package org.alfresco.rest.api.impl;

import javax.servlet.http.HttpServletRequest;
import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.Authorization;
import org.alfresco.repo.security.authentication.TicketComponent;
import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
import org.alfresco.repo.web.scripts.BufferedRequest;
import org.alfresco.rest.api.Authentications;
import org.alfresco.rest.api.People;
import org.alfresco.rest.api.PublicApiTenantWebScriptServletRequest;
import org.alfresco.rest.api.model.LoginTicket;
import org.alfresco.rest.api.model.LoginTicketResponse;
import org.alfresco.rest.framework.core.exceptions.InvalidArgumentException;
import org.alfresco.rest.framework.core.exceptions.NotFoundException;
import org.alfresco.rest.framework.core.exceptions.PermissionDeniedException;
import org.alfresco.rest.framework.resource.parameters.Parameters;
import org.alfresco.rest.framework.webscripts.WithResponse;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.util.PropertyCheck;
import org.apache.commons.lang3.StringUtils;
import org.springframework.extensions.surf.util.Base64;

/* loaded from: input_file:org/alfresco/rest/api/impl/AuthenticationsImpl.class */
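/**
 * REST-layer implementation of {@link Authentications}: issues a login ticket for a
 * user id / password pair, and validates or invalidates the ticket presented by the
 * current caller.
 *
 * <p>The ticket for validate/delete is taken from the {@code alf_ticket} request
 * parameter or, failing that, from the {@code Authorization} header (see
 * {@link #getTicket(Parameters)}). Both operations act only when the user the ticket
 * resolves to equals the fully authenticated user of the current request.
 *
 * <p>Collaborators are injected through setters; {@link #init()} checks the two
 * mandatory ones. {@code remoteUserMapper} is optional and is consulted only for
 * {@code Bearer} authorization.
 */
public class AuthenticationsImpl implements Authentications {
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String PARAM_ALF_TICKET = "alf_ticket";
    private AuthenticationService authenticationService;
    private TicketComponent ticketComponent;
    // Optional: left null (or inactive) when no remote user mapping is configured.
    private RemoteUserMapper remoteUserMapper;

    public void setAuthenticationService(AuthenticationService authenticationService) {
        this.authenticationService = authenticationService;
    }

    public void setTicketComponent(TicketComponent ticketComponent) {
        this.ticketComponent = ticketComponent;
    }

    public void setRemoteUserMapper(RemoteUserMapper remoteUserMapper) {
        this.remoteUserMapper = remoteUserMapper;
    }

    /**
     * Verifies that the mandatory collaborators were injected. {@code remoteUserMapper}
     * is deliberately not checked here; its absence is handled in
     * {@link #isRemoteUserMapperActive()}.
     */
    public void init() {
        PropertyCheck.mandatory(this, "authenticationService", this.authenticationService);
        PropertyCheck.mandatory(this, "ticketComponent", this.ticketComponent);
    }

    /**
     * Authenticates the supplied credentials and returns the resulting ticket.
     *
     * <p>The security context established by the authentication is always cleared
     * before this method returns or throws, so the login does not leak into whatever
     * the calling thread does next.
     *
     * @param loginTicket user id and password; all three must be non-null
     * @param parameters request parameters (not read by this method)
     * @return a response carrying the user id and the ticket issued for it
     * @throws InvalidArgumentException if the request or one of its fields is null
     * @throws PermissionDeniedException if authentication fails; the message is the
     *         same for every failure cause, so it does not reveal whether the user
     *         id exists
     */
    @Override
    public LoginTicketResponse createTicket(LoginTicket loginTicket, Parameters parameters) {
        validateLoginRequest(loginTicket);
        try {
            this.authenticationService.authenticate(loginTicket.getUserId(), loginTicket.getPassword().toCharArray());
            LoginTicketResponse response = new LoginTicketResponse();
            response.setUserId(loginTicket.getUserId());
            response.setId(this.authenticationService.getCurrentTicket());
            return response;
        } catch (AuthenticationException e) {
            throw new PermissionDeniedException("Login failed");
        } finally {
            AuthenticationUtil.clearCurrentSecurityContext();
        }
    }

    /**
     * Confirms that the ticket presented with the request is valid and belongs to the
     * fully authenticated user.
     *
     * <p>An invalid ticket and a ticket that resolves to a different user both produce
     * the same {@link NotFoundException}, so a caller cannot use this endpoint to
     * probe whether somebody else's ticket is live.
     *
     * @param str the person id from the request; only {@code People.DEFAULT_USER} is accepted
     * @param parameters request parameters the ticket is extracted from
     * @param withResponse response handle (not used by this method)
     * @return a response whose id is the validated ticket
     * @throws InvalidArgumentException if {@code str} is not the default user, or no
     *         usable ticket can be extracted from the request
     * @throws NotFoundException if the ticket is invalid or not owned by the caller
     */
    @Override
    public LoginTicketResponse validateTicket(String str, Parameters parameters, WithResponse withResponse) {
        if (!People.DEFAULT_USER.equals(str)) {
            throw new InvalidArgumentException("Invalid parameter: " + str);
        }
        String ticket = getTicket(parameters);
        try {
            String ticketUser = this.ticketComponent.validateTicket(ticket);
            String currentUser = AuthenticationUtil.getFullyAuthenticatedUser();
            if (currentUser == null || !currentUser.equals(ticketUser)) {
                // NOTE(review): the raw ticket is passed as a message parameter; confirm that
                // error rendering and logging do not persist it.
                throw new NotFoundException(NotFoundException.DEFAULT_MESSAGE_ID, new String[]{ticket});
            }
            LoginTicketResponse response = new LoginTicketResponse();
            response.setId(ticket);
            return response;
        } catch (AuthenticationException e) {
            throw new NotFoundException(NotFoundException.DEFAULT_MESSAGE_ID, new String[]{ticket});
        }
    }

    /**
     * Invalidates the ticket presented with the request, provided it is valid and
     * belongs to the fully authenticated user. The ownership check runs before the
     * invalidation, so a caller cannot log out a session that is not their own.
     *
     * @param str the person id from the request; only {@code People.DEFAULT_USER} is accepted
     * @param parameters request parameters the ticket is extracted from
     * @param withResponse response handle (not used by this method)
     * @throws InvalidArgumentException if {@code str} is not the default user, or no
     *         usable ticket can be extracted from the request
     * @throws NotFoundException if the ticket is invalid or not owned by the caller
     */
    @Override
    public void deleteTicket(String str, Parameters parameters, WithResponse withResponse) {
        if (!People.DEFAULT_USER.equals(str)) {
            throw new InvalidArgumentException("Invalid parameter: " + str);
        }
        String ticket = getTicket(parameters);
        try {
            String ticketUser = this.ticketComponent.validateTicket(ticket);
            String currentUser = AuthenticationUtil.getFullyAuthenticatedUser();
            if (currentUser == null || !currentUser.equals(ticketUser)) {
                throw new NotFoundException(NotFoundException.DEFAULT_MESSAGE_ID, new String[]{ticket});
            }
            this.authenticationService.invalidateTicket(ticket);
        } catch (AuthenticationException e) {
            throw new NotFoundException(NotFoundException.DEFAULT_MESSAGE_ID, new String[]{ticket});
        }
    }

    /**
     * Rejects a login request that is null or lacks a user id or password.
     *
     * @throws InvalidArgumentException if any of the three is null
     */
    protected void validateLoginRequest(LoginTicket loginTicket) {
        if (loginTicket == null || loginTicket.getUserId() == null || loginTicket.getPassword() == null) {
            throw new InvalidArgumentException("Invalid login details.");
        }
    }

    /**
     * Extracts the ticket from the request. Sources are tried in this order:
     * <ol>
     *   <li>the {@code alf_ticket} request parameter, if non-empty;</li>
     *   <li>an {@code Authorization: Basic} header whose decoded value is recognised
     *       as a ticket by {@link Authorization#isTicket()};</li>
     *   <li>an {@code Authorization: Bearer} header, resolved through the remote user
     *       mapper.</li>
     * </ol>
     *
     * <p>Malformed headers (blank, a scheme with no credentials, undecodable
     * credentials) are reported as {@link InvalidArgumentException} rather than being
     * allowed to surface as an unchecked array-index or null-pointer failure.
     *
     * @param parameters the request parameters and underlying request
     * @return the ticket string
     * @throws InvalidArgumentException if no ticket can be obtained from the request
     */
    protected String getTicket(Parameters parameters) {
        // NOTE(review): if alf_ticket is carried in the URL it can end up in access logs,
        // proxies and browser history; the header form avoids that exposure.
        String parameter = parameters.getParameter(PARAM_ALF_TICKET);
        if (StringUtils.isNotEmpty(parameter)) {
            return parameter;
        }
        String header = parameters.getRequest().getHeader(AUTHORIZATION_HEADER);
        if (StringUtils.isEmpty(header)) {
            throw new InvalidArgumentException("Authorization header is required.");
        }
        String[] split = header.split(" ");
        if (split.length == 0) {
            // A header made only of spaces is non-empty but splits into zero parts.
            throw new InvalidArgumentException("Authorization header is required.");
        }
        String scheme = split[0];
        if (scheme.equalsIgnoreCase("bearer")) {
            return getTicketFromRemoteUserMapperUserId(parameters);
        }
        if (!scheme.equalsIgnoreCase("basic")) {
            throw new InvalidArgumentException("Authorization '" + scheme + "' not supported.");
        }
        if (split.length < 2) {
            // "Basic" with no credentials part.
            throw new InvalidArgumentException("Ticket base authentication required.");
        }
        byte[] decoded = Base64.decode(split[1]);
        if (decoded == null) {
            // Defensive: treat a decoder that yields nothing as a bad request.
            throw new InvalidArgumentException("Ticket base authentication required.");
        }
        // NOTE(review): new String(byte[]) uses the platform default charset; left unchanged
        // here, but an explicit charset would make header parsing deployment-independent.
        Authorization authorization = new Authorization(new String(decoded));
        if (authorization.isTicket()) {
            return authorization.getTicket();
        }
        throw new InvalidArgumentException("Ticket base authentication required.");
    }

    /**
     * Resolves a bearer-authorized request to a ticket: asks the remote user mapper
     * for the user behind the request, then asks the ticket component for that
     * user's current ticket.
     *
     * @throws InvalidArgumentException if the servlet request cannot be unwrapped, the
     *         mapper is absent or inactive, or it yields no user
     */
    private String getTicketFromRemoteUserMapperUserId(Parameters parameters) {
        HttpServletRequest servletRequest = extractHttpServletRequestFromParameters(parameters);
        String remoteUser = null;
        if (servletRequest != null && isRemoteUserMapperActive()) {
            remoteUser = this.remoteUserMapper.getRemoteUser(servletRequest);
        }
        if (remoteUser == null) {
            throw new InvalidArgumentException("Can't use Alfresco Identity Services to validate the user in the bearer access token");
        }
        // NOTE(review): the second argument presumably disables creating a ticket on demand;
        // confirm what is returned when the user has no current ticket.
        return this.ticketComponent.getCurrentTicket(remoteUser, false);
    }

    /**
     * Unwraps the servlet request from a {@link BufferedRequest} that wraps a
     * {@link PublicApiTenantWebScriptServletRequest}.
     *
     * @return the servlet request, or {@code null} for any other request shape
     */
    private HttpServletRequest extractHttpServletRequestFromParameters(Parameters parameters) {
        if (!(parameters.getRequest() instanceof BufferedRequest)) {
            return null;
        }
        // Explicit casts: each is guarded by the instanceof check preceding it.
        BufferedRequest buffered = (BufferedRequest) parameters.getRequest();
        if (!(buffered.getNext() instanceof PublicApiTenantWebScriptServletRequest)) {
            return null;
        }
        return ((PublicApiTenantWebScriptServletRequest) buffered.getNext()).getHttpServletRequest();
    }

    /**
     * Reports whether a remote user mapper is configured and switched on. A null
     * mapper fails the {@code instanceof} test, so this is also the null check.
     */
    private boolean isRemoteUserMapperActive() {
        return (this.remoteUserMapper instanceof ActivateableBean) && ((ActivateableBean) this.remoteUserMapper).isActive();
    }
}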
