package no.kantega.publishing.security.filter;

import com.opensymphony.oscache.web.filter.CacheFilter;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.InvocationTargetException;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.jsp.JspException;
import no.kantega.commons.util.HttpHelper;
import no.kantega.publishing.client.filter.CrossSiteRequestForgeryContentRewriter;
import no.kantega.publishing.common.Aksess;
import no.kantega.publishing.common.exception.ExceptionHandler;
import no.kantega.publishing.common.service.ContentManagementService;
import no.kantega.publishing.security.SecuritySession;
import no.kantega.publishing.spring.RootContext;
import org.apache.log4j.Logger;
import org.apache.xalan.xsltc.compiler.Constants;
import org.springframework.web.servlet.support.WebContentGenerator;
import org.springframework.web.util.NestedServletException;

/* loaded from: input_file:WEB-INF/lib/openaksess-core-6.1.6.jar:no/kantega/publishing/security/filter/AdminFilter.class */
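/**
 * Guards the administration interface.
 * <p>
 * For every request the filter (1) requires a logged-in {@link SecuritySession} and starts the
 * login flow otherwise, (2) requires the admin role or one of the author roles and answers 403
 * otherwise, (3) marks the HTTP session as being in admin mode, (4) rejects POSTs that fail the
 * CSRF-token check with 403, and (5) forwards any exception thrown downstream to
 * {@link Aksess#ERROR_URL} with an {@link ExceptionHandler} describing the unwrapped cause.
 * <p>
 * Not thread-safe by design beyond what the servlet container guarantees: the only mutable state
 * is the servlet context captured in {@link #init(FilterConfig)}.
 */
public class AdminFilter implements Filter {
    /** Session attribute that downstream code reads to detect admin mode. */
    private static final String ADMIN_MODE_ATTRIBUTE = "adminMode";
    /** Message sent with the 403 when the CSRF check fails. */
    private static final String CSRF_ERROR_MESSAGE = "CSRF detected";

    private ServletContext servletContext;
    private final Logger log = Logger.getLogger(getClass());

    /**
     * Captures the servlet context so it can be exposed to downstream code as a request attribute.
     *
     * @param filterConfig container-supplied configuration
     * @throws ServletException never thrown here; declared by {@link Filter#init(FilterConfig)}
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        this.servletContext = filterConfig.getServletContext();
    }

    /**
     * Applies the authentication, authorisation and CSRF checks described on the class, then
     * either continues the chain or short-circuits with a login redirect / 403 / error page.
     *
     * @param servletRequest  must be an {@link HttpServletRequest}
     * @param servletResponse must be an {@link HttpServletResponse}
     * @param filterChain     the rest of the chain, invoked only when every check passes
     * @throws IOException      propagated from the response or the chain
     * @throws ServletException propagated from the error-page forward
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        request.setAttribute(ServletContext.class.getName(), this.servletContext);
        try {
            SecuritySession securitySession = new ContentManagementService(request).getSecuritySession();
            if (!securitySession.isLoggedIn()) {
                securitySession.initiateLogin(request, response);
                return;
            }
            if (!securitySession.isUserInRole(Aksess.getAdminRole()) && !securitySession.isUserInRole(Aksess.getAuthorRoles())) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            request.getSession(true).setAttribute(ADMIN_MODE_ATTRIBUTE, "true");
            if (isForgedPost(request)) {
                // Security-relevant event: WARN so it is not lost among routine INFO output.
                log.warn("Possible CSRF detected: by " + securitySession.getIdentity().getUserId() + "@" + securitySession.getIdentity().getDomain() + " from " + request.getRemoteHost() + ", posting to " + request.getRequestURL().toString());
                response.sendError(HttpServletResponse.SC_FORBIDDEN, CSRF_ERROR_MESSAGE);
                return;
            }
            // Admin pages must never be served from a cache.
            response.setDateHeader(CacheFilter.HEADER_EXPIRES, 0L);
            filterChain.doFilter(request, response);
        } catch (Exception e) {
            Throwable rootCause = unwrapRootCause(e);
            // Log the full chain (not just the root) via the logger instead of stderr.
            log.error("Unhandled exception while serving " + request.getRequestURI(), e);
            ExceptionHandler exceptionHandler = new ExceptionHandler();
            exceptionHandler.setThrowable(rootCause, request.getRequestURI());
            // NOTE(review): Constants.TRANSLET_OUTPUT_PNAME comes from the Xalan XSLT compiler and is
            // almost certainly a decompiler constant-folding artefact standing in for the session
            // attribute name the error page reads; it should be replaced by a constant owned by this
            // project with the same string value.
            request.getSession(true).setAttribute(Constants.TRANSLET_OUTPUT_PNAME, exceptionHandler);
            request.getRequestDispatcher(Aksess.ERROR_URL).forward(request, response);
        }
    }

    /**
     * Peels the wrapper exceptions that the JSP, servlet, Spring and reflection layers put around
     * the real failure. Each unwrapping step falls back to the original exception when the wrapper
     * carries no cause, so the error page always receives a non-null throwable.
     *
     * @param e the exception caught at the filter boundary; never {@code null}
     * @return the innermost cause found, or {@code e} itself
     */
    private static Throwable unwrapRootCause(Exception e) {
        Throwable cause = e;
        if (cause instanceof JspException) {
            cause = orOriginal(((JspException) cause).getRootCause(), e);
        }
        if (cause instanceof ServletException) {
            cause = orOriginal(((ServletException) cause).getRootCause(), e);
        }
        if (cause instanceof NestedServletException) {
            cause = orOriginal(((NestedServletException) cause).getRootCause(), e);
        }
        if (cause instanceof InvocationTargetException) {
            cause = orOriginal(((InvocationTargetException) cause).getTargetException(), e);
        }
        return cause;
    }

    /** Returns {@code candidate} unless it is {@code null}, in which case {@code original}. */
    private static Throwable orOriginal(Throwable candidate, Exception original) {
        return candidate != null ? candidate : original;
    }

    /**
     * Decides whether a request is a cross-site forged POST.
     * <p>
     * Only admin-mode, non-XHR POSTs are checked, and only when a
     * {@link CrossSiteRequestForgeryContentRewriter} bean is configured (otherwise no token was
     * ever injected into the forms). The token is expected to equal the session id XOR-ed with the
     * rewriter's secret, interpreted as decimal {@link BigInteger}s. The check fails closed: a
     * missing, empty, malformed or mismatching token counts as forged.
     *
     * @param request the current request; its session must already exist
     * @return {@code true} when the request must be rejected
     */
    private boolean isForgedPost(HttpServletRequest request) {
        boolean isPost = WebContentGenerator.METHOD_POST.equals(request.getMethod());
        // Browsers cannot attach this custom header cross-origin without a CORS preflight,
        // so its presence is taken as evidence of a same-origin script.
        boolean isXhr = "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
        if (!isPost || isXhr || !HttpHelper.isAdminMode(request)) {
            return false;
        }
        Map<String, CrossSiteRequestForgeryContentRewriter> rewriters = RootContext.getInstance().getBeansOfType(CrossSiteRequestForgeryContentRewriter.class);
        if (rewriters.isEmpty()) {
            return false;
        }
        CrossSiteRequestForgeryContentRewriter rewriter = rewriters.values().iterator().next();
        String token = request.getParameter(CrossSiteRequestForgeryContentRewriter.CSRF_KEY);
        if (token == null || token.length() == 0) {
            return true;
        }
        try {
            BigInteger expected = new BigInteger(request.getSession().getId().getBytes("utf-8"));
            BigInteger supplied = new BigInteger(token).xor(rewriter.getSecret());
            // toByteArray() is canonical, so byte equality is BigInteger equality; isEqual keeps the
            // comparison constant-time in the value bytes.
            return !MessageDigest.isEqual(supplied.toByteArray(), expected.toByteArray());
        } catch (Exception e) {
            // NumberFormatException (non-numeric token), a missing session, an unsupported charset:
            // all are treated as a forged request rather than letting the POST through.
            return true;
        }
    }

    /** Nothing to release: the filter holds only a reference to the servlet context. */
    public void destroy() {
    }
}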
