package org.sonatype.nexus.content.internal;

import com.google.common.base.Throwables;
import java.util.Iterator;
import java.util.List;
import javax.annotation.Nullable;
import javax.inject.Inject;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.slf4j.Logger;
import org.sonatype.nexus.content.ContentRestrictionConstituent;
import org.sonatype.nexus.security.filter.authc.AuthenticationTokenFactory;
import org.sonatype.nexus.security.filter.authc.NexusHttpAuthenticationFilter;

/* loaded from: input_file:WEB-INF/plugin-repository/nexus-content-plugin-2.14.17-01/nexus-content-plugin-2.14.17-01.jar:org/sonatype/nexus/content/internal/ContentAuthenticationFilter.class */
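/**
 * Shiro HTTP authentication filter for repository content requests.
 *
 * <p>Two optional collaborators shape its behaviour:
 * <ul>
 *   <li>{@link ContentRestrictionConstituent}s decide whether a request is "content restricted".
 *       A restricted request is authenticated only through a {@link ContentRestrictedToken}
 *       wrapping the username/password token produced by the superclass; the pluggable token
 *       factories are not consulted for it.</li>
 *   <li>{@link AuthenticationTokenFactory}s may supply an alternative authentication token for
 *       unrestricted requests; the first non-null token wins.</li>
 * </ul>
 *
 * <p>This listing is decompiler output: the overridden methods below were {@code protected} in the
 * original class and were widened to {@code public} by the decompiler.
 */
public class ContentAuthenticationFilter extends NexusHttpAuthenticationFilter {
    /** Name of the request attribute set once a request has been handled as content restricted. */
    private static final String RESTRICTED_ATTR = ContentRestrictedToken.class.getSimpleName();

    /** Restriction checks; may be {@code null}, in which case no request is ever restricted. */
    private final List<ContentRestrictionConstituent> constituents;

    /** Pluggable token sources; may be {@code null}, in which case only the superclass creates tokens. */
    private final List<AuthenticationTokenFactory> factories;

    /**
     * Creates the filter and sets the application name reported by the superclass.
     *
     * @param list restriction constituents, or {@code null} when none are bound
     * @param list2 authentication token factories, or {@code null} when none are bound
     */
    @Inject
    public ContentAuthenticationFilter(@Nullable List<ContentRestrictionConstituent> list, @Nullable List<AuthenticationTokenFactory> list2) {
        this.constituents = list;
        this.factories = list2;
        setApplicationName("Sonatype Nexus Repository Manager");
    }

    /**
     * Reports whether any constituent marks the request as content restricted.
     *
     * @param servletRequest the request being filtered
     * @return {@code true} as soon as one constituent reports a restriction; {@code false} when
     *     none does or when no constituents were injected
     */
    private boolean isRestricted(ServletRequest servletRequest) {
        if (this.constituents == null) {
            return false;
        }
        for (ContentRestrictionConstituent constituent : this.constituents) {
            if (constituent.isContentRestricted(servletRequest)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the message sent with an unauthorized response.
     *
     * <p>Overrides {@code NexusHttpAuthenticationFilter}. Requests flagged by
     * {@link #createToken} get a fixed token-protection message; all others get the
     * superclass message.
     */
    @Override
    public String getUnauthorizedMessage(ServletRequest servletRequest) {
        if (servletRequest.getAttribute(RESTRICTED_ATTR) != null) {
            return "Content access is protected by token";
        }
        return super.getUnauthorizedMessage(servletRequest);
    }

    /**
     * Builds the authentication token for the request.
     *
     * <p>Overrides Shiro's {@code BasicHttpAuthenticationFilter}/{@code AuthenticatingFilter}.
     * Unrestricted requests use the first factory-supplied token and fall back to the superclass
     * token. Restricted requests bypass the factories entirely, are flagged with
     * {@code RESTRICTED_ATTR}, and receive a {@link ContentRestrictedToken}.
     */
    @Override
    public AuthenticationToken createToken(ServletRequest servletRequest, ServletResponse servletResponse) {
        if (!isRestricted(servletRequest)) {
            AuthenticationToken factoryToken = createAuthenticationToken(servletRequest, servletResponse);
            return factoryToken != null ? factoryToken : super.createToken(servletRequest, servletResponse);
        }
        getLogger().debug("Content authentication for request is restricted");
        servletRequest.setAttribute(RESTRICTED_ATTR, true);
        // NOTE(review): the cast assumes the superclass always returns a UsernamePasswordToken on
        // this path; any other token type would surface as a ClassCastException - confirm.
        return new ContentRestrictedToken((UsernamePasswordToken) super.createToken(servletRequest, servletResponse), servletRequest);
    }

    /**
     * Decides whether the request may proceed.
     *
     * <p>Overrides the Shiro access-control hook. Restricted requests and requests that are not a
     * login attempt are left to the superclass. An unrestricted login attempt always runs
     * {@code executeLogin}; when that login fails the method returns {@code false} without
     * consulting the superclass, so presented credentials that do not authenticate deny access.
     *
     * @throws RuntimeException any exception raised by the login, propagated via Guava
     */
    @Override
    public boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object obj) {
        if (isRestricted(servletRequest) || !isLoginAttempt(servletRequest, servletResponse)) {
            return super.isAccessAllowed(servletRequest, servletResponse, obj);
        }
        try {
            return executeLogin(servletRequest, servletResponse)
                    && super.isAccessAllowed(servletRequest, servletResponse, obj);
        } catch (Exception e) {
            throw Throwables.propagate(e);
        }
    }

    /**
     * Reports whether the request carries credentials to authenticate with.
     *
     * <p>Overrides Shiro's {@code BasicHttpAuthenticationFilter}. For restricted requests only the
     * superclass check counts. Otherwise a non-null factory token also counts as a login attempt.
     * Note that this runs the token factories, and {@link #createToken} runs them again for the
     * same request.
     */
    @Override
    public boolean isLoginAttempt(ServletRequest servletRequest, ServletResponse servletResponse) {
        if (isRestricted(servletRequest)) {
            return super.isLoginAttempt(servletRequest, servletResponse);
        }
        return createAuthenticationToken(servletRequest, servletResponse) != null
                || super.isLoginAttempt(servletRequest, servletResponse);
    }

    /**
     * Asks each injected factory in turn for a token and returns the first non-null one.
     *
     * <p>A factory that throws is logged at WARN (with the stack trace only when DEBUG is enabled)
     * and skipped, so one failing factory does not block the remaining ones.
     *
     * @return the first token produced, or {@code null} when no factories were injected or none
     *     produced a token
     */
    private AuthenticationToken createAuthenticationToken(ServletRequest servletRequest, ServletResponse servletResponse) {
        if (this.factories == null) {
            return null;
        }
        for (AuthenticationTokenFactory factory : this.factories) {
            // Reset per factory: the decompiled original left this variable unassigned on the
            // exception path, which does not compile (no definite assignment before the null check).
            AuthenticationToken token = null;
            try {
                token = factory.createToken(servletRequest, servletResponse);
            } catch (Exception e) {
                // Trailing argument is the throwable only at DEBUG, so WARN output stays one line otherwise.
                getLogger().warn("Factory {} failed to create an authentication token {}/{}",
                        factory, e.getClass().getName(), e.getMessage(), getLogger().isDebugEnabled() ? e : null);
            }
            if (token != null) {
                // NOTE(review): this writes the token's toString() to the debug log; confirm that no
                // factory-produced token type includes credentials in its string form.
                getLogger().debug("Token '{}' created by {}", token, factory);
                return token;
            }
        }
        return null;
    }
}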
