package net.handle.server.servletcontainer.auth;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import net.cnri.util.ServletUtil;
import net.cnri.util.StringUtils;
import net.handle.hdllib.AbstractMessage;
import net.handle.hdllib.Util;
import net.handle.server.servletcontainer.HandleServerInterface;
import net.handle.server.servletcontainer.TlsRenegotiationRequestor;
import org.apache.commons.codec.binary.Base64;

/* loaded from: input_file:net/handle/server/servletcontainer/auth/StandardHandleAuthenticationFilter.class */
public class StandardHandleAuthenticationFilter implements Filter {
    // Response header that carries the Basic and Handle authentication challenges written by this filter.
    private static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";
    // Cap on the request entity held in memory before TLS renegotiation. isAsyncTlsRenegotiate compares it with
    // the declared Content-Length; ContentCachingRequestWrapper compares it with the number of characters read.
    private static final int MAX_CACHED_ENTITY_FOR_RENEGOTIATION = 200000;
    // Set in init() from the servlet context; stays null if the context attribute is absent.
    private HandleServerInterface handleServer;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/handle/server/servletcontainer/auth/StandardHandleAuthenticationFilter$ContentCachingRequestWrapper.class */
    /**
     * Request wrapper that reads the whole request body into memory at construction time so it can be
     * handed to {@code TlsRenegotiationRequestor.requestTlsRenegotiation} and read again later.
     *
     * <p>Buffering is bounded: once more than {@code MAX_CACHED_ENTITY_FOR_RENEGOTIATION} characters have
     * been read the copy is abandoned and {@link #isTooLong()} reports {@code true}. The bound is checked
     * after each 4096-character read, so it can be overshot by at most one buffer, and it counts characters,
     * not bytes. Callers must check {@link #isTooLong()} and {@link #isEmpty()} before {@link #getReader()}.
     */
    public static class ContentCachingRequestWrapper extends HttpServletRequestWrapper {
        // Replayable copy of the body; remains null unless a non-empty body was cached completely.
        private BufferedReader reader;
        // True when the body exceeded the cache limit and was not retained.
        private boolean isTooLong;
        // True when the very first read returned no data.
        private boolean empty;

        /**
         * Consumes the body of {@code httpServletRequest} and caches it.
         *
         * @param httpServletRequest the request whose body is buffered
         * @throws IOException if reading the body fails
         */
        public ContentCachingRequestWrapper(HttpServletRequest httpServletRequest) throws IOException {
            super(httpServletRequest);
            // NOTE(review): the parameter name is a dummy; presumably this call forces the container to parse
            // form parameters before the body is drained below, so they stay available afterwards - confirm.
            httpServletRequest.getParameter("foo");
            try {
                BufferedReader body = httpServletRequest.getReader();
                StringWriter cached = new StringWriter();
                char[] chunk = new char[4096];
                int total = 0;
                while (total <= StandardHandleAuthenticationFilter.MAX_CACHED_ENTITY_FOR_RENEGOTIATION) {
                    int count = body.read(chunk);
                    if (count <= 0) {
                        // End of body: either nothing was sent at all, or the copy is complete.
                        if (total == 0) {
                            this.empty = true;
                        } else {
                            this.reader = new BufferedReader(new StringReader(cached.toString()));
                        }
                        return;
                    }
                    cached.write(chunk, 0, count);
                    total += count;
                }
                // Limit exceeded: drop the partial copy rather than keep reading an unbounded body.
                cached.close();
                this.isTooLong = true;
            } catch (IllegalStateException ignored) {
                // Deliberately ignored: leaves reader null, empty false and isTooLong false, so getReader()
                // reports that the entity is unavailable. The message used there suggests the expected cause
                // is a body already consumed as form parameters.
            }
        }

        /**
         * Returns the cached body.
         *
         * @throws IllegalStateException if no body was cached (empty body, body over the limit, or the
         *         underlying reader was unavailable)
         */
        public BufferedReader getReader() throws IOException {
            if (this.reader != null) {
                return this.reader;
            }
            throw new IllegalStateException("Already streamed entity as form parameters");
        }

        /** Reports whether the body exceeded the cache limit and was discarded. */
        public boolean isTooLong() {
            return this.isTooLong;
        }

        /** Reports whether the request carried no body data. */
        public boolean isEmpty() {
            return this.empty;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/handle/server/servletcontainer/auth/StandardHandleAuthenticationFilter$HeaderFixingResponseWrapper.class */
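    /**
     * Response wrapper with two jobs: it keeps {@code Access-Control-Expose-Headers} in step with the
     * headers actually written, and it attaches authentication challenges whenever the status is set to 401.
     *
     * <p>CORS: when the request has an {@code Origin} header, every header written through this wrapper
     * (other than the CORS "simple" response headers and {@code Access-Control-*}) is added to
     * {@code Access-Control-Expose-Headers}. That includes {@code WWW-Authenticate}, which carries the
     * session id and nonce. This class does not set {@code Access-Control-Allow-Origin}; which origins may
     * read the response at all is decided elsewhere.
     *
     * <p>Changes from the decompiled original: tokens taken from an existing
     * {@code Access-Control-Expose-Headers} value are trimmed and blank tokens dropped (a value such as
     * {@code "A, B"} previously stored {@code " B"}, which later produced a duplicate entry), the set is
     * created with its element type, and a branch that could never run was removed.
     */
    public static class HeaderFixingResponseWrapper extends HttpServletResponseWrapper {
        private static final String ACCESS_CONTROL_EXPOSE_HEADERS = "Access-Control-Expose-Headers";
        // Response headers that are never added to the exposed list by isSimpleHeader.
        private static final String[] SIMPLE_RESPONSE_HEADERS = {
            "Cache-Control", "Content-Language", "Content-Type", "Expires", "Last-Modified", "Pragma"
        };
        private final HttpServletRequest request;
        // Null when the request has no Origin header, which switches all expose-header bookkeeping off.
        private final Set<String> exposedHeaders;

        /**
         * @param httpServletRequest request being answered; consulted for Origin, Authorization,
         *        X-Requested-With, isSecure() and the AuthenticationResponse attribute
         * @param httpServletResponse response to wrap
         */
        public HeaderFixingResponseWrapper(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
            super(httpServletResponse);
            this.request = httpServletRequest;
            if (httpServletRequest.getHeader("Origin") == null) {
                this.exposedHeaders = null;
                return;
            }
            this.exposedHeaders = new HashSet<String>();
            this.exposedHeaders.add("Content-Length");
            fixResponseExposeHeaders();
        }

        /**
         * Merges any Access-Control-Expose-Headers values already on the response into the tracked set
         * and rewrites the header as a single comma-separated value.
         */
        private void fixResponseExposeHeaders() {
            Collection<String> existing = getHeaders(ACCESS_CONTROL_EXPOSE_HEADERS);
            if (existing == null) {
                return;
            }
            for (String value : existing) {
                if (value == null || value.isEmpty()) {
                    continue;
                }
                for (String token : value.split(",")) {
                    // List members may be surrounded by optional whitespace; store the bare name.
                    String name = token.trim();
                    if (!name.isEmpty()) {
                        this.exposedHeaders.add(name);
                    }
                }
            }
            // The set always holds at least "Content-Length" here, so there is no empty case to handle.
            super.setHeader(ACCESS_CONTROL_EXPOSE_HEADERS, commify(this.exposedHeaders));
        }

        /** Sets the status and, for 401, adds the authentication challenge headers. */
        public void setStatus(int i) {
            super.setStatus(i);
            addAuthenticateHeaders(i);
        }

        /** Deprecated status-with-message variant; behaves like {@link #setStatus(int)} for 401. */
        @Deprecated
        public void setStatus(int i, String str) {
            super.setStatus(i, str);
            addAuthenticateHeaders(i);
        }

        public void setDateHeader(String str, long j) {
            exposeHeader(str);
            super.setDateHeader(str, j);
        }

        public void addDateHeader(String str, long j) {
            exposeHeader(str);
            super.addDateHeader(str, j);
        }

        public void setHeader(String str, String str2) {
            exposeHeader(str);
            super.setHeader(str, str2);
        }

        public void addHeader(String str, String str2) {
            exposeHeader(str);
            super.addHeader(str, str2);
        }

        public void setIntHeader(String str, int i) {
            exposeHeader(str);
            super.setIntHeader(str, i);
        }

        public void addIntHeader(String str, int i) {
            exposeHeader(str);
            super.addIntHeader(str, i);
        }

        /** Returns true for the response headers listed in SIMPLE_RESPONSE_HEADERS, ignoring case. */
        private boolean isSimpleHeader(String str) {
            for (String simple : SIMPLE_RESPONSE_HEADERS) {
                if (str.equalsIgnoreCase(simple)) {
                    return true;
                }
            }
            return false;
        }

        /**
         * Records {@code str} as an exposed header and rewrites Access-Control-Expose-Headers.
         * Does nothing when the request had no Origin, or for Access-Control-* and simple headers.
         */
        private void exposeHeader(String str) {
            if (this.exposedHeaders == null) {
                return;
            }
            if (str.toLowerCase().startsWith("access-control-") || isSimpleHeader(str)) {
                return;
            }
            this.exposedHeaders.add(str);
            super.setHeader(ACCESS_CONTROL_EXPOSE_HEADERS, commify(this.exposedHeaders));
        }

        /** Joins the given names with "," and no surrounding whitespace. */
        private String commify(Collection<String> collection) {
            StringBuilder joined = new StringBuilder();
            String separator = "";
            for (String name : collection) {
                joined.append(separator).append(name);
                separator = ",";
            }
            return joined.toString();
        }

        /**
         * Adds challenge headers for a 401 response.
         *
         * <p>On a request that is not secure the 401 is replaced by
         * {@code AbstractMessage.RC_AUTHENTICATION_FAILED} (a Handle response code reused as the HTTP status)
         * and no challenge is sent - presumably so credentials are never solicited over a cleartext
         * connection. On a secure request an existing WWW-Authenticate header is left untouched.
         */
        private void addAuthenticateHeaders(int i) {
            if (i != 401) {
                return;
            }
            if (!this.request.isSecure()) {
                super.setStatus(AbstractMessage.RC_AUTHENTICATION_FAILED);
                return;
            }
            if (containsHeader(StandardHandleAuthenticationFilter.WWW_AUTHENTICATE_HEADER)) {
                return;
            }
            if (requestMayWantBasicAuth()) {
                addHeader(StandardHandleAuthenticationFilter.WWW_AUTHENTICATE_HEADER, "Basic realm=\"handle\"");
            }
            addWwwAuthenticateHandleHeader();
        }

        /**
         * Decides whether to offer a Basic challenge: yes if the client already sent Basic credentials;
         * with no Authorization header at all, yes unless the request is marked as XMLHttpRequest.
         */
        private boolean requestMayWantBasicAuth() {
            String authorization = this.request.getHeader("Authorization");
            if (authorization != null) {
                return authorization.startsWith("Basic");
            }
            return !"XMLHttpRequest".equals(this.request.getHeader("X-Requested-With"));
        }

        /**
         * Adds the {@code WWW-Authenticate: Handle ...} header built from the AuthenticationResponse stored
         * as a request attribute, creating a session first if the response has no session id yet.
         *
         * <p>Assumes the attribute is present (doHttpFilter sets it before creating this wrapper); a missing
         * attribute fails with a NullPointerException.
         */
        public void addWwwAuthenticateHandleHeader() {
            AuthenticationResponse authenticationResponse = (AuthenticationResponse) this.request.getAttribute(AuthenticationResponse.class.getName());
            if (authenticationResponse.getSessionId() == null) {
                addSessionInfo(authenticationResponse);
            }
            // NOTE(review): sessionId and serverAlg are written into the quoted-string as-is, unlike the
            // error text below. If either can carry client-influenced characters (quote, backslash,
            // control characters) it should be escaped first - confirm where these values originate.
            StringBuilder challenge = new StringBuilder();
            challenge.append("Handle sessionId=\"").append(authenticationResponse.getSessionId()).append("\"");
            // NOTE(review): depends on encodeBase64String returning a single unchunked line (commons-codec
            // 1.5 and later); version 1.4 inserted line breaks - confirm the bundled version.
            challenge.append(", nonce=\"").append(Base64.encodeBase64String(authenticationResponse.getNonce())).append("\"");
            if (authenticationResponse.getServerSignature() != null) {
                challenge.append(", serverAlg=\"").append(authenticationResponse.getServerAlg()).append("\"");
                challenge.append(", serverSignature=\"").append(Base64.encodeBase64String(authenticationResponse.getServerSignature())).append("\"");
            }
            if (!authenticationResponse.getErrors().isEmpty()) {
                challenge.append(", error=\"").append(combineErrorsForHeader(authenticationResponse.getErrors())).append("\"");
            }
            addHeader(StandardHandleAuthenticationFilter.WWW_AUTHENTICATE_HEADER, challenge.toString());
        }

        /** Creates the HTTP session if needed and copies its session id and nonce into the response object. */
        private void addSessionInfo(AuthenticationResponse authenticationResponse) {
            HandleAuthenticationStatus status = HandleAuthenticationStatus.fromSession(this.request.getSession(), true);
            authenticationResponse.setSessionId(status.getSessionId());
            authenticationResponse.setNonce(status.getNonce());
        }

        /** Escapes each error message and joins them with "; ". */
        private static String combineErrorsForHeader(Collection<String> collection) {
            StringBuilder combined = new StringBuilder();
            for (String error : collection) {
                if (combined.length() > 0) {
                    combined.append("; ");
                }
                escapeErrorForHeader(combined, error);
            }
            return combined.toString();
        }

        /**
         * Appends {@code str} to {@code sb} in a form that is safe inside a quoted header parameter:
         * quote and backslash are backslash-escaped, and every byte below 0x20, the byte 0x7F, every
         * negative byte (non-ASCII) and '%' itself are written as '%' plus hex. No CR or LF can therefore
         * reach the header value through an error message.
         */
        private static void escapeErrorForHeader(StringBuilder sb, String str) {
            // Util.encodeString presumably yields the UTF-8 bytes of the message - confirm.
            for (byte b : Util.encodeString(str)) {
                if (b == '"') {
                    sb.append("\\\"");
                } else if (b == '\\') {
                    sb.append("\\\\");
                } else if (b < 32 || b >= Byte.MAX_VALUE || b == '%') {
                    sb.append("%");
                    sb.append(StringUtils.encodeHexChar(b));
                } else {
                    sb.append((char) b);
                }
            }
        }
    }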

    /**
     * Picks up the handle server from the servlet context attribute {@code net.handle.server.HandleServer}.
     * If the attribute is absent the field stays {@code null}; nothing here checks for that.
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        Object server = filterConfig.getServletContext().getAttribute("net.handle.server.HandleServer");
        this.handleServer = (HandleServerInterface) server;
    }

    /** Nothing to release: the only instance state is the handle-server reference obtained in init. */
    public void destroy() {
        // Intentionally empty.
    }

    /**
     * Filter entry point. HTTP request/response pairs go through {@code doHttpFilter}; anything else is
     * passed down the chain unchanged, with no authentication processing.
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        boolean isHttp = servletRequest instanceof HttpServletRequest && servletResponse instanceof HttpServletResponse;
        if (!isHttp) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        doHttpFilter((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse, filterChain);
    }

    /**
     * Runs Handle authentication for one HTTP request and then continues the filter chain.
     *
     * <p>The authenticator runs only for secure requests whose path is not the sessions API. Every other
     * request continues down the chain with a fresh, unpopulated {@code AuthenticationResponse} attribute,
     * so downstream code has to treat that state as unauthenticated. A request that attempted
     * authentication and failed is answered with 401 and never reaches the chain.
     */
    private void doHttpFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        HandleAuthorizationHeader authorization = parseHandleAuthorizationHeader(httpServletRequest);
        if (isAsyncTlsRenegotiate(authorization, httpServletRequest, httpServletResponse)) {
            // Either a renegotiation was requested or an error status was already set.
            return;
        }
        AuthenticationResponse authenticationResponse = new AuthenticationResponse();
        httpServletRequest.setAttribute(AuthenticationResponse.class.getName(), authenticationResponse);
        HeaderFixingResponseWrapper wrappedResponse = new HeaderFixingResponseWrapper(httpServletRequest, httpServletResponse);
        boolean runAuthenticator = httpServletRequest.isSecure() && !sessionsApi(httpServletRequest);
        if (runAuthenticator) {
            // Captured before any session may be created below, so this is null for a request that arrived
            // without a session. NOTE(review): ordering kept exactly as in the original - confirm it is intended.
            javax.servlet.http.HttpSession sessionBeforeAuth = httpServletRequest.getSession(false);
            boolean needsSession = authorization != null && authorization.requiresSession();
            HandleAuthenticationStatus status;
            if (needsSession) {
                status = HandleAuthenticationStatus.fromSession(httpServletRequest.getSession(), true);
            } else {
                status = HandleAuthenticationStatus.fromSession(httpServletRequest.getSession(false), false);
            }
            status = processAuthenticationResponse(httpServletRequest, status, authorization, authenticationResponse);
            new StandardHandleAuthenticator(httpServletRequest, sessionBeforeAuth, status, authenticationResponse).authenticate();
            if (authenticationResponse.isAuthenticating() && !authenticationResponse.isAuthenticated()) {
                // setStatus(401) on the wrapper also attaches the WWW-Authenticate challenges.
                wrappedResponse.setStatus(401);
                return;
            }
            if (authenticationResponse.getServerSignature() != null) {
                wrappedResponse.addWwwAuthenticateHandleHeader();
            }
        }
        filterChain.doFilter(httpServletRequest, wrappedResponse);
    }

    /**
     * Handles a client request for TLS renegotiation (client certificate preference or forced renegotiation).
     *
     * <p>The request body, if any, is buffered in memory before renegotiation is requested, capped at
     * {@code MAX_CACHED_ENTITY_FOR_RENEGOTIATION}. A declared Content-Length over the cap is rejected with
     * 413 before anything is read; a body of unknown length (Content-Length -1) passes that check and is
     * limited by {@code ContentCachingRequestWrapper} while it is being read.
     *
     * @return {@code true} if the request was fully dealt with here (renegotiation requested or an error
     *         status set) and must not continue down the chain; {@code false} to continue normally
     */
    private boolean isAsyncTlsRenegotiate(HandleAuthorizationHeader handleAuthorizationHeader, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (handleAuthorizationHeader == null || !httpServletRequest.isSecure()) {
            return false;
        }
        Boolean clientCert = handleAuthorizationHeader.getClientCertAsBooleanObject();
        if (clientCert == null && !handleAuthorizationHeader.isRequestingForceRenegotiate()) {
            return false;
        }
        // NOTE(review): assumes the container always sets this attribute on secure requests; a missing
        // attribute fails with a NullPointerException on the next line - confirm.
        TlsRenegotiationRequestor requestor = (TlsRenegotiationRequestor) httpServletRequest.getAttribute(TlsRenegotiationRequestor.class.getName());
        if (!requestor.isWantingTlsRenegotiation(clientCert, handleAuthorizationHeader.isRequestingForceRenegotiate())) {
            return false;
        }
        // The client asked not to present a certificate, but the requestor reports that one is required.
        boolean declinedRequiredCert = clientCert != null && !clientCert.booleanValue() && requestor.isNeedClientAuth();
        if (declinedRequiredCert) {
            httpServletResponse.setStatus(AbstractMessage.RC_AUTHENTICATION_FAILED);
            return true;
        }
        int declaredLength = httpServletRequest.getContentLength();
        if (declaredLength == 0 || "GET".equals(httpServletRequest.getMethod()) || "HEAD".equals(httpServletRequest.getMethod())) {
            // No entity to preserve across the renegotiation.
            requestor.requestTlsRenegotiation(null, clientCert);
            return true;
        }
        if (declaredLength > MAX_CACHED_ENTITY_FOR_RENEGOTIATION) {
            httpServletResponse.setStatus(413);
            return true;
        }
        ContentCachingRequestWrapper cachedRequest = new ContentCachingRequestWrapper(httpServletRequest);
        if (cachedRequest.isTooLong()) {
            httpServletResponse.setStatus(413);
            return true;
        }
        if (cachedRequest.isEmpty()) {
            requestor.requestTlsRenegotiation(null, clientCert);
        } else {
            requestor.requestTlsRenegotiation(cachedRequest, clientCert);
        }
        return true;
    }

    /**
     * Parses the request's {@code Authorization} header.
     *
     * @return the parsed header, or {@code null} when the request has no Authorization header; what
     *         {@code HandleAuthorizationHeader.fromHeader} returns for other schemes is not visible here
     */
    private HandleAuthorizationHeader parseHandleAuthorizationHeader(HttpServletRequest httpServletRequest) {
        String authorization = httpServletRequest.getHeader("Authorization");
        return authorization == null ? null : HandleAuthorizationHeader.fromHeader(authorization);
    }

    /**
     * Publishes the parsed Authorization header as a request attribute and, when it requires a session,
     * copies the session id and nonce into {@code authenticationResponse} and lets
     * {@code HandleAuthenticationStatus.processServerSignature} process the server signature.
     *
     * @return the incoming status when there is no header or no session is required; otherwise the
     *         status returned by {@code processServerSignature}
     */
    private HandleAuthenticationStatus processAuthenticationResponse(HttpServletRequest httpServletRequest, HandleAuthenticationStatus handleAuthenticationStatus, HandleAuthorizationHeader handleAuthorizationHeader, AuthenticationResponse authenticationResponse) {
        if (handleAuthorizationHeader == null) {
            return handleAuthenticationStatus;
        }
        httpServletRequest.setAttribute(HandleAuthorizationHeader.class.getName(), handleAuthorizationHeader);
        if (!handleAuthorizationHeader.requiresSession()) {
            return handleAuthenticationStatus;
        }
        authenticationResponse.setSessionId(handleAuthenticationStatus.getSessionId());
        authenticationResponse.setNonce(handleAuthenticationStatus.getNonce());
        if (handleAuthorizationHeader.isAuthenticating()) {
            authenticationResponse.setAuthenticating(true);
        }
        // getSession() creates the HTTP session if the request does not have one yet.
        return HandleAuthenticationStatus.processServerSignature(handleAuthenticationStatus, this.handleServer, httpServletRequest.getSession(), handleAuthorizationHeader, authenticationResponse);
    }

    /**
     * Reports whether the request targets {@code /api/sessions} or anything beneath it. doHttpFilter
     * skips the authenticator for such requests.
     *
     * <p>NOTE(review): the comparison uses the URL-decoded request URI, and no dot-segment or
     * path-parameter normalisation is visible in this file. The exemption is only as precise as the
     * agreement between this path and the one the container uses for servlet mapping - confirm they match.
     */
    private static boolean sessionsApi(HttpServletRequest httpServletRequest) {
        String path = getPath(httpServletRequest);
        if ("/api/sessions".equals(path)) {
            return true;
        }
        return path.startsWith("/api/sessions/");
    }

    /** Returns the request URI with the context path removed, URL-decoded by {@code decodeURLIgnorePlus}. */
    private static String getPath(HttpServletRequest httpServletRequest) {
        String withoutContext = ServletUtil.pathExcluding(httpServletRequest.getRequestURI(), httpServletRequest.getContextPath());
        return StringUtils.decodeURLIgnorePlus(withoutContext);
    }

    /**
     * Renders {@code str} as a double-quoted header parameter value.
     *
     * <p>The encoded bytes are decoded as US-ASCII (bytes outside that range become replacement
     * characters), control characters - CR and LF included - are removed, then backslash and double quote
     * are backslash-escaped. Backslashes are escaped first so the escapes added for quotes are not doubled.
     *
     * @throws UnsupportedEncodingException declared because the charset is looked up by name
     */
    static String quote(String str) throws UnsupportedEncodingException {
        String ascii = new String(Util.encodeString(str), "US-ASCII");
        String withoutControls = ascii.replaceAll("\\p{Cntrl}", "");
        String escaped = withoutControls.replace("\\", "\\\\").replace("\"", "\\\"");
        return "\"" + escaped + "\"";
    }
}
