package org.jboss.as.web.sso;

import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArraySet;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import org.apache.catalina.Container;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Manager;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
import org.apache.catalina.SessionEvent;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.authenticator.SingleSignOn;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.jboss.as.clustering.web.sso.FullyQualifiedSessionId;
import org.jboss.as.clustering.web.sso.SSOClusterManager;
import org.jboss.as.clustering.web.sso.SSOCredentials;
import org.jboss.as.clustering.web.sso.SSOLocalManager;
import org.jboss.as.web.WebLogger;
import org.jboss.as.web.WebMessages;
import org.jboss.as.web.session.ClusteredSession;
import org.jboss.as.web.session.notification.ClusteredSessionNotificationCause;

/* loaded from: input_file:org/jboss/as/web/sso/ClusteredSingleSignOn.class */
public class ClusteredSingleSignOn extends SingleSignOn implements LifecycleListener, SSOLocalManager {
    public static final int DEFAULT_PROCESS_EXPIRES_INTERVAL = 60;
    public static final int DEFAULT_MAX_EMPTY_LIFE = 1800;
    private final SSOClusterManager ssoClusterManager;
    private Set<Manager> activeManagers = new CopyOnWriteArraySet();
    private volatile int maxEmptyLife = 1800000;
    private volatile int processExpiresInterval = 60000;
    private volatile long lastProcessExpires = System.currentTimeMillis();
    private Map<String, Long> emptySSOs = new ConcurrentHashMap();
    private final Object MUTEX = new Object();

    public ClusteredSingleSignOn(SSOClusterManager sSOClusterManager) {
        this.ssoClusterManager = sSOClusterManager;
        this.ssoClusterManager.setSSOLocalManager(this);
    }

    public int getMaxEmptyLife() {
        return this.maxEmptyLife / 1000;
    }

    public void setMaxEmptyLife(int i) {
        this.maxEmptyLife = i * 1000;
    }

    public int getProcessExpiresInterval() {
        return this.processExpiresInterval / 1000;
    }

    public void setProcessExpiresInterval(int i) {
        this.processExpiresInterval = i * 1000;
    }

    public long getLastProcessExpires() {
        return this.lastProcessExpires;
    }

    public void start() throws LifecycleException {
        if (this.started) {
            throw new LifecycleException(WebMessages.MESSAGES.valveAlreadyStarted());
        }
        checkSystemProperties();
        this.lifecycle.fireLifecycleEvent("start", (Object) null);
        this.started = true;
    }

    public void stop() throws LifecycleException {
        if (!this.started) {
            throw new LifecycleException(WebMessages.MESSAGES.valveNotStarted());
        }
        this.lifecycle.fireLifecycleEvent("stop", (Object) null);
        this.started = false;
    }

    public void sessionEvent(SessionEvent sessionEvent) {
        String str;
        WebLogger.WEB_SSO_LOGGER.tracef("received SessionEvent %s", sessionEvent.toString());
        if ("destroySession".equals(sessionEvent.getType())) {
            Session session = sessionEvent.getSession();
            WebLogger.WEB_SSO_LOGGER.tracef("Process session destroyed on %s", session);
            synchronized (this.reverse) {
                str = (String) this.reverse.get(session);
            }
            if (str == null) {
                WebLogger.WEB_SSO_LOGGER.tracef("ignoring as SSO is already closed for session %s", session);
                return;
            }
            boolean z = false;
            boolean isSessionTimedOut = isSessionTimedOut(session);
            if (!isSessionTimedOut) {
                boolean isManagerStopped = isManagerStopped(session);
                z = isManagerStopped;
                if (!isManagerStopped) {
                    WebLogger.WEB_SSO_LOGGER.tracef("user logged out of SSO %s", str);
                    logout(str);
                    return;
                }
            }
            WebLogger.WEB_SSO_LOGGER.tracef("remove session %s from SSO %s, isSessionTimedOut=%s, isManagerStopped=%s", new Object[]{session, str, Boolean.valueOf(isSessionTimedOut), Boolean.valueOf(z)});
            removeSession(str, session);
            processExpires();
        }
    }

    private boolean isSessionTimedOut(Session session) {
        return session.getMaxInactiveInterval() > 0 && System.currentTimeMillis() - session.getLastAccessedTime() >= ((long) (session.getMaxInactiveInterval() * 1000));
    }

    private boolean isManagerStopped(Session session) {
        return !this.activeManagers.contains(session.getManager());
    }

    public void lifecycleEvent(LifecycleEvent lifecycleEvent) {
        String type = lifecycleEvent.getType();
        if ("before_stop".equals(type) || "stop".equals(type) || "after_stop".equals(type)) {
            Lifecycle lifecycle = lifecycleEvent.getLifecycle();
            if (this.activeManagers.remove(lifecycle)) {
                lifecycle.removeLifecycleListener(this);
                WebLogger.WEB_SSO_LOGGER.tracef("ClusteredSSO: removed stopped manager %s", lifecycle);
            }
        }
    }

    public void invoke(Request request, Response response) throws IOException, ServletException {
        WebLogger.WEB_SSO_LOGGER.tracef("handling request %s", request.getRequestURI());
        request.removeNote("org.apache.catalina.request.SSOID");
        WebLogger.WEB_SSO_LOGGER.tracef("Process request for '%s'", request.getRequestURI());
        if (request.getUserPrincipal() != null) {
            WebLogger.WEB_SSO_LOGGER.tracef("Principal '%s' has already been authenticated", request.getUserPrincipal().getName());
            getNext().invoke(request, response);
            return;
        }
        Cookie cookie = null;
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            cookies = new Cookie[0];
        }
        int i = 0;
        while (true) {
            if (i >= cookies.length) {
                break;
            }
            if (Constants.SINGLE_SIGN_ON_COOKIE.equals(cookies[i].getName())) {
                cookie = cookies[i];
                break;
            }
            i++;
        }
        if (cookie == null) {
            WebLogger.WEB_SSO_LOGGER.trace("SSO cookie is not present");
            getNext().invoke(request, response);
            return;
        }
        String value = cookie.getValue();
        WebLogger.WEB_SSO_LOGGER.tracef("Checking for cached principal for %s", value);
        SingleSignOnEntry singleSignOnEntry = getSingleSignOnEntry(cookie.getValue());
        if (singleSignOnEntry == null || !isValid(value, singleSignOnEntry)) {
            WebLogger.WEB_SSO_LOGGER.tracef("No cached principal found, erasing SSO cookie", new Object[0]);
            cookie.setMaxAge(0);
            response.addCookie(cookie);
        } else {
            Principal principal = singleSignOnEntry.getPrincipal();
            WebLogger.WEB_SSO_LOGGER.tracef("Found cached principal '%s' with auth type '%s'", principal == null ? "NULL" : principal.getName(), singleSignOnEntry.getAuthType());
            request.setNote("org.apache.catalina.request.SSOID", cookie.getValue());
            if (!getRequireReauthentication() && principal != null) {
                request.setAuthType(singleSignOnEntry.getAuthType());
                request.setUserPrincipal(principal);
            }
        }
        getNext().invoke(request, response);
    }

    public void associate(String str, Session session) {
        WebLogger.WEB_SSO_LOGGER.tracef("Associate sso id %s with session %s", str, session);
        SingleSignOnEntry singleSignOnEntry = getSingleSignOnEntry(str);
        boolean z = false;
        if (singleSignOnEntry != null) {
            z = singleSignOnEntry.addSession2(this, session);
        }
        synchronized (this.reverse) {
            this.reverse.put(session, str);
        }
        if (z) {
            Lifecycle manager = session.getManager();
            if (this.activeManagers.add(manager)) {
                manager.addLifecycleListener(this);
            }
            if (this.ssoClusterManager != null) {
                this.ssoClusterManager.addSession(str, getFullyQualifiedSessionId(session));
            }
        }
    }

    protected void deregister(String str, Session session) {
        synchronized (this.reverse) {
            this.reverse.remove(session);
        }
        SingleSignOnEntry singleSignOnEntry = getSingleSignOnEntry(str);
        if (singleSignOnEntry == null) {
            return;
        }
        boolean removeSession2 = singleSignOnEntry.removeSession2(session);
        if (this.ssoClusterManager != null) {
            if (removeSession2) {
                this.ssoClusterManager.removeSession(str, getFullyQualifiedSessionId(session));
                WebLogger.WEB_SSO_LOGGER.tracef("deregister will notify cluster of removed session %s sso id %s", session, str);
            } else {
                WebLogger.WEB_SSO_LOGGER.tracef("deregister didn't find session %s sso id %s cluster notification not sent", session, str);
            }
        }
        if (singleSignOnEntry.getSessionCount() == 0) {
            WebLogger.WEB_SSO_LOGGER.tracef("deregister detected zero sessions for sso id %s", str);
            synchronized (this.cache) {
            }
        }
    }

    public void deregister(String str) {
        SingleSignOnEntry singleSignOnEntry;
        WebLogger.WEB_SSO_LOGGER.tracef("Deregistering sso id '%s'", str);
        this.emptySSOs.remove(str);
        synchronized (this.cache) {
            singleSignOnEntry = (SingleSignOnEntry) this.cache.remove(str);
        }
        if (singleSignOnEntry == null) {
            return;
        }
        for (Session session : singleSignOnEntry.findSessions()) {
            WebLogger.WEB_SSO_LOGGER.tracef(" Invalidating session %s", session);
            synchronized (this.reverse) {
                this.reverse.remove(session);
            }
            ClassLoader classLoader = null;
            try {
                classLoader = bindThread(session);
                session.expire();
                if (classLoader != null) {
                    unbindThread(session, classLoader);
                }
            } catch (Throwable th) {
                if (classLoader != null) {
                    unbindThread(session, classLoader);
                }
                throw th;
            }
        }
        if (this.ssoClusterManager != null) {
            this.ssoClusterManager.logout(str);
        }
    }

    public void deregisterLocal(String str) {
        SingleSignOnEntry singleSignOnEntry;
        WebLogger.WEB_SSO_LOGGER.tracef("Deregistering locally sso id '%s'", str);
        this.emptySSOs.remove(str);
        synchronized (this.cache) {
            singleSignOnEntry = (SingleSignOnEntry) this.cache.remove(str);
        }
        if (singleSignOnEntry == null) {
            return;
        }
        for (Session session : singleSignOnEntry.findSessions()) {
            WebLogger.WEB_SSO_LOGGER.tracef(" Invalidating session %s", session);
            synchronized (this.reverse) {
                this.reverse.remove(session);
            }
            if (session instanceof ClusteredSession) {
                ((ClusteredSession) session).expire(true, false, true, ClusteredSessionNotificationCause.INVALIDATE);
            } else {
                session.expire();
            }
        }
    }

    protected void logout(String str) {
        deregister(str);
        if (this.ssoClusterManager != null) {
            this.ssoClusterManager.logout(str);
        }
    }

    public void removeLogin(String str) {
        SingleSignOnEntry singleSignOnEntry = getSingleSignOnEntry(str);
        if (singleSignOnEntry == null) {
            return;
        }
        for (Session session : singleSignOnEntry.findSessions()) {
            session.setAuthType((String) null);
            session.setPrincipal((Principal) null);
            session.removeNote("org.apache.catalina.session.USERNAME");
            session.removeNote("org.apache.catalina.session.PASSWORD");
        }
        synchronized (singleSignOnEntry) {
            if (singleSignOnEntry.updateCredentials2(null, null, null, null)) {
                this.ssoClusterManager.updateCredentials(str, (String) null, (String) null, (String) null);
            }
        }
    }

    protected SingleSignOnEntry getSingleSignOnEntry(String str) {
        SSOCredentials lookup;
        SingleSignOnEntry localLookup = localLookup(str);
        if (localLookup == null && this.ssoClusterManager != null && (lookup = this.ssoClusterManager.lookup(str)) != null) {
            localLookup = new SingleSignOnEntry(null, lookup.getAuthType(), lookup.getUsername(), lookup.getPassword());
            synchronized (this.cache) {
                this.cache.put(str, localLookup);
            }
        }
        return localLookup;
    }

    public boolean reauthenticate(String str, Realm realm, Request request) {
        String username;
        Principal authenticate;
        if (str == null || realm == null) {
            return false;
        }
        boolean z = false;
        SingleSignOnEntry singleSignOnEntry = getSingleSignOnEntry(str);
        if (singleSignOnEntry != null && singleSignOnEntry.getCanReauthenticate() && (username = singleSignOnEntry.getUsername()) != null && (authenticate = realm.authenticate(username, singleSignOnEntry.getPassword())) != null) {
            z = true;
            request.setAuthType(singleSignOnEntry.getAuthType());
            request.setUserPrincipal(authenticate);
            singleSignOnEntry.setPrincipal(authenticate);
        }
        return z;
    }

    public void register(String str, Principal principal, String str2, String str3, String str4) {
        registerLocal(str, principal, str2, str3, str4);
        this.ssoClusterManager.register(str, str2, str3, str4);
    }

    protected void removeSession(String str, Session session) {
        SingleSignOnEntry singleSignOnEntry = getSingleSignOnEntry(str);
        WebLogger.WEB_SSO_LOGGER.tracef("Removing session %s from sso id %s, %s", session, str, singleSignOnEntry != null ? "found SSO entry" : "SSO entry not found");
        if (singleSignOnEntry == null) {
            return;
        }
        boolean removeSession2 = singleSignOnEntry.removeSession2(session);
        WebLogger.WEB_SSO_LOGGER.tracef("Removing Session %s, session found = %s", session, Boolean.valueOf(removeSession2));
        if (removeSession2) {
            this.ssoClusterManager.removeSession(str, getFullyQualifiedSessionId(session));
        }
        synchronized (this.reverse) {
            this.reverse.remove(session);
        }
    }

    public void update(String str, Principal principal, String str2, String str3, String str4) {
        if (updateLocal(str, principal, str2, str3, str4)) {
            this.ssoClusterManager.updateCredentials(str, str2, str3, str4);
        }
    }

    SingleSignOnEntry localLookup(String str) {
        SingleSignOnEntry singleSignOnEntry;
        synchronized (this.cache) {
            singleSignOnEntry = (SingleSignOnEntry) this.cache.get(str);
        }
        return singleSignOnEntry;
    }

    void registerLocal(String str, Principal principal, String str2, String str3, String str4) {
        WebLogger.WEB_SSO_LOGGER.tracef("Registering sso id '%s' for user '%s' with auth type '%s'", str, principal.getName(), str2);
        synchronized (this.cache) {
            this.cache.put(str, new SingleSignOnEntry(principal, str2, str3, str4));
        }
    }

    boolean updateLocal(String str, Principal principal, String str2, String str3, String str4) {
        boolean z = false;
        SingleSignOnEntry singleSignOnEntry = getSingleSignOnEntry(str);
        if (singleSignOnEntry != null) {
            if (!singleSignOnEntry.getCanReauthenticate()) {
                WebLogger.WEB_SSO_LOGGER.tracef("Update sso id %s to auth type %s", str, str2);
                synchronized (singleSignOnEntry) {
                    z = singleSignOnEntry.updateCredentials2(principal, str2, str3, str4);
                }
            } else if (singleSignOnEntry.getPrincipal() == null && principal != null) {
                WebLogger.WEB_SSO_LOGGER.tracef("Update sso id %s with principal %s", str, principal.getName());
                synchronized (singleSignOnEntry) {
                    singleSignOnEntry.setPrincipal(principal);
                }
            }
        }
        return z;
    }

    public void remoteUpdate(String str, SSOCredentials sSOCredentials) {
        SingleSignOnEntry localLookup = localLookup(str);
        if (localLookup != null) {
            if (sSOCredentials.getAuthType() != null || sSOCredentials.getUsername() != null || sSOCredentials.getPassword() != null) {
                if (localLookup.getCanReauthenticate()) {
                    return;
                }
                WebLogger.WEB_SSO_LOGGER.tracef("Update sso id %s to auth type %s", str, sSOCredentials.getAuthType());
                synchronized (localLookup) {
                    localLookup.updateCredentials(localLookup.getPrincipal(), sSOCredentials.getAuthType(), sSOCredentials.getUsername(), sSOCredentials.getPassword());
                }
                return;
            }
            WebLogger.WEB_SSO_LOGGER.tracef("Uppdating local SSO cache and associated sessions after SSO id %s was logged out on other cluster member", str);
            for (Session session : localLookup.findSessions()) {
                session.setAuthType((String) null);
                session.setPrincipal((Principal) null);
                session.removeNote("org.apache.catalina.session.USERNAME");
                session.removeNote("org.apache.catalina.session.PASSWORD");
            }
            synchronized (localLookup) {
                localLookup.updateCredentials(null, sSOCredentials.getAuthType(), sSOCredentials.getUsername(), sSOCredentials.getPassword());
            }
        }
    }

    public void notifySSOEmpty(String str) {
        if (this.emptySSOs.put(str, new Long(System.currentTimeMillis())) == null) {
            WebLogger.WEB_SSO_LOGGER.tracef("Notified that SSO %s is empty", str);
        }
    }

    public void notifySSONotEmpty(String str) {
        if (this.emptySSOs.remove(str) != null) {
            WebLogger.WEB_SSO_LOGGER.tracef("Notified that SSO %s is no longer empty", str);
        }
    }

    private void processExpires() {
        synchronized (this.MUTEX) {
            long currentTimeMillis = System.currentTimeMillis();
            if (currentTimeMillis - this.lastProcessExpires > this.processExpiresInterval) {
                this.lastProcessExpires = currentTimeMillis;
                clearExpiredSSOs(currentTimeMillis);
            }
        }
    }

    private synchronized void clearExpiredSSOs(long j) {
        for (Map.Entry<String, Long> entry : this.emptySSOs.entrySet()) {
            if (j - entry.getValue().longValue() > this.maxEmptyLife) {
                String key = entry.getKey();
                WebLogger.WEB_SSO_LOGGER.tracef("Invalidating expired SSO %s", key);
                logout(key);
            }
        }
    }

    private boolean isValid(String str, SingleSignOnEntry singleSignOnEntry) {
        Long l;
        boolean z = true;
        if (singleSignOnEntry.getSessionCount() == 0 && (l = this.emptySSOs.get(str)) != null && System.currentTimeMillis() - l.longValue() > this.maxEmptyLife) {
            z = false;
            WebLogger.WEB_SSO_LOGGER.tracef("Invalidating expired SSO %s", str);
            logout(str);
        }
        return z;
    }

    private FullyQualifiedSessionId getFullyQualifiedSessionId(Session session) {
        String idInternal = session.getIdInternal();
        Container container = session.getManager().getContainer();
        return new FullyQualifiedSessionId(idInternal, container.getName(), container.getParent().getName());
    }

    private void checkSystemProperties() {
        final WebLogger webLogger = WebLogger.WEB_SSO_LOGGER;
        Properties properties = System.getProperties();
        final String property = properties.getProperty("org.jboss.as.web.sso.ClusteredSingleSignOn.maxEmptyLife");
        final String property2 = properties.getProperty("org.jboss.as.web.sso.ClusteredSingleSignOn.processExpiresInterval");
        if (property != null || property2 != null) {
            AccessController.doPrivileged(new PrivilegedAction<Object>() { // from class: org.jboss.as.web.sso.ClusteredSingleSignOn.1
                @Override // java.security.PrivilegedAction
                public Object run() {
                    if (webLogger.isInfoEnabled()) {
                        webLogger.infof("Checking system properties for maxEmptyLife and processExpiresInterval override values. This is a one-off fix for Red Hat bug BZ-958572", new Object[0]);
                    }
                    if (property != null) {
                        ClusteredSingleSignOn.this.setMaxEmptyLife(Integer.parseInt(property));
                        if (webLogger.isDebugEnabled()) {
                            webLogger.debugf("maxEmptyLife preset as a System property. Changed value to %s", Integer.valueOf(ClusteredSingleSignOn.this.maxEmptyLife));
                        }
                    }
                    if (property2 == null) {
                        return null;
                    }
                    ClusteredSingleSignOn.this.setProcessExpiresInterval(Integer.parseInt(property2));
                    if (!webLogger.isDebugEnabled()) {
                        return null;
                    }
                    webLogger.debugf("processExpiredInterval preset as a System property. Changed value to %s", Integer.valueOf(ClusteredSingleSignOn.this.processExpiresInterval));
                    return null;
                }
            });
        }
        if (webLogger.isTraceEnabled()) {
            webLogger.tracef("Cleared adding the System properties within a privileged action.", new Object[0]);
        }
    }

    static {
        info = ClusteredSingleSignOn.class.getName();
    }
}
