package info.magnolia.jaas.sp.jcr;

import info.magnolia.cms.security.MgnlUser;
import info.magnolia.cms.security.SecuritySupport;
import info.magnolia.cms.security.SecurityUtil;
import info.magnolia.cms.security.User;
import info.magnolia.cms.security.UserManager;
import info.magnolia.jaas.sp.AbstractLoginModule;
import info.magnolia.jaas.sp.UserAwareLoginModule;
import java.io.Serializable;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.Iterator;
import java.util.TimeZone;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.jackrabbit.value.ValueFactoryImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:info/magnolia/jaas/sp/jcr/JCRAuthenticationModule.class */
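/**
 * Login module that authenticates the submitted name and password against the
 * {@link UserManager} of the configured realm and, on success, publishes the user,
 * its realm, and its group and role names on the subject.
 *
 * <p>Failed-login throttling is active only when the resolved user is a
 * {@link MgnlUser} and the realm's user manager reports a maximum attempt count
 * greater than zero. The {@code "anonymous"} user is always exempt.
 *
 * <p>Review notes for integrators:
 * <ul>
 *   <li>{@link #validateUser()} and {@link #matchPassword()} raise different exception
 *       types and messages for "unknown account", "locked account" and "wrong password".
 *       Whatever renders the login failure should collapse these into one generic
 *       message so the response does not reveal which accounts exist or are locked.</li>
 *   <li>A stored password that passes the Base64 alphabet check is treated as a
 *       Base64-<em>encoded</em> plaintext, not a hash. Such records are recoverable
 *       by anyone who can read the user store and should be migrated to the bcrypt
 *       form handled by {@link SecurityUtil#matchBCrypted}.</li>
 * </ul>
 */
public class JCRAuthenticationModule extends AbstractLoginModule implements UserAwareLoginModule, Serializable {
    private static final Logger log = LoggerFactory.getLogger(JCRAuthenticationModule.class);

    /** Name of the account that is exempt from lockout and last-access bookkeeping. */
    private static final String ANONYMOUS_USER = "anonymous";
    private static final String PROP_FAILED_ATTEMPTS = "failedLoginAttempts";
    private static final String PROP_ENABLED = "enabled";
    private static final String PROP_RELEASE_TIME = "releaseTime";

    /** User resolved by {@link #initUser()}; {@code null} until then or when the lookup finds nothing. */
    protected User user;

    /**
     * Returns the failed-attempt limit reported by the user manager of the user's realm.
     *
     * @return the configured limit, or {@code 0} when the current user is not a {@link MgnlUser}
     */
    public int getMaxAttempts() {
        if (!(this.user instanceof MgnlUser)) {
            return 0;
        }
        return SecuritySupport.Factory.getInstance().getUserManager(this.user.getRealm()).getMaxFailedLoginAttempts();
    }

    /**
     * Returns the lock period reported by the user manager of the user's realm.
     * {@link #matchPassword()} interprets the value as minutes.
     *
     * @return the configured period, or {@code 0} when the current user is not a {@link MgnlUser}
     */
    public long getTimeLock() {
        if (!(this.user instanceof MgnlUser)) {
            return 0L;
        }
        return SecuritySupport.Factory.getInstance().getUserManager(this.user.getRealm()).getLockTimePeriod();
    }

    /**
     * Resolves the user, rejects unknown or disabled accounts, verifies the password and,
     * for every user except {@code "anonymous"}, records the access time.
     *
     * @throws AccountNotFoundException when no user exists for the submitted name
     * @throws AccountLockedException when the user exists but is not enabled
     * @throws LoginException when {@link #matchPassword()} rejects the attempt
     */
    @Override
    public void validateUser() throws LoginException {
        initUser();
        if (this.user == null) {
            throw new AccountNotFoundException("User account " + this.name + " not found.");
        }
        // The enabled check runs before the password check, so a disabled account is
        // reported as locked even to a caller who does not know the password.
        if (!this.user.isEnabled()) {
            throw new AccountLockedException("User account " + this.name + " is locked.");
        }
        matchPassword();
        if (!ANONYMOUS_USER.equals(this.user.getName())) {
            getUserManager().updateLastAccessTimestamp(this.user);
        }
    }

    /** Looks up the user manager registered for the name of the module's realm. */
    private UserManager getUserManager() {
        log.debug("getting user manager for realm {}", this.realm.getName());
        return SecuritySupport.Factory.getInstance().getUserManager(this.realm.getName());
    }

    /**
     * Loads the user for the submitted name into {@link #user} and logs how long the lookup took.
     *
     * @throws LoginException declared for subclasses; this implementation does not throw it itself
     */
    protected void initUser() throws LoginException {
        log.debug("initializing user {}", this.name);
        long startedAt = System.currentTimeMillis();
        this.user = getUserManager().getUser(this.name);
        log.debug("initialized user {} in {}ms", this.name, Long.valueOf(System.currentTimeMillis() - startedAt));
    }

    /**
     * Verifies the submitted password against the stored one and maintains the
     * failed-attempt counter.
     *
     * <p>On a match the counter is cleared; on a mismatch it is incremented and, once the
     * limit is reached, the account is either disabled (no lock period configured) or
     * given a release time (lock period configured). The previous control flow returned
     * on a match without clearing the counter and cleared it on the mismatch path right
     * before throwing, which let repeated wrong guesses wipe their own count.
     *
     * @throws LoginException when the account is still inside a timed lock
     * @throws FailedLoginException when the stored password is empty or does not match
     */
    protected void matchPassword() throws LoginException {
        // getMaxAttempts() is 0 unless user is a MgnlUser, so the casts below are safe
        // whenever throttled is true.
        final boolean throttled = getMaxAttempts() > 0 && !ANONYMOUS_USER.equals(this.user.getName());

        if (throttled && getTimeLock() > 0) {
            rejectIfStillLocked((MgnlUser) this.user);
        }

        String storedPassword = this.user.getPassword();
        if (StringUtils.isEmpty(storedPassword)) {
            throw new FailedLoginException("Magnolia CMS does not allow login to users with no password.");
        }

        if (passwordMatches(storedPassword)) {
            if (throttled) {
                clearFailedAttempts((MgnlUser) this.user);
            }
            return;
        }

        if (throttled) {
            recordFailedAttempt((MgnlUser) this.user);
        }
        throw new FailedLoginException("Passwords do not match");
    }

    /** Throws when the user carries a release time that lies after the current time. */
    private void rejectIfStillLocked(MgnlUser lockedUser) throws LoginException {
        if (lockedUser.getReleaseTime() == null) {
            return;
        }
        GregorianCalendar now = new GregorianCalendar(TimeZone.getDefault());
        GregorianCalendar release = new GregorianCalendar(TimeZone.getDefault());
        release.clear();
        release.setTime(lockedUser.getReleaseTime().getTime());
        if (release.after(now)) {
            throw new LoginException("User account " + this.name + " is locked until " + lockedUser.getReleaseTime().getTime() + ".");
        }
    }

    /**
     * Compares the submitted password with the stored value.
     *
     * <p>A stored value made only of Base64 alphabet characters is decoded and compared
     * byte for byte with the submitted password; anything else is handed to
     * {@link SecurityUtil#matchBCrypted}.
     */
    private boolean passwordMatches(String storedPassword) {
        String submitted = new String(this.pswd);
        if (Base64.isArrayByteBase64(storedPassword.getBytes())) {
            // Legacy records: the store holds an encoded plaintext. MessageDigest.isEqual
            // is used so the comparison does not stop at the first differing byte.
            // NOTE(review): both sides use the platform default charset, as before;
            // confirm that matches how these records were written.
            return MessageDigest.isEqual(Base64.decodeBase64(storedPassword), submitted.getBytes());
        }
        return SecurityUtil.matchBCrypted(submitted, storedPassword);
    }

    /** Resets the failed-attempt counter after a successful login, if it is non-zero. */
    private void clearFailedAttempts(MgnlUser authenticatedUser) {
        if (authenticatedUser.getFailedLoginAttempts() > 0) {
            getUserManager().setProperty(authenticatedUser, PROP_FAILED_ATTEMPTS, ValueFactoryImpl.getInstance().createValue(0L));
        }
    }

    /**
     * Increments the failed-attempt counter and applies the lock once the limit is reached.
     */
    private void recordFailedAttempt(MgnlUser failedUser) {
        UserManager userManager = getUserManager();
        userManager.setProperty(failedUser, PROP_FAILED_ATTEMPTS, ValueFactoryImpl.getInstance().createValue(failedUser.getFailedLoginAttempts() + 1));

        // NOTE(review): the limit is checked against the value read back from failedUser;
        // whether that object reflects the write just made is not visible here - confirm,
        // otherwise the lock triggers one attempt later than configured.
        if (failedUser.getFailedLoginAttempts() < getMaxAttempts()) {
            return;
        }

        long lockMinutes = getTimeLock();
        if (lockMinutes <= 0) {
            // No lock period configured: disable the account until it is re-enabled.
            userManager.setProperty(failedUser, PROP_ENABLED, ValueFactoryImpl.getInstance().createValue(false));
            userManager.setProperty(failedUser, PROP_FAILED_ATTEMPTS, ValueFactoryImpl.getInstance().createValue(0L));
            // NOTE(review): name is presumably the submitted login name; make sure the log
            // layout neutralises line breaks so it cannot forge log entries.
            log.warn("Account {} was locked due to high number of failed login attempts.", this.name);
        } else {
            userManager.setProperty(failedUser, PROP_FAILED_ATTEMPTS, ValueFactoryImpl.getInstance().createValue(0L));
            GregorianCalendar releaseAt = new GregorianCalendar(TimeZone.getDefault());
            releaseAt.add(Calendar.MINUTE, (int) lockMinutes);
            userManager.setProperty(failedUser, PROP_RELEASE_TIME, ValueFactoryImpl.getInstance().createValue(releaseAt));
            log.warn("Account {} was locked for {} minute(s) due to high number of failed login attempts.", this.name, Long.valueOf(lockMinutes));
        }
    }

    /** Adds the user and realm as principals of the subject, then its group and role names. */
    @Override
    public void setEntity() {
        this.subject.getPrincipals().add(this.user);
        this.subject.getPrincipals().add(this.realm);
        collectGroupNames();
        collectRoleNames();
    }

    /** Intentionally empty: this module contributes no ACL. */
    @Override
    public void setACL() {
    }

    /** Registers every role name returned by {@code user.getAllRoles()} via {@code addRoleName}. */
    public void collectRoleNames() {
        for (Object roleName : this.user.getAllRoles()) {
            addRoleName((String) roleName);
        }
    }

    /** Registers every group name returned by {@code user.getAllGroups()} via {@code addGroupName}. */
    public void collectGroupNames() {
        for (Object groupName : this.user.getAllGroups()) {
            addGroupName((String) groupName);
        }
    }

    /** Returns the user resolved by {@link #initUser()}, or {@code null} if none was resolved. */
    @Override
    public User getUser() {
        return this.user;
    }
}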
