package org.josso.jb7.agent;

import java.io.IOException;
import java.security.Principal;
import java.security.acl.Group;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.Locale;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.callback.PasswordValidationCallback;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityConstraint;
import org.jboss.as.web.WebLogger;
import org.jboss.as.web.security.JBossGenericPrincipal;
import org.jboss.as.web.security.JBossWebRealm;
import org.jboss.as.web.security.jaspi.WebJASPIAuthenticator;
import org.jboss.logging.Logger;
import org.jboss.security.CacheableManager;
import org.jboss.security.ServerAuthenticationManager;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.message.GenericMessageInfo;
import org.josso.agent.LocalSession;
import org.josso.agent.Lookup;
import org.josso.agent.SSOAgentRequest;
import org.josso.agent.http.HttpSSOAgent;
import org.josso.jaspi.agent.JASPICallbackHandler;
import org.josso.jaspi.agent.JASPISSOAgentRequest;

/* loaded from: input_file:org/josso/jb7/agent/JOSSOJASPIAuthenticator.class */
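/**
 * JASPI-based web authenticator that wires a JOSSO {@link HttpSSOAgent} into the
 * {@link WebJASPIAuthenticator} request pipeline.
 *
 * <p>The agent is looked up once from {@code josso-agent-config.xml} and shared by every
 * instance through a static field. {@link #invoke(Request, Response)} runs the security
 * checks for a request; {@link #authenticate(Request, HttpServletResponse, LoginConfig)}
 * delegates the actual validation to the configured {@link ServerAuthenticationManager}.
 *
 * <p>This listing appears to be decompiler output. Relative to that output, three things are
 * repaired: the cookie scan in {@link #jossoCookieExists(Request)} now terminates, the
 * principal local in {@code authenticate} is typed as {@link Principal}, and the realm cast
 * in {@code buildJBossPrincipal} is explicit.
 */
public class JOSSOJASPIAuthenticator extends WebJASPIAuthenticator {
    public static final String KEY_SESSION_MAP = "org.josso.servlet.agent.sessionMap";
    private static final Logger log = Logger.getLogger(JOSSOJASPIAuthenticator.class);
    // Fixed date in the past, formatted once, used as the Expires header value.
    private static final String DATE_ONE = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss zzz", Locale.US).format(new Date(1));
    // Shared by all instances; initialised lazily by the first constructor call.
    private static HttpSSOAgent _agent;

    /**
     * Looks up and starts the shared SSO agent on first construction.
     *
     * @throws RuntimeException if the agent cannot be looked up or started; the cause is preserved
     */
    public JOSSOJASPIAuthenticator() {
        try {
            // NOTE(review): this check-then-assign on a static field is not synchronized. It
            // assumes instances are not constructed concurrently - confirm against the container.
            if (_agent == null) {
                Lookup lookup = Lookup.getInstance();
                lookup.init("josso-agent-config.xml");
                _agent = lookup.lookupSSOAgent();
                if (log.isDebugEnabled()) {
                    _agent.setDebug(1);
                }
                _agent.start();
            }
        } catch (Exception e) {
            log.error("Error starting SSO Agent : " + e.getMessage(), e);
            throw new RuntimeException("Error starting SSO Agent : " + e.getMessage(), e);
        }
    }

    /**
     * Applies the security checks for one request and, when they all pass, hands the request
     * to the next valve.
     *
     * <p>Order of checks: restore a cached principal from the session, authenticate login and
     * agent-reserved URIs, set anti-caching headers, check the user-data (transport)
     * constraint, authenticate when every matching constraint demands it, then check resource
     * permission. Every failed check returns without calling the next valve.
     *
     * @param request the Catalina request
     * @param response the Catalina response
     * @throws IOException propagated from the checks or from the next valve
     * @throws ServletException propagated from the next valve
     */
    public void invoke(Request request, Response response) throws IOException, ServletException {
        if (log.isDebugEnabled()) {
            log.debug("Security checking request " + request.getMethod() + " " + request.getRequestURI());
        }
        LoginConfig loginConfig = this.context.getLoginConfig();

        if (this.cache && request.getUserPrincipal() == null) {
            Session session = request.getSessionInternal(false);
            if (session != null) {
                // Without a usable JOSSO session cookie the cached principal is discarded, so a
                // container session cannot outlive the SSO cookie. Only the presence of the cookie
                // is checked here; its value is not validated in this method.
                if (!jossoCookieExists(request)) {
                    session.setPrincipal((Principal) null);
                }
                Principal cached = session.getPrincipal();
                if (cached != null) {
                    if (log.isDebugEnabled()) {
                        log.debug("We have cached auth type " + session.getAuthType() + " for principal " + cached);
                    }
                    request.setAuthType(session.getAuthType());
                    request.setUserPrincipal(cached);
                }
            }
        }

        String contextPath = this.context.getPath();
        String requestUri = request.getDecodedRequestURI();
        boolean loginOrAgentUri = (requestUri.startsWith(contextPath) && requestUri.endsWith("/j_security_check"))
                || isJossoReservedUri(contextPath, requestUri);
        if (loginOrAgentUri && !authenticate(request, response, loginConfig)) {
            if (log.isDebugEnabled()) {
                log.debug(" Failed authenticate() test ??" + requestUri);
            }
            return;
        }

        if (this.disableProxyCaching && !"POST".equalsIgnoreCase(request.getMethod())) {
            if (this.securePagesWithPragma) {
                response.setHeader("Pragma", "No-cache");
                response.setHeader("Cache-Control", "no-cache");
            } else {
                response.setHeader("Cache-Control", "private");
            }
            response.setHeader("Expires", DATE_ONE);
        }

        Realm realm = this.context.getRealm();
        SecurityConstraint[] constraints = realm.findSecurityConstraints(request, this.context);
        if (constraints == null) {
            // A null result is normalised to an empty array. With an empty array the check below
            // still calls authenticate(), so unconstrained requests are authenticated as well.
            constraints = new SecurityConstraint[0];
        }

        if (log.isDebugEnabled()) {
            log.debug(" Calling hasUserDataPermission()");
        }
        if (!realm.hasUserDataPermission(request, response, constraints)) {
            if (log.isDebugEnabled()) {
                log.debug(" Failed hasUserDataPermission() test");
            }
            return;
        }

        if (allConstraintsRequireAuthentication(constraints)) {
            if (log.isDebugEnabled()) {
                log.debug(" Calling authenticate()");
            }
            if (!authenticate(request, response, loginConfig)) {
                if (log.isDebugEnabled()) {
                    log.debug(" Failed authenticate() test");
                }
                return;
            }
        }

        if (log.isDebugEnabled()) {
            log.debug(" Calling accessControl()");
        }
        if (realm.hasResourcePermission(request, response, constraints, this.context)) {
            if (log.isDebugEnabled()) {
                log.debug(" Successfully passed all security constraints");
            }
            getNext().invoke(request, response);
        } else if (log.isDebugEnabled()) {
            log.debug(" Failed accessControl() test");
        }
    }

    /**
     * Reports whether every constraint demands an authenticated caller.
     *
     * @param constraints the constraints to inspect; must not be {@code null}
     * @return {@code false} as soon as one constraint has no auth-constraint, or has one that
     *     neither allows all roles nor names any role; {@code true} otherwise, including for an
     *     empty array
     */
    private static boolean allConstraintsRequireAuthentication(SecurityConstraint[] constraints) {
        for (SecurityConstraint constraint : constraints) {
            if (!constraint.getAuthConstraint()) {
                return false;
            }
            if (!constraint.getAllRoles()) {
                String[] roles = constraint.findAuthRoles();
                if (roles == null || roles.length == 0) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Authenticates the request, either from state already on the request or through the
     * JASPI {@link ServerAuthenticationManager}.
     *
     * @param request the Catalina request
     * @param httpServletResponse the response passed on to {@code register}
     * @param loginConfig the login configuration of the web application
     * @return {@code true} when the caller is authenticated; {@code false} when validation
     *     failed or the request was forwarded to the login page
     * @throws IOException propagated from the inherited helpers
     */
    protected boolean authenticate(Request request, HttpServletResponse httpServletResponse, LoginConfig loginConfig) throws IOException {
        String authMethod = loginConfig.getAuthMethod();
        Principal userPrincipal = request.getUserPrincipal();
        String ssoId = (String) request.getNote("org.apache.catalina.request.SSOID");

        if (userPrincipal != null) {
            WebLogger.WEB_SECURITY_LOGGER.tracef("Already authenticated '%s'", userPrincipal.getName());
            if (ssoId != null) {
                associate(ssoId, request.getSessionInternal(true));
            }
            // Agent-reserved URIs fall through to full validation even for an authenticated caller.
            if (!_agent.isAgentReservedUri(this.context.getPath(), request.getDecodedRequestURI())) {
                return true;
            }
        }

        if (("BASIC".equalsIgnoreCase(authMethod) || "FORM".equalsIgnoreCase(authMethod)) && ssoId != null) {
            // The SSO identifier is written to the trace log here, so trace-level output of this
            // logger should be handled as sensitive data.
            WebLogger.WEB_SECURITY_LOGGER.tracef("SSO Id %s set; attempting reauthentication", ssoId);
            if (reauthenticateFromSSO(ssoId, request)) {
                return true;
            }
        }

        SecurityConstraint[] constraints = this.context.getRealm().findSecurityConstraints(request, this.context);
        // No JOSSO cookie and no principal on a resource whose constraints all require
        // authentication: forward to the login page instead of running JASPI validation.
        if (!jossoCookieExists(request) && userPrincipal == null && constraints != null && constraints.length > 0
                && allConstraintsRequireAuthentication(constraints)) {
            forwardToLoginPage(request, request.getResponse(), loginConfig);
            return false;
        }

        GenericMessageInfo messageInfo = new GenericMessageInfo();
        messageInfo.setRequestMessage(request);
        messageInfo.setResponseMessage(request.getResponse());
        messageInfo.getMap().put("CACHE", String.valueOf(this.cache));
        messageInfo.getMap().put("javax.security.auth.message.MessagePolicy.isMandatory", "true");

        JASPICallbackHandler callbackHandler = new JASPICallbackHandler();
        ServerAuthenticationManager authManager = getServerAuthenticationManager();
        String appContext = request.getLocalName() + " " + request.getContextPath();
        Subject subject = new Subject();

        // A missing authentication manager means the request is not valid (fail closed).
        boolean valid = authManager != null && authManager.isValid(messageInfo, subject, "HttpServlet", appContext, callbackHandler);
        if (!valid) {
            return false;
        }

        PasswordValidationCallback passwordCallback = callbackHandler.getPasswordValidationCallback();
        CallerPrincipalCallback callerCallback = callbackHandler.getCallerPrincipalCallback();
        GroupPrincipalCallback groupCallback = callbackHandler.getGroupPrincipalCallback();
        if (callerCallback == null) {
            // NOTE(review): with no caller principal the result is true only when the realm returned
            // null constraints; an empty array yields false. Confirm this asymmetry is intended.
            return constraints == null;
        }

        // Declared as Principal: the decompiled listing typed this local as SimplePrincipal, which
        // can hold neither the callback's principal nor the value returned by buildJBossPrincipal.
        Principal principal = callerCallback.getPrincipal();
        if (principal == null) {
            principal = new SimplePrincipal(callerCallback.getName());
        }
        if (!(principal instanceof JBossGenericPrincipal)) {
            principal = buildJBossPrincipal(subject, principal, groupCallback);
        }

        String username = passwordCallback == null ? null : passwordCallback.getUsername();
        char[] passwordChars = passwordCallback == null ? null : passwordCallback.getPassword();
        // register() takes the password as a String, so it is copied into an immutable object
        // that cannot be cleared after use.
        String password = passwordChars == null ? null : new String(passwordChars);
        register(request, httpServletResponse, principal, authMethod, username, password);

        if (this.secureResponse) {
            authManager.secureResponse(messageInfo, new Subject(), "HttpServlet", appContext, callbackHandler);
        }
        return true;
    }

    /**
     * Builds a {@link JBossGenericPrincipal} whose role list is collected from three sources.
     *
     * <p>Roles come from the members of every {@link Group} named {@code "Roles"} in the
     * subject, from the groups of the callback when present, and from the realm's
     * principal-to-roles map entry for the principal's name.
     *
     * @param subject the subject populated during validation
     * @param principal the caller principal to wrap
     * @param groupPrincipalCallback the group callback, may be {@code null}
     * @return the new principal carrying the collected role names
     */
    protected Principal buildJBossPrincipal(Subject subject, Principal principal, GroupPrincipalCallback groupPrincipalCallback) {
        ArrayList<String> roles = new ArrayList<String>();
        for (Principal candidate : subject.getPrincipals()) {
            if ((candidate instanceof Group) && candidate.getName().equals("Roles")) {
                Enumeration<? extends Principal> members = ((Group) candidate).members();
                while (members.hasMoreElements()) {
                    roles.add(members.nextElement().getName());
                }
            }
        }
        if (groupPrincipalCallback != null && groupPrincipalCallback.getGroups() != null) {
            for (String group : groupPrincipalCallback.getGroups()) {
                roles.add(group);
            }
        }
        // The explicit cast is needed to reach getPrincipalVersusRolesMap(); it fails with a
        // ClassCastException if the container's realm is not a JBossWebRealm.
        JBossWebRealm realm = (JBossWebRealm) getContainer().getRealm();
        // Raw Set kept from the original listing; the element type of the map is not visible here.
        Set mappedRoles = (Set) realm.getPrincipalVersusRolesMap().get(principal.getName());
        if (mappedRoles != null) {
            roles.addAll(mappedRoles);
        }
        return new JBossGenericPrincipal(realm, principal.getName(), (String) null, roles, principal, (LoginContext) null, (Object) null, (CacheableManager) null, subject);
    }

    /**
     * Stores the current request URI as {@code JOSSO_SAVED_REQUEST} and forwards to the
     * configured login page.
     *
     * <p>Any failure is logged at warn level and not rethrown.
     *
     * @param request the Catalina request
     * @param response the Catalina response
     * @param loginConfig supplies the login page path
     */
    protected void forwardToLoginPage(Request request, Response response, LoginConfig loginConfig) {
        RequestDispatcher requestDispatcher = this.context.getServletContext().getRequestDispatcher(loginConfig.getLoginPage());
        try {
            // NOTE(review): the agent is looked up again here instead of reusing the shared _agent
            // field; presumably both resolve to the same instance - confirm.
            Lookup lookup = Lookup.getInstance();
            lookup.init("josso-agent-config.xml");
            lookup.lookupSSOAgent().setAttribute(request.getRequest(), response.getResponse(), "JOSSO_SAVED_REQUEST", getRequestURI(request));
            requestDispatcher.forward(request.getRequest(), response.getResponse());
            response.finishResponse();
        } catch (Throwable th) {
            // Deliberately best effort: the caller returns false from authenticate() either way.
            log.warn("Unexpected error forwarding to login page", th);
        }
    }

    /**
     * Returns the request URI followed by {@code ?} and the query string when one is present.
     *
     * @param request the Catalina request
     * @return the URI, with the query string appended if there is one
     */
    protected String getRequestURI(Request request) {
        StringBuilder uri = new StringBuilder(request.getRequestURI());
        String query = request.getQueryString();
        if (query != null) {
            uri.append('?').append(query);
        }
        return uri.toString();
    }

    /**
     * Reports whether the request carries a usable {@code JOSSO_SESSIONID} cookie.
     *
     * <p>Only the first cookie with that name is considered. The decompiled listing never
     * advanced past a matching cookie and so looped forever; the scan now stops at the first
     * match.
     *
     * @param request the Catalina request
     * @return {@code true} when the first {@code JOSSO_SESSIONID} cookie has a non-null value
     *     other than {@code "-"}; {@code false} otherwise or when there are no cookies
     */
    protected boolean jossoCookieExists(Request request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return false;
        }
        for (Cookie cookie : cookies) {
            if ("JOSSO_SESSIONID".equals(cookie.getName())) {
                String value = cookie.getValue();
                // "-" is treated as an absent session. The value is not validated here.
                return value != null && !value.equals("-");
            }
        }
        return false;
    }

    /**
     * Saves the {@code referer} header as {@code JOSSO_SAVED_REQUEST}.
     *
     * <p>Nothing is saved when the header is missing or empty, or when a value is already
     * saved and {@code z} is {@code false}.
     *
     * @param httpServletRequest the request whose header is read
     * @param httpServletResponse the response passed to the agent
     * @param httpSession not used by this method
     * @param z when {@code true}, an already saved value is overwritten
     */
    protected void saveLoginBackToURL(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession, boolean z) {
        String referer = httpServletRequest.getHeader("referer");
        if ((getSavedRequestURL(httpServletRequest) != null && !z) || referer == null || referer.equals("")) {
            return;
        }
        // NOTE(review): the Referer header is client-controlled and is stored unchecked. If the
        // saved value is later used as a redirect target (not visible here), it should first be
        // validated against the application's own origin.
        _agent.setAttribute(httpServletRequest, httpServletResponse, "JOSSO_SAVED_REQUEST", referer);
    }

    /** Returns the agent attribute {@code JOSSO_SAVED_REQUEST} for the request. */
    private String getSavedRequestURL(HttpServletRequest httpServletRequest) {
        return _agent.getAttribute(httpServletRequest, "JOSSO_SAVED_REQUEST");
    }

    /** Returns the agent attribute {@code josso_splash_resource} for the request. */
    private String getSavedSplashResource(HttpServletRequest httpServletRequest) {
        return _agent.getAttribute(httpServletRequest, "josso_splash_resource");
    }

    /**
     * Creates a {@link JASPISSOAgentRequest} from the given values and attaches the servlet
     * request and response to it.
     *
     * @param str first constructor argument of the agent request
     * @param i second constructor argument of the agent request
     * @param str2 third constructor argument of the agent request
     * @param localSession the local session passed to the agent request
     * @param str3 fifth constructor argument of the agent request
     * @param httpServletRequest the servlet request to attach
     * @param httpServletResponse the servlet response to attach
     * @return the populated agent request
     */
    protected SSOAgentRequest doMakeSSOAgentRequest(String str, int i, String str2, LocalSession localSession, String str3, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        JASPISSOAgentRequest agentRequest = new JASPISSOAgentRequest(str, i, str2, localSession, str3);
        agentRequest.setRequest(httpServletRequest);
        agentRequest.setResponse(httpServletResponse);
        return agentRequest;
    }

    /**
     * Asks the shared agent whether the URI is reserved for it.
     *
     * @param str the context path
     * @param str2 the decoded request URI
     * @return the agent's answer
     */
    protected boolean isJossoReservedUri(String str, String str2) {
        return _agent.isAgentReservedUri(str, str2);
    }
}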
