package org.apache.qpid.server.management.plugin.servlet.rest;

import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Random;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
import org.apache.qpid.server.management.plugin.HttpManagementUtil;
import org.apache.qpid.server.management.plugin.SessionInvalidatedException;
import org.apache.qpid.server.management.plugin.controller.LegacyConfiguredObject;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.security.SubjectCreator;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.SubjectAuthenticationResult;
import org.apache.qpid.server.security.auth.sasl.SaslNegotiator;
import org.apache.qpid.server.security.auth.sasl.SaslSettings;
import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
import org.apache.qpid.server.util.Strings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.class */
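/**
 * REST endpoint that drives a SASL exchange over HTTP.
 *
 * <p>{@code GET} lists the mechanisms the authentication provider offers on the current transport.
 * {@code POST} either starts an exchange (parameter {@code mechanism}) or continues one (parameter
 * {@code id} plus base64 {@code response}). In-flight exchange state (negotiator, exchange id,
 * expiry) lives in the HTTP session; any POST that does not end in 200 invalidates that session,
 * so an aborted or failed exchange cannot be resumed.
 */
public class SaslServlet extends AbstractServlet {
    private static final long serialVersionUID = 1;
    private static final Logger LOGGER = LoggerFactory.getLogger(SaslServlet.class);
    // Shared seed source; access is serialized in getRandom().
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    // Session attribute keys for exchange state.
    private static final String ATTR_RANDOM = "SaslServlet.Random";
    private static final String ATTR_ID = "SaslServlet.ID";
    private static final String ATTR_SASL_NEGOTIATOR = "SaslServlet.SaslNegotiator";
    private static final String ATTR_EXPIRY = "SaslServlet.Expiry";

    /**
     * Reports the SASL mechanisms available on this transport and, when known, the caller's user name.
     *
     * <p>The response body is a JSON object with {@code mechanisms} (array of mechanism names) and,
     * if an authenticated principal is present on the current Subject or the container reports a
     * remote user, {@code user}.
     *
     * @param request       the HTTP request
     * @param response      the HTTP response the JSON body is written to
     * @param managedObject the configured object resolved by {@link AbstractServlet}; unused here
     * @throws ServletException propagated from the JSON writer
     * @throws IOException      if writing the response fails
     */
    @Override // org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet
    protected final void doGet(HttpServletRequest request, HttpServletResponse response, ConfiguredObject<?> managedObject) throws ServletException, IOException {
        // Make sure the per-session Random exists before any exchange is started.
        getRandom(request);
        List<String> mechanisms = getAuthenticationProvider(request).getAvailableMechanisms(request.isSecure());
        Map<String, Object> body = new LinkedHashMap<>();

        Subject subject = Subject.getSubject(AccessController.getContext());
        AuthenticatedPrincipal principal = AuthenticatedPrincipal.getOptionalAuthenticatedPrincipalFromSubject(subject);
        if (principal != null) {
            body.put("user", principal.getName());
        } else if (request.getRemoteUser() != null) {
            body.put("user", request.getRemoteUser());
        }
        // Emitted as an array, as the original did, so the JSON shape is unchanged.
        body.put("mechanisms", mechanisms.toArray(new String[0]));
        sendJsonResponse(body, request, response);
    }

    /**
     * Returns the session-scoped {@link Random} used to mint exchange ids, creating and storing it on
     * first use.
     *
     * <p>The Random is seeded once from {@link #SECURE_RANDOM}. The ids it produces are not bearer
     * secrets: a continuation request is only honoured when its id equals the id stored in the same
     * HTTP session and that session's stored expiry has not passed (see {@link #resolveNegotiator}).
     *
     * @param request the HTTP request whose session holds the Random
     * @return the session's Random, never {@code null}
     */
    private Random getRandom(HttpServletRequest request) {
        HttpSession session = request.getSession();
        Random random = (Random) HttpManagementUtil.getSessionAttribute(ATTR_RANDOM, session, request);
        if (random == null) {
            long seed;
            // SecureRandom is thread-safe, but the lock keeps the shared instance from being contended concurrently.
            synchronized (SECURE_RANDOM) {
                seed = SECURE_RANDOM.nextLong();
            }
            random = new Random(seed);
            HttpManagementUtil.setSessionAttribute(ATTR_RANDOM, random, session, request);
        }
        return random;
    }

    /**
     * Starts or continues a SASL exchange.
     *
     * <p>Outcomes: 417 when no negotiator can be resolved for the supplied {@code mechanism}/{@code id}
     * (state is cleaned up), 412 when the session was invalidated mid-request, otherwise whatever
     * {@link #evaluateSaslResponse} sets. Any final status other than 200 invalidates the HTTP session.
     *
     * @param request       the HTTP request carrying {@code mechanism}, {@code id} and {@code response}
     * @param response      the HTTP response
     * @param managedObject the configured object resolved by {@link AbstractServlet}; unused here
     * @throws IOException                   if writing the response fails
     * @throws ConnectionScopedRuntimeException if SASL authentication is disabled on this transport
     */
    @Override // org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet
    protected void doPost(final HttpServletRequest request, HttpServletResponse response, ConfiguredObject<?> managedObject) throws IOException {
        checkSaslAuthEnabled(request);
        HttpSession session = request.getSession();
        try {
            String mechanism = request.getParameter("mechanism");
            String exchangeId = request.getParameter(LegacyConfiguredObject.ID);
            String saslResponse = request.getParameter("response");
            SubjectCreator subjectCreator = getSubjectCreator(request);

            SaslNegotiator negotiator = resolveNegotiator(request, session, subjectCreator, mechanism, exchangeId);
            if (negotiator == null) {
                cleanup(request, session);
                response.setStatus(HttpServletResponse.SC_EXPECTATION_FAILED);
            } else {
                evaluateSaslResponse(request, response, session, saslResponse, negotiator, subjectCreator);
            }
        } catch (SessionInvalidatedException e) {
            response.setStatus(HttpServletResponse.SC_PRECONDITION_FAILED);
        } finally {
            // A non-200 outcome must not leave a resumable exchange behind.
            if (response.getStatus() != HttpServletResponse.SC_OK) {
                HttpManagementUtil.invalidateSession(session);
            }
        }
    }

    /**
     * Picks the negotiator for a POST.
     *
     * <p>With a {@code mechanism} and no {@code id}, a new negotiator is created provided the mechanism
     * is offered on this transport. Without a {@code mechanism}, the session's in-flight negotiator is
     * returned only if {@code id} equals the stored exchange id and the stored expiry is still in the
     * future. A missing expiry attribute is treated as expired rather than dereferenced.
     *
     * @return the negotiator to use, or {@code null} when the request cannot be mapped to an exchange
     */
    private SaslNegotiator resolveNegotiator(final HttpServletRequest request, HttpSession session, SubjectCreator subjectCreator, String mechanism, String exchangeId) {
        AuthenticationProvider<?> authenticationProvider = getAuthenticationProvider(request);
        if (mechanism != null) {
            boolean offered = authenticationProvider.getAvailableMechanisms(request.isSecure()).contains(mechanism);
            if (exchangeId != null || !offered) {
                return null;
            }
            LOGGER.debug("Creating SaslServer for mechanism: {}", mechanism);
            return subjectCreator.createSaslNegotiator(mechanism, new SaslSettings() { // from class: org.apache.qpid.server.management.plugin.servlet.rest.SaslServlet.1
                @Override
                public String getLocalFQDN() {
                    return request.getServerName();
                }

                @Override
                public Principal getExternalPrincipal() {
                    return null;
                }
            });
        }
        if (exchangeId == null || !exchangeId.equals(HttpManagementUtil.getSessionAttribute(ATTR_ID, session, request))) {
            return null;
        }
        Long expiry = (Long) HttpManagementUtil.getSessionAttribute(ATTR_EXPIRY, session, request);
        if (expiry == null || System.currentTimeMillis() >= expiry) {
            return null;
        }
        return (SaslNegotiator) HttpManagementUtil.getSessionAttribute(ATTR_SASL_NEGOTIATOR, session, request);
    }

    /**
     * Disposes the session's in-flight negotiator, if any, and removes all exchange attributes.
     *
     * @param request the HTTP request
     * @param session the session holding the exchange state
     */
    private void cleanup(HttpServletRequest request, HttpSession session) {
        SaslNegotiator negotiator = (SaslNegotiator) HttpManagementUtil.getSessionAttribute(ATTR_SASL_NEGOTIATOR, session, request);
        if (negotiator != null) {
            negotiator.dispose();
        }
        for (String attribute : new String[] {ATTR_ID, ATTR_SASL_NEGOTIATOR, ATTR_EXPIRY}) {
            HttpManagementUtil.removeAttribute(attribute, session, request);
        }
    }

    /**
     * Rejects the request unless SASL authentication is enabled for the request's transport
     * (HTTPS vs HTTP are configured separately).
     *
     * @param request the HTTP request
     * @throws ConnectionScopedRuntimeException if SASL authentication is disabled
     */
    private void checkSaslAuthEnabled(HttpServletRequest request) {
        HttpManagementConfiguration configuration = getManagementConfiguration();
        boolean enabled = request.isSecure()
                ? configuration.isHttpsSaslAuthenticationEnabled()
                : configuration.isHttpSaslAuthenticationEnabled();
        if (!enabled) {
            throw new ConnectionScopedRuntimeException("Sasl authentication disabled.");
        }
    }

    /**
     * Feeds the client's response into the negotiator and writes the outcome as JSON.
     *
     * <ul>
     *   <li>SUCCESS: the subject is installed and management access asserted; 200 with optional
     *       {@code additionalData}, or 403 if access is denied. Exchange state is cleaned up either way.</li>
     *   <li>CONTINUE: a fresh exchange id, the negotiator and an expiry are stored in the session;
     *       200 with {@code id} and base64 {@code challenge}.</li>
     *   <li>anything else: 401 and exchange state is cleaned up.</li>
     * </ul>
     *
     * @param request      the HTTP request
     * @param response     the HTTP response
     * @param session      the session holding exchange state
     * @param saslResponse base64 client response, or {@code null} for an empty initial response
     * @param negotiator   the negotiator for this exchange
     * @param subjectCreator the subject creator that performs the authentication
     * @throws IOException if writing the response fails
     */
    private void evaluateSaslResponse(HttpServletRequest request, HttpServletResponse response, HttpSession session, String saslResponse, SaslNegotiator negotiator, SubjectCreator subjectCreator) throws IOException {
        byte[] clientResponse = saslResponse == null ? new byte[0] : Strings.decodeBase64(saslResponse);
        SubjectAuthenticationResult result = subjectCreator.authenticate(negotiator, clientResponse);
        byte[] challenge = result.getChallenge();
        Map<String, Object> body = new LinkedHashMap<>();
        int status;

        if (result.getStatus() == AuthenticationResult.AuthenticationStatus.SUCCESS) {
            try {
                HttpManagementUtil.createServletConnectionSubjectAssertManagementAccessAndSave(getBroker(), request, result.getSubject());
                if (challenge != null && challenge.length != 0) {
                    body.put("additionalData", Base64.getEncoder().encodeToString(challenge));
                }
                status = HttpServletResponse.SC_OK;
            } catch (SecurityException e) {
                // Authenticated but not permitted to use management.
                status = HttpServletResponse.SC_FORBIDDEN;
            } finally {
                cleanup(request, session);
            }
        } else if (result.getStatus() == AuthenticationResult.AuthenticationStatus.CONTINUE) {
            String exchangeId = String.valueOf(getRandom(request).nextLong());
            long expiry = System.currentTimeMillis() + getManagementConfiguration().getSaslExchangeExpiry();
            HttpManagementUtil.setSessionAttribute(ATTR_ID, exchangeId, session, request);
            HttpManagementUtil.setSessionAttribute(ATTR_SASL_NEGOTIATOR, negotiator, session, request);
            HttpManagementUtil.setSessionAttribute(ATTR_EXPIRY, Long.valueOf(expiry), session, request);
            body.put(LegacyConfiguredObject.ID, exchangeId);
            // NOTE(review): a CONTINUE result is expected to carry a non-null challenge — confirm against SubjectCreator.
            body.put("challenge", Base64.getEncoder().encodeToString(challenge));
            status = HttpServletResponse.SC_OK;
        } else {
            status = HttpServletResponse.SC_UNAUTHORIZED;
            cleanup(request, session);
        }
        sendJsonResponse(body, request, response, status, false);
    }

    /**
     * Resolves the {@link SubjectCreator} of the port this request arrived on.
     *
     * @param request the HTTP request
     * @return the port's subject creator for the request's transport and server name
     */
    private SubjectCreator getSubjectCreator(HttpServletRequest request) {
        return HttpManagementUtil.getPort(request)
                .getSubjectCreator(request.isSecure(), request.getServerName());
    }

    /**
     * Resolves the authentication provider configured for this request.
     *
     * @param request the HTTP request
     * @return the provider selected by the management configuration
     */
    private AuthenticationProvider<?> getAuthenticationProvider(HttpServletRequest request) {
        HttpManagementConfiguration configuration = HttpManagementUtil.getManagementConfiguration(getServletContext());
        return configuration.getAuthenticationProvider(request);
    }
}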
