package com.pcbsys.foundation.security.auth;

import com.pcbsys.foundation.drivers.fSubjectHelper;
import com.pcbsys.foundation.fConstants;
import com.pcbsys.foundation.logger.fLogger;
import com.pcbsys.foundation.security.fDefaultSecureObject;
import com.pcbsys.foundation.security.fSubject;
import com.pcbsys.foundation.security.sasl.Defs;
import com.pcbsys.foundation.store.Constants;
import com.pcbsys.foundation.utils.fSystemConfiguration;
import com.softwareag.security.jaas.login.SagCallbackHandler;
import com.softwareag.security.jaas.login.SagCredentials;
import com.softwareag.security.jaas.principals.SagUserPrincipal;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Set;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/* loaded from: input_file:com/pcbsys/foundation/security/auth/fAuthentication.class */
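/**
 * Server-side entry point for authenticating a connecting user and for deciding
 * whether a subject is exempt from authentication.
 *
 * <p>Two backends are visible here: a JAAS login context (used when
 * {@link #JAASKEY} is set) and {@code fAdapterDirectory} (used when
 * authentication is enabled and no JAAS key is set). All configuration is read
 * once, in the static initializer, through {@code fSystemConfiguration}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #isExempt(fSubject)} is the authentication bypass list; every
 *       rule in it widens the set of unauthenticated callers.</li>
 *   <li>{@link #JAASKEY} is public and non-final, so any code in the JVM can
 *       switch the backend at runtime. It is left as-is because callers outside
 *       this file may assign it.</li>
 * </ul>
 */
public class fAuthentication {
    public static final boolean authenticationEnabled = "Y".equalsIgnoreCase(fSystemConfiguration.getProperty("Nirvana.auth.enabled", "N"));
    public static final boolean authenticationMandatory;
    public static final String SYSPROP_JAASKEY = "Nirvana.auth.server.jaaskey";
    public static final String SYSPROP_EXEMPTUSERS = "Nirvana.auth.exempt";
    // NOTE(review): mutable global; nulling it flips authenticate() from JAAS to the directory adapter.
    public static String JAASKEY;
    private static final ArrayList<String> exemptUsers;
    private static final String REALM_EXEMPTION_STRING = "realm-";

    /**
     * @return {@code true} when authentication is enabled and no JAAS key is configured,
     *         i.e. the directory adapter is the active backend.
     */
    public static boolean isEnabledDirectory() {
        return authenticationEnabled && JAASKEY == null;
    }

    /**
     * @return {@code true} when authentication is enabled and a JAAS key is configured.
     */
    public static boolean isJAASEnabled() {
        return authenticationEnabled && JAASKEY != null;
    }

    /**
     * Authenticates a username/password pair against the configured backend.
     *
     * @param str  the username; must be non-empty
     * @param str2 the password; may be {@code null}
     * @return the authenticated user name, lower-cased
     * @throws fAuthenticationException if no username is supplied, no backend is configured,
     *                                  or the backend rejects the credentials
     * @throws IOException              declared for callers; not raised by the code visible here
     */
    public static String authenticate(String str, String str2) throws fAuthenticationException, IOException {
        if (str == null || str.length() == 0) {
            throw new fAuthenticationException("Authentication failure - no username supplied.");
        }
        if (JAASKEY != null) {
            String authenticateJAAS = authenticateJAAS(str, str2);
            if (authenticateJAAS != null) {
                // NOTE(review): toLowerCase() uses the default locale; confirm that matches
                // how names are normalised wherever this value is compared.
                return authenticateJAAS.toLowerCase();
            }
            throw new fAuthenticationException("Authentication failure - no authenticated user found.");
        }
        if (!isEnabledDirectory()) {
            throw new fAuthenticationException("Authentication failure - no authentication backend configured.");
        }
        try {
            // NOTE(review): confirm the adapter rejects a null or empty password; some directory
            // servers treat a simple bind with an empty password as an anonymous bind.
            if (fAdapterDirectory.getInstance().verifyPassword(str, str2)) {
                return str.toLowerCase();
            }
            throw new fAuthenticationException("Authentication failed - directory adapter rejected the username/password.");
        } catch (NamingException e) {
            throw new fAuthenticationException((Throwable) e);
        }
    }

    /**
     * Authenticates pre-built credentials against the configured backend.
     *
     * <p>The username is only required on the directory path; on the JAAS path the
     * credentials object is handed to the login modules unchanged.
     *
     * @param sagCredentials the credentials; must be non-null
     * @return the authenticated user name, lower-cased
     * @throws fAuthenticationException if credentials are missing, no backend is configured,
     *                                  the directory path has no username, or the backend
     *                                  rejects the credentials
     * @throws IOException              declared for callers; not raised by the code visible here
     */
    public static String authenticate(SagCredentials sagCredentials) throws fAuthenticationException, IOException {
        if (sagCredentials == null) {
            throw new fAuthenticationException("Authentication failure - no credentials supplied.");
        }
        if (JAASKEY != null) {
            String authenticateJAAS = authenticateJAAS(sagCredentials);
            if (authenticateJAAS != null) {
                return authenticateJAAS.toLowerCase();
            }
            throw new fAuthenticationException("Authentication failure - no authenticated user found.");
        }
        if (!isEnabledDirectory()) {
            throw new fAuthenticationException("Authentication failure - no authentication backend configured.");
        }
        String userName = sagCredentials.getUserName();
        // Same precondition as the String overload: without it a null user name reaches the
        // adapter and, on success, fails with a NullPointerException instead of an auth error.
        if (userName == null || userName.length() == 0) {
            throw new fAuthenticationException("Authentication failure - no username supplied.");
        }
        try {
            char[] password = sagCredentials.getPassword();
            // The adapter takes a String, so the password is copied into an immutable object here.
            // NOTE(review): confirm the adapter rejects a null or empty password (see String overload).
            if (fAdapterDirectory.getInstance().verifyPassword(userName, password == null ? null : new String(password))) {
                return userName.toLowerCase();
            }
            throw new fAuthenticationException("Authentication failed - directory adapter rejected the username/password.");
        } catch (NamingException e) {
            throw new fAuthenticationException((Throwable) e);
        }
    }

    /** Wraps the username/password in {@code SagCredentials} and delegates to the JAAS path. */
    private static String authenticateJAAS(String str, String str2) throws fAuthenticationException {
        return authenticateJAAS(constructCredentials(str, str2));
    }

    /**
     * Runs a JAAS login under the {@link #JAASKEY} configuration entry and returns the
     * user name extracted from the resulting subject.
     *
     * @return the extracted user name, or {@code null} if the subject carries no user principal
     * @throws fAuthenticationException if login or logout raises a {@code LoginException}
     */
    private static String authenticateJAAS(SagCredentials sagCredentials) throws fAuthenticationException {
        try {
            LoginContext loginContext = new LoginContext(JAASKEY, new SagCallbackHandler(sagCredentials));
            loginContext.login();
            try {
                Subject subject = loginContext.getSubject();
                if (fAuthConstants.sDebug) {
                    fConstants.logger.log(Defs.JAASLoginContext2String(loginContext, sagCredentials.getUserName()));
                }
                return extractUser(subject);
            } finally {
                // Always release the login modules' state, including when extraction throws.
                loginContext.logout();
            }
        } catch (LoginException e) {
            throw new fAuthenticationException("JAAS-Authentication failed on username=" + sagCredentials.getUserName(), e);
        }
    }

    /**
     * Picks the user name out of an authenticated JAAS subject.
     *
     * <p>Only {@code SagUserPrincipal} entries are considered. When several are present the
     * first one returned by the set's iterator is used and a message is reported.
     *
     * @return the CN extracted by {@code fSubjectHelper.extractCN} when that is non-empty,
     *         otherwise the principal name; {@code null} if there is no subject or no user principal
     */
    private static String extractUser(Subject subject) {
        if (subject == null) {
            if (fAuthConstants.sDebug) {
                fConstants.logger.log("Subject is null - unable to extract user principal.");
            }
            return null;
        }
        if (fAuthConstants.sDebug) {
            Set<Principal> principals = subject.getPrincipals();
            if (principals == null || principals.size() == 0) {
                fConstants.logger.log("Found no principals in the JAAS subject.");
            } else {
                fConstants.logger.log("Found the following principals in the JAAS subject:");
                for (Principal principal : principals) {
                    fConstants.logger.log(" - " + principal.getName() + " : " + principal.getClass().getName());
                }
            }
        }
        Set<SagUserPrincipal> userPrincipals = subject.getPrincipals(SagUserPrincipal.class);
        if (userPrincipals.size() == 0) {
            fLogger.log.report(5, "No user principals found in authentication result.");
            return null;
        }
        if (userPrincipals.size() > 1) {
            fLogger.log.report(3, "Multiple user principals [" + userPrincipals.size() + "] found in authentication result. Using the first one for authorization.");
        }
        String name = userPrincipals.iterator().next().getName();
        String extractCN = fSubjectHelper.extractCN(name);
        // Fall back to the raw principal name when no CN could be extracted.
        return (extractCN != null && !extractCN.isEmpty()) ? extractCN : name;
    }

    /**
     * Builds a {@code SagCredentials} from a username and password.
     *
     * @param str  the username
     * @param str2 the password; when {@code null} no password is set on the credentials
     * @return the populated credentials object
     */
    public static SagCredentials constructCredentials(String str, String str2) {
        SagCredentials sagCredentials = new SagCredentials();
        sagCredentials.setUserName(str);
        // A missing password previously failed with a NullPointerException here; the
        // SagCredentials overload of authenticate() already tolerates a null password.
        if (str2 != null) {
            sagCredentials.setPassword(str2.toCharArray());
        }
        return sagCredentials;
    }

    /**
     * Decides whether a subject may skip authentication.
     *
     * <p>A subject is exempt when its name is contained in a super-user name, starts with
     * {@code "realm-"}, or equals (ignoring case) an entry of the exempt-users file.
     * A null subject or a null/empty name is never exempt.
     *
     * @param fsubject the subject to check
     * @return {@code true} if the subject is exempt from authentication
     */
    public static boolean isExempt(fSubject fsubject) {
        if (fsubject == null) {
            return false;
        }
        String name = fsubject.getName();
        // Every string contains "", so an empty name would otherwise match every super user.
        if (name == null || name.isEmpty()) {
            return false;
        }
        String lowerName = name.toLowerCase();
        Iterator<fSubject> it = fDefaultSecureObject.getSuperUsers().iterator();
        while (it.hasNext()) {
            // NOTE(review): this is a substring test, so any name that is a fragment of a
            // super-user name is exempt. Confirm whether an exact match is intended.
            if (it.next().getName().toLowerCase().contains(lowerName)) {
                return true;
            }
        }
        // NOTE(review): prefix-only rule; confirm that untrusted clients cannot choose a
        // subject name beginning with "realm-".
        if (name.startsWith(REALM_EXEMPTION_STRING)) {
            return true;
        }
        if (exemptUsers == null) {
            return false;
        }
        for (String exemptUser : exemptUsers) {
            if (exemptUser.equalsIgnoreCase(name)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Loads the exempt-users list, one name per line, from the file named by
     * {@link #SYSPROP_EXEMPTUSERS} or, if that is unset, by the {@code SECURITYFILE} property.
     *
     * <p>Lines are trimmed and blank lines are skipped. The file is decoded with the platform
     * default charset.
     *
     * @return the loaded names, or {@code null} when no file is configured, the value is
     *         {@code "-"}, or loading fails (which leaves nobody exempt via this list)
     */
    private static ArrayList<String> getExemptUsers() {
        String property = fSystemConfiguration.getProperty(SYSPROP_EXEMPTUSERS);
        if (property == null) {
            property = fSystemConfiguration.getProperty("SECURITYFILE");
        }
        if (property == null || property.equals("-")) {
            return null;
        }
        ArrayList<String> loaded = new ArrayList<>();
        try (FileInputStream fileInputStream = new FileInputStream(property);
             BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(fileInputStream), Constants.BITSET_SIZE)) {
            String readLine;
            while ((readLine = bufferedReader.readLine()) != null) {
                String entry = readLine.trim();
                // A blank line is not a user; keeping it would add an empty exemption entry.
                if (!entry.isEmpty()) {
                    loaded.add(entry);
                }
            }
        } catch (Throwable th) {
            // Best effort during class initialisation: log and fall back to "no exemptions".
            fConstants.logger.error("Failed to load exempt users from " + property + " - " + th);
            return null;
        }
        return loaded;
    }

    static {
        // Mandatory authentication only takes effect when authentication is enabled at all.
        authenticationMandatory = "Y".equalsIgnoreCase(fSystemConfiguration.getProperty("Nirvana.auth.mandatory", "N")) && authenticationEnabled;
        JAASKEY = fSystemConfiguration.getProperty(SYSPROP_JAASKEY);
        exemptUsers = getExemptUsers();
        fConstants.logger.log("Server Authentication: Enabled=" + authenticationEnabled + ", Mandatory=" + authenticationMandatory + ", JAAS-key=" + JAASKEY + ", SuperUser=" + fDefaultSecureObject.getDefaultSuperUser().getName() + ", Exempt=" + (exemptUsers == null ? "n/a" : exemptUsers.size() + "/" + exemptUsers));
    }
}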
