package dk.itst.oiosaml.sp.service;

import dk.itst.oiosaml.common.OIOSAMLConstants;
import dk.itst.oiosaml.configuration.OIOSAMLBootstrap;
import dk.itst.oiosaml.configuration.SAMLConfiguration;
import dk.itst.oiosaml.configuration.SAMLConfigurationFactory;
import dk.itst.oiosaml.logging.Audit;
import dk.itst.oiosaml.logging.Logger;
import dk.itst.oiosaml.logging.LoggerFactory;
import dk.itst.oiosaml.logging.Operation;
import dk.itst.oiosaml.sp.UserAssertion;
import dk.itst.oiosaml.sp.UserAssertionHolder;
import dk.itst.oiosaml.sp.develmode.DevelMode;
import dk.itst.oiosaml.sp.develmode.DevelModeImpl;
import dk.itst.oiosaml.sp.metadata.CRLChecker;
import dk.itst.oiosaml.sp.metadata.IdpMetadata;
import dk.itst.oiosaml.sp.metadata.SPMetadata;
import dk.itst.oiosaml.sp.service.session.Request;
import dk.itst.oiosaml.sp.service.session.SessionCleaner;
import dk.itst.oiosaml.sp.service.session.SessionHandler;
import dk.itst.oiosaml.sp.service.session.SessionHandlerFactory;
import dk.itst.oiosaml.sp.service.util.Constants;
import java.io.IOException;
import java.util.Iterator;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.configuration.Configuration;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeStatement;

/* loaded from: input_file:dk/itst/oiosaml/sp/service/SPFilter.class */
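/**
 * Servlet filter that protects an application with OIOSAML-J SAML 2.0 single sign-on.
 *
 * <p>For every request it (lazily) loads the runtime configuration, lets requests to the
 * SAML servlet itself and (in devel mode) everything else pass, and for any other URL
 * requires a valid session assertion that satisfies the configured assurance/NSIS level
 * and profile. Requests without one are saved and forwarded to the login handler.
 *
 * <p>Fixes over the previous revision: {@link #setRuntimeConfiguration(Configuration)} only
 * marks the filter initialized once every step has succeeded (a failure after the flag was
 * set left later requests running with a null session-handler factory); the lazy
 * initialization from {@link #doFilter} is guarded so concurrent first requests do not
 * configure twice; devel mode reached through the lazy path no longer dereferences a null
 * {@link DevelMode}; and {@link #setHostname()} tolerates an assertion-consumer URL with no
 * path component.
 */
public class SPFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) SPFilter.class);
    /** Volatile so the unsynchronized fast-path check in doFilter sees a completed initialization. */
    private volatile boolean filterInitialized;
    private SAMLConfiguration conf;
    private String hostname;
    private SessionHandlerFactory sessionHandlerFactory;
    private DevelMode develMode;
    private CRLChecker crlChecker = new CRLChecker();
    private AtomicBoolean cleanerRunning = new AtomicBoolean(false);

    /** Stops the session cleaner and CRL checker and closes the session-handler factories. */
    @Override
    public void destroy() {
        SessionCleaner.stopCleaner();
        this.crlChecker.stopChecker();
        if (this.sessionHandlerFactory != null) {
            this.sessionHandlerFactory.close();
        }
        SessionHandlerFactory.Factory.close();
    }

    /**
     * Enforces SAML authentication for the request.
     *
     * @param servletRequest  must be an {@link HttpServletRequest}; anything else is rejected
     * @param servletResponse response, cast to {@link HttpServletResponse} where needed
     * @param filterChain     the rest of the chain, invoked only when access is granted
     * @throws RuntimeException for a non-HTTP request, or when the session assertion fails the
     *                          assurance-level or profile checks (the session is logged out first)
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (log.isDebugEnabled()) {
            log.debug("OIOSAML-J SP Filter invoked");
        }
        if (!(servletRequest instanceof HttpServletRequest)) {
            throw new RuntimeException("Not supported operation...");
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        Audit.init(httpServletRequest);
        if (!isFilterInitialized()) {
            // Lazy initialization for deployments that were not configured at init() time.
            // Guarded so that concurrent first requests do not each build a session-handler
            // factory and restart the CRL checker.
            synchronized (this) {
                if (!isFilterInitialized()) {
                    try {
                        setRuntimeConfiguration(SAMLConfigurationFactory.getConfiguration().getSystemConfiguration());
                    } catch (IllegalStateException e) {
                        // Not configured yet: hand the request to the configuration page instead of failing.
                        servletRequest.getRequestDispatcher("/saml/configure").forward(servletRequest, servletResponse);
                        return;
                    }
                }
            }
        }
        ensureSignatureAlgorithm();
        Configuration systemConfiguration = this.conf.getSystemConfiguration();
        if (systemConfiguration.getBoolean(Constants.PROP_DEVEL_MODE, false)) {
            log.warn("Running in debug mode, skipping regular filter");
            if (this.develMode == null) {
                // Only init() creates the devel-mode handler; the lazy path above does not.
                this.develMode = new DevelModeImpl();
            }
            this.develMode.doFilter(httpServletRequest, (HttpServletResponse) servletResponse, filterChain, systemConfiguration);
            return;
        }
        if (this.cleanerRunning.compareAndSet(false, true)) {
            SessionCleaner.startCleaner(this.sessionHandlerFactory.getHandler(), httpServletRequest.getSession().getMaxInactiveInterval(), 30);
        }
        SessionHandler handler = this.sessionHandlerFactory.getHandler();
        if (httpServletRequest.getServletPath().equals(systemConfiguration.getProperty(Constants.PROP_SAML_SERVLET))) {
            // The SAML endpoint (login/logout/metadata/ACS) must be reachable without a session.
            log.debug("Request to SAML servlet, access granted");
            filterChain.doFilter(new SAMLHttpServletRequest(httpServletRequest, this.hostname, (String) null), servletResponse);
            return;
        }
        HttpSession session = httpServletRequest.getSession();
        if (log.isDebugEnabled()) {
            // NOTE(review): this writes the raw session identifier to the log; keep debug logging
            // disabled in production or redact it.
            log.debug("sessionId....:" + session.getId());
        }
        // ForceAuthn is a caller-supplied query parameter; it only ever yields a boolean.
        boolean forceAuthn = false;
        if (servletRequest.getParameterMap().containsKey(Constants.QUERY_STRING_FORCE_AUTHN)) {
            forceAuthn = Boolean.parseBoolean(servletRequest.getParameter(Constants.QUERY_STRING_FORCE_AUTHN));
        }
        if (!handler.isLoggedIn(session.getId()) || session.getAttribute(Constants.SESSION_USER_ASSERTION) == null || forceAuthn) {
            // NOTE(review): only the session attribute is cleared here, handler.logOut is not
            // called - presumably the login response replaces the handler's assertion; confirm.
            session.removeAttribute(Constants.SESSION_USER_ASSERTION);
            UserAssertionHolder.set(null);
            saveRequestAndGotoLogin((HttpServletResponse) servletResponse, httpServletRequest);
            return;
        }
        validateAssuranceLevel(handler, session);
        validateProfile(handler, session);
        UserAssertion userAssertion = (UserAssertion) session.getAttribute(Constants.SESSION_USER_ASSERTION);
        if (log.isDebugEnabled()) {
            log.debug("Everything is ok... Assertion: " + userAssertion);
        }
        Audit.log(Operation.ACCESS, httpServletRequest.getRequestURI());
        try {
            UserAssertionHolder.set(userAssertion);
            filterChain.doFilter(new SAMLHttpServletRequest(httpServletRequest, userAssertion, this.hostname), servletResponse);
        } finally {
            // Never leak the assertion to the next request served by this thread.
            UserAssertionHolder.set(null);
        }
    }

    /**
     * Enforces the configured requested profile. Only the professional profile imposes a
     * requirement: the assertion must carry both the CVR and organisation-name attributes.
     *
     * @throws RuntimeException when a mandatory attribute is missing; the session is logged out first
     */
    private void validateProfile(SessionHandler sessionHandler, HttpSession httpSession) {
        String requestedProfile = this.conf.getSystemConfiguration().getString(Constants.PROP_REQUESTED_PROFILE, (String) null);
        if (requestedProfile == null || OIOSAMLConstants.PROFILE_PERSON.equals(requestedProfile)) {
            return;
        }
        if (!OIOSAMLConstants.PROFILE_PROFESSIONAL.equals(requestedProfile)) {
            log.warn("Unknown profile: " + requestedProfile);
            return;
        }
        boolean hasCvr = false;
        boolean hasOrgName = false;
        for (AttributeStatement statement : sessionHandler.getAssertion(httpSession.getId()).getAssertion().getAttributeStatements()) {
            for (Attribute attribute : statement.getAttributes()) {
                String name = attribute.getName();
                if (OIOSAMLConstants.ATTRIBUTE_EID_PROFESSIONAL_CVR.equals(name)) {
                    hasCvr = true;
                } else if (OIOSAMLConstants.ATTRIBUTE_EID_PROFESSIONAL_ORGNAME.equals(name)) {
                    hasOrgName = true;
                }
            }
        }
        if (hasCvr && hasOrgName) {
            return;
        }
        sessionHandler.logOut(httpSession);
        throw new RuntimeException("Mandatory attributes for professional profile not present: " + (!hasCvr ? OIOSAMLConstants.ATTRIBUTE_EID_PROFESSIONAL_CVR : "") + " " + (!hasOrgName ? OIOSAMLConstants.ATTRIBUTE_EID_PROFESSIONAL_ORGNAME : ""));
    }

    /**
     * Checks the session assertion against the configured assurance level and/or NSIS level.
     * With nothing configured every assertion passes; when both are configured, satisfying
     * either one is enough (the NSIS check is only reached if the assurance check did not pass).
     *
     * @throws RuntimeException when the assertion is too weak; the session is logged out first
     */
    private void validateAssuranceLevel(SessionHandler sessionHandler, HttpSession httpSession) {
        int assuranceLevel = sessionHandler.getAssertion(httpSession.getId()).getAssuranceLevel();
        String nsisLevel = sessionHandler.getAssertion(httpSession.getId()).getNSISLevel();
        int requiredAssuranceLevel = this.conf.getSystemConfiguration().getInt(Constants.PROP_ASSURANCE_LEVEL, 0);
        String requiredNsisLevel = this.conf.getSystemConfiguration().getString(Constants.PROP_NSIS_LEVEL, (String) null);
        boolean accepted;
        if (requiredAssuranceLevel == 0 && requiredNsisLevel == null) {
            accepted = true;
        } else if (requiredAssuranceLevel > 0 && assuranceLevel >= requiredAssuranceLevel) {
            accepted = true;
        } else if (requiredNsisLevel != null && nsisLevel != null) {
            accepted = nsisLevelSatisfies(requiredNsisLevel, nsisLevel);
        } else {
            accepted = false;
        }
        if (accepted) {
            return;
        }
        sessionHandler.logOut(httpSession);
        String message;
        if (requiredNsisLevel != null && requiredAssuranceLevel == 0) {
            message = "NSIS level too low: " + nsisLevel + ", required: " + requiredNsisLevel;
        } else if (requiredNsisLevel == null && requiredAssuranceLevel > 0) {
            message = "Assurance level too low: " + assuranceLevel + ", required: " + requiredAssuranceLevel;
        } else {
            message = "Both NSIS level and Assurance level where too low: " + assuranceLevel + " / " + nsisLevel + ", required: " + requiredAssuranceLevel + " / " + requiredNsisLevel;
        }
        log.warn(message);
        throw new RuntimeException(message);
    }

    /**
     * Whether an asserted NSIS level meets the requested one. Levels are ordered
     * High &gt; Substantial &gt; Low; an unknown requested level matches nothing.
     *
     * @param requested the configured request level (non-null)
     * @param actual    the level asserted by the IdP (non-null)
     */
    private static boolean nsisLevelSatisfies(String requested, String actual) {
        if (requested.equals(OIOSAMLConstants.NSIS_REQUEST_LEVEL_HIGH)) {
            return actual.equals(OIOSAMLConstants.NSIS_RESPONSE_LEVEL_HIGH);
        }
        if (requested.equals(OIOSAMLConstants.NSIS_REQUEST_LEVEL_SUBSTANTIAL)) {
            return actual.equals(OIOSAMLConstants.NSIS_RESPONSE_LEVEL_HIGH)
                    || actual.equals(OIOSAMLConstants.NSIS_RESPONSE_LEVEL_SUBSTANTIAL);
        }
        if (requested.equals(OIOSAMLConstants.NSIS_REQUEST_LEVEL_LOW)) {
            return actual.equals(OIOSAMLConstants.NSIS_RESPONSE_LEVEL_HIGH)
                    || actual.equals(OIOSAMLConstants.NSIS_RESPONSE_LEVEL_SUBSTANTIAL)
                    || actual.equals(OIOSAMLConstants.NSIS_RESPONSE_LEVEL_LOW);
        }
        return false;
    }

    /**
     * Stores the current request so it can be replayed after login and forwards to the
     * protocol-specific login handler under the SAML servlet.
     *
     * @throws RuntimeException when no handler URL is configured for the active protocol
     */
    protected void saveRequestAndGotoLogin(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest) throws ServletException, IOException {
        String savedRequestId = this.sessionHandlerFactory.getHandler().saveRequest(Request.fromHttpRequest(httpServletRequest));
        Configuration systemConfiguration = this.conf.getSystemConfiguration();
        String protocol = systemConfiguration.getString(Constants.PROP_PROTOCOL, "saml20");
        String samlServletPath = systemConfiguration.getString(Constants.PROP_SAML_SERVLET, "/saml");
        String protocolPath = systemConfiguration.getString("oiosaml-sp.protocol." + protocol);
        if (protocolPath == null) {
            throw new RuntimeException("No protocol url configured for oiosaml-sp.protocol." + protocol);
        }
        String loginHandlerPath = samlServletPath + protocolPath;
        if (log.isDebugEnabled()) {
            log.debug("Redirecting to " + protocol + " login handler at " + loginHandlerPath);
        }
        httpServletRequest.getRequestDispatcher(loginHandlerPath).forward(new SAMLHttpServletRequest(httpServletRequest, this.hostname, savedRequestId), httpServletResponse);
    }

    /**
     * Configures the filter at startup when a configuration is available. In devel mode only
     * the devel handler is set up; otherwise the full runtime configuration is applied. When
     * no configuration exists yet, or applying it fails, the filter stays uninitialized and
     * configuration is retried on the first request.
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.conf = SAMLConfigurationFactory.getConfiguration();
        if (!this.conf.isConfigured()) {
            setFilterInitialized(false);
            return;
        }
        try {
            Configuration systemConfiguration = SAMLConfigurationFactory.getConfiguration().getSystemConfiguration();
            if (systemConfiguration.getBoolean(Constants.PROP_DEVEL_MODE, false)) {
                this.develMode = new DevelModeImpl();
                setConfiguration(systemConfiguration);
            } else {
                setRuntimeConfiguration(systemConfiguration);
            }
            setFilterInitialized(true);
        } catch (IllegalStateException e) {
            log.error("Unable to configure", e);
            setFilterInitialized(false);
        }
    }

    /**
     * Applies the runtime configuration: CRL checking, discovery validation, hostname,
     * session handling and the signature algorithm.
     *
     * @throws IllegalStateException when discovery is enabled without a discovery location
     *                               (or by the metadata/session components it calls)
     */
    private void setRuntimeConfiguration(Configuration configuration) {
        restartCRLChecker(configuration);
        setConfiguration(configuration);
        if (!IdpMetadata.getInstance().enableDiscovery()) {
            log.info("Discovery profile disabled, only one metadata file found");
        } else if (configuration.getString(Constants.DISCOVERY_LOCATION) == null) {
            throw new IllegalStateException("Discovery location cannot be null when discovery profile is active");
        }
        setHostname();
        this.sessionHandlerFactory = SessionHandlerFactory.Factory.newInstance(configuration);
        this.sessionHandlerFactory.getHandler().resetReplayProtection(configuration.getInt(Constants.PROP_NUM_TRACKED_ASSERTIONIDS));
        ensureSignatureAlgorithm();
        // Mark initialized only now: if any step above throws, the next request must retry
        // instead of running with a null session-handler factory.
        setFilterInitialized(true);
        log.info("Home url: " + configuration.getString(Constants.PROP_HOME));
        log.info("Assurance level: " + configuration.getInt(Constants.PROP_ASSURANCE_LEVEL));
        log.info("SP entity ID: " + SPMetadata.getInstance().getEntityID());
        log.info("Base hostname: " + this.hostname);
    }

    /** Registers the configured RSA signature algorithm URI (default RSA-SHA256) with OpenSAML. */
    private static void ensureSignatureAlgorithm() {
        org.opensaml.Configuration.getGlobalSecurityConfiguration().registerSignatureAlgorithmURI("RSA", SAMLConfigurationFactory.getConfiguration().getSystemConfiguration().getString(Constants.SIGNATURE_ALGORITHM, "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));
    }

    /**
     * Derives the base hostname (scheme + authority) from the default assertion-consumer URL.
     * The search for '/' starts at index 8 to skip the "scheme://" separator; a URL with no
     * path component is used as-is instead of failing.
     */
    private void setHostname() {
        String location = SPMetadata.getInstance().getDefaultAssertionConsumerService().getLocation();
        int pathStart = location.indexOf('/', 8);
        setHostname(pathStart < 0 ? location : location.substring(0, pathStart));
    }

    /**
     * Restarts periodic IdP certificate revocation checking. A non-positive period disables
     * checking entirely, which makes every IdP certificate (self-signed included) trusted.
     */
    private void restartCRLChecker(Configuration configuration) {
        this.crlChecker.stopChecker();
        int checkPeriod = configuration.getInt(Constants.PROP_CRL_CHECK_PERIOD, 600);
        if (checkPeriod > 0) {
            this.crlChecker.startChecker(checkPeriod, IdpMetadata.getInstance(), configuration);
        } else {
            log.warn("Revocation check of IdP certificates has been disabled. All certificates including self signed certificates will be considered valid.");
            this.crlChecker.setAllCertificatesValid(IdpMetadata.getInstance());
        }
    }

    /** Overrides the base hostname used when wrapping requests. */
    public void setHostname(String str) {
        this.hostname = str;
    }

    /** Marks the filter as (un)initialized; a false value makes the next request reconfigure. */
    public void setFilterInitialized(boolean z) {
        this.filterInitialized = z;
    }

    public boolean isFilterInitialized() {
        return this.filterInitialized;
    }

    /** Installs the configuration in the shared factory and re-reads the filter's handle to it. */
    public void setConfiguration(Configuration configuration) {
        SAMLConfigurationFactory.getConfiguration().setConfiguration(configuration);
        this.conf = SAMLConfigurationFactory.getConfiguration();
    }

    public void setSessionHandlerFactory(SessionHandlerFactory sessionHandlerFactory) {
        this.sessionHandlerFactory = sessionHandlerFactory;
    }

    public void setDevelMode(DevelMode develMode) {
        this.develMode = develMode;
    }

    static {
        OIOSAMLBootstrap.init();
    }
}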
