package org.eclipse.kura.internal.rest.auth;

import java.security.Principal;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Priority;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.container.ContainerRequestContext;
import org.eclipse.kura.audit.AuditConstants;
import org.eclipse.kura.audit.AuditContext;
import org.eclipse.kura.internal.rest.provider.RestServiceOptions;
import org.eclipse.kura.rest.auth.AuthenticationProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

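/**
 * {@link AuthenticationProvider} that authenticates REST requests against an existing HTTP session.
 * <p>
 * A request is accepted only when every check below passes, in this order: an HTTP session exists,
 * the session carries a principal, the XSRF token is valid (skipped for paths in
 * {@code allowNoXsrfTokenPaths}), the session has not exceeded the configured inactivity interval,
 * the session is not locked (skipped for paths in {@code lockedSessionAllowedPaths}), and the user's
 * credentials have not changed since the session was established. Expired sessions and sessions whose
 * credentials changed are invalidated. Every failure and the final success are written to the audit
 * logger together with the audit context, which carries a hash of the session id and the identity.
 * <p>
 * The inactivity interval is taken from the {@link RestServiceOptions} supplied through
 * {@link #setOptions(RestServiceOptions)}; until options are set, authentication fails closed.
 */
@Priority(300)
public class SessionAuthProvider implements AuthenticationProvider {

    private static final Logger auditLogger = LoggerFactory.getLogger("AuditLogger");

    /** Audit-context property holding the hashed session identifier. */
    private static final String SESSION_ID_PROPERTY = "session.id";

    private final RestSessionHelper sessionHelper;
    // Replaced through setOptions() while authenticate() keeps reading it; presumably those run on
    // different threads (configuration update vs. request handling), hence volatile — confirm.
    private volatile RestServiceOptions restServiceOptions;
    private final Set<String> lockedSessionAllowedPaths;
    private final Set<String> allowNoXsrfTokenPaths;

    /**
     * Creates a provider backed by the given session helper.
     *
     * @param restSessionHelper helper used to look up and validate the HTTP session
     * @param lockedSessionAllowedPaths request paths (in the form {@code /a/b}, see
     *        {@link #requestPath(ContainerRequestContext)}) that are still served while the session is locked
     * @param allowNoXsrfTokenPaths request paths (same form) exempt from the XSRF token check
     * @throws NullPointerException if any argument is {@code null}
     */
    public SessionAuthProvider(RestSessionHelper restSessionHelper, Set<String> lockedSessionAllowedPaths,
            Set<String> allowNoXsrfTokenPaths) {
        this.sessionHelper = Objects.requireNonNull(restSessionHelper, "restSessionHelper");
        this.lockedSessionAllowedPaths = Objects.requireNonNull(lockedSessionAllowedPaths, "lockedSessionAllowedPaths");
        this.allowNoXsrfTokenPaths = Objects.requireNonNull(allowNoXsrfTokenPaths, "allowNoXsrfTokenPaths");
    }

    @Override // org.eclipse.kura.rest.auth.AuthenticationProvider
    public void onEnabled() {
        // Nothing to set up: all state is injected through the constructor and setOptions().
    }

    @Override // org.eclipse.kura.rest.auth.AuthenticationProvider
    public void onDisabled() {
        // Nothing to tear down.
    }

    /**
     * Supplies (or replaces) the REST service options, from which the session inactivity interval is read.
     *
     * @param restServiceOptions the current options; may be {@code null}, in which case authentication
     *        fails closed until non-null options are provided
     */
    public void setOptions(RestServiceOptions restServiceOptions) {
        this.restServiceOptions = restServiceOptions;
    }

    /**
     * Authenticates the request via its HTTP session.
     *
     * @param httpServletRequest the servlet request carrying the session cookie and XSRF token
     * @param containerRequestContext the JAX-RS request context, used to resolve the request path
     * @return the session's principal when all checks pass, otherwise {@link Optional#empty()}
     */
    @Override // org.eclipse.kura.rest.auth.AuthenticationProvider
    public Optional<Principal> authenticate(HttpServletRequest httpServletRequest,
            ContainerRequestContext containerRequestContext) {
        final AuditContext auditContext = AuditContext.currentOrInternal();

        final Optional<HttpSession> maybeSession = this.sessionHelper.getExistingSession(httpServletRequest);
        if (!maybeSession.isPresent()) {
            // No session at all: nothing to audit here, another provider may still authenticate the request.
            return Optional.empty();
        }
        final HttpSession session = maybeSession.get();

        // Only a hash of the session id is recorded, keeping the raw session identifier out of the audit log.
        auditContext.getProperties().put(SESSION_ID_PROPERTY,
                Integer.toUnsignedString(Objects.hash(session.getId())));

        final Optional<Principal> maybePrincipal = this.sessionHelper.getPrincipalFromSession(session);
        if (!maybePrincipal.isPresent()) {
            return Optional.empty();
        }
        final Principal principal = maybePrincipal.get();

        // Recorded before the remaining checks so that the failure entries below also carry the identity.
        auditContext.getProperties().put(AuditConstants.KEY_IDENTITY.getValue(), principal.getName());

        if (!isXsrfTokenValid(httpServletRequest, containerRequestContext)) {
            auditLogger.warn("{} Rest - Failure - Session authentication failed, invalid XSRF token", auditContext);
            return Optional.empty();
        }

        // Read the volatile once so the expiry check uses a single, consistent options instance.
        final RestServiceOptions options = this.restServiceOptions;
        if (options == null) {
            // Fail closed: without options the inactivity interval is unknown and the session cannot be
            // validated; surfacing this as an authentication failure avoids a NullPointerException on
            // the request thread.
            auditLogger.warn("{} Rest - Failure - Session authentication failed, REST service options not configured",
                    auditContext);
            return Optional.empty();
        }

        if (this.sessionHelper.isSessionExpired(session, options.getSessionInactivityInterval())) {
            auditLogger.warn("{} Rest - Failure - Session authentication failed, session expired", auditContext);
            session.invalidate();
            return Optional.empty();
        }

        if (isSessionLocked(session, containerRequestContext)) {
            auditLogger.warn("{} Rest - Failure - Session authentication failed, session is locked", auditContext);
            return Optional.empty();
        }

        if (this.sessionHelper.credentialsChanged(session, principal.getName())) {
            auditLogger.warn("{} Rest - Failure - Session authentication failed, user credentials changed",
                    auditContext);
            session.invalidate();
            return Optional.empty();
        }

        this.sessionHelper.updateLastActivity(session);
        auditLogger.info("{} Rest - Success - Authentication succeeded via session provider", auditContext);
        return maybePrincipal;
    }

    /**
     * Reports whether the session lock blocks this request. Paths listed in
     * {@code lockedSessionAllowedPaths} are never blocked, regardless of the session's lock state.
     */
    private boolean isSessionLocked(HttpSession httpSession, ContainerRequestContext containerRequestContext) {
        if (containsPath(this.lockedSessionAllowedPaths, containerRequestContext)) {
            return false;
        }
        return this.sessionHelper.isSessionLocked(httpSession);
    }

    /**
     * Reports whether the XSRF token check passes for this request. Paths listed in
     * {@code allowNoXsrfTokenPaths} pass without a token.
     */
    private boolean isXsrfTokenValid(HttpServletRequest httpServletRequest,
            ContainerRequestContext containerRequestContext) {
        if (containsPath(this.allowNoXsrfTokenPaths, containerRequestContext)) {
            return true;
        }
        return this.sessionHelper.isXsrfTokenValid(httpServletRequest);
    }

    /** Exact-match lookup of the request path (as built by {@link #requestPath}) in {@code paths}. */
    private boolean containsPath(Set<String> paths, ContainerRequestContext containerRequestContext) {
        return paths.contains(requestPath(containerRequestContext));
    }

    /**
     * Rebuilds the request path as a leading slash followed by the JAX-RS path segments joined with
     * {@code "/"}. Because the segments come from {@code getPathSegments()}, only each segment's path part
     * is compared (matrix parameters are not included); allow-list entries must therefore be written in
     * exactly this form, e.g. {@code /services/ping}.
     * NOTE(review): how a trailing slash on the request URI is reflected in the segment list depends on
     * the JAX-RS runtime — confirm against the entries passed to the constructor.
     */
    private static String requestPath(ContainerRequestContext containerRequestContext) {
        final String joinedSegments = containerRequestContext.getUriInfo().getPathSegments().stream()
                .map(segment -> segment.getPath())
                .collect(Collectors.joining("/"));
        return "/" + joinedSegments;
    }
}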
