package sa;

import com.fasterxml.jackson.core.util.MinimalPrettyPrinter;
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;
import javax.security.auth.message.config.RegistrationListener;
import javax.security.auth.message.config.ServerAuthConfig;
import javax.security.auth.message.config.ServerAuthContext;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import kb.r;
import kb.s;
import lb.p;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.filters.ExpiresFilter;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.coyote.ActionCode;
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.apache.tomcat.util.res.StringManager;
import ra.d0;
import ra.j;
import ra.j0;
import ra.o0;
import ra.z;

/* loaded from: classes2.dex */
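/**
 * Abstract base for request authenticators. It enforces a context's security constraints on
 * each request, optionally delegates authentication to a JASPIC {@link AuthConfigProvider},
 * and registers the authenticated principal with the request, the session and an optional
 * single-sign-on valve.
 *
 * <p>This is decompiler output with obfuscated identifiers. NOTE(review): the
 * {@code org.apache.catalina} imports and the {@code authenticator.*} message keys suggest it
 * corresponds to Apache Tomcat's {@code AuthenticatorBase}. Every meaning marked "presumably"
 * below is inferred from that resemblance and from the log strings, not from the symbols in
 * this file, and should be confirmed against the un-obfuscated source.
 *
 * <p>Security-relevant behaviour to keep in mind when reviewing subclasses or configuration:
 * <ul>
 *   <li>{@link #R8} changes the session id after a successful authentication when
 *       {@code f11861m} is set, and issues the SSO cookie.</li>
 *   <li>{@link #u8} accepts an identity supplied by the connector layer and will build a
 *       role-less principal for it when the realm does not know the name.</li>
 *   <li>{@link #v8} instantiates a class whose name comes from a configuration setter.</li>
 *   <li>Several debug log lines contain principal names, the request URI and the
 *       connector-supplied user name.</li>
 * </ul>
 */
public abstract class a extends p implements ra.c, RegistrationListener {

    /* renamed from: g0, reason: collision with root package name */
    // Written as the value of header ExpiresFilter.f10114h in L4(); presumably a formatted
    // date for timestamp 1 used to mark responses as already expired - confirm.
    public static final String f11848g0 = wc.d.a(1);

    /* renamed from: h0, reason: collision with root package name */
    // Message catalogue used for the "authenticator.*" log and exception messages.
    public static final StringManager f11849h0 = StringManager.c(a.class);

    /* renamed from: i0, reason: collision with root package name */
    // Name of the HTTP challenge header; not referenced inside this class.
    public static final String f11850i0 = "WWW-Authenticate";

    /* renamed from: j0, reason: collision with root package name */
    // Fallback realm name returned by I8() when the login configuration names none.
    public static final String f11851j0 = "Authentication required";

    // When true, L4() sends "Pragma: No-cache" and "no-cache" on constrained responses;
    // when false it sends "private" instead. Read by K8(), written by Y8().
    public boolean C;

    // Passed to the session-id generator in m8() through u8(); presumably the SecureRandom
    // implementation class name.
    public String D;

    // Passed to the session-id generator in m8() through t8(); the constructor defaults it to
    // "SHA1PRNG", so presumably the SecureRandom algorithm name.
    // NOTE(review): the generator's output becomes the SSO cookie value in R8(). Availability
    // and seeding quality of SHA1PRNG depend on the runtime's security providers; confirm
    // what the target platform supplies and what the generator falls back to.
    public String Z;

    /* renamed from: a0, reason: collision with root package name */
    // Passed to the session-id generator in m8() through v8(); presumably the SecureRandom
    // provider name.
    public String f11852a0;

    /* renamed from: b0, reason: collision with root package name */
    // Class name of the JASPIC CallbackHandler that v8() instantiates reflectively; null
    // selects the built-in handler from ta.b.a().
    public String f11853b0;

    /* renamed from: c0, reason: collision with root package name */
    // Generator created in m8(); its j1() result is used as the SSO cookie value in R8().
    public r f11854c0;

    /* renamed from: d0, reason: collision with root package name */
    // Single-sign-on valve discovered in m8() (log text: "Found SingleSignOn Valve"); null
    // when none is configured on any parent container.
    public h f11855d0;

    /* renamed from: e0, reason: collision with root package name */
    // JASPIC application context id, built in m8() from two servlet-context values.
    public volatile String f11856e0;

    /* renamed from: f0, reason: collision with root package name */
    // Cached result of the JASPIC provider lookup. null means "not looked up yet"; an empty
    // Optional means "looked up, no provider registered".
    public volatile Optional<AuthConfigProvider> f11857f0;

    /* renamed from: j, reason: collision with root package name */
    // Logger; e() is used as a guard before every a(String) call, so presumably
    // isDebugEnabled()/debug().
    public final dc.b f11858j;

    /* renamed from: k, reason: collision with root package name */
    // Passed by Q8() as R8()'s z10: create a session on authentication if none exists.
    public boolean f11859k;

    /* renamed from: l, reason: collision with root package name */
    // Passed by Q8() as R8()'s z11 (store principal and notes in the session) and checked in
    // L4() before restoring a principal from the session.
    public boolean f11860l;

    /* renamed from: m, reason: collision with root package name */
    // Gates the session-id change in R8() after a principal has been authenticated.
    public boolean f11861m;

    /* renamed from: n, reason: collision with root package name */
    // The container this authenticator is attached to; z7() only accepts instances of j.
    public j f11862n;

    /* renamed from: o, reason: collision with root package name */
    // Gates the cache-related response headers that L4() sets on constrained requests.
    public boolean f11863o;

    /* loaded from: classes2.dex */
    /** Holder pairing a JASPIC {@link MessageInfo} with the {@link ServerAuthContext} for one request. */
    public static class b {
        public MessageInfo a;
        public ServerAuthContext b;

        public b() {
            this.a = null;
            this.b = null;
        }
    }

    /**
     * Creates the authenticator with its defaults: session caching of the principal on,
     * session-id change on authentication on, cache headers on, forced session creation off,
     * and "SHA1PRNG" as the random algorithm name.
     */
    public a() {
        super(true);
        this.f11858j = dc.c.d(a.class);
        this.f11859k = false;
        this.f11860l = true;
        this.f11861m = true;
        this.f11862n = null;
        this.f11863o = true;
        this.C = false;
        this.D = null;
        this.Z = "SHA1PRNG";
        this.f11852a0 = null;
        this.f11853b0 = null;
        this.f11854c0 = null;
        this.f11855d0 = null;
        this.f11856e0 = null;
        this.f11857f0 = null;
    }

    /**
     * Returns the JASPIC provider for this application, looking it up on first use.
     *
     * @return the provider, or {@code null} when none is registered
     */
    private AuthConfigProvider F8() {
        Optional<AuthConfigProvider> optional = this.f11857f0;
        if (optional == null) {
            // First call (or cache reset): perform the lookup and cache the result.
            optional = y8();
        }
        return optional.orElse(null);
    }

    /**
     * Builds the per-request JASPIC state: a message-info wrapper around the request and
     * response, and the server auth context obtained from the provider.
     *
     * @param authConfigProvider the registered JASPIC provider
     * @param hVar the request
     * @param jVar the response
     * @param z10 forwarded to the message-info constructor; presumably "authentication is mandatory"
     * @return the populated holder, or {@code null} after a 500 status has been set on the
     *     response because the provider threw {@link AuthException}
     * @throws IOException declared by the response status call
     * @throws SecurityException propagated from {@link #v8()} when the configured callback
     *     handler cannot be instantiated
     */
    private b G8(AuthConfigProvider authConfigProvider, ua.h hVar, ua.j jVar, boolean z10) throws IOException {
        b bVar = new b();
        bVar.a = new ta.c(hVar.H0(), jVar.a0(), z10);
        try {
            ServerAuthConfig a = authConfigProvider.a("HttpServlet", this.f11856e0, v8());
            bVar.b = a.a(a.f(bVar.a), null, null);
            return bVar;
        } catch (AuthException e10) {
            // Fail closed: log, answer with a server error and let the caller abort.
            this.f11858j.i(f11849h0.g("authenticator.jaspicServerAuthContextFail"), e10);
            jVar.y(500);
            return null;
        }
    }

    /**
     * Extracts the first {@link GenericPrincipal} from a subject's private credentials.
     *
     * @param subject the subject populated by the JASPIC module, may be {@code null}
     * @return the principal, or {@code null} when the subject is null or carries none
     */
    private GenericPrincipal H8(Subject subject) {
        if (subject == null) {
            return null;
        }
        // Typed set instead of the decompiler's raw Set plus cast.
        Set<GenericPrincipal> privateCredentials = subject.getPrivateCredentials(GenericPrincipal.class);
        if (privateCredentials.isEmpty()) {
            return null;
        }
        return privateCredentials.iterator().next();
    }

    /**
     * Resolves the realm name to present to clients.
     *
     * @param jVar the context, may be {@code null}
     * @return the realm name from the context's login configuration, or
     *     {@link #f11851j0} when the context, its login configuration or the name is missing
     */
    public static String I8(j jVar) {
        LoginConfig I3;
        String realmName;
        return (jVar == null || (I3 = jVar.I3()) == null || (realmName = I3.getRealmName()) == null) ? f11851j0 : realmName;
    }

    /**
     * Records an authentication result on the request, on the session and with the
     * single-sign-on valve. Called with a {@code null} principal by {@link #T1} to clear the
     * registration on logout.
     *
     * <p>Security notes:
     * <ul>
     *   <li>When {@code f11861m} is set and a principal is present, the id of an existing
     *       session is changed before the principal is attached (session-fixation defence).</li>
     *   <li>{@code str2}/{@code str3} are stored as session notes and handed to the SSO valve.
     *       {@link #m} passes the same two strings it gave to the realm's authenticate call,
     *       so they are presumably user name and password - treat session and SSO storage as
     *       holding credentials.</li>
     *   <li>The SSO cookie is a session cookie on path "/". Its Secure flag mirrors
     *       {@code hVar.j()} (presumably "request is secure"), and HttpOnly is only set when
     *       one of two configuration checks is true. NOTE(review): behind a TLS-terminating
     *       proxy verify that the connector reports the request as secure, and that one of
     *       the HttpOnly switches is enabled.</li>
     *   <li>The debug log line includes the principal name and authentication type.</li>
     * </ul>
     *
     * @param hVar the request
     * @param httpServletResponse the response that receives the SSO cookie
     * @param principal the authenticated principal, or {@code null} to clear
     * @param str the authentication type
     * @param str2 first value cached as a session note and in SSO (presumably user name)
     * @param str3 second value cached as a session note and in SSO (presumably password)
     * @param z10 create a session when the request has none
     * @param z11 store authentication type, principal and notes in the session
     */
    private void R8(ua.h hVar, HttpServletResponse httpServletResponse, Principal principal, String str, String str2, String str3, boolean z10, boolean z11) {
        if (this.f11858j.e()) {
            String name = principal == null ? "none" : principal.getName();
            this.f11858j.a("Authenticated '" + name + "' with type '" + str + "'");
        }
        hVar.n1(str);
        hVar.F1(principal);
        d0 M0 = hVar.M0(false);
        if (M0 != null) {
            if (this.f11861m && principal != null) {
                // Capture the old id only when it will be logged.
                String id2 = this.f11858j.e() ? M0.getId() : null;
                // Rotate the session id so an id known before login is no longer valid.
                hVar.w0().getManager().y(M0);
                hVar.l0(M0.getId());
                if (this.f11858j.e()) {
                    this.f11858j.a(f11849h0.h("authenticator.changeSessionId", id2, M0.getId()));
                }
            }
        } else if (z10) {
            M0 = hVar.M0(true);
        }
        d0 d0Var = M0;
        if (z11 && d0Var != null) {
            d0Var.setAuthType(str);
            d0Var.setPrincipal(principal);
            if (str2 != null) {
                d0Var.setNote(c.f11884n, str2);
            } else {
                d0Var.removeNote(c.f11884n);
            }
            if (str3 != null) {
                d0Var.setNote(c.f11883m, str3);
            } else {
                d0Var.removeNote(c.f11883m);
            }
        }
        if (this.f11855d0 == null) {
            // No single-sign-on valve configured: nothing further to register.
            return;
        }
        String str4 = (String) hVar.E0(c.f11881k);
        if (str4 == null) {
            // No SSO entry for this request yet: mint an id, send it as a cookie and register it.
            str4 = this.f11854c0.j1();
            Cookie cookie = new Cookie(c.f11880j, str4);
            cookie.setMaxAge(-1);
            cookie.setPath("/");
            cookie.setSecure(hVar.j());
            String v82 = this.f11855d0.v8();
            if (v82 != null) {
                cookie.setDomain(v82);
            }
            if (hVar.getServletContext().s0().h() || hVar.w0().V4()) {
                cookie.setHttpOnly(true);
            }
            httpServletResponse.F(cookie);
            this.f11855d0.z8(str4, principal, str, str2, str3);
            hVar.s1(c.f11881k, str4);
        } else {
            if (principal == null) {
                // Clearing: drop the SSO entry and the request note, then stop.
                this.f11855d0.t8(str4);
                hVar.k1(c.f11881k);
                return;
            }
            this.f11855d0.E8(str4, principal, str, str2, str3);
        }
        if (d0Var == null) {
            // The SSO association below needs a session, so create one if still absent.
            d0Var = hVar.M0(true);
        }
        this.f11855d0.s8(str4, d0Var);
    }

    /**
     * Gives the JASPIC context its post-processing call for the response and adopts the
     * request/response objects it leaves in the message info. An {@link AuthException} is
     * logged and not rethrown.
     *
     * @param hVar the request
     * @param jVar the response
     * @param bVar the per-request JASPIC state from {@link #G8}
     */
    private void S8(ua.h hVar, ua.j jVar, b bVar) {
        try {
            bVar.b.e(bVar.a, null);
            hVar.w1((HttpServletRequest) bVar.a.a());
            jVar.s0((HttpServletResponse) bVar.a.d());
        } catch (AuthException e10) {
            this.f11858j.i(f11849h0.g("authenticator.jaspicSecureResponseFail"), e10);
        }
    }

    /**
     * Authenticates the request through the JASPIC server auth context.
     *
     * <p>The request is first checked for an already-present identity via {@link #u8}. The
     * module is then invoked; any status other than {@code AuthStatus.b} (presumably SUCCESS)
     * fails the request. On success the principal found in the subject is registered unless
     * it equals the one already on the request, and the subject is stored as a request note.
     *
     * <p>NOTE(review): the debug line concatenates the {@link GenericPrincipal} itself, so
     * whatever its {@code toString()} prints ends up in the log.
     *
     * @param hVar the request
     * @param jVar the response
     * @param bVar the per-request JASPIC state from {@link #G8}
     * @param z10 when true, a successful status without a principal is treated as failure
     * @return {@code true} when the request may proceed
     */
    private boolean t8(ua.h hVar, ua.j jVar, b bVar, boolean z10) {
        boolean u82 = u8(hVar, jVar, false);
        Subject subject = new Subject();
        try {
            AuthStatus d10 = bVar.b.d(bVar.a, subject, null);
            // The module may have wrapped the request/response; adopt whatever it left behind.
            hVar.w1((HttpServletRequest) bVar.a.a());
            jVar.s0((HttpServletResponse) bVar.a.d());
            if (d10 != AuthStatus.b) {
                return false;
            }
            GenericPrincipal H8 = H8(subject);
            if (this.f11858j.e()) {
                this.f11858j.a("Authenticated user: " + H8);
            }
            if (H8 == null) {
                // Module succeeded without naming a caller: make sure no stale identity remains.
                hVar.F1(null);
                hVar.n1(null);
                if (z10) {
                    return false;
                }
            } else if (!u82 || !H8.getUserPrincipal().equals(hVar.getUserPrincipal())) {
                Map b10 = bVar.a.b();
                if (b10 == null || !b10.containsKey("javax.servlet.http.registerSession")) {
                    Q8(hVar, jVar, H8, "JASPIC", null, null);
                } else {
                    // The module asked for session registration: force session creation and caching.
                    R8(hVar, jVar, H8, "JASPIC", null, null, true, true);
                }
            }
            hVar.s1(c.f11882l, subject);
            return true;
        } catch (AuthException e10) {
            this.f11858j.b(f11849h0.g("authenticator.loginFail"), e10);
            return false;
        }
    }

    /**
     * Creates the JASPIC callback handler.
     *
     * <p>With no class name configured, the built-in handler from {@code ta.b.a()} is used.
     * Otherwise the named class is loaded, first through the thread context class loader and
     * then through this class's loader, and instantiated with its no-argument constructor.
     *
     * <p>Security note: this is a reflective instantiation of a name supplied through
     * {@link #X8}; that setter must only ever be fed from trusted configuration.
     *
     * <p>Fix over the decompiled original: the constructor call sat outside any handler, so
     * its checked reflective exceptions were neither caught nor declared. All reflective
     * failures now surface as {@link SecurityException}, matching the existing handling of
     * the second {@code Class.forName} call.
     *
     * @return a new callback handler
     * @throws SecurityException when the configured class cannot be loaded or instantiated
     */
    private CallbackHandler v8() {
        String str = this.f11853b0;
        if (str == null) {
            return ta.b.a();
        }
        Class<?> cls = null;
        try {
            cls = Class.forName(str, true, Thread.currentThread().getContextClassLoader());
        } catch (ClassNotFoundException ignored) {
            // Not visible to the context class loader; retried below with the default loader.
        }
        try {
            if (cls == null) {
                cls = Class.forName(str);
            }
            return (CallbackHandler) cls.getConstructor(new Class[0]).newInstance(new Object[0]);
        } catch (ReflectiveOperationException e10) {
            throw new SecurityException(e10);
        }
    }

    /**
     * Looks up the JASPIC provider for the "HttpServlet" layer and this application's context
     * id, passing this object as the registration listener, and caches the result.
     *
     * @return the lookup result; empty when there is no factory or no provider
     */
    private Optional<AuthConfigProvider> y8() {
        AuthConfigFactory d10 = AuthConfigFactory.d();
        Optional<AuthConfigProvider> empty = d10 == null ? Optional.empty() : Optional.ofNullable(d10.c("HttpServlet", this.f11856e0, this));
        this.f11857f0 = empty;
        return empty;
    }

    /**
     * Supplies the authentication type of the concrete authenticator. It is used as the
     * default auth type in {@link #u8} and {@link #m} and compared against a certificate
     * auth constant in {@link #L4}.
     */
    public abstract String A8();

    /** Returns whether the authenticated principal is cached in the session. */
    public boolean B8() {
        return this.f11860l;
    }

    /** Returns whether the session id is changed after a successful authentication. */
    public boolean C8() {
        return this.f11861m;
    }

    /** Returns whether cache-related headers are added to constrained responses. */
    public boolean D8() {
        return this.f11863o;
    }

    /** Returns the configured JASPIC callback handler class name, or {@code null}. */
    public String E8() {
        return this.f11853b0;
    }

    /**
     * Registration-listener callback: refreshes the cached JASPIC provider. Both arguments
     * are ignored.
     */
    @Override // javax.security.auth.message.config.RegistrationListener
    public void H2(String str, String str2) {
        y8();
    }

    /**
     * Authenticates the request on demand. Without a JASPIC provider this delegates to the
     * subclass's {@link #w8}; with one, it runs the JASPIC exchange with authentication
     * treated as mandatory.
     *
     * @param hVar the request
     * @param httpServletResponse the response passed to {@link #w8} in the non-JASPIC case
     * @return {@code true} when the caller was authenticated
     * @throws IOException if writing to the response fails
     */
    @Override // ra.c
    public boolean I1(ua.h hVar, HttpServletResponse httpServletResponse) throws IOException {
        AuthConfigProvider F8 = F8();
        if (F8 == null) {
            return w8(hVar, httpServletResponse);
        }
        ua.j J0 = hVar.J0();
        b G8 = G8(F8, hVar, J0, true);
        if (G8 == null) {
            return false;
        }
        boolean t82 = t8(hVar, J0, G8, true);
        S8(hVar, J0, G8);
        return t82;
    }

    /**
     * Returns the client certificate chain of the request. If the request attribute is not
     * populated, the connector is asked for it via {@code ActionCode.REQ_SSL_CERTIFICATE}
     * and the attribute is read again.
     *
     * @param hVar the request
     * @return the chain, or the initially read value (possibly {@code null} or empty) when
     *     the connector call throws {@link IllegalStateException}
     */
    public X509Certificate[] J8(ua.h hVar) throws IllegalStateException {
        X509Certificate[] x509CertificateArr = (X509Certificate[]) hVar.getAttribute("javax.servlet.request.X509Certificate");
        if (x509CertificateArr != null && x509CertificateArr.length >= 1) {
            return x509CertificateArr;
        }
        try {
            hVar.x0().a(ActionCode.REQ_SSL_CERTIFICATE, null);
            return (X509Certificate[]) hVar.getAttribute("javax.servlet.request.X509Certificate");
        } catch (IllegalStateException unused) {
            return x509CertificateArr;
        }
    }

    /** Returns whether the "Pragma: No-cache" variant of the cache headers is used. */
    public boolean K8() {
        return this.C;
    }

    /**
     * Enforces the context's security constraints for one request, in this order:
     * <ol>
     *   <li>restore a principal cached in the session when caching is enabled;</li>
     *   <li>look up the constraints that apply; pass the request straight through when there
     *       are none and no authentication is called for;</li>
     *   <li>set cache-related headers on constrained, non-POST responses;</li>
     *   <li>run the user-data-permission check (log text: "hasUserDataPermission()");</li>
     *   <li>authenticate when a constraint requires it, a JASPIC provider is present, or the
     *       context's {@code I7()} flag is set and the request carries an authorization
     *       header or client certificate;</li>
     *   <li>run the access-control check (log text: "accessControl()");</li>
     *   <li>invoke the next valve, then let JASPIC post-process the response.</li>
     * </ol>
     * Each failed check returns without invoking the next valve; the check itself is expected
     * to have written the response.
     *
     * <p>NOTE(review): the debug lines log the request method and URI and, for cached
     * authentication, the principal.
     *
     * @param hVar the request
     * @param jVar the response
     * @throws IOException if an I/O error occurs in a check or in the next valve
     * @throws ServletException if the next valve throws it
     */
    @Override // ra.o0
    public void L4(ua.h hVar, ua.j jVar) throws IOException, ServletException {
        boolean z10;
        String[] findAuthRoles;
        d0 M0;
        Principal principal;
        if (this.f11858j.e()) {
            // The separator constant is a single space that the decompiler resolved to an unrelated class.
            this.f11858j.a("Security checking request " + hVar.getMethod() + MinimalPrettyPrinter.DEFAULT_ROOT_VALUE_SEPARATOR + hVar.i0());
        }
        if (this.f11860l && hVar.getUserPrincipal() == null && (M0 = hVar.M0(false)) != null && (principal = M0.getPrincipal()) != null) {
            if (this.f11858j.e()) {
                this.f11858j.a("We have cached auth type " + M0.getAuthType() + " for principal " + principal);
            }
            hVar.n1(M0.getAuthType());
            hVar.F1(principal);
        }
        // O8 tracks "authentication should be attempted"; it starts from the subclass hook.
        boolean O8 = O8(hVar);
        z a72 = this.f11862n.a7();
        SecurityConstraint[] z42 = a72.z4(hVar, this.f11862n);
        AuthConfigProvider F8 = F8();
        if (F8 != null) {
            // A JASPIC module always gets to see the request.
            O8 = true;
        }
        if (z42 == null && !this.f11862n.I7() && !O8) {
            if (this.f11858j.e()) {
                this.f11858j.a(" Not subject to any constraint");
            }
            A3().L4(hVar, jVar);
            return;
        }
        if (z42 != null && this.f11863o && !"POST".equalsIgnoreCase(hVar.getMethod())) {
            // Header-name constants are presumably "Cache-Control" and "Expires" - confirm.
            if (this.C) {
                jVar.d("Pragma", "No-cache");
                jVar.d(ExpiresFilter.f10113g, "no-cache");
            } else {
                jVar.d(ExpiresFilter.f10113g, "private");
            }
            jVar.d(ExpiresFilter.f10114h, f11848g0);
        }
        if (z42 != null) {
            if (this.f11858j.e()) {
                this.f11858j.a(" Calling hasUserDataPermission()");
            }
            if (!a72.y3(hVar, jVar, z42)) {
                if (this.f11858j.e()) {
                    this.f11858j.a(" Failed hasUserDataPermission() test");
                }
                return;
            }
        }
        if (z42 != null) {
            // Authentication is required only if every constraint has an auth constraint that
            // names all roles, any authenticated user, or at least one role.
            z10 = true;
            for (int i10 = 0; i10 < z42.length && z10; i10++) {
                if (!z42[i10].getAuthConstraint() || (!z42[i10].getAllRoles() && !z42[i10].getAuthenticatedUsers() && ((findAuthRoles = z42[i10].findAuthRoles()) == null || findAuthRoles.length == 0))) {
                    z10 = false;
                }
            }
        } else {
            z10 = false;
        }
        if (!O8 && z10) {
            O8 = true;
        }
        if (!O8 && this.f11862n.I7()) {
            // Optional authentication: attempt it when the client volunteered credentials.
            O8 = hVar.x0().u().k("authorization") != null;
        }
        if (!O8 && this.f11862n.I7() && HttpServletRequest.f8216c.equals(A8())) {
            X509Certificate[] J8 = J8(hVar);
            O8 = J8 != null && J8.length > 0;
        }
        b bVar = null;
        if (O8) {
            if (this.f11858j.e()) {
                this.f11858j.a(" Calling authenticate()");
            }
            if (F8 != null && (bVar = G8(F8, hVar, jVar, z10)) == null) {
                return;
            }
            if ((F8 == null && !w8(hVar, jVar)) || (F8 != null && !t8(hVar, jVar, bVar, false))) {
                if (this.f11858j.e()) {
                    this.f11858j.a(" Failed authenticate() test");
                }
                return;
            }
        }
        if (z42 != null) {
            if (this.f11858j.e()) {
                this.f11858j.a(" Calling accessControl()");
            }
            if (!a72.o6(hVar, jVar, z42, this.f11862n)) {
                if (this.f11858j.e()) {
                    this.f11858j.a(" Failed accessControl() test");
                }
                return;
            }
        }
        if (this.f11858j.e()) {
            this.f11858j.a(" Successfully passed all security constraints");
        }
        A3().L4(hVar, jVar);
        if (F8 != null) {
            S8(hVar, jVar, bVar);
        }
    }

    /** Returns the random algorithm name handed to the session-id generator. */
    public String L8() {
        return this.Z;
    }

    /** Returns the value handed to the session-id generator's {@code u8} setter. */
    public String M8() {
        return this.D;
    }

    /** Returns the value handed to the session-id generator's {@code v8} setter. */
    public String N8() {
        return this.f11852a0;
    }

    /**
     * Hook consulted at the start of {@link #L4} to decide whether authentication should be
     * attempted even without a constraint. This base implementation always answers
     * {@code false}.
     */
    public boolean O8(ua.h hVar) {
        return false;
    }

    /**
     * Tries to re-authenticate the request from a single-sign-on entry and, on success,
     * associates the request's session with that entry.
     *
     * @param str the SSO id
     * @param hVar the request
     * @return {@code true} when the SSO valve re-authenticated the request; {@code false}
     *     when there is no SSO valve, no id, no realm, or re-authentication failed
     */
    public boolean P8(String str, ua.h hVar) {
        z a72;
        boolean z10 = false;
        if (this.f11855d0 != null && str != null) {
            ra.f container = getContainer();
            if (container != null && (a72 = container.a7()) != null) {
                z10 = this.f11855d0.y8(str, a72, hVar);
            }
            if (z10) {
                s8(str, hVar.M0(true));
                if (this.f11858j.e()) {
                    this.f11858j.a(" Reauthenticated cached principal '" + hVar.getUserPrincipal().getName() + "' with auth type '" + hVar.getAuthType() + "'");
                }
            }
        }
        return z10;
    }

    /**
     * Registers an authentication result using this authenticator's configured
     * session-creation ({@code f11859k}) and session-caching ({@code f11860l}) flags.
     * See {@link #R8} for the effects and parameter meanings.
     */
    public void Q8(ua.h hVar, HttpServletResponse httpServletResponse, Principal principal, String str, String str2, String str3) {
        R8(hVar, httpServletResponse, principal, str, str2, str3, this.f11859k, this.f11860l);
    }

    /**
     * Logs the caller out: lets the JASPIC module clean the stored subject, calls
     * {@code logout()} on the principal when it is a {@code j0}, and finally clears the
     * registration (request, session and SSO entry) by registering a {@code null} principal.
     * Failures in the first two steps are logged and do not stop the final clearing step.
     *
     * @param hVar the request
     */
    @Override // ra.c
    public void T1(ua.h hVar) {
        AuthConfigProvider F8 = F8();
        if (F8 != null) {
            ta.c cVar = new ta.c(hVar, hVar.J0(), true);
            Subject subject = (Subject) hVar.E0(c.f11882l);
            if (subject != null) {
                try {
                    ServerAuthConfig a = F8.a("HttpServlet", this.f11856e0, ta.b.a());
                    a.a(a.f(cVar), null, null).b(cVar, subject);
                } catch (AuthException e10) {
                    this.f11858j.b(f11849h0.g("authenticator.jaspicCleanSubjectFail"), e10);
                }
            }
        }
        Principal G0 = hVar.G0();
        if (G0 instanceof j0) {
            try {
                ((j0) G0).logout();
            } catch (Throwable th) {
                // jc.b.a presumably rethrows fatal errors; anything else is logged and swallowed.
                jc.b.a(th);
                this.f11858j.b(f11849h0.g("authenticator.tomcatPrincipalLogoutFail"), th);
            }
        }
        Q8(hVar, hVar.J0(), null, null, null, null);
    }

    /** Sets whether a session is created on authentication when the request has none. */
    public void T8(boolean z10) {
        this.f11859k = z10;
    }

    /** Sets whether the authenticated principal is cached in the session. */
    public void U8(boolean z10) {
        this.f11860l = z10;
    }

    /**
     * Sets whether the session id is changed after a successful authentication. Disabling
     * this removes the session-fixation defence applied in {@link #R8}.
     */
    public void V8(boolean z10) {
        this.f11861m = z10;
    }

    /** Sets whether cache-related headers are added to constrained responses. */
    public void W8(boolean z10) {
        this.f11863o = z10;
    }

    /**
     * Sets the class name that {@link #v8()} loads and instantiates as the JASPIC callback
     * handler. The value is used for reflective class loading, so it must come from trusted
     * configuration only.
     */
    public void X8(String str) {
        this.f11853b0 = str;
    }

    /** Sets whether the "Pragma: No-cache" variant of the cache headers is used. */
    public void Y8(boolean z10) {
        this.C = z10;
    }

    /** Sets the random algorithm name handed to the session-id generator at start-up. */
    public void Z8(String str) {
        this.Z = str;
    }

    /** Sets the value handed to the session-id generator's {@code u8} setter at start-up. */
    public void a9(String str) {
        this.D = str;
    }

    /** Sets the value handed to the session-id generator's {@code v8} setter at start-up. */
    public void b9(String str) {
        this.f11852a0 = str;
    }

    /** Returns the context this authenticator is attached to. */
    @Override // lb.p, ra.e
    public ra.f getContainer() {
        return this.f11862n;
    }

    /**
     * Programmatic login: authenticates the two supplied strings against the realm and
     * registers the resulting principal with this authenticator's auth type. The same two
     * strings are forwarded to {@link #Q8} and therefore cached in the session and SSO entry
     * according to the configured flags.
     *
     * @param str first credential value (presumably user name)
     * @param str2 second credential value (presumably password)
     * @param hVar the request
     * @throws ServletException when the realm rejects the credentials
     */
    @Override // ra.c
    public void m(String str, String str2, ua.h hVar) throws ServletException {
        Q8(hVar, hVar.J0(), x8(hVar, str, str2), A8(), str, str2);
    }

    /**
     * Start-up hook: derives the JASPIC application context id, searches the parent
     * containers' pipelines for a single-sign-on valve, and creates the session-id generator
     * configured from {@link #L8()}, {@link #M8()} and {@link #N8()}.
     *
     * @throws LifecycleException propagated from the superclass
     */
    @Override // lb.p, kb.k
    public synchronized void m8() throws LifecycleException {
        ServletContext servletContext = this.f11862n.getServletContext();
        // Two servlet-context values joined by a single space (the separator constant's value).
        this.f11856e0 = servletContext.X() + MinimalPrettyPrinter.DEFAULT_ROOT_VALUE_SEPARATOR + servletContext.y();
        ra.f parent = this.f11862n.getParent();
        // Walk up the container hierarchy until some pipeline contains an SSO valve.
        while (this.f11855d0 == null && parent != null) {
            o0[] o42 = parent.U6().o4();
            int i10 = 0;
            while (true) {
                if (i10 >= o42.length) {
                    break;
                }
                if (o42[i10] instanceof h) {
                    this.f11855d0 = (h) o42[i10];
                    break;
                }
                i10++;
            }
            if (this.f11855d0 == null) {
                parent = parent.getParent();
            }
        }
        if (this.f11858j.e()) {
            if (this.f11855d0 != null) {
                this.f11858j.a("Found SingleSignOn Valve at " + this.f11855d0);
            } else {
                this.f11858j.a("No SingleSignOn Valve is present");
            }
        }
        s sVar = new s();
        this.f11854c0 = sVar;
        sVar.t8(L8());
        this.f11854c0.u8(M8());
        this.f11854c0.v8(N8());
        super.m8();
    }

    /**
     * Shutdown hook: runs the superclass shutdown and drops the reference to the SSO valve.
     *
     * @throws LifecycleException propagated from the superclass
     */
    @Override // lb.p, kb.k
    public synchronized void n8() throws LifecycleException {
        super.n8();
        this.f11855d0 = null;
    }

    /**
     * Associates a session with a single-sign-on id. Does nothing when no SSO valve is
     * configured.
     *
     * @param str the SSO id
     * @param d0Var the session to associate
     */
    public void s8(String str, d0 d0Var) {
        h hVar = this.f11855d0;
        if (hVar == null) {
            return;
        }
        hVar.s8(str, d0Var);
    }

    /**
     * Checks whether the request already carries, or can cheaply obtain, an authenticated
     * identity, in three steps:
     * <ol>
     *   <li>a principal already on the request (its session is associated with the SSO id
     *       when one is present);</li>
     *   <li>when {@code z10} is set, re-authentication from the SSO entry;</li>
     *   <li>a user name supplied by the connector layer ({@code hVar.x0().A()}, gated by
     *       {@code hVar.x0().B()}). The name is looked up in the realm; when the realm
     *       returns nothing, a {@link GenericPrincipal} with that name and no roles is
     *       created and registered anyway.</li>
     * </ol>
     *
     * <p>Security note: step 3 trusts an identity asserted upstream of this code rather than
     * credentials verified here. NOTE(review): confirm which connector settings make
     * {@code B()} true and make sure only trusted front-ends can reach that connector. The
     * debug lines in step 3 log the supplied user name.
     *
     * @param hVar the request
     * @param httpServletResponse the response used when registering the principal
     * @param z10 whether SSO re-authentication may be attempted
     * @return {@code true} when the request is authenticated after the check
     */
    public boolean u8(ua.h hVar, HttpServletResponse httpServletResponse, boolean z10) {
        String messageBytes;
        Principal userPrincipal = hVar.getUserPrincipal();
        String str = (String) hVar.E0(c.f11881k);
        if (userPrincipal != null) {
            if (this.f11858j.e()) {
                this.f11858j.a(f11849h0.h("authenticator.check.found", userPrincipal.getName()));
            }
            if (str != null) {
                s8(str, hVar.M0(true));
            }
            return true;
        }
        if (z10 && str != null) {
            if (this.f11858j.e()) {
                this.f11858j.a(f11849h0.h("authenticator.check.sso", str));
            }
            if (P8(str, hVar)) {
                return true;
            }
        }
        if (!hVar.x0().B() || (messageBytes = hVar.x0().A().toString()) == null) {
            return false;
        }
        if (this.f11858j.e()) {
            this.f11858j.a(f11849h0.h("authenticator.check.authorize", messageBytes));
        }
        Principal Q5 = this.f11862n.a7().Q5(messageBytes);
        if (Q5 == null) {
            if (this.f11858j.e()) {
                this.f11858j.a(f11849h0.h("authenticator.check.authorizeFail", messageBytes));
            }
            // Realm does not know the name: continue with a principal that has no roles.
            Q5 = new GenericPrincipal(messageBytes, null, null);
        }
        Principal principal = Q5;
        String authType = hVar.getAuthType();
        if (authType == null || authType.length() == 0) {
            authType = A8();
        }
        Q8(hVar, httpServletResponse, principal, authType, messageBytes, null);
        return true;
    }

    /**
     * Performs the scheme-specific authentication of the concrete authenticator. Called from
     * {@link #I1} and {@link #L4} when no JASPIC provider is registered.
     *
     * @param hVar the request
     * @param httpServletResponse the response, e.g. for writing a challenge
     * @return {@code true} when the request is authenticated and processing may continue
     * @throws IOException if writing to the response fails
     */
    public abstract boolean w8(ua.h hVar, HttpServletResponse httpServletResponse) throws IOException;

    /**
     * Authenticates two credential strings against the context's realm.
     *
     * @param hVar the request (not used by this implementation)
     * @param str first credential value (presumably user name)
     * @param str2 second credential value (presumably password)
     * @return the authenticated principal, never {@code null}
     * @throws ServletException with the "authenticator.loginFail" message when the realm
     *     returns no principal
     */
    public Principal x8(ua.h hVar, String str, String str2) throws ServletException {
        Principal P3 = this.f11862n.a7().P3(str, str2);
        if (P3 != null) {
            return P3;
        }
        throw new ServletException(f11849h0.g("authenticator.loginFail"));
    }

    /**
     * Attaches this authenticator to a container, which must be a {@code j} or {@code null}.
     *
     * @param fVar the container
     * @throws IllegalArgumentException when {@code fVar} is non-null and not a {@code j}
     */
    @Override // lb.p, ra.e
    public void z7(ra.f fVar) {
        if (fVar != null && !(fVar instanceof j)) {
            throw new IllegalArgumentException(f11849h0.g("authenticator.notContext"));
        }
        super.z7(fVar);
        this.f11862n = (j) fVar;
    }

    /** Returns whether a session is created on authentication when the request has none. */
    public boolean z8() {
        return this.f11859k;
    }
}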
