package org.apache.geronimo.tomcat.security;

import java.io.IOException;
import java.security.Principal;
import java.util.Objects;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.valves.ValveBase;

/* loaded from: input_file:org/apache/geronimo/tomcat/security/SecurityValve.class */
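/**
 * Pipeline valve that enforces the security constraints of a web application.
 *
 * <p>Per request it (1) checks the user-data constraint via the {@link Authorizer}, (2) asks the
 * {@link Authenticator} to validate the request, (3) on success binds the resulting identity to the
 * request and to the {@link IdentityService}, checks resource permissions when authentication is
 * mandatory, and only then invokes the rest of the pipeline.</p>
 *
 * <p>Successful identities whose {@link AuthResult#isContainerCaching()} is set are remembered as a
 * session note under {@link #CACHED_IDENTITY_KEY} and handed back to the authenticator on later
 * requests.</p>
 */
public class SecurityValve extends ValveBase implements org.apache.catalina.Authenticator {
    /** Session note key under which a container-cacheable {@link UserIdentity} is stored. */
    public static final String CACHED_IDENTITY_KEY = "org.apache.geronimo.jaspic.servlet.cachedIdentity";
    private final Authenticator authenticator;
    private final Authorizer authorizer;
    private final IdentityService identityService;

    /**
     * Creates the valve.
     *
     * @param authenticator   validates requests, secures responses and handles login/logout
     * @param authorizer      supplies and evaluates the security constraints of a request
     * @param identityService receives the authenticated identity via {@code associate} and releases
     *                        it via {@code dissociate}
     * @throws NullPointerException if any collaborator is {@code null}
     */
    public SecurityValve(Authenticator authenticator, Authorizer authorizer, IdentityService identityService) {
        super(true);
        this.authenticator = Objects.requireNonNull(authenticator, "authenticator");
        this.authorizer = Objects.requireNonNull(authorizer, "authorizer");
        this.identityService = Objects.requireNonNull(identityService, "identityService");
    }

    /**
     * Enforces the constraints for {@code request} and invokes the next valve only when the
     * request is permitted.
     *
     * <p>The identity established for a SUCCESS result is always released through
     * {@link IdentityService#dissociate} once the pipeline returns (or throws), including the case
     * where the resource-permission check fails with 403 — previously that branch left the
     * association in place.</p>
     *
     * @throws ServletException on a {@link ServerAuthException} or an unknown auth status
     */
    public void invoke(Request request, Response response) throws IOException, ServletException {
        Object constraints = this.authorizer.getConstraints(request);

        // User-data constraint is evaluated first; nothing else runs if it is not satisfied.
        if (!this.authorizer.hasUserDataPermissions(request, constraints)) {
            forbid(response);
            return;
        }

        boolean authMandatory = this.authorizer.isAuthMandatory(request, constraints);
        AuthResult result;
        try {
            result = this.authenticator.validateRequest(request, response, authMandatory, getCachedIdentity(request));
        } catch (ServerAuthException e) {
            throw new ServletException(e);
        }

        TomcatAuthStatus status = result.getAuthStatus();
        if (status == TomcatAuthStatus.FAILURE
                || status == TomcatAuthStatus.SEND_FAILURE
                || status == TomcatAuthStatus.SEND_SUCCESS) {
            // The pipeline is not invoked for these; presumably the authenticator has already
            // written the response it wants the client to see.
            return;
        }
        if (status == TomcatAuthStatus.SEND_CONTINUE) {
            // Keep whatever partial identity the authenticator produced for the next round trip.
            cacheIdentity(request, result);
            return;
        }
        if (status != TomcatAuthStatus.SUCCESS) {
            throw new ServletException("unexpected auth status: " + status);
        }

        Object association = doSuccess(request, result);
        try {
            if (authMandatory
                    && !this.authorizer.hasResourcePermissions(request, result, constraints, result.getUserIdentity())) {
                forbid(response);
                return;
            }
            getNext().invoke(request, response);
        } finally {
            // Exactly once, on every exit from the protected section.
            this.identityService.dissociate(association);
        }
        // Runs after dissociation, as in the original ordering, and only for a served request.
        this.authenticator.secureResponse(request, response, result);
    }

    /**
     * Sends 403 unless an error has already been set on the response.
     */
    private static void forbid(Response response) throws IOException {
        if (!response.isError()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /**
     * Applies a successful authentication result to the request.
     *
     * <p>Caches the identity (when container caching is requested), sets the auth type and user
     * principal on the request when a principal is present, and associates the identity with the
     * {@link IdentityService}. The identity is associated even when it is {@code null}.</p>
     *
     * @return the token returned by {@link IdentityService#associate}, to be passed to
     *         {@link IdentityService#dissociate}
     */
    private Object doSuccess(Request request, AuthResult authResult) {
        cacheIdentity(request, authResult);
        UserIdentity userIdentity = authResult.getUserIdentity();
        Principal userPrincipal = userIdentity == null ? null : userIdentity.getUserPrincipal();
        if (userPrincipal != null) {
            request.setAuthType(this.authenticator.getAuthType());
            request.setUserPrincipal(userPrincipal);
        }
        return this.identityService.associate(userIdentity);
    }

    /**
     * Stores the identity as a session note if there is one and the authenticator asked the
     * container to cache it; creates the session if needed.
     */
    private void cacheIdentity(Request request, AuthResult authResult) {
        UserIdentity userIdentity = authResult.getUserIdentity();
        if (userIdentity == null || !authResult.isContainerCaching()) {
            return;
        }
        // NOTE(review): the identity is bound to the pre-existing session without rotating its id,
        // so session-fixation protection has to come from the authenticator or an outer valve if
        // the container option is not enabled — confirm for this deployment.
        request.getSessionInternal(true).setNote(CACHED_IDENTITY_KEY, userIdentity);
    }

    /**
     * Returns the identity cached by {@link #cacheIdentity}, or {@code null} when there is no
     * session or no note.
     */
    private UserIdentity getCachedIdentity(Request request) {
        Session session = request.getSessionInternal(false);
        return session == null ? null : (UserIdentity) session.getNote(CACHED_IDENTITY_KEY);
    }

    /**
     * Programmatic authentication with authentication treated as mandatory.
     *
     * <p>{@code loginConfig} is accepted for interface compatibility but not consulted.</p>
     *
     * @return {@code true} only for a SUCCESS result, in which case the identity is applied to the
     *         request via {@link #doSuccess}
     * @throws IOException wrapping a {@link ServerAuthException}
     */
    public boolean authenticate(Request request, HttpServletResponse httpServletResponse, LoginConfig loginConfig) throws IOException {
        AuthResult result;
        try {
            result = this.authenticator.validateRequest(request, httpServletResponse, true, getCachedIdentity(request));
        } catch (ServerAuthException e) {
            // Chain the ServerAuthException itself rather than its (possibly null) cause so no
            // frames are lost.
            throw new IOException(e.getMessage(), e);
        }
        if (!TomcatAuthStatus.SUCCESS.equals(result.getAuthStatus())) {
            return false;
        }
        doSuccess(request, result);
        return true;
    }

    /**
     * Programmatic login with credentials.
     *
     * @throws ServletException if the authenticator does not report SUCCESS (the message carries
     *                          no credential material)
     */
    public void login(String username, String password, Request request) throws ServletException {
        AuthResult result = this.authenticator.login(username, password, request);
        if (result.getAuthStatus() != TomcatAuthStatus.SUCCESS) {
            throw new ServletException("Could not log in");
        }
        doSuccess(request, result);
    }

    /**
     * Programmatic logout: notifies the authenticator, clears the principal and auth type set by
     * {@link #doSuccess}, drops the cached identity note and associates a {@code null} identity.
     */
    public void logout(Request request) throws ServletException {
        this.authenticator.logout(request);
        request.setUserPrincipal((Principal) null);
        // Mirror doSuccess(): the auth type was set together with the principal, so clear both.
        request.setAuthType(null);
        Session session = request.getSessionInternal(false);
        if (session != null) {
            session.removeNote(CACHED_IDENTITY_KEY);
        }
        // The association token is intentionally discarded here, as before.
        this.identityService.associate(null);
    }
}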
