package org.jboss.as.domain.http.server.security;

import com.arjuna.ats.internal.jdbc.recovery.JDBCXARecovery;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.DigestCredential;
import io.undertow.security.idm.GSSContextCredential;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.idm.PasswordCredential;
import io.undertow.security.idm.X509CertificateCredential;
import io.undertow.util.HexConverter;
import java.io.IOException;
import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import org.ietf.jgss.GSSException;
import org.jboss.as.controller.security.InetAddressPrincipal;
import org.jboss.as.core.security.SimplePrincipal;
import org.jboss.as.core.security.SubjectUserInfo;
import org.jboss.as.domain.http.server.logging.HttpServerLogger;
import org.jboss.as.domain.management.AuthMechanism;
import org.jboss.as.domain.management.AuthorizingCallbackHandler;
import org.jboss.as.domain.management.RealmConfigurationConstants;
import org.jboss.as.domain.management.SecurityRealm;
import org.jboss.as.domain.management.SubjectIdentity;
import org.wildfly.security.auth.callback.CredentialCallback;
import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
import org.wildfly.security.evidence.PasswordGuessEvidence;
import org.wildfly.security.password.interfaces.DigestPassword;
import org.wildfly.security.util.ByteIterator;

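/**
 * Undertow {@link IdentityManager} that authenticates management-interface requests against a
 * domain-management {@link SecurityRealm}.
 *
 * <p>Request-scoped state (the {@link AuthMechanism} negotiated for the request, the client
 * address and, once known, the {@link SubjectIdentity}) lives in a static {@link ThreadLocal}.
 * The caller establishes it with {@link #setRequestSpecific} before any {@code verify} call and
 * must tear it down with {@link #clearRequestSpecific} when the request is done; otherwise a
 * pooled worker thread carries the previous request's identity into the next one. Every
 * {@code verify} variant first asserts that the credential type it received matches the
 * mechanism recorded for the request.
 *
 * <p>Provenance: this listing was recovered by a decompiler from
 * {@code wildfly-domain-http-interface-3.0.8.Final.jar}. Members the decompiler reported as
 * originally private or package-private are noted as such and kept with the widened modifiers
 * the listing shows. The password prompt constant the decompiler resolved to an unrelated
 * Arjuna class is written as the literal {@code "Password"}.
 *
 * @deprecated deprecated upstream; no replacement is named in this file.
 */
@Deprecated
public class RealmIdentityManager implements IdentityManager {

    /** Separator of the HTTP Digest HA1 input {@code username:realm:password}. */
    private static final byte COLON = (byte) ':';

    /** Per-thread request state; set by {@link #setRequestSpecific}, dropped by {@link #clearRequestSpecific}. */
    private static final ThreadLocal<ThreadLocalStore> requestSpecific = new ThreadLocal<>();

    /** Realm that supplies the callback handlers and, for DIGEST, the plain-text configuration. */
    private final SecurityRealm securityRealm;

    /**
     * Holder for the state of the request being processed on the current thread.
     * Originally a private nested class; the decompiler widened it to public.
     */
    public static final class ThreadLocalStore {
        // Mechanism the request negotiated; compared by assertMechanism.
        AuthMechanism requestMechanism;
        // Client address, attached to the subject as an InetAddressPrincipal when present.
        InetAddress inetAddress;
        // Identity to log out when the request state is cleared; may remain null.
        SubjectIdentity subjectIdentity;

        private ThreadLocalStore() {
        }
    }

    /**
     * Records the mechanism and client address of the request running on the current thread.
     * Originally package-private.
     *
     * @param authMechanism mechanism negotiated for the request
     * @param inetAddress   client address, or null when unknown
     */
    public static void setRequestSpecific(AuthMechanism authMechanism, InetAddress inetAddress) {
        ThreadLocalStore store = new ThreadLocalStore();
        store.requestMechanism = authMechanism;
        store.inetAddress = inetAddress;
        requestSpecific.set(store);
    }

    /**
     * Logs out the subject identity recorded for the current request, if any, and drops the
     * per-thread state. Originally package-private.
     */
    public static void clearRequestSpecific() {
        ThreadLocalStore store = requestSpecific.get();
        if (store != null && store.subjectIdentity != null) {
            store.subjectIdentity.logout();
        }
        // remove() rather than set(null): a pooled worker thread would otherwise keep a
        // ThreadLocal map entry for the lifetime of the pool.
        requestSpecific.remove();
    }

    /** @return the mechanism recorded for the current request, or null when no state is set */
    private static AuthMechanism getRequestMechanism() {
        ThreadLocalStore store = requestSpecific.get();
        return store == null ? null : store.requestMechanism;
    }

    /** @return the client address recorded for the current request, or null when unknown or unset */
    private static InetAddress getInetAddress() {
        ThreadLocalStore store = requestSpecific.get();
        return store == null ? null : store.inetAddress;
    }

    /**
     * Associates the authenticated subject identity with the current request so that
     * {@link #clearRequestSpecific} can log it out. Originally package-private.
     *
     * @param subjectIdentity identity established for the request
     * @throws IllegalStateException if {@link #setRequestSpecific} has not been called on this thread
     */
    public void setCurrentSubjectIdentity(SubjectIdentity subjectIdentity) {
        ThreadLocalStore store = requestSpecific.get();
        if (store == null) {
            throw new IllegalStateException(
                    "No request-specific state on this thread; setRequestSpecific must be called first.");
        }
        store.subjectIdentity = subjectIdentity;
    }

    /**
     * Creates a manager backed by the given realm.
     *
     * @param securityRealm realm used for all verification; must not be null
     */
    public RealmIdentityManager(SecurityRealm securityRealm) {
        this.securityRealm = Objects.requireNonNull(securityRealm, "securityRealm");
    }

    /**
     * Re-verification of a cached account: the account is returned unchanged, so an account
     * established earlier is trusted without contacting the realm again.
     */
    @Override // io.undertow.security.idm.IdentityManager
    public Account verify(Account account) {
        return account;
    }

    /**
     * Whether the realm's DIGEST configuration says passwords are held in plain text (so the HA1
     * must be computed here) rather than as pre-computed digests. Defaults to true when the key
     * is absent, as in the decompiled form.
     */
    private boolean plainTextDigest() {
        Map<String, String> mechanismConfig = this.securityRealm.getMechanismConfig(AuthMechanism.DIGEST);
        if (mechanismConfig == null || !mechanismConfig.containsKey(RealmConfigurationConstants.DIGEST_PLAIN_TEXT)) {
            return true;
        }
        return Boolean.parseBoolean(mechanismConfig.get(RealmConfigurationConstants.DIGEST_PLAIN_TEXT));
    }

    /**
     * Verifies a username/credential pair for the BASIC (password) and DIGEST mechanisms.
     *
     * @param username   name presented by the client
     * @param credential password or digest credential presented by the client
     * @return the account on success; null when verification fails or the input is unusable
     * @throws IllegalStateException if the credential type does not match the request's mechanism;
     *         an unsupported credential type raises the exception built by
     *         {@code HttpServerLogger.invalidCredentialType}
     */
    @Override // io.undertow.security.idm.IdentityManager
    public Account verify(String username, Credential credential) {
        if (username == null || username.isEmpty()) {
            HttpServerLogger.ROOT_LOGGER.debug("Missing or empty username received, aborting account verification.");
            return null;
        }
        if (credential == null) {
            // Previously a NullPointerException on credential.getClass(); fail closed instead.
            HttpServerLogger.ROOT_LOGGER.debug("No credential received, aborting account verification.");
            return null;
        }
        if (credential instanceof PasswordCredential) {
            return verifyPassword(username, (PasswordCredential) credential);
        }
        if (credential instanceof DigestCredential) {
            return verifyDigest(username, (DigestCredential) credential);
        }
        throw HttpServerLogger.ROOT_LOGGER.invalidCredentialType(credential.getClass().getName());
    }

    /**
     * BASIC authentication: hands the password guess to the realm as {@link PasswordGuessEvidence}
     * and builds the account only when the realm reports the evidence verified.
     */
    private Account verifyPassword(String username, PasswordCredential credential) {
        assertMechanism(AuthMechanism.PLAIN);
        AuthorizingCallbackHandler handler = this.securityRealm.getAuthorizingCallbackHandler(AuthMechanism.PLAIN);
        EvidenceVerifyCallback evidenceCallback =
                new EvidenceVerifyCallback(new PasswordGuessEvidence(credential.getPassword()));
        Callback[] callbacks = {
                new RealmCallback("Realm", this.securityRealm.getName()),
                new NameCallback("Username", username),
                evidenceCallback
        };
        try {
            handler.handle(callbacks);
            if (!evidenceCallback.isVerified()) {
                return null;
            }
            return createAccount(handler, new SimplePrincipal(username));
        } catch (Exception e) {
            // Any failure while the realm processes the callbacks fails closed.
            HttpServerLogger.ROOT_LOGGER.debug("Failure handling Callback(s) for BASIC authentication.", e);
            return null;
        }
    }

    /**
     * DIGEST authentication: obtains the expected HA1 for the user (computed from a plain-text
     * password, or read from a stored {@link DigestPassword}) and lets the credential compare it
     * with the value derived from the request.
     */
    private Account verifyDigest(String username, DigestCredential credential) {
        assertMechanism(AuthMechanism.DIGEST);
        AuthorizingCallbackHandler handler = this.securityRealm.getAuthorizingCallbackHandler(AuthMechanism.DIGEST);
        boolean plainText = plainTextDigest();
        Callback secretCallback;
        if (plainText) {
            secretCallback = new PasswordCallback("Password", false);
        } else {
            secretCallback = new CredentialCallback(
                    org.wildfly.security.credential.PasswordCredential.class, DigestPassword.ALGORITHM_DIGEST_MD5);
        }
        Callback[] callbacks = {
                new RealmCallback("Realm", credential.getRealm()),
                new NameCallback("Username", username),
                secretCallback
        };
        try {
            handler.handle(callbacks);
            byte[] expectedHa1 = plainText
                    ? computeHa1(username, credential, (PasswordCallback) secretCallback)
                    : storedHa1((CredentialCallback) secretCallback);
            if (expectedHa1 == null || !credential.verifyHA1(expectedHa1)) {
                return null;
            }
            return createAccount(handler, new SimplePrincipal(username));
        } catch (Exception e) {
            // Any failure while the realm processes the callbacks fails closed.
            HttpServerLogger.ROOT_LOGGER.debug("Failure handling Callback(s) for DIGEST authentication.", e);
            return null;
        }
    }

    /**
     * Computes HA1 = hex(H(username ":" realm ":" password)) for a realm holding plain-text
     * passwords, using the hash algorithm the credential negotiated.
     *
     * @return the HA1 as hex ASCII bytes, or null when the realm supplied no password (unknown
     *         user) or the negotiated algorithm is unavailable
     */
    private static byte[] computeHa1(String username, DigestCredential credential, PasswordCallback passwordCallback) {
        char[] password = passwordCallback.getPassword();
        if (password == null) {
            HttpServerLogger.ROOT_LOGGER.debug("Realm supplied no password for the user, aborting DIGEST verification.");
            return null;
        }
        // Encode straight from the char[] so no immutable String copy of the password is created;
        // both working copies are zeroed in the finally block.
        byte[] passwordBytes = utf8(password);
        MessageDigest digest = null;
        try {
            digest = credential.getAlgorithm().getMessageDigest();
            digest.update(username.getBytes(StandardCharsets.UTF_8));
            digest.update(COLON);
            digest.update(credential.getRealm().getBytes(StandardCharsets.UTF_8));
            digest.update(COLON);
            digest.update(passwordBytes);
            return HexConverter.convertToHexBytes(digest.digest());
        } catch (NoSuchAlgorithmException e) {
            HttpServerLogger.ROOT_LOGGER.debug("Unexpected authentication failure", e);
            return null;
        } finally {
            // The decompiled form called reset() unconditionally and would have thrown a
            // NullPointerException here if getMessageDigest() failed, masking the real cause.
            if (digest != null) {
                digest.reset();
            }
            Arrays.fill(passwordBytes, (byte) 0);
            Arrays.fill(password, '\0');
            passwordCallback.clearPassword();
        }
    }

    /** UTF-8 encodes {@code chars} into a fresh array and scrubs the encoder's intermediate buffer. */
    private static byte[] utf8(char[] chars) {
        ByteBuffer buffer = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[buffer.remaining()];
        buffer.get(out);
        if (buffer.hasArray()) {
            Arrays.fill(buffer.array(), (byte) 0);
        }
        return out;
    }

    /**
     * Reads the pre-computed HA1 the realm returned for a DIGEST realm that stores hashed
     * passwords.
     *
     * @return the HA1 as hex ASCII bytes, or null when the realm returned no usable credential
     */
    private static byte[] storedHa1(CredentialCallback credentialCallback) {
        org.wildfly.security.credential.PasswordCredential stored =
                (org.wildfly.security.credential.PasswordCredential) credentialCallback.getCredential();
        DigestPassword digestPassword = stored == null ? null : stored.getPassword(DigestPassword.class);
        if (digestPassword == null) {
            HttpServerLogger.ROOT_LOGGER.debug("Realm supplied no digest password for the user, aborting DIGEST verification.");
            return null;
        }
        return ByteIterator.ofBytes(digestPassword.getDigest())
                .hexEncode()
                .drainToString()
                .getBytes(StandardCharsets.US_ASCII);
    }

    /**
     * Verifies a credential that carries its own identity: a client certificate (principal is the
     * certificate's subject DN) or an established GSS context (principal is the Kerberos source
     * name). The realm's handler receives an {@link AuthorizeCallback} for that name before the
     * account is built.
     *
     * @return the account, or null for an unsupported credential type or when the realm rejects it
     * @throws IllegalStateException if the request's mechanism is neither CLIENT_CERT nor KERBEROS
     */
    @Override // io.undertow.security.idm.IdentityManager
    public Account verify(Credential credential) {
        assertMechanism(AuthMechanism.CLIENT_CERT, AuthMechanism.KERBEROS);
        Principal principal;
        AuthorizingCallbackHandler handler;
        if (credential instanceof X509CertificateCredential) {
            handler = this.securityRealm.getAuthorizingCallbackHandler(AuthMechanism.CLIENT_CERT);
            // getSubjectDN() is a legacy accessor; switching to getSubjectX500Principal() could
            // change the name string the realm's authorization is keyed on, so it is left as is.
            principal = ((X509CertificateCredential) credential).getCertificate().getSubjectDN();
        } else if (credential instanceof GSSContextCredential) {
            try {
                principal = new KerberosPrincipal(
                        ((GSSContextCredential) credential).getGssContext().getSrcName().toString());
            } catch (GSSException e) {
                HttpServerLogger.ROOT_LOGGER.debug("Unexpected authentication failure", e);
                return null;
            }
            handler = this.securityRealm.getAuthorizingCallbackHandler(AuthMechanism.KERBEROS);
        } else {
            return null;
        }
        String name = principal.getName();
        AuthorizeCallback authorize = new AuthorizeCallback(name, name);
        try {
            handler.handle(new Callback[] { authorize });
        } catch (IOException | UnsupportedCallbackException e) {
            HttpServerLogger.ROOT_LOGGER.debug("Unexpected authentication failure", e);
            return null;
        }
        // NOTE(review): authorize.isAuthorized() is never consulted; access is granted as long as
        // handle() returns normally. Confirm every realm handler throws on an authorization
        // failure rather than only leaving the callback unauthorized — if not,
        // `if (!authorize.isAuthorized()) return null;` belongs here.
        return createAccount(handler, principal);
    }

    /**
     * Asks the realm for the subject of an authenticated principal, attaches the client address
     * and wraps the result as the account Undertow attaches to the exchange.
     *
     * @return the account, or null when the realm cannot produce subject information
     */
    private Account createAccount(AuthorizingCallbackHandler handler, Principal principal) {
        try {
            SubjectUserInfo userInfo = handler.createSubjectUserInfo(Collections.singleton(principal));
            addInetPrincipal(userInfo.getSubject().getPrincipals());
            return new RealmIdentityAccount(userInfo.getSubject(), principal);
        } catch (IOException e) {
            HttpServerLogger.ROOT_LOGGER.debug("Unexpected authentication failure", e);
            return null;
        }
    }

    /** Adds the request's client address to the subject's principals when one was recorded. */
    private static void addInetPrincipal(Collection<Principal> principals) {
        InetAddress inetAddress = getInetAddress();
        if (inetAddress != null) {
            principals.add(new InetAddressPrincipal(inetAddress));
        }
    }

    /**
     * Guards each verify variant: the credential type Undertow handed over must agree with the
     * mechanism recorded for the request, so a credential of one mechanism cannot be verified by
     * the code path of another.
     *
     * @throws IllegalStateException if the request's mechanism is not one of {@code allowed}
     */
    private static void assertMechanism(AuthMechanism... allowed) {
        AuthMechanism current = getRequestMechanism();
        for (AuthMechanism mechanism : allowed) {
            if (current == mechanism) {
                return;
            }
        }
        throw new IllegalStateException("Unexpected authentication mechanism executing.");
    }
}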
