package com.google.apphosting.runtime.jetty9;

import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;
import com.google.appengine.repackaged.com.google.common.flogger.GoogleLogger;
import com.google.appengine.repackaged.com.google.gaia.mint.proto2api.MutableApiscopecodes;
import com.google.apphosting.api.ApiProxy;
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import javax.security.auth.Subject;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.security.authentication.DeferredAuthentication;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.URIUtil;

/* loaded from: input_file:com/google/apphosting/runtime/jetty9/AppEngineAuthentication.class */
public class AppEngineAuthentication {
    // Logger shared by the nested authenticator, login-service and identity classes.
    private static final GoogleLogger logger = GoogleLogger.forInjectedClassName("com/google/apphosting/runtime/jetty9/AppEngineAuthentication");
    // Path prefix that AppEngineAuthenticator.validateRequest treats as a login/error page:
    // a mandatory check on such a path is answered with DeferredAuthentication instead of a
    // login redirect. NOTE(review): anything served under this prefix therefore needs its own
    // access control; confirm for each handler mounted there.
    private static final String AUTH_URL_PREFIX = "/_ah/";
    // Value reported by AppEngineAuthenticator.getAuthMethod().
    private static final String AUTH_METHOD = "Google Login";
    // Value reported by AppEngineLoginService.getName().
    private static final String REALM_NAME = "Google App Engine";
    // Request attribute whose mere presence (any non-null value) makes validateRequest return
    // DeferredAuthentication without consulting UserService. Nothing in this file sets it.
    // NOTE(review): whatever sets it must never derive it from client-controlled input;
    // verify the setter.
    private static final String SKIP_ADMIN_CHECK_ATTR = "com.google.apphosting.internal.SkipAdminCheck";
    // Role that AppEngineUserIdentity.isUserInRole grants to every non-null principal.
    private static final String USER_ROLE = "*";
    // Role granted only when the principal is the current user and UserService.isUserAdmin() is true.
    private static final String ADMIN_ROLE = "admin";

    /* loaded from: input_file:com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineAuthenticator.class */
    /**
     * Jetty {@link LoginAuthenticator} that authenticates against the App Engine
     * {@link UserService} instead of credentials carried in the request.
     *
     * <p>Security-relevant behaviour visible in this class:
     * <ul>
     *   <li>Paths under the reserved prefix and requests carrying the SkipAdminCheck attribute
     *       receive a {@link DeferredAuthentication} even when authentication is mandatory, so
     *       no login redirect is forced for them here.</li>
     *   <li>{@code secureResponse} always reports success and {@code renewSession} is
     *       unsupported; nothing in this class reads or writes the HTTP session.</li>
     * </ul>
     */
    private static class AppEngineAuthenticator extends LoginAuthenticator {
        private AppEngineAuthenticator() {
        }

        /**
         * Tells whether {@code path} starts with the reserved login/error prefix.
         *
         * <p>This is a plain {@code startsWith} test on the path the caller assembled.
         * NOTE(review): whether that path is normalised the same way as the routing decision
         * depends on the container; confirm.
         */
        private static boolean isLoginOrErrorPage(String path) {
            return path.startsWith(AppEngineAuthentication.AUTH_URL_PREFIX);
        }

        /** Returns the fixed authentication-method label of this authenticator. */
        public String getAuthMethod() {
            return AppEngineAuthentication.AUTH_METHOD;
        }

        /**
         * Decides the authentication outcome for one request.
         *
         * <p>Order of decisions: non-mandatory requests, reserved-prefix paths (unless the
         * response is already the deferred one) and requests with the SkipAdminCheck attribute
         * all yield {@link DeferredAuthentication}. Otherwise a logged-in user is turned into a
         * {@link UserAuthentication}; with nobody logged in, the request is redirected to the
         * login URL, or answered with 403 when that URL cannot be obtained.
         *
         * @param servletRequest the request; cast to {@link HttpServletRequest} unconditionally
         * @param servletResponse the response; cast to {@link HttpServletResponse} unconditionally
         * @param z Jetty's "mandatory" flag; {@code false} short-circuits to a deferred result
         * @return the authentication state Jetty should act on
         * @throws ServerAuthException if the response is null, or an I/O error occurs while
         *     redirecting or sending the error
         */
        public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean z) throws ServerAuthException {
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            HttpServletResponse response = (HttpServletResponse) servletResponse;
            if (!z) {
                return new DeferredAuthentication(this);
            }

            // The prefix test runs on servletPath + pathInfo, not on the raw request URI.
            String path = URIUtil.addPaths(request.getServletPath(), request.getPathInfo());
            if (path == null) {
                path = "/";
            }

            boolean deferredResponse = DeferredAuthentication.isDeferred(response);
            if (isLoginOrErrorPage(path) && !deferredResponse) {
                ((GoogleLogger.Api) AppEngineAuthentication.logger.atFine().withInjectedLogSite("com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineAuthenticator", "validateRequest", 174, "AppEngineAuthentication.java")).log("Got %s, returning DeferredAuthentication to imply authentication is in progress.", path);
                return new DeferredAuthentication(this);
            }

            // Presence alone is enough; the attribute's value is never inspected.
            Object skipAdminCheck = request.getAttribute(AppEngineAuthentication.SKIP_ADMIN_CHECK_ATTR);
            if (skipAdminCheck != null) {
                ((GoogleLogger.Api) AppEngineAuthentication.logger.atFine().withInjectedLogSite("com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineAuthenticator", "validateRequest", 181, "AppEngineAuthentication.java")).log("Returning DeferredAuthentication because of SkipAdminCheck.");
                return new DeferredAuthentication(this);
            }

            if (response == null) {
                throw new ServerAuthException("validateRequest called with null response!!!");
            }

            try {
                UserService users = UserServiceFactory.getUserService();

                UserIdentity identity = null;
                if (users.isUserLoggedIn()) {
                    // No credentials are passed: the login service resolves the current user itself.
                    identity = this._loginService.login((String) null, (Object) null, (ServletRequest) null);
                    ((GoogleLogger.Api) AppEngineAuthentication.logger.atFine().withInjectedLogSite("com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineAuthenticator", "validateRequest", 196, "AppEngineAuthentication.java")).log("authenticate() returning new principal for %s", identity);
                }
                if (identity != null) {
                    return new UserAuthentication(getAuthMethod(), identity);
                }

                // A deferred check must not commit a redirect; report "unauthenticated" instead.
                if (DeferredAuthentication.isDeferred(response)) {
                    return Authentication.UNAUTHENTICATED;
                }

                try {
                    // NOTE(review): the line-number argument below is a *_VALUE constant where the
                    // sibling calls pass an int literal; presumably a decompiler substitution.
                    ((GoogleLogger.Api) AppEngineAuthentication.logger.atFine().withInjectedLogSite("com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineAuthenticator", "validateRequest", MutableApiscopecodes.GaiaMintScopeCode.ScopeCode.API_ACCOUNT_INFO_ID_VALUE, "AppEngineAuthentication.java")).log("Got %s but no one was logged in, redirecting.", request.getRequestURI());
                    // The post-login destination is the URL of this very request.
                    String destination = AppEngineAuthentication.getFullURL(request);
                    String loginUrl = users.createLoginURL(destination);
                    response.sendRedirect(loginUrl);
                    return Authentication.SEND_CONTINUE;
                } catch (ApiProxy.ApiProxyException e) {
                    // Fail closed: without a login URL the request is refused rather than let through.
                    ((GoogleLogger.Api) ((GoogleLogger.Api) AppEngineAuthentication.logger.atSevere().withCause(e)).withInjectedLogSite("com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineAuthenticator", "validateRequest", MutableApiscopecodes.GaiaMintScopeCode.ScopeCode2.API_PASSWORD_CHANGE_STATUS_VALUE, "AppEngineAuthentication.java")).log("Could not get login URL:");
                    response.sendError(403);
                    return Authentication.SEND_FAILURE;
                }
            } catch (IOException ioFailure) {
                throw new ServerAuthException(ioFailure);
            }
        }

        /**
         * Session renewal is not supported by this authenticator.
         *
         * @throws UnsupportedOperationException always, after logging a warning
         */
        protected HttpSession renewSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
            ((GoogleLogger.Api) AppEngineAuthentication.logger.atWarning().withInjectedLogSite("com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineAuthenticator", "renewSession", 229, "AppEngineAuthentication.java")).log("renewSession throwing an UnsupportedOperationException");
            throw new UnsupportedOperationException();
        }

        /** Performs no response-side check; always returns {@code true}. */
        public boolean secureResponse(ServletRequest servletRequest, ServletResponse servletResponse, boolean z, Authentication.User user) {
            return true;
        }
    }

    /* loaded from: input_file:com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineLoginService.class */
    /**
     * Jetty {@link LoginService} backed by the App Engine {@link UserService}.
     *
     * <p>The service never inspects a username or credential: the identity it returns is
     * whoever {@code UserService.getCurrentUser()} reports for the current request, so the
     * trust decision rests entirely on that API.
     */
    private static class AppEngineLoginService implements LoginService {
        // Only stored and handed back; never consulted by this class.
        private IdentityService identityService;

        private AppEngineLoginService() {
        }

        /** Returns the fixed realm name. */
        public String getName() {
            return AppEngineAuthentication.REALM_NAME;
        }

        public IdentityService getIdentityService() {
            return this.identityService;
        }

        public void setIdentityService(IdentityService identityService) {
            this.identityService = identityService;
        }

        /**
         * Returns the identity of the current App Engine user.
         *
         * @param str ignored
         * @param obj ignored
         * @param servletRequest ignored
         * @return the current user's identity, or {@code null} when no user is present
         */
        public UserIdentity login(String str, Object obj, ServletRequest servletRequest) {
            return loadUser();
        }

        /** Wraps the current user in an identity; yields {@code null} when there is none. */
        private AppEngineUserIdentity loadUser() {
            User current = UserServiceFactory.getUserService().getCurrentUser();
            return current == null ? null : new AppEngineUserIdentity(new AppEnginePrincipal(current));
        }

        /** Does not end any session; a non-null identity is only logged at fine level. */
        public void logout(UserIdentity userIdentity) {
            if (userIdentity == null) {
                return;
            }
            ((GoogleLogger.Api) AppEngineAuthentication.logger.atFine().withInjectedLogSite("com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineLoginService", "logout", MutableApiscopecodes.GaiaMintScopeCode.ScopeCode.API_MAIL_SEND_VALUE, "AppEngineAuthentication.java")).log("Ignoring logout call for: %s", userIdentity);
        }

        /**
         * Re-validation of a previously issued identity is not supported.
         *
         * @throws UnsupportedOperationException always, after logging at info level
         */
        public boolean validate(UserIdentity userIdentity) {
            ((GoogleLogger.Api) AppEngineAuthentication.logger.atInfo().withInjectedLogSite("com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineLoginService", "validate", 329, "AppEngineAuthentication.java")).log("validate(%s) throwing UnsupportedOperationException.", userIdentity);
            throw new UnsupportedOperationException();
        }
    }

    /* loaded from: input_file:com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEnginePrincipal.class */
    /**
     * {@link Principal} view of an App Engine {@link User}.
     *
     * <p>Equality, hash code and string form all delegate to the wrapped user. The constructor
     * does not reject {@code null}; every other method dereferences the user, so a null user
     * surfaces as a {@link NullPointerException} on first use.
     */
    public static class AppEnginePrincipal implements Principal {
        private final User user;

        public AppEnginePrincipal(User user) {
            this.user = user;
        }

        /** Returns the wrapped user. */
        public User getUser() {
            return this.user;
        }

        /**
         * Returns the federated identity when it is non-empty, otherwise the e-mail address.
         */
        @Override
        public String getName() {
            String federatedIdentity = this.user.getFederatedIdentity();
            if (federatedIdentity != null && federatedIdentity.length() > 0) {
                return federatedIdentity;
            }
            return this.user.getEmail();
        }

        /** Two principals are equal exactly when their wrapped users are equal. */
        @Override
        public boolean equals(Object obj) {
            return obj instanceof AppEnginePrincipal && this.user.equals(((AppEnginePrincipal) obj).user);
        }

        @Override
        public int hashCode() {
            return this.user.hashCode();
        }

        // NOTE(review): this string reaches the log statements of the enclosing class;
        // presumably it contains the user's e-mail address, so check log handling.
        @Override
        public String toString() {
            return this.user.toString();
        }
    }

    /* loaded from: input_file:com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineUserIdentity.class */
    /**
     * Jetty {@link UserIdentity} for an App Engine user, with a two-role model: the wildcard
     * user role held by every principal, and the admin role decided by {@link UserService}.
     */
    public static class AppEngineUserIdentity implements UserIdentity {
        private final AppEnginePrincipal userPrincipal;

        public AppEngineUserIdentity(AppEnginePrincipal appEnginePrincipal) {
            this.userPrincipal = appEnginePrincipal;
        }

        /**
         * JAAS subjects are not supported.
         *
         * @throws UnsupportedOperationException always, after logging at info level
         */
        public Subject getSubject() {
            ((GoogleLogger.Api) AppEngineAuthentication.logger.atInfo().withInjectedLogSite("com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineUserIdentity", "getSubject", MutableApiscopecodes.GaiaMintScopeCode.ScopeCode2.API_MAIL_MESSAGE_ACCESS_TOKEN_VALUE, "AppEngineAuthentication.java")).log("getSubject() throwing UnsupportedOperationException.");
            throw new UnsupportedOperationException();
        }

        /** Returns the principal given at construction; may be {@code null}. */
        public Principal getUserPrincipal() {
            return this.userPrincipal;
        }

        /**
         * Answers role membership, denying by default.
         *
         * <p>A null principal holds no role. The wildcard user role is granted to any principal.
         * The admin role is granted only when this identity's user equals the user that
         * {@link UserService} reports as current and that user is an admin; an identity that
         * does not match the current user is denied. Any other role name is denied.
         *
         * @param str the role name to test
         * @param scope not consulted
         * @return {@code true} only in the two granted cases described above
         */
        public boolean isUserInRole(String str, UserIdentity.Scope scope) {
            UserService users = UserServiceFactory.getUserService();
            ((GoogleLogger.Api) AppEngineAuthentication.logger.atFine().withInjectedLogSite("com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineUserIdentity", "isUserInRole", 408, "AppEngineAuthentication.java")).log("Checking if principal %s is in role %s", this.userPrincipal, str);

            if (this.userPrincipal == null) {
                ((GoogleLogger.Api) AppEngineAuthentication.logger.atInfo().withInjectedLogSite("com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineUserIdentity", "isUserInRole", 410, "AppEngineAuthentication.java")).log("isUserInRole() called with null principal.");
                return false;
            }

            if (AppEngineAuthentication.USER_ROLE.equals(str)) {
                return true;
            }

            if (AppEngineAuthentication.ADMIN_ROLE.equals(str)) {
                User principalUser = this.userPrincipal.getUser();
                // Admin status is only available for the current user, so an identity that
                // is not the current user cannot be confirmed as admin and is denied.
                if (principalUser.equals(users.getCurrentUser())) {
                    return users.isUserAdmin();
                }
                ((GoogleLogger.Api) AppEngineAuthentication.logger.atSevere().withInjectedLogSite("com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineUserIdentity", "isUserInRole", 426, "AppEngineAuthentication.java")).log("Cannot tell if non-logged-in user %s is an admin.", principalUser);
                return false;
            }

            ((GoogleLogger.Api) AppEngineAuthentication.logger.atWarning().withInjectedLogSite("com/google/apphosting/runtime/jetty9/AppEngineAuthentication$AppEngineUserIdentity", "isUserInRole", 430, "AppEngineAuthentication.java")).log("Unknown role: %s.", str);
            return false;
        }

        /** Renders as {@code AppEngineUserIdentity('<principal>')}. */
        public String toString() {
            return AppEngineUserIdentity.class.getSimpleName() + "('" + this.userPrincipal + "')";
        }
    }

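    /**
     * Wires the App Engine login service, authenticator and a default identity service into
     * the given Jetty security handler, and registers the two known roles.
     *
     * <p>The login service's own identity-service field is not set here.
     *
     * @param constraintSecurityHandler the handler to configure; modified in place
     */
    public static void configureSecurityHandler(ConstraintSecurityHandler constraintSecurityHandler) {
        AppEngineLoginService appEngineLoginService = new AppEngineLoginService();
        AppEngineAuthenticator appEngineAuthenticator = new AppEngineAuthenticator();
        DefaultIdentityService defaultIdentityService = new DefaultIdentityService();
        // Typed set instead of a raw HashSet, so the role set is checked as Set<String>.
        constraintSecurityHandler.setRoles(new HashSet<String>(Arrays.asList(USER_ROLE, ADMIN_ROLE)));
        constraintSecurityHandler.setLoginService(appEngineLoginService);
        constraintSecurityHandler.setAuthenticator(appEngineAuthenticator);
        constraintSecurityHandler.setIdentityService(defaultIdentityService);
        // Called last; presumably so the authenticator picks up the login and identity
        // services set just above. Confirm against LoginAuthenticator before reordering.
        appEngineAuthenticator.setConfiguration(constraintSecurityHandler);
    }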

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Rebuilds the URL of the given request, including its query string when one is present.
     *
     * <p>The authenticator passes this value to {@code createLoginURL} as the post-login
     * destination. NOTE(review): scheme and host come from the request as the container
     * reports them, and no allow-list is applied here; confirm that the login endpoint
     * validates the destination.
     *
     * @param httpServletRequest the request whose URL is reconstructed
     * @return the request URL, followed by {@code ?} and the raw query string if there is one
     */
    public static String getFullURL(HttpServletRequest httpServletRequest) {
        StringBuffer url = httpServletRequest.getRequestURL();
        String query = httpServletRequest.getQueryString();
        if (query == null) {
            return url.toString();
        }
        return url.append('?').append(query).toString();
    }
}
