package io.undertow.security.impl;

import io.undertow.UndertowLogger;
import io.undertow.UndertowMessages;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.AuthenticationMechanismContext;
import io.undertow.security.api.AuthenticationMode;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.idm.PasswordCredential;
import io.undertow.server.HttpServerExchange;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;

/* loaded from: input_file:BOOT-INF/lib/undertow-core-1.4.18.Final.jar:io/undertow/security/impl/SecurityContextImpl.class */
public class SecurityContextImpl extends AbstractSecurityContext implements AuthenticationMechanismContext {
    private static final RuntimePermission PERMISSION = new RuntimePermission("MODIFY_UNDERTOW_SECURITY_CONTEXT");
    private AuthenticationState authenticationState;
    private final AuthenticationMode authenticationMode;
    private String programaticMechName;
    private Node<AuthenticationMechanism> authMechanisms;
    private final IdentityManager identityManager;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/undertow-core-1.4.18.Final.jar:io/undertow/security/impl/SecurityContextImpl$AuthAttempter.class */
    public class AuthAttempter {
        private Node<AuthenticationMechanism> currentMethod;
        private final HttpServerExchange exchange;

        private AuthAttempter(Node<AuthenticationMechanism> node, HttpServerExchange httpServerExchange) {
            this.exchange = httpServerExchange;
            this.currentMethod = node;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public AuthenticationState transition() {
            if (this.currentMethod == null) {
                return AuthenticationState.ATTEMPTED;
            }
            AuthenticationMechanism authenticationMechanism = this.currentMethod.item;
            this.currentMethod = this.currentMethod.next;
            AuthenticationMechanism.AuthenticationMechanismOutcome authenticate = authenticationMechanism.authenticate(this.exchange, SecurityContextImpl.this);
            UndertowLogger.SECURITY_LOGGER.debugf("Authentication outcome was %s with method %s for %s", authenticate, authenticationMechanism, this.exchange);
            if (authenticate == null) {
                throw UndertowMessages.MESSAGES.authMechanismOutcomeNull();
            }
            switch (authenticate) {
                case AUTHENTICATED:
                    return AuthenticationState.AUTHENTICATED;
                case NOT_AUTHENTICATED:
                    SecurityContextImpl.this.setAuthenticationRequired();
                    return AuthenticationState.ATTEMPTED;
                case NOT_ATTEMPTED:
                    return transition();
                default:
                    throw new IllegalStateException();
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:BOOT-INF/lib/undertow-core-1.4.18.Final.jar:io/undertow/security/impl/SecurityContextImpl$AuthenticationState.class */
    public enum AuthenticationState {
        NOT_ATTEMPTED,
        ATTEMPTED,
        AUTHENTICATED,
        CHALLENGE_SENT
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/undertow-core-1.4.18.Final.jar:io/undertow/security/impl/SecurityContextImpl$ChallengeSender.class */
    public class ChallengeSender {
        private Node<AuthenticationMechanism> currentMethod;
        private final HttpServerExchange exchange;
        private Integer chosenStatusCode;
        private boolean challengeSent;

        private ChallengeSender(Node<AuthenticationMechanism> node, HttpServerExchange httpServerExchange) {
            this.chosenStatusCode = null;
            this.challengeSent = false;
            this.exchange = httpServerExchange;
            this.currentMethod = node;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public AuthenticationState transition() {
            if (this.currentMethod == null) {
                if (!this.exchange.isResponseStarted()) {
                    if (this.chosenStatusCode == null) {
                        if (!this.challengeSent) {
                            this.exchange.setStatusCode(403);
                        }
                    } else if (this.chosenStatusCode.equals(200)) {
                        this.exchange.setStatusCode(this.chosenStatusCode.intValue());
                    }
                }
                return AuthenticationState.CHALLENGE_SENT;
            }
            AuthenticationMechanism authenticationMechanism = this.currentMethod.item;
            this.currentMethod = this.currentMethod.next;
            AuthenticationMechanism.ChallengeResult sendChallenge = authenticationMechanism.sendChallenge(this.exchange, SecurityContextImpl.this);
            if (sendChallenge == null) {
                throw UndertowMessages.MESSAGES.sendChallengeReturnedNull(authenticationMechanism);
            }
            if (sendChallenge.isChallengeSent()) {
                this.challengeSent = true;
                Integer desiredResponseCode = sendChallenge.getDesiredResponseCode();
                if (desiredResponseCode != null && (this.chosenStatusCode == null || this.chosenStatusCode.equals(200))) {
                    this.chosenStatusCode = desiredResponseCode;
                    if (!this.chosenStatusCode.equals(200) && !this.exchange.isResponseStarted()) {
                        this.exchange.setStatusCode(this.chosenStatusCode.intValue());
                    }
                }
            }
            return transition();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/undertow-core-1.4.18.Final.jar:io/undertow/security/impl/SecurityContextImpl$Node.class */
    public static final class Node<T> {
        final T item;
        Node<T> next;

        private Node(T t) {
            this.item = t;
        }
    }

    public SecurityContextImpl(HttpServerExchange httpServerExchange, IdentityManager identityManager) {
        this(httpServerExchange, AuthenticationMode.PRO_ACTIVE, identityManager);
    }

    public SecurityContextImpl(HttpServerExchange httpServerExchange, AuthenticationMode authenticationMode, IdentityManager identityManager) {
        super(httpServerExchange);
        this.authenticationState = AuthenticationState.NOT_ATTEMPTED;
        this.programaticMechName = "Programatic";
        this.authMechanisms = null;
        this.authenticationMode = authenticationMode;
        this.identityManager = identityManager;
        if (System.getSecurityManager() != null) {
            System.getSecurityManager().checkPermission(PERMISSION);
        }
    }

    @Override // io.undertow.security.api.SecurityContext
    public boolean authenticate() {
        UndertowLogger.SECURITY_LOGGER.debugf("Attempting to authenticate %s, authentication required: %s", this.exchange, Boolean.valueOf(isAuthenticationRequired()));
        if (this.authenticationState == AuthenticationState.ATTEMPTED || (this.authenticationState == AuthenticationState.CHALLENGE_SENT && !this.exchange.isResponseStarted())) {
            this.authenticationState = AuthenticationState.NOT_ATTEMPTED;
        }
        return !authTransition();
    }

    private boolean authTransition() {
        if (!authTransitionRequired()) {
            UndertowLogger.SECURITY_LOGGER.debugf("Authentication result was %s for %s", this.authenticationState, this.exchange);
            switch (this.authenticationState) {
                case NOT_ATTEMPTED:
                case ATTEMPTED:
                case AUTHENTICATED:
                    return false;
                default:
                    return true;
            }
        }
        switch (this.authenticationState) {
            case NOT_ATTEMPTED:
                this.authenticationState = attemptAuthentication();
                break;
            case ATTEMPTED:
                this.authenticationState = sendChallenges();
                break;
            default:
                throw new IllegalStateException("It should not be possible to reach this.");
        }
        return authTransition();
    }

    private AuthenticationState attemptAuthentication() {
        return new AuthAttempter(this.authMechanisms, this.exchange).transition();
    }

    private AuthenticationState sendChallenges() {
        UndertowLogger.SECURITY_LOGGER.debugf("Sending authentication challenge for %s", this.exchange);
        return new ChallengeSender(this.authMechanisms, this.exchange).transition();
    }

    private boolean authTransitionRequired() {
        switch (this.authenticationState) {
            case NOT_ATTEMPTED:
                return isAuthenticationRequired() || this.authenticationMode == AuthenticationMode.PRO_ACTIVE;
            case ATTEMPTED:
                return isAuthenticationRequired();
            default:
                return false;
        }
    }

    public void setProgramaticMechName(String str) {
        this.programaticMechName = str;
    }

    @Override // io.undertow.security.api.SecurityContext
    public void addAuthenticationMechanism(AuthenticationMechanism authenticationMechanism) {
        if (this.authMechanisms == null) {
            this.authMechanisms = new Node<>(authenticationMechanism);
            return;
        }
        Node node = this.authMechanisms;
        while (true) {
            Node node2 = node;
            if (node2.next == null) {
                node2.next = new Node<>(authenticationMechanism);
                return;
            }
            node = node2.next;
        }
    }

    @Override // io.undertow.security.api.SecurityContext
    @Deprecated
    public List<AuthenticationMechanism> getAuthenticationMechanisms() {
        LinkedList linkedList = new LinkedList();
        Node node = this.authMechanisms;
        while (true) {
            Node node2 = node;
            if (node2 == null) {
                return Collections.unmodifiableList(linkedList);
            }
            linkedList.add(node2.item);
            node = node2.next;
        }
    }

    @Override // io.undertow.security.api.SecurityContext
    @Deprecated
    public IdentityManager getIdentityManager() {
        return this.identityManager;
    }

    @Override // io.undertow.security.api.SecurityContext
    public boolean login(final String str, final String str2) {
        UndertowLogger.SECURITY_LOGGER.debugf("Attempting programatic login for user %s for request %s", str, this.exchange);
        Account verify = System.getSecurityManager() == null ? this.identityManager.verify(str, new PasswordCredential(str2.toCharArray())) : (Account) AccessController.doPrivileged(new PrivilegedAction<Account>() { // from class: io.undertow.security.impl.SecurityContextImpl.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public Account run() {
                return SecurityContextImpl.this.identityManager.verify(str, new PasswordCredential(str2.toCharArray()));
            }
        });
        if (verify == null) {
            return false;
        }
        authenticationComplete(verify, this.programaticMechName, true);
        this.authenticationState = AuthenticationState.AUTHENTICATED;
        return true;
    }

    @Override // io.undertow.security.impl.AbstractSecurityContext, io.undertow.security.api.SecurityContext
    public void logout() {
        Account authenticatedAccount = getAuthenticatedAccount();
        if (authenticatedAccount != null) {
            UndertowLogger.SECURITY_LOGGER.debugf("Logging out user %s for %s", authenticatedAccount.getPrincipal().getName(), this.exchange);
        } else {
            UndertowLogger.SECURITY_LOGGER.debugf("Logout called with no authenticated user in exchange %s", this.exchange);
        }
        super.logout();
        this.authenticationState = AuthenticationState.NOT_ATTEMPTED;
    }
}
