package org.osivia.portal.identity.sso.cas;

import edu.yale.its.tp.cas.client.CASAuthenticationException;
import edu.yale.its.tp.cas.client.CASReceipt;
import edu.yale.its.tp.cas.client.ProxyTicketValidator;
import edu.yale.its.tp.cas.client.Util;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.log4j.Logger;
import org.jboss.portal.identity.helper.IdentityTools;
import org.osivia.portal.api.customization.CustomizationContext;
import org.osivia.portal.api.locator.Locator;
import org.osivia.portal.core.customization.ICustomizationService;

/* loaded from: input_file:org/osivia/portal/identity/sso/cas/CASAuthenticationValve.class */
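/**
 * Catalina valve that performs CAS single sign-on (Yale CAS client) for the portal.
 * <p>
 * On every request it (1) redirects unauthenticated requests to a secured URI to the CAS login
 * page, (2) validates a {@code ticket} request parameter against the CAS validate URL and, on
 * success, stores the {@link CASReceipt} in the HTTP session and registers the principal returned
 * by the container realm on the request and the Catalina session, then (3) always delegates to the
 * next valve. A rejected ticket is logged but does not block the request: it simply continues
 * unauthenticated.
 * <p>
 * Configuration is injected through the JavaBean setters (casLogin, casValidate, ...). One instance
 * serves concurrent requests; the only mutable state touched at request time is the lazily built
 * secured-URL set, which is published once fully built.
 */
public class CASAuthenticationValve extends ValveBase {
    /** Default ports left out of the {@code host:port} service name built by {@link #getService}. */
    private static final int HTTPS_PORT = 443;
    private static final int HTTP_PORT = 80;
    private static final String UTF_8 = "UTF-8";
    /**
     * Request header through which a front web server passes the externally visible service URL.
     * Its value is trusted as-is, so the front server must set it and strip any client-supplied copy.
     */
    public static final String VIRTUAL_HOST_REQUEST_HEADER = "osivia-virtual-host";
    private static final String SEP = ":";
    private static final Logger log = Logger.getLogger("valve");
    // Init-parameter names of the Yale CAS servlet filter; not read by this class itself.
    public static final String LOGIN_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.loginUrl";
    public static final String VALIDATE_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.validateUrl";
    public static final String SERVICE_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.serviceUrl";
    public static final String SERVERNAME_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.serverName";
    public static final String RENEW_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.renew";
    public static final String AUTHORIZED_PROXY_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.authorizedProxy";
    public static final String PROXY_CALLBACK_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.proxyCallbackUrl";
    public static final String WRAP_REQUESTS_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.wrapRequest";
    public static final String GATEWAY_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.gateway";
    /** HTTP session attribute holding the authenticated CAS user name. */
    public static final String CAS_FILTER_USER = "edu.yale.its.tp.cas.client.filter.user";
    /** HTTP session attribute holding the validated {@link CASReceipt}. */
    public static final String CAS_FILTER_RECEIPT = "edu.yale.its.tp.cas.client.filter.receipt";

    // CAS login page URL; target of redirectToCAS().
    private String casLogin;
    // Exposed through getter/setter only; not used by this valve.
    private String casLogout;
    // CAS ticket validation URL handed to the ProxyTicketValidator.
    private String casValidate;
    // Fixed service URL; when set it takes precedence over anything derived from the request.
    private String casServiceUrl;
    // Configured server name; only consulted when the request reports no server name.
    private String casServerName;
    // Optional proxy callback URL forwarded to the validator when non-null.
    private String casProxyCallbackUrl;
    // No setter in this class: stays false unless set by other means.
    private boolean casRenew;
    // Lazily built by getSecuredUrlPatterns(); volatile so a fully built set is visible to all threads.
    private volatile Set<String> urlPatterns;
    // JVM file.encoding, applied as request character encoding in invoke().
    private String fileEncoding;
    // Forwarded to ProxyTicketValidator.setBrokenSecurityMode(); presumably relaxes its checks —
    // confirm what it disables before enabling it outside development.
    private Boolean brokenSecurityMode = Boolean.FALSE;
    // Not used by this valve.
    private final boolean casGateway = false;
    // Never populated in this class, so isReceiptAcceptable() rejects every proxied receipt.
    private final List<String> authorizedProxies = new ArrayList<String>();
    // Auth type recorded on the request and Catalina session by register().
    private String authType = null;
    private ICustomizationService customizationService = (ICustomizationService) Locator.findMBean(ICustomizationService.class, "osivia:service=CustomizationService");

    /** Creates the valve; the request character encoding is taken from the JVM {@code file.encoding}. */
    public CASAuthenticationValve() {
        // null when the system property is unset; invoke() then leaves the request encoding alone.
        this.fileEncoding = System.getProperty("file.encoding");
    }

    /** @return the CAS login page URL */
    public String getCasLogin() {
        return this.casLogin;
    }

    /** @param str the CAS login page URL */
    public void setCasLogin(String str) {
        this.casLogin = str;
    }

    /** @return the CAS logout URL (not used by this valve) */
    public String getCasLogout() {
        return this.casLogout;
    }

    /** @param str the CAS logout URL */
    public void setCasLogout(String str) {
        this.casLogout = str;
    }

    /** @return the configured fallback server name */
    public String getCasServerName() {
        return this.casServerName;
    }

    /** @param str the fallback server name used by {@link #getService} */
    public void setCasServerName(String str) {
        this.casServerName = str;
    }

    /** @return the CAS ticket validation URL */
    public String getCasValidate() {
        return this.casValidate;
    }

    /** @param str the CAS ticket validation URL */
    public void setCasValidate(String str) {
        this.casValidate = str;
    }

    /** @return the auth type recorded on authenticated requests and sessions */
    public String getAuthType() {
        return this.authType;
    }

    /** @param str the auth type recorded on authenticated requests and sessions */
    public void setAuthType(String str) {
        this.authType = str;
    }

    /** @return the fixed service URL, or {@code null} when it is derived from the request */
    public String getCasServiceUrl() {
        return this.casServiceUrl;
    }

    /** @param str the fixed service URL; overrides the request-derived one when non-null */
    public void setCasServiceUrl(String str) {
        this.casServiceUrl = str;
    }

    /** @return the proxy callback URL forwarded to the ticket validator, or {@code null} */
    public String getCasProxyCallbackUrl() {
        return this.casProxyCallbackUrl;
    }

    /** @param str the proxy callback URL forwarded to the ticket validator */
    public void setCasProxyCallbackUrl(String str) {
        this.casProxyCallbackUrl = str;
    }

    /** @return whether the validator's "broken security mode" is enabled */
    public Boolean getBrokenSecurityMode() {
        return this.brokenSecurityMode;
    }

    /** @param bool whether to enable the validator's "broken security mode" */
    public void setBrokenSecurityMode(Boolean bool) {
        this.brokenSecurityMode = bool;
    }

    /**
     * Performs the CAS authentication steps for this request and then invokes the next valve.
     * <p>
     * A request to a secured URI without a {@code ticket} parameter and without an authenticated
     * CAS user in the session is redirected to CAS and processed no further. A request carrying a
     * {@code ticket} for a not-yet-authenticated session has the ticket validated; on success the
     * user is bound to the session and request. Any other request passes straight through.
     *
     * @param request current request
     * @param response current response
     * @throws IOException propagated from the redirect or the next valve
     * @throws ServletException when the service URL cannot be built, or from the next valve
     */
    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        HttpSession session = request.getSession();
        request.setAttribute("ssoEnabled", "true");
        if (this.fileEncoding != null) {
            request.setCharacterEncoding(this.fileEncoding);
        }
        // Read the parameter only after the character encoding has been applied.
        String ticket = request.getParameter("ticket");
        boolean alreadyAuthenticated = session.getAttribute(CAS_FILTER_USER) != null;

        if (isSecuredURI(request.getRequestURI()) && ticket == null && !alreadyAuthenticated) {
            redirectToCAS(request, response);
            return;
        }
        if (ticket != null && !alreadyAuthenticated) {
            CASReceipt receipt = null;
            try {
                receipt = getAuthenticatedUser(request);
            } catch (CASAuthenticationException e) {
                // A rejected ticket is security-relevant: record it regardless of the debug level.
                log.error("Authentification failed", e);
            }
            // A null receipt (validation failed or returned nothing) leaves the request unauthenticated
            // instead of reaching isReceiptAcceptable(), which rejects null with an exception.
            if (receipt != null && isReceiptAcceptable(receipt)) {
                bindAuthenticatedUser(request, response, session, receipt);
            }
        }
        getNext().invoke(request, response);
    }

    /**
     * Success path of a ticket validation: stores the CAS state in the HTTP session, invokes the
     * customization service with the {@code osivia.customizer.feeder.id} identifier, and registers
     * the principal obtained from the container realm.
     *
     * @param request current request
     * @param response current response
     * @param session HTTP session of the request
     * @param receipt validated, acceptable CAS receipt
     */
    private void bindAuthenticatedUser(Request request, Response response, HttpSession session, CASReceipt receipt) {
        String userName = receipt.getUserName();
        session.setAttribute(CAS_FILTER_USER, userName);
        session.setAttribute(CAS_FILTER_RECEIPT, receipt);
        // Raw CAS validation response, placed on the request by getAuthenticatedUser().
        session.setAttribute("edu.yale.its.tp.cas.client.filter.response", (String) request.getAttribute("casresponse"));
        request.setAttribute("ssoSuccess", Boolean.TRUE);
        HashMap<String, Object> attributes = new HashMap<String, Object>();
        attributes.put("request", request);
        this.customizationService.customize("osivia.customizer.feeder.id", new CustomizationContext(attributes));
        // The CAS ticket already proved the identity, so the realm is queried without a password.
        Principal principal = this.container.getRealm().authenticate(userName, (String) null);
        if (principal != null) {
            register(request, response, principal, this.authType, userName, (String) null);
        }
        // NOTE(review): the HTTP session id is not renewed here after authentication; confirm the
        // container does it elsewhere, otherwise the pre-login session id stays valid (session fixation).
    }

    /**
     * Records the authenticated principal on the request and on the Catalina session, if one exists.
     *
     * @param request current request
     * @param response current response (unused, kept for symmetry with the container authenticators)
     * @param principal authenticated principal
     * @param authType auth type to record
     * @param username user name stored as a session note, or {@code null} to clear it
     * @param password password stored as a session note, or {@code null} to clear it
     */
    private void register(Request request, Response response, Principal principal, String authType, String username, String password) {
        request.setAuthType(authType);
        request.setUserPrincipal(principal);
        Session catalinaSession = request.getSessionInternal(false);
        if (catalinaSession == null) {
            return;
        }
        catalinaSession.setAuthType(authType);
        catalinaSession.setPrincipal(principal);
        setOrRemoveNote(catalinaSession, "org.apache.catalina.session.USERNAME", username);
        setOrRemoveNote(catalinaSession, "org.apache.catalina.session.PASSWORD", password);
    }

    /** Sets the session note when {@code value} is non-null, otherwise removes it. */
    private static void setOrRemoveNote(Session catalinaSession, String name, String value) {
        if (value != null) {
            catalinaSession.setNote(name, value);
        } else {
            catalinaSession.removeNote(name);
        }
    }

    /**
     * Decides whether a validated receipt may authenticate the user.
     * <p>
     * When renew is required the receipt must come from a primary authentication; a proxied receipt
     * is only accepted when its proxying service is in {@code authorizedProxies}.
     *
     * @param receipt validated receipt
     * @return {@code true} when the receipt is acceptable
     * @throws IllegalArgumentException when {@code receipt} is {@code null}
     */
    private boolean isReceiptAcceptable(CASReceipt receipt) {
        if (receipt == null) {
            throw new IllegalArgumentException("Cannot evaluate a null receipt.");
        }
        if (this.casRenew && !receipt.isPrimaryAuthentication()) {
            return false;
        }
        return !receipt.isProxied() || this.authorizedProxies.contains(receipt.getProxyingService());
    }

    /**
     * Validates the request's {@code ticket} parameter against the CAS validate URL.
     * <p>
     * The raw validation response is stored on the request under the {@code casresponse} attribute.
     *
     * @param httpServletRequest request carrying the ticket
     * @return the receipt built from the validation response
     * @throws ServletException when the service URL cannot be built
     * @throws CASAuthenticationException when CAS rejects the ticket
     */
    private CASReceipt getAuthenticatedUser(HttpServletRequest httpServletRequest) throws ServletException, CASAuthenticationException {
        ProxyTicketValidator validator = new ProxyTicketValidator();
        validator.setCasValidateUrl(this.casValidate);
        validator.setServiceTicket(httpServletRequest.getParameter("ticket"));
        validator.setService(getService(httpServletRequest));
        validator.setRenew(this.casRenew);
        if (this.casProxyCallbackUrl != null) {
            validator.setProxyCallbackUrl(this.casProxyCallbackUrl);
        }
        if (log.isDebugEnabled()) {
            // The validator's toString() may include the service ticket; keep this at debug level.
            log.debug("getAuthenticatedUser -> try to validate the ticket " + validator.toString());
        }
        if (this.brokenSecurityMode.booleanValue()) {
            validator.setBrokenSecurityMode(true);
        }
        CASReceipt receipt = CASReceipt.getReceipt(validator);
        httpServletRequest.setAttribute("casresponse", validator.getResponse());
        return receipt;
    }

    /**
     * Redirects the client to the CAS login page with the {@code service} (and {@code renew}) query
     * parameters.
     *
     * @throws IOException from the redirect
     * @throws ServletException when the service URL cannot be built
     */
    private void redirectToCAS(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        String renew = this.casRenew ? "&renew=true" : "";
        httpServletResponse.sendRedirect(this.casLogin + "?service=" + getService(httpServletRequest) + renew);
    }

    /**
     * Builds the URL-encoded CAS {@code service} value for this request.
     * <p>
     * Resolution order: the configured {@code casServiceUrl}; otherwise the
     * {@value #VIRTUAL_HOST_REQUEST_HEADER} request header; otherwise a URL derived from the request
     * server name and non-default port; otherwise the configured {@code casServerName}. The header
     * value is used unchecked, so it must originate from the front web server, not the client, since
     * it ends up both in the login redirect and in the service the ticket is validated for.
     *
     * @param httpServletRequest current request
     * @return the encoded service value
     * @throws ServletException when neither casServiceUrl nor casServerName is configured, or
     *         UTF-8 encoding is unavailable
     */
    private String getService(HttpServletRequest httpServletRequest) throws ServletException {
        if (log.isDebugEnabled()) {
            log.debug("redirectToCAS -> entering getService...");
        }
        String virtualHost = httpServletRequest.getHeader(VIRTUAL_HOST_REQUEST_HEADER);
        String serverName = httpServletRequest.getServerName();
        int port = httpServletRequest.getServerPort();
        // Append the port unless it is the protocol default; guarded so a missing server name
        // falls through to the casServerName branch below instead of failing here.
        if (serverName != null && port != HTTP_PORT && port != HTTPS_PORT) {
            serverName = serverName.concat(SEP).concat(Integer.toString(port));
        }
        if (this.casServerName == null && this.casServiceUrl == null) {
            throw new ServletException("need one of the following configuration parameters: edu.yale.its.tp.cas.client.filter.serviceUrl or edu.yale.its.tp.cas.client.filter.serverName");
        }
        try {
            String service;
            if (this.casServiceUrl != null) {
                service = URLEncoder.encode(this.casServiceUrl, UTF_8);
                if (log.isDebugEnabled()) {
                    log.debug("use the given string casServiceUrl : " + service);
                }
            } else if (virtualHost != null) {
                service = URLEncoder.encode(virtualHost, UTF_8);
                if (log.isDebugEnabled()) {
                    log.debug("use the url given by front web server: " + service);
                }
            } else if (serverName != null) {
                service = Util.getService(httpServletRequest, serverName);
                if (log.isDebugEnabled()) {
                    log.debug("try to build service url with the request : " + service);
                }
            } else {
                // Only reached when the request reports no server name — TODO confirm this is intended,
                // as casServerName is otherwise never used to build the URL.
                service = Util.getService(httpServletRequest, this.casServerName);
                if (log.isDebugEnabled()) {
                    log.debug("default case, return our best guess at the service : " + service);
                }
            }
            return service;
        } catch (UnsupportedEncodingException e) {
            throw new ServletException(e);
        }
    }

    /**
     * Tells whether the request URI falls under one of the secured URL patterns.
     * <p>
     * This is a substring test: a pattern occurring anywhere in the URI matches, and the {@code /}
     * left over from a {@code /*} pattern matches every URI.
     *
     * @param uri request URI
     * @return {@code true} when some pattern occurs in the URI
     */
    private boolean isSecuredURI(String uri) {
        Set<String> securedUrlPatterns = getSecuredUrlPatterns();
        if (log.isDebugEnabled()) {
            log.debug("Checking if requested uri '" + uri + "' matches secured url patterns: " + securedUrlPatterns);
        }
        for (String pattern : securedUrlPatterns) {
            if (uri.indexOf(pattern) != -1) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the secured URL patterns of the container with every {@code *} removed, building the
     * set on first use.
     * <p>
     * The set is assigned to the field only once fully built, so concurrent requests never observe
     * a partially stripped set. The returned set is the internal one and should not be modified.
     *
     * @return the stripped secured URL patterns
     */
    public Set<String> getSecuredUrlPatterns() {
        Set<String> patterns = this.urlPatterns;
        if (patterns == null) {
            Set securedUrls = IdentityTools.findSecuredURLs(this.container);
            patterns = new HashSet<String>();
            for (Iterator it = securedUrls.iterator(); it.hasNext();) {
                patterns.add(((String) it.next()).replaceAll("\\*", ""));
            }
            this.urlPatterns = patterns;
        }
        return patterns;
    }
}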
