package org.pentaho.platform.repository2.unified.jcr.jackrabbit.security;

import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.jackrabbit.core.security.authentication.AbstractLoginModule;
import org.apache.jackrabbit.core.security.authentication.Authentication;
import org.pentaho.platform.engine.core.system.PentahoSystem;
import org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.messages.Messages;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

/* loaded from: input_file:org/pentaho/platform/repository2/unified/jcr/jackrabbit/security/SpringSecurityLoginModule.class */
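/**
 * Jackrabbit login module that verifies {@link SimpleCredentials} through a Spring Security
 * {@link AuthenticationManager} and recognises pre-authenticated logins by comparing a credentials
 * attribute against the tokens configured in the {@code preAuthenticationTokens} module option.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Pre-authentication tokens are shared secrets: a login presenting one of them is accepted
 *       without a password check. They are held in a static, process-wide set and are never
 *       written to the log.</li>
 *   <li>The password check is skipped when the thread-bound Spring Security context already
 *       carries an authentication with the same user name as the supplied credentials.</li>
 *   <li>Impersonation is not supported.</li>
 * </ul>
 */
public class SpringSecurityLoginModule extends AbstractLoginModule {
    /** Module option holding the comma-separated list of accepted pre-authentication tokens. */
    private static final String KEY_PRE_AUTHENTICATION_TOKENS = "preAuthenticationTokens";
    private static final String PRE_AUTHENTICATION_TOKEN_SEPARATOR = ",";
    /** Manager used by this instance; resolved in {@link #doInit} and may be null if the platform is not initialised. */
    private AuthenticationManager authenticationManager;
    private static final Log logger = LogFactory.getLog(SpringSecurityLoginModule.class);
    // Static and therefore shared by every module instance; doInit() adds to it while
    // isPreAuthenticated() reads it, so it is wrapped to tolerate concurrent logins.
    private static final Set<String> preAuthenticationTokens = Collections.synchronizedSet(new HashSet<String>());
    /** Cached platform-wide manager, looked up lazily by {@link #getAuthenticationManager}. */
    protected static AuthenticationManager authManager = null;

    /**
     * Reads the module options and resolves the authentication manager.
     *
     * <p>When the {@code preAuthenticationTokens} option is present it is split on commas and each
     * trimmed, non-empty entry is registered as an accepted token. Empty entries are dropped on
     * purpose: an empty token in the set would match a credentials attribute that is merely an
     * empty string, which would turn "no secret" into a valid secret.
     *
     * @param callbackHandler passed through to {@link #getAuthenticationManager}
     * @param session passed through to {@link #getAuthenticationManager}
     * @param map module options
     * @throws LoginException if the option is present but yields no usable token
     */
    protected void doInit(CallbackHandler callbackHandler, Session session, Map map) throws LoginException {
        if (map.containsKey(KEY_PRE_AUTHENTICATION_TOKENS)) {
            Object configured = map.get(KEY_PRE_AUTHENTICATION_TOKENS);
            Set<String> parsed = new HashSet<String>();
            if (configured instanceof String) {
                for (String str : ((String) configured).split(PRE_AUTHENTICATION_TOKEN_SEPARATOR)) {
                    String token = str.trim();
                    if (!token.isEmpty()) {
                        parsed.add(token);
                    }
                }
            }
            if (parsed.isEmpty()) {
                throw new LoginException(Messages.getInstance().getString("AbstractPentahoLoginModule.ERROR_0001_PRE_AUTH_TOKENS_MALFORMED", new Object[]{KEY_PRE_AUTHENTICATION_TOKENS}));
            }
            preAuthenticationTokens.addAll(parsed);
            // Tokens grant password-less login, so only their count is logged, never their values.
            if (logger.isDebugEnabled()) {
                logger.debug("preAuthenticationTokens configured; count=" + preAuthenticationTokens.size());
            }
        }
        this.authenticationManager = getAuthenticationManager(callbackHandler, session, map);
    }

    /**
     * Returns the cached {@link AuthenticationManager}, fetching it from {@link PentahoSystem}
     * the first time the platform reports successful initialisation.
     *
     * @return the manager, or {@code null} if it has not been resolved yet
     */
    protected AuthenticationManager getAuthenticationManager(CallbackHandler callbackHandler, Session session, Map map) {
        if (authManager == null && PentahoSystem.getInitializedOK()) {
            authManager = (AuthenticationManager) PentahoSystem.get(AuthenticationManager.class);
        }
        return authManager;
    }

    /**
     * Verifies the supplied credentials and returns an {@link Authentication} that reports the
     * outcome.
     *
     * @param principal not used by this implementation
     * @param credentials credentials to verify; only {@link SimpleCredentials} are handled
     * @return {@code null} for non-{@code SimpleCredentials}; otherwise an object whose
     *         {@code authenticate} returns whether verification succeeded
     * @throws RepositoryException declared by the overridden contract; not thrown here
     */
    protected Authentication getAuthentication(Principal principal, Credentials credentials) throws RepositoryException {
        if (!(credentials instanceof SimpleCredentials)) {
            logger.debug("credentials not instance of SimpleCredentials; returning null");
            return null;
        }
        SimpleCredentials simpleCredentials = (SimpleCredentials) credentials;
        String userId = simpleCredentials.getUserID();
        boolean verified = false;
        try {
            org.springframework.security.Authentication current = SecurityContextHolder.getContext().getAuthentication();
            // Null-safe comparison: a context entry without a name must not abort the login path.
            boolean alreadyInContext = current != null && userId != null && userId.equals(current.getName());
            if (alreadyInContext) {
                // NOTE(review): the password is not checked on this path; it trusts whatever
                // populated the thread-bound security context. Consider also requiring
                // current.isAuthenticated() -- confirm against how callers fill the context.
                verified = true;
            } else if (this.authenticationManager == null) {
                // Fail closed instead of raising a NullPointerException when the platform
                // has not supplied a manager.
                logger.warn("no AuthenticationManager available; rejecting login");
            } else {
                // The password is copied into a String only when it is actually needed.
                this.authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(userId, String.valueOf(simpleCredentials.getPassword())));
                verified = true;
            }
        } catch (AuthenticationException e) {
            logger.debug("authentication exception", e);
        }
        final boolean outcome = verified;
        return new Authentication() {
            public boolean canHandle(Credentials credentials2) {
                return true;
            }

            public boolean authenticate(Credentials credentials2) throws RepositoryException {
                // Reports the result computed above; the argument is not re-examined.
                return outcome;
            }
        };
    }

    /**
     * Resolves the principal for the user named in the credentials.
     *
     * @return the principal, or {@code null} if none is found or the match is a {@link Group}
     */
    protected Principal getPrincipal(Credentials credentials) {
        Principal principal = this.principalProvider.getPrincipal(getUserID(credentials));
        // A group must never be usable as a login identity.
        if (principal == null || (principal instanceof Group)) {
            return null;
        }
        return principal;
    }

    /**
     * Impersonation is not supported by this module.
     *
     * @throws UnsupportedOperationException always
     */
    protected boolean impersonate(Principal principal, Credentials credentials) throws RepositoryException, LoginException {
        throw new UnsupportedOperationException();
    }

    /**
     * Decides whether the credentials carry an accepted pre-authentication token.
     *
     * <p>The superclass check must pass first; then the attribute named by
     * {@code getPreAuthAttributeName()} must be a {@code String} contained in the configured
     * token set. Anything else is rejected.
     *
     * @return {@code true} only when the presented token is one of the configured tokens
     */
    protected boolean isPreAuthenticated(Credentials credentials) {
        if (!super.isPreAuthenticated(credentials)) {
            return false;
        }
        // Fail closed rather than throw if the superclass accepts another credentials type.
        if (!(credentials instanceof SimpleCredentials)) {
            return false;
        }
        SimpleCredentials simpleCredentials = (SimpleCredentials) credentials;
        Object presented = simpleCredentials.getAttribute(getPreAuthAttributeName());
        // A non-String attribute can never equal a configured token; treat it as a rejection.
        boolean contains = presented instanceof String && preAuthenticationTokens.contains(presented);
        if (logger.isDebugEnabled()) {
            if (contains) {
                logger.debug(simpleCredentials.getUserID() + " is pre-authenticated");
            } else {
                logger.debug("pre-authentication token rejected");
            }
        }
        return contains;
    }
}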
