package org.n52.security.service.was;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.n52.security.authentication.AnonymousCredential;
import org.n52.security.authentication.Credential;
import org.n52.security.authentication.SAMLCredential;
import org.n52.security.authentication.SAMLResponse;
import org.n52.security.authentication.SAMLTicket;
import org.n52.security.authentication.UsernamePasswordCredential;
import org.n52.security.authentication.callbacks.CredentialCallback;
import org.n52.security.authentication.loginmodule.AbstractLoginModule;
import org.n52.security.authentication.loginmodule.CredentialCache;
import org.n52.security.authentication.loginmodule.SAMLCredentialCacheEntry;
import org.n52.security.common.artifact.ClientException;
import org.n52.security.common.artifact.ServiceException;
import org.n52.security.common.crypto.DigestUtil;
import org.n52.security.common.subject.SubjectCredentialAnalyzer;
import org.n52.security.common.util.StringUtils;
import org.n52.security.support.net.client.HTTPClientFactory;
import org.opensaml.SAMLException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/n52/security/service/was/WASLoginModule.class */
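/**
 * JAAS login module that authenticates a subject against a 52°North Web
 * Authentication Service (WAS) and attaches the SAML ticket returned by the
 * WAS to the subject's public credentials.
 *
 * <p>Login order:
 * <ol>
 *   <li>An {@link AnonymousCredential} offered through a
 *       {@link CredentialCallback} is sent to the WAS as-is (method
 *       {@code "anonymous"}).</li>
 *   <li>Otherwise a name/password pair is read from the callback handler,
 *       falling back to a {@link UsernamePasswordCredential} already held by
 *       the subject. With neither available the module returns {@code false}
 *       (skipped, not failed).</li>
 *   <li>An optional {@link CredentialCache} (option {@code tokenCache}) is
 *       consulted before contacting the WAS; its key is a digest of the
 *       credential, see {@link #generateCacheKey}.</li>
 * </ol>
 *
 * <p>Options: {@code defaultWasUrl} (required), {@code httpClientFactory}
 * (required), {@code tokenCache} (optional), {@code forceWasSession}
 * (optional, default {@code false}: request a WAS session only after the WAS
 * answered {@code InvalidSessionID}).
 *
 * <p>Security notes (review):
 * <ul>
 *   <li>This class only parses the SAML ticket; the failure message it emits
 *       says the parse happens "before signature validation", so signature
 *       checking is presumably done later by the consumer of the
 *       {@link SAMLCredential} — confirm, nothing here verifies it.</li>
 *   <li>The ticket and the cache key (an unsalted MD5 over
 *       {@code username|password}) are credential material and are kept out
 *       of the log.</li>
 * </ul>
 */
public class WASLoginModule extends AbstractLoginModule {
    private static final long serialVersionUID = 7535428693883868993L;

    /** Option: {@link CredentialCache} used to reuse SAML tickets across logins (optional). */
    private static final String OPTION_TOKEN_CACHE = "tokenCache";
    /** Option: URL of the WAS that receives the credential (required). */
    private static final String OPTION_DEFAULT_WAS_URL = "defaultWasUrl";
    /** Option: always precede the ticket request with a GetSession request (default false). */
    private static final String OPTION_FORCE_WAS_SESSION = "forceWasSession";
    /** Option: {@link HTTPClientFactory} used to talk to the WAS (required). */
    private static final String OPTION_HTTP_CLIENT_FACTORY = "httpClientFactory";

    /** Shared-state key whose value replaces the password inside the cache key, when present. */
    private static final String SHARED_STATE_CACHE_ENTRY_MODIFIER = "org.n52.cacheEntryModifier";
    /** Authentication method names handed to the WAS connector. */
    private static final String AUTHN_METHOD_ANONYMOUS = "anonymous";
    private static final String AUTHN_METHOD_PASSWORD = "urn:opengeospatial:authNMethod:OWS:1.0:password";
    /** WAS error code that triggers one retry with a preceding GetSession request. */
    private static final String ERROR_CODE_INVALID_SESSION = "InvalidSessionID";
    /** Digest used for cache keys; see the note in {@link #generateCacheKey}. */
    private static final String CACHE_KEY_DIGEST = "MD5";

    private static final Logger LOG = LoggerFactory.getLogger(WASLoginModule.class);
    private static final char[] EMPTY_CHAR_ARRAY = new char[0];

    private CredentialCache m_cache;
    private String m_wasUrl;
    private SAMLCredential m_samlCred;
    private String m_credentialCacheEntryId;
    private WASAuthenticationServiceConnector m_wasConnector;
    private boolean m_forceSession;
    private HTTPClientFactory m_httpClientFactory;

    /**
     * Forgets the cache key of the current attempt so that an aborted attempt
     * can never be written to the cache by {@link #prepareCommitState()}.
     */
    protected void clearAuthenticationState() throws LoginException {
        this.m_credentialCacheEntryId = null;
    }

    /** Returns the fully qualified class name as the module's description. */
    protected String getDescription() {
        return getClass().getName();
    }

    /**
     * Reads the module options. Missing required options are logged as
     * errors here but only fail the actual login attempt, as before.
     */
    protected void initialize() {
        this.m_cache = (CredentialCache) getOptions().get(OPTION_TOKEN_CACHE);
        if (this.m_cache == null) {
            LOG.debug("No credential cache instance configured. All login requests require WAS access.");
        }
        // NOTE(review): the password is transmitted to this URL; nothing here
        // enforces an https scheme — confirm that the HTTP client factory or
        // the deployment configuration does.
        this.m_wasUrl = getOptions().getAsString(OPTION_DEFAULT_WAS_URL, (String) null);
        if (this.m_wasUrl == null) {
            LOG.error("Option 'defaultWasUrl' is not set. Login using this module will fail.");
        }
        this.m_httpClientFactory = (HTTPClientFactory) getOptions().get(OPTION_HTTP_CLIENT_FACTORY);
        if (this.m_httpClientFactory == null) {
            LOG.error("Option 'httpClientFactory' is not set. Login using this module will fail.");
        }
        this.m_forceSession = Boolean.parseBoolean(getOptions().getAsString(OPTION_FORCE_WAS_SESSION, "false"));
        // Built even when options are missing so that the failure surfaces at login time.
        this.m_wasConnector = new WASAuthenticationServiceConnector(this.m_wasUrl, this.m_httpClientFactory);
        this.m_samlCred = null;
    }

    /**
     * Collects a credential through the callback handler and logs it in at
     * the WAS.
     *
     * @return {@code true} on success, {@code false} when no credential of a
     *         supported kind was available (module is skipped)
     * @throws LoginException if the WAS rejects the credential or cannot be reached
     */
    protected boolean performLogin() throws LoginException {
        // Concrete callback types: the values are read back from them below.
        NameCallback nameCallback = new NameCallback("user name: ");
        PasswordCallback passwordCallback = new PasswordCallback("password: ", false);
        CredentialCallback credentialCallback = new CredentialCallback(AnonymousCredential.class);
        handleCallbacks(new Callback[]{nameCallback, passwordCallback, credentialCallback});

        // An explicitly offered anonymous credential takes precedence over name/password.
        Credential anonymous = credentialCallback.getCredential();
        if (anonymous != null) {
            return performLogin(anonymous, AUTHN_METHOD_ANONYMOUS);
        }

        String name = nameCallback.getName();
        char[] password = passwordCallback.getPassword();
        if (name == null && password == null) {
            // Nothing from the handler: reuse a credential an earlier module attached to the subject.
            UsernamePasswordCredential existing = (UsernamePasswordCredential)
                    new SubjectCredentialAnalyzer(getSubject()).getCredential(UsernamePasswordCredential.class);
            if (existing == null) {
                LOG.debug("No username/password credential available. Skipping login for this module.");
                return false;
            }
            name = existing.getUsername();
            password = existing.getPassword();
        }
        // A half-specified pair is sent with the missing half empty rather than rejected here;
        // the WAS decides whether that is acceptable.
        if (name == null) {
            name = "";
        }
        if (password == null) {
            password = EMPTY_CHAR_ARRAY;
        }
        // NOTE(review): the password array is handed to the credential and not
        // zeroed afterwards; its lifetime is that of the credential object.
        return performLogin(new UsernamePasswordCredential(name, password), AUTHN_METHOD_PASSWORD);
    }

    /**
     * Obtains a {@link SAMLCredential} for {@code credential} — from the cache
     * when possible, otherwise from the WAS — and adds it to the subject's
     * public credentials.
     *
     * @param credential  credential to present to the WAS
     * @param authnMethod authentication method name understood by the WAS
     * @return always {@code true}; failures are reported as exceptions
     * @throws LoginException wrapping any WAS client/service error or an unparsable ticket
     */
    private boolean performLogin(Credential credential, String authnMethod) throws LoginException {
        LOG.debug("Logging in user at WAS <{}>", this.m_wasUrl);
        try {
            String modifier = (String) getSharedState().get(SHARED_STATE_CACHE_ENTRY_MODIFIER);
            this.m_credentialCacheEntryId = generateCacheKey(credential, modifier);
            SAMLCredentialCacheEntry cached = lookupCachedEntry(this.m_credentialCacheEntryId);
            // The cache key is derived from the password, so it is not logged.
            if (cached != null) {
                LOG.debug("Cache hit; reusing SAML ticket for credential of type {}",
                        credential.getClass().getSimpleName());
                this.m_samlCred = (SAMLCredential) cached.getCredentialCopy();
            } else {
                LOG.debug("Cache miss; requesting SAML ticket from WAS <{}>", this.m_wasUrl);
                this.m_samlCred = toSamlCredential(requestSAMLResponse(credential, authnMethod));
            }
            getSubject().getPublicCredentials().add(this.m_samlCred);
            return true;
        } catch (ClientException e) {
            LOG.error("Cannot perform WAS login at " + this.m_wasUrl, e);
            throw failedLogin("WAS Authentication failed with message <" + e.getMessage() + ">.", e);
        } catch (ServiceException e) {
            throw failedLogin("WAS authentication failed with code <" + e.getErrorCode()
                    + "> and message <" + e.getMessage() + ">.", e);
        }
    }

    /**
     * Decodes and parses the base64 SAML ticket of a WAS response.
     *
     * <p>The raw ticket is deliberately kept out of the log: it is bearer
     * credential material, and a parse failure is not a reason to persist it.
     *
     * @throws LoginException if the ticket cannot be parsed
     */
    private SAMLCredential toSamlCredential(SAMLResponse response) throws LoginException {
        try {
            return new SAMLCredential(new SAMLTicket(StringUtils.decodeBase64(response.getTicket())));
        } catch (SAMLException e) {
            LOG.warn("WAS <" + this.m_wasUrl + "> returned a SAML ticket that could not be parsed (ticket not logged)", e);
            throw failedLogin("Got invalid SAML ticket (before signature validation) from WAS", e);
        }
    }

    /**
     * Builds a {@link FailedLoginException} with {@code cause} attached; the
     * class offers no (message, cause) constructor, so the cause is set
     * explicitly to keep the original stack trace for callers.
     */
    private static FailedLoginException failedLogin(String message, Throwable cause) {
        FailedLoginException ex = new FailedLoginException(message);
        ex.initCause(cause);
        return ex;
    }

    /**
     * Requests a SAML ticket from the WAS. Without {@code forceWasSession} a
     * direct ticket request is tried first and repeated with a preceding
     * GetSession only when the WAS reports {@code InvalidSessionID}.
     *
     * @throws ServiceException any WAS error other than the retried one
     */
    private SAMLResponse requestSAMLResponse(Credential credential, String authnMethod) throws ServiceException {
        if (this.m_forceSession) {
            return this.m_wasConnector.getTicketWithSession(credential, authnMethod);
        }
        try {
            return this.m_wasConnector.getTicket(credential, authnMethod);
        } catch (ServiceException e) {
            // Null-safe comparison: a ServiceException without an error code must not become an NPE.
            if (!ERROR_CODE_INVALID_SESSION.equals(e.getErrorCode())) {
                throw e;
            }
            LOG.debug("Direct authentication at WAS failed. Retrying with preceding GetSession request.");
            return this.m_wasConnector.getTicketWithSession(credential, authnMethod);
        }
    }

    /**
     * Looks up a cached ticket.
     *
     * @param cacheKey key from {@link #generateCacheKey}; may be {@code null}
     * @return the entry, or {@code null} if no cache is configured, the key
     *         is {@code null}, or nothing is cached under it
     */
    private SAMLCredentialCacheEntry lookupCachedEntry(String cacheKey) throws LoginException {
        if (this.m_cache == null || cacheKey == null) {
            return null;
        }
        SAMLCredentialCacheEntry entry = (SAMLCredentialCacheEntry) this.m_cache.get(cacheKey);
        if (entry != null) {
            LOG.debug("Using cached SAML ticket");
        }
        return entry;
    }

    /**
     * Stores the ticket obtained by the current attempt in the cache, keyed
     * by the credential digest. Nothing is stored without a cache, without a
     * key, or — as a guard — without a ticket.
     */
    protected void prepareCommitState() throws LoginException {
        String cacheKey = this.m_credentialCacheEntryId;
        if (this.m_cache == null || cacheKey == null) {
            return;
        }
        if (this.m_samlCred == null) {
            LOG.debug("No SAML ticket obtained for this attempt; nothing to cache.");
            return;
        }
        this.m_cache.put(new SAMLCredentialCacheEntry(cacheKey, this.m_samlCred));
        LOG.debug("Cached SAML ticket for later reuse.");
    }

    /**
     * Derives the cache key for a credential.
     *
     * <p>For a {@link UsernamePasswordCredential} the key is
     * {@code digest(username + "|" + password)}, or
     * {@code digest(username + "|" + modifier)} when a non-empty modifier is
     * present in the shared state; an {@link AnonymousCredential} maps to the
     * digest of its class name; anything else yields {@code null} (no caching).
     *
     * <p>Security (review): the digest is an unsalted, unkeyed MD5, so a key
     * is an offline-crackable fingerprint of the password — keys must be
     * treated as secrets and never logged or persisted. A keyed hash (e.g.
     * HMAC with a per-deployment key) would remove that exposure but changes
     * the key format for every consumer of the cache, so it is not done here.
     * Also note that with a modifier present the key no longer binds to the
     * password: any password for that user then hits the cached ticket —
     * presumably intended because an upstream module already authenticated;
     * confirm.
     *
     * @param credential credential to derive the key from
     * @param modifier   value of {@code org.n52.cacheEntryModifier} from the shared state, may be {@code null}
     * @return the hex digest, or {@code null} if the credential kind is not cacheable
     */
    private String generateCacheKey(Credential credential, String modifier) throws LoginException {
        String material;
        if (credential instanceof UsernamePasswordCredential) {
            UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
            boolean hasModifier = modifier != null && !modifier.isEmpty();
            // The password briefly lives in an immutable String here; the digest API takes a String.
            String secretPart = hasModifier ? modifier : new String(upc.getPassword());
            material = upc.getUsername() + "|" + secretPart;
        } else if (credential instanceof AnonymousCredential) {
            material = AnonymousCredential.class.getCanonicalName();
        } else {
            return null;
        }
        if (material.isEmpty()) {
            return null;
        }
        return DigestUtil.digestToString(DigestUtil.calculateDigestOf(material, CACHE_KEY_DIGEST));
    }
}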
