package net.corda.node.services.rpc;

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.cert.X509Certificate;
import kotlin.Metadata;
import kotlin.TypeCastException;
import kotlin.Unit;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import net.corda.core.internal.InternalUtils;
import net.corda.node.internal.artemis.CertificateChainCheckPolicy;
import net.corda.node.internal.security.Password;
import net.corda.node.internal.security.RPCSecurityManager;
import org.apache.activemq.artemis.spi.core.security.jaas.CertificateCallback;
import org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal;
import org.apache.activemq.artemis.spi.core.security.jaas.UserPrincipal;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* compiled from: NodeLoginModule.kt */
@Metadata(mv = {1, 1, 8}, bv = {1, 0, 2}, k = 1, d1 = {"��f\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\u0010\u000e\n\u0002\u0010\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0010\u000b\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0010\u0011\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0002\b\u0007\n\u0002\u0010$\n\u0002\b\u0005\b��\u0018�� -2\u00020\u0001:\u0001-B\u0005¢\u0006\u0002\u0010\u0002J\b\u0010\u0018\u001a\u00020\u000bH\u0016J\u001b\u0010\u0019\u001a\u00020\b2\f\u0010\u001a\u001a\b\u0012\u0004\u0012\u00020\u001c0\u001bH\u0002¢\u0006\u0002\u0010\u001dJ3\u0010\u001e\u001a\u00020\b2\u0006\u0010\u001f\u001a\u00020\u00072\u0006\u0010 \u001a\u00020!2\f\u0010\u001a\u001a\b\u0012\u0004\u0012\u00020\u001c0\u001b2\u0006\u0010\u0016\u001a\u00020\u000bH\u0002¢\u0006\u0002\u0010\"J\b\u0010#\u001a\u00020\bH\u0002J\b\u0010$\u001a\u00020\u000bH\u0016J-\u0010%\u001a\u0004\u0018\u00010\u00072\f\u0010\u001a\u001a\b\u0012\u0004\u0012\u00020\u001c0\u001b2\u0006\u0010\u001f\u001a\u00020\u00072\u0006\u0010\u0016\u001a\u00020\u000bH\u0002¢\u0006\u0002\u0010&J<\u0010'\u001a\u00020\b2\u0006\u0010\u0014\u001a\u00020\u00152\u0006\u0010\u0003\u001a\u00020\u00042\u0010\u0010(\u001a\f\u0012\u0004\u0012\u00020\u0007\u0012\u0002\b\u00030)2\u0010\u0010*\u001a\f\u0012\u0004\u0012\u00020\u0007\u0012\u0002\b\u00030)H\u0016J\b\u0010+\u001a\u00020\u000bH\u0016J\b\u0010,\u001a\u00020\u000bH\u0016R\u000e\u0010\u0003\u001a\u00020\u0004X\u0082.¢\u0006\u0002\n��R\u001e\u0010\u0005\u001a\u0012\u0012\u0004\u0012\u00020\u0007\u0012\u0004\u0012\u00020\b0\u0006j\u0002`\tX\u0082.¢\u0006\u0002\n��R\u000e\u0010\n\u001a\u00020\u000bX\u0082\u000e¢\u0006\u0002\n��R\u000e\u0010\f\u001a\u00020\rX\u0082.¢\u0006\u0002\n��R\u0014\u0010\u000e\u001a\b\u0012\u0004\u0012\u00020\u00100\u000fX\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0011\u00
1a\u00020\rX\u0082.¢\u0006\u0002\n��R\u000e\u0010\u0012\u001a\u00020\u0013X\u0082.¢\u0006\u0002\n��R\u000e\u0010\u0014\u001a\u00020\u0015X\u0082.¢\u0006\u0002\n��R\u0012\u0010\u0016\u001a\u0004\u0018\u00010\u000bX\u0082\u000e¢\u0006\u0004\n\u0002\u0010\u0017¨\u0006."}, d2 = {"Lnet/corda/node/services/rpc/NodeLoginModule;", "Ljavax/security/auth/spi/LoginModule;", "()V", "callbackHandler", "Ljavax/security/auth/callback/CallbackHandler;", "loginListener", "Lkotlin/Function1;", "", "", "Lnet/corda/node/services/rpc/LoginListener;", "loginSucceeded", "", "nodeCertCheck", "Lnet/corda/node/internal/artemis/CertificateChainCheckPolicy$Check;", "principals", "Ljava/util/ArrayList;", "Ljava/security/Principal;", "rpcCertCheck", "securityManager", "Lnet/corda/node/internal/security/RPCSecurityManager;", "subject", "Ljavax/security/auth/Subject;", NodeLoginModule.USE_SSL_ARG, "Ljava/lang/Boolean;", "abort", "authenticateNode", "certificates", "", "Ljavax/security/cert/X509Certificate;", "([Ljavax/security/cert/X509Certificate;)V", "authenticateRpcUser", "username", "password", "Lnet/corda/node/internal/security/Password;", "(Ljava/lang/String;Lnet/corda/node/internal/security/Password;[Ljavax/security/cert/X509Certificate;Z)V", "clear", "commit", "determineUserRole", "([Ljavax/security/cert/X509Certificate;Ljava/lang/String;Z)Ljava/lang/String;", "initialize", "sharedState", "", "options", "login", "logout", "Companion", "node"})
/* loaded from: input_file:net/corda/node/services/rpc/NodeLoginModule.class */
public final class NodeLoginModule implements LoginModule {
    // Set to true by login() once a role has been authenticated; read by commit(); reset by clear().
    private boolean loginSucceeded;
    // Subject passed to initialize(); commit() adds the collected principals to it, logout() removes them.
    private Subject subject;
    // Supplies the name, password and certificate callbacks that login() requests.
    private CallbackHandler callbackHandler;
    // Taken from the options map in initialize(); authenticateRpcUser() calls authenticate(username, password) on it.
    private RPCSecurityManager securityManager;
    // Taken from the options map in initialize(); invoked with the username after securityManager.authenticate returns.
    private Function1<? super String, Unit> loginListener;
    // Options entry "useSsl". When true, RPC users must present a certificate chain
    // (determineUserRole) and that chain is checked (authenticateRpcUser).
    private Boolean useSsl;
    // Certificate-chain checks looked up per role from the "CertChainChecks" options entry in initialize().
    private CertificateChainCheckPolicy.Check nodeCertCheck;
    private CertificateChainCheckPolicy.Check rpcCertCheck;
    // Principals collected during login(); copied to the subject by commit() and removed by logout().
    // clear() does not empty this list.
    private final ArrayList<Principal> principals = new ArrayList<>();

    // Role name attached (as a RolePrincipal) to peers that log in as "SystemUsers/Node".
    @NotNull
    public static final String NODE_ROLE = "SystemRoles/Node";

    // Role name attached (as a RolePrincipal) to every authenticated RPC user.
    @NotNull
    public static final String RPC_ROLE = "SystemRoles/RPC";

    // Options key whose value is the map of per-role certificate-chain checks.
    @NotNull
    public static final String CERT_CHAIN_CHECKS_ARG = "CertChainChecks";

    // Options key for the Boolean that says whether RPC connections use TLS.
    @NotNull
    public static final String USE_SSL_ARG = "useSsl";
    // Assigned once in the static initializer of this class.
    private static final Logger log;
    public static final Companion Companion = new Companion(null);

    // NOTE(review): the four declarations below are decompiler output, not valid Java. Each constant is
    // declared twice and initialised from itself, so the real literal values of these two options keys
    // cannot be read from this listing. Recover them from the original NodeLoginModule.kt or the class
    // file's constant pool before relying on them.
    @NotNull
    private static final String SECURITY_MANAGER_ARG = SECURITY_MANAGER_ARG;

    @NotNull
    private static final String SECURITY_MANAGER_ARG = SECURITY_MANAGER_ARG;

    @NotNull
    private static final String LOGIN_LISTENER_ARG = LOGIN_LISTENER_ARG;

    @NotNull
    private static final String LOGIN_LISTENER_ARG = LOGIN_LISTENER_ARG;

    /* compiled from: NodeLoginModule.kt */
    @Metadata(mv = {1, 1, 8}, bv = {1, 0, 2}, k = 1, d1 = {"��\u001c\n\u0002\u0018\u0002\n\u0002\u0010��\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0002\b\t\n\u0002\u0018\u0002\n\u0002\b\u0003\b\u0086\u0003\u0018��2\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002R\u000e\u0010\u0003\u001a\u00020\u0004X\u0080T¢\u0006\u0002\n��R\u0014\u0010\u0005\u001a\u00020\u0004X\u0080D¢\u0006\b\n��\u001a\u0004\b\u0006\u0010\u0007R\u000e\u0010\b\u001a\u00020\u0004X\u0080T¢\u0006\u0002\n��R\u000e\u0010\t\u001a\u00020\u0004X\u0080T¢\u0006\u0002\n��R\u0014\u0010\n\u001a\u00020\u0004X\u0080D¢\u0006\b\n��\u001a\u0004\b\u000b\u0010\u0007R\u000e\u0010\f\u001a\u00020\u0004X\u0080T¢\u0006\u0002\n��R\u0014\u0010\r\u001a\u00020\u000eX\u0082\u0004¢\u0006\b\n��\u001a\u0004\b\u000f\u0010\u0010¨\u0006\u0011"}, d2 = {"Lnet/corda/node/services/rpc/NodeLoginModule$Companion;", "", "()V", "CERT_CHAIN_CHECKS_ARG", "", "LOGIN_LISTENER_ARG", "getLOGIN_LISTENER_ARG$node", "()Ljava/lang/String;", "NODE_ROLE", "RPC_ROLE", "SECURITY_MANAGER_ARG", "getSECURITY_MANAGER_ARG$node", "USE_SSL_ARG", "log", "Lorg/slf4j/Logger;", "getLog", "()Lorg/slf4j/Logger;", "node"})
    /* loaded from: input_file:net/corda/node/services/rpc/NodeLoginModule$Companion.class */
    /**
     * Kotlin companion object of {@code NodeLoginModule}, as rendered by the decompiler.
     *
     * <p>It holds no state of its own: every accessor forwards to a private static field of the
     * enclosing class.
     */
    public static final class Companion {
        /** Only the synthetic constructor below reaches this one. */
        private Companion() {
        }

        /** Compiler-generated bridge; the marker argument is ignored. */
        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }

        /**
         * Returns the class logger of {@code NodeLoginModule}.
         * JADX reports that it widened this accessor from private to public.
         */
        public final Logger getLog() {
            return NodeLoginModule.log;
        }

        /** Returns the options key under which the login listener is passed to {@code initialize}. */
        @NotNull
        public final String getLOGIN_LISTENER_ARG$node() {
            return NodeLoginModule.LOGIN_LISTENER_ARG;
        }

        /** Returns the options key under which the RPC security manager is passed to {@code initialize}. */
        @NotNull
        public final String getSECURITY_MANAGER_ARG$node() {
            return NodeLoginModule.SECURITY_MANAGER_ARG;
        }
    }

    /**
     * Stores the JAAS subject and callback handler and pulls this module's collaborators out of
     * the options map.
     *
     * <p>Every options value is cast to its expected type without further validation. A missing
     * {@code useSsl} entry raises {@code TypeCastException}; a missing per-role certificate check
     * raises a null-pointer error through {@code Intrinsics.throwNpe()}. The security manager and
     * login listener are not null-checked here; {@code authenticateRpcUser} checks them on use.
     *
     * @param subject         subject that {@code commit()} will populate
     * @param callbackHandler source of the credentials requested in {@code login()}
     * @param map             JAAS shared state; only null-checked, never read
     * @param map2            module options (security manager, login listener, useSsl flag,
     *                        per-role certificate-chain checks)
     */
    public void initialize(@NotNull Subject subject, @NotNull CallbackHandler callbackHandler, @NotNull Map<String, ?> map, @NotNull Map<String, ?> map2) {
        Intrinsics.checkParameterIsNotNull(subject, "subject");
        Intrinsics.checkParameterIsNotNull(callbackHandler, "callbackHandler");
        Intrinsics.checkParameterIsNotNull(map, "sharedState");
        Intrinsics.checkParameterIsNotNull(map2, "options");

        this.subject = subject;
        this.callbackHandler = callbackHandler;

        final String securityManagerKey = Companion.getSECURITY_MANAGER_ARG$node();
        this.securityManager = (RPCSecurityManager) InternalUtils.uncheckedCast(map2.get(securityManagerKey));
        final String loginListenerKey = Companion.getLOGIN_LISTENER_ARG$node();
        this.loginListener = (Function1) InternalUtils.uncheckedCast(map2.get(loginListenerKey));

        // The TLS flag is mandatory: absence is reported the way Kotlin reports a failed non-null cast.
        final Object sslOption = map2.get(USE_SSL_ARG);
        if (sslOption == null) {
            throw new TypeCastException("null cannot be cast to non-null type kotlin.Boolean");
        }
        this.useSsl = (Boolean) sslOption;

        // One certificate-chain check per role, keyed by role name.
        final Map checksByRole = (Map) InternalUtils.uncheckedCast(map2.get("CertChainChecks"));

        final Object nodeCheck = checksByRole.get("SystemRoles/Node");
        if (nodeCheck == null) {
            Intrinsics.throwNpe();
        }
        this.nodeCertCheck = (CertificateChainCheckPolicy.Check) nodeCheck;

        final Object rpcCheck = checksByRole.get(RPC_ROLE);
        if (rpcCheck == null) {
            Intrinsics.throwNpe();
        }
        this.rpcCertCheck = (CertificateChainCheckPolicy.Check) rpcCheck;
    }

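    /**
     * Runs the JAAS authentication phase for one connecting peer.
     *
     * <p>Requests username, password and the TLS certificate chain from the callback handler, lets
     * {@code determineUserRole} choose between the node role and the RPC role, and delegates to
     * {@code authenticateNode} or {@code authenticateRpcUser}. On success the user principal is
     * queued in {@code principals} (attached to the subject by {@code commit()}) and
     * {@code loginSucceeded} is set.
     *
     * <p>Compared with the raw decompiler output, this version types the callbacks concretely and
     * replaces the hash-code switch with plain string comparisons. It also wipes the password
     * buffers on every exit path and keeps the original exception as the cause of a wrapped
     * {@link LoginException}.
     *
     * <p>The class is decompiled from Kotlin, which has no checked exceptions. That is why the
     * signature carries no {@code throws} clause although {@link LoginException} subclasses are thrown.
     *
     * @return {@code true} when authentication succeeded; every failure path throws instead
     * @throws FailedLoginException if the username or password is missing, if the role is not
     *         recognised, or if one is propagated from the authentication helpers
     * @throws LoginException if the callback handler fails with an I/O error or rejects a callback
     * @throws IllegalArgumentException ("No TLS?") propagated from {@code determineUserRole}; it is
     *         not a {@code FailedLoginException}, so it bypasses the warn log below
     */
    public boolean login() {
        NameCallback nameCallback = new NameCallback("Username: ");
        PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
        CertificateCallback certificateCallback = new CertificateCallback();
        char[] password = null;
        try {
            CallbackHandler handler = this.callbackHandler;
            if (handler == null) {
                Intrinsics.throwUninitializedPropertyAccessException("callbackHandler");
            }
            handler.handle(new Callback[]{nameCallback, passwordCallback, certificateCallback});

            String username = nameCallback.getName();
            if (username == null) {
                throw new FailedLoginException("Username not provided");
            }
            password = passwordCallback.getPassword();
            if (password == null) {
                throw new FailedLoginException("Password not provided");
            }
            X509Certificate[] certificates = certificateCallback.getCertificates();
            if (certificates == null) {
                // A peer without a client certificate is represented by an empty chain.
                certificates = new X509Certificate[0];
            }

            CertificateChainCheckPolicy.Check rpcCheck = this.rpcCertCheck;
            if (rpcCheck == null) {
                Intrinsics.throwUninitializedPropertyAccessException("rpcCertCheck");
            }
            if (rpcCheck instanceof CertificateChainCheckPolicy.UsernameMustMatchCommonNameCheck) {
                // NOTE(review): rpcCertCheck is taken from the options map in initialize(). If the same
                // Check instance is handed to several login modules, this write can race with another
                // login's checkCertificateChain call. Confirm the instance is per-login or thread-safe.
                ((CertificateChainCheckPolicy.UsernameMustMatchCommonNameCheck) rpcCheck).setUsername(username);
            }

            Companion.getLog().debug("Logging user in");
            try {
                Boolean ssl = this.useSsl;
                if (ssl == null) {
                    Intrinsics.throwNpe();
                }
                String role = determineUserRole(certificates, username, ssl.booleanValue());
                String principalName;
                if (NODE_ROLE.equals(role)) {
                    // Node peers are authenticated by certificate chain only; the password is not consulted.
                    authenticateNode(certificates);
                    principalName = "SystemUsers/Node";
                } else if (RPC_ROLE.equals(role)) {
                    // Password is built from a String, so this copy stays on the heap until collected.
                    // It is created only on the RPC path to avoid a needless copy for node logins.
                    authenticateRpcUser(username, new Password(new String(password)), certificates, ssl.booleanValue());
                    principalName = username;
                } else {
                    throw new FailedLoginException("Peer does not belong on our network");
                }
                this.principals.add(new UserPrincipal(principalName));
                this.loginSucceeded = true;
                return this.loginSucceeded;
            } catch (FailedLoginException e) {
                Companion.getLog().warn("" + e);
                throw e;
            }
        } catch (IOException e2) {
            // LoginException has no cause-taking constructor; attach the cause explicitly.
            LoginException wrapped = new LoginException(e2.getMessage());
            wrapped.initCause(e2);
            throw wrapped;
        } catch (UnsupportedCallbackException e3) {
            LoginException wrapped = new LoginException("" + e3.getMessage() + " not available to obtain information from user");
            wrapped.initCause(e3);
            throw wrapped;
        } finally {
            // Both the callback's internal buffer and the copy returned by getPassword() are zeroed so
            // the clear-text password does not linger in these arrays after the attempt.
            passwordCallback.clearPassword();
            if (password != null) {
                // Fully qualified so the file's import list stays untouched.
                java.util.Arrays.fill(password, '\0');
            }
        }
    }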

    /**
     * Authenticates a peer node from its certificate chain alone and queues the node role.
     *
     * <p>The trust decision rests entirely on {@code nodeCertCheck.checkCertificateChain}; the role
     * principal is added only after that call returns.
     *
     * @param x509CertificateArr certificate chain presented by the peer
     */
    private final void authenticateNode(X509Certificate[] x509CertificateArr) {
        CertificateChainCheckPolicy.Check chainCheck = this.nodeCertCheck;
        if (chainCheck == null) {
            Intrinsics.throwUninitializedPropertyAccessException("nodeCertCheck");
        }
        // presumably throws when the chain is not acceptable, since no result is inspected; confirm
        chainCheck.checkCertificateChain(x509CertificateArr);

        RolePrincipal nodeRole = new RolePrincipal("SystemRoles/Node");
        this.principals.add(nodeRole);
    }

    /**
     * Authenticates an RPC user and queues the RPC role principals.
     *
     * <p>Order matters: the certificate chain is checked first (only when TLS is in use), then the
     * credentials go to the security manager, then the login listener is notified. The role
     * principals are added last, so a failure in any earlier step leaves {@code principals} untouched.
     *
     * @param str                username supplied by the client
     * @param password           password supplied by the client
     * @param x509CertificateArr certificate chain presented by the client (may be empty without TLS)
     * @param z                  whether RPC connections use TLS; when false no certificate check runs
     */
    private final void authenticateRpcUser(String str, Password password, X509Certificate[] x509CertificateArr, boolean z) {
        if (z) {
            CertificateChainCheckPolicy.Check chainCheck = this.rpcCertCheck;
            if (chainCheck == null) {
                Intrinsics.throwUninitializedPropertyAccessException("rpcCertCheck");
            }
            chainCheck.checkCertificateChain(x509CertificateArr);
        }

        RPCSecurityManager manager = this.securityManager;
        if (manager == null) {
            Intrinsics.throwUninitializedPropertyAccessException("securityManager");
        }
        // presumably signals bad credentials by throwing, since the return value is not inspected; confirm
        manager.authenticate(str, password);

        Function1<? super String, Unit> listener = this.loginListener;
        if (listener == null) {
            Intrinsics.throwUninitializedPropertyAccessException("loginListener");
        }
        listener.invoke(str);

        // Generic RPC role plus a per-user role whose name embeds the authenticated username verbatim.
        this.principals.add(new RolePrincipal(RPC_ROLE));
        this.principals.add(new RolePrincipal("rpc.client." + str));
    }

    /**
     * Chooses the role a peer is authenticated under, from the claimed username and the
     * presence of a certificate chain.
     *
     * <p>The username {@code "SystemUsers/Node"} selects the node role and requires a non-empty
     * chain. Any other username selects the RPC role, which requires a non-empty chain only when
     * TLS is in use. This method does not validate the chain; that happens in
     * {@code authenticateNode} and {@code authenticateRpcUser}.
     *
     * <p>As written, the method returns one of the two role names or throws, so the
     * "Peer does not belong on our network" branch in {@code login()} is not reachable through it.
     *
     * <p>NOTE(review): the "No TLS?" failure is an {@link IllegalArgumentException}, not a
     * {@code LoginException}. It therefore bypasses the warn log in {@code login()}. Confirm the
     * JAAS caller treats unchecked exceptions as an authentication failure.
     *
     * @param x509CertificateArr certificate chain presented by the peer; empty when none
     * @param str                username supplied by the peer
     * @param z                  whether RPC connections use TLS
     * @return {@code "SystemRoles/Node"} or {@code RPC_ROLE}
     * @throws IllegalArgumentException if a certificate chain is required but empty
     */
    private final String determineUserRole(X509Certificate[] x509CertificateArr, String str, boolean z) {
        if (str.equals("SystemUsers/Node")) {
            if (x509CertificateArr.length == 0) {
                throw new IllegalArgumentException("No TLS?");
            }
            return "SystemRoles/Node";
        }
        // Without TLS the chain is never inspected; with TLS an RPC user must present one.
        if (z && x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("No TLS?");
        }
        return RPC_ROLE;
    }

    /**
     * Completes the JAAS commit phase.
     *
     * <p>If {@code login()} succeeded, the collected principals are added to the subject. The
     * success flag is then reset through {@code clear()} in either case.
     *
     * @return whether {@code login()} had succeeded before this call
     */
    public boolean commit() {
        if (!this.loginSucceeded) {
            clear();
            return false;
        }
        Subject target = this.subject;
        if (target == null) {
            Intrinsics.throwUninitializedPropertyAccessException("subject");
        }
        target.getPrincipals().addAll(this.principals);
        clear();
        return true;
    }

    /**
     * Handles the JAAS abort phase by resetting the success flag.
     *
     * <p>NOTE(review): only {@code loginSucceeded} is reset; the {@code principals} list keeps
     * whatever {@code login()} added. If a module instance were reused for a second
     * {@code login()}, entries from the aborted attempt would still be present at {@code commit()}.
     * Confirm that instances are single-use.
     *
     * @return always {@code true}
     */
    public boolean abort() {
        clear();
        return true;
    }

    /**
     * Removes from the subject every principal this module collected.
     *
     * <p>The {@code principals} list itself is left as it is.
     *
     * @return always {@code true}
     */
    public boolean logout() {
        Subject target = this.subject;
        if (target == null) {
            Intrinsics.throwUninitializedPropertyAccessException("subject");
        }
        target.getPrincipals().removeAll(this.principals);
        return true;
    }

    /**
     * Resets the success flag after {@code commit()} or {@code abort()}.
     *
     * <p>The {@code principals} list is deliberately not touched here: {@code logout()} still
     * needs it to know what to remove from the subject.
     */
    private final void clear() {
        this.loginSucceeded = false;
    }

    // Creates the class logger once; the Intrinsics call is the Kotlin compiler's non-null assertion
    // on the factory result.
    static {
        final Logger created = LoggerFactory.getLogger(NodeLoginModule.class);
        Intrinsics.checkExpressionValueIsNotNull(created, "LoggerFactory.getLogger(T::class.java)");
        log = created;
    }
}
