package org.wildfly.swarm.monitor.runtime;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.AuthenticationMode;
import io.undertow.security.handlers.AuthenticationCallHandler;
import io.undertow.security.handlers.AuthenticationConstraintHandler;
import io.undertow.security.handlers.AuthenticationMechanismsHandler;
import io.undertow.security.handlers.SecurityInitialHandler;
import io.undertow.security.idm.DigestAlgorithm;
import io.undertow.security.impl.BasicAuthenticationMechanism;
import io.undertow.security.impl.CachedAuthenticatedSessionMechanism;
import io.undertow.security.impl.DigestAuthenticationMechanism;
import io.undertow.security.impl.DigestQop;
import io.undertow.security.impl.SimpleNonceManager;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.PredicateHandler;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import javax.enterprise.inject.Vetoed;
import javax.naming.NamingException;
import org.jboss.as.domain.http.server.security.AuthenticationMechanismWrapper;
import org.jboss.as.domain.http.server.security.RealmIdentityManager;
import org.jboss.as.domain.management.AuthMechanism;
import org.jboss.as.domain.management.SecurityRealm;

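/**
 * Entry handler for the monitor's HTTP contexts. When the monitor reports a security realm, the
 * monitoring endpoints are placed behind that realm's HTTP authentication; otherwise every
 * request goes straight to {@link HttpContexts} unauthenticated.
 *
 * <p>The decision is made once, in the constructor. The per-request predicate built in
 * {@link #secureHandler(HttpHandler, SecurityRealm)} then chooses, for each path, between the
 * authenticating chain and the plain {@link HttpContexts} handler.
 */
@Vetoed
public class SecureHttpContexts implements HttpHandler {
    private final HttpHandler delegate;
    private final Monitor monitor;
    private final HttpHandler next;

    /**
     * Looks up the monitor and builds the handler chain.
     *
     * @param httpHandler the handler that {@link HttpContexts} wraps
     * @throws RuntimeException if the monitor lookup fails with a {@link NamingException}
     */
    public SecureHttpContexts(HttpHandler httpHandler) {
        this.next = httpHandler;
        try {
            this.monitor = Monitor.lookup();
        } catch (NamingException e) {
            throw new RuntimeException("Failed to lookup monitor", e);
        }
        HttpHandler contexts = new HttpContexts(httpHandler);
        Optional<SecurityRealm> securityRealm = this.monitor.getSecurityRealm();
        // No realm configured: the monitoring contexts are served with no authentication at all.
        this.delegate = securityRealm.isPresent() ? secureHandler(contexts, securityRealm.get()) : contexts;
    }

    /**
     * Passes the exchange to the chain chosen at construction time.
     *
     * @param httpServerExchange the current exchange
     * @throws Exception whatever the delegate handler throws
     */
    @Override
    public void handleRequest(HttpServerExchange httpServerExchange) throws Exception {
        this.delegate.handleRequest(httpServerExchange);
    }

    /**
     * Wraps {@code httpHandler} so that selected paths require authentication against
     * {@code securityRealm}.
     *
     * <p>A cached-session mechanism is always registered first. DIGEST and PLAIN realm mechanisms
     * are then mapped to HTTP Digest and HTTP Basic respectively.
     *
     * @param httpHandler the handler to protect; also used as-is for paths that are not protected
     * @param securityRealm the realm that supplies identities and the list of mechanisms
     * @return a handler that routes each request either through authentication or directly to
     *     {@code httpHandler}
     */
    private HttpHandler secureHandler(HttpHandler httpHandler, SecurityRealm securityRealm) {
        AuthenticationConstraintHandler constraintHandler =
                new AuthenticationConstraintHandler(new AuthenticationCallHandler(httpHandler));
        RealmIdentityManager identityManager = new RealmIdentityManager(securityRealm);
        Set<AuthMechanism> supported = securityRealm.getSupportedAuthenticationMechanisms();

        // One extra slot for the cached-session mechanism that is always added.
        List<AuthenticationMechanism> mechanisms = new ArrayList<>(supported.size() + 1);
        mechanisms.add(wrap(new CachedAuthenticatedSessionMechanism(), null));
        for (AuthMechanism authMechanism : supported) {
            switch (authMechanism) {
                case DIGEST:
                    // NOTE(review): MD5 is the only digest algorithm offered to clients here.
                    // Whether a stronger one can be offered depends on how the realm stores
                    // credentials, which is not visible in this class; confirm before changing.
                    mechanisms.add(wrap(
                            new DigestAuthenticationMechanism(
                                    Collections.singletonList(DigestAlgorithm.MD5),
                                    Collections.singletonList(DigestQop.AUTH),
                                    securityRealm.getName(),
                                    "Monitor",
                                    new SimpleNonceManager()),
                            authMechanism));
                    break;
                case PLAIN:
                    // HTTP Basic sends the password merely base64-encoded on every request.
                    // NOTE(review): confirm this listener is only reachable over TLS.
                    mechanisms.add(wrap(new BasicAuthenticationMechanism(securityRealm.getName()), authMechanism));
                    break;
                default:
                    // No HTTP mechanism is registered for LOCAL or any other realm mechanism.
                    break;
            }
        }

        HttpHandler authenticated = new SecurityInitialHandler(
                AuthenticationMode.PRO_ACTIVE,
                identityManager,
                new AuthenticationMechanismsHandler(constraintHandler, mechanisms));

        // Predicate result true -> authenticated chain, false -> httpHandler with no authentication.
        return new PredicateHandler(exchange -> {
            // Fails open: if the realm is absent at request time the request is served
            // unauthenticated. NOTE(review): confirm the realm cannot disappear after startup.
            if (!this.monitor.getSecurityRealm().isPresent()) {
                return false;
            }
            String path = exchange.getRelativePath();
            if (Queries.isAggregatorEndpoint(this.monitor, path)) {
                return true;
            }
            if (Queries.isDirectAccessToHealthEndpoint(this.monitor, path)) {
                // A valid ephemeral token is the only way to skip realm authentication here.
                return !hasTokenAuth(exchange);
            }
            // Exact string match on the relative path. NOTE(review): confirm HttpContexts does not
            // serve these contexts under path variants (for example a trailing slash) that this
            // lookup would not match, since a miss means the request is not authenticated.
            return HttpContexts.getDefaultContextNames().contains(path);
        }, authenticated, httpHandler);
    }

    /**
     * Reports whether the exchange carries the ephemeral token that exempts direct health-endpoint
     * requests from realm authentication.
     *
     * <p>The token is a bypass credential, so it is compared with
     * {@link MessageDigest#isEqual(byte[], byte[])} rather than {@link String#equals(Object)} to
     * avoid leaking how many leading characters matched through response timing. A missing token
     * on either side is treated as "no token" and never as a match.
     *
     * @param httpServerExchange the current exchange
     * @return {@code true} only if a token is attached and equals the expected ephemeral token
     */
    private boolean hasTokenAuth(HttpServerExchange httpServerExchange) {
        String presented = (String) httpServerExchange.getAttachment(HttpContexts.TOKEN);
        String expected = HttpContexts.EPHEMERAL_TOKEN;
        if (presented == null || expected == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Pairs an Undertow mechanism with the realm mechanism it stands for.
     *
     * @param authenticationMechanism the Undertow mechanism to wrap
     * @param authMechanism the corresponding realm mechanism, or {@code null} when there is none
     * @return the wrapped mechanism
     */
    private static AuthenticationMechanism wrap(AuthenticationMechanism authenticationMechanism, AuthMechanism authMechanism) {
        return new AuthenticationMechanismWrapper(authenticationMechanism, authMechanism);
    }
}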
