package org.apache.qpid.server.security.auth.sasl.scram;

import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.PasswordCredentialManagingAuthenticationProvider;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.sasl.PasswordSource;
import org.apache.qpid.server.util.Strings;
import org.apache.qpid.test.utils.UnitTestBase;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/qpid/server/security/auth/sasl/scram/ScramNegotiatorTest.class */
public class ScramNegotiatorTest extends UnitTestBase {
    private static final String VALID_USER_NAME = "testUser";
    private static final String VALID_USER_PASSWORD = "testPassword";
    private static final String INVALID_USER_PASSWORD = "testPassword1";
    private static final String INVALID_USER_NAME = "testUser1";
    private static final String GS2_HEADER = "n,,";
    private static final Charset ASCII = StandardCharsets.US_ASCII;
    private static final int ITERATION_COUNT = 4096;
    private String _clientFirstMessageBare;
    private String _clientNonce;
    private byte[] _serverSignature;
    private PasswordSource _passwordSource;
    private AuthenticationProvider<?> _authenticationProvider;
    private Broker<?> _broker;

    @BeforeEach
    public void setUp() throws Exception {
        this._clientNonce = randomUUID().toString();
        this._passwordSource = (PasswordSource) Mockito.mock(PasswordSource.class);
        Mockito.when(this._passwordSource.getPassword((String) ArgumentMatchers.eq("testUser"))).thenReturn(VALID_USER_PASSWORD.toCharArray());
        this._authenticationProvider = (AuthenticationProvider) Mockito.mock(AuthenticationProvider.class);
        this._broker = BrokerTestHelper.createBrokerMock();
    }

    @AfterEach
    public void tearDown() throws Exception {
        this._authenticationProvider.close();
    }

    @Test
    public void testHandleResponseForScramSha256ValidCredentialsAdapterSource() throws Exception {
        doSaslNegotiationTestValidCredentials("SCRAM-SHA-256", this._authenticationProvider, new ScramSaslServerSourceAdapter(ITERATION_COUNT, "HmacSHA256", "SHA-256", this._passwordSource));
    }

    @Test
    public void testHandleResponseForScramSha1ValidCredentialsAdapterSource() throws Exception {
        doSaslNegotiationTestValidCredentials("SCRAM-SHA-1", this._authenticationProvider, new ScramSaslServerSourceAdapter(ITERATION_COUNT, "HmacSHA1", "SHA-1", this._passwordSource));
    }

    @Test
    public void testHandleResponseForScramSha256InvalidPasswordAdapterSource() throws Exception {
        doSaslNegotiationTestInvalidCredentials("testUser", INVALID_USER_PASSWORD, "SCRAM-SHA-256", this._authenticationProvider, new ScramSaslServerSourceAdapter(ITERATION_COUNT, "HmacSHA256", "SHA-256", this._passwordSource));
    }

    @Test
    public void testHandleResponseForScramSha1InvalidPasswordAdapterSource() throws Exception {
        doSaslNegotiationTestInvalidCredentials("testUser", INVALID_USER_PASSWORD, "SCRAM-SHA-1", this._authenticationProvider, new ScramSaslServerSourceAdapter(ITERATION_COUNT, "HmacSHA1", "SHA-1", this._passwordSource));
    }

    @Test
    public void testHandleResponseForScramSha256InvalidUsernameAdapterSource() throws Exception {
        doSaslNegotiationTestInvalidCredentials(INVALID_USER_NAME, VALID_USER_PASSWORD, "SCRAM-SHA-256", this._authenticationProvider, new ScramSaslServerSourceAdapter(ITERATION_COUNT, "HmacSHA256", "SHA-256", this._passwordSource));
    }

    @Test
    public void testHandleResponseForScramSha1InvalidUsernameAdapterSource() throws Exception {
        doSaslNegotiationTestInvalidCredentials(INVALID_USER_NAME, VALID_USER_PASSWORD, "SCRAM-SHA-1", this._authenticationProvider, new ScramSaslServerSourceAdapter(ITERATION_COUNT, "HmacSHA1", "SHA-1", this._passwordSource));
    }

    @Test
    public void testHandleResponseForScramSha256ValidCredentialsAuthenticationProvider() throws Exception {
        this._authenticationProvider = createTestAuthenticationManager("SCRAM-SHA-256");
        doSaslNegotiationTestValidCredentials("SCRAM-SHA-256", this._authenticationProvider, (ScramSaslServerSource) this._authenticationProvider);
    }

    @Test
    public void testHandleResponseForScramSha1ValidCredentialsAuthenticationProvider() throws Exception {
        this._authenticationProvider = createTestAuthenticationManager("SCRAM-SHA-1");
        doSaslNegotiationTestValidCredentials("SCRAM-SHA-1", this._authenticationProvider, (ScramSaslServerSource) this._authenticationProvider);
    }

    @Test
    public void testHandleResponseForScramSha256InvalidPasswordAuthenticationProvider() throws Exception {
        this._authenticationProvider = createTestAuthenticationManager("SCRAM-SHA-256");
        doSaslNegotiationTestInvalidCredentials("testUser", INVALID_USER_PASSWORD, "SCRAM-SHA-256", this._authenticationProvider, (ScramSaslServerSource) this._authenticationProvider);
    }

    @Test
    public void testHandleResponseForScramSha1InvalidPasswordAuthenticationProvider() throws Exception {
        this._authenticationProvider = createTestAuthenticationManager("SCRAM-SHA-1");
        doSaslNegotiationTestInvalidCredentials("testUser", INVALID_USER_PASSWORD, "SCRAM-SHA-1", this._authenticationProvider, (ScramSaslServerSource) this._authenticationProvider);
    }

    @Test
    public void testHandleResponseForScramSha256InvalidUsernameAuthenticationProvider() throws Exception {
        this._authenticationProvider = createTestAuthenticationManager("SCRAM-SHA-256");
        doSaslNegotiationTestInvalidCredentials(INVALID_USER_NAME, VALID_USER_PASSWORD, "SCRAM-SHA-256", this._authenticationProvider, (ScramSaslServerSource) this._authenticationProvider);
    }

    @Test
    public void testHandleResponseForScramSha1InvalidUsernameAuthenticationProvider() throws Exception {
        this._authenticationProvider = createTestAuthenticationManager("SCRAM-SHA-1");
        doSaslNegotiationTestInvalidCredentials(INVALID_USER_NAME, VALID_USER_PASSWORD, "SCRAM-SHA-1", this._authenticationProvider, (ScramSaslServerSource) this._authenticationProvider);
    }

    private void doSaslNegotiationTestValidCredentials(String str, AuthenticationProvider<?> authenticationProvider, ScramSaslServerSource scramSaslServerSource) throws Exception {
        ScramNegotiator scramNegotiator = new ScramNegotiator(authenticationProvider, scramSaslServerSource, str);
        byte[] createInitialResponse = createInitialResponse("testUser");
        AuthenticationResult handleResponse = scramNegotiator.handleResponse(createInitialResponse);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.CONTINUE, handleResponse.getStatus(), "Unexpected first result status");
        Assertions.assertNotNull(handleResponse.getChallenge(), "Unexpected first result challenge");
        AuthenticationResult handleResponse2 = scramNegotiator.handleResponse(calculateClientProof(handleResponse.getChallenge(), scramSaslServerSource.getHmacName(), scramSaslServerSource.getDigestName(), VALID_USER_PASSWORD));
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, handleResponse2.getStatus(), "Unexpected second result status");
        Assertions.assertNotNull(handleResponse2.getChallenge(), "Unexpected second result challenge");
        Assertions.assertEquals("testUser", handleResponse2.getMainPrincipal().getName(), "Unexpected second result principal");
        String[] split = new String(handleResponse2.getChallenge(), ASCII).split(",");
        if (!split[0].startsWith("v=")) {
            Assertions.fail("Server final message did not contain verifier");
        }
        if (!Arrays.equals(this._serverSignature, Strings.decodeBase64(split[0].substring(2)))) {
            Assertions.fail("Server signature did not match");
        }
        AuthenticationResult handleResponse3 = scramNegotiator.handleResponse(createInitialResponse);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, handleResponse3.getStatus(), "Unexpected result status after completion of negotiation");
        Assertions.assertNull(handleResponse3.getMainPrincipal(), "Unexpected principal after completion of negotiation");
    }

    private void doSaslNegotiationTestInvalidCredentials(String str, String str2, String str3, AuthenticationProvider<?> authenticationProvider, ScramSaslServerSource scramSaslServerSource) throws Exception {
        ScramNegotiator scramNegotiator = new ScramNegotiator(authenticationProvider, scramSaslServerSource, str3);
        AuthenticationResult handleResponse = scramNegotiator.handleResponse(createInitialResponse(str));
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.CONTINUE, handleResponse.getStatus(), "Unexpected first result status");
        Assertions.assertNotNull(handleResponse.getChallenge(), "Unexpected first result challenge");
        AuthenticationResult handleResponse2 = scramNegotiator.handleResponse(calculateClientProof(handleResponse.getChallenge(), scramSaslServerSource.getHmacName(), scramSaslServerSource.getDigestName(), str2));
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, handleResponse2.getStatus(), "Unexpected second result status");
        Assertions.assertNull(handleResponse2.getChallenge(), "Unexpected second result challenge");
        Assertions.assertNull(handleResponse2.getMainPrincipal(), "Unexpected second result principal");
    }

    private byte[] calculateClientProof(byte[] bArr, String str, String str2, String str3) throws Exception {
        String str4 = new String(bArr, ASCII);
        String[] split = str4.split(",");
        if (split.length < 3) {
            Assertions.fail("Server challenge '" + str4 + "' cannot be parsed");
        } else if (split[0].startsWith("m=")) {
            Assertions.fail("Server requires mandatory extension which is not supported: " + split[0]);
        } else if (!split[0].startsWith("r=")) {
            Assertions.fail("Server challenge '" + str4 + "' cannot be parsed, cannot find nonce");
        }
        String substring = split[0].substring(2);
        if (!substring.startsWith(this._clientNonce)) {
            Assertions.fail("Server challenge did not use correct client nonce");
        }
        if (!split[1].startsWith("s=")) {
            Assertions.fail("Server challenge '" + str4 + "' cannot be parsed, cannot find salt");
        }
        byte[] decodeBase64 = Strings.decodeBase64(split[1].substring(2));
        if (!split[2].startsWith("i=")) {
            Assertions.fail("Server challenge '" + str4 + "' cannot be parsed, cannot find iteration count");
        }
        int parseInt = Integer.parseInt(split[2].substring(2));
        if (parseInt <= 0) {
            Assertions.fail("Iteration count " + parseInt + " is not a positive integer");
        }
        byte[] generateSaltedPassword = generateSaltedPassword(saslPrep(str3).getBytes(StandardCharsets.UTF_8), str, parseInt, decodeBase64);
        String str5 = "c=" + Base64.getEncoder().encodeToString(GS2_HEADER.getBytes(ASCII)) + ",r=" + substring;
        String str6 = this._clientFirstMessageBare + "," + str4 + "," + str5;
        byte[] computeHmac = computeHmac(generateSaltedPassword, "Client Key", str);
        byte[] computeHmac2 = computeHmac(MessageDigest.getInstance(str2).digest(computeHmac), str6, str);
        byte[] bArr2 = (byte[]) computeHmac.clone();
        for (int i = 0; i < bArr2.length; i++) {
            int i2 = i;
            bArr2[i2] = (byte) (bArr2[i2] ^ computeHmac2[i]);
        }
        this._serverSignature = computeHmac(computeHmac(generateSaltedPassword, "Server Key", str), str6, str);
        return (str5 + ",p=" + Base64.getEncoder().encodeToString(bArr2)).getBytes();
    }

    private byte[] computeHmac(byte[] bArr, String str, String str2) throws Exception {
        Mac createHmac = createHmac(bArr, str2);
        createHmac.update(str.getBytes(ASCII));
        return createHmac.doFinal();
    }

    private byte[] generateSaltedPassword(byte[] bArr, String str, int i, byte[] bArr2) throws Exception {
        Mac createHmac = createHmac(bArr, str);
        createHmac.update(bArr2);
        createHmac.update(new byte[]{0, 0, 0, 1});
        byte[] doFinal = createHmac.doFinal();
        byte[] bArr3 = null;
        for (int i2 = 1; i2 < i; i2++) {
            createHmac.update(bArr3 != null ? bArr3 : doFinal);
            bArr3 = createHmac.doFinal();
            for (int i3 = 0; i3 < doFinal.length; i3++) {
                int i4 = i3;
                doFinal[i4] = (byte) (doFinal[i4] ^ bArr3[i3]);
            }
        }
        return doFinal;
    }

    private Mac createHmac(byte[] bArr, String str) throws Exception {
        SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, str);
        Mac mac = Mac.getInstance(str);
        mac.init(secretKeySpec);
        return mac;
    }

    private String saslPrep(String str) {
        return str.replace("=", "=3D").replace(",", "=2C");
    }

    private byte[] createInitialResponse(String str) {
        this._clientFirstMessageBare = "n=" + saslPrep(str) + ",r=" + this._clientNonce;
        return ("n,," + this._clientFirstMessageBare).getBytes(ASCII);
    }

    private AuthenticationProvider<?> createTestAuthenticationManager(String str) {
        PasswordCredentialManagingAuthenticationProvider passwordCredentialManagingAuthenticationProvider = (AuthenticationProvider) this._broker.getObjectFactory().create(AuthenticationProvider.class, Map.of("name", getTestName(), "id", randomUUID(), "type", str), this._broker);
        Assertions.assertEquals(State.ACTIVE, passwordCredentialManagingAuthenticationProvider.getState(), "Unexpected state");
        passwordCredentialManagingAuthenticationProvider.createUser("testUser", VALID_USER_PASSWORD, Map.of());
        return passwordCredentialManagingAuthenticationProvider;
    }
}
