package org.ametys.core.authentication;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.ametys.core.user.User;
import org.ametys.core.user.UserManager;
import org.ametys.core.user.directory.UserDirectory;
import org.ametys.core.user.population.PopulationContextHelper;
import org.ametys.core.user.population.UserPopulation;
import org.ametys.core.user.population.UserPopulationDAO;
import org.ametys.plugins.core.impl.authentication.FormCredentialProvider;
import org.ametys.plugins.core.impl.authentication.token.TokenCredentials;
import org.ametys.runtime.authentication.AccessDeniedException;
import org.ametys.runtime.config.Config;
import org.apache.avalon.framework.activity.Initializable;
import org.apache.avalon.framework.parameters.Parameters;
import org.apache.avalon.framework.thread.ThreadSafe;
import org.apache.cocoon.ProcessingException;
import org.apache.cocoon.acting.ServiceableAction;
import org.apache.cocoon.environment.ObjectModelHelper;
import org.apache.cocoon.environment.Redirector;
import org.apache.cocoon.environment.Request;
import org.apache.cocoon.environment.Session;
import org.apache.cocoon.environment.SourceResolver;

/* loaded from: input_file:org/ametys/core/authentication/AuthenticateAction.class */
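/**
 * Cocoon action that authenticates the current request against the user populations
 * attached to an authentication context.
 *
 * <p>The action first narrows the candidate populations for the context, then runs the
 * credential providers of those populations. Non-blocking providers are tried first;
 * blocking providers are executed directly, or offered on the login screen when several
 * are available. On success the user identity and the credential provider are stored in
 * the session.</p>
 *
 * <p>Security notes for maintainers: the {@code hiddenPopulation} and
 * {@code CredentialProviderIndex} request parameters are client-controlled. The population
 * is only honoured when it belongs to the context's populations, and the provider index is
 * range-checked before use.</p>
 */
public class AuthenticateAction extends ServiceableAction implements ThreadSafe, Initializable {
    /** Session attribute holding the identity of the authenticated user. */
    public static final String SESSION_USERIDENTITY = "Runtime:UserIdentity";
    /** Session attribute holding the credential provider that authenticated the user. */
    public static final String SESSION_CREDENTIALPROVIDER = "Runtime:CredentialProvider";
    /** Request attribute set to {@code "true"} once this action has authenticated the request. */
    public static final String REQUEST_AUTHENTICATED = "Runtime:RequestAuthenticated";
    /** Request attribute holding the blocking credential providers offered on the login screen. */
    public static final String REQUEST_CHOOSE_CP_LIST = "Runtime:RequestListCredentialProvider";
    /** Request attribute holding the form-based credential provider in use. */
    public static final String REQUEST_FORM_BASED_CREDENTIAL_PROVIDER = "Runtime:RequestFormBasedCredentialProvider";
    /** Request attribute holding the index of the form-based provider among the blocking providers. */
    public static final String REQUEST_INDEX_FORM_CP = "Runtime:RequestIndexForm";
    /** Request attribute holding the populations exposed to the login screen. */
    public static final String REQUEST_POPULATIONS = "Runtime:RequestPopulations";
    /** Request attribute set to {@code "true"} when the submitted population was rejected. */
    public static final String REQUEST_INVALID_POPULATION = "Runtime:RequestInvalidPopulation";
    /** Request attribute carrying the value of the {@code runtime.ametys.public} setting. */
    public static final String REQUEST_AMETYS_PUBLIC = "Runtime:AmetysPublic";
    /** Name of the request parameter carrying the population chosen by the user. */
    public static final String SUBMITTED_POPULATION_PARAMETER_NAME = "hiddenPopulation";
    /** Name of the request parameter carrying the index of the chosen blocking credential provider. */
    public static final String SUBMITTED_CP_INDEX_PARAMETER_NAME = "CredentialProviderIndex";
    /** Configuration key read at initialization to fill {@link #_ametysPublic}. */
    protected static final String __CONFIG_AMETYS_PUBLIC = "runtime.ametys.public";
    /** Internal URL of the login screen. */
    protected static final String __REDIRECT_URL_LOGIN_SCREEN = "cocoon://_plugins/core/login.html";
    protected UserPopulationDAO _userPopulationDAO;
    protected UserManager _userManager;
    protected PopulationContextHelper _populationContextHelper;
    /** When false, the list of populations is withheld from the login screen. */
    protected Boolean _ametysPublic;

    /**
     * Reads the {@code runtime.ametys.public} setting and looks up the collaborating components.
     *
     * @throws Exception if a component lookup fails
     */
    public void initialize() throws Exception {
        // No configuration available: fall back to the non-public mode.
        Config config = Config.getInstance();
        this._ametysPublic = Boolean.valueOf(config != null ? config.getValueAsBoolean(__CONFIG_AMETYS_PUBLIC).booleanValue() : false);
        this._userPopulationDAO = (UserPopulationDAO) this.manager.lookup(UserPopulationDAO.ROLE);
        this._userManager = (UserManager) this.manager.lookup(UserManager.ROLE);
        this._populationContextHelper = (PopulationContextHelper) this.manager.lookup(PopulationContextHelper.ROLE);
    }

    /**
     * Authenticates the request unless it is already marked as authenticated or internally allowed.
     *
     * <p>Both bypass markers are request attributes, i.e. server-side state; whichever code
     * sets them is trusted to have performed its own check.</p>
     *
     * @param redirector used by the credential providers and to reach the login screen
     * @param sourceResolver unused
     * @param map the Cocoon object model
     * @param str unused
     * @param parameters must provide the {@code context} parameter
     * @return {@code EMPTY_MAP}
     * @throws AccessDeniedException if no context is given or authentication fails
     * @throws Exception if a credential provider fails
     */
    public Map act(Redirector redirector, SourceResolver sourceResolver, Map map, String str, Parameters parameters) throws Exception {
        Request request = ObjectModelHelper.getRequest(map);
        boolean alreadyAuthenticated = "true".equals(request.getAttribute(REQUEST_AUTHENTICATED));
        if (alreadyAuthenticated || request.getAttribute(Authentication.INTERNAL_ALLOWED_REQUEST_ATTR) != null) {
            return EMPTY_MAP;
        }
        String context = parameters.getParameter("context");
        if (context == null) {
            throw new AccessDeniedException();
        }
        if (!_doAuthenticate(redirector, request, context)) {
            throw new AccessDeniedException();
        }
        request.setAttribute(REQUEST_AUTHENTICATED, "true");
        return EMPTY_MAP;
    }

    /**
     * Runs the authentication process for a context.
     *
     * @param redirector the redirector
     * @param request the current request
     * @param str the authentication context
     * @return true if the request may proceed (authenticated, or a redirect was issued)
     * @throws Exception if a credential provider fails
     */
    protected boolean _doAuthenticate(Redirector redirector, Request request, String str) throws Exception {
        // A session that already carries an identity needs no further work.
        Session session = request.getSession(false);
        if (session != null && session.getAttribute(SESSION_USERIDENTITY) != null) {
            return true;
        }
        List<CredentialProvider> credentialProviders = new ArrayList<>();
        List<UserPopulation> userPopulations = new ArrayList<>();
        boolean handled = _determineCandidatesCredentialProviders(redirector, request, str, userPopulations, credentialProviders);
        if (!handled) {
            handled = _determineAndExecuteExactCP(redirector, request, userPopulations, credentialProviders);
        }
        return handled;
    }

    /**
     * Fills the candidate populations and credential providers for a context.
     *
     * <p>A population submitted by the client is only honoured when it is one of the
     * populations of the context; otherwise the request is flagged with
     * {@link #REQUEST_INVALID_POPULATION} and the submitted value is ignored.</p>
     *
     * @param redirector the redirector
     * @param request the current request
     * @param str the authentication context
     * @param list output: the candidate populations
     * @param list2 output: the candidate credential providers
     * @return true if the user was redirected to the login screen to choose a population,
     *         false if {@code list2} was filled and the process can go on
     * @throws AccessDeniedException if the context has no population
     */
    private boolean _determineCandidatesCredentialProviders(Redirector redirector, Request request, String str, List<UserPopulation> list, List<CredentialProvider> list2) throws AccessDeniedException, ProcessingException, IOException {
        for (String populationId : _getUserPopulationsOnContext(str)) {
            list.add(this._userPopulationDAO.getUserPopulation(populationId));
        }
        String submittedPopulationId = request.getParameter(SUBMITTED_POPULATION_PARAMETER_NAME);
        if (submittedPopulationId != null) {
            UserPopulation chosen = this._userPopulationDAO.getUserPopulation(submittedPopulationId);
            if (chosen != null && list.contains(chosen)) {
                // Keep only the population the user selected.
                list.removeIf(candidate -> !chosen.equals(candidate));
                list2.addAll(chosen.getCredentialProviders());
                return false;
            }
            request.setAttribute(REQUEST_INVALID_POPULATION, "true");
        }
        if (list.size() == 0) {
            throw new AccessDeniedException();
        }
        // One population, or all populations sharing the same providers: no need to ask.
        if (list.size() == 1 || list.stream().map(population -> population.getCredentialProviders()).distinct().count() == 1) {
            list2.addAll(list.get(0).getCredentialProviders());
            return false;
        }
        _askUserHisPopulation(redirector, request, this._ametysPublic, list);
        return true;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Gets the ids of the populations attached to a context.
     *
     * @param str the authentication context
     * @return the population ids
     */
    public Set<String> _getUserPopulationsOnContext(String str) {
        return this._populationContextHelper.getUserPopulationsOnContext(str);
    }

    /**
     * Redirects to the login screen so that the user chooses a population.
     *
     * @param redirector the redirector
     * @param request the current request
     * @param bool the public mode; when false an empty list is exposed instead of the populations
     * @param list the candidate populations
     */
    private void _askUserHisPopulation(Redirector redirector, Request request, Boolean bool, List<UserPopulation> list) throws ProcessingException, IOException {
        request.setAttribute(REQUEST_AMETYS_PUBLIC, bool);
        if (bool.booleanValue()) {
            request.setAttribute(REQUEST_POPULATIONS, list);
        } else {
            // Do not disclose the population list outside of the public mode.
            request.setAttribute(REQUEST_POPULATIONS, Collections.emptyList());
        }
        redirector.redirect(false, __REDIRECT_URL_LOGIN_SCREEN);
    }

    /**
     * Tries the non-blocking providers, then selects and executes a blocking provider.
     *
     * <p>When the client submitted a provider index, non-blocking providers are skipped and
     * the blocking provider at that index is executed.</p>
     *
     * @param redirector the redirector
     * @param request the current request
     * @param list the candidate populations
     * @param list2 the candidate credential providers
     * @return true if the request may proceed (authenticated, or a redirect was issued)
     * @throws AccessDeniedException if the submitted provider index is not a valid index
     * @throws Exception if a credential provider fails
     */
    private boolean _determineAndExecuteExactCP(Redirector redirector, Request request, List<UserPopulation> list, List<CredentialProvider> list2) throws Exception {
        String submittedIndex = request.getParameter(SUBMITTED_CP_INDEX_PARAMETER_NAME);
        boolean indexSubmitted = submittedIndex != null;
        List<CredentialProvider> blockingProviders = new ArrayList<>();
        for (CredentialProvider credentialProvider : list2) {
            if (credentialProvider instanceof BlockingCredentialProvider) {
                blockingProviders.add(credentialProvider);
            }
            if (!indexSubmitted && (credentialProvider instanceof NonBlockingCredentialProvider) && _checkAuth(request, redirector, credentialProvider, false, list)) {
                return true;
            }
        }
        if (indexSubmitted) {
            int index = _parseCredentialProviderIndex(submittedIndex, blockingProviders.size());
            return _execute(redirector, request, blockingProviders, (BlockingCredentialProvider) blockingProviders.get(index), list);
        }
        if (blockingProviders.size() == 1) {
            return _execute(redirector, request, blockingProviders, (BlockingCredentialProvider) blockingProviders.get(0), list);
        }
        if (blockingProviders.stream().filter(provider -> provider instanceof FormCredentialProvider).count() == 1) {
            // Exactly one form provider: show its form and offer the others next to it.
            FormCredentialProvider formProvider = (FormCredentialProvider) blockingProviders.stream().filter(provider -> provider instanceof FormCredentialProvider).findAny().get();
            int formIndex = blockingProviders.indexOf(formProvider);
            blockingProviders.remove(formProvider);
            _checkFormAuth(request, redirector, formProvider, formIndex, blockingProviders, list);
            return true;
        }
        request.setAttribute(REQUEST_CHOOSE_CP_LIST, blockingProviders);
        if (list.size() == 1) {
            request.setAttribute(REQUEST_POPULATIONS, list);
        }
        redirector.redirect(false, __REDIRECT_URL_LOGIN_SCREEN);
        return true;
    }

    /**
     * Converts the client-submitted provider index into a valid position in the list of
     * blocking providers.
     *
     * <p>The value comes straight from a request parameter, so a malformed or out-of-range
     * value is treated as a denied request instead of surfacing as a
     * {@link NumberFormatException} or {@link IndexOutOfBoundsException}.</p>
     *
     * @param submitted the raw parameter value
     * @param count the number of blocking providers
     * @return an index between 0 (inclusive) and {@code count} (exclusive)
     * @throws AccessDeniedException if the value is not a valid index
     */
    private int _parseCredentialProviderIndex(String submitted, int count) throws AccessDeniedException {
        int index;
        try {
            index = Integer.parseInt(submitted);
        } catch (NumberFormatException e) {
            index = -1;
        }
        if (index < 0 || index >= count) {
            // The raw value is deliberately left out of the message: it is attacker-controlled.
            if (getLogger().isWarnEnabled()) {
                getLogger().warn("The submitted credential provider index is not valid. Access to the application is therefore denied.");
            }
            throw new AccessDeniedException();
        }
        return index;
    }

    /**
     * Executes one blocking provider, through the form flow when it is form-based.
     *
     * @param redirector the redirector
     * @param request the current request
     * @param list the blocking providers, used to compute the index of the form provider
     * @param blockingCredentialProvider the provider to execute
     * @param list2 the candidate populations
     * @return true if the request may proceed (authenticated, or a redirect was issued)
     * @throws Exception if the credential provider fails
     */
    private boolean _execute(Redirector redirector, Request request, List<CredentialProvider> list, BlockingCredentialProvider blockingCredentialProvider, List<UserPopulation> list2) throws Exception {
        if (!(blockingCredentialProvider instanceof FormCredentialProvider)) {
            return _checkAuth(request, redirector, blockingCredentialProvider, true, list2);
        }
        return _checkFormAuth(request, redirector, (FormCredentialProvider) blockingCredentialProvider, list.indexOf(blockingCredentialProvider), Collections.<CredentialProvider>emptyList(), list2);
    }

    /**
     * Publishes the data needed by the login form, then checks the form authentication.
     *
     * @param request the current request
     * @param redirector the redirector
     * @param formCredentialProvider the form-based provider
     * @param i the index of the form provider among the blocking providers
     * @param list the other blocking providers to offer on the login screen
     * @param list2 the candidate populations
     * @return true if the request may proceed (authenticated, or a redirect was issued)
     * @throws Exception if the credential provider fails
     */
    private boolean _checkFormAuth(Request request, Redirector redirector, FormCredentialProvider formCredentialProvider, int i, List<CredentialProvider> list, List<UserPopulation> list2) throws Exception {
        request.setAttribute(REQUEST_FORM_BASED_CREDENTIAL_PROVIDER, formCredentialProvider);
        request.setAttribute(REQUEST_POPULATIONS, list2);
        request.setAttribute(REQUEST_CHOOSE_CP_LIST, list);
        request.setAttribute(REQUEST_INDEX_FORM_CP, Integer.valueOf(i));
        request.setAttribute(REQUEST_AMETYS_PUBLIC, this._ametysPublic);
        // A rejected population is checked against no population at all, so the login cannot succeed.
        List<UserPopulation> populationsToCheck = "true".equals(request.getAttribute(REQUEST_INVALID_POPULATION)) ? Collections.<UserPopulation>emptyList() : list2;
        return _checkAuth(request, redirector, formCredentialProvider, true, populationsToCheck);
    }

    /**
     * Runs one credential provider and, on success, stores the user identity in the session.
     *
     * @param request the current request
     * @param redirector the redirector
     * @param credentialProvider the provider to run
     * @param z true to use the blocking methods of the provider, false for the non-blocking ones
     * @param list the populations in which the user is searched
     * @return true if the request may proceed (authenticated, accepted by the provider, or a
     *         redirect was issued), false otherwise
     * @throws Exception if the credential provider fails
     */
    protected boolean _checkAuth(Request request, Redirector redirector, CredentialProvider credentialProvider, boolean z, List<UserPopulation> list) throws Exception {
        boolean stillValid = _validate(credentialProvider, z, redirector);
        // NOTE(review): an accepted request proceeds without any identity in the session;
        // confirm against the provider contract which requests a provider may accept.
        if (redirector.hasRedirected() || _accept(credentialProvider, z)) {
            return true;
        }
        if (stillValid) {
            String identity = null;
            Session existingSession = request.getSession(false);
            if (existingSession != null) {
                identity = (String) existingSession.getAttribute(SESSION_USERIDENTITY);
            }
            if (identity != null) {
                return true;
            }
        }
        Credentials credentials = _getCredentials(credentialProvider, z, redirector);
        if (redirector.hasRedirected()) {
            return true;
        }
        if (credentials == null) {
            _notAllowed(credentialProvider, z, redirector);
            return redirector.hasRedirected();
        }
        UserPopulation population = _determinePopulation(list, credentials);
        if (population == null) {
            _notAllowed(credentialProvider, z, redirector);
            return redirector.hasRedirected();
        }
        User user = this._userManager.getUser(population, credentials.getLogin());
        if (user == null) {
            if (getLogger().isWarnEnabled()) {
                getLogger().warn("The user '" + credentials.getLogin() + "' was authentified and authorized by authentications, but it can not be found by the user manager. Access to the application is therefore denied.");
            }
            return false;
        }
        _allowed(credentialProvider, z, redirector);
        // NOTE(review): a pre-existing session is reused here and its id is not renewed in this
        // class; confirm that the session id is rotated on login elsewhere (session fixation).
        Session session = request.getSession(true);
        session.setAttribute(SESSION_USERIDENTITY, user.getIdentity());
        session.setAttribute(SESSION_CREDENTIALPROVIDER, credentialProvider);
        return true;
    }

    /**
     * Finds the first population in which the login exists and the credentials are accepted.
     *
     * @param list the candidate populations
     * @param credentials the submitted credentials
     * @return the matching population, or null if there is none
     */
    private UserPopulation _determinePopulation(List<UserPopulation> list, Credentials credentials) {
        for (UserPopulation candidate : list) {
            if (this._userManager.getUser(candidate, credentials.getLogin()) != null && _login(credentials, candidate)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Checks credentials against a population.
     *
     * <p>Token credentials are checked through {@code checkToken()} and do not consult the
     * user directories; other credentials must be accepted by at least one directory of the
     * population.</p>
     *
     * @param credentials the submitted credentials
     * @param userPopulation the population to check against
     * @return true if the credentials are accepted
     */
    private boolean _login(Credentials credentials, UserPopulation userPopulation) {
        if (credentials instanceof TokenCredentials) {
            return ((TokenCredentials) credentials).checkToken();
        }
        Iterator<UserDirectory> directories = userPopulation.getUserDirectories().iterator();
        while (directories.hasNext()) {
            if (directories.next().checkCredentials(credentials)) {
                return true;
            }
        }
        return false;
    }

    /** Dispatches to {@code validateBlocking} or {@code validateNonBlocking} depending on {@code z}. */
    private boolean _validate(CredentialProvider credentialProvider, boolean z, Redirector redirector) throws Exception {
        return z ? ((BlockingCredentialProvider) credentialProvider).validateBlocking(redirector) : ((NonBlockingCredentialProvider) credentialProvider).validateNonBlocking(redirector);
    }

    /** Dispatches to {@code acceptBlocking} or {@code acceptNonBlocking} depending on {@code z}. */
    private boolean _accept(CredentialProvider credentialProvider, boolean z) {
        return z ? ((BlockingCredentialProvider) credentialProvider).acceptBlocking() : ((NonBlockingCredentialProvider) credentialProvider).acceptNonBlocking();
    }

    /** Dispatches to {@code getCredentialsBlocking} or {@code getCredentialsNonBlocking} depending on {@code z}. */
    private Credentials _getCredentials(CredentialProvider credentialProvider, boolean z, Redirector redirector) throws Exception {
        return z ? ((BlockingCredentialProvider) credentialProvider).getCredentialsBlocking(redirector) : ((NonBlockingCredentialProvider) credentialProvider).getCredentialsNonBlocking(redirector);
    }

    /** Dispatches to {@code notAllowedBlocking} or {@code notAllowedNonBlocking} depending on {@code z}. */
    private void _notAllowed(CredentialProvider credentialProvider, boolean z, Redirector redirector) throws Exception {
        if (z) {
            ((BlockingCredentialProvider) credentialProvider).notAllowedBlocking(redirector);
        } else {
            ((NonBlockingCredentialProvider) credentialProvider).notAllowedNonBlocking(redirector);
        }
    }

    /** Dispatches to {@code allowedBlocking} or {@code allowedNonBlocking} depending on {@code z}. */
    private void _allowed(CredentialProvider credentialProvider, boolean z, Redirector redirector) {
        if (z) {
            ((BlockingCredentialProvider) credentialProvider).allowedBlocking(redirector);
        } else {
            ((NonBlockingCredentialProvider) credentialProvider).allowedNonBlocking(redirector);
        }
    }
}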
