package org.granite.messaging.service.security;

import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.security.Principal;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.ServletRequestWrapper;
import javax.servlet.http.HttpSession;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.websocket.servlet.PostUpgradedHttpServletRequest;
import org.granite.context.GraniteContext;
import org.granite.messaging.service.security.SecurityService;
import org.granite.messaging.webapp.HttpGraniteContext;
import org.granite.messaging.webapp.ServletGraniteContext;

/* loaded from: input_file:org/granite/messaging/service/security/Jetty9SecurityService.class */
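/**
 * {@link SecurityService} implementation that delegates authentication and role checks to
 * Jetty 9's {@link Authentication} objects.
 *
 * <p>The per-session state is kept in a {@link Jetty9AuthenticationContext} stored as a session
 * attribute named after {@code SecurityService.AuthenticationContext}. Plain HTTP requests
 * ({@link HttpGraniteContext}) talk to the Jetty {@link Request} directly; any other
 * {@link ServletGraniteContext} relies on the context that {@link #prelogin} placed in the session.
 *
 * <p>NOTE(review): this class reaches into private fields of servlet and Jetty classes by name
 * ({@code "request"}, {@code "req"}). A container upgrade that renames those fields, or a runtime
 * that forbids {@code setAccessible}, makes construction or {@link #prelogin} fail with a
 * {@link RuntimeException}.
 */
public class Jetty9SecurityService extends AbstractSecurityService {
    /** Session attribute name under which the authentication context is stored. */
    private static final String AUTH_CONTEXT_KEY = SecurityService.AuthenticationContext.class.getName();

    /** Reflective handle on the private {@code request} field of {@link ServletRequestWrapper}. */
    private final Field requestField;

    /**
     * Authentication context wrapping a Jetty {@link Authentication} and the identity scope it was
     * obtained with.
     *
     * <p>NOTE(review): every field is {@code transient}. If the session is ever serialized, a
     * restored instance has no scope, authentication or principal, so {@link #authenticate} throws
     * and {@link #isUserInRole} returns {@code false} - confirm that is the intended behaviour.
     */
    public static class Jetty9AuthenticationContext implements SecurityService.AuthenticationContext {
        private static final long serialVersionUID = 1;
        private final transient UserIdentity.Scope scope;
        private transient Authentication authentication;
        private transient Principal principal;

        /**
         * @param scope identity scope passed to Jetty when checking roles
         * @param authentication the request's current Jetty authentication, possibly deferred
         */
        public Jetty9AuthenticationContext(UserIdentity.Scope scope, Authentication authentication) {
            this.scope = scope;
            this.authentication = authentication;
        }

        /**
         * Resolves a deferred authentication with the given credentials and records the resulting
         * user principal.
         *
         * @param str first credential passed to Jetty's deferred login (the username)
         * @param str2 second credential passed to Jetty's deferred login (the password)
         * @return the principal of the authenticated user, or the previously stored principal
         *     (possibly {@code null}) when the authentication is not a user authentication
         * @throws SecurityServiceException if this context holds no authentication at all
         */
        @Override // org.granite.messaging.service.security.SecurityService.AuthenticationContext
        public Principal authenticate(String str, String str2) {
            if (this.authentication == null) {
                throw SecurityServiceException.newAuthenticationFailedException("Invalid authentication");
            }
            if (this.authentication instanceof Authentication.Deferred) {
                // NOTE(review): the result replaces the deferred authentication unconditionally. If
                // Jetty returns null for rejected credentials, this context can no longer be used
                // for a retry and the next call fails with "Invalid authentication" - confirm.
                this.authentication = ((Authentication.Deferred) this.authentication).login(
                        str, str2, ((ServletGraniteContext) GraniteContext.getCurrentInstance()).getRequest());
            }
            if (this.authentication instanceof Authentication.User) {
                this.principal = ((Authentication.User) this.authentication).getUserIdentity().getUserPrincipal();
            }
            return this.principal;
        }

        /** @return the principal recorded by the last successful {@link #authenticate}, or {@code null} */
        @Override // org.granite.messaging.service.security.SecurityService.AuthenticationContext
        public Principal getPrincipal() {
            return this.principal;
        }

        /** @return the wrapped Jetty authentication, which may be {@code null} */
        public Authentication getAuthentication() {
            return this.authentication;
        }

        /**
         * @param str role name to test
         * @return {@code true} only when a user authentication is held and Jetty reports the role
         *     for the stored scope; {@code false} in every other case
         */
        @Override // org.granite.messaging.service.security.SecurityService.AuthenticationContext
        public boolean isUserInRole(String str) {
            if (this.authentication instanceof Authentication.User) {
                return ((Authentication.User) this.authentication).isUserInRole(this.scope, str);
            }
            return false;
        }

        /** Logs the user out of Jetty when a user authentication is held; otherwise does nothing. */
        @Override // org.granite.messaging.service.security.SecurityService.AuthenticationContext
        public void logout() {
            if (this.authentication instanceof Authentication.User) {
                ((Authentication.User) this.authentication).logout();
            }
        }
    }

    /**
     * Looks up and opens the private {@code request} field of {@link ServletRequestWrapper}.
     *
     * @throws RuntimeException if the field cannot be found or made accessible
     */
    public Jetty9SecurityService() {
        try {
            this.requestField = ServletRequestWrapper.class.getDeclaredField("request");
            this.requestField.setAccessible(true);
        } catch (Exception e) {
            throw new RuntimeException("Could not get 'request' field in Jetty ServletRequest", e);
        }
    }

    /** No configuration is read by this implementation. */
    @Override // org.granite.messaging.service.security.SecurityService
    public void configure(Map<String, String> map) {
    }

    /**
     * Captures the Jetty authentication of an upgrade/handshake request into the session so that
     * later calls without a Jetty {@link Request} can still authenticate and check roles.
     *
     * <p>Does nothing when there is no session or the session already holds a
     * {@link Jetty9AuthenticationContext}.
     *
     * @param httpSession session to store the context in; may be {@code null}
     * @param obj the request object: a JSR-356 handshake request, a post-upgrade servlet request,
     *     or a Jetty {@link Request}
     * @param str not used by this implementation
     * @throws RuntimeException if the underlying Jetty request cannot be extracted reflectively
     */
    @Override // org.granite.messaging.service.security.AbstractSecurityService, org.granite.messaging.service.security.SecurityService
    public void prelogin(HttpSession httpSession, Object obj, String str) {
        if (httpSession == null || (httpSession.getAttribute(AUTH_CONTEXT_KEY) instanceof Jetty9AuthenticationContext)) {
            return;
        }
        // The JSR-356 class is matched by name, so no compile-time dependency on it is needed.
        if (obj.getClass().getName().equals("org.eclipse.jetty.websocket.jsr356.server.JsrHandshakeRequest")) {
            try {
                Field outerField = obj.getClass().getDeclaredField("request");
                outerField.setAccessible(true);
                Object upgradeRequest = outerField.get(obj);
                Field innerField = upgradeRequest.getClass().getDeclaredField("req");
                innerField.setAccessible(true);
                obj = innerField.get(upgradeRequest);
            } catch (Exception e) {
                throw new RuntimeException("Could not unwrap jetty JSR request", e);
            }
        }
        Request request;
        if (obj instanceof PostUpgradedHttpServletRequest) {
            try {
                request = (Request) this.requestField.get(obj);
            } catch (Exception e2) {
                throw new RuntimeException("Could not get internal jetty request", e2);
            }
        } else {
            // Any other type fails here with a ClassCastException.
            request = (Request) obj;
        }
        httpSession.setAttribute(AUTH_CONTEXT_KEY,
                new Jetty9AuthenticationContext(request.getUserIdentityScope(), request.getAuthentication()));
    }

    /**
     * Authenticates the caller with the decoded credentials and binds the principal to the
     * current Granite context.
     *
     * @param obj encoded credentials, handed to {@code decodeBase64Credentials}
     * @param str second argument handed to {@code decodeBase64Credentials} (presumably a charset -
     *     confirm against the parent class)
     * @return the authenticated principal, or {@code null} when the call is not a plain HTTP
     *     request and the session holds no authentication context
     * @throws SecurityServiceException if the credentials are rejected
     */
    @Override // org.granite.messaging.service.security.SecurityService
    public Principal login(Object obj, String str) throws SecurityServiceException {
        String[] credentials = decodeBase64Credentials(obj, str);
        ServletGraniteContext context = (ServletGraniteContext) GraniteContext.getCurrentInstance();
        Principal principal;
        if (context instanceof HttpGraniteContext) {
            Request request = (Request) context.getRequest();
            Jetty9AuthenticationContext authContext =
                    new Jetty9AuthenticationContext(request.getUserIdentityScope(), request.getAuthentication());
            principal = authContext.authenticate(credentials[0], credentials[1]);
            if (principal != null) {
                // NOTE(review): the authenticated context is stored in the existing session and the
                // session id is not rotated here. Confirm that the container or the login
                // authenticator renews the id on login, otherwise a pre-login id stays valid.
                context.getSession().setAttribute(AUTH_CONTEXT_KEY, authContext);
            }
        } else {
            SecurityService.AuthenticationContext stored =
                    (SecurityService.AuthenticationContext) context.getSession().getAttribute(AUTH_CONTEXT_KEY);
            if (stored == null) {
                // NOTE(review): returns null silently instead of raising; callers must treat a
                // null result as "not authenticated".
                return null;
            }
            principal = stored.authenticate(credentials[0], credentials[1]);
        }
        if (principal == null) {
            throw SecurityServiceException.newInvalidCredentialsException("Wrong username or password");
        }
        context.setPrincipal(principal);
        endLogin(obj, str);
        return principal;
    }

    /**
     * Resolves the caller's principal from the session, enforces the destination's role
     * requirements, and then lets the invocation proceed.
     *
     * @param abstractSecurityContext invocation context carrying the target destination
     * @return whatever {@code endAuthorization} returns for the invocation
     * @throws SecurityServiceException if the destination is secured and the caller is not logged
     *     in, the session has expired, or the caller holds none of the required roles; also when
     *     the invocation itself raised a {@link SecurityException}
     * @throws Exception any other failure propagated from the invocation
     */
    @Override // org.granite.messaging.service.security.SecurityService
    public Object authorize(AbstractSecurityContext abstractSecurityContext) throws Exception {
        startAuthorization(abstractSecurityContext);
        ServletGraniteContext context = (ServletGraniteContext) GraniteContext.getCurrentInstance();
        Request request = null;
        SecurityService.AuthenticationContext authenticationContext = null;
        Principal principal = null;
        if (context instanceof HttpGraniteContext) {
            request = (Request) context.getRequest();
            HttpSession httpSession = request.getSession(false);
            if (httpSession != null) {
                authenticationContext = (SecurityService.AuthenticationContext) httpSession.getAttribute(AUTH_CONTEXT_KEY);
                if (authenticationContext != null) {
                    principal = authenticationContext.getPrincipal();
                    // Re-attach the stored authentication so Jetty's own role checks see it.
                    // NOTE(review): a context of any other implementation class fails here with a
                    // ClassCastException rather than a security exception.
                    request.setAuthentication(((Jetty9AuthenticationContext) authenticationContext).getAuthentication());
                }
                if (principal == null && tryRelogin()) {
                    Authentication reloginAuthentication = request.getAuthentication();
                    if (reloginAuthentication instanceof Authentication.User) {
                        principal = ((Authentication.User) reloginAuthentication).getUserIdentity().getUserPrincipal();
                    }
                }
            }
        } else {
            HttpSession otherSession = context.getSession(false);
            if (otherSession != null) {
                authenticationContext = (SecurityService.AuthenticationContext) otherSession.getAttribute(AUTH_CONTEXT_KEY);
                if (authenticationContext != null) {
                    principal = authenticationContext.getPrincipal();
                }
            }
        }
        context.setPrincipal(principal);
        if (abstractSecurityContext.getDestination().isSecured()) {
            if (principal == null) {
                // A requested session id that no longer matches a live session means the session
                // expired; everything else is reported as "not logged in".
                if (request != null && request.getRequestedSessionId() != null) {
                    HttpSession current = request.getSession(false);
                    if (current == null || !request.getRequestedSessionId().equals(current.getId())) {
                        throw SecurityServiceException.newSessionExpiredException("Session expired");
                    }
                }
                throw SecurityServiceException.newNotLoggedInException("User not logged in");
            }
            if (request == null && authenticationContext == null) {
                throw SecurityServiceException.newNotLoggedInException("No authorization context");
            }
            // Access is denied unless at least one required role is held; an empty role list
            // therefore denies access as well.
            boolean denied = true;
            Iterator<String> roles = abstractSecurityContext.getDestination().getRoles().iterator();
            while (denied && roles.hasNext()) {
                String role = roles.next();
                if ((request != null && request.isUserInRole(role))
                        || (authenticationContext != null && authenticationContext.isUserInRole(role))) {
                    denied = false;
                }
            }
            if (denied) {
                throw SecurityServiceException.newAccessDeniedException("User not in required role");
            }
        }
        try {
            return endAuthorization(abstractSecurityContext);
        } catch (InvocationTargetException e) {
            // Translate a SecurityException anywhere in the cause chain into "access denied".
            // NOTE(review): the original exception message is copied into the new exception;
            // check that service-side messages are safe to return to the caller.
            for (Throwable cause = e; cause != null; cause = cause.getCause()) {
                if (cause instanceof SecurityException) {
                    throw SecurityServiceException.newAccessDeniedException(cause.getMessage());
                }
            }
            throw e;
        }
    }

    /**
     * Logs the current user out and invalidates the session.
     *
     * <p>Outside a plain HTTP request the stored authentication context is logged out and removed
     * before the session is invalidated. A session without a stored context is still invalidated.
     *
     * @throws SecurityServiceException declared by the interface
     */
    @Override // org.granite.messaging.service.security.SecurityService
    public void logout() throws SecurityServiceException {
        ServletGraniteContext context = (ServletGraniteContext) GraniteContext.getCurrentInstance();
        if (!(context instanceof HttpGraniteContext)) {
            HttpSession session = context.getSession();
            if (session != null) {
                SecurityService.AuthenticationContext stored =
                        (SecurityService.AuthenticationContext) session.getAttribute(AUTH_CONTEXT_KEY);
                // The attribute is absent when nobody logged in on this session; guard it so the
                // session is still invalidated instead of the call dying on a null dereference.
                if (stored != null) {
                    stored.logout();
                }
                session.removeAttribute(AUTH_CONTEXT_KEY);
                endLogout();
                session.invalidate();
            }
            return;
        }
        Request request = (Request) context.getRequest();
        Authentication authentication = request.getAuthentication();
        if (authentication instanceof Authentication.User) {
            ((Authentication.User) authentication).logout();
        }
        if (request.getSession(false) != null) {
            endLogout();
            request.getSession(false).invalidate();
        }
    }
}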
