package org.forgerock.openam.authentication.modules.persistentcookie;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.security.EncodeAction;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.sm.SMSException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.login.LoginException;
import javax.security.auth.message.MessageInfo;
import org.apache.commons.lang.StringUtils;
import org.forgerock.json.jose.jwt.Jwt;
import org.forgerock.openam.authentication.modules.common.JaspiAuthLoginModule;
import org.forgerock.openam.core.CoreWrapper;
import org.forgerock.openam.utils.ClientUtils;

/* loaded from: input_file:org/forgerock/openam/authentication/modules/persistentcookie/PersistentCookieAuthModule.class */
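/**
 * Authentication module that authenticates a user from a persistent JWT session cookie.
 *
 * <p>The module reads its settings in {@link #generateConfig}, publishes them as user session
 * properties in {@link #process(Callback[], int)} so that the cookie can be issued later, and
 * validates an incoming cookie in {@link #process(MessageInfo, Subject, Callback[])}. When a
 * repository field is configured, each issued cookie is additionally tracked in that user
 * attribute and is consumed (removed) on use, so a cookie can only be redeemed once.
 *
 * <p>Not thread-safe: configuration and the authenticated principal are stored in instance
 * fields, which matches the one-instance-per-login lifecycle of {@code JaspiAuthLoginModule}
 * (assumed from the base class; not visible here).
 */
public class PersistentCookieAuthModule extends JaspiAuthLoginModule {
    private static final Debug DEBUG = Debug.getInstance(PersistentCookieModuleWrapper.AUTH_RESOURCE_BUNDLE_NAME);
    private static final int MINUTES_IN_HOUR = 60;
    private static final String COOKIE_IDLE_TIMEOUT_SETTING_KEY = "openam-auth-persistent-cookie-idle-time";
    private static final String COOKIE_MAX_LIFE_SETTING_KEY = "openam-auth-persistent-cookie-max-life";
    private static final String UI_FIELD_SETTING_KEY = "openam-auth-persistent-cookie-input";
    private static final String REPO_FIELD_SETTING_KEY = "openam-auth-persistent-cookie-field";
    private static final String MAX_TOKENS_SETTING_KEY = "openam-auth-persistent-cookie-field-max";
    private static final String DEFAULT_MAX_TOKENS = "5";
    private static final String JASPI_CONTEXT_CLAIM_KEY = "org.forgerock.authentication.context";
    // Same message for every failure of the stored-token check so the response does not reveal
    // whether the user, the attribute or the token was the part that did not match.
    private static final String TOKEN_EXPIRED_MESSAGE = "Token expired";

    private final CoreWrapper coreWrapper;
    private final PersistentCookieModuleWrapper persistentCookieModuleWrapper;

    // Configuration captured by generateConfig(); both lifetimes are stored in minutes.
    private Integer tokenIdleTime;
    private Integer maxTokenLife;
    private boolean enforceClientIP;
    private boolean secureCookie;
    private boolean httpOnlyCookie;
    private String cookieName;
    private Collection<String> cookieDomains;
    // HMAC key as returned by EncodeAction; this encoded form is what goes into the session property.
    private String encryptedHmacKey;
    // Name of the request parameter that signals a "remember me" request (may be null).
    private String uiField;
    // Name of the user attribute that tracks issued tokens; when blank, tokens are not tracked.
    private String repoField;
    private Integer maxTokens;
    // Principal for the user named in the validated cookie; null until process() succeeds.
    private Principal principal;

    /** Creates the module with production collaborators. */
    public PersistentCookieAuthModule() {
        this(new CoreWrapper(), new PersistentCookieModuleWrapper());
    }

    /**
     * Creates the module with injected collaborators (used for testing).
     *
     * @param coreWrapper                  provides the cookie domains for the current request
     * @param persistentCookieModuleWrapper validates and issues the JWT session cookie
     */
    public PersistentCookieAuthModule(CoreWrapper coreWrapper, PersistentCookieModuleWrapper persistentCookieModuleWrapper) {
        super(PersistentCookieModuleWrapper.AUTH_RESOURCE_BUNDLE_NAME, persistentCookieModuleWrapper);
        this.coreWrapper = coreWrapper;
        this.persistentCookieModuleWrapper = persistentCookieModuleWrapper;
    }

    /**
     * Reads the module's service settings into instance fields and builds the configuration
     * for the underlying JASPI module.
     *
     * <p>Idle timeout and max life are configured in hours and stored in minutes. Secure and
     * HttpOnly cookie flags default to {@code true}; client-IP enforcement defaults to
     * {@code false}.
     *
     * @param subject     unused here
     * @param sharedState unused here
     * @param options     the module's service settings
     * @return the JASPI module configuration, or {@code null} if it could not be generated
     *         (the failure is logged)
     * @throws NumberFormatException if a numeric setting is present but not an integer
     */
    protected Map<String, Object> generateConfig(Subject subject, Map sharedState, Map options) {
        tokenIdleTime = Integer.valueOf(
                readIntSetting(options, COOKIE_IDLE_TIMEOUT_SETTING_KEY, "0", "Cookie Idle Timeout") * MINUTES_IN_HOUR);
        maxTokenLife = Integer.valueOf(
                readIntSetting(options, COOKIE_MAX_LIFE_SETTING_KEY, "0", "Cookie Max Life") * MINUTES_IN_HOUR);
        enforceClientIP = CollectionHelper.getBooleanMapAttr(options, PersistentCookieModuleWrapper.ENFORCE_CLIENT_IP_SETTING_KEY, false);
        secureCookie = CollectionHelper.getBooleanMapAttr(options, PersistentCookieModuleWrapper.SECURE_COOKIE_KEY, true);
        httpOnlyCookie = CollectionHelper.getBooleanMapAttr(options, PersistentCookieModuleWrapper.HTTP_ONLY_COOKIE_KEY, true);
        cookieName = CollectionHelper.getMapAttr(options, PersistentCookieModuleWrapper.COOKIE_NAME_KEY);
        cookieDomains = coreWrapper.getCookieDomainsForRequest(getHttpServletRequest());
        uiField = CollectionHelper.getMapAttr(options, UI_FIELD_SETTING_KEY);
        repoField = CollectionHelper.getMapAttr(options, REPO_FIELD_SETTING_KEY);
        maxTokens = Integer.valueOf(readIntSetting(options, MAX_TOKENS_SETTING_KEY, DEFAULT_MAX_TOKENS, "MaxTokens"));

        String hmacKey = CollectionHelper.getMapAttr(options, PersistentCookieModuleWrapper.HMAC_KEY);
        // The raw key is handed to the wrapper; only the encoded form is kept on this instance.
        encryptedHmacKey = (String) AccessController.doPrivileged((PrivilegedAction) new EncodeAction(hmacKey));
        try {
            return persistentCookieModuleWrapper.generateConfig(tokenIdleTime.toString(), maxTokenLife.toString(),
                    enforceClientIP, getRequestOrg(), secureCookie, httpOnlyCookie, cookieName, cookieDomains, hmacKey);
        } catch (SMSException e) {
            DEBUG.error("Error initialising Authentication Module", e);
            return null;
        } catch (SSOException e) {
            DEBUG.error("Error initialising Authentication Module", e);
            return null;
        }
    }

    /**
     * Reads an integer setting, falling back to {@code defaultValue} (with a warning) when unset.
     *
     * @param options      the module's service settings
     * @param key          the setting key
     * @param defaultValue value used when the setting is missing or empty
     * @param label        human-readable name used in the warning
     * @return the parsed value
     * @throws NumberFormatException if the value is present but not an integer
     */
    private static int readIntSetting(Map options, String key, String defaultValue, String label) {
        String value = CollectionHelper.getMapAttr(options, key);
        if (StringUtils.isEmpty(value)) {
            DEBUG.warning(label + " not set. Defaulting to " + defaultValue);
            value = defaultValue;
        }
        return Integer.parseInt(value);
    }

    /**
     * Login state machine entry point: publishes the cookie settings as session properties and
     * then validates the persistent cookie on the current request.
     *
     * @param callbacks the callbacks for this state (passed through to the JASPI processing)
     * @param state     the login state; only state 1 (the initial state) is accepted
     * @return -1, which OpenAM treats as a successful login
     * @throws AuthLoginException with code {@code incorrectState} for any other state, or
     *                            {@code cookieNotValid} if the cookie was rejected
     * @throws LoginException     propagated from the JASPI processing
     */
    public int process(Callback[] callbacks, int state) throws LoginException {
        if (state != 1) {
            throw new AuthLoginException(PersistentCookieModuleWrapper.AUTH_RESOURCE_BUNDLE_NAME, "incorrectState", (Object[]) null);
        }
        publishCookieSettings();
        MessageInfo messageInfo = persistentCookieModuleWrapper.prepareMessageInfo(getHttpServletRequest(), getHttpServletResponse());
        if (!process(messageInfo, new Subject(), callbacks)) {
            throw new AuthLoginException(PersistentCookieModuleWrapper.AUTH_RESOURCE_BUNDLE_NAME, "cookieNotValid", (Object[]) null);
        }
        if (principal != null) {
            setAuthenticatingUserName(principal.getName());
        }
        return -1;
    }

    /**
     * Copies the cookie configuration into user session properties so that the cookie can be
     * issued with the same settings after authentication.
     *
     * @throws AuthLoginException if a session property cannot be set
     */
    private void publishCookieSettings() throws AuthLoginException {
        setUserSessionProperty("tokenIdleTimeMinutes", tokenIdleTime.toString());
        setUserSessionProperty("maxTokenLifeMinutes", maxTokenLife.toString());
        setUserSessionProperty(PersistentCookieModuleWrapper.ENFORCE_CLIENT_IP_SETTING_KEY, Boolean.toString(enforceClientIP));
        setUserSessionProperty(PersistentCookieModuleWrapper.SECURE_COOKIE_KEY, Boolean.toString(secureCookie));
        setUserSessionProperty(PersistentCookieModuleWrapper.HTTP_ONLY_COOKIE_KEY, Boolean.toString(httpOnlyCookie));
        if (cookieName != null) {
            setUserSessionProperty(PersistentCookieModuleWrapper.COOKIE_NAME_KEY, cookieName);
        }
        setUserSessionProperty(PersistentCookieModuleWrapper.COOKIE_DOMAINS_KEY, joinCookieDomains());
        setUserSessionProperty(PersistentCookieModuleWrapper.HMAC_KEY, encryptedHmacKey);
        if (StringUtils.isNotBlank(repoField)) {
            setUserSessionProperty("openam.field.repo", repoField);
            setUserSessionProperty("openam.field.repo.max", maxTokens == null ? "1" : maxTokens.toString());
        }
    }

    /**
     * Joins the cookie domains as {@code "a,b,"} (each domain followed by a comma).
     *
     * @return the joined domains, or {@code ""} when there are none
     */
    private String joinCookieDomains() {
        // The trailing-comma format is what the consumer of COOKIE_DOMAINS_KEY expects — kept
        // as the original produced it; TODO confirm against the reader of this property.
        StringBuilder joined = new StringBuilder();
        if (cookieDomains != null) {
            for (String domain : cookieDomains) {
                joined.append(domain).append(',');
            }
        }
        return joined.toString();
    }

    /**
     * Validates the persistent cookie on the request and, on success, records the principal.
     *
     * <p>Checks performed, in order: the JWT cookie validates; it carries the JASPI context
     * claim; the realm in the claim equals the realm of this request; if enabled, the client IP
     * in the claim equals the requesting client's IP; and, when a repository field is
     * configured, the cookie's session id is still present in the user's stored tokens (it is
     * removed as part of the check, so the cookie cannot be replayed).
     *
     * @param messageInfo the request/response pair prepared for the JASPI module
     * @param subject     unused here
     * @param callbacks   unused here
     * @return {@code true} when the cookie was accepted (failures are reported by exception)
     * @throws AuthLoginException if any of the checks above fails
     * @throws LoginException     declared for compatibility with the base class
     */
    protected boolean process(MessageInfo messageInfo, Subject subject, Callback[] callbacks) throws LoginException {
        Jwt jwt = persistentCookieModuleWrapper.validateJwtSessionCookie(messageInfo);
        if (jwt == null) {
            // No valid cookie: note whether the login form asked for one, so it can be issued later.
            recordRememberMeRequest();
            throw new AuthLoginException(PersistentCookieModuleWrapper.AUTH_RESOURCE_BUNDLE_NAME, "cookieNotValid", (Object[]) null);
        }
        Map context = (Map) jwt.getClaimsSet().getClaim(JASPI_CONTEXT_CLAIM_KEY, Map.class);
        if (context == null) {
            throw new AuthLoginException(PersistentCookieModuleWrapper.AUTH_RESOURCE_BUNDLE_NAME, "jaspiContextNotFound", (Object[]) null);
        }
        // A cookie issued for one realm must not authenticate in another.
        if (!getRequestOrg().equals((String) context.get(PersistentCookieModuleWrapper.OPENAM_REALM_CLAIM_KEY))) {
            throw new AuthLoginException(PersistentCookieModuleWrapper.AUTH_RESOURCE_BUNDLE_NAME, "authFailedDiffRealm", (Object[]) null);
        }
        if (enforceClientIP) {
            enforceClientIP((String) context.get(PersistentCookieModuleWrapper.OPENAM_CLIENT_IP_CLAIM_KEY));
        }
        final String userName = (String) context.get(PersistentCookieModuleWrapper.OPENAM_USER_CLAIM_KEY);
        principal = new Principal() {
            @Override
            public String getName() {
                return userName;
            }
        };
        if (StringUtils.isBlank(repoField)) {
            setUserSessionProperty("jwtValidated", Boolean.TRUE.toString());
            return true;
        }
        consumeStoredToken(userName, context.get(PersistentCookieModuleWrapper.OPENAM_SESSION_ID_CLAIM_KEY));
        return true;
    }

    /**
     * Records a "remember me" request on the session when the configured UI field was POSTed.
     *
     * @throws AuthLoginException if a session property cannot be set
     */
    private void recordRememberMeRequest() throws AuthLoginException {
        if (StringUtils.isBlank(uiField)) {
            return;
        }
        setUserSessionProperty("openam.field.ui", uiField);
        javax.servlet.http.HttpServletRequest request = getHttpServletRequest();
        if (StringUtils.equalsIgnoreCase("POST", request.getMethod()) && request.getParameter(uiField) != null) {
            setUserSessionProperty("remember.check", "1");
        }
    }

    /**
     * Removes the cookie's session id from the user's stored tokens and persists the change.
     *
     * <p>Fails closed: a missing attribute, a session id that is not stored, or any error
     * talking to the identity repository all reject the login with the same message. The
     * underlying cause is logged rather than discarded so operators can tell the cases apart.
     *
     * @param userName  the user named in the cookie
     * @param sessionId the session id claim from the cookie
     * @throws AuthLoginException if the token is not present or the repository update fails
     */
    private void consumeStoredToken(String userName, Object sessionId) throws AuthLoginException {
        AMIdentity identity;
        Set<String> storedTokens;
        try {
            SSOToken adminToken = (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
            identity = IdUtils.getIdentity(adminToken, userName, getRequestOrg());
            storedTokens = identity.getAttribute(repoField);
        } catch (Exception e) {
            // Broad catch kept from the original so any repository problem fails closed.
            DEBUG.warning("Unable to read persistent cookie tokens for user: " + userName, e);
            throw new AuthLoginException(TOKEN_EXPIRED_MESSAGE, e);
        }
        if (storedTokens == null || !storedTokens.remove(sessionId)) {
            DEBUG.message("Persistent cookie session id not found in stored tokens for user: " + userName);
            throw new AuthLoginException(TOKEN_EXPIRED_MESSAGE);
        }
        try {
            Map<String, Set<String>> update = new HashMap<String, Set<String>>(1);
            update.put(repoField, storedTokens);
            identity.setAttributes(update);
            identity.store();
        } catch (Exception e) {
            DEBUG.warning("Unable to store persistent cookie tokens for user: " + userName, e);
            throw new AuthLoginException(TOKEN_EXPIRED_MESSAGE, e);
        }
    }

    /**
     * Rejects the login unless the client IP recorded in the cookie equals the requesting
     * client's IP.
     *
     * <p>All three failure cases (no IP in the cookie, no IP on the request, mismatch) use the
     * same error code, so the response does not reveal which one applied; the details go to
     * the debug log only.
     *
     * @param cookieClientIP the client IP claim from the cookie (may be null or empty)
     * @throws AuthLoginException with code {@code authFailedClientIPDifferent} on any failure
     */
    private void enforceClientIP(String cookieClientIP) throws AuthLoginException {
        String requestClientIP = ClientUtils.getClientIPAddress(getHttpServletRequest());
        String reason = null;
        if (cookieClientIP == null || cookieClientIP.isEmpty()) {
            reason = "Client IP not stored when persistent cookie was issued.";
        } else if (requestClientIP == null || requestClientIP.isEmpty()) {
            reason = "Client IP could not be retrieved from request.";
        } else if (!cookieClientIP.equals(requestClientIP)) {
            reason = "Client IP not the same, original: " + cookieClientIP + ", request: " + requestClientIP;
        }
        if (reason != null) {
            DEBUG.message(reason);
            throw new AuthLoginException(PersistentCookieModuleWrapper.AUTH_RESOURCE_BUNDLE_NAME, "authFailedClientIPDifferent", (Object[]) null);
        }
    }

    /**
     * Returns the principal of the user authenticated by the cookie.
     *
     * @return the principal, or {@code null} if no cookie has been validated
     */
    public Principal getPrincipal() {
        return principal;
    }
}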
