package org.apache.brooklyn.rest.security.jaas;

import com.google.common.base.Preconditions;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.servlet.http.HttpSession;
import org.apache.brooklyn.api.mgmt.ManagementContext;
import org.apache.brooklyn.config.StringConfigMap;
import org.apache.brooklyn.rest.BrooklynWebConfig;
import org.apache.brooklyn.rest.security.provider.DelegatingSecurityProvider;
import org.apache.brooklyn.rest.security.provider.SecurityProvider;
import org.apache.brooklyn.util.exceptions.Exceptions;
import org.apache.brooklyn.util.text.Strings;
import org.eclipse.jetty.server.HttpChannel;
import org.eclipse.jetty.server.Request;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/brooklyn/rest/security/jaas/BrooklynLoginModule.class */
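/**
 * JAAS {@link LoginModule} that authenticates a username/password pair against a Brooklyn
 * {@link SecurityProvider} and, on success, attaches a {@link UserPrincipal} and a
 * {@link RolePrincipal} to the {@link Subject}.
 *
 * <p>The provider is resolved in {@link #initialize}: an instance already registered in the
 * management context wins; otherwise, if the JAAS options name a bundle via
 * {@link #PROPERTY_BUNDLE_SYMBOLIC_NAME} (and optionally {@link #PROPERTY_BUNDLE_VERSION}),
 * the configured provider class is loaded from that bundle; otherwise Brooklyn's
 * {@link DelegatingSecurityProvider} is used.
 *
 * <p>A module instance holds per-login state and is not safe for concurrent use, which matches
 * how JAAS drives login modules (one instance per {@code LoginContext}).
 */
public class BrooklynLoginModule implements LoginModule {
    /** Session attribute under which the authenticated user name is stored after a successful login. */
    public static final String AUTHENTICATED_USER_SESSION_ATTRIBUTE = "brooklyn.user";
    /** Role granted when the JAAS options do not set {@link #PROPERTY_ROLE}. */
    public static final String DEFAULT_ROLE = "webconsole";

    private static final Logger log = LoggerFactory.getLogger(BrooklynLoginModule.class);

    /** JAAS option: symbolic name of the bundle to load the security provider class from. */
    public static final String PROPERTY_BUNDLE_SYMBOLIC_NAME = BrooklynWebConfig.SECURITY_PROVIDER_CLASSNAME.getName() + ".symbolicName";
    /** JAAS option: version of the bundle named by {@link #PROPERTY_BUNDLE_SYMBOLIC_NAME}; any version if absent. */
    public static final String PROPERTY_BUNDLE_VERSION = BrooklynWebConfig.SECURITY_PROVIDER_CLASSNAME.getName() + ".version";
    /** JAAS option: role to grant to authenticated users; an empty value grants no role. */
    public static final String PROPERTY_ROLE = BrooklynWebConfig.SECURITY_PROVIDER_CLASSNAME.getName() + ".role";

    // JAAS options passed to initialize(); read for the bundle/class/role properties above.
    private Map<String, ?> options;
    // Taken from the options under BundleContext.class.getName(); required only for bundle-based loading.
    private BundleContext bundleContext;
    // Synthetic session handed to the provider so it can record per-login attributes (remote address, user).
    private HttpSession providerSession;
    private SecurityProvider provider;
    private Subject subject;
    private CallbackHandler callbackHandler;
    private boolean loginSuccess;
    private boolean commitSuccess;
    // Principals produced by login() and added to the subject in commit(); null until login succeeds.
    private Collection<Principal> principals;

    /**
     * Name-based principal. Equality is restricted to the same concrete class so that a
     * {@link UserPrincipal} and a {@link RolePrincipal} with the same name stay distinct
     * entries in the subject's principal set.
     */
    private static class BasicPrincipal implements Principal {
        private final String name;

        /**
         * @param str the principal name, never null
         * @throws NullPointerException if {@code str} is null
         */
        public BasicPrincipal(String str) {
            this.name = Objects.requireNonNull(str, "name");
        }

        @Override
        public String getName() {
            return name;
        }

        @Override
        public int hashCode() {
            return name.hashCode();
        }

        @Override
        public boolean equals(Object obj) {
            // Same concrete class required: a user named like a role must not collide with that role.
            if (obj == null || obj.getClass() != getClass()) {
                return false;
            }
            return name.equals(((BasicPrincipal) obj).name);
        }

        @Override
        public String toString() {
            return getClass().getSimpleName() + "[" + name + "]";
        }
    }

    /** Principal representing a role granted to the authenticated user. */
    public static class RolePrincipal extends BasicPrincipal {
        /** @param str the role name, never null */
        public RolePrincipal(String str) {
            super(str);
        }
    }

    /** Principal representing the authenticated user. */
    public static class UserPrincipal extends BasicPrincipal {
        /** @param str the user name, never null */
        public UserPrincipal(String str) {
            super(str);
        }
    }

    /**
     * Builds the provider used when no bundle is configured.
     *
     * @param managementContext context the delegating provider reads its configuration from
     * @return a fresh {@link DelegatingSecurityProvider}
     */
    private static synchronized SecurityProvider createDefaultSecurityProvider(ManagementContext managementContext) {
        return new DelegatingSecurityProvider(managementContext);
    }

    /** @return the management context published via {@code ManagementContextHolder} */
    private ManagementContext getManagementContext() {
        return ManagementContextHolder.getManagementContext();
    }

    /**
     * Stores the JAAS wiring and resolves the security provider.
     *
     * @param subject subject to populate on commit
     * @param callbackHandler source of the username and password; may be null, in which case
     *        {@link #login()} fails
     * @param sharedState JAAS shared state (unused)
     * @param options JAAS module options; consulted for the bundle/class/role properties and for
     *        a {@link BundleContext} stored under {@code BundleContext.class.getName()}
     * @throws IllegalStateException if the options are inconsistent or the provider cannot be loaded
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.options = options;
        this.bundleContext = (BundleContext) options.get(BundleContext.class.getName());
        this.loginSuccess = false;
        this.commitSuccess = false;
        initProvider();
    }

    /**
     * Resolves {@link #provider}: pre-registered instance, then bundle-loaded class, then the
     * Brooklyn default.
     *
     * @throws IllegalStateException if a class name is given without a bundle symbolic name, or
     *         the class cannot be loaded from the named bundle
     */
    private void initProvider() {
        StringConfigMap config = getManagementContext().getConfig();
        provider = (SecurityProvider) config.getConfig(BrooklynWebConfig.SECURITY_PROVIDER_INSTANCE);

        String symbolicName = (String) options.get(PROPERTY_BUNDLE_SYMBOLIC_NAME);
        String version = (String) options.get(PROPERTY_BUNDLE_VERSION);
        String className = (String) options.get(BrooklynWebConfig.SECURITY_PROVIDER_CLASSNAME.getName());

        // Validated even when an instance is already registered, so misconfiguration surfaces early.
        if (className != null && symbolicName == null) {
            throw new IllegalStateException("Missing JAAS module property " + PROPERTY_BUNDLE_SYMBOLIC_NAME
                    + " pointing at the bundle where to load the security provider from.");
        }
        if (provider != null) {
            return;
        }

        if (symbolicName == null) {
            log.debug("Delegating security provider loading to Brooklyn.");
            provider = createDefaultSecurityProvider(getManagementContext());
        } else {
            if (className == null) {
                className = (String) config.getConfig(BrooklynWebConfig.SECURITY_PROVIDER_CLASSNAME);
            }
            if (className != null) {
                provider = loadProviderFromBundle(className, symbolicName, version);
            } else {
                log.warn("Bundle {}:{} configured for the security provider but no provider class name given; "
                        + "authentication will not be possible", symbolicName, version);
            }
        }
        log.debug("Using security provider {}", provider);
    }

    /**
     * Loads and instantiates the provider class from the bundle(s) matching the given coordinates.
     *
     * @param className fully qualified provider class name
     * @param symbolicName bundle symbolic name
     * @param version bundle version, or null for any version
     * @return the instantiated provider
     * @throws IllegalStateException if no bundle matches or the class cannot be loaded/instantiated
     */
    private SecurityProvider loadProviderFromBundle(String className, String symbolicName, String version) {
        try {
            Collection<Bundle> matchingBundles = getMatchingBundles(symbolicName, version);
            if (matchingBundles.isEmpty()) {
                throw new IllegalStateException("No bundle " + symbolicName + ":" + version + " found");
            }
            if (matchingBundles.size() > 1) {
                log.warn("Found multiple bundles matching symbolicName {} and version {} while trying to load "
                        + "security provider {}. Will use first one that loads the class successfully.",
                        symbolicName, version, className);
            }
            SecurityProvider loaded = tryLoadClass(className, matchingBundles);
            if (loaded == null) {
                throw new ClassNotFoundException("Unable to load class " + className + " from bundle "
                        + symbolicName + ":" + version);
            }
            return loaded;
        } catch (Exception e) {
            Exceptions.propagateIfFatal(e);
            throw new IllegalStateException("Can not load or create security provider " + className
                    + " for bundle " + symbolicName + ":" + version, e);
        }
    }

    /**
     * Tries each bundle in turn and instantiates the provider from the first one that can load the class.
     *
     * @param className fully qualified provider class name
     * @param bundles candidate bundles, tried in iteration order
     * @return the provider, or null if no bundle could load the class
     */
    private SecurityProvider tryLoadClass(String className, Collection<Bundle> bundles)
            throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
        for (Bundle bundle : bundles) {
            try {
                Class<?> providerClass = bundle.loadClass(className);
                return DelegatingSecurityProvider.createSecurityProviderInstance(getManagementContext(), providerClass);
            } catch (ClassNotFoundException e) {
                // Expected when several bundles match; keep looking rather than fail on the first miss.
                log.debug("Class {} not found in bundle {}:{}; trying next candidate",
                        className, bundle.getSymbolicName(), bundle.getVersion());
            }
        }
        return null;
    }

    /**
     * Finds installed bundles with the given symbolic name and (optionally) version.
     *
     * @param symbolicName required bundle symbolic name
     * @param version exact version string to match, or null to accept any version
     * @return matching bundles, possibly empty
     * @throws IllegalStateException if no {@link BundleContext} was supplied in the JAAS options
     */
    private Collection<Bundle> getMatchingBundles(String symbolicName, String version) {
        if (bundleContext == null) {
            throw new IllegalStateException("No " + BundleContext.class.getName()
                    + " in JAAS module options; cannot load security provider from bundle " + symbolicName);
        }
        List<Bundle> matches = new ArrayList<>();
        for (Bundle bundle : bundleContext.getBundles()) {
            // Compare with the requested name on the left: a bundle's symbolic name may be null.
            boolean nameMatches = symbolicName.equals(bundle.getSymbolicName());
            boolean versionMatches = version == null || version.equals(bundle.getVersion().toString());
            if (nameMatches && versionMatches) {
                matches.add(bundle);
            }
        }
        return matches;
    }

    /**
     * Collects the username and password through the callback handler and authenticates them
     * against the provider. On success prepares the user and role principals for {@link #commit()}.
     *
     * @return true on successful authentication
     * @throws FailedLoginException if credentials are unavailable or rejected
     * @throws LoginException if the callback handler fails or no provider is configured
     */
    @Override
    public boolean login() throws LoginException {
        if (callbackHandler == null) {
            loginSuccess = false;
            throw new FailedLoginException("Username and password not available");
        }
        if (provider == null) {
            loginSuccess = false;
            throw new LoginException("No security provider available");
        }

        NameCallback nameCallback = new NameCallback("Username: ");
        PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
        try {
            callbackHandler.handle(new Callback[]{nameCallback, passwordCallback});
        } catch (IOException e) {
            LoginException le = new LoginException(e.getMessage());
            le.initCause(e);
            throw le;
        } catch (UnsupportedCallbackException e) {
            LoginException le = new LoginException(e.getMessage() + " not available to obtain information from user");
            le.initCause(e);
            throw le;
        }

        String name = nameCallback.getName();
        char[] passwordChars = passwordCallback.getPassword();
        try {
            if (passwordChars == null) {
                loginSuccess = false;
                throw new FailedLoginException("Username and password not available");
            }
            // The provider API takes a String, so a heap copy is unavoidable here.
            String password = new String(passwordChars);

            providerSession = new SecurityProviderHttpSession();
            Request jettyRequest = getJettyRequest();
            if (jettyRequest != null) {
                providerSession.setAttribute(BrooklynWebConfig.REMOTE_ADDRESS_SESSION_ATTRIBUTE, jettyRequest.getRemoteAddr());
            }
            if (!provider.authenticate(providerSession, name, password)) {
                loginSuccess = false;
                throw new FailedLoginException("Incorrect username or password");
            }
            // A provider that accepts a missing user name still cannot yield a usable UserPrincipal.
            if (name == null) {
                loginSuccess = false;
                throw new FailedLoginException("Incorrect username or password");
            }
            providerSession.setAttribute(AUTHENTICATED_USER_SESSION_ATTRIBUTE, name);

            String role = (String) options.get(PROPERTY_ROLE);
            if (role == null) {
                role = DEFAULT_ROLE;
            }
            List<Principal> granted = new ArrayList<>(2);
            granted.add(new UserPrincipal(name));
            if (Strings.isNonEmpty(role)) {
                granted.add(new RolePrincipal(role));
            }
            principals = granted;
            loginSuccess = true;
            return true;
        } finally {
            // Scrub both the callback's buffer and our copy of it.
            passwordCallback.clearPassword();
            if (passwordChars != null) {
                Arrays.fill(passwordChars, '\0');
            }
        }
    }

    /**
     * Adds the principals prepared by {@link #login()} to the subject.
     *
     * @return whether login had succeeded
     * @throws LoginException if the subject is read-only
     */
    @Override
    public boolean commit() throws LoginException {
        if (loginSuccess) {
            if (subject.isReadOnly()) {
                throw new LoginException("Can't commit read-only subject");
            }
            subject.getPrincipals().addAll(principals);
        }
        commitSuccess = true;
        return loginSuccess;
    }

    /**
     * Undoes a committed login and drops per-login state.
     *
     * @return whether login had succeeded
     * @throws LoginException if principals were committed but the subject is read-only
     */
    @Override
    public boolean abort() throws LoginException {
        if (loginSuccess && commitSuccess) {
            removePrincipal();
        }
        clear();
        return loginSuccess;
    }

    /**
     * Logs the user out of the provider and the current HTTP session, then removes the
     * principals from the subject.
     *
     * @return always true
     * @throws LoginException if the subject is read-only
     */
    @Override
    public boolean logout() throws LoginException {
        Request jettyRequest = getJettyRequest();
        if (jettyRequest != null) {
            // providerSession is only set once login() ran; logout may be called without it.
            Object user = providerSession != null ? providerSession.getAttribute(AUTHENTICATED_USER_SESSION_ATTRIBUTE) : null;
            log.info("REST logging {} out", user);
            if (provider != null) {
                provider.logout(jettyRequest.getSession());
            }
            jettyRequest.getSession().removeAttribute(AUTHENTICATED_USER_SESSION_ATTRIBUTE);
        } else {
            log.error("Request object not available for logout");
        }
        removePrincipal();
        clear();
        return true;
    }

    /**
     * Removes this module's principals from the subject; a no-op when nothing was prepared.
     *
     * @throws LoginException if the subject is read-only
     */
    private void removePrincipal() throws LoginException {
        if (subject == null || principals == null) {
            return;
        }
        if (subject.isReadOnly()) {
            throw new LoginException("Read-only subject");
        }
        subject.getPrincipals().removeAll(principals);
    }

    /** Drops references held for the current login so the module does not retain them. */
    private void clear() {
        subject = null;
        callbackHandler = null;
        principals = null;
    }

    /** @return the Jetty request bound to the current thread, or null if none */
    private Request getJettyRequest() {
        HttpChannel currentHttpChannel = HttpChannel.getCurrentHttpChannel();
        if (currentHttpChannel != null) {
            return currentHttpChannel.getRequest();
        }
        return null;
    }
}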
