package com.ibm.ws.security.javaeesec.cdi.beans;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.javaeesec.properties.ModulePropertiesProvider;
import java.lang.annotation.Annotation;
import java.util.Map;
import java.util.Properties;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Default;
import javax.enterprise.inject.Instance;
import javax.enterprise.inject.spi.CDI;
import javax.security.auth.Subject;
import javax.security.enterprise.AuthenticationException;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.AuthenticationParameters;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.BasicAuthenticationCredential;
import javax.security.enterprise.credential.Credential;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

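/**
 * HTTP Basic authentication mechanism ({@link HttpAuthenticationMechanism}).
 *
 * <p>Flow per request: an already-authenticated request (user principal present) is
 * accepted as-is; a credential supplied through {@link AuthenticationParameters} is
 * handed to {@link Utils#handleAuthenticate}; otherwise the {@code Authorization}
 * header is parsed and, when it carries a well-formed Basic token, validated through
 * {@link Utils#validateUserAndPassword}. A missing header on a protected resource
 * produces a {@code 401} with a {@code WWW-Authenticate: Basic} challenge.
 *
 * <p>Thread-safety: this bean is {@code @ApplicationScoped}, yet {@link #setRealmName()}
 * rewrites the instance fields {@code mpp} and {@code realmName} on every request without
 * synchronization. NOTE(review): if one instance can serve modules with different realm
 * settings, concurrent requests could observe each other's realm — confirm against the
 * CDI wiring.
 *
 * <p>The raw and decoded contents of the {@code Authorization} header are credentials;
 * they are marked {@code @Sensitive} and must not be logged or passed to FFDC verbatim.
 */
@Default
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@ApplicationScoped
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/javaeesec/cdi/beans/BasicHttpAuthenticationMechanism.class */
public class BasicHttpAuthenticationMechanism implements HttpAuthenticationMechanism {
    /** Scheme prefix, including the single separating space, as matched on the header value. */
    private static final String BASIC_SCHEME_PREFIX = "Basic ";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";
    /** Key of the realm entry in the module's auth-mechanism properties. */
    private static final String REALM_PROPERTY = "realmName";
    /** MessageInfo map keys consumed further down the container's login path. */
    private static final String REALM_MAP_KEY = "com.ibm.wsspi.security.cred.realm";
    private static final String AUTH_TYPE_KEY = "javax.servlet.http.authType";
    private static final String REGISTER_SESSION_KEY = "javax.servlet.http.registerSession";
    private static final String BASIC_AUTH_TYPE = "BASIC";

    /** Source of the module's auth-mechanism properties; re-resolved on each request (see {@link #setRealmName()}). */
    ModulePropertiesProvider mpp;
    private static final TraceComponent tc = Tr.register(BasicHttpAuthenticationMechanism.class, "security", "com.ibm.ws.security.javaeesec.cdi.internal.resources.JavaEESecMessages");
    /** Realm advertised in the challenge and passed to the validation helpers; {@code ""} until configured. */
    private String realmName;
    private final Utils utils;
    static final long serialVersionUID = -2039149947710141941L;

    /** CDI-managed constructor: no provider yet, empty realm, default helper. */
    public BasicHttpAuthenticationMechanism() {
        this(new Utils());
    }

    /**
     * Constructor that accepts the helper used for credential validation
     * (presumably for unit tests that stub {@link Utils}).
     *
     * @param utils helper performing the actual authentication calls
     */
    protected BasicHttpAuthenticationMechanism(Utils utils) {
        this.mpp = null;
        this.realmName = "";
        this.utils = utils;
    }

    /**
     * Authenticates the current request.
     *
     * @param httpServletRequest  unused; the request is taken from {@code httpMessageContext}
     * @param httpServletResponse unused; the response is taken from {@code httpMessageContext}
     * @param httpMessageContext  JSR 375 message context for this request
     * @return {@code SUCCESS} for an already-authenticated request or valid credentials,
     *         {@code SEND_CONTINUE} when a challenge was issued, {@code NOT_DONE} when the
     *         resource is unprotected and no credentials were sent, {@code SEND_FAILURE} otherwise
     * @throws AuthenticationException propagated from the validation helpers
     */
    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMessageContext httpMessageContext) throws AuthenticationException {
        // A request that already carries a user principal is treated as authenticated.
        if (httpMessageContext.getRequest().getUserPrincipal() != null) {
            httpMessageContext.getResponse().setStatus(HttpServletResponse.SC_OK);
            return AuthenticationStatus.SUCCESS;
        }
        setRealmName();
        Subject clientSubject = httpMessageContext.getClientSubject();
        AuthenticationParameters authParameters = httpMessageContext.getAuthParameters();
        if (tc.isDebugEnabled()) {
            // NOTE(review): relies on AuthenticationParameters.toString() not rendering the credential — confirm.
            Tr.debug(tc, "AuthenticationParameters : " + authParameters, new Object[0]);
        }
        Credential credential = authParameters == null ? null : authParameters.getCredential();
        if (credential != null) {
            // A credential passed programmatically takes precedence over the Authorization header.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Credential is found.", new Object[0]);
            }
            return this.utils.handleAuthenticate(getCDI(), this.realmName, credential, clientSubject, httpMessageContext);
        }
        String header = httpMessageContext.getRequest().getHeader(AUTHORIZATION_HEADER);
        if (header == null) {
            return handleNoAuthorizationHeader(httpMessageContext);
        }
        return handleAuthorizationHeader(header, clientSubject, httpMessageContext);
    }

    /**
     * Refreshes {@code mpp} and {@code realmName} from the module's auth-mechanism properties.
     * Leaves both fields untouched when no provider or no properties are available.
     */
    private void setRealmName() {
        this.mpp = getModulePropertiesProvider();
        if (this.mpp == null) {
            return;
        }
        Properties authMechProperties = this.mpp.getAuthMechProperties(BasicHttpAuthenticationMechanism.class);
        if (authMechProperties == null) {
            return;
        }
        // NOTE(review): an absent "realmName" property leaves realmName null, which would
        // then be rendered as realm="null" in the challenge — confirm the intended default.
        this.realmName = (String) authMechProperties.get(REALM_PROPERTY);
    }

    /**
     * Handles a request without an {@code Authorization} header: challenge when the
     * resource is protected or authentication was explicitly requested, otherwise let the
     * request through unauthenticated.
     *
     * @param httpMessageContext message context for this request
     * @return {@code SEND_CONTINUE} after issuing a challenge, else {@code NOT_DONE}
     */
    private AuthenticationStatus handleNoAuthorizationHeader(HttpMessageContext httpMessageContext) {
        if (httpMessageContext.isAuthenticationRequest() || httpMessageContext.isProtected()) {
            return setChallengeAuthorizationHeader(httpMessageContext);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "both isAuthenticationRequest and isProtected returns false. returing NOT_DONE,", new Object[0]);
        }
        return AuthenticationStatus.NOT_DONE;
    }

    /**
     * Writes a {@code 401} Basic challenge for the configured realm and records the realm
     * in the MessageInfo map.
     *
     * @param httpMessageContext message context for this request
     * @return {@code SEND_CONTINUE}
     */
    private AuthenticationStatus setChallengeAuthorizationHeader(HttpMessageContext httpMessageContext) {
        HttpServletResponse response = httpMessageContext.getResponse();
        response.setHeader(WWW_AUTHENTICATE_HEADER, "Basic realm=\"" + this.realmName + "\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        httpMessageContext.getMessageInfo().getMap().put(REALM_MAP_KEY, this.realmName);
        return AuthenticationStatus.SEND_CONTINUE;
    }

    /**
     * Validates the credentials carried by an {@code Authorization} header.
     *
     * <p>The header is accepted only when it starts with {@code "Basic "} and the token
     * base64-decodes to {@code user:password} with both parts non-empty. A malformed or
     * rejected header yields {@code SEND_FAILURE} with HTTP {@code 401}; note that this
     * path does not add a {@code WWW-Authenticate} challenge (only
     * {@link #handleNoAuthorizationHeader} does).
     *
     * @param header             raw header value (credential material — never log)
     * @param subject            client subject to populate on success
     * @param httpMessageContext message context for this request
     * @return status returned by {@link Utils#validateUserAndPassword}, or {@code SEND_FAILURE}
     *         when the header is malformed
     * @throws AuthenticationException propagated from the validation helper
     */
    private AuthenticationStatus handleAuthorizationHeader(@Sensitive String header, Subject subject, HttpMessageContext httpMessageContext) throws AuthenticationException {
        AuthenticationStatus status = AuthenticationStatus.SEND_FAILURE;
        int httpStatus = HttpServletResponse.SC_UNAUTHORIZED;
        // The scheme match is case-sensitive; RFC 7617 treats the auth-scheme token
        // case-insensitively. Kept as-is to preserve existing behavior.
        if (header.startsWith(BASIC_SCHEME_PREFIX)) {
            String encodedToken = header.substring(BASIC_SCHEME_PREFIX.length());
            if (isAuthorizationHeaderValid(decodeCookieString(encodedToken))) {
                status = this.utils.validateUserAndPassword(getCDI(), this.realmName, subject, new BasicAuthenticationCredential(encodedToken), httpMessageContext);
                if (status == AuthenticationStatus.SUCCESS) {
                    @SuppressWarnings("unchecked") // MessageInfo.getMap() is declared raw
                    Map<String, Object> map = httpMessageContext.getMessageInfo().getMap();
                    map.put(AUTH_TYPE_KEY, BASIC_AUTH_TYPE);
                    map.put(REGISTER_SESSION_KEY, Boolean.TRUE.toString());
                    httpStatus = HttpServletResponse.SC_OK;
                } else if (status == AuthenticationStatus.NOT_DONE) {
                    httpStatus = HttpServletResponse.SC_OK;
                }
            }
        }
        httpMessageContext.getResponse().setStatus(httpStatus);
        return status;
    }

    /**
     * Base64-decodes the Basic token; any decoding failure is recorded via FFDC and
     * mapped to {@code null} so that the caller treats the header as invalid.
     *
     * @param str base64 token from the header (credential material)
     * @return decoded {@code user:password} text, or {@code null} if decoding failed
     */
    @Sensitive
    private String decodeCookieString(@Sensitive String str) {
        try {
            return Base64Coder.base64Decode(str);
        } catch (Exception e) {
            // Best-effort: a bad token is an auth failure, not an error. The FFDC record
            // deliberately carries a placeholder instead of the sensitive input.
            FFDCFilter.processException(e, "com.ibm.ws.security.javaeesec.cdi.beans.BasicHttpAuthenticationMechanism", "166", this, new Object[]{"<sensitive java.lang.String>"});
            return null;
        }
    }

    /**
     * Checks that decoded credentials have the form {@code user:password} with a
     * non-empty user id and a non-empty password (empty passwords are rejected).
     *
     * @param decoded decoded header text, may be {@code null}
     * @return {@code true} when the first {@code ':'} is neither first nor last
     */
    private boolean isAuthorizationHeaderValid(@Sensitive String decoded) {
        if (decoded == null || decoded.isEmpty()) {
            return false;
        }
        int separator = decoded.indexOf(':');
        return separator > 0 && separator < decoded.length() - 1;
    }

    /**
     * Returns the current CDI container, or {@code null} when none is active
     * (the {@link IllegalStateException} is intentionally not reported to FFDC).
     *
     * @return the CDI container or {@code null}
     */
    @FFDCIgnore({IllegalStateException.class})
    protected CDI getCDI() {
        try {
            return CDI.current();
        } catch (IllegalStateException e) {
            return null;
        }
    }

    /**
     * Resolves the {@link ModulePropertiesProvider} bean through CDI.
     *
     * @return the provider, or {@code null} when no CDI container is active or no
     *         {@code Instance} could be obtained
     */
    protected ModulePropertiesProvider getModulePropertiesProvider() {
        CDI cdi = getCDI();
        if (cdi == null) {
            // getCDI() returns null outside a CDI container; previously this dereference NPE'd.
            return null;
        }
        @SuppressWarnings("unchecked") // getCDI() exposes the raw CDI handle
        Instance<ModulePropertiesProvider> select = cdi.select(ModulePropertiesProvider.class, new Annotation[0]);
        if (select != null) {
            // NOTE(review): Instance.get() throws for unsatisfied/ambiguous resolutions — not handled here.
            return select.get();
        }
        return null;
    }

    /**
     * Overrides the provider resolved from CDI (used by subclasses/tests).
     *
     * @param modulePropertiesProvider provider to use on subsequent calls
     */
    protected void setMPP(ModulePropertiesProvider modulePropertiesProvider) {
        this.mpp = modulePropertiesProvider;
    }
}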
