package org.apache.archiva.redback.integration.filter.authentication.digest;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.archiva.redback.authentication.AuthenticationException;
import org.apache.archiva.redback.authentication.AuthenticationResult;
import org.apache.archiva.redback.authentication.TokenBasedAuthenticationDataSource;
import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticationException;
import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
import org.apache.archiva.redback.policy.AccountLockedException;
import org.apache.archiva.redback.policy.MustChangePasswordException;
import org.apache.archiva.redback.users.User;
import org.apache.archiva.redback.users.UserManager;
import org.apache.archiva.redback.users.UserManagerException;
import org.apache.archiva.redback.users.UserNotFoundException;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.springframework.stereotype.Service;

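/**
 * HTTP Digest authenticator (RFC 2617/7616 style, MD5 only): verifies an incoming
 * {@code Authorization: Digest ...} header against the stored credential and, on
 * {@link #challenge}, emits a {@code WWW-Authenticate} header with a freshly minted nonce.
 * <p>
 * Nonce layout is {@code base64(expiryMillis ":" md5(expiryMillis ":" digestKey))}: the
 * nonce carries its own expiry, and its integrity rests entirely on {@code digestKey}.
 * That key defaults to a constant and this class exposes no setter for it, so a deployment
 * that never overrides it (e.g. via injection not visible here) uses a published secret.
 * NOTE(review): the nonce is not bound to the client, so within its lifetime replay is only
 * limited by the client's {@code nc}/{@code cnonce}, and the legacy no-{@code qop} response
 * form (see {@link #generateDigestHash}) is still accepted.
 */
@Service("httpAuthenticator#digest")
/* loaded from: input_file:WEB-INF/lib/redback-common-integrations-2.6.1.jar:org/apache/archiva/redback/integration/filter/authentication/digest/HttpDigestAuthentication.class */
public class HttpDigestAuthentication extends HttpAuthenticator {

    /** Scheme token expected at the start of the Authorization header (compared case-insensitively). */
    private static final String DIGEST_SCHEME_PREFIX = "Digest ";

    @Inject
    @Named("userManager#default")
    private UserManager userManager;

    /** How long an issued nonce stays valid; after that a client gets re-challenged with {@code stale="true"}. */
    private int nonceLifetimeSeconds = 300;

    /** Server-side secret mixed into every nonce so that clients cannot mint their own. */
    private String digestKey = "OrycteropusAfer";

    /**
     * Realm handed to the header parser and used as the middle component of HA1.
     * NOTE(review): {@link #challenge} advertises the realm its caller passes in, not this
     * field; the two must agree or client responses can never verify.
     */
    private String realm;

    /** Returns the identifier under which this authenticator is registered (its class name). */
    public String getId() {
        return HttpDigestAuthentication.class.getName();
    }

    /**
     * Authenticates the request from its {@code Authorization: Digest} header.
     * <p>
     * A session that is already authenticated short-circuits to its stored result. If the
     * header is present, the client's response digest is recomputed from the stored credential
     * and compared in constant time; a mismatch is reported as an authentication failure.
     * Without a Digest header the data source carries no principal and the outcome is whatever
     * {@code super.authenticate} does for an empty source (not visible here).
     *
     * @param httpServletRequest  the incoming request; a session is created if none exists
     * @param httpServletResponse the response (unused here; challenges are issued by {@link #challenge})
     * @return the authentication result produced by the superclass
     * @throws HttpAuthenticationException  if the user is unknown, the response digest does not match,
     *                                      or the header carries an unsupported {@code qop}
     * @throws AuthenticationException      propagated from the superclass / header parser
     * @throws AccountLockedException       propagated from the superclass
     * @throws MustChangePasswordException  propagated from the superclass
     */
    @Override // org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator
    public AuthenticationResult getAuthenticationResult(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, AccountLockedException, MustChangePasswordException {
        HttpSession session = httpServletRequest.getSession(true);
        if (isAlreadyAuthenticated(session)) {
            return getSecuritySession(session).getAuthenticationResult();
        }

        TokenBasedAuthenticationDataSource dataSource = new TokenBasedAuthenticationDataSource();

        String header = httpServletRequest.getHeader("Authorization");
        if (header == null) {
            header = httpServletRequest.getHeader("authorization");
        }

        // The auth-scheme token is case-insensitive (RFC 7235 §2.1), so accept "digest " as well.
        if (header != null && header.regionMatches(true, 0, DIGEST_SCHEME_PREFIX, 0, DIGEST_SCHEME_PREFIX.length())) {
            String credentials = header.substring(DIGEST_SCHEME_PREFIX.length());

            // Presumably parseClientHeader also validates the nonce against digestKey and raises
            // NonceExpirationException when it has expired - that logic is not visible in this file.
            HttpDigestHeader digestHeader = new HttpDigestHeader();
            digestHeader.parseClientHeader(credentials, getRealm(), this.digestKey);

            User user = findUser(digestHeader.username);
            dataSource.setPrincipal(user.getUsername());

            // Digest needs the same secret the client hashed; this assumes User.getPassword()
            // yields that (cleartext or an equivalent), not a one-way password hash - TODO confirm.
            String expected = generateDigestHash(digestHeader, user.getPassword(), httpServletRequest.getMethod());
            if (!constantTimeEquals(expected, digestHeader.response)) {
                throw new HttpAuthenticationException("Digest response was invalid.");
            }
        }

        return super.authenticate(dataSource, session);
    }

    /**
     * Looks up a user by name via the injected {@link UserManager}.
     * <p>
     * NOTE(review): the "unknown user" failure carries a different message than the
     * "wrong response" failure, and {@link #challenge} echoes the exception message to the
     * client, so the two outcomes are distinguishable over the wire.
     *
     * @param username the principal named in the Digest header
     * @return the matching user
     * @throws HttpAuthenticationException if the user does not exist or the user manager fails
     */
    public User findUser(String username) throws HttpAuthenticationException {
        try {
            return this.userManager.findUser(username);
        } catch (UserNotFoundException e) {
            String message = "Unable to find primary user '" + username + "'.";
            this.log.error(message, (Throwable) e);
            throw new HttpAuthenticationException(message, e);
        } catch (UserManagerException e) {
            this.log.error("issue find user {}, message: {}", username, e.getMessage(), e);
            throw new HttpAuthenticationException("issue find user " + username + ", message: " + e.getMessage(), e);
        }
    }

    /**
     * Sends a {@code 401} with a {@code WWW-Authenticate: Digest} challenge.
     * <p>
     * The nonce is {@code base64(expiry ":" md5(expiry ":" digestKey))} where expiry is
     * now + {@code nonceLifetimeSeconds}. {@code stale="true"} is added when the failure was
     * a {@link NonceExpirationException}, telling the client to retry with the new nonce
     * without re-prompting for credentials.
     *
     * @param httpServletRequest      the request being challenged (unused)
     * @param httpServletResponse     the response to write the challenge to
     * @param realm                   realm advertised to the client
     * @param authenticationException the failure that triggered the challenge; may be null
     * @throws IOException if the error response cannot be sent
     */
    @Override // org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator
    public void challenge(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String realm, AuthenticationException authenticationException) throws IOException {
        // 1000L keeps the multiplication in long arithmetic regardless of the configured lifetime.
        long expiresAt = System.currentTimeMillis() + (this.nonceLifetimeSeconds * 1000L);
        String nonceClear = expiresAt + ":" + Digest.md5Hex(expiresAt + ":" + this.digestKey);

        // encodeBase64 returns byte[]; it has to be turned back into a String. Appending the array
        // directly would go through StringBuilder.append(Object) and emit "[B@..." as the nonce.
        String nonce = new String(Base64.encodeBase64(nonceClear.getBytes(StandardCharsets.US_ASCII)), StandardCharsets.US_ASCII);

        StringBuilder headerValue = new StringBuilder("Digest ");
        headerValue.append("realm=\"").append(realm).append("\"");
        headerValue.append(", nonce=\"").append(nonce).append("\"");
        headerValue.append(", qop=\"auth\"");
        if (authenticationException instanceof NonceExpirationException) {
            headerValue.append(", stale=\"true\"");
        }

        httpServletResponse.addHeader("WWW-Authenticate", headerValue.toString());

        // A null exception must not NPE here; sendError tolerates a null reason phrase.
        String reason = authenticationException == null ? null : authenticationException.getMessage();
        httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, reason);
    }

    /**
     * Recomputes the expected Digest response: {@code md5(HA1 ":" nonce [":" nc ":" cnonce ":" qop] ":" HA2)}
     * with {@code HA1 = md5(username ":" realm ":" password)} and {@code HA2 = md5(method ":" uri)}.
     * Only the {@code auth} quality of protection is supported; {@code auth-int} is not.
     *
     * @param digestHeader the parsed client header
     * @param password     the secret shared with the client (see the caller's note on what this must be)
     * @param httpMethod   the request method, part of HA2
     * @return the hex MD5 the client should have sent as {@code response}
     * @throws HttpAuthenticationException if the header names a qop other than {@code auth}
     */
    private String generateDigestHash(HttpDigestHeader digestHeader, String password, String httpMethod) throws HttpAuthenticationException {
        String ha1 = Digest.md5Hex(digestHeader.username + ":" + this.realm + ":" + password);
        String ha2 = Digest.md5Hex(httpMethod + ":" + digestHeader.uri);

        String unhashedResponse;
        if (StringUtils.isEmpty(digestHeader.qop)) {
            // Legacy (RFC 2069) form: no nonce count or client nonce, hence no per-request replay protection.
            unhashedResponse = ha1 + ":" + digestHeader.nonce + ":" + ha2;
        } else if (StringUtils.equals("auth", digestHeader.qop)) {
            unhashedResponse = ha1 + ":" + digestHeader.nonce + ":" + digestHeader.nc + ":" + digestHeader.cnonce + ":" + digestHeader.qop + ":" + ha2;
        } else {
            // qop is client-controlled input: report it as an authentication failure (401 via challenge)
            // rather than letting an IllegalStateException surface as a server error.
            throw new HttpAuthenticationException("Http Digest Parameter [qop] with value of [" + digestHeader.qop + "] is unsupported.");
        }
        return Digest.md5Hex(unhashedResponse);
    }

    /**
     * Compares two digest strings without short-circuiting on the first differing byte, so the
     * comparison time does not reveal how much of the expected response a client has matched.
     * Mirrors {@code StringUtils.equals} null semantics: two nulls are equal, one null is not.
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return expected == actual;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8));
    }

    /** Returns the realm used for HA1 and handed to the header parser. */
    public String getRealm() {
        return this.realm;
    }

    /** Sets the realm used for HA1 and handed to the header parser. */
    public void setRealm(String realm) {
        this.realm = realm;
    }
}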
