package nl.b3p.commons.security.aselect;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.Date;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Map;
import java.util.Properties;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.batik.svggen.font.table.FeatureTags;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.log4j.MDC;
import org.apache.log4j.spi.LocationInfo;

/* loaded from: input_file:WEB-INF/lib/b3p-commons-core-5.0.3.jar:nl/b3p/commons/security/aselect/ASelectAuthorizationFilter.class */
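/**
 * Servlet filter that gates access to an application behind A-Select
 * authentication.
 *
 * <p>Request flow as implemented here: {@link #doFilter} hands every request to
 * {@link #checkAuthorization}. When the request carries both the {@code rid} and
 * {@code aselect_credentials} parameters it is treated as the return leg from the
 * A-Select server and the credentials are verified via the configured
 * {@link ASelectClient}; on success a ticket is stored on the HTTP session.
 * Any other request is allowed through only if the session already holds a
 * ticket that passes {@code verify()}; otherwise the user is redirected to
 * A-Select to authenticate.
 *
 * <p>Only the agent API ({@code api=agent}) is supported; {@link #init} refuses
 * any other value. The {@code app_id} init parameter is required. When
 * {@code avoid_url_params_in_redirect} is {@code true}, the original request URL
 * (including its query string) is parked on the session and A-Select is given a
 * bare marker URL instead; after verification the filter redirects back to the
 * parked URL.
 *
 * <p>This class is not thread-safe for configuration, but the servlet container
 * calls {@code init} once before any {@code doFilter}.
 */
public class ASelectAuthorizationFilter implements Filter, ASelectConstants {
    private static final int ASELECT_API_AGENT = 0;
    private static final int ASELECT_API_SERVER = 1;
    private static final int ASELECT_API_WEBSERVERFILTER = 2;
    /** Request parameter that marks the redirect-back leg when URL params are avoided. */
    private static final String ASELECT_REDIRECT_BACK = "aselect__redirect_back";
    /** A-Select result code meaning success; every other value is treated as an error. */
    private static final String ASELECT_RESULT_OK = "0000";
    /** MDC keys populated for the duration of an authenticated request. */
    private static final String MDC_UID = "ASelectUid";
    private static final String MDC_TICKET = "ASelectTicket";
    private static final Log log = LogFactory.getLog(ASelectAuthorizationFilter.class);
    private static final String ASELECT_ORIGINAL_APP_URL = ASelectAuthorizationFilter.class.getName() + ".ORIGINAL_APP_URL";
    private static final String ASELECT_FORCE_LOGIN = ASelectAuthorizationFilter.class.getName() + ".FORCE_LOGIN";

    // Stays false until init() has fully succeeded; doFilter() denies everything while false.
    private boolean configOK = false;
    private FilterConfig filterConfig = null;
    private int api;
    private String appId;
    private boolean avoidURLParamsInRedirect;
    private ASelectClient client;

    /**
     * Reads the filter configuration and builds the A-Select client.
     *
     * @param filterConfig the container-supplied configuration; all init
     *     parameters are passed on to the {@link ASelectAgentClient}
     * @throws IllegalArgumentException if {@code api} is missing or not
     *     {@code agent}, or if {@code app_id} is missing
     */
    public void init(FilterConfig filterConfig) {
        if (log.isInfoEnabled()) {
            log.info("init");
        }
        this.configOK = false;
        this.filterConfig = filterConfig;
        String apiParam = filterConfig.getInitParameter("api");
        if (apiParam != null) {
            apiParam = apiParam.toLowerCase();
        }
        // A missing "api" parameter is rejected here instead of failing with an NPE.
        if (!"agent".equals(apiParam)) {
            log.error("error initializing filter " + filterConfig.getFilterName() + ": invalid \"api\" init parameter");
            throw new IllegalArgumentException("invalid \"api\" init parameter");
        }
        this.api = ASELECT_API_AGENT;
        this.client = new ASelectAgentClient(filterConfigToProperties(filterConfig));
        this.appId = filterConfig.getInitParameter("app_id");
        if (this.appId == null) {
            throw new IllegalArgumentException("\"app_id\" init parameter required");
        }
        this.avoidURLParamsInRedirect = "true".equals(filterConfig.getInitParameter("avoid_url_params_in_redirect"));
        // Set last: any exception above leaves the filter in the deny-all state.
        this.configOK = true;
    }

    /**
     * Copies every init parameter of the filter into a {@link Properties} object
     * for the client constructor.
     *
     * @param filterConfig source of the init parameters
     * @return a new {@link Properties} holding all init parameters by name
     */
    private Properties filterConfigToProperties(FilterConfig filterConfig) {
        Properties properties = new Properties();
        // Servlet 2.x returns a raw Enumeration; the cast keeps this source-compatible.
        Enumeration<?> names = filterConfig.getInitParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            properties.setProperty(name, filterConfig.getInitParameter(name));
        }
        return properties;
    }

    /**
     * Resets the per-request diagnostic context, then lets the request continue
     * only when {@link #checkAuthorization} returns {@code true}.
     *
     * @throws ServletException if the filter configuration is invalid, the
     *     request is not HTTP, or authorization fails
     * @throws IOException propagated from the chain or a redirect
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        // Clear first so a reused container thread never logs the previous user's ids.
        MDC.remove(MDC_UID);
        MDC.remove(MDC_TICKET);
        if (!this.configOK) {
            throw new ServletException("Invalid filter configuration");
        }
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            throw new ServletException("ASelectAuthorizationFilter requires an HTTP request and response");
        }
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        try {
            if (checkAuthorization(httpRequest, httpResponse)) {
                filterChain.doFilter(servletRequest, servletResponse);
            }
        } catch (ASelectAuthorizationException e) {
            if (log.isErrorEnabled()) {
                log.error("ASelectAuthorizationException: " + e.getMessage());
            }
            throw new ServletException(e);
        }
    }

    /** Nothing to release; the client holds no resources this filter owns. */
    public void destroy() {
    }

    /**
     * Marks the session so that the next redirect to A-Select requests a forced
     * logon ({@code forced_logon=true}) instead of reusing an existing login.
     *
     * @param httpSession the session to flag
     */
    public static void forceLogin(HttpSession httpSession) {
        httpSession.setAttribute(ASELECT_FORCE_LOGIN, "true");
    }

    /**
     * Decides whether the request may proceed to the application.
     *
     * @return {@code true} if the request is authenticated and the chain should
     *     continue; {@code false} if a redirect has already been sent
     * @throws ServletException on A-Select communication errors, failed
     *     credential verification, or an inconsistent session state
     * @throws ASelectAuthorizationException propagated from ticket or
     *     credential verification
     * @throws IOException if a redirect cannot be written
     */
    private boolean checkAuthorization(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ASelectAuthorizationException, ServletException, IOException {
        if (this.api == ASELECT_API_WEBSERVERFILTER) {
            return verifyWebFilterCookies(httpServletRequest);
        }
        String rid = httpServletRequest.getParameter("rid");
        String credentials = httpServletRequest.getParameter("aselect_credentials");
        boolean returningFromASelect = rid != null && credentials != null;
        if (!returningFromASelect) {
            ASelectTicket ticket = ASelectTicket.getFromSession(httpServletRequest.getSession());
            if (ticket == null) {
                if (log.isInfoEnabled()) {
                    log.info("redirecting to A-Select server");
                }
                redirectToASelect(httpServletRequest, httpServletResponse);
                return false;
            }
            try {
                // verify() is the only check applied to an existing session ticket.
                ticket.verify();
                MDC.put(MDC_UID, ticket.getUid());
                MDC.put(MDC_TICKET, ticket.getTicketId());
                return true;
            } catch (IOException e) {
                throw new ServletException("Error verifying ticket", e);
            }
        }
        if (log.isInfoEnabled()) {
            log.info("verifying credentials");
        }
        if (!verifyCredentials(httpServletRequest, rid, credentials)) {
            throw new ServletException("Credentials could not be verified");
        }
        boolean redirectBack = this.avoidURLParamsInRedirect && "true".equals(httpServletRequest.getParameter(ASELECT_REDIRECT_BACK));
        if (!redirectBack) {
            return true;
        }
        HttpSession session = httpServletRequest.getSession();
        // Parked by redirectToASelect(); only ever a URL this server built from its own request.
        String originalUrl = (String) session.getAttribute(ASELECT_ORIGINAL_APP_URL);
        if (originalUrl == null) {
            throw new ServletException("Invalid state: no original app URL in session to redirect to");
        }
        session.removeAttribute(ASELECT_ORIGINAL_APP_URL);
        if (log.isInfoEnabled()) {
            // Includes the original query string, so application parameters end up in the log.
            log.info("redirecting to original app URL: " + originalUrl);
        }
        httpServletResponse.sendRedirect(originalUrl);
        return false;
    }

    /**
     * Web-server-filter mode is not supported by this filter.
     *
     * @throws ASelectAuthorizationException always
     */
    private boolean verifyWebFilterCookies(HttpServletRequest httpServletRequest) throws ASelectAuthorizationException {
        throw new ASelectAuthorizationException("not implemented");
    }

    /**
     * Returns whether an A-Select result code denotes a problem with the user's
     * ticket or session (as opposed to a communication error).
     *
     * @param resultCode the {@code result_code} value, may be {@code null}
     */
    private boolean isUserError(String resultCode) {
        return ASelectConstants.ASELECT_AGENT_TICKET_UNKNOWN.equals(resultCode)
                || ASelectConstants.ASELECT_AGENT_TICKET_EXPIRED.equals(resultCode)
                || ASelectConstants.ASELECT_AGENT_TICKET_INVALID.equals(resultCode)
                || ASelectConstants.ASELECT_AGENT_AUTHSESSION_EXPIRED.equals(resultCode);
    }

    /**
     * Verifies the credentials returned by A-Select and, on success, stores a
     * ticket on the session.
     *
     * @param httpServletRequest the current request (session and remote host)
     * @param rid the {@code rid} request parameter
     * @param credentials the {@code aselect_credentials} request parameter
     * @return {@code true} on success; {@code false} when A-Select reports a
     *     user-level error (see {@link #isUserError})
     * @throws ServletException on communication errors, unparseable ticket
     *     times, an expiration time before the start time, or an unsupported API
     * @throws ASelectAuthorizationException propagated from the client
     */
    private boolean verifyCredentials(HttpServletRequest httpServletRequest, String rid, String credentials) throws ServletException, ASelectAuthorizationException {
        Hashtable<String, String> request = new Hashtable<String, String>();
        request.put("request", "verify_credentials");
        request.put("rid", rid);
        request.put("aselect_credentials", credentials);
        try {
            Map<?, ?> result = this.client.performRequest(request);
            String resultCode = (String) result.get("result_code");
            if (!ASELECT_RESULT_OK.equals(resultCode)) {
                log.info("Received error code \"" + resultCode + "\" from A-Select when verifying credentials (from IP: " + httpServletRequest.getRemoteHost() + ")");
                if (isUserError(resultCode)) {
                    return false;
                }
                throw new ServletException("A-Select communication error");
            }
            if (this.api != ASELECT_API_AGENT) {
                // Only the agent API yields a ticket object; fail explicitly instead of with an NPE.
                throw new ServletException("unsupported A-Select API: " + this.api);
            }
            String ticketId = (String) result.get("ticket");
            String uid = (String) result.get("uid");
            String organization = (String) result.get("organization");
            String authspLevel = (String) result.get("authsp_level");
            String authsp = (String) result.get("authsp");
            String attributes = (String) result.get("attributes");
            Date start;
            Date expiry;
            try {
                // Both values are parsed inside the try: a missing field also raises NumberFormatException.
                start = new Date(Long.parseLong((String) result.get("ticket_start_time")));
                expiry = new Date(Long.parseLong((String) result.get("ticket_exp_time")));
            } catch (NumberFormatException e) {
                log.error("invalid date received from A-Select server", e);
                throw new ServletException("A-Select communication error");
            }
            log.debug("Ticket start date/time:      " + start);
            log.debug("Ticket expiration date/time: " + expiry);
            if (start.after(expiry)) {
                throw new ServletException("A-Select server specified ticket expiration time in the past");
            }
            ASelectAgentTicket ticket = new ASelectAgentTicket(ticketId, this.appId, start, expiry, uid, organization, authspLevel, authsp, attributes, (ASelectAgentClient) this.client);
            ticket.putOnSession(httpServletRequest.getSession());
            return true;
        } catch (IOException e) {
            throw new ServletException(e);
        }
    }

    /**
     * Asks A-Select to start an authentication for the current URL and redirects
     * the browser to the A-Select server URL returned in the response.
     *
     * @throws ServletException on any communication error, a non-success result
     *     code, or missing result parameters
     */
    private void redirectToASelect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException {
        String queryString = httpServletRequest.getQueryString();
        String originalUrl = httpServletRequest.getRequestURL().toString() + (queryString != null ? "?" + queryString : "");
        if (log.isWarnEnabled() && !"GET".equals(httpServletRequest.getMethod())) {
            log.warn("redirect to A-Select for request with other method than GET (" + httpServletRequest.getMethod() + " " + originalUrl + ")");
        }
        String appUrl;
        if (this.api == ASELECT_API_AGENT && this.avoidURLParamsInRedirect) {
            // Park the real URL server-side and hand A-Select a bare marker URL;
            // checkAuthorization() redirects back to the parked URL after verification.
            httpServletRequest.getSession().setAttribute(ASELECT_ORIGINAL_APP_URL, originalUrl);
            appUrl = httpServletRequest.getRequestURL().toString() + "?" + ASELECT_REDIRECT_BACK + "=true";
        } else {
            appUrl = originalUrl;
        }
        try {
            Hashtable<String, String> request = new Hashtable<String, String>();
            request.put("request", "authenticate");
            request.put("app_id", this.appId);
            request.put("app_url", appUrl);
            HttpSession session = httpServletRequest.getSession();
            if (session.getAttribute(ASELECT_FORCE_LOGIN) != null) {
                request.put("forced_logon", "true");
                session.removeAttribute(ASELECT_FORCE_LOGIN);
            }
            Map<?, ?> result = this.client.performRequest(request);
            String resultCode = (String) result.get("result_code");
            String asUrl = (String) result.get("as_url");
            String asServer = (String) result.get("a-select-server");
            String rid = (String) result.get("rid");
            // The result code is checked unconditionally; it must never depend on the log level.
            if (!ASELECT_RESULT_OK.equals(resultCode)) {
                log.error("A-Select returned result code \"" + resultCode + "\" when initiating authentication");
                throw new ServletException("A-Select communication error; result code " + resultCode);
            }
            if (asUrl == null || asServer == null || rid == null) {
                log.error("missing result parameters; response: " + result.get("complete_response"));
                throw new ServletException("A-Select communication error");
            }
            Hashtable<String, String> redirectParams = new Hashtable<String, String>();
            redirectParams.put("a-select-server", asServer);
            redirectParams.put("rid", rid);
            try {
                // as_url is taken from the client's response, not from the browser request.
                httpServletResponse.sendRedirect(ASelectUtils.appendQueryParameters(asUrl, redirectParams, this.client.getCharset()));
            } catch (UnsupportedEncodingException e) {
                throw new ServletException("Internal error", e);
            } catch (IOException e) {
                throw new ServletException(e);
            } catch (IllegalStateException e) {
                throw new ServletException(e);
            }
        } catch (IOException e) {
            log.error("error initiating authentication with A-Select", e);
            throw new ServletException("A-Select communication error");
        }
    }
}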
