package com.google.apphosting.runtime.jetty;

import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;
import com.google.appengine.repackaged.com.google.common.flogger.GoogleLogger;
import com.google.apphosting.api.ApiProxy;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.function.Function;
import javax.security.auth.Subject;
import org.eclipse.jetty.ee10.servlet.security.ConstraintSecurityHandler;
import org.eclipse.jetty.http.HttpURI;
import org.eclipse.jetty.security.AuthenticationState;
import org.eclipse.jetty.security.Constraint;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.UserIdentity;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.Session;
import org.eclipse.jetty.util.Callback;

/* loaded from: input_file:com/google/apphosting/runtime/jetty/EE10AppEngineAuthentication.class */
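/**
 * Wires App Engine's {@link UserService} into a Jetty EE10 {@link ConstraintSecurityHandler}.
 *
 * <p>No credentials are processed in this class: the authenticated identity is whatever
 * {@link UserService#getCurrentUser()} reports for the current request. Two code paths relax
 * the configured security constraints and deserve attention during review:
 *
 * <ul>
 *   <li>paths beginning with {@code /_ah/} are answered with
 *       {@link Constraint.Authorization#ALLOWED} by the authenticator, and
 *   <li>requests carrying the {@code com.google.apphosting.internal.SkipAdminCheck} attribute
 *       are answered with {@link Constraint#ALLOWED} by the security handler.
 * </ul>
 */
public class EE10AppEngineAuthentication {
    private static final GoogleLogger logger = GoogleLogger.forEnclosingClass();

    // Paths with this prefix are exempted from the login requirement by
    // AppEngineAuthenticator.getConstraintAuthentication().
    private static final String AUTH_URL_PREFIX = "/_ah/";
    private static final String AUTH_METHOD = "Google Login";
    private static final String REALM_NAME = "Google App Engine";

    // Request attribute whose mere presence (any non-null value) disables constraint checking
    // for that request; see newSecurityHandler().
    // NOTE(review): this must only ever be set by trusted runtime code. Confirm that no code
    // path copies client-controlled data (headers, parameters) into this attribute.
    private static final String SKIP_ADMIN_CHECK_ATTR = "com.google.apphosting.internal.SkipAdminCheck";

    // "*" is treated as "any authenticated user" by AppEngineUserIdentity.isUserInRole().
    private static final String USER_ROLE = "*";
    private static final String ADMIN_ROLE = "admin";

    /**
     * Authenticator that relies on {@link UserService} for the login state and redirects
     * unauthenticated requests to the URL returned by {@link UserService#createLoginURL}.
     */
    private static class AppEngineAuthenticator extends LoginAuthenticator {
        private AppEngineAuthenticator() {
        }

        /**
         * Returns whether {@code str} starts with {@code /_ah/}.
         *
         * <p>This is a plain prefix comparison on the string as received; no decoding or
         * normalization happens here.
         * NOTE(review): assumes the caller passes an already-normalized path in context —
         * confirm against the Jetty caller.
         */
        private static boolean isLoginOrErrorPage(String str) {
            return str.startsWith(EE10AppEngineAuthentication.AUTH_URL_PREFIX);
        }

        @Override
        public String getAuthenticationType() {
            return EE10AppEngineAuthentication.AUTH_METHOD;
        }

        /**
         * Exempts {@code /_ah/} paths from authentication; every other path is delegated to the
         * superclass.
         *
         * @param str the path being checked
         * @param authorization the authorization passed in by the caller
         * @param function session accessor, passed through to the superclass unchanged
         * @return {@link Constraint.Authorization#ALLOWED} for {@code /_ah/} paths, otherwise the
         *     superclass result
         */
        @Override
        public Constraint.Authorization getConstraintAuthentication(String str, Constraint.Authorization authorization, Function<Boolean, Session> function) {
            if (!isLoginOrErrorPage(str)) {
                return super.getConstraintAuthentication(str, authorization, function);
            }
            // The log text mentions DeferredAuthentication, but the value returned is ALLOWED.
            // The message is left unchanged so existing log searches keep matching.
            EE10AppEngineAuthentication.logger.atFine().log("Got %s, returning DeferredAuthentication to imply authentication is in progress.", str);
            return Constraint.Authorization.ALLOWED;
        }

        /**
         * Resolves the authentication state for a request.
         *
         * <ol>
         *   <li>If {@link UserService#isUserLoggedIn()} is true and the login service yields an
         *       identity, authentication succeeds with that identity.
         *   <li>Otherwise, if the response is deferred, {@code null} is returned and no challenge
         *       is sent.
         *   <li>Otherwise the client is redirected to the login URL and
         *       {@link AuthenticationState#CHALLENGE} is returned.
         *   <li>If the login URL cannot be obtained, a 403 is written and
         *       {@link AuthenticationState#SEND_FAILURE} is returned.
         * </ol>
         */
        @Override
        public AuthenticationState validateRequest(Request request, Response response, Callback callback) {
            UserService userService = UserServiceFactory.getUserService();
            if (userService.isUserLoggedIn()) {
                // All arguments are null on purpose: AppEngineLoginService.login() ignores them
                // and reads the current user from UserService.
                UserIdentity login = this._loginService.login(null, null, null, (Function<Boolean, Session>) null);
                if (login != null) {
                    // Logged only when an identity is actually returned; previously this line
                    // also fired with "null" right before falling through to the redirect.
                    EE10AppEngineAuthentication.logger.atFine().log("authenticate() returning new principal for %s", login);
                    return new LoginAuthenticator.UserAuthenticationSucceeded(getAuthenticationType(), login);
                }
            }
            if (AuthenticationState.Deferred.isDeferred(response)) {
                return null;
            }
            try {
                EE10AppEngineAuthentication.logger.atFine().log("Got %s but no one was logged in, redirecting.", request.getHttpURI().getPath());
                // The post-login destination is the request's own URI rendered as a string.
                // NOTE(review): confirm that createLoginURL / the login endpoint restricts the
                // destination to this application.
                Response.sendRedirect(request, response, callback, userService.createLoginURL(HttpURI.build(request.getHttpURI()).asString()));
                return AuthenticationState.CHALLENGE;
            } catch (ApiProxy.ApiProxyException e) {
                EE10AppEngineAuthentication.logger.atSevere().withCause(e).log("Could not get login URL:");
                Response.writeError(request, response, callback, 403);
                return AuthenticationState.SEND_FAILURE;
            }
        }
    }

    /**
     * {@link LoginService} whose only source of identity is
     * {@link UserService#getCurrentUser()}; the credentials passed to {@link #login} are
     * ignored.
     */
    private static class AppEngineLoginService implements LoginService {
        private IdentityService identityService;

        private AppEngineLoginService() {
        }

        @Override
        public String getName() {
            return EE10AppEngineAuthentication.REALM_NAME;
        }

        /**
         * Returns the identity of the current App Engine user, or {@code null} when there is
         * none. None of the parameters are read.
         */
        @Override
        public UserIdentity login(String str, Object obj, Request request, Function<Boolean, Session> function) {
            return loadUser();
        }

        /** Wraps the current {@link User} in an identity, or returns {@code null} if absent. */
        private AppEngineUserIdentity loadUser() {
            User currentUser = UserServiceFactory.getUserService().getCurrentUser();
            if (currentUser == null) {
                return null;
            }
            return new AppEngineUserIdentity(new AppEnginePrincipal(currentUser));
        }

        @Override
        public IdentityService getIdentityService() {
            return this.identityService;
        }

        /**
         * Does nothing beyond logging: this method does not end the user's login. Callers that
         * need a real sign-out cannot rely on it.
         */
        @Override
        public void logout(UserIdentity userIdentity) {
            if (userIdentity != null) {
                EE10AppEngineAuthentication.logger.atFine().log("Ignoring logout call for: %s", userIdentity);
            }
        }

        @Override
        public void setIdentityService(IdentityService identityService) {
            this.identityService = identityService;
        }

        /**
         * Not supported.
         *
         * @throws UnsupportedOperationException always
         */
        @Override
        public boolean validate(UserIdentity userIdentity) {
            EE10AppEngineAuthentication.logger.atInfo().log("validate(%s) throwing UnsupportedOperationException.", userIdentity);
            throw new UnsupportedOperationException();
        }
    }

    /**
     * {@link Principal} backed by an App Engine {@link User}. Equality, hash code and string
     * form all delegate to the wrapped user, which must not be {@code null}.
     */
    public static class AppEnginePrincipal implements Principal {
        private final User user;

        public AppEnginePrincipal(User user) {
            this.user = user;
        }

        public User getUser() {
            return this.user;
        }

        /**
         * Returns the federated identity when it is present and non-empty, otherwise the
         * user's e-mail address.
         */
        @Override // java.security.Principal
        public String getName() {
            String federatedIdentity = this.user.getFederatedIdentity();
            return (federatedIdentity == null || federatedIdentity.isEmpty()) ? this.user.getEmail() : federatedIdentity;
        }

        @Override // java.security.Principal
        public boolean equals(Object obj) {
            if (obj instanceof AppEnginePrincipal) {
                return this.user.equals(((AppEnginePrincipal) obj).user);
            }
            return false;
        }

        @Override // java.security.Principal
        public String toString() {
            return this.user.toString();
        }

        @Override // java.security.Principal
        public int hashCode() {
            return this.user.hashCode();
        }
    }

    /** {@link UserIdentity} that answers role checks by consulting {@link UserService}. */
    public static class AppEngineUserIdentity implements UserIdentity {
        private final AppEnginePrincipal userPrincipal;

        public AppEngineUserIdentity(AppEnginePrincipal appEnginePrincipal) {
            this.userPrincipal = appEnginePrincipal;
        }

        /**
         * Not supported.
         *
         * @throws UnsupportedOperationException always
         */
        @Override
        public Subject getSubject() {
            EE10AppEngineAuthentication.logger.atInfo().log("getSubject() throwing UnsupportedOperationException.");
            throw new UnsupportedOperationException();
        }

        @Override
        public Principal getUserPrincipal() {
            return this.userPrincipal;
        }

        /**
         * Decides role membership for this identity.
         *
         * <ul>
         *   <li>A {@code null} principal is in no role.
         *   <li>{@code "*"} is granted to every non-null principal.
         *   <li>{@code "admin"} is granted only when this identity's user equals the user
         *       currently reported by {@link UserService} and {@link UserService#isUserAdmin()}
         *       is true.
         *   <li>Any other role name is denied.
         * </ul>
         *
         * @param str the role name to check
         * @return whether this identity holds the role
         */
        @Override
        public boolean isUserInRole(String str) {
            UserService userService = UserServiceFactory.getUserService();
            EE10AppEngineAuthentication.logger.atFine().log("Checking if principal %s is in role %s", this.userPrincipal, str);
            if (this.userPrincipal == null) {
                EE10AppEngineAuthentication.logger.atInfo().log("isUserInRole() called with null principal.");
                return false;
            }
            if (EE10AppEngineAuthentication.USER_ROLE.equals(str)) {
                return true;
            }
            if (!EE10AppEngineAuthentication.ADMIN_ROLE.equals(str)) {
                EE10AppEngineAuthentication.logger.atWarning().log("Unknown role: %s.", str);
                return false;
            }
            User user = this.userPrincipal.getUser();
            // isUserAdmin() describes the *current* user only, so the admin answer is trusted
            // solely when this identity is that same user; anything else is denied.
            if (user.equals(userService.getCurrentUser())) {
                return userService.isUserAdmin();
            }
            EE10AppEngineAuthentication.logger.atSevere().log("Cannot tell if non-logged-in user %s is an admin.", user);
            return false;
        }

        @Override
        public String toString() {
            return AppEngineUserIdentity.class.getSimpleName() + "('" + this.userPrincipal + "')";
        }
    }

    /**
     * Builds a {@link ConstraintSecurityHandler} configured with the App Engine login service,
     * authenticator and the roles {@code "*"} and {@code "admin"}.
     *
     * <p>The returned handler skips constraint evaluation for any request that has a non-null
     * {@code com.google.apphosting.internal.SkipAdminCheck} attribute. Only the presence of the
     * attribute is tested, so even a value such as {@code Boolean.FALSE} disables the check.
     *
     * @return the configured security handler
     */
    public static ConstraintSecurityHandler newSecurityHandler() {
        ConstraintSecurityHandler constraintSecurityHandler = new ConstraintSecurityHandler() {
            @Override
            protected Constraint getConstraint(String str, Request request) {
                if (request.getAttribute(EE10AppEngineAuthentication.SKIP_ADMIN_CHECK_ATTR) == null) {
                    return super.getConstraint(str, request);
                }
                // The log text mentions DeferredAuthentication, but the value returned is
                // Constraint.ALLOWED. The message is left unchanged for log compatibility.
                EE10AppEngineAuthentication.logger.atFine().log("Returning DeferredAuthentication because of SkipAdminCheck.");
                return Constraint.ALLOWED;
            }
        };
        AppEngineLoginService appEngineLoginService = new AppEngineLoginService();
        AppEngineAuthenticator appEngineAuthenticator = new AppEngineAuthenticator();
        DefaultIdentityService defaultIdentityService = new DefaultIdentityService();
        constraintSecurityHandler.setRoles(new HashSet<>(Arrays.asList(USER_ROLE, ADMIN_ROLE)));
        constraintSecurityHandler.setLoginService(appEngineLoginService);
        constraintSecurityHandler.setAuthenticator(appEngineAuthenticator);
        constraintSecurityHandler.setIdentityService(defaultIdentityService);
        appEngineAuthenticator.setConfiguration(constraintSecurityHandler);
        return constraintSecurityHandler;
    }
}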
