package io.hawt.web.auth;

import io.hawt.system.AuthenticateResult;
import io.hawt.system.Authenticator;
import io.hawt.web.ServletHelpers;
import java.io.IOException;
import java.security.PrivilegedActionException;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/hawtio-system-2.0.0.fuse-760023-redhat-00001.jar:io/hawt/web/auth/AuthenticationFilter.class */
public class AuthenticationFilter implements Filter {
    private static final transient Logger LOG = LoggerFactory.getLogger((Class<?>) AuthenticationFilter.class);
    private int timeout;
    private AuthenticationConfiguration authConfiguration;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.authConfiguration = AuthenticationConfiguration.getConfiguration(filterConfig.getServletContext());
        this.timeout = AuthSessionHelpers.getSessionTimeout(filterConfig.getServletContext());
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        LOG.trace("Applying {}", getClass().getSimpleName());
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        String servletPath = httpServletRequest.getServletPath();
        LOG.debug("Handling request for path {}", servletPath);
        if (this.authConfiguration.getRealm() == null || this.authConfiguration.getRealm().equals("") || !this.authConfiguration.isEnabled()) {
            LOG.debug("No authentication needed for path {}", servletPath);
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            Subject subject = (Subject) session.getAttribute("subject");
            if (AuthSessionHelpers.isSpringSecurityEnabled()) {
                if (subject == null && httpServletRequest.getRemoteUser() != null) {
                    AuthSessionHelpers.setup(session, new Subject(), httpServletRequest.getRemoteUser(), this.timeout);
                }
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
            if (AuthSessionHelpers.validate(httpServletRequest, session, subject)) {
                executeAs(servletRequest, servletResponse, filterChain, subject);
                return;
            }
        }
        LOG.debug("Doing authentication and authorization for path {}", servletPath);
        AuthenticateResult authenticate = Authenticator.authenticate(this.authConfiguration, httpServletRequest, subject2 -> {
            executeAs(servletRequest, servletResponse, filterChain, subject2);
        });
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        switch (authenticate) {
            case AUTHORIZED:
            default:
                return;
            case NOT_AUTHORIZED:
                ServletHelpers.doForbidden(httpServletResponse);
                return;
            case NO_CREDENTIALS:
                if (this.authConfiguration.isNoCredentials401()) {
                    ServletHelpers.doAuthPrompt(this.authConfiguration.getRealm(), httpServletResponse);
                    return;
                } else {
                    ServletHelpers.doForbidden(httpServletResponse);
                    return;
                }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void executeAs(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain, Subject subject) {
        try {
            Subject.doAs(subject, () -> {
                filterChain.doFilter(servletRequest, servletResponse);
                return null;
            });
        } catch (PrivilegedActionException e) {
            LOG.info("Failed to invoke action " + ((HttpServletRequest) servletRequest).getPathInfo() + " due to:", (Throwable) e);
        }
    }

    public void destroy() {
        LOG.info("Destroying hawtio authentication filter");
    }
}
