package tech.smartboot.servlet.plugins.security;

import jakarta.servlet.ServletException;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.ServletResponseWrapper;
import jakarta.servlet.annotation.ServletSecurity;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import tech.smartboot.feat.core.common.enums.HeaderNameEnum;
import tech.smartboot.feat.core.common.enums.HttpStatus;
import tech.smartboot.feat.core.common.utils.CollectionUtils;
import tech.smartboot.feat.core.common.utils.StringUtils;
import tech.smartboot.servlet.SmartHttpServletRequest;
import tech.smartboot.servlet.conf.DeploymentInfo;
import tech.smartboot.servlet.conf.LoginConfig;
import tech.smartboot.servlet.conf.SecurityConstraint;
import tech.smartboot.servlet.conf.ServletInfo;
import tech.smartboot.servlet.conf.UrlPattern;
import tech.smartboot.servlet.impl.HttpServletRequestImpl;
import tech.smartboot.servlet.provider.SecurityProvider;
import tech.smartboot.servlet.util.PathMatcherUtil;

/* loaded from: input_file:tech/smartboot/servlet/plugins/security/SecurityProviderImpl.class */
public class SecurityProviderImpl implements SecurityProvider {
    private Map<String, SecurityTO> exactPathSecurities = new HashMap();
    private Map<String, SecurityTO> prefixPathSecurities = new HashMap();
    private Map<String, SecurityTO> extensionSecurities = new HashMap();
    private Map<String, SecurityTO> methodSecurities = new HashMap();
    private final Map<String, SecurityAccount> headerSecurities = new HashMap();
    private List<SecurityAccount> users = Arrays.asList(new SecurityAccount("j2ee", "j2ee", null, Set.of("Administrator", "Employee")), new SecurityAccount("javajoe", "javajoe", null, Set.of("VP", "Manager")));
    private final DeploymentInfo deploymentInfo;
    private static final char[] HEX_CHARS = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
    private static final byte[] HEX_BYTES = {48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102};

    public SecurityProviderImpl(DeploymentInfo deploymentInfo) {
        this.deploymentInfo = deploymentInfo;
    }

    @Override // tech.smartboot.servlet.provider.SecurityProvider
    public void addUser(String str, String str2, Set<String> set) {
        this.headerSecurities.put(str, new SecurityAccount(str, str2, null, set));
    }

    @Override // tech.smartboot.servlet.provider.SecurityProvider
    public SecurityAccount login(String str, String str2) throws ServletException {
        if (str == null || str2 == null) {
            throw new ServletException();
        }
        return this.users.stream().filter(securityAccount -> {
            return securityAccount.getUsername().equals(str) && securityAccount.getPassword().equals(str2);
        }).findFirst().orElse(null);
    }

    @Override // tech.smartboot.servlet.provider.SecurityProvider
    public boolean authenticate(HttpServletRequestImpl httpServletRequestImpl, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        return false;
    }

    @Override // tech.smartboot.servlet.provider.SecurityProvider
    public boolean isUserInRole(String str, LoginAccount loginAccount, HttpServletRequestImpl httpServletRequestImpl) {
        if (loginAccount == null || str == null || str.equals("*")) {
            return false;
        }
        if (str.equals("**") && !httpServletRequestImpl.m14getServletContext().getDeploymentInfo().getSecurityRoles().contains("**")) {
            return true;
        }
        String str2 = httpServletRequestImpl.getServletInfo().getSecurityRoles().get(str);
        if (str2 == null) {
            return loginAccount.getRoles().contains(str);
        }
        System.out.println(str2);
        System.out.println(httpServletRequestImpl.getServletInfo().getSecurityRoles());
        return loginAccount.getRoles().contains(str2) || loginAccount.getRoles().contains(str);
    }

    @Override // tech.smartboot.servlet.provider.SecurityProvider
    public void logout(HttpServletRequestImpl httpServletRequestImpl) throws ServletException {
    }

    @Override // tech.smartboot.servlet.provider.SecurityProvider
    public boolean login(SmartHttpServletRequest smartHttpServletRequest, ServletResponse servletResponse, ServletInfo servletInfo) throws ServletException, IOException {
        while (servletResponse instanceof ServletResponseWrapper) {
            servletResponse = ((ServletResponseWrapper) servletResponse).getResponse();
        }
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        boolean check = check(smartHttpServletRequest, httpServletResponse, servletInfo.getSecurityConstraints());
        if (!check) {
            return check;
        }
        if (this.deploymentInfo.getSecurityConstraints().isEmpty()) {
            return true;
        }
        return check(smartHttpServletRequest, httpServletResponse, this.deploymentInfo.getSecurityConstraints().stream().filter(securityConstraint -> {
            Iterator<UrlPattern> it = securityConstraint.getUrlPatterns().iterator();
            while (it.hasNext()) {
                if (PathMatcherUtil.matches(smartHttpServletRequest, it.next())) {
                    return true;
                }
            }
            return false;
        }).toList());
    }

    private LoginAccount login(SmartHttpServletRequest smartHttpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        LoginConfig loginConfig = this.deploymentInfo.getLoginConfig();
        if (loginConfig != null) {
        }
        if (loginConfig != null && "CLIENT-CERT".equals(loginConfig.getAuthMethod())) {
            ArrayList arrayList = new ArrayList();
            for (Certificate certificate : smartHttpServletRequest.getSslEngine().getSession().getPeerCertificates()) {
                if (certificate instanceof X509Certificate) {
                    arrayList.add((X509Certificate) certificate);
                }
            }
            X509Certificate x509Certificate = (X509Certificate) arrayList.get(0);
            LoginAccount loginAccount = new LoginAccount(x509Certificate.getIssuerX500Principal().getName(), null, this.deploymentInfo.getSecurityRoleMapping().get(x509Certificate.getIssuerX500Principal().getName()), SecurityAccount.CLIENT_CERT);
            smartHttpServletRequest.setLoginAccount(loginAccount);
            smartHttpServletRequest.setAttribute("jakarta.servlet.request.X509Certificate", arrayList.toArray(new X509Certificate[arrayList.size()]));
            smartHttpServletRequest.setAttribute("jakarta.servlet.request.cipher_suite", smartHttpServletRequest.getSslEngine().getSession().getCipherSuite());
            smartHttpServletRequest.setAttribute("jakarta.servlet.request.key_size", Integer.valueOf(calculateKeySize(smartHttpServletRequest.getSslEngine().getSession().getCipherSuite())));
            byte[] id = smartHttpServletRequest.getSslEngine().getSession().getId();
            smartHttpServletRequest.setAttribute("jakarta.servlet.request.ssl_session_id", id != null ? convertToHexString(id) : null);
            return loginAccount;
        }
        String header = smartHttpServletRequest.getHeader("Authorization");
        if (header != null && header.startsWith("Basic ")) {
            String[] split = new String(Base64.getDecoder().decode(header.substring(6))).split(":");
            SecurityAccount orElse = this.users.stream().filter(securityAccount -> {
                return securityAccount.getUsername().equals(split[0]) && securityAccount.getPassword().equals(split[1]);
            }).findFirst().orElse(null);
            if (orElse != null) {
                LoginAccount loginAccount2 = new LoginAccount(orElse.getUsername(), orElse.getPassword(), orElse.getRoles(), SecurityAccount.AUTH_TYPE_BASIC);
                smartHttpServletRequest.setLoginAccount(loginAccount2);
                return loginAccount2;
            }
        }
        if (loginConfig == null) {
            httpServletResponse.sendError(HttpStatus.UNAUTHORIZED.value());
            return null;
        }
        if (StringUtils.equals(loginConfig.getAuthMethod(), SecurityAccount.AUTH_TYPE_BASIC)) {
            httpServletResponse.setHeader(HeaderNameEnum.WWW_AUTHENTICATE.getName(), "Basic realm=\"" + loginConfig.getRealmName() + "\"");
            httpServletResponse.sendError(HttpStatus.UNAUTHORIZED.value());
            return null;
        }
        if (header == null && StringUtils.isNotBlank(loginConfig.getLoginPage())) {
            smartHttpServletRequest.getSession().setAttribute(SecurityProvider.LOGIN_REDIRECT_URI, smartHttpServletRequest.getRequestURI().substring(smartHttpServletRequest.getContextPath().length()));
            smartHttpServletRequest.getSession().setAttribute(SecurityProvider.LOGIN_REDIRECT_METHOD, smartHttpServletRequest.getMethod());
            smartHttpServletRequest.getRequestDispatcher(loginConfig.getLoginPage()).forward(smartHttpServletRequest, httpServletResponse);
            return null;
        }
        if (header == null || !StringUtils.isNotBlank(loginConfig.getErrorPage())) {
            httpServletResponse.sendError(HttpStatus.UNAUTHORIZED.value());
            return null;
        }
        smartHttpServletRequest.getSession().setAttribute(SecurityProvider.LOGIN_REDIRECT_URI, smartHttpServletRequest.getRequestURI().substring(smartHttpServletRequest.getContextPath().length()));
        smartHttpServletRequest.getSession().setAttribute(SecurityProvider.LOGIN_REDIRECT_METHOD, smartHttpServletRequest.getMethod());
        smartHttpServletRequest.getRequestDispatcher(loginConfig.getErrorPage()).forward(smartHttpServletRequest, httpServletResponse);
        return null;
    }

    private boolean check(SmartHttpServletRequest smartHttpServletRequest, HttpServletResponse httpServletResponse, List<SecurityConstraint> list) throws IOException, ServletException {
        if (list.isEmpty()) {
            return true;
        }
        if (list.stream().anyMatch(securityConstraint -> {
            return (securityConstraint.getHttpMethods().isEmpty() || securityConstraint.getHttpMethods().contains(smartHttpServletRequest.getMethod())) && CollectionUtils.isEmpty(securityConstraint.getRoleNames()) && securityConstraint.getEmptyRoleSemantic() == ServletSecurity.EmptyRoleSemantic.DENY;
        })) {
            httpServletResponse.sendError(HttpStatus.FORBIDDEN.value());
            return false;
        }
        List<SecurityConstraint> list2 = list.stream().filter(securityConstraint2 -> {
            return !securityConstraint2.getHttpMethodOmissions().contains(smartHttpServletRequest.getMethod());
        }).toList();
        if (list2.isEmpty()) {
            return true;
        }
        List<SecurityConstraint> list3 = list2.stream().filter(securityConstraint3 -> {
            return CollectionUtils.isEmpty(securityConstraint3.getHttpMethods()) || securityConstraint3.getHttpMethods().contains(smartHttpServletRequest.getMethod());
        }).toList();
        if (list3.isEmpty()) {
            httpServletResponse.sendError(HttpStatus.FORBIDDEN.value());
            return false;
        }
        if (list3.stream().anyMatch(securityConstraint4 -> {
            return CollectionUtils.isEmpty(securityConstraint4.getRoleNames()) && securityConstraint4.getEmptyRoleSemantic() == ServletSecurity.EmptyRoleSemantic.DENY;
        })) {
            httpServletResponse.sendError(HttpStatus.UNAUTHORIZED.value());
            return false;
        }
        List<SecurityConstraint> list4 = list3.stream().filter(securityConstraint5 -> {
            return CollectionUtils.isNotEmpty(securityConstraint5.getRoleNames());
        }).toList();
        if (list4.isEmpty()) {
            return true;
        }
        LoginAccount loginAccount = (LoginAccount) smartHttpServletRequest.getUserPrincipal();
        if (loginAccount == null) {
            loginAccount = login(smartHttpServletRequest, httpServletResponse);
            if (loginAccount == null) {
                return false;
            }
        }
        LoginAccount loginAccount2 = loginAccount;
        if (list4.stream().filter(securityConstraint6 -> {
            if ((securityConstraint6.getEmptyRoleSemantic() == ServletSecurity.EmptyRoleSemantic.PERMIT && CollectionUtils.isEmpty(securityConstraint6.getRoleNames())) || securityConstraint6.getRoleNames().contains("*")) {
                return true;
            }
            Iterator<String> it = securityConstraint6.getRoleNames().iterator();
            while (it.hasNext()) {
                if (loginAccount2.getRoles().contains(it.next())) {
                    return true;
                }
            }
            return false;
        }).count() != 0) {
            return true;
        }
        httpServletResponse.sendError(HttpStatus.FORBIDDEN.value());
        return false;
    }

    static int calculateKeySize(String str) {
        if (str == null) {
            return 0;
        }
        if (str.equals("TLS_AES_256_GCM_SHA384") || str.equals("TLS_CHACHA20_POLY1305_SHA256")) {
            return 256;
        }
        if (str.startsWith("TLS_AES_128_") || str.contains("WITH_AES_128_")) {
            return 128;
        }
        if (str.contains("WITH_AES_256_")) {
            return 256;
        }
        if (str.contains("WITH_3DES_EDE_CBC_")) {
            return 168;
        }
        if (str.contains("WITH_RC4_128_")) {
            return 128;
        }
        if (str.contains("WITH_DES_CBC_")) {
            return 56;
        }
        if (str.contains("WITH_DES40_CBC_") || str.contains("WITH_RC4_40_")) {
            return 40;
        }
        if (str.contains("WITH_IDEA_CBC_")) {
            return 128;
        }
        return str.contains("WITH_RC2_CBC_40_") ? 40 : 0;
    }

    public static String convertToHexString(byte[] bArr) {
        char[] cArr = new char[bArr.length * 2];
        for (int i = 0; i < bArr.length; i++) {
            byte b = bArr[i];
            cArr[i * 2] = HEX_CHARS[(b >> 4) & 15];
            cArr[(i * 2) + 1] = HEX_CHARS[b & 15];
        }
        return String.valueOf(cArr);
    }
}
