package org.picketlink.http.internal;

import java.io.IOException;
import java.lang.annotation.Annotation;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.enterprise.inject.Any;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.jboss.logging.Logger;
import org.picketlink.Identity;
import org.picketlink.annotations.PicketLink;
import org.picketlink.authentication.AuthenticationException;
import org.picketlink.config.http.AuthenticationConfiguration;
import org.picketlink.config.http.AuthenticationSchemeConfiguration;
import org.picketlink.config.http.AuthorizationConfiguration;
import org.picketlink.config.http.BasicAuthenticationConfiguration;
import org.picketlink.config.http.CustomAuthenticationConfiguration;
import org.picketlink.config.http.DigestAuthenticationConfiguration;
import org.picketlink.config.http.FormAuthenticationConfiguration;
import org.picketlink.config.http.HttpSecurityConfiguration;
import org.picketlink.config.http.HttpSecurityConfigurationException;
import org.picketlink.config.http.OutboundRedirectConfiguration;
import org.picketlink.config.http.PathConfiguration;
import org.picketlink.config.http.TokenAuthenticationConfiguration;
import org.picketlink.config.http.X509AuthenticationConfiguration;
import org.picketlink.credential.DefaultLoginCredentials;
import org.picketlink.extension.PicketLinkExtension;
import org.picketlink.http.AccessDeniedException;
import org.picketlink.http.AuthenticationRequiredException;
import org.picketlink.http.HttpMethod;
import org.picketlink.http.MethodNotAllowedException;
import org.picketlink.http.authentication.HttpAuthenticationScheme;
import org.picketlink.http.authorization.PathAuthorizer;
import org.picketlink.http.internal.authentication.schemes.BasicAuthenticationScheme;
import org.picketlink.http.internal.authentication.schemes.DigestAuthenticationScheme;
import org.picketlink.http.internal.authentication.schemes.FormAuthenticationScheme;
import org.picketlink.http.internal.authentication.schemes.TokenAuthenticationScheme;
import org.picketlink.http.internal.authentication.schemes.X509AuthenticationScheme;
import org.picketlink.http.internal.authorization.ExpressionPathAuthorizer;
import org.picketlink.http.internal.authorization.GroupPathAuthorizer;
import org.picketlink.http.internal.authorization.RealmPathAuthorizer;
import org.picketlink.http.internal.authorization.RolePathAuthorizer;
import org.picketlink.http.internal.util.RequestUtil;
import org.picketlink.idm.PartitionManager;
import org.picketlink.internal.el.ELProcessor;
import org.picketlink.log.BaseLog;

/* loaded from: input_file:org/picketlink/http/internal/SecurityFilter.class */
public class SecurityFilter implements Filter {
    public static final String AUTHENTICATION_ORIGINAL_PATH = SecurityFilter.class.getName() + ".authc.original.path";

    @Inject
    private PicketLinkExtension picketLinkExtension;

    @Inject
    private Instance<PartitionManager> partitionManager;

    @Inject
    private Instance<Identity> identityInstance;

    @Inject
    private Instance<DefaultLoginCredentials> credentialsInstance;

    @Inject
    @Any
    private Instance<HttpAuthenticationScheme> authenticationSchemesInstance;

    @Inject
    @Any
    private Instance<PathAuthorizer> pathAuthorizerInstance;

    @Inject
    @PicketLink
    private Instance<HttpServletRequest> picketLinkHttpServletRequest;

    @Inject
    private ELProcessor elProcessor;
    private HttpSecurityConfiguration configuration;
    private PathMatcher pathMatcher;
    private Map<PathConfiguration, HttpAuthenticationScheme> authenticationSchemes = new HashMap();
    private Map<PathConfiguration, List<PathAuthorizer>> pathAuthorizers = new HashMap();

    public void init(FilterConfig filterConfig) throws ServletException {
        this.configuration = this.picketLinkExtension.getSecurityConfigurationBuilder().build().getHttpSecurityConfiguration();
        if (this.configuration == null) {
            throw new HttpSecurityConfigurationException("No configuration provided.");
        }
        initializePathMatcher();
        initializeAuthenticationSchemes();
        initializePathAuthorizers();
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!HttpServletRequest.class.isInstance(servletRequest)) {
            throw new ServletException("This filter can only process HttpServletRequest requests.");
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        try {
            HttpServletRequest httpServletRequest2 = (HttpServletRequest) this.picketLinkHttpServletRequest.get();
            if (BaseLog.HTTP_LOGGER.isDebugEnabled()) {
                BaseLog.HTTP_LOGGER.debugf("Processing request to path [%s].", httpServletRequest2.getRequestURI());
            }
            PathConfiguration matches = this.pathMatcher.matches(httpServletRequest2);
            Identity identity = getIdentity();
            performAuthenticationIfRequired(matches, identity, httpServletRequest2, httpServletResponse);
            if (isSecured(matches)) {
                if (!isMethodAllowed(matches, httpServletRequest2)) {
                    throw new MethodNotAllowedException("The given method is not allowed [" + httpServletRequest2.getMethod() + "] for path [" + matches.getUri() + "].");
                }
                if (!httpServletResponse.isCommitted()) {
                    if (!identity.isLoggedIn()) {
                        challengeClientForCredentials(matches, httpServletRequest2, httpServletResponse);
                    } else if (isLogoutPath(matches)) {
                        performLogout(httpServletRequest2, httpServletResponse, identity, matches);
                    } else if (!isAuthorized(matches, httpServletRequest2, httpServletResponse)) {
                        throw new AccessDeniedException("The request for the given path [" + matches.getUri() + "] was forbidden.");
                    }
                }
            }
            performOutboundProcessing(matches, httpServletRequest2, httpServletResponse, filterChain);
        } catch (Exception e) {
            handleException(null, httpServletRequest, httpServletResponse, e);
        }
    }

    private boolean isSecured(PathConfiguration pathConfiguration) {
        return pathConfiguration != null && pathConfiguration.isSecured();
    }

    private boolean isMethodAllowed(PathConfiguration pathConfiguration, HttpServletRequest httpServletRequest) {
        return pathConfiguration.getMethods().contains(HttpMethod.valueOf(httpServletRequest.getMethod().toUpperCase()));
    }

    private void performOutboundProcessing(PathConfiguration pathConfiguration, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (httpServletResponse.isCommitted()) {
            if (BaseLog.HTTP_LOGGER.isDebugEnabled()) {
                BaseLog.HTTP_LOGGER.debugf("Response already commited. Ignoring outbound processing for path [%s].", pathConfiguration);
                return;
            }
            return;
        }
        if (!isSecured(pathConfiguration)) {
            if (this.configuration.isPermissive()) {
                processRequest(pathConfiguration, httpServletRequest, httpServletResponse, filterChain);
                return;
            } else {
                if (pathConfiguration == null) {
                    httpServletResponse.sendError(403, "No configuration found for the given path [" + httpServletRequest.getRequestURI() + "] ");
                    return;
                }
                return;
            }
        }
        String redirectUrl = pathConfiguration.getRedirectUrl(OutboundRedirectConfiguration.Condition.OK);
        if (isLogoutPath(pathConfiguration)) {
            if (RequestUtil.isAjaxRequest(httpServletRequest)) {
                httpServletResponse.setStatus(204);
            } else if (redirectUrl == null) {
                redirectUrl = httpServletRequest.getContextPath();
            }
        }
        if (redirectUrl != null) {
            redirect(redirectUrl, httpServletRequest, httpServletResponse);
        } else {
            processRequest(pathConfiguration, httpServletRequest, httpServletResponse, filterChain);
        }
    }

    private void redirect(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String formatRedirectUrl = formatRedirectUrl(httpServletRequest, str);
        if (BaseLog.HTTP_LOGGER.isDebugEnabled()) {
            BaseLog.HTTP_LOGGER.debugf("Redirecting to [%s].", formatRedirectUrl);
        }
        httpServletResponse.sendRedirect(formatRedirectUrl);
    }

    private void handleException(PathConfiguration pathConfiguration, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Throwable th) throws IOException {
        int i;
        String str = null;
        if (BaseLog.HTTP_LOGGER.isDebugEnabled()) {
            BaseLog.HTTP_LOGGER.debugf("Handling exception [%s] for path [%s].", th, httpServletRequest.getRequestURI());
        }
        if (AuthenticationRequiredException.class.isInstance(th)) {
            i = 401;
        } else if (AccessDeniedException.class.isInstance(th)) {
            i = 403;
            if (isSecured(pathConfiguration)) {
                str = pathConfiguration.getRedirectUrl(OutboundRedirectConfiguration.Condition.FORBIDDEN);
            }
        } else if (MethodNotAllowedException.class.isInstance(th)) {
            i = 405;
        } else {
            i = 500;
            if (isSecured(pathConfiguration)) {
                str = pathConfiguration.getRedirectUrl(OutboundRedirectConfiguration.Condition.ERROR);
            }
        }
        if (str != null) {
            redirect(str, httpServletRequest, httpServletResponse);
            return;
        }
        String message = th.getMessage();
        if (message == null) {
            message = "The server could not process your request.";
        }
        if (BaseLog.HTTP_LOGGER.isEnabled(Logger.Level.ERROR)) {
            BaseLog.HTTP_LOGGER.errorf(th, "Exception thrown during processing for path [%s]. Sending error with status code [%s].", httpServletRequest.getRequestURI(), Integer.valueOf(i));
        }
        httpServletResponse.sendError(i, message);
    }

    private String formatRedirectUrl(HttpServletRequest httpServletRequest, String str) {
        if (str.startsWith("/") && !str.startsWith(httpServletRequest.getContextPath())) {
            str = httpServletRequest.getContextPath() + str;
        }
        return str;
    }

    private void performLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Identity identity, PathConfiguration pathConfiguration) throws IOException {
        if (identity.isLoggedIn()) {
            identity.logout();
        }
    }

    private boolean isLogoutPath(PathConfiguration pathConfiguration) {
        return (pathConfiguration == null || pathConfiguration.getLogoutConfiguration() == null) ? false : true;
    }

    private boolean isAuthorized(PathConfiguration pathConfiguration, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        List<PathAuthorizer> list = this.pathAuthorizers.get(pathConfiguration);
        if (list == null) {
            return true;
        }
        Iterator<PathAuthorizer> it = list.iterator();
        while (it.hasNext()) {
            if (!it.next().authorize(pathConfiguration, httpServletRequest, httpServletResponse)) {
                return false;
            }
        }
        return true;
    }

    private void processRequest(PathConfiguration pathConfiguration, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) {
        try {
            if (BaseLog.HTTP_LOGGER.isDebugEnabled()) {
                BaseLog.HTTP_LOGGER.debugf("Continuing to process request for path [%s].", httpServletRequest.getRequestURI());
            }
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } catch (Exception e) {
            throw new RuntimeException("Could not process request.", e);
        }
    }

    private void challengeClientForCredentials(PathConfiguration pathConfiguration, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        HttpAuthenticationScheme authenticationScheme = getAuthenticationScheme(pathConfiguration, httpServletRequest);
        if (authenticationScheme != null) {
            if (BaseLog.HTTP_LOGGER.isDebugEnabled()) {
                BaseLog.HTTP_LOGGER.debugf("Challenging client using authentication scheme [%s].", authenticationScheme);
            }
            try {
                authenticationScheme.challengeClient(httpServletRequest, httpServletResponse);
                HttpSession session = httpServletRequest.getSession(false);
                if (session != null) {
                    PathConfiguration pathConfiguration2 = (PathConfiguration) session.getAttribute(AUTHENTICATION_ORIGINAL_PATH);
                    if (pathConfiguration2 == null || !pathConfiguration2.equals(pathConfiguration)) {
                        session.setAttribute(AUTHENTICATION_ORIGINAL_PATH, pathConfiguration);
                    }
                }
            } catch (Exception e) {
                throw new RuntimeException("Could not challenge client for credentials.", e);
            }
        }
    }

    private void performAuthenticationIfRequired(PathConfiguration pathConfiguration, Identity identity, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        HttpAuthenticationScheme authenticationScheme = getAuthenticationScheme(pathConfiguration, httpServletRequest);
        if (authenticationScheme == null) {
            if (!identity.isLoggedIn() && pathConfiguration != null && pathConfiguration.getAuthorizationConfiguration() != null) {
                throw new AuthenticationRequiredException("The given path [" + pathConfiguration.getUri() + "] requires authentication.");
            }
            return;
        }
        DefaultLoginCredentials extractCredentials = extractCredentials(httpServletRequest, authenticationScheme);
        if (BaseLog.HTTP_LOGGER.isDebugEnabled()) {
            BaseLog.HTTP_LOGGER.debugf("Credentials extracted from request [%s]", extractCredentials.getCredential());
        }
        if (extractCredentials.getCredential() != null) {
            if (identity.isLoggedIn()) {
                if (BaseLog.HTTP_LOGGER.isDebugEnabled()) {
                    BaseLog.HTTP_LOGGER.debugf("Forcing re-authentication. Logging out current user [%s]", identity.getAccount());
                }
                identity.logout();
            }
            extractCredentials = extractCredentials(httpServletRequest, authenticationScheme);
        }
        if (extractCredentials.getCredential() != null) {
            try {
                if (BaseLog.HTTP_LOGGER.isDebugEnabled()) {
                    BaseLog.HTTP_LOGGER.debugf("Authenticating using credentials [%s]", extractCredentials.getCredential());
                }
                identity.login();
                authenticationScheme.onPostAuthentication(httpServletRequest, httpServletResponse);
            } catch (AuthenticationException e) {
                BaseLog.HTTP_LOGGER.authenticationFailed(extractCredentials.getUserId(), e);
            }
        }
    }

    private HttpAuthenticationScheme getAuthenticationScheme(PathConfiguration pathConfiguration, HttpServletRequest httpServletRequest) {
        Class schemeType;
        HttpAuthenticationScheme httpAuthenticationScheme = null;
        if (pathConfiguration != null) {
            AuthenticationConfiguration authenticationConfiguration = pathConfiguration.getAuthenticationConfiguration();
            if (authenticationConfiguration != null) {
                CustomAuthenticationConfiguration authenticationSchemeConfiguration = authenticationConfiguration.getAuthenticationSchemeConfiguration();
                httpAuthenticationScheme = this.authenticationSchemes.get(pathConfiguration);
                if (httpAuthenticationScheme == null) {
                    if (FormAuthenticationConfiguration.class.isInstance(authenticationSchemeConfiguration)) {
                        schemeType = FormAuthenticationScheme.class;
                    } else if (DigestAuthenticationConfiguration.class.isInstance(authenticationSchemeConfiguration)) {
                        schemeType = DigestAuthenticationScheme.class;
                    } else if (BasicAuthenticationConfiguration.class.isInstance(authenticationSchemeConfiguration)) {
                        schemeType = BasicAuthenticationScheme.class;
                    } else if (X509AuthenticationConfiguration.class.isInstance(authenticationSchemeConfiguration)) {
                        schemeType = X509AuthenticationScheme.class;
                    } else if (TokenAuthenticationConfiguration.class.isInstance(authenticationSchemeConfiguration)) {
                        schemeType = TokenAuthenticationScheme.class;
                    } else {
                        if (!CustomAuthenticationConfiguration.class.isInstance(authenticationSchemeConfiguration)) {
                            throw new HttpSecurityConfigurationException("Unexpected Authentication Scheme configuration [" + authenticationSchemeConfiguration + "].");
                        }
                        schemeType = authenticationSchemeConfiguration.getSchemeType();
                    }
                    httpAuthenticationScheme = (HttpAuthenticationScheme) resolveInstance(this.authenticationSchemesInstance, schemeType);
                    this.authenticationSchemes.put(pathConfiguration, httpAuthenticationScheme);
                }
            }
        } else {
            httpAuthenticationScheme = restorePreviousAuthenticationScheme(httpServletRequest);
        }
        return httpAuthenticationScheme;
    }

    public void destroy() {
    }

    private HttpAuthenticationScheme restorePreviousAuthenticationScheme(HttpServletRequest httpServletRequest) {
        HttpSession session;
        PathConfiguration pathConfiguration;
        for (Map.Entry<PathConfiguration, HttpAuthenticationScheme> entry : this.authenticationSchemes.entrySet()) {
            if (extractCredentials(httpServletRequest, entry.getValue()).getCredential() != null && (session = httpServletRequest.getSession(false)) != null && (pathConfiguration = (PathConfiguration) session.getAttribute(AUTHENTICATION_ORIGINAL_PATH)) != null && pathConfiguration.equals(entry.getKey())) {
                session.removeAttribute(AUTHENTICATION_ORIGINAL_PATH);
                return entry.getValue();
            }
        }
        return null;
    }

    private DefaultLoginCredentials extractCredentials(HttpServletRequest httpServletRequest, HttpAuthenticationScheme httpAuthenticationScheme) {
        DefaultLoginCredentials credentials = getCredentials();
        credentials.invalidate();
        httpAuthenticationScheme.extractCredential(httpServletRequest, credentials);
        return credentials;
    }

    private DefaultLoginCredentials getCredentials() {
        return (DefaultLoginCredentials) resolveInstance(this.credentialsInstance);
    }

    private Identity getIdentity() {
        return (Identity) resolveInstance(this.identityInstance);
    }

    private <I> I resolveInstance(Instance<I> instance) {
        return (I) resolveInstance(instance, null);
    }

    private <I> I resolveInstance(Instance<I> instance, Class<? extends I> cls) {
        Instance<I> select;
        if (cls != null) {
            try {
                select = instance.select(cls, new Annotation[0]);
            } catch (Exception e) {
                throw new IllegalStateException("Could not retrieve fromInstance [" + instance + "].", e);
            }
        } else {
            select = instance;
        }
        if (select.isUnsatisfied()) {
            throw new IllegalStateException("Instance [" + select + "] not found.");
        }
        if (select.isAmbiguous()) {
            throw new IllegalStateException("Instance [" + select + "] is ambiguous.");
        }
        return (I) select.get();
    }

    private void initializeAuthenticationSchemes() {
        HttpAuthenticationScheme authenticationScheme;
        Iterator it = this.configuration.getPaths().values().iterator();
        while (it.hasNext()) {
            for (PathConfiguration pathConfiguration : (List) it.next()) {
                if (pathConfiguration.isSecured() && (authenticationScheme = getAuthenticationScheme(pathConfiguration, null)) != null) {
                    AuthenticationSchemeConfiguration authenticationSchemeConfiguration = pathConfiguration.getAuthenticationConfiguration().getAuthenticationSchemeConfiguration();
                    if (CustomAuthenticationConfiguration.class.isInstance(authenticationSchemeConfiguration)) {
                        continue;
                    } else {
                        try {
                            authenticationScheme.initialize(authenticationSchemeConfiguration);
                        } catch (Exception e) {
                            throw new HttpSecurityConfigurationException("Could not initialize Http Authentication Scheme [" + authenticationScheme + "].", e);
                        }
                    }
                }
            }
        }
    }

    private void initializePathAuthorizers() {
        AuthorizationConfiguration authorizationConfiguration;
        Iterator it = this.configuration.getPaths().values().iterator();
        while (it.hasNext()) {
            for (PathConfiguration pathConfiguration : (List) it.next()) {
                if (pathConfiguration.isSecured() && (authorizationConfiguration = pathConfiguration.getAuthorizationConfiguration()) != null) {
                    ArrayList arrayList = new ArrayList();
                    ArrayList<Class> arrayList2 = new ArrayList(authorizationConfiguration.getAuthorizers());
                    arrayList2.addAll(getDefaultPathAuthorizers());
                    for (Class cls : arrayList2) {
                        try {
                            arrayList.add(resolveInstance(this.pathAuthorizerInstance, cls));
                        } catch (Exception e) {
                            throw new HttpSecurityConfigurationException("Could not resolve PathAuthorizer [" + cls + "].", e);
                        }
                    }
                    this.pathAuthorizers.put(pathConfiguration, arrayList);
                }
            }
        }
    }

    private Set<Class<? extends PathAuthorizer>> getDefaultPathAuthorizers() {
        HashSet hashSet = new HashSet();
        hashSet.add(RolePathAuthorizer.class);
        hashSet.add(GroupPathAuthorizer.class);
        hashSet.add(RealmPathAuthorizer.class);
        hashSet.add(ExpressionPathAuthorizer.class);
        return hashSet;
    }

    private void initializePathMatcher() {
        this.pathMatcher = new PathMatcher(this.configuration.getPaths(), this.elProcessor);
    }
}
