package org.jivesoftware.openfire.net;

import java.io.UnsupportedEncodingException;
import java.net.UnknownHostException;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.TreeMap;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.commons.httpclient.HttpState;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;
import org.dom4j.Namespace;
import org.dom4j.QName;
import org.jivesoftware.openfire.Connection;
import org.jivesoftware.openfire.XMPPServer;
import org.jivesoftware.openfire.auth.AuthFactory;
import org.jivesoftware.openfire.auth.AuthToken;
import org.jivesoftware.openfire.auth.AuthorizationManager;
import org.jivesoftware.openfire.lockout.LockOutManager;
import org.jivesoftware.openfire.sasl.SaslProvider;
import org.jivesoftware.openfire.session.ClientSession;
import org.jivesoftware.openfire.session.IncomingServerSession;
import org.jivesoftware.openfire.session.LocalClientSession;
import org.jivesoftware.openfire.session.LocalIncomingServerSession;
import org.jivesoftware.openfire.session.LocalSession;
import org.jivesoftware.openfire.session.Session;
import org.jivesoftware.util.CertificateManager;
import org.jivesoftware.util.JiveGlobals;
import org.jivesoftware.util.StringUtils;
import org.logicalcobwebs.cglib.asm.Constants;
import org.logicalcobwebs.proxool.ProxoolConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jivesoftware/openfire/net/SASLAuthentication.class */
public class SASLAuthentication {
    private static final String SASL_NAMESPACE = "xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\"";
    private static final Logger Log = LoggerFactory.getLogger(SASLAuthentication.class);
    protected static String CHARSET = "UTF-8";
    private static Map<String, ElementType> typeMap = new TreeMap();
    private static Set<String> mechanisms = null;

    /* loaded from: input_file:org/jivesoftware/openfire/net/SASLAuthentication$ElementType.class */
    public enum ElementType {
        AUTH("auth"),
        RESPONSE("response"),
        CHALLENGE("challenge"),
        FAILURE("failure"),
        UNDEF("");

        private String name;

        @Override // java.lang.Enum
        public String toString() {
            return this.name;
        }

        ElementType(String str) {
            this.name = null;
            this.name = str;
            SASLAuthentication.typeMap.put(this.name, this);
        }

        public static ElementType valueof(String str) {
            ElementType elementType;
            if (str != null && (elementType = (ElementType) SASLAuthentication.typeMap.get(str)) != null) {
                return elementType;
            }
            return UNDEF;
        }
    }

    /* loaded from: input_file:org/jivesoftware/openfire/net/SASLAuthentication$Status.class */
    public enum Status {
        needResponse,
        failed,
        authenticated
    }

    public static String getSASLMechanisms(LocalSession localSession) {
        if (!(localSession instanceof ClientSession) && !(localSession instanceof IncomingServerSession)) {
            return "";
        }
        StringBuilder sb = new StringBuilder(Constants.MONITOREXIT);
        sb.append("<mechanisms xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\">");
        if (!(localSession instanceof IncomingServerSession)) {
            for (String str : getSupportedMechanisms()) {
                sb.append("<mechanism>");
                sb.append(str);
                sb.append("</mechanism>");
            }
        } else if (localSession.isSecure()) {
            boolean z = false;
            for (Certificate certificate : localSession.getConnection().getLocalCertificates()) {
                try {
                    if (CertificateManager.isSelfSignedCertificate(SSLConfig.getKeyStore(), (X509Certificate) certificate)) {
                        z = true;
                    }
                } catch (Exception e) {
                    z = true;
                }
            }
            if (!z) {
                sb.append("<mechanism>EXTERNAL</mechanism>");
            }
        }
        sb.append("</mechanisms>");
        return sb.toString();
    }

    public static Element getSASLMechanismsElement(Session session) {
        if (!(session instanceof ClientSession) && !(session instanceof IncomingServerSession)) {
            return null;
        }
        Element createElement = DocumentHelper.createElement(new QName("mechanisms", new Namespace("", "urn:ietf:params:xml:ns:xmpp-sasl")));
        if (!(session instanceof IncomingServerSession)) {
            Iterator<String> it = getSupportedMechanisms().iterator();
            while (it.hasNext()) {
                createElement.addElement("mechanism").setText(it.next());
            }
        } else if (session.isSecure()) {
            createElement.addElement("mechanism").setText("EXTERNAL");
        }
        return createElement;
    }

    public static Status handle(LocalSession localSession, Element element) throws UnsupportedEncodingException {
        Status status;
        if (element.getNamespace().asXML().equals(SASL_NAMESPACE)) {
            switch (ElementType.valueof(element.getName())) {
                case AUTH:
                    String attributeValue = element.attributeValue("mechanism");
                    localSession.setSessionData("SaslMechanism", attributeValue);
                    if (!attributeValue.equalsIgnoreCase("ANONYMOUS") || !mechanisms.contains("ANONYMOUS")) {
                        if (!attributeValue.equalsIgnoreCase("EXTERNAL")) {
                            if (!mechanisms.contains(attributeValue)) {
                                Log.warn("Client wants to do a MECH we don't support: '" + attributeValue + "'");
                                authenticationFailed(localSession);
                                status = Status.failed;
                                break;
                            } else {
                                try {
                                    TreeMap treeMap = new TreeMap();
                                    treeMap.put("javax.security.sasl.qop", "auth");
                                    if (attributeValue.equals("GSSAPI")) {
                                        treeMap.put("javax.security.sasl.server.authentication", "TRUE");
                                    }
                                    SaslServer createSaslServer = Sasl.createSaslServer(attributeValue, "xmpp", JiveGlobals.getProperty("xmpp.fqdn", localSession.getServerName()), treeMap, new XMPPCallbackHandler());
                                    byte[] bArr = new byte[0];
                                    if (element.getText().length() > 0) {
                                        bArr = StringUtils.decodeBase64(element.getText().trim());
                                        if (bArr == null) {
                                            bArr = new byte[0];
                                        }
                                    }
                                    if (attributeValue.equals("DIGEST-MD5")) {
                                        bArr = new byte[0];
                                    }
                                    byte[] evaluateResponse = createSaslServer.evaluateResponse(bArr);
                                    if (createSaslServer.isComplete()) {
                                        authenticationSuccessful(localSession, createSaslServer.getAuthorizationID(), evaluateResponse);
                                        status = Status.authenticated;
                                    } else {
                                        sendChallenge(localSession, evaluateResponse);
                                        status = Status.needResponse;
                                    }
                                    localSession.setSessionData("SaslServer", createSaslServer);
                                    break;
                                } catch (SaslException e) {
                                    Log.info("User Login Failed. " + e.getMessage());
                                    authenticationFailed(localSession);
                                    status = Status.failed;
                                    break;
                                }
                            }
                        } else {
                            status = doExternalAuthentication(localSession, element);
                            break;
                        }
                    } else {
                        status = doAnonymousAuthentication(localSession);
                        break;
                    }
                    break;
                case RESPONSE:
                    String str = (String) localSession.getSessionData("SaslMechanism");
                    if (!str.equalsIgnoreCase("EXTERNAL")) {
                        if (!str.equalsIgnoreCase("JIVE-SHAREDSECRET")) {
                            if (!mechanisms.contains(str)) {
                                Log.warn("Client responded to a MECH we don't support: '" + str + "'");
                                authenticationFailed(localSession);
                                status = Status.failed;
                                break;
                            } else {
                                SaslServer saslServer = (SaslServer) localSession.getSessionData("SaslServer");
                                if (saslServer == null) {
                                    Log.error("SaslServer is null, should be valid object instead.");
                                    authenticationFailed(localSession);
                                    status = Status.failed;
                                    break;
                                } else {
                                    boolean isComplete = saslServer.isComplete();
                                    String textTrim = element.getTextTrim();
                                    try {
                                        if (isComplete) {
                                            authenticationSuccessful(localSession, saslServer.getAuthorizationID(), null);
                                            status = Status.authenticated;
                                        } else {
                                            byte[] decodeBase64 = StringUtils.decodeBase64(textTrim);
                                            if (decodeBase64 == null) {
                                                decodeBase64 = new byte[0];
                                            }
                                            byte[] evaluateResponse2 = saslServer.evaluateResponse(decodeBase64);
                                            if (saslServer.isComplete()) {
                                                authenticationSuccessful(localSession, saslServer.getAuthorizationID(), evaluateResponse2);
                                                status = Status.authenticated;
                                            } else {
                                                sendChallenge(localSession, evaluateResponse2);
                                                status = Status.needResponse;
                                            }
                                        }
                                        break;
                                    } catch (SaslException e2) {
                                        Log.debug("SASLAuthentication: SaslException", e2);
                                        authenticationFailed(localSession);
                                        status = Status.failed;
                                        break;
                                    }
                                }
                            }
                        } else {
                            status = doSharedSecretAuthentication(localSession, element);
                            break;
                        }
                    } else {
                        status = doExternalAuthentication(localSession, element);
                        break;
                    }
                default:
                    authenticationFailed(localSession);
                    status = Status.failed;
                    break;
            }
        } else {
            Log.debug("SASLAuthentication: Unknown namespace sent in auth element: " + element.asXML());
            authenticationFailed(localSession);
            status = Status.failed;
        }
        if (status == Status.failed || status == Status.authenticated) {
            localSession.removeSessionData("SaslServer");
            localSession.removeSessionData("SaslMechanism");
        }
        return status;
    }

    public static boolean isSharedSecretAllowed() {
        return JiveGlobals.getBooleanProperty("xmpp.auth.sharedSecretEnabled");
    }

    public static void setSharedSecretAllowed(boolean z) {
        JiveGlobals.setProperty("xmpp.auth.sharedSecretEnabled", z ? "true" : HttpState.PREEMPTIVE_DEFAULT);
    }

    public static String getSharedSecret() {
        if (!isSharedSecretAllowed()) {
            return null;
        }
        String property = JiveGlobals.getProperty("xmpp.auth.sharedSecret");
        if (property == null) {
            property = StringUtils.randomString(8);
            JiveGlobals.setProperty("xmpp.auth.sharedSecret", property);
        }
        return property;
    }

    public static boolean authenticateSharedSecret(String str) {
        if (isSharedSecretAllowed()) {
            return StringUtils.hash(getSharedSecret()).equals(str);
        }
        return false;
    }

    private static Status doAnonymousAuthentication(LocalSession localSession) {
        if (!XMPPServer.getInstance().getIQAuthHandler().isAnonymousAllowed()) {
            authenticationFailed(localSession);
            return Status.failed;
        }
        boolean z = false;
        try {
            String hostAddress = localSession.getConnection().getHostAddress();
            if (!LocalClientSession.getAllowedAnonymIPs().isEmpty() && !LocalClientSession.getAllowedAnonymIPs().containsKey(hostAddress)) {
                byte[] address = localSession.getConnection().getAddress();
                String str = (address[0] & 255) + ProxoolConstants.ALIAS_DELIMITER + (address[1] & 255) + ProxoolConstants.ALIAS_DELIMITER + (address[2] & 255) + ".*";
                String str2 = (address[0] & 255) + ProxoolConstants.ALIAS_DELIMITER + (address[1] & 255) + ".*.*";
                String str3 = (address[0] & 255) + ".*.*.*";
                if (!LocalClientSession.getAllowedAnonymIPs().containsKey(str) && !LocalClientSession.getAllowedAnonymIPs().containsKey(str2)) {
                    if (!LocalClientSession.getAllowedAnonymIPs().containsKey(str3)) {
                        z = true;
                    }
                }
            }
        } catch (UnknownHostException e) {
            z = true;
        }
        if (z) {
            authenticationFailed(localSession);
            return Status.failed;
        }
        authenticationSuccessful(localSession, null, null);
        return Status.authenticated;
    }

    private static Status doExternalAuthentication(LocalSession localSession, Element element) throws UnsupportedEncodingException {
        if (localSession instanceof IncomingServerSession) {
            String textTrim = element.getTextTrim();
            if (textTrim == null || textTrim.length() == 0) {
                sendChallenge(localSession, new byte[0]);
                return Status.needResponse;
            }
            String str = new String(StringUtils.decodeBase64(textTrim), CHARSET);
            if (!JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify", true)) {
                authenticationSuccessful(localSession, str, null);
                return Status.authenticated;
            }
            for (Certificate certificate : localSession.getConnection().getPeerCertificates()) {
                for (String str2 : CertificateManager.getPeerIdentities((X509Certificate) certificate)) {
                    if ((str2.startsWith("*.") && (str.endsWith(str2.replace("*.", ProxoolConstants.ALIAS_DELIMITER)) || str.equals(str2.replace("*.", "")))) || str.equals(str2)) {
                        authenticationSuccessful(localSession, str, null);
                        return Status.authenticated;
                    }
                }
            }
        } else if (localSession instanceof LocalClientSession) {
            Log.debug("SASLAuthentication: EXTERNAL authentication via SSL certs for c2s connection");
            String str3 = new String(StringUtils.decodeBase64(element.getTextTrim()), CHARSET);
            String str4 = "";
            ArrayList arrayList = new ArrayList();
            Connection connection = localSession.getConnection();
            if (connection.getPeerCertificates().length < 1) {
                Log.debug("SASLAuthentication: EXTERNAL authentication requested, but no certificates found.");
                authenticationFailed(localSession);
                return Status.failed;
            }
            for (Certificate certificate2 : connection.getPeerCertificates()) {
                arrayList.addAll(CertificateManager.getPeerIdentities((X509Certificate) certificate2));
            }
            if (arrayList.size() == 1) {
                str4 = (String) arrayList.get(0);
            } else if (arrayList.size() > 1) {
                Log.debug("SASLAuthentication: EXTERNAL authentication: more than one principal found, using first.");
                str4 = (String) arrayList.get(0);
            } else {
                Log.debug("SASLAuthentication: EXTERNAL authentication: No principals found.");
            }
            if (str3 == null || str3.length() == 0) {
                Iterator it = arrayList.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    String str5 = (String) it.next();
                    String map = AuthorizationManager.map(str5);
                    if (!map.equals(str5)) {
                        str3 = map;
                        str4 = str5;
                        break;
                    }
                }
                if (str3 == null || str3.length() == 0) {
                    str3 = str4;
                }
                Log.debug("SASLAuthentication: no username requested, using " + str3);
            }
            if (AuthorizationManager.authorize(str3, str4)) {
                Log.debug("SASLAuthentication: " + str4 + " authorized to " + str3);
                authenticationSuccessful(localSession, str3, null);
                return Status.authenticated;
            }
        } else {
            Log.debug("SASLAuthentication: unknown session type. Cannot perform EXTERNAL authentication");
        }
        authenticationFailed(localSession);
        return Status.failed;
    }

    private static Status doSharedSecretAuthentication(LocalSession localSession, Element element) throws UnsupportedEncodingException {
        String textTrim = element.getTextTrim();
        if (textTrim == null || textTrim.length() == 0) {
            sendChallenge(localSession, new byte[0]);
            return Status.needResponse;
        }
        StringTokenizer stringTokenizer = new StringTokenizer(new String(StringUtils.decodeBase64(textTrim), CHARSET), "��");
        stringTokenizer.nextToken();
        if (authenticateSharedSecret(stringTokenizer.nextToken())) {
            authenticationSuccessful(localSession, null, null);
            return Status.authenticated;
        }
        authenticationFailed(localSession);
        return Status.failed;
    }

    private static void sendChallenge(Session session, byte[] bArr) {
        StringBuilder sb = new StringBuilder(250);
        if (bArr == null) {
            bArr = new byte[0];
        }
        String trim = StringUtils.encodeBase64(bArr).trim();
        if ("".equals(trim)) {
            trim = "=";
        }
        sb.append("<challenge xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\">");
        sb.append(trim);
        sb.append("</challenge>");
        session.deliverRawText(sb.toString());
    }

    private static void authenticationSuccessful(LocalSession localSession, String str, byte[] bArr) {
        if (str != null && LockOutManager.getInstance().isAccountDisabled(str)) {
            LockOutManager.getInstance().recordFailedLogin(str);
            authenticationFailed(localSession);
            return;
        }
        StringBuilder sb = new StringBuilder(80);
        sb.append("<success xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\"");
        if (bArr != null) {
            sb.append(">").append(StringUtils.encodeBase64(bArr).trim()).append("</success>");
        } else {
            sb.append("/>");
        }
        localSession.deliverRawText(sb.toString());
        if (localSession instanceof ClientSession) {
            ((LocalClientSession) localSession).setAuthToken(new AuthToken(str));
        } else if (localSession instanceof IncomingServerSession) {
            ((LocalIncomingServerSession) localSession).addValidatedDomain(str);
        }
    }

    private static void authenticationFailed(LocalSession localSession) {
        StringBuilder sb = new StringBuilder(80);
        sb.append("<failure xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\">");
        sb.append("<not-authorized/></failure>");
        localSession.deliverRawText(sb.toString());
        Integer num = (Integer) localSession.getSessionData("authRetries");
        Integer valueOf = num == null ? 1 : Integer.valueOf(num.intValue() + 1);
        localSession.setSessionData("authRetries", valueOf);
        if (valueOf.intValue() >= JiveGlobals.getIntProperty("xmpp.auth.retries", 3)) {
            localSession.close();
        }
    }

    public static void addSupportedMechanism(String str) {
        mechanisms.add(str);
    }

    public static void removeSupportedMechanism(String str) {
        mechanisms.remove(str);
    }

    public static Set<String> getSupportedMechanisms() {
        HashSet hashSet = new HashSet(mechanisms);
        Iterator it = hashSet.iterator();
        while (it.hasNext()) {
            String str = (String) it.next();
            if (str.equals("CRAM-MD5") || str.equals("DIGEST-MD5")) {
                if (!AuthFactory.getAuthProvider().supportsPasswordRetrieval()) {
                    it.remove();
                }
            } else if (str.equals("ANONYMOUS")) {
                if (!XMPPServer.getInstance().getIQAuthHandler().isAnonymousAllowed()) {
                    it.remove();
                }
            } else if (str.equals("JIVE-SHAREDSECRET") && !isSharedSecretAllowed()) {
                it.remove();
            }
        }
        return hashSet;
    }

    private static void initMechanisms() {
        JiveGlobals.migrateProperty("sasl.mechs");
        JiveGlobals.migrateProperty("sasl.gssapi.debug");
        JiveGlobals.migrateProperty("sasl.gssapi.config");
        JiveGlobals.migrateProperty("sasl.gssapi.useSubjectCredsOnly");
        mechanisms = new HashSet();
        String property = JiveGlobals.getProperty("sasl.mechs");
        if (property == null) {
            mechanisms.add("ANONYMOUS");
            mechanisms.add("PLAIN");
            mechanisms.add("DIGEST-MD5");
            mechanisms.add("CRAM-MD5");
            mechanisms.add("JIVE-SHAREDSECRET");
        } else {
            StringTokenizer stringTokenizer = new StringTokenizer(property, " ,\t\n\r\f");
            while (stringTokenizer.hasMoreTokens()) {
                String upperCase = stringTokenizer.nextToken().toUpperCase();
                if (upperCase.equals("ANONYMOUS") || upperCase.equals("PLAIN") || upperCase.equals("DIGEST-MD5") || upperCase.equals("CRAM-MD5") || upperCase.equals("GSSAPI") || upperCase.equals("EXTERNAL") || upperCase.equals("JIVE-SHAREDSECRET")) {
                    Log.debug("SASLAuthentication: Added " + upperCase + " to mech list");
                    mechanisms.add(upperCase);
                }
            }
            if (mechanisms.contains("GSSAPI")) {
                if (JiveGlobals.getProperty("sasl.gssapi.config") != null) {
                    System.setProperty("java.security.krb5.debug", JiveGlobals.getProperty("sasl.gssapi.debug", HttpState.PREEMPTIVE_DEFAULT));
                    System.setProperty("java.security.auth.login.config", JiveGlobals.getProperty("sasl.gssapi.config"));
                    System.setProperty("javax.security.auth.useSubjectCredsOnly", JiveGlobals.getProperty("sasl.gssapi.useSubjectCredsOnly", HttpState.PREEMPTIVE_DEFAULT));
                } else {
                    Log.debug("SASLAuthentication: Removed GSSAPI from mech list");
                    mechanisms.remove("GSSAPI");
                }
            }
        }
        Security.addProvider(new SaslProvider());
    }

    static {
        initMechanisms();
    }
}
