package org.jivesoftware.openfire.net;

import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.regex.Pattern;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;
import org.apache.commons.httpclient.HttpState;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;
import org.dom4j.Namespace;
import org.dom4j.QName;
import org.jivesoftware.openfire.XMPPServer;
import org.jivesoftware.openfire.XMPPServerInfo;
import org.jivesoftware.openfire.auth.AuthFactory;
import org.jivesoftware.openfire.auth.AuthToken;
import org.jivesoftware.openfire.keystore.CertificateStoreManager;
import org.jivesoftware.openfire.lockout.LockOutManager;
import org.jivesoftware.openfire.sasl.AnonymousSaslServer;
import org.jivesoftware.openfire.sasl.Failure;
import org.jivesoftware.openfire.sasl.JiveSharedSecretSaslServer;
import org.jivesoftware.openfire.sasl.SaslFailureException;
import org.jivesoftware.openfire.sasl.SaslProvider;
import org.jivesoftware.openfire.session.ClientSession;
import org.jivesoftware.openfire.session.ConnectionSettings;
import org.jivesoftware.openfire.session.IncomingServerSession;
import org.jivesoftware.openfire.session.LocalClientSession;
import org.jivesoftware.openfire.session.LocalIncomingServerSession;
import org.jivesoftware.openfire.session.LocalSession;
import org.jivesoftware.openfire.session.Session;
import org.jivesoftware.openfire.spi.ConnectionManagerImpl;
import org.jivesoftware.openfire.spi.ConnectionType;
import org.jivesoftware.util.CertificateManager;
import org.jivesoftware.util.JiveGlobals;
import org.jivesoftware.util.PropertyEventDispatcher;
import org.jivesoftware.util.PropertyEventListener;
import org.jivesoftware.util.StringUtils;
import org.logicalcobwebs.proxool.ProxoolConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jivesoftware/openfire/net/SASLAuthentication.class */
public class SASLAuthentication {
    private static final String SASL_NAMESPACE = "urn:ietf:params:xml:ns:xmpp-sasl";
    private static final Logger Log = LoggerFactory.getLogger(SASLAuthentication.class);
    private static final Pattern BASE64_ENCODED = Pattern.compile("^(=|([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==))$");
    private static Set<String> mechanisms = new HashSet();

    /* loaded from: input_file:org/jivesoftware/openfire/net/SASLAuthentication$ElementType.class */
    public enum ElementType {
        ABORT,
        AUTH,
        RESPONSE,
        CHALLENGE,
        FAILURE,
        UNDEF;

        public static ElementType valueOfCaseInsensitive(String str) {
            if (str == null || str.isEmpty()) {
                return UNDEF;
            }
            try {
                return valueOf(str.toUpperCase());
            } catch (Throwable th) {
                return UNDEF;
            }
        }
    }

    /* loaded from: input_file:org/jivesoftware/openfire/net/SASLAuthentication$Status.class */
    public enum Status {
        needResponse,
        failed,
        authenticated
    }

    /* JADX WARN: Multi-variable type inference failed */
    public static String getSASLMechanisms(LocalSession localSession) {
        if (localSession instanceof ClientSession) {
            return getSASLMechanismsElement((ClientSession) localSession).asXML();
        }
        if (localSession instanceof LocalIncomingServerSession) {
            return getSASLMechanismsElement((LocalIncomingServerSession) localSession).asXML();
        }
        Log.debug("Unable to determine SASL mechanisms that are applicable to session '{}'. Unrecognized session type.", localSession);
        return "";
    }

    public static Element getSASLMechanismsElement(ClientSession clientSession) {
        Element createElement = DocumentHelper.createElement(new QName("mechanisms", new Namespace("", SASL_NAMESPACE)));
        Iterator<String> it = getSupportedMechanisms().iterator();
        while (it.hasNext()) {
            createElement.addElement("mechanism").setText(it.next());
        }
        return createElement;
    }

    public static Element getSASLMechanismsElement(LocalIncomingServerSession localIncomingServerSession) {
        Element createElement = DocumentHelper.createElement(new QName("mechanisms", new Namespace("", SASL_NAMESPACE)));
        if (localIncomingServerSession.isSecure()) {
            X509Certificate endEntityCertificate = CertificateManager.getEndEntityCertificate(localIncomingServerSession.getConnection().getPeerCertificates(), localIncomingServerSession.getConnection().getConfiguration().getIdentityStore().getStore(), localIncomingServerSession.getConnection().getConfiguration().getTrustStore().getStore());
            boolean z = endEntityCertificate != null;
            if (endEntityCertificate != null && localIncomingServerSession.getDefaultIdentity() != null) {
                z = verifyCertificate(endEntityCertificate, localIncomingServerSession.getDefaultIdentity());
            }
            if (z) {
                createElement.addElement("mechanism").setText("EXTERNAL");
            }
        }
        return createElement;
    }

    public static Status handle(LocalSession localSession, Element element) {
        byte[] bArr;
        try {
            if (!element.getNamespaceURI().equals(SASL_NAMESPACE)) {
                throw new IllegalStateException("Unexpected data received while negotiating SASL authentication. Name of the offending root element: " + element.getName() + " Namespace: " + element.getNamespaceURI());
            }
            switch (ElementType.valueOfCaseInsensitive(element.getName())) {
                case ABORT:
                    throw new SaslFailureException(Failure.ABORTED);
                case AUTH:
                    if (element.attributeValue("mechanism") != null) {
                        String upperCase = element.attributeValue("mechanism").toUpperCase();
                        if (!mechanisms.contains(upperCase)) {
                            throw new SaslFailureException(Failure.INVALID_MECHANISM, "The configuration of Openfire does not contain or allow the mechanism.");
                        }
                        XMPPServerInfo serverInfo = XMPPServer.getInstance().getServerInfo();
                        String xMPPDomain = upperCase.equals("DIGEST-MD5") ? serverInfo.getXMPPDomain() : serverInfo.getHostname();
                        HashMap hashMap = new HashMap();
                        hashMap.put(LocalSession.class.getCanonicalName(), localSession);
                        hashMap.put("javax.security.sasl.policy.noanonymous", Boolean.toString(!JiveGlobals.getBooleanProperty("xmpp.auth.anonymous")));
                        hashMap.put("com.sun.security.sasl.digest.realm", serverInfo.getXMPPDomain());
                        SaslServer createSaslServer = Sasl.createSaslServer(upperCase, ConnectionManagerImpl.XMPP_CODEC_FILTER_NAME, xMPPDomain, hashMap, new XMPPCallbackHandler());
                        if (createSaslServer != null) {
                            localSession.setSessionData("SaslServer", createSaslServer);
                            if (upperCase.equals("DIGEST-MD5")) {
                                element.setText("");
                                break;
                            }
                        } else {
                            throw new SaslFailureException(Failure.INVALID_MECHANISM, "There is no provider that can provide a SASL server for the desired mechanism and properties.");
                        }
                    } else {
                        throw new SaslFailureException(Failure.INVALID_MECHANISM, "Peer did not specify a mechanism.");
                    }
                    break;
                case RESPONSE:
                    break;
                default:
                    throw new IllegalStateException("Unexpected data received while negotiating SASL authentication. Name of the offending root element: " + element.getName() + " Namespace: " + element.getNamespaceURI());
            }
            SaslServer saslServer = (SaslServer) localSession.getSessionData("SaslServer");
            if (saslServer == null) {
                throw new IllegalStateException("A SaslServer instance was not initialized and/or stored on the session.");
            }
            String textTrim = element.getTextTrim();
            if (textTrim == null || textTrim.isEmpty() || textTrim.equals("=")) {
                bArr = new byte[0];
            } else {
                if (!BASE64_ENCODED.matcher(textTrim).matches()) {
                    throw new SaslFailureException(Failure.INCORRECT_ENCODING);
                }
                bArr = StringUtils.decodeBase64(textTrim);
            }
            byte[] evaluateResponse = saslServer.evaluateResponse(bArr);
            if (!saslServer.isComplete()) {
                sendChallenge(localSession, evaluateResponse);
                return Status.needResponse;
            }
            if ((localSession instanceof IncomingServerSession) && JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_CERTIFICATE_VERIFY, true)) {
                if (!verifyCertificates(localSession.getConnection().getPeerCertificates(), saslServer.getAuthorizationID(), true)) {
                    throw new SaslFailureException(Failure.NOT_AUTHORIZED, "Server-to-Server certificate verification failed.");
                }
                ((LocalIncomingServerSession) localSession).tlsAuth();
            }
            authenticationSuccessful(localSession, saslServer.getAuthorizationID(), evaluateResponse);
            localSession.removeSessionData("SaslServer");
            return Status.authenticated;
        } catch (Exception e) {
            Log.warn("An unexpected exception occurred during SASL negotiation. Affected session: {}", localSession, e);
            authenticationFailed(localSession, Failure.NOT_AUTHORIZED);
            localSession.removeSessionData("SaslServer");
            return Status.failed;
        } catch (SaslException e2) {
            Log.debug("SASL negotiation failed for session: {}", localSession, e2);
            authenticationFailed(localSession, (!(e2 instanceof SaslFailureException) || ((SaslFailureException) e2).getFailure() == null) ? Failure.NOT_AUTHORIZED : ((SaslFailureException) e2).getFailure());
            localSession.removeSessionData("SaslServer");
            return Status.failed;
        }
    }

    public static boolean verifyCertificate(X509Certificate x509Certificate, String str) {
        for (String str2 : CertificateManager.getServerIdentities(x509Certificate)) {
            if ((str2.startsWith("*.") && (str.endsWith(str2.replace("*.", ProxoolConstants.ALIAS_DELIMITER)) || str.equals(str2.replace("*.", "")))) || str.equals(str2)) {
                return true;
            }
        }
        return false;
    }

    public static boolean verifyCertificates(Certificate[] certificateArr, String str, boolean z) {
        CertificateStoreManager certificateStoreManager = XMPPServer.getInstance().getCertificateStoreManager();
        ConnectionType connectionType = z ? ConnectionType.SOCKET_S2S : ConnectionType.SOCKET_C2S;
        X509Certificate endEntityCertificate = CertificateManager.getEndEntityCertificate(certificateArr, certificateStoreManager.getIdentityStore(connectionType).getStore(), certificateStoreManager.getTrustStore(connectionType).getStore());
        if (endEntityCertificate != null) {
            return verifyCertificate(endEntityCertificate, str);
        }
        return false;
    }

    private static void sendElement(Session session, String str, byte[] bArr) {
        StringBuilder sb = new StringBuilder(250);
        sb.append("<");
        sb.append(str);
        sb.append(" xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\"");
        if (bArr != null) {
            sb.append(">");
            String trim = StringUtils.encodeBase64(bArr).trim();
            if ("".equals(trim)) {
                trim = "=";
            }
            sb.append(trim);
            sb.append("</");
            sb.append(str);
            sb.append(">");
        } else {
            sb.append("/>");
        }
        session.deliverRawText(sb.toString());
    }

    private static void sendChallenge(Session session, byte[] bArr) {
        sendElement(session, "challenge", bArr);
    }

    private static void authenticationSuccessful(LocalSession localSession, String str, byte[] bArr) {
        if (str != null && LockOutManager.getInstance().isAccountDisabled(str)) {
            LockOutManager.getInstance().recordFailedLogin(str);
            authenticationFailed(localSession, Failure.ACCOUNT_DISABLED);
            return;
        }
        sendElement(localSession, "success", bArr);
        if (localSession instanceof ClientSession) {
            ((LocalClientSession) localSession).setAuthToken(new AuthToken(str));
        } else if (localSession instanceof IncomingServerSession) {
            ((LocalIncomingServerSession) localSession).addValidatedDomain(str);
            Log.info("Inbound Server {} authenticated (via TLS)", str);
        }
    }

    private static void authenticationFailed(LocalSession localSession, Failure failure) {
        StringBuilder sb = new StringBuilder(80);
        sb.append("<failure xmlns=\"urn:ietf:params:xml:ns:xmpp-sasl\"><");
        sb.append(failure.toString());
        sb.append("/></failure>");
        localSession.deliverRawText(sb.toString());
        Integer num = (Integer) localSession.getSessionData("authRetries");
        Integer valueOf = num == null ? 1 : Integer.valueOf(num.intValue() + 1);
        localSession.setSessionData("authRetries", valueOf);
        if (valueOf.intValue() >= JiveGlobals.getIntProperty("xmpp.auth.retries", 3)) {
            localSession.close();
        }
    }

    public static void addSupportedMechanism(String str) {
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("Argument 'mechanism' must cannot be null or an empty string.");
        }
        mechanisms.add(str.toUpperCase());
        Log.info("Support added for the '{}' SASL mechanism.", str.toUpperCase());
    }

    public static void removeSupportedMechanism(String str) {
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("Argument 'mechanism' must cannot be null or an empty string.");
        }
        if (mechanisms.remove(str.toUpperCase())) {
            Log.info("Support removed for the '{}' SASL mechanism.", str.toUpperCase());
        }
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:8:0x0052. Please report as an issue. */
    public static Set<String> getSupportedMechanisms() {
        Set<String> implementedMechanisms = getImplementedMechanisms();
        HashSet hashSet = new HashSet(mechanisms);
        Iterator it = hashSet.iterator();
        while (it.hasNext()) {
            String str = (String) it.next();
            if (implementedMechanisms.contains(str)) {
                boolean z = -1;
                switch (str.hashCode()) {
                    case -1796511348:
                        if (str.equals("CRAM-MD5")) {
                            z = false;
                            break;
                        }
                        break;
                    case -824267275:
                        if (str.equals("DIGEST-MD5")) {
                            z = true;
                            break;
                        }
                        break;
                    case 588964500:
                        if (str.equals(JiveSharedSecretSaslServer.NAME)) {
                            z = 4;
                            break;
                        }
                        break;
                    case 690783309:
                        if (str.equals(AnonymousSaslServer.NAME)) {
                            z = 3;
                            break;
                        }
                        break;
                    case 1312013393:
                        if (str.equals("SCRAM-SHA-1")) {
                            z = 2;
                            break;
                        }
                        break;
                    case 2111859635:
                        if (str.equals("GSSAPI")) {
                            z = 5;
                            break;
                        }
                        break;
                }
                switch (z) {
                    case false:
                    case true:
                        if (!AuthFactory.supportsPasswordRetrieval()) {
                            Log.trace("Cannot support '{}' as the AuthFactory that's in used does not support password retrieval.", str);
                            it.remove();
                            break;
                        } else {
                            break;
                        }
                    case true:
                        if (!AuthFactory.supportsPasswordRetrieval() || !AuthFactory.supportsScram()) {
                            Log.trace("Cannot support '{}' as the AuthFactory that's in used does not support password retrieval nor SCRAM.", str);
                            it.remove();
                            break;
                        } else {
                            break;
                        }
                    case true:
                        if (!JiveGlobals.getBooleanProperty("xmpp.auth.anonymous")) {
                            Log.trace("Cannot support '{}' as it has been disabled by configuration.", str);
                            it.remove();
                            break;
                        } else {
                            break;
                        }
                    case true:
                        if (!JiveSharedSecretSaslServer.isSharedSecretAllowed()) {
                            Log.trace("Cannot support '{}' as it has been disabled by configuration.", str);
                            it.remove();
                            break;
                        } else {
                            break;
                        }
                    case true:
                        String property = JiveGlobals.getProperty("sasl.gssapi.config");
                        if (property == null) {
                            Log.trace("Cannot support '{}' as the 'sasl.gssapi.config' property has not been defined.", str);
                            it.remove();
                            break;
                        } else {
                            System.setProperty("java.security.krb5.debug", JiveGlobals.getProperty("sasl.gssapi.debug", HttpState.PREEMPTIVE_DEFAULT));
                            System.setProperty("java.security.auth.login.config", property);
                            System.setProperty("javax.security.auth.useSubjectCredsOnly", JiveGlobals.getProperty("sasl.gssapi.useSubjectCredsOnly", HttpState.PREEMPTIVE_DEFAULT));
                            break;
                        }
                }
            } else {
                Log.trace("Cannot support '{}' as there's no implementation available.", str);
                it.remove();
            }
        }
        return hashSet;
    }

    public static Set<String> getImplementedMechanisms() {
        HashSet hashSet = new HashSet();
        Enumeration saslServerFactories = Sasl.getSaslServerFactories();
        while (saslServerFactories.hasMoreElements()) {
            Collections.addAll(hashSet, ((SaslServerFactory) saslServerFactories.nextElement()).getMechanismNames((Map) null));
        }
        return hashSet;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void initMechanisms() {
        StringTokenizer stringTokenizer = new StringTokenizer(JiveGlobals.getProperty("sasl.mechs", "ANONYMOUS,PLAIN,DIGEST-MD5,CRAM-MD5,SCRAM-SHA-1,JIVE-SHAREDSECRET,GSSAPI,EXTERNAL"), " ,\t\n\r\f");
        mechanisms = new HashSet();
        while (stringTokenizer.hasMoreTokens()) {
            String upperCase = stringTokenizer.nextToken().toUpperCase();
            try {
                addSupportedMechanism(upperCase);
            } catch (Exception e) {
                Log.warn("An exception occurred while trying to add support for SASL Mechanism '{}':", upperCase, e);
            }
        }
    }

    static {
        Security.addProvider(new SaslProvider());
        JiveGlobals.migrateProperty("sasl.mechs");
        JiveGlobals.migrateProperty("sasl.gssapi.debug");
        JiveGlobals.migrateProperty("sasl.gssapi.config");
        JiveGlobals.migrateProperty("sasl.gssapi.useSubjectCredsOnly");
        initMechanisms();
        PropertyEventDispatcher.addListener(new PropertyEventListener() { // from class: org.jivesoftware.openfire.net.SASLAuthentication.1
            @Override // org.jivesoftware.util.PropertyEventListener
            public void propertySet(String str, Map<String, Object> map) {
                if ("sasl.mechs".equals(str)) {
                    SASLAuthentication.initMechanisms();
                }
            }

            @Override // org.jivesoftware.util.PropertyEventListener
            public void propertyDeleted(String str, Map<String, Object> map) {
                if ("sasl.mechs".equals(str)) {
                    SASLAuthentication.initMechanisms();
                }
            }

            @Override // org.jivesoftware.util.PropertyEventListener
            public void xmlPropertySet(String str, Map<String, Object> map) {
            }

            @Override // org.jivesoftware.util.PropertyEventListener
            public void xmlPropertyDeleted(String str, Map<String, Object> map) {
            }
        });
    }
}
