package com.tridium.jetty;

import com.tridium.authn.BAuthenticationService;
import com.tridium.authn.BDigestAuthenticationScheme;
import com.tridium.authn.LoginFailureCause;
import com.tridium.user.BGlobalPasswordConfiguration;
import com.tridium.user.BUserPasswordConfiguration;
import com.tridium.web.CookieUtil;
import com.tridium.web.authn.BHttpCallbackHandler;
import com.tridium.web.servlets.LoginSupport;
import com.tridium.web.servlets.WbServlet;
import com.tridium.web.servlets.WebStartServlet;
import com.tridium.web.session.NiagaraWebSession;
import com.tridium.web.session.WebSessionUtil;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.StringJoiner;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.baja.authn.BAuthenticationScheme;
import javax.baja.authn.BPasswordAuthenticationScheme;
import javax.baja.authn.BSSOAuthenticationScheme;
import javax.baja.file.types.application.BWasmFile;
import javax.baja.file.types.audio.BAudioFile;
import javax.baja.file.types.font.BFontFile;
import javax.baja.file.types.image.BImageFile;
import javax.baja.file.types.text.BCssFile;
import javax.baja.file.types.text.BHbsFile;
import javax.baja.file.types.text.BJavascriptFile;
import javax.baja.file.types.text.BJsonFile;
import javax.baja.file.types.video.BVideoFile;
import javax.baja.nre.util.FileUtil;
import javax.baja.registry.TypeInfo;
import javax.baja.security.BPassword;
import javax.baja.security.BPasswordAuthenticator;
import javax.baja.security.BPasswordCache;
import javax.baja.sys.BAbsTime;
import javax.baja.sys.BRelTime;
import javax.baja.sys.Flags;
import javax.baja.sys.LocalizableException;
import javax.baja.sys.Property;
import javax.baja.sys.Sys;
import javax.baja.user.BUser;
import javax.baja.user.BUserService;
import javax.baja.util.BTypeSpec;
import javax.baja.util.Lexicon;
import javax.baja.web.BWebService;
import javax.baja.web.authn.AuthMessage;
import javax.baja.web.authn.BHttpHeaderCallbackHandler;
import javax.baja.web.authn.BILoginHTMLForm;
import javax.baja.web.authn.BWebCallbackHandler;
import javax.baja.web.servlets.UnauthenticatedServlet;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.security.authentication.DeferredAuthentication;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.servlet.ServletHolder;

/* loaded from: input_file:com/tridium/jetty/NiagaraAuthenticator.class */
public final class NiagaraAuthenticator extends LoginAuthenticator {
    // Authentication method name reported to Jetty by getAuthMethod().
    private static final String AUTH_METHOD = "NIAGARA_AUTH";
    // Form-login submit path; presumably what isJSecurityCheck() (not visible here) compares against.
    private static final String __J_SECURITY_CHECK = "/j_security_check";
    // Session attribute keys that carry login state across the redirect round-trips of a login:
    // the callback handler currently driving the login, the scheme it belongs to, the login form the
    // user is on, the alternative forms still available and the candidate schemes still to try.
    protected static final String SESS_ATTR_CALLBACK = "callbackHandler";
    protected static final String SESS_ATTR_AUTH_SCHEME = "authenticationScheme";
    public static final String SESS_ATTR_CURRENT_FORM = "currentForm";
    public static final String SESS_ATTR_FORMS = "loginForms";
    public static final String SESS_ATTR_SCHEMES = "authenticationSchemes";
    // Not read in the visible part of this class.
    private boolean webStartEnabled = false;
    // Not referenced in the visible part of this class.
    private static final String[] TERMINAL_BLACKLIST = {"/login", "/logout", "/prelogin"};
    private static final Logger log = Logger.getLogger("web");

    /* loaded from: input_file:com/tridium/jetty/NiagaraAuthenticator$NiagaraAuthentication.class */
    /**
     * Authentication result for a completed login whose response has already been written
     * (the redirect to the origin URI); {@link Authentication.ResponseSent} tells Jetty that the
     * response is finished.
     */
    public static final class NiagaraAuthentication extends UserAuthentication implements Authentication.ResponseSent {
        /**
         * @param str          the authentication method recorded on the identity (callers pass
         *                     the scheme name)
         * @param userIdentity the authenticated identity
         */
        public NiagaraAuthentication(String str, UserIdentity userIdentity) {
            super(str, userIdentity);
        }

        @Override
        public String toString() {
            return "Niagara".concat(super.toString());
        }
    }

    /* loaded from: input_file:com/tridium/jetty/NiagaraAuthenticator$NiagaraUserAuthentication.class */
    /**
     * Authentication result for a header-based (Basic / handshake) login: the request continues
     * to its target, so it is only an {@link Authentication.User}.
     */
    public static final class NiagaraUserAuthentication extends UserAuthentication implements Authentication.User {
        /**
         * @param str          the authentication method recorded on the identity (callers pass
         *                     the scheme name)
         * @param userIdentity the authenticated identity
         */
        public NiagaraUserAuthentication(String str, UserIdentity userIdentity) {
            super(str, userIdentity);
        }

        @Override
        public String toString() {
            return "Niagara".concat(super.toString());
        }
    }

    /**
     * Returns the authentication method name Jetty records for identities produced by this
     * authenticator ({@value #AUTH_METHOD}).
     */
    @Override
    public String getAuthMethod() {
        return AUTH_METHOD;
    }

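    /**
     * Jetty {@code Authenticator} entry point: routes the request to the appropriate Niagara login
     * flow or redirects it to the login page.
     *
     * <p>Order of evaluation: requests whose target servlet derives from
     * {@link UnauthenticatedServlet} are deferred; {@code /login-kerb*} goes to the Kerberos flow;
     * WebStart bootstrap requests are deferred; the form-login check URI is handled by
     * {@link #jSecurityCheck}; an authentication already cached in the session by Jetty is reused;
     * a request carrying an {@code Authorization} header goes to the header flow (Basic /
     * {@code HELLO}); anything else is redirected to {@code /login}.
     *
     * @param servletRequest  the request (must be an {@link HttpServletRequest})
     * @param servletResponse the response (must be an {@link HttpServletResponse})
     * @param z               Jetty's {@code mandatory} flag; not consulted by this authenticator
     * @return the authentication outcome handed back to Jetty
     * @throws ServerAuthException wrapping any {@link IOException} raised while redirecting
     */
    @Override
    public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean z) throws ServerAuthException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        NiagaraWebSession session = WebSessionUtil.getSession(request);
        LoginSupport.handleUsernameCookie(request, response);

        String requestURI = request.getRequestURI();
        if (requestURI == null) {
            requestURI = "/";
        }

        // Servlets derived from UnauthenticatedServlet serve content that needs no login; defer so
        // they can request authentication themselves if they want it.
        if (request instanceof Request && isUnauthenticatedServletTarget((Request) request)) {
            return new DeferredAuthentication(this);
        }

        try {
            // Locale-independent, case-insensitive prefix test: toLowerCase() in the default
            // locale can fail to match (e.g. the dotless i of Turkish locales).
            final String kerberosPrefix = "/login-kerb";
            if (requestURI.regionMatches(true, 0, kerberosPrefix, 0, kerberosPrefix.length())) {
                return authenticateKerberos(request, response, requestURI);
            }
            if (isWebStartDeferredRequest(requestURI) && !DeferredAuthentication.isDeferred(response)) {
                return new DeferredAuthentication(this);
            }
            if (isJSecurityCheck(requestURI)) {
                return jSecurityCheck(request, response, requestURI);
            }
            // Authentication Jetty cached in the session on an earlier request.
            Authentication cached = (Authentication) session.getAttribute("org.eclipse.jetty.security.UserIdentity");
            if (cached != null) {
                return cached;
            }
            if (request.getHeader("Authorization") != null) {
                return authenticateHeader(request, response, requestURI);
            }
            // Remember where to send the user after login. The stored value is later passed to
            // sendRedirect(), so isValidRedirect() is the guard against redirecting off-site.
            if (isValidRedirect(request)) {
                session.setAttribute("originURI", originUri(request, requestURI));
            }
            boolean previousFailure = session.getAttribute("loginFailureCause") != null;
            response.sendRedirect(previousFailure ? "/login?auth=fail" : "/login");
            return Authentication.SEND_CONTINUE;
        } catch (IOException e) {
            throw new ServerAuthException(e);
        }
    }

    /** True when the servlet Jetty resolved for this request derives from UnauthenticatedServlet. */
    private static boolean isUnauthenticatedServletTarget(Request request) {
        // ServletHolder implements Jetty's UserIdentity.Scope, which is what the request exposes.
        Object scope = request.getUserIdentityScope();
        return scope instanceof ServletHolder
            && UnauthenticatedServlet.class.isAssignableFrom(((ServletHolder) scope).getHeldClass());
    }

    /** Request path plus its query string, if any; this is what the "originURI" attribute holds. */
    private static String originUri(HttpServletRequest request, String requestURI) {
        String query = request.getQueryString();
        return query == null ? requestURI : requestURI + "?" + query;
    }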

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v28, types: [java.util.List] */
    /* JADX WARN: Type inference failed for: r0v39, types: [java.util.List] */
    /* JADX WARN: Type inference failed for: r0v42, types: [java.util.List] */
    /**
     * Handles a submission to the form-login check URI.
     *
     * <p>Builds the list of candidate authentication schemes for the username held in the session
     * ({@code arrayList}) and, where several login forms are possible, the list of alternative
     * forms ({@code arrayList2}). It then drives the first candidate scheme's
     * {@link BWebCallbackHandler} and acts on its result code; schemes that fail are dropped from
     * the front of the list and the loop moves on to the next one.
     *
     * <p>Session attributes written here ({@code SESS_ATTR_*}, {@code "username"},
     * {@code "forceReset"}, {@code "loginFailureCause"}, {@code "resetError"}) carry the login state
     * across the redirect round-trips with the browser. The variable types and names are
     * decompiler output (see the JADX warnings above); several declared types are narrower than
     * the values actually assigned.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response; redirects and cookies are written to it
     * @param str                 the request URI; not read in this method
     * @return a {@link NiagaraAuthentication} on success, {@code SEND_CONTINUE} when another
     *         round-trip with the browser is needed, {@code SEND_FAILURE} when all schemes failed
     * @throws IOException if a redirect cannot be written
     */
    private Authentication jSecurityCheck(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException {
        ArrayList arrayList; // candidate schemes, tried front to back
        NiagaraWebSession session = WebSessionUtil.getSession(httpServletRequest);
        String str2 = (String) session.getAttribute("username");
        if (str2 == null) {
            str2 = "";
        }
        BUserService service = Sys.getService(BUserService.TYPE);
        ArrayList arrayList2 = new ArrayList(); // alternative login forms still available
        BILoginHTMLForm bILoginHTMLForm = null; // the login form the user is currently on
        BAuthenticationService service2 = Sys.getService(BAuthenticationService.TYPE);
        if (service2.getStrictAuthentication()) {
            // Strict mode: only the scheme the user selected on the login page is tried.
            arrayList = new ArrayList();
            arrayList.add(LoginSupport.getSelectedAuthenticationScheme(session));
        } else if (service.getUser(str2) == null) {
            // No local user of that name (or no username yet): try the remote schemes whose login
            // form has the same type as the current form.
            arrayList2 = (List) session.getAttribute(SESS_ATTR_FORMS);
            List remoteSchemes = service2.getRemoteSchemes();
            bILoginHTMLForm = (BILoginHTMLForm) session.getAttribute(SESS_ATTR_CURRENT_FORM);
            if (arrayList2 == null) {
                // First pass: the current form first, then every distinct form a remote scheme offers.
                arrayList2 = new ArrayList();
                arrayList2.add(bILoginHTMLForm);
                Iterator it = remoteSchemes.iterator();
                while (it.hasNext()) {
                    BILoginHTMLForm agentOn = ((BAuthenticationScheme) it.next()).getAgentOn(BILoginHTMLForm.class);
                    if (agentOn != null && !arrayList2.contains(agentOn)) {
                        arrayList2.add(agentOn);
                    }
                }
            }
            arrayList2.remove(bILoginHTMLForm);
            arrayList = (List) session.getAttribute(SESS_ATTR_SCHEMES);
            if (arrayList == null) {
                // Mutates the list returned by getRemoteSchemes(); assumes it is a fresh, mutable
                // copy rather than the service's own list — TODO confirm.
                arrayList = service2.getRemoteSchemes();
                if (bILoginHTMLForm != null) {
                    int i = 0;
                    while (i < arrayList.size()) {
                        BILoginHTMLForm agentOn2 = ((BAuthenticationScheme) arrayList.get(i)).getAgentOn(BILoginHTMLForm.class);
                        if (agentOn2 == null || !agentOn2.getType().equals(bILoginHTMLForm.getType())) {
                            // Drop schemes without a form, or with a form of another type.
                            arrayList.remove(i);
                            i--;
                        }
                        i++;
                    }
                }
            }
        } else {
            // Known local user: use that user's configured scheme, provided it supports an HTML form.
            arrayList = new ArrayList();
            try {
                BAuthenticationScheme authenticationSchemeForUser = service.getAuthenticationSchemeForUser(str2);
                if (authenticationSchemeForUser.getAgentOn(BILoginHTMLForm.class) != null) {
                    arrayList.add(service.getAuthenticationSchemeForUser(str2));
                } else {
                    log.warning(String.format("User <%s> attempting web login with unsupported authentication scheme <%s>", str2, authenticationSchemeForUser.getName()));
                }
            } catch (Exception e) {
                // NOTE(review): swallowed without logging; the user then gets the digest fallback below.
            }
        }
        if (arrayList.isEmpty()) {
            // Always have a scheme to run, so the flow below behaves the same for every username.
            arrayList.add(new BDigestAuthenticationScheme());
        }
        while (!arrayList.isEmpty()) {
            BAuthenticationScheme bAuthenticationScheme = (BAuthenticationScheme) arrayList.get(0);
            // Where the user is sent after a successful login; set by validateRequest() after its
            // isValidRedirect() check.
            String str3 = (String) session.getAttribute("originURI");
            if (str3 == null) {
                str3 = "/ord";
            }
            BWebCallbackHandler bWebCallbackHandler = (BWebCallbackHandler) session.getAttribute(SESS_ATTR_CALLBACK);
            BAuthenticationScheme bAuthenticationScheme2 = (BSSOAuthenticationScheme) session.getAttribute("ssoScheme");
            if (bAuthenticationScheme2 != null) {
                // An SSO scheme recorded in the session overrides the candidate list.
                bWebCallbackHandler = (BWebCallbackHandler) bAuthenticationScheme2.getAgentOn(BWebCallbackHandler.class);
                session.setAttribute(SESS_ATTR_CALLBACK, bWebCallbackHandler);
                bAuthenticationScheme = bAuthenticationScheme2;
            } else if (bWebCallbackHandler == null) {
                // No handler in progress: start a fresh session and a fresh handler for this scheme.
                session = recreateSession(httpServletRequest, str3);
                bWebCallbackHandler = (BWebCallbackHandler) bAuthenticationScheme.getAgentOn(BWebCallbackHandler.class);
                session.setAttribute(SESS_ATTR_CALLBACK, bWebCallbackHandler);
            } else if (!bWebCallbackHandler.getType().equals(bAuthenticationScheme.getAgentOn(BWebCallbackHandler.class).getType())) {
                // The stored handler belongs to a different scheme; do not reuse its state.
                session = recreateSession(httpServletRequest, str3);
                bWebCallbackHandler = (BWebCallbackHandler) bAuthenticationScheme.getAgentOn(BWebCallbackHandler.class);
                session.setAttribute(SESS_ATTR_CALLBACK, bWebCallbackHandler);
            }
            session.setAttribute(SESS_ATTR_AUTH_SCHEME, bAuthenticationScheme);
            // Result codes as used here: 0 = handler has the credentials, attempt login;
            // 1 = handler needs another round-trip; 2 = show the login page again;
            // 3 = this scheme failed, try the next. Meanings inferred from usage — confirm against
            // BWebCallbackHandler.
            int handleRequest = bWebCallbackHandler.handleRequest(httpServletRequest, httpServletResponse);
            if (handleRequest == 2) {
                httpServletResponse.sendRedirect("/login");
                return Authentication.SEND_CONTINUE;
            }
            if (handleRequest == 0) {
                arrayList.remove(0);
                if (bWebCallbackHandler.getUsername() == null) {
                    httpServletResponse.sendRedirect("/login");
                    return Authentication.SEND_CONTINUE;
                }
                // Remember a newly entered username; the cookie is optional and is only marked
                // Secure when the request itself came over TLS.
                if (!str2.equals(bWebCallbackHandler.getUsername()) && !bWebCallbackHandler.getUsername().isEmpty() && !(bAuthenticationScheme instanceof BSSOAuthenticationScheme)) {
                    session.setAttribute("username", bWebCallbackHandler.getUsername());
                    if (Sys.getService(BWebService.TYPE).getRememberUserIdCookie()) {
                        Cookie createCookie = CookieUtil.createCookie("niagara_userid", bWebCallbackHandler.getUsername(), CookieUtil.COOKIE_AGE);
                        createCookie.setSecure(httpServletRequest.isSecure());
                        httpServletResponse.addCookie(createCookie);
                    }
                }
                str2 = bWebCallbackHandler.getUsername();
                UserIdentity login = login(bWebCallbackHandler.getUsername(), session, httpServletRequest);
                if (login != null) {
                    // Credentials accepted; a pending forced password reset may still block completion.
                    Boolean bool = (Boolean) session.getAttribute("forceReset");
                    if (bool == null || !bool.booleanValue()) {
                        if (handlePasswordReset(httpServletRequest, httpServletResponse, service.getUser(str2))) {
                            // handlePasswordReset() already redirected and may have recreated the session.
                            NiagaraWebSession session2 = WebSessionUtil.getSession(httpServletRequest);
                            LoginFailureCause loginFailureCause = (LoginFailureCause) session2.getAttribute("loginFailureCause");
                            if (loginFailureCause != null && (loginFailureCause == LoginFailureCause.ILLEGAL_NETWORK_USER_RESET || loginFailureCause == LoginFailureCause.INSECURE_PASSWORD_RESET)) {
                                return Authentication.SEND_FAILURE;
                            }
                            session2.setAttribute(SESS_ATTR_CALLBACK, bWebCallbackHandler);
                            session2.setAttribute(SESS_ATTR_CURRENT_FORM, bILoginHTMLForm);
                            session2.setAttribute(SESS_ATTR_FORMS, arrayList2);
                            session2.setAttribute(SESS_ATTR_SCHEMES, arrayList);
                            return Authentication.SEND_CONTINUE;
                        }
                    } else {
                        if (httpServletRequest.getParameter("resetToken") == null) {
                            // Reset required but no new password submitted yet: keep the flag and
                            // send the user back to the login page.
                            NiagaraWebSession recreateSession = recreateSession(httpServletRequest, str3);
                            recreateSession.setAttribute("forceReset", true);
                            recreateSession.setAttribute(SESS_ATTR_CALLBACK, bWebCallbackHandler);
                            recreateSession.setAttribute(SESS_ATTR_CURRENT_FORM, bILoginHTMLForm);
                            recreateSession.setAttribute(SESS_ATTR_FORMS, arrayList2);
                            recreateSession.setAttribute(SESS_ATTR_SCHEMES, arrayList);
                            httpServletResponse.sendRedirect("/login");
                            return Authentication.SEND_CONTINUE;
                        }
                        try {
                            // "resetToken" is the base64-encoded new password. Decoding uses the
                            // platform default charset (no StandardCharsets.UTF_8), so non-ASCII
                            // passwords may decode differently across platforms.
                            resetPassword(service.getUser(str2), new String(Base64.getDecoder().decode(httpServletRequest.getParameter("resetToken"))));
                            session.setAttribute("forceReset", false);
                        } catch (Exception e2) {
                            // The exception message is shown to the user via "resetError".
                            log.log(Level.SEVERE, "Unable to Reset Password", (Throwable) e2);
                            String message = e2.getMessage();
                            if (message == null) {
                                message = "Security Exception";
                            }
                            NiagaraWebSession recreateSession2 = recreateSession(httpServletRequest, str3);
                            recreateSession2.setAttribute("forceReset", true);
                            recreateSession2.setAttribute("resetError", message);
                            recreateSession2.setAttribute(SESS_ATTR_CALLBACK, bWebCallbackHandler);
                            recreateSession2.setAttribute(SESS_ATTR_CURRENT_FORM, bILoginHTMLForm);
                            recreateSession2.setAttribute(SESS_ATTR_FORMS, arrayList2);
                            recreateSession2.setAttribute(SESS_ATTR_SCHEMES, arrayList);
                            httpServletResponse.sendRedirect("/login");
                            return Authentication.SEND_CONTINUE;
                        }
                    }
                    // Login complete: send the user to the origin URI and clear the login state.
                    httpServletResponse.sendRedirect(str3);
                    session.removeAttribute(SESS_ATTR_CALLBACK);
                    session.removeAttribute(SESS_ATTR_AUTH_SCHEME);
                    session.removeAttribute(SESS_ATTR_CURRENT_FORM);
                    session.removeAttribute(SESS_ATTR_SCHEMES);
                    session.removeAttribute(SESS_ATTR_FORMS);
                    return new NiagaraAuthentication(bAuthenticationScheme.getSchemeName(), login);
                }
                if (arrayList.isEmpty()) {
                    // Every candidate scheme failed: fresh session carrying only the failure cause
                    // and the forms the user may still choose from.
                    LoginFailureCause loginFailureCause2 = (LoginFailureCause) session.getAttribute("loginFailureCause");
                    NiagaraWebSession recreateSession3 = recreateSession(httpServletRequest, str3);
                    recreateSession3.setAttribute("loginFailureCause", loginFailureCause2);
                    if (!arrayList2.isEmpty()) {
                        recreateSession3.setAttribute(SESS_ATTR_CURRENT_FORM, arrayList2.get(0));
                        recreateSession3.setAttribute(SESS_ATTR_FORMS, arrayList2);
                    }
                    httpServletResponse.sendRedirect("/login?auth=fail");
                    return Authentication.SEND_FAILURE;
                }
            } else {
                if (handleRequest == 1) {
                    // Handler wrote its own response; persist the state for the next step.
                    session.setAttribute(SESS_ATTR_CALLBACK, bWebCallbackHandler);
                    session.setAttribute(SESS_ATTR_CURRENT_FORM, bILoginHTMLForm);
                    session.setAttribute(SESS_ATTR_FORMS, arrayList2);
                    session.setAttribute(SESS_ATTR_SCHEMES, arrayList);
                    return Authentication.SEND_CONTINUE;
                }
                if (handleRequest == 3) {
                    // This scheme rejected the attempt; offer the remaining schemes/forms next time.
                    arrayList.remove(0);
                    NiagaraWebSession recreateSession4 = recreateSession(httpServletRequest, str3);
                    if (!arrayList.isEmpty()) {
                        recreateSession4.setAttribute(SESS_ATTR_CURRENT_FORM, bILoginHTMLForm);
                        recreateSession4.setAttribute(SESS_ATTR_SCHEMES, arrayList);
                    } else if (!arrayList2.isEmpty()) {
                        recreateSession4.setAttribute(SESS_ATTR_CURRENT_FORM, arrayList2.get(0));
                    }
                    if (!arrayList2.isEmpty()) {
                        recreateSession4.setAttribute(SESS_ATTR_FORMS, arrayList2);
                    }
                    httpServletResponse.sendRedirect("/login?auth=fail");
                    return Authentication.SEND_FAILURE;
                }
            }
        }
        httpServletResponse.sendRedirect("/login");
        return Authentication.SEND_CONTINUE;
    }

    /**
     * Handles the {@code /login-kerb} flow: walks the candidate schemes until it finds the one named
     * {@code "n4Kerberos"} and drives that scheme's {@link BWebCallbackHandler}. Schemes with any
     * other name are discarded from the front of the list.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response; redirects are written to it
     * @param str                 the request URI; not read in this method
     * @return a {@link NiagaraAuthentication} on success, {@code SEND_CONTINUE} when the handler
     *         needs another round-trip, {@code SEND_FAILURE} when no scheme succeeded
     * @throws IOException if a redirect cannot be written
     */
    private Authentication authenticateKerberos(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException {
        NiagaraWebSession session = WebSessionUtil.getSession(httpServletRequest);
        // Candidate schemes left over from a previous step, else all remote schemes. The list is
        // mutated below; assumes getRemoteSchemes() returns a fresh, mutable copy — TODO confirm.
        List list = (List) session.getAttribute(SESS_ATTR_SCHEMES);
        if (list == null) {
            list = Sys.getService(BAuthenticationService.TYPE).getRemoteSchemes();
        }
        // Post-login destination, recorded by validateRequest() after its isValidRedirect() check.
        String str2 = (String) session.getAttribute("originURI");
        if (str2 == null) {
            str2 = "/ord";
        }
        while (!list.isEmpty()) {
            BAuthenticationScheme bAuthenticationScheme = (BAuthenticationScheme) list.get(0);
            if (bAuthenticationScheme.getSchemeName().equals("n4Kerberos")) {
                BWebCallbackHandler bWebCallbackHandler = (BWebCallbackHandler) session.getAttribute(SESS_ATTR_CALLBACK);
                if (bWebCallbackHandler == null) {
                    // No handler in progress: fresh session, fresh handler for this scheme.
                    session = recreateSession(httpServletRequest, str2);
                    bWebCallbackHandler = (BWebCallbackHandler) bAuthenticationScheme.getAgentOn(BWebCallbackHandler.class);
                    session.setAttribute(SESS_ATTR_CALLBACK, bWebCallbackHandler);
                }
                if (!bWebCallbackHandler.getType().equals(bAuthenticationScheme.getAgentOn(BWebCallbackHandler.class).getType())) {
                    // Stored handler belongs to another scheme; do not reuse its state.
                    session = recreateSession(httpServletRequest, str2);
                    bWebCallbackHandler = (BWebCallbackHandler) bAuthenticationScheme.getAgentOn(BWebCallbackHandler.class);
                    session.setAttribute(SESS_ATTR_CALLBACK, bWebCallbackHandler);
                }
                session.setAttribute(SESS_ATTR_AUTH_SCHEME, bAuthenticationScheme);
                // Result codes as used here: 0 = credentials gathered, attempt login;
                // 1 = another round-trip needed; 3 = failed. Inferred from usage — confirm against
                // BWebCallbackHandler.
                int handleRequest = bWebCallbackHandler.handleRequest(httpServletRequest, httpServletResponse);
                if (handleRequest == 0) {
                    list.remove(0);
                    // Empty username: the identity comes from the Kerberos handler, not from a form.
                    UserIdentity login = login("", session, httpServletRequest);
                    if (login != null) {
                        httpServletResponse.sendRedirect(str2);
                        session.removeAttribute(SESS_ATTR_CALLBACK);
                        session.removeAttribute(SESS_ATTR_AUTH_SCHEME);
                        session.removeAttribute(SESS_ATTR_SCHEMES);
                        return new NiagaraAuthentication(bAuthenticationScheme.getSchemeName(), login);
                    }
                    if (list.isEmpty()) {
                        recreateSession(httpServletRequest, str2);
                        httpServletResponse.sendRedirect("/prelogin?auth=fail");
                        return Authentication.SEND_FAILURE;
                    }
                } else {
                    if (handleRequest == 1) {
                        session.setAttribute(SESS_ATTR_CALLBACK, bWebCallbackHandler);
                        session.setAttribute(SESS_ATTR_SCHEMES, list);
                        return Authentication.SEND_CONTINUE;
                    }
                    if (handleRequest == 3) {
                        // recreateSession() is called twice here; the first result is discarded.
                        recreateSession(httpServletRequest, str2);
                        list.remove(0);
                        NiagaraWebSession recreateSession = recreateSession(httpServletRequest, str2);
                        if (!list.isEmpty()) {
                            recreateSession.setAttribute(SESS_ATTR_SCHEMES, list);
                        }
                        httpServletResponse.sendRedirect("/prelogin?auth=fail");
                        return Authentication.SEND_FAILURE;
                    }
                }
            } else {
                // Not the Kerberos scheme: skip it.
                list.remove(0);
                if (list.isEmpty()) {
                    recreateSession(httpServletRequest, str2);
                    httpServletResponse.sendRedirect("/prelogin?auth=fail");
                    return Authentication.SEND_FAILURE;
                }
            }
        }
        httpServletResponse.sendRedirect("/login");
        return Authentication.SEND_CONTINUE;
    }

    /**
     * Authenticates a request that carries an {@code Authorization} header, either HTTP Basic or
     * Niagara's {@code HELLO} handshake message ({@link AuthMessage}).
     *
     * <p>On the first request of an exchange the header is parsed only far enough to extract the
     * username, which selects the user's authentication scheme; the scheme's callback handler then
     * performs the actual credential check over one or more 401 round-trips. The password part of a
     * Basic header is not read by this method. Several declared variable types below are
     * decompiler artifacts (e.g. {@code bDigestAuthenticationScheme} holds whatever
     * {@link BAuthenticationScheme} the session or user service supplies).
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response; status, challenge and info headers are set on it
     * @param str                 the request URI, used as the origin of the recreated session
     * @return a {@link NiagaraUserAuthentication} on success, {@code SEND_CONTINUE} while the
     *         handshake is in progress, {@code SEND_FAILURE} otherwise
     * @throws IOException if an error response cannot be written
     */
    private Authentication authenticateHeader(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException {
        String header;
        NiagaraWebSession session = WebSessionUtil.getSession(httpServletRequest);
        boolean z = false; // true when the header is a HELLO handshake message
        String header2 = httpServletRequest.getHeader("Authorization");
        AuthMessage authMessage = null;
        try {
            authMessage = AuthMessage.decodeFromString(header2);
        } catch (IllegalArgumentException e) {
            // Not an AuthMessage; handled as a plain (e.g. Basic) header below.
        }
        BDigestAuthenticationScheme bDigestAuthenticationScheme = (BAuthenticationScheme) session.getAttribute(SESS_ATTR_AUTH_SCHEME);
        if (bDigestAuthenticationScheme == null) {
            String str2 = null; // username extracted from the header
            if (authMessage == null || !authMessage.getScheme().equalsIgnoreCase("HELLO")) {
                int indexOf = header2.indexOf(32); // ' ' separates scheme from credentials
                if (indexOf > -1) {
                    String substring = header2.substring(0, indexOf);
                    if ("Basic".equalsIgnoreCase(substring)) {
                        try {
                            // Platform default charset (no StandardCharsets.UTF_8); only the part
                            // before the first ':' is used.
                            String str3 = new String(Base64.getDecoder().decode(header2.substring(indexOf + 1)));
                            int indexOf2 = str3.indexOf(58); // ':'
                            if (indexOf2 > -1) {
                                str2 = str3.substring(0, indexOf2);
                            } else {
                                log.warning("Invalid authorization header, colon delimiter not found.");
                            }
                        } catch (IllegalArgumentException e2) {
                            log.warning("Invalid authorization header, not valid base64.");
                        }
                    } else {
                        log.warning("Invalid authorization header, scheme not supported: " + substring);
                    }
                } else {
                    log.warning("Invalid authorization header, unable to parse scheme.");
                }
            } else {
                z = true;
                try {
                    // HELLO carries the username base64url-encoded.
                    String parameter = authMessage.getParameter("username");
                    if (parameter != null) {
                        str2 = new String(Base64.getUrlDecoder().decode(parameter.getBytes()), StandardCharsets.UTF_8);
                    }
                } catch (IllegalArgumentException e3) {
                    // Malformed username parameter; str2 stays null and the request fails below.
                }
            }
            if (str2 != null) {
                bDigestAuthenticationScheme = Sys.getService(BUserService.TYPE).getAuthenticationSchemeForUser(str2);
                if (bDigestAuthenticationScheme == null && z) {
                    // Unknown user in a HELLO exchange still gets a scheme to run — presumably so
                    // the handshake proceeds the same way as for a known user; confirm.
                    bDigestAuthenticationScheme = new BDigestAuthenticationScheme();
                }
                session.setAttribute(SESS_ATTR_AUTH_SCHEME, bDigestAuthenticationScheme);
            }
        }
        BHttpCallbackHandler bHttpCallbackHandler = (BHttpCallbackHandler) session.getAttribute(SESS_ATTR_CALLBACK);
        if (bHttpCallbackHandler == null && bDigestAuthenticationScheme != null) {
            // HELLO uses the header-based handler; Basic uses the scheme's web handler.
            bHttpCallbackHandler = z ? (BHttpCallbackHandler) bDigestAuthenticationScheme.getAgentOn(BHttpHeaderCallbackHandler.class) : bDigestAuthenticationScheme.getAgentOn(BWebCallbackHandler.class);
            session.setAttribute(SESS_ATTR_CALLBACK, bHttpCallbackHandler);
        }
        if (bHttpCallbackHandler == null) {
            httpServletResponse.sendError(401, "Authentication failed.");
            return Authentication.SEND_FAILURE;
        }
        // Result codes as used here: 0 = credentials verified, complete the login;
        // 1 = challenge issued, client must continue; anything else = failure. Inferred from usage.
        int handleRequest = bHttpCallbackHandler.handleRequest(httpServletRequest, httpServletResponse);
        if (handleRequest != 0) {
            if (handleRequest != 1) {
                // A failed handshake answers 403; a failed Basic/web attempt answers 401.
                httpServletResponse.sendError(bHttpCallbackHandler instanceof BHttpHeaderCallbackHandler ? 403 : 401, "Authentication failed.");
                return Authentication.SEND_FAILURE;
            }
            httpServletResponse.setStatus(401);
            if ((bHttpCallbackHandler instanceof BHttpHeaderCallbackHandler) && (header = httpServletResponse.getHeader("WWW-Authenticate")) != null) {
                try {
                    // The session id is handed to the client as the handshake token so the next
                    // step of the exchange can be tied back to this session.
                    AuthMessage decodeFromString = AuthMessage.decodeFromString(header);
                    decodeFromString.setParameter("handshakeToken", session.getId());
                    httpServletResponse.setHeader("WWW-Authenticate", decodeFromString.encodeToString());
                } catch (IllegalArgumentException e4) {
                    // Challenge header written by the handler is not an AuthMessage; left as is.
                }
            }
            return Authentication.SEND_CONTINUE;
        }
        // Credentials verified: the login happens in a recreated session (new id), which the
        // handler and scheme are copied into for the duration of login().
        NiagaraWebSession recreateSession = recreateSession(httpServletRequest, str);
        recreateSession.setAttribute(SESS_ATTR_CALLBACK, bHttpCallbackHandler);
        recreateSession.setAttribute(SESS_ATTR_AUTH_SCHEME, bDigestAuthenticationScheme);
        UserIdentity login = login(bHttpCallbackHandler.getUsername(), recreateSession, httpServletRequest);
        recreateSession.removeAttribute(SESS_ATTR_CALLBACK);
        recreateSession.removeAttribute(SESS_ATTR_AUTH_SCHEME);
        if (login == null) {
            httpServletResponse.sendError(bHttpCallbackHandler instanceof BHttpHeaderCallbackHandler ? 403 : 401, "Authentication failed.");
            return Authentication.SEND_FAILURE;
        }
        if (bHttpCallbackHandler instanceof BHttpHeaderCallbackHandler) {
            // Authentication-Info: the new session id as authToken plus the handler's own
            // parameters, joined as key=value pairs without quoting or escaping.
            Map authInfoParameters = ((BHttpHeaderCallbackHandler) bHttpCallbackHandler).getAuthInfoParameters();
            StringJoiner stringJoiner = new StringJoiner(", ");
            stringJoiner.add("authToken=" + recreateSession.getId());
            for (Map.Entry entry : authInfoParameters.entrySet()) {
                stringJoiner.add(((String) entry.getKey()) + "=" + ((String) entry.getValue()));
            }
            httpServletResponse.setHeader("Authentication-Info", stringJoiner.toString());
        }
        return new NiagaraUserAuthentication(bDigestAuthenticationScheme.getSchemeName(), login);
    }

    /**
     * Applies the password-expiry policy after a successful credential check and, where the user
     * must or may change the password, redirects to the login page instead of completing the login.
     *
     * <p>Flags (decompiler names): {@code z} — a redirect was written and the caller must stop;
     * {@code z2} — a reset is required (expired, flagged for reset at next login, or accepted by
     * the user); {@code z3} — the required reset is permitted and {@code "forceReset"} was set;
     * {@code z4} — the user answered {@code yes-reset} to the expiry warning; {@code z5} — the
     * user is a read-only network user synchronised by a {@code niagaraDriver:UserSyncExt}, whose
     * password cannot be reset here.
     *
     * @param httpServletRequest  the current request; {@code yes-reset}/{@code no-reset} parameters
     *                            answer the expiry warning
     * @param httpServletResponse the current response; a redirect may be written to it
     * @param bUser               the user who has just authenticated
     * @return {@code true} if a redirect was written (the login must not complete), else {@code false}
     * @throws IOException if the redirect cannot be written
     */
    private boolean handlePasswordReset(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, BUser bUser) throws IOException {
        NiagaraWebSession session = WebSessionUtil.getSession(httpServletRequest);
        BAuthenticationScheme authenticationScheme = bUser.getAuthenticationScheme();
        // Declared type is a decompiler artifact: the instanceof test below shows the real
        // declared type is a supertype of BPasswordAuthenticator.
        BPasswordAuthenticator authenticator = bUser.getAuthenticator();
        BUserPasswordConfiguration bUserPasswordConfiguration = null;
        BGlobalPasswordConfiguration[] bGlobalPasswordConfigurationArr = (BGlobalPasswordConfiguration[]) authenticationScheme.getChildren(BGlobalPasswordConfiguration.class);
        if (authenticator instanceof BPasswordAuthenticator) {
            bUserPasswordConfiguration = authenticator.getPasswordConfig();
        }
        boolean z = false;
        boolean z2 = false;
        boolean z3 = false;
        boolean z4 = false;
        TypeInfo typeInfo = BTypeSpec.make("niagaraDriver", "UserSyncExt").getTypeInfo();
        Property property = bUser.getProperty("syncExt");
        boolean z5 = bUser.getNetworkUser() && Flags.isReadonly(bUser.getParent(), bUser.getPropertyInParent()) && property != null && typeInfo != null && property.getType().is(typeInfo);
        if (bUserPasswordConfiguration != null) {
            if (bGlobalPasswordConfigurationArr.length > 0) {
                BAbsTime expiration = bUserPasswordConfiguration.getExpiration();
                BRelTime warningPeriod = bGlobalPasswordConfigurationArr[0].getWarningPeriod();
                if (!expiration.isNull() && expiration.isBefore(BAbsTime.now())) {
                    // Already expired: reset is mandatory.
                    z2 = true;
                } else if (!expiration.isNull() && expiration.subtract(warningPeriod).isBefore(BAbsTime.now())) {
                    // Inside the warning period: offer an early reset and wait for the answer.
                    session.setAttribute("passwordExpires", Long.valueOf(expiration.getMillis()));
                    session.setAttribute("networkUser", Boolean.valueOf(z5));
                    z = true;
                    if (httpServletRequest.getParameter("yes-reset") != null) {
                        z4 = true;
                        session.removeAttribute("passwordExpires");
                        session.removeAttribute("networkUser");
                    } else if (httpServletRequest.getParameter("no-reset") != null) {
                        session.removeAttribute("passwordExpires");
                        session.removeAttribute("networkUser");
                        z = false;
                    }
                }
            }
            z2 = bUserPasswordConfiguration.getForceResetAtNextLogin() || z4 || z2;
            if (z2) {
                // A reset moves to a fresh session; it is refused over plain HTTP when the web
                // service requires HTTPS for passwords, and always for synchronised network users.
                NiagaraWebSession recreateSession = recreateSession(httpServletRequest, (String) session.getAttribute("originURI"));
                if (!httpServletRequest.isSecure() && Sys.getService(BWebService.TYPE).getRequireHttpsForPasswords()) {
                    recreateSession.setAttribute("loginFailureCause", LoginFailureCause.INSECURE_PASSWORD_RESET);
                } else if (z5) {
                    recreateSession.setAttribute("loginFailureCause", LoginFailureCause.ILLEGAL_NETWORK_USER_RESET);
                } else {
                    z3 = true;
                    recreateSession.setAttribute("forceReset", true);
                }
                z = true;
            }
        }
        if (z2 && !z3) {
            // Reset required but not permitted: report the failure cause on the login page.
            httpServletResponse.sendRedirect("/login?auth=fail");
        } else if (z) {
            httpServletResponse.sendRedirect("/login");
        }
        return z;
    }

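    /**
     * Replaces {@code bUser}'s password with {@code str} once the scheme's rules accept it.
     *
     * <p>Order of checks: the candidate is rejected if it validates against the current
     * authenticator (i.e. it is the password already in use); for a
     * {@link BPasswordAuthenticationScheme} the scheme's strength policy is applied and the
     * scheme's password history is consulted. Both "already in use" and "in history" report the
     * same lexicon key so the response does not reveal which rule fired. The force-reset flag is
     * cleared only after the new password has been stored, so a failure while storing cannot
     * leave the account with its old password and no pending reset.
     *
     * @param bUser the user whose password is being reset
     * @param str   the plaintext candidate password
     * @throws LocalizableException ({@code user.strongPassword.alreadyUsed}) when the candidate
     *         equals the current password or appears in the scheme's history
     * @throws Exception anything raised by the scheme's strength check or by storing the password
     */
    public void resetPassword(BUser bUser, String str) throws Exception {
        BAuthenticationScheme scheme = bUser.getAuthenticationScheme();
        BPasswordAuthenticator authenticator = bUser.getAuthenticator();

        // Same-as-current is rejected before any scheme-specific checks run.
        if (authenticator.validate(str)) {
            throw new LocalizableException(Lexicon.make("baja"), "user.strongPassword.alreadyUsed");
        }

        BUserPasswordConfiguration passwordConfig = null;
        if (scheme instanceof BPasswordAuthenticationScheme) {
            BPasswordAuthenticationScheme passwordScheme = (BPasswordAuthenticationScheme) scheme;
            passwordScheme.checkPassword(str); // strength policy; throws on violation
            passwordConfig = authenticator.getPasswordConfig();
            if (passwordScheme.isDuplicatePassword(str, bUser)) {
                throw new LocalizableException(Lexicon.make("baja"), "user.strongPassword.alreadyUsed");
            }
        }

        authenticator.setPassword(BPassword.make(str));

        // Only now is it safe to drop the pending-reset marker: the new password is in place.
        if (passwordConfig != null) {
            passwordConfig.setForceResetAtNextLogin(false);
        }
    }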

    /**
     * Post-processing hook for the response after authentication.
     *
     * <p>This authenticator does nothing here and always returns {@code false}; all state that
     * has to survive across requests is written to the session during authentication instead.
     *
     * @return always {@code false}
     * @throws ServerAuthException never thrown by this implementation
     */
    public boolean secureResponse(ServletRequest servletRequest, ServletResponse servletResponse, boolean z, Authentication.User user) throws ServerAuthException {
        // Nothing to secure on the way out.
        return false;
    }

    /**
     * Programmatic login entry point.
     *
     * <p>Delegates unchanged to the superclass; it is kept here only so the method is part of
     * this class's visible surface. Credential handling itself happens in the parent.
     *
     * @param str            the user name
     * @param obj            the credential object passed through to the parent
     * @param servletRequest the request that triggered the login
     * @return the identity produced by the parent, or whatever the parent returns on failure
     */
    public UserIdentity login(String str, Object obj, ServletRequest servletRequest) {
        UserIdentity identity = super.login(str, obj, servletRequest);
        return identity;
    }

    /**
     * Tells whether {@code str} addresses the form-login action ({@code __J_SECURITY_CHECK}).
     *
     * <p>The marker may occur anywhere in the string (this appears to follow the Jetty form
     * authenticator's own rule rather than an exact-path match); it counts only when it is
     * followed by end-of-string or by one of the delimiters {@code ;}, {@code #}, {@code /},
     * {@code ?}, so a longer segment such as {@code j_security_checkXYZ} does not match.
     *
     * @param str the request URI to test
     * @return {@code true} if the URI targets the security-check action
     */
    private boolean isJSecurityCheck(String str) {
        int markerStart = str.indexOf(__J_SECURITY_CHECK);
        if (markerStart < 0) {
            return false;
        }
        int markerEnd = markerStart + __J_SECURITY_CHECK.length();
        if (markerEnd == str.length()) {
            return true;
        }
        switch (str.charAt(markerEnd)) {
            case ';':
            case '#':
            case '/':
            case '?':
                return true;
            default:
                return false;
        }
    }

    /**
     * Replaces the caller's current web session with a fresh one via {@link LoginSupport}.
     *
     * <p>The middle argument is deliberately passed as a typed {@code (String) null} so the
     * intended {@code LoginSupport.recreateSession} overload is selected.
     *
     * @param httpServletRequest the request whose session is being replaced
     * @param str                the origin URI to carry over to the new session
     * @return the newly created session
     */
    private static NiagaraWebSession recreateSession(HttpServletRequest httpServletRequest, String str) {
        NiagaraWebSession fresh = LoginSupport.recreateSession(httpServletRequest, (String) null, str);
        return fresh;
    }

    /**
     * Tells whether a request path is one of the Web Start / applet bootstrap resources for
     * which authentication is deferred.
     *
     * <p>Always {@code false} when Web Start support is switched off. Otherwise three shapes are
     * accepted: a {@code /webstart/} path that {@link WebStartServlet} recognises as a deferred
     * auth request, the exact applet href under {@code /wb/wbapplet}, and a JxBrowser jar under
     * {@code /wb/bin/ext/jxbrowser} when JxBrowser has not been disabled. The applet case uses
     * exact equality on the full path, so nothing beyond the single configured href is let through.
     *
     * @param str the request path
     * @return {@code true} if authentication should be deferred for this path
     */
    private boolean isWebStartDeferredRequest(String str) {
        if (!this.webStartEnabled) {
            return false;
        }
        if (str.startsWith("/webstart/") && WebStartServlet.matchDeferredAuthRequest(str)) {
            return true;
        }
        if (str.startsWith("/wb/wbapplet")) {
            // Only the one configured applet href qualifies.
            return WebStartServlet.getAppletHref().equals(str);
        }
        if (WbServlet.disableJxBrowser) {
            return false;
        }
        return str.startsWith("/wb/bin/ext/jxbrowser") && WebStartServlet.isJxBrowserJarRequest(str);
    }

    /**
     * Switches Web Start support on or off for this authenticator.
     *
     * <p>When off, {@code isWebStartDeferredRequest} rejects every path, i.e. no bootstrap
     * resource is served without authentication.
     *
     * @param z {@code true} to enable Web Start deferred-auth paths
     */
    public void setWebStartEnabled(boolean z) {
        webStartEnabled = z;
    }

    /**
     * Decides whether the current request's own URI is a sensible place to send the user back
     * to after login.
     *
     * <p>Rejected: anything but {@code GET}; servlet paths on {@code TERMINAL_BLACKLIST};
     * Web Start deferred-auth requests; and URIs (or query strings) whose extension maps to a
     * static-asset file type (see {@link #isValidRedirectFile}), which a browser typically fetches
     * on its own and which would make a poor landing page. Note the candidate is always the
     * request's own URI, not a request-supplied target, so this is about choosing a useful
     * return point rather than validating an arbitrary redirect.
     *
     * @param httpServletRequest the pre-login request
     * @return {@code true} if its URI may be remembered as the post-login destination
     */
    private static boolean isValidRedirect(HttpServletRequest httpServletRequest) {
        if (!httpServletRequest.getMethod().equals("GET")) {
            return false;
        }
        String servletPath = httpServletRequest.getServletPath();
        for (String blocked : TERMINAL_BLACKLIST) {
            if (servletPath.equals(blocked)) {
                return false;
            }
        }
        String uri = httpServletRequest.getRequestURI();
        if (WebStartServlet.matchDeferredAuthRequest(uri)) {
            return false;
        }
        if (!isValidRedirectFile(uri)) {
            return false;
        }
        // A query string that itself names a static asset is treated the same way.
        String query = httpServletRequest.getQueryString();
        return query == null || isValidRedirectFile(query);
    }

    /**
     * Tells whether a path may serve as a post-login landing page based on its file extension.
     *
     * <p>Paths with no extension, or with an extension the registry does not map to a file type,
     * are accepted. Paths whose registered file type is a static asset (image, audio, video,
     * CSS, JavaScript, font, WebAssembly, Handlebars template, JSON) are rejected. Only what
     * {@code FileUtil.getExtension} returns is inspected; how it treats query strings or dotted
     * directory names is not visible here.
     *
     * @param str the URI or query string to classify
     * @return {@code false} for static-asset file types, {@code true} otherwise
     */
    private static boolean isValidRedirectFile(String str) {
        String extension = FileUtil.getExtension(str);
        if (extension == null) {
            return true;
        }
        TypeInfo fileType = Sys.getRegistry().getFileTypeForExtension(extension);
        if (fileType == null) {
            return true;
        }
        TypeInfo[] staticAssetTypes = {
            BImageFile.TYPE.getTypeInfo(),
            BAudioFile.TYPE.getTypeInfo(),
            BVideoFile.TYPE.getTypeInfo(),
            BCssFile.TYPE.getTypeInfo(),
            BJavascriptFile.TYPE.getTypeInfo(),
            BFontFile.TYPE.getTypeInfo(),
            BWasmFile.TYPE.getTypeInfo(),
            BHbsFile.TYPE.getTypeInfo(),
            BJsonFile.TYPE.getTypeInfo(),
        };
        for (TypeInfo assetType : staticAssetTypes) {
            if (fileType.is(assetType)) {
                return false;
            }
        }
        return true;
    }
}
