package top.dcenter.ums.security.core.auth.session.strategy;

import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.lang.NonNull;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionFixationProtectionEvent;
import org.springframework.util.Assert;
import org.springframework.web.util.WebUtils;
import top.dcenter.ums.security.core.api.session.SessionEnhanceCheckService;
import top.dcenter.ums.security.core.auth.properties.ClientProperties;

/* loaded from: input_file:top/dcenter/ums/security/core/auth/session/strategy/EnhanceConcurrentControlAuthenticationStrategy.class */
/**
 * Session authentication strategy that either enforces a per-principal session limit or
 * rotates the session ID after login, depending on the {@code sessionNumberControl} flag
 * read from {@link ClientProperties}.
 *
 * <p>NOTE(review): when {@code sessionNumberControl} is enabled, {@link #onAuthentication}
 * returns after the limit check and never reaches the session-ID rotation below it. Confirm
 * that another strategy in the chain changes the session ID on login in that configuration;
 * otherwise a pre-authentication session ID survives authentication.
 */
public class EnhanceConcurrentControlAuthenticationStrategy extends ConcurrentSessionControlAuthenticationStrategy implements ApplicationEventPublisherAware {
    private static final Logger log = LoggerFactory.getLogger(EnhanceConcurrentControlAuthenticationStrategy.class);

    // May be null: the only use in this class is guarded by a null check.
    private final SessionEnhanceCheckService sessionEnhanceCheckService;
    private final SessionRegistry sessionRegistry;
    private final ClientProperties clientProperties;

    // Defaults to a no-op publisher so events can be published before a real one is injected.
    private ApplicationEventPublisher applicationEventPublisher = new NullEventPublisher();
    // Local copies of values that are also passed to the superclass setters.
    private boolean exceptionIfMaximumExceeded = false;
    // Written by setMaximumSessions; not read anywhere in this class.
    private int maximumSessions = 1;
    private boolean alwaysCreateSession;

    /** Publisher that silently discards every event. */
    protected static final class NullEventPublisher implements ApplicationEventPublisher {
        protected NullEventPublisher() {
        }

        public void publishEvent(@NonNull ApplicationEvent applicationEvent) {
            // intentionally empty
        }

        public void publishEvent(@NonNull Object obj) {
            // intentionally empty
        }
    }

    /**
     * Creates the strategy.
     *
     * @param sessionEnhanceCheckService optional hook invoked on the rotated session; may be null
     * @param sessionRegistry registry queried for the principal's sessions
     * @param clientProperties configuration holding the {@code sessionNumberControl} flag
     */
    public EnhanceConcurrentControlAuthenticationStrategy(SessionEnhanceCheckService sessionEnhanceCheckService, SessionRegistry sessionRegistry, ClientProperties clientProperties) {
        super(sessionRegistry);
        this.sessionEnhanceCheckService = sessionEnhanceCheckService;
        this.sessionRegistry = sessionRegistry;
        this.clientProperties = clientProperties;
    }

    /**
     * Runs exactly one of two checks after a successful authentication: the concurrent-session
     * limit when {@code sessionNumberControl} is true, the session-ID rotation otherwise.
     *
     * @param authentication the authenticated principal
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response (unused here)
     */
    public void onAuthentication(Authentication authentication, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // A null flag fails here with a NullPointerException rather than disabling the limit.
        if (this.clientProperties.getSession().getSessionNumberControl().booleanValue()) {
            enforceSessionLimit(authentication, httpServletRequest);
            return;
        }
        rotateSessionId(authentication, httpServletRequest);
    }

    /** Applies the per-principal session limit; does not touch the session ID. */
    private void enforceSessionLimit(Authentication authentication, HttpServletRequest httpServletRequest) {
        List<SessionInformation> registered = this.sessionRegistry.getAllSessions(authentication.getPrincipal(), false);
        int registeredCount = registered.size();
        int allowed = getMaximumSessionsForThisUser(authentication);

        // -1 means "no limit"; below the limit there is nothing to enforce.
        if (allowed == -1 || registeredCount < allowed) {
            return;
        }

        if (registeredCount == allowed) {
            HttpSession current = httpServletRequest.getSession(false);
            if (current != null) {
                // Re-authentication inside an already registered session does not count as a new one.
                for (SessionInformation info : registered) {
                    if (info.getSessionId().equals(current.getId())) {
                        return;
                    }
                }
            }
        }

        allowableSessionsExceeded(registered, allowed, this.sessionRegistry);
    }

    /**
     * Changes the session ID of a session that existed before authentication, publishes the
     * change and hands the resulting session to the enhance-check service when one is set.
     * Nothing is rotated, published or passed to that service when the request had no session
     * or its requested session ID is not valid.
     */
    private void rotateSessionId(Authentication authentication, HttpServletRequest httpServletRequest) {
        boolean hadSession = httpServletRequest.getSession(false) != null;
        if (!hadSession && !this.alwaysCreateSession) {
            return;
        }

        // Creates the session when alwaysCreateSession is set and none existed.
        HttpSession existing = httpServletRequest.getSession();
        if (!hadSession || !httpServletRequest.isRequestedSessionIdValid()) {
            return;
        }

        String previousId;
        HttpSession rotated;
        String currentId;
        // The old ID is read and the new ID assigned under the session mutex.
        synchronized (WebUtils.getSessionMutex(existing)) {
            previousId = existing.getId();
            rotated = applySessionFixation(httpServletRequest);
            currentId = rotated.getId();
        }

        // An unchanged ID means the container did not rotate it; only a warning is logged and
        // processing continues, so this log line is the sole signal of the condition.
        if (previousId.equals(currentId)) {
            log.warn("session-fixation attacks: Your servlet container did not change the session ID when a new session was created. You will not be adequately protected against session-fixation attacks");
        }

        onSessionChange(previousId, rotated, authentication);

        if (this.sessionEnhanceCheckService != null) {
            this.sessionEnhanceCheckService.setEnhanceCheckValue(rotated, httpServletRequest);
        }
    }

    /**
     * Handles a principal that is at or over its session limit: either rejects the login or
     * expires the sessions with the oldest last-request time until one slot is free.
     *
     * @param list the principal's registered sessions; sorted in place by last request
     * @param i the allowed number of sessions
     * @param sessionRegistry not used by this implementation
     * @throws SessionAuthenticationException when rejection is configured or {@code list} is null
     */
    protected void allowableSessionsExceeded(List<SessionInformation> list, int i, SessionRegistry sessionRegistry) throws SessionAuthenticationException {
        if (this.exceptionIfMaximumExceeded || list == null) {
            String message = this.messages.getMessage("ConcurrentSessionControlAuthenticationStrategy.exceededAllowed", new Object[]{Integer.valueOf(i)}, "Maximum sessions of {0} for this principal exceeded");
            throw new SessionAuthenticationException(message);
        }

        list.sort(Comparator.comparing(info -> info.getLastRequest()));

        // Expire enough of the least recently used sessions to leave room for the new one.
        int expireCount = (list.size() - i) + 1;
        for (SessionInformation stale : list.subList(0, expireCount)) {
            stale.expireNow();
        }
    }

    /**
     * Publishes a {@link SessionFixationProtectionEvent} carrying the old and new session IDs.
     *
     * @param str the session ID before the change
     * @param httpSession the session after the change
     * @param authentication the authenticated principal
     */
    protected void onSessionChange(String str, HttpSession httpSession, Authentication authentication) {
        SessionFixationProtectionEvent event = new SessionFixationProtectionEvent(authentication, str, httpSession.getId());
        this.applicationEventPublisher.publishEvent(event);
    }

    /**
     * Chooses between rejecting the new login and expiring older sessions when the limit is hit.
     *
     * @param z true to reject the login with an exception
     */
    public void setExceptionIfMaximumExceeded(boolean z) {
        this.exceptionIfMaximumExceeded = z;
        super.setExceptionIfMaximumExceeded(z);
    }

    /** Asks the container to change the current session ID and returns the request's session. */
    HttpSession applySessionFixation(HttpServletRequest httpServletRequest) {
        httpServletRequest.changeSessionId();
        HttpSession afterChange = httpServletRequest.getSession();
        return afterChange;
    }

    /**
     * Sets the session limit.
     *
     * <p>NOTE(review): only 0 is rejected here; a value below -1 passes this check although the
     * message describes -1 or a positive integer as the valid inputs.
     *
     * @param i -1 for unlimited, otherwise the maximum number of sessions
     */
    public void setMaximumSessions(int i) {
        boolean nonZero = i != 0;
        Assert.isTrue(nonZero, "MaximumLogins must be either -1 to allow unlimited logins, or a positive integer to specify a maximum");
        super.setMaximumSessions(i);
        this.maximumSessions = i;
    }

    /**
     * Replaces the event publisher used by {@link #onSessionChange}.
     *
     * @param applicationEventPublisher the publisher to use; must not be null
     */
    public void setApplicationEventPublisher(@NonNull ApplicationEventPublisher applicationEventPublisher) {
        Assert.notNull(applicationEventPublisher, "applicationEventPublisher cannot be null");
        this.applicationEventPublisher = applicationEventPublisher;
    }

    /**
     * Controls whether a session is created when the request has none at authentication time.
     *
     * @param z true to always create a session
     */
    public void setAlwaysCreateSession(boolean z) {
        this.alwaysCreateSession = z;
    }
}
