package net.sf.jguard.core.filters;

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.security.AccessControlContext;
import java.security.Permission;
import java.security.Permissions;
import java.security.PrivilegedExceptionAction;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import net.sf.jguard.core.CoreConstants;
import net.sf.jguard.core.PolicyEnforcementPointOptions;
import net.sf.jguard.core.authentication.AccessContext;
import net.sf.jguard.core.authentication.AuthenticationException;
import net.sf.jguard.core.authentication.AuthenticationServicePoint;
import net.sf.jguard.core.authentication.AuthenticationStatus;
import net.sf.jguard.core.authentication.AuthenticationUtils;
import net.sf.jguard.core.authentication.bindings.AuthenticationBindings;
import net.sf.jguard.core.authentication.bindings.AuthenticationBindingsFactory;
import net.sf.jguard.core.authentication.bindings.StatefulAuthenticationBindings;
import net.sf.jguard.core.authentication.schemes.AuthenticationSchemeHandler;
import net.sf.jguard.core.authentication.schemes.StatefulAuthenticationSchemeHandler;
import net.sf.jguard.core.authorization.AuthorizationBindings;
import net.sf.jguard.core.authorization.PolicyDecisionPoint;
import net.sf.jguard.core.authorization.policy.AccessControllerUtils;
import net.sf.jguard.core.provisioning.ProvisioningServicePoint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/sf/jguard/core/filters/PolicyEnforcementPointFilter.class */
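/**
 * Policy Enforcement Point (PEP) filter.
 *
 * <p>For each request it resolves the {@link Permission} the request asks for, decides whether the
 * caller has to authenticate (the request answers a challenge, or there is no current subject and the
 * guest account does not hold the permission), handles an explicit logoff, and finally runs the rest of
 * the {@link FilterChain} as the resulting {@link Subject} so that the {@link PolicyDecisionPoint} can
 * enforce the installed policy.
 *
 * <p>The {@link AuthorizationBindings} implementation, the {@link AuthenticationBindingsFactory}
 * implementation and the provisioning service point are named by fully qualified class name in the
 * configuration map and instantiated reflectively through the context class loader. Those names are
 * deployment configuration and are expected to be trusted; they are never taken from a request.
 *
 * <p>Failures raised while filtering are either rethrown (when the
 * {@link PolicyEnforcementPointOptions#PROPAGATE_THROWABLE} option is {@code true}) or handed to
 * {@link AuthorizationBindings#sendThrowable}, which is then responsible for what, if anything, the
 * client gets to see of the failure.
 */
public class PolicyEnforcementPointFilter implements Filter {
    private final AuthenticationBindingsFactory authenticationBindingsFactory;
    private final PolicyDecisionPoint policyDecisionPoint;
    // NOTE(review): never assigned after this initializer; initProvisioningServicePoint() is defined but
    // not called anywhere in this class, so getProvisioningServicePoint() always returns null. This may
    // be an artifact of the decompiled source - confirm against the original.
    private ProvisioningServicePoint provisioningServicePoint = null;
    private static final Logger logger = LoggerFactory.getLogger(PolicyEnforcementPointFilter.class.getName());
    private final String authenticationScope;
    private final String applicationName;
    // false unless PROPAGATE_THROWABLE is set to a value Boolean.parseBoolean accepts as true
    private final boolean propagateThrowable;
    /** Request attribute the bindings set to {@code "true"} when the chain must not be run after {@code process()}. */
    public static final String REDIRECT = "redirect";

    /**
     * Builds the filter from its configuration.
     *
     * @param str fully qualified class name of the {@link AuthenticationBindingsFactory} implementation
     * @param map filter options; {@code AUTHENTICATION_SCOPE}, {@code AUTHORIZATION_BINDINGS} and
     *            {@code CONFIGURATION_LOCATION} are mandatory
     * @throws IllegalArgumentException if a mandatory option is missing or empty, or a configured
     *         class cannot be loaded and instantiated
     */
    public PolicyEnforcementPointFilter(String str, Map<PolicyEnforcementPointOptions, String> map) {
        String configurationLocation = map.get(PolicyEnforcementPointOptions.CONFIGURATION_LOCATION);
        this.authenticationScope = map.get(PolicyEnforcementPointOptions.AUTHENTICATION_SCOPE);
        this.applicationName = map.get(PolicyEnforcementPointOptions.APPLICATION_NAME);
        // the decision point is created before the scope is validated, as in the original ordering
        this.policyDecisionPoint = initPolicyDecisionPoint(map.get(PolicyEnforcementPointOptions.AUTHORIZATION_BINDINGS));
        logger.debug("authenticationScope={}", this.authenticationScope);
        if (isNullOrEmpty(this.authenticationScope)) {
            throw new IllegalArgumentException("authenticationScope is null or empty");
        }
        this.authenticationBindingsFactory = initAuthenticationBindings(str, configurationLocation);
        String provisioningServicePointImpl = map.get(PolicyEnforcementPointOptions.PROVISIONING_SERVICE_POINT);
        if (isNullOrEmpty(provisioningServicePointImpl)) {
            logger.info("provisioningServicePoint is not set ");
        }
        // permissions every scheme handler declares as always granted are pushed into the policy once
        this.policyDecisionPoint.addAlwaysGrantedPermissionsToPolicy(getGrantedPermissions(this.authenticationBindingsFactory));
        String propagate = map.get(PolicyEnforcementPointOptions.PROPAGATE_THROWABLE);
        this.propagateThrowable = !isNullOrEmpty(propagate) && Boolean.parseBoolean(propagate);
    }

    /** True for {@code null} or the empty string (the option-validation rule used throughout this class). */
    private static boolean isNullOrEmpty(String value) {
        return value == null || "".equals(value);
    }

    /**
     * Logs a configuration / reflective-instantiation failure and wraps it in the
     * {@link IllegalArgumentException} the init methods throw to their caller.
     */
    private static IllegalArgumentException configurationError(Exception e) {
        logger.error(e.getMessage(), e);
        return new IllegalArgumentException(e);
    }

    /**
     * Lets the bindings process the request and, unless they signalled a redirect, runs the chain
     * as {@code subject}.
     */
    private void authorize(AuthenticationBindings authenticationBindings, Subject subject, FilterChain filterChain) {
        authenticationBindings.process();
        // presumably the bindings have already answered the request (a redirect) - the chain must not run
        if (Boolean.parseBoolean((String) authenticationBindings.getRequestAttribute(REDIRECT))) {
            return;
        }
        propagateWithSecurity(authenticationBindings.getContext(), subject, filterChain);
    }

    /** The subject currently bound to the request, or {@code null} when nobody is authenticated. */
    private Subject getCurrentSubject(AuthenticationBindings authenticationBindings) {
        return authenticationBindings.getAuthenticationUtils().getSubject();
    }

    /**
     * Collects, over all scheme handlers of the factory, the permissions each one declares as granted.
     *
     * @return a new {@link Permissions} holding the union
     */
    private Permissions getGrantedPermissions(AuthenticationBindingsFactory authenticationBindingsFactory) {
        Permissions granted = new Permissions();
        for (AuthenticationSchemeHandler handler : authenticationBindingsFactory.getAuthenticationSchemeHandlers()) {
            Enumeration<Permission> elements = handler.getGrantedPermissions().elements();
            while (elements.hasMoreElements()) {
                granted.add(elements.nextElement());
            }
        }
        return granted;
    }

    /** @return the decision point built from the configured {@link AuthorizationBindings} */
    public PolicyDecisionPoint getPolicyDecisionPoint() {
        return this.policyDecisionPoint;
    }

    /** @return the provisioning service point; currently always {@code null} (see the field note) */
    public ProvisioningServicePoint getProvisioningServicePoint() {
        return this.provisioningServicePoint;
    }

    /**
     * Authenticates the guest account and returns its subject.
     *
     * @throws AuthenticationException if guest authentication does not end in {@link AuthenticationStatus#SUCCESS}
     * @throws IllegalStateException if the service point returns no {@link AuthenticationUtils}
     */
    private Subject getGuestSubject(AuthenticationBindings authenticationBindings) throws AuthenticationException {
        AuthenticationUtils guestUtils = AuthenticationServicePoint.impersonateAsGuest(authenticationBindings, this.applicationName, this.authenticationScope);
        if (guestUtils == null) {
            throw new IllegalStateException(" authenticationUtils is null in the Authenticationbindings");
        }
        if (!AuthenticationStatus.SUCCESS.equals(guestUtils.getStatus())) {
            throw new AuthenticationException("authentication of the guest user does not return a SUCCESS authentication status but " + guestUtils.getStatus().toString());
        }
        return guestUtils.getSubject();
    }

    /**
     * Instantiates the configured {@link AuthorizationBindings} class and wraps it in a decision point.
     *
     * @param authorizationBindingsImpl fully qualified class name, loaded via the context class loader
     * @throws IllegalArgumentException if the name is missing or the class cannot be loaded/instantiated
     */
    private PolicyDecisionPoint initPolicyDecisionPoint(String authorizationBindingsImpl) {
        if (isNullOrEmpty(authorizationBindingsImpl)) {
            throw new IllegalArgumentException("authorizationBindingsImpl is null or empty");
        }
        logger.debug("initializing PolicyDecisionPoint");
        logger.debug("authorizationBindingsImpl={}", authorizationBindingsImpl);
        try {
            Object bindings = Thread.currentThread().getContextClassLoader().loadClass(authorizationBindingsImpl).newInstance();
            return new PolicyDecisionPoint((AuthorizationBindings) bindings);
        } catch (ClassNotFoundException e) {
            throw configurationError(e);
        } catch (IllegalAccessException e) {
            throw configurationError(e);
        } catch (InstantiationException e) {
            throw configurationError(e);
        }
    }

    /**
     * Instantiates the configured {@link ProvisioningServicePoint} class and initialises it.
     *
     * @param provisioningServicePointImpl fully qualified class name, loaded via the context class loader
     * @param configurationLocation value passed to {@link ProvisioningServicePoint#init}
     * @throws IllegalArgumentException if the name is missing or the class cannot be loaded/instantiated
     */
    private ProvisioningServicePoint initProvisioningServicePoint(String provisioningServicePointImpl, String configurationLocation) {
        if (isNullOrEmpty(provisioningServicePointImpl)) {
            throw new IllegalArgumentException("provisioningServicePointImpl is null or empty");
        }
        logger.debug("initializing ProvisioningServicePoint");
        logger.debug("provisioningServicePointImpl={}", provisioningServicePointImpl);
        try {
            Object instance = Thread.currentThread().getContextClassLoader().loadClass(provisioningServicePointImpl).newInstance();
            ProvisioningServicePoint servicePoint = (ProvisioningServicePoint) instance;
            servicePoint.init(configurationLocation);
            return servicePoint;
        } catch (ClassNotFoundException e) {
            throw configurationError(e);
        } catch (IllegalAccessException e) {
            throw configurationError(e);
        } catch (InstantiationException e) {
            throw configurationError(e);
        }
    }

    /**
     * Instantiates the configured {@link AuthenticationBindingsFactory} through its
     * {@code (String authenticationScope)} constructor and initialises it.
     *
     * @param str  fully qualified class name of the factory implementation
     * @param str2 configuration location handed to {@link AuthenticationBindingsFactory#init}
     * @return the initialised factory
     * @throws IllegalArgumentException if either argument is missing or empty, or the class cannot be
     *         loaded, has no {@code (String)} constructor, or fails to instantiate
     */
    public AuthenticationBindingsFactory initAuthenticationBindings(String str, String str2) {
        if (isNullOrEmpty(str)) {
            throw new IllegalArgumentException("authenticationBindingsImpl is null or empty");
        }
        if (isNullOrEmpty(str2)) {
            throw new IllegalArgumentException("filterConfigurationLocation is null or empty");
        }
        logger.debug("initializing authenticationBindings");
        logger.debug("authenticationBindingsImpl={}", str);
        logger.debug("filterConfigurationLocation={}", str2);
        try {
            Class<?> factoryClass = Thread.currentThread().getContextClassLoader().loadClass(str);
            Object instance = factoryClass.getConstructor(String.class).newInstance(this.authenticationScope);
            AuthenticationBindingsFactory factory = (AuthenticationBindingsFactory) instance;
            factory.init(str2);
            return factory;
        } catch (ClassNotFoundException e) {
            throw configurationError(e);
        } catch (IllegalAccessException e) {
            throw configurationError(e);
        } catch (InstantiationException e) {
            throw configurationError(e);
        } catch (NoSuchMethodException e) {
            throw configurationError(e);
        } catch (SecurityException e) {
            throw configurationError(e);
        } catch (InvocationTargetException e) {
            // the factory constructor itself failed; the real cause is reachable via getCause()
            throw configurationError(e);
        }
    }

    /**
     * Flags the request as a post-registration login and authenticates it.
     *
     * @return the status of that authentication attempt
     */
    private AuthenticationStatus authenticateAfterRegistration(AuthenticationBindings authenticationBindings) throws AuthenticationException {
        authenticationBindings.setRequestAttribute(CoreConstants.REGISTRATION_DONE, Boolean.TRUE);
        return AuthenticationServicePoint.authenticate(authenticationBindings, this.applicationName, this.authenticationScope).getStatus();
    }

    /**
     * Logs the current user out: calls {@code logout()} on the session-held {@link AuthenticationUtils},
     * drops that session attribute and invalidates the session.
     */
    private void logoff(AuthenticationBindings authenticationBindings) {
        logger.debug(" logoff phase ");
        // NOTE(review): assumes a logoff permission only exists for stateful bindings - confirm that a
        // StatefulAuthenticationSchemeHandler is never paired with stateless bindings, else this cast fails.
        StatefulAuthenticationBindings statefulBindings = (StatefulAuthenticationBindings) authenticationBindings;
        AuthenticationUtils authenticationUtils = (AuthenticationUtils) statefulBindings.getSessionAttribute(CoreConstants.AUTHN_UTILS);
        if (authenticationUtils != null) {
            authenticationUtils.logout();
            logger.debug(" user logoff ");
        }
        statefulBindings.removeSessionAttribute(CoreConstants.AUTHN_UTILS);
        logger.debug("doFilter() -  user logoff ");
        try {
            // invalidating ends the session for good, so a re-used session id cannot revive the identity
            statefulBindings.invalidateSession();
        } catch (IllegalStateException e) {
            logger.error(" session is already invalidated ", e);
        }
    }

    /**
     * Runs the decision point (and so the rest of the chain) as {@code subject}.
     *
     * <p>The {@code null} {@link AccessControlContext} means the action is not run under the calling
     * thread's stack context; the subject's principals are what the installed policy sees.
     *
     * @throws RuntimeException wrapping whatever the decision point threw (logged once here)
     */
    private void propagateWithSecurity(final AccessContext accessContext, Subject subject, final FilterChain filterChain) {
        try {
            Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() {
                    try {
                        PolicyEnforcementPointFilter.this.policyDecisionPoint.process(accessContext, filterChain);
                        return null;
                    } catch (RuntimeException e) {
                        throw e;
                    } catch (Throwable th) {
                        // unchecked so doAsPrivileged rethrows it as-is instead of a PrivilegedActionException
                        throw new RuntimeException(th.getMessage(), th);
                    }
                }
            }, (AccessControlContext) null);
        } catch (Throwable th) {
            logger.error(th.getMessage(), th);
            throw new RuntimeException(th.getMessage(), th);
        }
    }

    /** True if the guest account holds {@code permission}; a failed guest authentication counts as not granted. */
    private boolean accessGrantedToGuest(AuthenticationBindings authenticationBindings, Permission permission) {
        try {
            return AccessControllerUtils.hasPermission(getGuestSubject(authenticationBindings), permission);
        } catch (AuthenticationException e) {
            logger.error(e.getMessage(), e);
            return false;
        }
    }

    /**
     * Decides whether the request must go through authentication: either it answers a challenge, or
     * nobody is logged in and guest access does not cover the requested permission.
     */
    private boolean checkAuthenticationNeeded(AuthenticationBindings authenticationBindings, Permission permission) {
        if (AuthenticationServicePoint.answerToChallenge(authenticationBindings.getContext(), this.authenticationBindingsFactory)) {
            return true;
        }
        return !accessGrantedToGuest(authenticationBindings, permission) && getCurrentSubject(authenticationBindings) == null;
    }

    /**
     * The per-request flow: resolve the requested permission, authenticate if needed (stopping the
     * chain when that does not succeed), handle logoff, then authorize.
     *
     * @throws RuntimeException wrapping any {@link AuthenticationException}
     */
    private void doInternalFilter(AccessContext accessContext, FilterChain filterChain) {
        AuthenticationBindings authenticationBindings = this.authenticationBindingsFactory.getAuthenticationBindings(accessContext);
        Permission permissionRequested = this.policyDecisionPoint.getAuthorizationBindings().getPermissionRequested(authenticationBindings.getContext());
        boolean authenticationNeeded = checkAuthenticationNeeded(authenticationBindings, permissionRequested);
        try {
            Subject currentSubject = getCurrentSubject(authenticationBindings);
            if (currentSubject == null) {
                // nobody is logged in: start from the guest identity
                AuthenticationUtils guestUtils = AuthenticationServicePoint.impersonateAsGuest(authenticationBindings, this.applicationName, this.authenticationScope);
                if (guestUtils == null) {
                    throw new IllegalStateException(" authenticationUtils is null in the Authenticationbindings");
                }
                currentSubject = guestUtils.getSubject();
            }
            if (authenticationNeeded) {
                AuthenticationStatus status;
                try {
                    status = AuthenticationServicePoint.authenticate(authenticationBindings, this.applicationName, this.authenticationScope).getStatus();
                } catch (AuthenticationException e) {
                    logger.error(" authentication of guest raise an exception", e);
                    throw new RuntimeException(e);
                }
                if (!AuthenticationStatus.SUCCESS.equals(status)) {
                    // fail closed: the chain is not run for an unauthenticated caller
                    return;
                }
                currentSubject = getCurrentSubject(authenticationBindings);
            } else if (userTriesToLogoff(currentSubject, permissionRequested, this.authenticationBindingsFactory)) {
                logoff(authenticationBindings);
                try {
                    // the request continues as guest once the session is gone
                    AuthenticationServicePoint.impersonateAsGuest(authenticationBindings, this.applicationName, this.authenticationScope);
                } catch (AuthenticationException e) {
                    logger.error("authentication as guest fails during logoff phase" + e.getMessage(), e);
                    throw new RuntimeException(e);
                }
            }
            authorize(authenticationBindings, currentSubject, filterChain);
        } catch (AuthenticationException e) {
            // keep the stack trace; the original logged only the message
            logger.error("an authentication exception occurs" + e.getMessage(), e);
            throw new RuntimeException(e);
        }
    }

    /**
     * True when the scheme handler bound to {@code subject} is stateful and its logoff permission
     * implies the requested one.
     */
    private boolean userTriesToLogoff(Subject subject, Permission permission, AuthenticationBindingsFactory authenticationBindingsFactory) {
        AuthenticationSchemeHandler handler = AuthenticationServicePoint.getAuthenticationSchemeHandler(subject, authenticationBindingsFactory);
        // covers the null handler too: no scheme, or a stateless one, means no logoff
        if (!(handler instanceof StatefulAuthenticationSchemeHandler)) {
            return false;
        }
        return ((StatefulAuthenticationSchemeHandler) handler).getLogoffPermission().implies(permission);
    }

    /**
     * Filter entry point. Any throwable from the internal flow is logged with its stack trace and then
     * either rethrown as {@link IllegalStateException} ({@code propagateThrowable}) or handed to the
     * authorization bindings, which decide what the client is told.
     */
    @Override // net.sf.jguard.core.filters.Filter
    public void doFilter(AccessContext accessContext, FilterChain filterChain) {
        try {
            doInternalFilter(accessContext, filterChain);
        } catch (Throwable th) {
            // the original dropped the stack trace here, leaving only the message
            logger.error(th.getMessage(), th);
            if (this.propagateThrowable) {
                throw new IllegalStateException(th);
            }
            // whatever the bindings render from th reaches the client; they should not echo internal detail
            getPolicyDecisionPoint().getAuthorizationBindings().sendThrowable(accessContext, th);
        }
    }
}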
