package com.mirth.connect.plugins.httpauth.digest;

import com.mirth.connect.donkey.model.message.ConnectorMessage;
import com.mirth.connect.donkey.util.MessageMaps;
import com.mirth.connect.plugins.httpauth.AuthenticationResult;
import com.mirth.connect.plugins.httpauth.Authenticator;
import com.mirth.connect.plugins.httpauth.RequestInfo;
import com.mirth.connect.plugins.httpauth.digest.DigestHttpAuthProperties;
import com.mirth.connect.server.channel.MirthMessageMaps;
import com.mirth.connect.server.util.TemplateValueReplacer;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.collections4.map.CaseInsensitiveMap;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.util.QuotedStringTokenizer;
import org.eclipse.jetty.util.TypeUtil;

/* loaded from: input_file:com/mirth/connect/plugins/httpauth/digest/DigestAuthenticator.class */
public class DigestAuthenticator extends Authenticator {
    private static final String USERNAME = "username";
    private static final String REALM = "realm";
    private static final String DOMAIN = "domain";
    private static final String URI = "uri";
    private static final String NONCE = "nonce";
    private static final String NONCE_COUNT = "nc";
    private static final String CLIENT_NONCE = "cnonce";
    private static final String ALGORITHM = "algorithm";
    private static final String QOP = "qop";
    private static final String RESPONSE = "response";
    private static final String OPAQUE = "opaque";
    private static final String STALE = "stale";
    private static final long MAX_NONCE_AGE = 60000000000L;
    private static final int MAX_NONCE_COUNT = 1024;
    private DigestAuthenticatorProvider provider;
    private MessageMaps messageMaps;
    private Logger logger = LogManager.getLogger(getClass());
    private TemplateValueReplacer replacer = new TemplateValueReplacer();
    private SecureRandom rng = new SecureRandom();
    private Map<String, Nonce> nonceMap = new ConcurrentHashMap();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/mirth/connect/plugins/httpauth/digest/DigestAuthenticator$Nonce.class */
    public class Nonce {
        private String value;
        private String opaque;
        private long created;
        private long count;

        public Nonce(String str) {
            this.opaque = StringUtils.trimToEmpty(str);
            byte[] bArr = new byte[24];
            DigestAuthenticator.this.rng.nextBytes(bArr);
            this.value = new String(Base64.encodeBase64(bArr), StandardCharsets.ISO_8859_1);
            this.created = System.nanoTime();
            this.count = 0L;
        }

        public String getValue() {
            return this.value;
        }

        public String getOpaque() {
            return this.opaque;
        }

        public boolean isExpired() {
            return System.nanoTime() - this.created > DigestAuthenticator.MAX_NONCE_AGE;
        }

        public synchronized Status incrementCount() {
            this.count++;
            return this.count <= 1024 ? Status.VALID : Status.STALE;
        }

        public synchronized Status updateCount(long j) {
            if (j <= this.count) {
                return Status.INVALID;
            }
            this.count = j;
            return this.count > 1024 ? Status.STALE : Status.VALID;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/mirth/connect/plugins/httpauth/digest/DigestAuthenticator$Status.class */
    public enum Status {
        VALID,
        INVALID,
        STALE
    }

    public DigestAuthenticator(DigestAuthenticatorProvider digestAuthenticatorProvider) {
        this.provider = digestAuthenticatorProvider;
        this.messageMaps = new MirthMessageMaps(digestAuthenticatorProvider.getConnector().getChannelId());
    }

    DigestAuthenticator(DigestAuthenticatorProvider digestAuthenticatorProvider, MessageMaps messageMaps) {
        this.provider = digestAuthenticatorProvider;
        this.messageMaps = messageMaps;
    }

    @Override // com.mirth.connect.plugins.httpauth.Authenticator
    public AuthenticationResult authenticate(RequestInfo requestInfo) {
        String digest;
        String digest2;
        String digest3;
        char charAt;
        DigestHttpAuthProperties replacedProperties = getReplacedProperties(requestInfo);
        List<String> list = requestInfo.getHeaders().get(HttpHeader.AUTHORIZATION.asString());
        CaseInsensitiveMap caseInsensitiveMap = new CaseInsensitiveMap();
        String str = null;
        String str2 = null;
        String str3 = "";
        Status status = Status.INVALID;
        if (CollectionUtils.isNotEmpty(list)) {
            QuotedStringTokenizer quotedStringTokenizer = new QuotedStringTokenizer(list.iterator().next(), "=, ", true, false);
            String str4 = null;
            String str5 = null;
            while (quotedStringTokenizer.hasMoreTokens()) {
                String nextToken = quotedStringTokenizer.nextToken();
                if (nextToken.length() != 1 || ((charAt = nextToken.charAt(0)) != '=' && charAt != ',' && charAt != ' ')) {
                    if (str4 != null) {
                        caseInsensitiveMap.put(str4, nextToken);
                        str4 = null;
                    }
                    str5 = nextToken;
                } else if (charAt == '=') {
                    str4 = str5;
                } else if (charAt == ',') {
                    str4 = null;
                }
            }
            str = (String) caseInsensitiveMap.get(NONCE);
            str2 = (String) caseInsensitiveMap.get(NONCE_COUNT);
            if (StringUtils.isNotBlank(str)) {
                Nonce nonce = this.nonceMap.get(str);
                if (nonce != null) {
                    str3 = nonce.getOpaque();
                    if (nonce.isExpired()) {
                        status = Status.STALE;
                    } else if (StringUtils.isNotBlank(str2)) {
                        try {
                            status = nonce.updateCount(Long.parseLong(str2, 16));
                        } catch (NumberFormatException e) {
                        }
                    } else {
                        status = nonce.incrementCount();
                    }
                } else {
                    status = Status.STALE;
                }
            }
        }
        cleanupNonces();
        if (status != Status.INVALID) {
            try {
                String str6 = (String) caseInsensitiveMap.get(USERNAME);
                String str7 = (String) caseInsensitiveMap.get(REALM);
                String str8 = (String) caseInsensitiveMap.get(URI);
                String str9 = (String) caseInsensitiveMap.get(RESPONSE);
                String str10 = (String) caseInsensitiveMap.get(CLIENT_NONCE);
                String str11 = (String) caseInsensitiveMap.get(QOP);
                String str12 = (String) caseInsensitiveMap.get(ALGORITHM);
                String trimToEmpty = StringUtils.trimToEmpty((String) caseInsensitiveMap.get(OPAQUE));
                if (StringUtils.isBlank(str6)) {
                    throw new Exception("Username missing.");
                }
                if (StringUtils.isBlank(str7)) {
                    throw new Exception("Realm missing.");
                }
                if (str8 == null) {
                    throw new Exception("URI missing.");
                }
                if (StringUtils.isBlank(str9)) {
                    throw new Exception("Response digest missing.");
                }
                String requestURI = requestInfo.getRequestURI();
                if (StringUtils.isEmpty(str8) && StringUtils.equals(requestURI, "/")) {
                    requestURI = "";
                }
                if (!StringUtils.equalsIgnoreCase(replacedProperties.getRealm(), str7)) {
                    throw new Exception("Realm \"" + str7 + "\" does not match expected realm \"" + replacedProperties.getRealm() + "\".");
                }
                if (!StringUtils.equalsIgnoreCase(requestURI, str8)) {
                    throw new Exception("URI \"" + str8 + "\" does not match the request URI \"" + requestURI + "\".");
                }
                if (!StringUtils.equals(trimToEmpty, str3)) {
                    throw new Exception("Opaque value \"" + trimToEmpty + "\" does not match the expected value \"" + replacedProperties.getOpaque() + "\".");
                }
                String str13 = getCredentials(replacedProperties).get(str6);
                if (str13 == null) {
                    throw new Exception("Credentials for username " + str6 + " not found.");
                }
                if (str12 == null || (StringUtils.equalsIgnoreCase(str12, DigestHttpAuthProperties.Algorithm.MD5.toString()) && replacedProperties.getAlgorithms().contains(DigestHttpAuthProperties.Algorithm.MD5))) {
                    digest = digest(str6, str7, str13);
                } else {
                    if (!StringUtils.equalsIgnoreCase(str12, DigestHttpAuthProperties.Algorithm.MD5_SESS.toString()) || !replacedProperties.getAlgorithms().contains(DigestHttpAuthProperties.Algorithm.MD5_SESS)) {
                        throw new Exception("Algorithm \"" + str12 + "\" not supported.");
                    }
                    if (StringUtils.isBlank(str10)) {
                        throw new Exception("Client nonce missing.");
                    }
                    digest = digest(digest(str6, str7, str13), str, str10);
                }
                if (str11 == null || (StringUtils.equalsIgnoreCase(str11, DigestHttpAuthProperties.QOPMode.AUTH.toString()) && replacedProperties.getQopModes().contains(DigestHttpAuthProperties.QOPMode.AUTH))) {
                    digest2 = digest(requestInfo.getMethod(), str8);
                } else {
                    if (!StringUtils.equalsIgnoreCase(str11, DigestHttpAuthProperties.QOPMode.AUTH_INT.toString()) || !replacedProperties.getQopModes().contains(DigestHttpAuthProperties.QOPMode.AUTH_INT)) {
                        throw new Exception("Quality of protection mode \"" + str11 + "\" not supported.");
                    }
                    digest2 = digest(requestInfo.getMethod(), str8, digest(requestInfo.getEntityProvider().getEntity()));
                }
                if (str11 == null) {
                    digest3 = digest(digest, str, digest2);
                } else {
                    if (StringUtils.isBlank(str2)) {
                        throw new Exception("Nonce count missing.");
                    }
                    if (StringUtils.isBlank(str10)) {
                        throw new Exception("Client nonce missing.");
                    }
                    digest3 = digest(digest, str, str2, str10, str11, digest2);
                }
                if (this.logger.isTraceEnabled()) {
                    this.logger.trace("H(A1): " + digest);
                    this.logger.trace("H(A2): " + digest2);
                    this.logger.trace("response: " + digest3);
                }
                if (!StringUtils.equalsIgnoreCase(digest3, str9)) {
                    throw new Exception("Response digest \"" + str9 + "\" does not match expected digest \"" + digest3 + "\".");
                }
                if (status == Status.VALID) {
                    return AuthenticationResult.Success(str6, str7);
                }
            } catch (Exception e2) {
                this.logger.debug("Error validating digest response.", e2);
                status = Status.INVALID;
            }
        }
        Nonce nonce2 = new Nonce(replacedProperties.getOpaque());
        this.nonceMap.put(nonce2.getValue(), nonce2);
        String str14 = "/";
        try {
            str14 = new URI(requestInfo.getRequestURI()).getPath();
        } catch (URISyntaxException e3) {
        }
        HashMap hashMap = new HashMap();
        hashMap.put(REALM, replacedProperties.getRealm());
        hashMap.put(DOMAIN, str14);
        hashMap.put(NONCE, nonce2.getValue());
        hashMap.put(ALGORITHM, StringUtils.join(replacedProperties.getAlgorithms(), ','));
        if (CollectionUtils.isNotEmpty(replacedProperties.getQopModes())) {
            hashMap.put(QOP, StringUtils.join(replacedProperties.getQopModes(), ','));
        }
        if (StringUtils.isNotBlank(nonce2.getOpaque())) {
            hashMap.put(OPAQUE, nonce2.getOpaque());
        }
        if (status == Status.STALE) {
            hashMap.put(STALE, "true");
        }
        StringBuilder sb = new StringBuilder("Digest ");
        Iterator it = hashMap.entrySet().iterator();
        while (it.hasNext()) {
            Map.Entry entry = (Map.Entry) it.next();
            sb.append((String) entry.getKey());
            sb.append("=\"");
            sb.append((String) entry.getValue());
            sb.append('\"');
            if (it.hasNext()) {
                sb.append(", ");
            }
        }
        return AuthenticationResult.Challenged(sb.toString());
    }

    protected Map<String, String> getCredentials(DigestHttpAuthProperties digestHttpAuthProperties) {
        Map<String, String> credentialsMap;
        if (digestHttpAuthProperties.isUseCredentialsVariable()) {
            credentialsMap = new HashMap();
            try {
                Map map = (Map) this.messageMaps.get(digestHttpAuthProperties.getCredentialsVariable(), (ConnectorMessage) null);
                if (map != null) {
                    for (Map.Entry entry : map.entrySet()) {
                        credentialsMap.put(String.valueOf(entry.getKey()), String.valueOf(entry.getValue()));
                    }
                } else {
                    this.logger.warn("Credentials map variable '" + digestHttpAuthProperties.getCredentialsVariable() + "' not found.");
                }
            } catch (Exception e) {
                this.logger.warn("Error getting credentials from map " + digestHttpAuthProperties.getCredentialsVariable() + "'.", e);
            }
        } else {
            credentialsMap = digestHttpAuthProperties.getCredentialsMap();
        }
        return credentialsMap;
    }

    private void cleanupNonces() {
        Set<String> keySet = this.nonceMap.keySet();
        for (String str : (String[]) keySet.toArray(new String[keySet.size()])) {
            Nonce nonce = this.nonceMap.get(str);
            if (nonce != null && nonce.isExpired()) {
                this.nonceMap.remove(str);
            }
        }
    }

    private String digest(Object... objArr) throws NoSuchAlgorithmException, IOException {
        MessageDigest messageDigest = MessageDigest.getInstance("MD5");
        for (int i = 0; i < objArr.length; i++) {
            if (objArr[i] instanceof InputStream) {
                InputStream inputStream = (InputStream) objArr[i];
                byte[] bArr = new byte[MAX_NONCE_COUNT];
                while (true) {
                    int read = IOUtils.read(inputStream, bArr, 0, bArr.length);
                    if (read <= 0) {
                        break;
                    }
                    messageDigest.update(bArr, 0, read);
                }
            } else if (objArr[i] instanceof byte[]) {
                messageDigest.update((byte[]) objArr[i]);
            } else {
                messageDigest.update(String.valueOf(objArr[i]).getBytes(StandardCharsets.ISO_8859_1));
            }
            if (i < objArr.length - 1) {
                messageDigest.update((byte) 58);
            }
        }
        return TypeUtil.toString(messageDigest.digest(), 16);
    }

    private DigestHttpAuthProperties getReplacedProperties(RequestInfo requestInfo) {
        DigestHttpAuthProperties digestHttpAuthProperties = new DigestHttpAuthProperties(this.provider.getProperties());
        String channelId = this.provider.getConnector().getChannelId();
        String name = this.provider.getConnector().getChannel().getName();
        HashMap hashMap = new HashMap();
        requestInfo.populateMap(hashMap);
        digestHttpAuthProperties.setRealm(this.replacer.replaceValues(digestHttpAuthProperties.getRealm(), channelId, name, hashMap));
        digestHttpAuthProperties.setOpaque(this.replacer.replaceValues(digestHttpAuthProperties.getOpaque(), channelId, name, hashMap));
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        for (Map.Entry entry : digestHttpAuthProperties.getCredentialsMap().entrySet()) {
            String replaceValues = this.replacer.replaceValues((String) entry.getKey(), channelId, name, hashMap);
            if (StringUtils.isNotBlank(replaceValues)) {
                linkedHashMap.put(replaceValues, this.replacer.replaceValues((String) entry.getValue(), channelId, name, hashMap));
            }
        }
        digestHttpAuthProperties.setCredentialsMap(linkedHashMap);
        digestHttpAuthProperties.setCredentialsVariable(this.replacer.replaceValues(digestHttpAuthProperties.getCredentialsVariable(), hashMap));
        return digestHttpAuthProperties;
    }
}
