package com.day.crx.security.authentication;

import com.day.crx.CRXSession;
import com.day.crx.core.CRXSessionImpl;
import com.day.crx.security.PrincipalIterator;
import com.day.crx.security.principals.DefaultPrincipalProvider;
import com.day.crx.security.principals.PrincipalProviderRegistry;
import com.day.crx.security.spi.DigestCredentials;
import com.day.crx.security.spi.Impersonateable;
import com.day.crx.security.spi.PrincipalProvider;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/day/crx/security/authentication/AbstractLoginModule.class */
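/**
 * Skeleton of a JAAS {@link LoginModule} for a CRX repository.
 *
 * <p>The class drives the JAAS phases ({@code initialize}, {@code login}, {@code commit},
 * {@code abort}, {@code logout}) and leaves two decisions to subclasses: extra set-up in
 * {@link #doInit} and the password check in {@link #verifyPassword}.
 *
 * <p>{@link #login()} accepts an attempt on one of four paths: anonymous access (unless the
 * {@code deny_anonymous_access} option is {@code "true"}), trusted credentials
 * ({@link #isTrusted}), impersonation ({@link #impersonate}) or password authentication
 * ({@link #authenticate}). Only the last path looks at a password, so the first three are
 * the ones to review most closely when this module is deployed.
 *
 * <p>This listing is decompiler output. The raw collection types, the {@code class$} helper
 * and its cache fields come from the original bytecode and are kept.
 */
public abstract class AbstractLoginModule implements LoginModule {
    static final String CVS_ID = "$URL: http://svn.day.com/repos/crx/tags/crx-1.4.1-load3a/repository/crx-core/src/main/java/com/day/crx/security/authentication/AbstractLoginModule.java $ $Rev: 42191 $ $Date: 2008-09-30 14:04:49 +0200 (Tue, 30 Sep 2008) $";
    // Session obtained through SessionCallback in initialize(); cleared by abort().
    protected CRXSessionImpl session;
    // True when the "deny_anonymous_access" option equals "true" (case-insensitive).
    protected boolean denyAnonymous;
    // Name of the principal used for anonymous logins; only set when denyAnonymous is false.
    protected String anonymousPrincipal;
    // Principal accepted by login(); added to the Subject by commit().
    protected Principal principal;
    // Credentials accepted by login(); added to the Subject's public credentials by commit().
    protected SimpleCredentials credentials;
    // Set at the end of initialize(); login(), commit() and abort() do nothing while it is false.
    protected boolean initialized;
    protected CallbackHandler callbackHandler;
    protected Subject subject;
    // Provider used for user lookup and group membership.
    protected PrincipalProvider principalProvider;
    // First registered provider, kept only when it is a DefaultPrincipalProvider; may be null.
    protected DefaultPrincipalProvider defaultProvider;
    // Name of the credentials attribute whose presence marks credentials as trusted; null = off.
    protected String trustedKey;
    protected static final String ANONYMOUS_ID = "anonymous";
    protected static final String DEFAULT_ANONYMOUS_PRINCIPAL = "anonymous";
    protected static final String KEY_DENY_ANONYMOUS = "deny_anonymous_access";
    protected static final String KEY_TRUSTED_AUTHENTICATION = "trust_credentials_attribute";
    protected static final String KEY_ANONYMOUS_PRINCIPAL = "anonymous_principal";
    protected static final Logger log;
    protected static final String KEY_SIMPLE_CREDENTIALS = "com.day.crx.credentials.simple";
    protected static final String KEY_LOGIN_NAME = "javax.security.auth.login.name";
    protected static final String KEY_LOGIN_PWD = "javax.security.auth.login.password";
    // JAAS shared state handed to initialize(); shared with the other modules of the login stack.
    private Map sharedState;
    // Caches for the class$() lookups below (compiler-generated in the original bytecode).
    static Class class$com$day$crx$security$authentication$AbstractLoginModule;
    static Class class$com$day$crx$security$CRXPrincipal;
    static Class class$javax$jcr$SimpleCredentials;

    /**
     * Prepares the module for a login attempt.
     *
     * <p>Obtains the CRX session through a {@code SessionCallback}, selects the principal
     * provider (the first registered one, or the one named by the
     * {@code PrincipalProviderRegistry.PRINCIPAL_PROVIDER_NAME} option), calls {@link #doInit}
     * and reads the options {@code deny_anonymous_access}, {@code anonymous_principal} and
     * {@code trust_credentials_attribute}.
     *
     * <p>Any exception is logged and swallowed. {@code initialized} is only assigned on the
     * last line of the {@code try} block, so a failure leaves the module uninitialized and
     * {@link #login()} returns {@code false}.
     *
     * @param subject         subject to populate on commit
     * @param callbackHandler handler used for session, credentials, name and password callbacks
     * @param map             JAAS shared state
     * @param map2            module options from the login configuration
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        try {
            log.debug("initalize: ");
            Properties properties = new Properties();
            properties.putAll(map2);
            SessionCallback sessionCallback = new SessionCallback();
            callbackHandler.handle(new Callback[]{sessionCallback});
            CRXSessionImpl session = sessionCallback.getSession();
            if (session instanceof CRXSessionImpl) {
                this.session = session;
                this.principalProvider = this.session.getPrincipalProviderRegistry().getProviders()[0];
                if (this.principalProvider instanceof DefaultPrincipalProvider) {
                    this.defaultProvider = (DefaultPrincipalProvider) this.principalProvider;
                }
                if (properties.containsKey(PrincipalProviderRegistry.PRINCIPAL_PROVIDER_NAME)) {
                    this.principalProvider = this.session.getPrincipalProviderRegistry().getProvider(properties.getProperty(PrincipalProviderRegistry.PRINCIPAL_PROVIDER_NAME));
                }
                if (this.principalProvider == null) {
                    // Unknown provider name: fall back to the default provider. If that is null
                    // as well, the next line throws and the catch below keeps the module
                    // uninitialized.
                    this.principalProvider = this.defaultProvider;
                }
                log.debug("     : PrincipalProvider -> ''{}''", this.principalProvider.getClass().getName());
                doInit(callbackHandler, this.session, map2);
                this.denyAnonymous = map2.get(KEY_DENY_ANONYMOUS) != null && ((String) map2.get(KEY_DENY_ANONYMOUS)).equalsIgnoreCase("true");
                if (!this.denyAnonymous) {
                    this.anonymousPrincipal = properties.getProperty(KEY_ANONYMOUS_PRINCIPAL, "anonymous");
                }
                if (map2.containsKey(KEY_TRUSTED_AUTHENTICATION)) {
                    // From here on, credentials carrying this attribute are accepted without a
                    // password check; see isTrusted().
                    this.trustedKey = (String) map2.get(KEY_TRUSTED_AUTHENTICATION);
                    log.debug("     : Trust credenitials with following attribute -> ''{}''", this.trustedKey);
                }
                this.callbackHandler = callbackHandler;
                this.subject = subject;
                if (log.isDebugEnabled()) {
                    // NOTE(review): every option value is written to the debug log. Subclass
                    // options may hold secrets (bind passwords, keys) -- confirm before enabling
                    // debug logging in production.
                    for (Object key : map2.keySet()) {
                        log.debug("     : {} -> ''{}''", key, map2.get(key));
                    }
                }
            } else {
                log.error("LoginModule failed to intitialize: need a CRXSession");
            }
            this.sharedState = map;
            this.initialized = this.subject != null;
        } catch (Exception e) {
            log.error("LoginModule failed to initialize.", e);
        }
    }

    /**
     * Subclass hook called from {@link #initialize} after the principal provider is selected.
     *
     * @param callbackHandler handler passed to {@code initialize}
     * @param cRXSession      session obtained through the session callback
     * @param map             module options
     * @throws LoginException if the subclass cannot initialize; {@code initialize} logs it and
     *                        leaves the module uninitialized
     */
    protected abstract void doInit(CallbackHandler callbackHandler, CRXSession cRXSession, Map map) throws LoginException;

    /**
     * Runs the authentication phase.
     *
     * <p>Decision order for a resolved principal: anonymous, then trusted credentials, then
     * impersonation, then password authentication. The first matching path decides the
     * outcome; the trusted path accepts without calling {@link #impersonate} or
     * {@link #authenticate}.
     *
     * @return {@code true} when the attempt is accepted; {@code false} when the module is not
     *         initialized, the user is unknown, anonymous access is denied, impersonation is
     *         refused or a {@link RepositoryException} occurred
     * @throws LoginException when {@link #authenticate} rejects the password
     */
    public boolean login() throws LoginException {
        if (!this.initialized) {
            log.warn("Can't login initalization failed beforehand");
            return false;
        }
        Credentials credentials = getCredentials();
        if (credentials == null) {
            log.warn("login: no credentials available -> try anonymous authentication attempt");
        }
        try {
            Principal principal = getPrincipal(credentials);
            if (principal == null) {
                // The placeholder is never filled; getPrincipal() already logs the user id.
                log.debug("login: unkonwn User ''{}'' -> set to ignore");
                return false;
            }
            boolean accepted;
            if (isAnonymous(credentials)) {
                accepted = !this.denyAnonymous;
                if (!accepted) {
                    log.debug("login: no UserID found -> ignore authentication attemp");
                }
            } else if (isTrusted(credentials)) {
                // No password and no impersonation check on this path.
                accepted = true;
            } else if (isImpersonation(principal, credentials)) {
                accepted = impersonate(principal, credentials);
            } else {
                accepted = authenticate(principal, credentials);
            }
            if (!accepted) {
                return false;
            }
            // Non-simple credentials (e.g. digest) are replaced by password-less simple ones.
            this.credentials = credentials instanceof SimpleCredentials
                    ? (SimpleCredentials) credentials
                    : new SimpleCredentials(getUserID(credentials), new char[0]);
            this.principal = principal;
            return true;
        } catch (RepositoryException e) {
            // NOTE(review): a repository error returns false ("ignore this module") instead of
            // failing the login; what that means for the overall result depends on the control
            // flag this module has in the JAAS configuration.
            log.error("login: failed {}", e);
            return false;
        }
    }

    /**
     * Publishes the accepted principal, its group memberships and the credentials on the
     * subject.
     *
     * <p>NOTE(review): the {@link SimpleCredentials} object is added to the subject's
     * <em>public</em> credentials. If it still carries the password, any code that can read the
     * subject can read the password as well.
     *
     * @return {@code true} when principals and credentials were added; {@code false} when there
     *         is nothing to commit
     * @throws LoginException declared by the interface; propagated from {@link #abort()}
     */
    public boolean commit() throws LoginException {
        if (this.credentials == null) {
            abort();
        }
        if (!this.initialized || this.principal == null) {
            return false;
        }
        HashSet hashSet = new HashSet();
        hashSet.add(this.principal);
        PrincipalIterator groupMembership = this.principalProvider.getGroupMembership(this.principal);
        while (groupMembership.hasNext()) {
            hashSet.add(groupMembership.next());
        }
        this.subject.getPrincipals().addAll(hashSet);
        this.subject.getPublicCredentials().add(this.credentials);
        return true;
    }

    /**
     * Discards the state of a login attempt and then calls {@link #logout()}.
     *
     * <p>{@code subject} and {@code principalProvider} are kept; {@code logout()} needs the
     * subject.
     *
     * @return {@code false} when the module was never initialized, otherwise the result of
     *         {@link #logout()}
     * @throws LoginException declared by the interface
     */
    public boolean abort() throws LoginException {
        if (!this.initialized) {
            return false;
        }
        this.sharedState.remove(KEY_SIMPLE_CREDENTIALS);
        this.session = null;
        this.defaultProvider = null;
        this.callbackHandler = null;
        this.principal = null;
        this.credentials = null;
        return logout();
    }

    /**
     * Removes every {@code CRXPrincipal} and every {@link SimpleCredentials} from the subject.
     *
     * <p>{@code Subject.getPrincipals(Class)} and {@code Subject.getPublicCredentials(Class)}
     * return fresh copies that are not backed by the subject, so clearing those copies (as the
     * decompiled code did) left the subject untouched. The matches are therefore removed from
     * the subject's own sets. All matching entries are removed, not only those this module
     * added.
     *
     * @return {@code true} when the entries were removed; {@code false} when there is no
     *         subject or the subject is read-only
     * @throws LoginException declared by the interface
     */
    public boolean logout() throws LoginException {
        Subject current = this.subject;
        if (current == null) {
            // initialize() failed before a subject was stored.
            return false;
        }
        Set principals = current.getPrincipals(crxPrincipalClass());
        Set publicCredentials = current.getPublicCredentials(simpleCredentialsClass());
        if (principals == null || publicCredentials == null) {
            return false;
        }
        if (current.isReadOnly()) {
            // A read-only subject rejects modification; report that nothing was removed rather
            // than claiming a successful logout.
            log.warn("logout: subject is read-only, principals and credentials were not removed");
            return false;
        }
        current.getPrincipals().removeAll(principals);
        current.getPublicCredentials().removeAll(publicCredentials);
        return true;
    }

    /**
     * Checks the password of {@code credentials} through {@link #verifyPassword}.
     *
     * @param principal   principal resolved for the user id
     * @param credentials credentials of the attempt
     * @return {@code true} when the password is accepted; never {@code false}
     * @throws FailedLoginException when the password is rejected
     * @throws RepositoryException  declared for subclasses
     * @throws LoginException       propagated from {@link #verifyPassword}
     */
    protected boolean authenticate(Principal principal, Credentials credentials) throws RepositoryException, LoginException {
        if (verifyPassword(getUserID(credentials), principal, getPassword(credentials))) {
            return true;
        }
        throw new FailedLoginException("attempt to authenticate denied for " + principal);
    }

    /**
     * Tells whether the attempt carries no user id, an empty one or the id {@code "anonymous"}.
     * The decompiler reports that the original access modifier was {@code protected}.
     *
     * @param credentials credentials of the attempt; may be {@code null}
     * @return {@code true} for an anonymous attempt
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isAnonymous(Credentials credentials) {
        String userID = getUserID(credentials);
        return userID == null || "".equals(userID) || "anonymous".equals(userID);
    }

    /**
     * Tells whether the credentials are to be accepted without a password.
     *
     * <p>The check is only that a trust attribute name is configured and that the
     * {@link SimpleCredentials} carry a non-null attribute of that name; the attribute value is
     * not inspected. {@link #login()} accepts such credentials without calling
     * {@link #authenticate}. The option is therefore only safe where credentials attributes are
     * set exclusively by a component that has already authenticated the user; wherever the
     * party that supplies the credentials can also set attributes, it replaces the password
     * check with nothing.
     *
     * @param credentials credentials of the attempt
     * @return {@code true} when the configured trust attribute is present
     */
    protected boolean isTrusted(Credentials credentials) {
        return this.trustedKey != null
                && credentials instanceof SimpleCredentials
                && ((SimpleCredentials) credentials).getAttribute(this.trustedKey) != null;
    }

    /**
     * Returns the JAAS shared state passed to {@link #initialize}.
     *
     * @return the shared-state map; {@code null} before a successful {@code initialize}
     */
    protected Map getSharedState() {
        return this.sharedState;
    }

    /**
     * Resolves the principal for a login attempt.
     *
     * <p>Anonymous attempts resolve to the configured anonymous principal or, when the provider
     * does not know it, to the default provider's "everyone" principal. Other attempts resolve
     * to the first user the provider finds for the id.
     *
     * @param credentials credentials of the attempt; may be {@code null}
     * @return the principal, or {@code null} when no user matches the id
     */
    protected Principal getPrincipal(Credentials credentials) {
        Principal principal = null;
        if (credentials == null || isAnonymous(credentials)) {
            // NOTE(review): defaultProvider is null when the first registered provider is not a
            // DefaultPrincipalProvider or after abort(); this branch then throws.
            principal = this.principalProvider.hasPrincipal(this.anonymousPrincipal) ? this.principalProvider.getPrincipal(this.anonymousPrincipal) : this.defaultProvider.getEveryone();
        } else {
            String userID = getUserID(credentials);
            Principal[] findUser = this.principalProvider.findUser(userID);
            if (findUser == null || findUser.length == 0) {
                log.debug("login: unkonwn User for ID ''{}'' -> set to ignore", userID);
            } else {
                principal = findUser[0];
                if (findUser.length > 1) {
                    // Ambiguous ids are resolved by position only; which account comes first is
                    // up to the provider.
                    log.warn("login: found multiple users with id ''{}'' -> took first", userID);
                }
            }
        }
        return principal;
    }

    /**
     * Tells whether the attempt names an impersonating subject.
     *
     * @param principal   principal to log in as (not used here)
     * @param credentials credentials of the attempt
     * @return {@code true} when {@link #getImpersonator} finds a subject
     */
    protected boolean isImpersonation(Principal principal, Credentials credentials) {
        return getImpersonator(credentials) != null;
    }

    /**
     * Decides whether the impersonating subject may log in as {@code principal}.
     *
     * <p>After the first test, impersonation is granted when the subject already contains the
     * principal, when the principal allows it, or when one of the principal's groups allows it.
     *
     * @param principal   principal to log in as
     * @param credentials credentials naming the impersonating subject
     * @return {@code true} when impersonation is allowed; {@code false} otherwise, including
     *         when no impersonating subject is available
     * @throws RepositoryException if the admin principal cannot be obtained
     * @throws LoginException      declared for subclasses
     */
    protected boolean impersonate(Principal principal, Credentials credentials) throws RepositoryException, LoginException {
        Subject impersonator = getImpersonator(credentials);
        if (impersonator == null) {
            // verifyImpersonator() reaches this method without an isImpersonation() check.
            return false;
        }
        // NOTE(review): as decompiled, the first operand grants impersonation whenever the
        // impersonating subject does NOT hold the admin principal, which would let any
        // non-admin subject impersonate any user. This looks inverted; check the bytecode of
        // the deployed class before drawing conclusions from this listing.
        if (!impersonator.getPrincipals().contains(this.session.getPrincipalManager().getAdmin()) || impersonator.getPrincipals(principal.getClass()).contains(principal) || isImpersonateableBy(impersonator, principal)) {
            return true;
        }
        PrincipalIterator groupMembership = this.principalProvider.getGroupMembership(principal);
        while (groupMembership.hasNext()) {
            if (isImpersonateableBy(impersonator, (Principal) groupMembership.next())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Finds the credentials of the current attempt.
     *
     * <p>Sources, in order: the shared-state entry {@code com.day.crx.credentials.simple}, a
     * {@code CredentialsCallback}, and finally {@link SimpleCredentials} already present in the
     * subject's public credentials. Simple credentials obtained from the callback are stored in
     * the shared state for the other modules of the stack. The decompiler reports that the
     * original access modifier was {@code protected}.
     *
     * @return the credentials, or {@code null} when none are available
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public Credentials getCredentials() {
        SimpleCredentials simpleCredentials = null;
        if (this.sharedState.containsKey(KEY_SIMPLE_CREDENTIALS)) {
            simpleCredentials = (SimpleCredentials) this.sharedState.get(KEY_SIMPLE_CREDENTIALS);
        } else {
            try {
                CredentialsCallback credentialsCallback = new CredentialsCallback();
                this.callbackHandler.handle(new Callback[]{credentialsCallback});
                Credentials fromCallback = credentialsCallback.getCredentials();
                if (fromCallback instanceof SimpleCredentials) {
                    simpleCredentials = (SimpleCredentials) fromCallback;
                    this.sharedState.put(KEY_SIMPLE_CREDENTIALS, simpleCredentials);
                    log.debug("login: found authentication attempt: take those credentials");
                } else if (fromCallback instanceof DigestCredentials) {
                    return fromCallback;
                }
            } catch (IOException e) {
                log.error("login: Credentials-Callback failed: " + e.getMessage() + ": try Name-Callback");
            } catch (UnsupportedCallbackException e2) {
                log.warn("login: Credentials-Callback not supported try Name-Callback");
            }
        }
        if (null == simpleCredentials) {
            Set existing = this.subject.getPublicCredentials(simpleCredentialsClass());
            if (!existing.isEmpty()) {
                simpleCredentials = (SimpleCredentials) existing.iterator().next();
                log.debug("login: found pre-authenticated subject: take those credentials");
            }
        }
        return simpleCredentials;
    }

    /**
     * Determines the user id of the attempt.
     *
     * <p>Sources, in order: the credentials, a {@link NameCallback}, and the shared-state entry
     * {@code javax.security.auth.login.name}. The decompiler reports that the original access
     * modifier was {@code protected}.
     *
     * @param credentials credentials of the attempt; may be {@code null}
     * @return the user id, or {@code null} when no source provides one
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public String getUserID(Credentials credentials) {
        String str = null;
        if (credentials instanceof SimpleCredentials) {
            str = ((SimpleCredentials) credentials).getUserID();
        } else if (credentials instanceof DigestCredentials) {
            str = ((DigestCredentials) credentials).getUserID();
        }
        if (str == null) {
            try {
                NameCallback nameCallback = new NameCallback("User-ID: ");
                this.callbackHandler.handle(new Callback[]{nameCallback});
                str = nameCallback.getName();
            } catch (IOException e) {
                log.error("login: Name-Callback failed: " + e.getMessage());
            } catch (UnsupportedCallbackException e2) {
                log.warn("login: failed: Credentials- or NameCallback must be supported");
            }
        }
        if (str == null && getSharedState().containsKey(KEY_LOGIN_NAME)) {
            str = (String) getSharedState().get(KEY_LOGIN_NAME);
            log.debug("login: no userId found, fallback to shared userId {}", str);
        }
        return str;
    }

    /**
     * Finds the subject on whose behalf an impersonation is requested.
     *
     * <p>Without credentials an {@code ImpersonationCallback} is used; with
     * {@link SimpleCredentials} the subject is read from the attribute
     * {@code org.apache.jackrabbit.core.security.impersonator}. As with the trust attribute,
     * the value is taken from the credentials as supplied, so it is only as trustworthy as the
     * component that built them. The decompiler reports that the original access modifier was
     * {@code protected}.
     *
     * @param credentials credentials of the attempt; may be {@code null}
     * @return the impersonating subject, or {@code null} when none is named
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public Subject getImpersonator(Credentials credentials) {
        Subject subject = null;
        if (null == credentials) {
            try {
                ImpersonationCallback impersonationCallback = new ImpersonationCallback();
                this.callbackHandler.handle(new Callback[]{impersonationCallback});
                subject = impersonationCallback.getImpersonator();
            } catch (IOException e) {
                log.error("login: Impersonation-Callback failed: " + e.getMessage() + ": Impersionation is not possible");
            } catch (UnsupportedCallbackException e2) {
                log.warn("login: " + e2.getCallback().getClass().getName() + " not supported: Impersionation is not possible");
            }
        } else if (credentials instanceof SimpleCredentials) {
            subject = (Subject) ((SimpleCredentials) credentials).getAttribute("org.apache.jackrabbit.core.security.impersonator");
        }
        return subject;
    }

    /**
     * Determines the password of the attempt.
     *
     * <p>Sources, in order: the {@link SimpleCredentials}, a {@link PasswordCallback}, and the
     * shared-state entry {@code javax.security.auth.login.password}. The shared entry is
     * accepted as {@code String} (what the decompiled code expected) or as {@code char[]} (what
     * the JDK's own login modules store under that key); other values are ignored.
     *
     * @param credentials credentials of the attempt; may be {@code null}
     * @return the password; may be {@code null} or empty when no source provides one, so
     *         {@link #verifyPassword} implementations must reject those values themselves
     */
    protected char[] getPassword(Credentials credentials) {
        char[] cArr = new char[0];
        if (credentials != null && (credentials instanceof SimpleCredentials)) {
            cArr = ((SimpleCredentials) credentials).getPassword();
        }
        if (cArr == null || cArr.length == 0) {
            try {
                PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
                this.callbackHandler.handle(new Callback[]{passwordCallback});
                cArr = passwordCallback.getPassword();
            } catch (IOException e) {
                log.error("login: Password-Callback failed: " + e.getMessage() + ": empty-passwords not allowed");
            } catch (UnsupportedCallbackException e2) {
                log.warn("login: " + e2.getCallback().getClass().getName());
            }
        }
        if ((cArr == null || cArr.length == 0) && getSharedState().containsKey(KEY_LOGIN_PWD)) {
            Object shared = getSharedState().get(KEY_LOGIN_PWD);
            if (shared instanceof char[]) {
                cArr = (char[]) shared;
                log.debug("login: Fallback to use Password from shared state");
            } else if (shared instanceof String) {
                cArr = ((String) shared).toCharArray();
                log.debug("login: Fallback to use Password from shared state");
            }
        }
        return cArr;
    }

    /**
     * Subclass hook that checks a password for a user.
     *
     * @param str       user id of the attempt
     * @param principal principal resolved for the user id
     * @param cArr      password as returned by {@link #getPassword}; may be {@code null} or empty
     * @return {@code true} when the password is valid
     * @throws LoginException if verification cannot be carried out
     */
    protected abstract boolean verifyPassword(String str, Principal principal, char[] cArr) throws LoginException;

    /**
     * Checks a password against a stored value of the form {@code {algorithm}digest}.
     *
     * <p>The digests are compared with {@code MessageDigest.isEqual} so that the comparison
     * time does not depend on how many leading characters match. Two weaknesses remain and are
     * inherent to the stored format and the {@code Text.digest} signature used here: the digest
     * is computed from the password alone (no salt or work factor is visible in this listing),
     * and the password is copied into an immutable {@code String} that cannot be wiped.
     *
     * @param str  stored value, {@code {algorithm}} followed by the digest
     * @param cArr password to check
     * @return {@code true} when the digest of the password equals the stored digest;
     *         {@code false} otherwise, including for {@code null} arguments, a malformed stored
     *         value or an unknown algorithm
     */
    public static boolean verifyCrypted(String str, char[] cArr) {
        if (str == null || cArr == null) {
            return false;
        }
        int close = str.indexOf("}");
        if (!str.startsWith("{") || close < 0) {
            return false;
        }
        String algorithm = str.substring(1, close);
        try {
            String expected = str.substring(close + 1);
            String actual = Text.digest(algorithm, new String(cArr), "UTF-8");
            if (actual == null) {
                return false;
            }
            return java.security.MessageDigest.isEqual(expected.getBytes("UTF-8"), actual.getBytes("UTF-8"));
        } catch (UnsupportedEncodingException e) {
            log.error("tried to verify password against unsupported encoding: UTF-8");
        } catch (NoSuchAlgorithmException e2) {
            log.error("tried to verify password against unsupported encryption: " + algorithm);
        }
        return false;
    }

    /**
     * Runs the impersonation check for the credentials of the current attempt.
     *
     * @param subject   not used by this implementation
     * @param str       not used by this implementation
     * @param principal principal to log in as
     * @return the result of {@link #impersonate}
     * @throws LoginException when the repository reports an error; the original exception is
     *                        attached as cause
     */
    protected boolean verifyImpersonator(Subject subject, String str, Principal principal) throws LoginException {
        try {
            return impersonate(principal, getCredentials());
        } catch (RepositoryException e) {
            LoginException failure = new LoginException(e.getMessage());
            failure.initCause(e);
            throw failure;
        }
    }

    // Asks the principal whether the subject may impersonate it; principals that do not
    // implement Impersonateable never allow it.
    private boolean isImpersonateableBy(Subject subject, Principal principal) {
        if (principal instanceof Impersonateable) {
            return ((Impersonateable) principal).isImpersonateableBy(subject);
        }
        log.debug("verifyImpersonation: checked non-local principal -> false");
        return false;
    }

    // Returns the CRXPrincipal class, resolved by name once and cached in the static field.
    private static Class crxPrincipalClass() {
        Class cls = class$com$day$crx$security$CRXPrincipal;
        if (cls == null) {
            cls = class$("com.day.crx.security.CRXPrincipal");
            class$com$day$crx$security$CRXPrincipal = cls;
        }
        return cls;
    }

    // Returns the SimpleCredentials class, resolved by name once and cached in the static field.
    private static Class simpleCredentialsClass() {
        Class cls = class$javax$jcr$SimpleCredentials;
        if (cls == null) {
            cls = class$("javax.jcr.SimpleCredentials");
            class$javax$jcr$SimpleCredentials = cls;
        }
        return cls;
    }

    /**
     * Loads a class by name (compiler-generated helper for class literals in old bytecode).
     *
     * @param str fully qualified class name
     * @return the class
     * @throws NoClassDefFoundError when the class cannot be found; the
     *                              {@link ClassNotFoundException} is attached as cause
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            NoClassDefFoundError error = new NoClassDefFoundError();
            error.initCause(e);
            throw error;
        }
    }

    static {
        Class cls;
        if (class$com$day$crx$security$authentication$AbstractLoginModule == null) {
            cls = class$("com.day.crx.security.authentication.AbstractLoginModule");
            class$com$day$crx$security$authentication$AbstractLoginModule = cls;
        } else {
            cls = class$com$day$crx$security$authentication$AbstractLoginModule;
        }
        log = LoggerFactory.getLogger(cls);
    }
}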
