package org.alfresco.repo.web.scripts.servlet;

import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.util.HashSet;
import java.util.List;
import net.sf.acegisecurity.DisabledException;
import org.alfresco.error.ExceptionStackUtil;
import org.alfresco.repo.SessionUser;
import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
import org.alfresco.repo.web.auth.AuthenticationListener;
import org.alfresco.repo.web.auth.TicketCredentials;
import org.alfresco.repo.web.auth.WebCredentials;
import org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory;
import org.alfresco.repo.webdav.auth.AuthenticationDriver;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.extensions.webscripts.Authenticator;
import org.springframework.extensions.webscripts.Description;
import org.springframework.extensions.webscripts.WebScript;
import org.springframework.extensions.webscripts.servlet.WebScriptServletRequest;
import org.springframework.extensions.webscripts.servlet.WebScriptServletResponse;

/* loaded from: input_file:org/alfresco/repo/web/scripts/servlet/RemoteUserAuthenticatorFactory.class */
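/**
 * Authenticator factory for web scripts that accepts an externally supplied ("remote") user id
 * from a {@link RemoteUserMapper} and otherwise falls back to a ticket cached in the HTTP session
 * or to the inherited HTTP Basic authentication.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A non-null user id returned by the mapper is handed to
 *       {@link AuthenticationComponent#setCurrentUser(String)} with no credential check in this
 *       class. Whatever the mapper reads from the request must therefore not be settable by an
 *       untrusted client (NOTE(review): the mapper implementation is not shown here; confirm how
 *       it derives the id and which network path can reach it).</li>
 *   <li>With {@code alwaysAllowBasicAuthForAdminConsole} enabled (the default), admin-level
 *       requests to Admin Console web scripts may still authenticate with HTTP Basic while the
 *       remote user mapper is active.</li>
 * </ul>
 */
public class RemoteUserAuthenticatorFactory extends BasicHttpAuthenticatorFactory {
    private static final Log logger = LogFactory.getLog(RemoteUserAuthenticatorFactory.class);

    /** Default value, in milliseconds, of the remote user lookup timeout. */
    public static final long GET_REMOTE_USER_TIMEOUT_MILLISECONDS_DEFAULT = 10000;

    /** Source of the externally asserted user id; may be null or inactive. */
    protected RemoteUserMapper remoteUserMapper;

    /** Used to establish the mapped user as the current user. */
    protected AuthenticationComponent authenticationComponent;

    /** Web script families that are treated as belonging to the Admin Console. */
    List<String> adminConsoleScriptFamilies;

    /** When true, Basic auth stays available for admin requests to Admin Console web scripts. */
    private boolean alwaysAllowBasicAuthForAdminConsole = true;

    /**
     * Upper bound, in milliseconds, on the remote user lookup for Admin Console requests. The value
     * is passed unchanged to {@link Thread#join(long)}, for which 0 means "wait without limit" and
     * a negative value raises {@link IllegalArgumentException}.
     */
    long getRemoteUserTimeoutMilliseconds = GET_REMOTE_USER_TIMEOUT_MILLISECONDS_DEFAULT;

    /**
     * Authenticator that tries, in order: the remote user mapper, a ticket cached in the HTTP
     * session, and finally the inherited Basic authentication.
     */
    public class RemoteUserAuthenticator extends BasicHttpAuthenticatorFactory.BasicHttpAuthenticator {

        /**
         * Runs {@link RemoteUserAuthenticator#getRemoteUser()} on a separate thread and publishes
         * the result through a volatile field so the waiting request thread can read it.
         * (The decompiler reports that this class was originally package-private.)
         */
        public class GetRemoteUserRunnable implements Runnable {
            private volatile String returnedRemoteUser;

            GetRemoteUserRunnable() {
            }

            @Override // java.lang.Runnable
            public void run() {
                this.returnedRemoteUser = RemoteUserAuthenticator.this.getRemoteUser();
            }

            /**
             * @return the user id produced by {@link #run()}, or null if the lookup has not
             *         finished or produced no user
             */
            public String getReturnedRemoteUser() {
                return this.returnedRemoteUser;
            }
        }

        /**
         * @param webScriptServletRequest the current web script request
         * @param webScriptServletResponse the current web script response
         * @param authenticationListener listener notified of authentication success and failure
         */
        public RemoteUserAuthenticator(WebScriptServletRequest webScriptServletRequest, WebScriptServletResponse webScriptServletResponse, AuthenticationListener authenticationListener) {
            super(webScriptServletRequest, webScriptServletResponse, authenticationListener);
        }

        /**
         * Authenticates the current request.
         *
         * <p>If the remote user mapper is active and yields a user id, that user becomes the
         * current user without further credential checks. Otherwise a ticket stored in an existing
         * HTTP session is validated, and if there is no session or no cached user the inherited
         * authentication is used.
         *
         * @param requiredAuthentication the authentication level required by the web script
         * @param z the guest flag (logged as "is guest"); passed through to the superclass
         * @return true if the request was authenticated; false if the remote user lookup timed
         *         out, the mapped account is disabled, or the cached session ticket is invalid
         * @throws AuthenticationException if establishing the mapped user fails for a reason
         *         other than a {@link DisabledException} in the cause chain
         */
        @Override // org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory.BasicHttpAuthenticator
        public boolean authenticate(Description.RequiredAuthentication requiredAuthentication, boolean z) {
            boolean authenticated = false;
            if (RemoteUserAuthenticatorFactory.logger.isTraceEnabled()) {
                RemoteUserAuthenticatorFactory.logger.trace("Authenticate level required: " + requiredAuthentication + " is guest: " + z);
            }
            String remoteUser = null;
            if (isRemoteUserMapperActive()) {
                if (RemoteUserAuthenticatorFactory.this.isAlwaysAllowBasicAuthForAdminConsole()) {
                    boolean adminConsoleRequest = shouldUseTimeoutForAdminAccessingAdminConsole(requiredAuthentication, z);
                    // Basic credentials for an admin take precedence over the external lookup,
                    // so the Admin Console stays reachable when the external source is not.
                    if (adminConsoleRequest && isBasicAuthHeaderPresentForAdmin()) {
                        return callBasicAuthForAdminConsoleAccess(requiredAuthentication, z);
                    }
                    try {
                        remoteUser = getRemoteUserWithTimeout(adminConsoleRequest);
                    } catch (AuthenticationTimeoutException e) {
                        // The 401 status and Basic challenge were already set on the response.
                        return false;
                    }
                } else {
                    remoteUser = getRemoteUser();
                }
            }
            if (remoteUser != null) {
                try {
                    // The mapped id is trusted as-is: no password or ticket is verified here.
                    RemoteUserAuthenticatorFactory.this.authenticationComponent.setCurrentUser(remoteUser);
                    this.listener.userAuthenticated(new TicketCredentials(RemoteUserAuthenticatorFactory.this.authenticationService.getCurrentTicket()));
                    authenticated = true;
                } catch (AuthenticationException e2) {
                    // Only a disabled account is reported as a plain failure; anything else propagates.
                    if (ExceptionStackUtil.getCause(e2, new Class[]{DisabledException.class}) == null) {
                        throw e2;
                    }
                    this.listener.authenticationFailed(new WebCredentials() { // from class: org.alfresco.repo.web.scripts.servlet.RemoteUserAuthenticatorFactory.RemoteUserAuthenticator.1
                    });
                }
            } else {
                // getSession(false): never create a session just to look for a cached user.
                HttpSession session = this.servletReq.getHttpServletRequest().getSession(false);
                if (session != null) {
                    try {
                        SessionUser sessionUser = (SessionUser) session.getAttribute(AuthenticationDriver.AUTHENTICATION_USER);
                        if (sessionUser != null) {
                            RemoteUserAuthenticatorFactory.this.authenticationService.validate(sessionUser.getTicket());
                            if (RemoteUserAuthenticatorFactory.logger.isDebugEnabled()) {
                                RemoteUserAuthenticatorFactory.logger.debug("Ticket is valid. Retaining cached user in session.");
                            }
                            this.listener.userAuthenticated(new TicketCredentials(sessionUser.getTicket()));
                            authenticated = true;
                        } else {
                            authenticated = super.authenticate(requiredAuthentication, z);
                        }
                    } catch (AuthenticationException e3) {
                        if (RemoteUserAuthenticatorFactory.logger.isDebugEnabled()) {
                            RemoteUserAuthenticatorFactory.logger.debug("An Authentication error occur. Removing User session.", e3);
                        }
                        // Drop the cached user and the whole session so the failed ticket is not reused.
                        session.removeAttribute(AuthenticationDriver.AUTHENTICATION_USER);
                        session.invalidate();
                        this.listener.authenticationFailed(new WebCredentials() { // from class: org.alfresco.repo.web.scripts.servlet.RemoteUserAuthenticatorFactory.RemoteUserAuthenticator.2
                        });
                    }
                } else {
                    authenticated = super.authenticate(requiredAuthentication, z);
                }
            }
            return authenticated;
        }

        /**
         * Delegates to the inherited authentication for an Admin Console request that carries
         * Basic auth headers for an admin user.
         */
        private boolean callBasicAuthForAdminConsoleAccess(Description.RequiredAuthentication requiredAuthentication, boolean z) {
            if (RemoteUserAuthenticatorFactory.logger.isTraceEnabled()) {
                RemoteUserAuthenticatorFactory.logger.trace("An Admin Console request has come in with Basic Auth headers present for an admin user.");
            }
            return super.authenticate(requiredAuthentication, z);
        }

        /**
         * Decides whether the request is an admin-level, non-guest request that matched an Admin
         * Console web script, in which case the remote user lookup is bounded by a timeout.
         */
        private boolean shouldUseTimeoutForAdminAccessingAdminConsole(Description.RequiredAuthentication requiredAuthentication, boolean z) {
            boolean useTimeout = Description.RequiredAuthentication.admin.equals(requiredAuthentication) && !z && this.servletReq.getServiceMatch() != null && isAdminConsoleWebScript(this.servletReq.getServiceMatch().getWebScript());
            if (RemoteUserAuthenticatorFactory.logger.isTraceEnabled()) {
                RemoteUserAuthenticatorFactory.logger.trace("Should ensure that the admins can login with basic auth: " + useTimeout);
            }
            return useTimeout;
        }

        /**
         * @return true if a mapper is configured and, when it is an {@link ActivateableBean},
         *         it reports itself active
         */
        private boolean isRemoteUserMapperActive() {
            RemoteUserMapper mapper = RemoteUserAuthenticatorFactory.this.remoteUserMapper;
            if (mapper == null) {
                return false;
            }
            // isActive() is declared on ActivateableBean, so the call has to go through a cast.
            return !(mapper instanceof ActivateableBean) || ((ActivateableBean) mapper).isActive();
        }

        /**
         * Checks whether the web script belongs to one of the configured Admin Console families.
         *
         * @param webScript the matched web script, may be null
         * @return true if the script's families intersect {@code adminConsoleScriptFamilies};
         *         false if any of the inputs is missing
         */
        protected boolean isAdminConsoleWebScript(WebScript webScript) {
            if (webScript == null || RemoteUserAuthenticatorFactory.this.adminConsoleScriptFamilies == null || webScript.getDescription() == null || webScript.getDescription().getFamilys() == null) {
                return false;
            }
            if (RemoteUserAuthenticatorFactory.logger.isTraceEnabled()) {
                RemoteUserAuthenticatorFactory.logger.trace("WebScript: " + webScript + " has these families: " + webScript.getDescription().getFamilys());
            }
            // Work on a copy so the script's own family set is never modified by retainAll.
            HashSet<String> matchingFamilies = new HashSet<>(webScript.getDescription().getFamilys());
            matchingFamilies.retainAll(RemoteUserAuthenticatorFactory.this.adminConsoleScriptFamilies);
            boolean adminConsole = !matchingFamilies.isEmpty();
            if (RemoteUserAuthenticatorFactory.logger.isTraceEnabled() && adminConsole) {
                RemoteUserAuthenticatorFactory.logger.trace("Detected an Admin Console webscript: " + webScript);
            }
            return adminConsole;
        }

        /**
         * Obtains the remote user, optionally bounding the lookup by the configured timeout.
         *
         * <p>With the timeout enabled, the lookup runs on a freshly created thread and this method
         * waits at most {@code getRemoteUserTimeoutMilliseconds} for it. If the lookup is still
         * running afterwards, the thread is interrupted, the response is set to 401 with a Basic
         * challenge, and an {@link AuthenticationTimeoutException} is thrown.
         *
         * <p>NOTE(review): interrupting does not force the lookup to stop; a mapper that ignores
         * interrupts would keep its thread, and the request object it reads, in use after this
         * method has returned. One thread is created per such request, so confirm the mapper
         * cannot block indefinitely.
         *
         * @param z true to run the lookup under the timeout, false to call it directly
         * @return the remote user id, or null if none was found
         * @throws AuthenticationTimeoutException if the lookup did not finish in time
         */
        protected String getRemoteUserWithTimeout(boolean z) throws AuthenticationTimeoutException {
            if (!z) {
                return getRemoteUser();
            }
            GetRemoteUserRunnable lookup = new GetRemoteUserRunnable();
            Thread worker = new Thread(lookup);
            worker.start();
            try {
                synchronized (worker) {
                    worker.join(RemoteUserAuthenticatorFactory.this.getRemoteUserTimeoutMilliseconds);
                }
            } catch (InterruptedException e) {
                // Keep the interrupt visible to the caller instead of silently clearing it.
                Thread.currentThread().interrupt();
                RemoteUserAuthenticatorFactory.logger.warn("Exception trying to get the remote user: " + e.getMessage(), e);
            } catch (Exception e) {
                RemoteUserAuthenticatorFactory.logger.warn("Exception trying to get the remote user: " + e.getMessage(), e);
            }
            // Check liveness first and read the result afterwards: reading before the check could
            // return a stale null when the lookup finishes between the two steps.
            if (!worker.isAlive()) {
                return lookup.getReturnedRemoteUser();
            }
            cleanupThread(worker);
            String message = "Could not get the remote user in a reasonable time: " + RemoteUserAuthenticatorFactory.this.getRemoteUserTimeoutMilliseconds + " milliseconds. Adjust the timeout property 'authentication.getRemoteUserTimeoutMilliseconds' if required.";
            if (RemoteUserAuthenticatorFactory.logger.isWarnEnabled()) {
                RemoteUserAuthenticatorFactory.logger.warn("Returning basic auth challenge for Admin Console. Cause: " + message);
            }
            HttpServletResponse httpServletResponse = this.servletRes.getHttpServletResponse();
            httpServletResponse.setStatus(401);
            httpServletResponse.setHeader("WWW-Authenticate", "Basic realm=\"Alfresco\"");
            throw new AuthenticationTimeoutException(message);
        }

        /**
         * Asks the lookup thread to stop by interrupting it. This is best effort: a failure to
         * interrupt is logged at debug level and otherwise ignored.
         */
        private void cleanupThread(Thread thread) {
            try {
                thread.interrupt();
            } catch (Exception e) {
                if (RemoteUserAuthenticatorFactory.logger.isDebugEnabled()) {
                    RemoteUserAuthenticatorFactory.logger.debug("Could not interrupt the remote user lookup thread.", e);
                }
            }
        }

        /**
         * Asks the remote user mapper, if active, for the user id carried by the current request.
         * (The decompiler reports that this method was originally protected.)
         *
         * @return the mapped user id, or null if the mapper is inactive or found none
         */
        public String getRemoteUser() {
            String remoteUser = null;
            if (isRemoteUserMapperActive()) {
                remoteUser = RemoteUserAuthenticatorFactory.this.remoteUserMapper.getRemoteUser(this.servletReq.getHttpServletRequest());
            }
            logRemoteUserID(remoteUser);
            return remoteUser;
        }

        /** Logs the lookup outcome at debug level; the user id is masked before it is written. */
        private void logRemoteUserID(String str) {
            if (RemoteUserAuthenticatorFactory.logger.isDebugEnabled()) {
                RemoteUserAuthenticatorFactory.logger.debug(str == null ? "No external user ID in request." : "Extracted external user ID from request: " + AuthenticationUtil.maskUsername(str));
            }
        }
    }

    /** @param remoteUserMapper the mapper that extracts the external user id from a request */
    public void setRemoteUserMapper(RemoteUserMapper remoteUserMapper) {
        this.remoteUserMapper = remoteUserMapper;
    }

    /** @param authenticationComponent the component used to set the current user */
    public void setAuthenticationComponent(AuthenticationComponent authenticationComponent) {
        this.authenticationComponent = authenticationComponent;
    }

    /** @return whether Basic auth remains available for admin requests to the Admin Console */
    public boolean isAlwaysAllowBasicAuthForAdminConsole() {
        return this.alwaysAllowBasicAuthForAdminConsole;
    }

    /** @param z true to keep Basic auth available for admin requests to the Admin Console */
    public void setAlwaysAllowBasicAuthForAdminConsole(boolean z) {
        this.alwaysAllowBasicAuthForAdminConsole = z;
    }

    /** @return the web script families treated as Admin Console; the list itself, not a copy */
    public List<String> getAdminConsoleScriptFamilies() {
        return this.adminConsoleScriptFamilies;
    }

    /** @param list the web script families treated as Admin Console; stored without copying */
    public void setAdminConsoleScriptFamilies(List<String> list) {
        this.adminConsoleScriptFamilies = list;
    }

    /** @return the remote user lookup timeout in milliseconds */
    public long getGetRemoteUserTimeoutMilliseconds() {
        return this.getRemoteUserTimeoutMilliseconds;
    }

    /**
     * @param j the remote user lookup timeout in milliseconds; stored without validation, and 0
     *          makes the Admin Console lookup wait without limit (see {@link Thread#join(long)})
     */
    public void setGetRemoteUserTimeoutMilliseconds(long j) {
        this.getRemoteUserTimeoutMilliseconds = j;
    }

    /**
     * Creates the authenticator for one request/response pair, wired to this factory's listener.
     */
    @Override // org.alfresco.repo.web.scripts.servlet.BasicHttpAuthenticatorFactory
    public Authenticator create(WebScriptServletRequest webScriptServletRequest, WebScriptServletResponse webScriptServletResponse) {
        return new RemoteUserAuthenticator(webScriptServletRequest, webScriptServletResponse, this.listener);
    }
}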
