package org.sonatype.nexus.security.internal;

import java.util.ConcurrentModificationException;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.apache.shiro.authc.AccountException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.DisabledAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authc.credential.PasswordService;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.realm.Realm;
import org.eclipse.sisu.Description;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.sonatype.nexus.security.config.CUser;
import org.sonatype.nexus.security.config.SecurityConfigurationManager;
import org.sonatype.nexus.security.user.UserNotFoundException;

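/**
 * Shiro realm that authenticates username/password tokens against the users held by the
 * {@link SecurityConfigurationManager}.
 *
 * <p>Stored passwords of at most {@link #MAX_LEGACY_PASSWORD_LENGTH} characters are treated as
 * legacy hashes. When a login verifies against such a hash, the submitted password is re-hashed
 * with the injected {@link PasswordService} and written back to the configuration.
 */
@Singleton
@Named(AuthenticatingRealmImpl.NAME)
@Description("Nexus Authenticating Realm")
/* loaded from: input_file:org/sonatype/nexus/security/internal/AuthenticatingRealmImpl.class */
public class AuthenticatingRealmImpl extends AuthenticatingRealm implements Realm {
    private static final Logger logger = LoggerFactory.getLogger(AuthenticatingRealmImpl.class);
    public static final String NAME = "NexusAuthenticatingRealm";

    // Stored passwords no longer than this are treated as legacy hashes.
    // NOTE(review): 40 is presumably the length of a hex-encoded SHA-1 digest; confirm against the legacy hash formats.
    private static final int MAX_LEGACY_PASSWORD_LENGTH = 40;

    // Upper bound on optimistic-update retries, so a login thread cannot spin forever in reHashPassword.
    private static final int MAX_REHASH_ATTEMPTS = 5;

    private final SecurityConfigurationManager configuration;
    private final PasswordService passwordService;

    /**
     * Wires the realm to the user store and installs a {@link PasswordMatcher} backed by the given
     * password service as the credentials matcher.
     *
     * @param securityConfigurationManager source of {@link CUser} records
     * @param passwordService service used to hash and to compare passwords
     */
    @Inject
    public AuthenticatingRealmImpl(SecurityConfigurationManager securityConfigurationManager, PasswordService passwordService) {
        this.configuration = securityConfigurationManager;
        this.passwordService = passwordService;
        PasswordMatcher passwordMatcher = new PasswordMatcher();
        passwordMatcher.setPasswordService(this.passwordService);
        setCredentialsMatcher(passwordMatcher);
        setName(NAME);
        // NOTE(review): with authentication caching on, confirm that cached entries are evicted when a
        // user's password or status changes; no eviction is visible in this class.
        setAuthenticationCachingEnabled(true);
    }

    /**
     * Loads the account named by the token and returns its stored credentials for matching.
     *
     * <p>The account-state checks run before any credential comparison, and each failure has its own
     * message. NOTE(review): if these messages reach an unauthenticated client they reveal whether an
     * account exists or is disabled; confirm the calling layer returns a generic failure.
     *
     * @param authenticationToken the submitted token; cast to {@link UsernamePasswordToken}
     * @return the stored principal and password hash for the account
     * @throws DisabledAccountException if the account status is disabled
     * @throws AccountException if the user cannot be retrieved, has no password, or has any other
     *     non-active status
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) {
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
        String username = usernamePasswordToken.getUsername();
        try {
            CUser readUser = this.configuration.readUser(username);
            if (readUser.getPassword() == null) {
                throw new AccountException("User '" + username + "' has no password, cannot authenticate.");
            }
            if (!CUser.STATUS_ACTIVE.equals(readUser.getStatus())) {
                if (CUser.STATUS_DISABLED.equals(readUser.getStatus())) {
                    throw new DisabledAccountException("User '" + username + "' is disabled.");
                }
                throw new AccountException("User '" + username + "' is in illegal status '" + readUser.getStatus() + "'.");
            }
            // Upgrade a legacy hash only after the submitted password has been verified against it,
            // so an unverified login attempt can never overwrite the stored credential.
            char[] submittedPassword = usernamePasswordToken.getPassword();
            if (submittedPassword != null && hasLegacyPassword(readUser) && isValidCredentials(usernamePasswordToken, readUser)) {
                // The plaintext is copied into an immutable String here and cannot be wiped afterwards.
                reHashPassword(readUser, new String(submittedPassword));
            }
            return createAuthenticationInfo(readUser);
        } catch (UserNotFoundException e) {
            throw new AccountException("User '" + username + "' cannot be retrieved.", e);
        }
    }

    /**
     * Replaces the stored legacy hash of {@code cUser} with a fresh hash of {@code str}.
     *
     * <p>This is best effort: on failure the error is logged, the stored hash is left as it was, and
     * the login continues against the legacy hash. The user is re-read before every attempt and that
     * fresh copy is the one written back, so a retry after a concurrent modification is not repeated
     * against the same stale record.
     *
     * @param cUser the user whose password is upgraded; its in-memory password is updated on success
     * @param str the plaintext password that was just verified
     */
    private void reHashPassword(CUser cUser, String str) {
        String encryptPassword = this.passwordService.encryptPassword(str);
        for (int attempt = 1; attempt <= MAX_REHASH_ATTEMPTS; attempt++) {
            try {
                CUser current = this.configuration.readUser(cUser.getId());
                current.setPassword(encryptPassword);
                this.configuration.updateUser(current);
                // Keep the caller's copy in step so the matcher compares against the new hash.
                cUser.setPassword(encryptPassword);
                return;
            } catch (ConcurrentModificationException e) {
                logger.debug("Could not re-hash user '{}' password as user was concurrently being updated. Retrying...", cUser.getId());
            } catch (Exception e) {
                logger.error("Unable to update hash for user {}", cUser.getId(), e);
                return;
            }
        }
        logger.warn("Giving up re-hashing password for user '{}' after {} concurrent update conflicts", cUser.getId(), MAX_REHASH_ATTEMPTS);
    }

    /**
     * Checks the submitted token against the stored credentials of {@code cUser} using the realm's
     * credentials matcher.
     *
     * @return {@code true} only if a matcher is configured and it accepts the token
     */
    private boolean isValidCredentials(UsernamePasswordToken usernamePasswordToken, CUser cUser) {
        CredentialsMatcher credentialsMatcher = getCredentialsMatcher();
        return credentialsMatcher != null
                && credentialsMatcher.doCredentialsMatch(usernamePasswordToken, createAuthenticationInfo(cUser));
    }

    /**
     * Reports whether the stored password is short enough to count as a legacy hash.
     * Callers must have checked that the password is non-null.
     */
    private boolean hasLegacyPassword(CUser cUser) {
        return cUser.getPassword().length() <= MAX_LEGACY_PASSWORD_LENGTH;
    }

    /**
     * Builds the authentication info Shiro matches against: the user id as principal, the stored
     * password as credentials, and this realm's name.
     */
    private AuthenticationInfo createAuthenticationInfo(CUser cUser) {
        return new SimpleAuthenticationInfo(cUser.getId(), cUser.getPassword().toCharArray(), getName());
    }
}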
