package org.apache.qpid.server.management.plugin.filter;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
import org.apache.qpid.server.management.plugin.HttpManagementUtil;
import org.apache.qpid.server.management.plugin.HttpRequestInteractiveAuthenticator;
import org.apache.qpid.server.management.plugin.servlet.ServletConnectionPrincipal;
import org.apache.qpid.server.plugin.QpidServiceLoader;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;

/* loaded from: input_file:org/apache/qpid/server/management/plugin/filter/InteractiveAuthenticationFilter.class */
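/**
 * Servlet filter that gates the management interface behind interactive authentication.
 *
 * <p>A request passes straight through only when the subject returned by
 * {@code HttpManagementUtil.getAuthorisedSubject} already carries an
 * {@link AuthenticatedPrincipal}. Otherwise the request is handed to the first
 * registered {@link HttpRequestInteractiveAuthenticator} that supplies a handler; if none
 * does, the request is rejected with 403 and never reaches the rest of the chain.
 */
public class InteractiveAuthenticationFilter implements Filter {
    /** Authenticators discovered once at class-load time; the list is unmodifiable afterwards. */
    private static final Collection<HttpRequestInteractiveAuthenticator> AUTHENTICATORS;

    /** Management configuration resolved from the servlet context in {@link #init}. */
    private HttpManagementConfiguration _managementConfiguration;

    static {
        // Typed collection instead of raw ArrayList/Iterator, so no unchecked cast is needed.
        ArrayList<HttpRequestInteractiveAuthenticator> discovered = new ArrayList<>();
        for (HttpRequestInteractiveAuthenticator authenticator
                : new QpidServiceLoader().instancesOf(HttpRequestInteractiveAuthenticator.class)) {
            discovered.add(authenticator);
        }
        // NOTE(review): the order of this list decides which authenticator wins in doFilter;
        // presumably it is the service loader's discovery order - confirm it is deterministic.
        AUTHENTICATORS = Collections.unmodifiableList(discovered);
    }

    /** No resources are held, so there is nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Looks up the management configuration from the servlet context.
     *
     * @param filterConfig filter configuration supplied by the container
     * @throws ServletException declared by the {@link Filter} contract
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this._managementConfiguration = HttpManagementUtil.getManagementConfiguration(filterConfig.getServletContext());
    }

    /**
     * Lets already authenticated requests continue and routes all others to an interactive
     * authentication handler, failing closed with 403 when no handler is available.
     *
     * @param servletRequest incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse outgoing response; cast to {@link HttpServletResponse}
     * @param filterChain remainder of the filter chain
     * @throws IOException if writing the error response or a downstream filter fails
     * @throws ServletException if a downstream filter or the authentication handler fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;

        // A subject without an AuthenticatedPrincipal is treated exactly like no subject at all.
        Subject authorisedSubject = HttpManagementUtil.getAuthorisedSubject(httpServletRequest);
        if (authorisedSubject != null && !authorisedSubject.getPrincipals(AuthenticatedPrincipal.class).isEmpty()) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // First authenticator that returns a non-null handler takes the request.
        HttpRequestInteractiveAuthenticator.AuthenticationHandler authenticationHandler = null;
        for (HttpRequestInteractiveAuthenticator authenticator : AUTHENTICATORS) {
            authenticationHandler = authenticator.getAuthenticationHandler(httpServletRequest, this._managementConfiguration);
            if (authenticationHandler != null) {
                break;
            }
        }

        if (authenticationHandler == null) {
            // Fail closed: the chain is not invoked for an unauthenticated request.
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        invokeAuthenticationHandler(httpServletRequest, httpServletResponse, authenticationHandler);
    }

    /**
     * Runs the handler under a read-only subject whose only principal identifies the servlet
     * connection; the subject carries no credentials.
     *
     * @param httpServletRequest request used to build the connection principal
     * @param httpServletResponse response the handler writes its challenge or redirect to
     * @param authenticationHandler handler chosen by {@link #doFilter}
     * @throws ServletException wrapping the {@link PrivilegedActionException} raised when the handler fails
     */
    private void invokeAuthenticationHandler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpRequestInteractiveAuthenticator.AuthenticationHandler authenticationHandler) throws ServletException {
        Subject connectionSubject =
                new Subject(true, Set.of(new ServletConnectionPrincipal(httpServletRequest)), Set.of(), Set.of());
        try {
            // The explicit target type selects the PrivilegedExceptionAction overload; a bare lambda
            // is ambiguous between the two doAs overloads. Subject.doAs is deprecated for removal
            // on newer JDKs (Subject.callAs is the replacement).
            Subject.doAs(connectionSubject, (java.security.PrivilegedExceptionAction<Void>) () -> {
                authenticationHandler.handleAuthentication(httpServletResponse);
                return null;
            });
        } catch (PrivilegedActionException e) {
            throw new ServletException(e);
        }
    }
}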
