package org.forgerock.openam.radius.server.spi.handlers;

import com.google.common.base.Strings;
import com.google.common.eventbus.EventBus;
import com.google.inject.Inject;
import com.sun.identity.authentication.AuthContext;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.HttpCallback;
import com.sun.identity.authentication.spi.PagePropertiesCallback;
import com.sun.identity.authentication.spi.RedirectCallback;
import com.sun.identity.shared.debug.Debug;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Properties;
import javax.inject.Named;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.ChoiceCallback;
import javax.security.auth.callback.ConfirmationCallback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import org.forgerock.openam.radius.common.AccessAccept;
import org.forgerock.openam.radius.common.AccessChallenge;
import org.forgerock.openam.radius.common.AccessReject;
import org.forgerock.openam.radius.common.ReplyMessageAttribute;
import org.forgerock.openam.radius.common.StateAttribute;
import org.forgerock.openam.radius.common.UserNameAttribute;
import org.forgerock.openam.radius.common.UserPasswordAttribute;
import org.forgerock.openam.radius.server.RadiusProcessingException;
import org.forgerock.openam.radius.server.RadiusRequest;
import org.forgerock.openam.radius.server.RadiusRequestContext;
import org.forgerock.openam.radius.server.RadiusResponse;
import org.forgerock.openam.radius.server.config.RadiusServerConstants;
import org.forgerock.openam.radius.server.events.AuthRequestReceivedEvent;
import org.forgerock.openam.radius.server.spi.AccessRequestHandler;
import org.forgerock.openam.radius.server.spi.handlers.amhandler.ContextHolder;
import org.forgerock.openam.radius.server.spi.handlers.amhandler.ContextHolderCache;
import org.forgerock.openam.radius.server.spi.handlers.amhandler.OpenAMAuthFactory;
import org.forgerock.openam.utils.Time;

/* loaded from: input_file:org/forgerock/openam/radius/server/spi/handlers/OpenAMAuthHandler.class */
public class OpenAMAuthHandler implements AccessRequestHandler {
    private static final Debug LOG = Debug.getInstance(RadiusServerConstants.RADIUS_SERVER_LOGGER);
    private final ContextHolderCache contextCache;
    private static final String REALM_KEY = "realm";
    private static final String AUTH_CHAIN_KEY = "chain";
    private String realm = null;
    private String authChain = null;
    private final OpenAMAuthFactory amAuthFactory;
    private EventBus eventBus;

    @Inject
    public OpenAMAuthHandler(OpenAMAuthFactory openAMAuthFactory, ContextHolderCache contextHolderCache, @Named("RadiusEventBus") EventBus eventBus) {
        this.amAuthFactory = openAMAuthFactory;
        this.contextCache = contextHolderCache;
        this.eventBus = eventBus;
    }

    @Override // org.forgerock.openam.radius.server.spi.AccessRequestHandler
    public void init(Properties properties) {
        this.realm = getConfigProperty(REALM_KEY, properties, true);
        this.authChain = getConfigProperty(AUTH_CHAIN_KEY, properties, true);
    }

    @Override // org.forgerock.openam.radius.server.spi.AccessRequestHandler
    public void handle(RadiusRequest radiusRequest, RadiusResponse radiusResponse, RadiusRequestContext radiusRequestContext) throws RadiusProcessingException {
        LOG.message("Entering OpenAMAuthHandler.handle");
        radiusResponse.setRealm(this.realm);
        StateAttribute stateAttribute = (StateAttribute) radiusRequest.getAttribute(StateAttribute.class);
        ContextHolder contextHolder = null;
        if (stateAttribute != null) {
            contextHolder = this.contextCache.get(stateAttribute.getState());
        }
        try {
            String extractPassword = radiusRequest.getAttribute(UserPasswordAttribute.class).extractPassword(radiusRequestContext.getRequestAuthenticator(), radiusRequestContext.getClientSecret());
            if (contextHolder == null) {
                ContextHolder createCachedContextHolder = this.contextCache.createCachedContextHolder();
                radiusRequest.setContextHolderKey(createCachedContextHolder.getCacheKey());
                this.eventBus.post(new AuthRequestReceivedEvent(radiusRequest, radiusResponse, radiusRequestContext));
                UserNameAttribute userNameAttribute = (UserNameAttribute) radiusRequest.getAttribute(UserNameAttribute.class);
                if (userNameAttribute == null) {
                    LOG.error("Request is missing USER_NAME attribute. Denying Access.");
                    rejectAccessAndTerminateProcess(radiusResponse, createCachedContextHolder);
                    LOG.message("Leaving OpenAMAuthHandler.handle()");
                    return;
                } else {
                    contextHolder = startAuthProcess(createCachedContextHolder, radiusResponse, userNameAttribute, extractPassword);
                    if (contextHolder == null || contextHolder.getAuthPhase() == ContextHolder.AuthPhase.TERMINATED) {
                        LOG.message("Leaving OpenAMAuthHandler.handle(); Auth phase is TERMINATED.");
                        return;
                    }
                }
            } else {
                radiusRequest.setContextHolderKey(contextHolder.getCacheKey());
                this.eventBus.post(new AuthRequestReceivedEvent(radiusRequest, radiusResponse, radiusRequestContext));
            }
            gatherUserInput(radiusResponse, contextHolder, extractPassword, stateAttribute);
            if (contextHolder.getAuthPhase() == ContextHolder.AuthPhase.FINALIZING) {
                finalizeAuthProcess(radiusResponse, contextHolder);
            }
            LOG.message("Leaving OpenAMAuthHandler.handle();");
        } catch (IOException e) {
            LOG.error("Unable to extract credential field from RADIUS request. Denying Access.", e);
            rejectAccessAndTerminateProcess(radiusResponse, contextHolder);
            LOG.message("Leaving OpenAMAuthHandler.handle();");
        }
    }

    private static String getConfigProperty(String str, Properties properties, boolean z) {
        String property = properties.getProperty(str);
        if (z && Strings.isNullOrEmpty(property)) {
            throw new IllegalStateException("Configuration property '" + str + "' not found in handler configuration. It must be added to the Configuration Properties for this class in the Radius Client's configuration.");
        }
        return property;
    }

    private void finalizeAuthProcess(RadiusResponse radiusResponse, ContextHolder contextHolder) throws RadiusProcessingException {
        LOG.message("Entering OpenAMAuthHandler.finalizeAuthProcess()");
        if (contextHolder.getAuthContext().getStatus().equals(AuthContext.Status.SUCCESS)) {
            allowAccessAndTerminateProcess(radiusResponse, contextHolder);
        } else {
            rejectAccessAndTerminateProcess(radiusResponse, contextHolder);
        }
    }

    private void gatherUserInput(RadiusResponse radiusResponse, ContextHolder contextHolder, String str, StateAttribute stateAttribute) {
        LOG.message("Entering gatherUserInput();");
        while (contextHolder.getAuthPhase() == ContextHolder.AuthPhase.GATHERING_INPUT) {
            if (contextHolder.getCallbacks() == null) {
                LOG.message("--- callbacks == null in gatherUserInput");
                if (!isNextCallbackSetAvailable(radiusResponse, contextHolder)) {
                    if (contextHolder.getAuthPhase() == ContextHolder.AuthPhase.TERMINATED) {
                        return;
                    }
                    LOG.message("--- NextCallbackSet not-available in gatherUserInput - move to finalization");
                    contextHolder.setAuthPhase(ContextHolder.AuthPhase.FINALIZING);
                    return;
                }
            } else {
                LOG.warning("--- callbacks[" + contextHolder.getCallbacks().length + "] in gatherUserInput - ");
                if (!injectAnswerForCallback(radiusResponse, contextHolder, str)) {
                    return;
                }
            }
            Callback[] callbacks = contextHolder.getCallbacks();
            if (contextHolder.getIdxOfCurrentCallback() <= callbacks.length - 1) {
                ReplyMessageAttribute nextCallbackReplyMsg = getNextCallbackReplyMsg(radiusResponse, contextHolder);
                if (nextCallbackReplyMsg == null) {
                    return;
                }
                AccessChallenge accessChallenge = new AccessChallenge();
                if (stateAttribute == null) {
                    stateAttribute = new StateAttribute(contextHolder.getCacheKey());
                }
                accessChallenge.addAttribute(stateAttribute);
                accessChallenge.addAttribute(nextCallbackReplyMsg);
                radiusResponse.setResponsePacket(accessChallenge);
                return;
            }
            LOG.warning("--- holder.idxOfCurrentCallback " + contextHolder.getIdxOfCurrentCallback() + " > holder.callbacks.length-1 " + (contextHolder.getCallbacks().length - 1) + " in gatherUserInput - submitting/set callbacks=null");
            try {
                contextHolder.getAuthContext().submitRequirements(callbacks);
                contextHolder.setCallbacks(null);
            } catch (Throwable th) {
                LOG.error("Exception thrown while submitting callbacks. Rejecting access.", th);
                rejectAccessAndTerminateProcess(radiusResponse, contextHolder);
                return;
            }
        }
    }

    private boolean isNextCallbackSetAvailable(RadiusResponse radiusResponse, ContextHolder contextHolder) {
        if (!contextHolder.getAuthContext().hasMoreRequirements()) {
            contextHolder.setCallbacks(null);
            return false;
        }
        Callback[] requirements = contextHolder.getAuthContext().getRequirements(true);
        contextHolder.setCallbacks(requirements);
        if (contextHolder.getCallbacks() == null) {
            return false;
        }
        if (!(requirements[0] instanceof PagePropertiesCallback)) {
            LOG.error("Callback at index 0 is not of type PagePropertiesCallback!!!");
            rejectAccessAndTerminateProcess(radiusResponse, contextHolder);
            return false;
        }
        PagePropertiesCallback pagePropertiesCallback = (PagePropertiesCallback) requirements[0];
        contextHolder.setCallbackSetProps(pagePropertiesCallback);
        contextHolder.setIdxOfCurrentCallback(1);
        String moduleName = pagePropertiesCallback.getModuleName();
        if (moduleName.equals(contextHolder.getModuleName())) {
            contextHolder.incrementIdxOfCallbackSetInModule();
        } else {
            contextHolder.setModuleName(moduleName);
            contextHolder.incrementChainModuleIndex();
            contextHolder.setIdxOfCallbackSetInModule(0);
        }
        contextHolder.setMillisExpiryForCurrentCallbacks(Long.valueOf(1000 * pagePropertiesCallback.getTimeOutValue()));
        contextHolder.setMillisExpiryPoint(Long.valueOf(Time.currentTimeMillis() + contextHolder.getMillisExpiryForCurrentCallbacks().longValue()));
        boolean z = false;
        boolean z2 = false;
        int i = 1;
        while (true) {
            if (i >= requirements.length) {
                break;
            }
            Callback callback = requirements[i];
            if (callback instanceof HttpCallback) {
                z = true;
                break;
            }
            if (callback instanceof RedirectCallback) {
                z2 = true;
                break;
            }
            i++;
        }
        if (!z && !z2) {
            return true;
        }
        LOG.error("Radius can not support " + (z ? HttpCallback.class.getSimpleName() : RedirectCallback.class.getSimpleName()) + " used by module " + contextHolder.getChainModuleIndex() + " with name " + contextHolder.getModuleName() + " in chain '" + this.authChain + "'. Denying Access.");
        rejectAccessAndTerminateProcess(radiusResponse, contextHolder);
        return false;
    }

    private void rejectAccessAndTerminateProcess(RadiusResponse radiusResponse, ContextHolder contextHolder) {
        radiusResponse.setResponsePacket(new AccessReject());
        radiusResponse.setUniversalId(contextHolder.getUniversalId());
        terminateAuthnProcess(contextHolder);
    }

    private void allowAccessAndTerminateProcess(RadiusResponse radiusResponse, ContextHolder contextHolder) throws RadiusProcessingException {
        radiusResponse.setResponsePacket(new AccessAccept());
        radiusResponse.setUniversalId(contextHolder.getUniversalId());
        terminateAuthnProcess(contextHolder);
    }

    private void terminateAuthnProcess(ContextHolder contextHolder) {
        this.contextCache.remove(contextHolder.getCacheKey());
        contextHolder.setAuthPhase(ContextHolder.AuthPhase.TERMINATED);
        if (contextHolder.getAuthContext() == null || contextHolder.getAuthContext().getStatus() != AuthContext.Status.SUCCESS) {
            return;
        }
        try {
            contextHolder.getAuthContext().logout();
        } catch (AuthLoginException e) {
            LOG.error("Unable to logout of AuthContext while terminating RADIUS auth sequence.", e);
        }
    }

    private boolean injectAnswerForCallback(RadiusResponse radiusResponse, ContextHolder contextHolder, String str) {
        NameCallback[] callbacks = contextHolder.getCallbacks();
        if (callbacks == null) {
            return false;
        }
        NameCallback nameCallback = callbacks[contextHolder.getIdxOfCurrentCallback()];
        contextHolder.incrementIdxOfCurrentCallback();
        if (nameCallback instanceof NameCallback) {
            nameCallback.setName(str);
        } else if (nameCallback instanceof PasswordCallback) {
            ((PasswordCallback) nameCallback).setPassword(str.toCharArray());
        } else if (nameCallback instanceof ChoiceCallback) {
            ChoiceCallback choiceCallback = (ChoiceCallback) nameCallback;
            int length = choiceCallback.getChoices().length - 1;
            if ("".equals(str)) {
                choiceCallback.setSelectedIndex(choiceCallback.getDefaultChoice());
                return true;
            }
            boolean z = str.indexOf(32) != -1;
            if (!choiceCallback.allowMultipleSelections() || !z) {
                int parseInt = parseInt(radiusResponse, str, str, length, contextHolder, nameCallback);
                if (parseInt == -1) {
                    return false;
                }
                choiceCallback.setSelectedIndex(parseInt);
            } else if (z) {
                String[] split = str.split(" ");
                ArrayList arrayList = new ArrayList();
                for (String str2 : split) {
                    if (!"".equals(str2)) {
                        int parseInt2 = parseInt(radiusResponse, str2, str, length, contextHolder, nameCallback);
                        if (parseInt2 == -1) {
                            return false;
                        }
                        arrayList.add(Integer.valueOf(parseInt2));
                    }
                }
                int[] iArr = new int[arrayList.size()];
                for (int i = 0; i < iArr.length; i++) {
                    iArr[i] = ((Integer) arrayList.get(i)).intValue();
                }
                choiceCallback.setSelectedIndexes(iArr);
            }
        } else {
            if (!(nameCallback instanceof ConfirmationCallback)) {
                LOG.error("Unrecognized callback type '" + nameCallback.getClass().getSimpleName() + "' while processing challenge response. Unable to submit answer. Denying Access.");
                rejectAccessAndTerminateProcess(radiusResponse, contextHolder);
                return false;
            }
            ConfirmationCallback confirmationCallback = (ConfirmationCallback) nameCallback;
            int length2 = confirmationCallback.getOptions().length - 1;
            if ("".equals(str)) {
                confirmationCallback.setSelectedIndex(confirmationCallback.getDefaultOption());
                return true;
            }
            int parseInt3 = parseInt(radiusResponse, str, str, length2, contextHolder, nameCallback);
            if (parseInt3 == -1) {
                return false;
            }
            confirmationCallback.setSelectedIndex(parseInt3);
        }
        contextHolder.setMillisExpiryPoint(Long.valueOf(Time.currentTimeMillis() + contextHolder.getMillisExpiryForCurrentCallbacks().longValue()));
        return true;
    }

    private int parseInt(RadiusResponse radiusResponse, String str, String str2, int i, ContextHolder contextHolder, Callback callback) {
        int i2 = -1;
        try {
            i2 = Integer.parseInt(str);
            if (i2 >= 0 && i2 <= i) {
                return i2;
            }
            LOG.error("Out of range index specified in answer '" + str2 + "' for callback " + contextHolder.getIdxOfCurrentCallback() + " of type " + callback.getClass().getSimpleName() + " for callback set " + contextHolder.getIdxOfCallbackSetInModule() + " in module " + contextHolder.getChainModuleIndex() + (contextHolder.getModuleName() != null ? " with name " + contextHolder.getModuleName() : "") + " of authentication chain " + this.authChain + " in realm " + this.realm + ". Must be from 0 to " + i + ". Denying Access.");
            rejectAccessAndTerminateProcess(radiusResponse, contextHolder);
            return -1;
        } catch (NumberFormatException e) {
            LOG.error("Invalid number '" + str + "' specified in answer '" + str2 + "' for callback " + contextHolder.getIdxOfCurrentCallback() + " of type " + callback.getClass().getSimpleName() + " for callback set " + contextHolder.getIdxOfCallbackSetInModule() + " in module " + contextHolder.getChainModuleIndex() + (contextHolder.getModuleName() != null ? " with name " + contextHolder.getModuleName() : "") + " of authentication chain " + this.authChain + " in realm " + this.realm + ". Denying Access.");
            rejectAccessAndTerminateProcess(radiusResponse, contextHolder);
            return i2;
        }
    }

    private ContextHolder startAuthProcess(ContextHolder contextHolder, RadiusResponse radiusResponse, UserNameAttribute userNameAttribute, String str) {
        LOG.message("Entering OpenAMAuthHandler.startAuthProcess");
        try {
            contextHolder.setAuthContext(this.amAuthFactory.getAuthContext(this.realm));
            try {
                contextHolder.getAuthContext().login(AuthContext.IndexType.SERVICE, this.authChain);
                if (!isNextCallbackSetAvailable(radiusResponse, contextHolder)) {
                    if (contextHolder.getAuthPhase() != ContextHolder.AuthPhase.TERMINATED) {
                        LOG.error("Unable to start login process. No callbacks available. Denying Access.");
                        rejectAccessAndTerminateProcess(radiusResponse, contextHolder);
                    }
                    LOG.message("Leaving OpenAMAuthHandler.startAuthProcess");
                    return contextHolder;
                }
                boolean z = false;
                boolean z2 = false;
                NameCallback[] callbacks = contextHolder.getCallbacks();
                for (int idxOfCurrentCallback = contextHolder.getIdxOfCurrentCallback(); idxOfCurrentCallback < callbacks.length; idxOfCurrentCallback++) {
                    if (callbacks[idxOfCurrentCallback] instanceof NameCallback) {
                        contextHolder.incrementIdxOfCurrentCallback();
                        callbacks[idxOfCurrentCallback].setName(userNameAttribute.getName());
                        z = true;
                    } else if (callbacks[idxOfCurrentCallback] instanceof PasswordCallback) {
                        contextHolder.incrementIdxOfCurrentCallback();
                        ((PasswordCallback) callbacks[idxOfCurrentCallback]).setPassword(str.toCharArray());
                        z2 = true;
                    } else {
                        contextHolder.incrementIdxOfCurrentCallback();
                    }
                }
                if (z && z2) {
                    contextHolder.getAuthContext().submitRequirements(callbacks);
                    contextHolder.setCallbacks(null);
                } else {
                    LOG.error("First callback set for first module" + (contextHolder.getModuleName() != null ? " '" + contextHolder.getModuleName() + "'" : "") + " in authentication chain '" + this.authChain + "' does not support Username and Password callbacks. Denying Access.");
                    rejectAccessAndTerminateProcess(radiusResponse, contextHolder);
                }
                contextHolder.setAuthPhase(ContextHolder.AuthPhase.GATHERING_INPUT);
                LOG.message("Leaving OpenAMAuthHandler.startAuthProcess");
                return contextHolder;
            } catch (AuthLoginException e) {
                LOG.error("Unable to start login process. Denying Access.", e);
                rejectAccessAndTerminateProcess(radiusResponse, contextHolder);
                LOG.message("Leaving OpenAMAuthHandler.startAuthProcess");
                return contextHolder;
            }
        } catch (AuthLoginException e2) {
            LOG.error("Unable to start create " + AuthContext.class.getName() + ". Denying Access.", e2);
            rejectAccessAndTerminateProcess(radiusResponse, contextHolder);
            LOG.message("Leaving OpenAMAuthHandler.startAuthProcess");
            return contextHolder;
        }
    }

    private ReplyMessageAttribute getNextCallbackReplyMsg(RadiusResponse radiusResponse, ContextHolder contextHolder) {
        LOG.message("Entering getNextCallbackReplyMsg()");
        ReplyMessageAttribute replyMessageAttribute = null;
        NameCallback[] callbacks = contextHolder.getCallbacks();
        if (callbacks == null) {
            return null;
        }
        NameCallback nameCallback = callbacks[contextHolder.getIdxOfCurrentCallback()];
        String str = "";
        PagePropertiesCallback callbackSetProps = contextHolder.getCallbackSetProps();
        if (callbackSetProps != null && !"".equals(callbackSetProps.getHeader())) {
            str = callbackSetProps.getHeader() + " ";
        }
        if (nameCallback instanceof NameCallback) {
            LOG.message("getNextCallbackReplyMsg(); - processing NameCallback.");
            replyMessageAttribute = new ReplyMessageAttribute(str + nameCallback.getPrompt());
        } else if (nameCallback instanceof PasswordCallback) {
            LOG.message("getNextCallbackReplyMsg(); - processing PasswordCallback.");
            replyMessageAttribute = new ReplyMessageAttribute(str + ((PasswordCallback) nameCallback).getPrompt());
        } else if (nameCallback instanceof ChoiceCallback) {
            LOG.message("getNextCallbackReplyMsg(); - processing ChoiceCallback.");
            ChoiceCallback choiceCallback = (ChoiceCallback) nameCallback;
            StringBuilder sb = new StringBuilder();
            sb.append(str);
            sb.append(choiceCallback.getPrompt());
            if (choiceCallback.allowMultipleSelections()) {
                sb.append(" (Separate Selected Numbers by Spaces");
                if (choiceCallback.getDefaultChoice() >= 0) {
                    sb.append(". Default is " + choiceCallback.getDefaultChoice());
                }
                sb.append(".)");
            }
            sb.append('\n');
            String[] choices = choiceCallback.getChoices();
            for (int i = 0; i < choices.length; i++) {
                String str2 = choices[i];
                if (i != 0) {
                    sb.append(",\n");
                }
                sb.append(i);
                sb.append(" = ");
                sb.append(str2);
            }
            replyMessageAttribute = new ReplyMessageAttribute(sb.toString());
        } else if (nameCallback instanceof ConfirmationCallback) {
            LOG.message("getNextCallbackReplyMsg(); - processing ConformationCallback.");
            ConfirmationCallback confirmationCallback = (ConfirmationCallback) nameCallback;
            StringBuilder sb2 = new StringBuilder();
            sb2.append(str);
            String prompt = confirmationCallback.getPrompt();
            if (prompt != null) {
                sb2.append(prompt);
            }
            if (confirmationCallback.getDefaultOption() >= 0) {
                sb2.append(" (Default is ");
                sb2.append(confirmationCallback.getDefaultOption());
                sb2.append(".)");
            }
            sb2.append('\n');
            String[] options = confirmationCallback.getOptions();
            for (int i2 = 0; i2 < options.length; i2++) {
                String str3 = options[i2];
                if (i2 != 0) {
                    sb2.append(",\n");
                }
                sb2.append(i2);
                sb2.append(" = ");
                sb2.append(str3);
            }
            replyMessageAttribute = new ReplyMessageAttribute(sb2.toString());
        } else {
            LOG.error("Radius can not support " + nameCallback.getClass().getSimpleName() + " used by module " + contextHolder.getChainModuleIndex() + " with name " + contextHolder.getModuleName() + " in chain '" + this.authChain + "'. Denying Access.");
            rejectAccessAndTerminateProcess(radiusResponse, contextHolder);
        }
        LOG.message("Entering getNextCallbackReplyMsg() returning '" + replyMessageAttribute + "'");
        return replyMessageAttribute;
    }
}
