package org.n52.security.authentication.loginmodule;

import java.io.Serializable;
import java.util.regex.Pattern;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.n52.security.common.crypto.DigestUtil;
import org.n52.security.common.subject.LoginNamePrincipal;
import org.n52.security.common.subject.RolePrincipal;
import org.n52.security.common.subject.UsernameIDPrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/n52/security/authentication/loginmodule/SingleUserLoginModule.class */
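/**
 * Login module that authenticates exactly one configured account (or, in regex mode, every
 * user name matching one configured pattern) against one configured password.
 *
 * <p>Options read in {@link #initialize()}:
 * <ul>
 *   <li>{@code allowedUsername} - literal user name, or a regular expression when
 *       {@code allowedUsernameIsRegex} is set; defaults to the empty string.</li>
 *   <li>{@code allowedPassword} - the password, or its digest when {@code pwdEncAlg} names a
 *       digest algorithm; defaults to the empty string.</li>
 *   <li>{@code pwdEncAlg} - {@code plain} (the default) or a digest algorithm accepted by
 *       {@code DigestUtil}.</li>
 *   <li>{@code userRoles} - role names, read with {@code "|"} passed as the third argument
 *       (presumably the separator - confirm against {@code Options}).</li>
 * </ul>
 *
 * <p>Security notes for operators: empty user name, empty password and {@code plain} storage
 * are only logged as warnings, they do not prevent the module from starting. With all defaults
 * the configured credentials are an empty user name and an empty plain password.
 */
public class SingleUserLoginModule extends AbstractPasswordLoginModule implements Serializable {
    protected static final String OPTION_ALLOWED_PASSWORD = "allowedPassword";
    protected static final String OPTION_PASSWORD_ENCRYPTION_ALG = "pwdEncAlg";
    protected static final String OPTION_ALLOWED_USERNAME = "allowedUsername";
    protected static final String OPTION_ALLOWED_USERNAME_IS_REGEX = "allowedUsernameIsRegex";
    protected static final String OPTION_USERROLES = "userRoles";
    protected static final String PW_ENC_ALG_PLAIN = "plain";
    private static final long serialVersionUID = -97291032500611905L;
    protected String m_allowedUserName;
    protected boolean m_allowedUserNameIsRegex = false;
    // Non-transient field of a Serializable class: unless a superclass customises serialization,
    // the configured password (or its digest) is part of the serialized form of this module.
    protected char[] m_allowedPassword;
    protected String m_passwordEncryptionAlg;
    protected String[] m_userRoles;
    protected boolean m_plainPW;
    private static final Logger LOG = LoggerFactory.getLogger(SingleUserLoginModule.class);
    private static final String[] EMPTY_STRING_ARRAY = new String[0];

    /**
     * Returns a human-readable description naming this login module and the credentials it needs.
     *
     * @return the description text
     */
    @Override // org.n52.security.authentication.loginmodule.AbstractLoginModule
    protected String getDescription() {
        return "The authentication is performed through the '" + SingleUserLoginModule.class.getName()
                + "' login module. It requires a user name and password.";
    }

    /**
     * Reads the module options into the {@code m_*} fields and validates them.
     *
     * @throws IllegalArgumentException if {@code pwdEncAlg} is neither {@code plain} nor a known
     *         digest algorithm, if the configured password is not a digest of that algorithm,
     *         or if regex mode is enabled and {@code allowedUsername} is not a valid pattern
     */
    @Override // org.n52.security.authentication.loginmodule.AbstractLoginModule
    protected void initialize() {
        Options options = getOptions();
        this.m_allowedUserName = options.getAsString(OPTION_ALLOWED_USERNAME, "");
        this.m_allowedUserNameIsRegex = options.is(OPTION_ALLOWED_USERNAME_IS_REGEX);
        if (this.m_allowedUserNameIsRegex) {
            // Fail at configuration time, like the other option checks below, instead of letting
            // every later login attempt die with an unchecked PatternSyntaxException.
            try {
                Pattern.compile(this.m_allowedUserName);
            } catch (java.util.regex.PatternSyntaxException e) {
                String message = "option '" + OPTION_ALLOWED_USERNAME + "' is not a valid regular expression.";
                LOG.error(message);
                throw new IllegalArgumentException(message, e);
            }
        }
        this.m_allowedPassword = options.getAsString(OPTION_ALLOWED_PASSWORD, "").toCharArray();
        this.m_passwordEncryptionAlg = options.getAsString(OPTION_PASSWORD_ENCRYPTION_ALG, PW_ENC_ALG_PLAIN);
        this.m_plainPW = PW_ENC_ALG_PLAIN.equalsIgnoreCase(this.m_passwordEncryptionAlg);
        if (!this.m_plainPW) {
            if (!DigestUtil.isDigestAlgorithm(this.m_passwordEncryptionAlg)) {
                throw new IllegalArgumentException("login module wrong configured. Check the '"
                        + OPTION_PASSWORD_ENCRYPTION_ALG + "' for a correct value.");
            }
            if (!DigestUtil.isDigestOf(this.m_allowedPassword, this.m_passwordEncryptionAlg)) {
                // Only the algorithm name goes into the message, never the configured value.
                String message = "password has not the correct format for algorithm:" + this.m_passwordEncryptionAlg;
                LOG.error(message);
                throw new IllegalArgumentException(message);
            }
        }
        this.m_userRoles = options.getAsStringArray(OPTION_USERROLES, EMPTY_STRING_ARRAY, "|");

        // Weak settings are reported but accepted; the operator has to act on these warnings.
        if (this.m_allowedUserName.length() == 0) {
            LOG.warn("option 'allowedUsername' is empty, this can be a security risk!");
        }
        if (this.m_allowedPassword.length == 0) {
            LOG.warn("option 'allowedPassword' is empty, this can be a security risk!");
        }
        if (this.m_plainPW) {
            LOG.warn("option 'pwdEncAlg' contains a value of 'plain', this can be a security risk!");
        }
        if (this.m_userRoles.length == 0) {
            LOG.warn("option 'userRoles' is empty, therewith authenticated users will have no role prinicipals.");
        }
    }

    /**
     * Checks the submitted credentials against the configured user name and password.
     *
     * <p>Every failure, including a missing user name, ends in the same
     * {@link FailedLoginException}, so the caller cannot tell whether the name or the password
     * was wrong.
     *
     * @param str the submitted user name; {@code null} is rejected
     * @param cArr the submitted password (or digest, depending on the configured mode)
     * @return {@code true} when the credentials match; the method never returns {@code false}
     * @throws LoginException a {@link FailedLoginException} when the credentials do not match
     */
    @Override // org.n52.security.authentication.loginmodule.AbstractPasswordLoginModule
    protected boolean login(String str, char[] cArr) throws LoginException {
        // The user name is caller-controlled and is written as submitted; parameterised logging
        // does not neutralise line breaks, so the log layout has to encode them if that matters.
        LOG.trace("SingleUserLoginModule.login({})", str);
        // A null name used to reach Pattern.matches in regex mode and raise a
        // NullPointerException; it is now an ordinary failed login in both modes.
        if (str != null && userNameMatches(str) && passwordMatches(cArr)) {
            return true;
        }
        throw new FailedLoginException("wrong username or password.");
    }

    /** Compares the submitted name with the configured literal name or pattern. */
    private boolean userNameMatches(String userName) {
        if (this.m_allowedUserNameIsRegex) {
            // Pattern.matches requires the whole input to match. The input is untrusted, so the
            // configured pattern should avoid nested or overlapping quantifiers that backtrack
            // heavily on crafted names.
            return Pattern.matches(this.m_allowedUserName, userName);
        }
        return this.m_allowedUserName.equals(userName);
    }

    /** Compares the submitted password with the configured one according to the storage mode. */
    private boolean passwordMatches(char[] password) throws LoginException {
        if (this.m_plainPW) {
            // NOTE(review): isEqual is inherited and not visible here - confirm that it compares
            // in constant time and what its third argument controls.
            return isEqual(this.m_allowedPassword, password, false);
        }
        Options options = getOptions();
        if (options.isTryMappedPass() || options.isUseMappedPass()) {
            // Presumably digests the submitted value with the configured algorithm and compares
            // the result with the stored digest - confirm against DigestUtil.
            return DigestUtil.calculateAndTestForEquality(this.m_allowedPassword, password, this.m_passwordEncryptionAlg);
        }
        // The submitted value is compared with the stored digest as it is and must itself have
        // the digest format. NOTE(review): in this mode the stored digest appears to act as the
        // credential, so it needs the same protection as a plain password - confirm.
        return DigestUtil.areEqualDigests(this.m_allowedPassword, password)
                && DigestUtil.isDigestOf(password, this.m_passwordEncryptionAlg);
    }

    /**
     * After a successful login, registers the login-name and user-id principals for the
     * authenticated user name plus one role principal per configured role.
     *
     * @throws LoginException declared by the overridden method
     */
    @Override // org.n52.security.authentication.loginmodule.AbstractLoginModule
    protected void prepareCommitState() throws LoginException {
        if (!isLoginSucceeded()) {
            return;
        }
        addPrincipal(new LoginNamePrincipal(getUsername()));
        addPrincipal(new UsernameIDPrincipal(getUsername()));
        // Roles come from the module configuration only, never from the login request.
        for (String role : this.m_userRoles) {
            addPrincipal(new RolePrincipal(role));
        }
    }
}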
