package org.wildfly.elytron.web.undertow.server;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.impl.AbstractSecurityContext;
import io.undertow.server.HttpServerExchange;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.List;
import java.util.function.Supplier;
import org.jboss.logging.Logger;
import org.wildfly.common.Assert;
import org.wildfly.security.auth.server.FlexibleIdentityAssociation;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.auth.server.ServerAuthenticationContext;
import org.wildfly.security.evidence.PasswordGuessEvidence;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpAuthenticator;
import org.wildfly.security.http.HttpScope;
import org.wildfly.security.http.HttpServerAuthenticationMechanism;
import org.wildfly.security.http.Scope;
import org.wildfly.security.manager.WildFlySecurityManager;

/* loaded from: input_file:m2repo/org/wildfly/security/elytron-web/undertow-server/1.0.1.Final/undertow-server-1.0.1.Final.jar:org/wildfly/elytron/web/undertow/server/SecurityContextImpl.class */
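/**
 * Undertow {@link SecurityContext} backed by WildFly Elytron.
 *
 * <p>Request authentication ({@link #authenticate()}) is delegated to the Elytron
 * {@link HttpAuthenticator} driving the {@link HttpServerAuthenticationMechanism}s obtained from the
 * configured supplier. Programmatic login ({@link #login(String, String)}) verifies a password guess
 * directly against the {@link SecurityDomain}; on success the principal name is stored in the
 * {@link Scope#SESSION} scope (when that scope supports attachments) so later requests on the same
 * session can be re-authorised by name without the password, see {@link #restoreIdentity()}.
 *
 * <p>Instances are bound to a single {@link HttpServerExchange} and are not synchronized; the
 * {@code logoutHandler} field is replaced by whichever authentication path completed last.
 */
public class SecurityContextImpl extends AbstractSecurityContext {
    private static final Logger log = Logger.getLogger("org.wildfly.security.http");
    /** Session attachment key under which the programmatically authenticated principal name is kept. */
    private static final String AUTHENTICATED_PRINCIPAL_KEY = SecurityContextImpl.class.getName() + ".authenticated-principal";
    /** Mechanism name reported to Undertow for programmatic login / session restore. */
    private final String programaticMechanismName;
    /** May be {@code null}; then programmatic login and session restore are disabled. */
    private final SecurityDomain securityDomain;
    private final Supplier<List<HttpServerAuthenticationMechanism>> mechanismSupplier;
    private final ElytronHttpExchange httpExchange;
    /** Set by the HTTP authenticator or by {@link #setupProgramaticLogout(HttpScope)}; run from {@link #logout()}. */
    private Runnable logoutHandler;
    /** Tracks the current identity; {@code null} when there is no security domain. */
    private final FlexibleIdentityAssociation flexibleIdentityAssociation;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Collects the dependencies of a {@link SecurityContextImpl}; obtain one from {@link SecurityContextImpl#builder()}.
     * {@code exchange}, {@code programaticMechanismName}, {@code mechanismSupplier} and {@code httpExchange}
     * are mandatory, {@code securityDomain} is optional.
     */
    public static class Builder {
        HttpServerExchange exchange;
        String programaticMechanismName;
        SecurityDomain securityDomain;
        Supplier<List<HttpServerAuthenticationMechanism>> mechanismSupplier;
        ElytronHttpExchange httpExchange;

        private Builder() {
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /** Sets the Undertow exchange the context is bound to (required). */
        public Builder setExchange(HttpServerExchange httpServerExchange) {
            this.exchange = httpServerExchange;
            return this;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /** Sets the mechanism name reported for programmatic login (required). */
        public Builder setProgramaticMechanismName(String str) {
            this.programaticMechanismName = str;
            return this;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /** Sets the security domain used for programmatic login; may be left unset. */
        public Builder setSecurityDomain(SecurityDomain securityDomain) {
            this.securityDomain = securityDomain;
            return this;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /** Sets the supplier of HTTP authentication mechanisms used by {@link SecurityContextImpl#authenticate()} (required). */
        public Builder setMechanismSupplier(Supplier<List<HttpServerAuthenticationMechanism>> supplier) {
            this.mechanismSupplier = supplier;
            return this;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /** Sets the Elytron view of the exchange (required). */
        public Builder setHttpExchangeSupplier(ElytronHttpExchange elytronHttpExchange) {
            this.httpExchange = elytronHttpExchange;
            return this;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * Builds the context.
         *
         * @throws IllegalArgumentException if a required property was not set
         */
        public SecurityContext build() {
            return new SecurityContextImpl(this);
        }
    }

    private SecurityContextImpl(Builder builder) {
        super(Assert.checkNotNullParam("exchange", builder.exchange));
        this.programaticMechanismName = Assert.checkNotNullParam("programaticMechanismName", builder.programaticMechanismName);
        this.securityDomain = builder.securityDomain;
        this.mechanismSupplier = Assert.checkNotNullParam("mechanismSupplier", builder.mechanismSupplier);
        this.httpExchange = Assert.checkNotNullParam("httpExchange", builder.httpExchange);
        // The association starts out anonymous and is switched to the authorised identity on login.
        this.flexibleIdentityAssociation = securityDomain == null
                ? null
                : securityDomain.getAnonymousSecurityIdentity().createFlexibleAssociation();
    }

    /**
     * Authenticates the current exchange.
     *
     * <p>Returns {@code true} immediately if the exchange is already authenticated or a principal cached
     * in the session could be re-authorised; otherwise runs the configured HTTP mechanisms.
     *
     * @return {@code true} if the exchange is authenticated (or authentication was not required and
     *         the mechanisms allowed it to proceed), {@code false} otherwise
     */
    @Override // io.undertow.security.api.SecurityContext
    public boolean authenticate() {
        if (isAuthenticated() || restoreIdentity()) {
            return true;
        }
        try {
            return HttpAuthenticator.builder()
                    .setMechanismSupplier(mechanismSupplier)
                    .setHttpExchangeSpi(httpExchange)
                    .setRequired(isAuthenticationRequired())
                    .setIgnoreOptionalFailures(false)
                    .registerLogoutHandler(this::setLogoutHandler)
                    .build()
                    .authenticate();
        } catch (HttpAuthenticationException e) {
            // A mechanism error is treated as a server failure (500), not as a rejected credential.
            // Note that it is only logged at trace level, so such failures are invisible at default log levels.
            log.trace("Authentication failed.", e);
            exchange.setStatusCode(500);
            return false;
        }
    }

    /** Callback handed to the HTTP authenticator so a mechanism can register its own logout action. */
    private void setLogoutHandler(Runnable runnable) {
        this.logoutHandler = runnable;
    }

    /**
     * Creates a fresh authentication context from the security domain, inside a privileged block when a
     * security manager is active. Shared by {@link #login(String, String)} and {@link #restoreIdentity()}
     * so both paths behave the same way under a security manager.
     *
     * <p>Callers must have checked that {@code securityDomain} is non-null.
     */
    private ServerAuthenticationContext newAuthenticationContext() {
        if (WildFlySecurityManager.isChecking()) {
            return AccessController.doPrivileged(
                    (PrivilegedAction<ServerAuthenticationContext>) securityDomain::createNewAuthenticationContext);
        }
        return securityDomain.createNewAuthenticationContext();
    }

    /**
     * Programmatic login with a username and password.
     *
     * <p>The password is verified as {@link PasswordGuessEvidence} against the security domain; the
     * evidence is destroyed on every exit path. On success the identity association is updated, the
     * principal name is cached in the session scope (if it supports attachments) and Undertow is notified
     * via {@code authenticationComplete}. Every failure is reported via {@code authenticationFailed}.
     *
     * @param username the authentication name
     * @param password the password guess; must not be {@code null}
     * @return {@code true} if the user was authenticated and authorised, {@code false} otherwise
     *         (always {@code false} when no security domain is configured)
     */
    @Override // io.undertow.security.api.SecurityContext
    public boolean login(String username, String password) {
        if (securityDomain == null) {
            return false;
        }
        ServerAuthenticationContext authenticationContext = newAuthenticationContext();
        PasswordGuessEvidence evidence = new PasswordGuessEvidence(password.toCharArray());
        try {
            authenticationContext.setAuthenticationName(username);
            if (!authenticationContext.verifyEvidence(evidence)) {
                authenticationFailed("Authentication Failed", programaticMechanismName);
                return false;
            }
            if (!authenticationContext.authorize()) {
                authenticationFailed("Authorization Failed", programaticMechanismName);
                return false;
            }
            SecurityIdentity authorizedIdentity = authenticationContext.getAuthorizedIdentity();
            if (flexibleIdentityAssociation != null) {
                flexibleIdentityAssociation.setIdentity(authorizedIdentity);
            }
            HttpScope sessionScope = httpExchange.getScope(Scope.SESSION);
            if (sessionScope != null && sessionScope.supportsAttachments()) {
                sessionScope.setAttachment(AUTHENTICATED_PRINCIPAL_KEY, username);
            }
            // Null-safe: only installs a clearing handler when there is a usable session scope.
            setupProgramaticLogout(sessionScope);
            authenticationComplete(new ElytronAccount(authorizedIdentity), programaticMechanismName, false);
            return true;
        } catch (IllegalArgumentException | IllegalStateException | RealmUnavailableException e) {
            // The exception message is forwarded to Undertow's failure notification as the reason text.
            authenticationFailed(e.getMessage(), programaticMechanismName);
            return false;
        } finally {
            // Wipe the password copy regardless of how we leave.
            evidence.destroy();
        }
    }

    /**
     * Logs out: runs Undertow's logout, then the registered logout handler, then resets the identity
     * association back to the domain's anonymous identity.
     */
    @Override // io.undertow.security.impl.AbstractSecurityContext, io.undertow.security.api.SecurityContext
    public void logout() {
        super.logout();
        if (logoutHandler != null) {
            logoutHandler.run();
        }
        if (flexibleIdentityAssociation != null) {
            // Non-null association implies a non-null security domain (see constructor).
            flexibleIdentityAssociation.setIdentity(securityDomain.getAnonymousSecurityIdentity());
        }
    }

    /**
     * Re-establishes an identity from the principal name cached in the session by a previous
     * programmatic login.
     *
     * <p>Only authorisation is re-run; no credential is re-verified, so this relies on the session scope
     * being server-side state. A principal that no longer authorises is removed from the session so it is
     * not retried on every request.
     *
     * @return {@code true} if an identity was restored, {@code false} when there is no security domain,
     *         no usable session scope, no cached principal, or authorisation fails
     */
    private boolean restoreIdentity() {
        if (securityDomain == null) {
            return false;
        }
        HttpScope sessionScope = httpExchange.getScope(Scope.SESSION);
        if (sessionScope == null || !sessionScope.supportsAttachments()) {
            return false;
        }
        String principalName = sessionScope.getAttachment(AUTHENTICATED_PRINCIPAL_KEY, String.class);
        if (principalName == null) {
            return false;
        }
        ServerAuthenticationContext authenticationContext = newAuthenticationContext();
        try {
            authenticationContext.setAuthenticationName(principalName);
            if (!authenticationContext.authorize()) {
                sessionScope.setAttachment(AUTHENTICATED_PRINCIPAL_KEY, null);
                return false;
            }
            // NOTE(review): unlike login(), the restored identity is not pushed into
            // flexibleIdentityAssociation here; confirm whether that is intentional.
            authenticationComplete(new ElytronAccount(authenticationContext.getAuthorizedIdentity()), programaticMechanismName, false);
            setupProgramaticLogout(sessionScope);
            return true;
        } catch (IllegalArgumentException | IllegalStateException | RealmUnavailableException e) {
            authenticationFailed(e.getMessage(), programaticMechanismName);
            return false;
        }
    }

    /** Not supported: mechanisms come from the supplier given to the builder. */
    @Override // io.undertow.security.api.SecurityContext
    public void addAuthenticationMechanism(AuthenticationMechanism authenticationMechanism) {
        throw new UnsupportedOperationException();
    }

    /** Not supported: Elytron mechanisms are not exposed as Undertow {@link AuthenticationMechanism}s. */
    @Override // io.undertow.security.api.SecurityContext
    public List<AuthenticationMechanism> getAuthenticationMechanisms() {
        throw new UnsupportedOperationException();
    }

    /** Not supported: identities are managed by the {@link SecurityDomain}, not an Undertow {@link IdentityManager}. */
    @Override // io.undertow.security.api.SecurityContext
    public IdentityManager getIdentityManager() {
        throw new UnsupportedOperationException();
    }

    /**
     * Installs a logout handler that clears the cached principal from {@code httpScope}.
     *
     * <p>If the scope is {@code null} or does not support attachments there is nothing to clear, and the
     * handler is reset to {@code null} rather than installing one that would fail at logout time.
     */
    private void setupProgramaticLogout(HttpScope httpScope) {
        if (httpScope == null || !httpScope.supportsAttachments()) {
            this.logoutHandler = null;
            return;
        }
        this.logoutHandler = () -> httpScope.setAttachment(AUTHENTICATED_PRINCIPAL_KEY, null);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** @return the identity association, or {@code null} when no security domain is configured */
    public FlexibleIdentityAssociation getFlexibleIdentityAssociation() {
        return this.flexibleIdentityAssociation;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** @return a new, empty {@link Builder} */
    public static Builder builder() {
        return new Builder();
    }
}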
