package org.jboss.resteasy.skeleton.key.as7;

import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.UriBuilder;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.jboss.resteasy.plugins.providers.RegisterBuiltin;
import org.jboss.resteasy.skeleton.key.RealmConfiguration;
import org.jboss.resteasy.skeleton.key.ResourceMetadata;
import org.jboss.resteasy.skeleton.key.SkeletonKeyPrincipal;
import org.jboss.resteasy.skeleton.key.SkeletonKeySession;
import org.jboss.resteasy.skeleton.key.as7.config.CatalinaManagedResourceConfigLoader;
import org.jboss.resteasy.skeleton.key.as7.i18n.LogMessages;
import org.jboss.resteasy.skeleton.key.as7.i18n.Messages;
import org.jboss.resteasy.skeleton.key.config.ManagedResourceConfig;
import org.jboss.resteasy.skeleton.key.representations.SkeletonKeyToken;
import org.jboss.resteasy.spi.ResteasyProviderFactory;

/* loaded from: input_file:org/jboss/resteasy/skeleton/key/as7/OAuthManagedResourceValve.class */
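/**
 * Catalina valve that protects a deployment with Skeleton Key OAuth.
 *
 * <p>A request is accepted when it carries a valid bearer token or belongs to a session that
 * already holds a principal; otherwise the browser is sent through the OAuth authorization-code
 * flow. Requests whose decoded URI ends with {@code j_oauth_remote_logout} are handled as a
 * remote logout call, which is only honoured for bearer-authenticated callers holding the
 * configured admin role.
 */
public class OAuthManagedResourceValve extends FormAuthenticator implements LifecycleListener {
    /** Lifecycle event type after which the valve reads its configuration. */
    private static final String AFTER_START_EVENT = "after_start";

    /** Suffix of the decoded request URI that selects the remote logout handler. */
    private static final String REMOTE_LOGOUT_SUFFIX = "j_oauth_remote_logout";

    /** Auth type recorded on the request and on the session after a successful login. */
    private static final String AUTH_TYPE = "OAUTH";

    /** Session note under which the saved pre-login request is looked up. */
    private static final String SAVED_REQUEST_NOTE = "org.apache.catalina.authenticator.REQUEST";

    /** Pool size used when the configuration does not give a positive value. */
    private static final int DEFAULT_CONNECTION_POOL_SIZE = 10;

    // Client, endpoints and credentials used to talk to the auth server; built in init().
    protected RealmConfiguration realmConfiguration;
    // Tracks logged-in sessions per user so that remote logout can end them.
    protected UserSessionManagement userSessionManagement = new UserSessionManagement();
    // Deployment configuration (client id, URLs, admin role, propagation and hostname flags).
    protected ManagedResourceConfig remoteSkeletonKeyConfig;
    // Resource name plus the trust store and client key store used for TLS.
    protected ResourceMetadata resourceMetadata;

    /**
     * Starts the underlying authenticator and registers this valve as a lifecycle listener
     * on its context, so that {@link #init()} runs once the context has started.
     *
     * @throws LifecycleException if the superclass fails to start
     */
    public void start() throws LifecycleException {
        super.start();
        this.context.addLifecycleListener(this);
    }

    /**
     * Runs {@link #init()} when the context reports the {@code after_start} event.
     *
     * @param lifecycleEvent event published by the context
     */
    public void lifecycleEvent(LifecycleEvent lifecycleEvent) {
        // equals() instead of ==: identity comparison only works while both strings are interned.
        if (AFTER_START_EVENT.equals(lifecycleEvent.getType())) {
            init();
        }
    }

    /**
     * Loads the deployment configuration and builds the HTTP client used for the OAuth flow.
     *
     * @throws IllegalArgumentException if no client id is configured
     * @throws RuntimeException if the auth URL or the code URL is missing
     */
    protected void init() {
        CatalinaManagedResourceConfigLoader loader = new CatalinaManagedResourceConfigLoader(this.context);
        this.resourceMetadata = loader.getResourceMetadata();
        this.remoteSkeletonKeyConfig = loader.getRemoteSkeletonKeyConfig();
        ManagedResourceConfig config = this.remoteSkeletonKeyConfig;

        String clientId = config.getClientId();
        if (clientId == null) {
            throw new IllegalArgumentException(Messages.MESSAGES.mustSetClientId());
        }
        this.realmConfiguration = new RealmConfiguration();
        String authUrl = config.getAuthUrl();
        if (authUrl == null) {
            throw new RuntimeException(Messages.MESSAGES.mustSpecifyAuthUrl());
        }
        String codeUrl = config.getCodeUrl();
        if (codeUrl == null) {
            throw new RuntimeException(Messages.MESSAGES.mustSpecifyCodeUrl());
        }

        this.realmConfiguration.setMetadata(this.resourceMetadata);
        this.realmConfiguration.setClientId(clientId);
        // Client credentials are secrets: they are copied into the realm configuration and must
        // never be written to the log.
        for (Map.Entry<?, ?> credential : config.getClientCredentials().entrySet()) {
            this.realmConfiguration.getCredentials().param((String) credential.getKey(), (String) credential.getValue());
        }

        int configuredPoolSize = config.getConnectionPoolSize();
        int connectionPoolSize = configuredPoolSize > 0 ? configuredPoolSize : DEFAULT_CONNECTION_POOL_SIZE;

        // SECURITY: ANY switches hostname verification off, so a certificate issued for a
        // different host is accepted as long as the trust store trusts it. That leaves the
        // code-for-token exchange open to interception; keep allowAnyHostname off outside of
        // test setups.
        ResteasyClientBuilder.HostnameVerificationPolicy hostnameVerificationPolicy = config.isAllowAnyHostname()
                ? ResteasyClientBuilder.HostnameVerificationPolicy.ANY
                : ResteasyClientBuilder.HostnameVerificationPolicy.WILDCARD;

        ResteasyProviderFactory providerFactory = new ResteasyProviderFactory();
        Thread currentThread = Thread.currentThread();
        ClassLoader previousLoader = currentThread.getContextClassLoader();
        // Providers are registered with this class's loader as the context class loader.
        currentThread.setContextClassLoader(OAuthManagedResourceValve.class.getClassLoader());
        try {
            ResteasyProviderFactory.getInstance();
            RegisterBuiltin.register(providerFactory);
        } finally {
            // Always hand the thread back with the loader it arrived with.
            currentThread.setContextClassLoader(previousLoader);
        }

        ResteasyClient client = new ResteasyClientBuilder()
                .providerFactory(providerFactory)
                .connectionPoolSize(connectionPoolSize)
                .hostnameVerification(hostnameVerificationPolicy)
                .trustStore(this.resourceMetadata.getTruststore())
                .keyStore(this.resourceMetadata.getClientKeystore(), this.resourceMetadata.getClientKeyPassword())
                .build();
        this.realmConfiguration.setClient(client);
        this.realmConfiguration.setAuthUrl(UriBuilder.fromUri(authUrl).queryParam("client_id", clientId));
        this.realmConfiguration.setCodeUrl(client.target(codeUrl));
    }

    /**
     * Routes remote logout calls to {@link #remoteLogout} and every other request to the
     * regular authenticator pipeline, clearing the RESTEasy context data afterwards.
     *
     * @param request incoming request
     * @param response outgoing response
     * @throws IOException on I/O failure
     * @throws ServletException if the downstream pipeline fails
     */
    public void invoke(Request request, Response response) throws IOException, ServletException {
        try {
            // Suffix match: any decoded URI ending in the marker is treated as a logout call.
            // The handler itself enforces bearer authentication and the admin role.
            if (request.getDecodedRequestURI().endsWith(REMOTE_LOGOUT_SUFFIX)) {
                remoteLogout(request, response);
            } else {
                super.invoke(request, response);
            }
        } finally {
            // Context data pushed while handling this request must not outlive it.
            ResteasyProviderFactory.clearContextData();
        }
    }

    /**
     * Authenticates the request by bearer token, by an existing session, or by starting or
     * completing the OAuth login.
     *
     * @param request incoming request
     * @param httpServletResponse response used for redirects and error codes
     * @param loginConfig login configuration of the web application (not read here)
     * @return {@code true} when the request is authenticated and may proceed
     * @throws IOException on I/O failure
     */
    public boolean authenticate(Request request, HttpServletResponse httpServletResponse, LoginConfig loginConfig) throws IOException {
        try {
            if (bearer(false, request, httpServletResponse)) {
                return true;
            }
            if (!checkLoggedIn(request, httpServletResponse)) {
                oauth(request, httpServletResponse);
                return false;
            }
            if (request.getSessionInternal().getNote(SAVED_REQUEST_NOTE) == null) {
                return true;
            }
            if (restoreRequest(request, request.getSessionInternal())) {
                LogMessages.LOGGER.debug(Messages.MESSAGES.restoreRequest());
                return true;
            }
            LogMessages.LOGGER.debug(Messages.MESSAGES.restoreOfOriginalRequestFailed());
            httpServletResponse.sendError(400);
            return false;
        } catch (LoginException e) {
            // Fail closed, but leave a trace: rejected bearer tokens are a signal worth
            // having in the log when investigating an incident.
            LogMessages.LOGGER.debug(Messages.MESSAGES.bearerAuthFailed(), e);
            return false;
        }
    }

    /**
     * Ends the sessions of one user (request parameter {@code user}) or of all users.
     *
     * <p>The caller must present a valid bearer token and hold the configured admin role.
     * Any failure leaves all sessions untouched.
     *
     * @param request incoming logout request
     * @param httpServletResponse response; 204 on success, 401 or 403 on rejection
     * @throws IOException on I/O failure
     */
    protected void remoteLogout(Request request, HttpServletResponse httpServletResponse) throws IOException {
        LogMessages.LOGGER.debug(Messages.MESSAGES.remoteLogout());
        try {
            if (!bearer(true, request, httpServletResponse)) {
                LogMessages.LOGGER.debug(Messages.MESSAGES.bearerAuthFailed());
                return;
            }
        } catch (LoginException e) {
            // bearer() declares LoginException, which this method may not propagate.
            // Treat it as a rejected caller and do not log anybody out.
            LogMessages.LOGGER.error(Messages.MESSAGES.failedToLogout(), e);
            if (!httpServletResponse.isCommitted()) {
                httpServletResponse.sendError(401);
            }
            return;
        }

        // The role check needs a GenericPrincipal; a missing principal or one of another
        // type is rejected rather than allowed to fail with an exception.
        Object caller = request.getPrincipal();
        if (!(caller instanceof GenericPrincipal)
                || !((GenericPrincipal) caller).hasRole(this.remoteSkeletonKeyConfig.getAdminRole())) {
            LogMessages.LOGGER.debug(Messages.MESSAGES.roleFailure());
            httpServletResponse.sendError(403);
            return;
        }

        String user = request.getParameter("user");
        if (user != null) {
            this.userSessionManagement.logout(user);
        } else {
            // No user given: the admin caller ends every tracked session.
            this.userSessionManagement.logoutAll();
        }
        httpServletResponse.setStatus(204);
    }

    /**
     * Runs bearer-token authentication for the request.
     *
     * @param z passed through as the last constructor argument of
     *          {@link CatalinaBearerTokenAuthenticator}; {@code true} for remote logout,
     *          {@code false} for ordinary requests. NOTE(review): presumably "challenge the
     *          caller when no token is present" - confirm against that class.
     * @param request incoming request
     * @param httpServletResponse response handed to the authenticator
     * @return {@code true} when the authenticator accepted the request
     * @throws LoginException if the authenticator rejects the token
     * @throws IOException on I/O failure
     */
    protected boolean bearer(boolean z, Request request, HttpServletResponse httpServletResponse) throws LoginException, IOException {
        boolean propagateToken = !this.remoteSkeletonKeyConfig.isCancelPropagation();
        CatalinaBearerTokenAuthenticator authenticator =
                new CatalinaBearerTokenAuthenticator(this.realmConfiguration.getMetadata(), propagateToken, z);
        return authenticator.login(request, httpServletResponse);
    }

    /**
     * Reuses the principal of an already authenticated session.
     *
     * @param request incoming request
     * @param httpServletResponse unused
     * @return {@code true} when the session holds a principal, which is then set on the request
     */
    protected boolean checkLoggedIn(Request request, HttpServletResponse httpServletResponse) {
        Session session = request.getSessionInternal();
        if (session == null || session.getPrincipal() == null) {
            return false;
        }
        LogMessages.LOGGER.debug(Messages.MESSAGES.remoteLoggedInAlready());
        request.setUserPrincipal(session.getPrincipal());
        request.setAuthType(AUTH_TYPE);

        if (this.remoteSkeletonKeyConfig.isCancelPropagation()) {
            return true;
        }
        // Expose the stored token to the application so it can call other services as the user.
        String noteName = SkeletonKeySession.class.getName();
        SkeletonKeySession skeletonKeySession = (SkeletonKeySession) session.getNote(noteName);
        if (skeletonKeySession != null) {
            request.setAttribute(noteName, skeletonKeySession);
            ResteasyProviderFactory.pushContext(SkeletonKeySession.class, skeletonKeySession);
        }
        return true;
    }

    /**
     * Starts the OAuth login (redirect to the auth server) or completes it by exchanging the
     * returned code for a token and binding the resulting principal to the session.
     *
     * @param request incoming request
     * @param httpServletResponse response used for the redirect or the error code
     * @throws IOException on I/O failure
     */
    protected void oauth(Request request, HttpServletResponse httpServletResponse) throws IOException {
        ServletOAuthLogin login = new ServletOAuthLogin(this.realmConfiguration, request, httpServletResponse, request.getConnector().getRedirectPort());
        String code = login.getCode();
        if (code == null) {
            String error = login.getError();
            if (error != null) {
                // NOTE(review): the error text presumably comes from the redirect's query
                // string; confirm the container's error page escapes the message.
                httpServletResponse.sendError(400, Messages.MESSAGES.oAuthError(error));
            } else {
                // Remember the original request so it can be replayed after login.
                saveRequest(request, request.getSessionInternal(true));
                login.loginRedirect();
            }
            return;
        }
        if (!login.resolveCode(code)) {
            return;
        }

        SkeletonKeyToken token = login.getToken();
        String resourceName = this.resourceMetadata.getResourceName();
        // Roles come from the resource-specific grant when a resource name is configured,
        // otherwise from the realm-wide grant; no grant means no roles.
        SkeletonKeyToken.Access access = resourceName != null
                ? token.getResourceAccess(resourceName)
                : token.getRealmAccess();
        Set roles = access != null ? access.getRoles() : null;

        GenericPrincipal principal = new CatalinaSecurityContextHelper().createPrincipal(
                this.context.getRealm(), new SkeletonKeyPrincipal(token.getPrincipal(), (String) null), roles);

        // NOTE(review): the session that held the saved request before login is reused here.
        // Confirm that the container rotates the session id on authentication; otherwise a
        // session id known before login stays valid afterwards (session fixation).
        Session session = request.getSessionInternal(true);
        session.setPrincipal(principal);
        session.setAuthType(AUTH_TYPE);
        if (!this.remoteSkeletonKeyConfig.isCancelPropagation()) {
            // The raw token string is kept in the session for propagation to other services.
            session.setNote(SkeletonKeySession.class.getName(),
                    new SkeletonKeySession(login.getTokenString(), this.realmConfiguration.getMetadata()));
        }
        String userName = token.getPrincipal();
        LogMessages.LOGGER.debug(Messages.MESSAGES.userSessionManageLogin(userName));
        this.userSessionManagement.login(session, userName);
    }
}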
