package org.securityfilter.authenticator;

import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.FilterConfig;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.apache.batik.constants.XMLConstants;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.securityfilter.config.SecurityConfig;
import org.securityfilter.filter.SecurityRequestWrapper;
import org.securityfilter.filter.URLPatternMatcher;
import org.securityfilter.realm.ExternalAuthenticatedRealm;

/* loaded from: input_file:WEB-INF/lib/securityfilter-b3p-5.0.1.jar:org/securityfilter/authenticator/FormDomainCookieTokenAuthenticator.class */
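/**
 * Form authenticator that additionally issues and accepts an {@code AuthToken} cookie, so a
 * login performed in one web application can be reused by other applications on the same
 * domain (one cookie per configured cookie path).
 *
 * <p>Token format, fields joined with {@link #FIELD_SEPARATOR}:
 * {@code issuedMillis|maxAgeSeconds|username|password|cookiePath|sha1hex(payload|extraHashString)}
 * where {@code payload} is the first five fields. The whole string is AES-encrypted with the
 * configured key and Base64 encoded (line breaks stripped).
 *
 * <p>Security properties of the wire format. The format is deliberately left unchanged so that
 * cookies issued by other deployments sharing the same key keep verifying, but operators should
 * know what it gives them:
 * <ul>
 *   <li>{@code Cipher.getInstance("AES")} resolves to ECB mode with PKCS#5 padding on the SunJCE
 *       provider. ECB leaks equal-block patterns and gives no integrity; the token's integrity
 *       rests entirely on the inner SHA-1 digest.</li>
 *   <li>The digest is {@code SHA-1(payload ; extraHashString)} — a secret-suffix construction, not
 *       an HMAC — so it is only as strong as the secrecy of {@code extraHashString} and of the AES
 *       key that hides it.</li>
 *   <li>The token carries the user's clear-text password, because
 *       {@link ExternalAuthenticatedRealm#getAuthenticatedPrincipal} re-authenticates with it.
 *       Anyone holding the AES key can recover passwords from captured cookies.</li>
 * </ul>
 * The recommended follow-up is an authenticated cipher (e.g. AES/GCM) or an HMAC over a
 * random token identifier instead of the password; that requires rolling the format across every
 * application sharing the key and is out of scope here.
 *
 * <p>What this revision changes without touching the wire format: the embedded issue time and
 * max-age are enforced server-side (previously only the browser's Max-Age bounded the lifetime of
 * a captured cookie), the digest comparison is constant-time, cookie values and decrypted payloads
 * are no longer written to the log, the AES key length is validated at start-up, the
 * {@code Secure} flag is set when the request arrived over TLS, and the cookie scan always
 * terminates (the decompiled loop never advanced past a matching cookie).
 */
public class FormDomainCookieTokenAuthenticator extends FormAuthenticator {
    private static final Log log = LogFactory.getLog(FormDomainCookieTokenAuthenticator.class);
    /** Session attribute holding the {@link Principal} the AuthToken cookies were last issued for. */
    protected static final String AUTH_TOKEN_COOKIE_PRINCIPAL = FormDomainCookieTokenAuthenticator.class.getName() + ".AUTH_TOKEN_COOKIE_PRINCIPAL";
    /** Session attribute set to {@link Boolean#TRUE} once the session was authenticated by an AuthToken cookie. */
    protected static final String AUTHORIZED_BY_AUTH_TOKEN = FormDomainCookieTokenAuthenticator.class.getName() + ".AUTHORIZED_BY_AUTH_TOKEN";
    protected static final String COOKIE_NAME = "AuthToken";
    /** Charset for the hex key, the digest input and the Base64 text. */
    protected static final String CHARSET = "US-ASCII";
    /** JCE transformation; see the class comment about the mode this resolves to. */
    protected static final String encryptionAlgorithm = "AES";
    /**
     * Separator between token fields. The decompiler resolved the original literal to this Batik
     * constant; it is referenced rather than re-typed so the format stays byte-identical.
     */
    private static final String FIELD_SEPARATOR = XMLConstants.XML_CHAR_REF_SUFFIX;
    /** issuedMillis, maxAgeSeconds, username, password, cookiePath, digest. */
    private static final int TOKEN_FIELD_COUNT = 6;
    protected SecretKey secretKey;
    protected String extraHashString;
    protected String[] cookiePaths;
    protected int cookieExpire;
    protected boolean setCookies;
    protected boolean acceptCookie;

    /**
     * Response wrapper that records the first {@code sendRedirect} instead of performing it, so
     * that cookies can still be added to the response before it is committed; the redirect is
     * replayed by {@link #sendDelayedRedirect()}.
     */
    private static final class DelayRedirectHttpServletResponseWrapper extends HttpServletResponseWrapper {
        private String redirectLocation;

        DelayRedirectHttpServletResponseWrapper(HttpServletResponse response) {
            super(response);
            this.redirectLocation = null;
        }

        /** Records the location; only the first redirect requested is kept. */
        @Override
        public void sendRedirect(String location) {
            if (this.redirectLocation == null) {
                this.redirectLocation = location;
            }
        }

        String getRedirectLocation() {
            return this.redirectLocation;
        }

        /** Performs the recorded redirect on the wrapped response, if one was requested. */
        void sendDelayedRedirect() throws IOException {
            String location = getRedirectLocation();
            if (location != null) {
                super.sendRedirect(location);
            }
        }
    }

    /**
     * Reads the cookie settings from {@code securityConfig}.
     *
     * @throws IllegalArgumentException when cookies are to be accepted but the realm cannot
     *         authenticate externally supplied credentials, when no secret key is configured, or
     *         when the decoded key is not a valid AES key size
     */
    @Override // org.securityfilter.authenticator.FormAuthenticator, org.securityfilter.authenticator.Authenticator
    public void init(FilterConfig filterConfig, SecurityConfig securityConfig) throws Exception {
        super.init(filterConfig, securityConfig);
        this.setCookies = securityConfig.isSetCookies();
        this.acceptCookie = securityConfig.isAcceptCookie();
        if (this.acceptCookie && !(securityConfig.getRealm() instanceof ExternalAuthenticatedRealm)) {
            throw new IllegalArgumentException("Security realm must implement ExternalAuthenticatedRealm to accept auth token cookies");
        }
        String secretKeyHex = securityConfig.getSecretKey();
        if (secretKeyHex == null) {
            throw new IllegalArgumentException("No secret key configured for " + getClass().getName());
        }
        // Only the length is logged, never the key material.
        log.info("secrey key hex length: " + secretKeyHex.length());
        setEncryptionKey(new Hex().decode(secretKeyHex.getBytes(CHARSET)));
        this.extraHashString = securityConfig.getExtraHashString();
        if (this.extraHashString == null) {
            // The digest would be computed over the literal string "null", i.e. with no secret at all.
            log.warn("No extraHashString configured; auth token digests are not keyed");
        }
        if (this.setCookies) {
            this.cookiePaths = securityConfig.getCookiePaths().split(FIELD_SEPARATOR);
            for (int i = 0; i < this.cookiePaths.length; i++) {
                this.cookiePaths[i] = this.cookiePaths[i].trim();
            }
            this.cookieExpire = securityConfig.getCookieExpire();
        }
    }

    /**
     * Performs the form login, first trying to satisfy it from an AuthToken cookie when cookies
     * are accepted. When cookies are issued, a successful form login sets them and a lost
     * principal clears them; any redirect issued by the form login is delayed until then.
     *
     * @return whatever {@link FormAuthenticator#processLogin} returns
     */
    @Override // org.securityfilter.authenticator.FormAuthenticator, org.securityfilter.authenticator.Authenticator
    public boolean processLogin(SecurityRequestWrapper request, HttpServletResponse response) throws Exception {
        boolean authenticatedByToken = false;
        if (this.acceptCookie) {
            if (Boolean.TRUE.equals(request.getSession().getAttribute(AUTHORIZED_BY_AUTH_TOKEN))) {
                authenticatedByToken = true;
            } else if (request.getRemoteUser() == null) {
                authenticatedByToken = loginFromAuthTokenCookie(request);
            }
        }
        if (!this.setCookies || authenticatedByToken) {
            return super.processLogin(request, response);
        }
        // Hold back the redirect so the Set-Cookie headers below reach the response before it is committed.
        DelayRedirectHttpServletResponseWrapper delayed = new DelayRedirectHttpServletResponseWrapper(response);
        boolean loginResult = super.processLogin(request, delayed);
        Principal principal = request.getUserPrincipal();
        Object issuedFor = request.getSession().getAttribute(AUTH_TOKEN_COOKIE_PRINCIPAL);
        // Identity comparison on purpose: cookies are (re)issued whenever a different principal object was installed.
        if (principal != null && principal != issuedFor) {
            request.getSession().setAttribute(AUTH_TOKEN_COOKIE_PRINCIPAL, principal);
            setAuthTokenCookies(request, response);
        }
        if (principal == null && issuedFor != null) {
            removeCookies(request, response);
            request.getSession().removeAttribute(AUTH_TOKEN_COOKIE_PRINCIPAL);
        }
        delayed.sendDelayedRedirect();
        return loginResult;
    }

    /**
     * Tries each {@code AuthToken} cookie on the request until one verifies, then installs its
     * principal on the request and marks the session as token-authorized.
     *
     * @return true when the user is now logged in via a token cookie
     */
    private boolean loginFromAuthTokenCookie(SecurityRequestWrapper request) throws Exception {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return false;
        }
        for (int i = 0; i < cookies.length; i++) {
            if (!COOKIE_NAME.equals(cookies[i].getName())) {
                continue;
            }
            Principal principal = getAuthTokenPrincipal(request, cookies[i]);
            if (principal != null) {
                request.setUserPrincipal(principal);
                request.getSession().setAttribute(AUTHORIZED_BY_AUTH_TOKEN, Boolean.TRUE);
                // The cookie value is a bearer credential that decrypts to the password; never log it.
                log.info("user " + request.getRemoteUser() + " logged in by auth token cookie");
                return true;
            }
        }
        return false;
    }

    /**
     * Issues one AuthToken cookie per configured cookie path for the credentials of the form login
     * just processed. Nothing is issued when the form parameters are missing or would corrupt the
     * field layout of the token.
     */
    private void setAuthTokenCookies(HttpServletRequest request, HttpServletResponse response) throws Exception {
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        if (log.isDebugEnabled()) {
            log.debug("set AuthToken cookie(s) for user: " + username);
        }
        if (username == null || password == null) {
            log.warn("not issuing auth token cookies: login form parameters are missing");
            return;
        }
        if (username.indexOf(FIELD_SEPARATOR) >= 0 || password.indexOf(FIELD_SEPARATOR) >= 0) {
            // Such a token could never pass the field-count check on the way back in.
            log.warn("not issuing auth token cookies: credentials contain the token field separator");
            return;
        }
        long issuedAtMillis = System.currentTimeMillis();
        for (int i = 0; i < this.cookiePaths.length; i++) {
            String path = this.cookiePaths[i];
            String payload = issuedAtMillis + FIELD_SEPARATOR + this.cookieExpire + FIELD_SEPARATOR + username + FIELD_SEPARATOR + password + FIELD_SEPARATOR + path;
            String token = payload + FIELD_SEPARATOR + DigestUtils.shaHex((payload + FIELD_SEPARATOR + this.extraHashString).getBytes(CHARSET));
            // commons-codec may chunk long Base64 output with CRLF; a cookie value has to be a single line.
            String cookieValue = encryptText(token, getCipherParameters(), this.secretKey, CHARSET).replaceAll("[\r\n]", "");
            if (log.isDebugEnabled()) {
                log.debug("setting auth token cookie for path " + path + " (encrypted len=" + cookieValue.length() + ")");
            }
            Cookie cookie = new Cookie(COOKIE_NAME, cookieValue);
            cookie.setPath(path);
            cookie.setMaxAge(this.cookieExpire);
            // Keep the token off clear-text connections when the login itself arrived over TLS.
            cookie.setSecure(request.isSecure());
            // NOTE(review): also call cookie.setHttpOnly(true) once the Servlet 3.0 API is available.
            response.addCookie(cookie);
        }
    }

    /**
     * Verifies an AuthToken cookie and resolves it to a principal.
     *
     * <p>Order of checks: decrypt, field count, numeric fields, digest (constant-time), cookie
     * path against this request's context path, then expiry from the embedded issue time and
     * max-age. A negative max-age mirrors the servlet "session cookie" meaning and gets no
     * server-side bound.
     *
     * @return the authenticated principal, or null when the cookie is rejected for any reason
     */
    private Principal getAuthTokenPrincipal(SecurityRequestWrapper request, Cookie cookie) throws Exception {
        String plaintext;
        try {
            plaintext = decryptText(cookie.getValue(), getCipherParameters(), this.secretKey, CHARSET);
        } catch (Exception e) {
            // Bad Base64, wrong key or bad padding; the cookie value itself stays out of the log.
            log.info("Not accepting auth token cookie because of exception during decryption: " + e.getClass() + ": " + e.getMessage());
            log.debug("Exception decrypting auth token cookie", e);
            return null;
        }
        String[] fields = plaintext.split(FIELD_SEPARATOR);
        if (fields.length != TOKEN_FIELD_COUNT) {
            log.warn("invalid auth token cookie (invalid field count: " + fields.length + ")");
            return null;
        }
        long issuedAtMillis;
        int maxAgeSeconds;
        try {
            issuedAtMillis = Long.parseLong(fields[0]);
            maxAgeSeconds = Integer.parseInt(fields[1]);
        } catch (NumberFormatException e) {
            log.warn("invalid auth token cookie, wrong number format");
            return null;
        }
        String username = fields[2];
        String password = fields[3];
        String tokenPath = fields[4];
        String presentedDigest = fields[5];

        // Authenticity first: nothing below is trusted until the digest matches. The digest input
        // re-serialises the parsed numbers, exactly as the issuer built it.
        String digestInput = issuedAtMillis + FIELD_SEPARATOR + maxAgeSeconds + FIELD_SEPARATOR + username + FIELD_SEPARATOR + password + FIELD_SEPARATOR + tokenPath + FIELD_SEPARATOR + this.extraHashString;
        String expectedDigest = DigestUtils.shaHex(digestInput.getBytes(CHARSET));
        if (!MessageDigest.isEqual(expectedDigest.getBytes(CHARSET), presentedDigest.getBytes(CHARSET))) {
            // Do not log the digest input: it contains the password.
            log.warn("auth token cookie hash mismatch for user " + username);
            return null;
        }
        if (!request.getContextPath().equals(tokenPath)) {
            log.warn("auth token cookie path invalid: " + tokenPath);
            return null;
        }
        if (maxAgeSeconds >= 0 && System.currentTimeMillis() > issuedAtMillis + maxAgeSeconds * 1000L) {
            log.info("auth token cookie expired for user " + username);
            return null;
        }
        log.info("accepting auth token cookie for user " + username);
        try {
            return ((ExternalAuthenticatedRealm) this.realm).getAuthenticatedPrincipal(username, password);
        } catch (Exception e) {
            log.info("Not accepting auth token cookie because of exception in realm: " + e.getClass() + ": " + e.getMessage());
            log.debug("Exception resolving auth token principal", e);
            return null;
        }
    }

    /** The JCE transformation used for the token; currently just {@link #encryptionAlgorithm}. */
    private String getCipherParameters() {
        return encryptionAlgorithm;
    }

    /**
     * Encrypts {@code text} with {@code transformation} and {@code key}, returning Base64 text
     * decoded with {@code base64Charset}.
     *
     * <p>The plaintext is converted with the platform default charset (inherited behaviour; the
     * peer applications sharing the key rely on it). Use ASCII-only credentials to be safe.
     */
    private String encryptText(String text, String transformation, SecretKey key, String base64Charset) throws Exception {
        Cipher cipher = Cipher.getInstance(transformation);
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] encrypted = cipher.doFinal(text.getBytes());
        return new String(new Base64().encode(encrypted), base64Charset);
    }

    /**
     * Inverse of {@link #encryptText}: Base64-decodes {@code base64Text} (read as
     * {@code base64Charset}) and decrypts it, building the plaintext with the platform default
     * charset.
     *
     * @throws Exception on malformed input, a wrong key or bad padding
     */
    private static String decryptText(String base64Text, String transformation, SecretKey key, String base64Charset) throws Exception {
        byte[] encrypted = new Base64().decode(base64Text.getBytes(base64Charset));
        Cipher cipher = Cipher.getInstance(transformation);
        cipher.init(Cipher.DECRYPT_MODE, key);
        return new String(cipher.doFinal(encrypted));
    }

    /** Expires the AuthToken cookie on every configured cookie path. */
    private void removeCookies(HttpServletRequest request, HttpServletResponse response) {
        if (log.isDebugEnabled()) {
            log.debug("removing AuthToken cookies in request: " + request.getRequestURI());
        }
        if (this.cookiePaths == null) {
            // Cookies were never issued by this instance (setCookies is off).
            return;
        }
        for (int i = 0; i < this.cookiePaths.length; i++) {
            response.addCookie(expiredCookie(this.cookiePaths[i], request.isSecure()));
        }
    }

    /** Builds a Max-Age 0 cookie that makes the browser drop the AuthToken cookie for {@code path}. */
    private static Cookie expiredCookie(String path, boolean secure) {
        Cookie cookie = new Cookie(COOKIE_NAME, "none");
        cookie.setPath(path);
        cookie.setMaxAge(0);
        cookie.setSecure(secure);
        return cookie;
    }

    /**
     * Performs the form logout and, when it succeeds, clears the AuthToken cookies this instance
     * issued and the cookie at this context path when the session was token-authenticated.
     */
    @Override // org.securityfilter.authenticator.FormAuthenticator, org.securityfilter.authenticator.Authenticator
    public boolean processLogout(SecurityRequestWrapper request, HttpServletResponse response, URLPatternMatcher urlPatternMatcher) throws Exception {
        boolean loggedOut = super.processLogout(request, response, urlPatternMatcher);
        if (!loggedOut) {
            return false;
        }
        if (request.getSession().getAttribute(AUTH_TOKEN_COOKIE_PRINCIPAL) != null) {
            removeCookies(request, response);
            request.getSession().removeAttribute(AUTH_TOKEN_COOKIE_PRINCIPAL);
        }
        if (Boolean.TRUE.equals(request.getSession().getAttribute(AUTHORIZED_BY_AUTH_TOKEN))) {
            log.debug("processLogout(): principal was authorized by auth token cookie, removing cookie");
            response.addCookie(expiredCookie(request.getContextPath(), request.isSecure()));
        }
        return true;
    }

    /**
     * Installs the raw AES key.
     *
     * @throws IllegalArgumentException when the key is not 16, 24 or 32 bytes; failing here is
     *         preferable to every login failing later inside {@code Cipher.init}
     */
    private void setEncryptionKey(byte[] keyBytes) throws Exception {
        int length = keyBytes == null ? 0 : keyBytes.length;
        if (length != 16 && length != 24 && length != 32) {
            throw new IllegalArgumentException("AES secret key must be 16, 24 or 32 bytes, got " + length);
        }
        this.secretKey = new SecretKeySpec(keyBytes, encryptionAlgorithm);
    }
}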
