package pl.edu.icm.unity.rest.authn;

import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.log4j.Logger;
import pl.edu.icm.unity.rest.authn.ext.TLSRetrieval;
import pl.edu.icm.unity.server.api.internal.SessionManagement;
import pl.edu.icm.unity.server.authn.AuthenticatedEntity;
import pl.edu.icm.unity.server.authn.AuthenticationException;
import pl.edu.icm.unity.server.authn.AuthenticationProcessorUtil;
import pl.edu.icm.unity.server.authn.AuthenticationResult;
import pl.edu.icm.unity.server.authn.InvocationContext;
import pl.edu.icm.unity.server.authn.UnsuccessfulAuthenticationCounter;
import pl.edu.icm.unity.server.endpoint.BindingAuthn;
import pl.edu.icm.unity.server.utils.Log;
import pl.edu.icm.unity.server.utils.UnityMessageSource;
import pl.edu.icm.unity.types.authn.AuthenticationRealm;
import pl.edu.icm.unity.types.basic.IdentityTaV;

/* loaded from: input_file:pl/edu/icm/unity/rest/authn/AuthenticationInterceptor.class */
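/**
 * CXF interceptor (phase {@code "pre-invoke"}) that authenticates every incoming REST message.
 * <p>
 * The configured authenticator sets are tried in order; the first set whose results
 * {@link AuthenticationProcessorUtil#processResults(List)} accepts wins, and a login session is
 * then attached to the current {@link InvocationContext}. Each individual authenticator is invoked
 * at most once per request, its result being cached and reused across sets.
 * <p>
 * Failed attempts are counted per client IP address in an {@link UnsuccessfulAuthenticationCounter}
 * configured from the realm; while an address is blocked the request is rejected before any
 * credential is examined. Note that the address comes from {@link HttpServletRequest#getRemoteAddr()},
 * i.e. the transport-level peer: if the endpoint sits behind a reverse proxy or load balancer, all
 * clients would share the proxy's address and therefore a single lockout counter (deployment-dependent,
 * not verifiable from this class).
 */
public class AuthenticationInterceptor extends AbstractPhaseInterceptor<Message> {
    private static final Logger log = Log.getLogger("unity.server.rest", AuthenticationInterceptor.class);
    /** Used to translate the message key of an authentication failure before it is reported to the client. */
    private UnityMessageSource msg;
    /** Authenticator sets, tried in order; within a set every authenticator is keyed by its id. */
    protected List<Map<String, BindingAuthn>> authenticators;
    /** Per-client-IP lockout counter, configured from the realm in the constructor. */
    protected UnsuccessfulAuthenticationCounter unsuccessfulAuthenticationCounter;
    /** Creates or retrieves the login session for a successfully authenticated entity. */
    protected SessionManagement sessionMan;
    /** Realm the endpoint belongs to; supplies the lockout policy and is passed to the session manager. */
    protected AuthenticationRealm realm;

    /**
     * Creates the interceptor and derives the lockout policy from the realm.
     *
     * @param unityMessageSource message source used to translate failure messages
     * @param list authenticator sets, tried in order
     * @param authenticationRealm realm supplying the lockout policy
     * @param sessionManagement session manager used after successful authentication
     */
    public AuthenticationInterceptor(UnityMessageSource unityMessageSource, List<Map<String, BindingAuthn>> list, AuthenticationRealm authenticationRealm, SessionManagement sessionManagement) {
        super("pre-invoke");
        this.msg = unityMessageSource;
        this.realm = authenticationRealm;
        this.authenticators = list;
        // getBlockFor() is multiplied by 1000 here, presumably a seconds-to-milliseconds conversion
        // expected by the counter - confirm against UnsuccessfulAuthenticationCounter.
        this.unsuccessfulAuthenticationCounter = new UnsuccessfulAuthenticationCounter(authenticationRealm.getBlockAfterUnsuccessfulLogins(), authenticationRealm.getBlockFor() * 1000);
        this.sessionMan = sessionManagement;
    }

    /**
     * Authenticates the client of the current message.
     * <p>
     * Order of operations: reject blocked client addresses, publish an {@link InvocationContext}
     * (carrying the TLS client identity if a certificate chain is present), try the authenticator
     * sets in order, then either attach a login session or record the failure and fault.
     *
     * @param message the CXF message being processed
     * @throws Fault when the client address is currently blocked or no authenticator set accepted
     *         the client; in the latter case the fault wraps the (translated) failure of the first
     *         set that was tried, or a generic exception when no set reported a failure
     */
    @Override
    public void handleMessage(Message message) throws Fault {
        String clientIP = getClientIP();
        // Lockout is enforced before any credential is examined; the message stays generic on purpose.
        if (this.unsuccessfulAuthenticationCounter.getRemainingBlockedTime(clientIP) > 0) {
            log.info("Authentication blocked for client with IP " + clientIP);
            throw new Fault(new Exception("Too many invalid authentication attempts, try again later"));
        }
        // Shared across sets so that an authenticator appearing in several sets runs only once.
        Map<String, AuthenticationResult> cachedResults = new HashMap<String, AuthenticationResult>();
        InvocationContext invocationContext = new InvocationContext(getTLSClientIdentity(), this.realm);
        InvocationContext.setCurrent(invocationContext);
        AuthenticationException firstFailure = null;
        AuthenticatedEntity authenticatedEntity = null;
        for (Map<String, BindingAuthn> authnSet : this.authenticators) {
            try {
                authenticatedEntity = processAuthnSet(cachedResults, authnSet);
                break;
            } catch (AuthenticationException e) {
                if (log.isDebugEnabled()) {
                    log.debug("Authentication set failed to authenticate the client, will try another: " + e);
                }
                // Only the failure of the first set is reported to the client; later sets are fallbacks.
                if (firstFailure == null) {
                    firstFailure = new AuthenticationException(this.msg.getMessage(e.getMessage(), new Object[0]));
                }
            }
        }
        if (authenticatedEntity != null) {
            authnSuccess(authenticatedEntity, clientIP, invocationContext);
        } else {
            log.info("Authentication failed for client");
            this.unsuccessfulAuthenticationCounter.unsuccessfulAttempt(clientIP);
            throw new Fault(firstFailure == null ? new Exception("Authentication failed") : firstFailure);
        }
    }

    /**
     * Returns the X.500 subject of the first certificate in the TLS client chain as an
     * {@link IdentityTaV}, or {@code null} when no chain is available.
     * <p>
     * An empty (non-null) chain is treated the same as a missing one; indexing it at 0 would
     * otherwise throw an {@link ArrayIndexOutOfBoundsException} and abort the request.
     *
     * @return the TLS-derived identity, or {@code null}
     */
    private static IdentityTaV getTLSClientIdentity() {
        X509Certificate[] tlsCertificates = TLSRetrieval.getTLSCertificates();
        if (tlsCertificates == null || tlsCertificates.length == 0) {
            return null;
        }
        return new IdentityTaV("x500Name", tlsCertificates[0].getSubjectX500Principal().getName());
    }

    /**
     * Completes a successful authentication: resets the client's failure counter, creates or
     * retrieves the login session and records the identities the client authenticated with.
     *
     * @param authenticatedEntity the entity resolved by the winning authenticator set
     * @param str client IP address, used as the key of the failure counter
     * @param invocationContext context to attach the session and identities to
     */
    private void authnSuccess(AuthenticatedEntity authenticatedEntity, String str, InvocationContext invocationContext) {
        if (log.isDebugEnabled()) {
            log.debug("Client was successfully authenticated: [" + authenticatedEntity.getEntityId() + "] " + authenticatedEntity.getAuthenticatedWith().toString());
        }
        this.unsuccessfulAuthenticationCounter.successfulAttempt(str);
        // The empty string and null Date are passed through as-is; their meaning is defined by
        // SessionManagement.getCreateSession - confirm there before changing them.
        invocationContext.setLoginSession(this.sessionMan.getCreateSession(authenticatedEntity.getEntityId().longValue(), this.realm, "", authenticatedEntity.isUsedOutdatedCredential(), (Date) null));
        invocationContext.addAuthenticatedIdentities(authenticatedEntity.getAuthenticatedWith());
    }

    /**
     * Runs (or reuses the cached result of) every authenticator in one set and combines the results.
     *
     * @param map cache of results keyed by authenticator id; filled in as authenticators are run
     * @param map2 the authenticator set, keyed by authenticator id; values must be {@link CXFAuthentication}
     * @return the authenticated entity accepted by {@link AuthenticationProcessorUtil#processResults(List)}
     * @throws AuthenticationException when the combined results do not authenticate the client
     */
    private AuthenticatedEntity processAuthnSet(Map<String, AuthenticationResult> map, Map<String, BindingAuthn> map2) throws AuthenticationException {
        List<AuthenticationResult> results = new ArrayList<AuthenticationResult>();
        for (Map.Entry<String, BindingAuthn> entry : map2.entrySet()) {
            AuthenticationResult authenticationResult = map.get(entry.getKey());
            if (authenticationResult == null) {
                log.trace("Processing authenticator " + entry.getKey());
                authenticationResult = ((CXFAuthentication) entry.getValue()).getAuthenticationResult();
                map.put(entry.getKey(), authenticationResult);
                log.trace("Authenticator " + entry.getKey() + " returned " + authenticationResult);
            } else {
                log.trace("Using cached result of " + entry.getKey() + ": " + authenticationResult);
            }
            results.add(authenticationResult);
        }
        return AuthenticationProcessorUtil.processResults(results);
    }

    /**
     * Returns the transport-level peer address of the current message, used as the lockout key.
     * <p>
     * This is the raw socket peer as seen by the servlet container; no proxy headers are consulted,
     * so behind a reverse proxy it would be the proxy's address (deployment-dependent).
     *
     * @return the remote address of the HTTP request carried by the current CXF message
     */
    private String getClientIP() {
        return ((HttpServletRequest) PhaseInterceptorChain.getCurrentMessage().get("HTTP.REQUEST")).getRemoteAddr();
    }
}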
