package org.wildfly.security.auth.provider.ldap;

import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.NoSuchAttributeException;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SupportLevel;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.password.Password;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.interfaces.OneTimePassword;
import org.wildfly.security.password.spec.OneTimePasswordSpec;
import org.wildfly.security.util.Alphabet;
import org.wildfly.security.util.ByteIterator;
import org.wildfly.security.util.CodePointIterator;

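/**
 * Loads and persists one-time-password (OTP) credentials kept on an LDAP entry as four
 * attributes: the OTP algorithm name, the base64-encoded hash, the base64-encoded seed and
 * the decimal sequence number.
 *
 * <p>Only the credential whose name equals the configured credential name is handled; every
 * other name is reported as {@link SupportLevel#UNSUPPORTED} / not persistable.
 *
 * <p>This listing is a decompiled class: the original try/finally blocks had been expanded
 * into duplicated {@code returnContext} calls and a catch order that is not compilable
 * (a {@code NoSuchAttributeException} catch after its {@code NamingException} superclass).
 * They are restored here as plain try/finally so a {@link DirContext} is returned exactly
 * once on every path.
 */
public class OtpCredentialLoader implements CredentialLoader, CredentialPersister {
    /** Credential name used by callers that do not configure their own. */
    public static final String DEFAULT_CREDENTIAL_NAME = "otp";

    private final String myCredentialName;
    private final String algorithmAttributeName;
    private final String hashAttributeName;
    private final String seedAttributeName;
    private final String sequenceAttributeName;

    /**
     * Loader/persister bound to one LDAP entry (identified by its distinguished name).
     *
     * <p>Deliberately a non-static inner class: it reads the attribute names configured on
     * the enclosing {@code OtpCredentialLoader}. Each directory operation obtains a context
     * from the factory and hands it back in {@code finally}, so a context never leaks on an
     * exception path.
     */
    public class ForIdentityLoader implements IdentityCredentialLoader, IdentityCredentialPersister {
        private final DirContextFactory contextFactory;
        private final String distinguishedName;

        /**
         * @param contextFactory source of (pooled) directory contexts; each obtained context is returned to it
         * @param distinguishedName DN of the entry whose OTP attributes are read and written
         */
        public ForIdentityLoader(DirContextFactory contextFactory, String distinguishedName) {
            this.contextFactory = contextFactory;
            this.distinguishedName = distinguishedName;
        }

        /** The four OTP attribute names, in the order algorithm, hash, seed, sequence. */
        private String[] otpAttributeNames() {
            return new String[] {
                OtpCredentialLoader.this.algorithmAttributeName,
                OtpCredentialLoader.this.hashAttributeName,
                OtpCredentialLoader.this.seedAttributeName,
                OtpCredentialLoader.this.sequenceAttributeName
            };
        }

        /** {@code true} only when the fetched attribute set carries all four OTP attributes. */
        private boolean hasAllOtpAttributes(Attributes attributes) {
            for (String name : otpAttributeNames()) {
                if (attributes.get(name) == null) {
                    return false;
                }
            }
            return true;
        }

        /** Decodes a standard-alphabet base64 attribute value into raw bytes. */
        private byte[] decodeBase64(String value) {
            return CodePointIterator.ofString(value).base64Decode(Alphabet.Base64Alphabet.STANDARD, false).drain();
        }

        /** Encodes raw bytes as a base64 string for storage in a directory attribute. */
        private String encodeBase64(byte[] value) {
            return ByteIterator.ofBytes(value).base64Encode().drainToString();
        }

        /**
         * Reports {@link SupportLevel#SUPPORTED} when the credential name matches and the entry
         * holds all four OTP attributes; otherwise {@link SupportLevel#UNSUPPORTED}.
         *
         * <p>A directory failure is also reported as unsupported: this interface method does
         * not declare {@code RealmUnavailableException}, so the failure is traced and mapped
         * rather than propagated.
         *
         * @param credentialName the credential name being queried
         * @return the support level for this identity
         */
        @Override
        public SupportLevel getCredentialSupport(String credentialName) {
            if (!OtpCredentialLoader.this.myCredentialName.equals(credentialName)) {
                return SupportLevel.UNSUPPORTED;
            }
            DirContext dirContext = null;
            try {
                dirContext = this.contextFactory.obtainDirContext(null);
                Attributes attributes = dirContext.getAttributes(this.distinguishedName, otpAttributeNames());
                return hasAllOtpAttributes(attributes) ? SupportLevel.SUPPORTED : SupportLevel.UNSUPPORTED;
            } catch (NamingException e) {
                // Same trace-only handling as getCredential(): the DN is logged, never credential material.
                if (ElytronMessages.log.isTraceEnabled()) {
                    ElytronMessages.log.trace("Checking OTP credential support failed. dn=" + this.distinguishedName, e);
                }
                return SupportLevel.UNSUPPORTED;
            } finally {
                this.contextFactory.returnContext(dirContext);
            }
        }

        /**
         * Builds a {@link PasswordCredential} wrapping a {@link OneTimePassword} from the entry's
         * OTP attributes.
         *
         * @param credentialName the credential name being requested
         * @param credentialType the credential type the caller can accept
         * @return the credential, or {@code null} when the name does not match, the caller cannot
         *         accept a {@code PasswordCredential}, an attribute is missing, or the entry could
         *         not be read or decoded (the cause is logged at trace level only)
         */
        @Override
        public <C extends Credential> C getCredential(String credentialName, Class<C> credentialType) {
            if (!OtpCredentialLoader.this.myCredentialName.equals(credentialName)) {
                return null;
            }
            // Decide on the requested type before touching the directory: no point in fetching
            // and decoding secret material the caller cannot accept anyway.
            if (!credentialType.isAssignableFrom(PasswordCredential.class)) {
                return null;
            }
            DirContext dirContext = null;
            try {
                dirContext = this.contextFactory.obtainDirContext(null);
                Attributes attributes = dirContext.getAttributes(this.distinguishedName, otpAttributeNames());
                if (!hasAllOtpAttributes(attributes)) {
                    return null;
                }
                // Attribute values are expected as String; a binary-typed attribute would surface
                // as a ClassCastException here — TODO confirm against the directory schema.
                String algorithm = (String) attributes.get(OtpCredentialLoader.this.algorithmAttributeName).get();
                byte[] hash = decodeBase64((String) attributes.get(OtpCredentialLoader.this.hashAttributeName).get());
                byte[] seed = decodeBase64((String) attributes.get(OtpCredentialLoader.this.seedAttributeName).get());
                int sequenceNumber = Integer.parseInt((String) attributes.get(OtpCredentialLoader.this.sequenceAttributeName).get());
                Password password = PasswordFactory.getInstance(algorithm)
                        .generatePassword(new OneTimePasswordSpec(hash, seed, sequenceNumber));
                return credentialType.cast(new PasswordCredential(password));
            } catch (NamingException | NoSuchAlgorithmException | InvalidKeySpecException | NumberFormatException e) {
                // A malformed sequence attribute (NumberFormatException) is treated like any other
                // unusable entry: no credential, trace only. The log line carries the DN, not the
                // hash or seed.
                if (ElytronMessages.log.isTraceEnabled()) {
                    ElytronMessages.log.trace("Getting OTP credential of type " + credentialType.getName() + " failed. dn=" + this.distinguishedName, e);
                }
                return null;
            } finally {
                this.contextFactory.returnContext(dirContext);
            }
        }

        /**
         * @param credentialName the credential name being queried
         * @return {@code true} only for the configured credential name
         */
        @Override
        public boolean getCredentialPersistSupport(String credentialName) {
            return OtpCredentialLoader.this.myCredentialName.equals(credentialName);
        }

        /**
         * Writes the OTP state of {@code credential} to the entry, replacing any previous values.
         *
         * <p>Callers are expected to consult {@link #getCredentialPersistSupport(String)} first;
         * a credential that is not a {@code PasswordCredential} wrapping a {@code OneTimePassword}
         * fails the casts below with a {@code ClassCastException}.
         *
         * @param credentialName the credential name being persisted
         * @param credential the credential to store
         * @throws RealmUnavailableException when the directory modification fails
         */
        @Override
        public void persistCredential(String credentialName, Credential credential) throws RealmUnavailableException {
            OneTimePassword oneTimePassword = (OneTimePassword) ((PasswordCredential) credential).getPassword();
            DirContext dirContext = null;
            try {
                dirContext = this.contextFactory.obtainDirContext(null);
                BasicAttributes otpAttributes = new BasicAttributes();
                otpAttributes.put(OtpCredentialLoader.this.algorithmAttributeName, oneTimePassword.getAlgorithm());
                otpAttributes.put(OtpCredentialLoader.this.hashAttributeName, encodeBase64(oneTimePassword.getHash()));
                otpAttributes.put(OtpCredentialLoader.this.seedAttributeName, encodeBase64(oneTimePassword.getSeed()));
                otpAttributes.put(OtpCredentialLoader.this.sequenceAttributeName, Integer.toString(oneTimePassword.getSequenceNumber()));
                // REPLACE so a re-enrolment overwrites stale OTP state instead of adding a second value.
                dirContext.modifyAttributes(this.distinguishedName, DirContext.REPLACE_ATTRIBUTE, otpAttributes);
            } catch (NamingException e) {
                // NOTE(review): credential.toString() becomes part of the exception message;
                // confirm it does not render the OTP hash/seed before this reaches a log.
                throw ElytronMessages.log.ldapRealmCredentialPersistingFailed(credential.toString(), credentialName, this.distinguishedName, e);
            } finally {
                this.contextFactory.returnContext(dirContext);
            }
        }

        /**
         * Removes all four OTP attributes from the entry. An entry that already carries none of
         * them is not an error.
         *
         * @throws RealmUnavailableException when the directory modification fails for any other reason
         */
        @Override
        public void clearCredentials() throws RealmUnavailableException {
            DirContext dirContext = null;
            try {
                dirContext = this.contextFactory.obtainDirContext(null);
                BasicAttributes otpAttributes = new BasicAttributes();
                for (String name : otpAttributeNames()) {
                    otpAttributes.put(new BasicAttribute(name));
                }
                dirContext.modifyAttributes(this.distinguishedName, DirContext.REMOVE_ATTRIBUTE, otpAttributes);
            } catch (NoSuchAttributeException ignored) {
                // Nothing to clear. Must precede the NamingException catch, of which it is a subclass.
            } catch (NamingException e) {
                throw ElytronMessages.log.ldapRealmCredentialClearingFailed(this.distinguishedName, e);
            } finally {
                this.contextFactory.returnContext(dirContext);
            }
        }
    }

    /**
     * @param credentialName name of the credential this loader handles
     * @param algorithmAttributeName LDAP attribute holding the OTP algorithm name
     * @param hashAttributeName LDAP attribute holding the base64-encoded OTP hash
     * @param seedAttributeName LDAP attribute holding the base64-encoded OTP seed
     * @param sequenceAttributeName LDAP attribute holding the decimal sequence number
     * @throws IllegalArgumentException if any argument is {@code null}
     */
    public OtpCredentialLoader(String credentialName, String algorithmAttributeName, String hashAttributeName,
                               String seedAttributeName, String sequenceAttributeName) {
        Assert.checkNotNullParam("credentialName", credentialName);
        Assert.checkNotNullParam("algorithmAttributeName", algorithmAttributeName);
        Assert.checkNotNullParam("hashAttributeName", hashAttributeName);
        Assert.checkNotNullParam("seedAttributeName", seedAttributeName);
        Assert.checkNotNullParam("sequenceAttributeName", sequenceAttributeName);
        this.myCredentialName = credentialName;
        this.algorithmAttributeName = algorithmAttributeName;
        this.hashAttributeName = hashAttributeName;
        this.seedAttributeName = seedAttributeName;
        this.sequenceAttributeName = sequenceAttributeName;
    }

    /**
     * Realm-level support check: decided purely by credential name, without consulting the directory.
     *
     * @param dirContextFactory unused at this level
     * @param credentialName the credential name being queried
     * @return {@link SupportLevel#SUPPORTED} for the configured name, else {@link SupportLevel#UNSUPPORTED}
     */
    @Override
    public SupportLevel getCredentialSupport(DirContextFactory dirContextFactory, String credentialName) {
        return this.myCredentialName.equals(credentialName) ? SupportLevel.SUPPORTED : SupportLevel.UNSUPPORTED;
    }

    /**
     * @param dirContextFactory source of directory contexts for the returned loader
     * @param distinguishedName DN of the identity's entry
     * @return a loader/persister bound to that entry
     */
    @Override
    public ForIdentityLoader forIdentity(DirContextFactory dirContextFactory, String distinguishedName) {
        return new ForIdentityLoader(dirContextFactory, distinguishedName);
    }
}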
