package org.wildfly.elytron.web.undertow.server.servlet;

import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
import jakarta.security.auth.message.AuthException;
import jakarta.security.auth.message.AuthStatus;
import jakarta.security.auth.message.MessageInfo;
import jakarta.security.auth.message.config.AuthConfigFactory;
import jakarta.security.auth.message.config.AuthConfigProvider;
import jakarta.security.auth.message.config.RegistrationListener;
import jakarta.security.auth.message.config.ServerAuthConfig;
import jakarta.security.auth.message.config.ServerAuthContext;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.Serializable;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import org.jboss.logging.Logger;
import org.wildfly.elytron.web.undertow.server.SecurityContextImpl;
import org.wildfly.security.auth.jaspi.impl.JaspiAuthenticationContext;
import org.wildfly.security.auth.jaspi.impl.ServletMessageInfo;
import org.wildfly.security.auth.server.SecurityIdentity;

/* loaded from: input_file:org/wildfly/elytron/web/undertow/server/servlet/ServletSecurityContextImpl.class */
/**
 * Servlet-aware {@link SecurityContextImpl} that, when JASPI is enabled, looks up the
 * {@link AuthConfigProvider} registered for the {@code "HttpServlet"} layer and this
 * application context and runs Jakarta Authentication before falling back to the
 * HTTP authentication implemented by the superclass.
 *
 * <p>When an auth module succeeds and asks for session registration
 * ({@code jakarta.servlet.http.registerSession}), the resulting {@link SecurityIdentity}
 * is cached in the {@link HttpSession} under {@link #IDENTITY_KEY} and restored on later
 * requests without re-running the modules. The logout handler installed here removes
 * that attribute and calls {@code cleanSubject} on the {@link ServerAuthContext}.
 *
 * <p>This listing is decompiler output; the comments describe only the visible code.
 */
public class ServletSecurityContextImpl extends SecurityContextImpl {
    /** MessageInfo map key an auth module may use to report the authentication type it applied. */
    private static final String AUTH_TYPE = "jakarta.servlet.http.authType";
    /** Mechanism name used when neither the superclass nor the auth module supplies one. */
    private static final String DEFAULT_JASPI_MECHANISM = "JASPI";
    /** MessageInfo map key set to {@code "true"} when this request requires authentication. */
    private static final String MANDATORY = "jakarta.security.auth.message.MessagePolicy.isMandatory";
    /** MessageInfo map key an auth module sets to {@code "true"} to request caching of the identity in the session. */
    private static final String REGISTER_SESSION = "jakarta.servlet.http.registerSession";
    /** Message layer passed to {@link AuthConfigFactory#getConfigProvider}. */
    private static final String SERVLET_MESSAGE_LAYER = "HttpServlet";
    /** When false, JASPI is skipped entirely and {@code super.authenticate()} runs. */
    private final boolean enableJaspi;
    /** Forwarded to {@code JaspiAuthenticationContext.newInstance}; its semantics are defined there, not here. */
    private final boolean integratedJaspi;
    /** Application context identifier used for the provider lookup and the ServerAuthConfig. */
    private final String applicationContext;
    /** Gives access to, and allows replacement of, the current servlet request/response. */
    private final RequestResponseAccessor requestResponseAccessor;
    private static final Logger log = Logger.getLogger("org.wildfly.security.http.servlet");
    /** HttpSession attribute key under which an {@link IdentityContainer} is cached. */
    private static final String IDENTITY_KEY = IdentityContainer.class.getName();

    /**
     * Builder for {@link ServletSecurityContextImpl}. JASPI is enabled and integrated by default;
     * {@code applicationContext} and {@code requestResponseAccessor} have no default.
     */
    static class Builder extends SecurityContextImpl.Builder {
        private boolean enableJaspi = true;
        private boolean integratedJaspi = true;
        private String applicationContext;
        private RequestResponseAccessor requestResponseAccessor;

        Builder() {
        }

        /** Enables or disables the JASPI lookup in {@link ServletSecurityContextImpl#authenticate()}. (Decompiler note: originally package-private.) */
        public Builder setEnableJaspi(boolean z) {
            this.enableJaspi = z;
            return this;
        }

        /** Sets the flag forwarded to {@code JaspiAuthenticationContext.newInstance}. (Decompiler note: originally package-private.) */
        public Builder setIntegratedJaspi(boolean z) {
            this.integratedJaspi = z;
            return this;
        }

        /** Sets the application context used for the AuthConfigProvider lookup. (Decompiler note: originally package-private.) */
        public Builder setApplicationContext(String str) {
            this.applicationContext = str;
            return this;
        }

        /** Sets the accessor through which the servlet request/response are read and replaced. (Decompiler note: originally package-private.) */
        public Builder setRequestResponseAccessor(RequestResponseAccessor requestResponseAccessor) {
            this.requestResponseAccessor = requestResponseAccessor;
            return this;
        }

        /** Creates the security context; no validation of the configured values is performed here. */
        public SecurityContext build() {
            return new ServletSecurityContextImpl(this);
        }
    }

    /**
     * Session-stored holder for an authenticated identity and the mechanism name that produced it.
     *
     * <p>Declared {@link Serializable} because it is placed in the {@link HttpSession}.
     * NOTE(review): whether {@link SecurityIdentity} itself is serializable is not visible
     * here — confirm before relying on session passivation or replication.
     * (Decompiler note: originally package-private.)
     */
    public static class IdentityContainer implements Serializable {
        private static final long serialVersionUID = 812605442632466511L;
        private volatile SecurityIdentity securityIdentity;
        private volatile String authType;

        /** @param securityIdentity identity to cache (may be null; callers check on restore)
         *  @param str authentication type reported for this identity (may be null) */
        IdentityContainer(SecurityIdentity securityIdentity, String str) {
            this.securityIdentity = securityIdentity;
            this.authType = str;
        }

        /** Returns the cached identity, or null. */
        SecurityIdentity getSecurityIdentity() {
            return this.securityIdentity;
        }

        /** Returns the cached authentication type, or null. */
        String getAuthType() {
            return this.authType;
        }
    }

    /** Copies the builder's settings; the superclass constructor receives the builder first. */
    ServletSecurityContextImpl(Builder builder) {
        super(builder);
        this.enableJaspi = builder.enableJaspi;
        this.integratedJaspi = builder.integratedJaspi;
        this.applicationContext = builder.applicationContext;
        this.requestResponseAccessor = builder.requestResponseAccessor;
        log.tracef("Created ServletSecurityContextImpl enableJapi=%b, integratedJaspi=%b, applicationContext=%s", Boolean.valueOf(this.enableJaspi), Boolean.valueOf(this.integratedJaspi), this.applicationContext);
    }

    /**
     * Authenticates the current request.
     *
     * <p>Order: an already-authenticated context short-circuits to {@code true}; otherwise, if JASPI
     * is enabled and both an {@link AuthConfigFactory} and a matching {@link AuthConfigProvider}
     * exist, JASPI authentication is attempted and its result returned. In every other case
     * (JASPI disabled, no factory, no provider) the request falls through to
     * {@code super.authenticate()}.
     *
     * <p>A JASPI {@link AuthException} or {@link SecurityException} is logged at trace level,
     * the exchange status is set to 500 and {@code false} is returned — the request does
     * <em>not</em> fall back to HTTP authentication in that case.
     *
     * @return true if the request is authenticated
     */
    public boolean authenticate() {
        if (isAuthenticated()) {
            return true;
        }
        if (this.enableJaspi) {
            AuthConfigFactory authConfigFactory = getAuthConfigFactory();
            if (authConfigFactory != null) {
                // No RegistrationListener: this context is not notified if the provider registration changes later.
                AuthConfigProvider configProvider = authConfigFactory.getConfigProvider(SERVLET_MESSAGE_LAYER, this.applicationContext, (RegistrationListener) null);
                if (configProvider != null) {
                    try {
                        return authenticate(configProvider);
                    } catch (AuthException | SecurityException e) {
                        // Failure of the JASPI exchange itself is a server error, not an "unauthenticated" outcome.
                        log.trace("Authentication failed.", e);
                        this.exchange.setStatusCode(500);
                        return false;
                    }
                }
                log.tracef("No AuthConfigProvider for layer=%s, appContext=%s", SERVLET_MESSAGE_LAYER, this.applicationContext);
            } else {
                log.trace("No AuthConfigFactory available.");
            }
        }
        log.trace("JASPIC Unavailable, using HTTP authentication.");
        return super.authenticate();
    }

    /**
     * Looks up the {@link AuthConfigFactory}, using a privileged action when a SecurityManager is present.
     *
     * <p>Best-effort: any exception is logged at trace level and {@code null} is returned, which
     * makes {@link #authenticate()} fall back to HTTP authentication. NOTE(review): a misconfigured
     * factory is therefore only visible at trace level; consider whether a louder log level is wanted.
     *
     * @return the factory, or null if it could not be obtained
     */
    private static AuthConfigFactory getAuthConfigFactory() {
        try {
            return System.getSecurityManager() != null ? (AuthConfigFactory) doPrivileged(AuthConfigFactory::getFactory) : AuthConfigFactory.getFactory();
        } catch (Exception e) {
            log.trace("Unable to get AuthConfigFactory", e);
            return null;
        }
    }

    /**
     * Runs the JASPI {@code validateRequest} exchange for the current request.
     *
     * <p>Steps, in order: (1) restore a cached identity from the session if present; (2) build a
     * {@link ServerAuthConfig} and {@link ServerAuthContext} for this request; (3) call
     * {@code validateRequest}; (4) always register the clean-up task so {@code secureResponse}
     * runs on the way out; (5) on {@code SUCCESS}, or {@code SEND_SUCCESS} with session
     * registration requested, optionally cache the identity in the session; (6) on
     * {@code SUCCESS} only, adopt any wrapped request/response, complete authentication and
     * install the logout handler.
     *
     * @param authConfigProvider provider already resolved for this layer/context
     * @return true if authentication completed, or if it was not mandatory and validateRequest
     *         returned SUCCESS without an identity; false otherwise (including SEND_* statuses)
     * @throws AuthException propagated from the ServerAuthConfig/ServerAuthContext calls
     * @throws SecurityException propagated from the same calls
     */
    private boolean authenticate(AuthConfigProvider authConfigProvider) throws AuthException, SecurityException {
        final HttpServletRequest httpServletRequest = this.requestResponseAccessor.getHttpServletRequest();
        // getSession(false): never create a session merely to look for a cached identity.
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            IdentityContainer identityContainer = (IdentityContainer) session.getAttribute(IDENTITY_KEY);
            if (identityContainer != null) {
                SecurityIdentity securityIdentity = identityContainer.getSecurityIdentity();
                String authType = identityContainer.getAuthType();
                if (securityIdentity != null) {
                    log.trace("SecurityIdentity restored from HttpSession");
                    authenticationComplete(securityIdentity, authType != null ? authType : getMechanismName());
                    return true;
                }
            } else {
                // Reached only when no container is stored, so this removal is a no-op; a stored
                // container whose identity is null is left in place. NOTE(review): this looks like a
                // decompiler rendering of an inner else — confirm against the original source.
                session.removeAttribute(IDENTITY_KEY);
            }
        }
        JaspiAuthenticationContext jaspiAuthenticationContext = (JaspiAuthenticationContext) doPrivileged(() -> {
            return JaspiAuthenticationContext.newInstance(this.securityDomain, this.integratedJaspi);
        });
        ServerAuthConfig serverAuthConfig = jaspiAuthenticationContext.getServerAuthConfig(authConfigProvider, SERVLET_MESSAGE_LAYER, this.applicationContext);
        HttpServletResponse httpServletResponse = this.requestResponseAccessor.getHttpServletResponse();
        final ServletMessageInfo servletMessageInfo = new ServletMessageInfo();
        servletMessageInfo.setRequestMessage(httpServletRequest);
        servletMessageInfo.setResponseMessage(httpServletResponse);
        if (isAuthenticationRequired()) {
            // Tells the auth module that an unauthenticated outcome must not be treated as success.
            servletMessageInfo.getMap().put(MANDATORY, Boolean.TRUE.toString());
        }
        // Service subject is null and no extra properties are supplied.
        final ServerAuthContext authContext = serverAuthConfig.getAuthContext(serverAuthConfig.getAuthContextID(servletMessageInfo), (Subject) null, Collections.emptyMap());
        if (authContext == null) {
            log.trace("No ServerAuthContext returned, JASPI authentication can not proceed.");
            return false;
        }
        // Client subject populated by the module; the same instance is handed to cleanSubject on logout.
        final Subject subject = new Subject();
        AuthStatus validateRequest = authContext.validateRequest(servletMessageInfo, subject, (Subject) null);
        log.tracef("ServerAuthContext.validateRequest returned AuthStatus=%s", validateRequest);
        // Registered before any status check so secureResponse runs for every outcome. The subject
        // passed here is null, so secureResponse receives a null service subject.
        registerCleanUpTask(this.exchange, authContext, servletMessageInfo, null);
        Map map = servletMessageInfo.getMap();
        // z: the module asked for the identity to be cached in the HttpSession.
        boolean z = map.containsKey(REGISTER_SESSION) && Boolean.parseBoolean(String.valueOf(map.get(REGISTER_SESSION)));
        // Proceed only on SUCCESS, or on SEND_SUCCESS when session registration was requested.
        if (validateRequest != AuthStatus.SUCCESS && (validateRequest != AuthStatus.SEND_SUCCESS || !z)) {
            return false;
        }
        // Mechanism name to report: module-supplied authType, else the superclass name, else "JASPI".
        String valueOf = map.containsKey(AUTH_TYPE) ? String.valueOf(map.get(AUTH_TYPE)) : getMechanismName(DEFAULT_JASPI_MECHANISM);
        SecurityIdentity authorizedIdentity = jaspiAuthenticationContext.getAuthorizedIdentity();
        if (z) {
            // getSession(true) creates a session if none exists. The container is stored even when
            // authorizedIdentity is null; the restore path above checks the identity for null.
            log.trace("Storing SecurityIdentity in HttpSession");
            httpServletRequest.getSession(true).setAttribute(IDENTITY_KEY, new IdentityContainer(authorizedIdentity, valueOf));
        }
        if (validateRequest != AuthStatus.SUCCESS) {
            // SEND_SUCCESS with registration: identity cached, but this request is not authenticated.
            return false;
        }
        // Adopt request/response wrappers installed by the module, if any.
        HttpServletRequest httpServletRequest2 = (HttpServletRequest) servletMessageInfo.getRequestMessage();
        if (httpServletRequest != httpServletRequest2) {
            this.requestResponseAccessor.setHttpServletRequest(httpServletRequest2);
        }
        HttpServletResponse httpServletResponse2 = (HttpServletResponse) servletMessageInfo.getResponseMessage();
        if (httpServletResponse != httpServletResponse2) {
            this.requestResponseAccessor.setHttpServletResponse(httpServletResponse2);
        }
        // z2: an identity was actually established on this context.
        boolean z2 = false;
        if (authorizedIdentity != null) {
            authenticationComplete(authorizedIdentity, valueOf);
            z2 = true;
        }
        // z3: success if an identity was established, or if authentication was optional for this request.
        boolean z3 = z2 || !isAuthenticationRequired();
        if (z3) {
            setLogoutHandler(new Runnable() {
                @Override
                public void run() {
                    // Drop the cached identity so a later request cannot be restored from this session.
                    HttpSession session2 = httpServletRequest.getSession(false);
                    if (session2 != null) {
                        session2.removeAttribute(ServletSecurityContextImpl.IDENTITY_KEY);
                    }
                    try {
                        authContext.cleanSubject(servletMessageInfo, subject);
                    } catch (AuthException e) {
                        // Best-effort: cleanup failure is logged and does not fail the logout.
                        ServletSecurityContextImpl.log.debug("Unable to cleanSubject", e);
                    }
                }
            });
        }
        return z3;
    }

    /**
     * Returns the superclass mechanism name if one is set, otherwise {@code str}.
     * The null check uses {@code getMechanismName()} and the value {@code super.getMechanismName()};
     * this class does not override the no-arg method, so both resolve to the same value.
     */
    private String getMechanismName(String str) {
        return getMechanismName() != null ? super.getMechanismName() : str;
    }

    /**
     * Attaches a {@link CleanUpTask} to the exchange that calls {@code secureResponse} and then
     * adopts any request/response wrappers the module installed during that call.
     *
     * @param httpServerExchange exchange to attach the task to
     * @param serverAuthContext  context whose secureResponse is invoked
     * @param messageInfo        message info shared with the validateRequest call
     * @param subject            service subject for secureResponse (null at the visible call site)
     */
    private void registerCleanUpTask(HttpServerExchange httpServerExchange, final ServerAuthContext serverAuthContext, final MessageInfo messageInfo, final Subject subject) {
        httpServerExchange.putAttachment(CleanUpTask.ATTACHMENT_KEY, new CleanUpTask() {
            @Override
            public void cleanUp(HttpServerExchange httpServerExchange2) throws Exception {
                // Snapshot the current messages so replacements made by secureResponse can be detected.
                HttpServletRequest httpServletRequest = (HttpServletRequest) messageInfo.getRequestMessage();
                HttpServletResponse httpServletResponse = (HttpServletResponse) messageInfo.getResponseMessage();
                serverAuthContext.secureResponse(messageInfo, subject);
                HttpServletRequest httpServletRequest2 = (HttpServletRequest) messageInfo.getRequestMessage();
                if (httpServletRequest != httpServletRequest2) {
                    ServletSecurityContextImpl.this.requestResponseAccessor.setHttpServletRequest(httpServletRequest2);
                }
                HttpServletResponse httpServletResponse2 = (HttpServletResponse) messageInfo.getResponseMessage();
                if (httpServletResponse != httpServletResponse2) {
                    ServletSecurityContextImpl.this.requestResponseAccessor.setHttpServletResponse(httpServletResponse2);
                }
            }
        });
    }

    /**
     * Runs {@code privilegedAction} under {@link AccessController#doPrivileged} when a
     * SecurityManager is installed, otherwise directly.
     *
     * @param privilegedAction action to run
     * @param <T> result type
     * @return the action's result
     */
    private static <T> T doPrivileged(PrivilegedAction<T> privilegedAction) {
        return System.getSecurityManager() != null ? (T) AccessController.doPrivileged(privilegedAction) : privilegedAction.run();
    }

    /** Creates a new {@link Builder} with JASPI enabled and integrated by default. (Decompiler note: originally package-private.) */
    public static Builder builder() {
        return new Builder();
    }
}
