package com.apusic.security;

import com.apusic.logging.Logger;
import com.apusic.net.Muxer;
import com.apusic.security.auth.login.PasswordCredential;
import com.apusic.security.realm.SecurityRealm;
import com.apusic.server.VMOptions;
import java.io.IOException;
import java.net.Socket;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.x500.X500Principal;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/apusic/security/ServerAuthenticator.class */
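/**
 * Server side of the authentication handshake run by {@link MasterSecurityController}.
 *
 * <p>{@link #service()} reads one tag byte from the peer and dispatches to the matching handshake
 * (password challenge/response, Kerberos, certificate path, single sign-on, or realm-verified
 * password). Each handshake ends by either returning an access token from
 * {@code msc.createAccessToken(...)} or throwing an {@link AuthenticationException}; both are
 * written back to the peer under the result tag. {@link #localPasswordAuthenticate} is the same
 * password logic for an in-process caller that has no socket.
 *
 * <p>The stream accessors ({@code in}, {@code out}, {@code socket}, {@code readUTF()},
 * {@code readBytes()}, {@code writeBytes()}, {@code writeUTF()}, {@code readObject()},
 * {@code writeObject()}) and {@code computeDigest()} are inherited from {@link Authenticator} and
 * are not visible in this file.
 *
 * <p>Thread-safety: {@code userCache} is shared by every instance and is a
 * {@link ConcurrentHashMap}; the {@link User} objects stored in it are mutated without further
 * locking, as in the original.
 */
public final class ServerAuthenticator extends Authenticator {

    // Tag bytes read from / written to the peer. The names are local to this file; the values are
    // exactly the ones the handshake code reads and writes.
    private static final byte MSG_PASSWORD_DIGEST = 1; // client: challenge/response password logon
    private static final byte MSG_PASSWORD_STEP = 2;   // server: challenge follows; client: response follows
    private static final byte MSG_RESULT = 3;          // server: access token or exception object follows
    private static final byte MSG_KRB5 = 4;            // client: Kerberos logon; server: service principal follows
    private static final byte MSG_KRB5_TOKEN = 5;      // either side: a GSS token follows
    private static final byte MSG_CERTIFICATE = 6;     // client: certificate-path logon
    private static final byte MSG_SSO = 7;             // client: single-sign-on logon
    private static final byte MSG_PASSWORD_PLAIN = 8;  // client: realm-verified password logon

    /** Length of the password challenge in bytes. */
    private static final int CHALLENGE_LENGTH = 32;

    /** Separator between user and realm in a {@code user@realm} account string. */
    private static final char REALM_SEPARATOR = '@';

    /** Trust manager used when the muxer supplies no X.509 trust manager: rejects every chain. */
    private static final X509TrustManager REJECT_ALL = new X509TrustManager() {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException();
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException();
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    };

    protected MasterSecurityController msc;
    protected Logger log;

    // Users with recent failed logons, keyed by the account string the caller presented. An entry
    // is added when a password check fails and removed by the next successful logon; the cached
    // object carries the failure counters consulted by isRejectedUser().
    private static final ConcurrentHashMap<String, User> userCache = new ConcurrentHashMap<>(30);

    /**
     * Creates an authenticator without a peer socket, for {@link #localPasswordAuthenticate}.
     *
     * @param masterSecurityController controller that issues access tokens
     * @param logger                   audit logger for logon events
     */
    public ServerAuthenticator(MasterSecurityController masterSecurityController, Logger logger) {
        this.msc = masterSecurityController;
        this.log = logger;
    }

    /**
     * Creates an authenticator bound to a peer socket, for {@link #service()}.
     *
     * @param masterSecurityControllerImpl controller that issues access tokens
     * @param logger                       audit logger for logon events
     * @param socket                       connection to the peer being authenticated
     * @throws IOException if the inherited stream setup fails
     */
    public ServerAuthenticator(MasterSecurityControllerImpl masterSecurityControllerImpl, Logger logger, Socket socket) throws IOException {
        super(socket);
        this.msc = masterSecurityControllerImpl;
        this.log = logger;
    }

    /**
     * Returns the peer's IP address as text, for audit lines and access tokens.
     * Only valid on an instance built with a socket.
     */
    String getClientHost() {
        return this.socket.getInetAddress().getHostAddress();
    }

    /**
     * Runs one authentication exchange with the peer.
     *
     * <p>The first byte selects the handshake. A handshake that returns {@code null} has already
     * answered the peer itself; any other result, including an {@link AuthenticationException},
     * is written back under {@link #MSG_RESULT}. Note that the exception object (and so its
     * message text) is what the peer receives.
     *
     * @return nothing; the outcome is written to the peer
     * @throws IOException if the peer breaks the protocol
     * @throws Exception   for any other failure of a handshake
     */
    public void service() throws Exception {
        Object reply;
        try {
            byte tag = this.in.readByte();
            switch (tag) {
                case MSG_PASSWORD_DIGEST:
                    reply = servicePasswordAuthenticate();
                    break;
                case MSG_KRB5:
                    reply = serviceKrb5Authenticate();
                    break;
                case MSG_CERTIFICATE:
                    reply = serviceCertificateAuthenticate();
                    break;
                case MSG_SSO:
                    reply = serviceSSOAuthenticate();
                    break;
                case MSG_PASSWORD_PLAIN:
                    reply = servicePasswordAuthenticate2();
                    break;
                default:
                    // MSG_PASSWORD_STEP, MSG_RESULT and MSG_KRB5_TOKEN are only valid inside a
                    // handshake, never as its opening byte.
                    throw new IOException("protocol problem");
            }
        } catch (AuthenticationException e) {
            // Authentication failures are reported to the peer, not propagated.
            reply = e;
        }
        if (reply != null) {
            this.out.writeByte(MSG_RESULT);
            writeObject(reply);
            this.out.flush();
        }
    }

    /** Part of {@code account} before the last {@code '@'}; the whole string when there is none. */
    private static String userPart(String account) {
        int sep = account.lastIndexOf(REALM_SEPARATOR);
        return sep < 0 ? account : account.substring(0, sep);
    }

    /** Part of {@code account} after the last {@code '@'}; {@code null} when there is none. */
    private static String realmPart(String account) {
        int sep = account.lastIndexOf(REALM_SEPARATOR);
        return sep < 0 ? null : account.substring(sep + 1);
    }

    /** Realm used when the account names none: the current realm, else the default realm. */
    private static String fallbackRealmName() {
        String realmName = Security.getCurrentRealm();
        return realmName != null ? realmName : Security.getDefaultRealm();
    }

    /**
     * Single-sign-on logon: the peer sends a {@code user@realm} account string.
     *
     * <p>NOTE(review): no credential is verified on this path; the account string the peer sent
     * is turned directly into an access token. That is only sound if this service is reachable
     * solely over a channel that has already authenticated the peer — confirm against the
     * {@link MasterSecurityController} / muxer configuration, which is not visible here.
     *
     * @return the access token for the named user
     * @throws IOException if the account string names no realm (previously an index error)
     */
    private Object serviceSSOAuthenticate() throws Exception {
        String account = readUTF();
        String clientHost = getClientHost();
        String realmName = realmPart(account);
        if (realmName == null) {
            throw new IOException("protocol problem");
        }
        String userName = userPart(account);
        PrincipalImpl principal = new PrincipalImpl(userName, realmName);
        this.log.notice(userName + ": LOGON FROM " + clientHost);
        // The full account string (not just the user part) is what the token is created for,
        // unlike the password paths; kept as in the original.
        return this.msc.createAccessToken(account, principal, clientHost);
    }

    /**
     * Challenge/response password logon.
     *
     * <p>Flow: resolve user and realm, apply lockout/disabled checks, send a fresh challenge,
     * read the peer's digest, compare it in constant time with the digest computed from the
     * stored password, then apply the credential-expiry rule and issue a token.
     *
     * @return the access token for the authenticated user
     * @throws IOException             if the peer breaks the protocol
     * @throws AuthenticationException on an unknown realm/user, lockout, disabled account,
     *                                 wrong response or expired credential
     */
    private Object servicePasswordAuthenticate() throws Exception, AuthenticationException {
        String account = readUTF();
        String clientHost = getClientHost();
        String userName = userPart(account);
        String realmName = realmPart(account);
        if (realmName == null) {
            realmName = fallbackRealmName();
        }
        PrincipalImpl principal = new PrincipalImpl(userName, realmName);
        SecurityRealm realm = SecurityRealm.getRealm(realmName);
        if (realm == null) {
            throw new FailedAuthenticationException("Invalid realm");
        }
        User user = lookupUser(realm, realmName, userName, account, clientHost);

        byte[] challenge = newChallenge();
        this.out.writeByte(MSG_PASSWORD_STEP);
        writeBytes(challenge);
        this.out.flush();
        if (this.in.readByte() != MSG_PASSWORD_STEP) {
            throw new IOException("protocol problem");
        }
        byte[] response = readBytes();
        Password password = user.getPassword();
        byte[] expected = computeDigest(account, password.getBytes(), challenge);
        // Constant-time comparison so the check does not reveal how many leading bytes matched.
        if (!MessageDigest.isEqual(response, expected)) {
            recordFailedLogon(user, userName, account, clientHost);
            throw new FailedAuthenticationException();
        }
        rejectIfExpired(password, userName, account);
        recordSuccessfulLogon(user, account);
        this.log.notice(userName + "[realm:" + realmName + "] : LOGON FROM " + clientHost);
        return this.msc.createAccessToken(userName, principal, clientHost);
    }

    /**
     * Builds the password challenge: {@value #CHALLENGE_LENGTH} bytes from the controller's
     * {@code SecureRandom}, with the first four bytes overwritten by the current Unix time
     * (big-endian seconds). The time stamp is presumably there so the peer/verifier can bound a
     * challenge's age; only the remaining bytes are random.
     */
    private byte[] newChallenge() {
        byte[] challenge = new byte[CHALLENGE_LENGTH];
        this.msc.getSecureRandom().nextBytes(challenge);
        int seconds = (int) (System.currentTimeMillis() / 1000);
        challenge[0] = (byte) (seconds >> 24);
        challenge[1] = (byte) (seconds >> 16);
        challenge[2] = (byte) (seconds >> 8);
        challenge[3] = (byte) seconds;
        return challenge;
    }

    /**
     * Loads the user from the realm and applies the lockout and disabled-account rules.
     *
     * @param realm      realm to look the user up in
     * @param realmName  realm name, for the audit line
     * @param userName   user name to look up
     * @param account    key into {@code userCache} (the account string as presented)
     * @param clientHost peer address for the audit lines
     * @return the user to authenticate — the cached copy with its failure counters when one exists
     * @throws AuthenticationException if the user is unknown, of an unsupported type, locked out
     *                                 or disabled
     */
    private User lookupUser(SecurityRealm realm, String realmName, String userName, String account,
                            String clientHost) throws AuthenticationException {
        Object found = realm.findUser(userName);
        if (found == null) {
            this.log.notice(userName + ": FAILED LOGON FROM " + clientHost);
            throw new FailedAuthenticationException();
        }
        if (!(found instanceof User)) {
            this.log.notice("Not supported authentication provider.Realm[" + realmName + "]");
            throw new FailedAuthenticationException();
        }
        User user = userCache.get(account);
        if (user != null && isRejectedUser(user)) {
            this.log.notice(userName + " has had " + VMOptions.lockoutThreshold()
                    + " invalid login attempts, locking account for " + VMOptions.lockoutDuration() + " minutes.");
            user.setLocking(true);
            throw new FailedAuthenticationException();
        }
        if (user == null) {
            user = (User) found;
        }
        if (user.isDisabled()) {
            this.log.notice(userName + ": LOGON DISABLED FROM " + clientHost);
            throw new AccountDisabledException();
        }
        return user;
    }

    /** Records a wrong credential: audit line, failure counter, and the user goes into the cache. */
    private void recordFailedLogon(User user, String userName, String account, String clientHost) {
        this.log.notice(userName + ": FAILED LOGON FROM " + clientHost);
        user.LoginFail();
        userCache.put(account, user);
    }

    /** Clears the lock flag and drops the cached failure record after a successful logon. */
    private static void recordSuccessfulLogon(User user, String account) {
        user.setLocking(false);
        userCache.remove(account);
    }

    /**
     * Applies the credential-expiry rule: an expired password is logged and rejected, except for
     * the administrator account, which is let through (kept as in the original).
     *
     * @throws AuthenticationException ({@link CredentialExpiredException}) when expired
     */
    private void rejectIfExpired(Password password, String userName, String account) throws AuthenticationException {
        // isExpired(Long.MAX_VALUE) is project API; presumably "expired as of any point in time" — confirm.
        if (password.isExpired(Long.MAX_VALUE)) {
            this.log.notice(userName + ": Credential expired");
            if (!account.equals(Security.ADMIN.getName())) {
                throw new CredentialExpiredException();
            }
        }
    }

    /**
     * Password logon for an in-process caller; the realm verifies the credential.
     *
     * <p>There is no socket on this path, so the resolved user name stands in for the client host
     * in the audit lines and in the token, as in the original. Unlike
     * {@link #servicePasswordAuthenticate()}, the realm's credential check runs before the
     * lockout check, because the looked-up name comes from the authenticated principal.
     *
     * @param cArr               account string as characters, optionally {@code user@realm}
     * @param passwordCredential credential to verify; its realm, when set, wins over the account's
     * @return the access token for the authenticated user
     * @throws AuthenticationException on any failure, including an unknown realm
     */
    public Object localPasswordAuthenticate(char[] cArr, PasswordCredential passwordCredential) throws AuthenticationException {
        String account = new String(cArr);
        String userName = userPart(account);
        String realmName = passwordCredential.getRealm();
        if (realmName == null) {
            realmName = realmPart(account);
        }
        if (realmName == null || realmName.isEmpty()) {
            realmName = Security.getCurrentRealm();
        }
        if (realmName == null || realmName.isEmpty()) {
            realmName = Security.getDefaultRealm();
        }
        SecurityRealm realm = SecurityRealm.getRealm(realmName);
        if (realm == null) {
            // Previously an unknown realm surfaced as a NullPointerException on the next line.
            throw new FailedAuthenticationException("Invalid realm");
        }
        Principal authenticated = realm.authenticate(userName, passwordCredential);
        String name = authenticated != null ? authenticated.getName() : userName;
        User user = lookupUser(realm, realmName, name, account, name);
        if (authenticated == null) {
            recordFailedLogon(user, name, account, name);
            throw new FailedAuthenticationException();
        }
        rejectIfExpired(user.getPassword(), name, account);
        recordSuccessfulLogon(user, account);
        this.log.notice(name + "[realm:" + realmName + "] : LOGON FROM " + name);
        try {
            return this.msc.createAccessToken(name, authenticated, name);
        } catch (Exception e) {
            // The caller only sees a generic failure; keep the cause in the log for diagnosis.
            this.log.debug("createAccessToken failed for " + name + ": " + e);
            throw new FailedAuthenticationException();
        }
    }

    /**
     * Realm-verified password logon: the peer sends the password in clear in the next UTF frame
     * and the realm checks it.
     *
     * <p>NOTE(review): this path applies neither the lockout nor the disabled-account rules that
     * {@link #servicePasswordAuthenticate()} applies; the realm is relied on for them — confirm.
     *
     * @return the access token for the authenticated user
     * @throws IOException             if the exchange fails at the protocol level
     * @throws AuthenticationException on an unknown realm or rejected credential
     */
    private Object servicePasswordAuthenticate2() throws Exception, AuthenticationException {
        String account = readUTF();
        String clientHost = getClientHost();
        String userName = userPart(account);
        String realmName = realmPart(account);
        if (realmName == null) {
            // Same fallback as servicePasswordAuthenticate(); the original stopped at the current realm.
            realmName = fallbackRealmName();
        }
        SecurityRealm realm = SecurityRealm.getRealm(realmName);
        if (realm == null) {
            throw new FailedAuthenticationException("Invalid realm");
        }
        try {
            this.out.writeByte(MSG_PASSWORD_STEP);
            this.out.flush();
            char[] secret = readUTF().toCharArray();
            Principal authenticated = realm.authenticate(userName, new PasswordCredential(userName, secret));
            if (authenticated == null) {
                this.log.notice(userName + ": FAILED LOGON FROM " + clientHost);
                throw new FailedAuthenticationException();
            }
            this.log.notice(userName + "[realm:" + realmName + "] : LOGON FROM " + clientHost);
            return this.msc.createAccessToken(userName, authenticated, clientHost);
        } catch (IOException e) {
            throw new IOException("protocol problem", e);
        }
    }

    /**
     * Certificate-path logon: the peer sends a serialized {@link CertPath}; its first
     * certificate is the end entity and is checked against the muxer's X.509 trust manager.
     *
     * <p>NOTE(review): the path arrives through the inherited {@code readObject()}, i.e.
     * Java-native deserialization of peer-supplied data. Whether that reader restricts the
     * classes it resolves (an {@code ObjectInputFilter} or equivalent) is not visible here and
     * should be confirmed in {@link Authenticator}.
     *
     * @return the access token for the certificate's subject
     * @throws IOException             if the object is missing a class or is not a certificate path
     * @throws AuthenticationException if the path is empty, not X.509, or not trusted
     */
    private Object serviceCertificateAuthenticate() throws Exception, AuthenticationException {
        String clientHost = getClientHost();
        Object received;
        try {
            received = readObject();
        } catch (ClassNotFoundException e) {
            throw new IOException("unexpected error: " + e, e);
        }
        if (!(received instanceof CertPath)) {
            // Previously a ClassCastException.
            throw new IOException("protocol problem");
        }
        List<? extends Certificate> certificates = ((CertPath) received).getCertificates();
        if (certificates.isEmpty()) {
            // Previously an ArrayIndexOutOfBoundsException on the end-entity lookup below.
            throw new FailedAuthenticationException("Empty certificate path");
        }
        X509Certificate[] chain = new X509Certificate[certificates.size()];
        for (int i = 0; i < chain.length; i++) {
            Certificate certificate = certificates.get(i);
            if (!(certificate instanceof X509Certificate)) {
                // Previously an ArrayStoreException from toArray().
                throw new FailedAuthenticationException("Unsupported certificate type");
            }
            chain[i] = (X509Certificate) certificate;
        }
        // getSubjectDN() is deprecated in newer JDKs; kept because its string form feeds both the
        // display name and the X500Principal below, and getSubjectX500Principal().getName() may
        // format the DN differently.
        String subject = chain[0].getSubjectDN().getName();
        String displayName = commonNameOf(subject);
        X500Principal principal = new X500Principal(subject);
        if (!verifyCertPath(chain)) {
            this.log.notice(displayName + ": FAILED LOGON FROM " + clientHost);
            throw new FailedAuthenticationException();
        }
        this.log.notice(displayName + ": LOGON FROM " + clientHost);
        return this.msc.createAccessToken(displayName, principal, clientHost);
    }

    /**
     * Extracts the value of the first {@code CN=} attribute of a DN string for use as the token's
     * user name.
     *
     * <p>The original guard {@code indexOf("CN=") + 3 < 0} could never be true, so a DN without a
     * {@code CN=} was sliced from offset 2; such a DN now yields the whole string. As in the
     * original, a DN whose {@code CN} is the last attribute (no following comma) also yields the
     * whole string — that quirk is preserved because the result is the identity the token is
     * issued for.
     */
    private static String commonNameOf(String dn) {
        int start = dn.indexOf("CN=");
        if (start < 0) {
            return dn;
        }
        start += 3;
        int end = dn.indexOf(',', start);
        if (end < 0) {
            return dn;
        }
        return dn.substring(start, end).trim();
    }

    /**
     * Asks the muxer's X.509 trust manager whether the client chain is trusted.
     *
     * @param chain end-entity certificate first
     * @return {@code true} when trusted; {@code false} (with a debug line) when rejected
     */
    private boolean verifyCertPath(X509Certificate[] chain) {
        try {
            // The public-key algorithm is what the original passes as authType; kept as is.
            getTrustManager().checkClientTrusted(chain, chain[0].getPublicKey().getAlgorithm());
            return true;
        } catch (CertificateException e) {
            this.log.debug("Client certificate path rejected: " + e);
            return false;
        }
    }

    /**
     * Returns the first {@link X509TrustManager} configured on the muxer, or {@link #REJECT_ALL}
     * when there is none, so that a missing trust store fails closed.
     */
    private X509TrustManager getTrustManager() {
        TrustManager[] managers = Muxer.getMuxer().getTrustManagerFactory().getTrustManagers();
        if (managers != null) {
            for (TrustManager manager : managers) {
                if (manager instanceof X509TrustManager) {
                    return (X509TrustManager) manager;
                }
            }
        }
        return REJECT_ALL;
    }

    /**
     * Kerberos (GSS-API) logon. The server first announces its service principal; when it has
     * none the exchange ends there and the peer has been answered. Otherwise GSS tokens are
     * relayed under {@link #MSG_KRB5_TOKEN} until the context is established, and the initiator's
     * name becomes the token's principal.
     *
     * <p>The GSS context is disposed on every exit path; the original disposed it only on
     * success (its failure branch was guarded by an always-false condition).
     *
     * @return the access token, or {@code null} when no Kerberos principal is configured
     * @throws IOException             if the peer breaks the protocol
     * @throws AuthenticationException if context establishment fails
     */
    private Object serviceKrb5Authenticate() throws Exception, AuthenticationException {
        String krb5Principal = this.msc.getKrb5Principal();
        this.out.writeByte(MSG_KRB5);
        writeUTF(krb5Principal);
        this.out.flush();
        if (krb5Principal == null) {
            return null;
        }
        GSSCredential krb5Credential = this.msc.getKrb5Credential();
        String clientHost = getClientHost();
        GSSContext context = null;
        try {
            context = GSSManager.getInstance().createContext(krb5Credential);
            while (!context.isEstablished()) {
                if (this.in.readByte() != MSG_KRB5_TOKEN) {
                    throw new IOException("protocol problem");
                }
                byte[] inputToken = readBytes();
                this.log.debug("Read input token of size " + inputToken.length + " for processing by acceptSecContext");
                byte[] outputToken = context.acceptSecContext(inputToken, 0, inputToken.length);
                if (outputToken != null) {
                    this.log.debug("Send token of size " + outputToken.length + " from acceptSecContext");
                    this.out.writeByte(MSG_KRB5_TOKEN);
                    writeBytes(outputToken);
                    this.out.flush();
                }
            }
            this.log.debug("Context established! Client is " + context.getSrcName() + " Server is " + context.getTargName());
            String gssName = context.getSrcName().toString();
            Principal kerberosPrincipal = new KerberosPrincipal(gssName);
            this.log.notice(gssName + ": LOGON FROM " + clientHost);
            return this.msc.createAccessToken(gssName, kerberosPrincipal, clientHost);
        } catch (GSSException e) {
            throw new FailedAuthenticationException(e.getMessage());
        } finally {
            disposeQuietly(context);
        }
    }

    /** Releases a GSS context; disposal errors are deliberately ignored, as in the original. */
    private static void disposeQuietly(GSSContext context) {
        if (context == null) {
            return;
        }
        try {
            context.dispose();
        } catch (GSSException ignored) {
            // best-effort cleanup; nothing useful to do with a failed dispose
        }
    }

    /**
     * Lockout rule, evaluated against the user's failure counters.
     *
     * <ul>
     *   <li>Lockout disabled in {@link VMOptions}: never rejected.</li>
     *   <li>User already locked: rejected until {@code lockoutDuration} minutes have passed since
     *       the first failure, at which point the lock is cleared.</li>
     *   <li>Failure count at or above {@code lockoutThreshold}: rejected while still inside the
     *       {@code lockoutResetDuration} window; otherwise the counters are reset.</li>
     * </ul>
     *
     * <p>Side effects: may clear the lock flag or reset the counters on {@code user}. The
     * minute-to-millisecond products are computed in {@code long}; the original used {@code int}
     * arithmetic, which overflows for durations above about 35,791 minutes.
     *
     * @param user the cached user with its failure counters
     * @return {@code true} when the logon attempt must be refused before the credential is checked
     */
    private boolean isRejectedUser(User user) {
        if (!VMOptions.isLockoutEnable()) {
            return false;
        }
        long sinceFirstFailureMs = System.currentTimeMillis() - user.getFirstTimeOfLoginFail();
        long lockoutMs = VMOptions.lockoutDuration() * 60L * 1000L;
        long resetWindowMs = VMOptions.lockoutResetDuration() * 60L * 1000L;
        if (user.isLocking()) {
            if (sinceFirstFailureMs > lockoutMs) {
                user.setLocking(false);
                return false;
            }
            return true;
        }
        if (user.getLoginFailCount() >= VMOptions.lockoutThreshold()) {
            if (sinceFirstFailureMs < resetWindowMs) {
                return true;
            }
            user.resetDuaration(); // project API name (sic)
        }
        return false;
    }
}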
