package org.nuxeo.ecm.platform.ui.web.auth.oauth;

import java.io.IOException;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.oauth.OAuth;
import net.oauth.OAuthAccessor;
import net.oauth.OAuthException;
import net.oauth.OAuthMessage;
import net.oauth.OAuthValidator;
import net.oauth.SimpleOAuthValidator;
import net.oauth.server.OAuthServlet;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.common.utils.URIUtils;
import org.nuxeo.ecm.platform.oauth.consumers.NuxeoOAuthConsumer;
import org.nuxeo.ecm.platform.oauth.consumers.OAuthConsumerRegistry;
import org.nuxeo.ecm.platform.oauth.keys.OAuthServerKeyManager;
import org.nuxeo.ecm.platform.oauth.tokens.OAuthToken;
import org.nuxeo.ecm.platform.oauth.tokens.OAuthTokenStore;
import org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Filter;
import org.nuxeo.ecm.platform.oauth2.NuxeoOAuth2Servlet;
import org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter;
import org.nuxeo.ecm.platform.ui.web.auth.NuxeoSecuredRequestWrapper;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthPreFilter;
import org.nuxeo.ecm.platform.web.common.vh.VirtualHostHelper;
import org.nuxeo.runtime.api.Framework;
import org.nuxeo.runtime.transaction.TransactionHelper;

/* loaded from: input_file:org/nuxeo/ecm/platform/ui/web/auth/oauth/NuxeoOAuthFilter.class */
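/**
 * Authentication pre-filter implementing the OAuth 1.0a server side.
 * <p>
 * Two kinds of requests are handled:
 * <ul>
 * <li>the three-legged flow endpoints under {@code /oauth/}: {@code request-token}, the authorize
 * endpoint ({@link NuxeoOAuth2Servlet#ENDPOINT_AUTH}) and {@code access-token};</li>
 * <li>any other request carrying an OAuth signature (Authorization header, signed GET query or
 * signed form POST), which is verified and then forwarded down the chain wrapped with the
 * principal the token (or the consumer's signed-fetch configuration) resolves to.</li>
 * </ul>
 * NOTE(review): as a {@link NuxeoAuthPreFilter} this code runs before NuxeoAuthenticationFilter, so
 * nothing here can rely on an already-authenticated request principal.
 */
public class NuxeoOAuthFilter implements NuxeoAuthPreFilter {

    protected static final Log log = LogFactory.getLog(NuxeoOAuthFilter.class);

    /** Path segment that marks the OAuth endpoints served by this filter. */
    protected static final String OAUTH_PATH_MARKER = "/oauth/";

    protected static final String REQUEST_TOKEN_ENDPOINT = "request-token";

    protected static final String ACCESS_TOKEN_ENDPOINT = "access-token";

    protected static final String FORM_CONTENT_TYPE = "application/x-www-form-urlencoded";

    /**
     * Callback used when neither the request token nor the consumer registration provides one.
     * NOTE(review): with this default the oauth_verifier is redirected to a third-party host;
     * deployments that do not serve OpenSocial gadgets should register an explicit callback URL
     * for every consumer so this fallback is never reached.
     */
    protected static final String DEFAULT_CALLBACK_URL = "http://oauth.gmodules.com/gadgets/oauthcallback";

    protected static OAuthValidator validator;

    protected static OAuthConsumerRegistry consumerRegistry;

    /**
     * Returns the shared message validator, creating it on first use.
     * <p>
     * Creation is synchronized: {@link SimpleOAuthValidator} keeps its nonce/timestamp state in
     * memory, so letting two threads race and publish two instances would silently split the
     * replay-protection cache during start-up.
     */
    protected OAuthValidator getValidator() {
        synchronized (NuxeoOAuthFilter.class) {
            if (validator == null) {
                validator = new SimpleOAuthValidator();
            }
            return validator;
        }
    }

    /** Returns the consumer registry service (cached after first lookup). */
    protected OAuthConsumerRegistry getOAuthConsumerRegistry() {
        synchronized (NuxeoOAuthFilter.class) {
            if (consumerRegistry == null) {
                consumerRegistry = (OAuthConsumerRegistry) Framework.getService(OAuthConsumerRegistry.class);
            }
            return consumerRegistry;
        }
    }

    /** Returns the token store service; looked up on every call, never cached. */
    protected OAuthTokenStore getOAuthTokenStore() {
        return (OAuthTokenStore) Framework.getService(OAuthTokenStore.class);
    }

    /**
     * Tells whether the request carries an OAuth 1.0a signature: an {@code OAuth} Authorization
     * header, a GET with an {@code oauth_signature} query parameter, or a form-encoded POST with an
     * {@code oauth_signature} body parameter.
     * <p>
     * The content type is matched by media type only, so a {@code charset} parameter appended by the
     * client no longer prevents a signed form POST from being recognised.
     */
    protected boolean isOAuthSignedRequest(HttpServletRequest request) {
        if (hasOAuthAuthorizationHeader(request)) {
            return true;
        }
        if (request.getParameter("oauth_signature") == null) {
            return false;
        }
        String method = request.getMethod();
        if ("GET".equals(method)) {
            return true;
        }
        return "POST".equals(method) && isFormEncoded(request.getContentType());
    }

    /**
     * Checks that the Authorization header starts with the {@code OAuth} scheme (scheme names are
     * case-insensitive). Matching the scheme at the start, rather than anywhere in the header value,
     * keeps a Bearer or other credential that merely contains the substring from being routed here.
     */
    private static boolean hasOAuthAuthorizationHeader(HttpServletRequest request) {
        String header = request.getHeader(NuxeoOAuth2Filter.AUTHORIZATION_HEADER);
        if (header == null) {
            return false;
        }
        String trimmed = header.trim();
        return trimmed.regionMatches(true, 0, "OAuth", 0, "OAuth".length());
    }

    /** True for {@code application/x-www-form-urlencoded}, ignoring case and any media-type parameters. */
    private static boolean isFormEncoded(String contentType) {
        if (contentType == null) {
            return false;
        }
        return contentType.trim().toLowerCase(Locale.ROOT).startsWith(FORM_CONTENT_TYPE);
    }

    /**
     * Filter entry point. Requests that are neither OAuth endpoints nor OAuth-signed are passed
     * straight down the chain; everything else is processed inside a transaction that this filter
     * starts (and commits or rolls back) only when none is already active.
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        if (!accept(servletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        boolean startedTransaction = false;
        if (!TransactionHelper.isTransactionActive()) {
            startedTransaction = TransactionHelper.startTransaction();
        }
        boolean completed = false;
        try {
            process(servletRequest, servletResponse, filterChain);
            completed = true;
        } finally {
            if (startedTransaction) {
                // Any exception out of process() marks the transaction we own for rollback.
                if (!completed) {
                    TransactionHelper.setTransactionRollbackOnly();
                }
                TransactionHelper.commitOrRollbackTransaction();
            }
        }
    }

    /** An HTTP request is handled here when its URI contains {@code /oauth/} or it is OAuth-signed. */
    protected boolean accept(ServletRequest servletRequest) {
        if (!(servletRequest instanceof HttpServletRequest)) {
            return false;
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        return request.getRequestURI().contains(OAUTH_PATH_MARKER) || isOAuthSignedRequest(request);
    }

    /**
     * Dispatches to the endpoint handlers or authenticates a signed request and continues the chain
     * as the resolved principal.
     *
     * @throws RuntimeException if the request is neither an endpoint call nor OAuth-signed (cannot
     *             happen through {@link #doFilter} because {@link #accept} gates it)
     */
    protected void process(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String requestURI = request.getRequestURI();
        int marker = requestURI.indexOf(OAUTH_PATH_MARKER);
        if (marker >= 0) {
            // The remainder after "/oauth/" names the endpoint. An empty remainder (URI ending in
            // "/oauth/") used to raise ArrayIndexOutOfBoundsException from split(); it is now a 405.
            String endpoint = requestURI.substring(marker + OAUTH_PATH_MARKER.length());
            if (NuxeoOAuth2Servlet.ENDPOINT_AUTH.equals(endpoint)) {
                processAuthorize(request, response);
            } else if (REQUEST_TOKEN_ENDPOINT.equals(endpoint)) {
                processRequestToken(request, response);
            } else if (ACCESS_TOKEN_ENDPOINT.equals(endpoint)) {
                processAccessToken(request, response);
            } else {
                response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "OAuth call not supported");
            }
            return;
        }
        if (!isOAuthSignedRequest(request)) {
            throw new RuntimeException("request is not a outh request");
        }
        LoginContext loginContext = processSignedRequest(request, response);
        if (loginContext == null) {
            // processSignedRequest has usually already sent a specific error; default to 401.
            if (!response.isCommitted()) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }
            return;
        }
        try {
            Object[] principals = loginContext.getSubject().getPrincipals().toArray();
            if (principals.length == 0) {
                log.error("OAuth login produced a subject without any principal");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            filterChain.doFilter(new NuxeoSecuredRequestWrapper(request, (Principal) principals[0]), servletResponse);
        } finally {
            logoutQuietly(loginContext);
        }
    }

    /** Logs the JAAS context out; a failure is logged and otherwise ignored. */
    private static void logoutQuietly(LoginContext loginContext) {
        try {
            loginContext.logout();
        } catch (LoginException e) {
            log.warn("Error when loging out", e);
        }
    }

    /**
     * Authorize endpoint.
     * <p>
     * GET (end user arriving from the consumer): the request token is stashed in the session under
     * {@code OAUTH-INFO} and the browser is redirected to the login page with the grant page as
     * {@code requestedUrl}.
     * <p>
     * POST (grant form submitted): a verifier is attached to the request token for the requested
     * {@code duration}, the token is bound to {@code nuxeo_login}, and the browser is redirected to the
     * consumer callback with {@code oauth_token} and {@code oauth_verifier}.
     * <p>
     * NOTE(review): the login the token is bound to is taken verbatim from the POST parameter
     * {@code nuxeo_login}. This filter runs before authentication and performs no check that the
     * submitter is logged in as that user, nor any anti-CSRF check on the grant POST; confirm that the
     * grant page / an upstream filter enforces both before exposing this endpoint.
     */
    protected void processAuthorize(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String requestTokenKey = request.getParameter("oauth_token");
        if (requestTokenKey == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing oauth_token");
            return;
        }
        if ("GET".equals(request.getMethod())) {
            log.debug("OAuth authorize : from end user ");
            OAuthToken requestToken = getOAuthTokenStore().getRequestToken(requestTokenKey);
            if (requestToken == null) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown request token");
                return;
            }
            request.getSession(true).setAttribute("OAUTH-INFO", requestToken);
            String baseURL = VirtualHostHelper.getBaseURL(request);
            String grantPage = URLEncoder.encode("oauthGrant.jsp?oauth_token=" + requestTokenKey, "UTF-8");
            response.sendRedirect(baseURL + "login.jsp?requestedUrl=" + grantPage);
            return;
        }
        log.debug("OAuth authorize validate ");
        Long duration;
        try {
            duration = Long.valueOf(request.getParameter("duration"));
        } catch (NumberFormatException e) {
            // Missing or malformed duration used to surface as an HTTP 500.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid duration");
            return;
        }
        String login = request.getParameter("nuxeo_login");
        OAuthToken requestToken = getOAuthTokenStore().addVerifierToRequestToken(requestTokenKey, duration);
        if (requestToken == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown request token");
            return;
        }
        requestToken.setNuxeoLogin(login);
        String callbackUrl = resolveCallbackUrl(requestToken);
        Map<String, String> callbackParams = new LinkedHashMap<String, String>();
        callbackParams.put("oauth_token", requestToken.getToken());
        callbackParams.put("oauth_verifier", requestToken.getVerifier());
        String target = URIUtils.addParametersToURIQuery(callbackUrl, callbackParams);
        // Log the callback only: the full target URL carries the verifier.
        log.debug("redirecting user after successful grant to callback " + callbackUrl);
        response.sendRedirect(target);
    }

    /**
     * Chooses where the end user is redirected after granting: the {@code oauth_callback} the consumer
     * supplied when it obtained the request token, else the callback registered for the consumer,
     * else {@link #DEFAULT_CALLBACK_URL}.
     * <p>
     * NOTE(review): the token's callback is the value the consumer sent to the request-token endpoint
     * and is used as-is, as OAuth 1.0a permits; it is not compared here with the registered callback.
     * Installations that want a fixed redirect target per consumer need that comparison (or the token
     * store to enforce it).
     */
    protected String resolveCallbackUrl(OAuthToken requestToken) {
        String callbackUrl = requestToken.getCallbackUrl();
        if (callbackUrl != null) {
            return callbackUrl;
        }
        NuxeoOAuthConsumer consumer = getOAuthConsumerRegistry().getConsumer(requestToken.getConsumerKey());
        if (consumer != null && consumer.getCallbackURL() != null) {
            return consumer.getCallbackURL();
        }
        return DEFAULT_CALLBACK_URL;
    }

    /**
     * Request-token endpoint: verifies the consumer signature and issues a temporary token bound to the
     * consumer key and its {@code oauth_callback}, returned form-encoded with
     * {@code oauth_callback_confirmed=true}.
     */
    protected void processRequestToken(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        OAuthMessage message = OAuthServlet.getMessage(request, (String) null);
        String consumerKey = message.getConsumerKey();
        NuxeoOAuthConsumer consumer = getOAuthConsumerRegistry().getConsumer(consumerKey, message.getSignatureMethod());
        if (consumer == null) {
            rejectUnknownConsumer(response, consumerKey);
            return;
        }
        try {
            getValidator().validateMessage(message, new OAuthAccessor(consumer));
            log.debug("OAuth request-token : generate a tmp token");
            OAuthToken requestToken = getOAuthTokenStore().createRequestToken(consumerKey,
                    message.getParameter("oauth_callback"));
            String body = "oauth_token=" + requestToken.getToken() + "&oauth_token_secret="
                    + requestToken.getTokenSecret() + "&oauth_callback_confirmed=true";
            writeTokenResponse(response, body, requestToken.getToken());
        } catch (OAuthException | IOException | URISyntaxException e) {
            rejectInvalidSignature(response, e);
        }
    }

    /**
     * Access-token endpoint: verifies the signature made with the consumer secret and the request-token
     * secret, checks that the request token belongs to this consumer and that the verifier matches,
     * then exchanges the request token for an access token.
     */
    protected void processAccessToken(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        OAuthMessage message = OAuthServlet.getMessage(request, (String) null);
        String consumerKey = message.getConsumerKey();
        NuxeoOAuthConsumer consumer = getOAuthConsumerRegistry().getConsumer(consumerKey, message.getSignatureMethod());
        if (consumer == null) {
            rejectUnknownConsumer(response, consumerKey);
            return;
        }
        OAuthToken requestToken = getOAuthTokenStore().getRequestToken(message.getToken());
        if (requestToken == null) {
            // Unknown or already-consumed token used to end in a NullPointerException (HTTP 500).
            log.error("Unknown request token : can not issue an access token");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unknown request token");
            return;
        }
        if (!Objects.equals(consumerKey, requestToken.getConsumerKey())) {
            // A request token may only be exchanged by the consumer it was issued to.
            log.error("Request token was not issued to consumer " + consumerKey);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Token does not belong to consumer");
            return;
        }
        OAuthAccessor accessor = new OAuthAccessor(consumer);
        accessor.requestToken = requestToken.getToken();
        accessor.tokenSecret = requestToken.getTokenSecret();
        try {
            getValidator().validateMessage(message, accessor);
            log.debug("OAuth access-token : generate a real token");
            String presentedVerifier = message.getParameter("oauth_verifier");
            if (!verifierAccepted(consumer, requestToken, presentedVerifier)) {
                log.error("Verifier does not match : can not continue");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Verifier is not correct");
                return;
            }
            OAuthToken accessToken = getOAuthTokenStore().createAccessTokenFromRequestToken(requestToken);
            String body = "oauth_token=" + accessToken.getToken() + "&oauth_token_secret=" + accessToken.getTokenSecret();
            writeTokenResponse(response, body, accessToken.getToken());
        } catch (OAuthException | IOException | URISyntaxException e) {
            rejectInvalidSignature(response, e);
        }
    }

    /**
     * Decides whether the access-token exchange may proceed.
     * <ul>
     * <li>a request token that was never granted (no verifier attached) is always refused; the original
     * code threw a NullPointerException here;</li>
     * <li>no verifier presented: allowed only for consumers flagged {@code allowBypassVerifier}
     * (pre-1.0a consumers);</li>
     * <li>otherwise the presented verifier must equal the stored one, compared in constant time so the
     * value cannot be recovered through response timing.</li>
     * </ul>
     */
    protected boolean verifierAccepted(NuxeoOAuthConsumer consumer, OAuthToken requestToken, String presented) {
        String expected = requestToken.getVerifier();
        if (expected == null) {
            return false;
        }
        if (presented == null) {
            return consumer.allowBypassVerifier();
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Writes a form-encoded token response with status 200. Only the public token is logged; the body
     * also carries {@code oauth_token_secret}, which must not end up in log files.
     */
    private static void writeTokenResponse(HttpServletResponse response, String body, String token) throws IOException {
        response.setContentType(FORM_CONTENT_TYPE);
        response.setStatus(HttpServletResponse.SC_OK);
        log.debug("returning token " + token);
        response.getWriter().write(body);
    }

    /**
     * Sends the {@code consumer_key_unknown} problem code. The client-supplied key is written to the
     * log for operators but deliberately not echoed into the response body.
     */
    private static void rejectUnknownConsumer(HttpServletResponse response, String consumerKey) throws IOException {
        log.error("Consumer " + consumerKey + " is not registered");
        response.sendError(problemHttpCode("consumer_key_unknown"), "Unknown consumer key");
    }

    /** Logs the validation failure and sends the {@code signature_invalid} problem code. */
    private static void rejectInvalidSignature(HttpServletResponse response, Exception e) throws IOException {
        log.error("Error while validating OAuth signature", e);
        response.sendError(problemHttpCode("signature_invalid"), "Can not validate signature");
    }

    /** Maps an OAuth problem-reporting code onto the HTTP status the library associates with it. */
    private static int problemHttpCode(String problem) {
        return ((Integer) OAuth.Problems.TO_HTTP_CODE.get(problem)).intValue();
    }

    /**
     * Looks the consumer up in the registry; when absent, accepts the server's own internal key (used
     * for server-to-server calls) and returns the internal consumer for it.
     */
    protected NuxeoOAuthConsumer resolveConsumer(String consumerKey, String signatureMethod) {
        NuxeoOAuthConsumer consumer = getOAuthConsumerRegistry().getConsumer(consumerKey, signatureMethod);
        if (consumer == null && consumerKey != null) {
            OAuthServerKeyManager keyManager = (OAuthServerKeyManager) Framework.getService(OAuthServerKeyManager.class);
            if (consumerKey.equals(keyManager.getInternalKey())) {
                consumer = keyManager.getInternalConsumer();
            }
        }
        return consumer;
    }

    /**
     * Resolves the user a signed-fetch request (no access token) runs as, from the consumer's
     * configured signed-fetch user. The two OpenSocial placeholders are replaced by the
     * {@code opensocial_viewer_id} / {@code opensocial_owner_id} parameters of the signed message, i.e.
     * the consumer alone asserts who the user is; this is why signed fetch is gated per consumer.
     */
    protected String resolveSignedFetchUser(NuxeoOAuthConsumer consumer, OAuthMessage message) throws IOException {
        String user = consumer.getSignedFetchUser();
        if (NuxeoOAuthConsumer.SIGNEDFETCH_OPENSOCIAL_VIEWER.equals(user)) {
            return message.getParameter("opensocial_viewer_id");
        }
        if (NuxeoOAuthConsumer.SIGNEDFETCH_OPENSOCIAL_OWNER.equals(user)) {
            return message.getParameter("opensocial_owner_id");
        }
        return user;
    }

    /**
     * Authenticates an OAuth-signed request against a resource.
     *
     * @return a logged-in JAAS context for the resolved user, or {@code null} after an error response
     *         has been sent (unknown consumer, signed fetch not allowed, no login information, bad
     *         signature or login failure)
     */
    protected LoginContext processSignedRequest(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        OAuthMessage message = OAuthServlet.getMessage(request, getRequestURL(request));
        String consumerKey = message.getConsumerKey();
        String signatureMethod = message.getSignatureMethod();
        log.debug("Received OAuth signed request on " + request.getRequestURI() + " with consumerKey=" + consumerKey
                + " and signature method " + signatureMethod);
        NuxeoOAuthConsumer consumer = resolveConsumer(consumerKey, signatureMethod);
        if (consumer == null) {
            rejectUnknownConsumer(response, consumerKey);
            return null;
        }
        OAuthAccessor accessor = new OAuthAccessor(consumer);
        String login;
        OAuthToken accessToken = getOAuthTokenStore().getAccessToken(message.getToken());
        if (accessToken != null) {
            // NOTE(review): the access token is not checked here to belong to consumerKey; confirm
            // whether the token store scopes lookups per consumer, otherwise add that comparison.
            accessor.accessToken = accessToken.getToken();
            accessor.tokenSecret = accessToken.getTokenSecret();
            login = accessToken.getNuxeoLogin();
        } else {
            if (!consumer.allowSignedFetch()) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Signed fetch is not allowed");
                return null;
            }
            login = resolveSignedFetchUser(consumer, message);
        }
        try {
            getValidator().validateMessage(message, accessor);
            if (login == null) {
                response.sendError(problemHttpCode("user_refused"), "No configured login information");
                return null;
            }
            return NuxeoAuthenticationFilter.loginAs(login);
        } catch (OAuthException | IOException | URISyntaxException | LoginException e) {
            rejectInvalidSignature(response, e);
            return null;
        }
    }

    /**
     * Rebuilds the URL the client signed, honouring the scheme reported by a TLS-terminating proxy in
     * {@code X-Forwarded-Proto}.
     * <p>
     * Only {@code http} and {@code https} (first value of a comma-separated list, case-insensitive) are
     * accepted; any other header value is ignored instead of being spliced into the signature base
     * string. The header only influences signature verification, so a forged value can at worst make
     * verification fail.
     */
    public static String getRequestURL(HttpServletRequest request) {
        String url = request.getRequestURL().toString();
        String forwardedProto = request.getHeader("X-Forwarded-Proto");
        if (forwardedProto == null) {
            return url;
        }
        String scheme = forwardedProto.split(",")[0].trim().toLowerCase(Locale.ROOT);
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return url;
        }
        int schemeEnd = url.indexOf("://");
        if (schemeEnd < 0 || url.startsWith(scheme)) {
            return url;
        }
        return scheme + url.substring(schemeEnd);
    }
}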
