package io.undertow.security.impl;

import io.undertow.UndertowLogger;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.NotificationReceiver;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.api.SecurityNotification;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.IdentityManager;
import io.undertow.server.ConduitWrapper;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.Cookie;
import io.undertow.server.handlers.CookieImpl;
import io.undertow.server.session.Session;
import io.undertow.server.session.SessionListener;
import io.undertow.server.session.SessionManager;
import io.undertow.util.ConduitFactory;
import io.undertow.util.Sessions;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.Set;
import java.util.WeakHashMap;
import org.jboss.logging.Logger;
import org.xnio.conduits.StreamSinkConduit;

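/* loaded from: input_file:META-INF/jars/undertow-core-2.3.12.Final.jar:io/undertow/security/impl/SingleSignOnAuthenticationMechanism.class */
/**
 * Authentication mechanism that restores an identity from a single sign-on (SSO) cookie.
 *
 * <p>{@link #authenticate} looks for a request cookie named {@link #getCookieName()}
 * (default {@code "JSESSIONIDSSO"}), resolves its value through the {@link SingleSignOnManager}
 * and re-verifies the stored account with the {@link IdentityManager}. When no usable SSO entry
 * is found it registers a {@link ResponseListener}, which issues a fresh SSO cookie if the
 * exchange ends up authenticated.
 *
 * <p>Security notes for deployers:
 * <ul>
 *   <li>The cookie value is the only thing presented to resume an identity, so it must be
 *       handled as a bearer credential.</li>
 *   <li>{@code httpOnly} and {@code secure} are never initialised in this class and therefore
 *       default to {@code false}; set both explicitly via {@link #setHttpOnly} and
 *       {@link #setSecure}. No SameSite attribute is applied by this class.</li>
 *   <li>Trace-level logging writes SSO IDs and session IDs; treat trace logs from this class as
 *       sensitive.</li>
 * </ul>
 *
 * <p>This listing is decompiler output; the hand-expanded close/addSuppressed sequences have been
 * folded back into try-with-resources and raw collection types given type arguments.
 */
public class SingleSignOnAuthenticationMechanism implements AuthenticationMechanism {
    private static final Logger log = Logger.getLogger(SingleSignOnAuthenticationMechanism.class);
    // Session attribute under which the owning SSO ID is stored on each participating session.
    private static final String SSO_SESSION_ATTRIBUTE = SingleSignOnAuthenticationMechanism.class.getName() + ".SSOID";
    // Session managers that already carry our invalidation listener (weak keys, synchronized).
    private final Set<SessionManager> seenSessionManagers;
    private String cookieName;
    // Both flags default to false because nothing in this class assigns them.
    private boolean httpOnly;
    private boolean secure;
    private String domain;
    private String path;
    private final SessionInvalidationListener listener;
    private final ResponseListener responseListener;
    private final SingleSignOnManager singleSignOnManager;
    private final IdentityManager identityManager;

    /**
     * Response wrapper registered by {@link #authenticate} when the request carried no usable
     * SSO cookie. If the exchange has an authenticated account by the time the wrapper runs, it
     * creates an SSO entry, links the current session to it and sets the SSO cookie.
     */
    final class ResponseListener implements ConduitWrapper<StreamSinkConduit> {
        ResponseListener() {
        }

        /**
         * Issues the SSO cookie for an authenticated exchange, then creates the conduit.
         *
         * @param conduitFactory factory for the next conduit in the chain
         * @param httpServerExchange the current exchange
         * @return the conduit produced by {@code conduitFactory}
         */
        @Override
        public StreamSinkConduit wrap(ConduitFactory<StreamSinkConduit> conduitFactory, HttpServerExchange httpServerExchange) {
            SecurityContext securityContext = httpServerExchange.getSecurityContext();
            Account authenticatedAccount = securityContext.getAuthenticatedAccount();
            if (authenticatedAccount != null) {
                // try-with-resources skips close() for a null resource and closes exactly once;
                // the decompiled form could call close() a second time if the first call threw.
                try (SingleSignOn sso = singleSignOnManager.createSingleSignOn(authenticatedAccount, securityContext.getMechanismName())) {
                    // getSession() creates a session when the exchange has none.
                    Session session = getSession(httpServerExchange);
                    if (sso != null) {
                        registerSessionIfRequired(sso, session);
                        // The cookie attributes come straight from the mechanism's configuration;
                        // with the defaults it is sent without HttpOnly and without Secure.
                        httpServerExchange.setResponseCookie(new CookieImpl(cookieName, sso.getId())
                                .setHttpOnly(httpOnly)
                                .setSecure(secure)
                                .setDomain(domain)
                                .setPath(path));
                    } else {
                        // NOTE(review): the argument is the attribute-name constant, not the
                        // session id; confirm this is what the log message is meant to show.
                        UndertowLogger.SECURITY_LOGGER.failedToCreateSSOForSession(SSO_SESSION_ATTRIBUTE);
                    }
                }
            }
            return conduitFactory.create();
        }
    }

    /**
     * Session listener that keeps SSO entries in step with session lifecycle: a destroyed session
     * is detached from its SSO entry, and an explicit invalidation is propagated to every other
     * session of the same SSO entry.
     *
     * <p>The decompiler reports that it widened this class from package-private to public.
     */
    public final class SessionInvalidationListener implements SessionListener {
        SessionInvalidationListener() {
        }

        @Override
        public void sessionCreated(Session session, HttpServerExchange httpServerExchange) {
        }

        /**
         * Detaches {@code session} from its SSO entry and, when the session was explicitly
         * invalidated, invalidates all other sessions that share the entry.
         *
         * <p>For any other destroy reason the remaining sessions stay attached, and the SSO entry
         * is only removed from the manager once no session is left in it.
         *
         * @param session the session being destroyed
         * @param httpServerExchange the exchange that triggered the destruction; not used here
         * @param sessionDestroyedReason why the session is going away
         */
        @Override
        public void sessionDestroyed(Session session, HttpServerExchange httpServerExchange, SessionListener.SessionDestroyedReason sessionDestroyedReason) {
            String ssoId = (String) session.getAttribute(SSO_SESSION_ATTRIBUTE);
            if (ssoId == null) {
                // Session never took part in an SSO entry.
                return;
            }
            if (log.isTraceEnabled()) {
                log.tracef("Removing SSO ID %s from destroyed session %s.", ssoId, session.getId());
            }
            LinkedList<Session> sessionsToInvalidate = new LinkedList<>();
            try (SingleSignOn sso = singleSignOnManager.findSingleSignOn(ssoId)) {
                if (sso != null) {
                    sso.remove(session);
                    if (sessionDestroyedReason == SessionListener.SessionDestroyedReason.INVALIDATED) {
                        // NOTE(review): removes from the SSO entry while iterating over it; this
                        // assumes the SingleSignOn iterator tolerates concurrent removal. Confirm
                        // for custom SingleSignOnManager implementations.
                        for (Session associated : sso) {
                            sso.remove(associated);
                            sessionsToInvalidate.add(associated);
                        }
                    }
                    if (!sso.iterator().hasNext()) {
                        singleSignOnManager.removeSingleSignOn(sso);
                    }
                }
            }
            // Invalidate only after the SSO entry is closed; the sessions were already detached
            // above, so the re-entrant sessionDestroyed calls find nothing left to cascade.
            for (Session associated : sessionsToInvalidate) {
                associated.invalidate(null);
            }
        }

        @Override
        public void attributeAdded(Session session, String str, Object obj) {
        }

        @Override
        public void attributeUpdated(Session session, String str, Object obj, Object obj2) {
        }

        @Override
        public void attributeRemoved(Session session, String str, Object obj) {
        }

        @Override
        public void sessionIdChanged(Session session, String str) {
        }
    }

    /**
     * Creates a mechanism that takes the identity manager from the security context of each
     * request.
     *
     * @param singleSignOnManager store of SSO entries
     */
    public SingleSignOnAuthenticationMechanism(SingleSignOnManager singleSignOnManager) {
        this(singleSignOnManager, null);
    }

    /**
     * Creates a mechanism with the default cookie name {@code "JSESSIONIDSSO"}. The cookie's
     * HttpOnly and Secure flags stay {@code false} until set through the fluent setters.
     *
     * @param singleSignOnManager store of SSO entries
     * @param identityManager identity manager used to re-verify accounts, or {@code null} to use
     *     the one exposed by the request's security context
     */
    public SingleSignOnAuthenticationMechanism(SingleSignOnManager singleSignOnManager, IdentityManager identityManager) {
        this.seenSessionManagers = Collections.synchronizedSet(Collections.newSetFromMap(new WeakHashMap<SessionManager, Boolean>()));
        this.cookieName = "JSESSIONIDSSO";
        this.listener = new SessionInvalidationListener();
        this.responseListener = new ResponseListener();
        this.singleSignOnManager = singleSignOnManager;
        this.identityManager = identityManager;
    }

    /** Returns the configured identity manager, falling back to the security context's one. */
    private IdentityManager getIdentityManager(SecurityContext securityContext) {
        if (this.identityManager != null) {
            return this.identityManager;
        }
        return securityContext.getIdentityManager();
    }

    /**
     * Attempts to authenticate the request from its SSO cookie.
     *
     * <p>Outcomes, as implemented below:
     * <ul>
     *   <li>Cookie resolves to an SSO entry and the account verifies: the session is linked to the
     *       entry, authentication is completed, and {@code AUTHENTICATED} is returned.</li>
     *   <li>Cookie resolves but the account no longer verifies: {@code NOT_ATTEMPTED} is returned;
     *       the cookie is not cleared and the SSO entry is not removed on this path.</li>
     *   <li>Cookie does not resolve: an expiring cookie is sent to clear it, the response listener
     *       is registered, and {@code NOT_ATTEMPTED} is returned.</li>
     *   <li>No cookie: the response listener is registered and {@code NOT_ATTEMPTED} is
     *       returned.</li>
     * </ul>
     *
     * @param httpServerExchange the current exchange
     * @param securityContext the security context of the exchange
     * @return {@code AUTHENTICATED} when the SSO cookie restored an identity, otherwise
     *     {@code NOT_ATTEMPTED}
     */
    @Override
    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        Cookie ssoCookie = null;
        // No early exit: if several request cookies share the configured name, the last one wins.
        for (Cookie candidate : httpServerExchange.requestCookies()) {
            if (this.cookieName.equals(candidate.getName())) {
                ssoCookie = candidate;
            }
        }
        if (ssoCookie != null) {
            String ssoId = ssoCookie.getValue();
            // NOTE(review): this logs the client-supplied cookie value before it is validated,
            // and a valid value is a bearer credential. Keep trace logging for this category off
            // in production or restrict access to the resulting logs.
            log.tracef("Found SSO cookie %s", ssoId);
            try (SingleSignOn sso = this.singleSignOnManager.findSingleSignOn(ssoId)) {
                if (sso != null) {
                    if (log.isTraceEnabled()) {
                        log.tracef("SSO session with ID: %s found.", ssoId);
                    }
                    // Re-verify on every request so that an account the identity manager no
                    // longer accepts cannot keep riding an existing SSO entry.
                    Account verified = getIdentityManager(securityContext).verify(sso.getAccount());
                    if (verified == null) {
                        if (log.isTraceEnabled()) {
                            log.tracef("Account not found. Returning 'not attempted' here.");
                        }
                        return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
                    }
                    // getSession() creates a session when the exchange has none.
                    registerSessionIfRequired(sso, getSession(httpServerExchange));
                    securityContext.authenticationComplete(verified, sso.getMechanismName(), false);
                    // A logout on this exchange removes the whole SSO entry from the manager.
                    securityContext.registerNotificationReceiver(new NotificationReceiver() {
                        @Override
                        public void handleNotification(SecurityNotification securityNotification) {
                            if (securityNotification.getEventType() == SecurityNotification.EventType.LOGGED_OUT) {
                                SingleSignOnAuthenticationMechanism.this.singleSignOnManager.removeSingleSignOn(sso);
                            }
                        }
                    });
                    log.tracef("Authenticated account %s using SSO", verified.getPrincipal().getName());
                    return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
                }
            }
            // Unknown or expired SSO ID: tell the client to drop the stale cookie.
            clearSsoCookie(httpServerExchange);
        }
        httpServerExchange.addResponseWrapper(this.responseListener);
        return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    /**
     * Links {@code session} to {@code singleSignOn} in both directions and makes sure the
     * session's manager reports destroyed sessions to this mechanism.
     *
     * @param singleSignOn the SSO entry
     * @param session the session to attach
     */
    private void registerSessionIfRequired(SingleSignOn singleSignOn, Session session) {
        if (!singleSignOn.contains(session)) {
            if (log.isTraceEnabled()) {
                log.tracef("Session %s added to SSO %s", session.getId(), singleSignOn.getId());
            }
            singleSignOn.add(session);
        }
        // An existing attribute is left untouched, even if it names a different SSO ID.
        if (session.getAttribute(SSO_SESSION_ATTRIBUTE) == null) {
            if (log.isTraceEnabled()) {
                log.tracef("SSO_SESSION_ATTRIBUTE not found. Creating it with SSO ID %s as value.", singleSignOn.getId());
            }
            session.setAttribute(SSO_SESSION_ATTRIBUTE, singleSignOn.getId());
        }
        SessionManager sessionManager = session.getSessionManager();
        // add() returns true only the first time a manager is seen, so the listener is
        // registered once per session manager.
        if (this.seenSessionManagers.add(sessionManager)) {
            sessionManager.registerSessionListener(this.listener);
        }
    }

    /**
     * Sends a zero max-age cookie with the configured name, domain, path and flags so the client
     * discards its SSO cookie.
     */
    private void clearSsoCookie(HttpServerExchange httpServerExchange) {
        httpServerExchange.setResponseCookie(new CookieImpl(this.cookieName)
                .setMaxAge(Integer.valueOf(0))
                .setHttpOnly(this.httpOnly)
                .setSecure(this.secure)
                .setDomain(this.domain)
                .setPath(this.path));
    }

    /** This mechanism never issues a challenge of its own; always returns {@code NOT_SENT}. */
    @Override
    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        return AuthenticationMechanism.ChallengeResult.NOT_SENT;
    }

    /**
     * Returns the session for the exchange, creating one if none exists. Subclasses may override
     * this to supply the session differently.
     */
    protected Session getSession(HttpServerExchange httpServerExchange) {
        return Sessions.getOrCreateSession(httpServerExchange);
    }

    /** Returns the name of the SSO cookie. */
    public String getCookieName() {
        return this.cookieName;
    }

    /**
     * Sets the name of the SSO cookie. {@link #authenticate} calls {@code equals} on this value,
     * so a {@code null} name makes it fail with a {@code NullPointerException}.
     *
     * @return this mechanism, for chaining
     */
    public SingleSignOnAuthenticationMechanism setCookieName(String str) {
        this.cookieName = str;
        return this;
    }

    /** Returns whether the SSO cookie is issued with the HttpOnly flag (default {@code false}). */
    public boolean isHttpOnly() {
        return this.httpOnly;
    }

    /**
     * Sets whether the SSO cookie carries the HttpOnly flag. Enabling it keeps the credential out
     * of reach of page scripts.
     *
     * @return this mechanism, for chaining
     */
    public SingleSignOnAuthenticationMechanism setHttpOnly(boolean z) {
        this.httpOnly = z;
        return this;
    }

    /** Returns whether the SSO cookie is issued with the Secure flag (default {@code false}). */
    public boolean isSecure() {
        return this.secure;
    }

    /**
     * Sets whether the SSO cookie carries the Secure flag. Enable it wherever the application is
     * served over HTTPS so the credential is not sent over plain HTTP.
     *
     * @return this mechanism, for chaining
     */
    public SingleSignOnAuthenticationMechanism setSecure(boolean z) {
        this.secure = z;
        return this;
    }

    /** Returns the Domain attribute applied to the SSO cookie, or {@code null} if unset. */
    public String getDomain() {
        return this.domain;
    }

    /**
     * Sets the Domain attribute of the SSO cookie. A broader domain sends the credential to more
     * hosts, so keep it as narrow as the deployment allows.
     *
     * @return this mechanism, for chaining
     */
    public SingleSignOnAuthenticationMechanism setDomain(String str) {
        this.domain = str;
        return this;
    }

    /** Returns the Path attribute applied to the SSO cookie, or {@code null} if unset. */
    public String getPath() {
        return this.path;
    }

    /**
     * Sets the Path attribute of the SSO cookie.
     *
     * @return this mechanism, for chaining
     */
    public SingleSignOnAuthenticationMechanism setPath(String str) {
        this.path = str;
        return this;
    }
}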
