package io.undertow.security.impl;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.server.ConduitWrapper;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.Cookie;
import io.undertow.server.handlers.CookieImpl;
import io.undertow.server.session.Session;
import io.undertow.server.session.SessionListener;
import io.undertow.server.session.SessionManager;
import io.undertow.util.ConduitFactory;
import io.undertow.util.Sessions;
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import java.util.WeakHashMap;
import org.xnio.conduits.StreamSinkConduit;

/* loaded from: input_file:io/undertow/security/impl/SingleSignOnAuthenticationMechanism.class */
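/**
 * Authentication mechanism that recognises an existing single sign-on (SSO) entry from a
 * request cookie and, for requests authenticated by another mechanism, issues a new SSO cookie.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The cookie value is the only credential checked by {@link #authenticate}: any value that
 *       the {@link SingleSignOnManager} resolves is accepted as the stored account. The
 *       unpredictability and lifetime of the identifier are therefore decided by the manager
 *       implementation, which is not part of this class.</li>
 *   <li>{@code httpOnly} and {@code secure} have no initialiser and so default to {@code false}.
 *       Deployments served over TLS should call {@link #setSecure(boolean)} and
 *       {@link #setHttpOnly(boolean)} with {@code true} so the identifier is not sent over plain
 *       HTTP or exposed to page scripts.</li>
 *   <li>{@link #setDomain(String)} widens the set of hosts that receive the cookie; keep it as
 *       narrow as the SSO scope requires.</li>
 *   <li>The configuration fields are plain, unsynchronised fields. NOTE(review): presumably the
 *       setters are meant to be called before the mechanism starts serving requests - confirm.</li>
 * </ul>
 */
public class SingleSignOnAuthenticationMechanism implements AuthenticationMechanism {
    /** Session attribute under which the id of the SSO entry a session belongs to is stored. */
    private static final String SSO_SESSION_ATTRIBUTE = SingleSignOnAuthenticationMechanism.class.getName() + ".SSOID";
    // Cookie flags; both default to false (see the class-level security notes).
    private boolean httpOnly;
    private boolean secure;
    // Cookie domain; null unless configured through setDomain.
    private String domain;
    private final SingleSignOnManager manager;
    // Synchronized set backed by a WeakHashMap: records which session managers already carry
    // our listener so that it is registered once per manager. The explicit type arguments
    // replace the raw WeakHashMap of the decompiled source (unchecked conversion).
    private final Set<SessionManager> seenSessionManagers = Collections.synchronizedSet(Collections.newSetFromMap(new WeakHashMap<SessionManager, Boolean>()));
    private String cookieName = "JSESSIONIDSSO";
    private final SessionInvalidationListener listener = new SessionInvalidationListener();
    private final ResponseListener responseListener = new ResponseListener();

    /**
     * Response wrapper registered by {@link #authenticate} when the request carried no usable
     * SSO cookie. When the wrapper runs and the exchange has an authenticated account, it
     * creates an SSO entry and sends its id to the client as a cookie.
     */
    final class ResponseListener implements ConduitWrapper<StreamSinkConduit> {
        ResponseListener() {
        }

        /**
         * Creates the SSO entry and response cookie if an account is authenticated, then
         * returns the unmodified conduit from {@code conduitFactory}.
         */
        @Override // io.undertow.server.ConduitWrapper
        public StreamSinkConduit wrap(ConduitFactory<StreamSinkConduit> conduitFactory, HttpServerExchange httpServerExchange) {
            SecurityContext securityContext = httpServerExchange.getSecurityContext();
            Account authenticatedAccount = securityContext.getAuthenticatedAccount();
            if (authenticatedAccount != null) {
                // A new SSO entry is created on every invocation that sees an authenticated
                // account; the wrapper is only registered for requests without a valid SSO cookie.
                SingleSignOn sso = manager.createSingleSignOn(authenticatedAccount, securityContext.getMechanismName());
                registerSessionIfRequired(httpServerExchange, sso);
                // The cookie carries the SSO id, i.e. a bearer credential. Its flags come from
                // the configured httpOnly / secure / domain values (false / false / null by default).
                Cookie ssoCookie = new CookieImpl(cookieName, sso.getId())
                        .setHttpOnly(httpOnly)
                        .setSecure(secure)
                        .setDomain(domain);
                httpServerExchange.getResponseCookies().put(cookieName, ssoCookie);
            }
            return conduitFactory.create();
        }
    }

    /**
     * Session listener that keeps SSO entries in step with session lifecycle: a destroyed session
     * is detached from its SSO entry, and an explicit invalidation logs out the whole entry.
     *
     * <p>The decompiler reports that this class was package-private in the original source; it is
     * left {@code public} here so the decompiled signature is unchanged.
     */
    public final class SessionInvalidationListener implements SessionListener {
        SessionInvalidationListener() {
        }

        @Override // io.undertow.server.session.SessionListener
        public void sessionCreated(Session session, HttpServerExchange httpServerExchange) {
        }

        /**
         * Detaches {@code session} from its SSO entry. If the session was explicitly invalidated,
         * every other session in the entry is invalidated too and the entry is removed from the
         * manager; for any other reason only this session is detached.
         */
        @Override // io.undertow.server.session.SessionListener
        public void sessionDestroyed(Session session, HttpServerExchange httpServerExchange, SessionListener.SessionDestroyedReason sessionDestroyedReason) {
            String ssoId = (String) session.getAttribute(SingleSignOnAuthenticationMechanism.SSO_SESSION_ATTRIBUTE);
            if (ssoId == null) {
                // Session was never associated with an SSO entry by this mechanism.
                return;
            }
            SingleSignOn sso = manager.findSingleSignOn(ssoId);
            if (sso == null) {
                return;
            }
            sso.remove(session);
            if (sessionDestroyedReason == SessionListener.SessionDestroyedReason.INVALIDATED) {
                // NOTE(review): invalidating a session whose manager has this listener registered
                // presumably re-enters sessionDestroyed and calls sso.remove(...) while this
                // iterator is live. Whether that is safe depends on the SingleSignOn
                // implementation's iterator, which is not visible here - confirm.
                Iterator<Session> remaining = sso.iterator();
                while (remaining.hasNext()) {
                    remaining.next().invalidate(null);
                }
                manager.removeSingleSignOn(ssoId);
            }
        }

        @Override // io.undertow.server.session.SessionListener
        public void attributeAdded(Session session, String str, Object obj) {
        }

        @Override // io.undertow.server.session.SessionListener
        public void attributeUpdated(Session session, String str, Object obj, Object obj2) {
        }

        @Override // io.undertow.server.session.SessionListener
        public void attributeRemoved(Session session, String str, Object obj) {
        }

        @Override // io.undertow.server.session.SessionListener
        public void sessionIdChanged(Session session, String str) {
        }
    }

    /**
     * @param singleSignOnManager store used to create, look up and remove SSO entries; it is not
     *                            null-checked here, so a null value fails on first use
     */
    public SingleSignOnAuthenticationMechanism(SingleSignOnManager singleSignOnManager) {
        this.manager = singleSignOnManager;
    }

    /**
     * Authenticates the request from its SSO cookie when the manager knows the cookie value.
     *
     * @return {@code AUTHENTICATED} if the cookie resolved to an SSO entry; otherwise
     *         {@code NOT_ATTEMPTED}, after registering the response wrapper that may issue a
     *         cookie once another mechanism has authenticated the request
     */
    @Override // io.undertow.security.api.AuthenticationMechanism
    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        Cookie cookie = httpServerExchange.getRequestCookies().get(this.cookieName);
        if (cookie != null) {
            // The client-supplied value is used only as a lookup key; no other check is made.
            SingleSignOn sso = this.manager.findSingleSignOn(cookie.getValue());
            if (sso != null) {
                registerSessionIfRequired(httpServerExchange, sso);
                securityContext.authenticationComplete(sso.getAccount(), sso.getMechanismName(), false);
                return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
            }
            // Unknown or expired id: tell the client to drop the stale cookie.
            clearSsoCookie(httpServerExchange);
        }
        httpServerExchange.addResponseWrapper(this.responseListener);
        return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    /**
     * Links the exchange's session to {@code singleSignOn} unless it is already linked, records
     * the SSO id on the session, and registers the invalidation listener on the session's manager
     * the first time that manager is seen.
     *
     * <p>The decompiler reports that this method was {@code private} in the original source; it
     * is left {@code public} here so the decompiled signature is unchanged.
     */
    public void registerSessionIfRequired(HttpServerExchange httpServerExchange, SingleSignOn singleSignOn) {
        Session session = getSession(httpServerExchange);
        if (singleSignOn.contains(session)) {
            return;
        }
        singleSignOn.add(session);
        session.setAttribute(SSO_SESSION_ATTRIBUTE, singleSignOn.getId());
        SessionManager sessionManager = session.getSessionManager();
        // Set.add returns true only on first insertion, so the listener is registered once.
        if (this.seenSessionManagers.add(sessionManager)) {
            sessionManager.registerSessionListener(this.listener);
        }
    }

    /**
     * Queues a response cookie with max-age 0 under the SSO cookie name, using the same
     * httpOnly / secure / domain attributes as the cookie issued by {@link ResponseListener}.
     */
    private void clearSsoCookie(HttpServerExchange httpServerExchange) {
        Cookie expired = new CookieImpl(this.cookieName)
                .setMaxAge(Integer.valueOf(0))
                .setHttpOnly(this.httpOnly)
                .setSecure(this.secure)
                .setDomain(this.domain);
        httpServerExchange.getResponseCookies().put(this.cookieName, expired);
    }

    /** This mechanism never challenges the client; it always returns {@code ChallengeResult(false)}. */
    @Override // io.undertow.security.api.AuthenticationMechanism
    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        return new AuthenticationMechanism.ChallengeResult(false);
    }

    /**
     * Returns the session to associate with the SSO entry. The default delegates to
     * {@link Sessions#getOrCreateSession}; subclasses may override the lookup.
     */
    protected Session getSession(HttpServerExchange httpServerExchange) {
        return Sessions.getOrCreateSession(httpServerExchange);
    }

    /** @return the name of the SSO cookie ({@code "JSESSIONIDSSO"} unless changed) */
    public String getCookieName() {
        return this.cookieName;
    }

    /**
     * @param str cookie name used for both lookup and issuance; not validated here
     * @return this mechanism, for chaining
     */
    public SingleSignOnAuthenticationMechanism setCookieName(String str) {
        this.cookieName = str;
        return this;
    }

    /** @return whether issued cookies carry the HttpOnly attribute (default {@code false}) */
    public boolean isHttpOnly() {
        return this.httpOnly;
    }

    /**
     * @param z {@code true} to mark the SSO cookie HttpOnly
     * @return this mechanism, for chaining
     */
    public SingleSignOnAuthenticationMechanism setHttpOnly(boolean z) {
        this.httpOnly = z;
        return this;
    }

    /** @return whether issued cookies carry the Secure attribute (default {@code false}) */
    public boolean isSecure() {
        return this.secure;
    }

    /**
     * @param z {@code true} to mark the SSO cookie Secure
     * @return this mechanism, for chaining
     */
    public SingleSignOnAuthenticationMechanism setSecure(boolean z) {
        this.secure = z;
        return this;
    }

    /** @return the cookie domain, or {@code null} if none was configured */
    public String getDomain() {
        return this.domain;
    }

    /**
     * @param str domain attribute for the SSO cookie; a broader domain sends the cookie to more hosts
     * @return this mechanism, for chaining
     */
    public SingleSignOnAuthenticationMechanism setDomain(String str) {
        this.domain = str;
        return this;
    }
}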
