package edu.yale.its.tp.cas.client.filter;

import com.fr.store.StateHubManager;
import com.fr.store.StateHubService;
import com.fr.third.springframework.web.util.WebUtils;
import edu.yale.its.tp.cas.client.ProxyTicketValidator;
import edu.yale.its.tp.cas.client.ServiceTicketValidator;
import edu.yale.its.tp.cas.client.Util;
import java.io.IOException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

/* loaded from: input_file:edu/yale/its/tp/cas/client/filter/CASFilter.class */
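/**
 * Servlet filter that protects HTTP resources with CAS single sign-on.
 *
 * <p>Per request the filter, in order: lets excluded URLs through untouched; accepts a
 * request whose {@link #CAS_TICKET} cookie maps to a user in the shared ticket store;
 * otherwise validates the {@code ticket} request parameter against the CAS server and, on
 * success, records {@code ticket -> user} in the store and hands the ticket back to the
 * browser as a cookie. Requests with neither are redirected to the CAS login URL.
 *
 * <p>NOTE(review): the cookie value is the CAS service ticket itself, i.e. the same string
 * that arrived in the query string. Anything that records the URL (access logs, browser
 * history, Referer headers) therefore also records a value that is accepted as a session
 * cookie until the store entry expires. The store key is kept as the ticket here because
 * {@link #deleteTicket} and the {@link #CAS_TICKET} request attribute expose it to other
 * code; moving to an independently generated random session id needs those callers
 * reviewed first.
 *
 * <p>NOTE(review): after a successful validation the request continues down the chain with
 * {@code ticket} still in the URL; there is no redirect to a ticket-free URL.
 */
public class CASFilter implements Filter {
    /** Request attribute under which the authenticated user name is published. */
    public static final String CAS_FILTER_USER = "edu.yale.its.tp.cas.client.filter.user";
    /** Shared store mapping a ticket to the user it was validated for. */
    private static final StateHubService CAS_LOGIN_SERVICE = StateHubManager.applyForService("cas_ticket_user");
    /** Name of both the session cookie and the request attribute that carry the ticket. */
    public static final String CAS_TICKET = "cas_login_ticket";
    private String casLogin;
    private String casValidate;
    private String casAuthorizedProxy;
    private String casServiceUrl;
    private String casRenew;
    private String casServerName;
    // Read from configuration but not consulted anywhere in this class.
    private boolean wrapRequest;
    // Exclusion patterns, each already prefixed with the web application's context path.
    private final List<String> casExcludeUrl = new ArrayList<String>();

    /**
     * Reads the filter's init parameters.
     *
     * <p>The {@code casExcludeUrl} parameter is an optional comma-separated list of paths
     * (relative to the context path). A missing parameter means "exclude nothing"; blank
     * entries are skipped.
     *
     * @param filterConfig container-supplied configuration
     * @throws ServletException declared by the {@link Filter} contract; not thrown here
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.casLogin = filterConfig.getInitParameter("edu.yale.its.tp.cas.client.filter.loginUrl");
        this.casValidate = filterConfig.getInitParameter("edu.yale.its.tp.cas.client.filter.validateUrl");
        this.casServiceUrl = filterConfig.getInitParameter("edu.yale.its.tp.cas.client.filter.serviceUrl");
        this.casAuthorizedProxy = filterConfig.getInitParameter("edu.yale.its.tp.cas.client.filter.authorizedProxy");
        this.casRenew = filterConfig.getInitParameter("edu.yale.its.tp.cas.client.filter.renew");
        this.casServerName = filterConfig.getInitParameter("edu.yale.its.tp.cas.client.filter.serverName");
        this.wrapRequest = Boolean.parseBoolean(filterConfig.getInitParameter("edu.yale.its.tp.cas.client.filter.wrapRequest"));

        // The parameter is optional: without this guard a deployment that configures no
        // exclusions fails in init() with a NullPointerException.
        String excludes = filterConfig.getInitParameter("edu.yale.its.tp.cas.client.filter.casExcludeUrl");
        if (excludes == null) {
            return;
        }
        String contextPath = filterConfig.getServletContext().getContextPath();
        for (String entry : excludes.split(",")) {
            String path = entry.trim();
            if (path.length() == 0) {
                continue;
            }
            this.casExcludeUrl.add(contextPath + path);
        }
    }

    /**
     * Authenticates the request via cookie or CAS ticket, or redirects to the CAS login.
     *
     * <p>On success the user name and ticket are published as the request attributes
     * {@link #CAS_FILTER_USER} and {@link #CAS_TICKET}. Excluded requests are marked with
     * the {@code casIgnoreRequest} attribute and passed on unauthenticated.
     *
     * @throws ServletException for non-HTTP requests, missing configuration, or a
     *         validation error
     * @throws IOException if the redirect or the downstream chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            throw new ServletException("CASFilter protects only HTTP resources");
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        if (excludeUrl(request)) {
            request.setAttribute("casIgnoreRequest", true);
            filterChain.doFilter(request, response);
            return;
        }

        // An existing cookie-backed session wins over any ticket parameter on the URL.
        Map<String, String> currentUser = getCurrentUser(request, response);
        String sessionUser = currentUser.get("user");
        if (sessionUser != null) {
            request.setAttribute(CAS_FILTER_USER, sessionUser);
            request.setAttribute(CAS_TICKET, currentUser.get("ticket"));
            filterChain.doFilter(request, response);
            return;
        }

        String ticket = request.getParameter("ticket");
        if (ticket == null || ticket.equals("")) {
            if (this.casLogin == null) {
                throw new ServletException("When CASFilter protects pages that do not receive a 'ticket' parameter, it needs a edu.yale.its.tp.cas.client.filter.loginUrl filter parameter");
            }
            response.sendRedirect(loginRedirect(getService(request)));
            return;
        }

        String authenticatedUser = getAuthenticatedUser(request);
        if ("".equals(authenticatedUser)) {
            // The CAS server rejected the ticket: drop any store entry keyed by it and
            // send the browser back to the login page with a ticket-free service URL.
            try {
                CAS_LOGIN_SERVICE.delete(ticket);
            } catch (Exception e) {
                logStoreFailure(request, "delete", e);
            }
            // Without this check a missing loginUrl produced a redirect to the literal
            // string "null?service=...".
            if (this.casLogin == null) {
                throw new ServletException("CAS ticket validation failed and no edu.yale.its.tp.cas.client.filter.loginUrl filter parameter is configured");
            }
            response.sendRedirect(loginRedirect(getServiceWithoutTicket(request)));
            return;
        }
        if (authenticatedUser == null) {
            throw new ServletException("Unexpected CAS authentication error");
        }

        try {
            // Third argument is presumably a lifetime in milliseconds (one hour);
            // confirm against StateHubService.
            CAS_LOGIN_SERVICE.put(ticket, authenticatedUser, 3600000);
        } catch (Exception e) {
            // Best effort: the current request is still served, but the next one will
            // find no store entry for the cookie and be sent back to CAS.
            logStoreFailure(request, "put", e);
        }
        addTicketToCookie(request, response, ticket, false);
        request.setAttribute(CAS_FILTER_USER, authenticatedUser);
        request.setAttribute(CAS_TICKET, ticket);
        filterChain.doFilter(request, response);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Validates the request's {@code ticket} parameter against the CAS validate URL.
     *
     * @return the user name on success, or the empty string when CAS rejects the ticket
     * @throws ServletException if the ticket was proxied through a proxy that is not
     *         listed in the {@code authorizedProxy} parameter, or if the validation call
     *         or response parsing fails
     */
    private String getAuthenticatedUser(HttpServletRequest httpServletRequest) throws ServletException {
        try {
            ProxyTicketValidator validator = new ProxyTicketValidator();
            validator.setCasValidateUrl(this.casValidate);
            validator.setServiceTicket(httpServletRequest.getParameter("ticket"));
            validator.setService(getService(httpServletRequest));
            validator.setRenew(Boolean.parseBoolean(this.casRenew));
            validator.validate();
            if (!validator.isAuthenticationSuccesful()) {
                return "";
            }
            if (validator.getProxyList().size() != 0) {
                if (this.casAuthorizedProxy == null) {
                    throw new ServletException("this page does not accept proxied tickets");
                }
                // Only the first entry of the proxy list is compared with the
                // whitespace-separated allow list.
                String firstProxy = (String) validator.getProxyList().get(0);
                boolean authorized = false;
                StringTokenizer allowed = new StringTokenizer(this.casAuthorizedProxy);
                while (allowed.hasMoreTokens() && !authorized) {
                    authorized = firstProxy.equals(allowed.nextToken());
                }
                if (!authorized) {
                    throw new ServletException("unauthorized top-level proxy: '" + firstProxy + "'");
                }
            }
            return validator.getUser();
        } catch (IOException e) {
            throw new ServletException(e);
        } catch (ParserConfigurationException e) {
            throw new ServletException(e);
        } catch (SAXException e) {
            // The original appended the validator response through a branch that could
            // never execute; the message is reduced to the exception text and the
            // exception is now kept as the cause.
            throw new ServletException(e.toString(), e);
        }
    }

    /**
     * Returns the URL-encoded service identifier sent to CAS for login and validation.
     *
     * @throws ServletException if neither {@code serviceUrl} nor {@code serverName} is
     *         configured
     */
    private String getService(HttpServletRequest httpServletRequest) throws ServletException {
        if (this.casServerName == null && this.casServiceUrl == null) {
            throw new ServletException("need one of the following configuration parameters: edu.yale.its.tp.cas.client.filter.serviceUrl or edu.yale.its.tp.cas.client.filter.serverName");
        }
        if (this.casServiceUrl != null) {
            // Single-argument encode() uses the platform default charset (deprecated API).
            return URLEncoder.encode(this.casServiceUrl);
        }
        return Util.getService(httpServletRequest, this.casServerName);
    }

    /**
     * Builds a URL-encoded service URL from the configured server name and the request
     * URI, leaving the query string (and with it the rejected ticket) out.
     *
     * <p>The host comes from configuration, not from the request. When only
     * {@code serviceUrl} is configured it is used instead, so the redirect no longer
     * carries the literal host {@code null}.
     */
    private String getServiceWithoutTicket(HttpServletRequest httpServletRequest) {
        if (httpServletRequest == null) {
            throw new IllegalArgumentException("request is required");
        }
        if (this.casServerName == null) {
            if (this.casServiceUrl == null) {
                throw new IllegalArgumentException("name of server is required");
            }
            return URLEncoder.encode(this.casServiceUrl);
        }
        String scheme = httpServletRequest.isSecure() ? "https://" : "http://";
        return URLEncoder.encode(scheme + this.casServerName + httpServletRequest.getRequestURI());
    }

    /**
     * Resolves the session cookie to a user through the ticket store.
     *
     * @return a map with the keys {@code ticket} (cookie value or {@code null}) and
     *         {@code user} ({@code null} when there is no cookie or no store entry)
     */
    private Map<String, String> getCurrentUser(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Map<String, String> result = new HashMap<String, String>();
        result.put("ticket", null);
        result.put("user", null);
        Cookie cookie = WebUtils.getCookie(httpServletRequest, CAS_TICKET);
        if (cookie == null) {
            return result;
        }
        String ticket = cookie.getValue();
        result.put("ticket", ticket);
        Object stored = null;
        try {
            stored = CAS_LOGIN_SERVICE.get(ticket);
        } catch (Exception e) {
            logStoreFailure(httpServletRequest, "get", e);
        }
        // Anything other than a stored String is treated as "no session" rather than
        // failing the request with a ClassCastException.
        if (stored instanceof String) {
            result.put("user", (String) stored);
            return result;
        }
        // Unknown or expired ticket: tell the browser to drop the stale cookie.
        addTicketToCookie(httpServletRequest, httpServletResponse, ticket, true);
        return result;
    }

    /**
     * Sets (or, when {@code expire} is true, expires) the ticket cookie.
     *
     * <p>The cookie is HttpOnly and scoped to path {@code /}. It is marked Secure when the
     * request arrived over a secure channel, so that a session started over HTTPS is not
     * replayed by the browser over plain HTTP. NOTE(review): behind a TLS-terminating
     * proxy {@code isSecure()} may report false; confirm the connector configuration.
     */
    private void addTicketToCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String value, boolean expire) {
        Cookie cookie = new Cookie(CAS_TICKET, value);
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        cookie.setSecure(httpServletRequest.isSecure());
        if (expire) {
            cookie.setMaxAge(0);
        }
        httpServletResponse.addCookie(cookie);
    }

    /**
     * Decides whether the request bypasses CAS authentication.
     *
     * <p>A pattern matches when it equals the request URI, or when it ends with
     * {@code /*} and the URI is the prefix itself or lies below it. The comparison is
     * anchored on a path-segment boundary: {@code /app/public/*} covers
     * {@code /app/public} and {@code /app/public/x}, but not {@code /app/publicity}.
     *
     * <p>{@code getRequestURI()} is the raw, undecoded path. A URI whose textual prefix
     * does not reliably identify the resource the container will dispatch to is never
     * excluded; it simply goes through normal authentication.
     */
    private boolean excludeUrl(HttpServletRequest httpServletRequest) {
        String requestUri = httpServletRequest.getRequestURI();
        if (requestUri == null || isAmbiguousPath(requestUri)) {
            return false;
        }
        for (String pattern : this.casExcludeUrl) {
            if (pattern.equals(requestUri)) {
                return true;
            }
            if (pattern.endsWith("/*")) {
                String prefix = pattern.substring(0, pattern.length() - 2);
                if (requestUri.equals(prefix) || requestUri.startsWith(prefix + "/")) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Reports whether the raw URI contains a parent-directory segment ({@code ..},
     * optionally followed by a {@code ;} path parameter) or a percent-encoded dot.
     */
    private static boolean isAmbiguousPath(String uri) {
        if (uri.contains("%2e") || uri.contains("%2E")) {
            return true;
        }
        int at = uri.indexOf("/..");
        while (at >= 0) {
            int next = at + 3;
            if (next == uri.length()) {
                return true;
            }
            char following = uri.charAt(next);
            if (following == '/' || following == ';') {
                return true;
            }
            at = uri.indexOf("/..", at + 1);
        }
        return false;
    }

    /** Builds the CAS login redirect for an already URL-encoded service value. */
    private String loginRedirect(String encodedService) {
        String renew = (this.casRenew == null || this.casRenew.equals("")) ? "" : "&renew=" + this.casRenew;
        return this.casLogin + "?service=" + encodedService + renew;
    }

    /**
     * Logs a ticket-store failure through the servlet context.
     * The ticket is deliberately left out of the message because it doubles as the
     * session cookie value.
     */
    private static void logStoreFailure(HttpServletRequest httpServletRequest, String operation, Exception e) {
        httpServletRequest.getServletContext().log("CASFilter: ticket store " + operation + " failed", e);
    }

    /**
     * Logs the current browser out of this filter: removes the store entry for the
     * ticket cookie and expires the cookie. Does nothing when the cookie is absent.
     *
     * @param httpServletRequest request carrying the ticket cookie
     * @param httpServletResponse response that receives the expiring cookie
     */
    public static void deleteTicket(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Cookie cookie = WebUtils.getCookie(httpServletRequest, CAS_TICKET);
        if (cookie == null) {
            return;
        }
        try {
            CAS_LOGIN_SERVICE.delete(cookie.getValue());
        } catch (Exception e) {
            // The cookie is still expired below; the store entry, if it survived, stays
            // usable by anyone holding the ticket until it expires on its own.
            logStoreFailure(httpServletRequest, "delete", e);
        }
        Cookie expired = new Cookie(CAS_TICKET, "");
        expired.setMaxAge(0);
        expired.setPath("/");
        expired.setHttpOnly(true);
        expired.setSecure(httpServletRequest.isSecure());
        httpServletResponse.addCookie(expired);
    }
}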
