package org.kaazing.gateway.transport.http.bridge.filter;

import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginException;
import org.apache.mina.core.filterchain.IoFilter;
import org.apache.mina.core.session.IoSession;
import org.kaazing.gateway.resource.address.ResourceAddress;
import org.kaazing.gateway.resource.address.http.HttpResourceAddress;
import org.kaazing.gateway.security.LoginContextFactory;
import org.kaazing.gateway.security.TypedCallbackHandlerMap;
import org.kaazing.gateway.security.auth.AuthenticationTokenCallbackHandler;
import org.kaazing.gateway.security.auth.DefaultLoginResult;
import org.kaazing.gateway.security.auth.InetAddressCallbackHandler;
import org.kaazing.gateway.security.auth.YesLoginModule;
import org.kaazing.gateway.security.auth.context.ResultAwareLoginContext;
import org.kaazing.gateway.server.spi.security.AuthenticationToken;
import org.kaazing.gateway.server.spi.security.AuthenticationTokenCallback;
import org.kaazing.gateway.server.spi.security.InetAddressCallback;
import org.kaazing.gateway.server.spi.security.LoginResult;
import org.kaazing.gateway.transport.BridgeSession;
import org.kaazing.gateway.transport.http.HttpHeaders;
import org.kaazing.gateway.transport.http.HttpStatus;
import org.kaazing.gateway.transport.http.bridge.HttpRequestMessage;
import org.kaazing.gateway.transport.http.bridge.HttpResponseMessage;
import org.kaazing.gateway.transport.http.security.auth.challenge.HttpChallengeFactories;
import org.kaazing.gateway.transport.http.security.auth.challenge.HttpChallengeFactory;
import org.kaazing.mina.core.session.IoSessionEx;
import org.slf4j.Logger;

/* loaded from: input_file:org/kaazing/gateway/transport/http/bridge/filter/HttpLoginSecurityFilter.class */
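/**
 * Base class for HTTP filters that drive a JAAS login for an incoming request.
 *
 * <p>Subclasses supply the {@link AuthenticationToken}; this class decides whether a login is
 * needed (from the {@code REQUIRED_ROLES} option of the request's local address), runs the login
 * through the address's {@link LoginContextFactory}, and writes either a challenge or a
 * {@code 403} when the request is not authenticated. On success the login context and subject
 * are attached to the {@link HttpRequestMessage}.
 *
 * <p>{@code loggerEnabled()}, {@code log*}, {@code writeResponse}, {@code writeChallenge},
 * {@code getAuthorizedRoles} and {@code logger} are resolved from {@link HttpBaseSecurityFilter}
 * (not visible in this listing). This is a decompiled listing: {@code throws} clauses appear to
 * have been dropped, so {@link #loginMissingToken} throws checked {@link LoginException}s it does
 * not declare.
 *
 * <p>The only instance state is {@code challengeFactory}, assigned once in the constructors.
 */
public abstract class HttpLoginSecurityFilter extends HttpBaseSecurityFilter {
    /** Prefix of an "Application X" challenge scheme; removed by {@link #getBaseAuthScheme}. */
    protected static final String AUTH_SCHEME_APPLICATION_PREFIX = "Application ";
    /** Result reported by {@link #LOGIN_CONTEXT_OK}. */
    private static final DefaultLoginResult LOGIN_RESULT_OK;
    /** Captures the {@code for=} value of a Forwarded header (matched against the lower-cased value). */
    private static final Pattern PATTERN_HEADER_FORWARDED;
    /** Template turning a Forwarded {@code for=} value into a URI so {@link URI#getHost()} can isolate the host. */
    private static final String FORWARDED_URI = "scheme://%s";
    /** {@code for=} value meaning the proxy did not know the client address; no address callback is registered. */
    private static final String HEADER_FORWARDED_UNKNOWN_VALUE = "unknown";
    /** Pre-built, always-successful login context attached to requests that need no login. */
    static final ResultAwareLoginContext LOGIN_CONTEXT_OK;
    private HttpChallengeFactory challengeFactory;
    /** Compiler-synthesized flag backing the {@code assert} in {@link #registerCallbacks}. */
    static final /* synthetic */ boolean $assertionsDisabled;

    /** JAAS configuration with one REQUIRED {@link YesLoginModule}; backs {@link #LOGIN_CONTEXT_OK}. */
    /* loaded from: input_file:org/kaazing/gateway/transport/http/bridge/filter/HttpLoginSecurityFilter$SuccessConfiguration.class */
    private static class SuccessConfiguration extends Configuration {
        private SuccessConfiguration() {
        }

        /** Returns the same always-succeeding entry regardless of the application name. */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(YesLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        new HashMap<String, Object>())
            };
        }
    }

    /** Creates the filter with the default challenge factory. */
    public HttpLoginSecurityFilter() {
        this.challengeFactory = HttpChallengeFactories.create();
    }

    /**
     * Creates the filter with the default challenge factory and the given logger.
     *
     * @param logger logger handed to the superclass
     */
    public HttpLoginSecurityFilter(Logger logger) {
        super(logger);
        this.challengeFactory = HttpChallengeFactories.create();
    }

    /**
     * Tells whether the session's subject already holds every role the address requires.
     *
     * @param ioSession       session whose {@link Subject} (via {@link IoSessionEx}) is checked
     * @param resourceAddress address whose {@code REQUIRED_ROLES} option lists the roles
     * @return {@code true} when no roles are required, or the subject holds all of them
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean alreadyLoggedIn(IoSession ioSession, ResourceAddress resourceAddress) {
        // Arrays.asList(null) throws NPE, so the "asList == null" test below is unreachable as
        // written and a missing REQUIRED_ROLES option propagates an NPE instead of returning true.
        // NOTE(review): left unchanged on purpose — making the branch reachable would turn a
        // missing option into "no roles required" (fail-open); decide that deliberately.
        List<Object> asList = Arrays.asList((Object[]) resourceAddress.getOption(HttpResourceAddress.REQUIRED_ROLES));
        if (asList == null || asList.size() == 0) {
            return true;
        }
        Subject subject = ((IoSessionEx) ioSession).getSubject();
        if (subject != null) {
            return getAuthorizedRoles(subject).containsAll(asList);
        }
        return false;
    }

    /**
     * Handles a request that carries no authentication token for an address that requires roles.
     *
     * <p>A login context is still created and {@code login()} is run so the login modules can
     * contribute challenge data; the resulting challenge is then written to the client. Creation
     * failures are answered with {@code 403}. This method never authenticates the request.
     *
     * <p>Throws {@link LoginException} (checked; not declared in this decompiled listing) when no
     * login context can be created or when {@code login()} fails outside the guarded section.
     *
     * @return always {@code false}
     */
    private boolean loginMissingToken(IoFilter.NextFilter nextFilter, IoSession ioSession, HttpRequestMessage httpRequestMessage, AuthenticationToken authenticationToken, TypedCallbackHandlerMap typedCallbackHandlerMap) {
        ResultAwareLoginContext resultAwareLoginContext = null;
        ResourceAddress localAddress = httpRequestMessage.getLocalAddress();
        String challengeScheme = (String) localAddress.getOption(HttpResourceAddress.REALM_CHALLENGE_SCHEME);
        try {
            LoginContextFactory loginContextFactory = (LoginContextFactory) localAddress.getOption(HttpResourceAddress.LOGIN_CONTEXT_FACTORY);
            TypedCallbackHandlerMap typedCallbackHandlerMap2 = new TypedCallbackHandlerMap();
            registerCallbacks(ioSession, httpRequestMessage, authenticationToken, typedCallbackHandlerMap2);
            typedCallbackHandlerMap2.putAll(typedCallbackHandlerMap);
            resultAwareLoginContext = (ResultAwareLoginContext) loginContextFactory.createLoginContext(typedCallbackHandlerMap2);
        } catch (LoginException e) {
            // getMessage() may be null; dereferencing it unconditionally would throw out of this catch.
            String message = e.getMessage();
            if (loggerEnabled() && (message == null || !message.contains("all modules ignored"))) {
                log("Login failed: " + message, e);
            }
            writeResponse(HttpStatus.CLIENT_FORBIDDEN, nextFilter, ioSession, httpRequestMessage);
            return false;
        } catch (Exception e2) {
            if (loggerEnabled()) {
                log("Login failed.", e2);
            }
            writeResponse(HttpStatus.CLIENT_FORBIDDEN, nextFilter, ioSession, httpRequestMessage);
            return false;
        }
        if (resultAwareLoginContext == null) {
            throw new LoginException("Login failed; cannot create a login context for authentication token '" + authenticationToken + "'.");
        }
        if (loggerEnabled()) {
            log("Login module login required; [%s].", authenticationToken);
        }
        resultAwareLoginContext.login();
        DefaultLoginResult loginResult = resultAwareLoginContext.getLoginResult();
        // Only a CHALLENGE result supplies data for the challenge; otherwise the factory gets null.
        Object[] challengeData = null;
        if (loginResult.getType() == LoginResult.Type.CHALLENGE) {
            challengeData = loginResult.getLoginChallengeData();
        }
        HttpResponseMessage createChallenge = this.challengeFactory.createChallenge(httpRequestMessage, challengeData);
        if (loggerEnabled()) {
            // Single format pass: the header value is an argument, never re-parsed as a format string.
            log("No authentication token was provided.  Issuing an authentication challenge '%s'.", createChallenge.getHeader(HttpSubjectSecurityFilter.WWW_AUTHENTICATE_HEADER));
        }
        writeChallenge(createChallenge, nextFilter, ioSession, challengeScheme);
        // For HTTP/1.1 the session's INITIAL_HTTP_REQUEST_KEY attribute is cleared once the challenge is out.
        if (HttpProtocolFilter.PROTOCOL_HTTP_1_1.equals((String) ((ResourceAddress) BridgeSession.LOCAL_ADDRESS.get(ioSession)).getOption(ResourceAddress.NEXT_PROTOCOL))) {
            HttpMergeRequestFilter.INITIAL_HTTP_REQUEST_KEY.remove(ioSession);
        }
        return false;
    }

    /**
     * Builds a callback handler map holding only an {@link AuthenticationTokenCallback} handler.
     *
     * @param authenticationToken token the handler will answer with
     * @return a new map with the single handler registered
     */
    protected TypedCallbackHandlerMap makeAuthenticationTokenCallback(AuthenticationToken authenticationToken) {
        AuthenticationTokenCallbackHandler authenticationTokenCallbackHandler = new AuthenticationTokenCallbackHandler(authenticationToken);
        TypedCallbackHandlerMap typedCallbackHandlerMap = new TypedCallbackHandlerMap();
        typedCallbackHandlerMap.put(AuthenticationTokenCallback.class, authenticationTokenCallbackHandler);
        return typedCallbackHandlerMap;
    }

    /**
     * Strips the {@value #AUTH_SCHEME_APPLICATION_PREFIX} prefix from a challenge scheme.
     *
     * @param str challenge scheme such as {@code "Application Basic"}; may be {@code null}
     * @return the scheme without the prefix, or {@code str} unchanged (including {@code null})
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public String getBaseAuthScheme(String str) {
        if (str != null && str.startsWith(AUTH_SCHEME_APPLICATION_PREFIX)) {
            // startsWith puts the prefix at index 0, so this equals the former replaceFirst.
            return str.substring(AUTH_SCHEME_APPLICATION_PREFIX.length());
        }
        return str;
    }

    /**
     * Runs the login for a request and records the outcome on the request.
     *
     * <p>If the address requires no roles, {@link #LOGIN_CONTEXT_OK} is attached without a login.
     * If a token is missing for a protected address, {@link #loginMissingToken} issues a challenge.
     * Otherwise a login context is created from the address's {@link LoginContextFactory} and
     * {@code login()} is run; a {@code FAILURE} result, a {@code CHALLENGE} result, or a subject
     * lacking the required roles (unless {@code "*"} is required, see
     * {@link #isSubjectAutomaticallyAuthorized}) results in a challenge or {@code 403}.
     *
     * @param nextFilter              next filter in the chain, used when writing responses
     * @param ioSession               session carrying the request
     * @param httpRequestMessage      request; receives the login context and subject on success
     * @param authenticationToken     token extracted by the subclass; may be {@code null} or empty
     * @param typedCallbackHandlerMap extra callback handlers merged into the login's handler map
     * @return {@code true} when the request is authenticated; {@code false} after a challenge or
     *         {@code 403} has been written
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean login(IoFilter.NextFilter nextFilter, IoSession ioSession, HttpRequestMessage httpRequestMessage, AuthenticationToken authenticationToken, TypedCallbackHandlerMap typedCallbackHandlerMap) {
        ResourceAddress localAddress = httpRequestMessage.getLocalAddress();
        String[] strArr = (String[]) localAddress.getOption(HttpResourceAddress.REQUIRED_ROLES);
        boolean z = true;
        Subject subject = httpRequestMessage.getSubject();
        // Arrays.asList(null) throws NPE before any handler runs, so a missing REQUIRED_ROLES
        // option surfaces as an error rather than as "no roles required".
        List<String> asList = Arrays.asList(strArr);
        // Empty role list == unprotected address (same test as emptySet().containsAll(asList)).
        boolean rolesAreSufficient = asList.isEmpty();
        if (loggerEnabled()) {
            log("Login starting; [token='%s',rolesAreSufficient=%s].", authenticationToken == null ? "N/A" : authenticationToken, rolesAreSufficient);
        }
        if (authTokenIsMissing(authenticationToken) && !rolesAreSufficient) {
            return loginMissingToken(nextFilter, ioSession, httpRequestMessage, authenticationToken, typedCallbackHandlerMap);
        }
        DefaultLoginResult defaultLoginResult = null;
        ResultAwareLoginContext resultAwareLoginContext = null;
        if (rolesAreSufficient) {
            if (loggerEnabled()) {
                log("Login not required - subject has sufficient required roles; [%s].", authenticationToken);
            }
            defaultLoginResult = LOGIN_RESULT_OK;
            resultAwareLoginContext = LOGIN_CONTEXT_OK;
            z = true;
        } else {
            LoginContextFactory loginContextFactory = (LoginContextFactory) localAddress.getOption(HttpResourceAddress.LOGIN_CONTEXT_FACTORY);
            try {
                TypedCallbackHandlerMap typedCallbackHandlerMap2 = new TypedCallbackHandlerMap();
                registerCallbacks(ioSession, httpRequestMessage, authenticationToken, typedCallbackHandlerMap2);
                typedCallbackHandlerMap2.putAll(typedCallbackHandlerMap);
                resultAwareLoginContext = (ResultAwareLoginContext) loginContextFactory.createLoginContext(typedCallbackHandlerMap2);
                if (resultAwareLoginContext == null) {
                    throw new LoginException("Login failed; cannot create a login context for authentication token '" + authenticationToken + "'.");
                }
                if (loggerEnabled()) {
                    log("Login module login required; [%s].", authenticationToken);
                }
                resultAwareLoginContext.login();
                defaultLoginResult = resultAwareLoginContext.getLoginResult();
                LoginResult.Type type = defaultLoginResult.getType();
                if (type == LoginResult.Type.FAILURE) {
                    // Surface the module's own exception when it recorded one.
                    if (defaultLoginResult.getLoginException() != null) {
                        throw defaultLoginResult.getLoginException();
                    }
                    throw new LoginException("Login Result Indicates Failure");
                }
                subject = resultAwareLoginContext.getSubject();
                Collection<String> authorizedRoles = getAuthorizedRoles(subject);
                boolean isSubjectAutomaticallyAuthorized = isSubjectAutomaticallyAuthorized(subject, asList);
                boolean containsAll2 = authorizedRoles.containsAll(asList);
                if (type == LoginResult.Type.CHALLENGE || (!isSubjectAutomaticallyAuthorized && !containsAll2)) {
                    if (type == LoginResult.Type.CHALLENGE) {
                        if (loggerEnabled()) {
                            log("Login module login succeeded but requires another challenge");
                        }
                        Object[] loginChallengeData = defaultLoginResult.getLoginChallengeData();
                        // A CHALLENGE result with no challenge data is refused unless the scheme is Basic.
                        if ((loginChallengeData == null || loginChallengeData.length == 0) && !"Basic".equals(getBaseAuthScheme((String) localAddress.getOption(HttpResourceAddress.REALM_CHALLENGE_SCHEME)))) {
                            if (loggerEnabled()) {
                                log("Login module login succeeded but requires another challenge, however no new challenge data was provided.");
                            }
                            writeResponse(HttpStatus.CLIENT_FORBIDDEN, nextFilter, ioSession, httpRequestMessage);
                            return false;
                        }
                    }
                    String sendChallengeResponse = sendChallengeResponse(nextFilter, ioSession, httpRequestMessage, defaultLoginResult);
                    if (loggerEnabled()) {
                        // Single format pass; the challenge header is passed as an argument.
                        if (type == LoginResult.Type.CHALLENGE) {
                            log("Login module login succeeded but login result requires a challenge; Issued another challenge '%s'.", sendChallengeResponse);
                        } else {
                            log("Login module login succeeded but subject missing required roles; Issued another challenge '%s'.", sendChallengeResponse);
                        }
                    }
                    return false;
                }
            } catch (Exception e) {
                z = false;
                if (loggerEnabled()) {
                    log("Login failed.", e);
                }
                // Basic gets a fresh challenge on failure; other schemes are refused outright.
                if ("Basic".equals(getBaseAuthScheme((String) localAddress.getOption(HttpResourceAddress.REALM_CHALLENGE_SCHEME)))) {
                    String sendChallengeResponse2 = sendChallengeResponse(nextFilter, ioSession, httpRequestMessage, defaultLoginResult);
                    if (loggerEnabled()) {
                        log(String.format("Login module login failed; Issued another challenge '%s'.", sendChallengeResponse2), e);
                    }
                } else {
                    writeResponse(HttpStatus.CLIENT_FORBIDDEN, nextFilter, ioSession, httpRequestMessage);
                }
            }
        }
        if (z && defaultLoginResult.hasLoginAuthorizationAttachment()) {
            writeSessionCookie(ioSession, httpRequestMessage, defaultLoginResult);
        }
        if (z) {
            try {
                httpRequestMessage.setLoginContext(resultAwareLoginContext);
                // On the no-login path the request keeps its existing subject.
                httpRequestMessage.setSubject((resultAwareLoginContext == null || resultAwareLoginContext == LOGIN_CONTEXT_OK) ? subject : resultAwareLoginContext.getSubject());
            } catch (Exception e2) {
                if (loggerEnabled()) {
                    log("Login failed.", e2);
                }
                z = false;
            }
        }
        if (loggerEnabled()) {
            log(z ? "Login succeeded; [%s]." : "Login failed; [%s].", authenticationToken);
        }
        return z;
    }

    /**
     * Builds a challenge from the login result's challenge data and writes it.
     *
     * @param defaultLoginResult result supplying challenge data; {@code null} yields a bare challenge
     * @return the value of the challenge's {@code WWW-Authenticate} header (for logging)
     */
    private String sendChallengeResponse(IoFilter.NextFilter nextFilter, IoSession ioSession, HttpRequestMessage httpRequestMessage, DefaultLoginResult defaultLoginResult) {
        ResourceAddress localAddress = httpRequestMessage.getLocalAddress();
        HttpResponseMessage createChallenge = this.challengeFactory.createChallenge(httpRequestMessage, defaultLoginResult == null ? null : defaultLoginResult.getLoginChallengeData());
        writeChallenge(createChallenge, nextFilter, ioSession, (String) localAddress.getOption(HttpResourceAddress.REALM_CHALLENGE_SCHEME));
        return createChallenge.getHeader(HttpSubjectSecurityFilter.WWW_AUTHENTICATE_HEADER);
    }

    /**
     * Marks a request as needing no login by attaching {@link #LOGIN_CONTEXT_OK}.
     *
     * @param httpRequestMessage request to mark
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void setUnprotectedLoginContext(HttpRequestMessage httpRequestMessage) {
        httpRequestMessage.setLoginContext(LOGIN_CONTEXT_OK);
    }

    /**
     * Populates the callback handler map for a login attempt.
     *
     * <p>Always registers an {@link AuthenticationTokenCallback} handler for the token. Then parses
     * the request's Forwarded header: its {@code for=} value (optionally double-quoted) is resolved
     * with {@link InetAddress#getByName} and registered as an {@link InetAddressCallback} handler,
     * unless the value is {@code "unknown"}.
     *
     * <p>NOTE(review): for a non-literal {@code for=} value, {@code getByName} performs a name
     * lookup driven by header content. If this header can reach the filter from the client rather
     * than only from a trusted upstream, that lookup is driven by untrusted input — confirm where
     * the header is set.
     *
     * @throws NullPointerException  when {@code typedCallbackHandlerMap} is {@code null}
     * @throws IllegalStateException when the Forwarded header is missing or malformed, or the
     *                               address cannot be resolved (the cause is the UnknownHostException)
     */
    private void registerCallbacks(IoSession ioSession, HttpRequestMessage httpRequestMessage, AuthenticationToken authenticationToken, TypedCallbackHandlerMap typedCallbackHandlerMap) {
        if (typedCallbackHandlerMap == null) {
            throw new NullPointerException("Null callbackHandlerMap passed in");
        }
        typedCallbackHandlerMap.put(AuthenticationTokenCallback.class, new AuthenticationTokenCallbackHandler(authenticationToken));
        String header = httpRequestMessage.getHeader(HttpHeaders.HEADER_FORWARDED);
        if (header == null) {
            // Previously an NPE from toLowerCase(); both callers catch Exception, so the
            // response (403 or challenge) is unchanged, only the failure is now explicit.
            throw new IllegalStateException("Missing Forwarded header");
        }
        // Locale.ROOT keeps the match independent of the JVM default locale.
        Matcher matcher = PATTERN_HEADER_FORWARDED.matcher(header.toLowerCase(Locale.ROOT));
        if (!matcher.matches()) {
            throw new IllegalStateException(String.format("Invalid format: '%s'", header));
        }
        String group = matcher.group(1);
        if (group.charAt(0) == '\"') {
            int length = group.length();
            if (!$assertionsDisabled && length <= 2) {
                throw new AssertionError();
            }
            if (group.charAt(length - 1) != '\"') {
                throw new IllegalStateException(String.format("Invalid format: '%s'", header));
            }
            // Strip exactly the two quote characters. The former end index (length - 2) also
            // dropped the last character of the quoted value (e.g. a quoted 1.2.3.4 became 1.2.3.).
            group = group.substring(1, length - 1);
        }
        if (group.equals(HEADER_FORWARDED_UNKNOWN_VALUE)) {
            return;
        }
        try {
            // getHost() isolates the host from any trailing :port.
            // NOTE(review): when URI cannot parse the value as a host, getHost() is null and
            // InetAddress.getByName(null) yields the loopback address, so such a request would be
            // attributed to loopback — confirm whether a null host should be rejected instead.
            String host = URI.create(String.format(FORWARDED_URI, group)).getHost();
            typedCallbackHandlerMap.put(InetAddressCallback.class, new InetAddressCallbackHandler(InetAddress.getByName(host)));
        } catch (UnknownHostException e) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(e.getMessage());
            }
            throw new IllegalStateException(e);
        }
    }

    /**
     * Hook invoked after a successful login whose result has a login authorization attachment.
     * No-op here; subclasses override to emit a session cookie.
     */
    protected void writeSessionCookie(IoSession ioSession, HttpRequestMessage httpRequestMessage, DefaultLoginResult defaultLoginResult) {
    }

    /** Returns {@code true} when the token is {@code null} or reports itself empty. */
    private boolean authTokenIsMissing(AuthenticationToken authenticationToken) {
        return authenticationToken == null || authenticationToken.isEmpty();
    }

    /**
     * Returns {@code true} when the required roles contain the wildcard {@code "*"} and a subject
     * exists, i.e. any authenticated subject is authorized regardless of its roles.
     */
    private boolean isSubjectAutomaticallyAuthorized(Subject subject, Collection<String> collection) {
        return collection.contains("*") && subject != null;
    }

    /** Trace-logs {@code String.format(str, objArr)}; callers must not pass pre-formatted text as {@code str}. */
    private void log(String str, Object... objArr) {
        this.logger.trace(String.format(str, objArr));
    }

    /** Trace-logs a message with its throwable; {@code str} is not format-expanded. */
    private void log(String str, Throwable th) {
        this.logger.trace(str, th);
    }

    static {
        $assertionsDisabled = !HttpLoginSecurityFilter.class.desiredAssertionStatus();
        LOGIN_RESULT_OK = new DefaultLoginResult();
        // Lazy group then optional ";..." tail, anchored at end of value.
        PATTERN_HEADER_FORWARDED = Pattern.compile(".*for\\s*=\\s*(.*?)(?:\\s*;.*)?$");
        try {
            // Always-successful context (YesLoginModule) with a fresh, empty Subject and no callback handler.
            LOGIN_CONTEXT_OK = new ResultAwareLoginContext("LOGIN_CONTEXT_OK", new Subject(), (CallbackHandler) null, new SuccessConfiguration(), LOGIN_RESULT_OK);
        } catch (LoginException e) {
            throw new RuntimeException(e);
        }
    }
}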
