package io.milton.http.http11.auth;

import io.milton.common.Utils;
import io.milton.dns.utils.base64;
import io.milton.ftp.NameAndAuthority;
import io.milton.http.AuthenticationHandler;
import io.milton.http.BeanCookie;
import io.milton.http.Cookie;
import io.milton.http.HttpManager;
import io.milton.http.Request;
import io.milton.http.ResourceFactory;
import io.milton.http.Response;
import io.milton.http.exceptions.BadRequestException;
import io.milton.http.exceptions.NotAuthorizedException;
import io.milton.http.http11.auth.NonceProvider;
import io.milton.principal.DiscretePrincipal;
import io.milton.resource.Resource;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/milton/http/http11/auth/CookieAuthenticationHandler.class */
public class CookieAuthenticationHandler implements AuthenticationHandler {
    private static final Logger log = LoggerFactory.getLogger(CookieAuthenticationHandler.class);
    private static final String HANDLER_ATT_NAME = "_delegatedAuthenticationHandler";
    public static final int SECONDS_PER_YEAR = 31536000;
    private final List<AuthenticationHandler> handlers;
    private final ResourceFactory principalResourceFactory;
    private final NonceProvider nonceProvider;
    private final List<String> keys;
    private final String requestParamLogout = "miltonLogout";
    private final String cookieUserUrlValue = "miltonUserUrl";
    private final String cookieUserUrlHash = "miltonUserUrlHash";
    private final String loginTokenName = "loginToken";
    private String userUrlAttName = "userUrl";
    private boolean useLongLivedCookies = true;
    private String keepLoggedInParamName = "keepLoggedIn";

    public CookieAuthenticationHandler(NonceProvider nonceProvider, List<AuthenticationHandler> list, ResourceFactory resourceFactory, List<String> list2) {
        this.nonceProvider = nonceProvider;
        this.handlers = list;
        this.principalResourceFactory = resourceFactory;
        this.keys = list2;
    }

    @Override // io.milton.http.AuthenticationHandler
    public boolean credentialsPresent(Request request) {
        String userUrlFromRequest = getUserUrlFromRequest(request);
        if (userUrlFromRequest != null && userUrlFromRequest.length() > 0) {
            return true;
        }
        Iterator<AuthenticationHandler> it = this.handlers.iterator();
        while (it.hasNext()) {
            if (it.next().credentialsPresent(request)) {
                return true;
            }
        }
        return false;
    }

    @Override // io.milton.http.AuthenticationHandler
    public boolean supports(Resource resource, Request request) {
        if (isLogout(request)) {
            String userUrl = getUserUrl(request);
            log.info("Is LogOut request, clear cookie");
            if (userUrl != null && userUrl.length() > 0) {
                clearCookieValue(HttpManager.response());
            }
        }
        ArrayList arrayList = new ArrayList();
        for (AuthenticationHandler authenticationHandler : this.handlers) {
            if (authenticationHandler.supports(resource, request)) {
                log.info("Found child handler who supports this request {}", authenticationHandler);
                arrayList.add(authenticationHandler);
            }
        }
        if (arrayList.isEmpty()) {
            return getUserUrl(request) != null;
        }
        request.getAttributes().put(HANDLER_ATT_NAME, arrayList);
        return true;
    }

    @Override // io.milton.http.AuthenticationHandler
    public Object authenticate(Resource resource, Request request) {
        Resource resource2;
        List<AuthenticationHandler> list = (List) request.getAttributes().get(HANDLER_ATT_NAME);
        if (list != null && !list.isEmpty()) {
            for (AuthenticationHandler authenticationHandler : list) {
                if (log.isTraceEnabled()) {
                    log.trace("authenticate: use delegateHandler: " + authenticationHandler);
                }
                Object authenticate = authenticationHandler.authenticate(resource, request);
                if (authenticate != null) {
                    if (authenticate instanceof DiscretePrincipal) {
                        setLoginCookies((DiscretePrincipal) authenticate, request);
                        log.trace("authenticate: authentication passed by delegated handler, persisted userUrl to cookie");
                    } else {
                        log.warn("authenticate: auth.tag is not an instance of " + DiscretePrincipal.class + ", is: " + authenticate.getClass() + " so is not compatible with cookie authentication");
                        if (authenticationHandler instanceof FormAuthenticationHandler) {
                            LoginResponseHandler.setDisableHtmlResponse(request);
                            return null;
                        }
                    }
                    return authenticate;
                }
                log.info("Login failed by delegated handler: " + authenticationHandler.getClass());
            }
            return null;
        }
        log.trace("no delegating handler");
        if (isLogout(request)) {
            log.trace("authenticate: is logout");
            return null;
        }
        String userUrl = getUserUrl(request);
        if (userUrl == null) {
            log.trace("authenticate: no userUrl in request or cookie, nothing to do");
            return null;
        }
        if (log.isTraceEnabled()) {
            log.trace("authenticate: userUrl=" + userUrl);
        }
        String hostHeader = request.getHostHeader();
        try {
            resource2 = this.principalResourceFactory.getResource(hostHeader, userUrl);
            log.trace("found current user: " + resource2);
        } catch (NotAuthorizedException e) {
            log.error("Couldnt check userUrl in cookie", e);
            resource2 = null;
        } catch (BadRequestException e2) {
            log.error("Couldnt check userUrl in cookie", e2);
            resource2 = null;
        }
        if (resource2 == null) {
            log.warn("User not found host: " + hostHeader + " userUrl: " + userUrl + " with resourcefactory: " + this.principalResourceFactory);
            clearCookieValue(HttpManager.response());
        } else if (request.getParams() == null || !(request.getParams().containsKey("miltonUserUrl") || request.getParams().containsKey("loginToken"))) {
            log.trace("Do not set cookies, because token did not come from request variable");
        } else if (resource2 instanceof DiscretePrincipal) {
            setLoginCookies((DiscretePrincipal) resource2, request);
        } else {
            log.warn("Found user from request, but user object is not expected type. Should be " + DiscretePrincipal.class + " but is " + resource2.getClass());
        }
        return resource2;
    }

    public void setLoginCookies(DiscretePrincipal discretePrincipal, Request request) {
        log.trace("setLoginCookies");
        if (discretePrincipal == null) {
            throw new NullPointerException("user object is null");
        }
        if (discretePrincipal.getIdenitifer() == null) {
            throw new NullPointerException("getIdenitifer object is null");
        }
        String value = discretePrincipal.getIdenitifer().getValue();
        if (value == null) {
            throw new NullPointerException("user identifier returned a null value");
        }
        setLoginCookies(value, request);
    }

    public void setLoginCookies(String str, Request request) {
        if (request == null) {
            return;
        }
        Response response = HttpManager.response();
        if (response == null) {
            log.trace("setLoginCookies: No response object");
            return;
        }
        String urlSigningHash = getUrlSigningHash(str, request);
        String str2 = null;
        if (request.getParams() != null) {
            str2 = (String) request.getParams().get(this.keepLoggedInParamName);
        }
        setCookieValues(response, str, urlSigningHash, str2 != null ? str2.equalsIgnoreCase("true") : true);
        request.getAttributes().put(this.userUrlAttName, str);
    }

    @Override // io.milton.http.AuthenticationHandler
    public void appendChallenges(Resource resource, Request request, List<String> list) {
        for (AuthenticationHandler authenticationHandler : this.handlers) {
            if (authenticationHandler.isCompatible(resource, request)) {
                authenticationHandler.appendChallenges(resource, request, list);
            }
        }
    }

    @Override // io.milton.http.AuthenticationHandler
    public boolean isCompatible(Resource resource, Request request) {
        Iterator<AuthenticationHandler> it = this.handlers.iterator();
        while (it.hasNext()) {
            if (it.next().isCompatible(resource, request)) {
                return true;
            }
        }
        return false;
    }

    private boolean isLogout(Request request) {
        String str;
        return (request.getParams() == null || (str = (String) request.getParams().get("miltonLogout")) == null || str.length() <= 0) ? false : true;
    }

    public String getUserUrl(Request request) {
        String userUrlFromRequest;
        if (request == null || (userUrlFromRequest = getUserUrlFromRequest(request)) == null) {
            return null;
        }
        String trim = userUrlFromRequest.trim();
        if (trim.length() <= 0) {
            return null;
        }
        if (verifyHash(trim, request)) {
            return trim;
        }
        log.info("Invalid userUrl hash, possible attempted hacking attempt. userUrl=" + trim);
        return null;
    }

    public String getUserUrlFromRequest(Request request) {
        String str = null;
        String cookieOrParam = getCookieOrParam(request, "loginToken");
        if (cookieOrParam != null) {
            String str2 = new String(base64.fromString(cookieOrParam));
            if (str2.contains("|")) {
                String[] split = str2.split("\\|");
                if (split.length == 2) {
                    str = split[0];
                    request.getAttributes().put("miltonUserUrlHash", split[1]);
                } else {
                    log.warn("getUserUrlFromRequest: loginToken is invalid: {}", str2);
                }
            } else {
                log.warn("getUserUrlFromRequest: loginToken is invalid: {}", str2);
            }
        }
        if (str == null) {
            str = getCookieOrParam(request, "miltonUserUrl");
        }
        if (str == null) {
            log.trace("getUserUrlFromRequest: Null encodedUserUrl");
            return null;
        }
        if (log.isDebugEnabled()) {
            log.debug("getUserUrlFromRequest: Raw:" + str);
        }
        if (!str.startsWith("b64")) {
            log.trace("Looks like a plain path, return as is");
            return str;
        }
        log.trace("Looks like a base64 encoded string");
        String decodePath = Utils.decodePath(str.substring(3));
        if (log.isDebugEnabled()) {
            log.debug("getUserUrlFromRequest: Percent decoded:" + decodePath);
        }
        byte[] fromString = base64.fromString(decodePath);
        if (fromString == null) {
            log.debug("Failed to decode encodedUserUrl, so maybe its not encoded, return as it is");
            return decodePath;
        }
        String str3 = new String(fromString);
        if (log.isDebugEnabled()) {
            log.debug("getUserUrlFromRequest: Decoded user url:" + str3);
        }
        return str3;
    }

    public String getHashFromRequest(Request request) {
        String cookieOrParam;
        String paramVal = getParamVal(request, "miltonUserUrlHash");
        if (paramVal == null) {
            if (request.getAttributes().containsKey("miltonUserUrlHash")) {
                paramVal = (String) request.getAttributes().get("miltonUserUrlHash");
            }
            if (paramVal == null && (cookieOrParam = getCookieOrParam(request, "loginToken")) != null) {
                String str = new String(base64.fromString(cookieOrParam));
                if (str.contains("|")) {
                    String[] split = str.split("\\|");
                    if (split.length == 2) {
                        paramVal = split[1];
                    } else {
                        log.warn("getHashFromRequest: loginToken is invalid: {}", str);
                    }
                } else {
                    log.warn("getHashFromRequest: loginToken is invalid: {}", str);
                }
            }
        }
        if (paramVal == null) {
            paramVal = getCookieOrParam(request, "miltonUserUrlHash");
        }
        return paramVal;
    }

    private boolean verifyHash(String str, Request request) {
        String hashFromRequest = getHashFromRequest(request);
        if (hashFromRequest == null) {
            return false;
        }
        String trim = hashFromRequest.replace("\"", "").trim();
        if (trim.length() == 0) {
            log.warn("cookie signature is not present in cookie: miltonUserUrlHash");
            return false;
        }
        for (String str2 : this.keys) {
            if (str2 != null && str2.length() > 0 && verifyHash(str, str2, trim, request)) {
                return true;
            }
        }
        return false;
    }

    private boolean verifyHash(String str, String str2, String str3, Request request) {
        int indexOf = str3.indexOf(NameAndAuthority.DELIM_AUTHORITY);
        if (indexOf < 1) {
            log.warn("Invalid cookie signing format, no semi-colon: " + str3 + " Should be in form - nonce:hmac");
            return false;
        }
        String domain = getDomain(request);
        String substring = str3.substring(0, indexOf);
        String substring2 = str3.substring(indexOf + 1);
        String str4 = substring + NameAndAuthority.DELIM_AUTHORITY + str + NameAndAuthority.DELIM_AUTHORITY + domain;
        String calcShaHash = HmacUtils.calcShaHash(str4, str2);
        if (log.isTraceEnabled()) {
            log.trace("Message:" + str4);
            log.trace("Key:" + str2);
            log.trace("Hash:" + calcShaHash);
            log.trace("Given Signing:" + str3);
        }
        if (!calcShaHash.equals(substring2)) {
            if (!log.isDebugEnabled()) {
                return false;
            }
            log.debug("Cookie sig does not match expected. Given=" + substring2 + " Expected=" + calcShaHash);
            return false;
        }
        NonceProvider.NonceValidity nonceValidity = this.nonceProvider.getNonceValidity(substring, null);
        if (nonceValidity == null) {
            throw new RuntimeException("Unhandled nonce validity value");
        }
        switch (nonceValidity) {
            case OK:
                return true;
            case EXPIRED:
                log.warn("Nonce is valid, but expired. We will accept it but reset it");
                setLoginCookies(str, request);
                return true;
            case INVALID:
                log.warn("Received an invalid nonce: " + substring + " not found in provider: " + this.nonceProvider);
                return false;
            default:
                throw new RuntimeException("Unhandled nonce validity value");
        }
    }

    private String getDomain(Request request) {
        String hostHeader = request.getHostHeader();
        if (hostHeader.contains(NameAndAuthority.DELIM_AUTHORITY)) {
            hostHeader = hostHeader.substring(0, hostHeader.indexOf(NameAndAuthority.DELIM_AUTHORITY));
        }
        if (hostHeader == null) {
            hostHeader = "nohost";
        }
        return hostHeader;
    }

    public String getUrlSigningHash(String str, Request request) {
        return getUrlSigningHash(str, request, getDomain(request));
    }

    public String getUrlSigningHash(String str, Request request, String str2) {
        String createNonce = this.nonceProvider.createNonce(request);
        String str3 = createNonce + NameAndAuthority.DELIM_AUTHORITY + str + NameAndAuthority.DELIM_AUTHORITY + str2;
        String str4 = this.keys.get(this.keys.size() - 1);
        String calcShaHash = HmacUtils.calcShaHash(str3, str4);
        String str5 = createNonce + NameAndAuthority.DELIM_AUTHORITY + calcShaHash;
        if (log.isTraceEnabled()) {
            log.trace("Message:" + str3);
            log.trace("Key:" + str4);
            log.trace("Hash:" + calcShaHash);
            log.trace("Signing:" + str5);
        }
        return str5;
    }

    public String getLoginToken(String str, Request request) {
        return getLoginToken(str, request, getDomain(request));
    }

    public String getLoginToken(String str, Request request, String str2) {
        return getLoginToken(str, getUrlSigningHash(str, request, str2));
    }

    public String getLoginToken(String str, String str2) {
        return base64.toString((str + '|' + str2).getBytes());
    }

    private void setCookieValues(Response response, String str, String str2, boolean z) {
        log.trace("setCookieValues");
        BeanCookie beanCookie = new BeanCookie("miltonUserUrl");
        beanCookie.setValue(encodeUserUrl(str));
        beanCookie.setPath("/");
        beanCookie.setVersion(1);
        if (z && this.useLongLivedCookies) {
            beanCookie.setExpiry(SECONDS_PER_YEAR);
        }
        response.setCookie(beanCookie);
        BeanCookie beanCookie2 = new BeanCookie("miltonUserUrlHash");
        beanCookie2.setValue("\"" + str2 + "\"");
        beanCookie2.setHttpOnly(true);
        beanCookie2.setVersion(1);
        beanCookie2.setPath("/");
        if (z && this.useLongLivedCookies) {
            beanCookie2.setExpiry(SECONDS_PER_YEAR);
        }
        response.setCookie(beanCookie2);
    }

    public String encodeUserUrl(String str) {
        return "b64" + Utils.percentEncode(base64.toString(str.getBytes(Utils.UTF8)));
    }

    private void clearCookieValue(Response response) {
        log.info("clearCookieValue");
        response.setCookie("miltonUserUrl", "");
        response.setCookie("miltonUserUrlHash", "");
    }

    private String getCookieOrParam(Request request, String str) {
        String str2;
        if (request == null) {
            return null;
        }
        if (request.getParams() != null && (str2 = (String) request.getParams().get(str)) != null) {
            return str2;
        }
        Cookie cookie = request.getCookie(str);
        if (cookie != null) {
            return cookie.getValue();
        }
        return null;
    }

    private String getParamVal(Request request, String str) {
        String str2;
        if (request.getParams() == null || (str2 = (String) request.getParams().get(str)) == null) {
            return null;
        }
        return str2;
    }

    public String getCookieNameUserUrlHash() {
        return "miltonUserUrlHash";
    }

    public String getCookieNameUserUrl() {
        return "miltonUserUrl";
    }

    public String getUserUrlAttName() {
        return this.userUrlAttName;
    }

    public String getLoginTokenName() {
        return "loginToken";
    }

    public void setUserUrlAttName(String str) {
        this.userUrlAttName = str;
    }

    public void setUseLongLivedCookies(boolean z) {
        this.useLongLivedCookies = z;
    }

    public boolean isUseLongLivedCookies() {
        return this.useLongLivedCookies;
    }
}
