package org.alfresco.repo.security.authentication;

import java.util.Stack;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.GrantedAuthorityImpl;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.context.Context;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.providers.dao.User;
import org.alfresco.api.AlfrescoPublicApi;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.repo.tenant.TenantContextHolder;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.util.EqualsHelper;
import org.alfresco.util.Pair;
import org.alfresco.util.log.NDC;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;

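/**
 * Static helpers that read and replace the security context held by {@link ContextHolder}:
 * the "real" (fully authenticated) and "effective" (run-as) authentications stored in an
 * {@code AlfrescoSecureContext}, together with the tenant domain in {@link TenantContextHolder}.
 *
 * <p>Security note: none of the {@code set*} methods verifies a credential. They build a token
 * with an empty password and mark it authenticated, so every caller must already have
 * established the identity it passes in, or be impersonating on purpose. {@link #runAs} and
 * {@link #runAsSystem} execute the supplied callback under another identity and must only be
 * given trusted work.
 *
 * <p>The admin/guest names and the multi-tenancy flag are plain static fields without
 * synchronisation; they are expected to be set once during start-up.
 */
@AlfrescoPublicApi
/* loaded from: input_file:WEB-INF/lib/alfresco-data-model-5.1.e.jar:org/alfresco/repo/security/authentication/AuthenticationUtil.class */
public class AuthenticationUtil implements InitializingBean {
    /** Name of the built-in system principal; it is granted {@code ROLE_SYSTEM}. */
    public static final String SYSTEM_USER_NAME = "System";
    static Log s_logger = LogFactory.getLog(AuthenticationUtil.class);
    // Flipped by afterPropertiesSet(); the admin/guest name getters refuse to answer before that.
    private static boolean initialized = false;
    private static String defaultAdminUserName = PermissionService.ADMINISTRATOR_AUTHORITY;
    private static String defaultGuestUserName = PermissionService.GUEST_AUTHORITY;
    private static boolean mtEnabled = false;
    // Per-thread save stacks used by pushAuthentication()/popAuthentication(). java.util.Stack is
    // kept because null entries ("no authentication") must be storable.
    private static final ThreadLocal<Stack<Authentication>> threadLocalFullAuthenticationStack = new ThreadLocalStack();
    private static final ThreadLocal<Stack<Authentication>> threadLocalRunAsAuthenticationStack = new ThreadLocalStack();
    private static final ThreadLocal<Stack<String>> threadLocalTenantDomainStack = new ThreadLocal<Stack<String>>() {
        @Override // java.lang.ThreadLocal
        protected Stack<String> initialValue() {
            return new Stack<>();
        }
    };

    /**
     * Unit of work executed by {@link AuthenticationUtil#runAs} under a substituted identity.
     *
     * @param <Result> type of the value produced by the work
     */
    @AlfrescoPublicApi
    /* loaded from: input_file:WEB-INF/lib/alfresco-data-model-5.1.e.jar:org/alfresco/repo/security/authentication/AuthenticationUtil$RunAsWork.class */
    public interface RunAsWork<Result> {
        Result doWork() throws Exception;
    }

    /** Thread-local whose initial value is an empty stack of authentications. */
    /* loaded from: input_file:WEB-INF/lib/alfresco-data-model-5.1.e.jar:org/alfresco/repo/security/authentication/AuthenticationUtil$ThreadLocalStack.class */
    static class ThreadLocalStack extends ThreadLocal<Stack<Authentication>> {
        ThreadLocalStack() {
        }

        @Override // java.lang.ThreadLocal
        protected Stack<Authentication> initialValue() {
            return new Stack<>();
        }
    }

    /** Marks the utility as initialised so the admin/guest name getters become usable. */
    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws Exception {
        initialized = true;
    }

    /** Sets the admin user name for the whole JVM (the backing field is static). */
    public void setDefaultAdminUserName(String str) {
        defaultAdminUserName = str;
    }

    /** Sets the guest user name for the whole JVM (the backing field is static). */
    public void setDefaultGuestUserName(String str) {
        defaultGuestUserName = str;
    }

    /** Switches multi-tenant handling of {@code user@tenant} names on or off. */
    public static void setMtEnabled(boolean z) {
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("MT is enabled: " + z);
        }
        mtEnabled = z;
    }

    /** @return whether multi-tenant name handling is enabled */
    public static boolean isMtEnabled() {
        return mtEnabled;
    }

    /**
     * Returns the current context when it is an {@code AlfrescoSecureContext}, otherwise
     * {@code null} (no context, or a context of another type).
     */
    private static AlfrescoSecureContext currentSecureContext() {
        Context context = ContextHolder.getContext();
        // instanceof is false for null, so this also covers the "no context" case.
        return context instanceof AlfrescoSecureContext ? (AlfrescoSecureContext) context : null;
    }

    /**
     * Returns the current {@code AlfrescoSecureContext}, installing a fresh
     * {@code AlfrescoSecureContextImpl} in {@link ContextHolder} when there is none.
     */
    private static AlfrescoSecureContext getOrCreateSecureContext() {
        AlfrescoSecureContext existing = currentSecureContext();
        if (existing != null) {
            return existing;
        }
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("Creating new secure context.");
        }
        AlfrescoSecureContextImpl created = new AlfrescoSecureContextImpl();
        ContextHolder.setContext(created);
        return created;
    }

    /**
     * Builds an already-authenticated token for {@code str}; no credential is checked here.
     *
     * <ul>
     *   <li>the system name yields a fixed principal carrying {@code ROLE_SYSTEM};</li>
     *   <li>the guest name (compared ignoring case) yields the lower-cased guest name with no
     *       authorities;</li>
     *   <li>any other name uses {@code userDetails}, whose user name must equal {@code str}.</li>
     * </ul>
     *
     * @param str non-null user name
     * @param userDetails details to use for ordinary users
     * @throws AuthenticationException if {@code userDetails} names a different user
     * @throws IllegalStateException for non-system names when the guest name is not yet available
     */
    private static UsernamePasswordAuthenticationToken getAuthenticationToken(String str, UserDetails userDetails) {
        UserDetails effectiveDetails;
        if (str.equals(SYSTEM_USER_NAME)) {
            effectiveDetails = new User(SYSTEM_USER_NAME, "", true, true, true, true, new GrantedAuthority[]{new GrantedAuthorityImpl("ROLE_SYSTEM")});
        } else if (str.equalsIgnoreCase(getGuestUserName())) {
            // NOTE(review): toLowerCase() uses the default locale while equalsIgnoreCase() does not;
            // confirm this matches how the guest name is normalised elsewhere.
            effectiveDetails = new User(getGuestUserName().toLowerCase(), "", true, true, true, true, new GrantedAuthority[0]);
        } else {
            if (!userDetails.getUsername().equals(str)) {
                throw new AuthenticationException("Provided user details do not match the user name");
            }
            effectiveDetails = userDetails;
        }
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(effectiveDetails, "", effectiveDetails.getAuthorities());
        token.setDetails(effectiveDetails);
        token.setAuthenticated(true);
        return token;
    }

    /** Builds enabled, non-expired user details for {@code str} carrying {@code ROLE_AUTHENTICATED}. */
    private static UserDetails getDefaultUserDetails(String str) {
        return new User(str, "", true, true, true, true, new GrantedAuthority[]{new GrantedAuthorityImpl("ROLE_AUTHENTICATED")});
    }

    /** Returns the principal's user name, or its {@code toString()} when it is not a {@link UserDetails}. */
    private static String getUserName(Authentication authentication) {
        Object principal = authentication.getPrincipal();
        return principal instanceof UserDetails ? ((UserDetails) principal).getUsername() : principal.toString();
    }

    /**
     * Makes the admin user the fully authenticated user.
     *
     * @return the installed authentication
     * @throws IllegalStateException if this utility has not been initialised
     */
    public static Authentication setAdminUserAsFullyAuthenticatedUser() {
        return setFullyAuthenticatedUser(getAdminUserName());
    }

    /**
     * Installs {@code str} as both the real and the effective user, without any credential check.
     *
     * @param str user name, optionally {@code user@tenant} (see {@link #getUserTenant})
     * @return the installed authentication
     * @throws AuthenticationException if {@code str} is {@code null} or the token cannot be built
     */
    public static Authentication setFullyAuthenticatedUser(String str) {
        return setFullyAuthenticatedUser(str, getDefaultUserDetails(str));
    }

    /**
     * Installs the user as real and effective authentication and then sets the tenant domain
     * resolved by {@link #getUserTenant}.
     */
    private static Authentication setFullyAuthenticatedUser(String str, UserDetails userDetails) throws AuthenticationException {
        if (str == null) {
            throw new AuthenticationException("Null user name");
        }
        try {
            Pair<String, String> userTenant = getUserTenant(str);
            String userName = userTenant.getFirst();
            String tenantDomain = userTenant.getSecond();
            Authentication fullAuthentication = setFullAuthentication(getAuthenticationToken(userName, userDetails));
            TenantContextHolder.setTenantDomain(tenantDomain);
            return fullAuthentication;
        } catch (net.sf.acegisecurity.AuthenticationException e) {
            // Translate the Acegi exception into this package's type, keeping the cause.
            throw new AuthenticationException(e.getMessage(), e);
        }
    }

    /**
     * Installs {@code authentication} as both the real and the effective authentication and
     * marks it authenticated. Passing {@code null} clears the whole security context.
     *
     * @param authentication the authentication to install, trusted as-is
     * @return {@code authentication}, or {@code null} when the context was cleared
     */
    public static Authentication setFullAuthentication(Authentication authentication) {
        if (authentication == null) {
            clearCurrentSecurityContext();
            return null;
        }
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("Setting fully authenticated principal: " + authentication.getName());
        }
        AlfrescoSecureContext secureContext = getOrCreateSecureContext();
        authentication.setAuthenticated(true);
        secureContext.setRealAuthentication(authentication);
        secureContext.setEffectiveAuthentication(authentication);
        return authentication;
    }

    /** Makes the system user the effective (run-as) user. */
    public static Authentication setRunAsUserSystem() {
        return setRunAsUser(SYSTEM_USER_NAME);
    }

    /**
     * Makes {@code str} the effective (run-as) user without any credential check. The real
     * authentication is left alone unless there is none yet.
     *
     * @throws AuthenticationException if {@code str} is {@code null} or the token cannot be built
     */
    public static Authentication setRunAsUser(String str) {
        return setRunAsUser(str, getDefaultUserDetails(str));
    }

    static Authentication setRunAsUser(String str, UserDetails userDetails) throws AuthenticationException {
        if (str == null) {
            throw new AuthenticationException("Null user name");
        }
        try {
            return setRunAsAuthentication(getAuthenticationToken(str, userDetails));
        } catch (net.sf.acegisecurity.AuthenticationException e) {
            throw new AuthenticationException(e.getMessage(), e);
        }
    }

    /**
     * Installs {@code authentication} as the effective authentication and marks it
     * authenticated; it also becomes the real authentication when none is set. Passing
     * {@code null} clears the whole security context, not just the run-as identity.
     */
    static Authentication setRunAsAuthentication(Authentication authentication) {
        if (authentication == null) {
            clearCurrentSecurityContext();
            return null;
        }
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("Setting RunAs principal: " + authentication.getName());
        }
        AlfrescoSecureContext secureContext = getOrCreateSecureContext();
        authentication.setAuthenticated(true);
        if (secureContext.getRealAuthentication() == null) {
            if (s_logger.isDebugEnabled()) {
                s_logger.debug("There is no fully authenticated prinipal. Setting fully authenticated principal: " + authentication.getName());
            }
            secureContext.setRealAuthentication(authentication);
        }
        secureContext.setEffectiveAuthentication(authentication);
        return authentication;
    }

    /** @return the effective authentication, or {@code null} without an Alfresco secure context */
    public static Authentication getRunAsAuthentication() throws AuthenticationException {
        AlfrescoSecureContext secureContext = currentSecureContext();
        return secureContext == null ? null : secureContext.getEffectiveAuthentication();
    }

    /** @return the real authentication, or {@code null} without an Alfresco secure context */
    public static Authentication getFullAuthentication() throws AuthenticationException {
        AlfrescoSecureContext secureContext = currentSecureContext();
        return secureContext == null ? null : secureContext.getRealAuthentication();
    }

    /** @return the effective user's name, or {@code null} when there is none */
    public static String getRunAsUser() throws AuthenticationException {
        Authentication effective = getRunAsAuthentication();
        return effective == null ? null : getUserName(effective);
    }

    /**
     * Tells whether the effective user is the system user. With multi-tenancy enabled,
     * everything from the first {@code @} onwards is ignored for the comparison.
     */
    public static boolean isRunAsUserTheSystemUser() {
        String runAsUser = getRunAsUser();
        if (runAsUser != null && isMtEnabled()) {
            int separator = runAsUser.indexOf("@");
            if (separator != -1) {
                runAsUser = runAsUser.substring(0, separator);
            }
        }
        return EqualsHelper.nullSafeEquals(runAsUser, SYSTEM_USER_NAME);
    }

    /** @return the real (fully authenticated) user's name, or {@code null} when there is none */
    public static String getFullyAuthenticatedUser() throws AuthenticationException {
        Authentication real = getFullAuthentication();
        return real == null ? null : getUserName(real);
    }

    /** @return {@link #SYSTEM_USER_NAME} */
    public static String getSystemUserName() {
        return SYSTEM_USER_NAME;
    }

    /**
     * Returns the admin user name; with multi-tenancy enabled and a run-as user in a
     * non-default tenant, the tenant is appended as {@code admin@tenant}.
     *
     * @throws IllegalStateException if this utility has not been initialised
     */
    public static String getAdminUserName() {
        if (!initialized) {
            throw new IllegalStateException("AuthenticationUtil not yet initialised; default admin username not available");
        }
        if (isMtEnabled()) {
            String runAsUser = getRunAsUser();
            if (runAsUser != null) {
                String tenantDomain = getUserTenant(runAsUser).getSecond();
                if (!"".equals(tenantDomain)) {
                    return defaultAdminUserName + "@" + tenantDomain;
                }
            }
        }
        return defaultAdminUserName;
    }

    /** @return {@code PermissionService.ADMINISTRATOR_AUTHORITY} */
    public static String getAdminRoleName() {
        return PermissionService.ADMINISTRATOR_AUTHORITY;
    }

    /**
     * @return the configured guest user name
     * @throws IllegalStateException if this utility has not been initialised
     */
    public static String getGuestUserName() {
        if (!initialized) {
            throw new IllegalStateException("AuthenticationUtil not yet initialised; default guest username not available");
        }
        return defaultGuestUserName;
    }

    /** @return {@code PermissionService.GUEST_AUTHORITY} */
    public static String getGuestRoleName() {
        return PermissionService.GUEST_AUTHORITY;
    }

    /**
     * Drops the security context, delegates to
     * {@code InMemoryTicketComponentImpl.clearCurrentSecurityContext()}, removes the logging
     * NDC and clears the tenant domain.
     */
    public static void clearCurrentSecurityContext() {
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("Removing the current security information.");
        }
        ContextHolder.setContext(null);
        InMemoryTicketComponentImpl.clearCurrentSecurityContext();
        NDC.remove();
        TenantContextHolder.clearTenantDomain();
    }

    /**
     * Runs {@code runAsWork} as {@code str} and then puts back the authentications that were in
     * place on entry. When nobody was authenticated on entry, {@code str} becomes the fully
     * authenticated user for the duration and the context is cleared afterwards.
     *
     * <p>No credential is checked for {@code str}: only trusted code should decide the identity
     * and supply the work.
     *
     * @return the value produced by {@code runAsWork}
     * @throws RuntimeException the work's own runtime exception, or a wrapper around any other
     *     throwable it raised
     */
    public static <R> R runAs(RunAsWork<R> runAsWork, String str) {
        Authentication fullAuthentication = getFullAuthentication();
        Authentication runAsAuthentication = getRunAsAuthentication();
        try {
            if (fullAuthentication == null) {
                setFullyAuthenticatedUser(str);
            } else {
                setRunAsUser(str);
            }
            logNDC(str);
            return runAsWork.doWork();
        } catch (Throwable th) {
            if (th instanceof RuntimeException) {
                throw (RuntimeException) th;
            }
            throw new RuntimeException("Error during run as.", th);
        } finally {
            // Restore exactly once on every exit path, so the substituted identity can never
            // outlive the callback.
            if (fullAuthentication == null) {
                clearCurrentSecurityContext();
                logNDC(null);
            } else {
                setFullAuthentication(fullAuthentication);
                // A null run-as value here would clear the whole context (see setRunAsAuthentication).
                setRunAsAuthentication(runAsAuthentication);
                logNDC(getUserName(fullAuthentication));
            }
        }
    }

    /** Runs {@code runAsWork} as the system user; see {@link #runAs}. */
    public static <R> R runAsSystem(RunAsWork<R> runAsWork) {
        return runAs(runAsWork, getSystemUserName());
    }

    /**
     * Saves the current real authentication, effective authentication and tenant domain on
     * per-thread stacks. Every call must be paired with {@link #popAuthentication()}.
     */
    public static void pushAuthentication() {
        Authentication fullAuthentication = getFullAuthentication();
        Authentication runAsAuthentication = getRunAsAuthentication();
        threadLocalFullAuthenticationStack.get().push(fullAuthentication);
        threadLocalRunAsAuthenticationStack.get().push(runAsAuthentication);
        threadLocalTenantDomainStack.get().push(TenantContextHolder.getTenantDomain());
    }

    /**
     * Restores the state saved by the matching {@link #pushAuthentication()}. A saved real
     * authentication of {@code null} clears the security context.
     *
     * @throws java.util.EmptyStackException if there is no matching push on this thread
     */
    public static void popAuthentication() {
        Authentication savedFull = threadLocalFullAuthenticationStack.get().pop();
        Authentication savedRunAs = threadLocalRunAsAuthenticationStack.get().pop();
        if (savedFull == null) {
            clearCurrentSecurityContext();
        } else {
            setFullAuthentication(savedFull);
            setRunAsAuthentication(savedRunAs);
        }
        // Restored last: clearCurrentSecurityContext() above also clears the tenant domain.
        TenantContextHolder.setTenantDomain(threadLocalTenantDomainStack.get().pop());
    }

    /** Writes the real and effective user names to the debug log. */
    public static void logAuthenticatedUsers() {
        if (s_logger.isDebugEnabled()) {
            s_logger.debug("Authentication: \n   Fully authenticated: " + getFullyAuthenticatedUser() + "\n   Run as:              " + getRunAsUser());
        }
    }

    /**
     * Replaces the logging NDC with an entry for {@code str}; {@code null} only removes it.
     * With multi-tenancy enabled and a non-default tenant, the tenant is included.
     */
    public static void logNDC(String str) {
        NDC.remove();
        if (str == null) {
            return;
        }
        if (!isMtEnabled()) {
            NDC.push("User:" + str);
            return;
        }
        Pair<String, String> userTenant = getUserTenant(str);
        String userName = userTenant.getFirst();
        String tenantDomain = userTenant.getSecond();
        if ("".equals(tenantDomain)) {
            NDC.push("User:" + userName);
        } else {
            NDC.push("Tenant:" + tenantDomain + " User:" + userName);
        }
    }

    /**
     * Pairs {@code str} with a tenant domain. The domain already held by
     * {@link TenantContextHolder} wins; otherwise, with multi-tenancy enabled, it is taken from
     * the part of {@code str} after the first {@code @}, and is empty when there is no such part.
     *
     * <p>The implied domain comes from the caller-supplied name, so it is only as trustworthy as
     * that name.
     *
     * @param str user name, possibly {@code user@tenant}; returned unchanged as the first element
     * @return pair of ({@code str}, tenant domain)
     * @throws AlfrescoRuntimeException if the implied tenant domain itself contains {@code @}
     */
    public static Pair<String, String> getUserTenant(String str) {
        String tenantDomain = TenantContextHolder.getTenantDomain();
        if (tenantDomain == null) {
            tenantDomain = "";
            if (str != null && isMtEnabled()) {
                int separator = str.indexOf("@");
                if (separator > 0 && separator < str.length() - 1) {
                    tenantDomain = str.substring(separator + 1);
                    // >= 0, not > 0: a domain that starts with '@' (from "user@@tenant") also
                    // "contains @" and must be rejected like any other.
                    if (tenantDomain.indexOf("@") >= 0) {
                        throw new AlfrescoRuntimeException("Unexpected tenant: " + tenantDomain + " (contains @)");
                    }
                    if (s_logger.isDebugEnabled()) {
                        // NOTE(review): str is caller-supplied and logged unescaped; confirm the
                        // log layout neutralises line breaks.
                        s_logger.debug("Tenant domain implied: userName=" + str + ", tenantDomain=" + tenantDomain);
                    }
                }
            }
        }
        return new Pair<>(str, tenantDomain);
    }
}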
