package com.caucho.hemp.servlet;

import com.caucho.bam.NotAuthorizedException;
import com.caucho.cloud.security.SecurityService;
import com.caucho.config.Admin;
import com.caucho.config.inject.InjectManager;
import com.caucho.hmtp.NonceQuery;
import com.caucho.hmtp.SignedCredentials;
import com.caucho.security.Authenticator;
import com.caucho.security.BasicPrincipal;
import com.caucho.security.DigestCredentials;
import com.caucho.security.PasswordCredentials;
import com.caucho.util.CurrentTime;
import com.caucho.util.L10N;
import com.caucho.util.LruCache;
import java.lang.annotation.Annotation;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.enterprise.util.AnnotationLiteral;
import oracle.security.pki.PKIConstants;

/* loaded from: input_file:BOOT-INF/lib/resin-4.0.65.jar:com/caucho/hemp/servlet/ServerAuthManager.class */
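/**
 * Checks credentials presented to the HMTP servlet layer.
 *
 * <p>Three credential shapes are accepted by {@link #authenticate}:
 * {@link SignedCredentials} (verified against a signature produced by the
 * {@link SecurityService}), {@link DigestCredentials} and a plain
 * {@code String} password (both delegated to the configured
 * {@link Authenticator}).
 *
 * <p>This listing is decompiler output; parameter names such as {@code str}
 * and {@code obj} are synthetic and are kept so the signatures stay unchanged.
 */
public class ServerAuthManager {
    private static final Logger log = Logger.getLogger(ServerAuthManager.class.getName());
    private static final L10N L = new L10N(ServerAuthManager.class);

    // Authenticator resolved in the constructor; may stay null, in which case
    // getAuth() falls back to the SecurityService's authenticator.
    private Authenticator _auth;

    // NOTE(review): never assigned anywhere in this class, so decryptKey()
    // cannot succeed unless something outside this listing sets it - confirm.
    private KeyPair _authKeyPair;

    // When false, a missing authenticator / missing system key is tolerated
    // (see authenticate()). Defaults to the fail-closed setting.
    private boolean _isAuthenticationRequired = true;

    // NOTE(review): never read or written in this class, so nonces are not
    // tracked here; do not assume replay protection from this field.
    private LruCache<String, String> _nonceMap = new LruCache<>(4096);

    private SecurityService _security = SecurityService.getCurrent();

    /**
     * Resolves the {@link Authenticator}: first the one qualified with
     * {@link Admin}, then, if that lookup yields {@code null}, the unqualified one.
     */
    public ServerAuthManager() {
        InjectManager current = InjectManager.getCurrent();
        this._auth = (Authenticator) current.getReference(Authenticator.class, new AnnotationLiteral<Admin>() { // from class: com.caucho.hemp.servlet.ServerAuthManager.1
        });
        if (this._auth == null) {
            this._auth = (Authenticator) current.getReference(Authenticator.class, new Annotation[0]);
        }
    }

    /**
     * Sets whether authentication is mandatory.
     *
     * @param z {@code false} lets {@link #authenticate} accept non-signed
     *          credentials when no authenticator is available, and lets signed
     *          credentials without a uid proceed to signature verification even
     *          when no system key is configured
     */
    public void setAuthenticationRequired(boolean z) {
        this._isAuthenticationRequired = z;
    }

    /**
     * Returns the authenticator found at construction time, or the
     * {@link SecurityService}'s authenticator when none was found.
     */
    public Authenticator getAuth() {
        return this._auth != null ? this._auth : this._security.getAuthenticator();
    }

    /** Returns whether the {@link SecurityService} reports a system auth key. */
    public boolean isClusterSystemKey() {
        return this._security.isSystemAuthKey();
    }

    /**
     * Unwraps a secret key with this manager's private key.
     *
     * @param str  algorithm name of the wrapped key, passed to {@link Cipher#unwrap}
     * @param bArr the wrapped key bytes
     * @return the unwrapped secret key
     * @throws IllegalStateException if no key pair is available
     * @throws RuntimeException wrapping any failure raised by the cipher
     */
    public Key decryptKey(String str, byte[] bArr) {
        // The original dereferenced the field directly and surfaced a wrapped
        // NullPointerException; fail with an explicit message instead.
        if (this._authKeyPair == null) {
            throw new IllegalStateException("auth key pair is not initialized");
        }
        try {
            // NOTE(review): PKIConstants.RSA is presumably the literal "RSA"
            // substituted by the decompiler - confirm. An algorithm-only
            // transformation leaves mode and padding to the provider default;
            // naming an OAEP transformation explicitly is preferable if both
            // ends of the exchange can be changed together.
            Cipher cipher = Cipher.getInstance(PKIConstants.RSA);
            cipher.init(Cipher.UNWRAP_MODE, this._authKeyPair.getPrivate());
            return cipher.unwrap(bArr, str, Cipher.SECRET_KEY);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Verifies the presented credentials and returns normally on success.
     *
     * @param str  user id; used as the principal name for password credentials
     *             and in error messages
     * @param obj  the credentials: {@link SignedCredentials},
     *             {@link DigestCredentials} or a {@code String} password
     * @param str2 not used by this method
     * @throws NotAuthorizedException if the credentials are rejected, are of an
     *         unknown type, or no authenticator is available while
     *         authentication is required
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public void authenticate(String str, Object obj, String str2) {
        Authenticator auth = getAuth();
        if (obj instanceof SignedCredentials) {
            authenticateSigned((SignedCredentials) obj);
            return;
        }
        if (auth == null) {
            if (!this._isAuthenticationRequired) {
                // Fail-open by configuration: with authentication not required
                // and no authenticator, non-signed credentials are accepted.
                return;
            }
            log.finer("Authentication failed because no authenticator configured");
            // Report the user id, not the credential object: obj may be the
            // plaintext password String and must not end up in an error message.
            throw new NotAuthorizedException(L.l("'{0}' has missing authenticator", str));
        }
        if (obj instanceof DigestCredentials) {
            DigestCredentials digestCredentials = (DigestCredentials) obj;
            if (auth.authenticate(new BasicPrincipal(digestCredentials.getUserName()), digestCredentials, null) == null) {
                throw new NotAuthorizedException(L.l("'{0}' has invalid digest credentials", digestCredentials.getUserName()));
            }
            return;
        }
        if (!(obj instanceof String)) {
            // Name the type only; the object's toString() may carry secret material.
            String credentialType = obj == null ? "null" : obj.getClass().getName();
            throw new NotAuthorizedException(L.l("'{0}' is an unknown credential", credentialType));
        }
        if (auth.authenticate(new BasicPrincipal(str), new PasswordCredentials((String) obj), null) == null) {
            throw new NotAuthorizedException(L.l("'{0}' has invalid password credentials", str));
        }
    }

    // Verifies signed credentials against the signature the SecurityService
    // computes for the same uid and nonce.
    private void authenticateSigned(SignedCredentials signedCredentials) {
        String uid = signedCredentials.getUid();
        String nonce = signedCredentials.getNonce();
        String signature = signedCredentials.getSignature();
        boolean hasUid = uid != null && !uid.equals("");
        if (!hasUid && !this._security.isSystemAuthKey() && this._isAuthenticationRequired) {
            log.info("Authentication failed because cluster-system-key is not configured");
            throw new NotAuthorizedException(L.l("No user and password credentials were presented and cluster-system-key is not configured"));
        }
        // NOTE(review): the nonce is signed but not checked for reuse in this
        // class - confirm replay handling happens elsewhere.
        String expected = this._security.signSystem(uid, nonce);
        if (!signaturesMatch(expected, signature)) {
            throw new NotAuthorizedException(L.l("'{0}' has invalid credentials", uid));
        }
    }

    // Compares two signatures over their UTF-8 encoding with
    // MessageDigest.isEqual so the comparison time does not depend on how many
    // leading characters match. A missing value on either side never matches.
    private static boolean signaturesMatch(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            presented.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Builds the reply to a nonce request.
     *
     * <p>The reply carries the algorithm reported by the
     * {@link SecurityService} for the uid, the uid, the current time as a
     * string, and the service's signature over the uid and the nonce supplied
     * in {@code nonceQuery}.
     *
     * @param nonceQuery the incoming request
     * @return the reply
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public NonceQuery generateNonce(NonceQuery nonceQuery) {
        String uid = nonceQuery.getUid();
        String algorithm = this._security.getAlgorithm(uid);
        // NOTE(review): this value is a timestamp, so it is predictable and can
        // repeat within the clock's granularity; if it is meant to serve as the
        // server nonce, a SecureRandom value would be the safer source - confirm
        // against the protocol before changing.
        String timestamp = String.valueOf(CurrentTime.getCurrentTime());
        String signature = this._security.signSystem(uid, nonceQuery.getNonce());
        return new NonceQuery(algorithm, uid, timestamp, signature);
    }

    @Override
    public String toString() {
        return getClass().getSimpleName() + "[" + getAuth() + "]";
    }
}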
