package info.magnolia.jaas.sp.jcr;

import info.magnolia.cms.security.MgnlUser;
import info.magnolia.cms.security.MgnlUserManager;
import info.magnolia.cms.security.SecuritySupport;
import info.magnolia.cms.security.User;
import info.magnolia.cms.security.UserManager;
import info.magnolia.jaas.sp.AbstractLoginModule;
import info.magnolia.jaas.sp.UserAwareLoginModule;
import java.io.Serializable;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.core.security.UserPrincipal;
import org.apache.jackrabbit.core.security.principal.AdminPrincipal;

/* loaded from: input_file:WEB-INF/lib/magnolia-jaas-5.2.3.jar:info/magnolia/jaas/sp/jcr/MagnoliaAuthenticationModule.class */
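/**
 * Login module that validates a submitted name/password pair against a Magnolia
 * {@link User} and populates the JAAS subject with Jackrabbit principals.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The account named {@code SecurityConstants.ADMIN_ID} is never looked up in the user
 *       manager; a synthetic user is built for it in {@link #initUser()}.</li>
 *   <li>{@link #setEntity()} grants an admin principal based on the account <em>name</em>
 *       ({@code ADMIN_ID} or the literal {@code "superuser"}), not on roles or groups.</li>
 *   <li>Unknown account, wrong password and disabled account are reported with three
 *       different exception types and messages.</li>
 * </ul>
 */
public class MagnoliaAuthenticationModule extends AbstractLoginModule implements UserAwareLoginModule, Serializable {
    // Unused in the visible code.
    private static final boolean logAdmin = false;

    // The user resolved by initUser(); null until then, or when the account does not exist.
    protected User user;

    /* loaded from: input_file:WEB-INF/lib/magnolia-jaas-5.2.3.jar:info/magnolia/jaas/sp/jcr/MagnoliaAuthenticationModule$MagnoliaJRAdminPrincipal.class */
    /**
     * Admin principal added to the subject for the {@code ADMIN_ID} and {@code "superuser"}
     * accounts. It only forwards the name to Jackrabbit's {@link AdminPrincipal}.
     */
    public class MagnoliaJRAdminPrincipal extends AdminPrincipal implements Principal, Serializable {
        public MagnoliaJRAdminPrincipal(String str) {
            super(str);
        }
    }

    /**
     * Resolves the user, checks the submitted password and then the enabled flag.
     *
     * <p>The enabled check runs only after the password matched, so the "locked" outcome is
     * reported only to a caller that presented the correct password. The "not found" outcome is
     * reported before any password check.
     * NOTE(review): if these exceptions reach the remote client unchanged, they distinguish
     * existing from non-existing account names; confirm the caller maps them to one generic
     * failure.
     *
     * @throws AccountNotFoundException if no user was resolved for the submitted name
     * @throws FailedLoginException if the stored password is empty or does not match
     * @throws AccountLockedException if the password matched but the account is disabled
     */
    @Override // info.magnolia.jaas.sp.AbstractLoginModule
    public void validateUser() throws LoginException {
        initUser();
        if (this.user == null) {
            throw new AccountNotFoundException("User account " + this.f123name + " not found.");
        }
        matchPassword();
        if (!this.user.isEnabled()) {
            throw new AccountLockedException("User account " + this.f123name + " is locked.");
        }
        // No last-access bookkeeping for the anonymous user or the synthetic admin user.
        if ("anonymous".equals(this.user.getName()) || isAdmin()) {
            return;
        }
        getUserManager().updateLastAccessTimestamp(this.user);
    }

    /**
     * Returns the user manager registered for this module's realm.
     *
     * @return the user manager for {@code realm.getName()}
     */
    private UserManager getUserManager() {
        // Debug logging is suppressed for the ADMIN_ID account.
        if (!SecurityConstants.ADMIN_ID.equals(this.f123name)) {
            this.log.debug("getting user manager for realm " + this.realm.getName());
        }
        return SecuritySupport.Factory.getInstance().getUserManager(this.realm.getName());
    }

    /**
     * Populates {@link #user}: a synthetic user for {@code ADMIN_ID}, otherwise whatever the
     * realm's user manager returns for the submitted name (possibly {@code null}).
     *
     * @throws LoginException declared for subclasses; not thrown by the visible code
     */
    protected void initUser() throws LoginException {
        // The submitted name is written to the debug log as-is.
        // NOTE(review): confirm the log layout neutralises line breaks in user-supplied values.
        if (!SecurityConstants.ADMIN_ID.equals(this.f123name)) {
            this.log.debug("initializing user {}", this.f123name);
        }
        if (isAdmin()) {
            // SECURITY: the synthetic admin user's password property is derived from the
            // ADMIN_ID constant itself (Base64 of its bytes), i.e. a fixed value compiled into
            // the module rather than a secret held in the user store.
            // NOTE(review): presumably MgnlUser decodes this property in getPassword(); confirm,
            // and confirm this module is reachable only for in-process repository logins,
            // because setEntity() grants an admin principal to this name.
            HashMap hashMap = new HashMap();
            hashMap.put(MgnlUserManager.PROPERTY_PASSWORD, new String(Base64.encodeBase64(SecurityConstants.ADMIN_ID.getBytes())));
            this.user = new MgnlUser(this.f123name, null, Collections.EMPTY_LIST, Collections.EMPTY_LIST, hashMap);
        } else {
            long currentTimeMillis = System.currentTimeMillis();
            this.user = getUserManager().getUser(this.f123name);
            // The name cannot equal ADMIN_ID in this branch (isAdmin() was false), so the
            // timing message is always logged.
            this.log.debug("initialized user {} in {}ms", this.f123name, Long.valueOf(System.currentTimeMillis() - currentTimeMillis));
        }
    }

    /**
     * Compares the submitted password with the value returned by {@code user.getPassword()}.
     *
     * <p>The comparison does not stop at the first differing character, so its duration does
     * not depend on how many leading characters of the submitted value are correct. Whether the
     * stored value is a hash or clear text is not visible from this class.
     *
     * @throws FailedLoginException if the stored password is empty, no password was submitted,
     *     or the two values differ
     */
    protected void matchPassword() throws LoginException {
        String password = this.user.getPassword();
        if (StringUtils.isEmpty(password)) {
            throw new FailedLoginException("we do not allow users with no password");
        }
        // A missing submitted password is a failed login, not a NullPointerException.
        if (this.pswd == null) {
            throw new FailedLoginException("passwords do not match");
        }
        // Copying the submitted secret into a String leaves it on the heap until collected;
        // kept because the stored value is only available as a String here.
        if (!constantTimeEquals(password, new String(this.pswd))) {
            throw new FailedLoginException("passwords do not match");
        }
    }

    /**
     * Compares two strings without returning early on the first mismatch.
     *
     * <p>The loop length follows {@code actual} (the submitted value), so the running time
     * depends on the submitted length only, not on the expected value's content.
     *
     * @param expected the stored value
     * @param actual the submitted value
     * @return {@code true} if both strings have the same length and the same characters
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        int expectedLength = expected.length();
        int actualLength = actual.length();
        if (expectedLength == 0) {
            return actualLength == 0;
        }
        int diff = expectedLength ^ actualLength;
        for (int i = 0; i < actualLength; i++) {
            diff |= expected.charAt(i % expectedLength) ^ actual.charAt(i);
        }
        return diff == 0;
    }

    /**
     * Adds principals for the login name to the subject.
     *
     * <p>For {@code ADMIN_ID} only the admin principal is added. For every other name the user,
     * the realm and the user's group and role names are added as well.
     * SECURITY: the admin principal is selected by account name alone ({@code ADMIN_ID} or the
     * literal {@code "superuser"}); no role or group is consulted.
     * NOTE(review): this relies on the base class calling validateUser() first - confirm.
     */
    @Override // info.magnolia.jaas.sp.AbstractLoginModule
    public void setEntity() {
        if (isAdmin()) {
            this.subject.getPrincipals().add(new MagnoliaJRAdminPrincipal(this.f123name));
            return;
        }
        if ("superuser".equals(this.f123name)) {
            this.subject.getPrincipals().add(new MagnoliaJRAdminPrincipal(this.f123name));
        } else {
            this.subject.getPrincipals().add(new UserPrincipal(this.f123name));
        }
        this.subject.getPrincipals().add(this.user);
        this.subject.getPrincipals().add(this.realm);
        collectGroupNames();
        collectRoleNames();
    }

    /**
     * @return {@code true} if the submitted name is non-null and equals {@code ADMIN_ID}
     */
    private boolean isAdmin() {
        return this.f123name != null && this.f123name.equals(SecurityConstants.ADMIN_ID);
    }

    /** Intentionally empty: this module sets no ACL. */
    @Override // info.magnolia.jaas.sp.AbstractLoginModule
    public void setACL() {
    }

    /** Registers every role name of the current user via {@code addRoleName}. */
    public void collectRoleNames() {
        for (String roleName : this.user.getAllRoles()) {
            addRoleName(roleName);
        }
    }

    /** Registers every group name of the current user via {@code addGroupName}. */
    public void collectGroupNames() {
        for (String groupName : this.user.getAllGroups()) {
            addGroupName(groupName);
        }
    }

    /**
     * @return the user resolved by {@link #initUser()}, or {@code null} if none was resolved
     */
    @Override // info.magnolia.jaas.sp.UserAwareLoginModule
    public User getUser() {
        return this.user;
    }
}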
