package org.jasig.cas.client.jaas;

import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import net.unicon.cas.mfa.web.support.MultiFactorAuthenticationSupportingWebApplicationService;
import org.jasig.cas.client.authentication.SimpleGroup;
import org.jasig.cas.client.authentication.SimplePrincipal;
import org.jasig.cas.client.util.CommonUtils;
import org.jasig.cas.client.util.ReflectUtils;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.TicketValidator;
import org.jasig.cas.web.view.CasViewConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-client-core-3.4.1.jar:org/jasig/cas/client/jaas/CasLoginModule.class */
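/**
 * JAAS {@link LoginModule} that authenticates a CAS service ticket obtained from the
 * {@link CallbackHandler} (a {@link PasswordCallback} carrying the ticket and a
 * {@link NameCallback} carrying the service URL) and, on {@link #commit()}, populates the
 * {@link Subject} with an {@link AssertionPrincipal}, a caller-principal group and a role group.
 *
 * <p>Module options consumed by {@link #initialize}: the option named by
 * {@code CasViewConstants.MODEL_ATTRIBUTE_NAME_SERVICE}, {@code ticketValidatorClass} (required),
 * {@code defaultRoles}, {@code roleAttributeNames}, {@code principalGroupName},
 * {@code roleGroupName}, {@code cacheAssertions}, {@code cacheTimeout} and
 * {@code cacheTimeoutUnit}. {@code casServerUrlPrefix} is required by
 * {@link #createTicketValidator}; every remaining option is applied to the validator as a bean
 * property. The JAAS configuration is therefore trusted to name the validator class.
 *
 * <p><b>Assertion caching.</b> When {@code cacheAssertions} is {@code true} (default
 * {@code false}), a successfully validated assertion is stored in the JVM-wide
 * {@link #ASSERTION_CACHE} keyed by the ticket credential, and a later {@link #login()}
 * presenting the same ticket string is accepted without contacting the CAS server. Cached
 * entries are removed only by {@link #logout()} for that subject, or by {@link #cleanCache()},
 * which runs from {@link #initialize} and evicts assertions whose valid-from date is older than
 * {@code cacheTimeout} {@code cacheTimeoutUnit} (default 480 minutes). Operators enabling the
 * cache accept that a ticket string stays usable for that window. The cache is a
 * {@link ConcurrentHashMap} because module instances created for concurrent logins share it.
 *
 * <p>Subclasses may override the {@code pre*}/{@code post*} hooks; the JAAS lifecycle methods
 * themselves are {@code final}.
 */
public class CasLoginModule implements LoginModule {
    /** Shared-state key under which {@link #commit()} publishes the authenticated principal name. */
    public static final String LOGIN_NAME = "javax.security.auth.login.name";
    /** Default name of the group holding the {@link AssertionPrincipal}. */
    public static final String DEFAULT_PRINCIPAL_GROUP_NAME = "CallerPrincipal";
    /** Default name of the group holding the role principals. */
    public static final String DEFAULT_ROLE_GROUP_NAME = "Roles";
    /** Default assertion cache timeout, in {@link #DEFAULT_CACHE_TIMEOUT_UNIT}. */
    public static final int DEFAULT_CACHE_TIMEOUT = 480;
    /** Unit of {@link #DEFAULT_CACHE_TIMEOUT}. */
    public static final TimeUnit DEFAULT_CACHE_TIMEOUT_UNIT = TimeUnit.MINUTES;
    /**
     * JVM-wide cache of validated assertions keyed by ticket credential. Concurrent login module
     * instances read, write and clean it, so it must be a thread-safe map; it never holds null
     * keys or values (see {@link #commit()}).
     */
    protected static final Map<TicketCredential, Assertion> ASSERTION_CACHE = new ConcurrentHashMap<TicketCredential, Assertion>();
    /** Subject being authenticated; set in {@link #initialize}. */
    protected Subject subject;
    /** Handler that supplies the ticket and service callbacks. */
    protected CallbackHandler callbackHandler;
    /** Validator built from the {@code ticketValidatorClass} option. */
    protected TicketValidator ticketValidator;
    /** Service URL used when the {@link NameCallback} does not provide one; may be null. */
    protected String service;
    /** Assertion produced by the current login; null until {@link #login()} succeeds. */
    protected Assertion assertion;
    /** Ticket credential of the current login; null until {@link #login()} reads it. */
    protected TicketCredential ticket;
    /** Private copy of the JAAS shared state (see {@link #initialize}). */
    protected Map<String, Object> sharedState;
    /** Roles added to every authenticated subject; null when the option is absent. */
    protected String[] defaultRoles;
    /** Whether validated assertions are stored in {@link #ASSERTION_CACHE}. */
    protected boolean cacheAssertions;
    protected final Logger logger = LoggerFactory.getLogger(getClass());
    /** Names of principal attributes whose values become role principals. */
    protected Set<String> roleAttributeNames = new HashSet<String>();
    protected String principalGroupName = DEFAULT_PRINCIPAL_GROUP_NAME;
    protected String roleGroupName = DEFAULT_ROLE_GROUP_NAME;
    /** Age after which a cached assertion is evicted by {@link #cleanCache()}. */
    protected int cacheTimeout = DEFAULT_CACHE_TIMEOUT;
    protected TimeUnit cacheTimeoutUnit = DEFAULT_CACHE_TIMEOUT_UNIT;

    /**
     * Reads the module options, optionally cleans the assertion cache and builds the ticket
     * validator.
     *
     * @param subject         subject to populate on commit
     * @param callbackHandler handler supplying ticket and service
     * @param sharedState     JAAS shared state; copied, so writes made here stay local
     * @param options         module options from the JAAS configuration
     * @throws IllegalArgumentException if {@code ticketValidatorClass} or
     *                                  {@code casServerUrlPrefix} is missing (via CommonUtils)
     * @throws NumberFormatException    if {@code cacheTimeout} is not an integer
     */
    @Override
    public final void initialize(final Subject subject, final CallbackHandler callbackHandler,
            final Map<String, ?> sharedState, final Map<String, ?> options) {
        this.assertion = null;
        this.callbackHandler = callbackHandler;
        this.subject = subject;
        // NOTE(review): private copy of the shared state. The LOGIN_NAME entry written by commit()
        // goes into this copy and so is not seen by other modules in the same login stack.
        this.sharedState = new HashMap<String, Object>(sharedState);
        String ticketValidatorClass = null;
        for (final String key : options.keySet()) {
            this.logger.trace("Processing option {}", key);
            final Object raw = options.get(key);
            if (CasViewConstants.MODEL_ATTRIBUTE_NAME_SERVICE.equals(key)) {
                this.service = (String) raw;
                this.logger.debug("Set service={}", this.service);
            } else if ("ticketValidatorClass".equals(key)) {
                ticketValidatorClass = (String) raw;
                this.logger.debug("Set ticketValidatorClass={}", ticketValidatorClass);
            } else if ("defaultRoles".equals(key)) {
                final String roles = (String) raw;
                this.logger.trace("Got defaultRoles value {}", roles);
                this.defaultRoles = roles.split(",\\s*");
                this.logger.debug("Set defaultRoles={}", Arrays.asList(this.defaultRoles));
            } else if ("roleAttributeNames".equals(key)) {
                final String names = (String) raw;
                this.logger.trace("Got roleAttributeNames value {}", names);
                this.roleAttributeNames.addAll(Arrays.asList(names.split(",\\s*")));
                this.logger.debug("Set roleAttributeNames={}", this.roleAttributeNames);
            } else if ("principalGroupName".equals(key)) {
                this.principalGroupName = (String) raw;
                this.logger.debug("Set principalGroupName={}", this.principalGroupName);
            } else if ("roleGroupName".equals(key)) {
                this.roleGroupName = (String) raw;
                this.logger.debug("Set roleGroupName={}", this.roleGroupName);
            } else if ("cacheAssertions".equals(key)) {
                this.cacheAssertions = Boolean.parseBoolean((String) raw);
                this.logger.debug("Set cacheAssertions={}", Boolean.valueOf(this.cacheAssertions));
            } else if ("cacheTimeout".equals(key)) {
                this.cacheTimeout = Integer.parseInt((String) raw);
                this.logger.debug("Set cacheTimeout={}", Integer.valueOf(this.cacheTimeout));
            } else if ("cacheTimeoutUnit".equals(key)) {
                this.cacheTimeoutUnit = TimeUnit.valueOf((String) raw);
                this.logger.debug("Set cacheTimeoutUnit={}", this.cacheTimeoutUnit);
            }
        }
        // Eviction happens only here, so a quiet JVM keeps expired entries until the next login.
        if (this.cacheAssertions) {
            cleanCache();
        }
        CommonUtils.assertNotNull(ticketValidatorClass, "ticketValidatorClass is required.");
        this.ticketValidator = createTicketValidator(ticketValidatorClass, options);
    }

    /** Hook run before {@link #login()}; returning {@code false} makes login return {@code false}. */
    protected boolean preLogin() {
        return true;
    }

    /**
     * Hook run after {@link #login()}.
     *
     * @param success {@code true} when login succeeded, {@code false} when it threw
     */
    protected void postLogin(final boolean success) {
    }

    /**
     * Obtains the ticket (and optionally the service) from the callback handler and validates the
     * ticket against CAS unless a cached assertion exists for it.
     *
     * @return {@code true} on success, {@code false} if {@link #preLogin()} vetoed the attempt
     * @throws LoginException if the handler fails, supplies no ticket, no service is known, or
     *                        ticket validation fails; the cause is attached where one exists
     */
    @Override
    public final boolean login() throws LoginException {
        this.logger.debug("Performing login.");
        if (!preLogin()) {
            this.logger.debug("preLogin failed.");
            return false;
        }
        final NameCallback serviceCallback = new NameCallback(CasViewConstants.MODEL_ATTRIBUTE_NAME_SERVICE);
        final PasswordCallback ticketCallback = new PasswordCallback(MultiFactorAuthenticationSupportingWebApplicationService.CONST_PARAM_TICKET, false);
        try {
            // handle() is the only call here that can throw these two checked exceptions.
            try {
                this.callbackHandler.handle(new Callback[]{ticketCallback, serviceCallback});
            } catch (final IOException e) {
                this.logger.info("Login failed due to IO exception in callback handler: {}", e);
                throw (LoginException) new LoginException("IO exception in callback handler: " + e).initCause(e);
            } catch (final UnsupportedCallbackException e) {
                this.logger.info("Login failed due to unsupported callback: {}", e);
                throw (LoginException) new LoginException("Callback handler does not support PasswordCallback and TextInputCallback.").initCause(e);
            }
            final char[] ticketChars = ticketCallback.getPassword();
            if (ticketChars == null) {
                this.logger.info("Login failed because callback handler did not provide CAS ticket.");
                throw new LoginException("Callback handler did not provide CAS ticket.");
            }
            this.ticket = new TicketCredential(new String(ticketChars));
            // The callback's copy of the credential is no longer needed.
            ticketCallback.clearPassword();
            final String serviceName = CommonUtils.isNotBlank(serviceCallback.getName())
                    ? serviceCallback.getName() : this.service;
            if (this.cacheAssertions) {
                // A hit means this ticket string was validated earlier and is accepted again
                // without a CAS round-trip (see class Javadoc).
                this.assertion = ASSERTION_CACHE.get(this.ticket);
                if (this.assertion != null) {
                    this.logger.debug("Assertion found in cache.");
                }
            }
            if (this.assertion == null) {
                this.logger.debug("CAS assertion is null; ticket validation required.");
                if (CommonUtils.isBlank(serviceName)) {
                    this.logger.info("Login failed because required CAS service parameter not provided.");
                    throw new LoginException("Neither login module nor callback handler provided required service parameter.");
                }
                try {
                    // NOTE(review): logs the ticket credential at DEBUG; confirm TicketCredential's
                    // toString() does not print the raw ticket where debug logging is enabled.
                    this.logger.debug("Attempting ticket validation with service={}  and ticket={}", serviceName, this.ticket);
                    this.assertion = this.ticketValidator.validate(this.ticket.getName(), serviceName);
                } catch (final Exception e) {
                    this.logger.info("Login failed due to CAS ticket validation failure: {}", e);
                    throw (LoginException) new LoginException("CAS ticket validation failed: " + e).initCause(e);
                }
            }
            this.logger.info("Login succeeded.");
            postLogin(true);
            return true;
        } catch (final Throwable th) {
            postLogin(false);
            throw th;
        }
    }

    /**
     * Discards the ticket and assertion of a login that the overall authentication rejected.
     *
     * @return always {@code true}
     */
    @Override
    public final boolean abort() throws LoginException {
        this.ticket = null;
        this.assertion = null;
        return true;
    }

    /** Hook run before {@link #commit()}; returning {@code false} makes commit return {@code false}. */
    protected boolean preCommit() {
        return true;
    }

    /**
     * Hook run after {@link #commit()}.
     *
     * @param success {@code true} when commit succeeded, {@code false} when it threw
     */
    protected void postCommit(final boolean success) {
    }

    /**
     * Adds the ticket credential, the {@link AssertionPrincipal}, the caller-principal group and
     * the role group to the subject, records the principal name in the (local) shared state and,
     * if enabled, caches the assertion.
     *
     * @return {@code true} on success, {@code false} if {@link #preCommit()} vetoed the commit
     * @throws LoginException if an assertion exists but the ticket credential was cleared
     */
    @Override
    public final boolean commit() throws LoginException {
        if (!preCommit()) {
            return false;
        }
        try {
            if (this.assertion != null) {
                if (this.ticket == null) {
                    throw new LoginException("Ticket credential not found.");
                }
                this.subject.getPrivateCredentials().add(this.ticket);
                final AssertionPrincipal principal = new AssertionPrincipal(this.assertion.getPrincipal().getName(), this.assertion);
                this.subject.getPrincipals().add(principal);
                final SimpleGroup principalGroup = new SimpleGroup(this.principalGroupName);
                principalGroup.addMember(principal);
                this.subject.getPrincipals().add(principalGroup);
                this.subject.getPrincipals().add(buildRoleGroup());
                this.sharedState.put(LOGIN_NAME, this.assertion.getPrincipal().getName());
                this.logger.debug("Created JAAS subject with principals: {}", this.subject.getPrincipals());
                if (this.cacheAssertions) {
                    this.logger.debug("Caching assertion for principal {}", this.assertion.getPrincipal());
                    ASSERTION_CACHE.put(this.ticket, this.assertion);
                }
            } else {
                // No successful login to commit; drop any leftover ticket.
                this.ticket = null;
            }
            postCommit(true);
            return true;
        } catch (final Throwable th) {
            postCommit(false);
            throw th;
        }
    }

    /**
     * Builds the role group from the configured default roles plus the values of the assertion
     * principal's attributes whose names are in {@link #roleAttributeNames}. Collection-valued
     * attributes contribute one role per element.
     */
    private SimpleGroup buildRoleGroup() {
        final SimpleGroup roleGroup = new SimpleGroup(this.roleGroupName);
        // "defaultRoles" is optional; the field stays null when the option is absent.
        if (this.defaultRoles != null) {
            for (final String role : this.defaultRoles) {
                roleGroup.addMember(new SimplePrincipal(role));
            }
        }
        final Map<String, Object> attributes = this.assertion.getPrincipal().getAttributes();
        for (final Map.Entry<String, Object> attribute : attributes.entrySet()) {
            if (!this.roleAttributeNames.contains(attribute.getKey())) {
                continue;
            }
            final Object value = attribute.getValue();
            if (value instanceof Collection) {
                for (final Object role : (Collection<?>) value) {
                    roleGroup.addMember(new SimplePrincipal(role.toString()));
                }
            } else {
                roleGroup.addMember(new SimplePrincipal(value.toString()));
            }
        }
        return roleGroup;
    }

    /**
     * Removes cached assertions for the subject's ticket credentials (when caching is enabled)
     * and strips every {@link AssertionPrincipal}, {@link SimplePrincipal}, {@link SimpleGroup}
     * and {@link TicketCredential} from the subject.
     *
     * @return {@code true} on success, {@code false} if {@link #preLogout()} vetoed the logout
     */
    @Override
    public final boolean logout() throws LoginException {
        this.logger.debug("Performing logout.");
        if (!preLogout()) {
            return false;
        }
        if (this.cacheAssertions) {
            for (final TicketCredential credential : this.subject.getPrivateCredentials(TicketCredential.class)) {
                this.logger.debug("Removing cached assertion for {}", credential);
                ASSERTION_CACHE.remove(credential);
            }
        }
        // Removal is by type, so SimplePrincipal/SimpleGroup entries added by other modules in
        // the same stack are removed as well.
        removePrincipalsOfType(AssertionPrincipal.class);
        removePrincipalsOfType(SimplePrincipal.class);
        removePrincipalsOfType(SimpleGroup.class);
        removeCredentialsOfType(TicketCredential.class);
        this.logger.info("Logout succeeded.");
        postLogout();
        return true;
    }

    /** Hook run before {@link #logout()}; returning {@code false} makes logout return {@code false}. */
    protected boolean preLogout() {
        return true;
    }

    /** Hook run after a successful {@link #logout()}. */
    protected void postLogout() {
    }

    /**
     * Instantiates the validator class named in the JAAS configuration with
     * {@code casServerUrlPrefix} as constructor argument, then applies every other option that
     * matches a bean property (String, boolean, int or long) of that class.
     *
     * @param className fully qualified validator class name from the {@code ticketValidatorClass} option
     * @param options   all module options
     * @return the configured validator
     * @throws IllegalArgumentException if {@code casServerUrlPrefix} is absent (via CommonUtils) or a
     *                                  matching property has an unsupported type
     * @throws RuntimeException         wrapping an {@link IntrospectionException}
     */
    private TicketValidator createTicketValidator(final String className, final Map<String, ?> options) {
        CommonUtils.assertTrue(options.containsKey("casServerUrlPrefix"), "Required property casServerUrlPrefix not found.");
        final Class<?> validatorClass = ReflectUtils.loadClass(className);
        final TicketValidator validator = (TicketValidator) ReflectUtils.newInstance(validatorClass, options.get("casServerUrlPrefix"));
        final BeanInfo beanInfo;
        try {
            beanInfo = Introspector.getBeanInfo(validatorClass);
        } catch (final IntrospectionException e) {
            throw new RuntimeException("Error getting bean info for " + validatorClass, e);
        }
        for (final String key : options.keySet()) {
            if ("casServerUrlPrefix".equals(key)) {
                continue;
            }
            this.logger.debug("Attempting to set TicketValidator property {}", key);
            final String value = (String) options.get(key);
            final PropertyDescriptor descriptor = ReflectUtils.getPropertyDescriptor(beanInfo, key);
            if (descriptor != null) {
                ReflectUtils.setProperty(key, convertIfNecessary(descriptor, value), validator, beanInfo);
                this.logger.debug("Set {} = {}", key, value);
            } else {
                // Unknown options (including this module's own ones) are reported, not rejected.
                this.logger.warn("Cannot find property {} on {}", key, className);
            }
        }
        return validator;
    }

    /**
     * Converts a string option value to the property's type.
     *
     * @param descriptor target property (String, boolean, int or long supported)
     * @param value      option value
     * @return the converted value
     * @throws IllegalArgumentException if the property type is not supported
     * @throws NumberFormatException    if a numeric value does not parse
     */
    private static Object convertIfNecessary(final PropertyDescriptor descriptor, final String value) {
        final Class<?> type = descriptor.getPropertyType();
        if (String.class.equals(type)) {
            return value;
        }
        if (Boolean.TYPE.equals(type)) {
            return Boolean.valueOf(value);
        }
        if (Integer.TYPE.equals(type)) {
            return Integer.valueOf(value);
        }
        if (Long.TYPE.equals(type)) {
            return Long.valueOf(value);
        }
        throw new IllegalArgumentException("No conversion strategy exists for property " + descriptor.getName() + " of type " + type);
    }

    /** Removes every principal of the given type from the subject. */
    private void removePrincipalsOfType(final Class<? extends Principal> cls) {
        this.subject.getPrincipals().removeAll(this.subject.getPrincipals(cls));
    }

    /** Removes every private credential of the given type from the subject. */
    private void removeCredentialsOfType(final Class<? extends Principal> cls) {
        this.subject.getPrivateCredentials().removeAll(this.subject.getPrivateCredentials(cls));
    }

    /**
     * Evicts cached assertions whose valid-from date lies more than this instance's
     * {@code cacheTimeout} before now. The cache is JVM-wide while the timeout is per instance,
     * so the most recently initialized module's setting decides what is evicted.
     */
    private void cleanCache() {
        this.logger.debug("Cleaning assertion cache of size {}", Integer.valueOf(ASSERTION_CACHE.size()));
        final long cutoffMillis = System.currentTimeMillis() - this.cacheTimeoutUnit.toMillis(this.cacheTimeout);
        final Iterator<Map.Entry<TicketCredential, Assertion>> it = ASSERTION_CACHE.entrySet().iterator();
        while (it.hasNext()) {
            final Assertion cached = it.next().getValue();
            if (cached.getValidFromDate().getTime() < cutoffMillis) {
                this.logger.debug("Removing expired assertion for principal {}", cached.getPrincipal());
                it.remove();
            }
        }
    }
}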
