package ca.nrc.cadc.ac.server.web;

import ca.nrc.cadc.ac.Group;
import ca.nrc.cadc.ac.Role;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.server.GroupDetailSelector;
import ca.nrc.cadc.ac.server.GroupPersistence;
import ca.nrc.cadc.ac.server.PluginFactory;
import ca.nrc.cadc.ac.server.UserPersistence;
import ca.nrc.cadc.ac.server.ldap.LdapGroupPersistence;
import ca.nrc.cadc.auth.AuthenticatorImpl;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.SSOCookieManager;
import ca.nrc.cadc.log.ServletLogInfo;
import ca.nrc.cadc.net.TransientException;
import ca.nrc.cadc.util.StringUtil;
import com.unboundid.ldap.sdk.LDAPException;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.AccessControlException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;

/* loaded from: input_file:ca/nrc/cadc/ac/server/web/LoginServlet.class */
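public class LoginServlet extends HttpServlet {
    private static final Logger log = Logger.getLogger(LoginServlet.class);
    private static final String CONTENT_TYPE = "text/plain";

    /** Prefix of the messages produced when an impersonation request is refused. */
    private static final String PROXY_ACCESS = "Proxy user access: ";

    /** Regex that splits a {@code "proxyUser as targetUser"} username into its two parts. */
    public static final String PROXY_USER_DELIM = "\\s[aA][sS]\\s";

    private static final String HEADER_AUTHENTICATED = "x-vo-authenticated";
    private static final String HEADER_RETRY_AFTER = "Retry-After";

    // Group whose members may log in as another user ("proxyUser as targetUser").
    String proxyGroup;
    // Group whose members may never be impersonated.
    String nonImpersonGroup;
    UserPersistence userPersistence;
    GroupPersistence groupPersistence;
    // When true the subject is augmented (AuthenticatorImpl) before the cookie is generated.
    boolean addPrincipalsToCookie = false;

    /**
     * Reads the init parameters and creates the persistence plugins.
     *
     * <p>The group names are read from {@code <fully-qualified-class-name>.proxyGroup} and
     * {@code <fully-qualified-class-name>.nonImpersonGroup}; the cookie option is read from the
     * unprefixed key {@code addPrincipalsToCookie} (keys kept exactly as deployed).
     *
     * @param servletConfig the container-supplied configuration
     * @throws ServletException if a plugin cannot be created; the original exception is kept as
     *         the cause instead of being wrapped in an {@code ExceptionInInitializerError}
     */
    @Override
    public void init(ServletConfig servletConfig) throws ServletException {
        super.init(servletConfig);
        final String prefix = LoginServlet.class.getName();
        try {
            proxyGroup = servletConfig.getInitParameter(prefix + ".proxyGroup");
            log.debug("proxyGroup: " + proxyGroup);
            if (!StringUtil.hasText(proxyGroup)) {
                // checkCanImpersonate() refuses every proxy login in this case (fail closed).
                log.warn("proxyGroup not configured: proxy logins will be refused");
            }
            nonImpersonGroup = servletConfig.getInitParameter(prefix + ".nonImpersonGroup");
            log.debug("nonImpersonGroup: " + nonImpersonGroup);

            // Boolean.parseBoolean() is exactly "non-null and equalsIgnoreCase(\"true\")".
            addPrincipalsToCookie = Boolean.parseBoolean(servletConfig.getInitParameter("addPrincipalsToCookie"));
            log.debug("Add principals to cookie optimization on: " + addPrincipalsToCookie);

            PluginFactory pluginFactory = new PluginFactory();
            userPersistence = pluginFactory.createUserPersistence();
            groupPersistence = pluginFactory.createGroupPersistence();
        } catch (Exception e) {
            throw new ServletException("LoginServlet initialisation failed: " + e.getMessage(), e);
        }
    }

    /**
     * Handles a login request and maps the outcome to an HTTP status.
     *
     * <ul>
     *   <li>200 with the cookie value as {@code text/plain} body on success</li>
     *   <li>400 for a malformed request ({@link IllegalArgumentException})</li>
     *   <li>401 when authentication or impersonation is refused ({@link AccessControlException})</li>
     *   <li>503 (plus {@code Retry-After} when known) for a {@link TransientException}</li>
     *   <li>500 for anything else</li>
     * </ul>
     * Start/end and elapsed time are always written to the servlet log.
     *
     * @param request  the login form post ({@code username}, {@code password}, optional {@code scope})
     * @param response the response to write to
     * @throws IOException if the response cannot be written
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        final long start = System.currentTimeMillis();
        final ServletLogInfo logInfo = new ServletLogInfo(request);
        try {
            log.info(logInfo.start());
            login(request, response);
        } catch (TransientException e) {
            String message = e.getMessage();
            log.debug(message, e);
            logInfo.setMessage(message);
            logInfo.setSuccess(false);
            // Only advertise a retry delay when the persistence layer supplied one.
            if (e.getRetryDelay() > 0) {
                response.setHeader(HEADER_RETRY_AFTER, Integer.toString(e.getRetryDelay()));
            }
            writePlain(response, HttpServletResponse.SC_SERVICE_UNAVAILABLE, "Transient Error: " + message);
        } catch (AccessControlException e) {
            String message = messageOf(e, "Permission denied");
            logRefusal(message, e);
            logInfo.setMessage(message);
            logInfo.setSuccess(false);
            writePlain(response, HttpServletResponse.SC_UNAUTHORIZED, message);
        } catch (IllegalArgumentException e) {
            String message = messageOf(e, "Bad request");
            logRefusal(message, e);
            logInfo.setMessage(message);
            logInfo.setSuccess(false);
            writePlain(response, HttpServletResponse.SC_BAD_REQUEST, message);
        } catch (Throwable t) {
            // Boundary catch: anything unexpected becomes a 500 rather than a container stack trace.
            String message = "Internal Server Error: " + t.getMessage();
            log.error(message, t);
            logInfo.setSuccess(false);
            logInfo.setMessage(message);
            writePlain(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, message);
        } finally {
            logInfo.setElapsedTime(Long.valueOf(System.currentTimeMillis() - start));
            log.info(logInfo.end());
        }
    }

    /**
     * Validates the form parameters, authenticates the caller and writes the SSO cookie value.
     *
     * <p>A username of the form {@code "proxyUser as targetUser"} is a proxy login: the proxy user
     * is authenticated with the supplied password and must then pass
     * {@link #checkCanImpersonate(String, String)}. Authentication is done <em>before</em> the
     * impersonation check so that an unauthenticated caller cannot learn group memberships from
     * the differing error messages.
     *
     * @throws IllegalArgumentException if a parameter is missing or {@code scope} is not a URI
     * @throws AccessControlException   if the credentials are rejected or impersonation is refused
     * @throws Throwable                whatever the persistence layer or the impersonation check throws
     */
    private void login(HttpServletRequest request, HttpServletResponse response) throws Throwable {
        final String username = request.getParameter("username");
        final String password = request.getParameter("password");
        final String scope = request.getParameter("scope");
        if (username == null || username.trim().isEmpty()) {
            throw new IllegalArgumentException("Missing username");
        }
        if (password == null || password.trim().isEmpty()) {
            throw new IllegalArgumentException("Missing password");
        }
        String userID = username.trim();
        // NOTE(review): the password is trimmed before verification (pre-existing behaviour);
        // confirm this matches how passwords are stored before changing it.
        final String credential = password.trim();

        String proxyUser = null;
        String[] parts = userID.split(PROXY_USER_DELIM);
        if (parts.length == 2) {
            proxyUser = parts[0].trim();
            userID = parts[1].trim();
            if (!StringUtil.hasText(proxyUser) || !StringUtil.hasText(userID)) {
                throw new IllegalArgumentException("Missing username");
            }
        }

        // The proxy user authenticates with its own password; a plain login uses the target user.
        final String loginUser = (proxyUser != null) ? proxyUser : userID;
        Boolean authenticated = userPersistence.doLogin(loginUser, credential);
        if (!Boolean.TRUE.equals(authenticated)) {
            // A false (or null) result used to fall through to an empty 200 response.
            throw new AccessControlException("Invalid username or password");
        }
        if (proxyUser != null) {
            checkCanImpersonate(userID, proxyUser);
        }

        Principal principal = new HttpPrincipal(userID, proxyUser);
        Subject subject = new Subject();
        subject.getPrincipals().add(principal);
        if (addPrincipalsToCookie) {
            new AuthenticatorImpl().augmentSubject(subject);
        }
        Set<Principal> principals = subject.getPrincipals();

        URI scopeURI = null;
        if (scope != null) {
            try {
                scopeURI = new URI(scope);
            } catch (URISyntaxException e) {
                throw new IllegalArgumentException("Invalid scope: " + scope, e);
            }
        }
        String cookieValue = new SSOCookieManager().generate(principals, scopeURI);

        response.setContentType(CONTENT_TYPE);
        // Character count; equals the byte count only while the cookie value is ASCII (assumed).
        response.setContentLength(cookieValue.length());
        response.setHeader(HEADER_AUTHENTICATED, userID);
        response.getWriter().write(cookieValue);
    }

    /**
     * Verifies that {@code proxyUser} may act as {@code userID}: the proxy user must be a
     * {@link Role#MEMBER} of {@link #proxyGroup}, and {@code userID} must not be a member of
     * {@link #nonImpersonGroup}. Each membership query runs as the user being examined.
     *
     * <p>If {@code proxyGroup} is not configured the request is refused outright rather than
     * relying on what the persistence layer returns for a {@code null} group name.
     *
     * @param userID    the user to be impersonated
     * @param proxyUser the already-authenticated user asking to impersonate
     * @throws AccessControlException if either membership rule fails
     * @throws Throwable              the cause of a {@link PrivilegedActionException}, unwrapped
     */
    protected void checkCanImpersonate(final String userID, final String proxyUser) throws AccessControlException, UserNotFoundException, TransientException, Throwable {
        if (!StringUtil.hasText(proxyGroup)) {
            throw new AccessControlException(PROXY_ACCESS + proxyUser + " as " + userID + " failed - proxy group not configured");
        }
        final AuthenticatorImpl authenticator = new AuthenticatorImpl();

        runAs(authenticator, proxyUser, new PrivilegedExceptionAction<Object>() {
            @Override
            public Object run() throws Exception {
                if (groupPersistence.getGroups(Role.MEMBER, proxyGroup).isEmpty()) {
                    throw new AccessControlException(PROXY_ACCESS + proxyUser + " as " + userID + " failed - not allowed to impersonate (" + proxyUser + " not in " + proxyGroup + " group)");
                }
                return null;
            }
        });

        // NOTE(review): with nonImpersonGroup unset this queries getGroups(MEMBER, null);
        // the outcome then depends on the persistence layer's handling of a null group name.
        runAs(authenticator, userID, new PrivilegedExceptionAction<Object>() {
            @Override
            public Object run() throws Exception {
                if (!groupPersistence.getGroups(Role.MEMBER, nonImpersonGroup).isEmpty()) {
                    throw new AccessControlException(PROXY_ACCESS + proxyUser + " as " + userID + " failed - non impersonable (" + userID + " in " + nonImpersonGroup + " group)");
                }
                return null;
            }
        });
    }

    /**
     * Runs {@code action} as a subject holding an {@link HttpPrincipal} for {@code httpUser},
     * augmented by {@code authenticator}, re-throwing the action's own exception instead of the
     * {@link PrivilegedActionException} wrapper.
     */
    private void runAs(AuthenticatorImpl authenticator, String httpUser, PrivilegedExceptionAction<Object> action) throws Throwable {
        Subject subject = new Subject();
        subject.getPrincipals().add(new HttpPrincipal(httpUser));
        authenticator.augmentSubject(subject);
        try {
            Subject.doAs(subject, action);
        } catch (PrivilegedActionException e) {
            // PrivilegedActionException.getCause() is the wrapped exception; fall back to the wrapper.
            Throwable cause = e.getCause();
            throw (cause != null) ? cause : e;
        }
    }

    /** Writes a plain-text body with the given status; status and content type are set before writing. */
    private static void writePlain(HttpServletResponse response, int status, String body) throws IOException {
        response.setStatus(status);
        response.setContentType(CONTENT_TYPE);
        response.getWriter().write(body);
    }

    /** Message of {@code t}, or {@code fallback} when it has none (avoids writing "null" to the client). */
    private static String messageOf(Throwable t, String fallback) {
        String message = t.getMessage();
        return (message == null) ? fallback : message;
    }

    /** Refused impersonation attempts are logged at WARN; other refusals at DEBUG. */
    private static void logRefusal(String message, Throwable t) {
        if (message.startsWith(PROXY_ACCESS)) {
            log.warn(message, t);
        } else {
            log.debug(message, t);
        }
    }

    /**
     * Creates an {@link LdapGroupPersistence} whose detail selector never requests a detailed
     * search. Not used by this class itself.
     */
    protected LdapGroupPersistence getLdapGroupPersistence() throws AccessControlException, LDAPException {
        LdapGroupPersistence persistence = new LdapGroupPersistence();
        persistence.setDetailSelector(new GroupDetailSelector() {
            @Override
            public boolean isDetailedSearch(Group group, Role role) {
                return false;
            }
        });
        return persistence;
    }
}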
