package org.w3c.jigsaw.auth;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Date;
import org.apache.velocity.tools.generic.LinkTool;
import org.w3c.jigsaw.frames.HTTPFrame;
import org.w3c.jigsaw.html.HtmlGenerator;
import org.w3c.jigsaw.http.HTTPException;
import org.w3c.jigsaw.http.Reply;
import org.w3c.jigsaw.http.Request;
import org.w3c.jigsaw.http.httpd;
import org.w3c.tools.resources.AttributeRegistry;
import org.w3c.tools.resources.FramedResource;
import org.w3c.tools.resources.IntegerAttribute;
import org.w3c.tools.resources.InvalidResourceException;
import org.w3c.tools.resources.ProtocolException;
import org.w3c.tools.resources.ReplyInterface;
import org.w3c.tools.resources.RequestInterface;
import org.w3c.tools.resources.ResourceReference;
import org.w3c.tools.resources.StringArrayAttribute;
import org.w3c.tools.resources.StringAttribute;
import org.w3c.util.StringUtils;
import org.w3c.www.http.HttpChallenge;
import org.w3c.www.http.HttpCredential;
import org.w3c.www.http.HttpFactory;
import org.w3c.www.webdav.xml.DAVNode;

/* loaded from: input_file:org/w3c/jigsaw/auth/DigestAuthFilter.class */
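/**
 * HTTP Digest authentication filter.
 *
 * <p>The filter keeps one server-wide nonce (plus the previous one) per filter
 * instance, rotates it every {@code nonce_ttl} seconds, and verifies the
 * {@code response} parameter of an incoming Digest credential as
 * {@code H(H(user:realm:password):nonce:H(method:uri))}.
 *
 * <p>Review notes on what the visible code does and does not cover:
 * <ul>
 *   <li>Only {@code username}, {@code realm}, {@code nonce}, {@code uri} and
 *       {@code response} are read from the credential; no {@code qop},
 *       {@code nc} or {@code cnonce} is processed, so a captured credential
 *       stays valid for the same method and {@code uri} until the nonce is
 *       rotated out.</li>
 *   <li>The {@code uri} parameter is hashed as sent and is not compared with
 *       the request target in this class.
 *       NOTE(review): confirm whether a caller performs that comparison.</li>
 *   <li>H(A1) is computed from {@code AuthUser.getPassword()}, so the realm
 *       store presumably holds the password itself rather than a digest;
 *       verify against the realm implementation.</li>
 *   <li>The default algorithm is {@code "MD5"} (see {@link #getAlgorithm()}).</li>
 * </ul>
 */
public class DigestAuthFilter extends AuthFilter {
    protected static int ATTR_ALLOWED_USERS;
    protected static int ATTR_ALLOWED_GROUPS;
    protected static int ATTR_ALGORITHM;
    protected static int ATTR_NONCE_TTL;
    protected RealmsCatalog catalog = null;
    protected ResourceReference rr_realm = null;
    protected String loaded_realm = null;
    protected HttpChallenge challenge = null;
    // Current nonce advertised in challenges, and the one it replaced.
    protected String nonce = null;
    protected String old_nonce = null;
    // Wall-clock time (ms) of the last nonce rotation; 0 forces a rotation on first use.
    private long prev_date = 0;
    // Nonce lifetime in seconds. This field starts at 600 while the registered
    // attribute default is 300; the field only changes through setValue().
    // NOTE(review): confirm which default is intended.
    private int nonce_ttl = 600;

    /* loaded from: input_file:org/w3c/jigsaw/auth/DigestAuthFilter$DigestAuthContext.class */
    /**
     * Parsed Digest credential of one request, plus the outcome flag
     * {@link #stale} set by {@link #authenticate(String, String, String)}.
     */
    public class DigestAuthContext {
        String dac_user;
        String dac_realm;
        String dac_nonce;
        String dac_uri;
        String dac_response;
        String dac_method;
        // Owning filter, passed explicitly to the constructor.
        private final DigestAuthFilter filter;
        // Never assigned from the credential in this class, so the algorithm
        // comparison in authenticate() is effectively inactive.
        String dac_algorithm = null;
        boolean stale = false;

        /**
         * Extracts the Digest parameters from the request's (proxy) authorization header.
         *
         * @param digestAuthFilter the owning filter
         * @param request the incoming request
         * @throws DigestAuthFilterException if the scheme is not Digest or a
         *         required parameter (username, uri, response, realm, nonce) is missing
         * @throws ProtocolException declared by the original signature
         */
        DigestAuthContext(DigestAuthFilter digestAuthFilter, Request request) throws DigestAuthFilterException, ProtocolException {
            this.filter = digestAuthFilter;
            this.dac_user = null;
            this.dac_realm = null;
            this.dac_nonce = null;
            this.dac_uri = null;
            this.dac_response = null;
            this.dac_method = null;
            HttpCredential credential = request.isProxy() ? request.getProxyAuthorization() : request.getAuthorization();
            if (credential == null) {
                throw new DigestAuthFilterException("Invalid authentication header");
            }
            if (!credential.getScheme().equalsIgnoreCase("Digest")) {
                throw new DigestAuthFilterException("Invalid authentication scheme \"" + credential.getScheme() + "\" expecting \"Digest\"");
            }
            this.dac_user = credential.getAuthParameter("username");
            // LinkTool.URI_KEY and DAVNode.RESPONSE_NODE are constants picked by
            // the decompiler; presumably "uri" and "response" - TODO confirm.
            this.dac_uri = credential.getAuthParameter(LinkTool.URI_KEY);
            this.dac_response = credential.getAuthParameter(DAVNode.RESPONSE_NODE);
            this.dac_realm = credential.getAuthParameter("realm");
            this.dac_method = request.getMethod();
            this.dac_nonce = credential.getAuthParameter("nonce");
            // The nonce is required too: authenticate() dereferences it, so a
            // credential without one must be rejected here instead of failing
            // later with a NullPointerException.
            if (this.dac_user == null || this.dac_uri == null || this.dac_response == null
                    || this.dac_realm == null || this.dac_nonce == null) {
                throw new DigestAuthFilterException("Invalid authentication header");
            }
        }

        /**
         * Checks the credential against the stored user.
         *
         * <p>Three cases, by the nonce the client used:
         * current nonce - plain verification; previous nonce - verification
         * with {@link #stale} set so the reply can carry a {@code nextnonce};
         * any other nonce - always rejected, with {@link #stale} reporting
         * whether the response would have been valid for that nonce.
         *
         * @param str user name from the realm
         * @param str2 realm name
         * @param str3 the user's password as stored in the realm
         * @return {@code true} only if the response matches for the current or previous nonce
         */
        boolean authenticate(String str, String str2, String str3) {
            this.stale = false;
            if (this.dac_nonce == null || this.dac_response == null) {
                return false;
            }
            if (!this.dac_user.equals(str) || !this.dac_realm.equals(str2)) {
                return false;
            }
            if (this.dac_algorithm != null && !this.dac_algorithm.equals(this.filter.getAlgorithm())) {
                return false;
            }
            // Read both nonces once so the comparison and the digest use the same value.
            String currentNonce = this.filter.nonce;
            String previousNonce = this.filter.old_nonce;
            try {
                if (this.dac_nonce.equals(currentNonce)) {
                    return responseMatches(computeResponse(str, str2, str3, currentNonce));
                }
                if (this.dac_nonce.equals(previousNonce)) {
                    this.stale = true;
                    return responseMatches(computeResponse(str, str2, str3, previousNonce));
                }
                // Unknown nonce: never accepted, but a correct response marks the
                // credential as stale so the client is told to retry with a fresh nonce.
                this.stale = responseMatches(computeResponse(str, str2, str3, this.dac_nonce));
                return false;
            } catch (NoSuchAlgorithmException e) {
                // No usable digest algorithm: fail closed.
                return false;
            }
        }

        /**
         * Computes {@code H(H(user:realm:password):nonce:H(method:uri))} as a hex string.
         */
        private String computeResponse(String user, String realm, String password, String nonceValue) throws NoSuchAlgorithmException {
            MessageDigest md = MessageDigest.getInstance(this.filter.getAlgorithm());
            // NOTE(review): getBytes() uses the platform charset, as the original
            // did; non-ASCII names or passwords hash differently across platforms.
            md.update((user + ":" + realm + ":" + password).getBytes());
            String ha1 = StringUtils.toHexString(md.digest());
            md.reset();
            md.update((this.dac_method + ":" + this.dac_uri).getBytes());
            String ha2 = StringUtils.toHexString(md.digest());
            md.reset();
            md.update((ha1 + ":" + nonceValue + ":" + ha2).getBytes());
            return StringUtils.toHexString(md.digest());
        }

        /**
         * Compares the expected digest with the client's response without an
         * early exit on the first differing character.
         */
        private boolean responseMatches(String expected) {
            return MessageDigest.isEqual(expected.getBytes(), this.dac_response.getBytes());
        }
    }

    /**
     * Loads the realms catalog on first use and (re)loads the realm reference
     * when the configured realm name differs from the one already loaded.
     */
    protected synchronized void acquireRealm() {
        if (this.catalog == null) {
            this.catalog = ((httpd) ((FramedResource) getTargetResource()).getServer()).getRealmsCatalog();
        }
        String realm = getRealm();
        if (realm == null) {
            return;
        }
        if (this.rr_realm == null || !realm.equals(this.loaded_realm)) {
            this.rr_realm = this.catalog.loadRealm(realm);
            this.loaded_realm = realm;
        }
    }

    /**
     * Refreshes the realm reference.
     *
     * @return always {@code true}; a missing realm is not reported here
     */
    protected synchronized boolean checkRealm() {
        acquireRealm();
        return true;
    }

    /** @return the configured {@code users} list, or {@code null} if unset */
    public String[] getAllowedUsers() {
        return (String[]) getValue(ATTR_ALLOWED_USERS, (Object) null);
    }

    /** @return the configured {@code groups} list, or {@code null} if unset */
    public String[] getAllowedGroups() {
        return (String[]) getValue(ATTR_ALLOWED_GROUPS, (Object) null);
    }

    /** @return the configured digest algorithm name, {@code "MD5"} if unset */
    public String getAlgorithm() {
        return (String) getValue(ATTR_ALGORITHM, "MD5");
    }

    /**
     * Looks a user up in the filter's realm.
     *
     * @param str the user name
     * @return a reference to the user, or {@code null} if no realm is
     *         available, the realm resource is invalid, or the realm returns none
     */
    public synchronized ResourceReference lookupUser(String str) {
        if (this.rr_realm == null) {
            acquireRealm();
        }
        ResourceReference realmRef = this.rr_realm;
        if (realmRef == null) {
            // No realm configured or loadable: report "no such user" instead of
            // failing with a NullPointerException.
            return null;
        }
        try {
            AuthRealm realm = (AuthRealm) realmRef.lock();
            if (realm == null) {
                return null;
            }
            return realm.loadUser(str);
        } catch (InvalidResourceException e) {
            return null;
        } finally {
            realmRef.unlock();
        }
    }

    /**
     * Applies the {@code users} / {@code groups} restrictions.
     *
     * @param authUser the authenticated candidate
     * @return {@code true} if the user is listed, belongs to a listed group,
     *         or neither list is configured
     */
    protected boolean checkUser(AuthUser authUser) {
        String[] allowedUsers = getAllowedUsers();
        if (allowedUsers != null) {
            String name = authUser.getName();
            for (String allowed : allowedUsers) {
                if (allowed != null && allowed.equals(name)) {
                    return true;
                }
            }
        }
        String[] allowedGroups = getAllowedGroups();
        if (allowedGroups != null) {
            String[] groups = authUser.getGroups();
            if (groups != null) {
                for (String group : groups) {
                    for (String allowed : allowedGroups) {
                        if (allowed != null && allowed.equals(group)) {
                            return true;
                        }
                    }
                }
            }
        }
        return allowedUsers == null && allowedGroups == null;
    }

    /**
     * Stores an attribute value and keeps the derived state in step: a realm
     * change rebuilds the challenge, a TTL change updates the cached TTL.
     */
    @Override // org.w3c.tools.resources.ResourceFrame, org.w3c.tools.resources.FramedResource, org.w3c.tools.resources.Resource, org.w3c.tools.resources.AttributeHolder
    public void setValue(int i, Object obj) {
        super.setValue(i, obj);
        if (i == ATTR_REALM) {
            HttpChallenge rebuilt = HttpFactory.makeChallenge("Digest");
            rebuilt.setAuthParameter("realm", getRealm());
            // Carry the live nonce and the algorithm over; otherwise challenges
            // would go out without a nonce until the next rotation.
            if (this.nonce != null) {
                rebuilt.setAuthParameter("nonce", this.nonce);
            }
            rebuilt.setAuthParameter("algorithm", getAlgorithm(), false);
            // NOTE(review): the "domain" parameter is only set in initialize();
            // confirm whether it should be restored here as well.
            this.challenge = rebuilt;
        }
        if (i == ATTR_NONCE_TTL && (obj instanceof Integer)) {
            this.nonce_ttl = ((Integer) obj).intValue();
        }
    }

    /**
     * Authenticates the request or rejects it with a Digest challenge.
     *
     * <p>Requests without a client are let through. On success the user name,
     * the auth type and the {@link DigestAuthContext} are stored as request state.
     *
     * @param request the incoming request
     * @throws ProtocolException an {@code HTTPException} carrying a 401 (or
     *         407 for proxy requests) reply when authentication fails
     */
    @Override // org.w3c.jigsaw.auth.AuthFilter
    public void authenticate(Request request) throws ProtocolException {
        if (!checkRealm() || request.getClient() == null) {
            return;
        }
        rotateNonceIfExpired();
        DigestAuthContext context = null;
        boolean hasCredential = request.isProxy() ? request.hasProxyAuthorization() : request.hasAuthorization();
        if (hasCredential) {
            try {
                context = new DigestAuthContext(this, request);
            } catch (DigestAuthFilterException e) {
                // Malformed or non-Digest credential: treat as unauthenticated.
                context = null;
            }
            if (context != null) {
                ResourceReference userRef = lookupUser(context.dac_user);
                // An unknown user yields no reference; answer with the same
                // challenge as a wrong password rather than an internal error.
                if (userRef != null) {
                    try {
                        AuthUser authUser = (AuthUser) userRef.lock();
                        // checkUser() runs first so the users/groups restrictions
                        // are enforced and a user outside them gets no hint about
                        // the password. The original never called checkUser() in
                        // this class. NOTE(review): confirm no caller relied on that.
                        if (authUser != null
                                && authUser.definesAttribute("password")
                                && checkUser(authUser)
                                && context.authenticate(authUser.getName(), this.loaded_realm, authUser.getPassword())) {
                            request.setState(AuthFilter.STATE_AUTHUSER, context.dac_user);
                            request.setState(AuthFilter.STATE_AUTHTYPE, "Digest");
                            request.setState(AuthFilter.STATE_AUTHCONTEXT, context);
                            return;
                        }
                    } catch (InvalidResourceException e2) {
                        // User resource unusable: fall through to the challenge.
                    } finally {
                        userRef.unlock();
                    }
                }
            }
        }
        HttpChallenge httpChallenge = this.challenge;
        if (context != null && context.stale && this.challenge != null) {
            // Work on a copy so the shared challenge never carries stale=true.
            HttpChallenge staleChallenge = this.challenge.getClone();
            if (staleChallenge != null) {
                staleChallenge.setAuthParameter("stale", "true", false);
                httpChallenge = staleChallenge;
            }
        }
        Reply makeReply;
        if (request.isProxy()) {
            makeReply = request.makeReply(407);
            makeReply.setProxyAuthenticate(httpChallenge);
        } else {
            makeReply = request.makeReply(401);
            makeReply.setWWWAuthenticate(httpChallenge);
        }
        HtmlGenerator htmlGenerator = new HtmlGenerator("Unauthorized");
        htmlGenerator.append("<h1>Unauthorized access</h1><p>You are denied access to this resource.");
        makeReply.setStream(htmlGenerator);
        throw new HTTPException(makeReply);
    }

    /**
     * Rotates the nonce once its lifetime has elapsed. Synchronized so that
     * concurrent requests cannot rotate twice and drop the previous nonce.
     */
    private synchronized void rotateNonceIfExpired() {
        long now = System.currentTimeMillis();
        if ((now - this.prev_date) / 1000 > this.nonce_ttl) {
            this.prev_date = now;
            updateNonce();
        }
    }

    private void updateNonce() {
        updateNonce(getResource());
    }

    /**
     * Derives a new nonce from the current date string and the resource's
     * ETag (or its URL path when no ETag is available) and publishes it in
     * the challenge; the previous nonce is kept in {@link #old_nonce}.
     *
     * <p>NOTE(review): both inputs are observable by clients and the date
     * string is hashed as produced by {@code Date.toString()}; consider mixing
     * in {@code java.security.SecureRandom} output so nonces cannot be derived
     * from public values.
     */
    private synchronized void updateNonce(FramedResource framedResource) {
        if (framedResource instanceof HTTPFrame) {
            HTTPFrame hTTPFrame = (HTTPFrame) framedResource;
            try {
                MessageDigest messageDigest = MessageDigest.getInstance(getAlgorithm());
                messageDigest.update(new Date().toString().getBytes());
                try {
                    messageDigest.update(hTTPFrame.getETag().getTag().getBytes());
                } catch (Exception e) {
                    // Best effort: any failure obtaining the ETag falls back to the URL path.
                    messageDigest.update(hTTPFrame.getURLPath().getBytes());
                }
                byte[] digest = messageDigest.digest();
                if (this.nonce != null) {
                    this.old_nonce = this.nonce;
                }
                this.nonce = StringUtils.toHexString(digest);
                if (this.challenge != null) {
                    this.challenge.setAuthParameter("nonce", this.nonce);
                }
            } catch (NoSuchAlgorithmException e2) {
                // Nonce left unchanged; credential verification needs the same
                // algorithm and therefore rejects every request in this state.
            }
        }
    }

    /**
     * Sets the cache directives on the reply and, when the request was
     * accepted with the previous nonce, announces the current one as
     * {@code nextnonce}.
     *
     * @return always {@code null}
     */
    @Override // org.w3c.jigsaw.auth.AuthFilter, org.w3c.tools.resources.ResourceFilter
    public ReplyInterface outgoingFilter(RequestInterface requestInterface, ReplyInterface replyInterface) {
        Request request = (Request) requestInterface;
        Reply reply = (Reply) replyInterface;
        if (getPrivateCachability()) {
            reply.setMustRevalidate(true);
        } else if (getSharedCachability()) {
            reply.setProxyRevalidate(true);
        } else if (getPublicCachability()) {
            reply.setPublic(true);
        }
        if (request.hasState(AuthFilter.STATE_AUTHCONTEXT)) {
            DigestAuthContext context = (DigestAuthContext) request.getState(AuthFilter.STATE_AUTHCONTEXT);
            if (context.stale) {
                reply.addAuthenticationInfo("nextnonce", this.nonce);
            }
        }
        return null;
    }

    /**
     * Initializes the filter and, when a realm is configured, builds the
     * Digest challenge (realm, nonce, domain, algorithm).
     */
    @Override // org.w3c.tools.resources.FramedResource, org.w3c.tools.resources.Resource, org.w3c.tools.resources.AttributeHolder
    public void initialize(Object[] objArr) {
        super.initialize(objArr);
        if (getRealm() != null) {
            this.challenge = HttpFactory.makeChallenge("Digest");
            this.challenge.setAuthParameter("realm", getRealm());
            updateNonce();
            this.challenge.setAuthParameter("domain", getURLPath());
            this.challenge.setAuthParameter("algorithm", getAlgorithm(), false);
        }
    }

    static {
        ATTR_ALLOWED_USERS = -1;
        ATTR_ALLOWED_GROUPS = -1;
        ATTR_ALGORITHM = -1;
        ATTR_NONCE_TTL = -1;
        // A class literal replaces the Class.forName() lookup of this same
        // class, which could only fail by terminating the JVM via System.exit(1).
        Class<?> cls = DigestAuthFilter.class;
        ATTR_ALLOWED_USERS = AttributeRegistry.registerAttribute(cls, new StringArrayAttribute("users", null, 2));
        ATTR_ALLOWED_GROUPS = AttributeRegistry.registerAttribute(cls, new StringArrayAttribute("groups", null, 2));
        ATTR_ALGORITHM = AttributeRegistry.registerAttribute(cls, new StringAttribute("algorithm", null, 2));
        ATTR_NONCE_TTL = AttributeRegistry.registerAttribute(cls, new IntegerAttribute("nonce_ttl", Integer.valueOf(300), 2));
    }
}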
