package org.fcrepo.server.security.jaas;

import java.io.File;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.ws.rs.HttpMethod;
import org.fcrepo.common.Constants;
import org.fcrepo.common.http.FilterConfigBean;
import org.fcrepo.server.rest.RestParam;
import org.fcrepo.server.security.jaas.auth.AuthHttpServletRequestWrapper;
import org.fcrepo.server.security.jaas.auth.handler.UsernamePasswordCallbackHandler;
import org.fcrepo.server.security.jaas.util.Base64;
import org.fcrepo.server.security.jaas.util.SubjectUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/fcrepo-security-jaas-3.6.1.jar:org/fcrepo/server/security/jaas/AuthFilterJAAS.class */
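/**
 * Servlet filter that authenticates HTTP Basic credentials against a JAAS login
 * configuration and exposes the resulting {@link Subject}, user principal and roles
 * to the rest of the request pipeline.
 *
 * <p>Behaviour summary:
 * <ul>
 *   <li>{@link #init()} resolves the JAAS configuration file (default
 *       {@code $FEDORA_HOME/server/config/jaas.conf}) and installs it as the JVM-wide
 *       {@code java.security.auth.login.config} property.</li>
 *   <li>{@link #doFilter} parses the {@code Authorization} header; on success it wraps the
 *       request so {@code getUserPrincipal()}/roles reflect the JAAS subject, and publishes
 *       the subject's attributes under {@code FEDORA_AUX_SUBJECT_ATTRIBUTES}.</li>
 *   <li>Requests without (valid) credentials receive a {@code 401} with a Basic challenge,
 *       unless {@code authnAPIA} is off and the request is a GET that is not in the
 *       protected-read list (see {@link #isProtectedRead}).</li>
 * </ul>
 *
 * <p>Security notes:
 * <ul>
 *   <li>A successfully authenticated subject is cached in the HTTP session under a key
 *       derived from a SHA-256 digest of the Authorization header, so the raw credentials
 *       are never stored in (possibly persisted/replicated) session state.</li>
 *   <li>A cached subject is reused without re-running the JAAS login for the life of the
 *       session; password changes or account disabling therefore take effect only once the
 *       session expires.  Confirm this matches the deployment's expectations.</li>
 *   <li>This filter performs authentication only.  Authorization of the
 *       unauthenticated API-A reads it lets through is assumed to happen downstream;
 *       verify that with the deployed policy layer.</li>
 * </ul>
 */
public class AuthFilterJAAS implements Filter {

    private static final Logger logger = LoggerFactory.getLogger(AuthFilterJAAS.class);

    /** Session attribute under which the most recently authenticated Subject is published. */
    private static final String SESSION_SUBJECT_KEY = "javax.security.auth.subject";
    /** JVM system property that tells JAAS where its login configuration lives. */
    private static final String JAAS_CONFIG_KEY = "java.security.auth.login.config";
    /** Login-configuration entry name used when {@code jaas.config.name} is not set. */
    private static final String JAAS_CONFIG_DEFAULT = "fedora-auth";
    private static final String ROLE_KEY = "role";
    private static final String FEDORA_ROLE_KEY = "fedoraRole";
    private static final String FEDORA_ATTRIBUTES_KEY = "FEDORA_AUX_SUBJECT_ATTRIBUTES";

    /** Prefix of the per-credential Subject cache entries kept in the HTTP session. */
    private static final String SUBJECT_CACHE_PREFIX = "org.fcrepo.server.security.jaas.subject.";
    /** Only the Basic scheme is understood; matched case-insensitively per RFC 7617. */
    private static final String BASIC_SCHEME = "Basic ";
    private static final String CSV_SEPARATOR = " *, *";
    private static final Charset UTF8 = Charset.forName("UTF-8");

    private String jaasConfigName = null;
    private final FilterConfigBean filterConfigBean = new FilterConfigBean();
    private FilterConfig filterConfig = this.filterConfigBean;
    private Set<String> userClassNames = null;
    private Set<String> roleClassNames = null;
    private Set<String> roleAttributeNames = null;
    /**
     * Whether API-A (read) GET requests require authentication.  Note that {@link #init()}
     * overwrites this with {@code Boolean.parseBoolean(initParam)}, so an absent
     * {@code authnAPIA} parameter yields {@code false}, not this initializer's value.
     */
    private boolean authnAPIA = true;

    /** Programmatic equivalent of the {@code userClassNames} init parameter. */
    public void setUserClassNames(String str) {
        this.filterConfigBean.addInitParameter("userClassNames", str);
    }

    /** Programmatic equivalent of the {@code authnAPIA} init parameter. */
    public void setAuthnAPIA(String str) {
        this.filterConfigBean.addInitParameter("authnAPIA", str);
    }

    /** Programmatic equivalent of the {@code jaas.config.location} init parameter. */
    public void setJaasConfigLocation(String str) {
        this.filterConfigBean.addInitParameter("jaas.config.location", str);
    }

    /** Programmatic equivalent of the {@code jaas.config.name} init parameter. */
    public void setJaasConfigName(String str) {
        this.filterConfigBean.addInitParameter("jaas.config.name", str);
    }

    /** Programmatic equivalent of the {@code roleClassNames} init parameter. */
    public void setRoleClassNames(String str) {
        this.filterConfigBean.addInitParameter("roleClassNames", str);
    }

    /** Programmatic equivalent of the {@code roleAttributeNames} init parameter. */
    public void setRoleAttributeNames(String str) {
        this.filterConfigBean.addInitParameter("roleAttributeNames", str);
    }

    /**
     * Container entry point.  A {@code null} config falls back to the programmatic
     * {@link FilterConfigBean} instead of being dereferenced in {@link #init()}.
     *
     * @throws ServletException if initialisation fails (see {@link #init()})
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        if (filterConfig == null) {
            logger.info("No configuration for: {}; using programmatic parameters", getClass().getName());
            this.filterConfig = this.filterConfigBean;
        } else {
            this.filterConfig = filterConfig;
        }
        init();
    }

    /**
     * Reads the init parameters, validates the JAAS configuration file and installs it as the
     * JVM-wide JAAS login configuration.
     *
     * @throws ServletException if {@code FEDORA_HOME} is unset or the JAAS config file is
     *         missing, not a regular file, or unreadable
     */
    public void init() throws ServletException {
        String fedoraHome = Constants.FEDORA_HOME;
        if (fedoraHome == null || "".equals(fedoraHome)) {
            throw new ServletException("FEDORA_HOME environment variable not set");
        }
        logger.info("using FEDORA_HOME: {}", fedoraHome);

        String configLocation = fedoraHome + "/server/config/jaas.conf";
        this.jaasConfigName = JAAS_CONFIG_DEFAULT;

        String locationParam = this.filterConfig.getInitParameter("jaas.config.location");
        if (locationParam != null && !"".equals(locationParam)) {
            configLocation = locationParam;
            logger.debug("using location from init file: {}", configLocation);
        }

        String nameParam = this.filterConfig.getInitParameter("jaas.config.name");
        if (nameParam != null && !"".equals(nameParam)) {
            this.jaasConfigName = nameParam;
            logger.debug("using name from init file: {}", this.jaasConfigName);
        }

        // Boolean.parseBoolean(null) is false: an absent parameter disables API-A authentication.
        // Make that visible to operators rather than silently opening read access.
        String authnParam = this.filterConfig.getInitParameter("authnAPIA");
        if (authnParam == null) {
            logger.warn("init parameter 'authnAPIA' not set; API-A GET requests will NOT require authentication");
        }
        this.authnAPIA = Boolean.parseBoolean(authnParam);

        this.userClassNames = parseCsv(this.filterConfig.getInitParameter("userClassNames"));
        this.roleClassNames = parseCsv(this.filterConfig.getInitParameter("roleClassNames"));
        this.roleAttributeNames = parseCsv(this.filterConfig.getInitParameter("roleAttributeNames"));
        // These two attribute names are always treated as role sources.
        this.roleAttributeNames.add(ROLE_KEY);
        this.roleAttributeNames.add(FEDORA_ROLE_KEY);

        File configFile = new File(configLocation);
        if (!configFile.isFile()) {
            String msg = "JAAS config file not at: " + configFile.getAbsolutePath();
            logger.error(msg);
            throw new ServletException(msg);
        }
        if (!configFile.canRead()) {
            // Fail at startup rather than on the first login attempt.
            String msg = "JAAS config file not readable: " + configFile.getAbsolutePath();
            logger.error(msg);
            throw new ServletException(msg);
        }

        // NOTE: this is a JVM-wide property; it replaces any JAAS configuration another
        // application in the same container may have installed.
        System.setProperty(JAAS_CONFIG_KEY, configFile.getAbsolutePath());
        logger.info("initialised servlet filter: {}", getClass().getName());
    }

    /**
     * Splits a comma-separated init parameter (surrounding spaces tolerated) into a set.
     * A {@code null} value yields an empty, mutable set.
     */
    private static Set<String> parseCsv(String value) {
        Set<String> result = new HashSet<String>();
        if (value != null) {
            for (String item : value.split(CSV_SEPARATOR)) {
                result.add(item);
            }
        }
        return result;
    }

    /**
     * Authenticates the request and either challenges (401), passes it through anonymously
     * (permitted API-A reads only), or forwards a wrapped request carrying the principal,
     * roles and subject attributes.
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        // Everything requires credentials except, when authnAPIA is off, GETs that are not
        // in the protected-read list.  A null method counts as "requires authentication".
        boolean requiresAuthn = this.authnAPIA
                || !HttpMethod.GET.equals(request.getMethod())
                || isProtectedRead(request);

        if (logger.isDebugEnabled()) {
            logger.debug("incoming filter: {}", getClass().getName());
            // Do not create a session just to log its id.
            HttpSession session = request.getSession(false);
            logger.debug("session-id: {}", session == null ? "none" : session.getId());
        }

        Subject subject = authenticate(request);
        if (subject == null) {
            if (requiresAuthn) {
                loginForm(response);
            } else {
                // Anonymous API-A read; any access control is left to downstream components.
                filterChain.doFilter(servletRequest, servletResponse);
            }
            return;
        }

        Principal userPrincipal = getUserPrincipal(subject);
        Set<String> userRoles = getUserRoles(subject);

        AuthHttpServletRequestWrapper wrapped = new AuthHttpServletRequestWrapper(request);
        wrapped.setUserPrincipal(userPrincipal);
        wrapped.setUserRoles(userRoles);
        addRolesToSubject(subject, userRoles);
        populateFedoraAttributes(subject, userRoles, wrapped);

        filterChain.doFilter(wrapped, servletResponse);
        logger.debug("outgoing filter: {}", getClass().getName());
    }

    /**
     * Decides whether a GET request must be authenticated even when {@code authnAPIA} is off:
     * exports, object XML, datastream metadata (but not content), datastream profile listings,
     * relationships, validation, management control/PID allocation and the {@code /user} endpoint.
     *
     * <p>NOTE(review): matching is by suffix on the raw path/URI.  Confirm the REST layer does not
     * route variants (trailing slash, encoded segments, extra suffix) to the same resources, as
     * those would not be caught here.
     */
    private static boolean isProtectedRead(HttpServletRequest request) {
        String pathInfo = request.getPathInfo();
        if (pathInfo == null) {
            pathInfo = "";
        }
        String requestURI = request.getRequestURI();
        return pathInfo.endsWith("/export")
                || pathInfo.endsWith("/objectXML")
                || (pathInfo.contains("/datastreams/") && !pathInfo.endsWith("/content"))
                || (pathInfo.endsWith("/datastreams")
                        && Boolean.parseBoolean(request.getParameter(RestParam.PROFILES)))
                || pathInfo.endsWith("/relationships")
                || pathInfo.endsWith("/validate")
                || requestURI.endsWith("/management/control")
                || requestURI.endsWith("/management/getNextPID")
                || requestURI.endsWith("/user");
    }

    public void destroy() {
        logger.info("destroying servlet filter: {}", getClass().getName());
        this.filterConfig = null;
    }

    /**
     * Discards any buffered output and sends a {@code 401} with a Basic challenge.
     *
     * @throws IOException if the response body cannot be written
     */
    private void loginForm(HttpServletResponse response) throws IOException {
        response.reset();
        response.addHeader("WWW-Authenticate", "Basic realm=\"!!Fedora Repository Server\"");
        response.setStatus(401);
        ServletOutputStream out = response.getOutputStream();
        out.write("Fedora: 401 ".getBytes(UTF8));
        out.flush();
        out.close();
    }

    /**
     * Parses the {@code Authorization} header and runs a JAAS login for Basic credentials.
     *
     * <p>Returns {@code null} (caller decides whether to challenge) when the header is absent,
     * uses a scheme other than Basic, cannot be decoded, lacks the {@code user:password}
     * separator, or the login fails.  A successful subject is cached in the session under a
     * digest-derived key so repeat requests with the same header skip the login.
     */
    private Subject authenticate(HttpServletRequest request) {
        String header = request.getHeader("authorization");
        if (header == null || "".equals(header.trim())) {
            return null;
        }
        // Reject non-Basic schemes up front instead of feeding arbitrary text to the decoder.
        if (header.length() <= BASIC_SCHEME.length()
                || !header.regionMatches(true, 0, BASIC_SCHEME, 0, BASIC_SCHEME.length())) {
            logger.debug("authorization header is not HTTP Basic; ignoring");
            return null;
        }

        String cacheKey = subjectCacheKey(header);
        HttpSession existing = request.getSession(false);
        if (existing != null) {
            Object cached = existing.getAttribute(cacheKey);
            if (cached instanceof Subject) {
                // Cached subjects are trusted for the life of the session (no re-login).
                return (Subject) cached;
            }
        }

        String username;
        String password;
        try {
            // NOTE(review): decoded with the platform default charset, as before; RFC 7617
            // leaves the charset to the server, so change only in step with the clients.
            String decoded = new String(Base64.decode(header.substring(BASIC_SCHEME.length())));
            int separator = decoded.indexOf(':');
            if (separator < 0) {
                logger.warn("malformed Basic credentials: missing ':' separator");
                return null;
            }
            username = decoded.substring(0, separator);
            password = decoded.substring(separator + 1);
        } catch (IOException e) {
            logger.warn("could not decode Basic credentials: {}", e.toString());
            return null;
        }
        logger.debug("auth username: {}", username);

        try {
            LoginContext loginContext = new LoginContext(this.jaasConfigName,
                    new UsernamePasswordCallbackHandler(username, password));
            loginContext.login();
            Subject subject = loginContext.getSubject();
            // Only create a session once authentication has actually succeeded.
            HttpSession session = request.getSession();
            session.setAttribute(SESSION_SUBJECT_KEY, subject);
            session.setAttribute(cacheKey, subject);
            return subject;
        } catch (LoginException e) {
            // Do not log the password; the exception text from the login module is enough.
            logger.warn("JAAS login failed for user '{}': {}", username, e.toString());
            return null;
        }
    }

    /**
     * Derives the session attribute name for a credential's cached Subject from a SHA-256 digest
     * of the Authorization header, so the raw (Base64, reversible) credentials never become part
     * of session state.
     */
    private static String subjectCacheKey(String authorizationHeader) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(authorizationHeader.getBytes(UTF8));
            StringBuilder key = new StringBuilder(SUBJECT_CACHE_PREFIX);
            for (byte b : digest) {
                key.append(String.format("%02x", b & 0xff));
            }
            return key.toString();
        } catch (NoSuchAlgorithmException e) {
            // Every conforming JRE ships SHA-256; treat its absence as a broken platform.
            throw new IllegalStateException("SHA-256 MessageDigest unavailable", e);
        }
    }

    /**
     * Picks the user principal: the first principal whose class is listed in
     * {@code userClassNames}, else the subject's first principal, else {@code null}.
     * A subject with no principals is logged at WARN instead of throwing.
     */
    private Principal getUserPrincipal(Subject subject) {
        Set<Principal> principals = subject.getPrincipals();
        Principal chosen = null;
        if (this.userClassNames != null && !this.userClassNames.isEmpty()) {
            for (Principal candidate : principals) {
                if (this.userClassNames.contains(candidate.getClass().getName())) {
                    chosen = candidate;
                    break;
                }
            }
        }
        if (chosen == null && !principals.isEmpty()) {
            chosen = principals.iterator().next();
        }
        if (chosen == null) {
            logger.warn("authenticated subject carries no principals; request will have no user principal");
        } else if (logger.isDebugEnabled()) {
            logger.debug("found userPrincipal [{}]: {}", chosen.getClass().getName(), chosen.getName());
        }
        return chosen;
    }

    /**
     * Collects role names from principals whose class is in {@code roleClassNames} and from
     * subject attributes whose name is in {@code roleAttributeNames}.
     */
    private Set<String> getUserRoles(Subject subject) {
        Set<String> roles = new HashSet<String>();
        if (this.roleClassNames != null && !this.roleClassNames.isEmpty()) {
            for (Principal principal : subject.getPrincipals()) {
                if (this.roleClassNames.contains(principal.getClass().getName())) {
                    roles.add(principal.getName());
                }
            }
        }
        Map<String, Set<String>> attributes = SubjectUtils.getAttributes(subject);
        if (attributes != null) {
            for (Map.Entry<String, Set<String>> entry : attributes.entrySet()) {
                if (this.roleAttributeNames.contains(entry.getKey())) {
                    roles.addAll(entry.getValue());
                }
            }
        }
        if (logger.isDebugEnabled()) {
            for (String role : roles) {
                logger.debug("found role: {}", role);
            }
        }
        return roles;
    }

    /**
     * Merges the collected roles into the subject's {@code role} attribute.  If the subject
     * exposes no attribute map there is nothing to merge into, so this is a no-op.
     */
    private void addRolesToSubject(Subject subject, Set<String> roles) {
        if (roles == null) {
            roles = new HashSet<String>();
        }
        Map<String, Set<String>> attributes = SubjectUtils.getAttributes(subject);
        if (attributes == null) {
            logger.debug("subject has no attribute map; roles not added to subject");
            return;
        }
        Set<String> roleAttr = attributes.get(ROLE_KEY);
        if (roleAttr == null) {
            roleAttr = new HashSet<String>();
            attributes.put(ROLE_KEY, roleAttr);
        }
        for (String role : roles) {
            roleAttr.add(role);
            logger.debug("added role: {}", role);
        }
    }

    /**
     * Adds the roles to the subject's {@code fedoraRole} attribute and publishes the whole
     * attribute map on the request as {@code FEDORA_AUX_SUBJECT_ATTRIBUTES}.
     */
    private void populateFedoraAttributes(Subject subject, Set<String> roles, HttpServletRequest request) {
        Map<String, Set<String>> attributes = SubjectUtils.getAttributes(subject);
        if (attributes == null) {
            attributes = new HashMap<String, Set<String>>();
        }
        Set<String> fedoraRoles = attributes.get(FEDORA_ROLE_KEY);
        if (fedoraRoles == null) {
            fedoraRoles = new HashSet<String>();
            attributes.put(FEDORA_ROLE_KEY, fedoraRoles);
        }
        fedoraRoles.addAll(roles);
        request.setAttribute(FEDORA_ATTRIBUTES_KEY, attributes);
    }
}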
