package com.techempower.gemini.pyxis;

import com.techempower.gemini.Context;
import com.techempower.gemini.GeminiApplication;
import com.techempower.gemini.pyxis.LoginTokenManager;
import com.techempower.gemini.session.Session;
import java.sql.SQLException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/techempower/gemini/pyxis/SessionAuthenticationArbiter.class */
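/**
 * Session-backed {@link PyxisAuthenticationArbiter}.
 *
 * <p>The authenticated user is kept in the Gemini session under
 * {@link PyxisConstants#SESSION_USER}. An administrator masquerading as another
 * account stores that account under {@link PyxisConstants#SESSION_IMPERSONATED_USER},
 * and {@link #getUser(Context)} then reports the impersonated account as the
 * effective user. Depending on {@code storeUserAsId()} the session holds either the
 * user id (re-resolved through {@code security.getUser(long)} on every read) or the
 * user object itself.
 *
 * <p>When multiple sessions per user are disallowed, the arbiter remembers the session
 * id of each user's most recent login in a process-local map and clears any other
 * session that presents the same user. Caveats a deployer should know:
 * <ul>
 *   <li>the map is in-memory and per JVM, so enforcement does not span nodes unless
 *       sessions are pinned to one node;</li>
 *   <li>entries are never removed, so the map grows to the number of distinct users
 *       that have logged in since startup;</li>
 *   <li>an evicted session that still carries a valid remember-me cookie will
 *       re-authenticate through {@link #cookieLogin(Context)} on its next request,
 *       which in turn evicts the newer session.</li>
 * </ul>
 *
 * <p>Remember-me ("cookie") login is delegated to {@link LoginTokenManager}. Nothing
 * in this class rotates the session id at login; if the session layer does not do so
 * itself, login is exposed to session fixation — TODO confirm against the
 * {@link Session} implementation in use.
 */
public class SessionAuthenticationArbiter implements PyxisAuthenticationArbiter {
    /** Delivery key set to {@code true} when a second session for the same user is rejected. */
    public static final String MULTISESSION_VIOLATION = "MultiSessionViolation";

    /** Map value meaning "never evict this user"; nothing in this class writes it. */
    private static final String SESSION_ID_EXEMPT = "EXEMPT";

    private final GeminiApplication application;
    private final LoginTokenManager loginTokenManager;
    private final Logger log = LoggerFactory.getLogger(getClass());

    /** user id -> session id of that user's most recent login (see class docs for caveats). */
    private final Map<Long, String> userSessionIDs = Collections.synchronizedMap(new HashMap<>());

    /**
     * Creates an arbiter bound to the given application.
     *
     * @param geminiApplication application whose security settings and user lookups are used
     */
    public SessionAuthenticationArbiter(GeminiApplication geminiApplication) {
        this.application = geminiApplication;
        this.loginTokenManager = new LoginTokenManager(geminiApplication);
    }

    /**
     * Starts masquerading as {@code pyxisUser} if the current effective user is allowed to.
     *
     * <p>Because the actor is the <em>effective</em> user, an already-masquerading session
     * (whose effective user is, with the default {@link #isMasqueradePermitted}, a
     * non-administrator) cannot chain into a second masquerade. Denied attempts are logged
     * at WARN so they are visible to whoever reviews the logs; nothing is returned to the caller.
     *
     * @param context   current request context
     * @param pyxisUser account to impersonate; ignored when {@code null}
     */
    @Override // com.techempower.gemini.pyxis.PyxisAuthenticationArbiter
    public void beginMasquerade(Context context, PyxisUser pyxisUser) {
        PyxisUser actor = getUser(context);
        if (actor == null || pyxisUser == null) {
            return;
        }
        if (!isMasqueradePermitted(actor, pyxisUser)) {
            this.log.warn("{} denied masquerade as {}", actor, pyxisUser);
            return;
        }
        this.log.info("{} now masquerading as {}", actor, pyxisUser);
        storeUserInSession(context, pyxisUser, PyxisConstants.SESSION_IMPERSONATED_USER);
    }

    /**
     * Ends an active masquerade, restoring the real session user as the effective user.
     *
     * @param context current request context
     * @return {@code true} if a masquerade was active and has been ended
     */
    @Override // com.techempower.gemini.pyxis.PyxisAuthenticationArbiter
    public boolean endMasquerade(Context context) {
        PyxisUser realUser = getMasqueradingUser(context);
        if (realUser == null) {
            return false;
        }
        this.log.info("{} ended masquerading.", realUser);
        context.session().remove(PyxisConstants.SESSION_IMPERSONATED_USER);
        return true;
    }

    /**
     * Returns the real (administrator) user behind an active masquerade.
     *
     * @param context current request context
     * @return the session user while a masquerade is active, otherwise {@code null}
     */
    @Override // com.techempower.gemini.pyxis.PyxisAuthenticationArbiter
    public PyxisUser getMasqueradingUser(Context context) {
        PyxisUser impersonated = getUserFromSession(context, PyxisConstants.SESSION_IMPERSONATED_USER);
        if (impersonated == null) {
            return null;
        }
        return getUserFromSession(context, PyxisConstants.SESSION_USER);
    }

    /**
     * Returns the effective user: the impersonated account during a masquerade, otherwise
     * the authenticated session user.
     *
     * @param context current request context
     * @return effective user, or {@code null} when nobody is logged in
     */
    @Override // com.techempower.gemini.pyxis.PyxisAuthenticationArbiter
    public PyxisUser getUser(Context context) {
        PyxisUser impersonated = getUserFromSession(context, PyxisConstants.SESSION_IMPERSONATED_USER);
        if (impersonated != null) {
            return impersonated;
        }
        return getUserFromSession(context, PyxisConstants.SESSION_USER);
    }

    /**
     * Same as {@link #getUser(Context)} but reads directly from a {@link Session}, for callers
     * that have no request context.
     *
     * @param session session to inspect
     * @return effective user, or {@code null} when nobody is logged in
     */
    public PyxisUser getUser(Session session) {
        PyxisUser impersonated = getUserFromSession(session, PyxisConstants.SESSION_IMPERSONATED_USER);
        if (impersonated != null) {
            return impersonated;
        }
        return getUserFromSession(session, PyxisConstants.SESSION_USER);
    }

    /**
     * Reports whether the request is authenticated, enforcing the single-session rule and
     * falling back to remember-me cookie login when no user is in the session.
     *
     * <p>The single-session rule is keyed on the <em>real</em> session user: while an
     * administrator masquerades, the impersonated account's own sessions are not evicted and
     * the administrator's session is not recorded under the impersonated account's id.
     * On a violation {@link #MULTISESSION_VIOLATION} is set in the delivery, the offending
     * session is cleared and {@code false} is returned without attempting cookie login.
     *
     * @param context current request context
     * @return {@code true} if a user is (now) logged in
     */
    @Override // com.techempower.gemini.pyxis.PyxisAuthenticationArbiter
    public boolean isLoggedIn(Context context) {
        PyxisUser impersonated = getUserFromSession(context, PyxisConstants.SESSION_IMPERSONATED_USER);
        PyxisUser principal = getUserFromSession(context, PyxisConstants.SESSION_USER);
        boolean authenticated = impersonated != null || principal != null;

        if (authenticated && !this.application.getSecurity().getSettings().allowsMultipleSessions()) {
            // Prefer the real session user; fall back to the impersonated one only in the
            // (unexpected) state where SESSION_USER is gone but an impersonation remains.
            PyxisUser owner = principal != null ? principal : impersonated;
            String recorded = this.userSessionIDs.get(Long.valueOf(owner.getId()));
            String current = context.getSession(true).getId();
            if (recorded == null) {
                recordUserSessionId(context, owner);
            } else if (!SESSION_ID_EXEMPT.equalsIgnoreCase(recorded) && !current.equalsIgnoreCase(recorded)) {
                // Another session logged this user in after ours: evict this one.
                context.delivery().put(MULTISESSION_VIOLATION, true);
                context.session().clear();
                return false;
            }
        }
        return authenticated || cookieLogin(context);
    }

    /**
     * Binds {@code pyxisUser} to the session, replacing any existing identity (including an
     * active masquerade) by logging it out first, and records this session as the user's
     * most recent one for single-session enforcement.
     *
     * @param context   current request context
     * @param pyxisUser user to log in; must not be {@code null}
     * @param z         when {@code true} and cookie login is permitted, also issue a persistent
     *                  login token via {@link LoginTokenManager}
     * @throws NullPointerException if {@code pyxisUser} is {@code null}
     */
    @Override // com.techempower.gemini.pyxis.PyxisAuthenticationArbiter
    public void login(Context context, PyxisUser pyxisUser, boolean z) {
        Objects.requireNonNull(pyxisUser, "pyxisUser");
        if (getUser(context) != null) {
            logout(context);
        }
        storeUserInSession(context, pyxisUser);
        recordUserSessionId(context, pyxisUser);
        if (z && isCookieLoginPermitted(context)) {
            String username = this.application.getSecurity().sanitizeUsername(pyxisUser.getUserUsername());
            this.loginTokenManager.createAndPersistToken(context, username);
        }
    }

    /**
     * Logs out the current session: removes all user-related session attributes, optionally
     * invalidates the session and optionally clears the remember-me cookie.
     *
     * <p>The cookie is cleared for the <em>real</em> session user, since that is the account
     * the token was issued for in {@link #login}; using the effective user would target the
     * impersonated account while masquerading.
     *
     * @param context current request context
     */
    @Override // com.techempower.gemini.pyxis.PyxisAuthenticationArbiter
    public void logout(Context context) {
        PyxisUser principal = getUserFromSession(context, PyxisConstants.SESSION_USER);
        if (principal == null) {
            // Mirrors getUser(): an impersonation without a session user is the only remaining case.
            principal = getUserFromSession(context, PyxisConstants.SESSION_IMPERSONATED_USER);
        }
        removeUserFromSession(context);
        if (this.application.getSecurity().getSettings().isInvalidateSessionAtLogout()) {
            context.session().invalidate();
        }
        if (this.application.getSecurity().getSettings().logoutDeletesCookie()) {
            this.loginTokenManager.clearCookie(context, principal);
        }
    }

    /**
     * Attempts a remember-me login from the request's token cookie.
     *
     * <p>Respects the application's login rate limit, counts invalid-token and failed-login
     * outcomes as failed attempts, and on success marks the session with
     * {@link PyxisConstants#SESSION_COOKIE_LOGIN}. A token that validates for a username
     * that no longer resolves to a user is treated as a failed attempt rather than handed
     * to {@code security.login} as {@code null}.
     *
     * @param context current request context
     * @return {@code true} if the cookie authenticated a user
     */
    protected boolean cookieLogin(Context context) {
        if (!isCookieLoginPermitted(context)) {
            return false;
        }
        if (!this.application.getSecurity().isLoginAttemptPermitted(context)) {
            this.log.debug("Too many attempts from {}; cookie login blocked temporarily.", context.getClientId());
            return false;
        }
        try {
            LoginTokenManager.TokenValidation validation = this.loginTokenManager.validateAndUpdateToken(context);
            if (validation.isAttempt()) {
                // NOTE(review): relies on TokenValidation.toString() not including token material — confirm.
                this.log.debug("Cookie login attempt: {}", validation);
            }
            if (!validation.isValid()) {
                if (validation.isAttempt()) {
                    this.application.getSecurity().captureFailedLoginAttempt(context);
                }
                return false;
            }
            PyxisUser user = this.application.getSecurity().getUser(validation.getUsername());
            if (user == null) {
                this.log.warn("Cookie login token validated for unknown user {}; treating as failed attempt.",
                        validation.getUsername());
                this.application.getSecurity().captureFailedLoginAttempt(context);
                return false;
            }
            if (!this.application.getSecurity().login(context, user, false)) {
                this.application.getSecurity().captureFailedLoginAttempt(context);
                return false;
            }
            this.log.info("Successful cookie login for user {}.", user.getUserUsername());
            context.session().put(PyxisConstants.SESSION_COOKIE_LOGIN, true);
            this.application.getSecurity().captureSuccessfulLoginAttempt(context);
            return true;
        } catch (SQLException e) {
            this.log.warn("SQL exception while validating and updating token.", e);
            return false;
        }
    }

    /**
     * Default masquerade policy: an administrator may impersonate any non-administrator.
     * Subclasses may override to tighten or relax this.
     *
     * @param pyxisUser  the acting user
     * @param pyxisUser2 the target account
     * @return whether the masquerade is allowed
     */
    protected boolean isMasqueradePermitted(PyxisUser pyxisUser, PyxisUser pyxisUser2) {
        return pyxisUser.isAdministrator() && !pyxisUser2.isAdministrator();
    }

    /** Records the current session id as the user's most recent one (creating the session if needed). */
    private void recordUserSessionId(Context context, PyxisUser pyxisUser) {
        String sessionId = context.getSession(true).getId();
        this.userSessionIDs.put(Long.valueOf(pyxisUser.getId()), sessionId);
    }

    /** Stores the user as the authenticated session user. */
    private void storeUserInSession(Context context, PyxisUser pyxisUser) {
        storeUserInSession(context, pyxisUser, PyxisConstants.SESSION_USER);
    }

    /**
     * Removes every user-related attribute from the session. The close indicator is set and
     * immediately removed around the user removal; presumably session listeners observe it
     * — kept as-is.
     */
    private void removeUserFromSession(Context context) {
        context.session()
                .put(PyxisConstants.SESSION_CLOSE_INDICATOR, 1)
                .remove(PyxisConstants.SESSION_USER)
                .remove(PyxisConstants.SESSION_CLOSE_INDICATOR)
                .remove(PyxisConstants.SESSION_IMPERSONATED_USER)
                .remove(PyxisConstants.SESSION_COOKIE_LOGIN)
                .remove(PyxisConstants.SESSION_EXPIRATION_WARNED);
    }

    /** Cookie login must be enabled, and if configured as SSL-only the request must be secure. */
    private boolean isCookieLoginPermitted(Context context) {
        PyxisSettings settings = this.application.getSecurity().getSettings();
        if (!settings.isCookieLoginEnabled()) {
            return false;
        }
        return !settings.isCookieLoginSslOnly() || context.isSecure();
    }

    /** Stores either the user's id or the user object under {@code str}, per {@code storeUserAsId()}. */
    private void storeUserInSession(Context context, PyxisUser pyxisUser, String str) {
        if (this.application.getSecurity().getSettings().storeUserAsId()) {
            context.session().put(str, pyxisUser.getId());
        } else {
            context.session().putObject(str, pyxisUser);
        }
    }

    /**
     * Reads the user stored under {@code str}. In id mode an absent attribute reads as
     * {@code 0L} and is looked up as such; presumably {@code getUser(0L)} yields {@code null}
     * (the {@link Session} overload below short-circuits instead) — confirm.
     */
    private PyxisUser getUserFromSession(Context context, String str) {
        if (this.application.getSecurity().getSettings().storeUserAsId()) {
            return this.application.getSecurity().getUser(context.session().getLong(str, 0L));
        }
        return (PyxisUser) context.session().getObject(str);
    }

    /** {@link Session}-based variant of {@link #getUserFromSession(Context, String)}. */
    private PyxisUser getUserFromSession(Session session, String str) {
        if (!this.application.getSecurity().getSettings().storeUserAsId()) {
            return (PyxisUser) session.getAttribute(str);
        }
        Long id = (Long) session.getAttribute(str);
        return id == null ? null : this.application.getSecurity().getUser(id.longValue());
    }
}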
