package org.apache.jackrabbit.core.security.authentication;

import java.security.Principal;
import java.util.Map;
import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.security.authentication.token.TokenBasedAuthentication;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:jackrabbit-core-2.13.6.jar:org/apache/jackrabbit/core/security/authentication/DefaultLoginModule.class */
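/**
 * Login module that resolves a repository {@link User} for the supplied credentials and
 * authenticates it either through a login token or through {@link SimpleCredentialsAuthentication}.
 *
 * <p>Two options are read in {@link #doInit}: {@code disableTokenAuth} switches token handling off,
 * and {@code tokenExpiration} overrides {@link TokenBasedAuthentication#TOKEN_EXPIRATION}.
 *
 * <p>Security-relevant behavior visible in this class:
 * <ul>
 *   <li>On a successful commit the login token (newly created or the one presented) is added to the
 *       Subject's <em>public</em> credential set. NOTE(review): that set is readable by any code
 *       holding the Subject; confirm every consumer treats the token as a secret.</li>
 *   <li>{@link #user} and {@code tokenCredentials} are per-instance state that is written during
 *       {@link #getPrincipal} / {@link #getUserID} and read later by {@link #getAuthentication},
 *       {@link #impersonate} and {@link #commit}. Nothing in this class resets them or synchronizes
 *       access, so an instance is presumably meant to serve a single login attempt; verify against
 *       the caller.</li>
 * </ul>
 *
 * <p>This listing is decompiler output (see the JADX notes on individual methods).
 */
public class DefaultLoginModule extends AbstractLoginModule {
    private static final Logger log = LoggerFactory.getLogger(DefaultLoginModule.class);
    // Option keys looked up in the map handed to doInit().
    private static final String PARAM_DISABLE_TOKEN_AUTH = "disableTokenAuth";
    private static final String PARAM_TOKEN_EXPIRATION = "tokenExpiration";
    // When true, TokenCredentials are rejected and no token is created or published on commit.
    private boolean disableTokenAuth;
    // Expiration passed to TokenBasedAuthentication; unit is not visible here (presumably ms, TODO confirm).
    private long tokenExpiration = TokenBasedAuthentication.TOKEN_EXPIRATION;
    // User resolved by getPrincipal(); stays assigned even when that user turned out to be disabled.
    protected User user;
    private SessionImpl session;
    private UserManager userManager;
    // Set by getUserID() as soon as token-based credentials are seen, before they are validated.
    private TokenCredentials tokenCredentials;

    /**
     * Completes the login and, unless token authentication is disabled, publishes a login token.
     *
     * <p>If {@link TokenBasedAuthentication#doCreateToken} asks for a token, one is created through
     * a separate session on the same workspace and added to the Subject's public credentials;
     * otherwise the token credentials presented at login (if any) are added instead. The helper
     * session is always logged out, whether token creation succeeds or fails.
     *
     * @return the result of {@code super.commit()}
     * @throws LoginException if the superclass commit fails or token creation raises a
     *         {@link RepositoryException} (kept as the cause)
     */
    @Override // org.apache.jackrabbit.core.security.authentication.AbstractLoginModule
    public boolean commit() throws LoginException {
        boolean commit = super.commit();
        if (!commit || this.disableTokenAuth) {
            return commit;
        }
        if (TokenBasedAuthentication.doCreateToken(this.credentials)) {
            Session tokenSession = null;
            try {
                tokenSession = this.session.createSession(this.session.getWorkspace().getName());
                Credentials createdToken = TokenBasedAuthentication.createToken(
                        this.user, this.credentials, this.tokenExpiration, tokenSession);
                if (createdToken != null) {
                    this.subject.getPublicCredentials().add(createdToken);
                }
            } catch (RepositoryException e) {
                LoginException loginException = new LoginException("Failed to commit: " + e.getMessage());
                loginException.initCause(e);
                throw loginException;
            } finally {
                // Release the helper session on every path so a failed token creation cannot leak it.
                if (tokenSession != null) {
                    tokenSession.logout();
                }
            }
        } else if (this.tokenCredentials != null) {
            this.subject.getPublicCredentials().add(this.tokenCredentials);
        }
        return commit;
    }

    /**
     * Binds the module to the given session and reads the token-related options.
     *
     * <p>An unparsable {@code tokenExpiration} is logged at warn level and the previous value is
     * kept. The parsed value is not range-checked, so zero or negative numbers are accepted as
     * given. NOTE(review): an option key that is present but mapped to {@code null} raises a
     * {@link NullPointerException} from the {@code toString()} call rather than a
     * {@link LoginException}.
     *
     * @param callbackHandler not used by this implementation
     * @param session must be a {@link SessionImpl}
     * @param map module options; only {@code disableTokenAuth} and {@code tokenExpiration} are read
     * @throws LoginException if {@code session} is not a {@link SessionImpl} or the user manager
     *         cannot be obtained (the {@link RepositoryException} is kept as the cause)
     */
    @Override // org.apache.jackrabbit.core.security.authentication.AbstractLoginModule
    protected void doInit(CallbackHandler callbackHandler, Session session, Map map) throws LoginException {
        if (!(session instanceof SessionImpl)) {
            throw new LoginException("Unable to initialize LoginModule: SessionImpl expected.");
        }
        try {
            this.session = (SessionImpl) session;
            this.userManager = this.session.getUserManager();
            log.debug("- UserManager -> '{}'", this.userManager.getClass().getName());
            if (map.containsKey(PARAM_DISABLE_TOKEN_AUTH)) {
                // Boolean.parseBoolean yields false for anything other than "true" (case-insensitive),
                // so a mistyped value leaves token authentication enabled.
                this.disableTokenAuth = Boolean.parseBoolean(map.get(PARAM_DISABLE_TOKEN_AUTH).toString());
                log.debug("- Token authentication disabled -> '{}'", this.disableTokenAuth);
            }
            if (map.containsKey(PARAM_TOKEN_EXPIRATION)) {
                try {
                    this.tokenExpiration = Long.parseLong(map.get(PARAM_TOKEN_EXPIRATION).toString());
                    log.debug("- Token expiration -> '{}'", this.tokenExpiration);
                } catch (NumberFormatException e) {
                    log.warn("Unabled to parse token expiration: {}", e.getMessage());
                }
            }
        } catch (RepositoryException e) {
            // Keep the repository failure as the cause, matching what commit() does.
            LoginException loginException = new LoginException("Unable to initialize LoginModule: " + e.getMessage());
            loginException.initCause(e);
            throw loginException;
        }
    }

    /**
     * Resolves the principal of the user identified by the credentials.
     *
     * <p>Returns {@code null} when the ID maps to no authorizable, to a group, to a disabled user,
     * or when the lookup raises a {@link RepositoryException} (logged at warn level, message only).
     * As a side effect {@link #user} is assigned for any non-group authorizable, including a
     * disabled one; callers are presumably expected to stop on the {@code null} principal.
     *
     * <p>NOTE(review): the user ID is written to the debug log as received. If it can originate
     * from caller-supplied credentials, confirm the log sink neutralizes line breaks.
     *
     * @param credentials credentials of the login attempt
     * @return the user's principal, or {@code null} as described above
     */
    @Override // org.apache.jackrabbit.core.security.authentication.AbstractLoginModule
    protected Principal getPrincipal(Credentials credentials) {
        String userID = getUserID(credentials);
        try {
            Authorizable authorizable = this.userManager.getAuthorizable(userID);
            if (authorizable == null || authorizable.isGroup()) {
                return null;
            }
            this.user = (User) authorizable;
            if (this.user.isDisabled()) {
                log.debug("User {} has been disabled.", userID);
                return null;
            }
            return this.user.getPrincipal();
        } catch (RepositoryException e) {
            log.warn("Error while retrieving principal. {}", e.getMessage());
            return null;
        }
    }

    /**
     * Reports whether this module handles the given credentials: {@link TokenCredentials} are
     * accepted only while token authentication is enabled, everything else is delegated to the
     * superclass.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.jackrabbit.core.security.authentication.AbstractLoginModule
    public boolean supportsCredentials(Credentials credentials) {
        if (credentials instanceof TokenCredentials) {
            return !this.disableTokenAuth;
        }
        return super.supportsCredentials(credentials);
    }

    /**
     * Determines the user ID for the login attempt.
     *
     * <p>Once {@link #user} has been resolved its ID is returned and the {@code credentials}
     * argument is ignored. Otherwise token-based credentials are remembered in
     * {@code tokenCredentials} and resolved through {@link TokenBasedAuthentication#getUserId};
     * all other credentials go to the superclass.
     *
     * @param credentials credentials of the login attempt
     * @return the user ID, or {@code null} if the token could not be resolved because of a
     *         {@link RepositoryException}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.jackrabbit.core.security.authentication.AbstractLoginModule
    public String getUserID(Credentials credentials) {
        if (this.user != null) {
            try {
                return this.user.getID();
            } catch (RepositoryException e) {
                // Fall through and derive the ID from the credentials instead.
                log.warn("Failed to retrieve userID from user", e);
            }
        }
        if (this.disableTokenAuth || !TokenBasedAuthentication.isTokenBasedLogin(credentials)) {
            return super.getUserID(credentials);
        }
        // The cast relies on isTokenBasedLogin() accepting only TokenCredentials; verify in that class.
        this.tokenCredentials = (TokenCredentials) credentials;
        try {
            return TokenBasedAuthentication.getUserId(this.tokenCredentials, this.session);
        } catch (RepositoryException e) {
            // The stack trace is logged only when debug logging is on; otherwise just the summary.
            if (log.isDebugEnabled()) {
                log.warn("Failed to retrieve UserID from token-based credentials", e);
            } else {
                log.warn("Failed to retrieve UserID from token-based credentials: {}", e.toString());
            }
            return null;
        }
    }

    /**
     * Selects the authentication mechanism able to validate the credentials.
     *
     * <p>Token-based authentication is tried first when it is enabled and token credentials were
     * recorded by {@link #getUserID}; otherwise, or if it cannot handle the credentials,
     * {@link SimpleCredentialsAuthentication} for the resolved user is tried.
     *
     * @param principal not used by this implementation
     * @param credentials credentials to be validated
     * @return an authentication that can handle the credentials, or {@code null} if none can
     * @throws RepositoryException if constructing an authentication fails
     */
    @Override // org.apache.jackrabbit.core.security.authentication.AbstractLoginModule
    protected Authentication getAuthentication(Principal principal, Credentials credentials) throws RepositoryException {
        if (!this.disableTokenAuth && this.tokenCredentials != null) {
            TokenBasedAuthentication tokenAuthentication = new TokenBasedAuthentication(
                    this.tokenCredentials.getToken(), this.tokenExpiration, this.session);
            if (tokenAuthentication.canHandle(credentials)) {
                return tokenAuthentication;
            }
        }
        if (this.user == null) {
            return null;
        }
        SimpleCredentialsAuthentication simpleAuthentication = new SimpleCredentialsAuthentication(this.user);
        return simpleAuthentication.canHandle(credentials) ? simpleAuthentication : null;
    }

    /**
     * Decides whether the impersonator described by the credentials may act as the resolved user.
     *
     * @param principal principal to impersonate; used only for log and error messages
     * @param credentials credentials from which the impersonating subject is derived
     * @return {@code true} if the user's impersonation settings allow the impersonator,
     *         {@code false} if no user has been resolved
     * @throws FailedLoginException if a user is resolved but impersonation is not allowed
     * @throws RepositoryException if the impersonation settings cannot be read
     */
    @Override // org.apache.jackrabbit.core.security.authentication.AbstractLoginModule
    protected boolean impersonate(Principal principal, Credentials credentials) throws RepositoryException, FailedLoginException {
        if (this.user == null) {
            log.debug("Failed to retrieve user to impersonate for principal name {}", principal.getName());
            return false;
        }
        if (!this.user.getImpersonation().allows(getImpersonatorSubject(credentials))) {
            throw new FailedLoginException("attempt to impersonate denied for " + principal.getName());
        }
        return true;
    }

    /** Returns whether token authentication is disabled for this module. */
    public boolean isDisableTokenAuth() {
        return this.disableTokenAuth;
    }

    /**
     * Enables or disables token authentication.
     *
     * @param z {@code true} to reject token credentials and skip token creation on commit
     */
    public void setDisableTokenAuth(boolean z) {
        this.disableTokenAuth = z;
    }

    /** Returns the token expiration handed to {@link TokenBasedAuthentication}. */
    public long getTokenExpiration() {
        return this.tokenExpiration;
    }

    /**
     * Sets the token expiration. The value is stored as given; no range check is applied here.
     *
     * @param j expiration value passed on to {@link TokenBasedAuthentication}
     */
    public void setTokenExpiration(long j) {
        this.tokenExpiration = j;
    }
}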
