package org.owasp.esapi.reference;

import java.util.Date;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.owasp.esapi.Authenticator;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.HTTPUtilities;
import org.owasp.esapi.Logger;
import org.owasp.esapi.User;
import org.owasp.esapi.errors.AccessControlException;
import org.owasp.esapi.errors.AuthenticationCredentialsException;
import org.owasp.esapi.errors.AuthenticationException;
import org.owasp.esapi.errors.AuthenticationLoginException;
import org.owasp.esapi.errors.EnterpriseSecurityException;

/* loaded from: input_file:lib/XMLConnector.jar:lib/esapi-2.0GA.jar:org/owasp/esapi/reference/AbstractAuthenticator.class */
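/**
 * Shared login/logout plumbing for ESAPI {@link Authenticator} implementations
 * (this listing was decompiled from esapi-2.0GA.jar as bundled in
 * lib/XMLConnector.jar).
 *
 * <p>The concrete subclass supplies the account store through the
 * {@code getUser(String)} lookup it implements; everything here is driven by
 * that hook. {@link #login(HttpServletRequest, HttpServletResponse)} resolves
 * the caller from, in order, the HTTP session, the sealed "remember me"
 * cookie, and finally the username/password request parameters, runs the
 * account-state checks, and then publishes the user both on the calling
 * thread and under the session attribute {@link #USER}.
 *
 * <p>The per-thread user lives in an {@link InheritableThreadLocal}, so it is
 * never cleared implicitly: callers that reuse threads across requests must
 * call {@link #clearCurrent()} (or {@link #logout()}) when a request ends.
 */
public abstract class AbstractAuthenticator implements Authenticator {

    /** Session attribute key under which the authenticated {@link User} is stored. */
    protected static final String USER = "ESAPIUserSessionKey";

    // Plain logger name. The decompiler had folded this literal into the unrelated
    // constant org.opensaml.ws.wstrust.Authenticator.ELEMENT_LOCAL_NAME, which gave
    // this class a spurious compile-time dependency on OpenSAML.
    private final Logger logger = ESAPI.getLogger("Authenticator");

    private final ThreadLocalUser currentUser = new ThreadLocalUser();

    /**
     * Per-thread holder for the current user. A thread that has never had a
     * user bound reads {@link User#ANONYMOUS}; because this is an
     * {@link InheritableThreadLocal}, threads spawned from a thread that has a
     * user bound start with that user as well.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public class ThreadLocalUser extends InheritableThreadLocal<User> {
        private ThreadLocalUser() {
        }

        @Override // java.lang.ThreadLocal
        public User initialValue() {
            return User.ANONYMOUS;
        }

        /** @return the user bound to the calling thread (the initial value if none was ever set) */
        public User getUser() {
            return super.get();
        }

        /** Binds {@code user} to the calling thread; {@code null} is accepted and stored as-is. */
        public void setUser(User user) {
            super.set(user);
        }
    }

    /**
     * Unbinds the user from the calling thread. The stored value becomes
     * {@code null}, which {@link #getCurrentUser()} reports as {@link User#ANONYMOUS}.
     */
    @Override // org.owasp.esapi.Authenticator
    public void clearCurrent() {
        this.currentUser.setUser(null);
    }

    /**
     * @param str account name to look up
     * @return {@code true} when the implementation's {@code getUser(String)} resolves it
     */
    @Override // org.owasp.esapi.Authenticator
    public boolean exists(String str) {
        return getUser(str) != null;
    }

    /**
     * @return the user bound to the calling thread, never {@code null}; a
     *         {@code null} binding (see {@link #clearCurrent()}) reads as
     *         {@link User#ANONYMOUS}
     */
    @Override // org.owasp.esapi.Authenticator
    public User getCurrentUser() {
        User bound = this.currentUser.getUser();
        return bound != null ? bound : User.ANONYMOUS;
    }

    /**
     * Reads the user stored in the current request's existing HTTP session.
     * The session is not created if absent.
     *
     * @return the {@link User} stored under {@link #USER}, or {@code null} when
     *         there is no session or the attribute is missing
     */
    protected User getUserFromSession() {
        HTTPUtilities http = ESAPI.httpUtilities();
        if (http.getCurrentRequest().getSession(false) == null) {
            return null;
        }
        return (User) http.getSessionAttribute(USER);
    }

    /**
     * Attempts a login from the sealed "remember me" cookie on the current request.
     *
     * <p>Security note: the unsealed token is {@code accountName|password}, and
     * the second field is passed straight to {@code loginWithPassword}. The
     * cookie therefore carries a real credential, so the encryptor's seal key
     * protects a password, not merely a session handle.
     *
     * @return the logged-in user, or {@code null} when there is no cookie or
     *         the token is malformed, for an unknown account, or no longer
     *         authenticates. Every failure path except "no cookie" also expires
     *         the cookie on the current response, so a bad token is not
     *         re-processed on every request.
     */
    protected DefaultUser getUserFromRememberToken() {
        HttpServletRequest request = ESAPI.currentRequest();
        try {
            String token = ESAPI.httpUtilities().getCookie(request, HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME);
            if (token == null) {
                return null;
            }
            String[] fields = ESAPI.encryptor().unseal(token).split("\\|");
            if (fields.length != 2) {
                this.logger.warning(Logger.SECURITY_FAILURE, "Found corrupt or expired remember token");
                killRememberToken();
                return null;
            }
            String accountName = fields[0];
            String password = fields[1];
            DefaultUser user = (DefaultUser) getUser(accountName);
            if (user == null) {
                this.logger.warning(Logger.SECURITY_FAILURE, "Found valid remember token but no user matching " + accountName);
                // Previously the cookie survived this branch, so a token for a
                // deleted account was unsealed and logged again on every request.
                killRememberToken();
                return null;
            }
            this.logger.info(Logger.SECURITY_SUCCESS, "Logging in user with remember token: " + user.getAccountName());
            user.loginWithPassword(password);
            return user;
        } catch (AuthenticationException e) {
            // The password inside the token no longer authenticates.
            this.logger.warning(Logger.SECURITY_FAILURE, "Login via remember me cookie failed", e);
            killRememberToken();
            return null;
        } catch (EnterpriseSecurityException e) {
            // Any other ESAPI failure on the way here (presumably a failed unseal).
            this.logger.warning(Logger.SECURITY_FAILURE, "Remember token was missing, corrupt, or expired");
            killRememberToken();
            return null;
        }
    }

    /** Expires the remember-me cookie on the current response. */
    private void killRememberToken() {
        ESAPI.httpUtilities().killCookie(ESAPI.currentRequest(), ESAPI.currentResponse(), HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME);
    }

    /**
     * Authenticates from the configured username and password request parameters.
     * A non-anonymous user already bound to this thread is logged out first
     * (re-login). On success the request is tagged with the user's CSRF token
     * as an attribute name whose value is {@code "authenticated"}.
     *
     * @throws AuthenticationCredentialsException when either parameter is
     *         missing or the username is unknown; the log message names the
     *         username (or "unspecified user"), never the password
     * @throws AuthenticationException as raised by {@code loginWithPassword}
     */
    private User loginWithUsernameAndPassword(HttpServletRequest httpServletRequest) throws AuthenticationException {
        String username = httpServletRequest.getParameter(ESAPI.securityConfiguration().getUsernameParameterName());
        String password = httpServletRequest.getParameter(ESAPI.securityConfiguration().getPasswordParameterName());

        User existing = getCurrentUser();
        if (existing != null && !existing.isAnonymous()) {
            this.logger.warning(Logger.SECURITY_SUCCESS, "User requested relogin. Performing logout then authentication");
            existing.logout();
        }

        if (username == null || password == null) {
            String who = username == null ? "unspecified user" : username;
            throw new AuthenticationCredentialsException("Authentication failed", "Authentication failed for " + who + " because of null username or password");
        }
        User user = getUser(username);
        if (user == null) {
            throw new AuthenticationCredentialsException("Authentication failed", "Authentication failed because user " + username + " doesn't exist");
        }
        user.loginWithPassword(password);
        httpServletRequest.setAttribute(user.getCSRFToken(), "authenticated");
        return user;
    }

    /** Logs in against the request/response ESAPI has bound to the current thread. */
    @Override // org.owasp.esapi.Authenticator
    public User login() throws AuthenticationException {
        return login(ESAPI.currentRequest(), ESAPI.currentResponse());
    }

    /**
     * Resolves and validates the user for this request, then makes it current.
     *
     * <p>Order of work: secure-channel check, then session user, then
     * remember-me token, then username/password parameters; then host
     * bookkeeping and the account-state checks (anonymous, disabled, locked,
     * expired, inactivity and absolute session timeouts), each of which logs
     * the user out and, except for the anonymous case, records a failed login.
     * Finally the user is bound to the thread and stored in the session.
     *
     * <p>The servlet session is reused as-is; nothing here rotates the session
     * id on login, so callers concerned about session fixation must do that
     * themselves.
     *
     * @param httpServletRequest  request carrying the session, cookie or credentials
     * @param httpServletResponse response the remember-me cookie may be expired on
     * @return the authenticated, non-anonymous, enabled user
     * @throws AuthenticationCredentialsException when either argument is
     *         {@code null}, or credentials are missing/unknown
     * @throws AuthenticationException when the request is not secure, or the
     *         account fails one of the state checks above
     */
    @Override // org.owasp.esapi.Authenticator
    public User login(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
        if (httpServletRequest == null || httpServletResponse == null) {
            throw new AuthenticationCredentialsException("Invalid request", "Request or response objects were null");
        }

        // Refuse an insecure request before any credential is touched. The
        // original ordering verified the password (and unsealed the remember-me
        // cookie) first and only then ran this check, so a password posted over
        // plaintext was still accepted and compared; it also checked
        // ESAPI.currentRequest() rather than the request the credentials are
        // actually read from.
        try {
            ESAPI.httpUtilities().assertSecureRequest(httpServletRequest);
        } catch (AccessControlException e) {
            throw new AuthenticationException("Attempt to login with an insecure request", e.getLogMessage(), e);
        }

        DefaultUser user = (DefaultUser) getUserFromSession();
        if (user == null) {
            user = getUserFromRememberToken();
        }
        if (user == null) {
            user = (DefaultUser) loginWithUsernameAndPassword(httpServletRequest);
        }

        // NOTE(review): getRemoteHost() may involve a reverse DNS lookup and is
        // client-influenced; treat the stored value as bookkeeping, not identity.
        user.setLastHostAddress(httpServletRequest.getRemoteHost());

        if (user.isAnonymous()) {
            user.logout();
            throw new AuthenticationLoginException("Login failed", "Anonymous user cannot be set to current user. User: " + user.getAccountName());
        }
        if (!user.isEnabled()) {
            recordRefusedLogin(user);
            throw new AuthenticationLoginException("Login failed", "Disabled user cannot be set to current user. User: " + user.getAccountName());
        }
        if (user.isLocked()) {
            recordRefusedLogin(user);
            throw new AuthenticationLoginException("Login failed", "Locked user cannot be set to current user. User: " + user.getAccountName());
        }
        if (user.isExpired()) {
            recordRefusedLogin(user);
            throw new AuthenticationLoginException("Login failed", "Expired user cannot be set to current user. User: " + user.getAccountName());
        }
        if (user.isSessionTimeout()) {
            recordRefusedLogin(user);
            throw new AuthenticationLoginException("Login failed", "Session inactivity timeout: " + user.getAccountName());
        }
        if (user.isSessionAbsoluteTimeout()) {
            recordRefusedLogin(user);
            throw new AuthenticationLoginException("Login failed", "Session absolute timeout: " + user.getAccountName());
        }

        user.setLocale(httpServletRequest.getLocale());
        HttpSession session = httpServletRequest.getSession();
        user.addSession(session);
        session.setAttribute(USER, user);
        setCurrentUser(user);
        return user;
    }

    /**
     * Bookkeeping for an account that authenticated but may not log in
     * (disabled, locked, expired, or timed out): log it out and record the
     * attempt as a failed login.
     */
    private static void recordRefusedLogin(DefaultUser user) {
        user.logout();
        user.incrementFailedLoginCount();
        user.setLastFailedLoginTime(new Date());
    }

    /** Logs out the thread's current user; a no-op when none or anonymous is bound. */
    @Override // org.owasp.esapi.Authenticator
    public void logout() {
        User bound = getCurrentUser();
        if (bound != null && !bound.isAnonymous()) {
            bound.logout();
        }
    }

    /** Binds {@code user} to the calling thread (and, being inheritable, to threads it spawns). */
    @Override // org.owasp.esapi.Authenticator
    public void setCurrentUser(User user) {
        this.currentUser.setUser(user);
    }
}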
