package com.huawei.es.security.auth.common;

import com.huawei.hadoop.security.crypter.CrypterUtil;
import com.huawei.solr.security.auth.common.AuthenticationException;
import com.huawei.solr.security.auth.server.AuthenticationToken;
import io.netty.handler.codec.http.FullHttpRequest;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpResponseStatus;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.wcc.framework.AppRuntimeException;

/* loaded from: input_file:com/huawei/es/security/auth/common/BasicAuthenticationExecutor.class */
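/**
 * HTTP Basic authentication executor.
 *
 * <p>Credentials taken from the {@code Authorization} header are verified by a JAAS login
 * through {@code Krb5LoginModule}. After a successful login the credential is kept in an
 * in-memory map for {@code validity} milliseconds so that later requests carrying the same
 * username/password pair are accepted without another Kerberos login.
 *
 * <p>All reads and writes of the credential map happen inside the synchronized
 * {@link #doAuthenticationUsePwd(String[])}.
 */
public class BasicAuthenticationExecutor implements AuthenticationExcutor {
    /** JAAS application name answered by {@link LoginConfigurationPwd}. */
    private static final String KEYTAB_CONFIG_NAME = "use_passwd";
    private static final String KERBEROS_LOGIN_MODULE_NAME = "com.sun.security.auth.module.Krb5LoginModule";
    private static final Logger LOG = Loggers.getLogger(BasicAuthenticationExecutor.class, new String[]{"BasicAuthenticationExcutor"});

    /**
     * Extra Krb5LoginModule options merged into the password-login configuration.
     * Nothing in the visible source adds entries to this map (this is decompiler output, so an
     * initializer may have been lost) - TODO confirm.
     */
    private static final Map<String, String> BASIC_JAAS_OPTIONS = new HashMap<>();

    /** Cache of credentials that already passed a Kerberos login, keyed by username. */
    private volatile Map<String, UserInfo> userMap = new HashMap<>();

    /** Lifetime of a cached credential, in milliseconds. */
    private final long validity;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/huawei/es/security/auth/common/BasicAuthenticationExecutor$LoginConfigurationPwd.class */
    /**
     * In-memory JAAS configuration holding a single REQUIRED Krb5LoginModule entry under the
     * application name {@code use_passwd}.
     */
    public static class LoginConfigurationPwd extends Configuration {
        private static final Map<String, String> PWD_KERBEROS_OPTIONS = new HashMap<>();
        private static final AppConfigurationEntry PWD_KERBEROS_LOGIN;
        private static final AppConfigurationEntry[] SIMPLE_CONF;

        private LoginConfigurationPwd() {
        }

        /**
         * Returns the password-login entry for {@code use_passwd} and an empty array for any
         * other application name.
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            return BasicAuthenticationExecutor.KEYTAB_CONFIG_NAME.equals(str) ? SIMPLE_CONF : new AppConfigurationEntry[0];
        }

        static {
            // NOTE(review): useKeyTab=true in a configuration used for password login deserves a
            // check. Krb5LoginModule looks for the principal's keys in a keytab first and falls
            // back to the callback handler's password only when none are found, so a keytab that
            // this process can read and that holds keys for a principal would make that
            // principal's login independent of the supplied password. Confirm against the
            // deployment, or that BASIC_JAAS_OPTIONS overrides this option - TODO.
            PWD_KERBEROS_OPTIONS.put("useKeyTab", Boolean.TRUE.toString());
            PWD_KERBEROS_OPTIONS.put("storeKey", Boolean.TRUE.toString());
            PWD_KERBEROS_OPTIONS.put("refreshKrb5Config", Boolean.TRUE.toString());
            // Shared options may override the three entries above, but not useTicketCache,
            // which is written afterwards.
            PWD_KERBEROS_OPTIONS.putAll(BasicAuthenticationExecutor.BASIC_JAAS_OPTIONS);
            PWD_KERBEROS_OPTIONS.put("useTicketCache", Boolean.FALSE.toString());
            PWD_KERBEROS_LOGIN = new AppConfigurationEntry(BasicAuthenticationExecutor.KERBEROS_LOGIN_MODULE_NAME, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, PWD_KERBEROS_OPTIONS);
            SIMPLE_CONF = new AppConfigurationEntry[]{PWD_KERBEROS_LOGIN};
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/huawei/es/security/auth/common/BasicAuthenticationExecutor$UserInfo.class */
    /**
     * One cached credential: username, password (held in the form produced by
     * {@code CrypterUtil.encrypt}) and the absolute expiry time in epoch milliseconds.
     *
     * <p>NOTE(review): the stored form is reversible, since {@link #getPwd()} returns the
     * decrypted value, so the cache retains recoverable passwords for the validity window.
     * A salted one-way verifier would avoid that; whether CrypterUtil's key handling makes the
     * current form acceptable cannot be judged from this file.
     */
    public class UserInfo {
        private final String user;
        private final String pwd;
        private final long expiredTime;

        /**
         * @param str  username
         * @param str2 clear-text password; encrypted before it is stored
         * @param j    expiry time in epoch milliseconds
         */
        public UserInfo(String str, String str2, long j) {
            this.user = str;
            this.pwd = CrypterUtil.encrypt(str2);
            this.expiredTime = j;
        }

        public String getUser() {
            return this.user;
        }

        /** Returns the password as decrypted by {@code CrypterUtil.decrypt}. */
        public String getPwd() {
            return CrypterUtil.decrypt(this.pwd);
        }

        public long getExpiredTime() {
            return this.expiredTime;
        }

        /** Returns {@code true} once the current time is past the expiry time. */
        public boolean isExpired() {
            return System.currentTimeMillis() > getExpiredTime();
        }
    }

    /**
     * @param j lifetime of a cached credential, in milliseconds
     */
    public BasicAuthenticationExecutor(long j) {
        this.validity = j;
    }

    @Override // com.huawei.es.security.auth.common.AuthenticationExcutor
    public String getType() {
        return AuthConstants.BASIC;
    }

    @Override // com.huawei.es.security.auth.common.AuthenticationExcutor
    public void init(Settings settings) {
        // Nothing to initialise.
    }

    @Override // com.huawei.es.security.auth.common.AuthenticationExcutor
    public void destroy() {
        // Nothing to release.
    }

    /**
     * Authenticates a request from its HTTP Basic {@code Authorization} header.
     *
     * @param fullHttpRequest  request whose {@code Authorization} header is read
     * @param fullHttpResponse response that receives a 401 status and a
     *                         {@code WWW-Authenticate} header when the header is missing or
     *                         is not a Basic header
     * @return a token for the authenticated user, or {@code null} when no credentials could be
     *         extracted from the header
     * @throws AuthenticationException if the header is missing or not Basic, or if the login
     *                                 fails for the extracted user
     */
    @Override // com.huawei.es.security.auth.common.AuthenticationExcutor
    public AuthenticationToken authenticate(FullHttpRequest fullHttpRequest, FullHttpResponse fullHttpResponse) throws AuthenticationException {
        String header = fullHttpRequest.headers().get("Authorization");
        // Locale.ROOT keeps the scheme check independent of the JVM default locale; with a
        // Turkish default, "BASIC" would lower-case to "basıc" and be rejected.
        if (header == null || !header.trim().toLowerCase(Locale.ROOT).startsWith(AuthConstants.BASIC_KEYWORD)) {
            fullHttpResponse.headers().set("WWW-Authenticate", AuthConstants.BASIC);
            fullHttpResponse.setStatus(HttpResponseStatus.UNAUTHORIZED);
            LOG.warn("The authorization does not start with the right flag.");
            throw new AuthenticationException("Invalid client Authentication");
        }
        String[] credentials = HttpHelper.extractCredentials(header);
        try {
            doAuthenticationUsePwd(credentials);
            return new AuthenticationToken(credentials[0], credentials[0], getType());
        } catch (LoginException e) {
            // The null check avoids a NullPointerException when no credentials were extracted.
            if (credentials != null && credentials.length > 0) {
                // NOTE(review): the message embeds the LoginException text. If callers echo
                // AuthenticationException messages to the HTTP client, that text may reveal
                // whether a principal exists - confirm how it is rendered.
                throw new AuthenticationException(String.format(Locale.ROOT, "Basic authorization failed for user : %s, error message : %s", StringHelper.replaceBlank(credentials[0]), e.getMessage()), e);
            }
            // NOTE(review): callers must treat null as "not authenticated"; that handling is
            // outside this file - TODO confirm.
            return null;
        }
    }

    @Override // com.huawei.es.security.auth.common.AuthenticationExcutor
    public AuthenticationToken authenticate(ThreadContext threadContext) {
        return null;
    }

    @Override // com.huawei.es.security.auth.common.AuthenticationExcutor
    public AuthenticationToken authenticate(String str) throws IOException, AuthenticationException {
        return null;
    }

    /**
     * Verifies a username/password pair, first against the cache and then by Kerberos login.
     * A pair that passes the Kerberos login is cached for {@code validity} milliseconds.
     *
     * @param strArr {@code [username, password]}; the array is not modified
     * @throws LoginException if either value is missing or the Kerberos login fails
     */
    private synchronized void doAuthenticationUsePwd(String[] strArr) throws LoginException {
        // Both elements are read below, so a one-element array (no password part) must be
        // rejected here rather than surface as ArrayIndexOutOfBoundsException.
        if (strArr == null || strArr.length < 2 || strArr[0] == null || strArr[1] == null) {
            throw new LoginException("user or password is null");
        }
        final String user = strArr[0];
        // Kept in a local so the decrypted password is not written back into the caller's array.
        final String password = decryptPwd(strArr[1]);
        if (authenticationByMap(user, password)) {
            return;
        }
        LoginContext loginContext = new LoginContext(KEYTAB_CONFIG_NAME, new Subject(), getUsernamePasswordHandler(user, password), new LoginConfigurationPwd());
        LOG.debug("user account login with password. user : {}", StringHelper.replaceBlank(user));
        loginContext.login();
        LOG.debug("login success.");
        loginContext.logout();
        this.userMap.put(user, new UserInfo(user, password, System.currentTimeMillis() + this.validity));
    }

    /**
     * Checks a username/password pair against the credential cache.
     *
     * @param str  username
     * @param str2 clear-text password
     * @return {@code true} only when an unexpired entry exists for the user and its password
     *         matches
     */
    private boolean authenticationByMap(String str, String str2) {
        UserInfo cached = this.userMap.get(str);
        if (cached == null) {
            return false;
        }
        if (cached.isExpired()) {
            // Drop the stale entry so the recoverable password is not retained past its validity.
            this.userMap.remove(str);
            return false;
        }
        String cachedPwd = cached.getPwd();
        if (cachedPwd == null || str2 == null) {
            return false;
        }
        // MessageDigest.isEqual, unlike String.equals, does not stop at the first mismatch,
        // so the comparison time does not indicate how much of the password matched.
        return MessageDigest.isEqual(str2.getBytes(StandardCharsets.UTF_8), cachedPwd.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Decrypts the password with {@code CrypterUtil.decrypt}. If that throws
     * {@code AppRuntimeException}, the input is returned unchanged and then used as the
     * password itself.
     */
    private String decryptPwd(String str) {
        try {
            return CrypterUtil.decrypt(str);
        } catch (AppRuntimeException e) {
            // Deliberate fallback; presumably the client sent the password unencrypted.
            return str;
        }
    }

    /**
     * Builds a JAAS callback handler that answers name and password callbacks with the given
     * values. Any other callback type is logged and left unanswered.
     */
    private static CallbackHandler getUsernamePasswordHandler(final String str, final String str2) {
        return new CallbackHandler() { // from class: com.huawei.es.security.auth.common.BasicAuthenticationExecutor.1
            @Override // javax.security.auth.callback.CallbackHandler
            public void handle(Callback[] callbackArr) {
                for (Callback callback : callbackArr) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName(str);
                    } else if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword(str2.toCharArray());
                    } else {
                        BasicAuthenticationExecutor.LOG.error("Unsupported Callback: {}.", callback.getClass().getName());
                    }
                }
            }
        };
    }
}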
