package io.hawt.web.auth;

import io.hawt.system.ConfigManager;
import io.hawt.util.IOHelper;
import io.hawt.util.Strings;
import io.hawt.web.ServletHelpers;
import io.hawt.web.auth.oidc.OidcConfiguration;
import jakarta.servlet.ServletContext;
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Properties;
import javax.security.auth.login.Configuration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/hawtio-system-4.1.0.jar:io/hawt/web/auth/AuthenticationConfiguration.class */
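public class AuthenticationConfiguration {

    /**
     * Every path the authentication layer treats as unsecured: the concatenation of
     * {@link #UNSECURED_RESOURCE_PATHS}, {@link #UNSECURED_AUTHENTICATION_PATHS},
     * {@link #UNSECURED_META_PATHS} and {@link #UNSECURED_SERVLET_PATHS}, in that order.
     * It is filled by the static initializer at the end of the class, after those arrays
     * have been initialized. Arrays are mutable: callers must treat this one as read-only.
     */
    public static final String[] UNSECURED_PATHS;

    // Keys looked up through ConfigManager.
    public static final String AUTHENTICATION_ENABLED = "authenticationEnabled";
    public static final String AUTH = "auth";
    public static final String AUTHENTICATION_THROTTLED = "authenticationThrottled";
    public static final String REALM = "realm";
    public static final String ROLES = "roles";
    public static final String ROLE_PRINCIPAL_CLASSES = "rolePrincipalClasses";
    public static final String NO_CREDENTIALS_401 = "noCredentials401";
    public static final String AUTHENTICATION_CONTAINER_DISCOVERY_CLASSES = "authenticationContainerDiscoveryClasses";
    public static final String KEYCLOAK_ENABLED = "keycloakEnabled";
    public static final String OIDC_CLIENT_CONFIG = "oidcConfig";

    // System-property forms of the keys above ("hawtio." prefix). Only HAWTIO_AUTH,
    // HAWTIO_AUTHENTICATION_ENABLED and HAWTIO_OIDC_CLIENT_CONFIG are read directly in this
    // class; the others are presumably consumed by ConfigManager — verify there.
    public static final String HAWTIO_OIDC_CLIENT_CONFIG = "hawtio.oidcConfig";
    public static final String HAWTIO_AUTHENTICATION_ENABLED = "hawtio.authenticationEnabled";
    public static final String HAWTIO_AUTH = "hawtio.auth";
    public static final String HAWTIO_AUTHENTICATION_THROTTLED = "hawtio.authenticationThrottled";
    public static final String HAWTIO_REALM = "hawtio.realm";
    public static final String HAWTIO_ROLES = "hawtio.roles";
    public static final String HAWTIO_ROLE_PRINCIPAL_CLASSES = "hawtio.rolePrincipalClasses";
    public static final String HAWTIO_NO_CREDENTIALS_401 = "hawtio.noCredentials401";
    public static final String HAWTIO_AUTH_CONTAINER_DISCOVERY_CLASSES = "hawtio.authenticationContainerDiscoveryClasses";
    public static final String HAWTIO_KEYCLOAK_ENABLED = "hawtio.keycloakEnabled";

    /** ServletContext attribute under which the singleton instance is cached. */
    public static final String AUTHENTICATION_CONFIGURATION = "authenticationConfig";

    public static final String DEFAULT_REALM = "hawtio";
    private static final String DEFAULT_KARAF_ROLES = "admin,manager,viewer";
    public static final String DEFAULT_KARAF_ROLE_PRINCIPAL_CLASSES = "org.apache.karaf.jaas.boot.principal.RolePrincipal,org.apache.karaf.jaas.modules.RolePrincipal,org.apache.karaf.jaas.boot.principal.GroupPrincipal";
    public static final String TOMCAT_AUTH_CONTAINER_DISCOVERY = "io.hawt.web.tomcat.TomcatAuthenticationContainerDiscovery";

    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationConfiguration.class);

    private final boolean enabled;
    private final Optional<AuthenticationThrottler> throttler;
    private final String realm;
    private final String roles;
    // Mutable on purpose: exposed through public setters so that other components
    // (e.g. a container discovery or OIDC setup) can adjust them after construction.
    private String rolePrincipalClasses;
    private Class<? extends Principal> defaultRolePrincipalClass;
    private final boolean noCredentials401;
    private final boolean keycloakEnabled;
    private Configuration configuration;
    private final ConfigManager configManager;
    private OidcConfiguration oidcConfiguration;
    private boolean springSecurityEnabled = false;

    /** Static web resources served without authentication. */
    public static final String[] UNSECURED_RESOURCE_PATHS = {"/index.html", "/favicon.ico", "/hawtconfig.json", "/robots.txt", "/json.worker.js", "/editor.worker.js", "/css", "/fonts", "/img", "/js", "/static"};
    public static final String LOGIN_URL = "/login";
    /** Endpoints that must be reachable before a session exists (login, logout, auth config, ...). */
    public static final String[] UNSECURED_AUTHENTICATION_PATHS = {LOGIN_URL, "/auth/login", "/auth/logout", "/auth/config", "/user", "/keycloak"};
    public static final String[] UNSECURED_META_PATHS = {"/plugin"};
    // NOTE(review): /jolokia and /proxy are listed as unsecured here; presumably those servlets
    // enforce authentication themselves — confirm against the filter and servlet code before
    // relying on this list as the complete access-control picture.
    public static final String[] UNSECURED_SERVLET_PATHS = {"/jolokia", "/proxy"};

    /**
     * Resolves the authentication settings from the {@link ConfigManager} stored in the
     * servlet context. Use {@link #getConfiguration(ServletContext)} rather than this
     * constructor so that one instance is shared per context.
     *
     * @param servletContext context holding the {@link ConfigManager#CONFIG_MANAGER} attribute
     * @throws RuntimeException if no config manager is registered in the context
     */
    private AuthenticationConfiguration(ServletContext servletContext) {
        ConfigManager manager = (ConfigManager) servletContext.getAttribute(ConfigManager.CONFIG_MANAGER);
        if (manager == null) {
            throw new RuntimeException("Hawtio config manager not found, cannot proceed Hawtio configuration");
        }
        this.configManager = manager;

        // Legacy alias: a value given as "hawtio.auth" is copied into "hawtio.authenticationEnabled"
        // so that only the latter key needs to be consulted from here on.
        String legacyAuthFlag = System.getProperty(HAWTIO_AUTH);
        if (legacyAuthFlag != null) {
            System.setProperty(HAWTIO_AUTHENTICATION_ENABLED, legacyAuthFlag);
        }

        this.enabled = manager.getBoolean(AUTHENTICATION_ENABLED, true);

        boolean throttled = manager.getBoolean(AUTHENTICATION_THROTTLED, true);
        LOG.info("Authentication throttling is {}", throttled ? "enabled" : "disabled");
        this.throttler = throttled ? Optional.of(new AuthenticationThrottler()) : Optional.empty();

        this.realm = manager.get(REALM).orElse(DEFAULT_REALM);
        this.roles = manager.get(ROLES).orElse(DEFAULT_KARAF_ROLES);
        // Outside Karaf there is no built-in default; the empty string makes the default
        // role principal class resolve to null below.
        this.rolePrincipalClasses = manager.get(ROLE_PRINCIPAL_CLASSES)
            .orElse(isKaraf() ? DEFAULT_KARAF_ROLE_PRINCIPAL_CLASSES : "");
        this.defaultRolePrincipalClass = determineDefaultRolePrincipalClass(this.rolePrincipalClasses);
        this.noCredentials401 = manager.getBoolean(NO_CREDENTIALS_401, false);
        // Keycloak can only be on when authentication as a whole is on.
        this.keycloakEnabled = this.enabled && manager.getBoolean(KEYCLOAK_ENABLED, false);

        if (!this.enabled) {
            LOG.info("Starting hawtio authentication filter, JAAS authentication disabled");
            return;
        }

        // Container discovery: the first discovery that accepts this configuration wins.
        // `this` deliberately escapes before construction completes; discoveries can
        // presumably tune the instance through the public setters — confirm in the
        // AuthenticationContainerDiscovery implementations.
        String discoveryClasses = manager.get(AUTHENTICATION_CONTAINER_DISCOVERY_CLASSES)
            .orElse(TOMCAT_AUTH_CONTAINER_DISCOVERY);
        for (AuthenticationContainerDiscovery discovery : getDiscoveries(discoveryClasses)) {
            if (discovery.canAuthenticate(this)) {
                LOG.info("Discovered container {} to use with hawtio authentication filter", discovery.getContainerName());
                break;
            }
        }
        LOG.info("Starting Hawtio authentication filter, JAAS realm: \"{}\" authorized role(s): \"{}\" role principal classes: \"{}\"", this.realm, this.roles, this.rolePrincipalClasses);
    }

    /** Karaf is detected by the presence of the {@code karaf.name} system property. */
    private static boolean isKaraf() {
        return System.getProperty("karaf.name") != null;
    }

    /**
     * Returns the configuration cached in the servlet context, creating and caching it on
     * first use. The check-then-set is not synchronized; if two threads call this concurrently
     * during startup, two instances may be built and the last one stored wins.
     *
     * @param servletContext the web application's context
     * @return the shared configuration for that context
     */
    public static AuthenticationConfiguration getConfiguration(ServletContext servletContext) {
        AuthenticationConfiguration config = (AuthenticationConfiguration) servletContext.getAttribute(AUTHENTICATION_CONFIGURATION);
        if (config == null) {
            config = new AuthenticationConfiguration(servletContext);
            servletContext.setAttribute(AUTHENTICATION_CONFIGURATION, config);
        }
        return config;
    }

    /**
     * Instantiates the container discoveries named in a comma-separated list of class names.
     * The names come from deployment configuration (ConfigManager / system properties), so
     * whoever controls that configuration controls which classes get instantiated — keep it
     * administrator-only. Entries that cannot be loaded or constructed are logged and skipped.
     *
     * @param classNames comma-separated fully qualified class names; may be null or blank
     * @return the successfully constructed discoveries, possibly empty, never null
     */
    private static List<AuthenticationContainerDiscovery> getDiscoveries(String classNames) {
        List<AuthenticationContainerDiscovery> discoveries = new ArrayList<>();
        if (classNames == null || classNames.trim().isEmpty()) {
            return discoveries;
        }
        ClassLoader loader = AuthenticationConfiguration.class.getClassLoader();
        for (String className : classNames.split(",")) {
            try {
                discoveries.add(loader.loadClass(className.trim())
                    .asSubclass(AuthenticationContainerDiscovery.class)
                    .getDeclaredConstructor()
                    .newInstance());
            } catch (Exception e) {
                // Best effort by design: one broken entry must not block the remaining discoveries.
                LOG.warn("Couldn't instantiate discovery {}", className, e);
            }
        }
        return discoveries;
    }

    /** @return whether authentication is enabled at all (default {@code true}). */
    public boolean isEnabled() {
        return this.enabled;
    }

    /** @return the throttler, present only when {@code authenticationThrottled} is true (the default). */
    public Optional<AuthenticationThrottler> getThrottler() {
        return this.throttler;
    }

    /** @return the {@code noCredentials401} flag (default {@code false}); its effect lives in the filter. */
    public boolean isNoCredentials401() {
        return this.noCredentials401;
    }

    /** @return the JAAS realm name (default {@value #DEFAULT_REALM}). */
    public String getRealm() {
        return this.realm;
    }

    /** @return the comma-separated authorized roles. */
    public String getRoles() {
        return this.roles;
    }

    /** @return the comma-separated role principal class names. */
    public String getRolePrincipalClasses() {
        return this.rolePrincipalClasses;
    }

    /**
     * Replaces the role principal class names. Note that this does not recompute
     * {@link #getDefaultRolePrincipalClass()}, which is derived once in the constructor.
     *
     * @param rolePrincipalClasses comma-separated fully qualified class names
     */
    public void setRolePrincipalClasses(String rolePrincipalClasses) {
        this.rolePrincipalClasses = rolePrincipalClasses;
    }

    /** @return the first usable role principal class derived at construction time, or null if none loaded. */
    public Class<? extends Principal> getDefaultRolePrincipalClass() {
        return this.defaultRolePrincipalClass;
    }

    /** @return the JAAS login {@link Configuration} in use, or null if none has been set. */
    public Configuration getConfiguration() {
        return this.configuration;
    }

    public void setConfiguration(Configuration configuration) {
        this.configuration = configuration;
    }

    public boolean isKeycloakEnabled() {
        return this.keycloakEnabled;
    }

    /** @return true once {@link #configureOidc()} has loaded an OIDC configuration that reports itself enabled. */
    public boolean isOidcEnabled() {
        return this.oidcConfiguration != null && this.oidcConfiguration.isEnabled();
    }

    public void setSpringSecurityEnabled(boolean springSecurityEnabled) {
        this.springSecurityEnabled = springSecurityEnabled;
    }

    public boolean isSpringSecurityEnabled() {
        return this.springSecurityEnabled;
    }

    /** @return true if any of Keycloak, OIDC or Spring Security handles authentication instead of JAAS. */
    public boolean isExternalAuthenticationEnabled() {
        return isKeycloakEnabled() || isOidcEnabled() || isSpringSecurityEnabled();
    }

    /**
     * Loads the OIDC client configuration, if a properties file can be found. The location is
     * resolved in this order: the {@code hawtio.oidcConfig} system property, the
     * {@code oidcConfig} ConfigManager key, then {@link #defaultOidcConfigLocation()}.
     * When the loaded configuration is enabled it also becomes the active JAAS
     * {@link Configuration}. Read failures are logged and leave the previous state untouched.
     */
    public void configureOidc() {
        String location = this.configManager.get(OIDC_CLIENT_CONFIG).orElse(null);
        String override = System.getProperty(HAWTIO_OIDC_CLIENT_CONFIG);
        if (override != null) {
            location = override;
        }
        if (Strings.isBlank(location)) {
            location = defaultOidcConfigLocation();
        }
        LOG.info("Looking for OIDC configuration file in: {}", location);

        InputStream in = ServletHelpers.loadFile(location);
        if (in == null) {
            return;
        }
        LOG.info("Reading OIDC configuration.");
        Properties properties = new Properties();
        try {
            properties.load(in);
            this.oidcConfiguration = new OidcConfiguration(properties);
            this.oidcConfiguration.setRolePrincipalClass(this.defaultRolePrincipalClass);
            if (this.oidcConfiguration.isEnabled()) {
                this.configuration = this.oidcConfiguration;
            }
        } catch (IOException e) {
            LOG.warn("Couldn't read OIDC configuration file", e);
        } finally {
            // Single close point; the stream is never closed twice on a read failure.
            IOHelper.close(in, "oidcInputStream", LOG);
        }
    }

    /**
     * Picks the default OIDC properties location for the detected container, based on which
     * well-known system property is set (Karaf, Jetty, Tomcat, JBoss/WildFly, Artemis), falling
     * back to a classpath resource.
     *
     * @return a file path or {@code classpath:hawtio-oidc.properties}
     */
    protected String defaultOidcConfigLocation() {
        String karafBase = System.getProperty("karaf.base");
        if (karafBase != null) {
            return karafBase + "/etc/hawtio-oidc.properties";
        }
        String jettyHome = System.getProperty("jetty.home");
        if (jettyHome != null) {
            return jettyHome + "/etc/hawtio-oidc.properties";
        }
        String catalinaHome = System.getProperty("catalina.home");
        if (catalinaHome != null) {
            return catalinaHome + "/conf/hawtio-oidc.properties";
        }
        String jbossConfigDir = System.getProperty("jboss.server.config.dir");
        if (jbossConfigDir != null) {
            return jbossConfigDir + "/hawtio-oidc.properties";
        }
        String artemisEtc = System.getProperty("artemis.instance.etc");
        return artemisEtc != null ? artemisEtc + "/hawtio-oidc.properties" : "classpath:hawtio-oidc.properties";
    }

    /** @return the loaded OIDC configuration, or null if {@link #configureOidc()} found none. */
    public OidcConfiguration getOidcConfiguration() {
        return this.oidcConfiguration;
    }

    /**
     * Selects the role principal class to use by default from a comma-separated list.
     * A class qualifies when it can be loaded, implements {@link Principal} and has a
     * public {@code (String)} constructor; of all qualifying entries, the last one in the
     * list is returned. Unusable entries are logged and skipped.
     *
     * @param rolePrincipalClasses comma-separated class names; may be null or blank
     * @return the selected class, or null if no entry qualifies
     */
    private Class<? extends Principal> determineDefaultRolePrincipalClass(String rolePrincipalClasses) {
        if (rolePrincipalClasses == null || rolePrincipalClasses.isBlank()) {
            return null;
        }
        Class<? extends Principal> selected = null;
        for (String className : rolePrincipalClasses.split("\\s*,\\s*")) {
            Class<? extends Principal> candidate = tryLoadClass(className, Principal.class);
            if (candidate == null) {
                continue;
            }
            try {
                // The class must be constructible from a role name to be usable.
                candidate.getConstructor(String.class);
                selected = candidate;
            } catch (NoSuchMethodException e) {
                LOG.warn("Can't use role principal class {}: {}", className, e.getMessage());
            }
        }
        return selected;
    }

    /**
     * Loads a class by name and checks that it is assignable to {@code type}. This class's
     * own loader is tried first, then the thread context class loader (for classes supplied by
     * the container or web application rather than by hawtio). A class that loads but does not
     * implement {@code type} is logged and the next loader is tried.
     *
     * @param className fully qualified class name
     * @param type      required supertype
     * @return the loaded class, or null if it cannot be found or does not implement {@code type}
     */
    @SuppressWarnings("unchecked")
    private <T> Class<T> tryLoadClass(String className, Class<T> type) {
        ClassLoader[] loaders = {getClass().getClassLoader(), Thread.currentThread().getContextClassLoader()};
        for (ClassLoader loader : loaders) {
            Class<?> loaded = loadOrNull(loader, className);
            if (loaded == null) {
                continue;
            }
            if (type.isAssignableFrom(loaded)) {
                // Safe: isAssignableFrom above proves loaded is a subtype of T.
                return (Class<T>) loaded;
            }
            LOG.warn("Class {} doesn't implement {}", loaded, type);
        }
        return null;
    }

    /** Loads {@code className} through {@code loader}, returning null if the loader is null or the class is absent. */
    private static Class<?> loadOrNull(ClassLoader loader, String className) {
        if (loader == null) {
            return null;
        }
        try {
            return loader.loadClass(className);
        } catch (ClassNotFoundException ignored) {
            // Absence is an expected outcome here; the caller falls back to the next loader.
            return null;
        }
    }

    @Override
    public String toString() {
        return "AuthenticationConfiguration[enabled=" + this.enabled
            + ", noCredentials401=" + this.noCredentials401
            + ", realm='" + this.realm
            + "', roles='" + this.roles
            + "', rolePrincipalClasses='" + this.rolePrincipalClasses
            + "', configuration=" + this.configuration
            + ", keycloakEnabled=" + this.keycloakEnabled
            + ", oidcEnabled=" + isOidcEnabled() + "]";
    }

    // Must stay below the UNSECURED_* array fields: static initializers run in textual order.
    static {
        List<String> all = new ArrayList<>();
        all.addAll(Arrays.asList(UNSECURED_RESOURCE_PATHS));
        all.addAll(Arrays.asList(UNSECURED_AUTHENTICATION_PATHS));
        all.addAll(Arrays.asList(UNSECURED_META_PATHS));
        all.addAll(Arrays.asList(UNSECURED_SERVLET_PATHS));
        UNSECURED_PATHS = all.toArray(new String[0]);
    }
}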
