package ru.org.openam.servlets;

import ch.qos.logback.classic.spi.CallerData;
import com.iplanet.dpro.session.Session;
import com.iplanet.dpro.session.SessionID;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdUtils;
import com.sun.xml.rpc.processor.modeler.rmi.RmiConstants;
import java.io.IOException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.openam.session.service.access.persistence.caching.InMemoryInternalSessionCacheStep;
import org.ntlmv2.liferay.util.HttpHeaders;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import ru.org.openam.geo.Client;
import ru.org.openam.web.UIRequestWrapper;

/* loaded from: input_file:WEB-INF/lib/web-14.8.1.0.jar:ru/org/openam/servlets/Authentificate.class */
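/**
 * Servlet base class that resolves the caller's OpenAM {@link SSOToken} once per request and
 * refuses to dispatch the request when no valid token is found.
 *
 * <p>The resolved state is cached in request attributes whose names are derived from
 * {@code SSOToken.class.getName()}: the token itself, {@code .set} (every token accepted for the
 * request), {@code .tested} (resolution already ran), {@code .error} (the failure that prevented
 * resolution) and {@code .bad} (a token rebuilt from a session that failed validation).
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Resolution fails closed: any exception leaves the token attribute unset, and
 *       {@link #isValid(ServletRequest)} returns {@code false} on any {@code Throwable}.</li>
 *   <li>{@link #getTokenBad(ServletRequest)} may return a token that did NOT pass validation; it
 *       must never be used for an authorization decision.</li>
 *   <li>Header contents and exception messages are kept out of anything that is stored on the
 *       request or sent to the client.</li>
 * </ul>
 */
public class Authentificate extends BaseServlet {
    private static final long serialVersionUID = 1;
    static final Logger logger = LoggerFactory.getLogger(Authentificate.class.getName());

    // Request attribute names; the values are exactly the strings the original code built inline.
    private static final String TOKEN_ATTR = SSOToken.class.getName();
    private static final String TOKENS_ATTR = SSOToken.class.getName().concat(".set");
    private static final String TESTED_ATTR = SSOToken.class.getName() + ".tested";
    private static final String BAD_ATTR = SSOToken.class.getName() + ".bad";
    private static final String ERROR_ATTR = SSOToken.class.getName() + ".error";
    private static final String ERROR_SID_ATTR = SSOToken.class.getName() + ".error.sid";

    /**
     * Returns the URL of the login page for this request. Subclasses must override it; this base
     * implementation always throws.
     *
     * @param servletRequest the current request
     * @return never returns normally in this class
     * @throws RuntimeException always
     */
    public String getLoginURL(ServletRequest servletRequest) {
        throw new RuntimeException("need ovveride: public String getLoginURL(ServletRequest req)");
    }

    /**
     * Rebuilds the full request URL, including the query string when one is present.
     *
     * @param servletRequest the current request; must be an {@link HttpServletRequest}
     * @return the request URL followed by the separator and the query string, if any
     */
    public static String getRequestURL(ServletRequest servletRequest) {
        final HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        final String query = httpRequest.getQueryString();
        final String url = httpRequest.getRequestURL().toString();
        // CallerData.NA is logback's "?" constant; this file is decompiler output and the constant
        // appears to stand in for the literal separator.
        return query == null ? url : url + CallerData.NA + query;
    }

    /**
     * Returns the mutable set of tokens accepted for this request, creating and storing it on
     * first use.
     *
     * @param servletRequest the current request
     * @return the per-request token set, never {@code null}
     */
    public static Set<SSOToken> getTokens(ServletRequest servletRequest) {
        // Only this class writes TOKENS_ATTR, and it always stores a Set<SSOToken>.
        @SuppressWarnings("unchecked")
        Set<SSOToken> tokens = (Set<SSOToken>) servletRequest.getAttribute(TOKENS_ATTR);
        if (tokens == null) {
            tokens = new HashSet<>();
            servletRequest.setAttribute(TOKENS_ATTR, tokens);
        }
        return tokens;
    }

    /**
     * Returns the token resolved for this request, resolving it on the first call.
     *
     * @param servletRequest the current request, may be {@code null}
     * @return the token, or {@code null} when none could be resolved
     */
    public static SSOToken getToken(ServletRequest servletRequest) {
        return getToken(servletRequest, false);
    }

    /**
     * Returns the token resolved for this request.
     *
     * <p>Resolution first asks {@link SSOTokenManager} to build a token from the request itself.
     * If that fails, every {@code Bearer} value of the {@code Authorization} header is tried. A
     * failure is recorded under the {@code .error} attribute, and a token rebuilt from the
     * request's session, if one can be found, is kept under {@code .bad} for diagnostics.
     *
     * @param servletRequest the current request, may be {@code null}
     * @param bool {@code TRUE} to resolve again even if resolution already ran, invalidating the
     *     in-memory session cache entry first; {@code null} is treated as {@code FALSE}
     * @return the token, or {@code null} when none could be resolved
     */
    public static SSOToken getToken(ServletRequest servletRequest, Boolean bool) {
        if (servletRequest == null) {
            return null;
        }
        // A null flag used to raise a NullPointerException when it was unboxed.
        final boolean refresh = Boolean.TRUE.equals(bool);
        if (servletRequest.getAttribute(TESTED_ATTR) == null || refresh) {
            try {
                servletRequest.setAttribute(TESTED_ATTR, true);
                servletRequest.removeAttribute(TOKEN_ATTR);
                try {
                    if (refresh) {
                        invalidateSessionCache(new SessionID((HttpServletRequest) servletRequest));
                    }
                    setToken(servletRequest, SSOTokenManager.getInstance().createSSOToken((HttpServletRequest) servletRequest));
                } catch (Exception e) {
                    acceptBearerTokens(servletRequest, refresh);
                    // NOTE(review): on a forced refresh the set may still hold tokens accepted by
                    // an earlier pass, in which case the failure is not rethrown -- confirm intent.
                    if (getTokens(servletRequest).isEmpty()) {
                        throw e;
                    }
                }
                if (logger.isDebugEnabled()) {
                    logger.debug("authentificate as {}", getUserPrincipal(servletRequest));
                }
            } catch (Exception e2) {
                servletRequest.setAttribute(ERROR_SID_ATTR, (Object) null);
                servletRequest.setAttribute(ERROR_ATTR, e2);
                try {
                    Session session = Session.getSession(new SessionID((HttpServletRequest) servletRequest));
                    if (session != null) {
                        servletRequest.setAttribute(BAD_ATTR, SSOTokenManager.getInstance().createSSOToken(session.getID().toString()));
                    }
                } catch (Exception e3) {
                    // Best effort only: the ".bad" token is diagnostic. Only the exception type is
                    // logged because the message could carry session details.
                    logger.debug("no session found for the rejected request: {}", e3.getClass().getName());
                }
            }
        }
        return (SSOToken) servletRequest.getAttribute(TOKEN_ATTR);
    }

    /** Drops the in-memory cache entry of the given session so that it is looked up again. */
    private static void invalidateSessionCache(SessionID sessionId) throws Exception {
        ((InMemoryInternalSessionCacheStep) InjectorHolder.getInstance(InMemoryInternalSessionCacheStep.class)).invalidateCache(sessionId);
    }

    /**
     * Tries every {@code Bearer} value of the {@code Authorization} header as a token id.
     *
     * @throws SSOException when the header contains a part that is not a {@code Bearer} value
     */
    private static void acceptBearerTokens(ServletRequest servletRequest, boolean refresh) throws Exception {
        final String header = ((HttpServletRequest) servletRequest).getHeader("Authorization");
        if (!StringUtils.isNotBlank(header)) {
            return;
        }
        // The header may carry several values separated by ',' or ';'; duplicates are dropped.
        final Set<String> parts = new HashSet<>(Arrays.asList(header.split(",|;")));
        for (String part : parts) {
            final String credential = StringUtils.stripToEmpty(part);
            if (!StringUtils.startsWithIgnoreCase(credential, "Bearer")) {
                // The rejected value is deliberately left out of the message: it may be a
                // credential of another scheme (for example Basic), and this exception is stored
                // in a request attribute that getError() hands out.
                throw new SSOException("unknown Authorization scheme, only Bearer is accepted");
            }
            // The scheme check above ignores case, so the prefix is removed the same way and only
            // at the start of the value; a lower-case "bearer" used to stay inside the token id.
            final String tokenId = URLDecoder.decode(credential.replaceFirst("(?i)^Bearer\\s+", ""), "UTF-8").replace("%2A", "*");
            if (refresh) {
                invalidateSessionCache(new SessionID(tokenId));
            }
            setToken(servletRequest, SSOTokenManager.getInstance().createSSOToken(tokenId, servletRequest.getRemoteAddr()));
        }
    }

    /**
     * Returns the resolved token, or else the token rebuilt from a session that failed
     * validation.
     *
     * <p>The fallback is meant for diagnostics only; it must not be treated as proof of
     * authentication.
     *
     * @param servletRequest the current request, may be {@code null}
     * @return the resolved token, the unvalidated fallback, or {@code null}
     */
    public static SSOToken getTokenBad(ServletRequest servletRequest) {
        if (servletRequest == null) {
            return null;
        }
        final SSOToken token = getToken(servletRequest);
        return token != null ? token : (SSOToken) servletRequest.getAttribute(BAD_ATTR);
    }

    /**
     * Returns the failure recorded while resolving the token, resolving the token first if that
     * has not happened yet.
     *
     * @param servletRequest the current request, may be {@code null}
     * @return the recorded exception, or {@code null} when there is none
     */
    public static Exception getError(ServletRequest servletRequest) {
        if (servletRequest == null) {
            return null;
        }
        if (servletRequest.getAttribute(TESTED_ATTR) == null) {
            getToken(servletRequest);
        }
        return (Exception) servletRequest.getAttribute(ERROR_ATTR);
    }

    /**
     * Builds a short description of the caller: container principal, token principal and the
     * value of {@code Client.get(request)}.
     *
     * @param servletRequest the current request; must be an {@link HttpServletRequest}
     * @return the description, wrapped in the two {@code RmiConstants} delimiters
     */
    public static String whois(ServletRequest servletRequest) {
        final HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        final Principal containerPrincipal = httpRequest.getUserPrincipal();
        final Principal tokenPrincipal = getUserPrincipal(servletRequest);

        final String prefix;
        if (containerPrincipal != null) {
            prefix = containerPrincipal.getName().concat(tokenPrincipal != null ? " behalf " : "");
        } else {
            prefix = tokenPrincipal == null ? "anonymous" : "";
        }
        final String tokenName = (tokenPrincipal == null || tokenPrincipal.getName() == null) ? "" : tokenPrincipal.getName();

        // NOTE(review): SIG_METHOD / SIG_ENDMETHOD are presumably "(" and ")" substituted by the
        // decompiler for literals -- confirm against the original source.
        return RmiConstants.SIG_METHOD
                .concat(prefix)
                .concat(tokenName)
                .concat("/")
                .concat(Client.get(httpRequest).toString())
                .concat(RmiConstants.SIG_ENDMETHOD);
    }

    /**
     * Returns the identity behind the resolved token.
     *
     * @param servletRequest the current request, may be {@code null}
     * @return the identity, or {@code null} when there is no token or the lookup fails
     */
    public static AMIdentity getIdentity(ServletRequest servletRequest) {
        final SSOToken token = getToken(servletRequest);
        if (token == null) {
            return null;
        }
        try {
            return IdUtils.getIdentity(token);
        } catch (Exception e) {
            logger.warn("getIdentity ", e);
            return null;
        }
    }

    /**
     * Returns the service of the request as reported by {@code UIRequestWrapper}.
     *
     * @param servletRequest the current request
     * @return whatever {@code UIRequestWrapper.getService} returns
     */
    public static String getService(ServletRequest servletRequest) {
        return UIRequestWrapper.getService(servletRequest);
    }

    /**
     * Stores a token as the resolved token of the request, adds it to the per-request set and
     * clears the {@code .bad} fallback. Does nothing when either argument is {@code null}.
     *
     * @param servletRequest the current request, may be {@code null}
     * @param sSOToken the token to store, may be {@code null}
     */
    public static void setToken(ServletRequest servletRequest, SSOToken sSOToken) {
        if (servletRequest == null || sSOToken == null) {
            return;
        }
        servletRequest.setAttribute(TOKEN_ATTR, sSOToken);
        getTokens(servletRequest).add(sSOToken);
        servletRequest.setAttribute(BAD_ATTR, (Object) null);
    }

    /**
     * Returns the principal of the resolved token.
     *
     * @param servletRequest the current request, may be {@code null}
     * @return the principal, or {@code null} when there is no token or it cannot be read
     */
    public static Principal getUserPrincipal(ServletRequest servletRequest) {
        try {
            final SSOToken token = getToken(servletRequest);
            return token == null ? null : token.getPrincipal();
        } catch (SSOException e) {
            return null;
        }
    }

    /**
     * Tells whether the request carries a token that {@link SSOTokenManager} accepts as valid.
     *
     * @param servletRequest the current request, may be {@code null}
     * @return {@code true} only for a resolved and valid token; {@code false} on any failure
     */
    public boolean isValid(ServletRequest servletRequest) {
        try {
            final SSOToken token = getToken(servletRequest);
            return token != null && SSOTokenManager.getInstance().isValidToken(token);
        } catch (Throwable th) {
            // Fail closed: whatever goes wrong during validation, the caller is not authenticated.
            return false;
        }
    }

    /**
     * Marks the response as non-cacheable and checks the caller's token; an unauthenticated
     * caller is handed to {@link #On401(ServletRequest, ServletResponse)}.
     *
     * @param servletRequest the current request
     * @param servletResponse the current response, may be {@code null}
     * @return {@code true} when the request may proceed
     * @throws IOException when the rejection cannot be written
     */
    public boolean authentificate(ServletRequest servletRequest, ServletResponse servletResponse) throws IOException {
        if (servletResponse != null) {
            final HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
            httpResponse.setHeader("Cache-Control", "no-cache,no-store,must-revalidate");
            httpResponse.setHeader("Pragma", HttpHeaders.PRAGMA_NO_CACHE_VALUE);
            httpResponse.setDateHeader("Expires", -1L);
        }
        if (isValid(servletRequest)) {
            return true;
        }
        On401(servletRequest, servletResponse);
        return false;
    }

    /**
     * Sends an unauthenticated caller to the login page, appending the current URL as the
     * {@code goto} parameter unless the login URL already has one. Falls back to a plain 401 when
     * the redirect cannot be produced.
     *
     * @param servletRequest the current request
     * @param servletResponse the current response; nothing is written when it is {@code null}
     * @throws IOException when the fallback error cannot be sent
     */
    public void On401(ServletRequest servletRequest, ServletResponse servletResponse) throws IOException {
        if (servletResponse == null) {
            // authentificate() accepts a null response, so there may be nothing to write to.
            return;
        }
        clearCache(servletResponse);
        final HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        try {
            String loginURL = getLoginURL(servletRequest);
            if (!loginURL.contains("goto=")) {
                final String separator = loginURL.contains(CallerData.NA) ? "&goto=" : "?goto=";
                // NOTE(review): the goto value is rebuilt from the incoming request; the login
                // endpoint is assumed to validate it before redirecting back -- not visible here.
                loginURL = loginURL + separator + URLEncoder.encode(getRequestURL(servletRequest), "UTF-8");
            }
            if (logger.isDebugEnabled()) {
                logger.debug("send for login to {}", loginURL);
            }
            // Kept from the original; sendRedirect() is expected to replace this status with its
            // own redirect status.
            httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            httpResponse.sendRedirect(loginURL);
        } catch (Throwable th) {
            // The cause is logged on the server and not echoed to the client: exception messages
            // can reveal internals (the default getLoginURL message names a method signature).
            logger.warn("cannot redirect to the login page", th);
            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    /**
     * Sets the response headers that forbid caching. Does nothing for a {@code null} response.
     *
     * @param servletResponse the current response, may be {@code null}
     */
    public static void clearCache(ServletResponse servletResponse) {
        if (servletResponse == null) {
            return;
        }
        final HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        httpResponse.setHeader("Cache-Control", "no-cache, no-store");
        httpResponse.setHeader("Pragma", HttpHeaders.PRAGMA_NO_CACHE_VALUE);
        httpResponse.setDateHeader("Expires", -1L);
    }

    /**
     * Dispatches the request to the parent servlet only after authentication succeeded.
     *
     * @param servletRequest the current request
     * @param servletResponse the current response
     * @throws ServletException when the parent servlet fails
     * @throws IOException when the response cannot be written
     */
    @Override
    public void service(ServletRequest servletRequest, ServletResponse servletResponse) throws ServletException, IOException {
        if (authentificate(servletRequest, servletResponse)) {
            super.service(servletRequest, servletResponse);
        }
    }
}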
