package io.hawt.web;

import io.hawt.system.AuthInfo;
import io.hawt.system.Authenticator;
import io.hawt.system.ConfigManager;
import io.hawt.system.ExtractAuthInfoCallback;
import io.hawt.system.Helpers;
import io.hawt.system.PrivilegedCallback;
import io.hawt.web.tomcat.TomcatAuthenticationContainerDiscovery;
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.aries.blueprint.ext.impl.ExtNamespaceHandler;
import org.codehaus.plexus.PlexusConstants;
import org.eclipse.jgit.lib.ConfigConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:hawtio.war:WEB-INF/lib/hawtio-system-1.4.0.redhat-630347-06.jar:io/hawt/web/AuthenticationFilter.class */
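/**
 * Servlet filter that places hawtio requests behind JAAS authentication.
 *
 * <p>Settings are read once in {@link #init(FilterConfig)} from the {@code ConfigManager} found in
 * the servlet context and then overridden by the {@code hawtio.*} system properties. For each
 * request, {@link #doFilter(ServletRequest, ServletResponse, FilterChain)} either passes it through
 * (authentication disabled or no realm), reuses the {@link Subject} stored in the HTTP session, or
 * delegates to {@link Authenticator}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>An empty or missing realm makes every request bypass authentication, even when
 *       authentication is enabled.</li>
 *   <li>A session that already holds a subject is trusted; only the user name of a supplied
 *       {@code Authorization} header is compared with the session, the password is not re-checked
 *       here.</li>
 * </ul>
 */
public class AuthenticationFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationFilter.class);
    public static final String HAWTIO_NO_CREDENTIALS_401 = "hawtio.noCredentials401";
    public static final String HAWTIO_AUTHENTICATION_ENABLED = "hawtio.authenticationEnabled";
    public static final String HAWTIO_REALM = "hawtio.realm";
    public static final String HAWTIO_ROLE = "hawtio.role";
    public static final String HAWTIO_ROLES = "hawtio.roles";
    public static final String HAWTIO_ROLE_PRINCIPAL_CLASSES = "hawtio.rolePrincipalClasses";
    public static final String AUTHENTICATION_CONFIGURATION = "authenticationConfig";
    private final AuthenticationConfiguration configuration = new AuthenticationConfiguration();
    private final AuthenticationContainerDiscovery[] discoveries = {new TomcatAuthenticationContainerDiscovery()};

    /**
     * Builds the authentication configuration and publishes it in the servlet context.
     *
     * <p>Values from the {@code ConfigManager} context attribute are applied first; any
     * {@code hawtio.*} system property that is set then replaces the corresponding value.
     *
     * @param filterConfig filter configuration giving access to the servlet context
     * @throws ServletException declared by {@link Filter#init(FilterConfig)}; not thrown directly here
     */
    @Override // javax.servlet.Filter
    public void init(FilterConfig filterConfig) throws ServletException {
        ConfigManager configManager = (ConfigManager) filterConfig.getServletContext().getAttribute("ConfigManager");
        // Karaf role principal classes are only the default when running inside Karaf.
        String defaultRolePrincipalClasses = System.getProperty("karaf.name") != null ? "org.apache.karaf.jaas.boot.principal.RolePrincipal,org.apache.karaf.jaas.modules.RolePrincipal,org.apache.karaf.jaas.boot.principal.GroupPrincipal" : "";
        if (configManager != null) {
            // NOTE(review): PlexusConstants.REALM_VISIBILITY, ExtNamespaceHandler.ROLE_ATTRIBUTE and
            // ConfigConstants.CONFIG_KEY_TRUE/FALSE belong to unrelated libraries; they look like
            // decompiler substitutions for plain string literals -- confirm their values.
            this.configuration.setRealm(configManager.get(PlexusConstants.REALM_VISIBILITY, "karaf"));
            String roles = configManager.get(ExtNamespaceHandler.ROLE_ATTRIBUTE, null);
            if (roles == null) {
                roles = configManager.get("roles", null);
            }
            if (roles == null) {
                roles = "admin,viewer";
            }
            this.configuration.setRole(roles);
            this.configuration.setRolePrincipalClasses(configManager.get("rolePrincipalClasses", defaultRolePrincipalClasses));
            this.configuration.setEnabled(Boolean.parseBoolean(configManager.get("authenticationEnabled", ConfigConstants.CONFIG_KEY_TRUE)));
            this.configuration.setNoCredentials401(Boolean.parseBoolean(configManager.get("noCredentials401", ConfigConstants.CONFIG_KEY_FALSE)));
        }

        // System properties win over ConfigManager values. Boolean.getBoolean yields true only for
        // the text "true" (case-insensitive), so any other value of hawtio.authenticationEnabled
        // (for example "yes" or "1") switches authentication off.
        if (System.getProperty(HAWTIO_AUTHENTICATION_ENABLED) != null) {
            this.configuration.setEnabled(Boolean.getBoolean(HAWTIO_AUTHENTICATION_ENABLED));
        }
        if (System.getProperty(HAWTIO_NO_CREDENTIALS_401) != null) {
            this.configuration.setNoCredentials401(Boolean.getBoolean(HAWTIO_NO_CREDENTIALS_401));
        }
        if (System.getProperty(HAWTIO_REALM) != null) {
            this.configuration.setRealm(System.getProperty(HAWTIO_REALM));
        }
        // hawtio.roles is applied after hawtio.role, so it takes precedence when both are set.
        if (System.getProperty(HAWTIO_ROLE) != null) {
            this.configuration.setRole(System.getProperty(HAWTIO_ROLE));
        }
        if (System.getProperty(HAWTIO_ROLES) != null) {
            this.configuration.setRole(System.getProperty(HAWTIO_ROLES));
        }
        if (System.getProperty(HAWTIO_ROLE_PRINCIPAL_CLASSES) != null) {
            this.configuration.setRolePrincipalClasses(System.getProperty(HAWTIO_ROLE_PRINCIPAL_CLASSES));
        }

        if (this.configuration.isEnabled()) {
            // Stop at the first container discovery that reports it can authenticate.
            for (AuthenticationContainerDiscovery discovery : this.discoveries) {
                if (discovery.canAuthenticate(this.configuration)) {
                    LOG.info("Discovered container {} to use with hawtio authentication filter", discovery.getContainerName());
                    break;
                }
            }
        }

        filterConfig.getServletContext().setAttribute("authenticationEnabled", Boolean.valueOf(this.configuration.isEnabled()));
        filterConfig.getServletContext().setAttribute(AUTHENTICATION_CONFIGURATION, this.configuration);

        if (this.configuration.isEnabled()) {
            LOG.info("Starting hawtio authentication filter, JAAS realm: \"{}\" authorized role(s): \"{}\" role principal classes: \"{}\"", new Object[]{this.configuration.getRealm(), this.configuration.getRole(), this.configuration.getRolePrincipalClasses()});
            String realm = this.configuration.getRealm();
            if (realm == null || realm.equals("")) {
                // doFilter() passes every request through when the realm is empty, so make the
                // effective bypass visible to operators instead of leaving it silent.
                LOG.warn("hawtio authentication is enabled but no JAAS realm is configured; requests will NOT be authenticated");
            }
        } else {
            LOG.info("Starting hawtio authentication filter, JAAS authentication disabled");
        }
    }

    /**
     * Authenticates the request before letting it continue down the filter chain.
     *
     * <p>The request is passed through unauthenticated when authentication is disabled or the
     * realm is null or empty. Otherwise an existing session subject is reused if
     * {@link #validateSession} accepts it; failing that, {@link Authenticator#authenticate} decides
     * the outcome and a forbidden response or an authentication prompt is sent for the
     * non-authorized results.
     *
     * @param servletRequest incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse response; cast to {@link HttpServletResponse} when an error is sent
     * @param filterChain remaining filter chain
     * @throws IOException if the chain or a response helper fails with an I/O error
     * @throws ServletException if the pass-through chain invocation fails
     */
    @Override // javax.servlet.Filter
    public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        String servletPath = httpServletRequest.getServletPath();
        LOG.debug("Handling request for path {}", servletPath);

        // Fail-open branch: a missing/empty realm skips authentication just like "disabled" does.
        if (this.configuration.getRealm() == null || this.configuration.getRealm().equals("") || !this.configuration.isEnabled()) {
            LOG.debug("No authentication needed for path {}", servletPath);
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // getSession(false): never create a session for an unauthenticated request.
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            Subject sessionSubject = (Subject) session.getAttribute("subject");
            if (sessionSubject != null && validateSession(httpServletRequest, session, sessionSubject)) {
                executeAs(servletRequest, servletResponse, filterChain, sessionSubject);
                return;
            }
        }

        LOG.debug("Doing authentication and authorization for path {}", servletPath);
        switch (Authenticator.authenticate(this.configuration.getRealm(), this.configuration.getRole(), this.configuration.getRolePrincipalClasses(), this.configuration.getConfiguration(), httpServletRequest, new PrivilegedCallback() { // from class: io.hawt.web.AuthenticationFilter.1
            @Override // io.hawt.system.PrivilegedCallback
            public void execute(Subject subject2) throws Exception {
                AuthenticationFilter.executeAs(servletRequest, servletResponse, filterChain, subject2);
            }
        })) {
            case NOT_AUTHORIZED:
                Helpers.doForbidden((HttpServletResponse) servletResponse);
                return;
            case NO_CREDENTIALS:
                if (this.configuration.isNoCredentials401()) {
                    Helpers.doAuthPrompt(this.configuration.getRealm(), (HttpServletResponse) servletResponse);
                } else {
                    Helpers.doForbidden((HttpServletResponse) servletResponse);
                }
                return;
            case AUTHORIZED:
            default:
                // The chain is not invoked from here; presumably Authenticator already ran the
                // callback above for an authorized subject -- confirm in Authenticator.
                return;
        }
    }

    /**
     * Decides whether the subject stored in the session may be reused for this request.
     *
     * <p>Only the user name is compared: a request without an {@code Authorization} header, or one
     * whose user name equals the session's {@code "user"} attribute, is accepted without checking
     * a password here. A different user name invalidates the session so the caller re-authenticates.
     *
     * @param httpServletRequest request whose {@code Authorization} header is inspected
     * @param httpSession existing session holding the {@code "user"} attribute
     * @param subject session subject, used for debug logging only
     * @return {@code true} if the session is accepted, {@code false} after invalidating it
     */
    private boolean validateSession(HttpServletRequest httpServletRequest, HttpSession httpSession, Subject subject) {
        String authorizationHeader = httpServletRequest.getHeader("Authorization");
        final AuthInfo authInfo = new AuthInfo();
        if (authorizationHeader != null && !authorizationHeader.equals("")) {
            Authenticator.extractAuthInfo(authorizationHeader, new ExtractAuthInfoCallback() { // from class: io.hawt.web.AuthenticationFilter.2
                @Override // io.hawt.system.ExtractAuthInfoCallback
                public void getAuthInfo(String str, String str2) {
                    // Only the first value is kept; presumably (user name, password) -- confirm
                    // against ExtractAuthInfoCallback.
                    authInfo.username = str;
                }
            });
        }
        String sessionUser = (String) httpSession.getAttribute("user");
        if (authInfo.username == null || authInfo.username.equals(sessionUser)) {
            LOG.debug("Session subject - {}", subject);
            return true;
        }
        LOG.debug("User differs, re-authenticating: {} (request) != {} (session)", authInfo.username, sessionUser);
        httpSession.invalidate();
        return false;
    }

    /**
     * Runs the rest of the filter chain on behalf of the authenticated subject.
     *
     * <p>Outside WildFly / JBoss EAP (no {@code jboss.server.name} system property) the chain runs
     * inside {@link Subject#doAs}; on JBoss the subject is stored as request attribute
     * {@code "subject"} and the chain is invoked directly.
     *
     * <p>NOTE(review): failures of the chain are logged at INFO and not rethrown, so the caller
     * cannot tell that the request failed. The logged path comes from the request and is written
     * unsanitised; treat it as untrusted when reading logs.
     *
     * @param servletRequest request to forward
     * @param servletResponse response to forward
     * @param filterChain remaining filter chain
     * @param subject authenticated subject to run as
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static void executeAs(final ServletRequest servletRequest, final ServletResponse servletResponse, final FilterChain filterChain, Subject subject) {
        try {
            if (System.getProperty("jboss.server.name") == null) {
                Subject.doAs(subject, new PrivilegedExceptionAction<Object>() { // from class: io.hawt.web.AuthenticationFilter.3
                    @Override // java.security.PrivilegedExceptionAction
                    public Object run() throws Exception {
                        // The decompiler emitted "FilterChain.this", which is not valid Java here;
                        // the captured final parameter is what the action must call.
                        filterChain.doFilter(servletRequest, servletResponse);
                        return null;
                    }
                });
                return;
            }
            LOG.debug("Running on WildFly / JBoss EAP. Directly invoking filter chain instead of privileged action");
            servletRequest.setAttribute("subject", subject);
            filterChain.doFilter(servletRequest, servletResponse);
        } catch (IOException | PrivilegedActionException | ServletException e) {
            LOG.info("Failed to invoke action " + ((HttpServletRequest) servletRequest).getPathInfo() + " due to:", e);
        }
    }

    /** Logs that the filter is being taken out of service; no resources are released here. */
    @Override // javax.servlet.Filter
    public void destroy() {
        LOG.info("Destroying hawtio authentication filter");
    }
}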
