package edu.internet2.middleware.grouper.j2ee;

import edu.internet2.middleware.grouper.authentication.GrouperPassword;
import edu.internet2.middleware.grouper.authentication.GrouperPasswordSave;
import edu.internet2.middleware.grouper.cfg.GrouperConfig;
import edu.internet2.middleware.grouper.cfg.GrouperHibernateConfig;
import edu.internet2.middleware.grouper.misc.GrouperDAOFactory;
import edu.internet2.middleware.grouper.util.GrouperUtil;
import edu.internet2.middleware.grouperClient.collections.MultiKey;
import edu.internet2.middleware.grouperClient.util.ExpirableCache;
import edu.internet2.middleware.morphString.Morph;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.StringTokenizer;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;

/* loaded from: input_file:edu/internet2/middleware/grouper/j2ee/Authentication.class */
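/**
 * HTTP Basic authentication against locally stored Grouper passwords.
 *
 * <p>An {@code Authorization} header value of the form {@code Basic <base64(user:pass)>} is
 * decoded, split on a colon, and the password is verified either against a
 * {@link GrouperPassword} row (salted hash, then {@code Morph.encrypt}) or, when no row exists,
 * against a {@code grouperPasswordConfigOverride_<application>_<username>_pass} entry in the
 * hibernate config.
 *
 * <p>Successful authentications are cached per application unless
 * {@code grouper.authentication.<application>.cache} is set to false.
 */
public class Authentication {
    private static final Log LOG = GrouperUtil.getLog(Authentication.class);

    // Per-application cache of credentials that already authenticated successfully.
    // Plain HashMap: every access goes through the synchronized helpers below.
    private static final Map<GrouperPassword.Application, ExpirableCache<MultiKey, Boolean>> authenticationCache = new HashMap<>();

    /**
     * Prints the result of the colon helpers for two fixed sample strings (manual smoke check).
     *
     * @param strArr ignored
     */
    public static void main(String[] strArr) {
        System.out.println("indexOfFirst a:b:c:sddfgdfgdfgdfg: " + colonIndexOf("a:b:c:sddfgdfgdfgdfg", true));
        System.out.println("indexOfLast a:b:c:sddfgdfgdfgdfg: " + colonIndexOf("a:b:c:sddfgdfgdfgdfg", false));
        System.out.println("unescapeTrue a&#x3a;b&#x3a;c: " + unescapeColons("a&#x3a;b&#x3a;c", true));
        System.out.println("unescapeFalse a&#x3a;b&#x3a;c: " + unescapeColons("a&#x3a;b&#x3a;c", false));
    }

    /**
     * Finds the colon that separates username from password in decoded Basic credentials.
     *
     * <p>Splits on the first colon when
     * {@code grouper.authentication.splitBasicAuthOnFirstColon} is true, otherwise (the default)
     * on the last colon.
     *
     * @param str decoded {@code user:pass} string, must not be null
     * @return index of the separating colon, or -1 if there is none
     */
    public static int colonIndexOf(String str) {
        return colonIndexOf(str, GrouperConfig.retrieveConfig().propertyValueBoolean("grouper.authentication.splitBasicAuthOnFirstColon", false));
    }

    /** Returns the index of the first colon when {@code splitOnFirstColon}, else of the last. */
    private static int colonIndexOf(String str, boolean splitOnFirstColon) {
        return splitOnFirstColon ? str.indexOf(":") : str.lastIndexOf(":");
    }

    /**
     * Replaces the escape sequence {@code &#x3a;} with a literal colon, unless
     * {@code grouper.authentication.basicAuthUnescapeColon} is set to false (default true).
     *
     * @param str username or password part, may be null
     * @return the unescaped string, or {@code str} unchanged when unescaping is disabled or it is null
     */
    public static String unescapeColons(String str) {
        return unescapeColons(str, GrouperConfig.retrieveConfig().propertyValueBoolean("grouper.authentication.basicAuthUnescapeColon", true));
    }

    /** Unescapes {@code &#x3a;} to {@code :} only when {@code unescape} is true and {@code str} is non-null. */
    private static String unescapeColons(String str, boolean unescape) {
        if (str != null && unescape) {
            return StringUtils.replace(str, "&#x3a;", ":");
        }
        return str;
    }

    /**
     * Decodes the credentials part of a Basic {@code Authorization} header value.
     *
     * @param authHeader non-blank header value
     * @return the decoded {@code user:pass} string, or null when the scheme is not Basic or the
     *     credentials token is missing
     * @throws IllegalArgumentException if the credentials token is not valid Base64
     */
    private static String decodeBasicCredentials(String authHeader) {
        StringTokenizer tokens = new StringTokenizer(authHeader);
        if (!tokens.hasMoreTokens() || !tokens.nextToken().equalsIgnoreCase("Basic")) {
            return null;
        }
        // "Basic" with nothing after it is a malformed header, not an internal error.
        if (!tokens.hasMoreTokens()) {
            return null;
        }
        return new String(Base64.getDecoder().decode(tokens.nextToken()), StandardCharsets.UTF_8);
    }

    /**
     * Compares two strings without stopping at the first differing byte, so the comparison time
     * does not reveal how much of a guessed value matched. Null handling mirrors
     * {@code StringUtils.equals}: two nulls are equal, one null is not.
     */
    private static boolean constantTimeEquals(String left, String right) {
        if (left == null || right == null) {
            return left == null && right == null;
        }
        return MessageDigest.isEqual(left.getBytes(StandardCharsets.UTF_8), right.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Extracts the username from a Basic {@code Authorization} header value without verifying
     * the password.
     *
     * @param str the header value, may be null or blank
     * @return the trimmed, colon-unescaped username, or null when the header is blank, is not
     *     Basic, has no colon separator, or cannot be decoded
     */
    public static final String retrieveUsername(String str) {
        if (StringUtils.isBlank(str)) {
            return null;
        }
        try {
            String credentials = decodeBasicCredentials(str);
            if (credentials == null) {
                return null;
            }
            int separator = colonIndexOf(credentials);
            if (separator == -1) {
                return null;
            }
            return unescapeColons(credentials.substring(0, separator).trim());
        } catch (Exception e) {
            // Log the cause too, as authenticate() does, so a decoding failure can be diagnosed.
            LOG.error("Error retrieving username from authHeader", e);
            return null;
        }
    }

    /**
     * Returns the success cache for an application, creating it on first use.
     *
     * <p>Synchronized because the backing map is a plain HashMap shared by all callers.
     *
     * @param application must not be null
     * @return the cache, or null when {@code grouper.authentication.<application>.cache} is false
     */
    private static synchronized ExpirableCache<MultiKey, Boolean> authenticationCache(GrouperPassword.Application application) {
        GrouperUtil.assertion(application != null, "application cant be null");
        ExpirableCache<MultiKey, Boolean> cache = null;
        if (GrouperConfig.retrieveConfig().propertyValueBoolean("grouper.authentication." + application.name() + ".cache", true)) {
            cache = authenticationCache.get(application);
            if (cache == null) {
                cache = new ExpirableCache<>(GrouperConfig.retrieveConfig().propertyValueInt("grouper.authentication." + application.name() + ".cacheTimeMinutes", 2));
                authenticationCache.put(application, cache);
            }
        }
        return cache;
    }

    /**
     * Drops the success cache of an application so that previously accepted credentials are
     * verified against the store again. Only affects this JVM.
     */
    private static synchronized void invalidateAuthenticationCache(GrouperPassword.Application application) {
        authenticationCache.remove(application);
    }

    /**
     * Verifies the credentials carried in a Basic {@code Authorization} header value.
     *
     * <p>Username and password are both trimmed and colon-unescaped before use, so leading or
     * trailing whitespace is not part of the credential.
     *
     * @param str the header value, may be null or blank
     * @param application the application the credentials belong to, must not be null
     * @return true only when the password matches; false for a blank or malformed header, a
     *     mismatch, or any error while verifying (the error is logged)
     */
    public boolean authenticate(String str, GrouperPassword.Application application) {
        if (StringUtils.isBlank(str)) {
            return false;
        }
        ExpirableCache<MultiKey, Boolean> cache = authenticationCache(application);
        try {
            String credentials = decodeBasicCredentials(str);
            if (credentials == null) {
                return false;
            }
            int separator = colonIndexOf(credentials);
            if (separator == -1) {
                return false;
            }
            String username = unescapeColons(credentials.substring(0, separator).trim());
            String password = unescapeColons(credentials.substring(separator + 1).trim());

            MultiKey cacheKey = null;
            if (cache != null) {
                // NOTE(review): the key holds Morph.encrypt(password), which looks reversible
                // (Morph.decrypt exists), so the submitted password stays recoverable in memory
                // for the cache lifetime. Only successful attempts are ever put in the cache.
                cacheKey = new MultiKey(application, username, Morph.encrypt(password));
                Boolean cached = (Boolean) cache.get(cacheKey);
                if (Boolean.TRUE.equals(cached)) {
                    return true;
                }
            }

            GrouperPassword stored = GrouperDAOFactory.getFactory().getGrouperPassword().findByUsernameApplication(username, application.name());
            boolean authenticated;
            if (stored != null) {
                // NOTE(review): generateHash is applied once to salt + password; if that is a
                // single digest round, stored values are cheap to brute-force offline. Confirm
                // and consider a dedicated password-hashing function for new records.
                String candidate = Morph.encrypt(stored.getEncryptionType().generateHash(stored.getTheSalt() + password));
                authenticated = constantTimeEquals(candidate, stored.getThePassword());
            } else {
                String configured = Morph.decryptIfFile(GrouperHibernateConfig.retrieveConfig().propertyValueString("grouperPasswordConfigOverride_" + application.name() + "_" + username + "_pass"));
                // assignUserPassword never stores a blank password, so a blank override is
                // treated as "not configured" rather than as a credential an empty password matches.
                authenticated = !StringUtils.isBlank(configured) && constantTimeEquals(password, configured);
            }
            if (authenticated && cache != null) {
                cache.put(cacheKey, true);
            }
            return authenticated;
        } catch (Exception e) {
            LOG.error("Error authenticating", e);
            return false;
        }
    }

    /**
     * Creates or replaces the stored password of a user for an application.
     *
     * <p>The password is salted with 16 random bytes (hex encoded), hashed with the type named by
     * {@code grouper.authentication.encryptionType}, and wrapped with {@code Morph.encrypt}
     * before it is saved. The application's success cache is dropped afterwards so the previous
     * password stops being accepted from cache in this JVM.
     *
     * @param grouperPasswordSave username, password, application and entity type to store
     * @throws RuntimeException with message {@code "error"} wrapping the actual cause when a
     *     required value is missing, username and password both contain a colon, the encryption
     *     type is unset or unknown, or saving fails
     */
    public void assignUserPassword(GrouperPasswordSave grouperPasswordSave) {
        try {
            if (StringUtils.isBlank(grouperPasswordSave.getUsername())) {
                throw new RuntimeException("username is required");
            }
            if (StringUtils.isBlank(grouperPasswordSave.getThePassword())) {
                throw new RuntimeException("password is required");
            }
            String plainPassword = grouperPasswordSave.getThePassword();
            try {
                plainPassword = Morph.decrypt(plainPassword);
            } catch (Exception ignored) {
                // Best effort: presumably the value was supplied in clear text rather than
                // Morph-encrypted, so it is used as given.
            }
            if (null == grouperPasswordSave.getApplication()) {
                throw new RuntimeException("application is required");
            }
            // With a colon on both sides the Basic header could not be split unambiguously.
            if (grouperPasswordSave.getUsername().contains(":") && plainPassword.contains(":")) {
                throw new RuntimeException("username and password cannot both contain a colon due to http basic auth");
            }
            byte[] saltBytes = new byte[16];
            new SecureRandom().nextBytes(saltBytes);
            String encryptionTypeName = GrouperConfig.retrieveConfig().propertyValueString("grouper.authentication.encryptionType", null);
            if (StringUtils.isBlank(encryptionTypeName)) {
                throw new RuntimeException("grouper.authentication.encryptionType must be set to SHA-256 or RS-256");
            }
            GrouperPassword.EncryptionType encryptionType;
            try {
                encryptionType = GrouperPassword.EncryptionType.valueOf(encryptionTypeName.replace("-", "_"));
            } catch (IllegalArgumentException e) {
                // Only an unknown enum name is a configuration problem; hashing and database
                // failures below must surface with their own cause instead of this message.
                throw new RuntimeException("grouper.authentication.encryptionType must be set to SHA-256 or RS-256", e);
            }
            String salt = Hex.encodeHexString(saltBytes);
            String protectedPassword = Morph.encrypt(encryptionType.generateHash(salt + plainPassword));
            GrouperPassword record = GrouperDAOFactory.getFactory().getGrouperPassword().findByUsernameApplication(grouperPasswordSave.getUsername(), grouperPasswordSave.getApplication().name());
            if (record == null) {
                record = new GrouperPassword();
                record.setApplication(grouperPasswordSave.getApplication());
                record.setUsername(grouperPasswordSave.getUsername());
            }
            record.setEncryptionType(encryptionType);
            record.setEntityType(grouperPasswordSave.getEntityType());
            record.setThePassword(protectedPassword);
            record.setHashed(encryptionType == GrouperPassword.EncryptionType.SHA_256);
            record.setTheSalt(salt);
            record.setLastEdited(Long.valueOf(Instant.now().toEpochMilli()));
            GrouperDAOFactory.getFactory().getGrouperPassword().saveOrUpdate(record);
            // Without this the replaced password keeps authenticating from the success cache
            // until its entry expires. Other JVMs still honour their own cache until expiry.
            invalidateAuthenticationCache(grouperPasswordSave.getApplication());
        } catch (Exception e) {
            throw new RuntimeException("error", e);
        }
    }
}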
