package org.kantega.respiro.kerberos;

import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.security.Principal;
import java.util.Optional;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.simplericity.serberuhs.DefaultKerberosSubjectFactory;
import org.simplericity.serberuhs.KerberosSubjectFactory;
import org.simplericity.serberuhs.SpNego;
import org.simplericity.serberuhs.SpNegoResult;
import org.simplericity.serberuhs.filter.KerberosFilterConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/kantega/respiro/kerberos/KerberosFilter.class */
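/**
 * Servlet filter that authenticates HTTP requests through SPNEGO/Kerberos negotiation.
 *
 * <p>After a successful negotiation the authorized principal and the user's common name are
 * stored as session attributes. The request is then passed down the chain wrapped so that
 * {@code getRemoteUser()}, {@code isUserInRole()} and {@code getUserPrincipal()} answer from the
 * resolved {@link UserInfo}.
 *
 * <p>When the configuration reports the filter as disabled, every request is passed through
 * untouched.
 */
public class KerberosFilter implements Filter {
    private final Logger logger = LoggerFactory.getLogger(KerberosFilter.class);
    private final KerberosSubjectFactory factory = new DefaultKerberosSubjectFactory();
    private final Configuration configuration;
    private final ActiveDirectoryDAO activeDirectoryDAO;

    // Session attribute key for the authorized principal. The identifier keeps its original
    // spelling ("AUTORIZED") because it is package-visible and may be referenced elsewhere.
    static final String AUTORIZED_PRINCIPAL_SESSION_ATTRIBUTE = KerberosFilter.class.getName() + "_AUTHORIZED_PRINCIPAL";
    // Session attribute key for the user's common name.
    static final String COMMON_NAME_SESSION_ATTRIBUTE = KerberosFilter.class.getName() + "_COMMON_NAME";

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/kantega/respiro/kerberos/KerberosFilter$Configuration.class */
    /**
     * Immutable settings handed to the Kerberos subject factory.
     *
     * <p>The service password is held as a {@code String} and returned as-is by
     * {@link #getPassword()}; do not log instances of this class or the values it returns.
     */
    public static class Configuration implements KerberosFilterConfiguration {
        private final boolean enabled;
        private final Path keytabFile;
        private final String principal;
        private final String password;

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * @param enabled whether the filter should negotiate at all
         * @param keytabFile path of the keytab file
         * @param principal principal name
         * @param password password belonging to the principal
         */
        public Configuration(boolean enabled, Path keytabFile, String principal, String password) {
            this.enabled = enabled;
            this.keytabFile = keytabFile;
            this.principal = principal;
            this.password = password;
        }

        /**
         * @return always {@code null}: no fallback login page is configured, so unauthenticated
         *     requests end in a 401 response (see {@code dispatchToFallback})
         */
        public String getFallbackLoginPath() {
            return null;
        }

        /** @return {@code true} when the filter should perform negotiation */
        public boolean isEnabled() {
            return this.enabled;
        }

        /**
         * @return the keytab path converted to a {@link File}
         * @throws NullPointerException if no keytab path was supplied to the constructor
         */
        public File getKeytabFile() {
            return this.keytabFile.toFile();
        }

        /** @return the principal name given to the constructor */
        public String getPrincipal() {
            return this.principal;
        }

        /** @return the password given to the constructor; treat as a secret */
        public String getPassword() {
            return this.password;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the filter and hands the configuration to the subject factory.
     *
     * @param configuration filter settings, also passed to the Kerberos subject factory
     * @param activeDirectoryDAO directory access used to resolve and refresh user information
     */
    public KerberosFilter(Configuration configuration, ActiveDirectoryDAO activeDirectoryDAO) {
        this.configuration = configuration;
        this.activeDirectoryDAO = activeDirectoryDAO;
        this.factory.setConfiguration(configuration);
    }

    /** No initialisation is required; all state is supplied through the constructor. */
    public final void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Authenticates the request or passes it through.
     *
     * <ol>
     *   <li>Filter disabled: the request continues down the chain unchanged.
     *   <li>User already considered logged in: the request is dispatched with the wrapped identity.
     *   <li>Otherwise SPNEGO negotiation runs and the outcome decides between an authenticated
     *       dispatch and the fallback response.
     * </ol>
     *
     * @throws IOException propagated from the chain or the fallback dispatch
     * @throws ServletException propagated from the chain or the fallback dispatch
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        // Decide on pass-through before casting: a disabled filter must not fail on
        // request/response objects that are not HTTP ones.
        if (!this.configuration.isEnabled()) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (isUserLoggedIn(request)) {
            authenticatedDispatch(request, response, filterChain);
            return;
        }
        SpNego spNego = new SpNego();
        spNego.negotiate(this.factory.getSubject(), request, response);
        if (spNego.getResult() == SpNegoResult.AUTHORIZED) {
            handleSuccessfulAuthorization(spNego.getAuthorizedPrincipal(), request, response, filterChain);
        } else if (spNego.getResult() == SpNegoResult.MISSING_AUTHORIZATION_HEADER) {
            handleMissingAuthorizationHeader(request, response);
        } else {
            // Parameterized logging with the exception as the trailing argument keeps the
            // rendered message identical while also recording the stack trace, which is needed
            // to tell apart the causes of a failed negotiation.
            // NOTE(review): the exception text may reflect client-supplied token data; confirm
            // the log layout neutralises line breaks.
            this.logger.error(
                    "Failed to authorize user {}:{}",
                    spNego.getResult(),
                    spNego.getException() == null ? "" : spNego.getException().getMessage(),
                    spNego.getException());
            handleUnsuccessfulAuthorization(request, response);
        }
    }

    /**
     * Treats the request as logged in when the DAO reports that the user information derived
     * from the request (without directory access) does not need to be reloaded.
     */
    private boolean isUserLoggedIn(HttpServletRequest request) {
        return !this.activeDirectoryDAO.shouldReload(UserInfo.from(request, Optional.empty()));
    }

    /**
     * Forwards to the configured fallback login path, or answers 401 when none is configured.
     * The status is set without writing a body.
     */
    private void dispatchToFallback(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        String fallbackPath = this.configuration.getFallbackLoginPath();
        if (fallbackPath == null) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        request.getRequestDispatcher(fallbackPath).forward(request, response);
    }

    /** The request carried no authorization header: answer with the fallback. */
    private void handleMissingAuthorizationHeader(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        dispatchToFallback(request, response);
    }

    /** Negotiation ended in any non-authorized result: answer with the fallback. */
    private void handleUnsuccessfulAuthorization(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        dispatchToFallback(request, response);
    }

    /**
     * Records the authenticated identity in the session and continues the chain.
     *
     * @param authorizedPrincipal principal name reported by the negotiation
     */
    private void handleSuccessfulAuthorization(String authorizedPrincipal, HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
        // NOTE(review): the principal is stored in whatever session the request already carries;
        // no session-id rotation is visible in this class. Confirm the id is rotated at login
        // elsewhere (e.g. HttpServletRequest#changeSessionId on Servlet 3.1+), otherwise a
        // session id set before authentication stays valid afterwards.
        exposePrincipalSessionAttribute(authorizedPrincipal, request);
        // The principal attribute is written before UserInfo is resolved; keep this order.
        exposeCommonNameSessionAttribute(UserInfo.from(request, Optional.of(this.activeDirectoryDAO)), request);
        authenticatedDispatch(request, response, filterChain);
    }

    /**
     * Continues the chain with a request wrapper whose user, role and principal accessors are
     * answered from the {@link UserInfo} resolved for this request.
     */
    private void authenticatedDispatch(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException {
        final UserInfo userInfo = UserInfo.from(request, Optional.of(this.activeDirectoryDAO));
        HttpServletRequestWrapper identityRequest = new HttpServletRequestWrapper(request) {
            public String getRemoteUser() {
                return userInfo.getPrincipal();
            }

            // Role membership is an exact match against the user's group collection.
            public boolean isUserInRole(String role) {
                return userInfo.getGroups().contains(role);
            }

            // Principal whose name is resolved through getRemoteUser() each time it is asked.
            public Principal getUserPrincipal() {
                return this::getRemoteUser;
            }
        };
        filterChain.doFilter(identityRequest, response);
    }

    /** Stores the authorized principal name in the session, creating the session if needed. */
    private void exposePrincipalSessionAttribute(String authorizedPrincipal, HttpServletRequest request) {
        request.getSession().setAttribute(AUTORIZED_PRINCIPAL_SESSION_ATTRIBUTE, authorizedPrincipal);
    }

    /** Stores the user's common name in the session, creating the session if needed. */
    private void exposeCommonNameSessionAttribute(UserInfo userInfo, HttpServletRequest request) {
        request.getSession().setAttribute(COMMON_NAME_SESSION_ATTRIBUTE, userInfo.getCommonName());
    }

    /** Nothing to release. */
    public void destroy() {
    }
}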
