package org.apache.derby.impl.jdbc.authentication;

import java.security.AccessController;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.SQLWarning;
import java.util.Arrays;
import java.util.Properties;
import org.apache.derby.authentication.UserAuthenticator;
import org.apache.derby.catalog.SystemProcedures;
import org.apache.derby.iapi.error.SQLWarningFactory;
import org.apache.derby.iapi.error.StandardException;
import org.apache.derby.iapi.reference.Attribute;
import org.apache.derby.iapi.reference.Property;
import org.apache.derby.iapi.services.monitor.ModuleFactory;
import org.apache.derby.iapi.services.monitor.Monitor;
import org.apache.derby.iapi.services.property.PropertyUtil;
import org.apache.derby.iapi.sql.dictionary.DataDictionary;
import org.apache.derby.iapi.sql.dictionary.PasswordHasher;
import org.apache.derby.iapi.sql.dictionary.UserDescriptor;
import org.apache.derby.iapi.store.access.TransactionController;
import org.apache.derby.iapi.util.IdUtil;
import org.apache.derby.impl.jdbc.Util;
import org.apache.derby.jdbc.InternalDriver;
import org.apache.derby.shared.common.reference.SQLState;

/* loaded from: input_file:WEB-INF/lib/derby-10.14.1.0.jar:org/apache/derby/impl/jdbc/authentication/NativeAuthenticationServiceImpl.class */
public final class NativeAuthenticationServiceImpl extends AuthenticationServiceBase implements UserAuthenticator {
    private String _credentialsDB;
    private boolean _authenticateDatabaseOperationsLocally;
    private String _badlyFormattedPasswordProperty;
    private boolean _creatingCredentialsDB = false;
    private long _passwordLifetimeMillis = Property.AUTHENTICATION_NATIVE_PASSWORD_LIFETIME_DEFAULT;
    private double _passwordExpirationThreshold = 0.125d;

    @Override // org.apache.derby.iapi.services.monitor.ModuleSupportable
    public boolean canSupport(Properties properties) {
        if (!requireAuthentication(properties) || !PropertyUtil.nativeAuthenticationEnabled(properties)) {
            return false;
        }
        parseNativeSpecification(properties);
        return true;
    }

    private void parseNativeSpecification(Properties properties) {
        String propertyFromSet = PropertyUtil.getPropertyFromSet(properties, Property.AUTHENTICATION_PROVIDER_PARAMETER);
        this._authenticateDatabaseOperationsLocally = PropertyUtil.localNativeAuthenticationEnabled(properties);
        int indexOf = propertyFromSet.indexOf(":") + 1;
        int lastIndexOf = this._authenticateDatabaseOperationsLocally ? propertyFromSet.lastIndexOf(":") : propertyFromSet.length();
        if (lastIndexOf > indexOf) {
            this._credentialsDB = propertyFromSet.substring(indexOf, lastIndexOf);
            if (this._credentialsDB.length() == 0) {
                this._credentialsDB = null;
            }
        }
        this._badlyFormattedPasswordProperty = null;
        String propertyFromSet2 = PropertyUtil.getPropertyFromSet(properties, Property.AUTHENTICATION_NATIVE_PASSWORD_LIFETIME);
        if (propertyFromSet2 != null) {
            Long parsePasswordLifetime = parsePasswordLifetime(propertyFromSet2);
            if (parsePasswordLifetime != null) {
                this._passwordLifetimeMillis = parsePasswordLifetime.longValue();
            } else {
                this._badlyFormattedPasswordProperty = Property.AUTHENTICATION_NATIVE_PASSWORD_LIFETIME;
            }
        }
        String propertyFromSet3 = PropertyUtil.getPropertyFromSet(properties, Property.AUTHENTICATION_PASSWORD_EXPIRATION_THRESHOLD);
        if (propertyFromSet3 != null) {
            Double parsePasswordThreshold = parsePasswordThreshold(propertyFromSet3);
            if (parsePasswordThreshold != null) {
                this._passwordExpirationThreshold = parsePasswordThreshold.doubleValue();
            } else {
                this._badlyFormattedPasswordProperty = Property.AUTHENTICATION_PASSWORD_EXPIRATION_THRESHOLD;
            }
        }
    }

    private boolean validAuthenticationProvider() throws StandardException {
        boolean z = getServiceName() == null;
        if (this._credentialsDB != null) {
            if (getMonitor().getCanonicalServiceName(this._credentialsDB) == null) {
                throw StandardException.newException(SQLState.BAD_CREDENTIALS_DB_NAME, this._credentialsDB);
            }
            return true;
        }
        if (z) {
            return false;
        }
        return this._authenticateDatabaseOperationsLocally;
    }

    @Override // org.apache.derby.impl.jdbc.authentication.AuthenticationServiceBase, org.apache.derby.iapi.services.monitor.ModuleControl
    public void boot(boolean z, Properties properties) throws StandardException {
        super.boot(z, properties);
        if (!validAuthenticationProvider()) {
            throw StandardException.newException(SQLState.BAD_NATIVE_AUTH_SPEC, new Object[0]);
        }
        if (this._badlyFormattedPasswordProperty != null) {
            throw StandardException.newException(SQLState.BAD_PASSWORD_LIFETIME, this._badlyFormattedPasswordProperty);
        }
        try {
            MessageDigest.getInstance(Property.AUTHENTICATION_BUILTIN_ALGORITHM_FALLBACK).reset();
            if (z && authenticatingInThisService(getCanonicalServiceName())) {
                this._creatingCredentialsDB = true;
            } else {
                this._creatingCredentialsDB = false;
            }
            setAuthenticationService(this);
        } catch (NoSuchAlgorithmException e) {
            throw Monitor.exceptionStartingModule(e);
        }
    }

    @Override // org.apache.derby.impl.jdbc.authentication.AuthenticationServiceBase, org.apache.derby.iapi.jdbc.AuthenticationService
    public String getSystemCredentialsDatabaseName() {
        return this._credentialsDB;
    }

    @Override // org.apache.derby.authentication.UserAuthenticator
    public boolean authenticateUser(String str, String str2, String str3, Properties properties) throws SQLException {
        if (str == null || str2 == null) {
            return false;
        }
        if (str3 != null) {
            try {
                if (authenticatingInThisDatabase(str3)) {
                    return authenticateLocally(str, str2, str3);
                }
            } catch (StandardException e) {
                throw Util.generateCsSQLException(e);
            }
        }
        return authenticateRemotely(str, str2, str3);
    }

    private boolean authenticatingInThisDatabase(String str) throws StandardException {
        return authenticatingInThisService(getMonitor().getCanonicalServiceName(str));
    }

    private boolean authenticatingInThisService(String str) throws StandardException {
        if (this._authenticateDatabaseOperationsLocally) {
            return true;
        }
        return isCredentialsService(str);
    }

    private boolean isCredentialsService(String str) throws StandardException {
        String canonicalServiceName = getCanonicalServiceName(this._credentialsDB);
        getMonitor().getCanonicalServiceName(str);
        if (canonicalServiceName == null) {
            return false;
        }
        return canonicalServiceName.equals(str);
    }

    private String getCanonicalServiceName() throws StandardException {
        return getCanonicalServiceName(getServiceName());
    }

    private String getCanonicalServiceName(String str) throws StandardException {
        return getMonitor().getCanonicalServiceName(str);
    }

    private boolean authenticateRemotely(String str, String str2, String str3) throws StandardException, SQLWarning {
        if (this._credentialsDB == null) {
            throw StandardException.newException(SQLState.BAD_NATIVE_AUTH_SPEC, new Object[0]);
        }
        try {
            Properties properties = new Properties();
            properties.setProperty("user", str);
            properties.setProperty("password", str2);
            Connection connect = InternalDriver.activeDriver().connect(Attribute.PROTOCOL + this._credentialsDB, properties, 0);
            SQLWarning warnings = connect.getWarnings();
            connect.close();
            if (warnings != null) {
                throw warnings;
            }
            return true;
        } catch (SQLException e) {
            String sQLState = e.getSQLState();
            if (SQLState.LOGIN_FAILED.equals(sQLState)) {
                return false;
            }
            if (SQLState.DATABASE_NOT_FOUND.startsWith(sQLState)) {
                throw StandardException.newException(SQLState.MISSING_CREDENTIALS_DB, this._credentialsDB);
            }
            throw wrap(e);
        }
    }

    private StandardException wrap(Throwable th) {
        return StandardException.plainWrapException(th);
    }

    private boolean authenticateLocally(String str, String str2, String str3) throws StandardException, SQLException {
        String userAuthorizationId = IdUtil.getUserAuthorizationId(str);
        if (this._creatingCredentialsDB) {
            this._creatingCredentialsDB = false;
            TransactionController transaction = getTransaction();
            SystemProcedures.addUser(userAuthorizationId, str2, transaction);
            transaction.commit();
            return true;
        }
        DataDictionary dataDictionary = (DataDictionary) AuthenticationServiceBase.getServiceModule(this, "org.apache.derby.iapi.sql.dictionary.DataDictionary");
        UserDescriptor user = dataDictionary.getUser(userAuthorizationId);
        if (user == null) {
            dataDictionary.makePasswordHasher(getDatabaseProperties()).hashPasswordIntoString(userAuthorizationId, str2).toCharArray();
            return false;
        }
        char[] charArray = new PasswordHasher(user.getHashingScheme()).hashPasswordIntoString(userAuthorizationId, str2).toCharArray();
        char[] andZeroPassword = user.getAndZeroPassword();
        if (charArray == null || andZeroPassword == null) {
            if (charArray != null) {
                Arrays.fill(charArray, (char) 0);
            }
            if (andZeroPassword != null) {
                Arrays.fill(andZeroPassword, (char) 0);
            }
            return false;
        }
        try {
            if (charArray.length != andZeroPassword.length) {
                return false;
            }
            for (int i = 0; i < charArray.length; i++) {
                if (charArray[i] != andZeroPassword[i]) {
                    if (charArray != null) {
                        Arrays.fill(charArray, (char) 0);
                    }
                    if (andZeroPassword != null) {
                        Arrays.fill(andZeroPassword, (char) 0);
                    }
                    return false;
                }
            }
            if (charArray != null) {
                Arrays.fill(charArray, (char) 0);
            }
            if (andZeroPassword != null) {
                Arrays.fill(andZeroPassword, (char) 0);
            }
            if (this._passwordLifetimeMillis <= 0) {
                return true;
            }
            long currentTimeMillis = this._passwordLifetimeMillis - (System.currentTimeMillis() - user.getLastModified().getTime());
            if (currentTimeMillis <= 0) {
                if (!dataDictionary.getAuthorizationDatabaseOwner().equals(userAuthorizationId)) {
                    return false;
                }
                currentTimeMillis = 0;
            }
            if (currentTimeMillis > ((long) (this._passwordLifetimeMillis * this._passwordExpirationThreshold))) {
                return true;
            }
            if (dataDictionary.getAuthorizationDatabaseOwner().equals(userAuthorizationId)) {
                throw SQLWarningFactory.newSQLWarning(SQLState.DBO_PASSWORD_EXPIRES_SOON, str3);
            }
            throw SQLWarningFactory.newSQLWarning(SQLState.PASSWORD_EXPIRES_SOON, Long.toString(currentTimeMillis / 86400000), str3);
        } finally {
            if (charArray != null) {
                Arrays.fill(charArray, (char) 0);
            }
            if (andZeroPassword != null) {
                Arrays.fill(andZeroPassword, (char) 0);
            }
        }
    }

    private static ModuleFactory getMonitor() {
        return (ModuleFactory) AccessController.doPrivileged(new PrivilegedAction<ModuleFactory>() { // from class: org.apache.derby.impl.jdbc.authentication.NativeAuthenticationServiceImpl.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public ModuleFactory run() {
                return Monitor.getMonitor();
            }
        });
    }

    private static String getServiceName(final Object obj) {
        return (String) AccessController.doPrivileged(new PrivilegedAction<String>() { // from class: org.apache.derby.impl.jdbc.authentication.NativeAuthenticationServiceImpl.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public String run() {
                return Monitor.getServiceName(obj);
            }
        });
    }
}
