package org.keycloak.adapters.saml.servlet;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.adapters.saml.DefaultSamlDeployment;
import org.keycloak.adapters.saml.SamlAuthenticator;
import org.keycloak.adapters.saml.SamlDeployment;
import org.keycloak.adapters.saml.SamlDeploymentContext;
import org.keycloak.adapters.saml.SamlSession;
import org.keycloak.adapters.saml.SamlSessionStore;
import org.keycloak.adapters.saml.config.parsers.DeploymentBuilder;
import org.keycloak.adapters.saml.config.parsers.ResourceLoader;
import org.keycloak.adapters.saml.profile.SamlAuthenticationHandler;
import org.keycloak.adapters.saml.profile.webbrowsersso.BrowserHandler;
import org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint;
import org.keycloak.adapters.servlet.ServletHttpFacade;
import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.spi.InMemorySessionIdMapper;
import org.keycloak.adapters.spi.SessionIdMapper;
import org.keycloak.saml.common.exceptions.ParsingException;

/* loaded from: input_file:org/keycloak/adapters/saml/servlet/SamlFilter.class */
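/**
 * Servlet filter that protects a web application with the Keycloak SAML adapter.
 *
 * <p>{@link #init} locates the adapter configuration and publishes the resulting
 * {@link SamlDeploymentContext} and {@link SessionIdMapper} as servlet-context attributes.
 * {@link #doFilter} runs SAML authentication for every request and passes the request down the
 * chain only when authentication succeeded, when a logout completed and no logout page is
 * configured, or when the deployment is passive and the request is merely unauthenticated.
 *
 * <p>The filter fails closed: a missing, unresolved or unconfigured deployment is answered with
 * HTTP 403 instead of letting the request through.
 */
public class SamlFilter implements Filter {
    protected SamlDeploymentContext deploymentContext;
    protected SessionIdMapper idMapper;
    private static final Logger log = Logger.getLogger("" + SamlFilter.class);
    // Matches a leading URI scheme ("https:", "mailto:", ...); used to tell an absolute logout URL
    // from an application-relative path.
    private static final Pattern PROTOCOL_PATTERN = Pattern.compile("^[a-zA-Z][a-zA-Z0-9+.-]*:");

    /**
     * Resolves the SAML deployment for this web application.
     *
     * <p>Lookup order: a {@link SamlDeploymentContext} already stored in the servlet context, then
     * the {@code keycloak.config.file} init parameter (file-system path), then
     * {@code keycloak.config.path} (web-application resource, default
     * {@code /WEB-INF/keycloak-saml.xml}). The {@code keycloak.config.resolver} parameter is
     * recognised but not implemented; when it is set no deployment context is created and
     * {@link #doFilter} rejects every request.
     *
     * @param filterConfig filter configuration supplied by the container
     * @throws ServletException declared by {@link Filter#init}; not thrown by this implementation
     * @throws RuntimeException if the configured file does not exist or the configuration cannot
     *         be parsed
     */
    @Override
    public void init(final FilterConfig filterConfig) throws ServletException {
        this.deploymentContext = (SamlDeploymentContext) filterConfig.getServletContext().getAttribute(SamlDeploymentContext.class.getName());
        if (this.deploymentContext != null) {
            // Another component already published a context; reuse its session-id mapper as well.
            this.idMapper = (SessionIdMapper) filterConfig.getServletContext().getAttribute(SessionIdMapper.class.getName());
            return;
        }
        String resolverClassName = filterConfig.getInitParameter("keycloak.config.resolver");
        if (resolverClassName != null) {
            // Resolver support is not implemented. deploymentContext stays null and doFilter()
            // answers 403 for every request, so log at WARNING: an application that silently
            // denies all traffic is an operational problem the operator has to see.
            log.log(Level.WARNING, "The specified resolver {0} could NOT be loaded. Keycloak is unconfigured and will deny all requests. Reason: {1}", new Object[]{resolverClassName, "Not implemented yet"});
        } else {
            this.deploymentContext = new SamlDeploymentContext(loadDeployment(filterConfig));
            log.fine("Keycloak is using a per-deployment configuration.");
        }
        this.idMapper = new InMemorySessionIdMapper();
        filterConfig.getServletContext().setAttribute(SamlDeploymentContext.class.getName(), this.deploymentContext);
        filterConfig.getServletContext().setAttribute(SessionIdMapper.class.getName(), this.idMapper);
    }

    /**
     * Opens the adapter configuration named by the filter's init parameters.
     *
     * @return the configuration stream, or {@code null} when the web-application resource does
     *         not exist
     * @throws RuntimeException if {@code keycloak.config.file} names a file that cannot be opened
     */
    private static InputStream openConfigStream(FilterConfig filterConfig) {
        String configFile = filterConfig.getInitParameter("keycloak.config.file");
        if (configFile != null) {
            try {
                return new FileInputStream(configFile);
            } catch (FileNotFoundException e) {
                throw new RuntimeException(e);
            }
        }
        String configPath = filterConfig.getInitParameter("keycloak.config.path");
        return filterConfig.getServletContext().getResourceAsStream(configPath != null ? configPath : "/WEB-INF/keycloak-saml.xml");
    }

    /**
     * Builds the deployment from the adapter configuration, or returns an empty
     * {@link DefaultSamlDeployment} when no configuration is available.
     *
     * @throws RuntimeException if the configuration cannot be parsed
     */
    private static SamlDeployment loadDeployment(final FilterConfig filterConfig) {
        InputStream configStream = openConfigStream(filterConfig);
        if (configStream == null) {
            log.info("No adapter configuration. Keycloak is unconfigured and will deny all requests.");
            return new DefaultSamlDeployment();
        }
        try {
            // Resources referenced from the configuration are resolved inside the web
            // application, never against the file system.
            return new DeploymentBuilder().build(configStream, new ResourceLoader() {
                @Override
                public InputStream getResourceAsStream(String resource) {
                    return filterConfig.getServletContext().getResourceAsStream(resource);
                }
            });
        } catch (ParsingException e) {
            throw new RuntimeException(e);
        } finally {
            // The stream was previously never closed, leaking a file handle per deployment.
            // NOTE(review): assumes build() has finished reading by the time it returns - confirm.
            closeQuietly(configStream);
        }
    }

    /** Closes the stream; a failure to close is logged and otherwise ignored. */
    private static void closeQuietly(InputStream stream) {
        try {
            stream.close();
        } catch (IOException e) {
            log.log(Level.FINE, "Failed to close the adapter configuration stream", e);
        }
    }

    /**
     * Authenticates the request and dispatches on the outcome.
     *
     * <ul>
     *   <li>no deployment context, no deployment, or an unconfigured deployment: 403</li>
     *   <li>{@code AUTHENTICATED}: continue down the chain with the wrapped request</li>
     *   <li>{@code LOGGED_OUT}: log the account out, then continue, forward to a relative logout
     *       page, or redirect to an absolute one</li>
     *   <li>otherwise: send the authenticator's challenge if there is one; let the request
     *       through only for a passive deployment with outcome {@code NOT_AUTHENTICATED};
     *       answer 403 in every other case</li>
     * </ul>
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (this.deploymentContext == null) {
            // init() leaves the context null when keycloak.config.resolver is set. Deny
            // explicitly rather than failing with a NullPointerException (a 500) below.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            log.fine("deployment not configured");
            return;
        }
        ServletHttpFacade facade = new ServletHttpFacade(request, response);
        SamlDeployment deployment = this.deploymentContext.resolveDeployment(facade);
        if (deployment == null || !deployment.isConfigured()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            log.fine("deployment not configured");
            return;
        }
        // NOTE(review): 100000 looks like a request-buffer limit - confirm against
        // FilterSamlSessionStore.
        FilterSamlSessionStore sessionStore = new FilterSamlSessionStore(request, facade, 100000, this.idMapper);
        SamlAuthenticator authenticator = createAuthenticator(request, facade, deployment, sessionStore);
        AuthOutcome outcome = authenticator.authenticate();
        if (outcome == AuthOutcome.AUTHENTICATED) {
            log.fine("AUTHENTICATED");
            if (!facade.isEnded()) {
                filterChain.doFilter(sessionStore.getWrap(), servletResponse);
            }
            return;
        }
        if (outcome == AuthOutcome.LOGGED_OUT) {
            sessionStore.logoutAccount();
            // The logout page comes from the deployment configuration, not from the request. An
            // absolute URL there is sent to the browser as a redirect target without further
            // validation, so the adapter configuration must be trusted.
            String logoutPage = deployment.getLogoutPage();
            if (logoutPage == null) {
                filterChain.doFilter(servletRequest, servletResponse);
            } else if (PROTOCOL_PATTERN.matcher(logoutPage).find()) {
                response.sendRedirect(logoutPage);
                log.log(Level.FINE, "Redirected to logout page {0}", logoutPage);
            } else {
                servletRequest.getRequestDispatcher(logoutPage).forward(servletRequest, servletResponse);
            }
            return;
        }
        AuthChallenge challenge = authenticator.getChallenge();
        if (challenge != null) {
            log.fine("challenge");
            challenge.challenge(facade);
            return;
        }
        if (deployment.isIsPassive() && outcome == AuthOutcome.NOT_AUTHENTICATED) {
            // Passive deployments let unauthenticated requests through instead of challenging.
            log.fine("PASSIVE_NOT_AUTHENTICATED");
            if (!facade.isEnded()) {
                filterChain.doFilter(servletRequest, servletResponse);
            }
            return;
        }
        if (!facade.isEnded()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /**
     * Chooses the authenticator for this request: the SAML endpoint handler when the path after
     * the context path ends with {@code /saml}, the browser handler otherwise.
     *
     * <p>The check is a plain suffix match on the raw request URI, so every path ending in
     * {@code /saml} is treated as the SAML endpoint.
     */
    private SamlAuthenticator createAuthenticator(HttpServletRequest request, ServletHttpFacade facade, SamlDeployment deployment, FilterSamlSessionStore sessionStore) {
        String pathInContext = request.getRequestURI().substring(request.getContextPath().length());
        if (pathInContext.endsWith("/saml")) {
            return new SamlAuthenticator(facade, deployment, sessionStore) {
                @Override
                protected void completeAuthentication(SamlSession samlSession) {
                    // Nothing to do in the filter.
                }

                @Override
                protected SamlAuthenticationHandler createBrowserHandler(HttpFacade httpFacade, SamlDeployment samlDeployment, SamlSessionStore samlSessionStore) {
                    return new SamlEndpoint(httpFacade, samlDeployment, samlSessionStore);
                }
            };
        }
        return new SamlAuthenticator(facade, deployment, sessionStore) {
            @Override
            protected void completeAuthentication(SamlSession samlSession) {
                // Nothing to do in the filter.
            }

            @Override
            protected SamlAuthenticationHandler createBrowserHandler(HttpFacade httpFacade, SamlDeployment samlDeployment, SamlSessionStore samlSessionStore) {
                return new BrowserHandler(httpFacade, samlDeployment, samlSessionStore);
            }
        };
    }

    /** Nothing to release; the filter holds no resources of its own. */
    @Override
    public void destroy() {
    }
}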
