package net.shibboleth.idp.authn.impl;

import com.google.common.base.Strings;
import jakarta.servlet.ServletConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Iterator;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.AuthenticationFlowDescriptor;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.StringSupport;
import org.slf4j.Logger;

/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-5.1.0.jar:net/shibboleth/idp/authn/impl/RemoteUserAuthServlet.class */
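/**
 * Servlet that completes an external authentication attempt using an identity the
 * container or a front end has already established for the request.
 *
 * <p>The identity is looked up, in order, from: a {@link Subject} stored in a configured
 * request attribute, {@code REMOTE_USER}, a list of request attributes, and a list of
 * request headers. The first non-empty value wins; an empty value is treated the same as
 * an absent one.</p>
 *
 * <p>Deployment caveat: {@code checkHeaders}, {@code authnMethodHeader} and
 * {@code authnAuthorityHeader} are read straight from the HTTP request via
 * {@code getHeader}/{@code getHeaders}. Header fields are supplied by whoever sends the
 * request, so these options are only sound when every path to this servlet passes through
 * a trusted component that sets those headers itself and discards any copy sent by the
 * client. Nothing in this class performs that filtering.</p>
 */
public class RemoteUserAuthServlet extends HttpServlet {
    private static final long serialVersionUID = -3162057736238514851L;

    /** Init parameter: whether to consult REMOTE_USER. */
    @Nonnull
    @NotEmpty
    private static final String CHECK_REMOTE_USER_PARAM = "checkRemoteUser";

    /** Init parameter: space-delimited request attribute names to consult for the identity. */
    @Nonnull
    @NotEmpty
    private static final String CHECK_ATTRIBUTES_PARAM = "checkAttributes";

    /** Init parameter: space-delimited request header names to consult for the identity. */
    @Nonnull
    @NotEmpty
    private static final String CHECK_HEADERS_PARAM = "checkHeaders";

    /** Init parameter: request attribute that may hold a ready-made {@link Subject}. */
    @Nonnull
    @NotEmpty
    private static final String SUBJECT_ATTRIBUTE_PARAM = "subjectAttribute";

    /** Init parameter: request header carrying authentication method names. */
    @Nonnull
    @NotEmpty
    private static final String AUTHN_METHOD_HEADER_PARAM = "authnMethodHeader";

    /** Init parameter: request header carrying authenticating authority names. */
    @Nonnull
    @NotEmpty
    private static final String AUTHN_AUTHORITY_HEADER_PARAM = "authnAuthorityHeader";

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(RemoteUserAuthServlet.class);

    // REMOTE_USER is consulted unless explicitly switched off.
    private boolean checkRemoteUser = true;

    // Request attribute names tried, in order, after REMOTE_USER.
    @Nonnull
    private Collection<String> checkAttributes = CollectionSupport.emptyList();

    // Request header names tried, in order, after the attributes.
    @Nonnull
    private Collection<String> checkHeaders = CollectionSupport.emptyList();

    @NotEmpty
    @Nullable
    private String subjectAttribute;

    @NotEmpty
    @Nullable
    private String authnMethodHeader;

    @NotEmpty
    @Nullable
    private String authnAuthorityHeader;

    /**
     * Sets whether REMOTE_USER is consulted for the identity.
     *
     * @param z {@code true} to consult REMOTE_USER
     */
    public void setCheckRemoteUser(boolean z) {
        this.checkRemoteUser = z;
    }

    /**
     * Sets the request attribute names to consult for the identity.
     *
     * @param collection attribute names; copied, so later changes to the argument have no effect
     */
    public void setCheckAttributes(@Nonnull Collection<String> collection) {
        this.checkAttributes = CollectionSupport.copyToList(collection);
    }

    /**
     * Sets the request header names to consult for the identity.
     *
     * <p>See the class-level caveat: values come from HTTP header fields of the request.</p>
     *
     * @param collection header names; copied, so later changes to the argument have no effect
     */
    public void setCheckHeaders(@Nonnull Collection<String> collection) {
        this.checkHeaders = CollectionSupport.copyToList(collection);
    }

    /**
     * Sets the request attribute in which to look for a {@link Subject}.
     *
     * @param str attribute name, passed through {@code StringSupport.trimOrNull}
     */
    public void setSubjectAttribute(@NotEmpty @Nullable String str) {
        this.subjectAttribute = StringSupport.trimOrNull(str);
    }

    /**
     * Sets the request header that carries authentication method names.
     *
     * @param str header name, passed through {@code StringSupport.trimOrNull}
     */
    public void setAuthnMethodHeader(@NotEmpty @Nullable String str) {
        this.authnMethodHeader = StringSupport.trimOrNull(str);
    }

    /**
     * Sets the request header that carries authenticating authority names.
     *
     * @param str header name, passed through {@code StringSupport.trimOrNull}
     */
    public void setAuthnAuthorityHeader(@NotEmpty @Nullable String str) {
        this.authnAuthorityHeader = StringSupport.trimOrNull(str);
    }

    /**
     * Reads the servlet init parameters and logs the resulting configuration.
     *
     * <p>A parameter that is not present leaves the corresponding field at its current
     * value. The attribute and header lists are split on single spaces and then passed
     * through {@code StringSupport.normalizeStringCollection}.</p>
     *
     * @param servletConfig the servlet configuration
     * @throws ServletException if the superclass initialisation fails
     */
    @Override
    public void init(ServletConfig servletConfig) throws ServletException {
        super.init(servletConfig);

        String remoteUserFlag = servletConfig.getInitParameter(CHECK_REMOTE_USER_PARAM);
        if (remoteUserFlag != null) {
            this.checkRemoteUser = Boolean.parseBoolean(remoteUserFlag);
        }

        String attributeNames = servletConfig.getInitParameter(CHECK_ATTRIBUTES_PARAM);
        if (attributeNames != null) {
            this.checkAttributes = StringSupport.normalizeStringCollection(Arrays.asList(attributeNames.split(" ")));
        }

        String headerNames = servletConfig.getInitParameter(CHECK_HEADERS_PARAM);
        if (headerNames != null) {
            this.checkHeaders = StringSupport.normalizeStringCollection(Arrays.asList(headerNames.split(" ")));
        }

        String subjectAttributeName = servletConfig.getInitParameter(SUBJECT_ATTRIBUTE_PARAM);
        if (subjectAttributeName != null) {
            setSubjectAttribute(subjectAttributeName);
        }

        String methodHeaderName = servletConfig.getInitParameter(AUTHN_METHOD_HEADER_PARAM);
        if (methodHeaderName != null) {
            setAuthnMethodHeader(methodHeaderName);
        }

        String authorityHeaderName = servletConfig.getInitParameter(AUTHN_AUTHORITY_HEADER_PARAM);
        if (authorityHeaderName != null) {
            setAuthnAuthorityHeader(authorityHeaderName);
        }

        // The effective sources are logged at startup so an operator can confirm which
        // request inputs this instance will accept as an identity.
        this.log.info("RemoteUserAuthServlet {} process REMOTE_USER, along with attributes {} and headers {}",
                this.checkRemoteUser ? "will" : "will not", this.checkAttributes, this.checkHeaders);
        if (this.subjectAttribute != null) {
            this.log.info("RemoteUserAuthServlet will check for a javax.security.auth.Subject in attribute: {}", this.subjectAttribute);
        }
        if (this.authnMethodHeader != null) {
            this.log.info("RemoteUserAuthServlet will check for authentication methods in header: {}", this.authnMethodHeader);
        }
        if (this.authnAuthorityHeader != null) {
            this.log.info("RemoteUserAuthServlet will check for authenticating authorities in header: {}", this.authnAuthorityHeader);
        }
    }

    /**
     * Handles one external authentication request.
     *
     * <p>Order of processing: a {@link Subject} in the configured attribute finishes the
     * attempt immediately; otherwise a username is resolved, the authenticating authorities
     * header (if configured) is copied to a request attribute, and the result is published
     * either as a {@link Subject} built from the authentication method header or as a plain
     * principal name. When no identity is found the attempt is finished without one.</p>
     *
     * @param httpServletRequest the request
     * @param httpServletResponse the response
     * @throws ServletException wrapping any {@link ExternalAuthenticationException}
     * @throws IOException declared by the servlet API and by the finish call
     */
    @Override
    protected void service(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        assert httpServletRequest != null && httpServletResponse != null;
        try {
            final String key = ExternalAuthentication.startExternalAuthentication(httpServletRequest);

            if (this.subjectAttribute != null) {
                Object candidate = httpServletRequest.getAttribute(this.subjectAttribute);
                // Any Subject found here is handed on as-is; its principals are not inspected.
                if (candidate instanceof Subject) {
                    this.log.debug("{}: Java Subject extracted from attribute {}: {}", key, this.subjectAttribute, candidate);
                    httpServletRequest.setAttribute(ExternalAuthentication.SUBJECT_KEY, candidate);
                    ExternalAuthentication.finishExternalAuthentication(key, httpServletRequest, httpServletResponse);
                    return;
                }
                this.log.info("{}: Java Subject not found in attribute {}", key, this.subjectAttribute);
            }

            final String username = resolveUsername(key, httpServletRequest);
            if (username == null) {
                this.log.info("{}: User identity not found in request", key);
                ExternalAuthentication.finishExternalAuthentication(key, httpServletRequest, httpServletResponse);
                return;
            }

            publishAuthenticatingAuthorities(httpServletRequest);

            if (!publishSubjectFromMethodHeader(key, username, httpServletRequest)) {
                httpServletRequest.setAttribute(ExternalAuthentication.PRINCIPAL_NAME_KEY, username);
            }
            ExternalAuthentication.finishExternalAuthentication(key, httpServletRequest, httpServletResponse);
        } catch (ExternalAuthenticationException e) {
            throw new ServletException("Error in RemoteUserAuthServlet processing external authentication request", e);
        }
    }

    /**
     * Returns the first non-empty identity from REMOTE_USER, the configured attributes and
     * the configured headers, in that order, or {@code null} when none has a value.
     */
    @Nullable
    private String resolveUsername(String key, HttpServletRequest request) {
        if (this.checkRemoteUser) {
            String remoteUser = request.getRemoteUser();
            // An empty REMOTE_USER is treated as absent so that it is never published as a
            // principal name and does not mask the lower-priority sources.
            if (!Strings.isNullOrEmpty(remoteUser)) {
                this.log.debug("{}: User identity extracted from REMOTE_USER: {}", key, remoteUser);
                return remoteUser;
            }
        }

        for (String attributeName : this.checkAttributes) {
            Object value = request.getAttribute(attributeName);
            if (value != null) {
                String text = value.toString();
                if (!text.isEmpty()) {
                    this.log.debug("{}: User identity extracted from attribute {}: {}", key, attributeName, text);
                    return text;
                }
            }
        }

        for (String headerName : this.checkHeaders) {
            // Header values originate in the HTTP request; see the class-level caveat.
            String value = request.getHeader(headerName);
            // An empty header is skipped rather than kept, so an empty last header cannot
            // end up as the identity.
            if (!Strings.isNullOrEmpty(value)) {
                this.log.debug("{}: User identity extracted from header {}: {}", key, headerName, value);
                return value;
            }
        }
        return null;
    }

    /**
     * Copies the non-empty values of the authenticating-authority header, if configured and
     * present, into the request attribute read by the external authentication layer.
     */
    private void publishAuthenticatingAuthorities(HttpServletRequest request) {
        if (this.authnAuthorityHeader == null) {
            return;
        }
        Enumeration<String> values = request.getHeaders(this.authnAuthorityHeader);
        if (values == null) {
            return;
        }
        ArrayList<String> authorities = new ArrayList<>();
        while (values.hasMoreElements()) {
            String authority = values.nextElement();
            if (!Strings.isNullOrEmpty(authority)) {
                authorities.add(authority);
            }
        }
        if (!authorities.isEmpty()) {
            request.setAttribute(ExternalAuthentication.AUTHENTICATING_AUTHORITIES_KEY, authorities);
        }
    }

    /**
     * Builds a {@link Subject} from the username and the authentication method header and
     * stores it under {@code SUBJECT_KEY}.
     *
     * <p>Header values are only ever matched against the principals the attempted flow
     * supports; a value with no match is logged and dropped, never turned into a principal.</p>
     *
     * @return {@code true} if a Subject was stored, {@code false} if the header is not
     *         configured, not present, or the flow descriptor could not be located
     */
    private boolean publishSubjectFromMethodHeader(String key, String username, HttpServletRequest request) throws ExternalAuthenticationException {
        if (this.authnMethodHeader == null) {
            return false;
        }
        Enumeration<String> methods = request.getHeaders(this.authnMethodHeader);
        if (methods == null || !methods.hasMoreElements()) {
            return false;
        }
        AuthenticationFlowDescriptor flow = getAuthenticationFlowDescriptor(key, request);
        if (flow == null) {
            this.log.error("{}: Unable to locate AuthenticationFlowDescriptor, can't process authentication methods from header", key);
            return false;
        }

        Subject subject = new Subject();
        subject.getPrincipals().add(new UsernamePrincipal(username));
        while (methods.hasMoreElements()) {
            String method = methods.nextElement();
            if (Strings.isNullOrEmpty(method)) {
                continue;
            }
            assert method != null;
            Principal matched = getPrincipal(flow, method);
            if (matched != null) {
                this.log.debug("{}: Successfully processed authentication method from header {}: {}", key, this.authnMethodHeader, method);
                subject.getPrincipals().add(matched);
            } else {
                // NOTE(review): the raw header value is written to the log here; confirm the
                // logging layout neutralises line breaks in logged values.
                this.log.warn("{}: Unable to locate a suitable Principal for authentication method from header {}: {}", key, this.authnMethodHeader, method);
            }
        }
        request.setAttribute(ExternalAuthentication.SUBJECT_KEY, subject);
        return true;
    }

    /**
     * Looks up the flow being attempted for an external authentication key.
     *
     * @param str the key returned by {@code startExternalAuthentication}
     * @param httpServletRequest the request
     * @return the attempted flow, or {@code null} if there is no {@link AuthenticationContext}
     * @throws ExternalAuthenticationException if the profile request context cannot be obtained
     */
    @Nullable
    public AuthenticationFlowDescriptor getAuthenticationFlowDescriptor(@Nonnull @NotEmpty String str, @Nonnull HttpServletRequest httpServletRequest) throws ExternalAuthenticationException {
        AuthenticationContext authenticationContext = (AuthenticationContext) ExternalAuthentication.getProfileRequestContext(str, httpServletRequest).getSubcontext(AuthenticationContext.class);
        return authenticationContext != null ? authenticationContext.getAttemptedFlow() : null;
    }

    /**
     * Finds the supported principal of a flow whose name equals the given string exactly.
     *
     * @param authenticationFlowDescriptor the flow whose supported principals are searched
     * @param str the principal name to match
     * @return the first matching principal, or {@code null} if none matches
     */
    @Nullable
    public Principal getPrincipal(@Nonnull AuthenticationFlowDescriptor authenticationFlowDescriptor, @Nonnull @NotEmpty String str) {
        for (Principal supported : authenticationFlowDescriptor.getSupportedPrincipals()) {
            if (supported.getName().equals(str)) {
                return supported;
            }
        }
        return null;
    }
}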
