package edu.internet2.middleware.shibboleth.idp.session;

import edu.internet2.middleware.shibboleth.common.session.SessionManager;
import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.joda.time.DateTime;
import org.opensaml.ws.transport.http.HTTPTransportUtils;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/session/IdPSessionFilter.class */
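public class IdPSessionFilter implements Filter {

    /** Class logger. */
    private static final Logger log = LoggerFactory.getLogger(IdPSessionFilter.class);

    /** MDC key under which the current IdP session ID is published for downstream log statements. */
    private static final String MDC_SESSION_ID_KEY = "idpSessionId";

    /** Whether the cookie's embedded client address must match the address the request arrived from. */
    private boolean consistentAddress;

    /** Session store the cookie's session ID is resolved against. */
    private SessionManager<Session> sessionManager;

    /** {@inheritDoc} */
    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * Resolves the IdP session referenced by the request's session cookie and, if the cookie validates,
     * touches the session's activity time and binds the session to the request.
     *
     * The session ID is also placed in the logging MDC for the duration of the downstream chain and
     * removed again afterwards; MDC is thread-local, so leaving it set would leak the ID into log lines
     * of unrelated requests later served by the same pooled thread.
     *
     * @param servletRequest the request; cast to {@link HttpServletRequest}
     * @param servletResponse the response, passed through unchanged
     * @param filterChain the remaining filter chain
     * @throws IOException propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        Session session = validateCookie(getIdPSessionCookie(httpRequest), httpRequest);

        boolean sessionIdBoundToMdc = false;
        if (session != null) {
            log.trace("Updating IdP session activity time and adding session object to the request");
            session.setLastActivityInstant(new DateTime());
            MDC.put(MDC_SESSION_ID_KEY, session.getSessionID());
            sessionIdBoundToMdc = true;
            httpRequest.setAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE, session);
        }

        try {
            filterChain.doFilter(servletRequest, servletResponse);
        } finally {
            // only clear what this filter set, so an outer component's MDC state is left alone
            if (sessionIdBoundToMdc) {
                MDC.remove(MDC_SESSION_ID_KEY);
            }
        }
    }

    /**
     * Reads the filter's init parameters.
     *
     * <ul>
     *   <li>{@code sessionManagedId}: servlet-context attribute name of the session manager
     *       (default {@code shibboleth.SessionManager})</li>
     *   <li>{@code ensureConsistentClientAddress}: whether the cookie's client address must match the
     *       request's remote address (default {@code true})</li>
     * </ul>
     *
     * @param filterConfig the filter configuration
     * @throws ServletException if no session manager is bound under the configured attribute name; failing
     *         here surfaces the misconfiguration at startup instead of as a NullPointerException on the
     *         first request carrying a session cookie
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String managerAttributeName = filterConfig.getInitParameter("sessionManagedId");
        if (DatatypeHelper.isEmpty(managerAttributeName)) {
            managerAttributeName = "shibboleth.SessionManager";
        }
        @SuppressWarnings("unchecked") // the context attribute is looked up by name; its generic type is not checkable here
        SessionManager<Session> manager =
                (SessionManager<Session>) filterConfig.getServletContext().getAttribute(managerAttributeName);
        if (manager == null) {
            throw new ServletException(
                    "No SessionManager bound in the servlet context under attribute '" + managerAttributeName + "'");
        }
        this.sessionManager = manager;

        String consistentAddressParam = filterConfig.getInitParameter("ensureConsistentClientAddress");
        // absent/blank means the safer default: enforce the address binding
        this.consistentAddress =
                DatatypeHelper.isEmpty(consistentAddressParam) || Boolean.parseBoolean(consistentAddressParam);
    }

    /**
     * Finds the IdP session cookie on the request.
     *
     * @param httpServletRequest the current request
     * @return the cookie named {@link AuthenticationEngine#IDP_SESSION_COOKIE_NAME}, or {@code null} if the
     *         request carries no cookies or none with that name
     */
    protected Cookie getIdPSessionCookie(HttpServletRequest httpServletRequest) {
        log.trace("Attempting to retrieve IdP session cookie.");
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie candidate : cookies) {
            if (DatatypeHelper.safeEquals(candidate.getName(), AuthenticationEngine.IDP_SESSION_COOKIE_NAME)) {
                log.trace("Found IdP session cookie.");
                return candidate;
            }
        }
        return null;
    }

    /**
     * Validates a session cookie and resolves the session it references.
     *
     * The cookie value is URL-encoded and, once decoded, has the form
     * {@code base64(clientAddress)|base64(sessionId)|base64(signature)}. The signature is a digest over the
     * session's secret followed by the raw address and session-ID bytes, so a cookie can only validate for
     * the session whose server-side secret it was issued with. Every check fails closed: a malformed,
     * undecodable, mis-addressed, unknown or tampered cookie yields {@code null}, and so does a failure
     * to compute the digest at all.
     *
     * @param cookie the IdP session cookie; may be {@code null}
     * @param httpServletRequest the current request, used for the remote-address check
     * @return the referenced session, or {@code null} if the cookie is absent or does not validate
     */
    protected Session validateCookie(Cookie cookie, HttpServletRequest httpServletRequest) {
        if (cookie == null) {
            return null;
        }

        // cookie values are client-controlled input: never index into the split result unchecked
        String[] fields = HTTPTransportUtils.urlDecode(cookie.getValue()).split("\\|");
        if (fields.length < 3) {
            log.warn("IdP session cookie is malformed: expected 3 '|'-separated fields but found {}", fields.length);
            return null;
        }

        byte[] addressBytes = Base64.decode(fields[0]);
        byte[] sessionIdBytes = Base64.decode(fields[1]);
        byte[] presentedSignature = Base64.decode(fields[2]);
        // NOTE(review): Base64.decode's behaviour on invalid input is not visible here; the null check is
        // defensive and harmless if it throws instead.
        if (addressBytes == null || sessionIdBytes == null || presentedSignature == null) {
            log.warn("IdP session cookie contains undecodable Base64 material");
            return null;
        }

        if (this.consistentAddress) {
            // platform-charset decoding is kept to match the issuing side (not visible here); the value is an IP
            // address string, so the charset choice does not affect it in practice
            String issuedToAddress = new String(addressBytes);
            String remoteAddress = httpServletRequest.getRemoteAddr();
            if (!DatatypeHelper.safeEquals(remoteAddress, issuedToAddress)) {
                log.error("Client sent a cookie from address {} but the cookie was issued to address {}",
                        remoteAddress, issuedToAddress);
                return null;
            }
        }

        Session session = (Session) this.sessionManager.getSession(new String(sessionIdBytes));
        if (session == null) {
            log.debug("No session associated with session ID {} - session must have timed out", fields[1]);
            return null;
        }

        try {
            // "SHA" must stay in step with the algorithm the cookie issuer uses (presumably AuthenticationEngine)
            MessageDigest digest = MessageDigest.getInstance("SHA");
            digest.update(session.getSessionSecret());
            digest.update(addressBytes);
            digest.update(sessionIdBytes);
            // constant-time comparison: Arrays.equals short-circuits on the first differing byte
            if (!MessageDigest.isEqual(digest.digest(), presentedSignature)) {
                log.error("Session cookie signature did not match, the session cookie has been tampered with");
                return null;
            }
        } catch (GeneralSecurityException e) {
            // fail closed: an unverified cookie must not bind a session to the request
            log.error("Unable to compute digest over session cookie material", e);
            return null;
        }

        return session;
    }
}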
