package org.apache.knox.gateway.pac4j.filter;

import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.pac4j.Pac4jMessages;
import org.apache.knox.gateway.pac4j.config.ClientConfigurationDecorator;
import org.apache.knox.gateway.pac4j.config.Pac4jClientConfigurationDecorator;
import org.apache.knox.gateway.pac4j.session.KnoxSessionStore;
import org.apache.knox.gateway.services.GatewayServices;
import org.apache.knox.gateway.services.ServiceType;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.services.security.CryptoService;
import org.apache.knox.gateway.services.security.KeystoreService;
import org.apache.knox.gateway.services.security.MasterService;
import org.pac4j.config.client.PropertiesConfigFactory;
import org.pac4j.core.client.Client;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.session.JEESessionStore;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.http.client.indirect.IndirectBasicAuthClient;
import org.pac4j.http.credentials.authenticator.test.SimpleTestUsernamePasswordAuthenticator;
import org.pac4j.jee.filter.CallbackFilter;
import org.pac4j.jee.filter.SecurityFilter;
import org.pac4j.oidc.client.AzureAdClient;
import org.pac4j.saml.client.SAML2Client;

/* loaded from: input_file:org/apache/knox/gateway/pac4j/filter/Pac4jDispatcherFilter.class */
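/**
 * Front filter for pac4j-based federation in Knox.
 *
 * <p>{@link #init(FilterConfig)} builds a pac4j {@link Config} from the filter's init
 * parameters (plus SAML keystore defaults) and wires two pac4j filters around it:
 * a {@link CallbackFilter} that consumes the identity provider's response and a
 * {@link SecurityFilter} that enforces authentication. {@link #doFilter} routes each
 * request to one of the two, depending on whether it looks like an IdP callback.
 *
 * <p>Security-relevant behaviour a deployer should know about:
 * <ul>
 *   <li>Init-parameter values written as {@code ${ALIAS=name}} are replaced by the
 *       secret stored under that alias for the current cluster, so credentials need
 *       not be written into the topology in clear text. Resolution fails closed: an
 *       unresolvable alias aborts filter initialisation.</li>
 *   <li>{@code clientName=testBasicAuth} installs pac4j's test-package authenticator
 *       ({@link SimpleTestUsernamePasswordAuthenticator}); it is not a real credential
 *       check and must never be enabled on a production topology.</li>
 *   <li>By default session state is kept in an encrypted {@link KnoxSessionStore}
 *       cookie; {@code pac4j.session.store} can switch to the servlet-container
 *       session ({@link JEESessionStore}).</li>
 * </ul>
 */
public class Pac4jDispatcherFilter implements Filter {
    /** Init-parameter values of the form {@code ${ALIAS=name}} are resolved through the AliasService. */
    private static final String ALIAS_PREFIX = "${ALIAS=";
    private static final String ALIAS_SUFFIX = "}";
    private static final Pac4jMessages log = (Pac4jMessages) MessagesFactory.get(Pac4jMessages.class);
    private static final ClientConfigurationDecorator PAC4J_CLIENT_CONFIGURATION_DECORATOR = new Pac4jClientConfigurationDecorator();
    /** Special clientName that wires a test-only basic-auth client; see class Javadoc. */
    public static final String TEST_BASIC_AUTH = "testBasicAuth";
    public static final String PAC4J_CALLBACK_URL = "pac4j.callbackUrl";
    /** Query parameter (or path segment, for Azure AD) that marks a request as an IdP callback. */
    public static final String PAC4J_CALLBACK_PARAMETER = "pac4jCallback";
    public static final String PAC4J_OICD_TYPE_AZURE = "azure";
    public static final String URL_PATH_SEPARATOR = "/";
    private static final String PAC4J_COOKIE_DOMAIN_SUFFIX_PARAM = "pac4j.cookie.domain.suffix";
    private static final String PAC4J_CONFIG = "pac4j.config";
    private static final String PAC4J_SESSION_STORE = "pac4j.session.store";
    public static final String PAC4J_SESSION_STORE_EXCLUDE_GROUPS = "pac4j.session.store.exclude.groups";
    public static final String PAC4J_SESSION_STORE_EXCLUDE_ROLES = "pac4j.session.store.exclude.roles";
    public static final String PAC4J_SESSION_STORE_EXCLUDE_PERMISSIONS = "pac4j.session.store.exclude.permissions";
    public static final String PAC4J_SESSION_STORE_EXCLUDE_GROUPS_DEFAULT = "true";
    public static final String PAC4J_SESSION_STORE_EXCLUDE_ROLES_DEFAULT = "true";
    public static final String PAC4J_SESSION_STORE_EXCLUDE_PERMISSIONS_DEFAULT = "true";
    private static final String PAC4J_CLIENT_NAME_PARAM = "clientName";
    private static final String PAC4J_OIDC_TYPE = "oidc.type";

    private CallbackFilter callbackFilter;
    private SecurityFilter securityFilter;
    private MasterService masterService;
    private KeystoreService keystoreService;
    private AliasService aliasService;
    /** Options handed to {@link KnoxSessionStore}; only populated on the non-test path of {@link #init}. */
    private final Map<String, String> sessionStoreConfigs = new HashMap<String, String>();

    /**
     * Builds the pac4j configuration and the wrapped callback/security filters.
     *
     * @param filterConfig the servlet filter configuration; its servlet context must carry the
     *                     gateway services and cluster name attributes set by Knox
     * @throws ServletException if a required service or parameter is missing, if no pac4j client
     *                          could be built, if an {@code ${ALIAS=...}} reference cannot be
     *                          resolved, or if the pac4j password alias cannot be provisioned
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        ServletContext servletContext = filterConfig.getServletContext();
        CryptoService cryptoService = null;
        String clusterName = null;
        if (servletContext != null) {
            GatewayServices services = (GatewayServices) servletContext.getAttribute("org.apache.knox.gateway.gateway.services");
            clusterName = (String) servletContext.getAttribute("org.apache.knox.gateway.gateway.cluster");
            if (services != null) {
                keystoreService = (KeystoreService) services.getService(ServiceType.KEYSTORE_SERVICE);
                cryptoService = (CryptoService) services.getService(ServiceType.CRYPTO_SERVICE);
                aliasService = (AliasService) services.getService(ServiceType.ALIAS_SERVICE);
                masterService = (MasterService) services.getService(ServiceType.MASTER_SERVICE);
            }
        }
        if (cryptoService == null || aliasService == null || clusterName == null) {
            log.cryptoServiceAndAliasServiceAndClusterNameRequired();
            throw new ServletException("The crypto service, alias service and cluster name are required.");
        }
        try {
            // Make sure the per-cluster pac4j password alias exists (generate=true) before the
            // session store that encrypts cookies with it is created.
            aliasService.getPasswordFromAliasForCluster(clusterName, KnoxSessionStore.PAC4J_PASSWORD, true);

            String callbackUrl = filterConfig.getInitParameter(PAC4J_CALLBACK_URL);
            if (callbackUrl == null) {
                log.ssoAuthenticationProviderUrlRequired();
                throw new ServletException("Required pac4j callback URL is missing.");
            }
            String clientName = filterConfig.getInitParameter(PAC4J_CLIENT_NAME_PARAM);
            if (clientName == null) {
                log.clientNameParameterRequired();
                throw new ServletException("Required pac4j clientName parameter is missing.");
            }
            String oidcType = filterConfig.getInitParameter(PAC4J_OIDC_TYPE);
            String effectiveCallbackUrl = buildCallbackUrl(callbackUrl, clientName, oidcType);

            Config config;
            String securityClientName;
            if (TEST_BASIC_AUTH.equalsIgnoreCase(clientName)) {
                // WARNING: SimpleTestUsernamePasswordAuthenticator comes from pac4j's ".test" package and
                // is not a real credential check. This branch is for local testing only.
                IndirectBasicAuthClient testClient = new IndirectBasicAuthClient(new SimpleTestUsernamePasswordAuthenticator());
                testClient.setRealmName("Knox TEST");
                config = new Config(effectiveCallbackUrl, testClient);
                securityClientName = "IndirectBasicAuthClient";
            } else {
                Map<String, String> properties = new HashMap<String, String>();
                // SAML keystore defaults go in first so that explicit init parameters override them.
                addDefaultConfig(clientName, properties);
                Enumeration<String> paramNames = filterConfig.getInitParameterNames();
                while (paramNames.hasMoreElements()) {
                    String paramName = paramNames.nextElement();
                    properties.put(paramName, resolveAlias(clusterName, paramName, filterConfig.getInitParameter(paramName)));
                }
                // NOTE(security): resolved alias values and the SAML passwords now live as Strings in
                // this map and in the pac4j Config; they cannot be zeroed after use.
                config = new PropertiesConfigFactory(effectiveCallbackUrl, properties).build();
                List<Client> clients = config.getClients().getClients();
                if (clients == null || clients.isEmpty()) {
                    log.atLeastOnePac4jClientMustBeDefined();
                    throw new ServletException("At least one pac4j client must be defined.");
                }
                securityClientName = CommonHelper.isBlank(clientName) ? clients.get(0).getName() : clientName;
                setSessionStoreConfig(filterConfig, PAC4J_SESSION_STORE_EXCLUDE_GROUPS, PAC4J_SESSION_STORE_EXCLUDE_GROUPS_DEFAULT);
                setSessionStoreConfig(filterConfig, PAC4J_SESSION_STORE_EXCLUDE_ROLES, PAC4J_SESSION_STORE_EXCLUDE_ROLES_DEFAULT);
                setSessionStoreConfig(filterConfig, PAC4J_SESSION_STORE_EXCLUDE_PERMISSIONS, PAC4J_SESSION_STORE_EXCLUDE_PERMISSIONS_DEFAULT);
                PAC4J_CLIENT_CONFIGURATION_DECORATOR.decorateClients(clients, properties);
            }

            callbackFilter = new CallbackFilter();
            callbackFilter.init(filterConfig);
            callbackFilter.setConfigOnly(config);

            securityFilter = new SecurityFilter();
            securityFilter.setClients(securityClientName);
            securityFilter.setConfigOnly(config);

            String cookieDomainSuffix = filterConfig.getInitParameter(PAC4J_COOKIE_DOMAIN_SUFFIX_PARAM);
            String sessionStoreType = filterConfig.getInitParameter(PAC4J_SESSION_STORE);
            // NOTE(review): this is a substring match against the JEESessionStore class name, so any
            // fragment of "org.pac4j.core.context.session.JEESessionStore" selects the servlet session.
            boolean useServletSession = !StringUtils.isBlank(sessionStoreType)
                    && JEESessionStore.class.getName().contains(sessionStoreType);
            config.setSessionStore(useServletSession
                    ? new JEESessionStore()
                    : new KnoxSessionStore(cryptoService, clusterName, cookieDomainSuffix, sessionStoreConfigs));
        } catch (AliasServiceException e) {
            log.unableToGenerateAPasswordForEncryption(e);
            throw new ServletException("Unable to generate a password for encryption.", e);
        }
    }

    /**
     * Derives the URL pac4j registers as its callback. Azure AD (selected either by client name or
     * by {@code oidc.type=azure}) gets the marker as a trailing path segment; every other client
     * gets it as a {@code pac4jCallback=true} query parameter.
     */
    private static String buildCallbackUrl(String callbackUrl, String clientName, String oidcType) {
        boolean azure = AzureAdClient.class.getSimpleName().equals(clientName)
                || PAC4J_OICD_TYPE_AZURE.equals(oidcType);
        if (azure) {
            return callbackUrl + URL_PATH_SEPARATOR + PAC4J_CALLBACK_PARAMETER;
        }
        return CommonHelper.addParameter(callbackUrl, PAC4J_CALLBACK_PARAMETER, "true");
    }

    /**
     * Records a session-store option, using {@code defaultValue} when the init parameter is absent.
     */
    private void setSessionStoreConfig(FilterConfig filterConfig, String key, String defaultValue) {
        String configured = filterConfig.getInitParameter(key);
        sessionStoreConfigs.put(key, configured == null ? defaultValue : configured);
    }

    /**
     * Resolves an {@code ${ALIAS=name}} init-parameter value to the secret stored under that alias
     * for the given cluster. Any other value (including {@code null}) is returned unchanged.
     *
     * @param clusterName cluster whose alias store is consulted
     * @param paramName   init-parameter name, used only for the error message
     * @param value       raw init-parameter value
     * @throws ServletException if the alias store cannot be read or yields no secret for the alias
     */
    private String resolveAlias(String clusterName, String paramName, String value) throws ServletException {
        if (value == null || !value.startsWith(ALIAS_PREFIX) || !value.endsWith(ALIAS_SUFFIX)) {
            return value;
        }
        String alias = value.substring(ALIAS_PREFIX.length(), value.length() - ALIAS_SUFFIX.length());
        try {
            char[] secret = aliasService.getPasswordFromAliasForCluster(clusterName, alias);
            // Fail closed with a clear message rather than letting a missing alias surface as an NPE
            // (or, worse, as a blank credential).
            if (secret == null) {
                throw new ServletException("Unable to retrieve alias for config: " + paramName);
            }
            return new String(secret);
        } catch (AliasServiceException e) {
            throw new ServletException("Unable to retrieve alias for config: " + paramName, e);
        }
    }

    /**
     * For SAML clients, seeds the pac4j properties with the gateway identity keystore location and
     * passwords. Each password is taken from its alias and falls back to the master secret when
     * the alias is not provisioned.
     *
     * @param clientName configured pac4j client name
     * @param properties pac4j property map to populate (values are plain Strings)
     */
    private void addDefaultConfig(String clientName, Map<String, String> properties) {
        if (!clientName.contains(SAML2Client.class.getSimpleName())) {
            return;
        }
        properties.put("saml.keystorePath", keystoreService.getKeystorePath());
        properties.put("saml.keystorePassword", new String(keystorePassword()));
        properties.put("saml.privateKeyPassword", new String(privateKeyPassphrase()));
    }

    /** Gateway identity keystore password from its alias, else the master secret. */
    private char[] keystorePassword() {
        char[] password = null;
        try {
            password = aliasService.getGatewayIdentityKeystorePassword();
        } catch (AliasServiceException e) {
            log.noKeystorePasswordProvisioned(e);
        }
        // The returned arrays are deliberately not zeroed: the master secret may be a shared buffer.
        return password != null ? password : masterService.getMasterSecret();
    }

    /** Gateway identity private-key passphrase from its alias, else the master secret. */
    private char[] privateKeyPassphrase() {
        char[] passphrase = null;
        try {
            passphrase = aliasService.getGatewayIdentityPassphrase();
        } catch (AliasServiceException e) {
            log.noPrivateKeyPasshraseProvisioned(e);
        }
        return passphrase != null ? passphrase : masterService.getMasterSecret();
    }

    /**
     * Routes the request: IdP callbacks go to the pac4j {@link CallbackFilter}, everything else to
     * the {@link SecurityFilter}. The shared pac4j config is exposed on the request under
     * {@code pac4j.config} for downstream filters.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        request.setAttribute(PAC4J_CONFIG, securityFilter.getSharedConfig());
        if (isCallbackRequest(request)) {
            callbackFilter.doFilter(servletRequest, servletResponse, filterChain);
        } else {
            securityFilter.doFilter(servletRequest, servletResponse, filterChain);
        }
    }

    /**
     * A request is treated as an IdP callback when it carries the {@code pac4jCallback} query
     * parameter or when its URI contains that token.
     *
     * <p>NOTE(review): the URI test is a substring match, so any path containing "pac4jCallback"
     * anywhere, not only as the trailing segment built for Azure AD, is handed to the callback
     * filter instead of the security filter. A stricter match would need to be checked against
     * the Azure callback URL built in {@link #init}.
     */
    private static boolean isCallbackRequest(HttpServletRequest request) {
        if (request.getParameter(PAC4J_CALLBACK_PARAMETER) != null) {
            return true;
        }
        return request.getContextPath() != null
                && request.getRequestURI().contains(PAC4J_CALLBACK_PARAMETER);
    }

    /** Propagates the servlet lifecycle to the wrapped pac4j filters that {@link #init} initialised. */
    @Override
    public void destroy() {
        if (callbackFilter != null) {
            callbackFilter.destroy();
        }
        if (securityFilter != null) {
            securityFilter.destroy();
        }
    }
}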
