package waffle.servlet;

import java.io.IOException;
import java.security.Principal;
import java.util.Locale;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import waffle.servlet.spi.SecurityFilterProviderCollection;
import waffle.util.AuthorizationHeader;
import waffle.util.CorsPreFlightCheck;
import waffle.windows.auth.IWindowsAuthProvider;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.IWindowsImpersonationContext;
import waffle.windows.auth.PrincipalFormat;

/* loaded from: input_file:waffle/servlet/NegotiateSecurityFilter.class */
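/**
 * Servlet filter that authenticates requests through the configured
 * {@link SecurityFilterProviderCollection} and exposes the resulting Windows identity to the
 * rest of the chain as a {@link WindowsPrincipal}.
 *
 * <p>This listing is decompiler output. {@link #init(javax.servlet.FilterConfig)} could not be
 * recovered, so the code that assigns {@code providers}, {@code excludePatterns} and the boolean
 * switches is not visible here.
 *
 * <p>Security-relevant behaviour visible in this class: several branches of
 * {@link #doFilter(ServletRequest, ServletResponse, FilterChain)} forward the request
 * <em>without</em> authenticating it (non-Windows host, {@code disableSSO}, an exclude-pattern
 * match, CORS preflight, {@code Authorization: Bearer}). Anything behind this filter must not
 * assume a principal is present on those paths.
 */
public class NegotiateSecurityFilter implements Filter {
    private static final Logger LOGGER = LoggerFactory.getLogger(NegotiateSecurityFilter.class);
    private static final String PRINCIPALSESSIONKEY = NegotiateSecurityFilter.class.getName() + ".PRINCIPAL";
    /** Session attribute under which the JAAS {@link Subject} is stored. */
    private static final String SUBJECT_SESSION_KEY = "javax.security.auth.subject";
    // Lazily computed by isWindows(); null until the first call.
    private static Boolean windows;
    private SecurityFilterProviderCollection providers;
    private IWindowsAuthProvider auth;
    // Regular expressions matched against the full request URL; a match skips authentication.
    private String[] excludePatterns;
    private boolean impersonate;
    private boolean excludeBearerAuthorization;
    private boolean excludeCorsPreflight;
    private boolean disableSSO;
    private PrincipalFormat principalFormat = PrincipalFormat.FQN;
    private PrincipalFormat roleFormat = PrincipalFormat.FQN;
    // Guest logins are accepted unless this is switched off (the switch is not set in visible code).
    private boolean allowGuestLogin = true;

    public NegotiateSecurityFilter() {
        LOGGER.debug("[waffle.servlet.NegotiateSecurityFilter] loaded");
    }

    @Override
    public void destroy() {
        LOGGER.info("[waffle.servlet.NegotiateSecurityFilter] stopped");
    }

    /**
     * Authenticates the request, or forwards it unauthenticated when one of the bypass
     * conditions applies.
     *
     * <p>Order of checks: non-Windows host, {@code disableSSO}, exclude patterns, CORS
     * preflight, bearer authorization, an already authenticated principal, a missing
     * {@code Authorization} header (answered with 401), and finally the provider handshake.
     *
     * @param servletRequest the incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse the response; cast to {@link HttpServletResponse}
     * @param filterChain the remainder of the filter chain
     * @throws IOException if a downstream component fails on one of the bypass or
     *     previously-authenticated paths
     * @throws ServletException if no session could be obtained or a downstream component fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        LOGGER.debug("{} {}, contentlength: {}", request.getMethod(), request.getRequestURI(), request.getContentLength());

        if (!isWindows()) {
            LOGGER.debug("Running in a non windows environment, SSO skipped");
            filterChain.doFilter(request, response);
            return;
        }
        if (this.disableSSO) {
            LOGGER.debug("SSO is disabled, resuming filter chain");
            filterChain.doFilter(request, response);
            return;
        }
        if (request.getRequestURL() != null && this.excludePatterns != null) {
            // The whole URL (scheme, host, path including any path parameters) is matched, so a
            // loosely written pattern can exempt more URLs than intended. Keep patterns as
            // specific as possible: a match means the request is never authenticated here.
            String url = request.getRequestURL().toString();
            for (String pattern : this.excludePatterns) {
                if (url.matches(pattern)) {
                    // The original passed these two arguments in the opposite order, so the log
                    // line labelled the URL as the pattern and vice versa.
                    LOGGER.info("Pattern :{} excluded URL:{}", pattern, url);
                    filterChain.doFilter(servletRequest, servletResponse);
                    return;
                }
            }
        }
        if (this.excludeCorsPreflight && CorsPreFlightCheck.isPreflight(request)) {
            LOGGER.debug("[waffle.servlet.NegotiateSecurityFilter] CORS preflight");
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        AuthorizationHeader authorizationHeader = new AuthorizationHeader(request);
        if (this.excludeBearerAuthorization && authorizationHeader.isBearerAuthorizationHeader()) {
            // The bearer token is NOT validated here; a downstream component has to do that,
            // otherwise any request carrying a Bearer header passes unauthenticated.
            LOGGER.debug("[waffle.servlet.NegotiateSecurityFilter] Authorization: Bearer");
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (doFilterPrincipal(request, response, filterChain)) {
            return;
        }
        if (authorizationHeader.isNull()) {
            LOGGER.debug("authorization required");
            sendUnauthorized(response, false);
            return;
        }

        try {
            IWindowsIdentity identity = this.providers.doFilter(request, response);
            if (identity == null) {
                // No identity was produced; nothing further is written by this filter.
                return;
            }
            IWindowsImpersonationContext impersonationContext = null;
            try {
                if (!this.allowGuestLogin && identity.isGuest()) {
                    LOGGER.warn("guest login disabled: {}", identity.getFqn());
                    sendUnauthorized(response, true);
                    return;
                }
                LOGGER.debug("logged in user: {} ({})", identity.getFqn(), identity.getSidString());
                HttpSession session = request.getSession(true);
                if (session == null) {
                    throw new ServletException("Expected HttpSession");
                }
                // NOTE(review): the session id is not rotated after a successful login in the
                // visible code. If no other component does it, consider
                // HttpServletRequest.changeSessionId() (Servlet 3.1+) to guard against session
                // fixation.
                Subject subject = (Subject) session.getAttribute(SUBJECT_SESSION_KEY);
                if (subject == null) {
                    subject = new Subject();
                }
                WindowsPrincipal principal = this.impersonate
                        ? new AutoDisposableWindowsPrincipal(identity, this.principalFormat, this.roleFormat)
                        : new WindowsPrincipal(identity, this.principalFormat, this.roleFormat);
                LOGGER.debug("roles: {}", principal.getRolesString());
                subject.getPrincipals().add(principal);
                session.setAttribute(SUBJECT_SESSION_KEY, subject);
                LOGGER.info("successfully logged in user: {}", identity.getFqn());
                session.setAttribute(PRINCIPALSESSIONKEY, principal);
                NegotiateRequestWrapper wrappedRequest = new NegotiateRequestWrapper(request, principal);
                if (this.impersonate) {
                    LOGGER.debug("impersonating user");
                    impersonationContext = identity.impersonate();
                }
                filterChain.doFilter(wrappedRequest, response);
            } finally {
                // The decompiled listing guarded the failure path with a constant "0 == 0", so an
                // exception thrown while impersonating disposed the identity but never called
                // revertToSelf(), leaving the worker thread under the caller's token. A single
                // finally block applies the same rule to success, early return and failure.
                if (this.impersonate && impersonationContext != null) {
                    LOGGER.debug("terminating impersonation");
                    impersonationContext.revertToSelf();
                } else {
                    identity.dispose();
                }
            }
        } catch (IOException e) {
            // An IOException from the provider handshake or from downstream ends up here and is
            // answered with 401 and "Connection: close".
            LOGGER.warn("error logging in user: {}", e.getMessage());
            LOGGER.trace("", e);
            sendUnauthorized(response, true);
        }
    }

    /**
     * Forwards the request when it already carries an authenticated principal, taken from the
     * request or from the session attribute this filter stores after login.
     *
     * <p>A principal that is not a {@link WindowsPrincipal} is accepted as-is and the request is
     * forwarded unchanged.
     *
     * @return {@code true} if the request was forwarded down the chain, {@code false} if the
     *     caller still has to authenticate it
     */
    private boolean doFilterPrincipal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        Principal principal = httpServletRequest.getUserPrincipal();
        if (principal == null) {
            HttpSession session = httpServletRequest.getSession(false);
            if (session != null) {
                principal = (Principal) session.getAttribute(PRINCIPALSESSIONKEY);
            }
        }
        if (principal == null || this.providers.isPrincipalException(httpServletRequest)) {
            return false;
        }
        if (!(principal instanceof WindowsPrincipal)) {
            LOGGER.debug("previously authenticated user: {}", principal.getName());
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return true;
        }
        LOGGER.debug("previously authenticated Windows user: {}", principal.getName());
        WindowsPrincipal windowsPrincipal = (WindowsPrincipal) principal;
        if (this.impersonate && windowsPrincipal.getIdentity() == null) {
            // Impersonation needs a live identity; without one the request is re-authenticated.
            return false;
        }
        NegotiateRequestWrapper wrappedRequest = new NegotiateRequestWrapper(httpServletRequest, windowsPrincipal);
        IWindowsImpersonationContext impersonationContext = null;
        if (this.impersonate) {
            LOGGER.debug("re-impersonating user");
            impersonationContext = windowsPrincipal.getIdentity().impersonate();
        }
        try {
            filterChain.doFilter(wrappedRequest, httpServletResponse);
            return true;
        } finally {
            // Always drop the impersonated token before the thread leaves this filter.
            if (this.impersonate && impersonationContext != null) {
                LOGGER.debug("terminating impersonation");
                impersonationContext.revertToSelf();
            }
        }
    }

    /*
     * The decompiler (JADX) could not reconstruct this method: it reported eleven
     * "Removed duplicated region" warnings and skipped a dump of 993 instructions.
     * The stub below is NOT the real behaviour; it only throws. Review the original
     * bytecode or the upstream source before drawing conclusions about how the filter
     * is configured. Presumably this is where providers, excludePatterns and the
     * boolean switches are assigned - confirm against the real implementation.
     */
    @Override
    public void init(javax.servlet.FilterConfig r9) throws javax.servlet.ServletException {
        throw new UnsupportedOperationException("Method not decompiled: waffle.servlet.NegotiateSecurityFilter.init(javax.servlet.FilterConfig):void");
    }

    /**
     * Sets the principal format from its name, case-insensitively.
     *
     * @param str the name of a {@link PrincipalFormat} constant
     * @throws IllegalArgumentException if {@code str} does not name a constant
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public void setPrincipalFormat(String str) {
        this.principalFormat = PrincipalFormat.valueOf(str.toUpperCase(Locale.ENGLISH));
        LOGGER.info("principal format: {}", this.principalFormat);
    }

    public PrincipalFormat getPrincipalFormat() {
        return this.principalFormat;
    }

    /**
     * Sets the role format from its name, case-insensitively.
     *
     * @param str the name of a {@link PrincipalFormat} constant
     * @throws IllegalArgumentException if {@code str} does not name a constant
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public void setRoleFormat(String str) {
        this.roleFormat = PrincipalFormat.valueOf(str.toUpperCase(Locale.ENGLISH));
        LOGGER.info("role format: {}", this.roleFormat);
    }

    public PrincipalFormat getRoleFormat() {
        return this.roleFormat;
    }

    /**
     * Lets the providers add their challenge to the response, then sends a 401.
     *
     * @param httpServletResponse the response to complete
     * @param close {@code true} to send {@code Connection: close}, {@code false} for
     *     {@code Connection: keep-alive}
     * @throws RuntimeException wrapping any {@link IOException} raised while writing
     */
    private void sendUnauthorized(HttpServletResponse httpServletResponse, boolean close) {
        try {
            this.providers.sendUnauthorized(httpServletResponse);
            httpServletResponse.setHeader("Connection", close ? "close" : "keep-alive");
            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            httpServletResponse.flushBuffer();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    public IWindowsAuthProvider getAuth() {
        return this.auth;
    }

    public void setAuth(IWindowsAuthProvider iWindowsAuthProvider) {
        this.auth = iWindowsAuthProvider;
    }

    public boolean isAllowGuestLogin() {
        return this.allowGuestLogin;
    }

    public void setImpersonate(boolean z) {
        this.impersonate = z;
    }

    public boolean isImpersonate() {
        return this.impersonate;
    }

    public SecurityFilterProviderCollection getProviders() {
        return this.providers;
    }

    /**
     * Reports whether the {@code os.name} system property contains {@code "win"}
     * (case-insensitive). The result is cached after the first call.
     */
    private static boolean isWindows() {
        if (windows == null) {
            windows = Boolean.valueOf(System.getProperty("os.name").toLowerCase(Locale.ENGLISH).contains("win"));
        }
        return windows.booleanValue();
    }
}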
