package com.att.cadi.aaf.v2_0;

import com.att.cadi.AbsUserCache;
import com.att.cadi.Access;
import com.att.cadi.CachedPrincipal;
import com.att.cadi.GetCred;
import com.att.cadi.Hash;
import com.att.cadi.Taf;
import com.att.cadi.User;
import com.att.cadi.aaf.AAFPermission;
import com.att.cadi.principal.BasicPrincipal;
import com.att.cadi.principal.CachedBasicPrincipal;
import com.att.cadi.taf.HttpTaf;
import com.att.cadi.taf.TafResp;
import com.att.cadi.taf.basic.BasicHttpTafResp;
import java.io.IOException;
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:com/att/cadi/aaf/v2_0/AAFTaf.class */
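/**
 * HTTP Basic Authentication TAF that checks credentials against an AAF service and
 * keeps successfully validated users in the inherited {@link AbsUserCache}.
 *
 * <p>Decision order in {@link #validate}: challenge when no Basic header is present,
 * accept on a matching cached credential, refuse when the retry limit recorded for the
 * user is exhausted, otherwise ask AAF. Every failure path returns a response with a
 * {@code null} principal, and a failure of the remote service ends in
 * {@code RESP.FAIL} rather than an authenticated result.
 *
 * @param <CLIENT> client type used by the underlying {@link AAFCon}
 */
public class AAFTaf<CLIENT> extends AbsUserCache<AAFPermission> implements HttpTaf {
    /** Connection to AAF; also supplies the logger, realm, timeout and cache settings. */
    private final AAFCon<CLIENT> aaf;
    /** When true, Basic credentials arriving on a non-secure request are logged at WARN. */
    private final boolean warn;

    /**
     * Creates a TAF with its own user cache, sized from the connection's settings.
     *
     * @param aAFCon AAF connection used for remote validation and configuration
     * @param z      whether to log a warning when Basic auth is used over an insecure channel
     */
    public AAFTaf(AAFCon<CLIENT> aAFCon, boolean z) {
        super(aAFCon.access, aAFCon.cleanInterval, aAFCon.highCount, aAFCon.usageRefreshTriggerCount);
        this.aaf = aAFCon;
        this.warn = z;
    }

    /**
     * Creates a TAF that is initialised from an existing user cache.
     *
     * @param aAFCon       AAF connection used for remote validation and configuration
     * @param z            whether to log a warning when Basic auth is used over an insecure channel
     * @param absUserCache cache handed to the superclass constructor
     */
    public AAFTaf(AAFCon<CLIENT> aAFCon, boolean z, AbsUserCache<AAFPermission> absUserCache) {
        super(absUserCache);
        this.aaf = aAFCon;
        this.warn = z;
    }

    /**
     * Authenticates a request carrying an HTTP Basic {@code Authorization} header.
     *
     * @param lifeForm            not consulted by this implementation
     * @param httpServletRequest  request whose header, security flag and remote endpoint are read
     * @param httpServletResponse response handed to the returned {@link TafResp}
     * @return {@code IS_AUTHENTICATED} with the principal on success; {@code TRY_AUTHENTICATING}
     *         when the header is missing, unparsable or the credential is wrong;
     *         {@code FAIL} when the retry limit is exceeded or validation could not be performed
     */
    public TafResp validate(Taf.LifeForm lifeForm, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null || !header.startsWith("Basic ")) {
            return reject("Requesting HTTP Basic Authorization", TafResp.RESP.TRY_AUTHENTICATING, httpServletResponse, false);
        }
        if (this.warn && !httpServletRequest.isSecure()) {
            // Advisory only: the credential is still processed below. Refusing Basic auth
            // on non-TLS requests has to be enforced elsewhere (container or filter).
            this.aaf.access.log(Access.Level.WARN, new Object[]{"WARNING! BasicAuth has been used over an insecure channel"});
        }
        try {
            // Reuse a principal already attached to the request; otherwise parse the header.
            Principal attached = httpServletRequest.getUserPrincipal();
            CachedBasicPrincipal cachedBasicPrincipal = attached instanceof CachedBasicPrincipal
                    ? (CachedBasicPrincipal) attached
                    : new CachedBasicPrincipal(this, header, this.aaf.getRealm(), this.aaf.userExpires);

            // Cache hit: accepted without calling AAF, and before the retry-limit check below.
            // NOTE(review): Hash.isEqual is presumably a constant-time comparison - confirm.
            User user = getUser(cachedBasicPrincipal);
            if (user != null && (user.principal instanceof GetCred)
                    && Hash.isEqual(cachedBasicPrincipal.getCred(), ((GetCred) user.principal).getCred())) {
                return new BasicHttpTafResp(this.aaf.access, cachedBasicPrincipal, cachedBasicPrincipal.getName() + " authenticated by cached AAF password", TafResp.RESP.IS_AUTHENTICATED, httpServletResponse, this.aaf.getRealm(), false);
            }

            // Throttle repeated bad attempts before spending a remote call on them.
            AbsUserCache.Miss missed = missed(cachedBasicPrincipal.getName());
            if (missed != null && !missed.mayContinue(cachedBasicPrincipal.getCred())) {
                return reject(buildMsg(cachedBasicPrincipal, httpServletRequest, "User/Pass Retry limit exceeded"), TafResp.RESP.FAIL, httpServletResponse, true);
            }

            boolean acceptedByAaf = this.aaf.client(AAFCon.AAF_LATEST_VERSION)
                    .forUser(this.aaf.basicAuthSS(cachedBasicPrincipal))
                    .read("/authn/basicAuth", "text/plain", new String[0])
                    .get(this.aaf.timeout);
            if (!acceptedByAaf) {
                // addMiss records the failure; its result selects between a new challenge
                // and a hard failure once the retry limit has been reached.
                if (addMiss(cachedBasicPrincipal.getName(), cachedBasicPrincipal.getCred())) {
                    return reject(buildMsg(cachedBasicPrincipal, httpServletRequest, "User/Pass combo invalid via AAF"), TafResp.RESP.TRY_AUTHENTICATING, httpServletResponse, true);
                }
                return reject(buildMsg(cachedBasicPrincipal, httpServletRequest, "User/Pass combo invalid via AAF - Retry limit exceeded"), TafResp.RESP.FAIL, httpServletResponse, true);
            }

            // AAF accepted the credential: refresh the cached entry or create one.
            if (user != null) {
                user.principal = cachedBasicPrincipal;
            } else {
                addUser(new User(cachedBasicPrincipal, this.aaf.userExpires));
            }
            return new BasicHttpTafResp(this.aaf.access, cachedBasicPrincipal, cachedBasicPrincipal.getName() + " authenticated by AAF password", TafResp.RESP.IS_AUTHENTICATED, httpServletResponse, this.aaf.getRealm(), false);
        } catch (IOException e) {
            // NOTE(review): every IOException raised inside the try is reported as an invalid
            // token and answered with a fresh challenge; if the AAF call can also throw
            // IOException, an outage would be reported the same way - confirm that is intended.
            String buildMsg = buildMsg(null, httpServletRequest, "Invalid Auth Token");
            this.aaf.access.log(Access.Level.WARN, new Object[]{buildMsg, '(', e.getMessage(), ')'});
            return reject(buildMsg, TafResp.RESP.TRY_AUTHENTICATING, httpServletResponse, true);
        } catch (Exception e2) {
            // Fail closed: any other error ends in FAIL with no principal.
            String buildMsg2 = buildMsg(null, httpServletRequest, "Authenticating Service unavailable");
            this.aaf.access.log(Access.Level.WARN, new Object[]{buildMsg2, '(', e2.getMessage(), ')'});
            return reject(buildMsg2, TafResp.RESP.FAIL, httpServletResponse, false);
        }
    }

    /**
     * Builds a response that carries no principal.
     *
     * @param message             description for the response
     * @param status              response status to report
     * @param httpServletResponse response handed to the {@link BasicHttpTafResp}
     * @param failureFlag         passed through unchanged as the constructor's last argument
     *                            (presumably marks a failed attempt - confirm against BasicHttpTafResp)
     */
    private TafResp reject(String message, TafResp.RESP status, HttpServletResponse httpServletResponse, boolean failureFlag) {
        return new BasicHttpTafResp(this.aaf.access, (Principal) null, message, status, httpServletResponse, this.aaf.getRealm(), failureFlag);
    }

    /**
     * Concatenates the message parts and appends " for NAME" (when a principal is given)
     * and " from ADDR:PORT" for the requesting client.
     *
     * <p>On the failure paths the name comes from a principal built from the client's
     * Authorization header before any credential has been accepted, so control characters
     * in it are replaced to keep a crafted user name from breaking up log or audit lines.
     */
    private String buildMsg(Principal principal, HttpServletRequest httpServletRequest, Object... objArr) {
        StringBuilder sb = new StringBuilder();
        for (Object obj : objArr) {
            sb.append(obj); // StringBuilder.append(Object) tolerates a null element
        }
        if (principal != null) {
            sb.append(" for ").append(neutralize(principal.getName()));
        }
        sb.append(" from ")
          .append(httpServletRequest.getRemoteAddr())
          .append(':')
          .append(httpServletRequest.getRemotePort());
        return sb.toString();
    }

    /** Replaces ISO control characters (CR, LF, ...) with '_'; returns null for null. */
    private static String neutralize(String text) {
        if (text == null) {
            return null;
        }
        char[] chars = text.toCharArray();
        for (int i = 0; i < chars.length; i++) {
            if (Character.isISOControl(chars[i])) {
                chars[i] = '_';
            }
        }
        return new String(chars);
    }

    /**
     * Re-checks a cached principal against AAF.
     *
     * @param cachedPrincipal principal to revalidate
     * @return {@code NOT_MINE} when the principal is not a {@link BasicPrincipal};
     *         {@code REVALIDATED} or {@code UNVALIDATED} according to AAF's answer;
     *         {@code INACCESSIBLE} when the check itself failed
     */
    public CachedPrincipal.Resp revalidate(CachedPrincipal cachedPrincipal) {
        if (!(cachedPrincipal instanceof BasicPrincipal)) {
            return CachedPrincipal.Resp.NOT_MINE;
        }
        try {
            boolean stillValid = this.aaf.client(AAFCon.AAF_LATEST_VERSION)
                    .forUser(this.aaf.transferSS(cachedPrincipal))
                    .read("/authn/basicAuth", "text/plain", new String[0])
                    .get(this.aaf.timeout);
            return stillValid ? CachedPrincipal.Resp.REVALIDATED : CachedPrincipal.Resp.UNVALIDATED;
        } catch (Exception e) {
            // An error is reported as INACCESSIBLE, distinct from a negative answer.
            this.aaf.access.log(e, new Object[]{"Cannot Revalidate", cachedPrincipal.getName()});
            return CachedPrincipal.Resp.INACCESSIBLE;
        }
    }
}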
