package org.bzdev.ejws;

import com.sun.net.httpserver.Authenticator;
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpPrincipal;
import java.io.IOException;
import java.net.InetAddress;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.time.Instant;
import java.util.Iterator;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiConsumer;
import org.bzdev.net.SecureBasicUtilities;
import org.bzdev.util.SafeFormatter;

/* loaded from: input_file:libbzdev-ejws.jar:org/bzdev/ejws/EjwsSecureBasicAuth.class */
public class EjwsSecureBasicAuth extends BasicAuthenticator {
    private Appendable tracer;
    private static ResourceBundle exbundle = ResourceBundle.getBundle("org.bzdev.ejws.lpack.SecureBasicAuth");
    Map<String, Entry> map;
    Certificate[] certificates;
    SecureBasicUtilities.Mode mode;
    private String unencodedRealm;
    private int lowerTimeDiffLimit;
    private int upperTimeDiffLimit;
    private int passphraseTimeout;
    private String loginPath;
    private boolean loginPathUsed;
    private boolean loginRequired;
    private BiConsumer<EjwsPrincipal, HttpExchange> loginFunction;
    private ThreadLocal<Boolean> foundLoginTL;
    private ThreadLocal<Integer> flCode;
    private String logoutPath;
    private boolean logoutPathUsed;
    private BiConsumer<EjwsPrincipal, HttpExchange> logoutFunction;
    private ThreadLocal<Boolean> foundLogoutTL;
    private ThreadLocal<String> usernameTL;
    private BiConsumer<EjwsPrincipal, HttpExchange> authFunction;
    ThreadLocal<Integer> utdl;
    ThreadLocal<InetAddress> addr;
    FileHandler fileHandler;
    private Map<PWInfoKey, PWInfo> pwmap;
    private long TOFFSET;

    /* loaded from: input_file:libbzdev-ejws.jar:org/bzdev/ejws/EjwsSecureBasicAuth$Entry.class */
    public static class Entry {
        String pw;
        Set<String> roles;
        SecureBasicUtilities keyops;

        public Entry(String str, Set<String> set) {
            this.pw = str;
            this.roles = set;
            this.keyops = new SecureBasicUtilities();
        }

        public Entry(String str, String str2, Set<String> set) {
            this.pw = str2;
            this.roles = set;
            try {
                this.keyops = new SecureBasicUtilities(str);
            } catch (IOException e) {
                throw new IllegalArgumentException("PEM", e);
            } catch (GeneralSecurityException e2) {
                throw new IllegalArgumentException("PEM", e2);
            }
        }

        public String getPassword() {
            return this.pw;
        }

        public Set<String> getRoles() {
            return this.roles;
        }

        public SecureBasicUtilities getSecureBasicUtilities() {
            return this.keyops;
        }
    }

    /* loaded from: input_file:libbzdev-ejws.jar:org/bzdev/ejws/EjwsSecureBasicAuth$PWInfo.class */
    private static class PWInfo {
        long expires;
        String password;

        public PWInfo(long j, String str) {
            this.expires = j;
            this.password = str;
        }
    }

    /* loaded from: input_file:libbzdev-ejws.jar:org/bzdev/ejws/EjwsSecureBasicAuth$PWInfoKey.class */
    private static class PWInfoKey {
        String username;
        InetAddress address;

        public PWInfoKey(String str, InetAddress inetAddress) {
            this.username = str;
            this.address = inetAddress;
        }

        public boolean equals(Object obj) {
            if (!(obj instanceof PWInfoKey)) {
                return false;
            }
            PWInfoKey pWInfoKey = (PWInfoKey) obj;
            return this.username.equals(pWInfoKey.username) && this.address.equals(pWInfoKey.address);
        }

        public int hashCode() {
            return (127 * ((127 * 1) + (this.username == null ? 0 : this.username.hashCode()))) + (this.address == null ? 0 : this.address.hashCode());
        }
    }

    public void setTracer(Appendable appendable) {
        this.tracer = appendable;
    }

    static String errorMsg(String str, Object... objArr) {
        return new SafeFormatter().format(exbundle.getString(str), objArr).toString();
    }

    public SecureBasicUtilities.Mode getMode() {
        return this.mode;
    }

    public void setTimeLimits(int i, int i2, int i3) throws IllegalArgumentException {
        if (i > 0) {
            throw new IllegalArgumentException(errorMsg("positiveLowerTDL", Integer.valueOf(i)));
        }
        if (i2 < 0) {
            throw new IllegalArgumentException(errorMsg("negativeUpperTDL", Integer.valueOf(i2)));
        }
        if (i3 < i2) {
            throw new IllegalArgumentException(errorMsg("passphraseTimeout", Integer.valueOf(i3), Integer.valueOf(i2)));
        }
        this.lowerTimeDiffLimit = i;
        this.upperTimeDiffLimit = i2;
        this.passphraseTimeout = i3;
    }

    public EjwsSecureBasicAuth(String str) {
        this(str, new ConcurrentHashMap());
    }

    public EjwsSecureBasicAuth(String str, Map<String, Entry> map) {
        super(SecureBasicUtilities.encodeRealm(str, SecureBasicUtilities.Mode.DIGEST));
        this.tracer = null;
        this.map = null;
        this.lowerTimeDiffLimit = -10;
        this.upperTimeDiffLimit = 150;
        this.passphraseTimeout = 1200;
        this.loginPath = null;
        this.loginPathUsed = true;
        this.loginRequired = false;
        this.loginFunction = null;
        this.foundLoginTL = new ThreadLocal<>();
        this.flCode = new ThreadLocal<>();
        this.logoutPath = null;
        this.logoutPathUsed = true;
        this.logoutFunction = null;
        this.foundLogoutTL = new ThreadLocal<>();
        this.usernameTL = new ThreadLocal<>();
        this.authFunction = null;
        this.utdl = new ThreadLocal<>();
        this.addr = new ThreadLocal<>();
        this.fileHandler = null;
        this.pwmap = new ConcurrentHashMap();
        this.TOFFSET = 30L;
        this.unencodedRealm = str;
        this.mode = SecureBasicUtilities.Mode.DIGEST;
        this.map = map;
    }

    private static SecureBasicUtilities.Mode getMode(Certificate certificate) {
        return certificate == null ? SecureBasicUtilities.Mode.SIGNATURE_WITHOUT_CERT : SecureBasicUtilities.Mode.SIGNATURE_WITH_CERT;
    }

    private static SecureBasicUtilities.Mode getMode(Certificate[] certificateArr) {
        if (certificateArr == null) {
            return SecureBasicUtilities.Mode.SIGNATURE_WITHOUT_CERT;
        }
        int i = 0;
        for (Certificate certificate : certificateArr) {
            if (certificate != null) {
                i++;
            }
        }
        return getMode(i);
    }

    private static SecureBasicUtilities.Mode getMode(int i) {
        return i == 0 ? SecureBasicUtilities.Mode.SIGNATURE_WITHOUT_CERT : SecureBasicUtilities.Mode.SIGNATURE_WITH_CERT;
    }

    public EjwsSecureBasicAuth(String str, Certificate[] certificateArr) {
        this(str, certificateArr, new ConcurrentHashMap());
    }

    public EjwsSecureBasicAuth(String str, Certificate[] certificateArr, Map<String, Entry> map) {
        super(SecureBasicUtilities.encodeRealm(str, getMode(certificateArr)));
        this.tracer = null;
        this.map = null;
        this.lowerTimeDiffLimit = -10;
        this.upperTimeDiffLimit = 150;
        this.passphraseTimeout = 1200;
        this.loginPath = null;
        this.loginPathUsed = true;
        this.loginRequired = false;
        this.loginFunction = null;
        this.foundLoginTL = new ThreadLocal<>();
        this.flCode = new ThreadLocal<>();
        this.logoutPath = null;
        this.logoutPathUsed = true;
        this.logoutFunction = null;
        this.foundLogoutTL = new ThreadLocal<>();
        this.usernameTL = new ThreadLocal<>();
        this.authFunction = null;
        this.utdl = new ThreadLocal<>();
        this.addr = new ThreadLocal<>();
        this.fileHandler = null;
        this.pwmap = new ConcurrentHashMap();
        this.TOFFSET = 30L;
        this.unencodedRealm = str;
        this.map = map;
        if (certificateArr == null) {
            this.mode = getMode(0);
            return;
        }
        int i = 0;
        for (Certificate certificate : certificateArr) {
            if (certificate != null) {
                i++;
            }
        }
        if (i != 0) {
            int i2 = 0;
            this.certificates = new Certificate[i];
            for (Certificate certificate2 : certificateArr) {
                if (certificate2 != null) {
                    int i3 = i2;
                    i2++;
                    this.certificates[i3] = certificate2;
                }
            }
        }
        this.mode = getMode(i);
    }

    public void add(String str, String str2) throws UnsupportedOperationException {
        if (this.mode != SecureBasicUtilities.Mode.DIGEST) {
            throw new IllegalStateException(errorMsg("wrongMode", this.mode));
        }
        this.map.put(str, new Entry(str2, null));
    }

    public void add(String str, String str2, Set<String> set) throws UnsupportedOperationException {
        if (this.mode != SecureBasicUtilities.Mode.DIGEST) {
            throw new IllegalStateException(errorMsg("wrongMode", this.mode));
        }
        this.map.put(str, new Entry(str2, set));
    }

    public void add(String str, String str2, String str3) throws UnsupportedOperationException {
        add(str, str2, str3, null);
    }

    public void add(String str, String str2, String str3, Set<String> set) throws UnsupportedOperationException {
        if (this.mode == SecureBasicUtilities.Mode.DIGEST) {
            throw new IllegalStateException(errorMsg("wrongMode", this.mode));
        }
        this.map.put(str, new Entry(str2, str3, set));
    }

    public void setLoginFunction(BiConsumer<EjwsPrincipal, HttpExchange> biConsumer) {
        this.loginFunction = biConsumer;
    }

    public void setAuthorizedFunction(BiConsumer<EjwsPrincipal, HttpExchange> biConsumer) {
        this.authFunction = biConsumer;
    }

    public void setLogoutFunction(BiConsumer<EjwsPrincipal, HttpExchange> biConsumer) {
        this.logoutFunction = biConsumer;
    }

    public Authenticator.Result authenticate(HttpExchange httpExchange) {
        String first;
        if (this.tracer != null) {
            try {
                this.tracer.append("(" + (Thread.currentThread().getId()) + ") authenticating " + httpExchange.getRequestURI().toString() + "\n");
            } catch (IOException e) {
            }
        }
        if (this.loginPathUsed && this.loginPath == null) {
            HttpHandler handler = httpExchange.getHttpContext().getHandler();
            if (handler instanceof FileHandler) {
                this.fileHandler = (FileHandler) handler;
                String loginAlias = this.fileHandler.getLoginAlias();
                if (loginAlias != null) {
                    String path = httpExchange.getHttpContext().getPath();
                    if (!path.endsWith("/")) {
                        path = path + "/";
                    }
                    this.loginPath = path + loginAlias;
                    this.loginRequired = this.fileHandler.isLoginRequired();
                } else {
                    this.loginPathUsed = false;
                }
            } else {
                this.loginPathUsed = false;
            }
        }
        boolean z = false;
        if (this.loginPathUsed && httpExchange.getRequestURI().getPath().equals(this.loginPath)) {
            z = true;
        }
        if (this.loginRequired) {
            this.foundLoginTL.set(Boolean.valueOf(z));
            this.flCode.set(0);
        }
        if (this.logoutPathUsed && this.logoutPath == null) {
            HttpHandler handler2 = httpExchange.getHttpContext().getHandler();
            if (handler2 instanceof FileHandler) {
                this.fileHandler = (FileHandler) handler2;
                String logoutAlias = this.fileHandler.getLogoutAlias();
                if (logoutAlias != null) {
                    String path2 = httpExchange.getHttpContext().getPath();
                    if (!path2.endsWith("/")) {
                        path2 = path2 + "/";
                    }
                    this.logoutPath = path2 + logoutAlias;
                } else {
                    this.logoutPathUsed = false;
                }
            } else {
                this.logoutPathUsed = false;
            }
        }
        boolean z2 = false;
        if (this.logoutPathUsed && httpExchange.getRequestURI().getPath().equals(this.logoutPath)) {
            z2 = true;
        }
        if (this.loginRequired) {
            this.foundLogoutTL.set(Boolean.valueOf(z2));
        }
        if (this.tracer != null && ((first = httpExchange.getRequestHeaders().getFirst("Authorization")) == null || first.trim().length() == 0)) {
            try {
                this.tracer.append("(" + (Thread.currentThread().getId()) + ") ... no Authorization header\n");
            } catch (IOException e2) {
            }
        }
        InetAddress address = httpExchange.getRemoteAddress().getAddress();
        this.addr.set(address);
        Authenticator.Success authenticate = super.authenticate(httpExchange);
        if (!(authenticate instanceof Authenticator.Success)) {
            if (this.tracer != null) {
                try {
                    this.tracer.append("(" + (Thread.currentThread().getId()) + ") authentication failed\n");
                } catch (IOException e3) {
                }
            }
            if (this.loginRequired) {
                int intValue = this.flCode.get().intValue();
                if (intValue != 0) {
                    if (intValue == 307) {
                        String upperCase = httpExchange.getProtocol().toUpperCase();
                        intValue = (upperCase.startsWith("HTTP") && upperCase.endsWith("/1.0")) ? 302 : 307;
                        httpExchange.getResponseHeaders().set("Location", this.fileHandler.getLogoutURI().toASCIIString());
                        String str = this.usernameTL.get();
                        EjwsPrincipal ejwsPrincipal = new EjwsPrincipal(str, this.unencodedRealm, this.map.get(str).roles);
                        if (this.logoutFunction != null) {
                            this.logoutFunction.accept(ejwsPrincipal, null);
                        }
                    }
                    return new Authenticator.Failure(intValue);
                }
            }
            return authenticate;
        }
        HttpPrincipal principal = authenticate.getPrincipal();
        String username = principal.getUsername();
        if (this.tracer != null) {
            try {
                this.tracer.append("(" + (Thread.currentThread().getId()) + ") authenticated user \"" + username + "\" for realm " + principal.getRealm() + "\n");
            } catch (IOException e4) {
            }
        }
        EjwsPrincipal ejwsPrincipal2 = new EjwsPrincipal(username, SecureBasicUtilities.decodeRealm(principal.getRealm()), this.map.get(username).roles);
        if (z && this.loginFunction != null) {
            this.loginFunction.accept(ejwsPrincipal2, httpExchange);
        } else if (z2) {
            if (this.logoutFunction != null) {
                this.logoutFunction.accept(ejwsPrincipal2, httpExchange);
            }
            this.pwmap.remove(new PWInfoKey(username, address));
        } else if (!z && !z2 && this.authFunction != null) {
            this.authFunction.accept(ejwsPrincipal2, httpExchange);
        }
        return new Authenticator.Success(ejwsPrincipal2);
    }

    public void prune() {
        long epochSecond = Instant.now().getEpochSecond();
        Iterator<Map.Entry<PWInfoKey, PWInfo>> it = this.pwmap.entrySet().iterator();
        while (it.hasNext()) {
            Map.Entry<PWInfoKey, PWInfo> next = it.next();
            if (next.getValue().expires < epochSecond - this.TOFFSET) {
                String str = next.getKey().username;
                it.remove();
                EjwsPrincipal ejwsPrincipal = new EjwsPrincipal(str, this.unencodedRealm, this.map.get(str).roles);
                if (this.logoutFunction != null) {
                    this.logoutFunction.accept(ejwsPrincipal, null);
                }
            }
        }
    }

    public boolean checkCredentials(String str, String str2) {
        long epochSecond = Instant.now().getEpochSecond();
        PWInfoKey pWInfoKey = new PWInfoKey(str, this.addr.get());
        PWInfo pWInfo = this.pwmap.get(pWInfoKey);
        if (pWInfo != null) {
            if (pWInfo.expires - epochSecond >= 0) {
                if (pWInfo.password.equals(str2)) {
                    pWInfo.expires = this.passphraseTimeout + epochSecond;
                    if (this.tracer == null) {
                        return true;
                    }
                    try {
                        this.tracer.append("(" + (Thread.currentThread().getId()) + ") ... authentication cache hit found\n");
                        return true;
                    } catch (IOException e) {
                        return true;
                    }
                }
            } else if (pWInfo.password.equals(str2)) {
                this.pwmap.remove(pWInfoKey);
                if (this.tracer != null) {
                    try {
                        this.tracer.append("(" + (Thread.currentThread().getId()) + ") ... authentication extended timeout expired\n");
                    } catch (IOException e2) {
                    }
                }
                if (!this.loginRequired) {
                    return false;
                }
                this.flCode.set(307);
                this.usernameTL.set(str);
                return false;
            }
        } else if (this.loginRequired) {
            boolean booleanValue = this.foundLoginTL.get().booleanValue();
            boolean booleanValue2 = this.foundLogoutTL.get().booleanValue();
            if (!booleanValue && !booleanValue2) {
                this.flCode.set(403);
                return false;
            }
        }
        Entry entry = this.map.get(str);
        if (entry == null) {
            return false;
        }
        SecureBasicUtilities secureBasicUtilities = entry.keyops;
        byte[] decodePassword = SecureBasicUtilities.decodePassword(str2);
        if (decodePassword == null) {
            return false;
        }
        int timeDiff = SecureBasicUtilities.getTimeDiff(decodePassword);
        if (timeDiff < this.lowerTimeDiffLimit || timeDiff > this.upperTimeDiffLimit) {
            if (this.tracer == null) {
                return false;
            }
            try {
                this.tracer.append("(" + (Thread.currentThread().getId()) + ") ... authentication timeout expired\n");
                return false;
            } catch (IOException e3) {
                return false;
            }
        }
        try {
            if (this.certificates == null) {
                if (!secureBasicUtilities.checkPassword(decodePassword, null, entry.pw)) {
                    return false;
                }
                this.pwmap.put(pWInfoKey, new PWInfo(epochSecond + this.passphraseTimeout, str2));
                if (this.tracer == null) {
                    return true;
                }
                try {
                    this.tracer.append("(" + (Thread.currentThread().getId()) + ") ... authentication OK (no certificates to check)\n");
                    return true;
                } catch (IOException e4) {
                    return true;
                }
            }
            for (int i = 0; i < this.certificates.length; i++) {
                if (secureBasicUtilities.checkPassword(decodePassword, this.certificates[i], entry.pw)) {
                    this.pwmap.put(pWInfoKey, new PWInfo(epochSecond + this.passphraseTimeout, str2));
                    if (this.tracer == null) {
                        return true;
                    }
                    try {
                        this.tracer.append("(" + (Thread.currentThread().getId()) + ") ... authentication OK (found a matching certificate)\n");
                        return true;
                    } catch (IOException e5) {
                        return true;
                    }
                }
            }
            return false;
        } catch (GeneralSecurityException e6) {
            return false;
        }
    }
}
