package io.helidon.security.providers.httpauth;

import io.helidon.config.Config;
import io.helidon.config.metadata.Configured;
import io.helidon.security.AuthenticationResponse;
import io.helidon.security.Principal;
import io.helidon.security.ProviderRequest;
import io.helidon.security.Role;
import io.helidon.security.SecurityEnvironment;
import io.helidon.security.SecurityResponse;
import io.helidon.security.Subject;
import io.helidon.security.SubjectType;
import io.helidon.security.providers.httpauth.HttpDigest;
import io.helidon.security.providers.httpauth.SecureUserStore;
import io.helidon.security.spi.AuthenticationProvider;
import io.helidon.security.spi.SecurityProvider;
import io.helidon.security.spi.SynchronousProvider;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Random;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;

/* loaded from: input_file:io/helidon/security/providers/httpauth/HttpDigestAuthProvider.class */
public final class HttpDigestAuthProvider extends SynchronousProvider implements AuthenticationProvider {
    static final String HEADER_AUTHENTICATION_REQUIRED = "WWW-Authenticate";
    static final String HEADER_AUTHENTICATION = "authorization";
    static final String DIGEST_PREFIX = "digest ";
    private static final int UNAUTHORIZED_STATUS_CODE = 401;
    private static final int SALT_LENGTH = 16;
    private static final int AES_NONCE_LENGTH = 12;
    private static final Logger LOGGER = Logger.getLogger(HttpDigestAuthProvider.class.getName());
    private final List<HttpDigest.Qop> digestQopOptions = new LinkedList();
    private final SecureUserStore userStore;
    private final boolean optional;
    private final String realm;
    private final SubjectType subjectType;
    private final HttpDigest.Algorithm digestAlgorithm;
    private final SecureRandom random;
    private final long digestNonceTimeoutMillis;
    private final char[] digestServerSecret;

    @Configured(prefix = "http-digest-auth", description = "Http digest authentication security provider", provides = {SecurityProvider.class, AuthenticationProvider.class})
    /* loaded from: input_file:io/helidon/security/providers/httpauth/HttpDigestAuthProvider$Builder.class */
    public static final class Builder implements io.helidon.common.Builder<Builder, HttpDigestAuthProvider> {
        private static final String DEFAULT_REALM = "Helidon";
        private static final SecureUserStore EMPTY_STORE = str -> {
            return Optional.empty();
        };
        public static final long DEFAULT_DIGEST_NONCE_TIMEOUT = 86400000;
        private final List<HttpDigest.Qop> digestQopOptions = new LinkedList();
        private SecureUserStore userStore = EMPTY_STORE;
        private boolean optional = false;
        private String realm = DEFAULT_REALM;
        private SubjectType subjectType = SubjectType.USER;
        private HttpDigest.Algorithm digestAlgorithm = HttpDigest.Algorithm.MD5;
        private boolean noDigestQop = false;
        private long digestNonceTimeoutMillis = DEFAULT_DIGEST_NONCE_TIMEOUT;
        private char[] digestServerSecret = randomSecret();

        private Builder() {
        }

        public Builder config(Config config) {
            config.get("optional").asBoolean().ifPresent((v1) -> {
                optional(v1);
            });
            config.get("realm").asString().ifPresent(this::realm);
            config.get("users").as(ConfigUserStore::create).ifPresent(this::userStore);
            config.get("algorithm").asString().as(HttpDigest.Algorithm::valueOf).ifPresent(this::digestAlgorithm);
            config.get("nonce-timeout-millis").asLong().ifPresent(l -> {
                digestNonceTimeout(l.longValue(), TimeUnit.MILLISECONDS);
            });
            config.get("principal-type").asString().as(SubjectType::valueOf).ifPresent(this::subjectType);
            config.get("server-secret").asString().map((v0) -> {
                return v0.toCharArray();
            }).ifPresent(this::digestServerSecret);
            config.get("qop").asList(HttpDigest.Qop::create).ifPresent(list -> {
                if (list.isEmpty()) {
                    noDigestQop();
                } else {
                    list.forEach(this::addDigestQop);
                }
            });
            return this;
        }

        private static char[] randomSecret() {
            return new BigInteger(130, new Random()).toString(32).toCharArray();
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // io.helidon.common.Builder
        /* renamed from: build */
        public HttpDigestAuthProvider build2() {
            if (this.digestQopOptions.isEmpty() && !this.noDigestQop) {
                this.digestQopOptions.add(HttpDigest.Qop.AUTH);
            }
            Objects.requireNonNull(this.userStore, "User store must be configured");
            return new HttpDigestAuthProvider(this);
        }

        public Builder subjectType(SubjectType subjectType) {
            this.subjectType = subjectType;
            switch (subjectType) {
                case USER:
                case SERVICE:
                    return this;
                default:
                    throw new SecurityException("Invalid configuration. Principal type not supported: " + subjectType);
            }
        }

        public Builder userStore(SecureUserStore secureUserStore) {
            this.userStore = secureUserStore;
            return this;
        }

        public Builder optional(boolean z) {
            this.optional = z;
            return this;
        }

        public Builder realm(String str) {
            this.realm = str;
            return this;
        }

        public Builder digestAlgorithm(HttpDigest.Algorithm algorithm) {
            this.digestAlgorithm = algorithm;
            return this;
        }

        public Builder digestNonceTimeout(long j, TimeUnit timeUnit) {
            this.digestNonceTimeoutMillis = timeUnit.toMillis(j);
            return this;
        }

        public Builder digestServerSecret(char[] cArr) {
            this.digestServerSecret = Arrays.copyOf(cArr, cArr.length);
            return this;
        }

        public Builder addDigestQop(HttpDigest.Qop qop) {
            this.digestQopOptions.add(qop);
            return this;
        }

        public Builder noDigestQop() {
            this.noDigestQop = true;
            this.digestQopOptions.clear();
            return this;
        }
    }

    private HttpDigestAuthProvider(Builder builder) {
        this.userStore = builder.userStore;
        this.optional = builder.optional;
        this.realm = builder.realm;
        this.subjectType = builder.subjectType;
        this.digestAlgorithm = builder.digestAlgorithm;
        this.digestQopOptions.addAll(builder.digestQopOptions);
        this.digestNonceTimeoutMillis = builder.digestNonceTimeoutMillis;
        this.digestServerSecret = builder.digestServerSecret;
        this.random = new SecureRandom();
    }

    public static Builder builder() {
        return new Builder();
    }

    public static HttpDigestAuthProvider create(Config config) {
        return builder().config(config).build2();
    }

    static String nonce(long j, Random random, char[] cArr) {
        byte[] bArr = new byte[16];
        random.nextBytes(bArr);
        byte[] bArr2 = new byte[12];
        random.nextBytes(bArr2);
        try {
            byte[] doFinal = HttpAuthUtil.cipher(cArr, bArr, bArr2, 1).doFinal(HttpAuthUtil.toBytes(j));
            byte[] bArr3 = new byte[bArr.length + bArr2.length + doFinal.length];
            System.arraycopy(bArr, 0, bArr3, 0, bArr.length);
            System.arraycopy(bArr2, 0, bArr3, bArr.length, bArr2.length);
            System.arraycopy(doFinal, 0, bArr3, bArr2.length + bArr.length, doFinal.length);
            return Base64.getEncoder().encodeToString(bArr3);
        } catch (Exception e) {
            LOGGER.log(Level.SEVERE, "Encryption failed, though this should not happen. This is a bug.", (Throwable) e);
            return "failed_nonce_value";
        }
    }

    @Override // io.helidon.security.spi.SynchronousProvider
    protected AuthenticationResponse syncAuthenticate(ProviderRequest providerRequest) {
        List<String> list = providerRequest.env().headers().get(HEADER_AUTHENTICATION);
        return null == list ? failOrAbstain("No authorization header") : (AuthenticationResponse) list.stream().filter(str -> {
            return str.toLowerCase().startsWith(DIGEST_PREFIX);
        }).findFirst().map(str2 -> {
            return validateDigestAuth(str2, providerRequest.env());
        }).orElseGet(() -> {
            return failOrAbstain("Authorization header does not contain digest authentication: " + list);
        });
    }

    private AuthenticationResponse validateDigestAuth(String str, SecurityEnvironment securityEnvironment) {
        try {
            DigestToken fromAuthorizationHeader = DigestToken.fromAuthorizationHeader(str.substring(DIGEST_PREFIX.length()), securityEnvironment.method().toLowerCase());
            try {
                byte[] decode = Base64.getDecoder().decode(fromAuthorizationHeader.getNonce());
                if (decode.length < 17) {
                    return failOrAbstain("Invalid nonce length");
                }
                byte[] bArr = new byte[16];
                byte[] bArr2 = new byte[12];
                byte[] bArr3 = new byte[(decode.length - 16) - 12];
                System.arraycopy(decode, 0, bArr, 0, bArr.length);
                System.arraycopy(decode, 16, bArr2, 0, bArr2.length);
                System.arraycopy(decode, 28, bArr3, 0, bArr3.length);
                try {
                    byte[] doFinal = HttpAuthUtil.cipher(this.digestServerSecret, bArr, bArr2, 2).doFinal(bArr3);
                    return System.currentTimeMillis() - HttpAuthUtil.toLong(doFinal, 0, doFinal.length) > this.digestNonceTimeoutMillis ? failOrAbstain("Nonce timeout") : !this.realm.equals(fromAuthorizationHeader.getRealm()) ? failOrAbstain("Invalid realm") : (AuthenticationResponse) this.userStore.user(fromAuthorizationHeader.getUsername()).map(user -> {
                        return fromAuthorizationHeader.validateLogin(user) ? this.subjectType == SubjectType.USER ? AuthenticationResponse.success(buildSubject(user)) : AuthenticationResponse.successService(buildSubject(user)) : failOrAbstain("Invalid username or password");
                    }).orElse(failOrAbstain("Invalid username or password"));
                } catch (Exception e) {
                    LOGGER.log(Level.FINEST, "Failed to validate nonce", (Throwable) e);
                    return failOrAbstain("Invalid nonce value");
                }
            } catch (IllegalArgumentException e2) {
                LOGGER.log(Level.FINEST, "Failed to base64 decode nonce", (Throwable) e2);
                return failOrAbstain("Nonce must be base64 encoded");
            }
        } catch (HttpAuthException e3) {
            LOGGER.log(Level.FINEST, "Failed to process digest token", (Throwable) e3);
            return failOrAbstain(e3.getMessage());
        }
    }

    private AuthenticationResponse failOrAbstain(String str) {
        return this.optional ? ((AuthenticationResponse.Builder) ((AuthenticationResponse.Builder) AuthenticationResponse.builder().status(SecurityResponse.SecurityStatus.ABSTAIN)).description(str)).build2() : ((AuthenticationResponse.Builder) ((AuthenticationResponse.Builder) ((AuthenticationResponse.Builder) ((AuthenticationResponse.Builder) AuthenticationResponse.builder().statusCode(401)).responseHeader("WWW-Authenticate", buildChallenge())).status(SecurityResponse.SecurityStatus.FAILURE)).description(str)).build2();
    }

    private String buildChallenge() {
        StringBuilder sb = new StringBuilder();
        sb.append("Digest realm=\"").append(this.realm).append("\"");
        if (!this.digestQopOptions.isEmpty()) {
            sb.append(", qop=\"").append(join(this.digestQopOptions)).append("\"");
        }
        sb.append(", algorithm=\"").append(this.digestAlgorithm.getAlgorithm()).append("\"");
        sb.append(", nonce=\"").append(nonce(System.currentTimeMillis(), this.random, this.digestServerSecret)).append("\"");
        sb.append(", opaque=\"").append(opaque()).append("\"");
        return sb.toString();
    }

    private String opaque() {
        byte[] bArr = new byte[32];
        this.random.nextBytes(bArr);
        return Base64.getEncoder().encodeToString(bArr);
    }

    private String join(List<HttpDigest.Qop> list) {
        return (String) list.stream().map((v0) -> {
            return v0.getQop();
        }).collect(Collectors.joining(","));
    }

    private Subject buildSubject(SecureUserStore.User user) {
        Subject.Builder addPrivateCredential = Subject.builder().principal(Principal.builder().name(user.login()).build2()).addPrivateCredential(SecureUserStore.User.class, user);
        user.roles().forEach(str -> {
            addPrivateCredential.addGrant(Role.create(str));
        });
        return addPrivateCredential.build2();
    }
}
