package org.openremote.container.security.basic;

import io.undertow.UndertowMessages;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.AuthenticationMechanismFactory;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.idm.PasswordCredential;
import io.undertow.security.impl.BasicAuthenticationMechanism;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.form.FormParserFactory;
import io.undertow.servlet.api.AuthMethodConfig;
import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.servlet.api.LoginConfig;
import io.undertow.util.Headers;
import jakarta.persistence.NoResultException;
import jakarta.persistence.NonUniqueResultException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import org.openremote.container.persistence.PersistenceService;
import org.openremote.container.security.IdentityProvider;
import org.openremote.model.Container;

/* loaded from: input_file:org/openremote/container/security/basic/BasicIdentityProvider.class */
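/**
 * Identity provider that authenticates HTTP Basic credentials against the
 * {@code PUBLIC.USER_ENTITY} table through the {@link PersistenceService}.
 *
 * <p>Every successfully authenticated user is placed in the {@code "master"} realm and is
 * given the role set returned by {@link #getDefaultRoles()}; no per-user roles are read here.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Usernames arrive from the {@code Authorization} header and are therefore untrusted.
 *       They are stripped of control characters before being written to the log.</li>
 *   <li>Basic credentials are only base64-encoded on the wire; this class does not itself
 *       enforce a confidential transport.</li>
 * </ul>
 */
public abstract class BasicIdentityProvider implements IdentityProvider {
    private static final Logger LOG = Logger.getLogger(BasicIdentityProvider.class.getName());
    protected PersistenceService persistenceService;

    /**
     * Variant of Undertow's {@link BasicAuthenticationMechanism} that implements the
     * {@code silent} option itself: the superclass is always constructed with
     * {@code silent = false} and the two overrides below decide what happens when the
     * request carries no {@code Authorization} header.
     */
    protected static class BasicFixAuthenticationMechanism extends BasicAuthenticationMechanism {
        private final boolean silent;

        // NOTE(review): this field is public, static and not final, so any code in the JVM can
        // replace the factory that builds the authentication mechanism. It is left writable
        // only to keep the existing interface; consider making it final.
        public static Factory FACTORY = new Factory();

        /**
         * Builds {@link BasicFixAuthenticationMechanism} instances from the auth-method
         * properties {@code realm}, {@code silent}, {@code charset} and
         * {@code user-agent-charsets}.
         */
        protected static class Factory implements AuthenticationMechanismFactory {
            protected Factory() {
            }

            /**
             * Creates the mechanism from the configured properties.
             *
             * @param mechanismName name the mechanism is registered under
             * @param identityManager identity manager used to verify credentials
             * @param formParserFactory unused by this mechanism
             * @param properties auth-method properties; {@code charset} defaults to UTF-8 and
             *     {@code user-agent-charsets} is a comma-separated list of
             *     {@code pattern,charset} pairs
             * @return the configured mechanism
             * @throws RuntimeException if {@code user-agent-charsets} holds an odd number of
             *     items, or a pattern or charset name is invalid
             */
            @Override
            public AuthenticationMechanism create(String mechanismName, IdentityManager identityManager, FormParserFactory formParserFactory, Map<String, String> properties) {
                String realm = properties.get("realm");
                // Only the exact string "true" enables silent mode, as before.
                boolean silentMode = "true".equals(properties.get("silent"));
                String charsetName = properties.get("charset");
                Charset charset = charsetName == null ? StandardCharsets.UTF_8 : Charset.forName(charsetName);
                Map<Pattern, Charset> userAgentCharsets = new HashMap<>();
                String userAgentCharsetsValue = properties.get("user-agent-charsets");
                if (userAgentCharsetsValue != null) {
                    String[] items = userAgentCharsetsValue.split(",");
                    if (items.length % 2 != 0) {
                        throw UndertowMessages.MESSAGES.userAgentCharsetMustHaveEvenNumberOfItems(userAgentCharsetsValue);
                    }
                    // Items alternate: user-agent regex, then the charset to use for it.
                    for (int i = 0; i < items.length; i += 2) {
                        userAgentCharsets.put(Pattern.compile(items[i]), Charset.forName(items[i + 1]));
                    }
                }
                return new BasicFixAuthenticationMechanism(realm, mechanismName, silentMode, identityManager, charset, userAgentCharsets);
            }
        }

        /**
         * @param realmName realm passed to the superclass
         * @param mechanismName mechanism name passed to the superclass
         * @param silent whether this mechanism stays quiet when no credentials are sent;
         *     handled by this class, the superclass always receives {@code false}
         * @param identityManager identity manager used to verify credentials
         * @param charset default charset for decoding credentials
         * @param userAgentCharsets per-user-agent charset overrides
         */
        public BasicFixAuthenticationMechanism(String realmName, String mechanismName, boolean silent, IdentityManager identityManager, Charset charset, Map<Pattern, Charset> userAgentCharsets) {
            super(realmName, mechanismName, false, identityManager, charset, userAgentCharsets);
            this.silent = silent;
        }

        /**
         * Delegates to the superclass only when an {@code Authorization} header is present.
         * Without one the outcome is {@code NOT_ATTEMPTED} in silent mode and
         * {@code NOT_AUTHENTICATED} otherwise.
         */
        @Override
        public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
            if (httpServerExchange.getRequestHeaders().getFirst(Headers.AUTHORIZATION) != null) {
                return super.authenticate(httpServerExchange, securityContext);
            }
            return this.silent
                ? AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED
                : AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }

        /**
         * Suppresses the Basic challenge in silent mode and whenever the request already
         * carried an {@code Authorization} header; otherwise defers to the superclass.
         */
        @Override
        public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
            boolean credentialsSent = httpServerExchange.getRequestHeaders().getFirst(Headers.AUTHORIZATION) != null;
            if (this.silent || credentialsSent) {
                return AuthenticationMechanism.ChallengeResult.NOT_SENT;
            }
            return super.sendChallenge(httpServerExchange, securityContext);
        }
    }

    /**
     * Looks up the {@link PersistenceService} and registers this provider's schema location
     * and the {@code public} schema with it.
     */
    @Override // org.openremote.container.security.IdentityProvider
    public void init(Container container) {
        this.persistenceService = (PersistenceService) container.getService(PersistenceService.class);
        this.persistenceService.getDefaultSchemaLocations().add("classpath:org/openremote/container/persistence/schema/basicidentityprovider");
        this.persistenceService.getSchemas().add("public");
    }

    /** No-op. */
    @Override // org.openremote.container.security.IdentityProvider
    public void start(Container container) {
    }

    /** No-op. */
    @Override // org.openremote.container.security.IdentityProvider
    public void stop(Container container) {
    }

    /**
     * Configures the deployment to use the {@code BASIC-FIX} mechanism in silent mode and
     * installs an identity manager that accepts username/password credentials only.
     */
    @Override // org.openremote.container.security.IdentityProvider
    public void secureDeployment(DeploymentInfo deploymentInfo) {
        LoginConfig loginConfig = new LoginConfig("OpenRemote");
        deploymentInfo.addAuthenticationMechanism("BASIC-FIX", BasicFixAuthenticationMechanism.FACTORY);
        loginConfig.addFirstAuthMethod(new AuthMethodConfig("BASIC-FIX", Collections.singletonMap("silent", "true")));
        deploymentInfo.setLoginConfig(loginConfig);
        deploymentInfo.setIdentityManager(new IdentityManager() {
            // Re-verification of an existing account is not supported and always fails.
            @Override
            public Account verify(Account account) {
                return null;
            }

            @Override
            public Account verify(String username, Credential credential) {
                if (credential instanceof PasswordCredential) {
                    return BasicIdentityProvider.this.verifyAccount(username, ((PasswordCredential) credential).getPassword());
                }
                // Log the credential's type rather than its toString(): the content of a
                // credential object is secret material and must not reach the log.
                String credentialType = credential == null ? "null" : credential.getClass().getName();
                BasicIdentityProvider.LOG.fine("Verification of '" + sanitizeForLog(username) + "' failed, no password credentials found, but: " + credentialType);
                return null;
            }

            // Credential-only verification (no username) is not supported.
            @Override
            public Account verify(Credential credential) {
                return null;
            }
        });
    }

    /**
     * Verifies a username/password pair against {@code PUBLIC.USER_ENTITY}.
     *
     * <p>NOTE(review): an unknown username returns before any password hash is computed,
     * while a known one runs {@code PasswordStorage.verifyPassword}; the difference in
     * response time may let a client tell the two cases apart. Evening this out needs a
     * placeholder hash in the format {@code PasswordStorage} expects, which is not visible
     * from this class.
     *
     * @param username the submitted username (untrusted)
     * @param password the submitted password; owned by the caller and not cleared here
     * @return an account in the {@code "master"} realm with the default roles, or
     *     {@code null} if the user is unknown, ambiguous, has no stored password, or the
     *     password does not match
     */
    protected Account verifyAccount(String username, char[] password) {
        // The username is attacker-controlled; neutralise control characters once so that a
        // crafted value cannot forge extra log lines.
        final String logUser = sanitizeForLog(username);
        LOG.fine("Authentication attempt, querying user: " + logUser);
        Object[] row = (Object[]) this.persistenceService.doReturningTransaction(entityManager -> {
            try {
                // Bound parameter: the username never becomes part of the SQL text.
                return (Object[]) entityManager.createNativeQuery("select U.ID, U.PASSWORD from PUBLIC.USER_ENTITY U where U.USERNAME = :username").setParameter("username", username).getSingleResult();
            } catch (NoResultException e) {
                return null;
            } catch (NonUniqueResultException e) {
                // Duplicate usernames are a data-integrity problem; fail closed but make it visible.
                LOG.warning("Authentication failed, multiple users match username: " + logUser);
                return null;
            }
        });
        if (row == null) {
            LOG.fine("Authentication failed, no such user: " + logUser);
            return null;
        }
        if (row[1] == null) {
            // A user without a stored password hash cannot authenticate; previously this
            // surfaced as a NullPointerException instead of a failed login.
            LOG.fine("Authentication failed, no password stored: " + logUser);
            return null;
        }
        LOG.fine("Authentication attempt, verifying password: " + logUser);
        if (!PasswordStorage.verifyPassword(password, row[1].toString())) {
            LOG.fine("Authentication failed, invalid password: " + logUser);
            return null;
        }
        LOG.fine("Authentication successful: " + logUser);
        final BasicAuthContext basicAuthContext = new BasicAuthContext("master", row[0].toString(), username);
        return new Account() {
            @Override
            public Principal getPrincipal() {
                return basicAuthContext;
            }

            @Override
            public Set<String> getRoles() {
                return BasicIdentityProvider.this.getDefaultRoles();
            }
        };
    }

    /**
     * Returns {@code value} with every ISO control character (including CR and LF) replaced
     * by {@code '_'}, so that it can be embedded in a single log line.
     */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder cleaned = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            cleaned.append(Character.isISOControl(c) ? '_' : c);
        }
        return cleaned.toString();
    }

    /**
     * @return the roles granted to every user authenticated by this provider
     */
    protected abstract Set<String> getDefaultRoles();
}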
