package org.apache.cxf.fediz.jetty9;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Map;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.xml.bind.JAXBException;
import org.apache.cxf.fediz.core.config.FederationProtocol;
import org.apache.cxf.fediz.core.config.FedizConfigurator;
import org.apache.cxf.fediz.core.config.FedizContext;
import org.apache.cxf.fediz.core.config.SAMLProtocol;
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.metadata.MetadataDocumentHandler;
import org.apache.cxf.fediz.core.processor.FedizProcessor;
import org.apache.cxf.fediz.core.processor.FedizProcessorFactory;
import org.apache.cxf.fediz.core.processor.FedizRequest;
import org.apache.cxf.fediz.core.processor.RedirectionResponse;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.http.MimeTypes;
import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.security.authentication.DeferredAuthentication;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.security.authentication.SessionAuthentication;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.MultiMap;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;

/* loaded from: input_file:org/apache/cxf/fediz/jetty9/FederationAuthenticator.class */
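/**
 * Jetty 9 {@link LoginAuthenticator} implementing the Fediz WS-Federation / SAML web-SSO flow.
 *
 * <p>An unauthenticated, mandatory request is redirected to the configured issuer (IdP); the
 * response token the IdP posts back is validated through the {@link FederationLoginService}
 * and the resulting {@link UserIdentity} is cached in the {@link HttpSession}. Following the
 * Jetty form-authentication pattern, the originally requested URL (and, for form POSTs, the
 * parameters) is remembered under {@link #J_URI} / {@link #J_POST} so the client can be sent
 * back to it once sign-in completes.
 *
 * <p>Configuration is read from a Fediz XML file, located by the {@code configFile} path or,
 * if that does not exist, relative to the {@code jetty.home} system property.
 */
public class FederationAuthenticator extends LoginAuthenticator {

    /** Session attribute holding the URL the client requested before being sent to the IdP. */
    public static final String J_URI = "org.eclipse.jetty.security.form_URI";
    /** Session attribute holding the parameters of an interrupted form POST, replayed after sign-in. */
    public static final String J_POST = "org.eclipse.jetty.security.form_POST";

    private static final Logger LOG = Log.getLogger(FederationAuthenticator.class);

    /** Session attribute under which the validated security token is kept after sign-in. */
    private static final String SECURITY_TOKEN_ATTR = "org.apache.fediz.SECURITY_TOKEN";
    private static final String JETTY_HOME_PROPERTY = "jetty.home";
    private static final String X509_REQUEST_ATTR = "javax.servlet.request.X509Certificate";

    // WS-Federation / SAML request parameters and actions handled by this authenticator.
    private static final String WA_PARAMETER = "wa";
    private static final String WRESULT_PARAMETER = "wresult";
    private static final String SAML_RESPONSE_PARAMETER = "SAMLResponse";
    private static final String RELAY_STATE_PARAMETER = "RelayState";
    private static final String SIGN_IN_ACTION = "wsignin1.0";
    private static final String SIGN_OUT_CLEANUP_ACTION = "wsignoutcleanup1.0";

    /** Classpath resource returned to the IdP-driven sign-out cleanup request. */
    private static final String LOGOUT_IMAGE = "logout.jpg";

    private String configFile;
    private FedizConfigurator configurator;
    private String encoding = "UTF-8";

    /**
     * {@link UserAuthentication} returned right after a successful sign-in. It implements
     * {@link Authentication.ResponseSent} because the redirect back to the original URL has
     * already been written when it is returned.
     */
    public static class FederationAuthentication extends UserAuthentication implements Authentication.ResponseSent {

        public FederationAuthentication(String method, UserIdentity userIdentity) {
            super(method, userIdentity);
        }

        @Override
        public String toString() {
            return "WSFED" + super.toString();
        }
    }

    /**
     * Loads the Fediz configuration in addition to the standard Jetty authenticator set-up.
     *
     * <p>The configuration file is first looked up by {@link #getConfigFile()} as given; if it
     * does not exist and {@code jetty.home} is set, the path is resolved against {@code jetty.home}.
     *
     * @throws IllegalStateException if no {@code configFile} has been set
     * @throws RuntimeException if the configuration cannot be parsed
     */
    @Override
    public void setConfiguration(Authenticator.AuthConfiguration authConfiguration) {
        super.setConfiguration(authConfiguration);
        LOG.debug(authConfiguration.getInitParameterNames().toString());

        String configPath = getConfigFile();
        if (configPath == null || configPath.isEmpty()) {
            throw new IllegalStateException("No Fediz configuration file set (configFile)");
        }
        File file = new File(configPath);
        if (!file.exists()) {
            // Fall back to resolving a relative path against jetty.home.
            String jettyHome = System.getProperty(JETTY_HOME_PROPERTY);
            if (jettyHome != null && !jettyHome.isEmpty()) {
                file = new File(jettyHome, configPath);
            }
        }
        try {
            FedizConfigurator loaded = new FedizConfigurator();
            loaded.loadConfig(file);
            this.configurator = loaded;
            LOG.debug("Fediz configuration read from {}", file.getAbsolutePath());
        } catch (JAXBException e) {
            throw new RuntimeException("Failed to load Fediz configuration", e);
        }
    }

    /** @return the authentication method name reported to Jetty, always {@code "WSFED"} */
    @Override
    public String getAuthMethod() {
        return "WSFED";
    }

    /** @return the path of the Fediz configuration file (absolute, or relative to {@code jetty.home}) */
    public String getConfigFile() {
        return this.configFile;
    }

    /** @param configFile path of the Fediz configuration file */
    public void setConfigFile(String configFile) {
        this.configFile = configFile;
    }

    /** @return the character encoding applied to incoming requests before parameters are read */
    public String getEncoding() {
        return this.encoding;
    }

    /** @param encoding character encoding applied to incoming requests (default {@code UTF-8}) */
    public void setEncoding(String encoding) {
        this.encoding = encoding;
    }

    /**
     * Validates a request against the Fediz SSO state machine.
     *
     * <p>In order: metadata requests are served unauthenticated; non-mandatory requests are
     * deferred; an IdP sign-in response is validated and cached in a renewed session; a
     * sign-out cleanup invalidates the session; a cached, non-expired authentication is returned
     * (replaying a remembered POST if this is the remembered URL, or triggering sign-out if the
     * configured logout URL was hit); otherwise the original URL is remembered and the client is
     * redirected to the issuer.
     *
     * @param servletRequest the request, a Jetty {@link Request} at runtime
     * @param servletResponse the response
     * @param mandatory whether authentication is required for this request
     * @return the resulting {@link Authentication} state
     * @throws ServerAuthException if writing the response fails
     */
    @Override
    public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse,
                                          boolean mandatory) throws ServerAuthException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        HttpSession session = request.getSession(true);

        String contextPath = contextPathOf(request);
        FedizContext fedConfig = getContextConfiguration(contextPath);

        // Metadata documents are public; no authentication is involved.
        MetadataDocumentHandler metadataHandler = new MetadataDocumentHandler(fedConfig);
        if (metadataHandler.canHandleRequest(request)) {
            return metadataHandler.handleRequest(request, response)
                ? Authentication.SEND_CONTINUE : Authentication.SEND_FAILURE;
        }
        if (!mandatory) {
            return new DeferredAuthentication(this);
        }

        try {
            servletRequest.setCharacterEncoding(this.encoding);
        } catch (UnsupportedEncodingException e) {
            LOG.warn("Unsupported encoding '" + this.encoding + "'", e);
        }
        String requestURI = request.getRequestURI();
        if (requestURI == null) {
            requestURI = "/";
        }

        try {
            String action = request.getParameter(WA_PARAMETER);
            if (isSignInRequest(request, fedConfig)) {
                return handleSignInResponse(request, response, fedConfig, action,
                                            getResponseToken(request, fedConfig));
            }
            if (SIGN_OUT_CLEANUP_ACTION.equals(action)) {
                return handleSignOutCleanup(session, response);
            }
            if (action != null) {
                LOG.warn("Not supported action found in parameter wa: " + action);
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return Authentication.UNAUTHENTICATED;
            }

            // Look for an authentication cached in the session by an earlier sign-in.
            Authentication cached = (Authentication) session.getAttribute(SessionAuthentication.__J_AUTHENTICATED);
            if (cached != null) {
                boolean stillValid = !(cached instanceof Authentication.User)
                    || !isTokenExpired(fedConfig, ((Authentication.User) cached).getUserIdentity());
                if (stillValid) {
                    // NOTE(review): contextPath is "/" for the root context, so the comparison
                    // below becomes "//<logoutURL>" there — confirm intended for root deployments.
                    String logoutURL = fedConfig.getLogoutURL();
                    if (logoutURL != null && !logoutURL.isEmpty() && requestURI.equals(contextPath + logoutURL)) {
                        session.invalidate();
                        signOutRedirectToIssuer(request, response,
                                                FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol()));
                        return Authentication.SEND_CONTINUE;
                    }
                    restoreInterruptedPost(servletRequest, session);
                    return cached;
                }
                // Expired token: drop the stale authentication and run the sign-in flow again.
                session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
            }

            if (DeferredAuthentication.isDeferred(response)) {
                LOG.debug("auth deferred {}", session.getId());
                return Authentication.UNAUTHENTICATED;
            }

            rememberOriginalRequest(servletRequest, session);
            signInRedirectToIssuer(request, response,
                                   FedizProcessorFactory.newFedizProcessor(fedConfig.getProtocol()));
            return Authentication.SEND_CONTINUE;
        } catch (IOException e) {
            throw new ServerAuthException(e);
        }
    }

    /**
     * Processes the response token posted back by the IdP after sign-in.
     *
     * <p>On success the session is renewed, the token and a {@link SessionAuthentication} are
     * stored in it, and the client is redirected to the remembered {@link #J_URI} (or the context
     * root). On failure a 403 is sent and {@link Authentication#SEND_FAILURE} is returned so the
     * caller does not continue on an already committed response.
     *
     * @param action the {@code wa} parameter value (may be {@code null} for SAML)
     * @param responseToken the token extracted by {@link #getResponseToken}; {@code null} yields a 400
     */
    private Authentication handleSignInResponse(HttpServletRequest request, HttpServletResponse response,
                                                FedizContext fedConfig, String action,
                                                String responseToken) throws IOException {
        LOG.debug("SignIn request found");
        if (responseToken == null) {
            LOG.debug("SignIn request must contain a response token from the IdP");
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return Authentication.SEND_FAILURE;
        }

        FedizRequest fedizRequest = new FedizRequest();
        fedizRequest.setAction(action);
        fedizRequest.setResponseToken(responseToken);
        fedizRequest.setState(request.getParameter(RELAY_STATE_PARAMETER));
        fedizRequest.setRequest(request);
        fedizRequest.setCerts((X509Certificate[]) request.getAttribute(X509_REQUEST_ATTR));

        UserIdentity user = ((FederationLoginService) this._loginService).login((String) null, fedizRequest, fedConfig);
        if (user == null) {
            LOG.debug("WSFED authentication FAILED");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return Authentication.SEND_FAILURE;
        }

        // renewSession is inherited from LoginAuthenticator; Jetty uses it to issue a fresh
        // session id once the principal changes, so the pre-login id is not kept.
        HttpSession session = renewSession(request, response);
        session.setAttribute(SECURITY_TOKEN_ATTR, ((FederationUserIdentity) user).getToken());

        String redirectTo;
        synchronized (session) {
            // J_URI is written only by rememberOriginalRequest() from the request's own URL.
            redirectTo = (String) session.getAttribute(J_URI);
            if (redirectTo == null || redirectTo.isEmpty()) {
                redirectTo = request.getContextPath();
                if (redirectTo.isEmpty()) {
                    redirectTo = "/";
                }
            }
            session.setAttribute(SessionAuthentication.__J_AUTHENTICATED,
                                 new SessionAuthentication(getAuthMethod(), user, (Object) null));
        }
        response.setContentLength(0);
        response.sendRedirect(response.encodeRedirectURL(redirectTo));
        return new FederationAuthentication(getAuthMethod(), user);
    }

    /**
     * Handles the IdP-initiated {@code wsignoutcleanup1.0} request: invalidates the session and
     * answers with the bundled {@code logout.jpg}.
     *
     * @return {@link Authentication#SEND_SUCCESS}, or {@link Authentication#SEND_FAILURE} if the
     *         image resource is missing
     */
    private Authentication handleSignOutCleanup(HttpSession session, HttpServletResponse response) throws IOException {
        LOG.debug("SignOutCleanup request found");
        session.invalidate();

        try (InputStream logoutImage = getClass().getClassLoader().getResourceAsStream(LOGOUT_IMAGE)) {
            if (logoutImage == null) {
                LOG.warn("Could not write logout.jpg");
                return Authentication.SEND_FAILURE;
            }
            ServletOutputStream out = response.getOutputStream();
            byte[] buffer = new byte[1024];
            int read;
            while ((read = logoutImage.read(buffer)) != -1) {
                out.write(buffer, 0, read);
            }
            out.flush();
            return Authentication.SEND_SUCCESS;
        }
    }

    /**
     * Replays a form POST that was interrupted by the sign-in redirect: if {@link #J_URI} names
     * the current URL and {@link #J_POST} holds its parameters, the request method is switched
     * back to POST and the saved parameters are installed. A {@link #J_URI} without saved
     * parameters is simply cleared.
     */
    private static void restoreInterruptedPost(ServletRequest servletRequest, HttpSession session) {
        String rememberedUri = (String) session.getAttribute(J_URI);
        if (rememberedUri == null) {
            return;
        }
        @SuppressWarnings("unchecked")
        MultiMap<String> savedPost = (MultiMap<String>) session.getAttribute(J_POST);
        if (savedPost == null) {
            session.removeAttribute(J_URI);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        if (rememberedUri.equals(fullRequestURL(request))) {
            session.removeAttribute(J_POST);
            Request baseRequest = (Request) servletRequest;
            baseRequest.setMethod(HttpMethod.POST.asString());
            baseRequest.setQueryParameters(savedPost);
        }
    }

    /**
     * Remembers the current URL under {@link #J_URI} (unless one is already stored) and, for a
     * form-encoded POST, its parameters under {@link #J_POST}, so they can be replayed after
     * sign-in. Synchronized on the session as in Jetty's form authenticator.
     */
    private static void rememberOriginalRequest(ServletRequest servletRequest, HttpSession session) {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        synchronized (session) {
            if (session.getAttribute(J_URI) != null) {
                return;
            }
            session.setAttribute(J_URI, fullRequestURL(request));
            // Type.is()/HttpMethod.is() compare against the String; equals() on the enum never matches.
            if (MimeTypes.Type.FORM_ENCODED.is(servletRequest.getContentType())
                && HttpMethod.POST.is(request.getMethod())) {
                Request baseRequest = (Request) servletRequest;
                baseRequest.extractParameters();
                session.setAttribute(J_POST, new MultiMap<String>(baseRequest.getQueryParameters()));
            }
        }
    }

    /** @return the request URL including the query string, if any */
    private static String fullRequestURL(HttpServletRequest request) {
        StringBuffer url = request.getRequestURL();
        String query = request.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    /**
     * Checks whether the token behind a cached identity has expired.
     *
     * @return {@code true} only if expiry detection is enabled, the token has an expiry date and
     *         that date is in the past
     * @throws IllegalStateException if the identity is not a {@link FederationUserIdentity}
     */
    private boolean isTokenExpired(FedizContext fedConfig, UserIdentity userIdentity) {
        if (!fedConfig.isDetectExpiredTokens()) {
            return false;
        }
        if (!(userIdentity instanceof FederationUserIdentity)) {
            LOG.warn("UserIdentity must be instance of FederationUserIdentity");
            throw new IllegalStateException("UserIdentity must be instance of FederationUserIdentity");
        }
        Date expiryDate = ((FederationUserIdentity) userIdentity).getExpiryDate();
        if (expiryDate == null) {
            LOG.debug("Token doesn't expire");
            return false;
        }
        if (new Date().after(expiryDate)) {
            LOG.warn("Token already expired. Clean up and redirect");
            return true;
        }
        return false;
    }

    /**
     * @return {@code true} for a WS-Federation {@code wa=wsignin1.0} request, or for a SAML
     *         request carrying a {@code RelayState} parameter
     */
    private boolean isSignInRequest(ServletRequest servletRequest, FedizContext fedConfig) {
        Object protocol = fedConfig.getProtocol();
        if (protocol instanceof FederationProtocol) {
            return SIGN_IN_ACTION.equals(servletRequest.getParameter(WA_PARAMETER));
        }
        return protocol instanceof SAMLProtocol && servletRequest.getParameter(RELAY_STATE_PARAMETER) != null;
    }

    /**
     * @return the IdP response token: {@code wresult} for WS-Federation, {@code SAMLResponse} for
     *         SAML, {@code null} for any other protocol
     */
    private String getResponseToken(ServletRequest servletRequest, FedizContext fedConfig) {
        Object protocol = fedConfig.getProtocol();
        if (protocol instanceof FederationProtocol) {
            return servletRequest.getParameter(WRESULT_PARAMETER);
        }
        if (protocol instanceof SAMLProtocol) {
            return servletRequest.getParameter(SAML_RESPONSE_PARAMETER);
        }
        return null;
    }

    /** No response post-processing is needed; always {@code true}. */
    @Override
    public boolean secureResponse(ServletRequest servletRequest, ServletResponse servletResponse,
                                  boolean mandatory, Authentication.User validatedUser) throws ServerAuthException {
        return true;
    }

    /**
     * Redirects the client to the issuer's sign-in endpoint, adding any headers the processor
     * requests. Sends a 500 if the sign-in request cannot be created.
     */
    protected void signInRedirectToIssuer(HttpServletRequest request, HttpServletResponse response,
                                          FedizProcessor processor) throws IOException {
        FedizContext fedContext = getContextConfiguration(contextPathOf(request));
        try {
            sendRedirection(response, processor.createSignInRequest(request, fedContext), "SignInRequest");
        } catch (ProcessingException e) {
            LOG.warn("Failed to create SignInRequest: " + e.getMessage(), e);
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignInRequest.");
        }
    }

    /**
     * Redirects the client to the issuer's sign-out endpoint, adding any headers the processor
     * requests. Sends a 500 if the sign-out request cannot be created.
     */
    protected void signOutRedirectToIssuer(HttpServletRequest request, HttpServletResponse response,
                                           FedizProcessor processor) throws IOException {
        FedizContext fedContext = getContextConfiguration(contextPathOf(request));
        try {
            sendRedirection(response,
                            processor.createSignOutRequest(request, (SamlAssertionWrapper) null, fedContext),
                            "SignOutRequest");
        } catch (ProcessingException e) {
            LOG.warn("Failed to create SignOutRequest: " + e.getMessage(), e);
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create SignOutRequest.");
        }
    }

    /**
     * Writes a {@link RedirectionResponse} to the client: its headers followed by a redirect to
     * its URL, or a 500 when the processor produced no URL.
     *
     * @param what name of the request type, used only in log and error messages
     */
    private static void sendRedirection(HttpServletResponse response, RedirectionResponse redirection,
                                        String what) throws IOException {
        String redirectionURL = redirection.getRedirectionURL();
        if (redirectionURL == null) {
            LOG.warn("Failed to create " + what + ".");
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Failed to create " + what + ".");
            return;
        }
        Map<String, String> headers = redirection.getHeaders();
        if (headers != null) {
            for (Map.Entry<String, String> header : headers.entrySet()) {
                response.addHeader(header.getKey(), header.getValue());
            }
        }
        response.sendRedirect(redirectionURL);
    }

    /** @return the servlet context path, normalised to {@code "/"} for the root context */
    private static String contextPathOf(HttpServletRequest request) {
        String contextPath = request.getSession().getServletContext().getContextPath();
        return (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath;
    }

    /**
     * Looks up the Fediz context for a servlet context path and points its relative-path base
     * at {@code jetty.home} when that property is set.
     *
     * @throws IllegalStateException if no configuration was loaded or none exists for the path
     */
    private FedizContext getContextConfiguration(String contextPath) {
        if (this.configurator == null) {
            throw new IllegalStateException("No Fediz configuration available");
        }
        FedizContext fedContext = this.configurator.getFedizContext(contextPath);
        if (fedContext == null) {
            throw new IllegalStateException("No Fediz configuration for context :" + contextPath);
        }
        String jettyHome = System.getProperty(JETTY_HOME_PROPERTY);
        if (jettyHome != null && !jettyHome.isEmpty()) {
            fedContext.setRelativePath(jettyHome);
        }
        return fedContext;
    }
}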
