package org.glassfish.epicyro.config.servlet.sam;

import jakarta.security.auth.message.AuthException;
import jakarta.security.auth.message.AuthStatus;
import jakarta.security.auth.message.MessageInfo;
import jakarta.security.auth.message.MessagePolicy;
import jakarta.security.auth.message.callback.CallerPrincipalCallback;
import jakarta.security.auth.message.callback.GroupPrincipalCallback;
import jakarta.security.auth.message.callback.PasswordValidationCallback;
import jakarta.security.auth.message.module.ServerAuthModule;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.apache.catalina.authenticator.Constants;
import org.glassfish.epicyro.config.helper.Caller;
import org.glassfish.epicyro.config.helper.HttpServletConstants;

/* loaded from: input_file:org/glassfish/epicyro/config/servlet/sam/FormServerAuthModule.class */
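/**
 * Jakarta Authentication (JASPIC) server auth module implementing FORM authentication on top of a
 * servlet container: it redirects/forwards unauthenticated callers on protected URLs to a login page,
 * validates the {@code j_security_check} postback through a {@link PasswordValidationCallback}, and
 * then replays the originally requested URL with the authenticated principal and groups.
 *
 * <p>All cross-request state (the saved original request, the saved authentication result and the
 * "caller initiated" marker) is kept in the {@link HttpSession}. The class is stateless apart from
 * its configuration, so one instance may serve many requests.
 */
public class FormServerAuthModule implements ServerAuthModule {
    /** MessageInfo map key the container sets to {@code "true"} when the target resource is protected. */
    private static final String IS_MANDATORY = "jakarta.security.auth.message.MessagePolicy.isMandatory";
    /** Request attribute that marks the request as an authentication request (set outside this class). */
    public static final String IS_AUTHENTICATION = "org.glassfish.elios.security.message.request.authentication";
    /** Request attribute that marks a caller-initiated "new authentication" request (set outside this class). */
    public static final String IS_NEW_AUTHENTICATION = "org.glassfish.elios.security.message.request.new.authentication";
    /** Session attribute holding the {@link RequestData} of the request that triggered the login. */
    private static final String ORIGINAL_REQUEST_DATA_SESSION_NAME = "org.glassfish.elios.original.request";
    /** Session attribute holding the {@link AuthenticationData} between the login postback and the replay. */
    private static final String AUTHENTICATION_DATA_SESSION_NAME = "org.glassfish.elios.authentication";
    /** Session attribute flagging that the application (not the container) started the authentication. */
    private static final String CALLER_INITIATED_AUTHENTICATION_SESSION_NAME = "org.glassfish.elios.caller_initiated_authentication";

    /** Callback handler supplied by the container; used for caller/group/password callbacks. */
    private CallbackHandler handler;
    /** Login page path, from the {@code formLoginPage} option. */
    private String loginPage = "";
    /** Error page path, from the {@code formErrorPage} option; empty means "none configured". */
    private String errorPage = "";
    /** When true the login page is reached via a forward, otherwise via a redirect. Never set from options here. */
    boolean useForwardToLogin = true;

    /** This module handles servlet request/response message pairs only. */
    @Override // jakarta.security.auth.message.module.ServerAuthModule
    public Class<?>[] getSupportedMessageTypes() {
        return new Class[]{HttpServletRequest.class, HttpServletResponse.class};
    }

    /**
     * Stores the callback handler and reads the {@code formLoginPage} / {@code formErrorPage} options.
     *
     * @param messagePolicy  request policy (unused)
     * @param messagePolicy2 response policy (unused)
     * @param callbackHandler container callback handler
     * @param map            module options; the two page options are read as strings
     * @throws AuthException never thrown here; declared by the interface
     */
    @Override // jakarta.security.auth.message.module.ServerAuthModule
    public void initialize(MessagePolicy messagePolicy, MessagePolicy messagePolicy2, CallbackHandler callbackHandler, Map map) throws AuthException {
        this.handler = callbackHandler;
        // NOTE(review): a missing formLoginPage leaves loginPage null, which only surfaces later as a
        // failure inside forward()/redirect(); consider validating it here if form login is required.
        this.loginPage = (String) map.get("formLoginPage");
        this.errorPage = (String) map.get("formErrorPage");
    }

    /**
     * Entry point called by the container for every request.
     *
     * @param messageInfo request/response pair plus the container's property map
     * @param subject     client subject the caller principal and groups are established in
     * @param subject2    service subject (unused)
     * @return the outcome of {@link #validateRequestAutoApplySession}
     * @throws AuthException wrapping any other exception, since the ServerAuth contract allows only this type
     */
    @Override // jakarta.security.auth.message.ServerAuth
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject subject, Subject subject2) throws AuthException {
        try {
            return validateRequestAutoApplySession(messageInfo, subject, subject2);
        } catch (AuthException e) {
            // Already the contract type; do not wrap it a second time.
            throw e;
        } catch (Exception e) {
            AuthException authException = new AuthException();
            authException.initCause(e);
            throw authException;
        }
    }

    /** Nothing is added to the response on the way out. */
    @Override // jakarta.security.auth.message.ServerAuth
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject subject) throws AuthException {
        return AuthStatus.SEND_SUCCESS;
    }

    /** No per-module state lives in the subject, so there is nothing to clean. */
    @Override // jakarta.security.auth.message.ServerAuth
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
    }

    /**
     * "Auto apply session" layer: if the container already knows a user principal for this request
     * (an authenticated session), re-establish it and succeed without any further work. Otherwise run the
     * login-to-continue flow and, on success, ask the container to register the session so later
     * requests take the fast path.
     */
    public AuthStatus validateRequestAutoApplySession(MessageInfo messageInfo, Subject subject, Subject subject2) throws Exception {
        Principal existingPrincipal = getPrincipal((HttpServletRequest) messageInfo.getRequestMessage());
        if (existingPrincipal != null) {
            this.handler.handle(new Callback[]{new CallerPrincipalCallback(subject, existingPrincipal)});
            return AuthStatus.SUCCESS;
        }
        AuthStatus status = validateRequestLoginToContinue(messageInfo, subject, subject2);
        if (AuthStatus.SUCCESS.equals(status)) {
            // NOTE(review): the session that held the pre-login saved request is the one being registered;
            // confirm the container rotates the session id on REGISTER_SESSION (session fixation), otherwise
            // request.changeSessionId() should be called before this point.
            messageInfo.getMap().put(HttpServletConstants.REGISTER_SESSION, Boolean.TRUE.toString());
        }
        return status;
    }

    /**
     * "Login to continue" layer: purges stale session state, then dispatches to the caller-initiated or
     * the container-initiated flow depending on the session marker.
     */
    public AuthStatus validateRequestLoginToContinue(MessageInfo messageInfo, Subject subject, Subject subject2) throws Exception {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        tryClean(messageInfo, request);
        if (isCallerInitiatedAuthentication(request)) {
            return processCallerInitiatedAuthentication(messageInfo, subject, subject2);
        }
        return processContainerInitiatedAuthentication(messageInfo, subject, subject2);
    }

    /**
     * Validates the credentials of a login form postback.
     *
     * <p>A request that is not a valid postback (see {@link #isValidFormPostback}) establishes an
     * unauthenticated caller (null principal) and returns SUCCESS; the container then decides whether the
     * resource permits that. Otherwise the username/password are handed to the identity store via a
     * {@link PasswordValidationCallback}; SUCCESS if it validated, SEND_FAILURE if not.
     */
    public AuthStatus validateRequestForm(MessageInfo messageInfo, Subject subject, Subject subject2) throws Exception {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        if (!isValidFormPostback(request)) {
            this.handler.handle(new Callback[]{new CallerPrincipalCallback(subject, (Principal) null)});
            return AuthStatus.SUCCESS;
        }
        // Both parameters are non-null here: isValidFormPostback() checked them.
        char[] password = request.getParameter(Constants.FORM_PASSWORD).toCharArray();
        PasswordValidationCallback passwordCallback =
                new PasswordValidationCallback(subject, request.getParameter(Constants.FORM_USERNAME), password);
        try {
            this.handler.handle(new Callback[]{passwordCallback});
            return passwordCallback.getResult() ? AuthStatus.SUCCESS : AuthStatus.SEND_FAILURE;
        } finally {
            // Wipe our char[] copy as soon as the identity store has seen it, even if the handler threw.
            // (The String returned by getParameter() cannot be cleared; this limits the exposure to that.)
            passwordCallback.clearPassword();
        }
    }

    /**
     * Drops session state that no longer applies: a protected URL reached with a saved request but no
     * saved authentication, or a caller-initiated "new authentication" which must start from a clean slate.
     */
    private void tryClean(MessageInfo messageInfo, HttpServletRequest request) {
        if (isOnProtectedURLWithStaleData(messageInfo, request)) {
            removeSavedRequest(request);
            removeCallerInitiatedAuthentication(request);
        }
        if (isNewAuthentication(request)) {
            saveCallerInitiatedAuthentication(request);
            removeSavedRequest(request);
            removeSavedAuthentication(request);
        }
    }

    /**
     * Flow for an authentication the application started itself: validate the form; once a real caller
     * principal has been established, clear the caller-initiated marker. An AuthException from the form
     * validation is reported as SEND_FAILURE rather than propagated.
     */
    private AuthStatus processCallerInitiatedAuthentication(MessageInfo messageInfo, Subject subject, Subject subject2) throws Exception {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        AuthStatus status;
        try {
            status = validateRequestForm(messageInfo, subject, subject2);
        } catch (AuthException e) {
            status = AuthStatus.SEND_FAILURE;
        }
        if (status != AuthStatus.SUCCESS) {
            return status;
        }
        Caller caller = Caller.fromSubject(subject);
        if (caller == null || caller.getCallerPrincipal() == null) {
            // SUCCESS without a principal: still unauthenticated, keep the marker for the next attempt.
            return AuthStatus.SUCCESS;
        }
        removeCallerInitiatedAuthentication(request);
        return AuthStatus.SUCCESS;
    }

    /**
     * Flow for an authentication the container triggered on a protected URL. Stages, keyed on the session:
     * <ol>
     *   <li>first hit on a protected URL with no saved state: save the request and send the login page;</li>
     *   <li>login postback (saved request, no saved authentication): validate the form; on failure go to the
     *       error page if one is configured; on success with a real principal, stash the authentication and
     *       redirect back to the original URL unless this request already is that URL;</li>
     *   <li>any other request that is not the original URL: plain form validation (unauthenticated caller
     *       for non-postbacks);</li>
     *   <li>back on the original URL with saved authentication: consume both saved items, replay the original
     *       request via {@link HttpServletRequestDelegator} and re-establish principal and groups.</li>
     * </ol>
     */
    private AuthStatus processContainerInitiatedAuthentication(MessageInfo messageInfo, Subject subject, Subject subject2) throws Exception {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        if (isOnInitialProtectedURL(messageInfo, request)) {
            saveRequest(request);
            if (this.useForwardToLogin) {
                return forward(this.loginPage, request, response);
            }
            return redirect(Utils.getBaseURL(request) + this.loginPage, response);
        }

        if (isOnLoginPostback(request)) {
            AuthStatus status;
            try {
                status = validateRequestForm(messageInfo, subject, subject2);
            } catch (AuthException e) {
                status = AuthStatus.SEND_FAILURE;
            }
            if (status != AuthStatus.SUCCESS) {
                if (status == AuthStatus.SEND_FAILURE && !Utils.isEmpty(this.errorPage)) {
                    return redirect(Utils.getBaseURL(request) + this.errorPage, response);
                }
                return status;
            }
            Caller caller = Caller.fromSubject(subject);
            if (caller == null || caller.getCallerPrincipal() == null || caller.getCallerPrincipal().getName() == null) {
                return AuthStatus.SUCCESS;
            }
            RequestData savedRequest = getSavedRequest(request);
            if (!savedRequest.matchesRequest(request)) {
                saveAuthentication(request, new AuthenticationData(caller.getCallerPrincipal(), caller.getGroups()));
                // The target was recorded from the caller's own earlier request (saveRequest), so this
                // sends the caller back to a URL within its own session, not to an external one.
                return redirect(savedRequest.getFullRequestURL(), response);
            }
        }

        if (!isOnOriginalURLAfterAuthenticate(request)) {
            return validateRequestForm(messageInfo, subject, subject2);
        }

        // Consume the saved state so the replay can happen only once.
        RequestData originalRequest = removeSavedRequest(request);
        AuthenticationData savedAuthentication = removeSavedAuthentication(request);
        messageInfo.setRequestMessage(new HttpServletRequestDelegator(request, originalRequest));
        String[] groups = savedAuthentication.getGroups().toArray(String[]::new);
        this.handler.handle(new Callback[]{
                new CallerPrincipalCallback(subject, savedAuthentication.getPrincipal()),
                new GroupPrincipalCallback(subject, groups)});
        return AuthStatus.SUCCESS;
    }

    /** True when the session carries the caller-initiated marker. */
    private boolean isCallerInitiatedAuthentication(HttpServletRequest request) {
        return Boolean.TRUE.equals(getCallerInitiatedAuthentication(request));
    }

    /**
     * Protected URL, not an authentication request, not the j_security_check URL, with a saved request
     * but no saved authentication: the previous login attempt was abandoned.
     */
    private boolean isOnProtectedURLWithStaleData(MessageInfo messageInfo, HttpServletRequest request) {
        return isProtected(messageInfo)
                && !isAuthenticationRequest(request)
                && getSavedRequest(request) != null
                && getSavedAuthentication(request) == null
                && !request.getRequestURI().endsWith("j_security_check");
    }

    /** Protected URL with no saved state at all: this is where the login flow begins. */
    private boolean isOnInitialProtectedURL(MessageInfo messageInfo, HttpServletRequest request) {
        return isProtected(messageInfo)
                && !isAuthenticationRequest(request)
                && getSavedRequest(request) == null
                && getSavedAuthentication(request) == null
                && !request.getRequestURI().endsWith("j_security_check");
    }

    /** Saved request present, authentication not yet saved: we are expecting the form submission. */
    private boolean isOnLoginPostback(HttpServletRequest request) {
        return getSavedRequest(request) != null && getSavedAuthentication(request) == null;
    }

    /** Both saved items present and the current request matches the saved one: time to replay it. */
    private boolean isOnOriginalURLAfterAuthenticate(HttpServletRequest request) {
        RequestData savedRequest = getSavedRequest(request);
        return Utils.notNull(savedRequest, getSavedAuthentication(request)) && savedRequest.matchesRequest(request);
    }

    /** Sets the caller-initiated marker, creating the session if needed. */
    private void saveCallerInitiatedAuthentication(HttpServletRequest request) {
        request.getSession().setAttribute(CALLER_INITIATED_AUTHENTICATION_SESSION_NAME, Boolean.TRUE);
    }

    /** Reads the caller-initiated marker without creating a session; null when absent. */
    private Boolean getCallerInitiatedAuthentication(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session == null ? null : (Boolean) session.getAttribute(CALLER_INITIATED_AUTHENTICATION_SESSION_NAME);
    }

    private void removeCallerInitiatedAuthentication(HttpServletRequest request) {
        request.getSession().removeAttribute(CALLER_INITIATED_AUTHENTICATION_SESSION_NAME);
    }

    /** Snapshots the current request into the session so it can be replayed after login. */
    private void saveRequest(HttpServletRequest request) {
        request.getSession().setAttribute(ORIGINAL_REQUEST_DATA_SESSION_NAME, RequestData.of(request));
    }

    /** Reads the saved request without creating a session; null when absent. */
    private RequestData getSavedRequest(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session == null ? null : (RequestData) session.getAttribute(ORIGINAL_REQUEST_DATA_SESSION_NAME);
    }

    /** Removes and returns the saved request (may be null). */
    private RequestData removeSavedRequest(HttpServletRequest request) {
        RequestData savedRequest = getSavedRequest(request);
        request.getSession().removeAttribute(ORIGINAL_REQUEST_DATA_SESSION_NAME);
        return savedRequest;
    }

    /** Stores the authentication result until the original URL is replayed. */
    private void saveAuthentication(HttpServletRequest request, AuthenticationData authenticationData) {
        request.getSession().setAttribute(AUTHENTICATION_DATA_SESSION_NAME, authenticationData);
    }

    /** Reads the saved authentication without creating a session; null when absent. */
    private AuthenticationData getSavedAuthentication(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session == null ? null : (AuthenticationData) session.getAttribute(AUTHENTICATION_DATA_SESSION_NAME);
    }

    /** Removes and returns the saved authentication (may be null). */
    private AuthenticationData removeSavedAuthentication(HttpServletRequest request) {
        AuthenticationData savedAuthentication = getSavedAuthentication(request);
        request.getSession().removeAttribute(AUTHENTICATION_DATA_SESSION_NAME);
        return savedAuthentication;
    }

    /** The container marks protected resources with the mandatory-policy key set to "true". */
    private static boolean isProtected(MessageInfo messageInfo) {
        return Boolean.parseBoolean((String) messageInfo.getMap().get(IS_MANDATORY));
    }

    private static boolean isAuthenticationRequest(HttpServletRequest request) {
        return Boolean.TRUE.equals(request.getAttribute(IS_AUTHENTICATION));
    }

    private static boolean isNewAuthentication(HttpServletRequest request) {
        return Boolean.TRUE.equals(request.getAttribute(IS_NEW_AUTHENTICATION));
    }

    /** Issues a redirect and tells the container the response is complete for this round trip. */
    private static AuthStatus redirect(String location, HttpServletResponse response) {
        Utils.redirect(response, location);
        return AuthStatus.SEND_CONTINUE;
    }

    /**
     * Forwards to the given path (the login page). Dispatcher failures are surfaced as
     * IllegalStateException, which validateRequest() turns into an AuthException.
     */
    private static AuthStatus forward(String path, HttpServletRequest request, HttpServletResponse response) {
        try {
            request.getRequestDispatcher(path).forward(request, response);
            return AuthStatus.SEND_CONTINUE;
        } catch (ServletException | IOException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * A credential submission is a POST to a URI ending in "/j_security_check" carrying both the username
     * and the password parameter. (The other URI checks in this class use the bare "j_security_check"
     * suffix; that difference is preserved here.)
     */
    private static boolean isValidFormPostback(HttpServletRequest request) {
        return "POST".equals(request.getMethod())
                && request.getRequestURI().endsWith("/j_security_check")
                && Utils.notNull(request.getParameter(Constants.FORM_USERNAME), request.getParameter(Constants.FORM_PASSWORD));
    }

    /** The principal the container already associates with this request, if any. */
    private Principal getPrincipal(HttpServletRequest request) {
        return request.getUserPrincipal();
    }
}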
