package com.pcbsys.foundation.security.sasl;

import com.pcbsys.foundation.base.fException;
import com.pcbsys.foundation.drivers.fDriver;
import com.pcbsys.foundation.drivers.fHTTPDSession;
import com.pcbsys.foundation.fConstants;
import com.pcbsys.foundation.io.fEventInputStream;
import com.pcbsys.foundation.io.fEventOutputStream;
import com.pcbsys.foundation.io.fStreamFactory;
import com.pcbsys.foundation.security.auth.fAdapterDirectory;
import com.pcbsys.foundation.security.auth.fAttribute;
import com.pcbsys.foundation.security.auth.fAuthConstants;
import com.pcbsys.foundation.security.auth.fAuthentication;
import com.pcbsys.foundation.security.auth.fAuthenticationException;
import com.pcbsys.foundation.security.fDefaultResponse;
import com.pcbsys.foundation.security.fDefaultServerLoginContext;
import com.pcbsys.foundation.security.fLoginResponse;
import com.pcbsys.foundation.security.fSSLServerLoginContext;
import com.pcbsys.foundation.security.fServerLoginContext;
import com.pcbsys.foundation.security.fSubject;
import com.pcbsys.foundation.utils.fSystemConfiguration;
import com.softwareag.security.jaas.login.SagCredentials;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.Charset;
import java.util.ArrayList;
import java.util.HashMap;
import javax.naming.NamingException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

/* loaded from: input_file:com/pcbsys/foundation/security/sasl/fSaslServerLoginContext.class */
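/**
 * Server-side SASL login context.
 *
 * <p>The client first sends the name of the mechanism it wants to use. When authentication is
 * enabled, {@code PLAIN} is handled in-process ({@link #loginSaslPlain}) and every other enabled
 * mechanism is delegated to the JDK SASL provider ({@link #loginJavaAPI}); the resulting
 * authorisation ID (lower-cased) becomes the {@link fSubject} of the connection. When
 * authentication is disabled the request is acknowledged and the login is handed to the plain
 * (or SSL client-auth) server login context instead.
 *
 * <p>Wire protocol: each server message is one status byte followed by an optional payload.
 * The status values used here are {@code 1} (continue), {@code 2} (complete),
 * {@code 3} (failure) and {@code 4} (authentication disabled).
 *
 * <p>Relevant configuration (all read once at class load):
 * <ul>
 *   <li>{@code Nirvana.auth.permit_altuser} - whether a client may present an authorisation ID
 *       that differs from the identity it authenticated as.</li>
 *   <li>{@code Nirvana.sasl.server.mechanisms} - comma-separated list of enabled mechanisms;
 *       unset means every mechanism is enabled.</li>
 *   <li>{@code Nirvana.sasl.server.localhostResolve} - whether the advertised server name is
 *       checked against the local host names.</li>
 *   <li>{@code Nirvana.password.charset} - charset used when converting directory passwords
 *       between {@code char[]} and {@code byte[]}.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output; the control flow restored in
 * {@link #loginJavaAPI} is the only structural change and is explained there.
 */
public class fSaslServerLoginContext extends fDefaultServerLoginContext {
    /** True when a client may act under an authorisation ID other than its authenticated name. */
    public static final boolean ALT_AUTHID_PERMITTED = "Y".equalsIgnoreCase(fSystemConfiguration.getProperty("Nirvana.auth.permit_altuser", "N"));
    /** Enabled mechanism names, or {@code null} when no restriction is configured. */
    private static final String[] ENABLED_MECHANISMS = getEnabledMechanisms("Nirvana.sasl.server.mechanisms");
    private static boolean SASL_LOCALHOST_REVERSE_RESOLVE = Boolean.parseBoolean(System.getProperty("Nirvana.sasl.server.localhostResolve", "True"));
    /** Charset name used for {@code char[]} &lt;-&gt; {@code byte[]} password conversion. */
    private static final String PASSWD_CHARSET = fSystemConfiguration.getProperty("Nirvana.password.charset", "UTF-8");
    /** Canonical local host name, or {@code "localhost"} if it could not be resolved. */
    private static final String URI_hostname;
    /** Counter used only to give debug output a per-session prefix. */
    private static int session_id_counter;
    private int session_id;

    /** Mirrors {@link fAuthentication#authenticationMandatory}; kept for callers of the old field. */
    @Deprecated
    public static final boolean authenticationMandatory;

    /**
     * Callback handler that resolves the client's user name against the adapter directory and
     * hands the stored password to the JDK SASL mechanism.
     *
     * <p>The handler is stateful: a {@link NameCallback} records the user name and looks the
     * password up; the following {@link PasswordCallback} consumes that password (it is then
     * dropped from the handler); an {@link AuthorizeCallback} is answered from the recorded name.
     */
    public static class CredentialsHandler implements CallbackHandler {
        private final fAdapterDirectory dtory = fAdapterDirectory.getInstance();
        private String username;
        private char[] password;

        /**
         * Answers the callbacks issued by the SASL mechanism (see the class comment for the
         * per-callback behaviour). Unknown callback types are ignored.
         *
         * @param callbackArr callbacks issued by the mechanism, in the order it issued them
         * @throws IOException if the directory lookup for the user's password fails
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException {
            for (Callback callback : callbackArr) {
                if (fAuthConstants.sDebug) {
                    fConstants.logger.log(fSaslServerLoginContext.debugPrefix(0) + "Callback=" + callback + "/" + callbackArr.length);
                }
                if (callback instanceof AuthorizeCallback) {
                    AuthorizeCallback authorizeCallback = (AuthorizeCallback) callback;
                    if (fAuthConstants.sDebug) {
                        fConstants.logger.log(fSaslServerLoginContext.debugPrefix(0) + "AuthorizeCallback: AuthenticationID=" + authorizeCallback.getAuthenticationID() + ", AuthorisationID=" + authorizeCallback.getAuthorizationID() + "/" + authorizeCallback.getAuthorizedID() + "/" + authorizeCallback.isAuthorized());
                    }
                    // The authorisation ID becomes the connection's subject (loginJavaAPI returns
                    // getAuthorizationID()), so an ID that differs from the authenticated name is
                    // only honoured under the same permit_altuser policy the PLAIN path applies.
                    String authzid = authorizeCallback.getAuthorizationID();
                    boolean sameIdentity = authzid == null || authzid.equals(authorizeCallback.getAuthenticationID());
                    authorizeCallback.setAuthorized(this.username != null && (sameIdentity || fSaslServerLoginContext.ALT_AUTHID_PERMITTED));
                } else if (callback instanceof NameCallback) {
                    NameCallback nameCallback = (NameCallback) callback;
                    if (fAuthConstants.sDebug) {
                        fConstants.logger.log(fSaslServerLoginContext.debugPrefix(0) + "NameCallback: Default=" + nameCallback.getDefaultName() + ", Current=" + nameCallback.getName());
                    }
                    this.username = nameCallback.getDefaultName();
                    try {
                        this.password = (char[]) getDirectoryPassword(this.username, char[].class);
                    } catch (Exception e) {
                        // Keep the cause attached for diagnostics; the message carries the context.
                        throw new IOException("SASL-Server failed on Directory=" + this.dtory + " lookup for username=" + this.username + " - " + e, e);
                    }
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(this.password);
                    this.password = null;
                } else if (callback instanceof RealmCallback) {
                    RealmCallback realmCallback = (RealmCallback) callback;
                    if (fAuthConstants.sDebug) {
                        fConstants.logger.log(fSaslServerLoginContext.debugPrefix(0) + "RealmCallback: " + realmCallback.getPrompt() + " Default=" + realmCallback.getDefaultText() + ", Current=" + realmCallback.getText());
                    }
                    realmCallback.setText(realmCallback.getDefaultText());
                }
            }
        }

        /**
         * Looks up the user's password attribute in the directory and converts it to the
         * requested representation.
         *
         * @param str user name to look up
         * @param cls either {@code char[].class} or {@code byte[].class}
         * @return the password as {@code cls}; {@code null} when the directory has no password
         *         attribute for the user; a missing attribute value is treated as the empty string
         * @throws fAuthenticationException if the stored value is neither String, char[] nor byte[]
         * @throws IOException on directory I/O failure
         * @throws UnsupportedEncodingException if {@code Nirvana.password.charset} is unknown
         * @throws NamingException on directory lookup failure
         */
        private Object getDirectoryPassword(String str, Class<?> cls) throws fAuthenticationException, IOException, UnsupportedEncodingException, NamingException {
            fAttribute lookup = this.dtory.lookup(str, fAttribute.ATTRNAM_PASSWORD);
            if (lookup == null) {
                return null;
            }
            Object value = lookup.getValue();
            if (value == null) {
                value = "";
            }
            if (value instanceof String) {
                return cls == char[].class ? ((String) String.class.cast(value)).toCharArray() : ((String) String.class.cast(value)).getBytes(fSaslServerLoginContext.PASSWD_CHARSET);
            }
            if (value instanceof char[]) {
                if (cls == char[].class) {
                    return value;
                }
                ByteBuffer encode = Charset.forName(fSaslServerLoginContext.PASSWD_CHARSET).encode(CharBuffer.wrap((char[]) char[].class.cast(value)));
                // Hand back the buffer's backing array only when it is exactly the encoded bytes.
                if (encode.hasArray() && encode.arrayOffset() == 0 && encode.position() == 0 && encode.limit() == encode.array().length) {
                    return encode.array();
                }
                byte[] bArr = new byte[encode.limit() - encode.position()];
                encode.get(bArr);
                return bArr;
            }
            if (!(value instanceof byte[])) {
                if (fAuthConstants.sDebug) {
                    fConstants.logger.log(fSaslServerLoginContext.debugPrefix(0) + "Directory password has unexpected type=" + value.getClass().getName() + "/" + value + " - " + cls.getName() + " for username=" + str);
                }
                throw new fAuthenticationException("Sasl-ServerLoginContext failed to resolve password type=" + value.getClass().getName() + " as " + cls.getName() + " for username=" + str);
            }
            if (cls == byte[].class) {
                return value;
            }
            CharBuffer decode = Charset.forName(fSaslServerLoginContext.PASSWD_CHARSET).decode(ByteBuffer.wrap((byte[]) byte[].class.cast(value)));
            if (decode.hasArray() && decode.arrayOffset() == 0 && decode.position() == 0 && decode.limit() == decode.array().length) {
                return decode.array();
            }
            char[] cArr = new char[decode.length()];
            decode.get(cArr);
            return cArr;
        }
    }

    /** Server side of the SASL framing: reads the mechanism name and writes status+payload frames. */
    public static class ServerMessage extends Message {
        public ServerMessage(fEventInputStream feventinputstream, fEventOutputStream feventoutputstream) {
            super(feventinputstream, feventoutputstream);
        }

        /**
         * Reads the mechanism name the client selected.
         *
         * @return the mechanism name as sent by the client
         * @throws IOException on stream failure
         */
        public String readMechanism() throws IOException {
            return this.is.readString();
        }

        /**
         * Writes one status byte and an optional payload, then flushes.
         *
         * @param b    status byte (1 continue, 2 complete, 3 failure, 4 authentication disabled)
         * @param bArr payload, may be {@code null}
         * @throws IOException on stream failure
         */
        public void sendChallenge(byte b, byte[] bArr) throws IOException {
            this.os.writeByte(b);
            write(bArr);
            this.os.flush();
        }
    }

    /** Assigns this context the next session number; only used to label debug output. */
    private void setDebugSessionID() {
        synchronized (getClass()) {
            int i = session_id_counter + 1;
            session_id_counter = i;
            this.session_id = i;
        }
    }

    /**
     * Builds the prefix for debug log lines.
     *
     * @param i session number ({@code 0} where no session is available, e.g. static helpers)
     * @return the log prefix
     */
    public static String debugPrefix(int i) {
        return "SASL-ServerLoginContext/" + i + ": [debug] ";
    }

    private String debugPrefix() {
        return debugPrefix(this.session_id);
    }

    /**
     * @deprecated use {@link fAuthentication#isExempt(fSubject)} directly.
     */
    @Deprecated
    public static boolean isExempt(fSubject fsubject) {
        return fAuthentication.isExempt(fsubject);
    }

    @Override // com.pcbsys.foundation.security.fDefaultServerLoginContext, com.pcbsys.foundation.security.fServerLoginContext
    public fServerLoginContext newInstance() {
        return new fSaslServerLoginContext();
    }

    /**
     * Runs the SASL login over the driver's own streams.
     *
     * @param fdriver the connection driver
     * @return the login response
     * @throws fException on any failure; non-{@code fException} causes are wrapped
     */
    @Override // com.pcbsys.foundation.security.fDefaultServerLoginContext, com.pcbsys.foundation.security.fLoginContext
    public fLoginResponse login(fDriver fdriver) throws fException {
        try {
            return login(fdriver, fStreamFactory.createInputStream(fdriver.getInputStream()), new fEventOutputStream(fdriver.getOutputStream()));
        } catch (Exception e) {
            if (e instanceof fException) {
                throw ((fException) e);
            }
            throw new fException("SASL-Authentication failed with driver=" + (fdriver == null ? null : fdriver.getClass().getName()), e);
        }
    }

    /**
     * Runs the SASL exchange on the given streams and installs the resulting subject on this
     * context and on the driver.
     *
     * <p>With authentication enabled: a mechanism that is not enabled is answered with status 3
     * and rejected; {@code PLAIN} is verified in-process, everything else through the JDK SASL
     * provider. With authentication disabled: the client's first message is consumed, status 4
     * is sent, HTTP sessions are closed and rejected, and the login is delegated to
     * {@link fDefaultServerLoginContext} (or {@link fSSLServerLoginContext} when the driver
     * requires client authentication).
     *
     * @param fdriver            connection driver; {@code null} is tolerated on the authenticated
     *                           path (host/remote address default to {@code "localhost"})
     * @param feventinputstream  stream to read client messages from
     * @param feventoutputstream stream to write challenges to
     * @return the login response
     * @throws IOException on stream failure
     * @throws fException   when the negotiation fails or the mechanism is rejected
     */
    @Override // com.pcbsys.foundation.security.fDefaultServerLoginContext, com.pcbsys.foundation.security.fLoginContext
    public fLoginResponse login(fDriver fdriver, fEventInputStream feventinputstream, fEventOutputStream feventoutputstream) throws IOException, fException {
        String loginJavaAPI;
        fSubject fsubject;
        fDefaultResponse fdefaultresponse;
        if (fAuthConstants.sDebug) {
            setDebugSessionID();
        }
        String host = fdriver == null ? "localhost" : fdriver.getConnectionDetails().getHost();
        String str = URI_hostname;
        if (SASL_LOCALHOST_REVERSE_RESOLVE) {
            str = Defs.checkAgainstLocalHostNames(host, URI_hostname);
        }
        ServerMessage serverMessage = new ServerMessage(feventinputstream, feventoutputstream);
        String readMechanism = serverMessage.readMechanism();
        if (fAuthConstants.sDebug) {
            fConstants.logger.log(debugPrefix() + "New session with mechanism=" + readMechanism + "/enabled=" + fAuthentication.authenticationEnabled + "/" + isMechanismEnabled(readMechanism) + ", remote=" + host + ", srvname=" + str + " - driver=" + (fdriver == null ? null : fdriver.getClass().getName()));
        }
        if (fAuthentication.authenticationEnabled) {
            try {
                if (!isMechanismEnabled(readMechanism)) {
                    serverMessage.sendChallenge((byte) 3, null);
                    throw new SaslException("SASL-" + readMechanism + " not enabled");
                }
                if (readMechanism.equals(Defs.MECHNAME_PLAIN)) {
                    SagCredentials sagCredentials = new SagCredentials();
                    extractTransportCredentials(sagCredentials, fdriver);
                    loginJavaAPI = loginSaslPlain(serverMessage, sagCredentials);
                    serverMessage.sendChallenge((byte) 2, null);
                } else {
                    loginJavaAPI = loginJavaAPI(readMechanism, str, serverMessage);
                }
                fsubject = new fSubject(loginJavaAPI.toLowerCase(), fdriver == null ? "localhost" : getRemoteAddress(fdriver), true);
                fdefaultresponse = new fDefaultResponse(true);
                if (fAuthConstants.sDebug) {
                    fConstants.logger.log(debugPrefix() + "Authenticated user=" + loginJavaAPI + " as " + fsubject);
                }
            } catch (Exception e) {
                if (fAuthConstants.sDebug) {
                    fConstants.logger.log(debugPrefix() + "SASL negotiation failed - " + e);
                }
                if (e instanceof IOException) {
                    throw ((IOException) e);
                }
                if (e instanceof fException) {
                    throw ((fException) e);
                }
                throw new fException(e);
            }
        } else {
            serverMessage.readMessage();
            serverMessage.sendChallenge((byte) 4, null);
            if (fdriver instanceof fHTTPDSession) {
                fdriver.close();
                throw new fAuthenticationException(2);
            }
            // NOTE(review): unlike the authenticated branch, this path dereferences fdriver
            // unconditionally - a null driver with authentication disabled would NPE here.
            fDefaultServerLoginContext fsslserverlogincontext = fdriver.isRequireClientAuth() ? new fSSLServerLoginContext() : new fDefaultServerLoginContext();
            if (this.drvconfig != null) {
                fsslserverlogincontext.setConfig(this.drvconfig);
            }
            fdefaultresponse = fsslserverlogincontext.login(fdriver, feventinputstream, feventoutputstream);
            fsubject = fsslserverlogincontext.getSubject();
            if (fAuthConstants.sDebug) {
                fConstants.logger.log(debugPrefix() + "Accepted user without authentication - Subject=" + fsubject);
            }
        }
        setSubject(fsubject);
        if (fdriver != null) {
            fdriver.setSubject(fsubject);
        }
        return fdefaultresponse;
    }

    /**
     * Drives a JDK {@link SaslServer} for any mechanism other than {@code PLAIN}.
     *
     * <p>Each client response is fed to {@link SaslServer#evaluateResponse}; the resulting
     * challenge is sent with status 1 (more to come) or 2 (complete). A {@link SaslException}
     * from the mechanism is reported to the client with status 3 before it propagates, matching
     * the unsupported-mechanism and PLAIN failure paths. The server is disposed once, after the
     * exchange, whether or not it succeeded.
     *
     * <p>NOTE(review): the decompiled listing showed the {@code try/catch} around a plain
     * assignment and the {@code finally} inside the loop body; that shape cannot have been the
     * source, so the try/catch/finally structure above is what is restored here.
     *
     * @param str           mechanism name
     * @param str2          server name offered to the mechanism
     * @param serverMessage framing for the exchange
     * @return the authorisation ID negotiated by the mechanism
     * @throws IOException            on stream failure, or a {@link SaslException} when the
     *                                directory is not enabled, the mechanism is unsupported, or
     *                                the mechanism rejects the client
     * @throws ClassNotFoundException propagated from message reading
     */
    private String loginJavaAPI(String str, String str2, ServerMessage serverMessage) throws IOException, ClassNotFoundException {
        if (!fAuthentication.isEnabledDirectory()) {
            throw new SaslException("SASL-" + str + " requires Directory support");
        }
        CredentialsHandler credentialsHandler = new CredentialsHandler();
        HashMap<String, Object> hashMap = null;
        if (str.equalsIgnoreCase(Defs.MECHNAME_DIGESTMD5)) {
            hashMap = new HashMap<>();
            hashMap.put("com.sun.security.sasl.digest.realm", Defs.DIGESTMD5_REALM);
        }
        SaslServer createSaslServer = Sasl.createSaslServer(str, Message.PROTONAME, str2, hashMap, credentialsHandler);
        if (createSaslServer == null) {
            serverMessage.sendChallenge((byte) 3, null);
            throw new SaslException("SASL-" + str + " not supported");
        }
        try {
            while (!createSaslServer.isComplete()) {
                byte[] readMessage = serverMessage.readMessage();
                if (fAuthConstants.sDebug) {
                    // Debug only: this echoes the raw mechanism exchange (PLAIN never reaches here).
                    fConstants.logger.log(debugPrefix() + "Received response=" + (readMessage == null ? null : readMessage.length + "/" + new String(readMessage)));
                }
                byte[] evaluateResponse;
                try {
                    evaluateResponse = createSaslServer.evaluateResponse(readMessage == null ? Message.NULLMSG : readMessage);
                } catch (SaslException e) {
                    serverMessage.sendChallenge((byte) 3, null);
                    throw e;
                }
                if (fAuthConstants.sDebug) {
                    fConstants.logger.log(debugPrefix() + "Sending challenge=" + (evaluateResponse == null ? null : evaluateResponse.length + "/" + new String(evaluateResponse)) + " - complete=" + createSaslServer.isComplete());
                }
                serverMessage.sendChallenge(createSaslServer.isComplete() ? (byte) 2 : (byte) 1, evaluateResponse);
            }
        } finally {
            try {
                createSaslServer.dispose();
            } catch (Throwable th) {
                fConstants.logger.log(debugPrefix() + "Failed to dispose of " + createSaslServer.getClass().getName() + " for mech=" + str + " - " + th);
            }
        }
        return createSaslServer.getAuthorizationID();
    }

    /**
     * Handles the {@code PLAIN} mechanism: reads the single client response and authenticates it.
     * On failure status 3 is sent before the exception propagates.
     *
     * @param serverMessage  framing for the exchange
     * @param sagCredentials credentials object to populate (transport credentials already set)
     * @return the effective user name
     * @throws fAuthenticationException if the response is malformed or authentication fails
     * @throws IOException              on stream failure
     * @throws ClassNotFoundException   propagated from message reading
     * @throws NamingException          propagated from the authentication backend
     */
    private String loginSaslPlain(ServerMessage serverMessage, SagCredentials sagCredentials) throws fAuthenticationException, IOException, ClassNotFoundException, NamingException {
        byte[] readMessage = serverMessage.readMessage();
        if (fAuthConstants.sDebug) {
            // Only the length is logged here: the PLAIN response carries the clear-text password.
            fConstants.logger.log(debugPrefix() + "Received PLAIN response=" + (readMessage == null ? null : Integer.valueOf(readMessage.length)));
        }
        try {
            return processSaslPlainResponse(readMessage, this.session_id, sagCredentials);
        } catch (fAuthenticationException e) {
            serverMessage.sendChallenge((byte) 3, null);
            throw e;
        }
    }

    /**
     * Authenticates a {@code PLAIN} response ({@code [authzid] NUL authcid NUL passwd}).
     *
     * @param bArr           buffer holding the response
     * @param i              offset of the response in {@code bArr}
     * @param i2             length of the response
     * @param z              whether an authorisation ID different from the authenticated name
     *                       may be honoured
     * @param sagCredentials credentials object to populate
     * @return the effective user name: the authorisation ID when one was given and permitted,
     *         otherwise the authenticated name
     * @throws fAuthenticationException on a malformed response, failed authentication, or a
     *                                  rejected alternative authorisation ID
     * @throws IOException              propagated from the authentication backend
     * @throws NamingException          propagated from the authentication backend
     */
    public static String processSaslPlainResponse(byte[] bArr, int i, int i2, boolean z, SagCredentials sagCredentials) throws fAuthenticationException, IOException, NamingException {
        return processSaslPlainResponse(bArr, i, i2, z, 0, sagCredentials);
    }

    /**
     * Implementation of {@link #processSaslPlainResponse(byte[], int, int, boolean, SagCredentials)}
     * with a session number for debug output.
     *
     * @param i3 debug session number
     */
    private static String processSaslPlainResponse(byte[] bArr, int i, int i2, boolean z, int i3, SagCredentials sagCredentials) throws fAuthenticationException, IOException, NamingException {
        ArrayList<String> parseSaslPlainResponse = parseSaslPlainResponse(bArr, i, i2);
        String str = parseSaslPlainResponse.get(0);
        String str2 = parseSaslPlainResponse.get(1);
        String str3 = parseSaslPlainResponse.get(2);
        if (fAuthConstants.sDebug) {
            fConstants.logger.log(debugPrefix(i3) + "Authenticating PLAIN username=" + str2 + " - authorisation-ID=" + str + "/allowed=" + z);
        }
        sagCredentials.setUserName(str2);
        sagCredentials.setPassword(str3 == null ? null : str3.toCharArray());
        if (str != null) {
            sagCredentials.setExtendedProperty(fAuthConstants.SASL_AUTHORIZATION_ID_KEY, str);
        }
        String authenticate = fAuthentication.authenticate(sagCredentials);
        if (authenticate == null) {
            // Report the name that was attempted; the result is null at this point.
            throw new fAuthenticationException("SASL-PLAIN authentication failed on username=" + str2);
        }
        if (str != null && !str.equals(authenticate)) {
            if (!z) {
                throw new fAuthenticationException("SASL-PLAIN authentication failed - rejecting alternative authorisation-ID=" + str + " for user=" + authenticate);
            }
            if (fAuthConstants.sDebug) {
                fConstants.logger.log(debugPrefix(i3) + "authorisation-ID=" + str + " is acting identity for authentication-ID=" + authenticate);
            }
            authenticate = str;
        }
        return authenticate;
    }

    /**
     * Splits a {@code PLAIN} response on its NUL separators.
     *
     * @param bArr buffer holding the response
     * @param i    offset of the response in {@code bArr}
     * @param i2   length of the response
     * @return exactly three elements (authzid, authcid, passwd); an empty field is {@code null}
     * @throws fAuthenticationException if the response does not contain exactly two NULs
     */
    public static ArrayList<String> parseSaslPlainResponse(byte[] bArr, int i, int i2) throws fAuthenticationException {
        ArrayList<String> arrayList = new ArrayList<>();
        int i3 = i + i2;
        int i4 = i;
        for (int i5 = i; i5 < i3; i5++) {
            if (bArr[i5] == 0) {
                arrayList.add(parseResponseElement(bArr, i4, i5));
                i4 = i5 + 1;
            }
        }
        arrayList.add(parseResponseElement(bArr, i4, i3));
        if (arrayList.size() != 3) {
            throw new fAuthenticationException("Invalid SASL-Plain response - NULs=" + (arrayList.size() - 1));
        }
        return arrayList;
    }

    /**
     * Authenticates a whole-buffer {@code PLAIN} response under the configured
     * {@code Nirvana.auth.permit_altuser} policy.
     */
    public static String processSaslPlainResponse(byte[] bArr, SagCredentials sagCredentials) throws fAuthenticationException, IOException, NamingException {
        return processSaslPlainResponse(bArr, 0, bArr.length, ALT_AUTHID_PERMITTED, 0, sagCredentials);
    }

    private static String processSaslPlainResponse(byte[] bArr, int i, SagCredentials sagCredentials) throws fAuthenticationException, IOException, NamingException {
        return processSaslPlainResponse(bArr, 0, bArr.length, ALT_AUTHID_PERMITTED, i, sagCredentials);
    }

    /** Splits a whole-buffer {@code PLAIN} response; see {@link #parseSaslPlainResponse(byte[], int, int)}. */
    public static ArrayList<String> parseSaslPlainResponse(byte[] bArr) throws fAuthenticationException {
        return parseSaslPlainResponse(bArr, 0, bArr.length);
    }

    /**
     * Decodes one field of a {@code PLAIN} response.
     *
     * @return the field as a String, or {@code null} when the field is empty
     */
    private static String parseResponseElement(byte[] bArr, int i, int i2) {
        int i3 = i2 - i;
        if (i3 == 0) {
            return null;
        }
        // NOTE(review): decodes with the platform default charset; RFC 4616 specifies UTF-8 for
        // PLAIN, so non-ASCII credentials depend on the JVM default - confirm before relying on it.
        return new String(bArr, i, i3);
    }

    /**
     * Reports whether a mechanism is enabled by {@code Nirvana.sasl.server.mechanisms}.
     *
     * @param str mechanism name (compared case-insensitively)
     * @return {@code true} when no restriction is configured or the name is listed
     */
    public static boolean isMechanismEnabled(String str) {
        if (ENABLED_MECHANISMS == null) {
            return true;
        }
        for (String enabled : ENABLED_MECHANISMS) {
            if (enabled.equalsIgnoreCase(str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the first mechanism in {@code strArr} that is enabled, or {@code null} if none is.
     */
    public static String getEnabledMechanism(String[] strArr) {
        for (String str : strArr) {
            if (isMechanismEnabled(str)) {
                return str;
            }
        }
        return null;
    }

    /**
     * Reads a comma-separated mechanism list from configuration.
     *
     * @param str property name
     * @return the trimmed names, or {@code null} when the property is unset or blank
     */
    private static String[] getEnabledMechanisms(String str) {
        String property = fSystemConfiguration.getProperty(str);
        if (property == null) {
            return null;
        }
        String[] split = property.split(",");
        for (int i = 0; i < split.length; i++) {
            split[i] = split[i].trim();
        }
        if (split.length == 1 && split[0].length() == 0) {
            return null;
        }
        return split;
    }

    static {
        String str;
        try {
            str = InetAddress.getLocalHost().getCanonicalHostName();
        } catch (Exception e) {
            fConstants.logger.info("SaslServerLoginContext failed to determine local hostname - " + e);
            str = "localhost";
        }
        URI_hostname = str;
        authenticationMandatory = fAuthentication.authenticationMandatory;
    }
}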
