package ca.nrc.cadc.auth;

import ca.nrc.cadc.date.DateUtil;
import ca.nrc.cadc.net.NetUtil;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.text.DateFormat;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
import org.apache.log4j.Logger;

/* loaded from: input_file:ca/nrc/cadc/auth/AuthenticationUtil.class */
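public class AuthenticationUtil {

    /** Legacy delegation-token header name, retained for callers that still use it. */
    @Deprecated
    public static final String AUTH_HEADER = "X-CADC-DelegationToken";
    /** HTTP request header that carries credentials. */
    public static final String AUTHORIZATION_HEADER = "Authorization";
    /** HTTP response header that carries authentication challenges. */
    public static final String AUTHENTICATE_HEADER = "WWW-Authenticate";
    public static final String VO_AUTHENTICATED_HEADER = "x-vo-authenticated";
    public static final String VO_TOKEN_BEARER = "x-vo-bearer";
    /** Challenge scheme names that may appear in a {@link #AUTHENTICATE_HEADER} value. */
    public static final String CHALLENGE_TYPE_BEARER = "Bearer";
    public static final String CHALLENGE_TYPE_BASIC = "Basic";
    public static final String CHALLENGE_TYPE_IVOA_BEARER = "ivoa_bearer";
    public static final String CHALLENGE_TYPE_IVOA_X509 = "ivoa_x509";

    /** Legacy token type name, retained for callers that still use it. */
    @Deprecated
    public static final String TOKEN_TYPE_CADC = "X-CADC-DelegationToken";

    // Not referenced by any method in this class; kept so the class shape is unchanged.
    private static final String[] ORDERED_RDN_KEYS = {"DC", "CN", "OU", "O", "STREET", "L", "ST", "C", "UID"};

    private static final Logger log = Logger.getLogger(AuthenticationUtil.class);

    /**
     * Loads the {@link Authenticator} implementation.
     *
     * <p>The class name is taken from the system property named after the
     * {@code Authenticator} interface; when the property is unset the default
     * {@code <interface name>Impl} is tried instead. Failure to load the default
     * is only logged at debug level (it is an expected condition); failure to
     * load an explicitly configured class, or to instantiate a class that was
     * found, is logged as an error.
     *
     * @return the loaded authenticator, or {@code null} when none could be loaded
     */
    private static Authenticator getAuthenticator() {
        String defaultClassName = Authenticator.class.getName() + "Impl";
        String className = System.getProperty(Authenticator.class.getName());
        if (className == null) {
            className = defaultClassName;
        }
        Class<?> cls = null;
        try {
            cls = Class.forName(className);
            Authenticator ret = (Authenticator) cls.getDeclaredConstructor().newInstance();
            log.debug("Authenticator: " + className);
            return ret;
        } catch (Throwable t) {
            // cls != null means the class was found but could not be instantiated: always worth an error
            if (!defaultClassName.equals(className) || cls != null) {
                log.error("failed to load Authenticator: " + className, t);
            }
            log.debug("failed to load Authenticator: " + className, t);
            log.debug("Authenticator: null");
            return null;
        }
    }

    /**
     * Loads the {@link IdentityManager} implementation, using the same
     * system-property / {@code Impl}-suffix lookup as {@link #getAuthenticator()}.
     *
     * @return the loaded identity manager, or {@code null} when none could be loaded
     */
    public static IdentityManager getIdentityManager() {
        String defaultClassName = IdentityManager.class.getName() + "Impl";
        String className = System.getProperty(IdentityManager.class.getName());
        if (className == null) {
            className = defaultClassName;
        }
        Class<?> cls = null;
        try {
            cls = Class.forName(className);
            IdentityManager ret = (IdentityManager) cls.getDeclaredConstructor().newInstance();
            log.debug("IdentityManager: " + className);
            return ret;
        } catch (Throwable t) {
            // a missing default implementation is expected; anything else is an error
            if (!defaultClassName.equals(className) || cls != null) {
                log.error("failed to load configured IdentityManager: " + className, t);
            }
            log.debug("failed to load default IdentityManager: " + className, t);
            log.debug("IdentityManager: null");
            return null;
        }
    }

    /**
     * Augments the subject via the configured {@link Authenticator}.
     *
     * @param subject subject to augment
     * @return the augmented subject, or the input unchanged when no authenticator is configured
     */
    public static Subject augmentSubject(Subject subject) {
        Authenticator authenticator = getAuthenticator();
        if (authenticator == null) {
            return subject;
        }
        return authenticator.augment(subject);
    }

    /**
     * Validates the subject via the configured {@link Authenticator}.
     *
     * <p>When no authenticator is configured the subject is returned as-is,
     * i.e. no validation takes place.
     *
     * @param subject subject to validate
     * @return the validated subject, or the input unchanged when no authenticator is configured
     * @throws NotAuthenticatedException if the authenticator rejects the subject
     */
    public static Subject validateSubject(Subject subject) throws NotAuthenticatedException {
        Authenticator authenticator = getAuthenticator();
        if (authenticator == null) {
            return subject;
        }
        return authenticator.validate(subject);
    }

    /**
     * Creates an empty subject tagged with {@link AuthMethod#ANON}.
     *
     * @return a new anonymous subject
     */
    public static Subject getAnonSubject() {
        Subject anon = new Subject();
        setAuthMethod(anon, AuthMethod.ANON);
        return anon;
    }

    /**
     * Returns the {@link AuthMethod} stored in the subject's public credentials.
     *
     * @param subject subject to inspect; may be {@code null}
     * @return the first {@code AuthMethod} credential, or {@code null} if the subject is
     *         {@code null} or carries none
     */
    public static AuthMethod getAuthMethod(Subject subject) {
        if (subject == null) {
            return null;
        }
        Set<AuthMethod> methods = subject.getPublicCredentials(AuthMethod.class);
        if (methods.isEmpty()) {
            return null;
        }
        return methods.iterator().next();
    }

    /**
     * Records the authentication method as a public credential of the subject.
     * Does nothing when either argument is {@code null}.
     */
    private static void setAuthMethod(Subject subject, AuthMethod authMethod) {
        if (subject == null || authMethod == null) {
            return;
        }
        subject.getPublicCredentials().add(authMethod);
    }

    /**
     * Infers the authentication method from the credential types held by the subject.
     *
     * <p>Precedence when several credential types are present:
     * certificate chain, then password, then cookie, then token.
     *
     * @param subject subject to inspect; may be {@code null}
     * @return the inferred method; {@link AuthMethod#ANON} when the subject is {@code null},
     *         has no public credentials, or has none of the recognised credential types
     */
    public static AuthMethod getAuthMethodFromCredentials(Subject subject) {
        if (subject == null || subject.getPublicCredentials().isEmpty()) {
            return AuthMethod.ANON;
        }
        if (!subject.getPublicCredentials(X509CertificateChain.class).isEmpty()) {
            return AuthMethod.CERT;
        }
        if (!subject.getPublicCredentials(PasswordCredentials.class).isEmpty()) {
            return AuthMethod.PASSWORD;
        }
        if (!subject.getPublicCredentials(SSOCookieCredential.class).isEmpty()) {
            return AuthMethod.COOKIE;
        }
        boolean hasToken = !subject.getPublicCredentials(SignedToken.class).isEmpty()
            || !subject.getPublicCredentials(AuthorizationToken.class).isEmpty();
        return hasToken ? AuthMethod.TOKEN : AuthMethod.ANON;
    }

    /**
     * Builds a subject from the principals supplied by an extractor, validates it
     * through the configured {@link Authenticator}, tags it with an {@link AuthMethod}
     * and optionally augments it.
     *
     * <p>The method is chosen from what the extractor provides: no principals means
     * {@link AuthMethod#ANON}; a certificate chain means {@link AuthMethod#CERT}
     * (the chain is added as a public credential); otherwise the first principal
     * that is an {@code HttpPrincipal}, token principal or {@code CookiePrincipal}
     * selects PASSWORD, TOKEN or COOKIE respectively.
     *
     * @param principalExtractor source of principals and certificate chain; must not be {@code null}
     * @param z whether to pass the validated subject through {@link #augmentSubject(Subject)}
     * @return the validated (and possibly augmented) subject
     * @throws IllegalArgumentException if {@code principalExtractor} is {@code null}
     */
    public static Subject getSubject(PrincipalExtractor principalExtractor, boolean z) {
        if (principalExtractor == null) {
            throw new IllegalArgumentException("principalExtractor cannot be null");
        }
        Set<Principal> principals = principalExtractor.getPrincipals();
        X509CertificateChain chain = principalExtractor.getCertificateChain();
        Set<Object> publicCred = new HashSet<Object>();
        Set<Object> privateCred = new HashSet<Object>();
        AuthMethod authMethod = null;
        if (principals.isEmpty()) {
            authMethod = AuthMethod.ANON;
        } else if (chain != null) {
            publicCred.add(chain);
            authMethod = AuthMethod.CERT;
        } else {
            for (Principal p : principals) {
                if (p instanceof HttpPrincipal) {
                    authMethod = AuthMethod.PASSWORD;
                    break;
                }
                if (p instanceof AuthorizationTokenPrincipal || p instanceof BearerTokenPrincipal) {
                    authMethod = AuthMethod.TOKEN;
                    break;
                }
                if (p instanceof CookiePrincipal) {
                    authMethod = AuthMethod.COOKIE;
                    break;
                }
            }
            // NOTE(review): the decompiled original overwrote the loop result with TOKEN
            // unconditionally, which made the PASSWORD/COOKIE assignments dead stores. A
            // principal set matching none of the three types now leaves the method unset
            // rather than claiming token authentication; confirm against the real source.
        }
        Subject subject = validateSubject(new Subject(false, principals, publicCred, privateCred));
        setAuthMethod(subject, authMethod);
        return z ? augmentSubject(subject) : subject;
    }

    /**
     * Equivalent to {@code getSubject(principalExtractor, true)}.
     */
    public static Subject getSubject(PrincipalExtractor principalExtractor) {
        return getSubject(principalExtractor, true);
    }

    /**
     * Builds a subject from an HTTP request via {@link ServletPrincipalExtractor}.
     *
     * @param httpServletRequest the request to extract principals from
     * @param z whether to augment the validated subject
     * @return the validated (and possibly augmented) subject
     */
    public static Subject getSubject(HttpServletRequest httpServletRequest, boolean z) {
        return getSubject(new ServletPrincipalExtractor(httpServletRequest), z);
    }

    /**
     * Equivalent to {@code getSubject(httpServletRequest, true)}.
     */
    public static Subject getSubject(HttpServletRequest httpServletRequest) {
        return getSubject(httpServletRequest, true);
    }

    /**
     * Builds a certificate-authenticated subject from a raw chain and key.
     *
     * @param x509CertificateArr certificate chain
     * @param privateKey private key matching the chain
     * @return a subject tagged {@link AuthMethod#CERT}
     */
    public static Subject getSubject(X509Certificate[] x509CertificateArr, PrivateKey privateKey) {
        return getSubject(new X509CertificateChain(x509CertificateArr, privateKey));
    }

    /**
     * Builds a certificate-authenticated subject.
     *
     * <p>The chain's X.500 principal becomes the subject's principal and the chain
     * itself a public credential. A {@code null} chain yields a subject with no
     * principals that is nevertheless tagged {@link AuthMethod#CERT}; this is not
     * validated through the {@link Authenticator}.
     *
     * @param x509CertificateChain certificate chain; may be {@code null}
     * @return a subject tagged {@link AuthMethod#CERT}
     */
    public static Subject getSubject(X509CertificateChain x509CertificateChain) {
        Set<Principal> principals = new HashSet<Principal>();
        Set<Object> publicCred = new HashSet<Object>();
        Set<Object> privateCred = new HashSet<Object>();
        if (x509CertificateChain != null) {
            principals.add(x509CertificateChain.getX500Principal());
            publicCred.add(x509CertificateChain);
        }
        Subject subject = new Subject(false, principals, publicCred, privateCred);
        setAuthMethod(subject, AuthMethod.CERT);
        return subject;
    }

    /**
     * Builds a password-authenticated subject backed by a {@link java.net.Authenticator}.
     *
     * <p>Side effect: a non-null authenticator is installed JVM-wide via
     * {@link java.net.Authenticator#setDefault(java.net.Authenticator)}.
     *
     * @param authenticator authenticator to install; may be {@code null}
     * @return a subject (with no principals) tagged {@link AuthMethod#PASSWORD}
     */
    public static Subject getSubject(java.net.Authenticator authenticator) {
        Set<Principal> principals = new HashSet<Principal>();
        Set<Object> publicCred = new HashSet<Object>();
        Set<Object> privateCred = new HashSet<Object>();
        if (authenticator != null) {
            java.net.Authenticator.setDefault(authenticator);
            publicCred.add(new PasswordCredentials());
        }
        Subject subject = new Subject(false, principals, publicCred, privateCred);
        setAuthMethod(subject, AuthMethod.PASSWORD);
        return subject;
    }

    /**
     * Serialises the subject's principals as {@code <class name>[<encoded name>]} tokens.
     *
     * <p>Only principals are encoded; credentials are not. The inverse is
     * {@link #decodeSubject(String)}.
     *
     * @param subject subject to encode; may be {@code null}
     * @return the encoded string, or {@code null} for a {@code null} subject
     */
    public static String encodeSubject(Subject subject) {
        if (subject == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder();
        for (Principal p : subject.getPrincipals()) {
            sb.append(p.getClass().getName())
              .append("[")
              .append(NetUtil.encode(p.getName()))
              .append("]");
        }
        return sb.toString();
    }

    /**
     * Collects the names of all {@code HttpPrincipal}s of the current subject.
     *
     * @return the user ids; empty when there is no current subject
     */
    public static Set<String> getUseridsFromSubject() {
        Set<String> userids = new HashSet<String>();
        Subject current = getCurrentSubject();
        if (current != null) {
            for (HttpPrincipal hp : current.getPrincipals(HttpPrincipal.class)) {
                userids.add(hp.getName());
            }
        }
        return userids;
    }

    /**
     * Reconstructs a subject from the output of {@link #encodeSubject(Subject)}.
     *
     * <p>Each {@code <class name>[<encoded name>]} token is instantiated reflectively
     * through the class's {@code (String)} constructor. Because the class name is
     * taken from the input, only classes that implement {@link Principal} are
     * instantiated; the input should in any case come from a trusted source.
     * A token that cannot be decoded is logged and skipped.
     *
     * @param str the encoded subject; may be {@code null} or empty
     * @return the decoded subject, or {@code null} if the input is empty, has an
     *         unterminated token, or yields no principals
     */
    public static Subject decodeSubject(String str) {
        if (str == null || str.isEmpty()) {
            return null;
        }
        Subject subject = null;
        int start = 0;
        int open = str.indexOf("[", start);
        while (open != -1) {
            int close = str.indexOf("]", open);
            if (close == -1) {
                log.error("Invalid Principal encoding: " + str);
                return null;
            }
            String className = str.substring(start, open);
            String encodedName = str.substring(open + 1, close);
            try {
                Class<?> cls = Class.forName(className);
                // Check the type before running any constructor: the original cast to
                // Principal only after the instance had already been created.
                if (!Principal.class.isAssignableFrom(cls)) {
                    log.error("Invalid Principal encoding: " + className + " is not a Principal");
                } else {
                    Principal p = (Principal) cls.getDeclaredConstructor(String.class)
                        .newInstance(NetUtil.decode(encodedName));
                    if (subject == null) {
                        subject = new Subject();
                    }
                    subject.getPrincipals().add(p);
                }
            } catch (Exception e) {
                log.error(e.getMessage(), e);
            }
            // Always advance past the current token: the original only advanced on
            // success, so a single undecodable token looped forever.
            start = close + 1;
            open = str.indexOf("[", start);
        }
        return subject;
    }

    /**
     * Returns the DN with its RDNs in the order that puts CN leftmost.
     *
     * <p>The RFC 2253 form is parsed with {@link LdapName}; if the parsed list starts
     * with a CN or ends with a C component it is emitted in list order, otherwise in
     * reverse, so that both {@code CN=...,C=...} and {@code C=...,CN=...} inputs
     * yield the same orientation.
     *
     * @param x500Principal the DN to reorder
     * @return the reordered DN
     * @throws IllegalArgumentException if the DN cannot be parsed or is empty
     */
    public static X500Principal getOrderedForm(X500Principal x500Principal) {
        try {
            String name = x500Principal.getName(X500Principal.RFC2253);
            List<Rdn> rdns = new LdapName(name).getRdns();
            if (rdns.isEmpty()) {
                // rdns.get(0) below would otherwise fail with an IndexOutOfBoundsException
                throw new IllegalArgumentException("invalid DN: " + x500Principal.getName());
            }
            boolean listOrder = "CN".equalsIgnoreCase(rdns.get(0).getType())
                || "C".equalsIgnoreCase(rdns.get(rdns.size() - 1).getType());
            StringBuilder sb = new StringBuilder();
            if (listOrder) {
                for (Rdn rdn : rdns) {
                    appendRdn(sb, rdn);
                }
            } else {
                for (int i = rdns.size() - 1; i >= 0; i--) {
                    appendRdn(sb, rdns.get(i));
                }
            }
            X500Principal ordered = new X500Principal(sb.toString());
            log.debug("ordered form of " + name + " is " + ordered);
            return ordered;
        } catch (InvalidNameException e) {
            throw new IllegalArgumentException("invalid DN: " + x500Principal.getName(), e);
        }
    }

    /** Appends one RDN, comma-separated from whatever precedes it. */
    private static void appendRdn(StringBuilder sb, Rdn rdn) {
        if (sb.length() > 0) {
            sb.append(",");
        }
        sb.append(rdn.toString());
    }

    /**
     * Groups the current subject's principal names by principal class.
     *
     * @param <T> principal type used for the map key
     * @return a mutable map from principal class to the names of that class's principals;
     *         empty when there is no current subject
     */
    public static <T extends Principal> Map<Class<T>, Collection<String>> groupPrincipalsByType() {
        Map<Class<T>, Collection<String>> byType = new HashMap<Class<T>, Collection<String>>();
        Subject current = getCurrentSubject();
        if (current == null) {
            return byType;
        }
        for (Principal p : current.getPrincipals()) {
            @SuppressWarnings("unchecked") // the key is the runtime class of a Principal
            Class<T> type = (Class<T>) p.getClass();
            Collection<String> names = byType.get(type);
            if (names == null) {
                names = new HashSet<String>();
                byType.put(type, names);
            }
            names.add(p.getName());
        }
        return byType;
    }

    /**
     * Null-tolerant equality via {@link #compare(Principal, Principal)}.
     *
     * @return {@code true} if both are {@code null} or compare equal; {@code false} if exactly one is {@code null}
     */
    public static boolean equals(Principal principal, Principal principal2) {
        if (principal == null && principal2 == null) {
            return true;
        }
        if (principal == null || principal2 == null) {
            return false;
        }
        return compare(principal, principal2) == 0;
    }

    /**
     * Orders two principals.
     *
     * <p>Two {@link X500Principal}s are compared by canonical DN
     * ({@link #canonizeDistinguishedName(String)}), so formatting and case
     * differences do not distinguish them. Two {@code HttpPrincipal}s compare by
     * {@code toString()}; other principals of the same class by name; principals
     * of different classes by class name.
     *
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public static int compare(Principal principal, Principal principal2) {
        if (principal == null || principal2 == null) {
            throw new IllegalArgumentException("Cannot compare null objects");
        }
        if (principal instanceof X500Principal && principal2 instanceof X500Principal) {
            return canonizeDistinguishedName(principal.getName())
                .compareTo(canonizeDistinguishedName(principal2.getName()));
        }
        if (principal instanceof HttpPrincipal && principal2 instanceof HttpPrincipal) {
            return principal.toString().compareTo(principal2.toString());
        }
        if (principal.getClass().equals(principal2.getClass())) {
            return principal.getName().compareTo(principal2.getName());
        }
        // unrelated principal types: fall back to a stable ordering by class name
        return principal.getClass().getName().compareTo(principal2.getClass().getName());
    }

    /**
     * Canonical form of a DN: {@link #getOrderedForm(X500Principal)}, trimmed and
     * lower-cased with {@link Locale#ROOT} so the result does not depend on the
     * default locale (identity comparisons must not vary with it).
     *
     * @param str the DN string
     * @return the canonical DN
     * @throws IllegalArgumentException if the DN is invalid
     */
    public static String canonizeDistinguishedName(String str) {
        try {
            String canonical = getOrderedForm(new X500Principal(str)).getName().trim().toLowerCase(Locale.ROOT);
            log.debug(str + " converted to " + canonical);
            return canonical;
        } catch (Exception e) {
            log.debug("Invalid dn", e);
            throw new IllegalArgumentException("Invalid DN: " + str, e);
        }
    }

    /**
     * Returns an {@link X500Principal} from the subject.
     *
     * <p>If the subject holds several, the last one encountered during iteration is
     * returned (iteration order of the principal set is not defined).
     *
     * @param subject subject to inspect; may be {@code null}
     * @return the principal, or {@code null} if the subject is {@code null} or has none
     */
    public static X500Principal getX500Principal(Subject subject) {
        if (subject == null) {
            return null;
        }
        X500Principal found = null;
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof X500Principal) {
                found = (X500Principal) p;
            }
        }
        return found;
    }

    /**
     * Checks the validity period of every certificate in the subject's certificate chain.
     *
     * <p>Only the first {@link X509CertificateChain} public credential is examined.
     * Validity is checked against the current time via
     * {@link X509Certificate#checkValidity()}; a failure is rethrown with the
     * certificate's validity window in the message and the original exception as cause.
     *
     * @param subject subject whose chain is checked
     * @throws CertificateException if the subject is {@code null} or has no chain
     * @throws CertificateNotYetValidException if a certificate is not yet valid
     * @throws CertificateExpiredException if a certificate has expired
     */
    public static void checkCertificates(Subject subject) throws CertificateException, CertificateNotYetValidException, CertificateExpiredException {
        if (subject == null) {
            throw new CertificateException("No certificates (Null subject)");
        }
        Set<X509CertificateChain> chains = subject.getPublicCredentials(X509CertificateChain.class);
        if (chains.isEmpty()) {
            throw new CertificateException("No certificates associated with the subject");
        }
        DateFormat dateFormat = DateUtil.getDateFormat(DateUtil.ISO_DATE_FORMAT, DateUtil.LOCAL);
        for (X509Certificate cert : chains.iterator().next().getChain()) {
            Date notBefore = cert.getNotBefore();
            Date notAfter = cert.getNotAfter();
            String window = " (valid from " + dateFormat.format(notBefore) + " to " + dateFormat.format(notAfter) + ")";
            try {
                cert.checkValidity();
            } catch (CertificateExpiredException e) {
                CertificateExpiredException ex = new CertificateExpiredException("certificate has expired" + window);
                ex.initCause(e); // these exception types have no (String, Throwable) constructor
                throw ex;
            } catch (CertificateNotYetValidException e) {
                CertificateNotYetValidException ex = new CertificateNotYetValidException("certificate not yet valid" + window);
                ex.initCause(e);
                throw ex;
            }
        }
    }

    /**
     * Returns the subject bound to the current access-control context.
     *
     * @return the current subject, or {@code null} if none is bound
     */
    public static Subject getCurrentSubject() {
        return Subject.getSubject(AccessController.getContext());
    }

    /**
     * Creates a principal of the given identity type.
     *
     * @param str the identity value (DN, username or UUID string, depending on the type)
     * @param str2 the identity type name, matched case-insensitively against {@link IdentityType} values
     * @return the principal, or {@code null} for an unrecognised type
     * @throws IllegalArgumentException if the value is not a valid DN or UUID for the type
     */
    public static Principal createPrincipal(String str, String str2) {
        if (IdentityType.X500.getValue().equalsIgnoreCase(str2)) {
            return new X500Principal(canonizeDistinguishedName(str));
        }
        if (IdentityType.USERNAME.getValue().equalsIgnoreCase(str2)) {
            return new HttpPrincipal(str);
        }
        if (IdentityType.CADC.getValue().equalsIgnoreCase(str2)) {
            return new NumericPrincipal(UUID.fromString(str));
        }
        return null;
    }

    /**
     * Returns the lower-cased {@link IdentityType} value for a principal's class.
     *
     * @param principal principal to classify
     * @return the type name, or {@code null} for a class that has no identity type
     */
    public static String getPrincipalType(Principal principal) {
        if (principal instanceof X500Principal) {
            return IdentityType.X500.getValue().toLowerCase(Locale.ROOT);
        }
        if (principal instanceof HttpPrincipal) {
            return IdentityType.USERNAME.getValue().toLowerCase(Locale.ROOT);
        }
        if (principal instanceof NumericPrincipal) {
            return IdentityType.CADC.getValue().toLowerCase(Locale.ROOT);
        }
        return null;
    }
}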
