package com.hypersocket.auth;

import com.google.gson.JsonArray;
import com.google.gson.JsonObject;
import com.hypersocket.config.ConfigurationService;
import com.hypersocket.events.EventService;
import com.hypersocket.i18n.I18NService;
import com.hypersocket.json.input.FormTemplate;
import com.hypersocket.permissions.AccessDeniedException;
import com.hypersocket.permissions.PermissionService;
import com.hypersocket.permissions.PermissionStrategy;
import com.hypersocket.permissions.PermissionType;
import com.hypersocket.permissions.Role;
import com.hypersocket.permissions.SystemPermission;
import com.hypersocket.realm.Principal;
import com.hypersocket.realm.PrincipalType;
import com.hypersocket.realm.Realm;
import com.hypersocket.realm.RealmAdapter;
import com.hypersocket.realm.RealmService;
import com.hypersocket.realm.UserVariableReplacementService;
import com.hypersocket.resource.ResourceException;
import com.hypersocket.resource.ResourceNotFoundException;
import com.hypersocket.servlet.request.Request;
import com.hypersocket.session.Session;
import com.hypersocket.session.SessionService;
import com.hypersocket.telemetry.TelemetryProducer;
import com.hypersocket.telemetry.TelemetryService;
import java.io.Closeable;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.PostConstruct;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.util.encoders.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

@Service
/* loaded from: input_file:com/hypersocket/auth/AuthenticationServiceImpl.class */
public class AuthenticationServiceImpl extends PasswordEnabledAuthenticatedServiceImpl implements AuthenticationService, TelemetryProducer {
    public static final String BASIC_AUTHENTICATION_SCHEME = "Basic";
    public static final String BASIC_AUTHENTICATION_RESOURCE_KEY = "basic";
    public static final String ANONYMOUS_AUTHENTICATION_SCHEME = "Anonymous";
    public static final String ANONYMOUS_AUTHENTICATION_RESOURCE_KEY = "anonymous";
    public static final String AUTHENTICATION_SCHEME_USER_LOGIN_RESOURCE_KEY = "userLogin";
    public static final String AUTHENTICATION_SCHEME_NAME = "User Login";
    public static final String FALLBACK_AUTHENTICATION_RESOURCE_KEY = "fallback";
    private static Logger log = LoggerFactory.getLogger(AuthenticationServiceImpl.class);

    @Autowired
    private PermissionService permissionService;

    @Autowired
    private AuthenticationModuleRepository repository;

    @Autowired
    private AuthenticationSchemeRepository schemeRepository;

    @Autowired
    private SessionService sessionService;

    @Autowired
    private RealmService realmService;

    @Autowired
    private ConfigurationService configurationService;

    @Autowired
    private EventService eventService;

    @Autowired
    private TelemetryService telemetryService;

    @Autowired
    private I18NService i18nService;

    @Autowired
    private UserVariableReplacementService variableReplacement;
    private AuthenticationSchemeSelector authenticationSelector;
    private Map<String, Authenticator> authenticators = new HashMap();
    private List<PostAuthenticationStep> postAuthenticationSteps = new ArrayList();
    private List<AuthenticationServiceListener> listeners = new ArrayList();
    private List<AuthenticatorSelector> authenticatorSelectors = new ArrayList();

    @PostConstruct
    private void postConstruct() {
        if (log.isInfoEnabled()) {
            log.info("Configuring Authentication Service");
        }
        this.telemetryService.registerProducer(this);
        this.permissionService.registerPermission(AuthenticationPermission.LOGON, this.permissionService.registerPermissionCategory(AuthenticationService.RESOURCE_BUNDLE, "category.authentication"));
        this.eventService.registerEvent(AuthenticationAttemptEvent.class, AuthenticationService.RESOURCE_BUNDLE);
        this.i18nService.registerBundle(AuthenticationService.RESOURCE_BUNDLE);
        this.schemeRepository.registerAuthenticationScheme(BASIC_AUTHENTICATION_RESOURCE_KEY);
        this.schemeRepository.registerAuthenticationScheme(AUTHENTICATION_SCHEME_USER_LOGIN_RESOURCE_KEY);
        setupRealms();
        setupFallback();
    }

    private void setupFallback() {
        this.realmService.registerRealmListener(new RealmAdapter() { // from class: com.hypersocket.auth.AuthenticationServiceImpl.1
            @Override // com.hypersocket.realm.RealmAdapter, com.hypersocket.realm.RealmListener
            public boolean hasCreatedDefaultResources(Realm realm) {
                return AuthenticationServiceImpl.this.schemeRepository.getSchemeByResourceKeyCount(realm, AuthenticationServiceImpl.FALLBACK_AUTHENTICATION_RESOURCE_KEY).longValue() > 0;
            }

            @Override // com.hypersocket.realm.RealmAdapter, com.hypersocket.realm.RealmListener
            public void onCreateRealm(Realm realm) {
                if (AuthenticationServiceImpl.log.isInfoEnabled()) {
                    AuthenticationServiceImpl.log.info("Creating unlicensed authentication scheme for realm " + realm.getName());
                }
                ArrayList arrayList = new ArrayList();
                arrayList.add(FallbackAuthenticator.RESOURCE_KEY);
                AuthenticationServiceImpl.this.schemeRepository.createScheme(realm, AuthenticationServiceImpl.FALLBACK_AUTHENTICATION_RESOURCE_KEY, arrayList, AuthenticationServiceImpl.FALLBACK_AUTHENTICATION_RESOURCE_KEY, true, 1, AuthenticationModuleType.BASIC, false);
            }
        });
    }

    private void setupRealms() {
        this.realmService.registerRealmListener(new RealmAdapter() { // from class: com.hypersocket.auth.AuthenticationServiceImpl.2
            @Override // com.hypersocket.realm.RealmAdapter, com.hypersocket.realm.RealmListener
            public boolean hasCreatedDefaultResources(Realm realm) {
                return AuthenticationServiceImpl.this.schemeRepository.getSchemeByResourceKeyCount(realm, AuthenticationServiceImpl.BASIC_AUTHENTICATION_RESOURCE_KEY).longValue() > 0;
            }

            @Override // com.hypersocket.realm.RealmAdapter, com.hypersocket.realm.RealmListener
            public void onCreateRealm(Realm realm) {
                if (AuthenticationServiceImpl.log.isInfoEnabled()) {
                    AuthenticationServiceImpl.log.info("Creating Anonymous authentication scheme for realm " + realm.getName());
                }
                ArrayList arrayList = new ArrayList();
                AuthenticationServiceImpl.this.schemeRepository.createScheme(realm, AuthenticationServiceImpl.ANONYMOUS_AUTHENTICATION_SCHEME, arrayList, AuthenticationServiceImpl.ANONYMOUS_AUTHENTICATION_RESOURCE_KEY, true, 0, AuthenticationModuleType.HIDDEN, false);
                if (AuthenticationServiceImpl.log.isInfoEnabled()) {
                    AuthenticationServiceImpl.log.info("Creating Basic authentication scheme for realm " + realm.getName());
                }
                arrayList.add(UsernameAndPasswordAuthenticator.RESOURCE_KEY);
                AuthenticationServiceImpl.this.schemeRepository.createScheme(realm, AuthenticationServiceImpl.BASIC_AUTHENTICATION_SCHEME, arrayList, AuthenticationServiceImpl.BASIC_AUTHENTICATION_RESOURCE_KEY, false, 10, AuthenticationModuleType.HTML, false);
            }

            @Override // com.hypersocket.realm.RealmAdapter, com.hypersocket.realm.RealmListener
            public Integer getWeight() {
                return -2147482648;
            }
        });
        this.realmService.registerRealmListener(new RealmAdapter() { // from class: com.hypersocket.auth.AuthenticationServiceImpl.3
            @Override // com.hypersocket.realm.RealmAdapter, com.hypersocket.realm.RealmListener
            public boolean hasCreatedDefaultResources(Realm realm) {
                return AuthenticationServiceImpl.this.schemeRepository.getSchemeByResourceKeyCount(realm, AuthenticationServiceImpl.AUTHENTICATION_SCHEME_USER_LOGIN_RESOURCE_KEY).longValue() > 0;
            }

            @Override // com.hypersocket.realm.RealmAdapter, com.hypersocket.realm.RealmListener
            public void onCreateRealm(Realm realm) {
                if (AuthenticationServiceImpl.log.isInfoEnabled()) {
                    AuthenticationServiceImpl.log.info("Creating User Login authentication scheme for realm " + realm.getName());
                }
                AuthenticationScheme schemeByResourceKey2 = AuthenticationServiceImpl.this.schemeRepository.getSchemeByResourceKey2(realm, AuthenticationServiceImpl.BASIC_AUTHENTICATION_RESOURCE_KEY);
                ArrayList arrayList = new ArrayList();
                arrayList.add(UsernameAndPasswordAuthenticator.RESOURCE_KEY);
                if (AuthenticationServiceImpl.log.isInfoEnabled()) {
                    AuthenticationServiceImpl.log.info("Creating User Login authentication scheme for realm " + realm.getName());
                }
                AuthenticationScheme createScheme = AuthenticationServiceImpl.this.schemeRepository.createScheme(realm, AuthenticationServiceImpl.AUTHENTICATION_SCHEME_NAME, arrayList, AuthenticationServiceImpl.AUTHENTICATION_SCHEME_USER_LOGIN_RESOURCE_KEY, false, 10, AuthenticationModuleType.HTML, true);
                createScheme.setSystem(true);
                createScheme.setSupportsHomeRedirect(true);
                try {
                    AuthenticationServiceImpl.this.schemeRepository.saveResource(createScheme);
                    List<AuthenticationModule> modulesForScheme = AuthenticationServiceImpl.this.repository.getModulesForScheme(schemeByResourceKey2);
                    AuthenticationModule next = modulesForScheme.iterator().next();
                    next.setTemplate(UsernameAndPasswordAuthenticator.RESOURCE_KEY);
                    next.setIndex(0);
                    AuthenticationServiceImpl.this.repository.updateAuthenticationModule(next);
                    if (modulesForScheme.size() > 1) {
                        for (int i = 1; i < modulesForScheme.size(); i++) {
                            AuthenticationServiceImpl.this.repository.deleteModule(modulesForScheme.get(i));
                        }
                    }
                    schemeByResourceKey2.setHidden(true);
                    try {
                        AuthenticationServiceImpl.this.schemeRepository.saveResource(schemeByResourceKey2);
                    } catch (ResourceException e) {
                        AuthenticationServiceImpl.log.error("Failed to save authentication scheme", e);
                        throw new IllegalStateException(e.getMessage(), e);
                    }
                } catch (ResourceException e2) {
                    throw new IllegalStateException(e2.getMessage(), e2);
                }
            }

            @Override // com.hypersocket.realm.RealmAdapter, com.hypersocket.realm.RealmListener
            public Integer getWeight() {
                return -2147482647;
            }
        });
    }

    @Override // com.hypersocket.telemetry.TelemetryProducer
    public void fill(JsonObject jsonObject) throws ResourceException, AccessDeniedException {
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        JsonArray jsonArray = new JsonArray();
        Iterator<Realm> it = this.realmService.allRealms().iterator();
        while (it.hasNext()) {
            Iterator<AuthenticationScheme> it2 = this.schemeRepository.allEnabledSchemes(it.next()).iterator();
            while (it2.hasNext()) {
                linkedHashSet.addAll((Collection) it2.next().getModules().stream().map(authenticationModule -> {
                    return authenticationModule.getTemplate();
                }).collect(Collectors.toList()));
            }
        }
        Iterator it3 = linkedHashSet.iterator();
        while (it3.hasNext()) {
            jsonArray.add((String) it3.next());
        }
        jsonObject.add("allModules", jsonArray);
    }

    @Override // com.hypersocket.telemetry.TelemetryProducer
    public void fillRealm(Realm realm, JsonObject jsonObject) throws ResourceException, AccessDeniedException {
        JsonArray jsonArray = new JsonArray();
        for (AuthenticationScheme authenticationScheme : this.schemeRepository.allEnabledSchemes(realm)) {
            JsonObject jsonObject2 = new JsonObject();
            jsonObject2.addProperty("name", authenticationScheme.getName());
            JsonArray jsonArray2 = new JsonArray();
            Iterator<AuthenticationModule> it = authenticationScheme.getModules().iterator();
            while (it.hasNext()) {
                jsonArray2.add(it.next().getTemplate());
            }
            jsonObject2.add("modules", jsonArray2);
            jsonArray.add(jsonObject2);
        }
        jsonObject.add("authenticationSchemes", jsonArray);
        jsonObject.addProperty("authenticationSchemesTotal", Integer.valueOf(jsonArray.size()));
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public void registerListener(AuthenticationServiceListener authenticationServiceListener) {
        this.listeners.add(authenticationServiceListener);
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public void registerAuthenticatorSelector(AuthenticatorSelector authenticatorSelector) {
        this.authenticatorSelectors.add(authenticatorSelector);
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public void registerAuthenticator(Authenticator authenticator) {
        if (this.authenticators.containsKey(authenticator.getResourceKey())) {
            throw new IllegalArgumentException("Duplicate Authenticator " + authenticator.getResourceKey());
        }
        if (log.isInfoEnabled()) {
            log.info("Registering " + authenticator.getResourceKey() + " authenticator");
        }
        this.authenticators.put(authenticator.getResourceKey(), authenticator);
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public Authenticator getAuthenticator(String str) {
        return this.authenticators.get(str);
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public AuthenticationScheme getDefaultScheme(String str, Map<String, Object> map, Realm realm) {
        AuthenticationScheme schemeByResourceKey2 = this.schemeRepository.getSchemeByResourceKey2(realm, BASIC_AUTHENTICATION_RESOURCE_KEY);
        if (schemeByResourceKey2 != null) {
            return schemeByResourceKey2;
        }
        List<AuthenticationScheme> allSchemes = this.schemeRepository.allSchemes(realm);
        if (allSchemes.size() == 0) {
            throw new IllegalArgumentException("There are no authentication schemes configured!");
        }
        return allSchemes.get(0);
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public boolean isAuthenticatorInScheme(Realm realm, String str, String str2) {
        Iterator<AuthenticationModule> it = this.repository.getAuthenticationModulesByScheme(this.schemeRepository.getSchemeByResourceKey(realm, str)).iterator();
        while (it.hasNext()) {
            if (it.next().getTemplate().equals(str2)) {
                return true;
            }
        }
        return false;
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public int getAuthenticatorCount(Realm realm, String str) {
        return this.repository.getAuthenticationModulesByScheme(this.schemeRepository.getSchemeByResourceKey(realm, str)).size();
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public AuthenticationScheme getSchemeByResourceKey(Realm realm, String str) throws AccessDeniedException {
        return getSchemeByResourceKey(realm, str, true);
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public AuthenticationScheme getSchemeByResourceKey(Realm realm, String str, boolean z) throws AccessDeniedException {
        return z ? this.schemeRepository.getSchemeByResourceKey(realm, str) : this.schemeRepository.getSchemeByResourceKey2(realm, str);
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public AuthenticationState createAuthenticationState(String str, String str2, Map<String, Object> map, Realm realm, Locale locale) throws AccessDeniedException {
        String str3;
        int indexOf;
        AuthenticationState authenticationState = new AuthenticationState(str2, map, locale);
        if (realm == null) {
            realm = this.realmService.getDefaultRealm();
        }
        authenticationState.setRealm(realm);
        if (log.isInfoEnabled()) {
            Logger logger = log;
            Object[] objArr = new Object[1];
            objArr[0] = realm == null ? "unknown" : realm.getName();
            logger.info(String.format("Creating authentication state for %s realm", objArr));
        }
        if (map.containsKey(BrowserEnvironment.AUTHORIZATION.toString())) {
            String obj = map.get(BrowserEnvironment.AUTHORIZATION.toString()).toString();
            if (obj.toLowerCase().startsWith(BASIC_AUTHENTICATION_RESOURCE_KEY) && (indexOf = (str3 = new String(Base64.decode(obj.substring(6)))).indexOf(58)) > -1) {
                String substring = str3.substring(0, indexOf);
                String substring2 = str3.substring(indexOf + 1);
                authenticationState.addParameter(UsernameAndPasswordTemplate.USERNAME_FIELD, substring);
                authenticationState.addParameter("password", substring2);
            }
        }
        AuthenticationScheme selectScheme = selectScheme(str, authenticationState);
        if (selectScheme == null) {
            if (realm == null) {
                realm = this.realmService.getDefaultRealm();
            }
            selectScheme = str != null ? getSchemeByResourceKey(realm, str) : getDefaultScheme(str2, map, realm);
        }
        if (selectScheme == null) {
            if (log.isWarnEnabled()) {
                log.warn(str + " is not a valid authentication scheme");
            }
            selectScheme = getSchemeByResourceKey(authenticationState.getRealm(), BASIC_AUTHENTICATION_RESOURCE_KEY);
        }
        authenticationState.setInitialScheme(selectScheme);
        List<AuthenticationModule> modulesForScheme = this.repository.getModulesForScheme(selectScheme);
        if (modulesForScheme.isEmpty()) {
            throw new AccessDeniedException(String.format("No authentication modules for the scheme %s.", selectScheme.getName()));
        }
        authenticationState.setScheme(selectScheme);
        authenticationState.setModules(modulesForScheme);
        return authenticationState;
    }

    private AuthenticationScheme selectScheme(String str, AuthenticationState authenticationState) throws AccessDeniedException {
        if (this.authenticationSelector != null) {
            return this.authenticationSelector.selectScheme(str, authenticationState);
        }
        return null;
    }

    /* JADX WARN: Can't fix incorrect switch cases order, some code will duplicate */
    /* JADX WARN: Failed to find 'out' block for switch in B:48:0x0106. Please report as an issue. */
    @Override // com.hypersocket.auth.AuthenticationService
    public boolean logon(AuthenticationState authenticationState, Map<String, String[]> map) throws AccessDeniedException, FallbackAuthenticationRequired {
        AuthenticatorResult authenticate;
        boolean z = false;
        if (!authenticationState.isAuthenticationComplete()) {
            Authenticator nextAuthenticator = nextAuthenticator(authenticationState);
            Realm realm = authenticationState.getRealm();
            if (nextAuthenticator == null) {
                throw new FallbackAuthenticationRequired();
            }
            if (nextAuthenticator.isTwoFactoryAuthenticationEntryPoint() || !nextAuthenticator.isSecretModule() || !authenticationState.isFakePrincipal()) {
                if (checkSuspensions(authenticationState, nextAuthenticator)) {
                    if (authenticationState.isFakePrincipal()) {
                        authenticate = AuthenticatorResult.AUTHENTICATION_FAILURE_INVALID_PRINCIPAL;
                    } else {
                        preProcess(nextAuthenticator, authenticationState, map);
                        authenticate = nextAuthenticator.authenticate(authenticationState, map);
                        postProcess(nextAuthenticator, authenticate, authenticationState, map);
                    }
                    switch (authenticate) {
                        case INSUFFICIENT_DATA:
                            if (authenticationState.getLastErrorMsg() == null && map.size() > 1 && authenticationState.getAttempts() >= 1) {
                                authenticationState.setLastErrorMsg("error.insufficentData");
                                authenticationState.setLastErrorIsResourceKey(true);
                                break;
                            }
                            break;
                        case INSUFFICIENT_DATA_NO_ERROR:
                            authenticationState.setLastErrorMsg(null);
                            authenticationState.setLastErrorIsResourceKey(false);
                            break;
                        case AUTHENTICATION_FAILURE_DISPLAY_ERROR:
                            if (!nextAuthenticator.isIdentityModule() || nextAuthenticator.isSecretModule() || !authenticationState.hasNextStep()) {
                                this.eventService.publishEvent(new AuthenticationAttemptEvent((Object) this, authenticationState, nextAuthenticator, false));
                                break;
                            } else {
                                authenticationState.fakeCredentials(this.realmService.getFakePrincipal());
                                authenticationState.nextModule();
                                break;
                            }
                        case AUTHENTICATION_FAILURE_INVALID_CREDENTIALS:
                            if (!nextAuthenticator.isIdentityModule() || nextAuthenticator.isSecretModule() || !authenticationState.hasNextStep()) {
                                authenticationState.setLastErrorMsg("error.genericLogonError");
                                authenticationState.setLastErrorIsResourceKey(true);
                                this.eventService.publishEvent(new AuthenticationAttemptEvent(this, authenticationState, nextAuthenticator, "hint.badCredentials"));
                                break;
                            } else {
                                authenticationState.fakeCredentials(this.realmService.getFakePrincipal());
                                authenticationState.nextModule();
                                break;
                            }
                            break;
                        case AUTHENTICATION_FAILURE_INVALID_PRINCIPAL:
                            if (nextAuthenticator.isTwoFactoryAuthenticationEntryPoint()) {
                                nextAuthenticator.authenticate(authenticationState, map);
                                nextAuthenticator(authenticationState);
                                break;
                            } else if (!nextAuthenticator.isIdentityModule() || nextAuthenticator.isSecretModule() || !authenticationState.hasNextStep()) {
                                authenticationState.setLastErrorMsg("error.genericLogonError");
                                authenticationState.setLastErrorIsResourceKey(true);
                                this.eventService.publishEvent(new AuthenticationAttemptEvent(this, authenticationState, nextAuthenticator, "hint.invalidPrincipal"));
                                break;
                            } else {
                                authenticationState.fakeCredentials(this.realmService.getFakePrincipal());
                                authenticationState.nextModule();
                                break;
                            }
                            break;
                        case AUTHENTICATION_FAILURE_INVALID_REALM:
                            if (!nextAuthenticator.isIdentityModule() || nextAuthenticator.isSecretModule() || !authenticationState.hasNextStep()) {
                                authenticationState.setLastErrorMsg("error.genericLogonError");
                                authenticationState.setLastErrorIsResourceKey(true);
                                this.eventService.publishEvent(new AuthenticationAttemptEvent(this, authenticationState, nextAuthenticator, "hint.invalidRealm"));
                                break;
                            } else {
                                authenticationState.fakeCredentials(this.realmService.getFakePrincipal());
                                authenticationState.nextModule();
                                break;
                            }
                            break;
                        case AUTHENTICATION_SUCCESS:
                        case AUTHENTICATION_SWITCHED:
                            try {
                                z = true;
                                authenticationState.setLastErrorMsg(null);
                                authenticationState.setLastErrorIsResourceKey(false);
                                if ((realm == null || !authenticationState.getRealm().equals(realm)) && authenticationState.getCurrentIndex().intValue() == 0) {
                                    AuthenticationScheme schemeByResourceKey = this.schemeRepository.getSchemeByResourceKey(authenticationState.getRealm(), authenticationState.getScheme().getResourceKey());
                                    List<AuthenticationModule> modulesForScheme = this.repository.getModulesForScheme(schemeByResourceKey);
                                    if (modulesForScheme.isEmpty()) {
                                        throw new IllegalStateException("Incorrect authentication configured. Contact your Administrator");
                                    }
                                    if (!authenticationState.getCurrentModule().getTemplate().equals(modulesForScheme.get(0).getTemplate())) {
                                        throw new IllegalStateException("Invalid realm configuration. Contact your Administrator");
                                    }
                                    if (log.isInfoEnabled()) {
                                        Logger logger = log;
                                        Object[] objArr = new Object[2];
                                        objArr[0] = realm == null ? "unknown" : realm.getName();
                                        objArr[1] = authenticationState.getRealm().getName();
                                        logger.info(String.format("Switching realms from %s to %s", objArr));
                                    }
                                    authenticationState.setScheme(schemeByResourceKey);
                                    authenticationState.setModules(modulesForScheme);
                                }
                                if (!checkSuspensions(authenticationState, nextAuthenticator)) {
                                    z = false;
                                    break;
                                } else {
                                    if (authenticationState.getPrincipal() != null) {
                                        Set<Role> allowedRoles = this.schemeRepository.getAllowedRoles(authenticationState.getScheme());
                                        Set<Role> deniedRoles = this.schemeRepository.getDeniedRoles(authenticationState.getScheme());
                                        if (!allowedRoles.isEmpty() && !this.permissionService.hasRole(authenticationState.getPrincipal(), allowedRoles)) {
                                            authenticationState.clean();
                                            authenticationState.setLastErrorMsg(StringUtils.isNotBlank(authenticationState.getScheme().getDeniedRoleError()) ? authenticationState.getScheme().getDeniedRoleError() : "error.roleNotAllowed");
                                            authenticationState.setLastErrorIsResourceKey(true);
                                            z = false;
                                            break;
                                        } else if (!deniedRoles.isEmpty() && this.permissionService.hasRole(authenticationState.getPrincipal(), deniedRoles)) {
                                            authenticationState.clean();
                                            authenticationState.setLastErrorMsg(StringUtils.isNotBlank(authenticationState.getScheme().getDeniedRoleError()) ? authenticationState.getScheme().getDeniedRoleError() : "error.roleDenied");
                                            authenticationState.setLastErrorIsResourceKey(true);
                                            z = false;
                                            break;
                                        }
                                    }
                                    if (authenticate == AuthenticatorResult.AUTHENTICATION_SUCCESS) {
                                        authenticationState.nextModule();
                                    }
                                    if (!authenticationState.isPrimaryState() && authenticationState.isAuthenticationComplete()) {
                                        authenticationState.switchBack();
                                    }
                                    if (authenticationState.isAuthenticationComplete()) {
                                        this.permissionService.verifyPermission(authenticationState.getRealm(), authenticationState.getPrincipal(), PermissionStrategy.INCLUDE_IMPLIED, AuthenticationPermission.LOGON, SystemPermission.SYSTEM_ADMINISTRATION);
                                        this.eventService.publishEvent(new AuthenticationAttemptEvent(this, authenticationState, nextAuthenticator));
                                        Closeable tryAs = tryAs(authenticationState.getPrincipal());
                                        try {
                                            authenticationState.addPostAuthenticationStep(new NullPostAuthenticationStep());
                                            for (PostAuthenticationStep postAuthenticationStep : this.postAuthenticationSteps) {
                                                if (postAuthenticationStep.requiresProcessing(authenticationState)) {
                                                    authenticationState.addPostAuthenticationStep(postAuthenticationStep);
                                                }
                                            }
                                            if (authenticationState.canCreateSession()) {
                                                authenticationState.setSession(completeLogon(authenticationState));
                                            }
                                            if (authenticationState.hasPostAuthenticationStep() && !authenticationState.getCurrentPostAuthenticationStep().requiresUserInput(authenticationState)) {
                                                z = logon(authenticationState, map);
                                            }
                                            if (tryAs != null) {
                                                tryAs.close();
                                            }
                                            break;
                                        } catch (Throwable th) {
                                            if (tryAs != null) {
                                                try {
                                                    tryAs.close();
                                                } catch (Throwable th2) {
                                                    th.addSuppressed(th2);
                                                }
                                            }
                                            throw th;
                                        }
                                    } else if (!nextAuthenticator(authenticationState).requiresUserInput(authenticationState)) {
                                        return logon(authenticationState, map);
                                    }
                                }
                            } catch (AccessDeniedException e) {
                                log.error("User cannot login", e);
                                this.eventService.publishEvent(new AuthenticationAttemptEvent(this, authenticationState, nextAuthenticator, "hint.noPermission"));
                                authenticationState.setLastErrorMsg("error.noLogonPermission");
                                authenticationState.setLastErrorIsResourceKey(true);
                                authenticationState.revertModule();
                                z = false;
                                break;
                            } catch (IOException e2) {
                                throw new IllegalStateException("Failed to clear context.", e2);
                            } catch (IllegalStateException e3) {
                                log.error("Encountereed error in authenticator", e3);
                                authenticationState.setLastErrorMsg(e3.getMessage());
                                authenticationState.setLastErrorIsResourceKey(false);
                                authenticationState.revertModule();
                                z = false;
                                break;
                            }
                            break;
                    }
                }
            } else {
                authenticationState.setLastErrorMsg("error.genericLogonError");
                authenticationState.setLastErrorIsResourceKey(true);
                this.eventService.publishEvent(new AuthenticationAttemptEvent(this, authenticationState, nextAuthenticator, "hint.invalidPrincipal"));
            }
            authenticationState.authAttempted();
        } else if (authenticationState.getSession() != null) {
            try {
                Closeable tryAs2 = tryAs(authenticationState.getSession(), authenticationState.getLocale());
                try {
                    z = doCompleteLogon(authenticationState, map, false);
                    if (tryAs2 != null) {
                        tryAs2.close();
                    }
                } finally {
                }
            } catch (IOException e4) {
                throw new IllegalStateException("Failed to logon.", e4);
            }
        } else {
            z = doCompleteLogon(authenticationState, map, false);
        }
        return z;
    }

    protected boolean doCompleteLogon(AuthenticationState authenticationState, Map<String, String[]> map, boolean z) throws AccessDeniedException, FallbackAuthenticationRequired {
        if (authenticationState.getCurrentPostAuthenticationStep() != null) {
            preProcess(authenticationState.getCurrentPostAuthenticationStep(), authenticationState, map);
            AuthenticatorResult process = authenticationState.getCurrentPostAuthenticationStep().process(authenticationState, map);
            postProcess(authenticationState.getCurrentPostAuthenticationStep(), process, authenticationState, map);
            switch (process) {
                case INSUFFICIENT_DATA:
                    if (authenticationState.getLastErrorMsg() == null) {
                        authenticationState.setLastErrorMsg("error.insufficentData");
                        authenticationState.setLastErrorIsResourceKey(true);
                        break;
                    }
                    break;
                case INSUFFICIENT_DATA_NO_ERROR:
                    authenticationState.setLastErrorMsg(null);
                    authenticationState.setLastErrorIsResourceKey(false);
                    break;
                case AUTHENTICATION_FAILURE_DISPLAY_ERROR:
                    break;
                case AUTHENTICATION_FAILURE_INVALID_CREDENTIALS:
                case AUTHENTICATION_FAILURE_INVALID_PRINCIPAL:
                case AUTHENTICATION_FAILURE_INVALID_REALM:
                default:
                    authenticationState.setLastErrorMsg("error.genericLogonError");
                    authenticationState.setLastErrorIsResourceKey(true);
                    break;
                case AUTHENTICATION_SUCCESS:
                    z = true;
                    authenticationState.nextPostAuthenticationStep();
                    if (authenticationState.canCreateSession()) {
                        authenticationState.setSession(completeLogon(authenticationState));
                    }
                    if (authenticationState.hasPostAuthenticationStep() && !authenticationState.getCurrentPostAuthenticationStep().requiresUserInput(authenticationState)) {
                        z = logon(authenticationState, map);
                        break;
                    }
                    break;
            }
        }
        return z;
    }

    private void postProcess(Authenticator authenticator, AuthenticatorResult authenticatorResult, AuthenticationState authenticationState, Map<String, String[]> map) {
        Iterator<AuthenticationServiceListener> it = this.listeners.iterator();
        while (it.hasNext()) {
            try {
                it.next().postProcess(authenticator, authenticatorResult, authenticationState, map);
            } catch (Throwable th) {
                log.error("Error post processing authentication", th);
            }
        }
    }

    private void preProcess(Authenticator authenticator, AuthenticationState authenticationState, Map<String, String[]> map) {
        Iterator<AuthenticationServiceListener> it = this.listeners.iterator();
        while (it.hasNext()) {
            try {
                it.next().preProcess(authenticator, authenticationState, map);
            } catch (Throwable th) {
                log.error("Error pre processing authentication", th);
            }
        }
    }

    private void preProcess(PostAuthenticationStep postAuthenticationStep, AuthenticationState authenticationState, Map<String, String[]> map) {
        Iterator<AuthenticationServiceListener> it = this.listeners.iterator();
        while (it.hasNext()) {
            try {
                it.next().preProcess(postAuthenticationStep, authenticationState, map);
            } catch (Throwable th) {
                log.error("Error pre processing post authentication", th);
            }
        }
    }

    private void postProcess(PostAuthenticationStep postAuthenticationStep, AuthenticatorResult authenticatorResult, AuthenticationState authenticationState, Map<String, String[]> map) {
        Iterator<AuthenticationServiceListener> it = this.listeners.iterator();
        while (it.hasNext()) {
            try {
                it.next().postProcess(postAuthenticationStep, authenticatorResult, authenticationState, map);
            } catch (Throwable th) {
                log.error("Error post processing post authentication", th);
            }
        }
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public Authenticator nextAuthenticator(AuthenticationState authenticationState) {
        Authenticator authenticator = this.authenticators.get(authenticationState.getCurrentModule().getTemplate());
        if (authenticator == null) {
            if (log.isErrorEnabled()) {
                log.error(authenticationState.getCurrentModule().getTemplate() + " is not a valid authentication template");
            }
            throw new IllegalStateException(authenticationState.getCurrentModule().getTemplate() + " is not a valid authenticator");
        }
        for (AuthenticatorSelector authenticatorSelector : this.authenticatorSelectors) {
            if (authenticatorSelector.isAuthenticatorOverridden(authenticationState, authenticator)) {
                authenticator = authenticatorSelector.selectAuthenticator(authenticationState, authenticator);
            }
        }
        return authenticator;
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public FormTemplate nextAuthenticationTemplate(AuthenticationState authenticationState, Map<String, String[]> map) {
        return modifyTemplate(authenticationState, nextAuthenticator(authenticationState).createTemplate(authenticationState, map), false);
    }

    private boolean checkSuspensions(AuthenticationState authenticationState, Authenticator authenticator) {
        if (!StringUtils.isNotBlank(authenticationState.getLastPrincipalName()) || !authenticator.isSecretModule() || this.realmService.verifyPrincipal(authenticationState.getLastPrincipalName(), authenticationState.getRealm())) {
            return true;
        }
        authenticationState.clean();
        authenticationState.setLastErrorMsg("error.accountSuspended");
        authenticationState.setLastErrorIsResourceKey(true);
        this.eventService.publishEvent(new AuthenticationAttemptEvent(this, authenticationState, authenticator, "hint.accountSuspended"));
        return false;
    }

    protected FormTemplate modifyTemplate(AuthenticationState authenticationState, FormTemplate formTemplate, boolean z) {
        Iterator<AuthenticationServiceListener> it = this.listeners.iterator();
        while (it.hasNext()) {
            it.next().modifyTemplate(authenticationState, formTemplate, z);
        }
        return formTemplate;
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public Session completeLogon(AuthenticationState authenticationState) throws AccessDeniedException {
        if (authenticationState.getPrincipal() == null) {
            throw new IllegalStateException("completeLogon called without a principal in the AuthenticationState!");
        }
        if (System.getProperty("hypersocket.cleanSessionOnLogin", "true").equals("true")) {
            Request.cleanSessionOnLogin();
        }
        Session openSession = this.sessionService.openSession(authenticationState.getRemoteAddress(), authenticationState.getPrincipal(), authenticationState.getScheme(), authenticationState.getUserAgent(), authenticationState.getParameters());
        try {
            Closeable tryAs = tryAs(openSession, authenticationState.getLocale());
            try {
                authenticationState.complete(openSession);
                if (authenticationState.hasParameter("password")) {
                    this.sessionService.setCurrentPassword(openSession, authenticationState.getParameter("password"));
                }
                if (this.permissionService.hasSystemPermission(getCurrentPrincipal()) && !this.realmService.getDefaultRealm().equals(getCurrentPrincipal().getRealm())) {
                    this.sessionService.switchRealm(openSession, this.realmService.getDefaultRealm());
                }
                String value = this.configurationService.getValue(authenticationState.getRealm(), "session.altHomePage");
                if (StringUtils.isNotBlank(value) && Arrays.asList(this.configurationService.getValues(authenticationState.getRealm(), "session.altHomePage.onSchemes")).contains(authenticationState.getScheme().getResourceKey())) {
                    authenticationState.setHomePage(this.variableReplacement.replaceVariables(getCurrentPrincipal(), value));
                }
                if (tryAs != null) {
                    tryAs.close();
                }
                return openSession;
            } finally {
            }
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override // com.hypersocket.auth.PasswordEnabledAuthenticatedServiceImpl, com.hypersocket.auth.AuthenticatedServiceImpl
    protected void verifyPermission(Principal principal, PermissionStrategy permissionStrategy, PermissionType... permissionTypeArr) throws AccessDeniedException {
        this.permissionService.verifyPermission(principal, permissionStrategy, permissionTypeArr);
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public FormTemplate nextPostAuthenticationStep(AuthenticationState authenticationState) throws AccessDeniedException {
        if (authenticationState.hasPostAuthenticationStep()) {
            return modifyTemplate(authenticationState, authenticationState.getCurrentPostAuthenticationStep().createTemplate(authenticationState), true);
        }
        throw new IllegalStateException("There are no post authentcation steps to process!");
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public void registerPostAuthenticationStep(PostAuthenticationStep postAuthenticationStep) {
        this.postAuthenticationSteps.add(postAuthenticationStep);
        Collections.sort(this.postAuthenticationSteps, new Comparator<PostAuthenticationStep>() { // from class: com.hypersocket.auth.AuthenticationServiceImpl.4
            @Override // java.util.Comparator
            public int compare(PostAuthenticationStep postAuthenticationStep2, PostAuthenticationStep postAuthenticationStep3) {
                return Integer.valueOf(postAuthenticationStep2.getOrderPriority()).compareTo(Integer.valueOf(postAuthenticationStep3.getOrderPriority()));
            }
        });
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public void setAuthenticationSchemeSelector(AuthenticationSchemeSelector authenticationSchemeSelector) {
        if (this.authenticationSelector != null) {
            throw new IllegalStateException("You cannot set a scheme selector when its already set!");
        }
        this.authenticationSelector = authenticationSchemeSelector;
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public Map<String, Authenticator> getAuthenticators(String str) {
        HashMap hashMap = new HashMap();
        AuthenticationScheme schemeByResourceKey2 = this.schemeRepository.getSchemeByResourceKey2(getCurrentRealm(), str);
        AuthenticationModuleType type = Objects.isNull(schemeByResourceKey2) ? AuthenticationModuleType.HTML : schemeByResourceKey2.getType();
        for (Authenticator authenticator : this.authenticators.values()) {
            if (!authenticator.isHidden() && authenticator.isEnabled()) {
                if (type == AuthenticationModuleType.CUSTOM) {
                    hashMap.put(authenticator.getResourceKey(), authenticator);
                } else if (type.ordinal() >= authenticator.getType().ordinal()) {
                    hashMap.put(authenticator.getResourceKey(), authenticator);
                }
            }
        }
        return hashMap;
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public Principal resolvePrincipalAndRealm(AuthenticationState authenticationState, String str, Realm realm, PrincipalType... principalTypeArr) throws AccessDeniedException, PrincipalNotFoundException {
        authenticationState.setLastPrincipalName(str);
        if (realm != null) {
            authenticationState.setRealm(realm);
        }
        Realm realm2 = authenticationState.getRealm();
        if (realm2 != null) {
            authenticationState.setLastRealmName(realm2.getName());
        }
        if (log.isDebugEnabled()) {
            log.debug("Looking up principal " + str + " in " + (realm2 == null ? "all realms" : realm2.getName()));
        }
        Principal principal = null;
        if (this.realmService.isRealmStrictedToHost(realm2) || realm != null) {
            principal = this.realmService.getPrincipalByName(realm2, str, principalTypeArr);
        } else {
            try {
                principal = this.realmService.getUniquePrincipal(str, principalTypeArr);
            } catch (ResourceNotFoundException e) {
            }
        }
        if (principal == null) {
            if (log.isDebugEnabled()) {
                log.debug("Unable to find principal for " + str + " in " + (realm2 == null ? "all realms" : realm2.getName()));
            }
            if (realm2 != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Performing realm direct lookup for principal " + str + " in " + realm2.getName());
                }
                principal = this.realmService.getPrincipalByName(realm2, str, principalTypeArr);
            }
            if (principal == null) {
                throw new PrincipalNotFoundException(String.format("%s is not a valid username", str));
            }
        }
        authenticationState.setLastPrincipal(principal);
        return principal;
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public Collection<PostAuthenticationStep> getPostAuthenticationSteps() {
        return new ArrayList(this.postAuthenticationSteps);
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public boolean isAuthenticatorInUse(Realm realm, String str) {
        return this.repository.isAuthenticatorInUse(realm, str, new String[0]);
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public Set<Role> getAllowedRoles(AuthenticationScheme authenticationScheme) {
        return this.schemeRepository.getAllowedRoles(authenticationScheme);
    }

    @Override // com.hypersocket.auth.AuthenticationService
    public Set<Role> getDeniedRoles(AuthenticationScheme authenticationScheme) {
        return this.schemeRepository.getDeniedRoles(authenticationScheme);
    }
}
