package org.apache.qpid.server.security.auth.manager;

import com.google.common.util.concurrent.ListenableFuture;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.xml.bind.DatatypeConverter;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ManagedContextDefault;
import org.apache.qpid.server.model.PasswordCredentialManagingAuthenticationProvider;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.StateTransition;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.apache.qpid.server.security.auth.manager.AbstractScramAuthenticationManager;
import org.apache.qpid.server.security.auth.sasl.plain.PlainAdapterSaslServer;
import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServer;
import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSource;

/* loaded from: input_file:org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager.class */
public abstract class AbstractScramAuthenticationManager<X extends AbstractScramAuthenticationManager<X>> extends ConfigModelPasswordManagingAuthenticationProvider<X> implements PasswordCredentialManagingAuthenticationProvider<X>, ScramSaslServerSource {
    public static final String PLAIN = "PLAIN";
    private final SecureRandom _random;
    public static final String QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT = "qpid.auth.scram.iteration_count";

    @ManagedContextDefault(name = QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT)
    public static final int DEFAULT_ITERATION_COUNT = 4096;
    private int _iterationCount;
    private boolean _doNotCreateStoredPasswordBecauseItIsBeingUpgraded;
    private static final byte[] INT_1 = {0, 0, 0, 1};

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/qpid/server/security/auth/manager/AbstractScramAuthenticationManager$PasswordField.class */
    public enum PasswordField {
        SALT,
        SALTED_PASSWORD,
        STORED_KEY,
        SERVER_KEY,
        ITERATION_COUNT
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AbstractScramAuthenticationManager(Map<String, Object> map, Broker broker) {
        super(map, broker);
        this._random = new SecureRandom();
        this._iterationCount = DEFAULT_ITERATION_COUNT;
    }

    @Override // org.apache.qpid.server.security.auth.manager.AbstractAuthenticationManager
    @StateTransition(currentState = {State.UNINITIALIZED, State.QUIESCED, State.QUIESCED}, desiredState = State.ACTIVE)
    protected ListenableFuture<Void> activate() {
        this._iterationCount = ((Integer) getContextValue(Integer.class, QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT)).intValue();
        Iterator<ManagedUser> it = getUserMap().values().iterator();
        while (it.hasNext()) {
            updateStoredPasswordFormatIfNecessary(it.next());
        }
        return super.activate();
    }

    @Override // org.apache.qpid.server.model.AuthenticationProvider
    public List<String> getMechanisms() {
        return Collections.unmodifiableList(Arrays.asList(getMechanismName(), "PLAIN"));
    }

    protected abstract String getMechanismName();

    @Override // org.apache.qpid.server.model.AuthenticationProvider
    public SaslServer createSaslServer(String str, String str2, Principal principal) throws SaslException {
        if (getMechanismName().equals(str)) {
            return new ScramSaslServer(this, getMechanismName(), getHmacName(), getDigestName());
        }
        if ("PLAIN".equals(str)) {
            return new PlainAdapterSaslServer(this);
        }
        throw new SaslException("Unknown mechanism: " + str);
    }

    protected abstract String getDigestName();

    @Override // org.apache.qpid.server.security.auth.manager.UsernamePasswordAuthenticationProvider
    public AuthenticationResult authenticate(String str, String str2) {
        ManagedUser user = getUser(str);
        if (user != null) {
            updateStoredPasswordFormatIfNecessary(user);
            ScramSaslServerSource.SaltAndPasswordKeys saltAndPasswordKeys = getSaltAndPasswordKeys(str);
            try {
                byte[] createSaltedPassword = createSaltedPassword(saltAndPasswordKeys.getSalt(), str2, saltAndPasswordKeys.getIterationCount());
                byte[] digest = MessageDigest.getInstance(getDigestName()).digest(computeHmac(createSaltedPassword, "Client Key"));
                byte[] computeHmac = computeHmac(createSaltedPassword, "Server Key");
                if (Arrays.equals(saltAndPasswordKeys.getStoredKey(), digest) && Arrays.equals(saltAndPasswordKeys.getServerKey(), computeHmac)) {
                    return new AuthenticationResult(new UsernamePrincipal(str));
                }
            } catch (IllegalArgumentException | NoSuchAlgorithmException | SaslException e) {
                return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
            }
        }
        return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);
    }

    @Override // org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSource
    public int getIterationCount() {
        return this._iterationCount;
    }

    private void updateStoredPasswordFormatIfNecessary(ManagedUser managedUser) {
        String[] split = managedUser.getPassword().split(",");
        if (split.length != 2) {
            if (split.length == 4) {
                upgradeUserPassword(managedUser, split[PasswordField.SALT.ordinal()] + ",," + split[PasswordField.STORED_KEY.ordinal()] + "," + split[PasswordField.SERVER_KEY.ordinal()] + "," + DEFAULT_ITERATION_COUNT);
                return;
            } else {
                if (split.length != 5) {
                    throw new IllegalConfigurationException("password field for user '" + managedUser.getName() + "' has unrecognised format.");
                }
                return;
            }
        }
        byte[] parseBase64Binary = DatatypeConverter.parseBase64Binary(split[PasswordField.SALTED_PASSWORD.ordinal()]);
        try {
            upgradeUserPassword(managedUser, split[PasswordField.SALT.ordinal()] + ",," + DatatypeConverter.printBase64Binary(MessageDigest.getInstance(getDigestName()).digest(computeHmac(parseBase64Binary, "Client Key"))) + "," + DatatypeConverter.printBase64Binary(computeHmac(parseBase64Binary, "Server Key")) + "," + DEFAULT_ITERATION_COUNT);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException(e);
        }
    }

    private void upgradeUserPassword(ManagedUser managedUser, String str) {
        try {
            this._doNotCreateStoredPasswordBecauseItIsBeingUpgraded = true;
            managedUser.setPassword(str);
            this._doNotCreateStoredPasswordBecauseItIsBeingUpgraded = false;
        } catch (Throwable th) {
            this._doNotCreateStoredPasswordBecauseItIsBeingUpgraded = false;
            throw th;
        }
    }

    private byte[] createSaltedPassword(byte[] bArr, String str, int i) {
        Mac createShaHmac = createShaHmac(str.getBytes(ASCII));
        createShaHmac.update(bArr);
        createShaHmac.update(INT_1);
        byte[] doFinal = createShaHmac.doFinal();
        byte[] bArr2 = null;
        for (int i2 = 1; i2 < i; i2++) {
            createShaHmac.update(bArr2 != null ? bArr2 : doFinal);
            bArr2 = createShaHmac.doFinal();
            for (int i3 = 0; i3 < doFinal.length; i3++) {
                int i4 = i3;
                doFinal[i4] = (byte) (doFinal[i4] ^ bArr2[i3]);
            }
        }
        return doFinal;
    }

    private byte[] computeHmac(byte[] bArr, String str) {
        Mac createShaHmac = createShaHmac(bArr);
        createShaHmac.update(str.getBytes(StandardCharsets.US_ASCII));
        return createShaHmac.doFinal();
    }

    private Mac createShaHmac(byte[] bArr) {
        try {
            SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, getHmacName());
            Mac mac = Mac.getInstance(getHmacName());
            mac.init(secretKeySpec);
            return mac;
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new IllegalArgumentException(e.getMessage(), e);
        }
    }

    protected abstract String getHmacName();

    @Override // org.apache.qpid.server.security.auth.manager.ConfigModelPasswordManagingAuthenticationProvider
    protected String createStoredPassword(String str) {
        if (this._doNotCreateStoredPasswordBecauseItIsBeingUpgraded) {
            return str;
        }
        try {
            int iterationCount = getIterationCount();
            byte[] generateSalt = generateSalt();
            byte[] createSaltedPassword = createSaltedPassword(generateSalt, str, iterationCount);
            return DatatypeConverter.printBase64Binary(generateSalt) + ",," + DatatypeConverter.printBase64Binary(MessageDigest.getInstance(getDigestName()).digest(computeHmac(createSaltedPassword, "Client Key"))) + "," + DatatypeConverter.printBase64Binary(computeHmac(createSaltedPassword, "Server Key")) + "," + iterationCount;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException(e);
        }
    }

    @Override // org.apache.qpid.server.security.auth.manager.ConfigModelPasswordManagingAuthenticationProvider
    void validateUser(ManagedUser managedUser) {
        if (!ASCII.newEncoder().canEncode(managedUser.getName())) {
            throw new IllegalArgumentException("User names are restricted to characters in the ASCII charset");
        }
    }

    @Override // org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSource
    public ScramSaslServerSource.SaltAndPasswordKeys getSaltAndPasswordKeys(String str) {
        byte[] parseBase64Binary;
        byte[] parseBase64Binary2;
        byte[] parseBase64Binary3;
        int parseInt;
        SaslException saslException;
        ManagedUser user = getUser(str);
        if (user == null) {
            parseBase64Binary = generateSalt();
            parseBase64Binary2 = null;
            parseBase64Binary3 = null;
            parseInt = -1;
            saslException = new SaslException("Authentication Failed");
        } else {
            updateStoredPasswordFormatIfNecessary(user);
            String[] split = user.getPassword().split(",");
            parseBase64Binary = DatatypeConverter.parseBase64Binary(split[PasswordField.SALT.ordinal()]);
            parseBase64Binary2 = DatatypeConverter.parseBase64Binary(split[PasswordField.STORED_KEY.ordinal()]);
            parseBase64Binary3 = DatatypeConverter.parseBase64Binary(split[PasswordField.SERVER_KEY.ordinal()]);
            parseInt = Integer.parseInt(split[PasswordField.ITERATION_COUNT.ordinal()]);
            saslException = null;
        }
        final byte[] bArr = parseBase64Binary;
        final byte[] bArr2 = parseBase64Binary2;
        final SaslException saslException2 = saslException;
        final byte[] bArr3 = parseBase64Binary3;
        final int i = parseInt;
        return new ScramSaslServerSource.SaltAndPasswordKeys() { // from class: org.apache.qpid.server.security.auth.manager.AbstractScramAuthenticationManager.1
            @Override // org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSource.SaltAndPasswordKeys
            public byte[] getSalt() {
                return bArr;
            }

            @Override // org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSource.SaltAndPasswordKeys
            public byte[] getStoredKey() throws SaslException {
                if (bArr2 == null) {
                    throw saslException2;
                }
                return bArr2;
            }

            @Override // org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSource.SaltAndPasswordKeys
            public byte[] getServerKey() throws SaslException {
                if (bArr3 == null) {
                    throw saslException2;
                }
                return bArr3;
            }

            @Override // org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSource.SaltAndPasswordKeys
            public int getIterationCount() throws SaslException {
                if (i < 0) {
                    throw saslException2;
                }
                return i;
            }
        };
    }

    private byte[] generateSalt() {
        byte[] bArr = new byte[32];
        this._random.nextBytes(bArr);
        return bArr;
    }
}
