package org.jboss.as.domain.http.server.security;

import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.sasl.RealmCallback;
import org.jboss.as.domain.http.server.Constants;
import org.jboss.as.domain.http.server.HttpServerLogger;
import org.jboss.as.domain.http.server.HttpServerMessages;
import org.jboss.as.domain.management.AuthenticationMechanism;
import org.jboss.as.domain.management.AuthorizingCallbackHandler;
import org.jboss.as.domain.management.SecurityRealm;
import org.jboss.com.sun.net.httpserver.Authenticator;
import org.jboss.com.sun.net.httpserver.Headers;
import org.jboss.com.sun.net.httpserver.HttpExchange;
import org.jboss.com.sun.net.httpserver.HttpPrincipal;
import org.jboss.com.sun.net.httpserver.HttpsExchange;
import org.jboss.sasl.callback.DigestHashCallback;
import org.jboss.sasl.util.HexConverter;

/* loaded from: input_file:org/jboss/as/domain/http/server/security/DigestAuthenticator.class */
public class DigestAuthenticator extends Authenticator {
    private static final String USE_CONNECTION_LOCAL_NONCES_PROPERTY = "org.jboss.domain.http.USE_LOCAL_NONCES";
    private static final boolean USE_CONNECTION_LOCAL_NONCES = SecurityActions.getBoolean(USE_CONNECTION_LOCAL_NONCES_PROPERTY);
    private final SecurityRealm securityRealm;
    private final String realmName;
    private final boolean preDigested;
    private static final byte COLON = 58;
    private static final String CHALLENGE = "Digest";
    private static final String NONCE = "nonce";
    private static final String MD5 = "MD5";
    private static final String REALM = "realm";
    private static final String RESPONSE = "response";
    private static final String USERNAME = "username";
    private static final String URI = "uri";
    private final NonceFactory theNonceFactory = new NonceFactory();
    private final ThreadLocal<AuthorizingCallbackHandler> callbackHandler = new ThreadLocal<>();

    /* loaded from: input_file:org/jboss/as/domain/http/server/security/DigestAuthenticator$DigestContext.class */
    public static class DigestContext {
        private static final String KEY = "DIGEST_CONTEXT";
        private final NonceFactory theNonceFactory;
        private final boolean localStore;
        private HttpPrincipal principal = null;
        private String nonce = null;

        DigestContext(NonceFactory nonceFactory, boolean z) {
            this.localStore = z;
            this.theNonceFactory = nonceFactory;
        }

        boolean isAuthenticated() {
            return this.principal != null;
        }

        HttpPrincipal getPrincipal() {
            return this.principal;
        }

        String createNonce() {
            String createNonce = this.theNonceFactory.createNonce(!this.localStore);
            if (this.localStore) {
                this.nonce = createNonce;
            }
            return createNonce;
        }

        public boolean useNonce(String str) {
            if (!this.localStore) {
                return this.theNonceFactory.useNonce(str);
            }
            if (!str.equals(this.nonce)) {
                return false;
            }
            this.nonce = null;
            return true;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/jboss/as/domain/http/server/security/DigestAuthenticator$HeaderParser.class */
    public class HeaderParser {
        private static final char EQUALS = '=';
        private static final char DELIMITER = ',';
        private static final char QUOTE = '\"';
        private static final char ESCAPE = '\\';
        private final String message;
        private final int length;
        private int pos = 0;
        private boolean hasNextConfirmed;

        /* JADX INFO: Access modifiers changed from: package-private */
        /* loaded from: input_file:org/jboss/as/domain/http/server/security/DigestAuthenticator$HeaderParser$Parameter.class */
        public class Parameter {
            String key;
            String value;

            Parameter() {
            }
        }

        HeaderParser(String str) {
            this.message = str;
            this.length = str.length();
        }

        boolean hasNext() {
            int indexOf;
            if (this.hasNextConfirmed) {
                return true;
            }
            if (this.pos >= this.length || (indexOf = this.message.indexOf(EQUALS, this.pos)) < 0 || indexOf >= this.length - 1) {
                return false;
            }
            this.hasNextConfirmed = true;
            return true;
        }

        Parameter next() {
            if (!this.hasNextConfirmed && !hasNext()) {
                return null;
            }
            Parameter parameter = new Parameter();
            int indexOf = this.message.indexOf(EQUALS, this.pos);
            parameter.key = this.message.substring(this.pos, indexOf).trim();
            this.pos = indexOf + 1;
            int indexOf2 = this.message.indexOf(DELIMITER, this.pos);
            int indexOf3 = this.message.indexOf(QUOTE, this.pos);
            boolean z = false;
            if (indexOf3 > 0 && (indexOf2 < 0 || indexOf3 < indexOf2)) {
                z = true;
            }
            if (z) {
                String trim = this.message.substring(this.pos, indexOf3).trim();
                if (!"".equals(trim)) {
                    throw HttpServerMessages.MESSAGES.unexpectedHeaderChar(trim, parameter.key);
                }
                this.pos = indexOf3;
                int i = -1;
                while (i < 0) {
                    indexOf3 = this.message.indexOf(QUOTE, indexOf3 + 1);
                    if (indexOf3 < 0) {
                        throw HttpServerMessages.MESSAGES.missingClosingQuote(parameter.key);
                    }
                    if (this.message.charAt(indexOf3 - 1) != ESCAPE) {
                        i = indexOf3;
                    }
                }
                parameter.value = this.message.substring(this.pos + 1, i);
                int indexOf4 = this.message.indexOf(DELIMITER, this.pos);
                if (indexOf4 > 0) {
                    this.pos = indexOf4 + 1;
                }
            } else {
                int indexOf5 = this.message.indexOf(DELIMITER, this.pos);
                if (indexOf5 > 0) {
                    parameter.value = this.message.substring(this.pos, indexOf5).trim();
                    this.pos = indexOf5 + 1;
                } else {
                    parameter.value = this.message.substring(this.pos, this.length - 1).trim();
                    this.pos = this.length + 1;
                }
            }
            this.hasNextConfirmed = false;
            return parameter;
        }
    }

    public DigestAuthenticator(SecurityRealm securityRealm, boolean z) {
        this.securityRealm = securityRealm;
        this.realmName = securityRealm.getName();
        this.preDigested = z;
    }

    public Authenticator.Result authenticate(HttpExchange httpExchange) {
        Subject subject = (Subject) httpExchange.getAttribute(Subject.class.getName(), HttpExchange.AttributeScope.CONNECTION);
        if (subject != null) {
            Set principals = subject.getPrincipals(HttpPrincipal.class);
            if (principals.size() > 0) {
                return new Authenticator.Success((HttpPrincipal) principals.iterator().next());
            }
        }
        this.callbackHandler.set(this.securityRealm.getAuthorizingCallbackHandler(AuthenticationMechanism.DIGEST));
        try {
            Authenticator.Result _authenticate = _authenticate(httpExchange);
            this.callbackHandler.set(null);
            return _authenticate;
        } catch (Throwable th) {
            this.callbackHandler.set(null);
            throw th;
        }
    }

    private Authenticator.Result _authenticate(HttpExchange httpExchange) {
        SSLSession sSLSession;
        Authenticator.Success success = null;
        if ((httpExchange instanceof HttpsExchange) && (sSLSession = ((HttpsExchange) httpExchange).getSSLSession()) != null) {
            try {
                success = new Authenticator.Success(new HttpPrincipal(sSLSession.getPeerPrincipal().getName(), this.realmName));
            } catch (SSLPeerUnverifiedException e) {
            }
        }
        if (success == null) {
            success = digestAuth(httpExchange);
        }
        if (success instanceof Authenticator.Success) {
            HttpPrincipal principal = success.getPrincipal();
            try {
                HashSet hashSet = new HashSet();
                hashSet.add(principal);
                httpExchange.setAttribute(Subject.class.getName(), this.callbackHandler.get().createSubjectUserInfo(hashSet).getSubject(), HttpExchange.AttributeScope.CONNECTION);
            } catch (IOException e2) {
                HttpServerLogger.ROOT_LOGGER.debug("Unable to create SubjectUserInfo", e2);
                success = new Authenticator.Failure(Constants.INTERNAL_SERVER_ERROR);
            }
        }
        return success;
    }

    private Authenticator.Result digestAuth(HttpExchange httpExchange) {
        DigestContext orCreateNegotiationContext = getOrCreateNegotiationContext(httpExchange, this.theNonceFactory, false);
        if (orCreateNegotiationContext.isAuthenticated()) {
            return new Authenticator.Success(orCreateNegotiationContext.getPrincipal());
        }
        Headers requestHeaders = httpExchange.getRequestHeaders();
        if (!requestHeaders.containsKey(Constants.AUTHORIZATION_HEADER)) {
            httpExchange.getResponseHeaders().add(Constants.WWW_AUTHENTICATE_HEADER, "Digest " + createChallenge(orCreateNegotiationContext, this.realmName, false));
            return new Authenticator.Retry(Constants.UNAUTHORIZED);
        }
        String first = requestHeaders.getFirst(Constants.AUTHORIZATION_HEADER);
        if (!first.startsWith("Digest ")) {
            throw HttpServerMessages.MESSAGES.invalidAuthorizationHeader();
        }
        Map<String, String> parseDigestChallenge = parseDigestChallenge(first.substring(CHALLENGE.length() + 1));
        HttpPrincipal validateUser = validateUser(httpExchange, parseDigestChallenge);
        if (validateUser == null) {
            if (parseDigestChallenge.containsKey(NONCE)) {
                orCreateNegotiationContext.useNonce(parseDigestChallenge.get(NONCE));
            }
            httpExchange.getResponseHeaders().add(Constants.WWW_AUTHENTICATE_HEADER, "Digest " + createChallenge(orCreateNegotiationContext, this.realmName, false));
            return new Authenticator.Retry(Constants.UNAUTHORIZED);
        }
        if (orCreateNegotiationContext.useNonce(parseDigestChallenge.get(NONCE))) {
            orCreateNegotiationContext.principal = validateUser;
            return new Authenticator.Success(validateUser);
        }
        httpExchange.getResponseHeaders().add(Constants.WWW_AUTHENTICATE_HEADER, "Digest " + createChallenge(orCreateNegotiationContext, this.realmName, true));
        return new Authenticator.Retry(Constants.UNAUTHORIZED);
    }

    private HttpPrincipal validateUser(HttpExchange httpExchange, Map<String, String> map) {
        byte[] convertToHexBytes;
        String str = map.get(REALM);
        String str2 = map.get(USERNAME);
        if (str == null || str.length() == 0 || str2 == null || str2.length() == 0) {
            return null;
        }
        Callback realmCallback = new RealmCallback("Realm", str);
        Callback nameCallback = new NameCallback("Username", str2);
        DigestHashCallback digestHashCallback = this.preDigested ? new DigestHashCallback("Password Digest") : new PasswordCallback("Password", false);
        try {
            this.callbackHandler.get().handle(new Callback[]{realmCallback, nameCallback, digestHashCallback});
            try {
                MessageDigest messageDigest = MessageDigest.getInstance(MD5);
                if (this.preDigested) {
                    convertToHexBytes = digestHashCallback.getHexHash().getBytes();
                } else {
                    messageDigest.update(map.get(USERNAME).getBytes());
                    messageDigest.update((byte) 58);
                    messageDigest.update(map.get(REALM).getBytes());
                    messageDigest.update((byte) 58);
                    messageDigest.update(new String(((PasswordCallback) digestHashCallback).getPassword()).getBytes());
                    convertToHexBytes = HexConverter.convertToHexBytes(messageDigest.digest());
                }
                messageDigest.update(httpExchange.getRequestMethod().getBytes());
                messageDigest.update((byte) 58);
                messageDigest.update(map.get(URI).getBytes());
                byte[] convertToHexBytes2 = HexConverter.convertToHexBytes(messageDigest.digest());
                messageDigest.update(convertToHexBytes);
                messageDigest.update((byte) 58);
                messageDigest.update(map.get(NONCE).getBytes());
                messageDigest.update((byte) 58);
                messageDigest.update(convertToHexBytes2);
                if (MessageDigest.isEqual(HexConverter.convertToHexBytes(messageDigest.digest()), map.get(RESPONSE).getBytes())) {
                    return new HttpPrincipal(map.get(USERNAME), map.get(REALM));
                }
                return null;
            } catch (NoSuchAlgorithmException e) {
                throw HttpServerMessages.MESSAGES.md5Unavailable(e);
            }
        } catch (Exception e2) {
            if (!HttpServerLogger.ROOT_LOGGER.isDebugEnabled()) {
                return null;
            }
            HttpServerLogger.ROOT_LOGGER.debug("Callback handler failed", e2);
            return null;
        }
    }

    public static String createChallenge(DigestContext digestContext, String str, boolean z) {
        StringBuilder sb = new StringBuilder();
        sb.append("realm=\"").append(str).append("\",");
        sb.append("nonce=\"").append(digestContext.createNonce()).append("\"");
        if (z) {
            sb.append(",stale=true");
        }
        return sb.toString();
    }

    private Map<String, String> parseDigestChallenge(String str) {
        HashMap hashMap = new HashMap();
        HeaderParser headerParser = new HeaderParser(str);
        while (headerParser.hasNext()) {
            HeaderParser.Parameter next = headerParser.next();
            hashMap.put(next.key, next.value);
        }
        return hashMap;
    }

    public static DigestContext getOrCreateNegotiationContext(HttpExchange httpExchange, NonceFactory nonceFactory, boolean z) {
        if (httpExchange.getRequestHeaders().containsKey(Constants.VIA) || z) {
            return new DigestContext(nonceFactory, false);
        }
        DigestContext digestContext = (DigestContext) httpExchange.getAttribute("DIGEST_CONTEXT", HttpExchange.AttributeScope.CONNECTION);
        if (digestContext == null) {
            digestContext = new DigestContext(nonceFactory, USE_CONNECTION_LOCAL_NONCES);
            httpExchange.setAttribute("DIGEST_CONTEXT", digestContext, HttpExchange.AttributeScope.CONNECTION);
        }
        return digestContext;
    }
}
