package org.jboss.errai.security.server.tmp;

import java.io.IOException;
import java.lang.annotation.Annotation;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Any;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.picketlink.Identity;
import org.picketlink.annotations.PicketLink;
import org.picketlink.common.constants.LDAPConstants;
import org.picketlink.common.util.StringUtil;
import org.picketlink.credential.DefaultLoginCredentials;

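/**
 * Servlet filter that gates requests behind a PicketLink {@link Identity} login.
 *
 * <p>The filter resolves one {@code HTTPAuthenticationScheme} at {@link #init(FilterConfig)} time,
 * either from a CDI bean qualified with {@code @PicketLink} or from the class named in the
 * {@code authType} init parameter. On each request it asks the scheme to extract credentials,
 * logs the identity in when credentials are present, and otherwise asks the scheme to challenge
 * the client.
 *
 * <p>Security-relevant configuration:
 * <ul>
 *   <li>{@code unprotectedMethods}: comma-separated HTTP methods that skip authentication. The
 *       exemption is decided on the method alone, so it applies to every URL this filter is
 *       mapped to.</li>
 *   <li>{@code forceReAuthentication}: when {@code true}, a request that carries credentials logs
 *       the current identity out before authentication is evaluated again.</li>
 * </ul>
 */
@ApplicationScoped
/* loaded from: input_file:WEB-INF/lib/errai-security-picketlink-3.0.0.CR1.jar:org/jboss/errai/security/server/tmp/AuthenticationFilter.class */
public class AuthenticationFilter implements Filter {
    public static final String AUTH_TYPE_INIT_PARAM = "authType";
    public static final String UNPROTECTED_METHODS_INIT_PARAM = "unprotectedMethods";
    public static final String FORCE_REAUTHENTICATION_INIT_PARAM = "forceReAuthentication";

    // Upper-cased HTTP method names that bypass authentication; filled once in init().
    private final Set<String> unprotectedMethods = new HashSet<String>();
    private boolean forceReAuthentication;

    @Inject
    private Instance<Identity> identityInstance;

    @Inject
    private Instance<DefaultLoginCredentials> credentialsInstance;

    @Inject
    @Any
    private Instance<HTTPAuthenticationScheme> allAvailableAuthSchemesInstance;

    @Inject
    @PicketLink
    private Instance<HTTPAuthenticationScheme> applicationPreferredAuthSchemeInstance;
    private HTTPAuthenticationScheme authenticationScheme;

    /**
     * Resolves and initializes the authentication scheme, then reads the
     * {@code unprotectedMethods} and {@code forceReAuthentication} init parameters.
     *
     * @param filterConfig the filter configuration from the deployment descriptor
     * @throws ServletException declared by the {@link Filter} contract
     * @throws IllegalStateException if the authentication scheme cannot be resolved unambiguously
     * @throws IllegalArgumentException if no scheme bean exists and {@code authType} is not set
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.authenticationScheme = resolveAuthenticationScheme(filterConfig);
        this.authenticationScheme.initialize(filterConfig);

        String methodsParam = filterConfig.getInitParameter(UNPROTECTED_METHODS_INIT_PARAM);
        if (methodsParam != null) {
            // split() returns the whole string when the separator is absent, so one loop covers
            // both the single-value and the list form.
            for (String token : methodsParam.split(LDAPConstants.COMMA)) {
                // Locale.ROOT keeps the comparison with the request method independent of the
                // JVM default locale (the Turkish dotted/dotless i, for example).
                String method = token.trim().toUpperCase(Locale.ROOT);
                if (!method.isEmpty()) {
                    this.unprotectedMethods.add(method);
                }
            }
        }

        // parseBoolean yields false for null and for the empty string, so an absent parameter
        // leaves forced re-authentication off.
        this.forceReAuthentication =
                Boolean.parseBoolean(filterConfig.getInitParameter(FORCE_REAUTHENTICATION_INIT_PARAM));
    }

    /**
     * Lets the request through when its method is unprotected or the identity is already logged
     * in; otherwise attempts a login with the extracted credentials and challenges the client
     * when that does not produce a logged-in identity.
     *
     * @param servletRequest the incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse the outgoing response; must be an {@link HttpServletResponse}
     * @param filterChain the remaining filter chain
     * @throws IOException propagated from the chain or the authentication scheme
     * @throws ServletException if the request or response is not an HTTP one, or propagated from
     *     the chain or the authentication scheme
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest)) {
            throw new ServletException("This filter can only process HttpServletRequest requests.");
        }
        if (!(servletResponse instanceof HttpServletResponse)) {
            // Reject explicitly instead of failing on the cast below with a ClassCastException.
            throw new ServletException("This filter can only write HttpServletResponse responses.");
        }
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

        Identity identity = getIdentity();
        DefaultLoginCredentials credentials = extractCredentials(httpRequest);

        // This runs before the isProtected() check, so with forceReAuthentication enabled a
        // request carrying credentials logs the current identity out even on an unprotected method.
        if (credentials.getCredential() != null && this.forceReAuthentication) {
            identity.logout();
            credentials = extractCredentials(httpRequest);
        }

        if (!isProtected(httpRequest) || identity.isLoggedIn()) {
            filterChain.doFilter(httpRequest, httpResponse);
            return;
        }

        // Makes sure a session exists before the login attempt.
        // NOTE(review): this method does not rotate the session id after a successful login.
        // Confirm that the scheme's postAuthentication() or the container does so; otherwise a
        // session id issued before authentication stays valid afterwards (session fixation).
        httpRequest.getSession();

        if (credentials.getCredential() != null) {
            identity.login();
        }

        if (!identity.isLoggedIn()) {
            this.authenticationScheme.challengeClient(httpRequest, httpResponse);
        } else if (this.authenticationScheme.postAuthentication(httpRequest, httpResponse)) {
            // The chain continues only when the scheme returns true from postAuthentication().
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Picks the authentication scheme: the {@code @PicketLink}-qualified bean when one exists,
     * otherwise the bean of the class named by the {@code authType} init parameter.
     *
     * @param filterConfig the filter configuration holding the optional {@code authType} parameter
     * @return the resolved scheme
     * @throws IllegalStateException if a lookup is ambiguous or unsatisfied, or the configured
     *     class is missing or is not an {@code HTTPAuthenticationScheme}
     * @throws IllegalArgumentException if neither a qualified bean nor {@code authType} is available
     */
    private HTTPAuthenticationScheme resolveAuthenticationScheme(FilterConfig filterConfig) {
        if (this.applicationPreferredAuthSchemeInstance.isAmbiguous()) {
            throw new IllegalStateException(ambiguousBeanError(this.applicationPreferredAuthSchemeInstance, "There is more than one @PicketLink HTTPAuthenticationScheme. Make sure you have only one such type defined."));
        }
        if (!this.applicationPreferredAuthSchemeInstance.isUnsatisfied()) {
            return this.applicationPreferredAuthSchemeInstance.get();
        }

        String authType = filterConfig.getInitParameter(AUTH_TYPE_INIT_PARAM);
        if (authType == null) {
            throw new IllegalArgumentException("No HTTPAuthenticationScheme found. You must provide either a CDI bean qualified with @PicketLink, or define it by fully-qualified class name in the authType init parameter of the " + getClass().getName() + " filter in web.xml.");
        }

        // The class name comes from the deployment descriptor. Class.forName initializes the
        // class before asSubclass() can reject it, so the descriptor must stay deployer-controlled.
        Class<? extends HTTPAuthenticationScheme> schemeType;
        try {
            schemeType = Class.forName(authType).asSubclass(HTTPAuthenticationScheme.class);
        } catch (ClassNotFoundException e) {
            throw new IllegalStateException("HTTPAuthenticationScheme " + authType + " from web.xml could not be found.", e);
        } catch (ClassCastException e) {
            // Report a misconfigured authType the same way as a missing class.
            throw new IllegalStateException("Class " + authType + " from web.xml is not an HTTPAuthenticationScheme.", e);
        }

        Instance<? extends HTTPAuthenticationScheme> selected = this.allAvailableAuthSchemesInstance.select(schemeType);
        if (selected.isAmbiguous()) {
            throw new IllegalStateException(ambiguousBeanError(selected, "HTTPAuthenticationScheme type from web.xml is ambiguous."));
        }
        if (selected.isUnsatisfied()) {
            throw new IllegalStateException("No bean of HTTPAuthenticationScheme type " + authType + " from web.xml is available.");
        }
        return selected.get();
    }

    /**
     * Builds an error message that lists the class name of every bean in an ambiguous lookup.
     *
     * @param instance the ambiguous lookup
     * @param str the leading message text
     * @return {@code str} followed by one line per candidate class
     */
    private static String ambiguousBeanError(Instance<?> instance, String str) {
        StringBuilder message = new StringBuilder(str);
        message.append("\nAmbiguous types:");
        for (Object candidate : instance) {
            message.append("\n  ").append(candidate.getClass().getName());
        }
        return message.toString();
    }

    /**
     * Obtains the credentials bean and lets the authentication scheme fill it from the request.
     *
     * @param httpServletRequest the request to read credentials from
     * @return the credentials bean after the scheme has processed the request
     */
    private DefaultLoginCredentials extractCredentials(HttpServletRequest httpServletRequest) {
        DefaultLoginCredentials credentials = getCredentials();
        this.authenticationScheme.extractCredential(httpServletRequest, credentials);
        return credentials;
    }

    /**
     * Looks up the {@link DefaultLoginCredentials} bean.
     *
     * @return the credentials bean
     * @throws IllegalStateException if the bean is missing, ambiguous, or cannot be retrieved
     */
    private DefaultLoginCredentials getCredentials() {
        if (this.credentialsInstance.isUnsatisfied()) {
            throw new IllegalStateException("DefaultLoginCredentials not found - please ensure that the DefaultLoginCredentials component is created on startup.");
        }
        if (this.credentialsInstance.isAmbiguous()) {
            throw new IllegalStateException("DefaultLoginCredentials is ambiguous. Make sure you have a single @RequestScoped instance.");
        }
        try {
            return this.credentialsInstance.get();
        } catch (Exception e) {
            // Wrap any lookup failure so callers see a single exception type with the cause kept.
            throw new IllegalStateException("Could not retrieve credentials.", e);
        }
    }

    /**
     * Looks up the {@link Identity} bean.
     *
     * @return the identity bean
     * @throws IllegalStateException if the bean is missing, ambiguous, or cannot be retrieved
     */
    private Identity getIdentity() throws ServletException {
        if (this.identityInstance.isUnsatisfied()) {
            throw new IllegalStateException("Identity not found.");
        }
        if (this.identityInstance.isAmbiguous()) {
            throw new IllegalStateException("Identity is ambiguous.");
        }
        try {
            return this.identityInstance.get();
        } catch (Exception e) {
            // Wrap any lookup failure so callers see a single exception type with the cause kept.
            throw new IllegalStateException("Could not retrieve Identity.", e);
        }
    }

    /**
     * Tells whether the request's HTTP method requires authentication.
     *
     * @param httpServletRequest the request to inspect
     * @return {@code false} when the upper-cased method is listed in {@code unprotectedMethods},
     *     {@code true} otherwise
     */
    private boolean isProtected(HttpServletRequest httpServletRequest) {
        // Same locale-independent upper-casing as in init(), so both sides of the lookup agree.
        String method = httpServletRequest.getMethod().toUpperCase(Locale.ROOT);
        return !this.unprotectedMethods.contains(method);
    }
}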
