package org.apache.jackrabbit.oak.security.user;

import java.security.Principal;
import java.util.Collections;
import java.util.concurrent.TimeUnit;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.Credentials;
import javax.jcr.GuestCredentials;
import javax.jcr.RepositoryException;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.api.AuthInfo;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authentication.Authentication;
import org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials;
import org.apache.jackrabbit.oak.spi.security.authentication.PreAuthenticatedLogin;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:resources/install/15/oak-core-1.8.8.jar:org/apache/jackrabbit/oak/security/user/UserAuthentication.class */
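/**
 * Authenticates a login ID against the repository's user store.
 *
 * <p>{@link #authenticate} accepts three kinds of credentials:
 * <ul>
 *   <li>{@link SimpleCredentials} &mdash; the supplied password is compared with the
 *       user's stored hash via {@link PasswordUtil#isSame}; afterwards the password
 *       expiry policy is enforced and, if a replacement password is attached to the
 *       credentials, applied;</li>
 *   <li>{@link ImpersonationCredentials} &mdash; the impersonator's {@link AuthInfo}
 *       principals are checked against the target user's impersonators;</li>
 *   <li>{@link GuestCredentials} and the {@link PreAuthenticatedLogin#PRE_AUTHENTICATED}
 *       marker &mdash; accepted without any secret.</li>
 * </ul>
 *
 * <p>NOTE(review): the distinct {@link LoginException} subtypes thrown here
 * (account not found / locked / password expired / failed login) disclose
 * account state to whoever can observe them, and an unknown ID returns
 * {@code false} before any password hashing is done. Both follow the JAAS
 * conventions this class was written for; anything that surfaces login
 * results to remote clients should collapse them into one generic failure.
 *
 * <p>Not thread-safe: one instance per login attempt.
 */
class UserAuthentication implements Authentication, UserConstants {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) UserAuthentication.class);

    /** {@link SimpleCredentials} attribute carrying a replacement password for an expired one. */
    private static final String ATTR_NEW_PASSWORD = "user.newpassword";

    private final UserConfiguration config;
    private final Root root;
    /** Login name as supplied by the login module; {@code null} makes every attempt fail. */
    private final String loginId;
    /** Populated only once {@link #authenticate} has returned {@code true}. */
    private String userId;
    private Principal principal;

    /**
     * @param userConfiguration configuration used to obtain the user manager and password policy
     * @param root the root the user lookup (and a possible password change) is performed on
     * @param str the login ID to authenticate; may be {@code null}
     */
    public UserAuthentication(@Nonnull UserConfiguration userConfiguration, @Nonnull Root root, @Nullable String str) {
        this.config = userConfiguration;
        this.root = root;
        this.loginId = str;
    }

    /**
     * Verifies {@code credentials} for the configured login ID.
     *
     * @param credentials the credentials to verify; {@code null} is rejected
     * @return {@code true} on success; {@code false} when this module cannot decide
     *         (no credentials, no login ID, unknown ID, or an unsupported credentials type)
     * @throws AccountNotFoundException if the ID belongs to a group
     * @throws AccountLockedException if the user is disabled
     * @throws FailedLoginException on password mismatch or refused impersonation
     * @throws CredentialExpiredException if the password has expired and no valid replacement was supplied
     * @throws LoginException if the repository lookup fails (cause attached)
     */
    @Override
    public boolean authenticate(@Nullable Credentials credentials) throws LoginException {
        if (credentials == null || loginId == null) {
            return false;
        }
        try {
            Authorizable authorizable = config.getUserManager(root, NamePathMapper.DEFAULT).getAuthorizable(loginId);
            if (authorizable == null) {
                // Unknown ID: not a failure of this module, let the next one in the chain decide.
                return false;
            }
            if (authorizable.isGroup()) {
                throw new AccountNotFoundException("Not a user " + loginId);
            }
            User user = (User) authorizable;
            if (user.isDisabled()) {
                throw new AccountLockedException("User with ID " + loginId + " has been disabled: " + user.getDisabledReason());
            }

            boolean success;
            if (credentials instanceof SimpleCredentials) {
                SimpleCredentials simpleCredentials = (SimpleCredentials) credentials;
                success = verifyPassword(user, simpleCredentials);
                checkSuccess(success, "UserId/Password mismatch.");
                // Expiry is evaluated only after the current password has been verified,
                // so an expired password cannot be replaced without knowing it.
                if (isPasswordExpired(user) && !changePassword(user, simpleCredentials)) {
                    throw new CredentialExpiredException("User password has expired");
                }
            } else if (credentials instanceof ImpersonationCredentials) {
                ImpersonationCredentials impersonationCredentials = (ImpersonationCredentials) credentials;
                success = equalUserId(impersonationCredentials, loginId)
                        && impersonate(impersonationCredentials.getImpersonatorInfo(), user);
                checkSuccess(success, "Impersonation not allowed.");
            } else {
                // No secret is checked for these: the caller is trusted to have established
                // the pre-authenticated identity (or to intend an anonymous guest login).
                success = credentials instanceof GuestCredentials
                        || credentials == PreAuthenticatedLogin.PRE_AUTHENTICATED;
            }

            // Only expose the identity once authentication actually succeeded, matching
            // the contract of getUserId()/getUserPrincipal().
            if (success) {
                userId = user.getID();
                principal = user.getPrincipal();
            }
            return success;
        } catch (RepositoryException e) {
            // LoginException has no (message, cause) constructor; keep the cause anyway.
            LoginException loginException = new LoginException(e.getMessage());
            loginException.initCause(e);
            throw loginException;
        }
    }

    /**
     * Compares the supplied password with the user's stored hash.
     *
     * @return {@code true} iff the credentials' user ID equals the login ID, the user has
     *         {@link CredentialsImpl} credentials and the password matches the stored hash
     */
    private boolean verifyPassword(@Nonnull User user, @Nonnull SimpleCredentials simpleCredentials) throws RepositoryException {
        Credentials stored = user.getCredentials();
        if (!loginId.equals(simpleCredentials.getUserID()) || !(stored instanceof CredentialsImpl)) {
            return false;
        }
        return PasswordUtil.isSame(((CredentialsImpl) stored).getPasswordHash(), simpleCredentials.getPassword());
    }

    /**
     * @return the authenticated user's ID
     * @throws IllegalStateException if {@link #authenticate} has not yet succeeded
     */
    @Override
    @CheckForNull
    public String getUserId() {
        if (userId == null) {
            throw new IllegalStateException("UserId can only be retrieved after successful authentication.");
        }
        return userId;
    }

    /**
     * @return the authenticated user's principal
     * @throws IllegalStateException if {@link #authenticate} has not yet succeeded
     */
    @Override
    @CheckForNull
    public Principal getUserPrincipal() {
        if (principal == null) {
            throw new IllegalStateException("Principal can only be retrieved after successful authentication.");
        }
        return principal;
    }

    /** Turns a failed check into a {@link FailedLoginException} carrying {@code message}. */
    private static void checkSuccess(boolean success, String message) throws LoginException {
        if (!success) {
            throw new FailedLoginException(message);
        }
    }

    /**
     * @return {@code true} iff the base credentials are {@link SimpleCredentials} whose user ID
     *         equals {@code expectedUserId}. The base credentials' password is not verified here;
     *         the impersonation decision rests on the impersonator's {@link AuthInfo} alone.
     */
    private static boolean equalUserId(@Nonnull ImpersonationCredentials impersonationCredentials, @Nonnull String expectedUserId) {
        Credentials base = impersonationCredentials.getBaseCredentials();
        return base instanceof SimpleCredentials && expectedUserId.equals(((SimpleCredentials) base).getUserID());
    }

    /**
     * Applies the replacement password attached to the credentials, if any, and commits it.
     *
     * <p>A {@link PasswordHistoryException} is reported back to the caller by storing its
     * message under the exception's simple class name as a credentials attribute.
     *
     * @return {@code true} iff a new password was set and committed
     */
    private boolean changePassword(User user, SimpleCredentials simpleCredentials) {
        try {
            Object attribute = simpleCredentials.getAttribute(ATTR_NEW_PASSWORD);
            if (attribute == null) {
                return false;
            }
            if (!(attribute instanceof String)) {
                log.warn("Aborted password change for user {}: provided new password is of incompatible type {}",
                        loginId, attribute.getClass().getName());
                return false;
            }
            user.changePassword((String) attribute);
            root.commit();
            log.debug("User {}: changed user password", loginId);
            return true;
        } catch (CommitFailedException e) {
            // Drop the uncommitted change so the root is clean for whatever follows.
            root.refresh();
            log.error("Failed to change password for user {}: {}", loginId, e.getMessage());
            return false;
        } catch (PasswordHistoryException e) {
            simpleCredentials.setAttribute(e.getClass().getSimpleName(), e.getMessage());
            log.error("Failed to change password for user {}: {}", loginId, e.getMessage());
            return false;
        } catch (RepositoryException e) {
            log.error("Failed to change password for user {}: {}", loginId, e.getMessage());
            return false;
        }
    }

    /**
     * Decides whether the principals in {@code authInfo} may impersonate {@code user}.
     * A user may always impersonate itself; otherwise the user's impersonation
     * settings are consulted with a read-only subject built from those principals.
     *
     * @return {@code true} if impersonation is allowed; {@code false} if refused or if the
     *         check itself fails with a {@link RepositoryException}
     */
    private boolean impersonate(AuthInfo authInfo, User user) {
        try {
            String impersonatorId = authInfo.getUserID();
            if (user.getID().equals(impersonatorId)) {
                log.debug("User {} wants to impersonate himself -> success.", impersonatorId);
                return true;
            }
            log.debug("User {} wants to impersonate {}", impersonatorId, user.getID());
            Subject impersonator = new Subject(true, authInfo.getPrincipals(), Collections.emptySet(), Collections.emptySet());
            return user.getImpersonation().allows(impersonator);
        } catch (RepositoryException e) {
            log.debug("Error while validating impersonation: {}", e.getMessage());
            return false;
        }
    }

    /**
     * @return the {@code REP_PASSWORD_LAST_MODIFIED} value stored on the user's
     *         {@code REP_PWD} child node, or {@code null} if absent
     */
    @CheckForNull
    private Long getPasswordLastModified(User user) throws RepositoryException {
        PropertyState lastModified = (user instanceof UserImpl ? ((UserImpl) user).getTree() : root.getTree(user.getPath()))
                .getChild(UserConstants.REP_PWD)
                .getProperty(UserConstants.REP_PASSWORD_LAST_MODIFIED);
        return lastModified == null ? null : lastModified.getValue(Type.LONG);
    }

    /**
     * Evaluates the configured password expiry policy for {@code user}.
     *
     * <p>Admin users are exempt. With {@code PARAM_PASSWORD_MAX_AGE} &gt; 0 the password is
     * expired when it is older than that many days or carries no modification timestamp at
     * all. Otherwise, with {@code PARAM_PASSWORD_INITIAL_CHANGE} set, a password without a
     * modification timestamp is expired (forcing a change on first login).
     */
    private boolean isPasswordExpired(@Nonnull User user) throws RepositoryException {
        if (user.isAdmin()) {
            return false;
        }
        ConfigurationParameters parameters = config.getParameters();
        int maxAgeDays = parameters.getConfigValue(UserConstants.PARAM_PASSWORD_MAX_AGE, 0);
        if (maxAgeDays > 0) {
            Long lastModified = getPasswordLastModified(user);
            return lastModified == null
                    || lastModified + TimeUnit.DAYS.toMillis(maxAgeDays) < System.currentTimeMillis();
        }
        boolean initialChangeRequired = parameters.getConfigValue(UserConstants.PARAM_PASSWORD_INITIAL_CHANGE, false);
        return initialChangeRequired && getPasswordLastModified(user) == null;
    }
}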
