package org.artifactory.webapp.servlet;

import com.google.common.cache.CacheBuilder;
import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.TimeUnit;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang3.StringUtils;
import org.artifactory.api.context.ArtifactoryContext;
import org.artifactory.api.context.ContextHelper;
import org.artifactory.api.security.SecurityListener;
import org.artifactory.api.security.SecurityService;
import org.artifactory.common.ArtifactoryHome;
import org.artifactory.common.ConstantValues;
import org.artifactory.common.property.ArtifactorySystemProperties;
import org.artifactory.security.AccessLogger;
import org.artifactory.security.HttpAuthenticationDetailsSource;
import org.artifactory.util.HttpUtils;
import org.artifactory.util.SessionUtils;
import org.artifactory.util.UiRequestUtils;
import org.artifactory.webapp.servlet.authentication.ArtifactoryAuthenticationFilter;
import org.artifactory.webapp.servlet.authentication.ArtifactoryAuthenticationFilterChain;
import org.artifactory.webapp.servlet.authentication.interceptor.anonymous.AnonymousAuthenticationInterceptor;
import org.artifactory.webapp.servlet.authentication.interceptor.anonymous.AnonymousAuthenticationInterceptors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

/* loaded from: input_file:org/artifactory/webapp/servlet/AccessFilter.class */
public class AccessFilter extends DelayedFilterBase implements SecurityListener {
    private static final Logger log = LoggerFactory.getLogger(AccessFilter.class);
    public static final String AUTHENTICATED_USERNAME_ATTRIBUTE = "authenticated_username";
    private ArtifactoryContext context;
    private ArtifactoryAuthenticationFilterChain authFilterChain;
    private BasicAuthenticationEntryPoint authenticationEntryPoint;
    private AnonymousAuthenticationInterceptors authInterceptors;
    private ConcurrentMap<AuthCacheKey, Authentication> nonUiAuthCache;
    private ConcurrentMap<String, AuthenticationCache> userChangedCache;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/artifactory/webapp/servlet/AccessFilter$AuthCacheKey.class */
    public static class AuthCacheKey {
        private static final String EMPTY_HEADER = DigestUtils.shaHex("");
        private final String hashedHeader;
        private final String ip;

        private AuthCacheKey(String str, String str2) {
            if (str == null) {
                this.hashedHeader = EMPTY_HEADER;
            } else {
                this.hashedHeader = DigestUtils.shaHex(str);
            }
            this.ip = str2;
        }

        public boolean hasEmptyHeader() {
            return this.hashedHeader.equals(EMPTY_HEADER);
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            AuthCacheKey authCacheKey = (AuthCacheKey) obj;
            return this.hashedHeader.equals(authCacheKey.hashedHeader) && this.ip.equals(authCacheKey.ip);
        }

        public int hashCode() {
            return (31 * this.hashedHeader.hashCode()) + this.ip.hashCode();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/artifactory/webapp/servlet/AccessFilter$AuthenticationCache.class */
    public class AuthenticationCache {
        Set<AuthCacheKey> authCacheKeys;
        Map<Integer, Integer> authState = new HashMap(3);

        AuthenticationCache(Authentication authentication) {
            this.authState.put(Integer.valueOf(authentication.hashCode()), 0);
        }

        synchronized void addAuthCacheKey(AuthCacheKey authCacheKey) {
            if (this.authCacheKeys == null) {
                this.authCacheKeys = new HashSet();
            }
            this.authCacheKeys.add(authCacheKey);
        }

        synchronized void changed() {
            if (this.authCacheKeys != null) {
                Iterator<AuthCacheKey> it = this.authCacheKeys.iterator();
                while (it.hasNext()) {
                    Authentication authentication = (Authentication) AccessFilter.this.nonUiAuthCache.remove(it.next());
                    if (authentication != null) {
                        Integer valueOf = Integer.valueOf(authentication.hashCode());
                        AccessFilter.log.debug("Removed {}:{} from the non-ui authentication cache", authentication.getName(), valueOf);
                        this.authState.put(valueOf, 1);
                    }
                }
                this.authCacheKeys.clear();
            }
            Iterator it2 = new HashSet(this.authState.keySet()).iterator();
            while (it2.hasNext()) {
                this.authState.put((Integer) it2.next(), 1);
            }
        }

        boolean isChanged(Authentication authentication) {
            Integer num = this.authState.get(Integer.valueOf(authentication.hashCode()));
            return num != null && num.intValue() == 1;
        }

        void loggedOut(Authentication authentication) {
            this.authState.put(Integer.valueOf(authentication.hashCode()), 2);
        }

        void loggedIn(Authentication authentication) {
            this.authState.put(Integer.valueOf(authentication.hashCode()), 0);
        }
    }

    @Override // org.artifactory.webapp.servlet.DelayedFilterBase
    public void initLater(FilterConfig filterConfig) throws ServletException {
        this.context = RequestUtils.getArtifactoryContext(filterConfig.getServletContext());
        this.authenticationEntryPoint = (BasicAuthenticationEntryPoint) this.context.beanForType(BasicAuthenticationEntryPoint.class);
        this.authFilterChain = new ArtifactoryAuthenticationFilterChain(this.authenticationEntryPoint);
        this.authFilterChain.addFilters(this.context.beansForType(ArtifactoryAuthenticationFilter.class).values());
        initCaches(filterConfig);
        this.authFilterChain.init(filterConfig);
        this.authInterceptors = new AnonymousAuthenticationInterceptors();
        RequestUtils.setPackagesEndpointUseBasicAuth();
        this.authInterceptors.addInterceptors(this.context.beansForType(AnonymousAuthenticationInterceptor.class).values());
    }

    private void initCaches(FilterConfig filterConfig) {
        ArtifactorySystemProperties artifactoryProperties = ((ArtifactoryHome) filterConfig.getServletContext().getAttribute("artifactory.home.obj")).getArtifactoryProperties();
        long longValue = artifactoryProperties.getLongProperty(ConstantValues.securityAuthenticationCacheIdleTimeSecs).longValue();
        long longValue2 = artifactoryProperties.getLongProperty(ConstantValues.securityAuthenticationCacheInitSize).longValue();
        this.nonUiAuthCache = CacheBuilder.newBuilder().softValues().initialCapacity((int) longValue2).expireAfterWrite(longValue, TimeUnit.SECONDS).build().asMap();
        this.userChangedCache = CacheBuilder.newBuilder().softValues().initialCapacity((int) longValue2).expireAfterWrite(longValue, TimeUnit.SECONDS).build().asMap();
        ((SecurityService) this.context.beanForType(SecurityService.class)).addListener(this);
    }

    public void onClearSecurity() {
        this.nonUiAuthCache.clear();
        this.userChangedCache.clear();
    }

    public void onUserUpdate(String str) {
        invalidateUserAuthCache(str);
    }

    public void onUserDelete(String str) {
        invalidateUserAuthCache(str);
    }

    private void invalidateUserAuthCache(String str) {
        AuthenticationCache authenticationCache = this.userChangedCache.get(str);
        if (authenticationCache != null) {
            authenticationCache.changed();
        }
    }

    public void destroy() {
        if (this.authFilterChain != null) {
            this.authFilterChain.destroy();
        }
        if (this.nonUiAuthCache != null) {
            this.nonUiAuthCache.clear();
            this.nonUiAuthCache = null;
        }
        if (this.userChangedCache != null) {
            this.userChangedCache.clear();
            this.userChangedCache = null;
        }
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (shouldSkipFilter(servletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            doFilterInternal((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse, filterChain);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // org.artifactory.webapp.servlet.DelayedFilterBase
    public boolean shouldSkipFilter(ServletRequest servletRequest) {
        return super.shouldSkipFilter(servletRequest) || isOpenidGatewayResource((HttpServletRequest) servletRequest);
    }

    private boolean isOpenidGatewayResource(HttpServletRequest httpServletRequest) {
        return !isDefaultAuthorizationRequired(httpServletRequest) && httpServletRequest.getRequestURI().contains("api/system/gateway/openid");
    }

    private boolean isDefaultAuthorizationRequired(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("X-Default-Authorization");
        return header != null && header.toLowerCase().equals("true");
    }

    private void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (shouldRedirectWebapp(httpServletRequest, httpServletResponse, RequestUtils.getServletPathFromRequest(httpServletRequest), httpServletRequest.getMethod())) {
            return;
        }
        Authentication authentication = SessionUtils.getAuthentication(httpServletRequest);
        boolean z = authentication != null && authentication.isAuthenticated();
        ArtifactoryAuthenticationFilter acceptFilter = this.authFilterChain.acceptFilter(httpServletRequest);
        boolean z2 = !z || handleReauthentication(httpServletRequest, httpServletResponse, authentication, acceptFilter);
        SecurityContext context = SecurityContextHolder.getContext();
        if (!z2) {
            log.debug("Using authentication {} from Http session.", authentication);
            useAuthentication(httpServletRequest, httpServletResponse, filterChain, authentication, context);
        } else if (acceptFilter == null || !acceptFilter.acceptFilter(httpServletRequest)) {
            useAnonymousIfPossible(httpServletRequest, httpServletResponse, filterChain, context, acceptFilter);
        } else {
            authenticateAndExecute(httpServletRequest, httpServletResponse, filterChain, context, acceptFilter, this.authFilterChain);
        }
    }

    private boolean handleReauthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication, ArtifactoryAuthenticationFilter artifactoryAuthenticationFilter) {
        if (!reAuthenticationRequired(httpServletRequest, authentication, artifactoryAuthenticationFilter)) {
            return false;
        }
        Iterator it = ContextHelper.get().beansForType(LogoutHandler.class).values().iterator();
        while (it.hasNext()) {
            ((LogoutHandler) it.next()).logout(httpServletRequest, httpServletResponse, authentication);
        }
        return true;
    }

    private boolean shouldRedirectWebapp(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2) throws IOException {
        RequestUtils.addAdditionalHeadersToWebAppRequest(httpServletRequest, httpServletResponse);
        if (!"get".equalsIgnoreCase(str2)) {
            return false;
        }
        if (str != null && !"/".equals(str) && str.length() != 0 && !str.equals("/webapp")) {
            return false;
        }
        httpServletResponse.sendRedirect(HttpUtils.getServletContextUrl(httpServletRequest) + "/webapp/");
        return true;
    }

    private boolean reAuthenticationRequired(HttpServletRequest httpServletRequest, Authentication authentication, ArtifactoryAuthenticationFilter artifactoryAuthenticationFilter) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return false;
        }
        AuthenticationCache authenticationCache = this.userChangedCache.get(authentication.getName());
        if (authenticationCache != null && authenticationCache.isChanged(authentication)) {
            authenticationCache.loggedOut(authentication);
            return true;
        }
        if (isAuthenticatedUIRequest(httpServletRequest, artifactoryAuthenticationFilter, authentication)) {
            return false;
        }
        return artifactoryAuthenticationFilter == null || artifactoryAuthenticationFilter.requiresReAuthentication(httpServletRequest, authentication);
    }

    private boolean isAuthenticatedUIRequest(HttpServletRequest httpServletRequest, ArtifactoryAuthenticationFilter artifactoryAuthenticationFilter, Authentication authentication) {
        if (artifactoryAuthenticationFilter == null && authentication.getClass().getSimpleName().equals("HttpSsoAuthenticationToken")) {
            return false;
        }
        return UiRequestUtils.isUiRestRequest(httpServletRequest) || (httpServletRequest.getRequestURI().contains("webapp") && artifactoryAuthenticationFilter == null) || artifactoryAuthenticationFilter == null;
    }

    private void authenticateAndExecute(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, SecurityContext securityContext, ArtifactoryAuthenticationFilter artifactoryAuthenticationFilter, ArtifactoryAuthenticationFilterChain artifactoryAuthenticationFilterChain) throws IOException, ServletException {
        String cacheKey = artifactoryAuthenticationFilter.getCacheKey(httpServletRequest);
        log.debug("Cached key has been found for request: '{}' with method: '{}'", httpServletRequest.getRequestURI(), httpServletRequest.getMethod());
        AuthCacheKey authCacheKey = new AuthCacheKey(cacheKey, httpServletRequest.getRemoteAddr());
        Authentication nonUiCachedAuthentication = getNonUiCachedAuthentication(httpServletRequest, authCacheKey);
        if (nonUiCachedAuthentication != null && nonUiCachedAuthentication.isAuthenticated() && !reAuthenticationRequired(httpServletRequest, nonUiCachedAuthentication, artifactoryAuthenticationFilter)) {
            log.debug("Header authentication {} found in cache.", nonUiCachedAuthentication);
            useAuthentication(httpServletRequest, httpServletResponse, filterChain, nonUiCachedAuthentication, securityContext);
            addToUserChange(nonUiCachedAuthentication);
            return;
        }
        try {
            artifactoryAuthenticationFilterChain.doFilter(httpServletRequest, httpServletResponse, artifactoryAuthenticationFilter, filterChain);
            String str = "non_authenticated_user";
            Authentication authentication = securityContext.getAuthentication();
            if (authentication == null || !authentication.isAuthenticated()) {
                UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(extractUsername(httpServletRequest), (Object) null);
                usernamePasswordAuthenticationToken.setDetails(new WebAuthenticationDetails(httpServletRequest));
                AccessLogger.loginDenied(usernamePasswordAuthenticationToken);
            } else {
                AccessLogger.loggedIn(authentication);
                addToUserChange(authentication);
                if (SessionUtils.setAuthentication(httpServletRequest, authentication, false)) {
                    log.debug("Added authentication {} in Http session.", authentication);
                    str = authentication.getName();
                } else {
                    str = authentication.getName();
                    if (("anonymous".equals(str) && authCacheKey.hasEmptyHeader()) || (!"anonymous".equals(str) && !authCacheKey.hasEmptyHeader())) {
                        this.nonUiAuthCache.put(authCacheKey, authentication);
                        AuthenticationCache authenticationCache = this.userChangedCache.get(str);
                        if (authenticationCache != null) {
                            authenticationCache.addAuthCacheKey(authCacheKey);
                        }
                        log.debug("Added authentication {} in cache.", authentication);
                    }
                }
            }
            securityContext.setAuthentication((Authentication) null);
            httpServletRequest.setAttribute(AUTHENTICATED_USERNAME_ATTRIBUTE, str);
        } catch (Throwable th) {
            String str2 = "non_authenticated_user";
            Authentication authentication2 = securityContext.getAuthentication();
            if (authentication2 == null || !authentication2.isAuthenticated()) {
                UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken2 = new UsernamePasswordAuthenticationToken(extractUsername(httpServletRequest), (Object) null);
                usernamePasswordAuthenticationToken2.setDetails(new WebAuthenticationDetails(httpServletRequest));
                AccessLogger.loginDenied(usernamePasswordAuthenticationToken2);
            } else {
                AccessLogger.loggedIn(authentication2);
                addToUserChange(authentication2);
                if (SessionUtils.setAuthentication(httpServletRequest, authentication2, false)) {
                    log.debug("Added authentication {} in Http session.", authentication2);
                    str2 = authentication2.getName();
                } else {
                    str2 = authentication2.getName();
                    if (("anonymous".equals(str2) && authCacheKey.hasEmptyHeader()) || (!"anonymous".equals(str2) && !authCacheKey.hasEmptyHeader())) {
                        this.nonUiAuthCache.put(authCacheKey, authentication2);
                        AuthenticationCache authenticationCache2 = this.userChangedCache.get(str2);
                        if (authenticationCache2 != null) {
                            authenticationCache2.addAuthCacheKey(authCacheKey);
                        }
                        log.debug("Added authentication {} in cache.", authentication2);
                    }
                }
            }
            securityContext.setAuthentication((Authentication) null);
            httpServletRequest.setAttribute(AUTHENTICATED_USERNAME_ATTRIBUTE, str2);
            throw th;
        }
    }

    private String extractUsername(HttpServletRequest httpServletRequest) {
        String extractUsernameFromRequest = RequestUtils.extractUsernameFromRequest(httpServletRequest);
        return StringUtils.isNotBlank(extractUsernameFromRequest) ? extractUsernameFromRequest : "NA";
    }

    private void addToUserChange(Authentication authentication) {
        AuthenticationCache putIfAbsent;
        String name = authentication.getName();
        if ("anonymous".equals(name) || (putIfAbsent = this.userChangedCache.putIfAbsent(name, new AuthenticationCache(authentication))) == null) {
            return;
        }
        putIfAbsent.loggedIn(authentication);
    }

    private void useAnonymousIfPossible(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, SecurityContext securityContext, ArtifactoryAuthenticationFilter artifactoryAuthenticationFilter) throws IOException, ServletException {
        if (!this.context.getAuthorizationService().isAnonAccessEnabled() && !this.authInterceptors.accept(httpServletRequest)) {
            if (RequestUtils.isUiRequest(httpServletRequest)) {
                log.debug("No filter or entry just chain");
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            } else {
                log.debug("Sending request requiring authentication");
                this.authenticationEntryPoint.commence(httpServletRequest, httpServletResponse, new InsufficientAuthenticationException("Authentication is required"));
                return;
            }
        }
        log.debug("Using anonymous");
        AuthCacheKey authCacheKey = getAuthCacheKey(httpServletRequest, artifactoryAuthenticationFilter);
        Authentication nonUiCachedAuthentication = getNonUiCachedAuthentication(httpServletRequest, authCacheKey);
        if (nonUiCachedAuthentication == null) {
            log.debug("Creating the Anonymous token");
            UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken("anonymous", "");
            usernamePasswordAuthenticationToken.setDetails(new HttpAuthenticationDetailsSource().buildDetails(httpServletRequest));
            nonUiCachedAuthentication = ((AuthenticationManager) this.context.beanForType("authenticationManager", AuthenticationManager.class)).authenticate(usernamePasswordAuthenticationToken);
            if (nonUiCachedAuthentication != null && nonUiCachedAuthentication.isAuthenticated() && !RequestUtils.isUiRequest(httpServletRequest)) {
                this.nonUiAuthCache.put(authCacheKey, nonUiCachedAuthentication);
                log.debug("Added anonymous authentication {} to cache", nonUiCachedAuthentication);
            }
        } else {
            log.debug("Using cached anonymous authentication");
        }
        useAuthentication(httpServletRequest, httpServletResponse, filterChain, nonUiCachedAuthentication, securityContext);
    }

    private AuthCacheKey getAuthCacheKey(HttpServletRequest httpServletRequest, ArtifactoryAuthenticationFilter artifactoryAuthenticationFilter) {
        return artifactoryAuthenticationFilter != null ? new AuthCacheKey(artifactoryAuthenticationFilter.getCacheKey(httpServletRequest), httpServletRequest.getRemoteAddr()) : new AuthCacheKey(null, httpServletRequest.getRemoteAddr());
    }

    private Authentication getNonUiCachedAuthentication(HttpServletRequest httpServletRequest, AuthCacheKey authCacheKey) {
        if (RequestUtils.isUiRequest(httpServletRequest)) {
            return null;
        }
        return this.nonUiAuthCache.get(authCacheKey);
    }

    private void useAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, Authentication authentication, SecurityContext securityContext) throws IOException, ServletException {
        try {
            securityContext.setAuthentication(authentication);
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            addToUserChange(authentication);
            securityContext.setAuthentication((Authentication) null);
            httpServletRequest.setAttribute(AUTHENTICATED_USERNAME_ATTRIBUTE, authentication != null ? authentication.getName() : "non_authenticated_user");
        } catch (Throwable th) {
            securityContext.setAuthentication((Authentication) null);
            httpServletRequest.setAttribute(AUTHENTICATED_USERNAME_ATTRIBUTE, authentication != null ? authentication.getName() : "non_authenticated_user");
            throw th;
        }
    }

    public int compareTo(SecurityListener securityListener) {
        return 0;
    }
}
