package oracle.kv.impl.security.login;

import java.util.Iterator;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import oracle.kv.AuthenticationFailureException;
import oracle.kv.AuthenticationRequiredException;
import oracle.kv.LoginCredentials;
import oracle.kv.PasswordCredentials;
import oracle.kv.impl.admin.param.GlobalParams;
import oracle.kv.impl.security.PasswordExpiredException;
import oracle.kv.impl.security.PasswordRenewResult;
import oracle.kv.impl.security.PasswordRenewer;
import oracle.kv.impl.security.ProxyCredentials;
import oracle.kv.impl.security.SessionAccessException;
import oracle.kv.impl.security.UserVerifier;
import oracle.kv.impl.security.login.LoginSession;
import oracle.kv.impl.security.login.SessionId;
import oracle.kv.impl.security.login.UserLoginCallbackHandler;
import oracle.kv.impl.security.metadata.KVStoreUser;
import oracle.kv.impl.security.metadata.SecurityMDChange;
import oracle.kv.impl.security.metadata.SecurityMetadata;
import oracle.kv.impl.topo.ResourceId;
import oracle.kv.impl.util.server.LoggerUtils;

/* loaded from: input_file:oracle/kv/impl/security/login/UserLoginHandler.class */
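/**
 * Handles user login, password renewal on login, session extension, token
 * validation and logout on top of a {@link SessionManager} and a
 * {@link UserVerifier}.
 *
 * <p>Failed logins are reported to a {@link LoginErrorTracker}, which is
 * consulted before every credential check so that a locked account is
 * rejected without verifying the supplied credentials.
 *
 * <p>Mutable configuration is held in {@code volatile} fields; each field is
 * updated on its own, so {@link #updateConfig(LoginConfig)} is not atomic
 * with respect to a login running concurrently.
 */
public class UserLoginHandler {
    /* Not referenced in this class. */
    public static final int SESSION_ID_RANDOM_BYTES = 16;

    /*
     * Fallbacks applied by makeErrorTracker when the configured value is 0.
     * NOTE(review): buildLoginConfig supplies the interval and timeout in
     * milliseconds, while these defaults are 600 -- confirm which unit
     * LoginErrorTracker expects.
     */
    private static final int DEF_ACCT_ERR_LCK_INT = 600;
    private static final int DEF_ACCT_ERR_LCK_CNT = 10;
    private static final int DEF_ACCT_ERR_LCK_TMO = 600;

    private volatile ResourceId ownerId;
    private volatile boolean localOwnerId;
    private final SessionManager sessMgr;
    private final UserVerifier userVerifier;
    /* May be null, in which case renewPasswordLogin is rejected. */
    private final PasswordRenewer passwordRenewer;
    /* Added to the current time to get a session's expire time; 0 yields an expire time of 0. */
    private volatile long sessionLifetime;
    private volatile boolean allowExtension;
    protected volatile Logger logger;
    private volatile LoginErrorTracker errorTracker;

    /**
     * Mutable holder for the session and account-lockout settings used by
     * {@link UserLoginHandler}. Setters return {@code this} for chaining.
     */
    public static class LoginConfig {
        private long sessionLifetime;
        private boolean allowExtension;
        private long acctErrLockoutInt;
        private int acctErrLockoutCnt;
        private long acctErrLockoutTMO;

        public LoginConfig setSessionLifetime(long j) {
            this.sessionLifetime = j;
            return this;
        }

        public LoginConfig setAllowExtension(boolean z) {
            this.allowExtension = z;
            return this;
        }

        public LoginConfig setAcctErrLockoutInt(long j) {
            this.acctErrLockoutInt = j;
            return this;
        }

        public LoginConfig setAcctErrLockoutCnt(int i) {
            this.acctErrLockoutCnt = i;
            return this;
        }

        public LoginConfig setAcctErrLockoutTMO(long j) {
            this.acctErrLockoutTMO = j;
            return this;
        }

        /**
         * Returns a field-by-field copy of this configuration.
         *
         * <p>The method name is the decompiler's rename of {@code clone}
         * (merged with its bridge method); it is kept so existing references
         * to this listing still resolve.
         */
        public LoginConfig m708clone() {
            LoginConfig copy = new LoginConfig();
            copy.sessionLifetime = this.sessionLifetime;
            copy.allowExtension = this.allowExtension;
            copy.acctErrLockoutInt = this.acctErrLockoutInt;
            copy.acctErrLockoutCnt = this.acctErrLockoutCnt;
            copy.acctErrLockoutTMO = this.acctErrLockoutTMO;
            return copy;
        }

        /**
         * Builds a configuration from the store-wide parameters.
         *
         * <p>Durations are converted to milliseconds and kept as {@code long}.
         * They were previously narrowed to {@code int} before being stored in
         * {@code long} fields, so a lockout interval or timeout above
         * {@code Integer.MAX_VALUE} ms (about 24.8 days) wrapped around and
         * could come out negative.
         *
         * @param globalParams the global parameters, or {@code null}
         * @return a new configuration; all fields are left at their zero
         *         values when {@code globalParams} is {@code null}
         */
        public static LoginConfig buildLoginConfig(GlobalParams globalParams) {
            LoginConfig config = new LoginConfig();
            if (globalParams == null) {
                return config;
            }
            long sessionMillis =
                globalParams.getSessionTimeoutUnit().toMillis(globalParams.getSessionTimeout());
            long lockoutTimeoutMillis =
                globalParams.getAcctErrLockoutTimeoutUnit().toMillis(globalParams.getAcctErrLockoutTimeout());
            long lockoutIntervalMillis =
                globalParams.getAcctErrLockoutThrIntUnit().toMillis(globalParams.getAcctErrLockoutThrInt());
            return config
                .setAcctErrLockoutCnt(globalParams.getAcctErrLockoutThrCount())
                .setSessionLifetime(sessionMillis)
                .setAllowExtension(globalParams.getSessionExtendAllow())
                .setAcctErrLockoutTMO(lockoutTimeoutMillis)
                .setAcctErrLockoutInt(lockoutIntervalMillis);
        }
    }

    /**
     * Creates a login handler.
     *
     * @param resourceId owner recorded in non-persistent session ids
     * @param z whether the owner id is local; selects the session id scope
     *        (see {@link #getScope()})
     * @param userVerifier verifies credentials and session subjects
     * @param passwordRenewer renews expired passwords; may be {@code null}
     * @param sessionManager creates, looks up and updates sessions
     * @param loginConfig session and lockout settings; must not be null
     * @param logger destination for diagnostic and audit records
     */
    public UserLoginHandler(ResourceId resourceId, boolean z, UserVerifier userVerifier, PasswordRenewer passwordRenewer, SessionManager sessionManager, LoginConfig loginConfig, Logger logger) {
        this.logger = logger;
        this.ownerId = resourceId;
        this.localOwnerId = z;
        this.sessMgr = sessionManager;
        this.userVerifier = userVerifier;
        this.passwordRenewer = passwordRenewer;
        this.sessionLifetime = loginConfig.sessionLifetime;
        this.allowExtension = loginConfig.allowExtension;
        this.errorTracker = makeErrorTracker(loginConfig);
    }

    /**
     * Creates a fresh error tracker from the lockout settings, substituting
     * the class defaults for any setting that is 0.
     */
    private LoginErrorTracker makeErrorTracker(LoginConfig loginConfig) {
        long lockoutInterval =
            loginConfig.acctErrLockoutInt == 0 ? DEF_ACCT_ERR_LCK_INT : loginConfig.acctErrLockoutInt;
        int lockoutCount =
            loginConfig.acctErrLockoutCnt == 0 ? DEF_ACCT_ERR_LCK_CNT : loginConfig.acctErrLockoutCnt;
        long lockoutTimeout =
            loginConfig.acctErrLockoutTMO == 0 ? DEF_ACCT_ERR_LCK_TMO : loginConfig.acctErrLockoutTMO;
        return new LoginErrorTracker(lockoutInterval, lockoutCount, lockoutTimeout, this.logger);
    }

    /**
     * Logs a user in with directly supplied credentials.
     *
     * <p>{@link ProxyCredentials} are refused here; they are only accepted
     * through {@link #proxyLogin(ProxyCredentials, String)}.
     *
     * @param loginCredentials the credentials to verify
     * @param str passed to the error tracker, the audit record and the
     *        session manager (presumably the client host -- confirm)
     * @return the login result carrying the new login token
     * @throws AuthenticationFailureException if the credentials are missing,
     *         are proxy credentials, the account is locked, or verification
     *         fails
     */
    public LoginResult login(LoginCredentials loginCredentials, String str) throws AuthenticationFailureException {
        if (loginCredentials instanceof ProxyCredentials) {
            throw new AuthenticationFailureException("Invalid use of ProxyCredentials.");
        }
        return loginInternal(loginCredentials, str);
    }

    /**
     * Renews an expired password and, on success, logs in with the new one.
     *
     * <p>The current credentials are verified first. Only when verification
     * reports an expired password is the renewal attempted; every other
     * outcome ends in an {@link AuthenticationFailureException}.
     *
     * <p>A verification that returns no subject is reported to the error
     * tracker and audited, as a failed login is. Without that, this entry
     * point could be used to test passwords without the attempts counting
     * towards account lockout.
     *
     * @param loginCredentials the current (expired) credentials
     * @param cArr the new password
     * @param str passed to the error tracker, the audit record and the
     *        session manager (presumably the client host -- confirm)
     * @return the login result of logging in with the new password
     * @throws AuthenticationFailureException if renewal is unsupported, the
     *         credentials are missing or are proxy credentials, the account
     *         is locked, or the renewal does not succeed
     */
    public LoginResult renewPasswordLogin(LoginCredentials loginCredentials, char[] cArr, String str) throws AuthenticationFailureException {
        if (this.passwordRenewer == null) {
            throw new AuthenticationFailureException(new UnsupportedOperationException("Could not renew password"));
        }
        if (loginCredentials instanceof ProxyCredentials) {
            throw new AuthenticationFailureException("Invalid use of ProxyCredentials.");
        }
        if (loginCredentials == null) {
            throw new AuthenticationFailureException("No credentials provided.");
        }
        String username = loginCredentials.getUsername();
        if (this.errorTracker.isAccountLocked(username, str)) {
            throw new AuthenticationFailureException("User account is locked.");
        }
        String renewMessage = null;
        Subject verified = null;
        boolean passwordExpired = false;
        try {
            verified = this.userVerifier.verifyUser(loginCredentials, null);
        } catch (PasswordExpiredException e) {
            passwordExpired = true;
            PasswordRenewResult renewal = this.passwordRenewer.renewPassword(username, cArr);
            renewMessage = renewal.getMessage();
            if (renewal.isSuccess()) {
                return loginInternal(new PasswordCredentials(username, cArr), str);
            }
        }
        /*
         * loginInternal treats a null subject as a failed authentication; the
         * same meaning is assumed here. A non-null subject (valid, unexpired
         * password) or a rejected new password is not a credential failure.
         */
        if (!passwordExpired && verified == null) {
            recordLoginFailure(username, str);
        }
        throw new AuthenticationFailureException("Renew password failed" + (renewMessage != null ? ": " + renewMessage : ""));
    }

    /**
     * Logs in with proxy credentials. No check is made here on who the
     * caller is; NOTE(review): callers are presumably expected to have
     * authorized the proxy request already -- confirm at the call sites.
     */
    public LoginResult proxyLogin(ProxyCredentials proxyCredentials, String str) throws AuthenticationFailureException {
        return loginInternal(proxyCredentials, str);
    }

    /**
     * Extends the lifetime of the session named by a login token.
     *
     * @param loginToken the token of the session to extend; may be null
     * @return a token with the new expire time, or {@code null} if the token
     *         is null, extension is disabled, the session is unknown or
     *         expired, or the session manager could not update it
     * @throws SessionAccessException if the session store cannot be accessed
     */
    public LoginToken requestSessionExtension(LoginToken loginToken) throws SessionAccessException {
        if (loginToken == null) {
            return null;
        }
        if (!this.allowExtension) {
            this.logger.fine("Session extend not allowed");
            return null;
        }
        LoginSession session = this.sessMgr.lookupSession(new LoginSession.Id(loginToken.getSessionId().getIdValue()));
        if (session == null || session.isExpired()) {
            /* Only the hashed id is logged, never the session id itself. */
            this.logger.info("Session " + loginToken.getSessionId().hashId() + ": extend failed due to expiration");
            return null;
        }
        long newExpireTime = defaultExpireTime();
        this.logger.info("Session extend allowed");
        LoginSession updated = this.sessMgr.updateSessionExpiration(session.getId(), newExpireTime);
        if (updated == null) {
            this.logger.info("Session " + session.getId().hashId() + ": update failed");
            return null;
        }
        return toLoginToken(updated);
    }

    /**
     * Resolves a login token to the subject of its session.
     *
     * @param loginToken the token to validate; may be null
     * @return the result of re-verifying the session's subject with the user
     *         verifier, or {@code null} if the token is null or the session
     *         is unknown or expired
     * @throws SessionAccessException if the session store cannot be accessed
     */
    public Subject validateLoginToken(LoginToken loginToken) throws SessionAccessException {
        if (loginToken == null) {
            return null;
        }
        LoginSession session = this.sessMgr.lookupSession(new LoginSession.Id(loginToken.getSessionId().getIdValue()));
        if (session == null) {
            this.logger.info("Failed to find the session with " + this.ownerId + " login token " + loginToken.hashId());
            return null;
        }
        if (session.isExpired()) {
            this.logger.info("User login token " + loginToken.hashId() + " is expired");
            return null;
        }
        /* The stored subject is re-checked on every validation rather than trusted as cached. */
        return this.userVerifier.verifyUser(session.getSubject());
    }

    /**
     * Ends the session named by a login token.
     *
     * @throws AuthenticationRequiredException if the token is null or its
     *         session is unknown or expired
     * @throws SessionAccessException if the session store cannot be accessed
     */
    public void logout(LoginToken loginToken) throws AuthenticationRequiredException, SessionAccessException {
        if (loginToken == null) {
            throw new AuthenticationRequiredException("LoginToken is null", true);
        }
        LoginSession session = this.sessMgr.lookupSession(new LoginSession.Id(loginToken.getSessionId().getIdValue()));
        if (session == null || session.isExpired()) {
            throw new AuthenticationRequiredException("session is not valid", true);
        }
        this.sessMgr.logoutSession(session.getId());
    }

    /**
     * Applies a user change from the security metadata to that user's
     * sessions: every session found for the user gets the subject built from
     * the changed user definition. Changes to other element types are
     * ignored.
     *
     * @throws SessionAccessException if the session store cannot be accessed
     */
    public void updateSessionSubject(SecurityMDChange securityMDChange) throws SessionAccessException {
        if (securityMDChange.getElementType() != SecurityMetadata.SecurityElementType.KVSTOREUSER) {
            return;
        }
        KVStoreUser user = (KVStoreUser) securityMDChange.getElement();
        Subject refreshedSubject = user.makeKVSubject();
        Iterator<LoginSession.Id> sessionIds = this.sessMgr.lookupSessionByUser(user.getName()).iterator();
        while (sessionIds.hasNext()) {
            this.sessMgr.updateSessionSubject(sessionIds.next(), refreshedSubject);
        }
    }

    /**
     * Creates a session with the default expire time.
     *
     * <p>The decompiler reports that this method's access modifier was
     * changed from {@code protected}; it is left {@code public} as listed.
     */
    public LoginToken createLoginSession(Subject subject, String str) {
        return createLoginSession(subject, str, -1L);
    }

    /**
     * Creates a session for an authenticated subject and returns its token.
     *
     * @param subject the authenticated subject
     * @param str passed to the session manager (presumably the client host
     *        -- confirm)
     * @param j the expire time, or -1 to derive it from the configured
     *        session lifetime
     */
    protected LoginToken createLoginSession(Subject subject, String str, long j) {
        long expireTime = (j == -1) ? defaultExpireTime() : j;
        return toLoginToken(this.sessMgr.createSession(subject, str, expireTime));
    }

    /** Returns LOCAL scope when the owner id is local, STORE scope otherwise. */
    protected SessionId.IdScope getScope() {
        return this.localOwnerId ? SessionId.IdScope.LOCAL : SessionId.IdScope.STORE;
    }

    /**
     * Applies new session and lockout settings.
     *
     * <p>The error tracker is replaced by a newly constructed one.
     * NOTE(review): nothing here carries failure counts or existing lockouts
     * over to the new tracker, so a configuration update may clear them --
     * confirm against LoginErrorTracker.
     */
    public void updateConfig(LoginConfig loginConfig) {
        this.sessionLifetime = loginConfig.sessionLifetime;
        this.allowExtension = loginConfig.allowExtension;
        this.errorTracker = makeErrorTracker(loginConfig);
    }

    /**
     * Shared login path: rejects missing credentials and locked accounts,
     * verifies the credentials, records the outcome with the error tracker
     * and the audit log, and creates the session.
     *
     * <p>A login that fails because the password has expired is recorded as
     * a login error like any other failure, and the
     * {@link PasswordExpiredException} is rethrown to the caller.
     */
    private LoginResult loginInternal(LoginCredentials loginCredentials, String str) throws AuthenticationFailureException {
        if (loginCredentials == null) {
            throw new AuthenticationFailureException("No credentials provided.");
        }
        String username = loginCredentials.getUsername();
        if (this.errorTracker.isAccountLocked(username, str)) {
            throw new AuthenticationFailureException("User account is locked.");
        }
        UserLoginCallbackHandler callbackHandler = new UserLoginCallbackHandler(this.logger);
        Subject subject = null;
        try {
            subject = this.userVerifier.verifyUser(loginCredentials, callbackHandler);
        } catch (PasswordExpiredException e) {
            handleLoginFailure(username, str, e);
        }
        if (subject == null) {
            /* Always throws, so the code below only runs for a verified subject. */
            handleLoginFailure(username, str, null);
        }
        this.errorTracker.noteLoginSuccess(username, str);
        this.logger.log(LoggerUtils.SecurityLevel.SEC_INFO, LoggerUtils.KVAuditInfo.success(username, str, "LOGIN"));

        /* The verifier may supply its own expire time through the callback handler. */
        UserLoginCallbackHandler.UserSessionInfo sessionInfo = callbackHandler.getUserSessionInfo();
        long expireTime = (sessionInfo != null) ? sessionInfo.getExpireTime() : -1L;
        LoginToken token = createLoginSession(subject, str, expireTime);

        LoginResult result = callbackHandler.getLoginResult();
        if (result == null) {
            result = new LoginResult();
        }
        return result.setLoginToken(token);
    }

    /**
     * Records a failed login and always throws: the given expired-password
     * exception when there is one, otherwise a generic authentication
     * failure that does not say which part of the credentials was wrong.
     */
    private void handleLoginFailure(String str, String str2, PasswordExpiredException passwordExpiredException) throws AuthenticationFailureException {
        recordLoginFailure(str, str2);
        if (passwordExpiredException != null) {
            throw passwordExpiredException;
        }
        throw new AuthenticationFailureException("Authentication failed");
    }

    /** Counts a failed login towards account lockout and writes the audit record. */
    private void recordLoginFailure(String username, String str) {
        this.errorTracker.noteLoginError(username, str);
        this.logger.log(LoggerUtils.SecurityLevel.SEC_WARNING, LoggerUtils.KVAuditInfo.failure(username, str, "LOGIN", "Login Failed"));
    }

    /**
     * Expire time derived from the configured lifetime: 0 when the lifetime
     * is 0, otherwise now plus the lifetime. The volatile field is read once
     * so the zero check and the sum use the same value.
     */
    private long defaultExpireTime() {
        long lifetime = this.sessionLifetime;
        return lifetime == 0 ? 0L : System.currentTimeMillis() + lifetime;
    }

    /**
     * Builds the token for a session. A persistent session's id carries only
     * the id value; any other session's id also carries this handler's scope
     * and owner.
     */
    private LoginToken toLoginToken(LoginSession session) {
        SessionId sessionId = session.isPersistent()
            ? new SessionId(session.getId().getValue())
            : new SessionId(session.getId().getValue(), getScope(), this.ownerId);
        return new LoginToken(sessionId, session.getExpireTime());
    }

    /** Replaces the owner id; the new owner is always treated as non-local. */
    public void updateOwner(ResourceId resourceId) {
        this.ownerId = resourceId;
        this.localOwnerId = false;
    }

    public ResourceId getOwnerId() {
        return this.ownerId;
    }

    /**
     * Replaces the logger used by this handler. The current error tracker
     * keeps the logger it was constructed with.
     */
    public void resetLogger(Logger logger) {
        this.logger = logger;
    }
}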
