package org.ametys.core.authentication;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.ametys.core.ObservationConstants;
import org.ametys.core.authentication.token.AuthenticationTokenManager;
import org.ametys.core.observation.Event;
import org.ametys.core.observation.ObservationManager;
import org.ametys.core.trace.ForensicLogger;
import org.ametys.core.user.CurrentUserProvider;
import org.ametys.core.user.User;
import org.ametys.core.user.UserIdentity;
import org.ametys.core.user.UserManager;
import org.ametys.core.user.directory.ModifiableUserDirectory;
import org.ametys.core.user.directory.UserDirectory;
import org.ametys.core.user.directory.WeakPasswordException;
import org.ametys.core.user.population.PopulationContextHelper;
import org.ametys.core.user.population.UserPopulation;
import org.ametys.core.user.population.UserPopulationDAO;
import org.ametys.core.util.URIUtils;
import org.ametys.plugins.core.impl.authentication.FormCredentialProvider;
import org.ametys.plugins.core.user.UserDAO;
import org.ametys.plugins.core.user.management.UserPasswordManager;
import org.ametys.runtime.authentication.AccessDeniedException;
import org.ametys.runtime.authentication.AuthorizationRequiredException;
import org.ametys.runtime.maintenance.MaintenanceAction;
import org.ametys.runtime.servlet.RuntimeServlet;
import org.ametys.runtime.workspace.WorkspaceMatcher;
import org.apache.avalon.framework.activity.Initializable;
import org.apache.avalon.framework.parameters.Parameters;
import org.apache.avalon.framework.service.ServiceException;
import org.apache.avalon.framework.thread.ThreadSafe;
import org.apache.cocoon.ProcessingException;
import org.apache.cocoon.acting.ServiceableAction;
import org.apache.cocoon.environment.ObjectModelHelper;
import org.apache.cocoon.environment.Redirector;
import org.apache.cocoon.environment.Request;
import org.apache.cocoon.environment.Session;
import org.apache.cocoon.environment.SourceResolver;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:org/ametys/core/authentication/AuthenticateAction.class */
public class AuthenticateAction extends ServiceableAction implements ThreadSafe, Initializable {
    // Request attribute: any non-null value makes _internalRequest() accept the request.
    public static final String REQUEST_ATTRIBUTE_INTERNAL_ALLOWED = "Runtime:InternalAllowedRequest";
    // Request attribute: set to true when a request is let through without a user identity
    // (accepted URL, or a credential provider granting anonymous access).
    public static final String REQUEST_ATTRIBUTE_GRANTED = "Runtime:GrantedRequest";
    public static final String REQUEST_ATTRIBUTE_AVAILABLE_USER_POPULATIONS_LIST = "Runtime:UserPopulationsList";
    public static final String REQUEST_ATTRIBUTE_USER_POPULATION_ID = "Runtime:CurrentUserPopulationId";
    public static final String REQUEST_ATTRIBUTE_LOGIN_URL = "Runtime:RequestLoginURL";
    // Session attribute holding the authenticated UserIdentity.
    public static final String SESSION_USERIDENTITY = "Runtime:UserIdentity";
    // Request parameter carrying the population id chosen by the client; it is validated against
    // the available populations in _getChosenUserPopulationId().
    public static final String REQUEST_PARAMETER_POPULATION_NAME = "UserPopulation";
    // Request parameter carrying a credential provider index; client-controlled.
    public static final String REQUEST_PARAMETER_CREDENTIALPROVIDER_INDEX = "CredentialProviderIndex";
    // Request parameter; the value "force" disables blocking mode. The constant name is misspelled
    // ("NONBLOCING") but it is public, so it cannot be renamed without breaking callers.
    public static final String REQUEST_PARAMETER_NONBLOCING = "NonBlocking";
    // Request attribute set to the string "true" once act() has handled the request.
    public static final String REQUEST_ATTRIBUTE_AUTHENTICATED = "Runtime:RequestAuthenticated";
    public static final String REQUEST_PARAMETER_TOKEN = "token";
    public static final String REQUEST_PARAMETER_TOKEN_CONTEXT = "tokenContext";
    // HTTP header read first by _handleAuthenticationToken().
    public static final String HEADER_TOKEN = "X-Ametys-Token";
    protected static final String PARAMETERS_PARAMETER_TOKEN = "token";
    protected static final String PARAMETERS_PARAMETER_TOKEN_CONTEXT = "tokenContext";
    protected static final String REQUEST_ATTRIBUTE_CREDENTIAL_PROVIDER_LIST = "Runtime:RequestListCredentialProvider";
    protected static final String REQUEST_ATTRIBUTE_CREDENTIAL_PROVIDER_INDEX = "Runtime:RequestCredentialProviderIndex";
    protected static final String REQUEST_ATTRIBUTE_SHOULD_DISPLAY_USER_POPULATIONS_LIST = "Runtime:UserPopulationsListDisplay";
    protected static final String REQUEST_ATTRIBUTE_INVALID_POPULATION = "Runtime:RequestInvalidPopulation";
    protected static final String REQUEST_ATTRIBUTE_CONTEXTS = "Runtime:Contexts";
    // Session attributes describing a login that is still in progress ("connecting" state).
    protected static final String SESSION_CONNECTING_CREDENTIALPROVIDER_INDEX = "Runtime:ConnectingCredentialProviderIndex";
    protected static final String SESSION_CONNECTING_CREDENTIALPROVIDER_INDEX_LASTBLOCKINGKNOWN = "Runtime:ConnectingCredentialProviderIndexLastKnown";
    protected static final String SESSION_CONNECTING_CREDENTIALPROVIDER_MODE = "Runtime:ConnectingCredentialProviderMode";
    protected static final String SESSION_CONNECTING_USERPOPULATION_ID = "Runtime:ConnectingUserPopulationId";
    // Session attributes describing how the authenticated user logged in.
    protected static final String SESSION_CREDENTIALPROVIDER = "Runtime:CredentialProvider";
    protected static final String SESSION_CREDENTIALPROVIDER_MODE = "Runtime:CredentialProviderMode";
    // Name of the action parameter selecting a TOKEN_MODE value.
    protected static final String SITEMAP_PARAMETER_TOKEN_MODE = "token-mode";
    protected UserPopulationDAO _userPopulationDAO;
    protected UserManager _userManager;
    protected PopulationContextHelper _populationContextHelper;
    protected CurrentUserProvider _currentUserProvider;
    // Workspace-relative URLs that _acceptedUrl() lets through without authentication.
    // NOTE(review): the '.' in "reset-password.html" is not escaped, so it matches any single
    // character; "reset-password\\.html" would restrict the bypass to the intended path.
    protected Collection<Pattern> _acceptedUrlPatterns = Arrays.asList(Pattern.compile("^plugins/core/authenticate/[0-9]+$"), Pattern.compile("^plugins/core/reset-password.html$"));
    // The next three components are optional: initialize() leaves them null when their lookup
    // fails, and every use in this class is guarded by a null check.
    protected AuthenticationTokenManager _authenticateTokenManager;
    protected ObservationManager _observationManager;
    protected UserPasswordManager _userPasswordManager;
    protected UserStatusManager _userStatusManager;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/ametys/core/authentication/AuthenticateAction$TOKEN_MODE.class */
    /**
     * How act() behaves once neither the pre-flight checks nor a token accepted the request.
     * The value is read from the "token-mode" action parameter by _getTokenMode().
     */
    public enum TOKEN_MODE {
        // act() returns null without marking the request as handled: no credential provider is tried.
        TOKEN_ONLY,
        // act() marks the request with REQUEST_ATTRIBUTE_AUTHENTICATED and returns null, still
        // without any user identity in the session.
        ALLOW_ANONYMOUS,
        // act() goes on with the user populations and their credential providers.
        DEFAULT
    }

    /**
     * Looks up the components this action depends on from the service manager.
     *
     * @throws Exception if one of the mandatory components cannot be looked up
     */
    public void initialize() throws Exception {
        // Mandatory components: a failed lookup propagates and aborts initialization.
        this._userPopulationDAO = (UserPopulationDAO) this.manager.lookup(UserPopulationDAO.ROLE);
        this._userManager = (UserManager) this.manager.lookup(UserManager.ROLE);
        this._populationContextHelper = (PopulationContextHelper) this.manager.lookup(PopulationContextHelper.ROLE);
        this._userStatusManager = (UserStatusManager) this.manager.lookup(UserStatusManager.ROLE);
        this._currentUserProvider = (CurrentUserProvider) this.manager.lookup(CurrentUserProvider.ROLE);
        try {
            // Optional components: their fields stay null when unavailable, and the rest of the
            // class null-checks them before use.
            this._userPasswordManager = (UserPasswordManager) this.manager.lookup(UserPasswordManager.ROLE);
            this._authenticateTokenManager = (AuthenticationTokenManager) this.manager.lookup(AuthenticationTokenManager.ROLE);
            this._observationManager = (ObservationManager) this.manager.lookup(ObservationManager.ROLE);
        } catch (ServiceException e) {
            // Swallowed on purpose (presumably a reduced runtime where these components do not
            // exist — TODO confirm). NOTE(review): the first failing lookup also skips the ones
            // after it, so a missing UserPasswordManager silently disables token authentication
            // and the "user authenticated" event as well; nothing is logged here.
        }
    }

    /**
     * Authenticates the current request.
     *
     * <p>The request is accepted, in this order, by the pre-flight checks, by an authentication
     * token, by a non-blocking credential provider, then by a blocking one. When nothing accepts
     * it, the client is redirected to the login screen or an
     * {@link AuthorizationRequiredException} is thrown.
     *
     * @param redirector used to redirect to the login screen or wherever a provider requires
     * @param sourceResolver passed through to the pre-flight checks
     * @param map the object model the request is taken from
     * @param str the action source, passed through to the pre-flight checks
     * @param parameters the action parameters (token mode, context, token...)
     * @return EMPTY_MAP when the request was accepted or redirected, null when a non-default
     *         token mode is configured and no token authenticated the request
     * @throws Exception AuthorizationRequiredException when no provider can authenticate the
     *         request, or whatever a provider or the redirector throws
     */
    public Map act(Redirector redirector, SourceResolver sourceResolver, Map map, String str, Parameters parameters) throws Exception {
        Request request = ObjectModelHelper.getRequest(map);
        // Short-circuit: the token is only examined when the pre-flight checks did not accept.
        if (_preFlightCheck(redirector, sourceResolver, map, str, parameters) || _handleAuthenticationToken(request, parameters)) {
            request.setAttribute(REQUEST_ATTRIBUTE_AUTHENTICATED, "true");
            return EMPTY_MAP;
        }
        // Non-default token modes never reach the credential providers.
        if (_getTokenMode(parameters) != TOKEN_MODE.DEFAULT) {
            if (_getTokenMode(parameters) != TOKEN_MODE.ALLOW_ANONYMOUS) {
                // TOKEN_ONLY: the request is not marked as handled.
                return null;
            }
            // ALLOW_ANONYMOUS: marked as handled although no identity was put in the session.
            request.setAttribute(REQUEST_ATTRIBUTE_AUTHENTICATED, "true");
            return null;
        }
        request.setAttribute(REQUEST_ATTRIBUTE_AUTHENTICATED, "true");
        // Raw lists (generics lost by the decompiler): arrayList receives the user populations,
        // arrayList2 the credential providers.
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        if (!_prepareUserPopulationsAndCredentialProviders(request, parameters, redirector, arrayList, arrayList2)) {
            return EMPTY_MAP;
        }
        int _getCurrentCredentialProviderIndex = _getCurrentCredentialProviderIndex(request, arrayList2);
        request.setAttribute(REQUEST_ATTRIBUTE_CREDENTIAL_PROVIDER_INDEX, Integer.valueOf(_getCurrentCredentialProviderIndex));
        request.setAttribute(REQUEST_ATTRIBUTE_LOGIN_URL, getLoginURL(request));
        if (!_isCurrentCredentialProviderInBlockingMode(request)) {
            // Non-blocking pass: try every provider from the current index on (index 0 when none).
            for (int max = Math.max(0, _getCurrentCredentialProviderIndex); max < arrayList2.size(); max++) {
                if (_process(request, false, arrayList2.get(max), max, redirector, arrayList)) {
                    return EMPTY_MAP;
                }
            }
            // No non-blocking provider accepted: continue in blocking mode with no provider chosen.
            _getCurrentCredentialProviderIndex = -1;
        }
        _saveLastKnownBlockingCredentialProvider(request, _getCurrentCredentialProviderIndex);
        if (_shouldRunFirstBlockingCredentialProvider(_getCurrentCredentialProviderIndex, arrayList2, request, arrayList)) {
            if (_process(request, true, _getCurrentCredentialProviderIndex == -1 ? _getFirstBlockingCredentialProvider(arrayList2) : arrayList2.get(_getCurrentCredentialProviderIndex), _getCurrentCredentialProviderIndex, redirector, arrayList)) {
                return EMPTY_MAP;
            }
            throw new AuthorizationRequiredException();
        }
        // NOTE(review): the index below comes from the session and is passed to get() without a
        // range check; a value outside the current provider list raises an
        // IndexOutOfBoundsException instead of a clean authentication failure.
        Integer num = (Integer) request.getSession(true).getAttribute(SESSION_CONNECTING_CREDENTIALPROVIDER_INDEX_LASTBLOCKINGKNOWN);
        if (num == null || !arrayList2.get(num.intValue()).grantAnonymousRequest(true)) {
            return _displayBlockingList(redirector, request, arrayList2);
        }
        // The last known blocking provider grants this request anonymously.
        request.setAttribute(REQUEST_ATTRIBUTE_GRANTED, true);
        _saveConnectingStateToSession(request, -1, true);
        return EMPTY_MAP;
    }

    /**
     * Runs the checks that can accept a request before any token or credential provider is used.
     * The checks run in a fixed order and stop at the first one that accepts: logout handling,
     * internal request, accepted URL, already connected user, then a pending redirection.
     *
     * @param redirector the redirector, also queried for a redirection issued by a check
     * @param sourceResolver unused here
     * @param map the object model the request is taken from
     * @param str the action source, forwarded to the logout handling
     * @param parameters the action parameters
     * @return true when the request needs no further authentication
     * @throws Exception if one of the checks fails
     */
    protected boolean _preFlightCheck(Redirector redirector, SourceResolver sourceResolver, Map map, String str, Parameters parameters) throws Exception {
        Request currentRequest = ObjectModelHelper.getRequest(map);
        if (_handleLogout(redirector, map, str, parameters)) {
            return true;
        }
        if (_internalRequest(currentRequest)) {
            return true;
        }
        if (_acceptedUrl(currentRequest)) {
            return true;
        }
        if (_validateCurrentlyConnectedUser(currentRequest, redirector, parameters)) {
            return true;
        }
        return redirector.hasRedirected();
    }

    /**
     * Tries to authenticate the request with an authentication token.
     *
     * <p>The token is read from the {@code X-Ametys-Token} header first. When the header is blank,
     * the "token" action parameter is used, and its default value is the "token" request parameter.
     *
     * <p>NOTE(review): a token sent as a request parameter can end up in access logs, browser
     * history and Referer headers; the header is the safer transport.
     *
     * @param request the current request
     * @param parameters the action parameters ("token", "tokenContext")
     * @return true when a valid token authenticated the request
     */
    protected boolean _handleAuthenticationToken(Request request, Parameters parameters) {
        String candidate = request.getHeader(HEADER_TOKEN);
        if (StringUtils.isBlank(candidate)) {
            candidate = parameters.getParameter("token", _getTokenFromRequest(request));
        }
        if (StringUtils.isBlank(candidate)) {
            return false;
        }

        String tokenContext = parameters.getParameter("tokenContext", (String) null);
        UserIdentity tokenOwner = _validateToken(candidate, tokenContext);
        if (tokenOwner == null) {
            return false;
        }

        // NOTE(review): the identity is stored in the session before the population check below,
        // which can throw AccessDeniedException; the session then keeps the identity. Confirm the
        // caller discards the session in that case, or run the check first.
        _setUserIdentityInSession(request, tokenOwner, new UserDAO.ImpersonateCredentialProvider(), true);
        _validateCurrentlyConnectedUserIsInAuthorizedPopulation(tokenOwner, request, parameters);
        this._userStatusManager.updateConnectionDate(tokenOwner);
        // Only the user identity is logged, never the token itself.
        ForensicLogger.info("authentication.token", Map.of("user", tokenOwner), tokenOwner);
        return true;
    }

    /**
     * Reads the authentication token sent as the "token" request parameter.
     *
     * @param request the current request
     * @return the raw parameter value, or null when the parameter is absent
     */
    protected String _getTokenFromRequest(Request request) {
        String tokenParameter = request.getParameter("token");
        return tokenParameter;
    }

    /**
     * Resolves a token to the user it belongs to.
     *
     * @param str the token value
     * @param str2 the token context, may be null
     * @return the identity returned by the token manager, or null when no token manager is
     *         available (token authentication is then disabled)
     */
    protected UserIdentity _validateToken(String str, String str2) {
        if (this._authenticateTokenManager == null) {
            return null;
        }
        return this._authenticateTokenManager.validateToken(str, str2);
    }

    /**
     * Reads the token mode from the "token-mode" action parameter, case-insensitively.
     *
     * @param parameters the action parameters
     * @return the configured mode, DEFAULT when the parameter is absent
     * @throws IllegalArgumentException (from valueOf) when the value names no TOKEN_MODE constant
     */
    private TOKEN_MODE _getTokenMode(Parameters parameters) {
        String fallback = TOKEN_MODE.DEFAULT.toString();
        String configured = parameters.getParameter(SITEMAP_PARAMETER_TOKEN_MODE, fallback);
        return TOKEN_MODE.valueOf(configured.toUpperCase());
    }

    /**
     * Remembers in the session the index of the blocking credential provider in use.
     * Nothing is stored, and no session is created, when the index is -1 (no provider chosen).
     *
     * @param request the current request
     * @param i the credential provider index, or -1
     */
    private void _saveLastKnownBlockingCredentialProvider(Request request, int i) {
        if (i == -1) {
            return;
        }
        Session session = request.getSession(true);
        session.setAttribute(SESSION_CONNECTING_CREDENTIALPROVIDER_INDEX_LASTBLOCKINGKNOWN, Integer.valueOf(i));
    }

    /**
     * Redirects to the login screen so that the user can pick a blocking credential provider.
     *
     * @param redirector the redirector
     * @param request the current request
     * @param list the credential providers of the current populations
     * @return EMPTY_MAP once the redirection is issued
     * @throws AuthorizationRequiredException when the list holds no blocking credential provider
     * @throws IOException if the redirection fails
     * @throws ProcessingException if the redirection fails
     */
    private Map _displayBlockingList(Redirector redirector, Request request, List<CredentialProvider> list) throws IOException, ProcessingException, AuthorizationRequiredException {
        boolean hasBlockingProvider = list.stream().anyMatch(candidate -> candidate instanceof BlockingCredentialProvider);
        if (!hasBlockingProvider) {
            // Nothing can be offered to the user.
            throw new AuthorizationRequiredException();
        }
        _saveConnectingStateToSession(request, -1, true);
        String loginUrl = getLoginURL(request);
        redirector.redirect(false, loginUrl);
        return EMPTY_MAP;
    }

    /**
     * Tells whether a blocking credential provider must be run right away rather than showing
     * the list of providers.
     *
     * <p>That is the case when a provider index is already known, or when there is exactly one
     * blocking provider and either every available population is in use or that provider
     * requires a new window.
     *
     * @param i the current credential provider index, -1 when none is chosen
     * @param list the credential providers
     * @param request the current request, holding the available populations as an attribute
     * @param list2 the populations in use
     * @return true to run the blocking credential provider now
     */
    private boolean _shouldRunFirstBlockingCredentialProvider(int i, List<CredentialProvider> list, Request request, List<UserPopulation> list2) {
        if (i >= 0) {
            return true;
        }
        long blockingCount = list.stream().filter(candidate -> candidate instanceof BlockingCredentialProvider).count();
        if (blockingCount != 1) {
            return false;
        }
        List<?> availablePopulations = (List<?>) request.getAttribute(REQUEST_ATTRIBUTE_AVAILABLE_USER_POPULATIONS_LIST);
        if (availablePopulations.size() == list2.size()) {
            return true;
        }
        return _getFirstBlockingCredentialProvider(list).requiresNewWindow();
    }

    /**
     * Finds the first blocking credential provider of a list, in list order.
     *
     * @param list the credential providers
     * @return the first element that is a BlockingCredentialProvider, or null when there is none
     */
    private BlockingCredentialProvider _getFirstBlockingCredentialProvider(List<CredentialProvider> list) {
        for (CredentialProvider candidate : list) {
            if (candidate instanceof BlockingCredentialProvider) {
                return (BlockingCredentialProvider) candidate;
            }
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Works out which user populations and credential providers apply to the request, and
     * publishes the intermediate results as request attributes for the login screen.
     *
     * @param request the current request
     * @param parameters the action parameters ("context", "nocontext-redirection")
     * @param redirector the redirector; may be null, in which case no redirection is issued
     * @param list output: filled with the populations to authenticate against
     * @param list2 output: filled with the credential providers to try
     * @return true when list2 was filled and authentication can go on, false when the request
     *         was redirected or no common credential provider list exists
     * @throws ProcessingException if a redirection fails
     * @throws IOException if a redirection fails
     */
    public boolean _prepareUserPopulationsAndCredentialProviders(Request request, Parameters parameters, Redirector redirector, List<UserPopulation> list, List<CredentialProvider> list2) throws ProcessingException, IOException {
        List<String> _getContexts = _getContexts(request, parameters);
        request.setAttribute(REQUEST_ATTRIBUTE_CONTEXTS, _getContexts);
        Stream<String> stream = _getAvailableUserPopulationsIds(request, _getContexts).stream();
        UserPopulationDAO userPopulationDAO = this._userPopulationDAO;
        Objects.requireNonNull(userPopulationDAO);
        List<UserPopulation> list3 = (List) stream.map(userPopulationDAO::getUserPopulation).collect(Collectors.toList());
        request.setAttribute(REQUEST_ATTRIBUTE_AVAILABLE_USER_POPULATIONS_LIST, list3);
        // The chosen id comes from the request or the session and is only kept when it names one
        // of the available populations.
        String _getChosenUserPopulationId = _getChosenUserPopulationId(request, list3);
        request.setAttribute(REQUEST_ATTRIBUTE_USER_POPULATION_ID, _getChosenUserPopulationId);
        // A chosen population narrows the set to that one; otherwise every available one is used.
        list.addAll(_getChosenUserPopulationId == null ? list3 : Collections.singletonList(this._userPopulationDAO.getUserPopulation(_getChosenUserPopulationId)));
        if (list.size() == 0) {
            // The redirection target is an action parameter, not a value taken from the request.
            String parameter = parameters.getParameter("nocontext-redirection", (String) null);
            if (parameter == null) {
                throw new IllegalStateException("There is no populations available for contexts '" + StringUtils.join(_getContexts, "', '") + "'");
            }
            redirector.redirect(false, parameter);
            return false;
        }
        boolean _hasCredentialProviders = _hasCredentialProviders(list);
        request.setAttribute(REQUEST_ATTRIBUTE_CREDENTIAL_PROVIDER_LIST, Boolean.valueOf(_hasCredentialProviders));
        if (_hasCredentialProviders) {
            // _hasCredentialProviders() returned true, so the providers of the first population
            // stand for all of them.
            list2.addAll(list.get(0).getCredentialProviders());
            if (list2.size() == 0) {
                throw new IllegalStateException("There is no populations credential provider available for contexts '" + StringUtils.join(_getContexts, "', '") + "'");
            }
            request.setAttribute(REQUEST_ATTRIBUTE_SHOULD_DISPLAY_USER_POPULATIONS_LIST, Boolean.valueOf(_getChosenUserPopulationId == null || _hasCredentialProviders(list3) || (list2.size() == 1 && !list2.stream().filter(credentialProvider -> {
                return credentialProvider instanceof FormCredentialProvider;
            }).findAny().isPresent())));
            return true;
        }
        // The populations do not share one credential provider list: the user has to choose a
        // population first, so any login in progress is dropped and the login screen is shown.
        request.setAttribute(REQUEST_ATTRIBUTE_SHOULD_DISPLAY_USER_POPULATIONS_LIST, true);
        _resetConnectingStateToSession(request);
        if (redirector == null) {
            return false;
        }
        redirector.redirect(false, getLoginURL(request));
        return false;
    }

    /**
     * Builds the internal URL of the login screen, with its parameters.
     *
     * @param request the current request, holding the attributes turned into parameters
     * @return the login screen URL
     */
    protected String getLoginURL(Request request) {
        final String loginPage = "cocoon://_plugins/core/login.html";
        return getLoginURLParameters(request, loginPage);
    }

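    /**
     * Appends to a URL the query parameters describing the authentication state held in the
     * request attributes.
     *
     * <p>Boolean attributes are compared with {@code Boolean.TRUE.equals(...)}: a missing
     * attribute yields "false" instead of a NullPointerException, and the result no longer
     * depends on the attribute being the very {@code Boolean.TRUE} instance.
     *
     * @param request the current request, holding the attributes set earlier by this action
     * @param str the base URL, with or without a query string
     * @return the base URL followed by the parameters
     */
    protected String getLoginURLParameters(Request request, String str) {
        List<String> query = new ArrayList<>();
        query.add("invalidPopulationIds=" + Boolean.TRUE.equals(request.getAttribute(REQUEST_ATTRIBUTE_INVALID_POPULATION)));
        query.add("shouldDisplayUserPopulationsList=" + Boolean.TRUE.equals(request.getAttribute(REQUEST_ATTRIBUTE_SHOULD_DISPLAY_USER_POPULATIONS_LIST)));

        @SuppressWarnings("unchecked") // the attribute is only ever set to a List<UserPopulation> in this class
        List<UserPopulation> availablePopulations = (List<UserPopulation>) request.getAttribute(REQUEST_ATTRIBUTE_AVAILABLE_USER_POPULATIONS_LIST);
        if (availablePopulations != null) {
            String populationIds = availablePopulations.stream().map(UserPopulation::getId).collect(Collectors.joining(","));
            query.add("usersPopulations=" + URIUtils.encodeParameter(populationIds));
        }

        String chosenPopulationId = (String) request.getAttribute(REQUEST_ATTRIBUTE_USER_POPULATION_ID);
        if (chosenPopulationId != null) {
            // The value is URL-encoded because it is echoed into a URL.
            query.add("chosenPopulationId=" + URIUtils.encodeParameter(chosenPopulationId));
        }

        query.add("availableCredentialProviders=" + Boolean.TRUE.equals(request.getAttribute(REQUEST_ATTRIBUTE_CREDENTIAL_PROVIDER_LIST)));

        Integer providerIndex = (Integer) request.getAttribute(REQUEST_ATTRIBUTE_CREDENTIAL_PROVIDER_INDEX);
        query.add("credentialProviderIndex=" + (providerIndex != null ? providerIndex.intValue() : -1));

        List<?> contexts = (List<?>) request.getAttribute(REQUEST_ATTRIBUTE_CONTEXTS);
        query.add("contexts=" + URIUtils.encodeParameter(StringUtils.join(contexts, ",")));

        String separator = str.contains("?") ? "&" : "?";
        return str + separator + StringUtils.join(query, "&");
    }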

    /**
     * Gives the internal URL of the logout screen.
     *
     * @param request the current request, unused by this implementation
     * @return the logout screen URL
     */
    protected String getLogoutURL(Request request) {
        final String logoutPage = "cocoon://_plugins/core/logout.html";
        return logoutPage;
    }

    /**
     * Tells whether one list of credential providers can serve all the given populations.
     *
     * @param list the populations
     * @return true for a single population; otherwise true only when every population has an
     *         equal credential provider list and they all agree on the reset link
     */
    protected boolean _hasCredentialProviders(List<UserPopulation> list) {
        if (list.size() == 1) {
            return true;
        }
        long distinctProviderLists = list.stream().map(UserPopulation::getCredentialProviders).distinct().count();
        if (distinctProviderLists != 1) {
            return false;
        }
        long distinctResetLinkNeeds = list.stream().map(this::_needsResetLinkOnFormCredential).distinct().count();
        return distinctResetLinkNeeds == 1;
    }

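    /**
     * Tells whether the login form of a population should offer a password reset link.
     *
     * <p>The decompiled body referred to an undefined variable {@code r1} and carried unused
     * locals; the method references it was compiled from are restored here.
     *
     * @param userPopulation the population to inspect
     * @return true when a form credential provider of the population displays the reset link
     *         and the population has at least one modifiable user directory
     */
    private boolean _needsResetLinkOnFormCredential(UserPopulation userPopulation) {
        boolean formDisplaysResetLink = userPopulation.getCredentialProviders().stream()
                .filter(FormCredentialProvider.class::isInstance)
                .map(FormCredentialProvider.class::cast)
                .map(FormCredentialProvider::displayResetLink)
                .findAny()
                .orElse(false);
        if (!formDisplaysResetLink) {
            return false;
        }
        // A reset link is only useful when some directory can actually store a new password.
        return userPopulation.getUserDirectories().stream().anyMatch(ModifiableUserDirectory.class::isInstance);
    }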

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Lists the ids of the user populations attached to the given contexts.
     *
     * @param request the current request, unused by this implementation
     * @param list the authentication contexts
     * @return the population ids returned by the population context helper
     */
    public Set<String> _getAvailableUserPopulationsIds(Request request, List<String> list) {
        Set<String> populationIds = this._populationContextHelper.getUserPopulationsOnContexts(list, false, false);
        return populationIds;
    }

    /**
     * Determines the population the user chose to log in with.
     *
     * <p>The id is read from the "UserPopulation" request parameter, then from the session of a
     * login in progress. Because it is client-supplied, it is only accepted when it names one of
     * the available populations; otherwise the request is flagged as having an invalid population.
     *
     * @param request the current request
     * @param list the populations available for the current contexts
     * @return the chosen population id, or null when none was given or the given one is unknown
     */
    protected String _getChosenUserPopulationId(Request request, List<UserPopulation> list) {
        String requestedId = request.getParameter(REQUEST_PARAMETER_POPULATION_NAME);
        if (requestedId == null) {
            Session existingSession = request.getSession(false);
            if (existingSession != null) {
                requestedId = (String) existingSession.getAttribute(SESSION_CONNECTING_USERPOPULATION_ID);
            }
        }
        if (StringUtils.isBlank(requestedId)) {
            return null;
        }
        for (UserPopulation candidate : list) {
            if (candidate.getId().equals(requestedId)) {
                return requestedId;
            }
        }
        request.setAttribute(REQUEST_ATTRIBUTE_INVALID_POPULATION, true);
        return null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Runs one credential provider, keeping the session state of the login in progress.
     *
     * @param request the current request
     * @param z true to run the provider in blocking mode
     * @param credentialProvider the provider to run
     * @param i the index of the provider; stored as -1 in blocking mode
     * @param redirector the redirector
     * @param list the populations to authenticate against
     * @return true when the provider accepted the request or redirected
     * @throws Exception if the provider fails
     */
    public boolean _process(Request request, boolean z, CredentialProvider credentialProvider, int i, Redirector redirector, List<UserPopulation> list) throws Exception {
        boolean sessionExistedBefore = request.getSession(false) != null;
        int connectingIndex = z ? -1 : i;
        _saveConnectingStateToSession(request, connectingIndex, z);

        boolean accepted = _doProcess(request, z, credentialProvider, redirector, list);
        if (!accepted && sessionExistedBefore) {
            // The provider did not accept: the session that was already there is dropped.
            request.getSession().invalidate();
        }
        return accepted;
    }

    /**
     * Asks one credential provider to authenticate the request.
     *
     * @param request the current request
     * @param z true to run the provider in blocking mode
     * @param credentialProvider the provider to run
     * @param redirector the redirector, checked after each step that may have redirected
     * @param list the populations to authenticate against
     * @return true when the request was granted anonymously, redirected, or authenticated;
     *         false when the provider found no user
     * @throws Exception if the provider fails
     */
    protected boolean _doProcess(Request request, boolean z, CredentialProvider credentialProvider, Redirector redirector, List<UserPopulation> list) throws Exception {
        UserIdentity userIdentity;
        // The provider may let the request through without any user.
        if (credentialProvider.grantAnonymousRequest(z)) {
            request.setAttribute(REQUEST_ATTRIBUTE_GRANTED, true);
            return true;
        }
        try {
            userIdentity = credentialProvider.getUserIdentity(z, redirector);
        } catch (WeakPasswordException e) {
            // The credentials were valid but the password is weak: the identity carried by the
            // exception is used. _handleWeakPassword() redirects to a password change page when
            // one is available; when none is, the login goes on below and the user is
            // authenticated despite the weak password.
            userIdentity = e.getUserIdentity();
            _handleWeakPassword(request, credentialProvider, redirector, userIdentity);
        }
        if (redirector.hasRedirected()) {
            return true;
        }
        if (userIdentity == null) {
            return false;
        }
        // _getUserIdentity() is defined outside the visible part of the file; presumably it
        // resolves the identity against the given populations — TODO confirm.
        UserIdentity _getUserIdentity = _getUserIdentity(list, userIdentity, redirector, z, credentialProvider);
        if (redirector.hasRedirected()) {
            return true;
        }
        if (_getUserIdentity == null) {
            return false;
        }
        // The identity is stored in a renewed session first; the provider is notified after that.
        _setUserIdentityInSession(request, _getUserIdentity, credentialProvider, z);
        credentialProvider.userAllowed(z, _getUserIdentity, redirector);
        this._userStatusManager.updateConnectionDate(_getUserIdentity);
        _logLoginEvent(credentialProvider, _getUserIdentity);
        return true;
    }

    /**
     * Reacts to a successful login made with a password that no longer meets the security
     * requirements: the event is recorded, then the user is redirected to a password change
     * page when one is available.
     *
     * <p>When no such page is available, only a warning is logged and the caller goes on with
     * the login.
     *
     * @param request the current request
     * @param credentialProvider the provider that reported the weak password
     * @param redirector the redirector
     * @param userIdentity the user whose password is weak
     * @throws Exception if the redirection fails
     */
    protected void _handleWeakPassword(Request request, CredentialProvider credentialProvider, Redirector redirector, UserIdentity userIdentity) throws Exception {
        ForensicLogger.info("authentication.form.weak.password", Map.of("userIdentity", userIdentity), userIdentity);
        Optional<String> changePasswordUri = _getWeakPasswordURI(request, userIdentity);
        if (changePasswordUri.isPresent()) {
            getLogger().info("Password of user " + String.valueOf(userIdentity) + " does not meet the security requirements. Force to change password.");
            redirector.redirect(false, changePasswordUri.get());
            return;
        }
        getLogger().warn("Password of user " + String.valueOf(userIdentity) + " does not meet the security requirements. User is authenticated despite the risk for security.");
    }

    /**
     * Gives the page where a user with a weak password must change it.
     *
     * @param request the current request
     * @param userIdentity the user whose password is weak
     * @return the URI from the password manager, or empty when there is no password manager or
     *         the application is not in its normal run mode
     */
    protected Optional<String> _getWeakPasswordURI(Request request, UserIdentity userIdentity) {
        if (this._userPasswordManager == null) {
            return Optional.empty();
        }
        if (RuntimeServlet.getRunMode() != RuntimeServlet.RunMode.NORMAL) {
            return Optional.empty();
        }
        return this._userPasswordManager.getChangePasswordURI(request, userIdentity, true);
    }

    /**
     * Records a successful login in the forensic log, with the provider model and the user.
     *
     * @param credentialProvider the provider that authenticated the user
     * @param userIdentity the authenticated user
     */
    protected void _logLoginEvent(CredentialProvider credentialProvider, UserIdentity userIdentity) {
        final String eventType = "authentication.login";
        ForensicLogger.info(eventType, Map.of("credential-provider", credentialProvider.getCredentialProviderModelId(), "user", userIdentity), userIdentity);
    }

    /**
     * Records a logout in the forensic log.
     *
     * @param userIdentity the user who logged out
     */
    protected void _logLogoutEvent(UserIdentity userIdentity) {
        final String eventType = "authentication.logout";
        ForensicLogger.info(eventType, Map.of("user", userIdentity), userIdentity);
    }

    /**
     * Removes from the session everything that describes a login in progress.
     * Does nothing, and creates no session, when the request has none.
     *
     * @param request the current request
     */
    protected static void _resetConnectingStateToSession(Request request) {
        Session existingSession = request.getSession(false);
        if (existingSession == null) {
            return;
        }
        existingSession.removeAttribute(SESSION_CONNECTING_CREDENTIALPROVIDER_INDEX);
        existingSession.removeAttribute(SESSION_CONNECTING_CREDENTIALPROVIDER_MODE);
        existingSession.removeAttribute(SESSION_CONNECTING_CREDENTIALPROVIDER_INDEX_LASTBLOCKINGKNOWN);
        existingSession.removeAttribute(SESSION_CONNECTING_USERPOPULATION_ID);
    }

    /**
     * Stores in the session the state of the login in progress, creating the session if needed.
     *
     * @param request the current request; its chosen population id attribute is copied as well
     * @param i the index of the credential provider being tried, or -1
     * @param z true when that provider runs in blocking mode
     */
    protected void _saveConnectingStateToSession(Request request, int i, boolean z) {
        Session connectingSession = request.getSession(true);
        Integer providerIndex = Integer.valueOf(i);
        Boolean blockingMode = Boolean.valueOf(z);
        connectingSession.setAttribute(SESSION_CONNECTING_CREDENTIALPROVIDER_INDEX, providerIndex);
        connectingSession.setAttribute(SESSION_CONNECTING_CREDENTIALPROVIDER_MODE, blockingMode);
        connectingSession.setAttribute(SESSION_CONNECTING_USERPOPULATION_ID, request.getAttribute(REQUEST_ATTRIBUTE_USER_POPULATION_ID));
    }

    /**
     * Stores the authenticated user in a renewed session, then notifies the observers when an
     * observation manager is available.
     *
     * @param request the current request
     * @param userIdentity the authenticated user
     * @param credentialProvider the provider that authenticated the user
     * @param z true when the provider ran in blocking mode
     */
    protected void _setUserIdentityInSession(Request request, UserIdentity userIdentity, CredentialProvider credentialProvider, boolean z) {
        setUserIdentityInSession(request, userIdentity, credentialProvider, z);
        if (this._observationManager == null) {
            return;
        }
        Map<String, Object> eventArguments = new HashMap<>();
        eventArguments.put("user", userIdentity);
        // The event is issued on behalf of the system user, not of the user who just logged in.
        Event authenticated = new Event(ObservationConstants.EVENT_USER_AUTHENTICATED, UserPopulationDAO.SYSTEM_USER_IDENTITY, eventArguments);
        this._observationManager.notify(authenticated);
    }

    /**
     * Marks the session as authenticated for the given user.
     *
     * <p>The session is renewed first, so the session that existed before the login is
     * invalidated, and the state of the login in progress is cleared.
     *
     * @param request the current request
     * @param userIdentity the authenticated user
     * @param credentialProvider the provider that authenticated the user
     * @param z true when the provider ran in blocking mode
     */
    public static void setUserIdentityInSession(Request request, UserIdentity userIdentity, CredentialProvider credentialProvider, boolean z) {
        Session authenticatedSession = renewSession(request);
        _resetConnectingStateToSession(request);
        Boolean blockingMode = Boolean.valueOf(z);
        authenticatedSession.setAttribute(SESSION_USERIDENTITY, userIdentity);
        authenticatedSession.setAttribute(SESSION_CREDENTIALPROVIDER, credentialProvider);
        authenticatedSession.setAttribute(SESSION_CREDENTIALPROVIDER_MODE, blockingMode);
    }

    /**
     * Replaces the session of the request with a new one holding the same attributes.
     *
     * <p>Invalidating the old session at login time is the usual defence against session
     * fixation. NOTE(review): every attribute is carried over, including those set before
     * authentication; callers overwrite the identity-related ones afterwards.
     *
     * @param request the current request
     * @return the new session
     */
    public static Session renewSession(Request request) {
        Session previous = request.getSession(true);
        Map<String, Object> carriedOver = new HashMap<>();
        for (Enumeration<?> names = previous.getAttributeNames(); names.hasMoreElements(); ) {
            String attributeName = (String) names.nextElement();
            carriedOver.put(attributeName, previous.getAttribute(attributeName));
        }
        previous.invalidate();

        Session renewed = request.getSession(true);
        carriedOver.forEach(renewed::setAttribute);
        return renewed;
    }

    /**
     * Overridable access to the user stored in the session.
     *
     * @param request the current request
     * @return the user stored in the session, or null
     */
    protected UserIdentity _getUserIdentityFromSession(Request request) {
        UserIdentity sessionUser = getUserIdentityFromSession(request);
        return sessionUser;
    }

    /**
     * Reads the authenticated user from the session, without creating a session.
     *
     * @param request the current request
     * @return the user stored in the session, or null when there is no session or no user
     */
    public static UserIdentity getUserIdentityFromSession(Request request) {
        Session existingSession = request.getSession(false);
        return existingSession == null ? null : (UserIdentity) existingSession.getAttribute(SESSION_USERIDENTITY);
    }

    /**
     * Overridable access to the credential provider stored in the session.
     *
     * @param request the current request
     * @return the credential provider stored in the session, or null
     */
    protected CredentialProvider _getCredentialProviderFromSession(Request request) {
        CredentialProvider sessionProvider = getCredentialProviderFromSession(request);
        return sessionProvider;
    }

    /**
     * Reads from the session the credential provider that authenticated the user, without
     * creating a session.
     *
     * @param request the current request
     * @return the stored credential provider, or null when there is no session or no provider
     */
    public static CredentialProvider getCredentialProviderFromSession(Request request) {
        Session existingSession = request.getSession(false);
        return existingSession == null ? null : (CredentialProvider) existingSession.getAttribute(SESSION_CREDENTIALPROVIDER);
    }

    /**
     * Overridable access to the credential provider mode stored in the session.
     *
     * @param request the current request
     * @return the mode stored in the session, or null
     */
    protected Boolean _getCredentialProviderModeFromSession(Request request) {
        Boolean sessionMode = getCredentialProviderModeFromSession(request);
        return sessionMode;
    }

    /**
     * Reads from the session the mode in which the credential provider authenticated the user,
     * without creating a session.
     *
     * @param request the current request
     * @return the stored mode (true for blocking), or null when there is no session or no mode
     */
    public static Boolean getCredentialProviderModeFromSession(Request request) {
        Session existingSession = request.getSession(false);
        return existingSession == null ? null : (Boolean) existingSession.getAttribute(SESSION_CREDENTIALPROVIDER_MODE);
    }

    /**
     * Tells whether the login in progress uses a blocking credential provider.
     *
     * <p>The "NonBlocking=force" request parameter always answers false. A provider index given
     * as a request parameter, other than -1, answers true. Otherwise the mode stored in the
     * session is used, and it is removed from the session once read.
     *
     * @param request the current request
     * @return true when the current credential provider is to be run in blocking mode
     */
    protected boolean _isCurrentCredentialProviderInBlockingMode(Request request) {
        if (StringUtils.equals(request.getParameter(REQUEST_PARAMETER_NONBLOCING), "force")) {
            return false;
        }

        Integer requestedIndex = _getCurrentCredentialProviderIndexFromParameter(request);
        boolean indexGiven = requestedIndex != null && requestedIndex.intValue() != -1;
        if (indexGiven) {
            return true;
        }

        Session existingSession = request.getSession(false);
        if (existingSession == null) {
            return false;
        }
        Boolean storedMode = (Boolean) existingSession.getAttribute(SESSION_CONNECTING_CREDENTIALPROVIDER_MODE);
        existingSession.removeAttribute(SESSION_CONNECTING_CREDENTIALPROVIDER_MODE);
        return Boolean.TRUE.equals(storedMode);
    }

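    /**
     * Moves the login in progress on to the next credential provider by incrementing the index
     * stored in the session.
     *
     * <p>The session is looked up with {@code getSession(false)}, like everywhere else in this
     * class: the original {@code getSession()} call made the null check below pointless and
     * could create a session for a request that had none.
     *
     * @param request the current request
     */
    public static void skipCurrentCredentialProvider(Request request) {
        Session existingSession = request.getSession(false);
        if (existingSession == null) {
            return;
        }
        Integer currentIndex = (Integer) existingSession.getAttribute(SESSION_CONNECTING_CREDENTIALPROVIDER_INDEX);
        if (currentIndex == null) {
            // No login in progress: nothing to skip.
            return;
        }
        existingSession.setAttribute(SESSION_CONNECTING_CREDENTIALPROVIDER_INDEX, Integer.valueOf(currentIndex.intValue() + 1));
    }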

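    /**
     * Reads the credential provider index sent as the "CredentialProviderIndex" request parameter.
     *
     * <p>The parameter is client-controlled. A value that is not an integer is treated as if the
     * parameter were absent, instead of letting a NumberFormatException escape from the
     * authentication action.
     *
     * @param request the current request
     * @return the parsed index, or null when the parameter is blank or not an integer
     */
    protected Integer _getCurrentCredentialProviderIndexFromParameter(Request request) {
        String rawIndex = request.getParameter(REQUEST_PARAMETER_CREDENTIALPROVIDER_INDEX);
        if (StringUtils.isBlank(rawIndex)) {
            return null;
        }
        try {
            return Integer.valueOf(Integer.parseInt(rawIndex));
        } catch (NumberFormatException ignored) {
            // Malformed client input: fall back to the state kept in the session.
            return null;
        }
    }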

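    /**
     * Determines the index of the credential provider the login in progress is at.
     *
     * <p>An index given as a request parameter wins over the session. Because it is
     * client-controlled, it is only accepted when it addresses an element of the provider list:
     * the original code checked the upper bound only, so a negative value other than -1 was
     * returned as is and later used to index the list.
     *
     * @param request the current request
     * @param list the credential providers the index refers to
     * @return the index, or -1 when none is known or the requested one is out of range
     */
    protected int _getCurrentCredentialProviderIndex(Request request, List<CredentialProvider> list) {
        Integer requestedIndex = _getCurrentCredentialProviderIndexFromParameter(request);
        if (requestedIndex != null) {
            int index = requestedIndex.intValue();
            return index >= 0 && index < list.size() ? index : -1;
        }

        Session existingSession = request.getSession(false);
        if (existingSession == null) {
            return -1;
        }
        // The stored index is consumed: it is removed from the session once read.
        Integer storedIndex = (Integer) existingSession.getAttribute(SESSION_CONNECTING_CREDENTIALPROVIDER_INDEX);
        existingSession.removeAttribute(SESSION_CONNECTING_CREDENTIALPROVIDER_INDEX);
        return storedIndex != null ? storedIndex.intValue() : -1;
    }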

    /**
     * Gives the authentication contexts of the request, taken from the "context" action parameter.
     *
     * @param request the current request, unused by this implementation
     * @param parameters the action parameters
     * @return a single-element list holding the configured context
     * @throws IllegalArgumentException when the action has no "context" parameter
     */
    protected List<String> _getContexts(Request request, Parameters parameters) {
        String configuredContext = parameters.getParameter("context", (String) null);
        if (configuredContext != null) {
            return Collections.singletonList(configuredContext);
        }
        throw new IllegalArgumentException("The authentication is not parameterized correctly: an authentication context must be specified");
    }

    /**
     * Tells whether the request was already handled by this action or is flagged as an allowed
     * internal request. Both flags are request attributes.
     *
     * @param request the current request
     * @return true when the request needs no authentication
     */
    protected boolean _internalRequest(Request request) {
        Object alreadyAuthenticated = request.getAttribute(REQUEST_ATTRIBUTE_AUTHENTICATED);
        if ("true".equals(alreadyAuthenticated)) {
            return true;
        }
        return request.getAttribute(REQUEST_ATTRIBUTE_INTERNAL_ALLOWED) != null;
    }

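    /**
     * Tells whether the requested workspace URL is one of those served without authentication,
     * and flags the request as granted when it is.
     *
     * <p>A request that carries no workspace URL attribute is not accepted; the original code
     * passed the null value to the pattern matcher, which throws a NullPointerException.
     *
     * @param request the current request
     * @return true when the whole URL matches one of the accepted patterns
     */
    protected boolean _acceptedUrl(Request request) {
        String workspaceUrl = (String) request.getAttribute(WorkspaceMatcher.IN_WORKSPACE_URL);
        if (workspaceUrl == null) {
            // Unknown URL: never bypass authentication.
            return false;
        }
        for (Pattern acceptedPattern : this._acceptedUrlPatterns) {
            if (acceptedPattern.matcher(workspaceUrl).matches()) {
                request.setAttribute(REQUEST_ATTRIBUTE_GRANTED, true);
                return true;
            }
        }
        return false;
    }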

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Validates the user already recorded in the session, if any.
     *
     * <p>The session must hold a user identity, a credential provider and a credential provider mode,
     * and the provider must report the user as still connected. In that case the user's population is
     * checked with {@code _validateCurrentlyConnectedUserIsInAuthorizedPopulation}, except when the
     * application runs in maintenance mode and {@code MaintenanceAction.acceptedUrl} accepts the request.
     * When validation fails without a redirection and the session holds a user identity, the session is
     * invalidated.
     *
     * @param request the current request
     * @param redirector the redirector, which the credential provider may use
     * @param parameters the action parameters
     * @return {@code true} if the user is validated or a redirection was issued, {@code false} otherwise
     * @throws Exception if the credential provider or the population check fails
     */
    public boolean _validateCurrentlyConnectedUser(Request request, Redirector redirector, Parameters parameters) throws Exception {
        Session session = request.getSession(false);
        UserIdentity sessionUser = _getUserIdentityFromSession(request);
        CredentialProvider sessionProvider = _getCredentialProviderFromSession(request);
        Boolean sessionProviderMode = _getCredentialProviderModeFromSession(request);

        // The provider is only consulted when all three session values are present.
        boolean stillConnected = sessionProvider != null
                && sessionUser != null
                && sessionProviderMode != null
                && sessionProvider.isStillConnected(sessionProviderMode.booleanValue(), sessionUser, redirector);

        if (stillConnected) {
            boolean maintenanceBypass = RuntimeServlet.getRunMode() == RuntimeServlet.RunMode.MAINTENANCE
                    && MaintenanceAction.acceptedUrl(request);
            // The population check is skipped only for URLs accepted while in maintenance mode.
            if (!maintenanceBypass) {
                _validateCurrentlyConnectedUserIsInAuthorizedPopulation(sessionUser, request, parameters);
            }
            return true;
        }

        if (redirector.hasRedirected()) {
            return true;
        }

        // A session that still names a user that could not be validated is discarded.
        if (session != null && sessionUser != null) {
            session.invalidate();
        }
        return false;
    }

    /**
     * Ensures the population of the given user is acceptable for this request.
     *
     * <p>When the token mode is {@code TOKEN_MODE.DEFAULT}, the population must be among those returned
     * by {@code _getAvailableUserPopulationsIds} for the configured contexts. For any other token mode
     * it must be one of the enabled user populations.
     *
     * @param userIdentity the user to check
     * @param request the current request
     * @param parameters the action parameters
     * @throws AccessDeniedException if the user's population is not acceptable
     */
    protected void _validateCurrentlyConnectedUserIsInAuthorizedPopulation(UserIdentity userIdentity, Request request, Parameters parameters) {
        if (_getTokenMode(parameters) == TOKEN_MODE.DEFAULT) {
            List<String> contexts = _getContexts(request, parameters);
            Set<String> grantedPopulationIds = _getAvailableUserPopulationsIds(request, contexts);
            if (grantedPopulationIds.contains(userIdentity.getPopulationId())) {
                return;
            }
            throw new AccessDeniedException("The user " + userIdentity + " cannot be authenticated to the contexts '" + StringUtils.join(contexts, "', '") + "' because its populations are not part of the " + grantedPopulationIds.size() + " granted populations.");
        }

        // Outside the default token mode there is no per-context restriction: any enabled population is accepted.
        List<String> enabledPopulationIds = this._userPopulationDAO.getEnabledUserPopulations(false).stream()
                .map(UserPopulation::getId)
                .collect(Collectors.toList());
        if (!enabledPopulationIds.contains(userIdentity.getPopulationId())) {
            throw new AccessDeniedException("The user " + userIdentity + " cannot be authenticated because its populations does not exist or it is disabled.");
        }
    }

    /**
     * Processes a logout request.
     *
     * <p>A request is a logout request when its URI equals the context path followed by the workspace URI
     * and {@code /logout.html}, or when the {@code logout} action parameter is {@code "true"}. The
     * current user, if any, is logged out and the logout is recorded with {@code _logLogoutEvent}.
     * If nothing has redirected by then, the request is redirected to {@code getLogoutURL(request)}.
     *
     * @param redirector the redirector
     * @param map the object model from which the request is obtained
     * @param str not used by this implementation
     * @param parameters the action parameters
     * @return {@code true} if the request was a logout request, {@code false} otherwise
     * @throws Exception if the logout or the redirection fails
     */
    protected boolean _handleLogout(Redirector redirector, Map map, String str, Parameters parameters) throws Exception {
        Request request = ObjectModelHelper.getRequest(map);

        // NOTE(review): nothing visible here checks the HTTP method or an anti-forgery token before the
        // logout is performed; confirm whether that is handled upstream.
        String logoutUri = request.getContextPath() + String.valueOf(request.getAttribute(WorkspaceMatcher.WORKSPACE_URI)) + "/logout.html";
        boolean logoutRequested = StringUtils.equals(logoutUri, request.getRequestURI())
                || StringUtils.equals("true", parameters.getParameter("logout", "false"));
        if (!logoutRequested) {
            return false;
        }

        UserIdentity connectedUser = this._currentUserProvider.getUser();
        if (connectedUser != null) {
            this._currentUserProvider.logout(redirector);
            _logLogoutEvent(connectedUser);
        }

        // The logout call above may already have redirected; only redirect when it has not.
        if (!redirector.hasRedirected()) {
            redirector.redirect(false, getLogoutURL(request));
        }
        return true;
    }

    /**
     * Resolves the identity supplied by a credential provider to an existing user.
     *
     * <p>When the identity carries no population id, each population of {@code list} is searched in
     * order for the login. When it carries one, the user is looked up in that population directly. A
     * user is accepted only if {@code _isLoginCaseExact} holds. If no user is accepted, the credential
     * provider is notified through {@code userNotAllowed} and a warning is logged.
     *
     * @param list the populations to search when the identity has no population id
     * @param userIdentity the identity returned by the credential provider
     * @param redirector the redirector handed to {@code userNotAllowed}
     * @param z the flag handed to {@code userNotAllowed}
     * @param credentialProvider the provider that produced the identity
     * @return the identity of the matching user, or {@code null} if there is none
     * @throws Exception if the lookup or the provider notification fails
     */
    protected UserIdentity _getUserIdentity(List<UserPopulation> list, UserIdentity userIdentity, Redirector redirector, boolean z, CredentialProvider credentialProvider) throws Exception {
        if (userIdentity.getPopulationId() != null) {
            // NOTE(review): this branch does not check that the supplied population id belongs to list;
            // confirm callers or credential providers guarantee it is one of the granted populations.
            User candidate = this._userManager.getUser(userIdentity.getPopulationId(), userIdentity.getLogin());
            if (_isLoginCaseExact(candidate, userIdentity)) {
                return candidate.getIdentity();
            }
        } else {
            for (UserPopulation population : list) {
                User candidate = this._userManager.getUser(population, userIdentity.getLogin());
                if (_isLoginCaseExact(candidate, userIdentity)) {
                    return candidate.getIdentity();
                }
            }
        }

        // No acceptable user: let the provider react, then leave a trace for operators.
        credentialProvider.userNotAllowed(z, redirector);
        if (getLogger().isWarnEnabled()) {
            getLogger().warn("The user '" + userIdentity + "' was authenticated by the credential provider '" + credentialProvider.getCredentialProviderModelId() + "' but it does not match any user of the " + list.size() + " granted populations.");
        }
        return null;
    }

    /**
     * Compares the login of a user found in a directory with the login that was submitted.
     *
     * @param user the user found, may be {@code null}
     * @param userIdentity the identity holding the submitted login
     * @return {@code false} if {@code user} is {@code null}; otherwise whether the two logins are equal,
     *         compared exactly when the user's directory is case sensitive and ignoring case when it is not
     */
    private boolean _isLoginCaseExact(User user, UserIdentity userIdentity) {
        if (user == null) {
            return false;
        }
        String storedLogin = user.getIdentity().getLogin();
        String submittedLogin = userIdentity.getLogin();
        // A case-sensitive directory must not accept a login that differs only by letter case.
        return user.getUserDirectory().isCaseSensitive()
                ? StringUtils.equals(storedLogin, submittedLogin)
                : StringUtils.equalsIgnoreCase(storedLogin, submittedLogin);
    }
}
