package ru.org.openam.web;

import ch.qos.logback.classic.spi.CallerData;
import com.iplanet.am.util.SystemProperties;
import com.iplanet.dpro.session.SessionID;
import com.iplanet.dpro.session.service.InternalSession;
import com.iplanet.dpro.session.service.SessionState;
import com.iplanet.services.util.Crypt;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.service.AuthD;
import com.sun.identity.authentication.service.AuthUtils;
import com.sun.identity.shared.encode.CookieUtils;
import java.io.IOException;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.Comparator;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.MediaType;
import jcifs.util.Base64;
import net.sf.ehcache.config.TimeoutBehaviorConfiguration;
import net.sf.ehcache.constructs.CacheDecoratorFactory;
import org.apache.batik.constants.XMLConstants;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.xalan.templates.Constants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.Marker;
import ru.org.openam.auth.modules.Ntlm;
import ru.org.openam.httpdump.Dump;
import ru.org.openam.idm.User;
import ru.org.openam.servlets.Authentificate;

/* loaded from: input_file:WEB-INF/lib/web-14.8.2.1.jar:ru/org/openam/web/UIFilter.class */
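/**
 * Servlet filter placed in front of the OpenAM UI.
 *
 * <p>In request order it:
 * <ol>
 *   <li>answers an NTLM Type 1 (negotiate) {@code Authorization} header with a Type 2 challenge
 *       and a 401, without touching the rest of the chain;</li>
 *   <li>redirects {@code /} and {@code /null} to {@code /Login}, keeping the query string;</li>
 *   <li>on {@code /Login} (and {@code /cdcservlet}) rejects a session whose client IP changed,
 *       rejects form posts lacking the signals a real browser sends, honours the encrypted
 *       {@code s.pt} session parameter (re-routing to the owning server when needed) and
 *       recycles a token that keeps hitting the login page with plain GETs;</li>
 *   <li>on any other path enforces the {@code restrict.paths} allowlist;</li>
 *   <li>wraps request and response in {@link UIRequestWrapper}/{@link UIResponseWrapper}.</li>
 * </ol>
 *
 * <p>This source was recovered from a decompiled jar. The decompiled {@code doFilter} contained an
 * empty {@code try {} catch (Throwable)} right after the request wrapper was built, which usually
 * means the original wrapped more of the body in that handler — confirm against the original
 * sources before relying on the exception behaviour documented here.
 *
 * <p>The sets and maps below are read by the wrappers; their names are kept for that reason.
 */
public class UIFilter implements Filter {
    static final Logger logger = LoggerFactory.getLogger(UIFilter.class.getName());

    /** Separator of comma-separated init-param lists. */
    private static final String LIST_SEPARATOR = ",";
    /**
     * Separator of rule lines inside a multi-line init-param. The regex {@code \\n} matches the
     * two characters backslash + 'n' as written in the deployment descriptor, not a newline —
     * this is how the decompiled original reads; confirm against web.xml before changing it.
     */
    private static final String RULE_LINE_SEPARATOR = "\\\\n";
    /** Request parameter carrying a locally encrypted, URL-safe-base64 session id. */
    private static final String SESSION_PARAM = "s.pt";
    /** Request attribute set when a POST was converted to a GET earlier in the pipeline. */
    private static final String ATTR_POST2GET = "POST2GET";
    /** Token property used as a unary counter of plain GETs on the login page. */
    private static final String PROTECTED_GET_PROPERTY = "am.protected.get";
    private static final String FORM_URLENCODED = "application/x-www-form-urlencoded";
    private static final String MULTIPART_FORM_DATA = "multipart/form-data";

    /** Hosts whose requests are hidden (lower-cased, from {@code hide.hosts}). */
    final Set<String> hide_hosts = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
    /** Request parameters hidden for those hosts (from {@code hide.hosts.getParameter}). */
    final Set<String> hide_hosts_getParameter = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
    /** Login-servlet parameters to hide (from {@code hide.LoginServlet.params}). */
    final Set<String> hide_login_get_field = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
    /** Services exempt from login-parameter hiding (from {@code hide.LoginServlet.excludeService}). */
    final Set<String> hide_login_get_exclude_service = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
    /** Organisations exempt from login-parameter hiding (from {@code hide.LoginServlet.excludeOrg}). */
    final Set<String> hide_login_get_exclude_org = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
    /** Allowed {@code pathInfo} values outside /Login; empty means no restriction. Case-sensitive. */
    final Set<String> restrict_paths = new TreeSet<String>();
    /** Exclusion rules: parameter name -> (parameter value -> networks), from {@code hide.hosts.getParameter.exclude}. */
    final Map<String, Map<String, ExcludeData>> excludeHeaders =
            new TreeMap<String, Map<String, ExcludeData>>(String.CASE_INSENSITIVE_ORDER);
    /** Host name -> service name mapping from {@code host2service}. */
    final Map<String, String> host2service = new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER);
    /** Value of the {@code client302} init-param; consumed by the wrappers, not by this class. */
    boolean client302 = false;

    /* loaded from: input_file:WEB-INF/lib/web-14.8.2.1.jar:ru/org/openam/web/UIFilter$ExcludeData.class */
    /**
     * Networks attached to one {@code param=...;value=...;net=...} exclusion rule.
     * Static: it never uses the enclosing filter, so it must not pin it via a hidden reference.
     */
    static class ExcludeData {
        /**
         * The {@code net=} list of the rule, as written. The name "cidr" in {@link #toString()}
         * suggests CIDR prefixes, but matching against client addresses happens outside this class.
         */
        public Set<String> ip_prefix = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);

        ExcludeData() {
        }

        public String toString() {
            return MessageFormat.format("cidr=[{0}]", this.ip_prefix);
        }
    }

    public void destroy() {
    }

    /**
     * Applies the checks listed on the class and hands the wrapped request to the chain.
     *
     * @throws IOException      from the servlet response or the chain
     * @throws ServletException from the chain
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (answerNtlmNegotiate(request, response)) {
            return;
        }
        // Built before the redirect check, as in the original: the constructor may inspect the request.
        UIRequestWrapper requestWrapper = new UIRequestWrapper(this, request);
        String pathInfo = request.getPathInfo();
        if ("/".equals(pathInfo) || "/null".equals(pathInfo)) {
            try {
                response.sendRedirect(loginUrl(request));
            } catch (IOException e) {
                // Best effort: the client has most likely gone away; nothing to recover here.
                logger.debug("redirect to /Login failed for {}", servletRequest, e);
            }
            return;
        }
        if ("/Login".equals(pathInfo) || "/cdcservlet".equals(request.getServletPath())) {
            if (handleLoginRequest(request, response, requestWrapper)) {
                return;
            }
        } else if (pathInfo != null && CollectionUtils.isNotEmpty(this.restrict_paths)
                && !this.restrict_paths.contains(pathInfo)) {
            // Exact-string allowlist on the container-decoded pathInfo.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "wrong UI request path");
            return;
        }
        UIResponseWrapper responseWrapper = new UIResponseWrapper(this, requestWrapper, response);
        requestWrapper.setAttribute(UIRequestWrapper.class.getName(), requestWrapper);
        requestWrapper.setAttribute(UIResponseWrapper.class.getName(), responseWrapper);
        filterChain.doFilter(requestWrapper, responseWrapper);
    }

    /**
     * Answers an NTLM Type 1 message carried in {@code Authorization: NTLM ...} with a Type 2
     * challenge and an empty 401. Only empty form-encoded requests qualify.
     *
     * @return {@code true} when the response has been completed and the chain must not run
     */
    private static boolean answerNtlmNegotiate(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String authorization = request.getHeader("Authorization");
        if (!StringUtils.startsWith(authorization, "NTLM ")
                || !StringUtils.equalsIgnoreCase(request.getHeader("Content-Length"), "0")
                || !StringUtils.equalsIgnoreCase(request.getHeader("Content-Type"), FORM_URLENCODED)) {
            return false;
        }
        byte[] message = Base64.decode(authorization.substring("NTLM ".length()));
        // Offset 8 is the low byte of the NTLMSSP message-type field; 1 = Type 1 (negotiate).
        // The header is client-controlled, so a short or garbage payload must fall through to the
        // normal flow instead of throwing ArrayIndexOutOfBounds (which surfaced as a 500 before).
        if (message == null || message.length <= 8 || message[8] != 1) {
            return false;
        }
        byte[] serverChallenge = new byte[8];
        // NOTE(review): the challenge must be unpredictable; Ntlm.rnd is not visible here — confirm it is a SecureRandom.
        Ntlm.rnd.nextBytes(serverChallenge);
        if (Ntlm.ntlmManager != null) {
            response.setHeader("WWW-Authenticate",
                    "NTLM " + Base64.encode(Ntlm.ntlmManager.negotiateType2Message(message, serverChallenge).toByteArray()));
        }
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentLength(0);
        response.flushBuffer();
        return true;
    }

    /** Builds {@code <context><servlet>/Login[?query]} for a redirect back to the login page. */
    private static String loginUrl(HttpServletRequest request) {
        String query = request.getQueryString();
        return request.getContextPath() + request.getServletPath() + "/Login"
                + (query == null ? "" : "?" + query);
    }

    /**
     * Runs the login-page checks.
     *
     * @return {@code true} when an error or redirect has been sent and the chain must not run
     */
    private boolean handleLoginRequest(HttpServletRequest request, HttpServletResponse response,
            UIRequestWrapper requestWrapper) throws IOException, ServletException {
        // Default to 401 on the login page; the monitoring probe keeps a 200.
        if (!StringUtils.contains(request.getQueryString(), "monitoring")) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
        Exception error = Authentificate.getError(request);
        if (error instanceof SSOException
                && !StringUtils.equalsIgnoreCase(request.getParameter("arg"), "newsession")
                && StringUtils.contains(error.getMessage(), "IP address")) {
            logger.warn("ip change: {}", User.debug(Authentificate.getTokenBad(request), request));
            // NOTE(review): the SSOException text is reflected to the client — confirm it carries nothing sensitive.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, error.getMessage());
            return true;
        }
        String rejection = formPostRejection(request);
        if (rejection != null) {
            response.sendError(HttpServletResponse.SC_NOT_ACCEPTABLE, rejection);
            return true;
        }
        if (rerouteBySessionParam(request, response, requestWrapper)) {
            return true;
        }
        recycleIdleGetToken(request);
        return false;
    }

    /**
     * Heuristic anti-automation checks for a form post to the login page.
     *
     * @return the 406 reason to send, or {@code null} when the request passes (or is not a form post)
     */
    private static String formPostRejection(HttpServletRequest request) {
        boolean formPost = "POST".equals(request.getMethod()) || request.getAttribute(ATTR_POST2GET) != null;
        if (!formPost) {
            return null;
        }
        String contentType = request.getContentType();
        if (!StringUtils.containsIgnoreCase(contentType, FORM_URLENCODED)
                && !StringUtils.containsIgnoreCase(contentType, MULTIPART_FORM_DATA)) {
            return null;
        }
        Cookie[] cookies = request.getCookies();
        if (cookies == null || cookies.length == 0) {
            return "cookie required";
        }
        if (StringUtils.isBlank(request.getHeader("User-Agent"))) {
            return "User-Agent required";
        }
        if (StringUtils.isBlank(request.getHeader("Referer")) && StringUtils.isBlank(request.getHeader("Accept-Language"))) {
            return "Referer required";
        }
        // Set by a <noscript> form field: a client that submits it has no JavaScript.
        if (request.getParameter("test.noscript") != null) {
            return "JavaScript required";
        }
        return null;
    }

    /**
     * Resolves the encrypted {@code s.pt} parameter to a session id. An invalid-state session is
     * handed to the auth cookie attribute of the wrapper; a live one belonging to another server
     * gets the load-balancer cookie set and a redirect to {@code /Login}.
     *
     * <p>Any failure (bad ciphertext, session lookup, redirect) is logged and the request continues.
     *
     * @return {@code true} when a redirect was sent
     */
    private static boolean rerouteBySessionParam(HttpServletRequest request, HttpServletResponse response,
            UIRequestWrapper requestWrapper) {
        String encoded = request.getParameter(SESSION_PARAM);
        if (encoded == null) {
            return false;
        }
        try {
            String sid = Crypt.decryptLocal(base64_url_decode(encoded));
            if (sid == null) {
                // NOTE(review): Dump.toString(request) goes to the error log — confirm it redacts cookies/tokens.
                logger.error("bad {}:{}", encoded, Dump.toString(request));
                return false;
            }
            SessionID sessionID = new SessionID(sid);
            InternalSession session = AuthD.getSession(sessionID);
            if (session != null && session.getState() == SessionState.INVALID) {
                requestWrapper.setAttribute(AuthUtils.getAuthCookieName(), sid);
                logger.info("found s.pt={} sid={}", encoded, sid);
                return false;
            }
            String lbCookie = CookieUtils.getCookieValueFromReq(request, AuthUtils.getlbCookieName());
            String owningServer = sessionID.getSessionServerID();
            if (!StringUtils.equalsIgnoreCase(lbCookie, owningServer)) {
                logger.info("re-route request s.pt={} sid={} {}->{}", encoded, sid, lbCookie, owningServer);
                // The redirect relies on the balancer honouring the cookie; otherwise it loops.
                response.addCookie(new Cookie(AuthUtils.getlbCookieName(), owningServer));
                response.sendRedirect(loginUrl(request));
                return true;
            }
            logger.warn("expired s.pt={} sid={}", encoded, sid);
        } catch (Exception e) {
            logger.error("{}", Dump.toString(request), e);
        }
        return false;
    }

    /**
     * Counts plain GETs of the login page by an already authenticated token (only when
     * {@code com.iplanet.am.clientIPCheckEnabled} is on). After the 6th hit the token's recorded
     * host is replaced so the IP check no longer matches; after the 8th the token is destroyed.
     * Housekeeping only: a failure is logged and never aborts the request.
     */
    private static void recycleIdleGetToken(HttpServletRequest request) {
        if (!"GET".equals(request.getMethod())
                || request.getAttribute(ATTR_POST2GET) != null
                || request.getParameter("arg") != null
                || request.getParameter("ForceAuth") != null
                || !SystemProperties.getAsBoolean("com.iplanet.am.clientIPCheckEnabled")) {
            return;
        }
        SSOToken token = Authentificate.getToken(request);
        if (token == null) {
            return;
        }
        try {
            // Unary counter: the property holds one '0' per hit.
            int hits = StringUtils.length(token.getProperty(PROTECTED_GET_PROPERTY)) + 1;
            token.setProperty(PROTECTED_GET_PROPERTY, StringUtils.repeat("0", hits));
            if (hits > 7) {
                logger.warn("recycle: destroy token: {}", User.debug(token, request));
                SSOTokenManager.getInstance().destroyToken(token);
            } else if (hits > 5) {
                logger.warn("recycle: disable ip: {}", User.debug(token, request));
                token.setProperty("Host", "127.127.127.127");
            }
        } catch (Exception e) {
            logger.error("recycle: {}", request.getRequestURI(), e);
        }
    }

    /** Maps standard base64 to the URL-safe alphabet used in {@code s.pt}: {@code + / =} become {@code - _ ~}. */
    public static String base64_url_encode(String str) {
        return str.replace("+", "-").replace("/", "_").replace("=", "~");
    }

    /** Inverse of {@link #base64_url_encode(String)}. */
    public static String base64_url_decode(String str) {
        return str.replace("-", "+").replace("_", "/").replace("~", "=");
    }

    /**
     * Reads the filter configuration.
     *
     * <p>Init-params and defaults: {@code hide.hosts} (""), {@code hide.hosts.getParameter}
     * ("realm,user,module,org,authLevel,role,domain"), {@code hide.LoginServlet.params}
     * ("idbutton,idtoken"), {@code hide.LoginServlet.excludeService} ("monitoring"),
     * {@code hide.LoginServlet.excludeOrg} ("clients") — all comma-separated and lower-cased;
     * {@code restrict.paths} (comma-separated, "*" or blank disables the check);
     * {@code client302} ("true" enables); {@code hide.hosts.getParameter.exclude} (rule lines
     * {@code param=NAME;value=VALUE[;net=PREFIX,...]}); {@code host2service} (lines of
     * {@code host=service;...}). Malformed entries are logged and skipped.
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        addCsv(this.hide_hosts, filterConfig, "hide.hosts", "");
        addCsv(this.hide_hosts_getParameter, filterConfig, "hide.hosts.getParameter",
                "realm,user,module,org,authLevel,role,domain");
        addCsv(this.hide_login_get_field, filterConfig, "hide.LoginServlet.params", "idbutton,idtoken");
        addCsv(this.hide_login_get_exclude_service, filterConfig, "hide.LoginServlet.excludeService", "monitoring");
        addCsv(this.hide_login_get_exclude_org, filterConfig, "hide.LoginServlet.excludeOrg", "clients");
        String restrictPaths = filterConfig.getInitParameter("restrict.paths");
        if (!"*".equals(restrictPaths) && StringUtils.isNotBlank(restrictPaths)) {
            // StringUtils.split drops empty tokens, unlike String.split; kept as in the original.
            this.restrict_paths.addAll(Arrays.asList(StringUtils.split(restrictPaths, LIST_SEPARATOR)));
        }
        this.client302 = "true".equals(filterConfig.getInitParameter("client302"));
        String excludeRules = filterConfig.getInitParameter("hide.hosts.getParameter.exclude");
        if (excludeRules != null) {
            for (String line : excludeRules.trim().split(RULE_LINE_SEPARATOR)) {
                addExcludeRule(line);
            }
        }
        String hostMapping = filterConfig.getInitParameter("host2service");
        if (hostMapping != null) {
            for (String line : hostMapping.trim().split(RULE_LINE_SEPARATOR)) {
                for (String pair : line.trim().split(";")) {
                    String[] keyValue = pair.trim().split("=");
                    if (keyValue.length > 1) {
                        this.host2service.put(keyValue[0].trim(), keyValue[1].trim());
                    } else {
                        logger.warn("error parse: {}", line);
                    }
                }
            }
        }
    }

    /** Adds the comma-separated, lower-cased value of an init-param (or its default) to {@code target}. */
    private static void addCsv(Set<String> target, FilterConfig filterConfig, String name, String defaultValue) {
        String value = filterConfig.getInitParameter(name);
        target.addAll(Arrays.asList((value != null ? value : defaultValue).toLowerCase().split(LIST_SEPARATOR)));
    }

    /**
     * Parses one {@code key=v1,v2;key=...} rule line into a case-insensitive map.
     * Pairs without '=' are logged and skipped; only the text after the first '=' is used.
     */
    private static Map<String, Set<String>> parseRule(String line) {
        Map<String, Set<String>> rule = new TreeMap<String, Set<String>>(String.CASE_INSENSITIVE_ORDER);
        for (String pair : line.trim().split(";")) {
            String[] keyValue = pair.trim().split("=");
            if (keyValue.length > 1) {
                Set<String> values = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
                values.addAll(Arrays.asList(keyValue[1].trim().split(LIST_SEPARATOR)));
                rule.put(keyValue[0].trim(), values);
            } else {
                logger.warn("error parse: {}", line);
            }
        }
        return rule;
    }

    /**
     * Registers one exclusion rule in {@link #excludeHeaders}. Only the first {@code param} and the
     * first {@code value} entry (in case-insensitive order) are used, as in the original.
     */
    private void addExcludeRule(String line) {
        Map<String, Set<String>> rule = parseRule(line);
        if (rule.isEmpty()) {
            logger.warn("empty ignore rule: {}", line);
            return;
        }
        logger.info("new ignore rule: {}", rule);
        Set<String> params = rule.get("param");
        if (params == null || params.isEmpty()) {
            logger.warn("missing [param] ignore rule: {}", line);
            return;
        }
        Set<String> values = rule.get("value");
        if (values == null || values.isEmpty()) {
            logger.warn("missing [value] ignore rule: {}", line);
            return;
        }
        ExcludeData excludeData = new ExcludeData();
        Set<String> networks = rule.get("net");
        if (networks != null) {
            excludeData.ip_prefix = networks;
        }
        String param = params.iterator().next();
        Map<String, ExcludeData> byValue = this.excludeHeaders.get(param);
        if (byValue == null) {
            byValue = new TreeMap<String, ExcludeData>(String.CASE_INSENSITIVE_ORDER);
            this.excludeHeaders.put(param, byValue);
        }
        byValue.put(values.iterator().next(), excludeData);
    }
}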
