package org.overlord.commons.auth.filters;

import java.io.IOException;
import java.io.StringReader;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyStore;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.stream.XMLInputFactory;
import org.apache.commons.codec.binary.Base64;
import org.apache.http.HttpStatus;
import org.overlord.commons.auth.Messages;
import org.overlord.commons.auth.util.SAMLBearerTokenUtil;
import org.picketlink.identity.federation.core.parsers.saml.SAMLAssertionParser;
import org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil;
import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
import org.w3c.dom.Document;

/* loaded from: input_file:WEB-INF/lib/overlord-commons-auth-2.0.9.Final.jar:org/overlord/commons/auth/filters/SamlBearerTokenAuthFilter.class */
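/**
 * Servlet filter that authenticates a request from its HTTP {@code Authorization: Basic} header.
 *
 * <p>Two credential shapes are accepted:
 * <ul>
 *   <li>A regular username/password pair, which is handed to the container via
 *       {@link HttpServletRequest#login(String, String)}.</li>
 *   <li>The pseudo-user {@code SAML-BEARER-TOKEN}, whose "password" is a SAML assertion (XML).
 *       The assertion is parsed, checked against the configured issuers and, when
 *       {@code signatureRequired} is set, its signature is verified with the configured key.</li>
 * </ul>
 *
 * <p>The assertion is attacker-supplied text taken straight from an unauthenticated request, so the
 * StAX parser used here runs with DTD and external-entity support disabled. Note that
 * {@code signatureRequired} defaults to {@code false}: unless a deployment enables it, an assertion is
 * trusted on the strength of {@code SAMLBearerTokenUtil.validateAssertion} alone and its signature is
 * never checked.
 *
 * <p>Init-params (all optional; blank values fall back to the {@code default*()} hooks, which subclasses
 * may override): {@code realm}, {@code allowedIssuers} (comma-separated), {@code signatureRequired},
 * {@code keystorePath}, {@code keystorePassword}, {@code keyAlias}, {@code keyPassword}.
 */
public class SamlBearerTokenAuthFilter implements Filter {
    /**
     * Principal established by the most recent SAML bearer-token login on the current thread.
     * Set by {@link #consumeAssertion(AssertionType)}; cleared when a request enters the filter and
     * again once the filter chain returns, so a pooled thread never carries a stale principal into
     * the next request.
     */
    public static final ThreadLocal<SimplePrincipal> TL_principal = new ThreadLocal<>();
    /** Sentinel from {@link #doBasicLogin}: the container performed the login, no request proxy is needed. */
    private static final SimplePrincipal NO_PROXY = new SimplePrincipal(null);
    /** Scheme prefix of an HTTP Basic credential; matched case-insensitively. */
    private static final String BASIC_PREFIX = "BASIC ";
    /** Pseudo-username signalling that the password field carries a SAML assertion. */
    private static final String SAML_BEARER_USERNAME = "SAML-BEARER-TOKEN";
    /** SAML attribute name whose values become the principal's roles. */
    private static final String ROLE_ATTRIBUTE_NAME = "Role";

    private String realm;
    private Set<String> allowedIssuers;
    private boolean signatureRequired;
    private String keystorePath;
    private String keystorePassword;
    private String keyAlias;
    private String keyPassword;

    /**
     * Username/password pair decoded from a Basic authorization header.
     * {@code password} is {@code null} when the decoded value contained no {@code ':'} separator.
     */
    public static class Creds {
        public String username;
        public String password;

        public Creds(String str, String str2) {
            this.username = str;
            this.password = str2;
        }
    }

    /**
     * Reads the filter's init-params, falling back to the {@code default*()} hooks for any that are
     * absent or blank.
     *
     * @param filterConfig the container-supplied configuration
     * @throws ServletException declared by {@link Filter#init}; not thrown by this implementation
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String realmParam = initParam(filterConfig, "realm");
        this.realm = realmParam != null ? realmParam : defaultRealm();

        String issuersParam = initParam(filterConfig, "allowedIssuers");
        this.allowedIssuers = issuersParam != null ? parseIssuerList(issuersParam) : defaultAllowedIssuers();

        String signatureParam = initParam(filterConfig, "signatureRequired");
        // Trim before parsing: Boolean.parseBoolean(" true") is false, which would silently
        // disable signature checking for a value that looks enabled in the descriptor.
        this.signatureRequired = signatureParam != null
                ? Boolean.parseBoolean(signatureParam.trim())
                : defaultSignatureRequired();

        String keystorePathParam = initParam(filterConfig, "keystorePath");
        this.keystorePath = keystorePathParam != null ? keystorePathParam : defaultKeystorePath();

        String keystorePasswordParam = initParam(filterConfig, "keystorePassword");
        this.keystorePassword = keystorePasswordParam != null ? keystorePasswordParam : defaultKeystorePassword();

        String keyAliasParam = initParam(filterConfig, "keyAlias");
        this.keyAlias = keyAliasParam != null ? keyAliasParam : defaultKeyAlias();

        String keyPasswordParam = initParam(filterConfig, "keyPassword");
        this.keyPassword = keyPasswordParam != null ? keyPasswordParam : defaultKeyPassword();
    }

    /**
     * Returns the named init-param, or {@code null} when it is absent or consists only of whitespace.
     * The value itself is returned untrimmed.
     */
    private static String initParam(FilterConfig filterConfig, String name) {
        String value = filterConfig.getInitParameter(name);
        return (value == null || value.trim().isEmpty()) ? null : value;
    }

    /** Splits a comma-separated issuer list into a set, trimming whitespace around each entry. */
    private static Set<String> parseIssuerList(String csv) {
        Set<String> issuers = new HashSet<>();
        for (String issuer : csv.split(",")) {
            issuers.add(issuer.trim());
        }
        return issuers;
    }

    /** Default keystore password when the {@code keystorePassword} init-param is not set. */
    protected String defaultKeystorePassword() {
        return null;
    }

    /** Default key alias when the {@code keyAlias} init-param is not set. */
    protected String defaultKeyAlias() {
        return null;
    }

    /** Default key password when the {@code keyPassword} init-param is not set. */
    protected String defaultKeyPassword() {
        return null;
    }

    /** Default keystore path when the {@code keystorePath} init-param is not set. */
    protected String defaultKeystorePath() {
        return null;
    }

    /**
     * Whether assertion signatures must be verified when the {@code signatureRequired} init-param
     * is not set. Defaults to {@code false}, i.e. signatures are not checked unless configured.
     */
    protected boolean defaultSignatureRequired() {
        return false;
    }

    /**
     * Allowed assertion issuers when the {@code allowedIssuers} init-param is not set. How an empty
     * set is treated is decided by {@code SAMLBearerTokenUtil.validateAssertion}, not here.
     */
    protected Set<String> defaultAllowedIssuers() {
        return Collections.emptySet();
    }

    /** Realm advertised in the {@code WWW-Authenticate} challenge when {@code realm} is not set. */
    protected String defaultRealm() {
        return "Overlord";
    }

    /**
     * Authenticates the request and, on success, continues the chain with the resolved principal;
     * otherwise answers with a 401 challenge. {@link #TL_principal} is cleared both before and after
     * the request so nothing leaks across requests on a pooled thread.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        TL_principal.remove();
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        try {
            Creds creds = parseAuthorizationHeader(request.getHeader("Authorization"));
            if (creds == null) {
                sendAuthResponse(response);
                return;
            }
            SimplePrincipal principal = login(creds, request, response);
            if (principal == null) {
                sendAuthResponse(response);
                return;
            }
            doFilterChain(servletRequest, servletResponse, filterChain, principal);
        } finally {
            TL_principal.remove();
        }
    }

    /**
     * Continues the filter chain. For {@link #NO_PROXY} (container-managed login) the original
     * request is passed through; otherwise the request is wrapped so that the servlet's
     * principal/role queries answer from the SAML-derived principal.
     */
    protected void doFilterChain(ServletRequest servletRequest, ServletResponse servletResponse,
            FilterChain filterChain, SimplePrincipal simplePrincipal) throws IOException, ServletException {
        ServletRequest downstream = simplePrincipal == NO_PROXY
                ? servletRequest
                : proxyRequest(servletRequest, simplePrincipal);
        filterChain.doFilter(downstream, servletResponse);
    }

    /**
     * Wraps the request in a dynamic proxy whose {@code getUserPrincipal}, {@code getRemoteUser} and
     * {@code isUserInRole} answer from {@code principal}; every other method is delegated unchanged.
     */
    private HttpServletRequest proxyRequest(final ServletRequest servletRequest, final SimplePrincipal principal) {
        InvocationHandler handler = new InvocationHandler() {
            @Override
            public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
                String name = method.getName();
                if ("getUserPrincipal".equals(name)) {
                    return principal;
                }
                if ("getRemoteUser".equals(name)) {
                    return principal.getName();
                }
                if ("isUserInRole".equals(name)) {
                    return principal.getRoles().contains((String) args[0]);
                }
                try {
                    return method.invoke(servletRequest, args);
                } catch (InvocationTargetException e) {
                    // Rethrow the delegate's own exception (e.g. an IOException from getInputStream())
                    // rather than letting the proxy surface an UndeclaredThrowableException around it.
                    Throwable cause = e.getCause();
                    throw cause != null ? cause : e;
                }
            }
        };
        return (HttpServletRequest) Proxy.newProxyInstance(
                Thread.currentThread().getContextClassLoader(),
                new Class<?>[]{HttpServletRequest.class},
                handler);
    }

    /**
     * Decodes an HTTP Basic authorization header.
     *
     * @param header the raw {@code Authorization} header value, may be {@code null}
     * @return the decoded credentials, or {@code null} when the header is missing or not Basic.
     *         The password is {@code null} when the decoded text has no {@code ':'} after the
     *         first character.
     */
    private Creds parseAuthorizationHeader(String header) {
        // Locale.ROOT keeps the scheme comparison stable regardless of the JVM's default locale.
        if (header == null || !header.toUpperCase(Locale.ROOT).startsWith(BASIC_PREFIX)) {
            return null;
        }
        byte[] raw = Base64.decodeBase64(header.substring(BASIC_PREFIX.length()));
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int separator = decoded.indexOf(':');
        if (separator > 0) {
            return new Creds(decoded.substring(0, separator), decoded.substring(separator + 1));
        }
        return new Creds(decoded, null);
    }

    /**
     * Dispatches to the SAML or Basic login path depending on the username.
     *
     * @return the authenticated principal, or {@code null} when authentication fails
     * @throws IOException from the SAML path on signature or keystore failures
     */
    protected SimplePrincipal login(Creds creds, HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse) throws IOException {
        if (SAML_BEARER_USERNAME.equals(creds.username)) {
            // "SAML-BEARER-TOKEN" with no password carries no assertion: reject it as a failed
            // login rather than hand null to the XML parser.
            return creds.password == null ? null : doSamlLogin(creds.password, httpServletRequest);
        }
        return doBasicLogin(creds.username, creds.password, httpServletRequest);
    }

    /**
     * Authenticates a SAML bearer token.
     *
     * <p>The assertion is parsed, validated via {@code SAMLBearerTokenUtil.validateAssertion}
     * against the configured issuers, and — only when {@code signatureRequired} is set — its
     * signature is verified with the configured key pair. Parse and validation failures other than
     * {@link IOException} are wrapped in a {@link RuntimeException}.
     *
     * @param assertionXml the assertion text supplied by the client (untrusted)
     * @return the principal built from the assertion's subject and {@code Role} attributes
     * @throws IOException when the signature is required but invalid, or the key material cannot be loaded
     */
    protected SimplePrincipal doSamlLogin(String assertionXml, HttpServletRequest httpServletRequest)
            throws IOException {
        try {
            // DocumentUtil's parser configuration is not visible here; the StAX factory below is the
            // part of the parsing this class controls, so it is the part that is hardened.
            Document document = DocumentUtil.getDocument(assertionXml);
            AssertionType assertion = (AssertionType) new SAMLAssertionParser()
                    .parse(hardenedInputFactory().createXMLEventReader(new StringReader(assertionXml)));
            SAMLBearerTokenUtil.validateAssertion(assertion, httpServletRequest, this.allowedIssuers);
            // Key material is only loaded when a signature check is actually going to happen.
            if (this.signatureRequired
                    && !SAMLBearerTokenUtil.isSAMLAssertionSignatureValid(document, getKeyPair(assertion))) {
                throw new IOException(Messages.getString("SamlBearerTokenAuthFilter.InvalidSig"));
            }
            return consumeAssertion(assertion);
        } catch (IOException e) {
            throw e;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds a StAX factory with DTD processing and external-entity resolution disabled, since the
     * XML it parses comes from an unauthenticated client.
     */
    private static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return factory;
    }

    /**
     * Loads the signing key pair named by {@code keyAlias} from the configured keystore.
     *
     * @param assertionType currently unused; kept so the signature stays stable for callers
     * @throws IOException wrapping any failure, with the original exception as its cause
     */
    private KeyPair getKeyPair(AssertionType assertionType) throws IOException {
        try {
            return SAMLBearerTokenUtil.getKeyPair(loadKeystore(), this.keyAlias, this.keyPassword);
        } catch (Exception e) {
            throw new IOException(
                    Messages.getString("SamlBearerTokenAuthFilter.FailedToGetKeyPair") + this.keyAlias, e);
        }
    }

    /**
     * Opens the keystore at {@code keystorePath}.
     *
     * @throws IOException wrapping any failure, with the original exception as its cause
     */
    private KeyStore loadKeystore() throws IOException {
        try {
            return SAMLBearerTokenUtil.loadKeystore(this.keystorePath, this.keystorePassword);
        } catch (Exception e) {
            throw new IOException(
                    Messages.getString("SamlBearerTokenAuthFilter.ErrorLoadingKeystore") + e.getMessage(), e);
        }
    }

    /**
     * Turns a validated assertion into a {@link SimplePrincipal}: the subject's base-ID value is the
     * name, and every non-null value of a {@code Role} attribute (from any attribute statement)
     * becomes a role. The principal is also published on {@link #TL_principal}.
     */
    private SimplePrincipal consumeAssertion(AssertionType assertionType) throws Exception {
        SimplePrincipal principal = new SimplePrincipal(
                assertionType.getSubject().getSubType().getBaseID().getValue());
        // Statements of other kinds (authn, authz-decision) are skipped; only attribute statements
        // can carry roles.
        for (Object statement : assertionType.getStatements()) {
            if (!(statement instanceof AttributeStatementType)) {
                continue;
            }
            for (AttributeStatementType.ASTChoiceType choice : ((AttributeStatementType) statement).getAttributes()) {
                if (choice.getAttribute() == null
                        || !ROLE_ATTRIBUTE_NAME.equals(choice.getAttribute().getName())) {
                    continue;
                }
                for (Object value : choice.getAttribute().getAttributeValue()) {
                    if (value != null) {
                        principal.addRole(value.toString());
                    }
                }
            }
        }
        TL_principal.set(principal);
        return principal;
    }

    /**
     * Delegates a username/password login to the container.
     *
     * @return {@link #NO_PROXY} on success, or {@code null} when the container rejects the login
     *         (any exception from {@code login} is treated as a failed authentication, which the
     *         caller turns into a 401 challenge)
     */
    protected SimplePrincipal doBasicLogin(String str, String str2, HttpServletRequest httpServletRequest)
            throws IOException {
        try {
            httpServletRequest.login(str, str2);
            return NO_PROXY;
        } catch (Exception ignored) {
            // Deliberate: a rejected login is an authentication failure, not a server error.
            return null;
        }
    }

    /** Sends a 401 with a Basic challenge for the configured realm. */
    private void sendAuthResponse(HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.setHeader("WWW-Authenticate", String.format("BASIC realm=\"%1$s\"", this.realm));
        httpServletResponse.sendError(HttpStatus.SC_UNAUTHORIZED);
    }

    /** Nothing to release: the filter holds only configuration strings. */
    @Override
    public void destroy() {
    }
}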
