package org.nuxeo.ecm.platform.ui.web.auth;

import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jboss.seam.Seam;
import org.jboss.security.SecurityAssociation;
import org.nuxeo.ecm.core.api.event.impl.CoreEventImpl;
import org.nuxeo.ecm.platform.api.login.SystemSession;
import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo;
import org.nuxeo.ecm.platform.events.api.DocumentMessageProducer;
import org.nuxeo.ecm.platform.events.api.impl.DocumentMessageImpl;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPluginLogoutExtension;
import org.nuxeo.ecm.platform.ui.web.auth.service.AuthenticationPluginDescriptor;
import org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService;
import org.nuxeo.ecm.platform.ui.web.util.BaseURL;
import org.nuxeo.runtime.api.Framework;

/* loaded from: input_file:org/nuxeo/ecm/platform/ui/web/auth/NuxeoAuthenticationFilter.class */
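/**
 * Servlet filter that authenticates incoming requests through the chain of
 * {@link NuxeoAuthenticationPlugin}s registered on the
 * {@link PluggableAuthenticationService}.
 *
 * <p>For each request without a container principal the filter first looks for an
 * identity cached in the HTTP session, then asks each plugin of the chain to extract
 * one from the request, performs a JAAS login against {@link #LOGIN_DOMAIN} and wraps
 * the request in a {@link NuxeoSecuredRequestWrapper} carrying the resulting principal.
 *
 * <p>Security notes for maintainers:
 * <ul>
 * <li>The identity object stored in the session under {@code NXAuthContants.USERIDENT_KEY}
 * exposes the user's password through {@code getUserInfo().getPassword()}; anything that
 * can read or serialize the session can read that credential.</li>
 * <li>Credentials must never be written to the logs, at any level.</li>
 * </ul>
 */
public class NuxeoAuthenticationFilter implements Filter {
    protected static final String EJB_LOGIN_DOMAIN = "nuxeo-system-login";
    protected static final String LOGIN_DOMAIN = "nuxeo-ecm-web";
    protected static final String START_PAGE_SAVE_KEY = "Nuxeo5_Start_Page";
    protected static final String DEFAULT_START_PAGE = "nxstartup.faces";
    protected static final String LOGIN_JMS_CATEGORY = "NuxeoAuthentication";
    private static final Log log = LogFactory.getLog(NuxeoAuthenticationFilter.class);
    // When true, the identity cached in the HTTP session is reused instead of logging in on every request.
    protected final Boolean avoidReauthenticate = true;
    protected PluggableAuthenticationService service;
    // URL prefixes (relative to the context path) collected from the plugins in init().
    protected List<String> unAuthenticatedURLPrefix;
    // Prefixes a requested page must start with to be saved as post-login redirect target.
    protected List<String> validStartURLs;

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Looks up the message producer used to publish authentication events.
     *
     * @return the producer returned by the runtime service lookup
     * @throws Exception if the lookup fails
     */
    protected DocumentMessageProducer getMessageProducer() throws Exception {
        return (DocumentMessageProducer) Framework.getService(DocumentMessageProducer.class);
    }

    /**
     * Publishes an authentication event (login success/failure, logout) on behalf of
     * the system session.
     *
     * @param userIdentificationInfo identity the event is about; supplies the plugin names
     * @param str event id
     * @param str2 human readable comment attached to the event
     * @return {@code true} only when the event was produced and the system session was
     *         logged out cleanly, {@code false} otherwise
     */
    protected Boolean sendAuthenticationEvent(UserIdentificationInfo userIdentificationInfo, String str, String str2) {
        SystemSession systemSession = new SystemSession();
        try {
            systemSession.login();
        } catch (LoginException e) {
            log.error("Unable to log in in order to log Login event" + e.getMessage());
            return false;
        }
        boolean sent = false;
        try {
            DocumentMessageProducer messageProducer = getMessageProducer();
            // Raw type kept on purpose: the map parameter type of CoreEventImpl is declared outside this file.
            HashMap eventInfo = new HashMap();
            DocumentMessageImpl source = new DocumentMessageImpl();
            eventInfo.put("AuthenticationPlugin", userIdentificationInfo.getAuthPluginName());
            eventInfo.put("LoginPlugin", userIdentificationInfo.getLoginPluginName());
            Principal systemPrincipal = (Principal) systemSession.getLoginContext().getSubject().getPrincipals().toArray()[0];
            messageProducer.produce(new DocumentMessageImpl(source, new CoreEventImpl(str, source, eventInfo, systemPrincipal, LOGIN_JMS_CATEGORY, str2)));
            sent = true;
        } catch (Exception e) {
            // Pass the exception itself so the stack trace is kept; the message alone hides the cause.
            log.error("Unable to get JMS message producer: " + e.getMessage(), e);
        } finally {
            // The privileged system session must be closed on every path.
            try {
                systemSession.logout();
            } catch (LoginException e) {
                log.warn("Unable to log out the system session after sending event", e);
                sent = false;
            }
        }
        return sent;
    }

    /**
     * Returns the name used to designate the user in audit comments: the user name,
     * or the token when no user name is available.
     */
    private static String describeUser(UserIdentificationInfo userIdentificationInfo) {
        String userName = userIdentificationInfo.getUserName();
        if (userName == null || userName.length() == 0) {
            userName = userIdentificationInfo.getToken();
        }
        return userName;
    }

    /**
     * Records a login attempt as a {@code loginSuccess} or {@code loginFailed} event.
     *
     * <p>NOTE(review): the user name placed in the comment comes from the identity
     * extracted from the request and is not sanitized here; consumers that render or
     * store the comment should treat it as untrusted text.
     *
     * @param userIdentificationInfo identity that attempted to log in
     * @param bool {@code true} for a successful login
     * @return the result of {@link #sendAuthenticationEvent}
     */
    protected Boolean logAuthenticationAttempt(UserIdentificationInfo userIdentificationInfo, Boolean bool) {
        String userName = describeUser(userIdentificationInfo);
        String eventId;
        String comment;
        if (bool.booleanValue()) {
            eventId = "loginSuccess";
            comment = userName + " successfully logged in using " + userIdentificationInfo.getAuthPluginName() + "Authentication";
        } else {
            eventId = "loginFailed";
            comment = userName + " failed to authenticate using " + userIdentificationInfo.getAuthPluginName() + "Authentication";
        }
        return sendAuthenticationEvent(userIdentificationInfo, eventId, comment);
    }

    /**
     * Records a logout event for the given identity.
     *
     * @return the result of {@link #sendAuthenticationEvent}
     */
    protected Boolean logLogout(UserIdentificationInfo userIdentificationInfo) {
        return sendAuthenticationEvent(userIdentificationInfo, NXAuthContants.LOGOUT_PAGE, describeUser(userIdentificationInfo) + " logged out");
    }

    /**
     * Performs the JAAS login for the given identity and, on success, caches the
     * identity in the HTTP session.
     *
     * @param cachableUserIdentificationInfo identity to authenticate; updated in place
     *        with the principal and login context on success
     * @param httpServletRequest current request
     * @return the authenticated principal, or {@code null} when the login is rejected
     */
    protected Principal doAuthenticate(CachableUserIdentificationInfo cachableUserIdentificationInfo, HttpServletRequest httpServletRequest) {
        try {
            LoginContext loginContext = new LoginContext(LOGIN_DOMAIN, new JBossUserIdentificationInfoCallbackHandler(cachableUserIdentificationInfo.getUserInfo()));
            loginContext.login();
            Principal principal = (Principal) loginContext.getSubject().getPrincipals().toArray()[0];
            cachableUserIdentificationInfo.setPrincipal(principal);
            cachableUserIdentificationInfo.setAlreadyAuthenticated(true);
            cachableUserIdentificationInfo.getUserInfo().setUserName(principal.getName());
            logAuthenticationAttempt(cachableUserIdentificationInfo.getUserInfo(), true);
            httpServletRequest.setAttribute(NXAuthContants.LOGINCONTEXT_KEY, loginContext);
            // NOTE(review): an existing (pre-login) session is reused as is; the session id is
            // not renewed after authentication. Consider rotating it here to prevent session
            // fixation, once it is confirmed that plugins do not rely on pre-login session state.
            HttpSession session = httpServletRequest.getSession(true);
            cachableUserIdentificationInfo.setLoginContext(loginContext);
            // The cached object gives access to the user's password (getUserInfo().getPassword()).
            session.setAttribute(NXAuthContants.USERIDENT_KEY, cachableUserIdentificationInfo);
            return cachableUserIdentificationInfo.getPrincipal();
        } catch (LoginException e) {
            logAuthenticationAttempt(cachableUserIdentificationInfo.getUserInfo(), false);
            return null;
        }
    }

    /**
     * Authenticates the request, then either redirects to the page saved before the
     * login prompt or passes the request down the chain.
     *
     * <p>A request that ends up without a principal (un-authenticated URL prefix, or
     * no plugin handled the login prompt) is passed down the chain unwrapped.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        log.debug("Entering Nuxeo Authentication Filter");
        boolean cacheEnabled = this.avoidReauthenticate.booleanValue();
        if (cacheEnabled) {
            log.debug("Principal cache is activated");
        } else {
            log.debug("Principal cache is NOT activated");
        }
        String savedPage = null;
        CachableUserIdentificationInfo cachedIdentity = null;
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        Principal userPrincipal = httpServletRequest.getUserPrincipal();
        if (userPrincipal == null) {
            log.debug("Principal not found inside Request via getUserPrincipal");
            if (cacheEnabled) {
                log.debug("Try getting authentication from cache");
                cachedIdentity = retrieveIdentityFromCache(httpServletRequest);
            }
            if (cachedIdentity == null || cachedIdentity.getUserInfo() == null) {
                UserIdentificationInfo identity = handleRetrieveIdentity(httpServletRequest, httpServletResponse);
                boolean hasIdentity = identity != null && identity.containsValidIdentity().booleanValue();
                if (hasIdentity || bypassAuth(httpServletRequest)) {
                    savedPage = getSavedRequestedURL(httpServletRequest);
                } else if (handleLoginPrompt(httpServletRequest, httpServletResponse, false)) {
                    // A plugin has taken over the response (login form, challenge, redirect).
                    return;
                }
                if (hasIdentity) {
                    CachableUserIdentificationInfo freshIdentity = new CachableUserIdentificationInfo(identity);
                    userPrincipal = doAuthenticate(freshIdentity, httpServletRequest);
                    if (userPrincipal != null) {
                        propagateUserIdentificationInformation(freshIdentity);
                    } else {
                        httpServletRequest.setAttribute(NXAuthContants.LOGIN_ERROR, "authentication.failed");
                        if (handleLoginPrompt(httpServletRequest, httpServletResponse, true)) {
                            return;
                        }
                    }
                }
            } else {
                log.debug("userIdent found in cache, get the Principal from it without reloggin");
                if (getRequestedPage(httpServletRequest).equals(NXAuthContants.LOGOUT_PAGE) && handleLogout(servletRequest, servletResponse, cachedIdentity).booleanValue()) {
                    return;
                }
                userPrincipal = cachedIdentity.getPrincipal();
                log.debug("Principal = " + userPrincipal.getName());
                propagateUserIdentificationInformation(cachedIdentity);
            }
        }
        if (userPrincipal == null) {
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            if (savedPage != null) {
                // savedPage was checked against validStartURLs when it was stored and is
                // appended to the application base URL, so the redirect stays inside the application.
                httpServletResponse.sendRedirect(BaseURL.getBaseURL(httpServletRequest) + savedPage);
                return;
            }
            filterChain.doFilter(new NuxeoSecuredRequestWrapper(httpServletRequest, userPrincipal), servletResponse);
        }
        if (!cacheEnabled) {
            log.debug("Log out");
            // NOTE(review): the context is stored under NXAuthContants.LOGINCONTEXT_KEY in
            // doAuthenticate but read back with the literal "LoginContext" — confirm both
            // designate the same attribute, otherwise this logout never runs.
            LoginContext loginContext = (LoginContext) httpServletRequest.getAttribute("LoginContext");
            if (loginContext != null) {
                try {
                    loginContext.logout();
                } catch (LoginException e) {
                    // Report through the logger rather than stderr.
                    log.error("Unable to logout " + e.getMessage(), e);
                }
            }
        }
        log.debug("Exit Nuxeo Authentication filter");
    }

    /**
     * Returns the identity cached in the existing HTTP session, without creating a session.
     *
     * @return the cached identity, or {@code null} when there is no session or no cached identity
     */
    protected CachableUserIdentificationInfo retrieveIdentityFromCache(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session == null) {
            return null;
        }
        return (CachableUserIdentificationInfo) session.getAttribute(NXAuthContants.USERIDENT_KEY);
    }

    /**
     * Resolves the authentication service and collects, from every plugin of the
     * chain, the URL prefixes that do not require authentication.
     *
     * @throws ServletException if the authentication service is not available
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.service = (PluggableAuthenticationService) Framework.getRuntime().getComponent(PluggableAuthenticationService.NAME);
        if (this.service == null) {
            log.error("Unable to get Service org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService");
            throw new ServletException("Can't initialize Nuxeo Pluggable Authentication Service");
        }
        this.unAuthenticatedURLPrefix = new ArrayList<String>();
        for (String pluginName : this.service.getAuthChain()) {
            NuxeoAuthenticationPlugin plugin = this.service.getPlugin(pluginName);
            if (plugin == null) {
                // Same situation handleRetrieveIdentity reports; do not fail the whole filter on it.
                log.error("Auth plugin " + pluginName + " can not be retrieved from service");
                continue;
            }
            List<String> prefixes = plugin.getUnAuthenticatedURLPrefix();
            if (prefixes != null && !prefixes.isEmpty()) {
                this.unAuthenticatedURLPrefix.addAll(prefixes);
            }
        }
        this.validStartURLs = this.service.getStartURLPatterns();
    }

    /**
     * Remembers, in the HTTP session, the page that was requested before the login
     * prompt so that the user can be redirected to it once authenticated.
     *
     * <p>Only pages accepted by {@link #isStartPageValid} are saved; the default start
     * page is never saved.
     */
    protected void saveRequestedURLBeforeRedirect(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // A session cannot be created once the response is committed.
        HttpSession session = httpServletResponse.isCommitted() ? httpServletRequest.getSession(false) : httpServletRequest.getSession(true);
        if (session == null) {
            return;
        }
        String requestedUrl = pathAfterContext(httpServletRequest);
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null && queryString.length() > 0) {
            // The conversation of the un-authenticated request must not be resumed after login.
            requestedUrl = requestedUrl + '?' + queryString.replace("conversationId", "old_conversationId");
        }
        if (!requestedUrl.equals(DEFAULT_START_PAGE) && isStartPageValid(requestedUrl).booleanValue()) {
            session.setAttribute(START_PAGE_SAVE_KEY, requestedUrl);
        }
    }

    /**
     * Returns and clears the page saved by {@link #saveRequestedURLBeforeRedirect}.
     *
     * @return the saved page, or {@code null} when there is no session or nothing was saved
     */
    protected String getSavedRequestedURL(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session == null) {
            return null;
        }
        String savedPage = (String) session.getAttribute(START_PAGE_SAVE_KEY);
        if (savedPage != null) {
            // One-shot value: consume it so later requests are not redirected again.
            session.removeAttribute(START_PAGE_SAVE_KEY);
        }
        return savedPage;
    }

    /**
     * Tells whether the given page starts with one of the configured start URL patterns.
     *
     * @return {@code false} when no pattern matches or no pattern is configured
     */
    protected Boolean isStartPageValid(String str) {
        if (this.validStartURLs == null) {
            // No pattern configured: refuse to save anything rather than fail the request.
            return false;
        }
        for (String prefix : this.validStartURLs) {
            if (str.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Logs the user out: records the event, invalidates the session, lets the plugin
     * that authenticated the user handle the logout response (or redirects to the
     * default start page) and closes the JAAS login context.
     *
     * @return {@code true} when the response has been handled (by the plugin or by the redirect)
     */
    protected Boolean handleLogout(ServletRequest servletRequest, ServletResponse servletResponse, CachableUserIdentificationInfo cachableUserIdentificationInfo) {
        logLogout(cachableUserIdentificationInfo.getUserInfo());
        try {
            Seam.invalidateSession();
        } catch (IllegalStateException e) {
            // Seam could not invalidate the session: invalidate the HTTP session directly instead.
            HttpSession session = ((HttpServletRequest) servletRequest).getSession(false);
            if (session != null) {
                session.invalidate();
            }
        }
        NuxeoAuthenticationPlugin plugin = this.service.getPlugin(cachableUserIdentificationInfo.getUserInfo().getAuthPluginName());
        boolean handled = false;
        if (plugin instanceof NuxeoAuthenticationPluginLogoutExtension) {
            Boolean pluginResult = ((NuxeoAuthenticationPluginLogoutExtension) plugin).handleLogout((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse);
            // A null answer from the plugin is treated as "not handled".
            handled = Boolean.TRUE.equals(pluginResult);
        }
        if (!handled) {
            try {
                ((HttpServletResponse) servletResponse).sendRedirect(BaseURL.getBaseURL(servletRequest) + DEFAULT_START_PAGE);
                handled = true;
            } catch (IOException e) {
                log.error("Unable to redirect to default start page after logout : " + e.getMessage());
            }
        }
        LoginContext loginContext = cachableUserIdentificationInfo.getLoginContext();
        if (loginContext != null) {
            try {
                loginContext.logout();
            } catch (LoginException e) {
                log.error("Unable to logout " + e.getMessage());
            }
        }
        return handled;
    }

    /**
     * Pushes the authenticated subject, principal and credential on the JBoss
     * security association so that they are propagated to downstream calls.
     *
     * <p>When a login plugin is configured the whole identity object is used as the
     * credential; otherwise the password characters are.
     */
    protected void propagateUserIdentificationInformation(CachableUserIdentificationInfo cachableUserIdentificationInfo) {
        final UserIdentificationInfo userInfo = cachableUserIdentificationInfo.getUserInfo();
        final boolean usesLoginPlugin = userInfo.getLoginPluginName() != null;
        // The password is only needed without a login plugin; reading it lazily avoids a
        // NullPointerException for identities that presumably carry a token and no password.
        final char[] passwordChars = usesLoginPlugin ? null : userInfo.getPassword().toCharArray();
        final Principal principal = cachableUserIdentificationInfo.getPrincipal();
        final Subject subject = cachableUserIdentificationInfo.getLoginContext().getSubject();
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                if (usesLoginPlugin) {
                    SecurityAssociation.pushSubjectContext(subject, principal, userInfo);
                } else {
                    SecurityAssociation.pushSubjectContext(subject, principal, passwordChars);
                }
                return null;
            }
        });
    }

    /**
     * Tells whether the requested page starts with one of the un-authenticated URL prefixes.
     *
     * <p>NOTE(review): the comparison is a plain prefix match on the path taken from
     * {@code getRequestURI()}, which the container neither decodes nor normalizes.
     * Confirm that the resource finally served is resolved from the same form of the
     * path, so that a request matching a public prefix cannot designate a protected resource.
     */
    protected boolean bypassAuth(HttpServletRequest httpServletRequest) {
        String requestedPage = getRequestedPage(httpServletRequest);
        for (String prefix : this.unAuthenticatedURLPrefix) {
            if (requestedPage.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the request URI relative to the context path (without the leading slash).
     *
     * @return the relative page, or an empty string when the URI is the bare context path
     */
    protected String getRequestedPage(HttpServletRequest httpServletRequest) {
        return pathAfterContext(httpServletRequest);
    }

    /**
     * Strips {@code contextPath + '/'} from the request URI. A URI no longer than
     * that prefix (for instance the bare context path, without trailing slash) yields
     * an empty string instead of a StringIndexOutOfBoundsException.
     */
    private static String pathAfterContext(HttpServletRequest httpServletRequest) {
        String requestURI = httpServletRequest.getRequestURI();
        int prefixLength = (httpServletRequest.getContextPath() + '/').length();
        if (requestURI.length() <= prefixLength) {
            return "";
        }
        return requestURI.substring(prefixLength);
    }

    /**
     * Delegates the login prompt to the first plugin of the chain that needs one,
     * saving the requested URL first when the plugin descriptor asks for it.
     *
     * @param bool not read by this implementation
     * @return the plugin's answer, or {@code false} when no plugin needs a login prompt
     */
    protected boolean handleLoginPrompt(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Boolean bool) {
        String baseURL = BaseURL.getBaseURL(httpServletRequest);
        for (String pluginName : this.service.getAuthChain()) {
            NuxeoAuthenticationPlugin plugin = this.service.getPlugin(pluginName);
            if (plugin == null) {
                // Same situation handleRetrieveIdentity reports; try the next plugin of the chain.
                log.error("Auth plugin " + pluginName + " can not be retrieved from service");
                continue;
            }
            AuthenticationPluginDescriptor descriptor = this.service.getDescriptor(pluginName);
            if (plugin.needLoginPrompt(httpServletRequest).booleanValue()) {
                if (descriptor.getNeedStartingURLSaving().booleanValue()) {
                    saveRequestedURLBeforeRedirect(httpServletRequest, httpServletResponse);
                }
                return plugin.handleLoginPrompt(httpServletRequest, httpServletResponse, baseURL).booleanValue();
            }
        }
        log.error("No auth plugin can be found to do the Login Prompt");
        return false;
    }

    /**
     * Asks each plugin of the chain, in order, to extract an identity from the request
     * and stops at the first valid one. When no plugin provides a valid identity, falls
     * back to the identity cached in the session; that cached entry then has its
     * principal cleared.
     *
     * @return the identity found, the last (invalid) answer of the plugins when nothing
     *         valid was found, or {@code null}
     */
    protected UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        UserIdentificationInfo userIdentificationInfo = null;
        for (String pluginName : this.service.getAuthChain()) {
            NuxeoAuthenticationPlugin plugin = this.service.getPlugin(pluginName);
            if (plugin == null) {
                log.error("Auth plugin " + pluginName + " can not be retrieved from service");
                continue;
            }
            log.debug("Trying to retrieve userIndetification using plugin " + pluginName);
            userIdentificationInfo = plugin.handleRetrieveIdentity(httpServletRequest, httpServletResponse);
            if (userIdentificationInfo != null && userIdentificationInfo.containsValidIdentity().booleanValue()) {
                userIdentificationInfo.setAuthPluginName(pluginName);
                userIdentificationInfo.setLoginPluginName(this.service.getDescriptor(pluginName).getLoginModulePlugin());
                userIdentificationInfo.setLoginParameters(this.service.getDescriptor(pluginName).getParameters());
                break;
            }
        }
        if (userIdentificationInfo == null || !userIdentificationInfo.containsValidIdentity().booleanValue()) {
            log.debug("user/password not found in request, try into identity cache");
            CachableUserIdentificationInfo cachedIdentity = httpServletRequest.getSession(false) != null ? retrieveIdentityFromCache(httpServletRequest) : null;
            // doFilter reaches this method when the cached entry has no user info, so that
            // case must be tolerated here instead of being dereferenced.
            if (cachedIdentity != null && cachedIdentity.getUserInfo() != null) {
                // Only the user name is logged: the password must never reach the logs.
                log.debug("Found User identity in cache :" + cachedIdentity.getUserInfo().getUserName());
                userIdentificationInfo = new UserIdentificationInfo(cachedIdentity.getUserInfo());
                cachedIdentity.setPrincipal(null);
            }
        } else {
            log.debug("User/Password found as parameter of the request");
        }
        return userIdentificationInfo;
    }
}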
