package cc.alcina.framework.servlet.authentication;

import cc.alcina.framework.common.client.csobjects.LoginResponse;
import cc.alcina.framework.common.client.logic.domain.Entity;
import cc.alcina.framework.common.client.logic.domaintransform.AuthenticationSession;
import cc.alcina.framework.common.client.logic.domaintransform.ClientInstance;
import cc.alcina.framework.common.client.logic.domaintransform.Iid;
import cc.alcina.framework.common.client.logic.permissions.IUser;
import cc.alcina.framework.common.client.logic.permissions.PermissionsManager;
import cc.alcina.framework.common.client.logic.permissions.UserlandProvider;
import cc.alcina.framework.common.client.logic.reflection.Permission;
import cc.alcina.framework.common.client.logic.reflection.Registration;
import cc.alcina.framework.common.client.logic.reflection.registry.Registry;
import cc.alcina.framework.common.client.util.Ax;
import cc.alcina.framework.common.client.util.LooseContext;
import cc.alcina.framework.entity.Configuration;
import cc.alcina.framework.entity.SEUtilities;
import cc.alcina.framework.entity.persistence.AuthenticationPersistence;
import cc.alcina.framework.entity.persistence.mvcc.Transaction;
import cc.alcina.framework.gwt.client.rpc.AlcinaRpcRequestBuilder;
import cc.alcina.framework.servlet.servlet.AuthenticationTokenStore;
import java.util.Date;
import java.util.Objects;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

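/**
 * Resolves, creates and invalidates the authentication state (iid, authentication session,
 * client instance) attached to the current {@link LooseContext}.
 *
 * <p>Two cookies are read and written through the {@link AuthenticationTokenStore}:
 * {@link #COOKIE_NAME_IID} and {@link #COOKIE_NAME_SESSIONID}. The session cookie value is the
 * key used to look the session up in persistence, so it is treated as a bearer credential here
 * and is never written to the log; log lines identify sessions by their persistent id instead.
 */
@Registration.Singleton
/* loaded from: input_file:alcina-servlet.jar:cc/alcina/framework/servlet/authentication/AuthenticationManager.class */
public class AuthenticationManager {
    private static final String CONTEXT_AUTHENTICATION_CONTEXT = AuthenticationManager.class.getName() + ".CONTEXT_AUTHENTICATION_CONTEXT";
    /**
     * Context flag: when set, an expired session that belongs to an anonymous user and was
     * resolved from the client-instance headers is accepted instead of rejected.
     */
    public static final String CONTEXT_ALLOW_EXPIRED_ANONYMOUS_AUTHENTICATION_SESSION = AuthenticationManager.class.getName() + ".CONTEXT_ALLOW_EXPIRED_ANONYMOUS_AUTHENTICATION_SESSION";
    public static final String COOKIE_NAME_IID = "IID";
    public static final String COOKIE_NAME_SESSIONID = "alcsessionid";
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final AuthenticationPersistence persistence = AuthenticationPersistence.get();

    /**
     * Per-context authentication state. Fields are filled in step by step by
     * {@link AuthenticationManager#initialiseContext(AuthenticationTokenStore)}.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:alcina-servlet.jar:cc/alcina/framework/servlet/authentication/AuthenticationManager$AuthenticationContext.class */
    public static class AuthenticationContext {
        Iid iid;
        ClientInstance clientInstance;
        AuthenticationSession session;
        String userName;
        AuthenticationTokenStore tokenStore;
        private Authenticator<?> localAuthenticator = (Authenticator) Registry.impl(Authenticator.class);

        AuthenticationContext() {
        }

        /** Returns the registered authenticator, cast to the caller's user type. */
        @SuppressWarnings("unchecked") // the cast is unchecked; the caller picks U
        <U extends Entity & IUser> Authenticator<U> typedAuthenticator() {
            return (Authenticator<U>) this.localAuthenticator;
        }
    }

    /** Thrown when a request carries client-instance headers whose session has expired. */
    /* loaded from: input_file:alcina-servlet.jar:cc/alcina/framework/servlet/authentication/AuthenticationManager$ExpiredClientInstanceException.class */
    public static class ExpiredClientInstanceException extends RuntimeException {
        public ExpiredClientInstanceException() {
            super("Not authorized - client instance expired");
        }
    }

    /** Returns the registry-provided instance of this class. */
    public static AuthenticationManager get() {
        return (AuthenticationManager) Registry.impl(AuthenticationManager.class);
    }

    /** Returns whether an authentication context is present in the current {@link LooseContext}. */
    public static boolean hasContext() {
        return LooseContext.has(CONTEXT_AUTHENTICATION_CONTEXT);
    }

    /**
     * Static shortcut for {@link #getContextClientInstanceId()}.
     *
     * @return the id of the context client instance, or {@code null} when there is none
     */
    public static Long provideAuthenticatedClientInstanceId() {
        return get().getContextClientInstance().map(instance -> instance.getId()).orElse(null);
    }

    /**
     * Creates and persists a new authentication session, makes it the context session and sets
     * the session cookie. A session already present in the context is invalidated first.
     *
     * @param date  passed to persistence when creating the session
     * @param iUser the user the new session belongs to
     * @param str   passed to persistence when creating the session; logged as the session "type"
     * @param z     when {@code true}, a client instance is created for the new session as well
     * @return the newly created session
     */
    public AuthenticationSession createAuthenticationSession(Date date, IUser iUser, String str, boolean z) {
        AuthenticationContext context = ensureContext();
        if (context.session != null) {
            this.logger.info("Expired session :: id: {} reason: {} old_user: {} current_user: {}", Long.valueOf(context.session.getId()), context.session.getEndReason(), context.session.getUser(), iUser);
            invalidateSession(context.session, "Replaced by new session");
        }
        String sessionCookieValue = SEUtilities.generateId();
        AuthenticationSession created = this.persistence.createAuthenticationSession(context.iid, date, sessionCookieValue, iUser, str);
        context.session = created;
        context.tokenStore.setCookieValue(COOKIE_NAME_SESSIONID, sessionCookieValue);
        // The cookie value is the session's bearer credential: anyone who can read the log could
        // replay it. Log the persistent session id instead.
        this.logger.info("Created session :: id: {} user: {} type: {}", Long.valueOf(created.getId()), iUser, str);
        context.localAuthenticator.postCreateAuthenticationSession(created);
        if (z) {
            createClientInstance(context);
        }
        return created;
    }

    /** Always returns {@code null} in this implementation. */
    public ClientInstance createNonHttpClientInstance(String str, IUser iUser) {
        return null;
    }

    /** Returns the context's authentication session, if one has been resolved or created. */
    public Optional<AuthenticationSession> getAuthenticationSession() {
        return Optional.ofNullable(ensureContext().session);
    }

    /** Returns the context's client instance, if one has been resolved or created. */
    public Optional<ClientInstance> getContextClientInstance() {
        return Optional.ofNullable(ensureContext().clientInstance);
    }

    /**
     * @return the id of the context client instance, or {@code null} when there is none
     */
    public Long getContextClientInstanceId() {
        return getContextClientInstance().map(instance -> instance.getId()).orElse(null);
    }

    /** Delegates to the context authenticator's {@code getExternalAuthorizationUrl}. */
    public String getExternalAuthorizationUrl(Permission permission) {
        return ensureContext().localAuthenticator.getExternalAuthorizationUrl(permission);
    }

    /**
     * Creates a client instance for the context session, commits, and reports it together with
     * the session's user.
     *
     * @return a response flagged ok, carrying the new client instance and its session's user
     */
    public LoginResponse hello() {
        AuthenticationContext context = ensureContext();
        LoginResponse response = new LoginResponse();
        response.setOk(true);
        createClientInstance(context);
        Transaction.commit();
        response.setClientInstance(context.clientInstance);
        response.setUser(context.clientInstance.getAuthenticationSession().getUser());
        return response;
    }

    /**
     * Establishes the authentication state for a request: starts as the anonymous user, then
     * resolves the iid, the authentication session and (from request headers) the client
     * instance, and finally switches {@link PermissionsManager} to the session user when that
     * user is not the anonymous one.
     *
     * @param authenticationTokenStore access to the request's cookies and headers
     * @throws ExpiredClientInstanceException when the headers name a client instance whose
     *         session has expired and the expired-anonymous exemption does not apply
     */
    public void initialiseContext(AuthenticationTokenStore authenticationTokenStore) {
        AuthenticationContext context = ensureContext();
        context.tokenStore = authenticationTokenStore;
        IUser anonymousUser = (IUser) UserlandProvider.get().getAnonymousUser();
        // Default to the least-privileged identity until a session proves otherwise.
        PermissionsManager.get().setUser(anonymousUser);
        PermissionsManager.get().setLoginState(PermissionsManager.LoginState.NOT_LOGGED_IN);
        ensureIid(context);
        ensureAuthenticationSession(context);
        setupClientInstanceFromHeaders(context);
        if (context.session != null && context.session.getUser() != anonymousUser) {
            PermissionsManager.get().setUser(context.session.getUser());
            PermissionsManager.get().setLoginState(PermissionsManager.LoginState.LOGGED_IN);
        }
        if (context.clientInstance != null) {
            this.persistence.wasAccessed(context.clientInstance);
            PermissionsManager.get().setClientInstance(context.clientInstance);
        }
        Transaction.commit();
    }

    /**
     * Marks the session invalid and notifies the context authenticator.
     *
     * @param authenticationSession the session to invalidate
     * @param str                   the reason passed to {@code markInvalid}
     */
    public void invalidateSession(AuthenticationSession authenticationSession, String str) {
        authenticationSession.markInvalid(str);
        ensureContext().localAuthenticator.invalidateSession(authenticationSession);
    }

    /** Persists a client instance for the context session, recording request metadata. */
    private void createClientInstance(AuthenticationContext context) {
        AuthenticationTokenStore tokenStore = context.tokenStore;
        context.clientInstance = this.persistence.createClientInstance(context.session, tokenStore.getUserAgent(), tokenStore.getRemoteAddress(), tokenStore.getReferrer(), tokenStore.getUrl());
        context.localAuthenticator.postCreateClientInstance(context.clientInstance);
    }

    /**
     * Resolves the context session from the session cookie (or, when the client-instance
     * headers validate, from that client instance's session), and falls back to a fresh
     * anonymous session when nothing usable is found.
     */
    private void ensureAuthenticationSession(AuthenticationContext context) {
        String sessionId = context.tokenStore.getCookieValue(COOKIE_NAME_SESSIONID);
        AuthenticationSession headerSession = getUnvalidatedClientInstanceFromHeaders(context);
        if (headerSession != null) {
            // A session reached through validated client-instance headers overrides the cookie.
            sessionId = headerSession.getSessionId();
        }
        sessionId = validateClientUid(sessionId);
        // Only presence is logged: the id itself is a credential.
        this.logger.trace("Ensure session: id present: {}", Boolean.valueOf(Ax.notBlank(sessionId)));
        if (Ax.notBlank(sessionId)) {
            context.session = this.persistence.getAuthenticationSession(sessionId);
        }
        if (context.session != null && context.session.getMaxInstances() != 0 && headerSession == null && context.session.getMaxInstances() <= context.session.getClientInstances().size()) {
            this.logger.info("Ensure new session: (existing reached max instances): session id: {}", Long.valueOf(context.session.getId()));
            context.session = null;
        }
        boolean usable = context.session != null && context.session.getUser() != null;
        if (usable && isExpired(context.session)) {
            if (headerSession == null) {
                // Cookie-only request with an expired session: quietly start over.
                usable = false;
            } else {
                boolean anonymousExemption = context.session.getUser().provideIsAnonymous() && LooseContext.is(CONTEXT_ALLOW_EXPIRED_ANONYMOUS_AUTHENTICATION_SESSION);
                if (!anonymousExemption) {
                    // Called before throwing so the client-instance-expired response header is set.
                    setupClientInstanceFromHeaders(context);
                    this.logger.warn("Throwing due to rpc exception with expired session - session id: {}", Long.valueOf(context.session.getId()));
                    throw new ExpiredClientInstanceException();
                }
                this.logger.warn("Permitting expired session - anonymous/expired explicit permission - session id: {}", Long.valueOf(context.session.getId()));
            }
        }
        if (!usable) {
            createAuthenticationSession(new Date(), (IUser) UserlandProvider.get().getAnonymousUser(), "anonymous", false);
            if (context.session.getIid().getRememberMeUser_id() != null) {
                this.persistence.populateSessionUserFromRememberMeUser(context.session);
            }
            return;
        }
        IUser sessionUser = context.session.getUser();
        boolean namedAnonymous = Objects.equals(sessionUser.getUserName(), PermissionsManager.ANONYMOUS_USER_NAME);
        IUser anonymousUser = (IUser) UserlandProvider.get().getAnonymousUser();
        if (namedAnonymous && sessionUser != anonymousUser) {
            // Session user carries the anonymous name but is not the current anonymous user
            // object: replace the session with one bound to the current anonymous user.
            context.session = createAuthenticationSession(new Date(), anonymousUser, "replace-anonymous", false);
            return;
        }
        ((AuthenticationExpiration) Registry.impl(AuthenticationExpiration.class)).checkExpiration(context.session);
        this.logger.trace("Check expiration :: session {}", context.session);
        if (context.session.provideIsExpired()) {
            this.logger.info("Session expired :: session {}", context.session);
            context.session = null;
        }
    }

    /** Returns the context stored in {@link LooseContext}, creating it on first use. */
    private AuthenticationContext ensureContext() {
        return (AuthenticationContext) LooseContext.ensure(CONTEXT_AUTHENTICATION_CONTEXT, AuthenticationContext::new);
    }

    /**
     * Resolves the context iid from the iid cookie; when the cookie is absent or unknown to
     * persistence, generates a new id, sets the cookie and persists a new iid.
     */
    private void ensureIid(AuthenticationContext context) {
        String iidCookieValue = validateClientUid(context.tokenStore.getCookieValue(COOKIE_NAME_IID));
        if (Ax.notBlank(iidCookieValue)) {
            context.iid = this.persistence.getIid(iidCookieValue);
        }
        if (context.iid == null) {
            if (Ax.notBlank(iidCookieValue)) {
                // The logged value is client-supplied and did not match any stored iid.
                this.logger.warn("Invalid iid cookie :: {} {}", iidCookieValue, context.tokenStore.getRemoteAddress());
            }
            String generatedIid = SEUtilities.generateId();
            context.tokenStore.setCookieValue(COOKIE_NAME_IID, generatedIid);
            context.iid = this.persistence.createIid(generatedIid);
        }
    }

    /**
     * Returns the authentication session of the client instance named by the request headers,
     * or {@code null} when the headers do not validate, the instance is unknown, it has no
     * session, or any exception occurs. No expiry check is made here.
     */
    private AuthenticationSession getUnvalidatedClientInstanceFromHeaders(AuthenticationContext context) {
        try {
            String clientInstanceId = validateClientUid(getValidatedHeaderId(context));
            if (!Ax.matches(clientInstanceId, "\\d+")) {
                return null;
            }
            ClientInstance clientInstance = this.persistence.getClientInstance(Long.parseLong(clientInstanceId));
            if (clientInstance == null) {
                return null;
            }
            return clientInstance.getAuthenticationSession();
        } catch (Exception e) {
            // Fail closed, but through the logger rather than stderr so the failure is
            // captured alongside the other authentication events.
            this.logger.warn("Exception resolving authentication session from client instance headers", e);
            return null;
        }
    }

    /**
     * Reports whether the session is expired. Always {@code false} when the
     * {@code sessionExpirationEnabled} configuration key is off. An expired session without an
     * end time is stamped with one, and with the end reason "Access not permitted".
     */
    private boolean isExpired(AuthenticationSession authenticationSession) {
        if (!Configuration.is("sessionExpirationEnabled")) {
            return false;
        }
        ensureContext().localAuthenticator.checkExternalExpiration(authenticationSession);
        boolean expired = authenticationSession.provideIsExpired();
        if (expired && authenticationSession.getEndTime() == null) {
            this.logger.warn("Marking authentication session as ended (login disabled?) - {} {}", authenticationSession, authenticationSession.getUser());
            authenticationSession.setEndTime(new Date());
            authenticationSession.setEndReason("Access not permitted");
        }
        return expired;
    }

    /**
     * Sets the context client instance from the request headers when they validate and the
     * instance's session is not expired; otherwise adds the client-instance-expired response
     * header. Any exception clears the context client instance.
     */
    private void setupClientInstanceFromHeaders(AuthenticationContext context) {
        try {
            String clientInstanceId = validateClientUid(getValidatedHeaderId(context));
            if (!Ax.matches(clientInstanceId, "\\d+")) {
                return;
            }
            ClientInstance clientInstance = this.persistence.getClientInstance(Long.parseLong(clientInstanceId));
            if (clientInstance == null) {
                return;
            }
            AuthenticationSession instanceSession = clientInstance.getAuthenticationSession();
            if (instanceSession == null) {
                this.persistence.putSession(clientInstance, context.session);
            }
            // NOTE(review): instanceSession is not re-read after putSession, so a null reaches
            // isExpired here. With expiration enabled that dereferences null and lands in the
            // catch below (client instance cleared) - confirm this is the intended outcome.
            if (isExpired(instanceSession)) {
                context.tokenStore.addHeader(AlcinaRpcRequestBuilder.RESPONSE_HEADER_CLIENT_INSTANCE_EXPIRED, clientInstanceId);
                this.logger.warn("Sending client instance expired:  - {} {} {}", clientInstance, instanceSession, instanceSession.getUser());
            } else {
                context.clientInstance = clientInstance;
            }
        } catch (Exception e) {
            // Fail closed: no client instance is attached to the request.
            this.logger.warn("Exception setting up client instance from headers", e);
            context.clientInstance = null;
        }
    }

    /**
     * Rejects client-supplied ids in the {@code server:} namespace.
     *
     * @return {@code null} when the value matches {@code server:.+}, otherwise the value unchanged
     */
    private String validateClientUid(String str) {
        if (Ax.matches(str, "server:.+")) {
            return null;
        }
        return str;
    }

    /**
     * Returns the client-instance id header value when it is numeric, names a known client
     * instance, and the auth header equals that instance's stored auth value; otherwise
     * {@code null}.
     *
     * <p>Both headers are only checked against {@code \d+}, so a digit string too long for
     * {@code long}/{@code int} makes the parse calls throw {@link NumberFormatException}; the
     * callers in this class catch it and treat the request as carrying no client instance.
     */
    String getValidatedHeaderId(AuthenticationContext authenticationContext) {
        String instanceIdHeader = authenticationContext.tokenStore.getHeaderValue(AlcinaRpcRequestBuilder.REQUEST_HEADER_CLIENT_INSTANCE_ID_KEY);
        String authHeader = authenticationContext.tokenStore.getHeaderValue(AlcinaRpcRequestBuilder.REQUEST_HEADER_CLIENT_INSTANCE_AUTH_KEY);
        if (!Ax.matches(instanceIdHeader, "\\d+") || !Ax.matches(authHeader, "\\d+")) {
            return null;
        }
        ClientInstance clientInstance = this.persistence.getClientInstance(Long.parseLong(instanceIdHeader));
        if (clientInstance != null && clientInstance.getAuth().intValue() == Integer.parseInt(authHeader)) {
            return instanceIdHeader;
        }
        return null;
    }
}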
