package io.undertow.security.impl;

import io.undertow.UndertowMessages;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.AuthenticationMode;
import io.undertow.security.api.NotificationReceiver;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.api.SecurityNotification;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.idm.PasswordCredential;
import io.undertow.server.HttpServerExchange;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;

/* loaded from: input_file:io/undertow/security/impl/SecurityContextImpl.class */
public class SecurityContextImpl implements SecurityContext {
    private static final RuntimePermission PERMISSION = new RuntimePermission("MODIFY_UNDERTOW_SECURITY_CONTEXT");
    private final AuthenticationMode authenticationMode;
    private boolean authenticationRequired;
    private String programaticMechName;
    private AuthenticationState authenticationState;
    private final HttpServerExchange exchange;
    private final List<AuthenticationMechanism> authMechanisms;
    private final IdentityManager identityManager;
    private final List<NotificationReceiver> notificationReceivers;
    private String mechanismName;
    private Account account;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/undertow/security/impl/SecurityContextImpl$AuthAttempter.class */
    public class AuthAttempter {
        private final Iterator<AuthenticationMechanism> mechanismIterator;
        private final HttpServerExchange exchange;

        private AuthAttempter(Iterator<AuthenticationMechanism> it, HttpServerExchange httpServerExchange) {
            this.mechanismIterator = it;
            this.exchange = httpServerExchange;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public AuthenticationState transition() {
            if (!this.mechanismIterator.hasNext()) {
                return AuthenticationState.ATTEMPTED;
            }
            AuthenticationMechanism.AuthenticationMechanismOutcome authenticate = this.mechanismIterator.next().authenticate(this.exchange, SecurityContextImpl.this);
            if (authenticate == null) {
                throw UndertowMessages.MESSAGES.authMechanismOutcomeNull();
            }
            switch (authenticate) {
                case AUTHENTICATED:
                    return AuthenticationState.AUTHENTICATED;
                case NOT_AUTHENTICATED:
                    SecurityContextImpl.this.setAuthenticationRequired();
                    return AuthenticationState.ATTEMPTED;
                case NOT_ATTEMPTED:
                    return transition();
                default:
                    throw new IllegalStateException();
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/undertow/security/impl/SecurityContextImpl$AuthenticationState.class */
    public enum AuthenticationState {
        NOT_ATTEMPTED,
        ATTEMPTED,
        AUTHENTICATED,
        CHALLENGE_SENT
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/undertow/security/impl/SecurityContextImpl$ChallengeSender.class */
    public class ChallengeSender {
        private final Iterator<AuthenticationMechanism> mechanismIterator;
        private final HttpServerExchange exchange;
        private boolean atLeastOneChallenge;
        private Integer chosenStatusCode;

        private ChallengeSender(Iterator<AuthenticationMechanism> it, HttpServerExchange httpServerExchange) {
            this.atLeastOneChallenge = false;
            this.chosenStatusCode = null;
            this.mechanismIterator = it;
            this.exchange = httpServerExchange;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public AuthenticationState transition() {
            if (!this.mechanismIterator.hasNext()) {
                if (!this.exchange.isResponseStarted()) {
                    if (!this.atLeastOneChallenge) {
                        this.exchange.setResponseCode(403);
                    } else if (this.chosenStatusCode != null) {
                        this.exchange.setResponseCode(this.chosenStatusCode.intValue());
                    }
                }
                return AuthenticationState.CHALLENGE_SENT;
            }
            AuthenticationMechanism.ChallengeResult sendChallenge = this.mechanismIterator.next().sendChallenge(this.exchange, SecurityContextImpl.this);
            if (sendChallenge.isChallengeSent()) {
                this.atLeastOneChallenge = true;
                Integer desiredResponseCode = sendChallenge.getDesiredResponseCode();
                if (this.chosenStatusCode == null) {
                    this.chosenStatusCode = desiredResponseCode;
                } else if (desiredResponseCode != null && this.chosenStatusCode.equals(200)) {
                    this.chosenStatusCode = desiredResponseCode;
                }
            }
            return transition();
        }
    }

    public SecurityContextImpl(HttpServerExchange httpServerExchange, IdentityManager identityManager) {
        this(httpServerExchange, AuthenticationMode.PRO_ACTIVE, identityManager);
    }

    public SecurityContextImpl(HttpServerExchange httpServerExchange, AuthenticationMode authenticationMode, IdentityManager identityManager) {
        this.programaticMechName = "Programatic";
        this.authenticationState = AuthenticationState.NOT_ATTEMPTED;
        this.authMechanisms = new ArrayList();
        this.notificationReceivers = new ArrayList();
        this.authenticationMode = authenticationMode;
        this.identityManager = identityManager;
        this.exchange = httpServerExchange;
        if (System.getSecurityManager() != null) {
            System.getSecurityManager().checkPermission(PERMISSION);
        }
    }

    @Override // io.undertow.security.api.SecurityContext
    public boolean authenticate() {
        if (this.authenticationState == AuthenticationState.ATTEMPTED) {
            this.authenticationState = AuthenticationState.NOT_ATTEMPTED;
        }
        return !authTransition();
    }

    private boolean authTransition() {
        if (!authTransitionRequired()) {
            switch (this.authenticationState) {
                case NOT_ATTEMPTED:
                case ATTEMPTED:
                case AUTHENTICATED:
                    return false;
                default:
                    return true;
            }
        }
        switch (this.authenticationState) {
            case NOT_ATTEMPTED:
                this.authenticationState = attemptAuthentication();
                break;
            case ATTEMPTED:
                this.authenticationState = sendChallenges();
                break;
            default:
                throw new IllegalStateException("It should not be possible to reach this.");
        }
        return authTransition();
    }

    private AuthenticationState attemptAuthentication() {
        return new AuthAttempter(this.authMechanisms.iterator(), this.exchange).transition();
    }

    private AuthenticationState sendChallenges() {
        return new ChallengeSender(this.authMechanisms.iterator(), this.exchange).transition();
    }

    private boolean authTransitionRequired() {
        switch (this.authenticationState) {
            case NOT_ATTEMPTED:
                return this.authenticationRequired || this.authenticationMode == AuthenticationMode.PRO_ACTIVE;
            case ATTEMPTED:
                return this.authenticationRequired;
            default:
                return false;
        }
    }

    @Override // io.undertow.security.api.SecurityContext
    public void setAuthenticationRequired() {
        this.authenticationRequired = true;
    }

    @Override // io.undertow.security.api.SecurityContext
    public boolean isAuthenticationRequired() {
        return this.authenticationRequired;
    }

    @Override // io.undertow.security.api.SecurityContext
    public boolean isAuthenticated() {
        return this.authenticationState == AuthenticationState.AUTHENTICATED;
    }

    public void setProgramaticMechName(String str) {
        this.programaticMechName = str;
    }

    @Override // io.undertow.security.api.SecurityContext
    public String getMechanismName() {
        return this.mechanismName;
    }

    @Override // io.undertow.security.api.SecurityContext
    public void addAuthenticationMechanism(AuthenticationMechanism authenticationMechanism) {
        this.authMechanisms.add(authenticationMechanism);
    }

    @Override // io.undertow.security.api.SecurityContext
    public List<AuthenticationMechanism> getAuthenticationMechanisms() {
        return Collections.unmodifiableList(this.authMechanisms);
    }

    @Override // io.undertow.security.api.SecurityContext
    public Account getAuthenticatedAccount() {
        return this.account;
    }

    @Override // io.undertow.security.api.SecurityContext
    public IdentityManager getIdentityManager() {
        return this.identityManager;
    }

    @Override // io.undertow.security.api.SecurityContext
    public boolean login(String str, String str2) {
        Account verify = this.identityManager.verify(str, new PasswordCredential(str2.toCharArray()));
        if (verify == null) {
            return false;
        }
        authenticationComplete(verify, this.programaticMechName, true);
        this.authenticationState = AuthenticationState.AUTHENTICATED;
        return true;
    }

    @Override // io.undertow.security.api.SecurityContext
    public void logout() {
        if (isAuthenticated()) {
            sendNoticiation(new SecurityNotification(this.exchange, SecurityNotification.EventType.LOGGED_OUT, this.account, this.mechanismName, true, UndertowMessages.MESSAGES.userLoggedOut(this.account.getPrincipal().getName()), true));
            this.account = null;
            this.mechanismName = null;
            this.authenticationState = AuthenticationState.NOT_ATTEMPTED;
        }
    }

    @Override // io.undertow.security.api.SecurityContext
    public void authenticationComplete(Account account, String str, boolean z) {
        authenticationComplete(account, str, false, z);
    }

    protected void authenticationComplete(Account account, String str, boolean z, boolean z2) {
        this.account = account;
        this.mechanismName = str;
        sendNoticiation(new SecurityNotification(this.exchange, SecurityNotification.EventType.AUTHENTICATED, account, str, z, UndertowMessages.MESSAGES.userAuthenticated(account.getPrincipal().getName()), z2));
    }

    @Override // io.undertow.security.api.SecurityContext
    public void authenticationFailed(String str, String str2) {
        sendNoticiation(new SecurityNotification(this.exchange, SecurityNotification.EventType.FAILED_AUTHENTICATION, null, str2, false, str, true));
    }

    private void sendNoticiation(SecurityNotification securityNotification) {
        Iterator<NotificationReceiver> it = this.notificationReceivers.iterator();
        while (it.hasNext()) {
            it.next().handleNotification(securityNotification);
        }
    }

    @Override // io.undertow.security.api.SecurityContext
    public void registerNotificationReceiver(NotificationReceiver notificationReceiver) {
        this.notificationReceivers.add(notificationReceiver);
    }

    @Override // io.undertow.security.api.SecurityContext
    public void removeNotificationReceiver(NotificationReceiver notificationReceiver) {
        this.notificationReceivers.remove(notificationReceiver);
    }
}
