package org.apache.knox.gateway.shirorealm;

import java.util.LinkedHashSet;
import org.apache.knox.gateway.GatewayMessages;
import org.apache.knox.gateway.audit.api.AuditService;
import org.apache.knox.gateway.audit.api.AuditServiceFactory;
import org.apache.knox.gateway.audit.api.Auditor;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.shirorealm.impl.i18n.KnoxShiroMessages;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.crypto.hash.Hash;
import org.apache.shiro.crypto.hash.HashRequest;
import org.apache.shiro.crypto.hash.HashService;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.jvnet.libpam.PAM;
import org.jvnet.libpam.PAMException;
import org.jvnet.libpam.UnixUser;

/* loaded from: input_file:org/apache/knox/gateway/shirorealm/KnoxPamRealm.class */
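/**
 * Shiro realm that hands username/password verification to PAM (through libpam4j) and exposes
 * the authenticated Unix user's groups as Shiro roles.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The authentication decision is the one PAM returns for the configured service name; the
 *       {@link HashedCredentialsMatcher} installed by the constructor only re-checks a digest
 *       that this realm derives from the very credentials being submitted.</li>
 *   <li>The service name set through {@link #setService(String)} selects which PAM stack is
 *       consulted, so it should come from trusted configuration only.</li>
 * </ul>
 */
public class KnoxPamRealm extends AuthorizingRealm {
    private static final String HASHING_ALGORITHM = "SHA-256";
    private static final String SUBJECT_USER_ROLES = "subject.userRoles";
    private static final String SUBJECT_USER_GROUPS = "subject.userGroups";
    private final HashService hashService = new DefaultHashService();
    KnoxShiroMessages ShiroLog = (KnoxShiroMessages) MessagesFactory.get(KnoxShiroMessages.class);
    GatewayMessages GatewayLog = (GatewayMessages) MessagesFactory.get(GatewayMessages.class);
    private static final AuditService auditService = AuditServiceFactory.getAuditService();
    private static final Auditor auditor = auditService.getAuditor("audit", "knox", "knox");
    private String service;

    /** Creates the realm with a SHA-256 {@link HashedCredentialsMatcher}. */
    public KnoxPamRealm() {
        setCredentialsMatcher(new HashedCredentialsMatcher(HASHING_ALGORITHM));
    }

    /**
     * Sets the PAM service name passed to libpam when authenticating.
     *
     * @param str PAM service name
     */
    public void setService(String str) {
        this.service = str;
    }

    /**
     * Returns the PAM service name used for authentication.
     *
     * @return the configured service name, or {@code null} if none was set
     */
    public String getService() {
        return this.service;
    }

    /**
     * Builds the authorization info for an authenticated subject from its Unix groups.
     *
     * <p>The same group set is stored in the subject's session under both
     * {@code subject.userRoles} and {@code subject.userGroups}, and is returned as the role set.
     *
     * @param principalCollection principals of the authenticated subject
     * @return authorization info whose roles are the user's Unix groups (empty when the
     *     collection holds no {@link UnixUserPrincipal})
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        LinkedHashSet<String> groups = new LinkedHashSet<>();
        UnixUserPrincipal unixUserPrincipal = (UnixUserPrincipal) principalCollection.oneByType(UnixUserPrincipal.class);
        String userName = null;
        if (unixUserPrincipal != null) {
            groups.addAll(unixUserPrincipal.getUnixUser().getGroups());
            userName = unixUserPrincipal.getName();
        }
        // One mutable set instance is shared by both session attributes and the returned info.
        SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_ROLES, groups);
        SecurityUtils.getSubject().getSession().setAttribute(SUBJECT_USER_GROUPS, groups);
        this.GatewayLog.lookedUpUserRoles(groups, userName);
        return new SimpleAuthorizationInfo(groups);
    }

    /**
     * Authenticates a username/password token against PAM.
     *
     * @param authenticationToken the submitted token; cast to {@link UsernamePasswordToken}
     * @return authentication info carrying the {@link UnixUserPrincipal} and a SHA-256 digest of
     *     the submitted credentials
     * @throws AuthenticationException if no password was supplied, PAM rejects the login, or the
     *     digest cannot be computed
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) authenticationToken;
        char[] password = usernamePasswordToken.getPassword();
        if (password == null) {
            // Fail as an audited authentication error instead of an NPE from new String(null).
            handleAuthFailure(authenticationToken, "No password supplied", null);
        }
        UnixUser unixUser = null;
        PAM pam = null;
        try {
            pam = new PAM(getService());
            // libpam4j takes the password as a String, so an immutable copy that cannot be
            // zeroed afterwards is unavoidable at this call.
            unixUser = pam.authenticate(usernamePasswordToken.getUsername(), new String(password));
        } catch (PAMException e) {
            // handleAuthFailure always throws, so unixUser is never used while null.
            handleAuthFailure(authenticationToken, e.getMessage(), e);
        } finally {
            // Release the native PAM handle now rather than waiting for finalization.
            if (pam != null) {
                pam.dispose();
            }
        }
        // The digest is computed from the credentials that were just submitted, so the matcher's
        // comparison cannot fail on its own; PAM's answer above is the real decision.
        // NOTE(review): the returned info therefore carries a SHA-256 digest of the password
        // (presumably unsalted and single-pass with DefaultHashService defaults - confirm). If
        // authentication caching is enabled for this realm, verify where that cache is stored.
        Hash computeHash = this.hashService.computeHash(new HashRequest.Builder().setSource(authenticationToken.getCredentials()).setAlgorithmName(HASHING_ALGORITHM).build());
        if (computeHash == null) {
            handleAuthFailure(authenticationToken, "Failed to compute hash", null);
        }
        return new SimpleAuthenticationInfo(new UnixUserPrincipal(unixUser), computeHash.toHex(), computeHash.getSalt(), getName());
    }

    /**
     * Audits and logs a failed login, then aborts the attempt. This method never returns normally.
     *
     * @param authenticationToken the token of the failed attempt
     * @param str failure description written to the audit record
     * @param exc underlying exception, or {@code null} when the failure has no exception
     * @throws AuthenticationException always; wraps {@code exc} when it is non-null
     */
    private void handleAuthFailure(AuthenticationToken authenticationToken, String str, Exception exc) {
        // String.valueOf keeps a token without a principal from turning the failure path into an NPE.
        // NOTE(review): the principal is caller-supplied text; confirm the audit sink neutralises
        // line breaks and control characters before these records are relied on.
        auditor.audit("authentication", String.valueOf(authenticationToken.getPrincipal()), "principal", "failure", str);
        this.ShiroLog.failedLoginInfo(authenticationToken);
        if (exc == null) {
            throw new AuthenticationException(str);
        }
        // Fall back to the exception itself when it has no cause, so the log entry is not empty.
        Throwable logged = exc.getCause() != null ? exc.getCause() : exc;
        this.ShiroLog.failedLoginAttempt(logged);
        throw new AuthenticationException(exc);
    }
}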
