package org.apache.jackrabbit.core.security.authentication;

import java.io.IOException;
import java.security.Principal;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.jcr.Credentials;
import javax.jcr.GuestCredentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.core.config.LoginModuleConfig;
import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.core.security.principal.PrincipalProvider;
import org.apache.jackrabbit.core.security.principal.PrincipalProviderRegistry;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/jackrabbit-core-2.19.0.jar:org/apache/jackrabbit/core/security/authentication/AbstractLoginModule.class */
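/**
 * Abstract JAAS {@link LoginModule} shared by the repository login modules.
 *
 * <p>{@link #login()} resolves the credentials and the matching principal, then decides
 * whether the attempt is anonymous, pre-authenticated, an impersonation or a regular
 * authentication. {@link #commit()} publishes the principal, its group memberships and the
 * credentials on the {@link Subject}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Anonymous and pre-authenticated logins succeed without
 *       {@link #authenticate(Principal, Credentials)} being called.</li>
 *   <li>The {@code trust_credentials_attribute} option only checks that an attribute of the
 *       configured name is present on the {@link SimpleCredentials}; its value is not
 *       inspected.</li>
 *   <li>{@link #commit()} adds the accepted {@link SimpleCredentials} object to the
 *       Subject's <em>public</em> credentials.</li>
 * </ul>
 *
 * <p>This listing is decompiler output. Local variable types that the decompiler inferred
 * incorrectly (in {@link #login()} and {@link #getUserID(Credentials)}) are corrected here;
 * member signatures are left as the decompiler emitted them.
 */
public abstract class AbstractLoginModule implements LoginModule {
    private static final Logger log = LoggerFactory.getLogger(AbstractLoginModule.class);
    // Shared-state key under which the resolved Credentials are cached between modules.
    private static final String KEY_CREDENTIALS = "org.apache.jackrabbit.credentials";
    // Shared-state key consulted by getUserID() when no user id could be derived otherwise.
    private static final String KEY_LOGIN_NAME = "javax.security.auth.login.name";
    // Name of the (deprecated) option that enables pre-authentication by credentials attribute.
    private static final String PRE_AUTHENTICATED_ATTRIBUTE_OPTION = "trust_credentials_attribute";
    private String principalProviderClassName;
    private boolean initialized;
    protected String adminId;
    protected String anonymousId;
    private String preAuthAttributeName;
    protected CallbackHandler callbackHandler;
    protected Principal principal;
    protected SimpleCredentials credentials;
    protected Subject subject;
    protected PrincipalProvider principalProvider;
    protected Map sharedState;

    /**
     * Stores the JAAS context objects, resolves the principal provider and reads the
     * module options.
     *
     * <p>Any exception raised while initializing is logged and swallowed; the module then
     * stays uninitialized and {@link #login()} returns {@code false}. The module also stays
     * uninitialized when neither a configured nor a default principal provider is available,
     * or when {@code subject} is {@code null}.
     *
     * @param subject the subject to be authenticated
     * @param callbackHandler handler used to obtain repository, credentials and name callbacks
     * @param map state shared with other configured login modules
     * @param map2 options configured for this login module
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        final Map<String, ?> options = map2;
        this.callbackHandler = callbackHandler;
        this.subject = subject;
        this.sharedState = map;
        try {
            log.debug("Initialize LoginModule: ");
            RepositoryCallback repositoryCallback = new RepositoryCallback();
            callbackHandler.handle(new Callback[] {repositoryCallback});
            PrincipalProviderRegistry registry = repositoryCallback.getPrincipalProviderRegistry();

            Object configuredProvider = options.get(LoginModuleConfig.PARAM_PRINCIPAL_PROVIDER_CLASS);
            if (configuredProvider != null) {
                this.principalProviderClassName = configuredProvider.toString();
            }
            if (this.principalProviderClassName == null) {
                // Compatibility option names. A key that is present but mapped to null makes
                // toString() throw; the catch-all below then leaves the module uninitialized,
                // i.e. the module fails closed on such a configuration.
                if (options.containsKey(LoginModuleConfig.COMPAT_PRINCIPAL_PROVIDER_NAME)) {
                    this.principalProviderClassName =
                            options.get(LoginModuleConfig.COMPAT_PRINCIPAL_PROVIDER_NAME).toString();
                } else if (options.containsKey(LoginModuleConfig.COMPAT_PRINCIPAL_PROVIDER_CLASS)) {
                    this.principalProviderClassName =
                            options.get(LoginModuleConfig.COMPAT_PRINCIPAL_PROVIDER_CLASS).toString();
                }
            }
            if (this.principalProviderClassName != null) {
                this.principalProvider = registry.getProvider(this.principalProviderClassName);
            }
            if (this.principalProvider == null) {
                this.principalProvider = registry.getDefault();
                if (this.principalProvider == null) {
                    // No provider at all: 'initialized' stays false.
                    return;
                }
            }
            log.debug("- PrincipalProvider -> '{}'", this.principalProvider.getClass().getName());

            doInit(callbackHandler, repositoryCallback.getSession(), options);

            // Explicit options win; otherwise fall back to the ids reported by the repository.
            if (options.containsKey(LoginModuleConfig.PARAM_ADMIN_ID)) {
                this.adminId = (String) options.get(LoginModuleConfig.PARAM_ADMIN_ID);
            }
            if (this.adminId == null) {
                this.adminId = repositoryCallback.getAdminId();
            }
            if (options.containsKey("anonymousId")) {
                this.anonymousId = (String) options.get("anonymousId");
            }
            if (this.anonymousId == null) {
                this.anonymousId = repositoryCallback.getAnonymousId();
            }

            // An empty attribute name disables pre-authentication, same as an absent option.
            this.preAuthAttributeName = (String) options.get(PRE_AUTHENTICATED_ATTRIBUTE_OPTION);
            if (this.preAuthAttributeName != null && this.preAuthAttributeName.length() == 0) {
                this.preAuthAttributeName = null;
            }

            if (log.isDebugEnabled()) {
                // NOTE(review): every option value is written to the log verbatim. If a
                // deployment passes secrets through module options they end up in debug logs.
                for (Map.Entry<String, ?> option : options.entrySet()) {
                    log.debug("- Option: {} -> '{}'", option.getKey(), option.getValue());
                }
            }
            this.initialized = this.subject != null;
        } catch (Exception e) {
            log.error("LoginModule failed to initialize.", e);
        }
    }

    /**
     * Subclass hook invoked from {@link #initialize} once the principal provider is resolved.
     *
     * @param callbackHandler the handler passed to {@link #initialize}
     * @param session the session obtained from the repository callback
     * @param map the options configured for this login module
     * @throws LoginException if the subclass cannot initialize
     */
    protected abstract void doInit(CallbackHandler callbackHandler, Session session, Map map) throws LoginException;

    /**
     * @return {@code true} once {@link #initialize} completed with a non-null subject
     */
    protected boolean isInitialized() {
        return this.initialized;
    }

    /**
     * Performs phase one of the JAAS login.
     *
     * <p>Anonymous and pre-authenticated credentials are accepted without calling
     * {@link #authenticate(Principal, Credentials)}; impersonation is delegated to
     * {@link #impersonate(Principal, Credentials)}; everything else is authenticated.
     *
     * @return {@code true} if the login succeeded; {@code false} if the module is not
     *         initialized, the credentials are unsupported, no principal was found, the
     *         check was negative, or a {@link RepositoryException} occurred
     * @throws LoginException if impersonation or authentication fails with an exception
     */
    @Override
    public boolean login() throws LoginException {
        if (!isInitialized()) {
            log.warn("Unable to perform login: initialization not completed.");
            return false;
        }

        // getCredentials() returns the general Credentials type (possibly GuestCredentials),
        // so the local must not be typed as SimpleCredentials.
        Credentials creds = getCredentials();
        if (creds == null) {
            log.debug("No credentials available -> try default (anonymous) authentication.");
        } else if (!supportsCredentials(creds)) {
            log.debug("Unsupported credentials implementation : " + creds.getClass().getName());
            return false;
        }

        try {
            Principal userPrincipal = getPrincipal(creds);
            if (userPrincipal == null) {
                log.debug("No valid user -> ignore.");
                return false;
            }

            boolean authenticated;
            if (isAnonymous(creds) || isPreAuthenticated(creds)) {
                // No secret is verified on this path.
                authenticated = true;
            } else if (isImpersonation(creds)) {
                authenticated = impersonate(userPrincipal, creds);
            } else {
                authenticated = authenticate(userPrincipal, creds);
            }
            if (!authenticated) {
                return false;
            }

            if (creds instanceof SimpleCredentials) {
                // Kept as received, including whatever password it carries; see commit().
                this.credentials = (SimpleCredentials) creds;
            } else {
                this.credentials = new SimpleCredentials(getUserID(creds), new char[0]);
            }
            this.principal = userPrincipal;
            return true;
        } catch (RepositoryException e) {
            log.error("Login failed:", e);
            return false;
        }
    }

    /**
     * Performs phase two of the JAAS login: adds the authenticated principal, its group
     * memberships and the credentials to the subject.
     *
     * <p>The credentials go into the subject's <em>public</em> credential set. For a
     * {@link SimpleCredentials} login this is the very object accepted by {@link #login()},
     * so any code that can read the subject can read what that object holds.
     *
     * @return {@code false} if the module is not initialized or {@link #login()} did not
     *         succeed, {@code true} otherwise
     */
    @Override
    public boolean commit() throws LoginException {
        if (!isInitialized() || this.principal == null) {
            return false;
        }
        this.subject.getPrincipals().addAll(getPrincipals());
        this.subject.getPublicCredentials().add(this.credentials);
        return true;
    }

    /**
     * Aborts the login: drops the cached shared-state credentials, clears the callback
     * handler, principal and credentials of this module and then calls {@link #logout()}.
     *
     * @return {@code false} if the module is not initialized, else the result of
     *         {@link #logout()}
     */
    @Override
    public boolean abort() throws LoginException {
        if (!isInitialized()) {
            return false;
        }
        this.sharedState.remove(KEY_CREDENTIALS);
        this.callbackHandler = null;
        this.principal = null;
        this.credentials = null;
        return logout();
    }

    /**
     * Removes all principals and public credentials from the subject.
     *
     * <p>A read-only subject is reported as logged out although nothing can be removed
     * from it.
     *
     * @return {@code false} if the subject holds no principals or no {@link Credentials};
     *         {@code true} otherwise
     */
    @Override
    public boolean logout() throws LoginException {
        boolean nothingToRemove = this.subject.getPrincipals().isEmpty()
                || this.subject.getPublicCredentials(Credentials.class).isEmpty();
        if (nothingToRemove) {
            return false;
        }
        if (this.subject.isReadOnly()) {
            return true;
        }
        this.subject.getPrincipals().clear();
        this.subject.getPublicCredentials().clear();
        return true;
    }

    /**
     * Authenticates the principal with the {@link Authentication} returned by
     * {@link #getAuthentication(Principal, Credentials)}.
     *
     * @return {@code true} on success, {@code false} if no {@link Authentication} is available
     * @throws FailedLoginException if the {@link Authentication} rejects the credentials
     * @throws RepositoryException if obtaining or running the authentication fails
     */
    protected boolean authenticate(Principal principal, Credentials credentials) throws FailedLoginException, RepositoryException {
        Authentication authentication = getAuthentication(principal, credentials);
        if (authentication == null) {
            return false;
        }
        if (!authentication.authenticate(credentials)) {
            throw new FailedLoginException();
        }
        return true;
    }

    /**
     * @return {@code true} if an impersonator subject is attached to this login attempt
     */
    protected boolean isImpersonation(Credentials credentials) {
        return getImpersonatorSubject(credentials) != null;
    }

    /**
     * Decides whether the impersonator may act as {@code principal}.
     *
     * @throws RepositoryException if the check cannot be performed
     * @throws LoginException if impersonation is refused with an exception
     */
    protected abstract boolean impersonate(Principal principal, Credentials credentials) throws RepositoryException, LoginException;

    /**
     * @return the {@link Authentication} able to validate {@code credentials} for
     *         {@code principal}, or {@code null} if there is none
     * @throws RepositoryException if the lookup fails
     */
    protected abstract Authentication getAuthentication(Principal principal, Credentials credentials) throws RepositoryException;

    /**
     * Returns the impersonating subject of this login attempt, if any.
     *
     * <p>With {@code null} credentials the subject is requested through an
     * {@link ImpersonationCallback}; with {@link SimpleCredentials} it is read from the
     * {@link SecurityConstants#IMPERSONATOR_ATTRIBUTE} attribute. Callback failures are
     * logged and result in {@code null}.
     *
     * <p>JADX INFO: Access modifiers changed from: protected
     *
     * @return the impersonator, or {@code null} if none could be determined
     */
    public Subject getImpersonatorSubject(Credentials credentials) {
        Subject impersonator = null;
        if (credentials == null) {
            try {
                ImpersonationCallback impersonationCallback = new ImpersonationCallback();
                this.callbackHandler.handle(new Callback[] {impersonationCallback});
                impersonator = impersonationCallback.getImpersonator();
            } catch (IOException e) {
                // Pass the exception along so the cause is not lost from the log.
                log.error("Impersonation-Callback failed: " + e.getMessage() + ": Unable to perform Impersonation.", e);
            } catch (UnsupportedCallbackException e) {
                log.warn(e.getCallback().getClass().getName() + " not supported: Unable to perform Impersonation.");
            }
        } else if (credentials instanceof SimpleCredentials) {
            impersonator = (Subject) ((SimpleCredentials) credentials)
                    .getAttribute(SecurityConstants.IMPERSONATOR_ATTRIBUTE);
        }
        return impersonator;
    }

    /**
     * Resolves the credentials of this login attempt.
     *
     * <p>Lookup order: the shared state, a {@link CredentialsCallback} (a supported result
     * is cached in the shared state), then the subject's public {@link SimpleCredentials}
     * and finally its public {@link GuestCredentials}.
     *
     * @return the credentials, or {@code null} if none are available
     */
    protected Credentials getCredentials() {
        Credentials resolved = null;
        if (this.sharedState.containsKey(KEY_CREDENTIALS)) {
            resolved = (Credentials) this.sharedState.get(KEY_CREDENTIALS);
        } else {
            try {
                CredentialsCallback credentialsCallback = new CredentialsCallback();
                this.callbackHandler.handle(new Callback[] {credentialsCallback});
                resolved = credentialsCallback.getCredentials();
                if (resolved != null && supportsCredentials(resolved)) {
                    this.sharedState.put(KEY_CREDENTIALS, resolved);
                }
            } catch (IOException e) {
                log.error("Credentials-Callback failed: " + e.getMessage() + ": try Name-Callback", e);
            } catch (UnsupportedCallbackException e) {
                log.warn("Credentials-Callback not supported try Name-Callback");
            }
        }
        if (resolved == null) {
            Set<SimpleCredentials> simple = this.subject.getPublicCredentials(SimpleCredentials.class);
            if (!simple.isEmpty()) {
                resolved = simple.iterator().next();
            }
        }
        if (resolved == null) {
            Set<GuestCredentials> guest = this.subject.getPublicCredentials(GuestCredentials.class);
            if (!guest.isEmpty()) {
                resolved = guest.iterator().next();
            }
        }
        return resolved;
    }

    /**
     * JADX INFO: Access modifiers changed from: protected
     *
     * @return {@code true} for {@link SimpleCredentials} and {@link GuestCredentials}
     */
    public boolean supportsCredentials(Credentials credentials) {
        return credentials instanceof SimpleCredentials || credentials instanceof GuestCredentials;
    }

    /**
     * Derives the user id for the given credentials.
     *
     * <p>{@link GuestCredentials} map to the anonymous id, {@link SimpleCredentials} to
     * their own user id, any other non-null credentials to the answer of a
     * {@link NameCallback}. If that yields nothing, the shared-state login name and then
     * the anonymous id are used, so absent credentials resolve to the anonymous id unless
     * a shared login name is present.
     *
     * <p>JADX INFO: Access modifiers changed from: protected
     *
     * @return the user id; {@code null} only if the anonymous id itself is {@code null}
     */
    public String getUserID(Credentials credentials) {
        String userId = null;
        if (credentials instanceof GuestCredentials) {
            userId = this.anonymousId;
        } else if (credentials instanceof SimpleCredentials) {
            userId = ((SimpleCredentials) credentials).getUserID();
        } else if (credentials != null) {
            try {
                // Typed as NameCallback: getName() is not declared on Callback.
                NameCallback nameCallback = new NameCallback("User-ID: ");
                this.callbackHandler.handle(new Callback[] {nameCallback});
                userId = nameCallback.getName();
            } catch (IOException e) {
                log.error("Name-Callback failed: " + e.getMessage(), e);
            } catch (UnsupportedCallbackException e) {
                log.warn("Credentials- or NameCallback must be supported");
            }
        }
        if (userId == null && this.sharedState.containsKey(KEY_LOGIN_NAME)) {
            userId = (String) this.sharedState.get(KEY_LOGIN_NAME);
        }
        if (userId == null) {
            userId = this.anonymousId;
        }
        return userId;
    }

    /**
     * Tells whether the credentials denote the anonymous user.
     *
     * <p>True for {@link GuestCredentials} and for any credentials whose user id equals
     * the anonymous id. {@link #login()} accepts such credentials without verifying a
     * password.
     */
    protected boolean isAnonymous(Credentials credentials) {
        if (credentials instanceof GuestCredentials) {
            return true;
        }
        String userId = getUserID(credentials);
        if (this.anonymousId == null) {
            return userId == null;
        }
        return this.anonymousId.equals(userId);
    }

    /**
     * @return the principal matching the credentials, or {@code null} if there is no valid
     *         user (in which case {@link #login()} returns {@code false})
     */
    protected abstract Principal getPrincipal(Credentials credentials);

    /**
     * @return the authenticated principal followed by its group memberships as reported
     *         by the principal provider, in iteration order
     */
    protected Set<Principal> getPrincipals() {
        Set<Principal> principals = new LinkedHashSet<>();
        principals.add(this.principal);
        PrincipalIterator groups = this.principalProvider.getGroupMembership(this.principal);
        while (groups.hasNext()) {
            principals.add(groups.nextPrincipal());
        }
        return principals;
    }

    /** @return the id of the administrator */
    public String getAdminId() {
        return this.adminId;
    }

    /** @param str the id of the administrator */
    public void setAdminId(String str) {
        this.adminId = str;
    }

    /** @return the id treated as the anonymous user */
    public String getAnonymousId() {
        return this.anonymousId;
    }

    /** @param str the id treated as the anonymous user */
    public void setAnonymousId(String str) {
        this.anonymousId = str;
    }

    /** @return the configured principal provider class name, or {@code null} */
    public String getPrincipalProvider() {
        return this.principalProviderClassName;
    }

    /** @param str the principal provider class name looked up during {@link #initialize} */
    public void setPrincipalProvider(String str) {
        this.principalProviderClassName = str;
    }

    /**
     * @return the credentials attribute name configured through the
     *         {@code trust_credentials_attribute} option, or {@code null} if the option is
     *         absent or empty
     */
    protected final String getPreAuthAttributeName() {
        return this.preAuthAttributeName;
    }

    /**
     * Tells whether the credentials are to be trusted as already authenticated.
     *
     * <p>This holds when the {@code trust_credentials_attribute} option is set and the
     * {@link SimpleCredentials} carry a non-null attribute of that name. Only presence is
     * checked, and {@link #login()} then skips password verification, so the option is
     * safe only where every component able to build credentials for this repository is
     * trusted. Each hit is logged at WARN level, which makes use of the option visible in
     * the logs.
     */
    protected boolean isPreAuthenticated(Credentials credentials) {
        String attributeName = getPreAuthAttributeName();
        boolean preAuthenticated = attributeName != null
                && credentials instanceof SimpleCredentials
                && ((SimpleCredentials) credentials).getAttribute(attributeName) != null;
        if (preAuthenticated) {
            log.warn("Usage of deprecated 'trust_credentials_attribute' option. Please note that for security reasons this feature will notbe supported in future releases.");
        }
        return preAuthenticated;
    }
}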
