package org.granite.spring.security;

import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.granite.context.GraniteContext;
import org.granite.logging.Logger;
import org.granite.messaging.service.security.AbstractSecurityContext;
import org.granite.messaging.service.security.AbstractSecurityService;
import org.granite.messaging.service.security.SecurityServiceException;
import org.granite.messaging.webapp.HttpGraniteContext;
import org.granite.messaging.webapp.ServletGraniteContext;
import org.springframework.beans.factory.BeanFactoryUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.context.support.WebApplicationContextUtils;

/* loaded from: input_file:org/granite/spring/security/SpringSecurity3Service.class */
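/**
 * GraniteDS security service backed by Spring Security 3.
 *
 * <p>The service authenticates credentials through an {@link AuthenticationManager}, persists the
 * resulting {@link SecurityContext} through a {@link SecurityContextRepository}, and checks
 * destination roles before a service invocation. When the request does not carry the
 * {@code __spring_security_scpf_applied} attribute, this class loads, saves and clears the
 * security context itself.
 *
 * <p>This listing was recovered from a decompiled class. Casts dropped by the decompiler,
 * the exception-handling scope of {@link #authorize} and the body of
 * {@link #handleAuthorizationExceptions} have been restored; see the comments on those methods.
 */
public class SpringSecurity3Service extends AbstractSecurityService implements ApplicationContextAware, ApplicationEventPublisherAware {
    private static final Logger log = Logger.getLogger(SpringSecurity3Service.class);
    /** Request attribute whose presence means the context is already being managed for this request. */
    private static final String FILTER_APPLIED = "__spring_security_scpf_applied";
    /** Request attribute set by {@link #authorize} to detect re-entrant calls on the same request. */
    private static final String SECURITY_SERVICE_APPLIED = "__spring_security_granite_service_applied";
    private ApplicationContext applicationContext = null;
    private ApplicationEventPublisher eventPublisher = null;
    private AuthenticationExtension authenticationExtension = new DefaultAuthenticationExtension();
    private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
    private SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();
    private AbstractSpringSecurity3Interceptor securityInterceptor = null;
    // Default strategy is session-fixation protection; the setter refuses null so it cannot be switched off by accident.
    private SessionAuthenticationStrategy sessionAuthenticationStrategy = new SessionFixationProtectionStrategy();
    private PasswordEncoder passwordEncoder = null;
    // Anonymous tokens are rejected on secured destinations unless this is explicitly enabled.
    private boolean allowAnonymousAccess = false;
    // Reflective handles on HttpRequestResponseHolder.getRequest()/getResponse(), made accessible in the constructor.
    private Method getRequest;
    private Method getResponse;

    /* loaded from: input_file:org/granite/spring/security/SpringSecurity3Service$DefaultAuthenticationExtension.class */
    /**
     * Default {@link AuthenticationExtension}: builds username/password tokens and resolves the
     * {@link AuthenticationManager} either from an injected instance or from the application context.
     */
    public static class DefaultAuthenticationExtension implements AuthenticationExtension {
        private ApplicationContext applicationContext = null;
        private AuthenticationManager authenticationManager = null;
        private String authenticationManagerBeanName = null;

        @Override // org.granite.spring.security.AuthenticationExtension
        public void setApplicationContext(ApplicationContext applicationContext) {
            this.applicationContext = applicationContext;
        }

        @Override // org.granite.spring.security.AuthenticationExtension
        public void setAuthenticationManager(AuthenticationManager authenticationManager) {
            this.authenticationManager = authenticationManager;
        }

        @Override // org.granite.spring.security.AuthenticationExtension
        public void setAuthenticationManagerBeanName(String str) {
            this.authenticationManagerBeanName = str;
        }

        /**
         * Wraps the supplied principal and credential in an unauthenticated
         * {@link UsernamePasswordAuthenticationToken}.
         *
         * @param str  the user name
         * @param str2 the credential as passed by {@code login}
         * @return the authentication request token
         */
        @Override // org.granite.spring.security.AuthenticationExtension
        public Authentication buildAuthentication(String str, String str2) {
            return new UsernamePasswordAuthenticationToken(str, str2);
        }

        /**
         * Resolves the manager used to authenticate a request.
         *
         * <p>An explicitly injected manager wins. Otherwise the application context (including
         * ancestors) is searched: by bean name when one is configured, else the single available
         * bean is used. Missing or ambiguous configuration fails the authentication instead of
         * picking a manager arbitrarily.
         *
         * @param authentication the authentication request (not inspected by this implementation)
         * @return the manager to use, never {@code null}
         * @throws SecurityServiceException when no manager can be resolved unambiguously
         */
        @Override // org.granite.spring.security.AuthenticationExtension
        public AuthenticationManager selectAuthenticationManager(Authentication authentication) {
            if (this.authenticationManager != null) {
                return this.authenticationManager;
            }
            Map<String, AuthenticationManager> managers = BeanFactoryUtils.beansOfTypeIncludingAncestors(this.applicationContext, AuthenticationManager.class);
            if (this.authenticationManagerBeanName != null) {
                AuthenticationManager named = managers.get(this.authenticationManagerBeanName);
                if (named != null) {
                    return named;
                }
                SpringSecurity3Service.log.error("AuthenticationManager bean not found " + this.authenticationManagerBeanName, new Object[0]);
                throw SecurityServiceException.newAuthenticationFailedException("Authentication failed");
            }
            if (managers.isEmpty()) {
                // Previously this path called iterator().next() on an empty map and surfaced a
                // NoSuchElementException; fail the same way as the other misconfiguration paths.
                SpringSecurity3Service.log.error("No AuthenticationManager bean found in the application context", new Object[0]);
                throw SecurityServiceException.newAuthenticationFailedException("Authentication failed");
            }
            if (managers.size() == 1) {
                return managers.values().iterator().next();
            }
            SpringSecurity3Service.log.error("More than one AuthenticationManager beans found, specify which one to use in Spring config <graniteds:security-service authentication-manager='myAuthManager'/> or in granite-config.xml <security type='org.granite.spring.security.SpringSecurity3Service'><param name='authentication-manager-bean-name' value='myAuthManager'/></security>", new Object[0]);
            throw SecurityServiceException.newAuthenticationFailedException("Authentication failed");
        }

        /** No-op hook invoked by {@code logout} before the HTTP session is invalidated. */
        @Override // org.granite.spring.security.AuthenticationExtension
        public void endSession(HttpSession httpSession) {
        }
    }

    /**
     * Creates the service and resolves the reflective accessors on
     * {@link HttpRequestResponseHolder}.
     *
     * @throws RuntimeException if the accessors cannot be resolved or made accessible
     */
    public SpringSecurity3Service() {
        this.getRequest = null;
        this.getResponse = null;
        log.debug("Starting Spring 3 Security Service", new Object[0]);
        try {
            // getDeclaredMethod + setAccessible: presumably the getters are not public in the
            // targeted Spring Security version - TODO confirm against the deployed library.
            this.getRequest = HttpRequestResponseHolder.class.getDeclaredMethod("getRequest", new Class[0]);
            this.getRequest.setAccessible(true);
            this.getResponse = HttpRequestResponseHolder.class.getDeclaredMethod("getResponse", new Class[0]);
            this.getResponse.setAccessible(true);
        } catch (NoSuchMethodException | SecurityException e) {
            throw new RuntimeException("Could not get methods from HttpRequestResponseHolder", e);
        }
    }

    @Override
    public void setApplicationContext(ApplicationContext applicationContext) {
        this.applicationContext = applicationContext;
    }

    /**
     * Replaces the authentication extension.
     *
     * @throws NullPointerException if the extension is {@code null}
     */
    public void setAuthenticationExtension(AuthenticationExtension authenticationExtension) {
        if (authenticationExtension == null) {
            throw new NullPointerException("AuthenticationBuilder cannot be null");
        }
        this.authenticationExtension = authenticationExtension;
    }

    @Override
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.eventPublisher = applicationEventPublisher;
    }

    /** Passes the manager to the current authentication extension. */
    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationExtension.setAuthenticationManager(authenticationManager);
    }

    public void setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver) {
        this.authenticationTrustResolver = authenticationTrustResolver;
    }

    /** Enables or disables access to secured destinations for anonymous authentication tokens. */
    public void setAllowAnonymousAccess(boolean z) {
        this.allowAnonymousAccess = z;
    }

    public void setSecurityContextRepository(SecurityContextRepository securityContextRepository) {
        this.securityContextRepository = securityContextRepository;
    }

    /** Sets the interceptor that {@link #authorize} delegates to after its own role check. */
    public void setSecurityInterceptor(AbstractSpringSecurity3Interceptor abstractSpringSecurity3Interceptor) {
        this.securityInterceptor = abstractSpringSecurity3Interceptor;
    }

    /**
     * Replaces the session authentication strategy applied after a successful login.
     *
     * @throws NullPointerException if the strategy is {@code null}
     */
    public void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy) {
        if (sessionAuthenticationStrategy == null) {
            throw new NullPointerException("SessionAuthenticationStrategy cannot be null");
        }
        this.sessionAuthenticationStrategy = sessionAuthenticationStrategy;
    }

    public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    /**
     * Applies configuration parameters.
     *
     * <p>Recognised keys: {@code authentication-manager-bean-name} and
     * {@code allow-anonymous-access}. Anonymous access is enabled only by the exact value
     * {@code "true"}; any other value leaves the current setting untouched.
     *
     * @param map the configuration parameters
     */
    public void configure(Map<String, String> map) {
        log.debug("Configuring with parameters %s: ", new Object[]{map});
        if (map.containsKey("authentication-manager-bean-name")) {
            this.authenticationExtension.setAuthenticationManagerBeanName(map.get("authentication-manager-bean-name"));
        }
        if (Boolean.TRUE.toString().equals(map.get("allow-anonymous-access"))) {
            this.allowAnonymousAccess = true;
        }
    }

    /**
     * Authenticates the supplied credentials and stores the resulting authentication in the
     * security context repository.
     *
     * <p>The call is ignored (with an info log, no exception) when the current Granite context is
     * not an {@link HttpGraniteContext}. For non-anonymous results the configured
     * {@link SessionAuthenticationStrategy} runs before the context is saved. When this class
     * manages the thread context itself, the thread-bound context is cleared on every exit path.
     *
     * @param obj the encoded credentials, decoded by {@code decodeBase64Credentials}
     * @param str the charset name passed to {@code decodeBase64Credentials}
     * @throws IllegalStateException    if no application context is available
     * @throws SecurityServiceException if authentication fails
     */
    public void login(Object obj, String str) {
        List<?> credentials = Arrays.asList(decodeBase64Credentials(obj, str));
        if (!(GraniteContext.getCurrentInstance() instanceof HttpGraniteContext)) {
            log.info("Login from non HTTP granite context ignored", new Object[0]);
            return;
        }
        // The decompiler dropped this downcast; the instanceof check above makes it safe.
        HttpGraniteContext graniteContext = (HttpGraniteContext) GraniteContext.getCurrentInstance();
        HttpServletRequest request = graniteContext.getRequest();
        boolean filterNotApplied = request.getAttribute(FILTER_APPLIED) == null;
        ApplicationContext webApplicationContext = this.applicationContext != null
                ? this.applicationContext
                : WebApplicationContextUtils.getWebApplicationContext(graniteContext.getServletContext());
        if (webApplicationContext == null) {
            throw new IllegalStateException("No application context defined for Spring security service");
        }
        this.authenticationExtension.setApplicationContext(webApplicationContext);
        String username = (String) credentials.get(0);
        String password = (String) credentials.get(1);
        if (this.passwordEncoder != null) {
            // NOTE(review): the credential is encoded with a null salt before it reaches the
            // AuthenticationManager - confirm the configured provider expects a pre-encoded value.
            password = this.passwordEncoder.encodePassword(password, (Object) null);
        }
        Authentication request​Token = this.authenticationExtension.buildAuthentication(username, password);
        try {
            Authentication authenticated = this.authenticationExtension.selectAuthenticationManager(request​Token).authenticate(request​Token);
            if (authenticated != null && !this.authenticationTrustResolver.isAnonymous(authenticated)) {
                try {
                    this.sessionAuthenticationStrategy.onAuthentication(authenticated, request, graniteContext.getResponse());
                } catch (SessionAuthenticationException e) {
                    log.debug(e, "SessionAuthenticationStrategy rejected the authentication object", new Object[0]);
                    SecurityContextHolder.clearContext();
                    handleAuthenticationExceptions(e);
                    return;
                }
            }
            // NOTE(review): a null result from the manager is stored and treated like a
            // completed login below; subsequent authorize() calls would still reject it.
            log.debug("Define authentication and save to repo: %s", new Object[]{nameOf(authenticated, "none")});
            HttpRequestResponseHolder holder = new HttpRequestResponseHolder(graniteContext.getRequest(), graniteContext.getResponse());
            SecurityContext securityContext = this.securityContextRepository.loadContext(holder);
            securityContext.setAuthentication(authenticated);
            SecurityContextHolder.setContext(securityContext);
            saveContext(securityContext, holder, "Could not save context after authentication");
            if (this.eventPublisher != null) {
                this.eventPublisher.publishEvent(new AuthenticationSuccessEvent(authenticated));
            }
            endLogin(obj, str);
        } catch (AuthenticationException e) {
            handleAuthenticationExceptions(e);
            // Reached only if an overriding handler chose not to throw: do not log a successful login.
            return;
        } finally {
            if (filterNotApplied) {
                log.debug("Clear authentication after login", new Object[0]);
                SecurityContextHolder.clearContext();
            }
        }
        log.debug("User %s logged in", new Object[]{username});
    }

    /**
     * Translates a Spring authentication failure into a {@link SecurityServiceException}.
     *
     * <p>{@link BadCredentialsException} and {@link UsernameNotFoundException} both map to the
     * same "invalid credentials" fault; every other failure maps to "authentication failed".
     * The original exception message is forwarded in both cases.
     *
     * @param authenticationException the failure to translate
     * @throws SecurityServiceException always
     */
    protected void handleAuthenticationExceptions(AuthenticationException authenticationException) {
        // NOTE(review): the fault code is identical for unknown user and bad password, but the
        // forwarded message may still differ between the two - confirm it does not reveal which.
        if (!(authenticationException instanceof BadCredentialsException) && !(authenticationException instanceof UsernameNotFoundException)) {
            throw SecurityServiceException.newAuthenticationFailedException(authenticationException.getMessage());
        }
        throw SecurityServiceException.newInvalidCredentialsException(authenticationException.getMessage());
    }

    /**
     * Checks access to the destination of the given invocation context and performs the
     * invocation.
     *
     * <p>When this class manages the security context for the request (filter attribute absent
     * and call not re-entrant), the context is loaded from the repository first and is saved and
     * cleared from the thread afterwards, on success and on failure alike. Secured destinations
     * require an authenticated, non-anonymous (unless allowed) caller holding one of the
     * destination's roles.
     *
     * <p>Compared with the raw decompiler output, the exception handlers cover the whole
     * authorization and invocation sequence rather than only the context-loading block (where
     * {@link InvocationTargetException} cannot be thrown), and the cleanup uses the real
     * request/response holder instead of a {@code null} target.
     *
     * @param abstractSecurityContext the invocation context
     * @return the result of the security interceptor, or of {@code endAuthorization} when no
     *         interceptor is configured
     * @throws SecurityServiceException if the caller is not logged in or lacks access
     * @throws Exception                any other failure raised by the invocation
     */
    public Object authorize(AbstractSecurityContext abstractSecurityContext) throws Exception {
        log.debug("Authorize %s on destination %s (secured: %b)", new Object[]{abstractSecurityContext, abstractSecurityContext.getDestination().getId(), Boolean.valueOf(abstractSecurityContext.getDestination().isSecured())});
        startAuthorization(abstractSecurityContext);
        ServletGraniteContext graniteContext = (ServletGraniteContext) GraniteContext.getCurrentInstance();
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        HttpRequestResponseHolder holder = null;
        boolean filterNotApplied = graniteContext.getRequest().getAttribute(FILTER_APPLIED) == null;
        boolean reentrant = graniteContext.getRequest().getAttribute(SECURITY_SERVICE_APPLIED) != null;
        boolean manageContext = filterNotApplied && !reentrant;
        try {
            if (manageContext) {
                holder = new HttpRequestResponseHolder(graniteContext.getRequest(), graniteContext.getResponse());
                SecurityContext loaded = this.securityContextRepository.loadContext(holder);
                SecurityContextHolder.setContext(loaded);
                graniteContext.getRequest().setAttribute(SECURITY_SERVICE_APPLIED, Boolean.TRUE);
                if (isAuthenticated(authentication)) {
                    // NOTE(review): an authentication already bound to the thread is adopted and
                    // later saved to the repository; this relies on the thread context being
                    // cleared at the end of every request.
                    log.debug("Thread was already authenticated: %s", new Object[]{authentication.getName()});
                    loaded.setAuthentication(authentication);
                } else {
                    authentication = loaded.getAuthentication();
                    log.debug("Restore authentication from repository: %s", new Object[]{nameOf(authentication, "none")});
                }
            }
            if (abstractSecurityContext.getDestination().isSecured()) {
                if (!isAuthenticated(authentication) || (!this.allowAnonymousAccess && (authentication instanceof AnonymousAuthenticationToken))) {
                    log.debug("User not authenticated!", new Object[0]);
                    throw SecurityServiceException.newNotLoggedInException("User not logged in");
                }
                if (!userCanAccessService(abstractSecurityContext, authentication)) {
                    log.debug("Access denied for user %s", new Object[]{nameOf(authentication, "not authenticated")});
                    throw SecurityServiceException.newAccessDeniedException("User not in required role");
                }
            }
            return this.securityInterceptor != null ? this.securityInterceptor.invoke(abstractSecurityContext) : endAuthorization(abstractSecurityContext);
        } catch (SecurityServiceException e) {
            throw e;
        } catch (AccessDeniedException e) {
            throw SecurityServiceException.newAccessDeniedException(e.getMessage());
        } catch (InvocationTargetException e) {
            // Translates security-related causes; falls through to rethrow when none is found.
            handleAuthorizationExceptions(e);
            throw e;
        } finally {
            if (manageContext) {
                SecurityContext current = SecurityContextHolder.getContext();
                log.debug("Clear authentication and save to repo: %s", new Object[]{nameOf(current.getAuthentication(), "none")});
                SecurityContextHolder.clearContext();
                if (holder != null) {
                    saveContext(current, holder, "Could not extract wrapped context from holder");
                }
                graniteContext.getRequest().removeAttribute(SECURITY_SERVICE_APPLIED);
            }
        }
    }

    /** Returns whether the current Granite context is a {@link ServletGraniteContext}. */
    public boolean acceptsContext() {
        return GraniteContext.getCurrentInstance() instanceof ServletGraniteContext;
    }

    /**
     * Ends the session of the current user.
     *
     * <p>The HTTP session is invalidated only when one exists and the repository reports a
     * stored context for the request. The thread-bound context is cleared when this class
     * manages it.
     */
    public void logout() {
        ServletGraniteContext graniteContext = (ServletGraniteContext) GraniteContext.getCurrentInstance();
        boolean filterNotApplied = graniteContext.getRequest().getAttribute(FILTER_APPLIED) == null;
        HttpSession session = graniteContext.getSession(false);
        if (session != null && this.securityContextRepository.containsContext(graniteContext.getRequest())) {
            this.authenticationExtension.endSession(session);
            session.invalidate();
        }
        if (filterNotApplied) {
            SecurityContextHolder.clearContext();
        }
    }

    /**
     * Tests whether any granted authority matches the given role.
     *
     * <p>The role is applied as a regular expression through {@link String#matches(String)}, so
     * it must match the whole authority string, and metacharacters in a role name (for example
     * {@code .}) are interpreted as regex syntax rather than literally.
     *
     * @param authentication the authenticated caller
     * @param str            the role pattern configured on the destination
     * @return {@code true} if at least one authority matches
     */
    protected boolean isUserInRole(Authentication authentication, String str) {
        // NOTE(review): role names are regex patterns here; a role written with unescaped
        // metacharacters grants access to more authorities than a literal comparison would.
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            String granted = authority.getAuthority();
            // An authority without a string form cannot match a role and must not abort the check.
            if (granted != null && granted.matches(str)) {
                return true;
            }
        }
        return false;
    }

    /** Returns whether the authentication is non-null and reports itself as authenticated. */
    protected boolean isAuthenticated(Authentication authentication) {
        return authentication != null && authentication.isAuthenticated();
    }

    /**
     * Checks the caller against the roles of the destination.
     *
     * <p>Access is granted on the first matching role. A destination whose role collection is
     * empty denies access.
     *
     * @param abstractSecurityContext the invocation context providing the destination roles
     * @param authentication          the authenticated caller, must not be {@code null}
     * @return {@code true} if the caller holds one of the destination's roles
     */
    protected boolean userCanAccessService(AbstractSecurityContext abstractSecurityContext, Authentication authentication) {
        log.debug("Is authenticated as: %s", new Object[]{authentication.getName()});
        for (String role : abstractSecurityContext.getDestination().getRoles()) {
            if (isUserInRole(authentication, role)) {
                log.debug("Allowed access to %s in role %s", new Object[]{authentication.getName(), role});
                return true;
            }
            log.debug("Access denied for %s not in role %s", new Object[]{authentication.getName(), role});
        }
        return false;
    }

    /**
     * Walks the cause chain of an invocation failure and translates security-related causes.
     *
     * <p>Reconstructed from the decompiler's instruction dump, which replaced the body with an
     * unconditional {@link UnsupportedOperationException}. A {@link SecurityException}, a Spring
     * {@link AccessDeniedException} or a {@code javax.ejb.EJBAccessException} (matched by class
     * name) becomes an "access denied" fault; a Spring {@link AuthenticationException} becomes a
     * "not logged in" fault. The method returns normally when no such cause is found.
     *
     * @param invocationTargetException the failure raised by the service invocation
     * @throws SecurityServiceException if a security-related cause is found in the chain
     */
    protected void handleAuthorizationExceptions(InvocationTargetException invocationTargetException) {
        for (Throwable cause = invocationTargetException; cause != null; cause = cause.getCause()) {
            if (cause instanceof SecurityException
                    || cause instanceof AccessDeniedException
                    || "javax.ejb.EJBAccessException".equals(cause.getClass().getName())) {
                throw SecurityServiceException.newAccessDeniedException(cause.getMessage());
            }
            if (cause instanceof AuthenticationException) {
                throw SecurityServiceException.newNotLoggedInException(cause.getMessage());
            }
        }
    }

    /**
     * Saves the context using the request and response currently held by the holder, which are
     * read reflectively. Failures are logged and not propagated.
     */
    private void saveContext(SecurityContext context, HttpRequestResponseHolder holder, String failureMessage) {
        try {
            this.securityContextRepository.saveContext(
                    context,
                    (HttpServletRequest) this.getRequest.invoke(holder, new Object[0]),
                    (HttpServletResponse) this.getResponse.invoke(holder, new Object[0]));
        } catch (Exception e) {
            log.error(e, failureMessage, new Object[0]);
        }
    }

    /** Returns the authentication's name, or the fallback label when there is no authentication. */
    private static String nameOf(Authentication authentication, String fallback) {
        return authentication != null ? authentication.getName() : fallback;
    }
}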
