package org.apache.cxf.fediz.tomcat7;

import java.io.File;
import java.io.IOException;
import java.security.Principal;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.JAXBException;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.authenticator.SavedRequest;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.cxf.fediz.core.FedizPrincipal;
import org.apache.cxf.fediz.core.config.FedizConfigurator;
import org.apache.cxf.fediz.core.config.FedizContext;
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.metadata.MetadataDocumentHandler;
import org.apache.cxf.fediz.core.processor.FedizProcessorFactory;
import org.apache.cxf.fediz.core.processor.FedizResponse;
import org.apache.cxf.fediz.core.processor.RedirectionResponse;
import org.apache.cxf.fediz.tomcat7.handler.TomcatLogoutHandler;
import org.apache.cxf.fediz.tomcat7.handler.TomcatSigninHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apache/cxf/fediz/tomcat7/FederationAuthenticator.class */
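/**
 * Tomcat 7 {@link FormAuthenticator} that delegates authentication to a
 * WS-Federation / SAML identity provider through the Fediz core processor.
 *
 * <p>Responsibilities visible in this class:
 * <ul>
 *   <li>{@link #invoke} serves the federation metadata document and sign-out
 *       requests itself and passes everything else to the container's
 *       authenticator chain.</li>
 *   <li>{@link #authenticate} processes a sign-in response from the IdP,
 *       restores a request that was interrupted by the redirect to the IdP,
 *       accepts an already authenticated principal (optionally checking token
 *       expiry), or redirects the client to the IdP.</li>
 * </ul>
 *
 * <p>The interrupted request is parked in the Tomcat {@link Session} under two
 * notes: {@code SAVED_REQUEST_<decoded-uri>} holds the {@link SavedRequest} and
 * {@code SAVED_URI_<state>} maps the opaque request state (which the IdP hands
 * back as the {@code wctx} parameter) to the URI (plus query string) to resume.
 * Both notes are scoped to the session, so a {@code wctx} value forged by the
 * client can only address that client's own session.
 */
public class FederationAuthenticator extends FormAuthenticator {
    public static final String SESSION_SAVED_REQUEST_PREFIX = "SAVED_REQUEST_";
    public static final String SESSION_SAVED_URI_PREFIX = "SAVED_URI_";
    public static final String FEDERATION_NOTE = "org.apache.cxf.fediz.tomcat.FEDERATION";
    public static final String REQUEST_STATE = "org.apache.cxf.fediz.REQUEST_STATE";
    public static final String SECURITY_TOKEN = "org.apache.fediz.SECURITY_TOKEN";
    protected static final String INFO = "org.apache.cxf.fediz.tomcat.WsFedAuthenticator/1.0";
    protected static final String TRUSTED_ISSUER = "org.apache.cxf.fediz.tomcat.TRUSTED_ISSUER";
    // Logger is bound to this class (the original bound it to FormAuthenticator, which
    // misattributes every log line to the superclass and hides them behind its log level).
    private static final Logger LOG = LoggerFactory.getLogger(FederationAuthenticator.class);
    // Tomcat session note names owned by FormAuthenticator (Constants.FORM_* in Tomcat).
    private static final String FORM_PRINCIPAL_NOTE = "org.apache.catalina.authenticator.PRINCIPAL";
    private static final String FORM_REQUEST_NOTE = "org.apache.catalina.authenticator.REQUEST";
    private static final String WSFED_METHOD = "WSFED";
    private static final String WCTX_PARAM = "wctx";
    /** Fediz configuration file; absolute, or relative to {@code catalina.base}. */
    protected String configFile;
    /** Character encoding applied to every request before parameters are read. */
    protected String encoding = "UTF-8";
    private FedizConfigurator configurator;

    public FederationAuthenticator() {
        LOG.debug("WsFedAuthenticator()");
    }

    public String getInfo() {
        return INFO;
    }

    public String getConfigFile() {
        return this.configFile;
    }

    public void setConfigFile(String str) {
        this.configFile = str;
    }

    public String getEncoding() {
        return this.encoding;
    }

    public void setEncoding(String str) {
        this.encoding = str;
    }

    /**
     * Loads the Fediz configuration and then starts the underlying authenticator.
     *
     * <p>The configured file name is tried as given first; if that file does not
     * exist and {@code catalina.base} is set, the name is resolved relative to
     * that directory.
     *
     * @throws LifecycleException if no configuration file is configured, or it
     *         cannot be read or parsed
     */
    @Override
    protected synchronized void startInternal() throws LifecycleException {
        String configured = getConfigFile();
        if (configured == null || configured.trim().isEmpty()) {
            // Fail fast with a clear message instead of a NullPointerException from new File(null).
            throw new LifecycleException("Failed to load Fediz configuration",
                    new IllegalStateException("No Fediz configuration file configured"));
        }
        File file = new File(configured);
        if (!file.exists()) {
            String catalinaBase = System.getProperty("catalina.base");
            if (catalinaBase != null && catalinaBase.length() > 0) {
                file = new File(catalinaBase.concat(File.separator + configured));
            }
        }
        try {
            FedizConfigurator loaded = new FedizConfigurator();
            loaded.loadConfig(file);
            // Only publish a fully loaded configurator; a failed load leaves the field untouched.
            this.configurator = loaded;
            LOG.debug("Fediz configuration read from {}", file.getAbsolutePath());
            super.startInternal();
        } catch (JAXBException | IOException e) {
            throw new LifecycleException("Failed to load Fediz configuration", e);
        }
    }

    /**
     * Closes every loaded {@link FedizContext} (best effort, logging failures
     * instead of aborting) and then stops the underlying authenticator.
     */
    @Override
    protected synchronized void stopInternal() throws LifecycleException {
        if (this.configurator != null) {
            List<FedizContext> contexts = this.configurator.getFedizContextList();
            if (contexts != null) {
                for (FedizContext context : contexts) {
                    try {
                        context.close();
                    } catch (IOException e) {
                        // Keep closing the remaining contexts, but do not hide the failure.
                        LOG.warn("Failed to close Fediz context: {}", e.getMessage(), e);
                    }
                }
            }
        }
        super.stopInternal();
    }

    /**
     * Looks up the Fediz configuration for a web application context path.
     *
     * @param str the context path ({@code "/"} for the root context)
     * @return the matching context, with its relative path set to
     *         {@code catalina.base} when that property is available
     * @throws IllegalStateException if no configuration was loaded or none
     *         exists for the given path
     */
    protected synchronized FedizContext getContextConfiguration(String str) {
        if (this.configurator == null) {
            throw new IllegalStateException("No Fediz configuration available");
        }
        FedizContext fedizContext = this.configurator.getFedizContext(str);
        if (fedizContext == null) {
            throw new IllegalStateException("No Fediz configuration for context :" + str);
        }
        String catalinaBase = System.getProperty("catalina.base");
        if (catalinaBase != null && catalinaBase.length() > 0) {
            fedizContext.setRelativePath(catalinaBase);
        }
        return fedizContext;
    }

    /**
     * Valve entry point. Serves the federation metadata document and sign-out
     * requests directly; every other request goes through the container's
     * authenticator ({@code super.invoke}), which eventually calls
     * {@link #authenticate}.
     */
    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        LOG.debug("WsFedAuthenticator:invoke()");
        // Set before anything reads parameters so the configured encoding is honoured.
        request.setCharacterEncoding(this.encoding);
        String contextPath = contextPathOf(request);
        FedizContext fedizContext = getContextConfiguration(contextPath);

        MetadataDocumentHandler metadataHandler = new MetadataDocumentHandler(fedizContext);
        if (metadataHandler.canHandleRequest(request)) {
            metadataHandler.handleRequest(request, response);
            return;
        }

        TomcatLogoutHandler logoutHandler = new TomcatLogoutHandler(fedizContext, contextPath, request);
        if (logoutHandler.canHandleRequest(request)) {
            // NOTE(review): getSession() creates a session if none exists; kept as-is because the
            // logout handler may rely on one being present — confirm against TomcatLogoutHandler.
            logoutHandler.setToken((Element) request.getSession().getAttribute(SECURITY_TOKEN));
            logoutHandler.handleRequest(request, response);
        } else {
            super.invoke(request, response);
        }
    }

    /**
     * Authenticates the request, in this order:
     * <ol>
     *   <li>A sign-in response from the IdP is validated by the
     *       {@link TomcatSigninHandler}; on success the client is redirected
     *       to the originally requested URI (the current request itself is not
     *       allowed through, hence {@code false}). On failure a 401 is sent.</li>
     *   <li>A request matching a previously saved one is restored.</li>
     *   <li>An already authenticated principal is accepted (subject to token
     *       expiry checking, see {@link #checkUserAuthentication}).</li>
     *   <li>Otherwise the client is redirected to the IdP.</li>
     * </ol>
     *
     * @return {@code true} only when the request may proceed to the protected resource
     */
    @Override
    public boolean authenticate(Request request, HttpServletResponse httpServletResponse, LoginConfig loginConfig)
            throws IOException {
        LOG.debug("authenticate invoked");
        String contextPath = contextPathOf(request);
        LOG.debug("reading configuration for context path: {}", contextPath);
        FedizContext fedizContext = getContextConfiguration(contextPath);

        TomcatSigninHandler signinHandler = new TomcatSigninHandler(fedizContext);
        signinHandler.setLandingPage(this.landingPage);
        if (signinHandler.canHandleRequest(request)) {
            FedizPrincipal principal = (FedizPrincipal) signinHandler.handleRequest(request, httpServletResponse);
            if (principal == null) {
                httpServletResponse.sendError(401);
                return false;
            }
            LOG.debug("Authentication of '{}' was successful", principal);
            resumeRequest(request, httpServletResponse);
            return false;
        }

        if (matchRequest(request)) {
            return restoreRequest(request, httpServletResponse);
        }
        if (checkUserAuthentication(request, httpServletResponse, fedizContext)) {
            return true;
        }
        LOG.info("No valid principal found in existing session. Redirecting to IDP");
        redirectToIdp(request, httpServletResponse, fedizContext);
        return false;
    }

    /**
     * After a successful sign-in, redirects the client back to the URI that was
     * saved under the request state returned by the IdP as {@code wctx}.
     *
     * <p>{@code wctx} is client-supplied but is only used as a key into this
     * session's notes; an unknown or forged value simply finds nothing and is
     * treated like an expired session (408, or the landing page if configured).
     * The note is removed on first use so a state value cannot be replayed.
     */
    protected void resumeRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse)
            throws IOException {
        String state = httpServletRequest.getParameter(WCTX_PARAM);
        if (state == null) {
            LOG.warn("The 'wctx' parameter has not been provided back with signin request.");
            httpServletResponse.sendError(401);
            return;
        }
        Session session = ((Request) httpServletRequest).getSessionInternal();
        String noteName = SESSION_SAVED_URI_PREFIX + state;
        String savedUri = (String) session.getNote(noteName);
        session.removeNote(noteName);
        try {
            if (savedUri != null) {
                LOG.debug("Restore request to {}", savedUri);
                httpServletResponse.sendRedirect(httpServletResponse.encodeRedirectURL(savedUri));
            } else {
                LOG.debug("User took so long to log on the session expired");
                if (this.landingPage == null) {
                    httpServletResponse.sendError(408, sm.getString("authenticator.sessionExpired"));
                } else {
                    String landing = httpServletRequest.getContextPath() + this.landingPage;
                    httpServletResponse.sendRedirect(httpServletResponse.encodeRedirectURL(landing));
                }
            }
        } catch (IOException e) {
            // Pass the exception itself so the stack trace is logged (the original passed only
            // the message as an unused argument, losing the cause).
            LOG.error("Cannot resume with request.", e);
        }
    }

    /**
     * Registers the principal saved in the session by the sign-in handler and
     * replays the saved request (method, headers, body) into the current one.
     *
     * @return {@code true} if the restored request may proceed; {@code false}
     *         after a 401 (no saved principal) or 400 (restore failed)
     */
    protected boolean restoreRequest(Request request, HttpServletResponse httpServletResponse) throws IOException {
        Session session = request.getSessionInternal();
        LOG.debug("Restore request from session '{}'", session.getIdInternal());
        Principal principal = (Principal) session.getNote(FORM_PRINCIPAL_NOTE);
        if (principal == null) {
            // Fail closed: never register a null principal and let the request through.
            LOG.warn("No saved principal found in session; refusing to restore request");
            httpServletResponse.sendError(401);
            return false;
        }
        register(request, httpServletResponse, principal, WSFED_METHOD, null, null);
        // NOTE(review): this removes the note from the request, not the session, so the
        // session's PRINCIPAL note survives. Kept as-is since several saved requests (one
        // per URI) may still need it — confirm intended behaviour against upstream.
        request.removeNote(FORM_PRINCIPAL_NOTE);
        if (restoreRequest(request)) {
            LOG.debug("Proceed to restored request");
            return true;
        }
        LOG.warn("Restore of original request failed");
        httpServletResponse.sendError(400);
        return false;
    }

    /**
     * Builds the sign-in request for the configured protocol, saves the current
     * request under its state value and redirects the client to the IdP.
     *
     * <p>If the request cannot be saved (body too large) a 403 is sent and the
     * method returns; the redirect must not be issued on top of the error.
     */
    protected void redirectToIdp(Request request, HttpServletResponse httpServletResponse, FedizContext fedizContext)
            throws IOException {
        try {
            RedirectionResponse signInRequest = FedizProcessorFactory
                    .newFedizProcessor(fedizContext.getProtocol())
                    .createSignInRequest(request, fedizContext);
            String redirectionUrl = signInRequest.getRedirectionURL();
            if (redirectionUrl == null) {
                LOG.warn("Failed to create SignInRequest.");
                httpServletResponse.sendError(500, "Failed to create SignInRequest.");
                return;
            }
            Map<String, String> headers = signInRequest.getHeaders();
            if (!headers.isEmpty()) {
                for (Map.Entry<String, String> header : headers.entrySet()) {
                    httpServletResponse.addHeader(header.getKey(), header.getValue());
                }
            }
            try {
                saveRequest(request, signInRequest.getRequestState().getState());
            } catch (IOException e) {
                LOG.debug("Request body too big to save during authentication");
                httpServletResponse.sendError(403, sm.getString("authenticator.requestBodyTooBig"));
                // The original fell through to sendRedirect here, overriding the 403.
                return;
            }
            httpServletResponse.sendRedirect(redirectionUrl);
        } catch (ProcessingException e) {
            LOG.warn("Failed to create SignInRequest: {}", e.getMessage(), e);
            httpServletResponse.sendError(500, "Failed to create SignInRequest.");
        }
    }

    /**
     * Reports whether a request saved for this exact decoded URI exists in the
     * session and matches the current request according to
     * {@code FormAuthenticator.matchRequest}. The saved request is exposed to
     * the superclass through its own {@code REQUEST} note for the duration of
     * the check.
     */
    @Override
    protected boolean matchRequest(Request request) {
        Session session = request.getSessionInternal(false);
        String decodedUri = request.getDecodedRequestURI();
        if (session == null || decodedUri == null) {
            return false;
        }
        SavedRequest saved = (SavedRequest) session.getNote(SESSION_SAVED_REQUEST_PREFIX + decodedUri);
        if (saved == null) {
            return false;
        }
        synchronized (session) {
            session.setNote(FORM_REQUEST_NOTE, saved);
            return super.matchRequest(request);
        }
    }

    /**
     * Saves the current request in the session (via the superclass) and files it
     * under two notes: by decoded URI (for {@link #matchRequest}) and by the
     * given state value (for {@link #resumeRequest}).
     *
     * @param request the request to save
     * @param str     the opaque request state that the IdP will return as {@code wctx}
     * @throws IOException if the request body is too large to buffer
     */
    protected void saveRequest(Request request, String str) throws IOException {
        String decodedUri = request.getDecodedRequestURI();
        Session session = request.getSessionInternal(true);
        if (session != null) {
            LOG.debug("Save request in session '{}'", session.getIdInternal());
        }
        if (session == null || decodedUri == null) {
            return;
        }
        SavedRequest saved;
        synchronized (session) {
            super.saveRequest(request, session);
            saved = (SavedRequest) session.getNote(FORM_REQUEST_NOTE);
        }
        if (saved == null) {
            // Nothing was saved by the superclass; leave no dangling notes behind.
            return;
        }
        session.setNote(SESSION_SAVED_REQUEST_PREFIX + decodedUri, saved);
        StringBuilder resumeUri = new StringBuilder(saved.getRequestURI());
        if (saved.getQueryString() != null) {
            resumeUri.append('?').append(saved.getQueryString());
        }
        session.setNote(SESSION_SAVED_URI_PREFIX + str, resumeUri.toString());
    }

    /**
     * Replays the request saved for the current decoded URI into this request
     * and removes it from the session (single use).
     *
     * @return whether the superclass could restore the saved request
     */
    protected boolean restoreRequest(Request request) throws IOException {
        Session session = request.getSessionInternal(false);
        String decodedUri = request.getDecodedRequestURI();
        if (session == null || decodedUri == null) {
            return false;
        }
        String noteName = SESSION_SAVED_REQUEST_PREFIX + decodedUri;
        SavedRequest saved = (SavedRequest) session.getNote(noteName);
        if (saved == null) {
            return false;
        }
        session.removeNote(noteName);
        synchronized (session) {
            session.setNote(FORM_REQUEST_NOTE, saved);
            return super.restoreRequest(request, session);
        }
    }

    /**
     * Accepts a request that already carries a user principal. When the context
     * is configured to detect expired tokens, the token stored in the session is
     * checked first.
     *
     * @return {@code true} if the existing authentication is still acceptable
     */
    protected boolean checkUserAuthentication(Request request, HttpServletResponse httpServletResponse,
            FedizContext fedizContext) {
        Principal userPrincipal = request.getUserPrincipal();
        if (userPrincipal == null) {
            return false;
        }
        LOG.debug("Already authenticated '{}'", userPrincipal.getName());
        if (!fedizContext.isDetectExpiredTokens()) {
            LOG.debug("Token expiration not validated.");
            return true;
        }
        return validateToken(request, httpServletResponse, fedizContext);
    }

    /**
     * Checks the expiry of the federation token stored in the session.
     *
     * <p>A token without an expiry is accepted. An expired token is removed
     * together with the session principal and the raw security token, and the
     * method returns {@code false} so the caller re-authenticates. A session that
     * carries a principal but no federation note is treated as invalid (fail
     * closed) rather than raising a NullPointerException.
     */
    protected boolean validateToken(Request request, HttpServletResponse httpServletResponse,
            FedizContext fedizContext) {
        Session session = request.getSessionInternal();
        if (session == null) {
            LOG.debug("Session should not be null after authentication");
            return false;
        }
        FedizResponse federationResponse = (FedizResponse) session.getNote(FEDERATION_NOTE);
        if (federationResponse == null) {
            LOG.warn("Session has a principal but no federation note; token cannot be validated");
            return false;
        }
        Date tokenExpires = federationResponse.getTokenExpires();
        if (tokenExpires == null) {
            LOG.debug("Token doesn't expire");
            return true;
        }
        if (!new Date().after(tokenExpires)) {
            return true;
        }
        LOG.warn("Token already expired. Clean up and redirect");
        session.removeNote(FEDERATION_NOTE);
        session.setPrincipal((Principal) null);
        request.getSession().removeAttribute(SECURITY_TOKEN);
        return false;
    }

    protected String getAuthMethod() {
        return WSFED_METHOD;
    }

    /** Context path of the request's web application, {@code "/"} for the root context. */
    private static String contextPathOf(Request request) {
        String contextPath = request.getServletContext().getContextPath();
        if (contextPath == null || contextPath.isEmpty()) {
            return "/";
        }
        return contextPath;
    }
}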
