package org.apache.qpid.server.security.auth.manager;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.Container;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.NamedAddressSpace;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.sasl.PasswordSource;
import org.apache.qpid.server.security.auth.sasl.SaslNegotiator;
import org.apache.qpid.server.security.auth.sasl.SaslSettings;
import org.apache.qpid.server.security.auth.sasl.crammd5.CramMd5Base64HashedNegotiator;
import org.apache.qpid.server.security.auth.sasl.crammd5.CramMd5Base64HexNegotiator;
import org.apache.qpid.server.security.auth.sasl.crammd5.CramMd5Negotiator;
import org.apache.qpid.server.security.auth.sasl.plain.PlainNegotiator;
import org.apache.qpid.server.security.auth.sasl.scram.ScramNegotiator;
import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSource;
import org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSourceAdapter;
import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/security/auth/manager/CompositeUsernamePasswordAuthenticationManagerImpl.class */
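/**
 * Authentication manager that checks a username/password against an ordered set of other
 * providers, which are configured by name in the {@code delegates} attribute.
 *
 * <p>The SASL mechanisms it advertises are those common to every delegate, minus any mechanism
 * that a delegate disables. Its secure-only and disabled lists are the union of its own lists
 * and the delegates' lists (see {@link #postResolveChildren()}).
 *
 * <p>Thread-safety is not established by this class: the mechanism lists and lookup maps are
 * plain collections filled in {@link #postResolveChildren()} and {@link #onOpen()}.
 * NOTE(review): presumably both run before any connection uses the manager; confirm.
 */
public class CompositeUsernamePasswordAuthenticationManagerImpl extends AbstractAuthenticationManager<CompositeUsernamePasswordAuthenticationManagerImpl> implements CompositeUsernamePasswordAuthenticationManager<CompositeUsernamePasswordAuthenticationManagerImpl> {
    public static final String MECHANISM_NAME = "COMPOSITE";
    private static final Logger LOGGER = LoggerFactory.getLogger(CompositeUsernamePasswordAuthenticationManagerImpl.class);

    private static final String SCRAM_SHA_1 = "SCRAM-SHA-1";
    private static final String SCRAM_SHA_256 = "SCRAM-SHA-256";

    // Names of the delegate providers, injected by the configuration model.
    @ManagedAttributeField
    private List<String> _delegates;
    // Resolved delegates, kept in configuration order because authenticate() tries them in turn.
    private final Set<UsernamePasswordAuthenticationProvider<?>> _authenticationProviders;
    // Mechanism name -> factory for the negotiator serving that mechanism.
    private final Map<String, Function<SaslSettings, SaslNegotiator>> _saslNegotiators;
    // SCRAM mechanism name -> adapter that answers from the composite password source.
    private final Map<String, ScramSaslServerSourceAdapter> _scramAdapters;
    private final Map<String, String> _hmacNames;
    private final Map<String, String> _digestNames;
    private List<String> _mechanisms;
    private List<String> _secureOnlyMechanisms;
    private List<String> _disabledMechanisms;
    final int scramIterationCount;

    /**
     * Creates the manager with empty lookup tables and reads the SCRAM iteration count from the
     * context.
     *
     * @param map attributes passed to the superclass constructor
     * @param container parent container passed to the superclass constructor
     */
    @ManagedObjectFactoryConstructor
    public CompositeUsernamePasswordAuthenticationManagerImpl(Map<String, Object> map, Container<?> container) {
        super(map, container);
        this._authenticationProviders = new LinkedHashSet<>();
        this._saslNegotiators = new HashMap<>();
        this._scramAdapters = new HashMap<>();
        this._hmacNames = new HashMap<>();
        this._digestNames = new HashMap<>();
        this._mechanisms = new ArrayList<>();
        this._secureOnlyMechanisms = new ArrayList<>();
        this._disabledMechanisms = new ArrayList<>();
        this.scramIterationCount = ((Integer) getContextValue(Integer.class, AbstractScramAuthenticationManager.QPID_AUTHMANAGER_SCRAM_ITERATION_COUNT)).intValue();
    }

    /**
     * Resolves the configured delegates and derives the mechanism lists from them.
     *
     * <ul>
     *   <li>mechanisms: those every delegate offers, minus any mechanism a delegate disables;</li>
     *   <li>secure-only: this manager's own list plus every delegate's list;</li>
     *   <li>disabled: this manager's own list plus every delegate's list.</li>
     * </ul>
     *
     * @throws IllegalConfigurationException if {@code delegates} is missing, empty, contains a
     *         duplicate name, or names a provider that {@link #resolveDelegate(String)} rejects
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public void postResolveChildren() {
        super.postResolveChildren();
        final PasswordSource passwordSource = getPasswordSource();
        this._scramAdapters.put(SCRAM_SHA_1, new ScramSaslServerSourceAdapter(this.scramIterationCount, ScramSHA1AuthenticationManager.HMAC_NAME, ScramSHA1AuthenticationManager.DIGEST_NAME, passwordSource));
        this._scramAdapters.put(SCRAM_SHA_256, new ScramSaslServerSourceAdapter(this.scramIterationCount, ScramSHA256AuthenticationManager.HMAC_NAME, ScramSHA256AuthenticationManager.DIGEST_NAME, passwordSource));

        // A missing attribute is reported as a configuration error rather than an NPE.
        requireUsableDelegateNames(this._delegates);
        for (final String delegateName : this._delegates) {
            this._authenticationProviders.add((UsernamePasswordAuthenticationProvider<?>) resolveDelegate(delegateName));
        }

        // Build the list locally and publish it once it is complete.
        final List<String> common = new ArrayList<>(this._authenticationProviders.iterator().next().getMechanisms());
        for (final UsernamePasswordAuthenticationProvider<?> provider : this._authenticationProviders) {
            common.retainAll(provider.getMechanisms());
        }
        for (final UsernamePasswordAuthenticationProvider<?> provider : this._authenticationProviders) {
            final Collection<String> disabled = provider.getDisabledMechanisms();
            if (disabled != null) {
                common.removeAll(disabled);
            }
        }
        this._mechanisms = common;

        this._secureOnlyMechanisms = distinctUnion(
                super.getSecureOnlyMechanisms(),
                this._authenticationProviders.stream()
                        .filter(provider -> provider.getSecureOnlyMechanisms() != null)
                        .flatMap(provider -> provider.getSecureOnlyMechanisms().stream()));
        this._disabledMechanisms = distinctUnion(
                super.getDisabledMechanisms(),
                this._authenticationProviders.stream()
                        .filter(provider -> provider.getDisabledMechanisms() != null)
                        .flatMap(provider -> provider.getDisabledMechanisms().stream()));
    }

    /**
     * Registers the digest/HMAC names for the SCRAM mechanisms and one negotiator factory per
     * SASL mechanism this class can serve.
     *
     * <p>Registration here does not by itself offer a mechanism: what is advertised is decided
     * by the lists computed in {@link #postResolveChildren()}. PLAIN carries the password itself
     * and the CRAM-MD5 variants are MD5-based, so whether they are offered on a given transport
     * depends on the secure-only and disabled lists.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public void onOpen() {
        super.onOpen();
        this._hmacNames.put(SCRAM_SHA_1, ScramSHA1AuthenticationManager.HMAC_NAME);
        this._hmacNames.put(SCRAM_SHA_256, ScramSHA256AuthenticationManager.HMAC_NAME);
        this._digestNames.put(SCRAM_SHA_1, ScramSHA1AuthenticationManager.DIGEST_NAME);
        this._digestNames.put(SCRAM_SHA_256, ScramSHA256AuthenticationManager.DIGEST_NAME);

        this._saslNegotiators.put(CramMd5Negotiator.MECHANISM,
                settings -> new CramMd5Negotiator(getAuthenticationProviderStub(), settings.getLocalFQDN(), getPasswordSource()));
        this._saslNegotiators.put("CRAM-MD5-HASHED",
                settings -> new CramMd5Base64HashedNegotiator(getAuthenticationProviderStub(), settings.getLocalFQDN(), getPasswordSource()));
        this._saslNegotiators.put("CRAM-MD5-HEX",
                settings -> new CramMd5Base64HexNegotiator(getAuthenticationProviderStub(), settings.getLocalFQDN(), getPasswordSource()));
        this._saslNegotiators.put("PLAIN", settings -> new PlainNegotiator(this));
        this._saslNegotiators.put(SCRAM_SHA_1,
                settings -> new ScramNegotiator(this, getScramSaslServerSource(SCRAM_SHA_1), SCRAM_SHA_1));
        this._saslNegotiators.put(SCRAM_SHA_256,
                settings -> new ScramNegotiator(this, getScramSaslServerSource(SCRAM_SHA_256), SCRAM_SHA_256));
    }

    /**
     * Validates a proposed change to this object's attributes.
     *
     * <p>The proposed {@code delegates} value must be non-empty, free of duplicate names and
     * made only of names that {@link #resolveDelegate(String)} accepts. Duplicates are rejected
     * here as well as in {@link #postResolveChildren()}, so a change that
     * {@code postResolveChildren()} would refuse is not accepted.
     *
     * @param configuredObject proxy carrying the proposed attribute values
     * @param set names of the changed attributes
     * @throws IllegalConfigurationException if the proposed delegates are not usable
     */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public void validateChange(ConfiguredObject<?> configuredObject, Set<String> set) {
        super.validateChange(configuredObject, set);
        final Collection<?> proposed = (Collection<?>) configuredObject.getAttribute("delegates");
        requireUsableDelegateNames(proposed);
        for (final Object delegateName : proposed) {
            resolveDelegate((String) delegateName);
        }
    }

    /**
     * Returns the mechanisms every delegate supports and none of them disables.
     *
     * @return an unmodifiable view of the mechanism list
     */
    @Override // org.apache.qpid.server.model.AuthenticationProvider
    public List<String> getMechanisms() {
        return Collections.unmodifiableList(this._mechanisms);
    }

    /**
     * Returns the mechanisms that may be offered on a connection.
     *
     * @param z when {@code false}, mechanisms on the secure-only list are left out
     * @return an unmodifiable list without disabled mechanisms and, unless {@code z} is
     *         {@code true}, without secure-only mechanisms
     */
    @Override // org.apache.qpid.server.security.auth.manager.AbstractAuthenticationManager, org.apache.qpid.server.model.AuthenticationProvider
    public List<String> getAvailableMechanisms(boolean z) {
        final List<String> available = new ArrayList<>();
        for (final String mechanism : this._mechanisms) {
            final boolean allowedOnTransport = z || !this._secureOnlyMechanisms.contains(mechanism);
            if (allowedOnTransport && !this._disabledMechanisms.contains(mechanism)) {
                available.add(mechanism);
            }
        }
        return Collections.unmodifiableList(available);
    }

    /**
     * Creates the negotiator for a SASL mechanism requested by a peer.
     *
     * <p>A negotiator is built only for a mechanism that {@link #getMechanisms()} advertises, so
     * the intersection and disable rules computed in {@link #postResolveChildren()} also hold
     * when a caller has not checked the name itself. The secure-only and manager-level disabled
     * lists are applied by {@link #getAvailableMechanisms(boolean)}.
     * NOTE(review): no transport-security flag is visible in this method's parameters; confirm
     * that callers consult getAvailableMechanisms before calling it.
     *
     * @param str mechanism name requested by the peer
     * @param saslSettings settings handed to the negotiator factory
     * @param namedAddressSpace not used by this implementation
     * @return the negotiator, or {@code null} when the mechanism is not served
     */
    @Override // org.apache.qpid.server.model.AuthenticationProvider
    public SaslNegotiator createSaslNegotiator(String str, SaslSettings saslSettings, NamedAddressSpace namedAddressSpace) {
        if (!this._mechanisms.contains(str)) {
            return null;
        }
        final Function<SaslSettings, SaslNegotiator> factory = this._saslNegotiators.get(str);
        return factory == null ? null : factory.apply(saslSettings);
    }

    /**
     * Tries each delegate in configured order and returns the first result whose status is not
     * {@code ERROR}.
     *
     * <p>Because the first non-error answer wins, a username known to several delegates is
     * accepted with the password of any one of them. The username, not the password, is written
     * to the debug log.
     *
     * @param str username
     * @param str2 password
     * @return the first non-error delegate result, or a fresh {@code ERROR} result when every
     *         delegate reports an error
     */
    @Override // org.apache.qpid.server.security.auth.manager.UsernamePasswordAuthenticationProvider
    public AuthenticationResult authenticate(String str, String str2) {
        for (final UsernamePasswordAuthenticationProvider<?> delegate : this._authenticationProviders) {
            final AuthenticationResult result = delegate.authenticate(str, str2);
            final String delegateType = delegate.getClass().getSimpleName();
            if (AuthenticationResult.AuthenticationStatus.ERROR.equals(result.getStatus())) {
                LOGGER.debug("Authentication of user '{}' against '{}' failed", str, delegateType);
                continue;
            }
            LOGGER.debug("Authentication of user '{}' against '{}' succeeded", str, delegateType);
            return result;
        }
        LOGGER.debug("All authentication attempts failed");
        return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);
    }

    /**
     * Builds the SCRAM server source for one mechanism.
     *
     * @param mechanism SCRAM mechanism name used to look up digest, HMAC and adapter
     * @return a source answering from the delegates, falling back to this manager's adapter
     */
    private ScramSaslServerSource getScramSaslServerSource(final String mechanism) {
        return new ScramSaslServerSource() { // from class: org.apache.qpid.server.security.auth.manager.CompositeUsernamePasswordAuthenticationManagerImpl.1
            @Override // org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSource
            public int getIterationCount() {
                return CompositeUsernamePasswordAuthenticationManagerImpl.this.scramIterationCount;
            }

            @Override // org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSource
            public String getDigestName() {
                return requireSupported(CompositeUsernamePasswordAuthenticationManagerImpl.this._digestNames, mechanism);
            }

            @Override // org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSource
            public String getHmacName() {
                return requireSupported(CompositeUsernamePasswordAuthenticationManagerImpl.this._hmacNames, mechanism);
            }

            /**
             * Returns the keys from the delegate that knows the user when that delegate is a
             * SCRAM manager, and from this manager's adapter otherwise.
             *
             * <p>The adapter is consulted only when it is needed. The previous
             * {@code Optional.orElse(adapter...)} form evaluated the adapter lookup on every
             * call, including when a delegate had already supplied the keys.
             */
            @Override // org.apache.qpid.server.security.auth.sasl.scram.ScramSaslServerSource
            public ScramSaslServerSource.SaltAndPasswordKeys getSaltAndPasswordKeys(String username) {
                final Optional<UsernamePasswordAuthenticationProvider<?>> owner = findOwningProvider(username);
                if (owner.isPresent() && owner.get() instanceof AbstractScramAuthenticationManager) {
                    // Raw cast: only the erased return type of the call is needed here.
                    final ScramSaslServerSource.SaltAndPasswordKeys fromOwner =
                            ((AbstractScramAuthenticationManager) owner.get()).getSaltAndPasswordKeys(username);
                    if (fromOwner != null) {
                        return fromOwner;
                    }
                }
                return adapterKeys(mechanism, username);
            }
        };
    }

    /**
     * Looks up a delegate by name among the parent broker's authentication providers.
     *
     * @param str name of the provider
     * @return the provider with that name
     * @throws IllegalConfigurationException if no provider has that name, if it is not a
     *         username/password provider, or if it is itself a composite manager
     */
    private AuthenticationProvider<?> resolveDelegate(String str) {
        AuthenticationProvider<?> match = null;
        for (final AuthenticationProvider<?> candidate : ((Broker<?>) getParent()).getAuthenticationProviders()) {
            if (candidate.getName().equals(str)) {
                match = candidate;
                break;
            }
        }
        if (match == null) {
            throw new IllegalConfigurationException("Authentication provider '" + str + "' not found");
        }
        if (!(match instanceof UsernamePasswordAuthenticationProvider)) {
            throw new IllegalConfigurationException("Authentication provider '" + str + "' is not UsernamePasswordAuthenticationProvider");
        }
        // Nesting is refused outright, which also rules out a composite naming itself.
        if (match instanceof CompositeUsernamePasswordAuthenticationManager) {
            throw new IllegalConfigurationException("Composite authentication providers shouldn't be nested");
        }
        return match;
    }

    /**
     * Returns a password source that answers from the first delegate that manages its own users
     * and knows the requested user.
     *
     * <p>The returned {@code char[]} is whatever that delegate's password source hands out;
     * {@code null} means no such delegate knows the user.
     */
    private PasswordSource getPasswordSource() {
        return username -> findOwningProvider(username)
                .map(owner -> ((ConfigModelPasswordManagingAuthenticationProvider<?>) owner).getPasswordSource().getPassword(username))
                .orElse(null);
    }

    /**
     * Creates the provider object handed to the CRAM-MD5 negotiators.
     *
     * <p>The stub serves passwords from {@link #getPasswordSource()} and forwards
     * {@code authenticate} to this manager; every other overridden operation throws because a
     * negotiator is not expected to call it.
     */
    private <X extends ConfigModelPasswordManagingAuthenticationProvider<X>> ConfigModelPasswordManagingAuthenticationProvider<X> getAuthenticationProviderStub() {
        final Map<String, Object> attributes = new HashMap<>();
        attributes.put("name", "AuthenticationProviderStub");
        attributes.put("id", UUID.randomUUID());
        final PasswordSource passwordSource = getPasswordSource();
        return new ConfigModelPasswordManagingAuthenticationProvider<X>(attributes, (Container<?>) getParent()) { // from class: org.apache.qpid.server.security.auth.manager.CompositeUsernamePasswordAuthenticationManagerImpl.2
            @Override // org.apache.qpid.server.security.auth.manager.UsernamePasswordAuthenticationProvider
            public AuthenticationResult authenticate(String username, String password) {
                // Forward to the enclosing manager. An unqualified this.authenticate(...) would
                // call this very method again and recurse until the stack overflows.
                return CompositeUsernamePasswordAuthenticationManagerImpl.this.authenticate(username, password);
            }

            @Override // org.apache.qpid.server.security.auth.manager.ConfigModelPasswordManagingAuthenticationProvider
            public PasswordSource getPasswordSource() {
                return passwordSource;
            }

            /* JADX INFO: Access modifiers changed from: protected */
            @Override // org.apache.qpid.server.security.auth.manager.ConfigModelPasswordManagingAuthenticationProvider
            public String createStoredPassword(String str) {
                throw new ConnectionScopedRuntimeException("SaslNegotiator isn't supposed to call createStoredPassword()");
            }

            /* JADX INFO: Access modifiers changed from: package-private */
            @Override // org.apache.qpid.server.security.auth.manager.ConfigModelPasswordManagingAuthenticationProvider
            public void validateUser(ManagedUser managedUser) {
                throw new ConnectionScopedRuntimeException("SaslNegotiator isn't supposed to call validateUser()");
            }

            @Override // org.apache.qpid.server.model.AuthenticationProvider
            public List<String> getMechanisms() {
                throw new ConnectionScopedRuntimeException("SaslNegotiator isn't supposed to call getMechanisms()");
            }

            @Override // org.apache.qpid.server.model.AuthenticationProvider
            public SaslNegotiator createSaslNegotiator(String str, SaslSettings saslSettings, NamedAddressSpace namedAddressSpace) {
                throw new ConnectionScopedRuntimeException("SaslNegotiator isn't supposed to call createSaslNegotiator()");
            }
        };
    }

    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public String toString() {
        return "CompositeAuthenticationManagerImpl {_authenticationProviders=" + this._authenticationProviders + "}";
    }

    /**
     * Returns the configured delegate names.
     *
     * <p>This is the injected list itself, not a copy.
     * NOTE(review): confirm the configuration model supplies an unmodifiable list.
     */
    @Override // org.apache.qpid.server.security.auth.manager.CompositeUsernamePasswordAuthenticationManager
    public List<String> getDelegates() {
        return this._delegates;
    }

    /** Rejects a delegate-name collection that is missing, empty or contains a duplicate. */
    private static void requireUsableDelegateNames(final Collection<?> names) {
        if (names == null || names.isEmpty()) {
            throw new IllegalConfigurationException("Composite authentication manager should contain at least one delegate");
        }
        if (new HashSet<Object>(names).size() != names.size()) {
            throw new IllegalConfigurationException("Composite authentication manager shouldn't contain duplicate names");
        }
    }

    /** Concatenates the manager's own list (may be {@code null}) with delegate entries, dropping repeats. */
    private static List<String> distinctUnion(final Collection<String> own, final Stream<String> delegated) {
        final Stream<String> ownEntries = own == null ? Stream.<String>empty() : own.stream();
        return Stream.concat(ownEntries, delegated).distinct().collect(Collectors.toList());
    }

    /** Returns the name registered for a mechanism, or fails the connection when there is none. */
    private static String requireSupported(final Map<String, String> namesByMechanism, final String mechanism) {
        final String name = namesByMechanism.get(mechanism);
        if (name == null) {
            throw new ConnectionScopedRuntimeException("Mechanism '" + mechanism + "' not supported");
        }
        return name;
    }

    /** Finds the first delegate, in configured order, that manages its own users and knows this one. */
    private Optional<UsernamePasswordAuthenticationProvider<?>> findOwningProvider(final String username) {
        for (final UsernamePasswordAuthenticationProvider<?> provider : this._authenticationProviders) {
            if (provider instanceof ConfigModelPasswordManagingAuthenticationProvider
                    && ((ConfigModelPasswordManagingAuthenticationProvider<?>) provider).getUser(username) != null) {
                return Optional.of(provider);
            }
        }
        return Optional.empty();
    }

    /** Asks this manager's own SCRAM adapter for the keys; a missing adapter fails the connection instead of raising an NPE. */
    private ScramSaslServerSource.SaltAndPasswordKeys adapterKeys(final String mechanism, final String username) {
        final ScramSaslServerSourceAdapter adapter = this._scramAdapters.get(mechanism);
        if (adapter == null) {
            throw new ConnectionScopedRuntimeException("Mechanism '" + mechanism + "' not supported");
        }
        return adapter.getSaltAndPasswordKeys(username);
    }
}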
