package org.kaazing.gateway.transport.http.bridge.filter;

import java.security.Principal;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ScheduledExecutorService;
import javax.security.auth.Subject;
import org.apache.mina.core.filterchain.IoFilter;
import org.apache.mina.core.session.AttributeKey;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.core.write.WriteRequest;
import org.kaazing.gateway.resource.address.ResourceAddress;
import org.kaazing.gateway.resource.address.http.HttpResourceAddress;
import org.kaazing.gateway.security.TypedCallbackHandlerMap;
import org.kaazing.gateway.security.auth.DefaultLoginResult;
import org.kaazing.gateway.security.auth.RealmNameCallback;
import org.kaazing.gateway.security.auth.RealmNameCallbackHandler;
import org.kaazing.gateway.security.auth.token.DefaultAuthenticationToken;
import org.kaazing.gateway.transport.http.HttpCookie;
import org.kaazing.gateway.transport.http.HttpStatus;
import org.kaazing.gateway.transport.http.HttpUtils;
import org.kaazing.gateway.transport.http.MutableHttpCookie;
import org.kaazing.gateway.transport.http.bridge.HttpMessage;
import org.kaazing.gateway.transport.http.bridge.HttpRequestMessage;
import org.kaazing.gateway.transport.http.bridge.HttpResponseMessage;
import org.kaazing.gateway.transport.http.security.AuthorizationMapCallback;
import org.kaazing.gateway.transport.http.security.AuthorizationMapCallbackHandler;
import org.kaazing.gateway.transport.http.security.HttpRequestMessageCallback;
import org.kaazing.gateway.transport.http.security.HttpRequestMessageCallbackHandler;
import org.kaazing.gateway.transport.http.security.auth.token.DefaultAuthenticationTokenExtractor;
import org.kaazing.gateway.util.scheduler.SchedulerProvider;
import org.kaazing.mina.core.session.IoSessionEx;
import org.slf4j.Logger;

/* loaded from: input_file:org/kaazing/gateway/transport/http/bridge/filter/HttpSubjectSecurityFilter.class */
public class HttpSubjectSecurityFilter extends HttpLoginSecurityFilter {
    public static final String NAME = "http#security";
    public static final String SESSION_COOKIE_NAME = "KSESSIONID";
    public static final String AUTHORIZATION_HEADER = "Authorization";
    public static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";
    public static final String AUTH_SCHEME_APPLICATION_PREFIX = "Application ";
    public static final String AUTH_SCHEME_BASIC = "Basic";
    public static final String AUTH_SCHEME_NEGOTIATE = "Negotiate";
    static final AttributeKey NEW_SESSION_COOKIE_KEY = new AttributeKey(HttpSubjectSecurityFilter.class, "sessionCookie");
    private final AuthorizationMap authorizationMap;
    private ScheduledExecutorService scheduler;

    /* loaded from: input_file:org/kaazing/gateway/transport/http/bridge/filter/HttpSubjectSecurityFilter$AuthorizationMap.class */
    public static class AuthorizationMap {
        private Map<String, TimedCredential> keyToTimedCredentialMap = new ConcurrentHashMap();
        private Map<Subject, String> subjectToKeyMap = new ConcurrentHashMap();

        TimedCredential get(String str) {
            return this.keyToTimedCredentialMap.get(str);
        }

        public TimedCredential get(String str, String str2) {
            return this.keyToTimedCredentialMap.get(str + str2);
        }

        public synchronized void put(String str, String str2, TimedCredential timedCredential) {
            this.keyToTimedCredentialMap.put(str + str2, timedCredential);
            this.subjectToKeyMap.put(timedCredential.subject, str + str2);
        }

        public synchronized TimedCredential removeByKey(String str, String str2) {
            TimedCredential remove = this.keyToTimedCredentialMap.remove(str + str2);
            if (remove != null && remove.subject != null) {
                this.subjectToKeyMap.remove(remove.subject);
            }
            return remove;
        }

        public synchronized String removeBySubject(Subject subject) {
            String remove = this.subjectToKeyMap.remove(subject);
            if (remove != null) {
                this.keyToTimedCredentialMap.remove(remove);
            }
            return remove;
        }

        public boolean containsKey(String str) {
            return this.keyToTimedCredentialMap.containsKey(str);
        }

        public boolean containsSubject(Subject subject) {
            return this.subjectToKeyMap.containsKey(subject);
        }

        public String getKey(Subject subject) {
            return this.subjectToKeyMap.get(subject);
        }

        public int size() {
            return this.keyToTimedCredentialMap.size();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/kaazing/gateway/transport/http/bridge/filter/HttpSubjectSecurityFilter$LoginContextTask.class */
    public final class LoginContextTask implements Runnable {
        private final IoFilter.NextFilter nextFilter;
        private final IoSession session;
        private final HttpRequestMessage httpRequest;
        private final DefaultAuthenticationToken authToken;
        private final TypedCallbackHandlerMap additionalCallbacks;
        private final long createdTime = System.currentTimeMillis();

        LoginContextTask(IoFilter.NextFilter nextFilter, IoSession ioSession, HttpRequestMessage httpRequestMessage, DefaultAuthenticationToken defaultAuthenticationToken, TypedCallbackHandlerMap typedCallbackHandlerMap) {
            this.nextFilter = nextFilter;
            this.session = ioSession;
            this.httpRequest = httpRequestMessage;
            this.authToken = defaultAuthenticationToken;
            this.additionalCallbacks = typedCallbackHandlerMap;
        }

        @Override // java.lang.Runnable
        public void run() {
            if (HttpSubjectSecurityFilter.this.loggerEnabled()) {
                HttpSubjectSecurityFilter.this.logger.trace("Executing login task %d ms after scheduling for session %s", Long.valueOf(System.currentTimeMillis() - this.createdTime), this.session);
            }
            if (HttpSubjectSecurityFilter.this.login(this.nextFilter, this.session, this.httpRequest, this.authToken, this.additionalCallbacks)) {
                try {
                    HttpSubjectSecurityFilter.super.doMessageReceived(this.nextFilter, this.session, this.httpRequest);
                } catch (Exception e) {
                    this.session.getFilterChain().fireExceptionCaught(e);
                }
            }
            HttpSubjectSecurityFilter.super.resumeIncoming(this.session);
            if (HttpSubjectSecurityFilter.this.loggerEnabled()) {
                HttpSubjectSecurityFilter.this.logger.trace("Finished login task after %d ms for session %s", Long.valueOf(System.currentTimeMillis() - this.createdTime), this.session);
            }
        }
    }

    /* loaded from: input_file:org/kaazing/gateway/transport/http/bridge/filter/HttpSubjectSecurityFilter$TimedCredential.class */
    public static class TimedCredential {
        private Subject subject;
        private Long expirationTimestamp;

        public TimedCredential(Subject subject, Long l) {
            if (subject == null) {
                throw new IllegalArgumentException("subject was null");
            }
            this.subject = subject;
            this.expirationTimestamp = l;
        }

        public Subject getSubject() {
            return this.subject;
        }

        public boolean hasExpirationTimestamp() {
            return this.expirationTimestamp != null;
        }

        public Long getExpirationTimestamp() {
            return this.expirationTimestamp;
        }

        public void setExpirationTimestamp(Long l) {
            this.expirationTimestamp = l;
        }

        public String toString() {
            StringBuilder sb = new StringBuilder();
            sb.append("[TimedCredential: Subject(");
            Iterator<Principal> it = this.subject.getPrincipals().iterator();
            while (it.hasNext()) {
                sb.append(it.next().getName()).append('/');
            }
            if (this.subject.getPrincipals().size() > 0) {
                sb.deleteCharAt(sb.length() - 1);
            }
            sb.append(") ");
            if (this.expirationTimestamp != null) {
                sb.append("; expires on ").append(new SimpleDateFormat("yyyyMMdd HH:mm:ss").format(new Date(this.expirationTimestamp.longValue() * 1000)));
            }
            sb.append(" ]");
            return sb.toString();
        }
    }

    public HttpSubjectSecurityFilter() {
        this(null);
    }

    public HttpSubjectSecurityFilter(Logger logger) {
        super(logger);
        this.authorizationMap = new AuthorizationMap();
    }

    public void setSchedulerProvider(SchedulerProvider schedulerProvider) {
        this.scheduler = schedulerProvider.getScheduler("loginmodule", false);
    }

    public void doMessageReceived(IoFilter.NextFilter nextFilter, IoSession ioSession, Object obj) throws Exception {
        if (httpRequestMessageReceived(nextFilter, ioSession, obj)) {
            HttpRequestMessage httpRequestMessage = (HttpRequestMessage) obj;
            if (httpRequestMessage.getSubject() == null) {
                httpRequestMessage.setSubject(((IoSessionEx) ioSession).getSubject());
            }
            ResourceAddress localAddress = httpRequestMessage.getLocalAddress();
            String str = (String) localAddress.getOption(HttpResourceAddress.REALM_NAME);
            boolean z = this.logger != null && this.logger.isTraceEnabled();
            if (str == null) {
                setUnprotectedLoginContext(ioSession);
                if (z) {
                    this.logger.trace("HttpSubjectSecurityFilter skipped because no realm is configured.");
                }
                super.doMessageReceived(nextFilter, ioSession, obj);
                return;
            }
            String str2 = (String) localAddress.getOption(HttpResourceAddress.REALM_AUTHORIZATION_MODE);
            if (HttpBaseSecurityFilter.AUTHORIZATION_MODE_RECYCLE.equals(str2)) {
                legacySecurityMessageReceived(nextFilter, ioSession, httpRequestMessage);
            }
            if (HttpBaseSecurityFilter.AUTHORIZATION_MODE_RECYCLE.equals(str2)) {
                return;
            }
            securityMessageReceived(nextFilter, ioSession, httpRequestMessage);
        }
    }

    void legacySecurityMessageReceived(IoFilter.NextFilter nextFilter, IoSession ioSession, Object obj) throws Exception {
        if (httpRequestMessageReceived(nextFilter, ioSession, obj)) {
            HttpRequestMessage httpRequestMessage = (HttpRequestMessage) obj;
            ResourceAddress localAddress = httpRequestMessage.getLocalAddress();
            String str = (String) localAddress.getOption(HttpResourceAddress.REALM_NAME);
            String str2 = (String) localAddress.getOption(HttpResourceAddress.REALM_AUTHORIZATION_MODE);
            String str3 = (String) localAddress.getOption(HttpResourceAddress.REALM_CHALLENGE_SCHEME);
            String header = httpRequestMessage.getHeader("Authorization");
            MutableHttpCookie sessionCookie = getSessionCookie(httpRequestMessage);
            boolean z = this.logger != null && this.logger.isTraceEnabled();
            if (z) {
                this.logger.trace("HTTP session cookie received: {}", sessionCookie);
                this.logger.trace("HTTP authorization header received: {}", header);
            }
            if (!HttpBaseSecurityFilter.AUTHORIZATION_MODE_RECYCLE.equals(str2)) {
                if (z) {
                    this.logger.trace("HttpSubjectSecurityFilter skipped because authorization mode is not recycle.");
                }
                super.doMessageReceived(nextFilter, ioSession, obj);
                return;
            }
            if (alreadyLoggedIn(ioSession, localAddress)) {
                if (LOGIN_CONTEXT_KEY.get(ioSession) == null) {
                    setUnprotectedLoginContext(ioSession);
                }
                if (z) {
                    this.logger.trace("HttpSubjectSecurityFilter skipped because we are already logged in.");
                }
                super.doMessageReceived(nextFilter, ioSession, obj);
                return;
            }
            DefaultAuthenticationToken defaultAuthenticationToken = new DefaultAuthenticationToken();
            defaultAuthenticationToken.setScheme(getBaseAuthScheme(str3));
            defaultAuthenticationToken.add("Authorization", header);
            if (sessionCookie != null) {
                defaultAuthenticationToken.add(SESSION_COOKIE_NAME, sessionCookie.getValue());
            }
            TypedCallbackHandlerMap typedCallbackHandlerMap = new TypedCallbackHandlerMap();
            typedCallbackHandlerMap.put(RealmNameCallback.class, new RealmNameCallbackHandler(str));
            typedCallbackHandlerMap.put(AuthorizationMapCallback.class, new AuthorizationMapCallbackHandler(this.authorizationMap));
            typedCallbackHandlerMap.put(HttpRequestMessageCallback.class, new HttpRequestMessageCallbackHandler(httpRequestMessage, HttpRequestMessageCallback.class));
            if (z) {
                this.logger.trace("HttpSubjectSecurityFilter calling login().");
            }
            suspendIncoming(ioSession);
            this.scheduler.execute(new LoginContextTask(nextFilter, ioSession, httpRequestMessage, defaultAuthenticationToken, typedCallbackHandlerMap));
        }
    }

    protected MutableHttpCookie getSessionCookie(HttpRequestMessage httpRequestMessage) {
        MutableHttpCookie mutableHttpCookie = null;
        Iterator<HttpCookie> it = httpRequestMessage.getCookies().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            HttpCookie next = it.next();
            if (SESSION_COOKIE_NAME.equals(next.getName())) {
                mutableHttpCookie = (MutableHttpCookie) next;
                break;
            }
        }
        return mutableHttpCookie;
    }

    @Override // org.kaazing.gateway.transport.http.bridge.filter.HttpLoginSecurityFilter
    protected void writeSessionCookie(IoSession ioSession, HttpRequestMessage httpRequestMessage, DefaultLoginResult defaultLoginResult) {
        MutableHttpCookie sessionCookie = getSessionCookie(httpRequestMessage);
        HttpCookie httpCookie = (HttpCookie) defaultLoginResult.getLoginAuthorizationAttachment();
        httpRequestMessage.addCookie(httpCookie);
        if (sessionCookie != null) {
            httpRequestMessage.removeCookie(sessionCookie);
        }
        ioSession.setAttribute(NEW_SESSION_COOKIE_KEY, httpCookie);
        if (loggerEnabled()) {
            this.logger.trace("Sending session cookie {}", httpCookie);
        }
    }

    public void filterWrite(IoFilter.NextFilter nextFilter, IoSession ioSession, WriteRequest writeRequest) throws Exception {
        HttpMessage httpMessage = (HttpMessage) writeRequest.getMessage();
        switch (httpMessage.getKind()) {
            case RESPONSE:
                HttpResponseMessage httpResponseMessage = (HttpResponseMessage) httpMessage;
                HttpCookie httpCookie = (HttpCookie) ioSession.removeAttribute(NEW_SESSION_COOKIE_KEY);
                if (httpCookie != null) {
                    httpResponseMessage.addCookie(httpCookie);
                    break;
                }
                break;
        }
        super.filterWrite(nextFilter, ioSession, writeRequest);
    }

    public void exceptionCaught(IoFilter.NextFilter nextFilter, IoSession ioSession, Throwable th) throws Exception {
        if (loggerEnabled()) {
            this.logger.trace("Caught exception.", th);
        }
        super.exceptionCaught(nextFilter, ioSession, th);
    }

    public void destroy() throws Exception {
        super.destroy();
    }

    AuthorizationMap getAuthorizationMap() {
        return this.authorizationMap;
    }

    void securityMessageReceived(IoFilter.NextFilter nextFilter, IoSession ioSession, Object obj) throws Exception {
        boolean z = this.logger != null && this.logger.isTraceEnabled();
        if (httpRequestMessageReceived(nextFilter, ioSession, obj)) {
            HttpRequestMessage httpRequestMessage = (HttpRequestMessage) obj;
            ResourceAddress localAddress = httpRequestMessage.getLocalAddress();
            String str = (String) localAddress.getOption(HttpResourceAddress.REALM_NAME);
            String str2 = (String) localAddress.getOption(HttpResourceAddress.REALM_AUTHORIZATION_MODE);
            String str3 = (String) localAddress.getOption(HttpResourceAddress.REALM_CHALLENGE_SCHEME);
            if (alreadyLoggedIn(ioSession, localAddress)) {
                if (LOGIN_CONTEXT_KEY.get(ioSession) == null) {
                    setUnprotectedLoginContext(ioSession);
                }
                if (z) {
                    this.logger.trace("HttpSubjectSecurityFilter skipped because we are already allowed or logged in.");
                }
                super.doMessageReceived(nextFilter, ioSession, obj);
                return;
            }
            if (str2 != null && HttpBaseSecurityFilter.AUTHORIZATION_MODE_RECYCLE.equals(str2)) {
                if (loggerEnabled()) {
                    this.logger.trace(String.format("Cannot process authorization mode 'recycle' for requested URI '%s'.", HttpUtils.getRequestURI(httpRequestMessage, ioSession)));
                }
                writeResponse(HttpStatus.CLIENT_BAD_REQUEST, nextFilter, ioSession, httpRequestMessage);
                return;
            }
            if (str == null) {
                setUnprotectedLoginContext(ioSession);
                if (z) {
                    this.logger.trace("HttpSecurityStandardFilter skipped because no realm is configured.");
                }
                super.doMessageReceived(nextFilter, ioSession, obj);
                return;
            }
            DefaultAuthenticationToken extract = DefaultAuthenticationTokenExtractor.INSTANCE.extract(httpRequestMessage);
            String scheme = extract.getScheme();
            String baseAuthScheme = getBaseAuthScheme(str3);
            if (scheme == null || scheme.equals(baseAuthScheme)) {
                extract.setScheme(baseAuthScheme);
                suspendIncoming(ioSession);
                this.scheduler.execute(new LoginContextTask(nextFilter, ioSession, httpRequestMessage, extract, null));
            } else {
                if (loggerEnabled()) {
                    this.logger.trace(String.format("A websocket request used the '%s' challenge scheme when we expected the '%s' challenge scheme", scheme, baseAuthScheme));
                }
                writeResponse(HttpStatus.CLIENT_BAD_REQUEST, String.format("Expected challenge scheme '%s' not found", baseAuthScheme), nextFilter, ioSession, httpRequestMessage);
            }
        }
    }
}
