package org.alfresco.rest.api;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.transaction.RetryingTransactionHelper;
import org.alfresco.repo.web.auth.AuthenticationListener;
import org.alfresco.repo.web.auth.TenantAuthentication;
import org.alfresco.repo.web.auth.WebCredentials;
import org.alfresco.repo.web.scripts.TenantWebScriptServletRequest;
import org.alfresco.repo.web.scripts.servlet.RemoteUserAuthenticatorFactory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.extensions.webscripts.Authenticator;
import org.springframework.extensions.webscripts.Description;
import org.springframework.extensions.webscripts.WebScriptException;
import org.springframework.extensions.webscripts.servlet.WebScriptServletRequest;
import org.springframework.extensions.webscripts.servlet.WebScriptServletResponse;

/* loaded from: input_file:org/alfresco/rest/api/PublicApiAuthenticatorFactory.class */
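/**
 * Authenticator factory for tenant-aware public API requests.
 *
 * <p>A request is authenticated in one of two ways:
 * <ul>
 *   <li>If the request carries both the configured authenticator key header and a remote user,
 *       the "gateway" path is taken: the remote user is accepted as the fully authenticated user
 *       when the presented key equals one of the configured valid keys.</li>
 *   <li>Otherwise authentication is delegated to the inherited authenticator.</li>
 * </ul>
 * After either path succeeds, the authenticated user is checked against the requested tenant via
 * {@link TenantAuthentication#authenticateTenant}.
 *
 * <p>Security note: a valid authenticator key lets its presenter assert the identity of the remote
 * user, so the configured keys are bearer secrets. This class therefore never writes a presented
 * key to the log, compares keys without short-circuiting on the first mismatch, and ignores blank
 * configured keys.
 */
public class PublicApiAuthenticatorFactory extends RemoteUserAuthenticatorFactory {
    private static final Log logger = LogFactory.getLog(PublicApiAuthenticatorFactory.class);
    public static final String DEFAULT_AUTHENTICATOR_KEY_HEADER = "X-Alfresco-Authenticator-Key";
    private RetryingTransactionHelper retryingTransactionHelper;
    private TenantAuthentication tenantAuthentication;
    // Never null: an unconfigured factory simply forwards no headers (previously a null here
    // caused a NullPointerException on the gateway path).
    private Set<String> outboundHeaderNames = Collections.emptySet();
    private String authenticatorKeyHeader = DEFAULT_AUTHENTICATOR_KEY_HEADER;
    // Never null: with no keys configured the gateway path rejects every request.
    private Set<String> validAuthenticatorKeys = Collections.emptySet();
    private boolean useBasicAuth = true;

    /**
     * Listener handed to the inherited authenticator in place of the factory's own listener.
     *
     * <p>A successful authentication is only recorded here, not forwarded; the enclosing
     * authenticator reports the final outcome itself once the tenant check has run. Failures are
     * forwarded to the factory's listener immediately.
     */
    public class ProxyListener implements AuthenticationListener {
        private WebCredentials originalCredentials;

        private ProxyListener() {
        }

        /** Remembers the credentials of the successful authentication for later wrapping. */
        @Override // org.alfresco.repo.web.auth.AuthenticationListener
        public void userAuthenticated(WebCredentials webCredentials) {
            this.originalCredentials = webCredentials;
        }

        /** Forwards the failure to the factory's listener. */
        @Override // org.alfresco.repo.web.auth.AuthenticationListener
        public void authenticationFailed(WebCredentials webCredentials) {
            PublicApiAuthenticatorFactory.this.listener.authenticationFailed(webCredentials);
        }

        /** Forwards the failure and its cause to the factory's listener. */
        @Override // org.alfresco.repo.web.auth.AuthenticationListener
        public void authenticationFailed(WebCredentials webCredentials, Exception exc) {
            PublicApiAuthenticatorFactory.this.listener.authenticationFailed(webCredentials, exc);
        }

        /**
         * Returns the credentials recorded by {@link #userAuthenticated}, or {@code null} if that
         * method has not been called. (The misspelt name is part of the public interface.)
         */
        public WebCredentials getOrignalCredentials() {
            return this.originalCredentials;
        }
    }

    /**
     * Authenticator that adds the gateway-key path and a tenant authorisation step on top of the
     * inherited remote-user authenticator.
     */
    public class PublicApiAuthenticator extends RemoteUserAuthenticatorFactory.RemoteUserAuthenticator {
        private TenantWebScriptServletRequest servletReq;
        private ProxyListener proxyListener;

        /**
         * @param webScriptServletRequest the request; must be a {@link TenantWebScriptServletRequest}
         * @param webScriptServletResponse the response the 401 challenge is written to on failure
         * @param proxyListener listener that records the credentials of the base authentication
         * @throws WebScriptException if the request is not tenant aware
         */
        public PublicApiAuthenticator(WebScriptServletRequest webScriptServletRequest, WebScriptServletResponse webScriptServletResponse, ProxyListener proxyListener) {
            super(webScriptServletRequest, webScriptServletResponse, proxyListener);
            if (!(webScriptServletRequest instanceof TenantWebScriptServletRequest)) {
                throw new WebScriptException("Request is not a tenant aware request");
            }
            this.servletReq = (TenantWebScriptServletRequest) webScriptServletRequest;
            this.proxyListener = proxyListener;
        }

        /**
         * Authenticates the request and then verifies that the user may access the requested tenant.
         *
         * <p>When the result is {@code false}, the response status is set to 401 with a
         * {@code WWW-Authenticate} challenge naming the tenant.
         *
         * @param requiredAuthentication the authentication level required by the web script
         * @param isGuest passed through to the inherited authenticator
         * @return {@code true} only if authentication and the tenant check both succeeded
         */
        @Override // org.alfresco.repo.web.scripts.servlet.RemoteUserAuthenticatorFactory.RemoteUserAuthenticator, org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory.BasicHttpAuthenticator
        public boolean authenticate(Description.RequiredAuthentication requiredAuthentication, boolean isGuest) {
            boolean authorized = false;
            try {
                String authenticatorKey = this.servletReq.getHeader(PublicApiAuthenticatorFactory.this.authenticatorKeyHeader);
                String remoteUser = getRemoteUser();
                if (authenticatorKey == null || remoteUser == null) {
                    // No gateway key (or no remote user): fall back to the inherited mechanism.
                    try {
                        authorized = super.authenticate(requiredAuthentication, isGuest);
                    } catch (AuthenticationException e) {
                        // Treated as a plain authentication failure; 'authorized' stays false.
                        if (PublicApiAuthenticatorFactory.logger.isDebugEnabled()) {
                            PublicApiAuthenticatorFactory.logger.debug("TenantBasicHttpAuthenticator: required=" + requiredAuthentication + ", isGuest=" + isGuest + " - " + e.getMessage());
                        }
                    }
                } else {
                    authorized = authenticateViaGateway(requiredAuthentication, isGuest, authenticatorKey, remoteUser);
                }
                if (authorized) {
                    authorized = authorizeForTenant();
                }
                return authorized;
            } finally {
                if (!authorized) {
                    this.servletRes.setStatus(401);
                    // NOTE(review): the tenant value comes from the request and is placed in the
                    // header unescaped; presumably the container rejects CR/LF here - confirm.
                    this.servletRes.setHeader("WWW-Authenticate", (PublicApiAuthenticatorFactory.this.useBasicAuth ? "Basic" : "AlfTicket") + " realm=\"Alfresco " + this.servletReq.getTenant() + " tenant\"");
                }
            }
        }

        /**
         * Checks, inside a transaction, that the fully authenticated user may access the requested
         * tenant and reports the outcome to the listener.
         *
         * <p>The outcome defaults to "not authorised": if the check throws, the listener is told
         * that authentication failed and the security context is cleared before the exception
         * propagates. Previously an exception here was reported to the listener as a success and
         * left the security context populated.
         *
         * @return {@code true} if the tenant check passed
         */
        private boolean authorizeForTenant() {
            final String tenant = this.servletReq.getTenant();
            final String fullyAuthenticatedUser = AuthenticationUtil.getFullyAuthenticatedUser();
            boolean tenantAuthorized = false;
            try {
                tenantAuthorized = PublicApiAuthenticatorFactory.this.retryingTransactionHelper.doInTransaction(new RetryingTransactionHelper.RetryingTransactionCallback<Boolean>() {
                    // The decompiler had renamed this method; it must be called 'execute' to
                    // implement the callback interface.
                    @Override
                    public Boolean execute() throws Exception {
                        return Boolean.valueOf(PublicApiAuthenticatorFactory.this.tenantAuthentication.authenticateTenant(fullyAuthenticatedUser, tenant));
                    }
                }, true, false);
                return tenantAuthorized;
            } finally {
                // Single notification point for both the normal and the exceptional exit.
                TenantCredentials tenantCredentials = new TenantCredentials(tenant, fullyAuthenticatedUser, this.proxyListener.getOrignalCredentials());
                if (tenantAuthorized) {
                    this.listener.userAuthenticated(tenantCredentials);
                } else {
                    this.listener.authenticationFailed(tenantCredentials);
                    AuthenticationUtil.clearCurrentSecurityContext();
                }
            }
        }

        /**
         * Accepts {@code remoteUser} as the fully authenticated user if {@code authenticatorKey}
         * is one of the configured valid keys.
         *
         * @param requiredAuthentication unused on this path
         * @param isGuest unused on this path
         * @param authenticatorKey value of the authenticator key header (non-null)
         * @param remoteUser the remote user to authenticate as (non-null)
         * @return {@code true} if the key was accepted
         */
        private boolean authenticateViaGateway(Description.RequiredAuthentication requiredAuthentication, boolean isGuest, String authenticatorKey, String remoteUser) {
            if (PublicApiAuthenticatorFactory.this.isValidAuthenticatorKey(authenticatorKey)) {
                AuthenticationUtil.setFullyAuthenticatedUser(remoteUser);
                this.proxyListener.userAuthenticated(new PublicApiCredentials(authenticatorKey, remoteUser, PublicApiAuthenticatorFactory.this.getOutboundHeaders(this.servletReq)));
                return true;
            }
            // The presented value is deliberately not logged: it is request-controlled text (log
            // forging) and may be a near-miss of a real key. The message prefix is unchanged so
            // existing log matching on it keeps working.
            PublicApiAuthenticatorFactory.logger.error("Invalid authenticator key:- [redacted]");
            this.proxyListener.authenticationFailed(new PublicApiCredentials(authenticatorKey, remoteUser, PublicApiAuthenticatorFactory.this.getOutboundHeaders(this.servletReq)));
            return false;
        }
    }

    /** Sets the name of the request header that carries the authenticator key. */
    public void setAuthenticatorKeyHeader(String authenticatorKeyHeader) {
        this.authenticatorKeyHeader = authenticatorKeyHeader;
    }

    /**
     * Sets the names of the request headers copied into the gateway credentials. Names are
     * lower-cased and trimmed; {@code null} means "no headers".
     */
    public void setOutboundHeaders(Set<String> outboundHeaders) {
        Set<String> normalized = new HashSet<String>();
        if (outboundHeaders != null) {
            for (String headerName : outboundHeaders) {
                normalized.add(headerName.toLowerCase(Locale.ENGLISH).trim());
            }
        }
        this.outboundHeaderNames = normalized;
    }

    /** Selects the scheme named in the 401 challenge: {@code Basic} if true, else {@code AlfTicket}. */
    public void setUseBasicAuth(boolean useBasicAuth) {
        this.useBasicAuth = useBasicAuth;
    }

    /** Sets the service used to check a user's access to a tenant. */
    public void setTenantAuthentication(TenantAuthentication tenantAuthentication) {
        this.tenantAuthentication = tenantAuthentication;
    }

    /** Sets the transaction helper the tenant check runs in. */
    public void setTransactionHelper(RetryingTransactionHelper retryingTransactionHelper) {
        this.retryingTransactionHelper = retryingTransactionHelper;
    }

    /**
     * Sets the accepted authenticator keys. (The misspelt name is part of the public interface.)
     *
     * <p>Keys are trimmed. Keys that are empty after trimming are dropped: an empty configured key
     * would otherwise be matched by a request that sends the key header with an empty value.
     * {@code null} means "no keys", so the gateway path rejects every request instead of failing
     * with a NullPointerException.
     */
    public void setValidAuthentictorKeys(Set<String> validKeys) {
        Set<String> normalized = new HashSet<String>();
        if (validKeys != null) {
            for (String key : validKeys) {
                String trimmed = key.trim();
                if (!trimmed.isEmpty()) {
                    normalized.add(trimmed);
                }
            }
        }
        this.validAuthenticatorKeys = normalized;
    }

    /** Creates a {@link PublicApiAuthenticator} with a fresh {@link ProxyListener} per request. */
    @Override // org.alfresco.repo.web.scripts.servlet.RemoteUserAuthenticatorFactory, org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory
    public Authenticator create(WebScriptServletRequest webScriptServletRequest, WebScriptServletResponse webScriptServletResponse) {
        return new PublicApiAuthenticator(webScriptServletRequest, webScriptServletResponse, new ProxyListener());
    }

    /**
     * Tells whether {@code candidate} equals one of the configured keys.
     *
     * <p>Every configured key is compared with {@link MessageDigest#isEqual} and the loop does not
     * stop at the first match, so the work done does not depend on which key matched or on where
     * a mismatching key first differs.
     */
    private boolean isValidAuthenticatorKey(String candidate) {
        if (candidate == null) {
            return false;
        }
        byte[] candidateBytes = candidate.getBytes(StandardCharsets.UTF_8);
        boolean matched = false;
        for (String validKey : this.validAuthenticatorKeys) {
            matched |= MessageDigest.isEqual(validKey.getBytes(StandardCharsets.UTF_8), candidateBytes);
        }
        return matched;
    }

    /**
     * Collects the values of the configured outbound headers that are present on the request.
     *
     * @return header name to values; headers with no values are omitted
     */
    private Map<String, String[]> getOutboundHeaders(TenantWebScriptServletRequest tenantWebScriptServletRequest) {
        Map<String, String[]> outboundHeaders = new HashMap<String, String[]>();
        for (String headerName : this.outboundHeaderNames) {
            String[] headerValues = tenantWebScriptServletRequest.getHeaderValues(headerName);
            if (headerValues != null && headerValues.length > 0) {
                outboundHeaders.put(headerName, headerValues);
            }
        }
        return outboundHeaders;
    }
}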
