package org.hippoecm.hst.core.container;

import java.io.IOException;
import java.security.AccessControlContext;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.jcr.Credentials;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.lang.StringUtils;
import org.hippoecm.hst.configuration.hosting.Mount;
import org.hippoecm.hst.core.internal.HstMutableRequestContext;
import org.hippoecm.hst.core.linking.HstLink;
import org.hippoecm.hst.core.request.HstRequestContext;
import org.hippoecm.hst.core.request.ResolvedMount;
import org.hippoecm.hst.core.request.ResolvedSiteMapItem;
import org.hippoecm.hst.security.AuthenticationProvider;
import org.hippoecm.hst.security.HstSubject;
import org.hippoecm.hst.security.PolicyContextWrapper;
import org.hippoecm.hst.security.TransientUser;

/* loaded from: input_file:WEB-INF/lib/hst-core-2.28.07.jar:org/hippoecm/hst/core/container/SecurityValve.class */
public class SecurityValve extends AbstractBaseOrderableValve {
    public static final String DESTINATION_ATTR_NAME = "org.hippoecm.hst.security.servlet.destination";
    public static final String SECURITY_EXCEPTION_ATTR_NAME = "org.hippoecm.hst.security.servlet.exception";
    protected AuthenticationProvider authProvider;

    public void setAuthenticationProvider(AuthenticationProvider authenticationProvider) {
        this.authProvider = authenticationProvider;
    }

    @Override // org.hippoecm.hst.core.container.AbstractBaseOrderableValve, org.hippoecm.hst.container.valves.AbstractValve, org.hippoecm.hst.core.container.Valve
    public void invoke(final ValveContext valveContext) throws ContainerException {
        Mount mount;
        HstRequestContext requestContext = valveContext.getRequestContext();
        if (requestContext.isCmsRequest() && requestContext.getResolvedMount().getMount().getVirtualHost().getVirtualHosts().isChannelMngrSiteAuthenticationSkipped()) {
            log.debug("Bypassing security valve because the request comes fo a CMS application and it's configured to skip authentication for those requests.");
            valveContext.invokeNext();
            return;
        }
        HttpServletRequest servletRequest = valveContext.getServletRequest();
        HttpServletResponse servletResponse = valveContext.getServletResponse();
        ResolvedMount resolvedMount = requestContext.getResolvedMount();
        boolean z = false;
        boolean z2 = false;
        ContainerSecurityException containerSecurityException = null;
        try {
            checkAccess(servletRequest);
            z = true;
        } catch (ContainerSecurityNotAuthenticatedException e) {
            z2 = true;
            containerSecurityException = e;
        } catch (ContainerSecurityNotAuthorizedException e2) {
            containerSecurityException = e2;
        } catch (ContainerSecurityException e3) {
            containerSecurityException = e3;
        }
        if (!z) {
            HstLink hstLink = null;
            String formLoginPage = resolvedMount.getFormLoginPage();
            Mount mount2 = resolvedMount.getMount();
            try {
                if (!mount2.isSite() && (mount = requestContext.getMount("site")) != null) {
                    mount2 = mount;
                }
                if (StringUtils.isBlank(formLoginPage)) {
                    formLoginPage = mount2.getFormLoginPage();
                }
                ResolvedSiteMapItem resolvedSiteMapItem = requestContext.getResolvedSiteMapItem();
                hstLink = requestContext.getHstLinkCreator().create(resolvedSiteMapItem == null ? "" : resolvedSiteMapItem.getPathInfo(), mount2);
            } catch (Exception e4) {
                if (log.isDebugEnabled()) {
                    log.warn("Failed to create destination link.", e4);
                } else if (log.isWarnEnabled()) {
                    log.warn("Failed to create destination link. {}", e4.toString());
                }
            }
            if (z2 && !StringUtils.isBlank(formLoginPage)) {
                try {
                    HttpSession session = servletRequest.getSession(true);
                    session.setAttribute(DESTINATION_ATTR_NAME, hstLink.toUrlForm(requestContext, true));
                    session.setAttribute(SECURITY_EXCEPTION_ATTR_NAME, containerSecurityException);
                    servletResponse.sendRedirect(requestContext.getHstLinkCreator().create(formLoginPage, mount2).toUrlForm(requestContext, true));
                    return;
                } catch (IOException e5) {
                    if (log.isDebugEnabled()) {
                        log.warn("Failed to redirect to form login page. " + formLoginPage, e5);
                    } else if (log.isWarnEnabled()) {
                        log.warn("Failed to redirect to form login page. " + formLoginPage + ". {}", e5.toString());
                    }
                }
            }
            try {
                servletRequest.getSession(true).setAttribute(DESTINATION_ATTR_NAME, hstLink.toUrlForm(requestContext, true));
                if (z2) {
                    servletResponse.sendError(HttpStatus.SC_UNAUTHORIZED, containerSecurityException != null ? containerSecurityException.getLocalizedMessage() : null);
                    return;
                } else {
                    servletResponse.sendError(HttpStatus.SC_FORBIDDEN, containerSecurityException != null ? containerSecurityException.getLocalizedMessage() : null);
                    return;
                }
            } catch (IOException e6) {
                if (log.isDebugEnabled()) {
                    log.warn("Failed to send error code.", e6);
                } else if (log.isWarnEnabled()) {
                    log.warn("Failed to send error code. {}", e6.toString());
                }
            }
        }
        Subject subject = requestContext.getSubject();
        if (subject == null) {
            subject = getSubject(servletRequest);
        }
        if (subject == null) {
            valveContext.invokeNext();
            return;
        }
        ContainerException containerException = (ContainerException) HstSubject.doAsPrivileged(subject, new PrivilegedAction<ContainerException>() { // from class: org.hippoecm.hst.core.container.SecurityValve.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public ContainerException run() {
                try {
                    try {
                        valveContext.invokeNext();
                        HstSubject.clearSubject();
                        return null;
                    } catch (ContainerException e7) {
                        HstSubject.clearSubject();
                        return e7;
                    }
                } catch (Throwable th) {
                    HstSubject.clearSubject();
                    throw th;
                }
            }
        }, (AccessControlContext) null);
        if (containerException != null) {
            throw containerException;
        }
    }

    protected void checkAccess(HttpServletRequest httpServletRequest) throws ContainerSecurityException {
        HstRequestContext hstRequestContext = (HstRequestContext) httpServletRequest.getAttribute(ContainerConstants.HST_REQUEST_CONTEXT);
        ResolvedSiteMapItem resolvedSiteMapItem = hstRequestContext.getResolvedSiteMapItem();
        Set<String> set = null;
        Set<String> set2 = null;
        boolean z = resolvedSiteMapItem != null && resolvedSiteMapItem.isAuthenticated();
        if (z) {
            set = resolvedSiteMapItem.getRoles();
            set2 = resolvedSiteMapItem.getUsers();
        } else {
            ResolvedMount resolvedMount = hstRequestContext.getResolvedMount();
            z = resolvedMount != null && resolvedMount.isAuthenticated();
            if (z) {
                set = resolvedMount.getRoles();
                set2 = resolvedMount.getUsers();
            }
        }
        if (!z) {
            log.debug("The sitemap item or site mount is non-authenticated.");
            return;
        }
        Principal userPrincipal = httpServletRequest.getUserPrincipal();
        if (userPrincipal == null) {
            log.debug("The user has not been authenticated yet.");
            throw new ContainerSecurityNotAuthenticatedException("Not authenticated yet.");
        }
        if (set2.isEmpty() && set.isEmpty()) {
            log.debug("The roles or users are not configured.");
        }
        if (!set2.isEmpty()) {
            if (set2.contains(userPrincipal.getName())) {
                return;
            } else {
                log.debug("The user is not assigned to users, {}", set2);
            }
        }
        if (!set.isEmpty()) {
            Iterator<String> it = set.iterator();
            while (it.hasNext()) {
                if (httpServletRequest.isUserInRole(it.next())) {
                    return;
                }
            }
            log.debug("The user is not assigned to roles, {}", set);
        }
        throw new ContainerSecurityNotAuthorizedException("Not authorized.");
    }

    protected Subject getSubject(HttpServletRequest httpServletRequest) {
        Credentials credentials;
        HttpSession session;
        Principal userPrincipal = httpServletRequest.getUserPrincipal();
        if (userPrincipal == null) {
            return null;
        }
        Subject subject = (Subject) PolicyContextWrapper.getContext("javax.security.auth.Subject.container");
        if (subject == null && (session = httpServletRequest.getSession(false)) != null) {
            subject = (Subject) session.getAttribute(ContainerConstants.SUBJECT_ATTR_NAME);
        }
        if (subject == null) {
            TransientUser transientUser = new TransientUser(userPrincipal.getName());
            HashSet hashSet = new HashSet();
            hashSet.add(userPrincipal);
            hashSet.add(transientUser);
            if (this.authProvider != null) {
                hashSet.addAll(this.authProvider.getRolesByUsername(userPrincipal.getName()));
            }
            HashSet hashSet2 = new HashSet();
            HashSet hashSet3 = new HashSet();
            HttpSession session2 = httpServletRequest.getSession(false);
            if (session2 != null && (credentials = (Credentials) session2.getAttribute("org.hippoecm.hst.security.servlet.subject.repo.creds")) != null) {
                session2.removeAttribute("org.hippoecm.hst.security.servlet.subject.repo.creds");
                hashSet3.add(credentials);
            }
            subject = new Subject(true, hashSet, hashSet2, hashSet3);
            if (session2 != null) {
                session2.setAttribute(ContainerConstants.SUBJECT_ATTR_NAME, subject);
            }
        }
        ((HstMutableRequestContext) ((HstRequestContext) httpServletRequest.getAttribute(ContainerConstants.HST_REQUEST_CONTEXT))).setSubject(subject);
        return subject;
    }
}
