package org.gluu.radius.server.filter;

import java.util.Iterator;
import org.apache.log4j.Logger;
import org.gluu.oxauth.client.supergluu.SuperGluuAuthClient;
import org.gluu.oxauth.client.supergluu.SuperGluuAuthClientConfig;
import org.gluu.oxauth.client.supergluu.SuperGluuAuthStatus;
import org.gluu.oxauth.client.supergluu.impl.ICryptoProviderFactory;
import org.gluu.oxauth.client.supergluu.impl.IHttpClientFactory;
import org.gluu.oxauth.client.supergluu.impl.crypto.SingletonOxAuthCryptoProviderFactory;
import org.gluu.oxauth.client.supergluu.impl.http.PoolingConnectionHttpClientFactory;
import org.gluu.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.gluu.radius.exception.GluuRadiusException;
import org.gluu.radius.server.AccessRequestContext;
import org.gluu.radius.server.AccessRequestFilter;

/* loaded from: input_file:org/gluu/radius/server/filter/SuperGluuAccessRequestFilter.class */
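/**
 * RADIUS access-request filter that authenticates a user through Super Gluu.
 *
 * <p>A request is accepted only when all three steps succeed, in order:
 * authentication is initiated with the supplied username/password, the
 * session status is polled until it reports {@code AUTHENTICATED} (bounded by
 * the configured authentication timeout), and a final verification call
 * returns {@code true}. Every other outcome, including any exception,
 * rejects the request.
 *
 * <p>The password taken from the request is only handed to the auth client;
 * it is never written to the log.
 */
public class SuperGluuAccessRequestFilter implements AccessRequestFilter {
    private static final Logger log = Logger.getLogger(SuperGluuAccessRequestFilter.class);
    // Pause between two session-status polls, in milliseconds. Every pending
    // authentication polls the status endpoint at this rate until it is
    // approved or the timeout elapses.
    private static final long statusCheckInterval = 50;
    // Upper bound for the status polling loop, compared against
    // System.currentTimeMillis() deltas (so: milliseconds).
    private Long authenticationTimeout;
    private SuperGluuAuthClientConfig authClientConfig;
    private IHttpClientFactory httpClientFactory = new PoolingConnectionHttpClientFactory();
    // Only set when the private_key_jwt setup in the constructor got as far as
    // loading the keystore; stays null on an early fallback to client-secret auth.
    private ICryptoProviderFactory cryptoProviderFactory;

    /**
     * Builds the auth-client configuration from the filter configuration.
     *
     * <p>Client authentication with a signed JWT (keystore file, pin, key id
     * and signature algorithm) is tried first. If any part of that setup
     * throws, the filter falls back to authenticating the client with the
     * OpenID username and password.
     *
     * @param superGluuAccessRequestFilterConfig source of endpoints, client
     *        credentials, ACR value, scopes and the authentication timeout
     */
    public SuperGluuAccessRequestFilter(SuperGluuAccessRequestFilterConfig superGluuAccessRequestFilterConfig) {
        try {
            this.cryptoProviderFactory = new SingletonOxAuthCryptoProviderFactory(
                    superGluuAccessRequestFilterConfig.getJwtKeyStoreFile(),
                    superGluuAccessRequestFilterConfig.getJwtKeyStorePin());
            String jwtAuthKeyId = superGluuAccessRequestFilterConfig.getJwtAuthKeyId();
            String tokenEndpointUrl = superGluuAccessRequestFilterConfig.getTokenEndpointUrl();
            SignatureAlgorithm jwtAuthSignAlgo = superGluuAccessRequestFilterConfig.getJwtAuthSignAlgo();
            String openidUsername = superGluuAccessRequestFilterConfig.getOpenidUsername();
            this.authClientConfig = new SuperGluuAuthClientConfig(jwtAuthKeyId, jwtAuthSignAlgo, tokenEndpointUrl);
            this.authClientConfig.setClientId(openidUsername);
        } catch (Exception e) {
            // NOTE(security): this is a silent downgrade of the client
            // authentication method. Any exception on the JWT path (the catch
            // is for Exception, so the cause is not narrowed) switches the
            // filter to a shared client secret, and this WARN line is the only
            // trace of it. Deployments that require private_key_jwt should
            // alert on this message rather than rely on startup succeeding.
            log.warn("Using PRIVATE_KEY_JWT auth failed. Trying CLIENT_SECRET_BASIC", e);
            this.authClientConfig = new SuperGluuAuthClientConfig(
                    superGluuAccessRequestFilterConfig.getOpenidUsername(),
                    superGluuAccessRequestFilterConfig.getOpenidPassword());
        }
        this.authClientConfig.setTokenEndpointUrl(superGluuAccessRequestFilterConfig.getTokenEndpointUrl());
        this.authClientConfig.setSessionStatusUrl(superGluuAccessRequestFilterConfig.getSessionStatusUrl());
        this.authClientConfig.setAcrValue(superGluuAccessRequestFilterConfig.getAcrValue());
        for (String scope : superGluuAccessRequestFilterConfig.getScopes()) {
            this.authClientConfig.addScope(scope);
        }
        this.authenticationTimeout = superGluuAccessRequestFilterConfig.getAuthenticationTimeout();
    }

    /**
     * Runs the Super Gluu flow for one access request.
     *
     * @param accessRequestContext carries the username, password and client IP
     *        address of the RADIUS request
     * @return {@code true} only if initiation, status polling and the final
     *         verification all succeed; {@code false} on any failure, timeout,
     *         interruption or exception (the filter fails closed)
     */
    @Override // org.gluu.radius.server.AccessRequestFilter
    public boolean processAccessRequest(AccessRequestContext accessRequestContext) {
        try {
            SuperGluuAuthClient superGluuAuthClient = new SuperGluuAuthClient(
                    this.authClientConfig, this.httpClientFactory, this.cryptoProviderFactory);
            String clientIpAddress = accessRequestContext.getClientIpAddress();
            String username = accessRequestContext.getUsername();
            String password = accessRequestContext.getPassword();
            // The username comes straight from the request, so it is
            // neutralised before it is interpolated into a log line.
            String logUser = sanitizeForLog(username);

            log.debug(String.format("Initiating authentication for user {%s}.", logUser));
            long startedAt = System.currentTimeMillis();
            Boolean initiated = superGluuAuthClient.initiateAuthentication(username, password, clientIpAddress);
            // null and FALSE are both treated as failure.
            if (!Boolean.TRUE.equals(initiated)) {
                log.debug(String.format("Auth init failed for user {%s}.", logUser));
                return false;
            }

            log.debug(String.format("User {%s} auth init success. Checking auth status(super-gluu).", logUser));
            SuperGluuAuthStatus status = SuperGluuAuthStatus.UNAUTHENTICATED;
            while (System.currentTimeMillis() - startedAt < this.authenticationTimeout.longValue()) {
                status = superGluuAuthClient.checkAuthenticationStatus();
                if (status == SuperGluuAuthStatus.AUTHENTICATED) {
                    break;
                }
                try {
                    Thread.sleep(statusCheckInterval);
                } catch (InterruptedException e) {
                    // Restore the flag for the caller and reject: an
                    // interrupted wait never confirmed the second factor, and
                    // swallowing the interrupt would keep this thread polling
                    // through a shutdown until the timeout.
                    Thread.currentThread().interrupt();
                    log.debug(String.format("Interrupted while checking auth status for user {%s}.", logUser));
                    return false;
                }
            }
            // Fail closed: only AUTHENTICATED may proceed. Comparing against
            // UNAUTHENTICATED instead would let any other status value (the
            // enum's full value set is not visible here) through to the
            // verification step after a timeout.
            if (status != SuperGluuAuthStatus.AUTHENTICATED) {
                log.debug(String.format("Timeout reached while checking auth status for user {%s}.", logUser));
                return false;
            }

            log.debug(String.format("Auth status ok. Performing additional verification for user {%s}.", logUser));
            Boolean verified = superGluuAuthClient.verifyAuthentication(username, password);
            if (!Boolean.TRUE.equals(verified)) {
                log.debug(String.format("Authentication verification failed for user {%s}.", logUser));
                return false;
            }
            log.debug(String.format("User {%s} successfully authenticated.", logUser));
            return true;
        } catch (GluuRadiusException e2) {
            log.debug(String.format("auth failed for user {%s}.", sanitizeForLog(accessRequestContext.getUsername())), e2);
            return false;
        } catch (Exception e3) {
            // Also covers a null authenticationTimeout (unboxing NPE in the
            // loop condition): the request is rejected, not accepted.
            log.debug(String.format("auth failed for user {%s}.", sanitizeForLog(accessRequestContext.getUsername())), e3);
            return false;
        }
    }

    /**
     * Replaces CR and LF in a request-supplied value so it cannot start a new,
     * forged line in the log output. A {@code null} value is rendered as
     * {@code "null"}, which is what {@code String.format("%s", null)} prints.
     */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        return value.replace('\r', '_').replace('\n', '_');
    }
}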
