package org.wildfly.security.http;

import java.io.OutputStream;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.function.Consumer;
import java.util.function.Supplier;
import org.wildfly.common.Assert;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.auth.server.ServerAuthenticationContext;
import org.wildfly.security.cache.CachedIdentity;
import org.wildfly.security.cache.IdentityCache;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.evidence.PasswordGuessEvidence;
import org.wildfly.security.http.impl.BaseHttpServerRequest;
import org.wildfly.security.password.interfaces.ClearPassword;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/wildfly-elytron-1.15.5.Final.jar:org/wildfly/security/http/HttpAuthenticator.class
 */
/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-http-1.17.1.Final.jar:org/wildfly/security/http/HttpAuthenticator.class */
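/**
 * Performs HTTP authentication for one exchange.
 * <p>
 * {@link #authenticate()} first tries to restore an identity cached against the
 * session and otherwise runs each configured {@link HttpServerAuthenticationMechanism}
 * in order through an {@link AuthenticationExchange}. Mechanisms report back through
 * the {@link HttpServerRequest} callbacks (complete / in progress / failed / bad request),
 * optionally registering a responder that later writes the challenge or the
 * post-login response. {@link #login(String, String)} offers a programmatic
 * username/password login against the configured {@link SecurityDomain}.
 * <p>
 * This listing was decompiled from wildfly-elytron-http-1.17.1.Final.jar. The
 * decompiler could not recover the body of {@link #restoreIdentity()}; see the note
 * on that method before relying on this class as listed.
 */
public class HttpAuthenticator {
    /** Session-scope attachment key under which the cached identity is stored. */
    private static final String MY_AUTHENTICATED_IDENTITY_KEY = HttpAuthenticator.class.getName() + ".authenticated-identity";
    /** Produces the mechanisms to evaluate, in the order they are tried. */
    private final Supplier<List<HttpServerAuthenticationMechanism>> mechanismSupplier;
    /** Produces the identity cache; defaults to the session-attachment cache built by {@link #createIdentityCache(String)}. */
    private final Supplier<IdentityCache> identityCacheSupplier;
    /** Domain used by the programmatic {@link #login(String, String)}; may be null, in which case login returns null. */
    private final SecurityDomain securityDomain;
    /** Bridge to the hosting HTTP container. */
    private final HttpExchangeSpi httpExchangeSpi;
    /** Whether the request must be authenticated before it may proceed. */
    private final boolean required;
    /** For optional authentication only: let the request through even if a mechanism attempted and failed. */
    private final boolean ignoreOptionalFailures;
    /** Mechanism name reported for programmatic logins and stored with cached identities. */
    private final String programmaticMechanismName;
    /** Receives a {@link Runnable} to invoke on logout; may be null, the {@link Builder} does not require it. */
    private final Consumer<Runnable> logoutHandlerConsumer;
    /** Lazily created by {@link #getOrCreateIdentityCache()}. */
    private volatile IdentityCache identityCache;
    /** Set once a mechanism calls {@code authenticationComplete}. */
    private volatile boolean authenticated;

    /**
     * One run of the configured mechanisms against the current exchange. Acts as both the
     * request view the mechanisms inspect and the response they write their challenge to.
     */
    private class AuthenticationExchange extends BaseHttpServerRequest implements HttpServerRequest, HttpServerResponse {
        /** Mechanism whose {@code evaluateRequest} is currently running; null between/after evaluations. */
        private volatile HttpServerAuthenticationMechanism currentMechanism;
        /** Some mechanism reported in-progress, failed or bad-request; drives the optional-auth decision. */
        private volatile boolean authenticationAttempted;
        /** Status code requested by a responder, -1 until one is set. */
        private volatile int statusCode;
        /** Responders may only set a status code while a response is being sent. */
        private volatile boolean statusCodeAllowed;
        /** Challenge responders registered by the mechanisms during evaluation. */
        private volatile List<HttpServerMechanismsResponder> responders;
        /** Responder handed in with {@code authenticationComplete}, e.g. a post-login redirect. */
        private volatile HttpServerMechanismsResponder successResponder;

        AuthenticationExchange() {
            super(HttpAuthenticator.this.httpExchangeSpi);
            this.authenticationAttempted = false;
            this.statusCode = -1;
            this.statusCodeAllowed = false;
        }

        /**
         * Runs every mechanism against this exchange.
         * <p>
         * Access was {@code private} in the original source (decompiler note); restored here,
         * the enclosing class is the only caller.
         *
         * @return {@code true} when the request may proceed to the application (a mechanism
         *         authenticated it, or authentication is optional and nothing blocks it);
         *         {@code false} when a response has been written (challenge, 403, or a success
         *         responder that set a status code) and the request must stop here
         * @throws HttpAuthenticationException when authentication is required but no mechanism
         *         is configured, when no responder managed to send a challenge, or when a
         *         mechanism failed evaluating the request and no responder was registered at all
         */
        private boolean authenticate() throws HttpAuthenticationException {
            List<HttpServerAuthenticationMechanism> mechanisms = HttpAuthenticator.this.mechanismSupplier.get();
            if (HttpAuthenticator.this.required && mechanisms.isEmpty()) {
                throw ElytronMessages.log.httpAuthenticationNoMechanisms();
            }
            this.responders = new ArrayList<>(mechanisms.size());
            boolean evaluationFailed = false;
            try {
                for (HttpServerAuthenticationMechanism mechanism : mechanisms) {
                    this.currentMechanism = mechanism;
                    try {
                        mechanism.evaluateRequest(this);
                    } catch (HttpAuthenticationException e) {
                        // Every mechanism gets its turn; this failure only surfaces as an
                        // exception if nobody registers a responder (see below).
                        evaluationFailed = true;
                        ElytronMessages.log.trace("Request evaluation for mechanism '%s' failed.", mechanism.getMechanismName(), e);
                    }
                    if (HttpAuthenticator.this.isAuthenticated()) {
                        return sendSuccessResponse();
                    }
                }
                this.currentMechanism = null;
                // Optional authentication: proceed if no mechanism attempted anything, or if
                // attempted-but-failed is configured to be ignored.
                if (!HttpAuthenticator.this.required
                        && (!this.authenticationAttempted || HttpAuthenticator.this.ignoreOptionalFailures)) {
                    return true;
                }
                this.statusCodeAllowed = true;
                if (this.responders.isEmpty()) {
                    if (evaluationFailed) {
                        throw ElytronMessages.log.httpAuthenticationFailedEvaluatingRequest();
                    }
                    // Nothing to challenge with: deny outright.
                    HttpAuthenticator.this.httpExchangeSpi.setStatusCode(403);
                } else {
                    sendChallenges();
                }
                return false;
            } finally {
                // Single disposal point. The decompiled listing also disposed on each early
                // return, so every mechanism was disposed twice on those paths.
                for (HttpServerAuthenticationMechanism mechanism : mechanisms) {
                    mechanism.dispose();
                }
            }
        }

        /**
         * Invoked once a mechanism has called {@code authenticationComplete}. Lets the success
         * responder write (e.g. a post-login redirect); if it set a status code the response
         * is treated as committed and the request must not continue.
         *
         * @return {@code true} if the request should proceed to the application
         * @throws HttpAuthenticationException propagated from the success responder
         */
        private boolean sendSuccessResponse() throws HttpAuthenticationException {
            if (this.successResponder == null) {
                return true;
            }
            this.statusCodeAllowed = true;
            this.successResponder.sendResponse(this);
            if (this.statusCode > 0) {
                HttpAuthenticator.this.httpExchangeSpi.setStatusCode(this.statusCode);
                return false;
            }
            return true;
        }

        /**
         * Sends every registered responder's challenge and settles the status code: the first
         * code other than 200/403 is applied immediately and wins; a 403 is remembered only as
         * the fallback; if no responder set anything else the fallback (403 or 200) is applied.
         * A responder that throws is logged at trace and skipped.
         *
         * @throws HttpAuthenticationException if no responder managed to send a challenge
         */
        private void sendChallenges() throws HttpAuthenticationException {
            boolean anySent = false;
            boolean statusApplied = false;
            int fallbackStatus = 200;
            for (HttpServerMechanismsResponder responder : this.responders) {
                try {
                    responder.sendResponse(this);
                    anySent = true;
                    if (!statusApplied && this.statusCode > 0) {
                        if (this.statusCode == 403) {
                            fallbackStatus = this.statusCode;
                        } else if (this.statusCode != 200) {
                            statusApplied = true;
                            HttpAuthenticator.this.httpExchangeSpi.setStatusCode(this.statusCode);
                        }
                    }
                } catch (HttpAuthenticationException e) {
                    ElytronMessages.log.trace("HTTP Authentication mechanism unable to send challenge.", e);
                }
            }
            if (!anySent) {
                throw ElytronMessages.log.httpAuthenticationNoSuccessfulResponder();
            }
            if (!statusApplied) {
                HttpAuthenticator.this.httpExchangeSpi.setStatusCode(fallbackStatus);
            }
        }

        /**
         * Peer certificates from the SPI. The {@code required} flag is passed straight through;
         * presumably it lets the SPI demand/renegotiate client certificates only when
         * authentication is mandatory - confirm against {@link HttpExchangeSpi}.
         */
        @Override // org.wildfly.security.http.impl.BaseHttpServerRequest, org.wildfly.security.http.HttpServerRequest
        public Certificate[] getPeerCertificates() {
            return HttpAuthenticator.this.httpExchangeSpi.getPeerCertificates(HttpAuthenticator.this.required);
        }

        /** Mechanism saw nothing for it in the request; it may still register a challenge. */
        @Override // org.wildfly.security.http.HttpServerRequest
        public void noAuthenticationInProgress(HttpServerMechanismsResponder responder) {
            if (responder != null) {
                this.responders.add(responder);
            }
        }

        /** Mechanism started a multi-step exchange; counts as an attempt for optional auth. */
        @Override // org.wildfly.security.http.HttpServerRequest
        public void authenticationInProgress(HttpServerMechanismsResponder responder) {
            this.authenticationAttempted = true;
            if (responder != null) {
                this.responders.add(responder);
            }
        }

        /**
         * Mechanism authenticated the request. Marks the authenticator authenticated, hands the
         * negotiated {@link SecurityIdentity} to the SPI and keeps the responder for
         * {@link #sendSuccessResponse()}.
         */
        @Override // org.wildfly.security.http.HttpServerRequest
        public void authenticationComplete(HttpServerMechanismsResponder responder) {
            HttpAuthenticator.this.authenticated = true;
            SecurityIdentity identity = (SecurityIdentity) this.currentMechanism.getNegotiationProperty(HttpConstants.SECURITY_IDENTITY, SecurityIdentity.class);
            HttpAuthenticator.this.httpExchangeSpi.authenticationComplete(identity, this.currentMechanism.getMechanismName());
            this.successResponder = responder;
        }

        /** As {@link #authenticationComplete(HttpServerMechanismsResponder)}, plus a mechanism-supplied logout hook. */
        @Override // org.wildfly.security.http.HttpServerRequest
        public void authenticationComplete(HttpServerMechanismsResponder responder, Runnable logoutHandler) {
            authenticationComplete(responder);
            if (HttpAuthenticator.this.logoutHandlerConsumer != null) {
                HttpAuthenticator.this.logoutHandlerConsumer.accept(logoutHandler);
            }
        }

        /** Mechanism rejected the credentials; the message goes to the SPI (e.g. for audit). */
        @Override // org.wildfly.security.http.HttpServerRequest
        public void authenticationFailed(String message, HttpServerMechanismsResponder responder) {
            this.authenticationAttempted = true;
            HttpAuthenticator.this.httpExchangeSpi.authenticationFailed(message, this.currentMechanism.getMechanismName());
            if (responder != null) {
                this.responders.add(responder);
            }
        }

        /** Mechanism could not parse the request; reported to the SPI and counted as an attempt. */
        @Override // org.wildfly.security.http.HttpServerRequest
        public void badRequest(HttpAuthenticationException failure, HttpServerMechanismsResponder responder) {
            this.authenticationAttempted = true;
            HttpAuthenticator.this.httpExchangeSpi.badRequest(failure, this.currentMechanism.getMechanismName());
            if (responder != null) {
                this.responders.add(responder);
            }
        }

        @Override // org.wildfly.security.http.HttpServerResponse
        public void addResponseHeader(String name, String value) {
            HttpAuthenticator.this.httpExchangeSpi.addResponseHeader(name, value);
        }

        /**
         * Records the status code a responder wants. Only legal while a response is being sent
         * (otherwise {@code statusCodeNotNow} is thrown). The first code is always accepted; a
         * later call only overrides it with something other than 200.
         */
        @Override // org.wildfly.security.http.HttpServerResponse
        public void setStatusCode(int code) {
            if (!this.statusCodeAllowed) {
                throw ElytronMessages.log.statusCodeNotNow();
            }
            if (this.statusCode < 0 || code != 200) {
                this.statusCode = code;
            }
        }

        @Override // org.wildfly.security.http.HttpServerResponse
        public OutputStream getOutputStream() {
            return HttpAuthenticator.this.httpExchangeSpi.getResponseOutputStream();
        }

        @Override // org.wildfly.security.http.HttpServerResponse
        public void setResponseCookie(HttpServerCookie cookie) {
            HttpAuthenticator.this.httpExchangeSpi.setResponseCookie(cookie);
        }

        /**
         * Asks the SPI to forward to {@code path}; a positive return is taken as the resulting
         * status code and recorded through {@link #setStatusCode(int)}.
         *
         * @return {@code true} if the SPI performed the forward
         */
        @Override // org.wildfly.security.http.HttpServerResponse
        public boolean forward(String path) {
            int resultCode = HttpAuthenticator.this.httpExchangeSpi.forward(path);
            if (resultCode <= 0) {
                return false;
            }
            setStatusCode(resultCode);
            return true;
        }

        @Override // org.wildfly.security.http.HttpServerRequest
        public boolean suspendRequest() {
            return HttpAuthenticator.this.httpExchangeSpi.suspendRequest();
        }

        @Override // org.wildfly.security.http.HttpServerRequest
        public boolean resumeRequest() {
            return HttpAuthenticator.this.httpExchangeSpi.resumeRequest();
        }
    }

    /**
     * Builder for {@link HttpAuthenticator}. No setter is mandatory here; {@link #build()} does
     * not validate, so a missing mechanism supplier or SPI surfaces as a NullPointerException
     * at first use.
     */
    public static class Builder {
        private Supplier<List<HttpServerAuthenticationMechanism>> mechanismSupplier;
        private SecurityDomain securityDomain;
        private HttpExchangeSpi httpExchangeSpi;
        private boolean required;
        private boolean ignoreOptionalFailures;
        private Consumer<Runnable> logoutHandlerConsumer;
        private String programmaticMechanismName;
        private Supplier<IdentityCache> identityCacheSupplier;

        Builder() {
        }

        /** Supplier of the mechanisms to try, in order. */
        public Builder setMechanismSupplier(Supplier<List<HttpServerAuthenticationMechanism>> supplier) {
            this.mechanismSupplier = supplier;
            return this;
        }

        /** Domain backing the programmatic {@link HttpAuthenticator#login(String, String)}. */
        public Builder setSecurityDomain(SecurityDomain securityDomain) {
            this.securityDomain = securityDomain;
            return this;
        }

        /** Container bridge the authenticator reads the request from and writes responses to. */
        public Builder setHttpExchangeSpi(HttpExchangeSpi httpExchangeSpi) {
            this.httpExchangeSpi = httpExchangeSpi;
            return this;
        }

        /** Whether authentication is mandatory for the request. */
        public Builder setRequired(boolean required) {
            this.required = required;
            return this;
        }

        /** For optional authentication: proceed even when a mechanism attempted and failed. */
        public Builder setIgnoreOptionalFailures(boolean ignoreOptionalFailures) {
            this.ignoreOptionalFailures = ignoreOptionalFailures;
            return this;
        }

        /**
         * Consumer that receives logout hooks (identity-cache removal, mechanism hooks).
         *
         * @throws IllegalArgumentException if {@code consumer} is null
         */
        public Builder registerLogoutHandler(Consumer<Runnable> consumer) {
            this.logoutHandlerConsumer = Assert.checkNotNullParam("logoutHandlerConsumer", consumer);
            return this;
        }

        /** Mechanism name reported for programmatic logins. */
        public Builder setProgrammaticMechanismName(String mechanismName) {
            this.programmaticMechanismName = mechanismName;
            return this;
        }

        /** Overrides the default session-attachment identity cache. */
        public Builder setIdentityCacheSupplier(Supplier<IdentityCache> supplier) {
            this.identityCacheSupplier = supplier;
            return this;
        }

        public HttpAuthenticator build() {
            return new HttpAuthenticator(this);
        }
    }

    private HttpAuthenticator(Builder builder) {
        this.mechanismSupplier = builder.mechanismSupplier;
        this.securityDomain = builder.securityDomain;
        this.programmaticMechanismName = builder.programmaticMechanismName;
        this.logoutHandlerConsumer = builder.logoutHandlerConsumer;
        this.httpExchangeSpi = builder.httpExchangeSpi;
        this.required = builder.required;
        this.ignoreOptionalFailures = builder.ignoreOptionalFailures;
        // Fall back to caching the identity as a session attachment.
        this.identityCacheSupplier = builder.identityCacheSupplier != null
                ? builder.identityCacheSupplier
                : () -> createIdentityCache(this.programmaticMechanismName);
    }

    /**
     * Authenticates the current exchange: a cached identity short-circuits the mechanisms.
     *
     * @return {@code true} if the request may proceed, {@code false} if a response was written
     * @throws HttpAuthenticationException see {@link AuthenticationExchange#authenticate()}
     * @throws UnsupportedOperationException as listed, always - {@link #restoreIdentity()} is an
     *         undecompiled stub
     */
    public boolean authenticate() throws HttpAuthenticationException {
        if (restoreIdentity()) {
            return true;
        }
        return new AuthenticationExchange().authenticate();
    }

    /** True once a mechanism completed authentication. Was {@code private} in the original source (decompiler note). */
    public boolean isAuthenticated() {
        return this.authenticated;
    }

    /**
     * Programmatic username/password login under {@code programmaticMechanismName}.
     *
     * @param username  name to authenticate; not checked for null here
     * @param password  clear-text password; copied into a {@link PasswordGuessEvidence} that is
     *                  zeroed in every outcome
     * @return the authorized identity, or null on failure or when no {@link SecurityDomain} is set
     * @throws IllegalArgumentException if {@code password} is null
     */
    public SecurityIdentity login(String username, String password) {
        PasswordGuessEvidence evidence = new PasswordGuessEvidence(Assert.checkNotNullParam("password", password).toCharArray());
        try {
            return login(username, evidence, this.programmaticMechanismName);
        } finally {
            // Scrub the guess whether login succeeded, failed or threw.
            evidence.destroy();
        }
    }

    /**
     * Verifies {@code evidence} for {@code username} against the domain, authorizes, caches the
     * identity and notifies the SPI. Failures (wrong credentials, authorization denied, realm
     * unavailable, illegal argument/state) are reported to the SPI and yield null.
     *
     * @return the authorized identity, or null
     */
    private SecurityIdentity login(String username, Evidence evidence, String mechanismName) {
        if (this.securityDomain == null) {
            return null;
        }
        try (ServerAuthenticationContext context = createServerAuthenticationContext()) {
            context.setAuthenticationName(username);
            if (!context.verifyEvidence(evidence)) {
                this.httpExchangeSpi.authenticationFailed("Authentication Failed", mechanismName);
                return null;
            }
            if (evidence instanceof PasswordGuessEvidence) {
                // The identity carries the clear-text password as a private credential.
                // NOTE(review): confirm ClearPassword.createRaw copies the char[] - the caller
                // destroys the guess right after this method returns.
                ElytronMessages.log.tracef("Associating credential for '%s' with identity.", username);
                context.addPrivateCredential(new PasswordCredential(ClearPassword.createRaw("clear", ((PasswordGuessEvidence) evidence).getGuess())));
            }
            if (!context.authorize()) {
                this.httpExchangeSpi.authenticationFailed("Authorization Failed", mechanismName);
                return null;
            }
            SecurityIdentity authorizedIdentity = context.getAuthorizedIdentity();
            IdentityCache cache = getOrCreateIdentityCache();
            cache.put(authorizedIdentity);
            // The Builder does not require a logout handler and the mechanism path already
            // null-checks it; the decompiled listing dereferenced it unconditionally here.
            Consumer<Runnable> logoutConsumer = this.logoutHandlerConsumer;
            if (logoutConsumer != null) {
                logoutConsumer.accept(cache::remove);
            }
            this.httpExchangeSpi.authenticationComplete(authorizedIdentity, mechanismName);
            return authorizedIdentity;
        } catch (IllegalArgumentException | IllegalStateException | RealmUnavailableException e) {
            this.httpExchangeSpi.authenticationFailed(e.getMessage(), mechanismName);
            return null;
        }
    }

    /** Creates a fresh context, under doPrivileged when a SecurityManager is installed. */
    private ServerAuthenticationContext createServerAuthenticationContext() {
        if (System.getSecurityManager() == null) {
            return this.securityDomain.createNewAuthenticationContext();
        }
        return AccessController.doPrivileged(
                (PrivilegedAction<ServerAuthenticationContext>) () -> this.securityDomain.createNewAuthenticationContext());
    }

    /**
     * Restores an identity previously cached against the session.
     * <p>
     * NOTE(review): the decompiler skipped this method's body (282 instructions) and emitted
     * only this stub, so as listed every {@link #authenticate()} call throws before any
     * mechanism runs. The original implementation must be recovered from source; it is not
     * reconstructed here.
     *
     * @return {@code true} if a cached identity was restored
     */
    private boolean restoreIdentity() {
        throw new UnsupportedOperationException("Method not decompiled: org.wildfly.security.http.HttpAuthenticator.restoreIdentity():boolean");
    }

    /** Lazily obtains the cache from the supplier; not synchronized, two racing callers could each create one. */
    private IdentityCache getOrCreateIdentityCache() {
        if (this.identityCache == null) {
            this.identityCache = this.identityCacheSupplier.get();
        }
        return this.identityCache;
    }

    /**
     * Default cache: stores the identity as an attachment on the SESSION scope.
     *
     * @param mechanismName recorded in the {@link CachedIdentity}
     */
    private IdentityCache createIdentityCache(final String mechanismName) {
        return new IdentityCache() {
            @Override // org.wildfly.security.cache.IdentityCache
            public void put(SecurityIdentity identity) {
                HttpScope session = HttpAuthenticator.this.getAttachableSessionScope(true);
                if (session == null || !session.exists()) {
                    if (ElytronMessages.log.isTraceEnabled()) {
                        ElytronMessages.log.tracef("Unable to cache identity for '%s'.", identity.getPrincipal().getName());
                    }
                    return;
                }
                // Rotate the session ID the first time an identity is cached so an ID issued
                // before authentication is not carried into the authenticated session
                // (session-fixation mitigation). Re-caching over an existing entry keeps the ID.
                if (session.supportsChangeID() && session.getAttachment(MY_AUTHENTICATED_IDENTITY_KEY) == null) {
                    session.changeID();
                }
                if (ElytronMessages.log.isTraceEnabled()) {
                    ElytronMessages.log.tracef("Caching identity for '%s' against session scope.", identity.getPrincipal().getName());
                }
                // The boolean presumably flags the entry as programmatic - verify against CachedIdentity.
                session.setAttachment(MY_AUTHENTICATED_IDENTITY_KEY, new CachedIdentity(mechanismName, true, identity));
            }

            @Override // org.wildfly.security.cache.IdentityCache
            public CachedIdentity get() {
                HttpScope session = HttpAuthenticator.this.getAttachableSessionScope(false);
                if (session == null || !session.exists()) {
                    return null;
                }
                return (CachedIdentity) session.getAttachment(MY_AUTHENTICATED_IDENTITY_KEY);
            }

            /** Clears the attachment and returns what was cached, or null if no session exists. */
            @Override // org.wildfly.security.cache.IdentityCache
            public CachedIdentity remove() {
                HttpScope session = HttpAuthenticator.this.getAttachableSessionScope(false);
                if (session == null || !session.exists()) {
                    return null;
                }
                CachedIdentity cached = get();
                session.setAttachment(MY_AUTHENTICATED_IDENTITY_KEY, null);
                return cached;
            }
        };
    }

    /**
     * Returns the SESSION scope if it supports attachments, creating the session first when
     * {@code create} is set and none exists yet. Was {@code private} in the original source
     * (decompiler note).
     *
     * @return the scope, or null if the SPI has none or it cannot hold attachments
     */
    public HttpScope getAttachableSessionScope(boolean create) {
        HttpScope session = this.httpExchangeSpi.getScope(Scope.SESSION);
        if (session == null || !session.supportsAttachments()) {
            return null;
        }
        if (create && !session.exists()) {
            session.create();
        }
        return session;
    }

    public static Builder builder() {
        return new Builder();
    }
}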
