package org.granite.messaging.service.security;

import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.security.Principal;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;
import org.apache.catalina.Context;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
import org.apache.catalina.Wrapper;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.RequestFacade;
import org.granite.context.GraniteContext;
import org.granite.messaging.service.security.SecurityService;
import org.granite.messaging.webapp.HttpGraniteContext;
import org.granite.messaging.webapp.ServletGraniteContext;

/* loaded from: input_file:org/granite/messaging/service/security/Tomcat7SecurityService.class */
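/**
 * {@link SecurityService} implementation that authenticates and authorizes Granite calls
 * against the Tomcat realm of the current web application.
 *
 * <p>The service reaches into Tomcat internals by reflection: it reads the private
 * {@code request} field of {@link RequestFacade} to obtain the container-level
 * {@link Request}, and from there the internal {@link Session} and the {@link Realm}.
 * NOTE(review): this ties the class to the field layout of the Tomcat version in use and
 * bypasses the isolation the facade provides; presumably it also needs reflective access to
 * be permitted by the runtime - confirm for the deployment target.
 */
public class Tomcat7SecurityService extends AbstractSecurityService {
    /** Private {@code request} field of {@link RequestFacade}, made accessible once at construction. */
    private final Field requestField;

    /* loaded from: input_file:org/granite/messaging/service/security/Tomcat7SecurityService$Tomcat7AuthenticationContext.class */
    /**
     * Authentication context stored in the HTTP session; {@code prelogin} and {@code login}
     * put it there and the non-HTTP branches of {@code login} and {@code authorize} read it back.
     *
     * <p>Both fields are {@code transient}. NOTE(review): if the session attribute is ever
     * serialized and restored, the realm and principal come back as {@code null}; the methods
     * below treat that state as "not authenticated".
     */
    public static class Tomcat7AuthenticationContext implements SecurityService.AuthenticationContext {
        private static final long serialVersionUID = 1;
        private final transient Realm realm;
        private transient Principal principal;

        /**
         * @param realm the Tomcat realm used to check credentials and roles; may be {@code null},
         *              in which case {@link #authenticate(String, String)} always fails
         */
        public Tomcat7AuthenticationContext(Realm realm) {
            this.realm = realm;
        }

        /**
         * Checks the credentials against the realm and remembers the resulting principal.
         *
         * @param str  the username
         * @param str2 the password
         * @return the principal returned by the realm, or {@code null} when the realm rejects
         *         the credentials
         * @throws SecurityServiceException (authentication failed) when no realm is available
         */
        @Override
        public Principal authenticate(String str, String str2) {
            if (this.realm == null) {
                throw SecurityServiceException.newAuthenticationFailedException("Invalid authentication");
            }
            this.principal = this.realm.authenticate(str, str2);
            return this.principal;
        }

        /** Returns the principal of the last {@code authenticate} call, or {@code null}. */
        @Override
        public Principal getPrincipal() {
            return this.principal;
        }

        /**
         * Tells whether the authenticated principal has the given role in the realm.
         *
         * @param str the role name
         * @return {@code false} when there is no realm or no authenticated principal,
         *         otherwise the realm's answer
         */
        @Override
        public boolean isUserInRole(String str) {
            // Fail closed: without a realm or a principal nobody holds any role. The unguarded
            // call dereferenced a null realm, turning an authorization check into an NPE.
            if (this.realm == null || this.principal == null) {
                return false;
            }
            return this.realm.hasRole((Wrapper) null, this.principal, str);
        }

        /** No-op: the session-level cleanup is done by {@code Tomcat7SecurityService.logout()}. */
        @Override
        public void logout() {
        }
    }

    /**
     * Looks up and opens the private {@code request} field of {@link RequestFacade}.
     *
     * @throws RuntimeException when the field cannot be found or made accessible, so a
     *         mismatching Tomcat version fails at construction rather than on the first request
     */
    public Tomcat7SecurityService() {
        try {
            Field facadeRequest = RequestFacade.class.getDeclaredField("request");
            facadeRequest.setAccessible(true);
            this.requestField = facadeRequest;
        } catch (Exception e) {
            throw new RuntimeException("Could not get 'request' field in Tomcat RequestFacade", e);
        }
    }

    /** No configuration parameters are used by this implementation. */
    @Override
    public void configure(Map<String, String> map) {
    }

    /**
     * Stores a fresh, unauthenticated {@link Tomcat7AuthenticationContext} in the session
     * unless one is already there.
     *
     * @param httpSession the HTTP session; nothing happens when it is {@code null}
     * @param obj         the servlet request, or a Tomcat WebSocket handshake request that
     *                    wraps one in its private {@code request} field
     * @param str         not used here
     * @throws RuntimeException when the handshake request cannot be unwrapped
     */
    @Override
    public void prelogin(HttpSession httpSession, Object obj, String str) {
        String contextKey = SecurityService.AuthenticationContext.class.getName();
        if (httpSession == null || (httpSession.getAttribute(contextKey) instanceof Tomcat7AuthenticationContext)) {
            return;
        }
        // The handshake class is matched by name and unwrapped by reflection.
        if (obj.getClass().getName().equals("org.apache.tomcat.websocket.server.WsHandshakeRequest")) {
            try {
                Field declaredField = obj.getClass().getDeclaredField("request");
                declaredField.setAccessible(true);
                obj = declaredField.get(obj);
            } catch (Exception e) {
                throw new RuntimeException("Could not unwrap Tomcat request from ws handshake", e);
            }
        }
        Realm realm = getRealm(getRequest((HttpServletRequest) obj));
        httpSession.setAttribute(contextKey, new Tomcat7AuthenticationContext(realm));
    }

    /**
     * Authenticates the decoded credentials against the Tomcat realm and, on success,
     * records the principal on the Granite context and (for HTTP calls) on the Tomcat
     * request and internal session.
     *
     * @param obj the credentials object handed to {@code decodeBase64Credentials}
     * @param str the charset or encoding argument handed on unchanged (TODO confirm meaning)
     * @return the authenticated principal, or {@code null} when a non-HTTP call finds no
     *         authentication context in the session
     * @throws SecurityServiceException (invalid credentials) when the realm rejects them
     */
    @Override
    public Principal login(Object obj, String str) throws SecurityServiceException {
        // Assumes the inherited helper returns {username, password} - TODO confirm it never
        // returns fewer than two elements for malformed input.
        String[] credentials = decodeBase64Credentials(obj, str);
        String contextKey = SecurityService.AuthenticationContext.class.getName();
        ServletGraniteContext graniteContext = (ServletGraniteContext) GraniteContext.getCurrentInstance();
        boolean httpCall = graniteContext instanceof HttpGraniteContext;

        Request request = null;
        Principal authenticated;
        if (httpCall) {
            request = getRequest(graniteContext.getRequest());
            Tomcat7AuthenticationContext freshContext = new Tomcat7AuthenticationContext(getRealm(request));
            authenticated = freshContext.authenticate(credentials[0], credentials[1]);
            if (authenticated != null) {
                graniteContext.getSession().setAttribute(contextKey, freshContext);
            }
        } else {
            // Non-HTTP calls rely on the context that prelogin() stored in the session.
            SecurityService.AuthenticationContext storedContext =
                    (SecurityService.AuthenticationContext) graniteContext.getSession().getAttribute(contextKey);
            if (storedContext == null) {
                return null;
            }
            authenticated = storedContext.authenticate(credentials[0], credentials[1]);
        }

        if (authenticated == null) {
            // One message for unknown user and wrong password, so the reply does not reveal
            // which of the two was wrong.
            throw SecurityServiceException.newInvalidCredentialsException("Wrong username or password");
        }

        graniteContext.setPrincipal(authenticated);
        if (httpCall) {
            request.setAuthType(AbstractSecurityService.AUTH_TYPE);
            request.setUserPrincipal(authenticated);
            // NOTE(review): the session id is not rotated after a successful login in this
            // method; confirm that session-fixation protection is applied elsewhere.
            Session internalSession = request.getSessionInternal();
            internalSession.setAuthType(AbstractSecurityService.AUTH_TYPE);
            internalSession.setPrincipal(authenticated);
            internalSession.setNote("org.apache.catalina.session.USERNAME", credentials[0]);
            // NOTE(review): this keeps the cleartext password in the container session until
            // logout() removes it; confirm it is really needed (e.g. for re-authentication).
            internalSession.setNote("org.apache.catalina.session.PASSWORD", credentials[1]);
        }
        endLogin(obj, str);
        return authenticated;
    }

    /**
     * Resolves the caller's principal, enforces the destination's login and role
     * requirements, then lets the invocation proceed.
     *
     * <p>A secured destination requires a principal that holds at least one of the
     * destination's roles; a secured destination with an empty role list therefore denies
     * every caller.
     *
     * @param abstractSecurityContext the invocation being authorized
     * @return whatever {@code endAuthorization} returns
     * @throws SecurityServiceException not-logged-in, session-expired or access-denied,
     *         depending on which check fails
     * @throws Exception anything else raised by the invocation
     */
    @Override
    public Object authorize(AbstractSecurityContext abstractSecurityContext) throws Exception {
        startAuthorization(abstractSecurityContext);
        ServletGraniteContext graniteContext = (ServletGraniteContext) GraniteContext.getCurrentInstance();
        HttpServletRequest httpRequest = null;
        SecurityService.AuthenticationContext authContext = null;
        Principal principal = null;

        if (graniteContext instanceof HttpGraniteContext) {
            httpRequest = graniteContext.getRequest();
            Request request = getRequest(httpRequest);
            Session internalSession = request.getSessionInternal(false);
            if (internalSession != null) {
                request.setAuthType(internalSession.getAuthType());
                principal = internalSession.getPrincipal();
                // tryRelogin() is inherited; on success the session carries the new principal.
                if (principal == null && tryRelogin()) {
                    principal = internalSession.getPrincipal();
                }
            }
            // Also set when null, so a principal left on the request is never trusted
            // without a matching session.
            request.setUserPrincipal(principal);
        } else {
            HttpSession httpSession = graniteContext.getSession(false);
            if (httpSession != null) {
                authContext = (SecurityService.AuthenticationContext)
                        httpSession.getAttribute(SecurityService.AuthenticationContext.class.getName());
                if (authContext != null) {
                    principal = authContext.getPrincipal();
                }
            }
        }
        graniteContext.setPrincipal(principal);

        if (abstractSecurityContext.getDestination().isSecured()) {
            if (principal == null) {
                // A requested session id that no longer matches a live session means the
                // session expired; anything else means the caller never logged in.
                String requestedId = httpRequest == null ? null : httpRequest.getRequestedSessionId();
                if (requestedId != null) {
                    HttpSession liveSession = httpRequest.getSession(false);
                    if (liveSession == null || !requestedId.equals(liveSession.getId())) {
                        throw SecurityServiceException.newSessionExpiredException("Session expired");
                    }
                }
                throw SecurityServiceException.newNotLoggedInException("User not logged in");
            }
            if (httpRequest == null && authContext == null) {
                throw SecurityServiceException.newNotLoggedInException("No authorization context");
            }

            boolean inRequiredRole = false;
            Iterator<String> roles = abstractSecurityContext.getDestination().getRoles().iterator();
            while (!inRequiredRole && roles.hasNext()) {
                String role = roles.next();
                inRequiredRole = (httpRequest != null && httpRequest.isUserInRole(role))
                        || (authContext != null && authContext.isUserInRole(role));
            }
            if (!inRequiredRole) {
                throw SecurityServiceException.newAccessDeniedException("User not in required role");
            }
        }

        try {
            return endAuthorization(abstractSecurityContext);
        } catch (InvocationTargetException e) {
            // Map a security failure anywhere in the cause chain to an access-denied error.
            for (Throwable cause = e; cause != null; cause = cause.getCause()) {
                if ((cause instanceof SecurityException)
                        || "javax.ejb.EJBAccessException".equals(cause.getClass().getName())) {
                    // NOTE(review): the underlying message is passed on as-is; confirm it
                    // cannot carry internal details to the client.
                    throw SecurityServiceException.newAccessDeniedException(cause.getMessage());
                }
            }
            throw e;
        }
    }

    /**
     * Clears the authentication state and terminates the session.
     *
     * <p>For HTTP calls the principal, auth type and credential notes are removed from the
     * internal Tomcat session before it is expired; nothing happens when there is no valid
     * session with a principal. For other calls the authentication context attribute is
     * removed and the session invalidated.
     */
    @Override
    public void logout() throws SecurityServiceException {
        ServletGraniteContext graniteContext = (ServletGraniteContext) GraniteContext.getCurrentInstance();
        if (!(graniteContext instanceof HttpGraniteContext)) {
            HttpSession httpSession = graniteContext.getSession();
            if (httpSession == null) {
                return;
            }
            try {
                httpSession.removeAttribute(SecurityService.AuthenticationContext.class.getName());
            } catch (IllegalStateException ignored) {
                // Session already invalidated: there is nothing left to remove.
            }
            endLogout();
            try {
                httpSession.invalidate();
            } catch (IllegalStateException ignored) {
                // Session already invalidated: logout has effectively happened.
            }
            return;
        }

        Session internalSession = getSession(graniteContext.getRequest(), false);
        if (internalSession == null || internalSession.getPrincipal() == null || !internalSession.isValid()) {
            return;
        }
        internalSession.setAuthType((String) null);
        internalSession.setPrincipal((Principal) null);
        // Drop the credentials that login() stored as session notes.
        internalSession.removeNote("org.apache.catalina.session.USERNAME");
        internalSession.removeNote("org.apache.catalina.session.PASSWORD");
        endLogout();
        internalSession.expire();
    }

    /**
     * Returns the principal held by the request's existing internal session.
     *
     * @return the principal, or {@code null} when the request has no session
     */
    protected Principal getPrincipal(HttpServletRequest httpServletRequest) {
        Session internalSession = getRequest(httpServletRequest).getSessionInternal(false);
        return internalSession == null ? null : internalSession.getPrincipal();
    }

    /**
     * Returns the internal Tomcat session of the request.
     *
     * @param z whether to create the session when none exists
     */
    protected Session getSession(HttpServletRequest httpServletRequest, boolean z) {
        return getRequest(httpServletRequest).getSessionInternal(z);
    }

    /**
     * Unwraps any {@link HttpServletRequestWrapper} layers and reads the container
     * {@link Request} out of the innermost object's {@code request} field.
     *
     * @throws RuntimeException when the innermost request is not a {@link RequestFacade}
     *         or the field cannot be read
     */
    protected Request getRequest(HttpServletRequest httpServletRequest) {
        HttpServletRequest innermost = httpServletRequest;
        while (innermost instanceof HttpServletRequestWrapper) {
            innermost = (HttpServletRequest) ((HttpServletRequestWrapper) innermost).getRequest();
        }
        try {
            return (Request) this.requestField.get(innermost);
        } catch (Exception e) {
            throw new RuntimeException("Could not get tomcat request", e);
        }
    }

    /**
     * Returns the realm of the web application that received the request.
     *
     * @throws NullPointerException when the request has no context or the context no realm
     */
    protected Realm getRealm(Request request) {
        String serverName = request.getServerName();
        String contextPath = request.getContextPath();
        Context context = request.getContext();
        if (context == null) {
            throw new NullPointerException("Could not find Tomcat context for: " + contextPath);
        }
        Realm realm = context.getRealm();
        if (realm == null) {
            throw new NullPointerException("Could not find Tomcat realm for: " + serverName + contextPath);
        }
        return realm;
    }
}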
