package org.apache.qpid.server.management.plugin.filter;

import java.io.IOException;
import java.security.AccessControlException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
import org.apache.qpid.server.management.plugin.HttpManagementUtil;
import org.apache.qpid.server.management.plugin.preferences.QueryPreferenceValue;
import org.apache.qpid.server.management.plugin.servlet.ServletConnectionPrincipal;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.security.TokenCarryingPrincipal;
import org.apache.qpid.server.security.auth.ManagementConnectionPrincipal;
import org.apache.qpid.server.util.ConnectionScopedRuntimeException;

/* loaded from: input_file:org/apache/qpid/server/management/plugin/filter/AuthenticationCheckFilter.class */
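public class AuthenticationCheckFilter implements Filter {
    /** Init-parameter naming a servlet-path prefix whose requests are served without authentication. */
    public static final String INIT_PARAM_ALLOWED = "allowed";

    /** Exempt servlet-path prefix, or {@code null} when every request has to be authenticated. */
    private String _allowed = null;
    private Broker _broker;
    private HttpManagementConfiguration _managementConfiguration;

    /**
     * Reads the {@value #INIT_PARAM_ALLOWED} init-parameter and caches the broker and management
     * configuration that {@link HttpManagementUtil} keeps in the servlet context.
     *
     * @param filterConfig container-supplied filter configuration
     * @throws ServletException declared by {@link Filter#init}; not raised here
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String allowed = filterConfig.getInitParameter(INIT_PARAM_ALLOWED);
        // The default-scope marker is treated like an absent parameter: nothing is exempt.
        if (allowed != null && !QueryPreferenceValue.DEFAULT_SCOPE.equals(allowed)) {
            _allowed = allowed;
        }
        ServletContext servletContext = filterConfig.getServletContext();
        _broker = HttpManagementUtil.getBroker(servletContext);
        _managementConfiguration = HttpManagementUtil.getManagementConfiguration(servletContext);
    }

    @Override
    public void destroy() {
        // Nothing to release: broker and configuration are owned by the servlet context.
    }

    /**
     * Establishes the {@link Subject} a request runs as and invokes the rest of the chain under it.
     * <p>
     * Resolution order: (1) a subject already associated with the request is reused; (2) otherwise,
     * unless the servlet path starts with the exempt prefix, credentials carried by the request itself
     * are authenticated and management access is asserted; (3) otherwise the request runs with only a
     * connection principal. Denied management access answers 403 and any other
     * {@link SecurityException} 401; in both cases an existing session is invalidated so a partially
     * established login cannot be reused. When the request authenticated from its own credentials
     * (case 2) the session is also invalidated once the chain returns, so such logins never outlive
     * the request.
     *
     * @param servletRequest  the request; must be an {@link HttpServletRequest}
     * @param servletResponse the response; must be an {@link HttpServletResponse}
     * @param filterChain     the remaining chain, run under the resolved subject
     * @throws IOException      propagated from the chain or from {@code sendError}
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        final HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        final HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

        boolean preemptivelyAuthenticated = false;
        try {
            final Subject subject;
            Subject authorisedSubject = HttpManagementUtil.getAuthorisedSubject(httpRequest);
            if (authorisedSubject != null) {
                subject = requestSubjectFrom(authorisedSubject, httpRequest);
            } else if (_allowed == null || !httpRequest.getServletPath().startsWith(_allowed)) {
                // NOTE(review): plain prefix match - an exempt prefix "/foo" also matches "/foobar";
                // confirm the configured value ends with a path separator where that matters.
                subject = tryPreemptiveAuthentication(httpRequest);
                // Tokens attached to the authenticated principal are handed back as response headers
                // (header name = map key, value = map value).
                for (TokenCarryingPrincipal principal : subject.getPrincipals(TokenCarryingPrincipal.class)) {
                    principal.getTokens().forEach(httpResponse::setHeader);
                }
                preemptivelyAuthenticated = true;
            } else {
                subject = unauthenticatedSubject(httpRequest);
            }
            doFilterChainAs(servletRequest, servletResponse, filterChain, subject);
        } catch (AccessControlException e) {
            // Subclass of SecurityException, so it must be caught first: authenticated but not permitted.
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            invalidateSession(httpRequest);
        } catch (SecurityException e) {
            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            invalidateSession(httpRequest);
        } finally {
            if (preemptivelyAuthenticated) {
                invalidateSession(httpRequest);
            }
        }
    }

    /**
     * Builds the per-request subject for a request that already has an authorised subject: a copy of
     * its principals and credentials plus a {@link ServletConnectionPrincipal} for this request. The copy
     * is made read-only once complete so code further down the chain cannot alter the identity.
     */
    private static Subject requestSubjectFrom(Subject authorisedSubject, HttpServletRequest httpRequest) {
        Set<Principal> principals = authorisedSubject.getPrincipals();
        Subject subject = new Subject(false,
                                      principals,
                                      authorisedSubject.getPublicCredentials(),
                                      authorisedSubject.getPrivateCredentials());
        subject.getPrincipals().add(new ServletConnectionPrincipal(httpRequest));
        subject.setReadOnly();
        return subject;
    }

    /** Read-only subject for a request under the exempt prefix: only the connection principal, no credentials. */
    private static Subject unauthenticatedSubject(HttpServletRequest httpRequest) {
        return new Subject(true,
                           Collections.singleton(new ServletConnectionPrincipal(httpRequest)),
                           Collections.emptySet(),
                           Collections.emptySet());
    }

    /**
     * Runs the remaining chain as {@code subject}, unwrapping the {@link PrivilegedActionException}
     * that {@link Subject#doAs} adds so callers see the servlet API's own exception types.
     *
     * @throws IOException      rethrown from the chain
     * @throws ServletException rethrown from the chain
     * @throws ConnectionScopedRuntimeException for any other checked exception escaping the chain
     */
    private void doFilterChainAs(final ServletRequest servletRequest,
                                 final ServletResponse servletResponse,
                                 final FilterChain filterChain,
                                 final Subject subject) throws IOException, ServletException {
        try {
            Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
                filterChain.doFilter(servletRequest, servletResponse);
                return null;
            });
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            if (cause instanceof ServletException) {
                throw (ServletException) cause;
            }
            if (cause instanceof Error) {
                throw (Error) cause;
            }
            if (cause instanceof RuntimeException) {
                throw (RuntimeException) cause;
            }
            throw new ConnectionScopedRuntimeException(cause);
        }
    }

    /**
     * Authenticates the credentials carried by the request itself and checks management access.
     *
     * @return the authenticated subject, extended with the connection principal for this request
     * @throws SecurityException      when the request carries no usable credentials
     * @throws AccessControlException when the authenticated user may not use the management interface
     *                                (raised by {@link HttpManagementUtil#assertManagementAccess})
     */
    private Subject tryPreemptiveAuthentication(HttpServletRequest httpRequest) {
        Subject authenticated = HttpManagementUtil.tryToAuthenticate(httpRequest, _managementConfiguration);
        if (authenticated == null) {
            throw new SecurityException("Only authenticated users can access the management interface");
        }
        Subject connectionSubject = HttpManagementUtil.createServletConnectionSubject(httpRequest, authenticated);
        HttpManagementUtil.assertManagementAccess(_broker, connectionSubject);
        return connectionSubject;
    }

    /** Invalidates the request's session if one exists; never creates one. */
    private void invalidateSession(HttpServletRequest httpRequest) {
        HttpSession session = httpRequest.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}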
