package com.google.apphosting.vmruntime.jetty9;

import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;
import com.google.apphosting.api.ApiProxy;
import com.google.apphosting.vmruntime.VmApiProxyEnvironment;
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.security.authentication.DeferredAuthentication;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.HttpChannel;
import org.eclipse.jetty.server.UserIdentity;

/* loaded from: input_file:com/google/apphosting/vmruntime/jetty9/AppEngineAuthentication.class */
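/**
 * Connects Jetty's constraint-based security to the App Engine Users API.
 *
 * <p>{@link #configureSecurityHandler} installs an authenticator, a login service and the two
 * roles this class understands ({@code "*"} and {@code "admin"}) on a
 * {@link ConstraintSecurityHandler}. Identity is never established from credentials in the
 * request; it is always read from {@link UserService}.
 */
class AppEngineAuthentication {
    private static final Logger log = Logger.getLogger(AppEngineAuthentication.class.getName());

    /** Requests whose URI starts with this prefix are not challenged by the authenticator. */
    private static final String AUTH_URL_PREFIX = "/_ah/";
    private static final String AUTH_METHOD = "Google Login";
    private static final String REALM_NAME = "Google App Engine";

    /** Request attribute whose presence makes the authenticator return a deferred result. */
    private static final String SKIP_ADMIN_CHECK_ATTR = "com.google.apphosting.internal.SkipAdminCheck";

    /** Role granted to every identity that has a principal. */
    private static final String USER_ROLE = "*";

    /** Role granted only when the Users API reports the current user as an admin. */
    private static final String ADMIN_ROLE = "admin";

    /**
     * Authenticator that gates requests on a trusted source address and then on the Users API
     * login state.
     */
    private static class AppEngineAuthenticator extends LoginAuthenticator {
        /** Header consulted for the caller's address before the socket peer address. */
        private static final String REAL_IP_HEADER = "X-Google-Real-IP";

        private final VmRuntimeTrustedAddressChecker checker;

        /**
         * Reports whether {@code path} starts with {@link AppEngineAuthentication#AUTH_URL_PREFIX}.
         *
         * <p>NOTE(review): callers pass {@code getRequestURI()}, i.e. the request target as
         * received. Anything matching here is not challenged, so confirm that the container has
         * already canonicalised or rejected dot-segments and path parameters before this runs.
         */
        private static boolean isLoginOrErrorPage(String path) {
            return path.startsWith(AppEngineAuthentication.AUTH_URL_PREFIX);
        }

        private AppEngineAuthenticator(VmRuntimeTrustedAddressChecker vmRuntimeTrustedAddressChecker) {
            this.checker = vmRuntimeTrustedAddressChecker;
        }

        @Override
        public String getAuthMethod() {
            return AppEngineAuthentication.AUTH_METHOD;
        }

        /**
         * Decides how a request is authenticated.
         *
         * <p>In order: non-mandatory requests are deferred; requests from an address the checker
         * does not trust are answered with a 307 to the environment's redirect URL; requests under
         * {@code /_ah/} or carrying the SkipAdminCheck attribute are deferred; a logged-in user
         * yields a {@link UserAuthentication}; anyone else is redirected to the login URL.
         *
         * @param servletRequest the request, expected to be an {@link HttpServletRequest}
         * @param servletResponse the response, expected to be an {@link HttpServletResponse}
         * @param mandatory whether authentication is required for this request
         * @return the authentication outcome
         * @throws ServerAuthException if the response is null, no VM environment is available for
         *     the untrusted-address redirect, or writing the redirect/error fails
         */
        @Override
        public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean mandatory) throws ServerAuthException {
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            HttpServletResponse response = (HttpServletResponse) servletResponse;
            if (!mandatory) {
                return new DeferredAuthentication(this);
            }
            // Checked before the response is first used; the original tested this only after
            // the redirect branch below had already dereferenced it.
            if (response == null) {
                throw new ServerAuthException("validateRequest called with null response!!!");
            }

            // SECURITY: the header wins over the socket peer address. That is only sound if the
            // hop in front of this runtime strips or overwrites X-Google-Real-IP on inbound
            // traffic; otherwise the value is caller-supplied. TODO confirm for the deployment.
            String remoteAddr = request.getHeader(REAL_IP_HEADER);
            if (remoteAddr == null) {
                HttpChannel channel = HttpChannel.getCurrentHttpChannel();
                if (channel != null) {
                    remoteAddr = channel.getEndPoint().getRemoteAddress().getAddress().getHostAddress();
                }
            }

            if (!this.checker.isTrustedRemoteAddr(remoteAddr)) {
                VmApiProxyEnvironment environment = getThreadLocalEnvironment();
                if (environment == null) {
                    // Fail closed with a diagnosable error instead of a NullPointerException.
                    throw new ServerAuthException("No VmApiProxyEnvironment available to redirect a request from an untrusted address.");
                }
                String location = environment.getL7UnsafeRedirectUrl() + request.getRequestURI();
                String query = request.getQueryString();
                if (query != null) {
                    location = location + "?" + query;
                }
                response.setStatus(HttpServletResponse.SC_TEMPORARY_REDIRECT);
                response.setHeader("Location", location);
                return Authentication.SEND_CONTINUE;
            }

            String requestURI = request.getRequestURI();
            if (requestURI == null) {
                requestURI = "/";
            }
            // NOTE(review): a deferred result for a mandatory request presumably lets the request
            // proceed without the role check; confirm against the Jetty SecurityHandler in use.
            if (isLoginOrErrorPage(requestURI) && !DeferredAuthentication.isDeferred(response)) {
                AppEngineAuthentication.log.fine("Got " + requestURI + ", returning DeferredAuthentication to imply authentication is in progress.");
                return new DeferredAuthentication(this);
            }
            // A request attribute can only be set by server-side code, so whatever sets this one
            // is part of the trust boundary for admin-constrained URLs.
            if (request.getAttribute(AppEngineAuthentication.SKIP_ADMIN_CHECK_ATTR) != null) {
                AppEngineAuthentication.log.fine("Returning DeferredAuthentication because of SkipAdminCheck.");
                return new DeferredAuthentication(this);
            }

            try {
                UserService userService = UserServiceFactory.getUserService();
                if (userService.isUserLoggedIn()) {
                    // Credentials are ignored by the login service; identity comes from the Users API.
                    UserIdentity identity = this._loginService.login(null, null);
                    AppEngineAuthentication.log.fine("authenticate() returning new principal for " + identity);
                    if (identity != null) {
                        return new UserAuthentication(getAuthMethod(), identity);
                    }
                }
                if (DeferredAuthentication.isDeferred(response)) {
                    return Authentication.UNAUTHENTICATED;
                }
                try {
                    AppEngineAuthentication.log.fine("Got " + request.getRequestURI() + " but no one was logged in, redirecting.");
                    response.sendRedirect(userService.createLoginURL(AppEngineAuthentication.getFullURL(request)));
                    return Authentication.SEND_CONTINUE;
                } catch (ApiProxy.ApiProxyException e) {
                    AppEngineAuthentication.log.log(Level.SEVERE, "Could not get login URL:", e);
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return Authentication.SEND_FAILURE;
                }
            } catch (IOException e) {
                AppEngineAuthentication.log.log(Level.WARNING, "Got an IOException from sendRedirect:", (Throwable) e);
                throw new ServerAuthException(e);
            }
        }

        /**
         * Always throws: this authenticator does not renew sessions.
         *
         * <p>NOTE(review): presumably replaces the session-renewal hook of
         * {@link LoginAuthenticator}; confirm nothing on the login path reaches it.
         */
        protected HttpSession renewSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
            AppEngineAuthentication.log.warning("renewSession throwing an UnsupportedOperationException");
            throw new UnsupportedOperationException();
        }

        /** Performs no response-side processing and always reports success. */
        @Override
        public boolean secureResponse(ServletRequest servletRequest, ServletResponse servletResponse, boolean mandatory, Authentication.User user) {
            return true;
        }

        /**
         * Returns the current API environment when it is a {@link VmApiProxyEnvironment}.
         *
         * @return the environment, or {@code null} when none of that type is current
         */
        private VmApiProxyEnvironment getThreadLocalEnvironment() {
            ApiProxy.Environment environment = ApiProxy.getCurrentEnvironment();
            if (environment instanceof VmApiProxyEnvironment) {
                return (VmApiProxyEnvironment) environment;
            }
            return null;
        }
    }

    /**
     * Login service that ignores supplied credentials and reports whoever the Users API says is
     * the current user.
     */
    private static class AppEngineLoginService implements LoginService {
        private IdentityService identityService;

        private AppEngineLoginService() {
        }

        @Override
        public String getName() {
            return AppEngineAuthentication.REALM_NAME;
        }

        /**
         * Returns the identity of the current Users API user; both arguments are ignored.
         *
         * @return the identity, or {@code null} when no user is logged in
         */
        @Override
        public UserIdentity login(String username, Object credentials) {
            return loadUser();
        }

        private AppEngineUserIdentity loadUser() {
            User currentUser = UserServiceFactory.getUserService().getCurrentUser();
            if (currentUser == null) {
                return null;
            }
            return new AppEngineUserIdentity(new AppEnginePrincipal(currentUser));
        }

        @Override
        public IdentityService getIdentityService() {
            return this.identityService;
        }

        /** Does nothing beyond logging; no login state is held here to clear. */
        @Override
        public void logout(UserIdentity userIdentity) {
            if (userIdentity != null) {
                AppEngineAuthentication.log.fine("Ignoring logout call for: " + userIdentity);
            }
        }

        @Override
        public void setIdentityService(IdentityService identityService) {
            this.identityService = identityService;
        }

        /** Always throws: identities are never re-validated through this service. */
        @Override
        public boolean validate(UserIdentity userIdentity) {
            AppEngineAuthentication.log.info("validate(" + userIdentity + ") throwing UnsupportedOperationException.");
            throw new UnsupportedOperationException();
        }
    }

    /** {@link Principal} backed by an App Engine {@link User}. */
    public static class AppEnginePrincipal implements Principal {
        private final User user;

        public AppEnginePrincipal(User user) {
            this.user = user;
        }

        public User getUser() {
            return this.user;
        }

        /** Returns the federated identity when it is non-empty, otherwise the e-mail address. */
        @Override
        public String getName() {
            String federatedIdentity = this.user.getFederatedIdentity();
            if (federatedIdentity != null && !federatedIdentity.isEmpty()) {
                return federatedIdentity;
            }
            return this.user.getEmail();
        }

        @Override
        public boolean equals(Object other) {
            if (other instanceof AppEnginePrincipal) {
                return this.user.equals(((AppEnginePrincipal) other).user);
            }
            return false;
        }

        @Override
        public String toString() {
            return this.user.toString();
        }

        @Override
        public int hashCode() {
            return this.user.hashCode();
        }
    }

    /** {@link UserIdentity} whose role answers come from the Users API. */
    public static class AppEngineUserIdentity implements UserIdentity {
        private final AppEnginePrincipal userPrincipal;

        public AppEngineUserIdentity(AppEnginePrincipal appEnginePrincipal) {
            this.userPrincipal = appEnginePrincipal;
        }

        /** Always throws: no JAAS subject is maintained for this identity. */
        @Override
        public Subject getSubject() {
            AppEngineAuthentication.log.info("getSubject() throwing UnsupportedOperationException.");
            throw new UnsupportedOperationException();
        }

        @Override
        public Principal getUserPrincipal() {
            return this.userPrincipal;
        }

        /**
         * Answers role membership for the two known roles.
         *
         * <p>{@code "*"} is granted to any identity with a principal. {@code "admin"} is granted
         * only when this identity's user equals the Users API current user and that user is an
         * admin. Every other case, including unknown roles, is denied.
         *
         * @param role the role name being checked
         * @param scope unused
         * @return whether the identity holds {@code role}
         */
        @Override
        public boolean isUserInRole(String role, UserIdentity.Scope scope) {
            UserService userService = UserServiceFactory.getUserService();
            AppEngineAuthentication.log.fine("Checking if principal " + this.userPrincipal + " is in role " + role);
            if (this.userPrincipal == null) {
                AppEngineAuthentication.log.info("isUserInRole() called with null principal.");
                return false;
            }
            if (AppEngineAuthentication.USER_ROLE.equals(role)) {
                return true;
            }
            if (!AppEngineAuthentication.ADMIN_ROLE.equals(role)) {
                AppEngineAuthentication.log.warning("Unknown role: " + role + ".");
                return false;
            }
            User user = this.userPrincipal.getUser();
            // isUserAdmin() describes the Users API current user only, so an identity for anyone
            // else cannot be answered and is denied.
            if (user.equals(userService.getCurrentUser())) {
                return userService.isUserAdmin();
            }
            AppEngineAuthentication.log.severe("Cannot tell if non-logged-in user " + user + " is an admin.");
            return false;
        }

        @Override
        public String toString() {
            return AppEngineUserIdentity.class.getSimpleName() + "('" + this.userPrincipal + "')";
        }
    }

    AppEngineAuthentication() {
    }

    /**
     * Installs the App Engine login service, authenticator, identity service and known roles on
     * the given security handler.
     *
     * @param constraintSecurityHandler the handler to configure
     * @param vmRuntimeTrustedAddressChecker decides which remote addresses the authenticator trusts
     */
    public static void configureSecurityHandler(ConstraintSecurityHandler constraintSecurityHandler, VmRuntimeTrustedAddressChecker vmRuntimeTrustedAddressChecker) {
        AppEngineLoginService loginService = new AppEngineLoginService();
        AppEngineAuthenticator authenticator = new AppEngineAuthenticator(vmRuntimeTrustedAddressChecker);
        DefaultIdentityService identityService = new DefaultIdentityService();
        constraintSecurityHandler.setRoles(new HashSet<>(Arrays.asList(USER_ROLE, ADMIN_ROLE)));
        constraintSecurityHandler.setLoginService(loginService);
        constraintSecurityHandler.setAuthenticator(authenticator);
        constraintSecurityHandler.setIdentityService(identityService);
        authenticator.setConfiguration(constraintSecurityHandler);
    }

    /**
     * Rebuilds the full request URL, including the query string when there is one.
     *
     * <p>NOTE(review): the result is handed to {@code createLoginURL} as the post-login
     * destination, and {@code getRequestURL()} reflects host information from the request;
     * presumably the login service validates that destination. Confirm.
     *
     * @param httpServletRequest the request to describe
     * @return the request URL followed by {@code ?query} when a query string is present
     */
    public static String getFullURL(HttpServletRequest httpServletRequest) {
        StringBuffer requestURL = httpServletRequest.getRequestURL();
        String query = httpServletRequest.getQueryString();
        if (query != null) {
            requestURL.append('?').append(query);
        }
        return requestURL.toString();
    }
}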
