package nl.b3p.web.filter;

import java.io.IOException;
import java.io.Serializable;
import java.net.URI;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.ObjectUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.builder.ToStringBuilder;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:WEB-INF/lib/web-commons-5.2.1.jar:nl/b3p/web/filter/HeaderAuthenticationFilter.class */
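/**
 * Servlet filter that turns identity information injected into request headers by a
 * front-end web server (the log messages assume Apache httpd) into a {@link Principal}
 * with roles. The principal is kept in the HTTP session and exposed on later requests through
 * {@link HttpServletRequest#getUserPrincipal()}, {@link HttpServletRequest#getRemoteUser()} and
 * {@link HttpServletRequest#isUserInRole(String)}.
 *
 * <p>Request handling (paths are relative to the context path):
 * <ul>
 *   <li>{@code authInitPath}: remembers where to return to after login and redirects to {@code authPath};</li>
 *   <li>{@code authPath}: reads the user and roles headers, stores the principal in the session and
 *       redirects back to the remembered target (or the context path);</li>
 *   <li>any other path: passes through, wrapping the request with the session principal when present.</li>
 * </ul>
 * Requests that already carry a container-authenticated principal are passed through untouched.
 *
 * <p><b>Security:</b> the identity headers are read only on {@code authPath}, and only their presence is
 * checked; this filter cannot distinguish a header set by the front-end from one sent by the client.
 * The deployment must therefore guarantee that clients cannot reach the container directly, that the
 * front-end strips every incoming header starting with the configured prefix, and that it denies
 * unauthenticated access to {@code authPath}. Post-login redirect targets are restricted to paths inside
 * this web application (see {@link #isLocalPath}) to prevent an open redirect through the login flow.
 *
 * <p>Configuration is read from context parameters named {@code headerAuth<Param>} first, then from
 * filter init parameters {@code <param>}; see the {@code PARAM_*} constants. The filter is disabled
 * unless {@code prefix} is configured.
 */
public class HeaderAuthenticationFilter implements Filter {
    private FilterConfig filterConfig = null;
    private static final String CONTEXT_PARAM_PREFIX = "headerAuth";
    public static final String PARAM_HEADER_PREFIX = "prefix";
    public static final String PARAM_USER_HEADER = "userHeader";
    public static final String PARAM_AUTH_PATH = "authPath";
    public static final String PARAM_AUTH_INIT_PATH = "authInitPath";
    public static final String PARAM_ROLES_HEADER = "rolesHeader";
    public static final String PARAM_ROLES_SEPARATOR = "rolesSeparator";
    public static final String PARAM_USE_ROLES_NSUFFIX = "useRolesNSuffix";
    public static final String PARAM_COMMON_ROLE = "commonRole";
    public static final String PARAM_SAVE_EXTRA_HEADERS = "saveExtraHeaders";
    /** Prefix value meaning "no prefix configured", which disables the filter. */
    private static final String DISABLED_PREFIX = "[disabled]";
    /** Sentinel some front-ends put into a header that has no value; treated as "header absent". */
    private static final String NULL_HEADER_VALUE = "(null)";
    private String headerPrefix;
    private String userHeader;
    private String authPath;
    private String authInitPath;
    private String rolesHeader;
    private String rolesSeparator;
    private boolean useRolesNSuffix;
    private String commonRole;
    private String saveExtraHeaders;
    private boolean enabled;
    private static final Log log = LogFactory.getLog(HeaderAuthenticationFilter.class);
    private static final String ATTR_RETURN_TO = HeaderAuthenticationFilter.class.getName() + ".RETURN_TO";
    private static final String ATTR_PRINCIPAL = HeaderAuthenticationFilter.class.getName() + ".PRINCIPAL";
    private static final String ATTR_EXTRA_HEADERS = HeaderAuthenticationFilter.class.getName() + ".EXTRA_HEADERS";

    /**
     * Principal built from the identity headers. Static and serializable because it lives in the HTTP
     * session, which the container may persist or replicate; the roles are copied into an unmodifiable
     * set so the principal cannot be altered after login.
     */
    private static final class HeaderAuthenticatedPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final Set<String> roles;

        HeaderAuthenticatedPrincipal(String name, Set<String> roles) {
            this.name = name;
            this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
        }

        @Override
        public String getName() {
            return name;
        }

        /** Returns whether {@code role} is one of the roles read at login (false for null). */
        public boolean isUserInRole(String role) {
            return roles.contains(role);
        }

        /** Returns the unmodifiable set of roles read at login. */
        public Set<String> getRoles() {
            return roles;
        }

        @Override
        public String toString() {
            return "HeaderAuthenticatedPrincipal[name=" + name + ", roles=" + roles + "]";
        }
    }

    /**
     * Looks up a configuration value: the context parameter {@code headerAuth<Name>} wins over the
     * filter init parameter {@code name}.
     *
     * @param name the bare parameter name (one of the {@code PARAM_*} constants)
     * @return the configured value, or null when neither source defines it
     */
    private String getInitParameter(String name) {
        String contextName = CONTEXT_PARAM_PREFIX + StringUtils.capitalize(name);
        String value = filterConfig.getServletContext().getInitParameter(contextName);
        if (value != null) {
            log.debug("Using context parameter " + contextName + ": " + value);
            return value;
        }
        value = filterConfig.getInitParameter(name);
        log.debug("Using filter init parameter " + name + ": " + value);
        return value;
    }

    /**
     * Reads the configuration. Defaults: user header {@code <prefix>_uid}, roles header
     * {@code <prefix>_roles}, {@code authPath} "auth/saml", {@code authInitPath} "auth/init".
     * Roles are read from numbered headers ({@code _0}, {@code _1}, ...) unless a separator is
     * configured and {@code useRolesNSuffix} is not explicitly "true".
     */
    @Override
    public void init(FilterConfig filterConfig) {
        this.filterConfig = filterConfig;
        this.headerPrefix = ObjectUtils.firstNonNull(getInitParameter(PARAM_HEADER_PREFIX), DISABLED_PREFIX);
        this.enabled = !DISABLED_PREFIX.equals(this.headerPrefix);
        this.userHeader = this.headerPrefix + ObjectUtils.firstNonNull(getInitParameter(PARAM_USER_HEADER), "_uid");
        this.authPath = ObjectUtils.firstNonNull(getInitParameter(PARAM_AUTH_PATH), "auth/saml");
        // Fix: this used to read PARAM_AUTH_PATH, so a configured authPath silently became the init path
        // as well (making the init request redirect to itself) and a configured authInitPath was ignored.
        this.authInitPath = ObjectUtils.firstNonNull(getInitParameter(PARAM_AUTH_INIT_PATH), "auth/init");
        this.rolesHeader = this.headerPrefix + ObjectUtils.firstNonNull(getInitParameter(PARAM_ROLES_HEADER), "_roles");
        this.rolesSeparator = getInitParameter(PARAM_ROLES_SEPARATOR);
        // Numbered headers are the default; a separator switches to the single-header mode unless overridden.
        this.useRolesNSuffix = this.rolesSeparator == null || "true".equals(getInitParameter(PARAM_USE_ROLES_NSUFFIX));
        this.commonRole = getInitParameter(PARAM_COMMON_ROLE);
        this.saveExtraHeaders = getInitParameter(PARAM_SAVE_EXTRA_HEADERS);
        log.info("Initialized - " + toString());
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /** Reflective dump of the configuration, used in the init log line. */
    @Override
    public String toString() {
        return ToStringBuilder.reflectionToString(this);
    }

    /**
     * Dispatches on the request path as described in the class documentation. Does nothing when the
     * filter is disabled or when the container already authenticated the request (in the latter case a
     * request to {@code authInitPath} only invalidates the existing session).
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (!enabled) {
            chain.doFilter(request, response);
            return;
        }
        String uri = request.getRequestURI();
        String contextPath = request.getContextPath();
        boolean initRequest = uri.equals(contextPath + "/" + authInitPath);

        if (request.getUserPrincipal() != null) {
            if (initRequest) {
                log.warn("Login requested but already authenticated by servlet container!");
                HttpSession session = request.getSession(false);
                if (session != null) {
                    session.invalidate();
                }
            }
            if (log.isTraceEnabled()) {
                log.trace("HeaderAuthenticationFilter: already authenticated as user " + request.getRemoteUser()
                        + " (principal " + request.getUserPrincipal() + "), passing through " + uri);
            }
            chain.doFilter(request, response);
            return;
        }
        if (initRequest) {
            startLogin(request, response);
            return;
        }
        if (uri.equals(contextPath + "/" + authPath)) {
            completeLogin(request, response);
            return;
        }
        chainWithSessionPrincipal(request, response, chain);
    }

    /**
     * Handles {@code authInitPath}: records the post-login target in the session and redirects to
     * {@code authPath}. The target is the {@code returnTo} parameter when it is a path inside this web
     * application, else the {@code Referer} when it points at this host and application, else nothing
     * (login then lands on the context path). Absolute and protocol-relative URLs are rejected so the
     * login flow cannot be used as an open redirect.
     */
    private void startLogin(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String contextPath = request.getContextPath();
        String target = request.getParameter("returnTo");
        String detail;
        if (isLocalPath(target, contextPath)) {
            detail = ", redirecting to returnTo parameter after successful login: " + target;
        } else {
            target = sameApplicationReferer(request);
            detail = target != null
                    ? ", redirecting to this Referer after successful login: " + target
                    : ", no relative returnTo parameter or local Referer header, redirecting to contextPath after successful login";
        }
        HttpSession session = request.getSession(true);
        if (target != null) {
            session.setAttribute(ATTR_RETURN_TO, target);
        } else {
            session.removeAttribute(ATTR_RETURN_TO);
        }
        log.info("Redirecting to authPath " + authPath + detail);
        response.sendRedirect(contextPath + "/" + authPath);
    }

    /**
     * Returns whether {@code target} is a path inside this web application and safe to redirect to:
     * it must start with {@code /} and with the context path, and must not be protocol-relative
     * ({@code //host}), its backslash variant ({@code /\host}, which browsers treat the same way) or
     * contain control characters (header injection). Null and empty targets are rejected.
     *
     * @param target      the candidate redirect target, may be null
     * @param contextPath the request's context path ("" for the root context)
     */
    static boolean isLocalPath(String target, String contextPath) {
        if (target == null || target.isEmpty() || target.charAt(0) != '/') {
            return false;
        }
        if (target.length() > 1 && (target.charAt(1) == '/' || target.charAt(1) == '\\')) {
            return false;
        }
        for (int i = 0; i < target.length(); i++) {
            if (target.charAt(i) < ' ') {
                return false;
            }
        }
        return target.startsWith(contextPath);
    }

    /**
     * Returns the {@code Referer} header when it is an absolute URL on this server whose path lies inside
     * this web application, otherwise null. The host is compared with
     * {@link HttpServletRequest#getServerName()}; behind a proxy that rewrites the Host header the Referer
     * is therefore ignored and login lands on the context path.
     */
    private static String sameApplicationReferer(HttpServletRequest request) {
        String referer = request.getHeader("Referer");
        if (referer == null) {
            return null;
        }
        try {
            URI uri = URI.create(referer);
            String host = uri.getHost();
            if (host == null || !host.equalsIgnoreCase(request.getServerName())) {
                return null;
            }
            return isLocalPath(uri.getPath(), request.getContextPath()) ? referer : null;
        } catch (IllegalArgumentException e) {
            log.debug("Ignoring unparseable Referer header: " + referer);
            return null;
        }
    }

    /**
     * Passes the request down the chain, exposing the principal stored in the session (if any) through
     * {@code getRemoteUser}, {@code getUserPrincipal} and {@code isUserInRole}. No session is created
     * for anonymous requests.
     */
    private static void chainWithSessionPrincipal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpSession session = request.getSession(false);
        final HeaderAuthenticatedPrincipal principal = session == null
                ? null
                : (HeaderAuthenticatedPrincipal) session.getAttribute(ATTR_PRINCIPAL);
        if (principal == null) {
            if (log.isTraceEnabled()) {
                log.trace("Chaining unauthenticated request for URL " + request.getRequestURL());
            }
            chain.doFilter(request, response);
            return;
        }
        if (log.isTraceEnabled()) {
            log.trace("Chaining authenticated request for user " + principal.getName() + " for URL " + request.getRequestURL());
        }
        chain.doFilter(new HttpServletRequestWrapper(request) {
            @Override
            public String getRemoteUser() {
                return principal.getName();
            }

            @Override
            public Principal getUserPrincipal() {
                return principal;
            }

            @Override
            public boolean isUserInRole(String role) {
                return principal.isUserInRole(role);
            }
        }, response);
    }

    /**
     * Handles {@code authPath}: builds the principal from the identity headers, stores it (and the
     * configured extra headers) in the session and redirects to the remembered target or the context
     * path. Responds 403 when the user header is absent, i.e. the front-end let an unauthenticated
     * request through.
     */
    private void completeLogin(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String user = request.getHeader(userHeader);
        if (user == null) {
            log.warn("No user header returned, Apache should have denied access!");
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Not authorized by identity provider");
            return;
        }
        Set<String> roles = readRoles(request);
        log.info("Authenticated user from header [prefix]" + userHeader.substring(headerPrefix.length())
                + ": " + user + ", roles: " + roles);
        HttpSession session = request.getSession(true);
        // NOTE(review): the session id is not rotated at login, so an id fixed on the client before login
        // stays valid afterwards (session fixation); on Servlet 3.1+ request.changeSessionId() closes that gap.
        session.setAttribute(ATTR_PRINCIPAL, new HeaderAuthenticatedPrincipal(user, roles));
        if (saveExtraHeaders != null) {
            Map<String, String> extra = new HashMap<String, String>();
            for (String name : saveExtraHeaders.split(",")) {
                String key = name.trim();
                if (!key.isEmpty()) {
                    extra.put(key, request.getHeader(headerPrefix + key));
                }
            }
            session.setAttribute(ATTR_EXTRA_HEADERS, extra);
            // The values may be personal data; keep them out of the default log level.
            log.info("Extra headers saved from auth request: " + extra.keySet());
            if (log.isDebugEnabled()) {
                log.debug("Extra header values: " + extra);
            }
        }
        // The return target is single-use: it was validated in startLogin and must not outlive this login.
        String returnTo = (String) session.getAttribute(ATTR_RETURN_TO);
        session.removeAttribute(ATTR_RETURN_TO);
        if (returnTo != null) {
            log.info("Redirecting after successful login to: " + returnTo);
            response.sendRedirect(returnTo);
        } else {
            log.info("Redirecting to default page after successful login");
            response.sendRedirect(request.getContextPath());
        }
    }

    /**
     * Collects the roles of the authenticating request: the common role (if configured) plus either the
     * numbered headers {@code <rolesHeader>_0}, {@code _1}, ... up to the first missing or "(null)" one,
     * or the single {@code <rolesHeader>} split on the configured separator.
     */
    private Set<String> readRoles(HttpServletRequest request) {
        Set<String> roles = new HashSet<String>();
        if (commonRole != null) {
            roles.add(commonRole);
        }
        if (useRolesNSuffix) {
            for (int i = 0; ; i++) {
                String role = request.getHeader(rolesHeader + "_" + i);
                if (role == null || NULL_HEADER_VALUE.equals(role)) {
                    break;
                }
                roles.add(role);
            }
        } else {
            // rolesSeparator is non-null here: a null separator forces the numbered mode in init().
            String joined = request.getHeader(rolesHeader);
            if (joined != null) {
                roles.addAll(Arrays.asList(joined.split(Pattern.quote(rolesSeparator))));
            }
        }
        return roles;
    }

    /**
     * Returns the extra header values saved at login for the request's session, keyed by the configured
     * names without the prefix, or null when there is no session or nothing was saved. Does not create
     * a session.
     */
    @SuppressWarnings("unchecked")
    public static Map<String, String> getExtraHeaders(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session == null ? null : (Map<String, String>) session.getAttribute(ATTR_EXTRA_HEADERS);
    }
}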
