package org.apache.jackrabbit.oak.security.authentication.user;

import java.util.Collections;
import javax.jcr.Credentials;
import javax.jcr.GuestCredentials;
import javax.jcr.RepositoryException;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.api.AuthInfo;
import org.apache.jackrabbit.oak.security.user.CredentialsImpl;
import org.apache.jackrabbit.oak.spi.security.authentication.Authentication;
import org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials;
import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/oak-core-0.15.jar:org/apache/jackrabbit/oak/security/authentication/user/UserAuthentication.class
 */
/* loaded from: input_file:org/apache/jackrabbit/oak/security/authentication/user/UserAuthentication.class */
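/**
 * {@link Authentication} implementation that checks a set of credentials
 * against the user identified by {@code userId}, resolved through the given
 * {@link UserManager}.
 *
 * <p>Three credential types are handled by {@link #authenticate(Credentials)}:
 * <ul>
 *   <li>{@link SimpleCredentials}: the user id must match and the password is
 *       verified against the stored hash via {@link PasswordUtil#isSame};</li>
 *   <li>{@link ImpersonationCredentials}: the base credentials must name this
 *       user and the user's impersonation settings must allow the impersonator;</li>
 *   <li>{@link GuestCredentials}: accepted without any further check.</li>
 * </ul>
 */
class UserAuthentication implements Authentication {
    private static final Logger log = LoggerFactory.getLogger(UserAuthentication.class);
    private final String userId;
    private final UserManager userManager;

    /**
     * Creates an authentication helper for a single user id.
     *
     * <p>Decompiler note: the original constructor was package-private; the
     * decompiler widened it to {@code public}.
     *
     * @param str the id of the user to authenticate; may be {@code null}, in
     *     which case {@link #authenticate(Credentials)} always returns {@code false}
     * @param userManager the user manager used to look up the user; may be
     *     {@code null}, in which case authentication always returns {@code false}
     */
    public UserAuthentication(String str, UserManager userManager) {
        this.userId = str;
        this.userManager = userManager;
    }

    /**
     * Validates the given credentials against the configured user.
     *
     * @param credentials the credentials presented by the caller
     * @return {@code true} if the credentials are accepted; {@code false} if no
     *     user id or user manager is configured, or if the credentials are of
     *     an unsupported type
     * @throws LoginException if the user does not exist, is a group, is
     *     disabled, the password does not match, impersonation is not allowed,
     *     or the repository lookup fails (the {@link RepositoryException} is
     *     attached as the cause)
     */
    @Override // org.apache.jackrabbit.oak.spi.security.authentication.Authentication
    public boolean authenticate(Credentials credentials) throws LoginException {
        if (this.userId == null || this.userManager == null) {
            return false;
        }
        boolean success = false;
        try {
            Authorizable authorizable = this.userManager.getAuthorizable(this.userId);
            // NOTE(review): the failure messages below differ for "unknown",
            // "disabled" and "password mismatch". If the LoginException message
            // is ever returned to an unauthenticated client it reveals which
            // accounts exist (and the disabled reason); keep that detail
            // server-side or map it to a generic message at the boundary.
            if (authorizable == null || authorizable.isGroup()) {
                throw new LoginException("Unknown user " + this.userId);
            }
            User user = (User) authorizable;
            if (user.isDisabled()) {
                throw new LoginException("User with ID " + this.userId + " has been disabled: " + user.getDisabledReason());
            }
            if (credentials instanceof SimpleCredentials) {
                SimpleCredentials simpleCredentials = (SimpleCredentials) credentials;
                Credentials storedCredentials = user.getCredentials();
                if (this.userId.equals(simpleCredentials.getUserID()) && (storedCredentials instanceof CredentialsImpl)) {
                    // NOTE(review): how the hash is compared (including whether
                    // the comparison is constant-time) is decided inside
                    // PasswordUtil and is not visible here; confirm.
                    success = PasswordUtil.isSame(((CredentialsImpl) storedCredentials).getPasswordHash(), simpleCredentials.getPassword());
                }
                checkSuccess(success, "UserId/Password mismatch.");
            } else if (credentials instanceof ImpersonationCredentials) {
                ImpersonationCredentials impersonationCredentials = (ImpersonationCredentials) credentials;
                success = equalUserId(impersonationCredentials) && impersonate(impersonationCredentials.getImpersonatorInfo(), user);
                checkSuccess(success, "Impersonation not allowed.");
            } else {
                // GuestCredentials are accepted for whatever userId this
                // instance was built with; nothing here ties them to an
                // anonymous account.
                // NOTE(review): presumably the caller only pairs
                // GuestCredentials with the anonymous user id; verify against
                // the login module that constructs this class.
                success = credentials instanceof GuestCredentials;
            }
            return success;
        } catch (RepositoryException e) {
            // LoginException has no cause-taking constructor; attach the cause
            // explicitly so the repository failure is not lost for diagnostics.
            LoginException loginException = new LoginException(e.getMessage());
            loginException.initCause(e);
            throw loginException;
        }
    }

    /**
     * Throws a {@link LoginException} with the given message unless
     * {@code success} is {@code true}.
     *
     * @param success the outcome of the preceding credential check
     * @param message the message for the exception thrown on failure
     * @throws LoginException if {@code success} is {@code false}
     */
    private static void checkSuccess(boolean success, String message) throws LoginException {
        if (!success) {
            throw new LoginException(message);
        }
    }

    /**
     * Tests whether the base credentials wrapped by the impersonation
     * credentials are {@link SimpleCredentials} naming this instance's user id.
     *
     * @param impersonationCredentials the impersonation credentials to inspect
     * @return {@code true} if the base credentials carry the same user id
     */
    private boolean equalUserId(ImpersonationCredentials impersonationCredentials) {
        Credentials baseCredentials = impersonationCredentials.getBaseCredentials();
        return (baseCredentials instanceof SimpleCredentials) && this.userId.equals(((SimpleCredentials) baseCredentials).getUserID());
    }

    /**
     * Decides whether the impersonator described by {@code authInfo} may act
     * as {@code user}.
     *
     * <p>Impersonating oneself is always allowed. Otherwise the decision is
     * delegated to the user's impersonation settings, which are queried with a
     * read-only {@link Subject} holding the impersonator's principals and no
     * credentials. A repository failure is treated as "not allowed".
     *
     * @param authInfo the auth info of the impersonating session
     * @param user the user to be impersonated
     * @return {@code true} if impersonation is permitted
     */
    private boolean impersonate(AuthInfo authInfo, User user) {
        try {
            if (user.getID().equals(authInfo.getUserID())) {
                log.debug("User {} wants to impersonate himself -> success.", authInfo.getUserID());
                return true;
            }
            log.debug("User {} wants to impersonate {}", authInfo.getUserID(), user.getID());
            Subject impersonator = new Subject(true, authInfo.getPrincipals(), Collections.emptySet(), Collections.emptySet());
            return user.getImpersonation().allows(impersonator);
        } catch (RepositoryException e) {
            // Pass the exception itself: the format string has no placeholder,
            // so a plain String argument would be dropped from the log output.
            log.debug("Error while validating impersonation", e);
            // Fail closed: an error during the check never grants impersonation.
            return false;
        }
    }
}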
