package com.liferay.portal.security.auth.tunnel;

import com.liferay.petra.encryptor.Encryptor;
import com.liferay.petra.encryptor.EncryptorException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.model.User;
import com.liferay.portal.kernel.security.auth.AuthException;
import com.liferay.portal.kernel.security.auth.RemoteAuthException;
import com.liferay.portal.kernel.security.auth.http.HttpAuthManagerUtil;
import com.liferay.portal.kernel.security.auth.http.HttpAuthorizationHeader;
import com.liferay.portal.kernel.security.auth.tunnel.TunnelAuthenticationManager;
import com.liferay.portal.kernel.service.UserLocalServiceUtil;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.util.PortalInstances;
import com.liferay.portal.util.PropsValues;
import java.net.HttpURLConnection;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.MessageDigest;
import java.util.Objects;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;

/* loaded from: input_file:com/liferay/portal/security/auth/tunnel/TunnelAuthenticationManagerImpl.class */
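/**
 * Authenticates tunnel requests with a key derived from {@code tunneling.servlet.shared.secret}.
 *
 * <p>The sender ({@link #setCredentials}) puts the login in the username parameter of a
 * {@code Basic}-scheme {@code Authorization} header and the login encrypted under the shared key in the
 * {@code password} parameter. The receiver ({@link #getUserId}) re-encrypts the received login and
 * compares the result with the received token.</p>
 *
 * <p>Security properties that follow from the code in this class:</p>
 * <ul>
 * <li>The token is a function of the login and the shared key only (no timestamp, nonce or request
 * binding), and verification is an equality check against a fresh encryption. A captured header
 * therefore stays valid for that login until the shared secret is rotated; the transport must be
 * confidential (TLS) and access to the tunnel endpoint should be restricted.</li>
 * <li>Whoever holds the shared secret can produce a valid token for any login, so the secret must be
 * protected like a credential for every account reachable through {@link #getUserId}.</li>
 * </ul>
 */
public class TunnelAuthenticationManagerImpl implements TunnelAuthenticationManager {
    private static final Log _log = LogFactoryUtil.getLog(TunnelAuthenticationManagerImpl.class);

    /**
     * Resolves the user a tunnel request is authenticated as.
     *
     * @param httpServletRequest the incoming request carrying the authorization header
     * @return the matching user's id, or {@code 0} when the request has no parsable authorization
     *         header
     * @throws AuthException (as {@code RemoteAuthException}) when the scheme is not {@code Basic}, the
     *         token does not match, the shared secret is missing or invalid, encryption fails, or no
     *         user matches the login
     */
    @Override
    public long getUserId(HttpServletRequest httpServletRequest) throws AuthException {
        HttpAuthorizationHeader authorizationHeader = HttpAuthManagerUtil.parse(httpServletRequest);
        if (authorizationHeader == null) {
            return 0L;
        }
        String scheme = authorizationHeader.getScheme();
        if (!StringUtil.equalsIgnoreCase(scheme, "Basic")) {
            RemoteAuthException invalidScheme = new RemoteAuthException("Invalid scheme " + scheme);
            invalidScheme.setType(1);
            throw invalidScheme;
        }
        String login = authorizationHeader.getAuthParameter(HttpAuthorizationHeader.AUTH_PARAMETER_NAME_USERNAME);
        String suppliedToken = authorizationHeader.getAuthParameter("password");
        try {
            // Resolve the key first so a missing or malformed secret is still reported as such.
            Key sharedSecretKey = getSharedSecretKey();

            // Fail closed when either credential parameter is absent, and compare the tokens without
            // an early exit so response time does not reveal how many leading characters matched.
            if (login == null || !_tokensMatch(Encryptor.encrypt(sharedSecretKey, login), suppliedToken)) {
                RemoteAuthException wrongToken = new RemoteAuthException();
                // NOTE(review): 101 is presumably the "wrong shared secret" code; confirm against the
                // constants on RemoteAuthException.
                wrongToken.setType(101);
                throw wrongToken;
            }

            // The login is tried as a numeric user id first, then as an e-mail address, then as a
            // screen name within the request's company.
            // NOTE(review): a login that is all digits is matched against user ids before screen
            // names; confirm screen names cannot collide with another account's id.
            User user = UserLocalServiceUtil.fetchUser(GetterUtil.getLong(login));
            if (user == null) {
                long companyId = PortalInstances.getCompanyId(httpServletRequest);
                user = UserLocalServiceUtil.fetchUserByEmailAddress(companyId, login);
                if (user == null) {
                    user = UserLocalServiceUtil.fetchUserByScreenName(companyId, login);
                }
            }
            if (user != null) {
                return user.getUserId();
            }
            RemoteAuthException unknownUser = new RemoteAuthException("Unable to find user " + login);
            unknownUser.setType(1);
            throw unknownUser;
        } catch (EncryptorException encryptorException) {
            RemoteAuthException wrapped = new RemoteAuthException(encryptorException);
            wrapped.setType(1);
            throw wrapped;
        } catch (AuthException authException) {
            // Also reached by the exceptions thrown inside the try block; the type code is carried
            // over to the wrapper.
            RemoteAuthException wrapped = new RemoteAuthException(authException);
            wrapped.setType(authException.getType());
            throw wrapped;
        }
    }

    /**
     * Adds the tunnel {@code Authorization} header for {@code str} to an outgoing connection.
     *
     * @param str the login to authenticate as; must not be blank
     * @param httpURLConnection the connection that receives the header
     * @throws IllegalArgumentException if {@code str} is blank
     * @throws Exception if the shared secret is unusable or encryption fails
     */
    @Override
    public void setCredentials(String str, HttpURLConnection httpURLConnection) throws Exception {
        if (Validator.isBlank(str)) {
            throw new IllegalArgumentException("Login is null");
        }
        HttpAuthorizationHeader authorizationHeader = new HttpAuthorizationHeader("Basic");
        // The "password" is the login encrypted under the shared key, not a user password.
        authorizationHeader.setAuthParameter("password", Encryptor.encrypt(getSharedSecretKey(), str));
        authorizationHeader.setAuthParameter(HttpAuthorizationHeader.AUTH_PARAMETER_NAME_USERNAME, str);
        httpURLConnection.setRequestProperty("Authorization", authorizationHeader.toString());
    }

    /**
     * Builds the key from {@code tunneling.servlet.shared.secret}.
     *
     * <p>The secret is hex-decoded when {@code PropsValues.TUNNELING_SERVLET_SHARED_SECRET_HEX} is set
     * and otherwise used as raw string bytes. It must be at least 8 bytes long, and exactly 16 or 32
     * bytes when the configured algorithm is AES.</p>
     *
     * @return a key for the algorithm in {@code PropsValues.TUNNELING_SERVLET_ENCRYPTION_ALGORITHM}
     * @throws AuthException if the secret is not configured, is not valid hex, or has an unacceptable
     *         length
     */
    protected Key getSharedSecretKey() throws AuthException {
        byte[] keyBytes;
        String sharedSecret = PropsValues.TUNNELING_SERVLET_SHARED_SECRET;
        if (Validator.isNull(sharedSecret)) {
            if (_log.isWarnEnabled()) {
                _log.warn("Please configure tunneling.servlet.shared.secret");
            }
            AuthException missingSecret = new AuthException("Please configure tunneling.servlet.shared.secret");
            missingSecret.setType(3);
            throw missingSecret;
        }
        if (PropsValues.TUNNELING_SERVLET_SHARED_SECRET_HEX) {
            try {
                keyBytes = Hex.decodeHex(sharedSecret.toCharArray());
            } catch (DecoderException decoderException) {
                if (_log.isWarnEnabled()) {
                    // NOTE(review): the decoder's message may echo characters of the configured
                    // secret; check what reaches the log before shipping logs off-host.
                    _log.warn(decoderException, decoderException);
                }
                AuthException invalidHex = new AuthException();
                invalidHex.setType(2);
                throw invalidHex;
            }
        } else {
            // NOTE(review): getBytes() uses the JVM default charset, so a secret containing
            // non-ASCII characters yields different key bytes on hosts with different defaults.
            // Left unchanged because both peers must derive the same bytes; prefer the hex form.
            keyBytes = sharedSecret.getBytes();
        }
        // NOTE(review): this floor admits 64-bit keys for non-AES algorithms; prefer AES with a 16-
        // or 32-byte secret.
        if (keyBytes.length < 8) {
            if (_log.isWarnEnabled()) {
                _log.warn("tunneling.servlet.shared.secret is too short");
            }
            AuthException tooShort = new AuthException("tunneling.servlet.shared.secret is too short");
            tooShort.setType(2);
            throw tooShort;
        }
        boolean aesConfigured = StringUtil.equalsIgnoreCase(PropsValues.TUNNELING_SERVLET_ENCRYPTION_ALGORITHM, "AES");
        if (!aesConfigured || keyBytes.length == 16 || keyBytes.length == 32) {
            return new SecretKeySpec(keyBytes, PropsValues.TUNNELING_SERVLET_ENCRYPTION_ALGORITHM);
        }
        if (_log.isWarnEnabled()) {
            _log.warn("tunneling.servlet.shared.secret must have 16 or 32 bytes when used with AES");
        }
        AuthException badAesLength = new AuthException("tunneling.servlet.shared.secret must have 16 or 32 bytes when used with AES");
        badAesLength.setType(2);
        throw badAesLength;
    }

    /**
     * Compares the expected and the received token without short-circuiting on the first difference.
     * Returns {@code false} when either value is {@code null}, so an absent token never matches.
     */
    private static boolean _tokensMatch(String expectedToken, String suppliedToken) {
        if (expectedToken == null || suppliedToken == null) {
            return false;
        }
        return MessageDigest.isEqual(
            expectedToken.getBytes(StandardCharsets.UTF_8), suppliedToken.getBytes(StandardCharsets.UTF_8));
    }
}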
