package com.sun.identity.authentication.modules.wss;

import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.InvalidPasswordException;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdSearchControl;
import com.sun.identity.idm.IdSearchOpModifier;
import com.sun.identity.idm.IdType;
import com.sun.identity.liberty.ws.disco.plugins.DefaultDiscoAuthorizer;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.wss.security.UserNameToken;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.Set;
import java.util.StringTokenizer;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;

/* loaded from: input_file:com/sun/identity/authentication/modules/wss/WSSAuthModule.class */
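/**
 * Login module that authenticates a web-services caller from a WS-Security
 * UserName token.
 *
 * <p>The password callback carries either the clear password, or a
 * {@code PasswordDigest=...}/{@code Nonce=...}/{@code Timestamp=...} triple
 * joined with {@link DefaultDiscoAuthorizer#RESOURCE_SEPERATOR}. In both
 * cases the user is located in the configured realm through the configured
 * search attribute and the stored password attribute is read back for
 * comparison.
 *
 * <p>NOTE(review): the nonce and timestamp are only used to recompute the
 * digest; their freshness is not checked in this module, so replay of a
 * captured digest is not rejected here unless a layer in front of this
 * module does so — confirm.
 */
public class WSSAuthModule extends AMLoginModule {
    /** Principal built lazily from {@link #userId} once authentication succeeded. */
    protected Principal userPrincipal;
    // Universal id of the authenticated user; null until process() succeeds.
    private String userId = null;
    // Repository attribute matched against the NameCallback value.
    private String userSearchAttribute = null;
    // Repository attribute holding the stored password.
    private String userPasswordAttribute = null;
    // Realm searched for the user.
    private String realm = null;
    private static final String UN_SEARCH_ATTRIBUTE = "sunWebservicesUserSearchAttribute";
    private static final String REALM = "sunWebServicesUserRealm";
    private static final String UN_PASSWORD_ATTRIBUTE = "sunWebservicesUserpasswordAttribute";
    // Field prefixes of the digest form of the credential.
    private static final String DIGEST_FIELD = "PasswordDigest=";
    private static final String NONCE_FIELD = "Nonce=";
    private static final String TIMESTAMP_FIELD = "Timestamp=";
    private static Debug debug = Debug.getInstance("WebServicesSecurity");
    private static ResourceBundle bundle = ResourceBundle.getBundle("fmWSSecurity");

    /**
     * Creates the module; only traces construction.
     *
     * @throws LoginException declared for the framework, never thrown here
     */
    public WSSAuthModule() throws LoginException {
        if (debug.messageEnabled()) {
            debug.message("WSSAuthModule()");
        }
    }

    /**
     * Reads the module options: user search attribute (default {@code uid}),
     * password attribute (default {@code userPassword}) and realm (default
     * {@code /}).
     *
     * @param subject login subject, unused here
     * @param map shared state, unused here
     * @param map2 module options
     */
    public void init(Subject subject, Map map, Map map2) {
        if (debug.messageEnabled()) {
            debug.message("WSSAuthModule initialization" + map2);
        }
        this.userSearchAttribute = CollectionHelper.getMapAttr(map2, UN_SEARCH_ATTRIBUTE, "uid");
        this.userPasswordAttribute = CollectionHelper.getMapAttr(map2, UN_PASSWORD_ATTRIBUTE, "userPassword");
        this.realm = CollectionHelper.getMapAttr(map2, REALM, "/");
        if (debug.messageEnabled()) {
            debug.message("WSSAuthModule.init: User search attribute= " + this.userSearchAttribute + "\n User password attribute=" + this.userPasswordAttribute + "\n Realm = " + this.realm);
        }
    }

    /**
     * Authenticates the caller from a {@link NameCallback} (index 0) and a
     * {@link PasswordCallback} (index 1).
     *
     * <p>The password callback is cleared as soon as its value has been read.
     * A credential containing {@link DefaultDiscoAuthorizer#RESOURCE_SEPERATOR}
     * is treated as the digest form, anything else as the clear password.
     *
     * @param callbackArr callbacks supplied by the framework
     * @param i login state, unused
     * @return {@code -1} (login complete) on success
     * @throws InvalidPasswordException if the credential is empty or does not match
     * @throws AuthLoginException if the user lookup or password retrieval fails
     */
    public int process(Callback[] callbackArr, int i) throws AuthLoginException {
        String name = ((NameCallback) callbackArr[0]).getName();
        PasswordCallback passwordCallback = (PasswordCallback) callbackArr[1];
        String credential = charToString(passwordCallback.getPassword(), passwordCallback);
        if (credential == null || credential.isEmpty()) {
            throw new InvalidPasswordException(bundle.getString("invalidPassword"));
        }
        boolean authenticated;
        if (credential.indexOf(DefaultDiscoAuthorizer.RESOURCE_SEPERATOR) != -1) {
            authenticated = authenticateWithDigest(name, credential);
        } else {
            authenticated = authenticateWithPassword(name, credential);
        }
        if (authenticated) {
            return -1;
        }
        throw new InvalidPasswordException(bundle.getString("authenticationFailed"));
    }

    /**
     * Verifies the digest form of the credential: recomputes the digest from
     * the stored password plus the supplied nonce and timestamp and compares
     * it in constant time with the digest sent.
     *
     * <p>Digest, nonce and timestamp values are deliberately kept out of the
     * debug log; only their presence is traced.
     *
     * @param name value of the name callback
     * @param credential the raw credential string in digest form
     * @return {@code true} if the digests match; {@code userId} is then set
     * @throws AuthLoginException if the user cannot be found or the digest cannot be computed
     */
    private boolean authenticateWithDigest(String name, String credential) throws AuthLoginException {
        if (debug.messageEnabled()) {
            debug.message("WSSAuthModule.process: In password digest");
        }
        String sentDigest = null;
        String nonce = null;
        String timestamp = null;
        StringTokenizer tokens = new StringTokenizer(credential, DefaultDiscoAuthorizer.RESOURCE_SEPERATOR);
        while (tokens.hasMoreTokens()) {
            String token = tokens.nextToken();
            // startsWith (rather than indexOf) guarantees the substring offset is valid.
            if (token.startsWith(DIGEST_FIELD)) {
                sentDigest = token.substring(DIGEST_FIELD.length());
            } else if (token.startsWith(NONCE_FIELD)) {
                nonce = token.substring(NONCE_FIELD.length());
            } else if (token.startsWith(TIMESTAMP_FIELD)) {
                timestamp = token.substring(TIMESTAMP_FIELD.length());
            }
        }
        if (debug.messageEnabled()) {
            debug.message("WSSAuthModule: digest present=" + (sentDigest != null)
                    + " nonce present=" + (nonce != null)
                    + " timestamp present=" + (timestamp != null));
        }
        AMIdentity user = searchUser(this.userSearchAttribute, name);
        String storedPassword = firstPasswordValue(user);
        String expectedDigest;
        try {
            expectedDigest = UserNameToken.getPasswordDigest(storedPassword, nonce, timestamp);
        } catch (Exception e) {
            debug.error("WSSAuthModule.process: exception", e);
            throw new AuthLoginException(bundle.getString("authenticationFailed"));
        }
        if (constantTimeEquals(expectedDigest, sentDigest)) {
            this.userId = user.getUniversalId();
            if (debug.messageEnabled()) {
                debug.message("WSSAuthModule: Login succeeded for " + this.userId);
            }
            return true;
        }
        if (debug.messageEnabled()) {
            debug.message("WSSAuthModule: Digest does not match for " + name);
        }
        return false;
    }

    /**
     * Verifies the clear-password form of the credential against the stored
     * password attribute, in constant time.
     *
     * <p>NOTE(review): the repository value is compared verbatim, so this path
     * only works when the store returns the clear value of the password
     * attribute — confirm against the identity repository configuration.
     *
     * @param name value of the name callback
     * @param credential the clear password as sent
     * @return {@code true} if the passwords match; {@code userId} is then set
     * @throws AuthLoginException if the user cannot be found or the password cannot be read
     */
    private boolean authenticateWithPassword(String name, String credential) throws AuthLoginException {
        AMIdentity user = searchUser(this.userSearchAttribute, name);
        String storedPassword = firstPasswordValue(user);
        if (constantTimeEquals(credential, storedPassword)) {
            this.userId = user.getUniversalId();
            if (debug.messageEnabled()) {
                debug.message("WSSAuthModule. Authentication succeeded for " + this.userId);
            }
            return true;
        }
        return false;
    }

    /**
     * Reads the first value of the configured password attribute of a user.
     *
     * @param user identity found by {@link #searchUser}
     * @return the first stored password value
     * @throws AuthLoginException if the repository read fails ("authenticationFailed")
     *         or the attribute is absent/empty ("nullUserPassword")
     */
    private String firstPasswordValue(AMIdentity user) throws AuthLoginException {
        Set<?> values;
        try {
            values = user.getAttribute(this.userPasswordAttribute);
        } catch (Exception e) {
            debug.error("WSSAuthModule.process: Idrepo exception", e);
            throw new AuthLoginException(bundle.getString("authenticationFailed"));
        }
        if (values == null || values.isEmpty()) {
            throw new AuthLoginException(bundle.getString("nullUserPassword"));
        }
        return (String) values.iterator().next();
    }

    /**
     * Compares two secrets without an early exit on the first differing byte.
     *
     * @return {@code true} only if both are non-null and byte-for-byte equal (UTF-8)
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Copies the password characters into a String, then wipes the array and
     * clears the callback so the secret is not retained in it.
     *
     * @param cArr password characters (may be null, treated as empty)
     * @param callback the {@link PasswordCallback} the characters came from
     * @return the password as a String (possibly empty)
     */
    private String charToString(char[] cArr, Callback callback) {
        char[] chars = (cArr == null) ? new char[0] : cArr;
        String value = new String(chars);
        Arrays.fill(chars, '\0');
        ((PasswordCallback) callback).clearPassword();
        return value;
    }

    /** Obtains the administrative token used for the repository search. */
    private static SSOToken getAdminToken() {
        return (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
    }

    /**
     * Finds the user whose {@code str} attribute equals {@code str2} in the
     * configured realm.
     *
     * @param str repository attribute to match
     * @param str2 value to match (the name supplied by the caller)
     * @return the first matching identity, never null
     * @throws InvalidPasswordException if no user matches ("noUsersFound")
     * @throws AuthLoginException if the repository search fails ("userSearchFailed")
     */
    private AMIdentity searchUser(String str, String str2) throws AuthLoginException {
        if (debug.messageEnabled()) {
            debug.message("WSSAuthModule. Search attr:" + str + " Attr value: " + str2);
        }
        Set<?> searchResults;
        try {
            AMIdentityRepository repository = new AMIdentityRepository(getAdminToken(), this.realm);
            IdSearchControl control = new IdSearchControl();
            control.setAllReturnAttributes(true);
            control.setTimeOut(0);
            Map<String, Set<String>> filter = new HashMap<String, Set<String>>();
            Set<String> values = new HashSet<String>();
            values.add(str2);
            filter.put(str, values);
            control.setSearchModifiers(IdSearchOpModifier.OR, filter);
            searchResults = repository.searchIdentities(IdType.USER, "*", control).getSearchResults();
        } catch (Exception e) {
            debug.error("WSSAuthModule.searchUser: ", e);
            throw new AuthLoginException(bundle.getString("userSearchFailed"));
        }
        if (searchResults != null && !searchResults.isEmpty()) {
            return (AMIdentity) searchResults.iterator().next();
        }
        if (debug.messageEnabled()) {
            debug.message("WSSAuthModule. No user found with " + str2);
        }
        throw new InvalidPasswordException(bundle.getString("noUsersFound"));
    }

    /**
     * Returns the authenticated principal, creating it on first call.
     *
     * @return the principal, or null if {@link #process} has not succeeded
     */
    public Principal getPrincipal() {
        if (this.userPrincipal == null && this.userId != null) {
            this.userPrincipal = new WSSUserPrincipal(this.userId);
        }
        return this.userPrincipal;
    }
}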
