package org.apache.qpid.server.management.plugin.servlet.rest;

import java.io.IOException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Random;
import javax.security.auth.Subject;
import javax.security.sasl.SaslServer;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.xml.bind.DatatypeConverter;
import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
import org.apache.qpid.server.management.plugin.HttpManagementUtil;
import org.apache.qpid.server.security.SubjectCreator;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.SubjectAuthenticationResult;
import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
import org.apache.qpid.util.Strings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.class */
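/**
 * REST endpoint that drives a SASL exchange for the HTTP management interface.
 *
 * <p>GET advertises the mechanisms on offer (and the current user, if any). POST performs one
 * round of the exchange: a request carrying {@code mechanism} (and no {@code id}) starts a new
 * exchange, a request carrying {@code id} (and no {@code mechanism}) continues the one stored in
 * the HTTP session. Multi-round state (the {@link SaslServer}, the exchange id and its expiry) is
 * kept in session attributes and must be consumed within {@link #SASL_EXCHANGE_EXPIRY}.
 *
 * <p>Any POST that does not end in HTTP 200 invalidates the whole session, so a failed, expired or
 * malformed attempt cannot be retried against the same partial SASL state.
 */
public class SaslServlet extends AbstractServlet {
    private static final Logger LOGGER = LoggerFactory.getLogger(SaslServlet.class);

    /** Shared seed source for the per-session {@link Random}; access is serialised on the instance. */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    // Session attribute names. Each is made request-specific through
    // HttpManagementUtil.getRequestSpecificAttributeName before use.
    private static final String ATTR_RANDOM = "SaslServlet.Random";
    private static final String ATTR_ID = "SaslServlet.ID";
    private static final String ATTR_SASL_SERVER = "SaslServlet.SaslServer";
    private static final String ATTR_EXPIRY = "SaslServlet.Expiry";

    /** Milliseconds a client has to answer a challenge before the stored exchange is rejected. */
    private static final long SASL_EXCHANGE_EXPIRY = 3000;

    /**
     * GET: list the SASL mechanisms offered on this transport and, when known, the user name
     * (taken from an already-authorised subject, else from the container's remote user).
     *
     * <p>Note that {@link #checkSaslAuthEnabled} is only applied on POST, so the mechanism list is
     * served even on a transport where SASL authentication itself is disabled. Calling
     * {@link #getRandom} here also creates the HTTP session the later POSTs rely on.
     */
    @Override // org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet
    protected void doGetWithSubjectAndActor(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        // Side effect only: make sure the session and its Random exist before the first POST.
        getRandom(httpServletRequest);

        List<String> mechanisms = getSubjectCreator(httpServletRequest).getMechanisms();
        String[] mechanismNames = mechanisms.toArray(new String[mechanisms.size()]);

        LinkedHashMap<String, Object> body = new LinkedHashMap<String, Object>();
        Subject authorisedSubject = getAuthorisedSubject(httpServletRequest);
        if (authorisedSubject != null) {
            body.put("user", AuthenticatedPrincipal.getAuthenticatedPrincipalFromSubject(authorisedSubject).getName());
        } else if (httpServletRequest.getRemoteUser() != null) {
            body.put("user", httpServletRequest.getRemoteUser());
        }
        body.put("mechanisms", mechanismNames);
        sendJsonResponse(body, httpServletRequest, httpServletResponse);
    }

    /**
     * Returns the session-scoped {@link Random} used to mint exchange ids, creating and storing
     * it on first use.
     *
     * <p>A {@code java.util.Random} (seeded from {@link #SECURE_RANDOM}) is deliberately sufficient
     * here: the id it produces is only ever compared against the value stored in the same session,
     * so it needs to be unique within that session rather than unguessable — the session cookie is
     * the secret. The check-then-set is not atomic; two concurrent first requests may each create a
     * Random, which is harmless.
     */
    private Random getRandom(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession();
        String attributeName = HttpManagementUtil.getRequestSpecificAttributeName(ATTR_RANDOM, httpServletRequest);
        Random random = (Random) session.getAttribute(attributeName);
        if (random == null) {
            long seed;
            synchronized (SECURE_RANDOM) {
                seed = SECURE_RANDOM.nextLong();
            }
            random = new Random(seed);
            session.setAttribute(attributeName, random);
        }
        return random;
    }

    /**
     * POST: perform one round of the SASL exchange.
     *
     * <p>Parameters: {@code mechanism} (start a new exchange), {@code id} (continue the stored
     * one) and {@code response} (base64 client response, optional). Exactly one of
     * {@code mechanism}/{@code id} must be present; anything else, or an unknown/expired id,
     * yields 417 and discards the stored exchange.
     *
     * @throws ConnectionScopedRuntimeException if SASL is disabled on this transport
     */
    @Override // org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet
    protected void doPostWithSubjectAndActor(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        // Refuse SASL on a transport where it is configured off (e.g. plain HTTP).
        checkSaslAuthEnabled(httpServletRequest);
        HttpSession session = httpServletRequest.getSession();
        try {
            String mechanism = httpServletRequest.getParameter("mechanism");
            String id = httpServletRequest.getParameter("id");
            String clientResponse = httpServletRequest.getParameter("response");
            SubjectCreator subjectCreator = getSubjectCreator(httpServletRequest);

            if (mechanism != null && id == null) {
                // First round: fresh SaslServer for the requested mechanism.
                LOGGER.debug("Creating SaslServer for mechanism: {}", mechanism);
                SaslServer saslServer = subjectCreator.createSaslServer(mechanism, httpServletRequest.getServerName(), (Principal) null);
                evaluateSaslResponse(httpServletRequest, httpServletResponse, session, clientResponse, saslServer, subjectCreator);
            } else if (mechanism == null && id != null && isExchangeValid(httpServletRequest, session, id)) {
                // Continuation: reuse the SaslServer stored by the previous round.
                SaslServer saslServer = (SaslServer) session.getAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_SASL_SERVER, httpServletRequest));
                evaluateSaslResponse(httpServletRequest, httpServletResponse, session, clientResponse, saslServer, subjectCreator);
            } else {
                // Both or neither of mechanism/id supplied, or the id is unknown or expired.
                httpServletResponse.setStatus(HttpServletResponse.SC_EXPECTATION_FAILED);
                clearSaslExchange(httpServletRequest, session);
            }
        } finally {
            // Any non-success outcome (including an exception) throws away the whole session so
            // that partial SASL state can never be resumed.
            if (httpServletResponse.getStatus() != HttpServletResponse.SC_OK) {
                session.invalidate();
            }
        }
    }

    /**
     * True iff {@code id} names the exchange stored in this session, that exchange still has its
     * SaslServer, and its expiry has not passed.
     *
     * <p>The null checks cover the case where the three attributes are not all present (they are
     * always written together, but a concurrent request on the same session may have cleared
     * them); an unchecked cast of the expiry would otherwise throw NPE.
     */
    private boolean isExchangeValid(HttpServletRequest httpServletRequest, HttpSession session, String id) {
        Object storedId = session.getAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_ID, httpServletRequest));
        Long expiry = (Long) session.getAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_EXPIRY, httpServletRequest));
        Object saslServer = session.getAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_SASL_SERVER, httpServletRequest));
        return id.equals(storedId)
                && saslServer != null
                && expiry != null
                && System.currentTimeMillis() < expiry.longValue();
    }

    /** Removes the id, SaslServer and expiry of any in-progress exchange from the session. */
    private void clearSaslExchange(HttpServletRequest httpServletRequest, HttpSession session) {
        session.removeAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_ID, httpServletRequest));
        session.removeAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_SASL_SERVER, httpServletRequest));
        session.removeAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_EXPIRY, httpServletRequest));
    }

    /**
     * Rejects the request unless SASL authentication is enabled for the transport in use
     * (HTTPS vs. HTTP are configured separately).
     *
     * @throws ConnectionScopedRuntimeException when SASL is disabled on this transport
     */
    private void checkSaslAuthEnabled(HttpServletRequest httpServletRequest) {
        HttpManagementConfiguration managementConfiguration = getManagementConfiguration();
        boolean enabled = httpServletRequest.isSecure()
                ? managementConfiguration.isHttpsSaslAuthenticationEnabled()
                : managementConfiguration.isHttpSaslAuthenticationEnabled();
        if (!enabled) {
            throw new ConnectionScopedRuntimeException("Sasl authentication disabled.");
        }
    }

    /**
     * Feeds the client's response into {@code saslServer} and writes the JSON result.
     *
     * <ul>
     *   <li>SUCCESS: management access is asserted for the subject; on success the subject is
     *       saved in the session, the exchange state is cleared and 200 is returned (with a final
     *       {@code challenge} if the mechanism produced one). A {@link SecurityException} from the
     *       access check yields 403.</li>
     *   <li>CONTINUE: a new exchange id, the SaslServer and an expiry are stored; the id and the
     *       base64 challenge are returned with 200.</li>
     *   <li>anything else: exchange state is cleared and 401 is returned.</li>
     * </ul>
     *
     * @param str base64-encoded client response, or {@code null} for an empty initial response
     */
    private void evaluateSaslResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession, String str, SaslServer saslServer, SubjectCreator subjectCreator) throws IOException {
        byte[] response = str == null ? new byte[0] : Strings.decodeBase64(str);
        SubjectAuthenticationResult result = subjectCreator.authenticate(saslServer, response);
        byte[] challenge = result.getChallenge();
        LinkedHashMap<String, Object> body = new LinkedHashMap<String, Object>();
        int status;

        if (result.getStatus() == AuthenticationResult.AuthenticationStatus.SUCCESS) {
            Subject subject = result.getSubject();
            try {
                HttpManagementUtil.assertManagementAccess(getBroker(), subject);
                // NOTE(review): the pre-authentication session id is kept here unless
                // saveAuthorisedSubject rotates it — confirm, otherwise consider
                // HttpServletRequest#changeSessionId (Servlet 3.1) to rule out session fixation.
                HttpManagementUtil.saveAuthorisedSubject(httpServletRequest, HttpManagementUtil.createServletConnectionSubject(httpServletRequest, subject));
                clearSaslExchange(httpServletRequest, httpSession);
                if (challenge != null && challenge.length != 0) {
                    body.put("challenge", DatatypeConverter.printBase64Binary(challenge));
                }
                status = HttpServletResponse.SC_OK;
            } catch (SecurityException e) {
                // Authenticated but not permitted to manage the broker. The 403 is the handling;
                // the exchange state is left for the caller's finally to discard with the session.
                LOGGER.debug("Authenticated subject is not permitted management access", e);
                status = HttpServletResponse.SC_FORBIDDEN;
            }
        } else if (result.getStatus() == AuthenticationResult.AuthenticationStatus.CONTINUE) {
            String exchangeId = String.valueOf(getRandom(httpServletRequest).nextLong());
            httpSession.setAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_ID, httpServletRequest), exchangeId);
            httpSession.setAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_SASL_SERVER, httpServletRequest), saslServer);
            httpSession.setAttribute(HttpManagementUtil.getRequestSpecificAttributeName(ATTR_EXPIRY, httpServletRequest), Long.valueOf(System.currentTimeMillis() + SASL_EXCHANGE_EXPIRY));
            body.put("id", exchangeId);
            body.put("challenge", DatatypeConverter.printBase64Binary(challenge));
            status = HttpServletResponse.SC_OK;
        } else {
            clearSaslExchange(httpServletRequest, httpSession);
            status = HttpServletResponse.SC_UNAUTHORIZED;
        }
        sendJsonResponse(body, httpServletRequest, httpServletResponse, status, false);
    }

    /** The SubjectCreator of the authentication provider configured for this request's transport. */
    private SubjectCreator getSubjectCreator(HttpServletRequest httpServletRequest) {
        HttpManagementConfiguration configuration = HttpManagementUtil.getManagementConfiguration(getServletContext());
        return configuration.getAuthenticationProvider(httpServletRequest).getSubjectCreator(httpServletRequest.isSecure());
    }

    /**
     * The subject already saved for this request, or the result of attempting authentication
     * through {@link HttpManagementUtil#tryToAuthenticate} when none is saved; {@code null} if
     * neither yields one.
     */
    @Override // org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet
    protected Subject getAuthorisedSubject(HttpServletRequest httpServletRequest) {
        Subject subject = HttpManagementUtil.getAuthorisedSubject(httpServletRequest);
        if (subject != null) {
            return subject;
        }
        return HttpManagementUtil.tryToAuthenticate(httpServletRequest, HttpManagementUtil.getManagementConfiguration(getServletContext()));
    }
}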
