package de.adorsys.oauth.server;

import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.ResourceOwnerPasswordCredentialsGrant;
import com.nimbusds.oauth2.sdk.TokenRequest;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.PasswordCredential;
import io.undertow.server.HttpServerExchange;
import io.undertow.servlet.handlers.ServletRequestContext;
import io.undertow.servlet.spec.HttpServletRequestImpl;
import io.undertow.servlet.spec.HttpServletResponseImpl;
import io.undertow.util.AttachmentKey;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/adorsys/oauth/server/PasswordFlowAuthenticatorMatcher.class */
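/**
 * Undertow authentication mechanism for the OAuth2 resource-owner password grant.
 *
 * <p>{@link #match} parses the incoming request as a {@link TokenRequest} and stores it on the
 * exchange; {@link #authenticate} then verifies the client (via the configured JAAS security
 * domain, if any) and the resource owner (via Undertow's identity manager). Thread-safety: the two
 * configuration fields are written once in {@link #initialize} and only read afterwards.
 */
public class PasswordFlowAuthenticatorMatcher implements AuthenticatorMatcher {
    private static final Logger LOG = LoggerFactory.getLogger(PasswordFlowAuthenticatorMatcher.class);
    /** Exchange attachment through which {@link #match} hands the parsed token request to {@link #authenticate}. */
    private static final AttachmentKey<TokenRequest> TOKEN_REQUEST_ATTACHMENT_KEY = AttachmentKey.create(TokenRequest.class);
    /** Scheme prefix of an HTTP Basic {@code Authorization} header. */
    private static final String BASIC_PREFIX = "Basic ";
    /** JAAS login configuration used to verify the client's Basic credentials; {@code null} skips client verification. */
    private String clientSecurityDomain;
    /** Mechanism name reported to Undertow when authentication completes. */
    private String mechanismName;

    /**
     * Authenticates the resource owner of a password-grant token request.
     *
     * <p>Returns {@code NOT_ATTEMPTED} when no token request was attached by {@link #match}, when the
     * grant is not a password grant, or when client verification fails (a 403 is written in that
     * case). Returns {@code NOT_AUTHENTICATED} when the identity manager rejects the resource owner
     * credentials and {@code AUTHENTICATED} otherwise.
     *
     * @param httpServerExchange the current exchange, carrying the servlet context and token request attachments
     * @param securityContext    Undertow security context whose identity manager verifies the user
     * @return the outcome as described above
     */
    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        TokenRequest tokenRequest = httpServerExchange.getAttachment(TOKEN_REQUEST_ATTACHMENT_KEY);
        if (tokenRequest == null) {
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        // Check the grant type BEFORE casting: a non-password grant (e.g. client_credentials) must yield
        // NOT_ATTEMPTED rather than a ClassCastException.
        if (tokenRequest.getAuthorizationGrant().getType() != GrantType.PASSWORD) {
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        ServletRequestContext servletRequestContext = httpServerExchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        HttpServletRequestImpl originalRequest = servletRequestContext.getOriginalRequest();
        HttpServletResponseImpl originalResponse = servletRequestContext.getOriginalResponse();
        if (!verifyClientCredentials(originalRequest)) {
            rejectClient(originalResponse);
            // Stop here unconditionally: the previous implementation only returned from inside the
            // try block, so a failure to write the 403 fell through to resource-owner verification.
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        ResourceOwnerPasswordCredentialsGrant grant = (ResourceOwnerPasswordCredentialsGrant) tokenRequest.getAuthorizationGrant();
        String username = grant.getUsername();
        String rawPassword = grant.getPassword().getValue();
        String password = rawPassword == null ? "" : rawPassword;
        // Only the username is logged; the password (even masked, which reveals its length) stays out of the log.
        LOG.debug("PasswordFlow - login {}", username);
        Account account = securityContext.getIdentityManager().verify(username, new PasswordCredential(password.toCharArray()));
        if (account == null) {
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        securityContext.authenticationComplete(account, this.mechanismName, true);
        return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
    }

    /**
     * Writes the 403 response for a failed client authentication.
     * A failure to write the body is logged and not propagated; the caller rejects the request regardless.
     *
     * @param response the servlet response to write to
     */
    private static void rejectClient(HttpServletResponseImpl response) {
        try {
            response.setStatus(403);
            response.getWriter().write("client authentification failed");
        } catch (IOException | IllegalStateException e) {
            LOG.warn("could not write client authentication failure response", e);
        }
    }

    /**
     * Issues an HTTP 401 challenge.
     *
     * @param httpServerExchange the current exchange (unused)
     * @param securityContext    the security context (unused)
     * @return a challenge result with status 401
     */
    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        return new AuthenticationMechanism.ChallengeResult(true, 401);
    }

    /**
     * Verifies the client's HTTP Basic credentials against the configured JAAS security domain.
     *
     * @param httpServletRequest the request carrying the {@code Authorization} header
     * @return {@code true} when no client security domain is configured or the JAAS login succeeds;
     *         {@code false} when the header is missing, not Basic, or the login fails
     */
    private boolean verifyClientCredentials(HttpServletRequest httpServletRequest) {
        if (this.clientSecurityDomain == null) {
            // No client security domain configured: client verification is intentionally skipped.
            return true;
        }
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null || !header.startsWith(BASIC_PREFIX)) {
            return false;
        }
        // Decode with an explicit charset; the platform default is not reliable across deployments.
        String decoded = new String(Base64.decodeBase64(header.substring(BASIC_PREFIX.length())), StandardCharsets.UTF_8);
        // Split on the FIRST ':' only: a secret containing ':' stays intact, and "id:" (empty secret)
        // no longer throws, as String.split("...") drops trailing empty strings.
        int separator = decoded.indexOf(':');
        final String clientId = separator < 0 ? decoded : decoded.substring(0, separator);
        final String clientSecret = separator < 0 ? "" : decoded.substring(separator + 1);
        CallbackHandler callbackHandler = new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                // Callback types other than name/password are ignored rather than rejected, as before.
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName(clientId);
                    } else if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword(clientSecret.toCharArray());
                    }
                }
            }
        };
        try {
            LoginContext loginContext = new LoginContext(this.clientSecurityDomain, new Subject(), callbackHandler);
            loginContext.login();
            // Only the success of login() matters here; the subject is not kept.
            loginContext.logout();
            return true;
        } catch (LoginException e) {
            // Log the domain and client id for diagnosis; never the secret.
            LOG.error("client login against security domain {} failed for client {}", this.clientSecurityDomain, clientId, e);
            return false;
        }
    }

    /**
     * Parses the servlet request as an OAuth2 token request.
     *
     * @param httpServletRequest the request to parse
     * @return the parsed token request, or {@code null} when the request is not a valid token request
     */
    private TokenRequest resolveTokenRequest(HttpServletRequest httpServletRequest) {
        try {
            return TokenRequest.parse(FixedServletUtils.createHTTPRequest(httpServletRequest));
        } catch (Exception e) {
            // Best effort by design: a non-token request simply does not match this mechanism.
            LOG.debug("request is not a token request", e);
            return null;
        }
    }

    /**
     * Reads the {@code clientSecurityDomain} init parameter and fixes the mechanism name.
     *
     * @param servletContext the servlet context supplying init parameters
     */
    @Override // de.adorsys.oauth.server.AuthenticatorMatcher
    public void initialize(ServletContext servletContext) {
        this.clientSecurityDomain = servletContext.getInitParameter("clientSecurityDomain");
        this.mechanismName = "OAUTH_PASSWORD";
    }

    /**
     * Matches requests that parse as a token request and attaches the parsed request to the exchange
     * for {@link #authenticate}.
     *
     * @param httpServerExchange the exchange that receives the attachment
     * @param httpServletRequest the request to parse
     * @return {@code true} when the request is a token request
     */
    @Override // de.adorsys.oauth.server.AuthenticatorMatcher
    public boolean match(HttpServerExchange httpServerExchange, HttpServletRequest httpServletRequest) {
        TokenRequest parsed = resolveTokenRequest(httpServletRequest);
        if (parsed == null) {
            return false;
        }
        httpServerExchange.putAttachment(TOKEN_REQUEST_ATTACHMENT_KEY, parsed);
        return true;
    }
}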
