package com.adobe.idp.um.auth.filter;

import com.adobe.idp.Context;
import com.adobe.idp.dsc.registry.infomodel.Operation;
import com.adobe.idp.um.api.AuthenticationManager;
import com.adobe.idp.um.api.UMConstants;
import com.adobe.idp.um.api.UMException;
import com.adobe.idp.um.api.UMFactory;
import com.adobe.idp.um.api.infomodel.AuthResult;
import com.adobe.idp.um.api.infomodel.HttpRequestToken;
import com.adobe.logging.AdobeLogger;
import java.io.IOException;
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.logging.Level;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/* loaded from: input_file:com/adobe/idp/um/auth/filter/SecurityFilter.class */
public class SecurityFilter extends AbstractSecurityFilter implements Filter {
    private static final String LAST_VALIDATION_TIMESTAMP = "um.auth.securityfilter.lastCheckTimeStamp";
    private static final int VALIDATION_CHECK_INTERVAL = 300;
    private static AdobeLogger logger = AdobeLogger.getAdobeLogger(SecurityFilter.class.getName());
    private boolean rememberUrl;
    private volatile boolean determineCtxPath;
    private boolean checkForExpiredSessions;
    private AssertionIdHolder assertionIdHolder;
    protected String umLoginUrl = "/um/login";
    protected String sourceUrl = "";
    protected String loginUrl = null;
    private boolean contextForwarding = true;
    private boolean passiveMode = false;
    private String encoding = null;
    private boolean useQueryString = true;

    public final void init(FilterConfig filterConfig) throws ServletException {
        this.sourceUrl = getParameter(filterConfig, UMConstants.SSOConstants.P_SOURCE_URL, this.sourceUrl, true);
        this.loginUrl = getParameter(filterConfig, "login_url", this.loginUrl, true);
        this.passiveMode = Boolean.valueOf(getParameter(filterConfig, "passive_mode", "false", false)).booleanValue();
        this.useQueryString = Boolean.valueOf(getParameter(filterConfig, "use_query_string", "true", false)).booleanValue();
        this.umLoginUrl = getParameter(filterConfig, "um_login_url", this.umLoginUrl, false);
        this.determineCtxPath = Boolean.valueOf(getParameter(filterConfig, "determine_ctx_path", "false", false)).booleanValue();
        doInit(filterConfig);
        this.rememberUrl = Boolean.valueOf(getParameter(filterConfig, "remember_url", "false", false)).booleanValue();
        this.checkForExpiredSessions = Boolean.valueOf(getParameter(filterConfig, "check_expired_sessions", "false", false)).booleanValue();
        this.assertionIdHolder = new AssertionIdHolder();
        if (this.checkForExpiredSessions) {
            filterConfig.getServletContext().setAttribute(AssertionIdHolder.ASSERTION_HOLDER_KEY, this.assertionIdHolder);
        }
        this.contextForwarding = Boolean.valueOf(getParameter(filterConfig, "context_forwarding", "true", false)).booleanValue();
        this.encoding = getParameter(filterConfig, "encoding", null, false);
        logConfig();
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        String stringBuffer;
        boolean isLoggable = logger.isLoggable(Level.FINE);
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        if (this.determineCtxPath) {
            addContextPath(httpServletRequest);
        }
        if (this.encoding != null && !Operation.TX_TYPE_NONE.equals(this.encoding)) {
            httpServletRequest.setCharacterEncoding(this.encoding);
        }
        Cookie retrieveCookie = retrieveCookie(httpServletRequest, UMConstants.SSOConstants.LIVECYCLE_AUTH_TOKEN);
        String requestURI = httpServletRequest.getRequestURI();
        int authPhase = getAuthPhase(httpServletRequest);
        if (requestURI.endsWith("/login")) {
            Request fromHttpRequest = Request.fromHttpRequest(httpServletRequest);
            fromHttpRequest.addParam(UMConstants.SSOConstants.P_AUTH_PHASE, "1");
            String str = getLoginURL() + fromHttpRequest.getEncodedQueryString();
            stripNewLineChars(str);
            httpServletResponse.sendRedirect(str);
            if (isLoggable) {
                logger.debug(String.format("Received request for /login url hence redirecting to [%s]", str));
                return;
            }
            return;
        }
        if (this.passiveMode) {
            if (-1 == authPhase) {
                if (hasText(httpServletRequest.getQueryString())) {
                    httpServletRequest.getSession().setAttribute(UMConstants.SSOConstants.ATTR_SAVED_REQUEST, Request.fromHttpRequest(httpServletRequest));
                }
                if (isLoggable) {
                    logger.debug("(Passive mode) Redirecting request to UM after saving the current request ");
                }
                sendToAuthenticate(httpServletRequest, httpServletResponse);
                return;
            }
            Request request = null;
            HttpSession session = httpServletRequest.getSession(false);
            if (session != null) {
                request = (Request) session.getAttribute(UMConstants.SSOConstants.ATTR_SAVED_REQUEST);
                session.removeAttribute(UMConstants.SSOConstants.ATTR_SAVED_REQUEST);
                session.invalidate();
            }
            if (request == null) {
                if (isLoggable) {
                    logger.debug("(Passive mode) Received request after UM performed authentication hence allowing it");
                }
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            }
            if (this.useQueryString) {
                stringBuffer = httpServletRequest.getRequestURL().append("?").append(UMConstants.SSOConstants.P_AUTH_PHASE).append("=").append(Integer.toString(authPhase)).append('&').append(request.getQueryString()).toString();
            } else {
                request.addParam(UMConstants.SSOConstants.P_AUTH_PHASE, Integer.toString(authPhase));
                stringBuffer = httpServletRequest.getRequestURL().append(request.getEncodedQueryString()).toString();
            }
            httpServletResponse.addHeader("Cache-Control", "no-cache");
            httpServletResponse.addHeader("Expires", "Thu, 01 Dec 1994 16:00:00 GMT");
            stripNewLineChars(stringBuffer);
            httpServletResponse.sendRedirect(stringBuffer);
            if (isLoggable) {
                logger.debug(String.format("(Passive mode)Redirecting request back after receiving it from UM with the saved request [%s]", stringBuffer));
                return;
            }
            return;
        }
        if (allowUrl(requestURI)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        HttpSession session2 = httpServletRequest.getSession(false);
        boolean ignoreSSOCookie = ignoreSSOCookie(httpServletRequest);
        if (retrieveCookie == null || ignoreSSOCookie) {
            if (ignoreSSOCookie) {
                httpServletRequest.setAttribute(UMConstants.SSOConstants.P_IGNORE_COOKIE, Boolean.TRUE);
            }
            if (session2 != null) {
                session2.invalidate();
            }
            sendToAuthenticate(httpServletRequest, httpServletResponse);
            return;
        }
        if (authPhase == -1) {
            authPhase = 2;
        }
        String value = retrieveCookie.getValue();
        boolean z = false;
        boolean z2 = false;
        int i = -1;
        if (session2 == null) {
            i = createNewSession(httpServletRequest, httpServletResponse);
            if (this.checkForExpiredSessions && this.assertionIdHolder.hasExpired(value)) {
                this.assertionIdHolder.remove(value);
                logger.info(String.format("There existed a previous HTTP session for assertionId [%s] in webapp at [%s] which got expired. Forwarding the request to the welcome page", value, httpServletRequest.getContextPath()));
                i = 6;
            }
        } else {
            String str2 = (String) session2.getAttribute(UMConstants.SSOConstants.LIVECYCLE_AUTH_TOKEN);
            if (str2 == null || !str2.equals(value)) {
                i = createNewSession(httpServletRequest, httpServletResponse);
            } else if (str2 != null && str2.equals(value)) {
                z = true;
            }
        }
        if (z) {
            z2 = validateSession(httpServletRequest, session2);
            if (z2) {
                z2 = authenticateRequest(httpServletRequest);
            }
        }
        if (i == 6) {
            httpServletResponse.sendRedirect(createUrl(getSourceURL(), "login_result=" + i));
            return;
        }
        if (z2 || i == 0) {
            if (continueChain(httpServletRequest, httpServletResponse)) {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            }
            return;
        }
        String createUrl = i != 5 ? createUrl(getLoginURL(), "login_result=" + i) : createUrl(getLoginURL(), new String[0]);
        deleteCookie(httpServletRequest, httpServletResponse, UMConstants.SSOConstants.LIVECYCLE_AUTH_DATA);
        if (authPhase != 2) {
            deleteCookie(httpServletRequest, httpServletResponse, UMConstants.SSOConstants.LIVECYCLE_AUTH_TOKEN);
        }
        if (session2 != null) {
            logger.debug("The existing session was found to be invalid hence the user would be redirected to login page. Invalidating the current session");
            session2.invalidate();
        }
        if (handleTokenExpiry(httpServletRequest, httpServletResponse)) {
            return;
        }
        httpServletResponse.sendRedirect(createUrl);
    }

    protected boolean handleTokenExpiry(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        return false;
    }

    public static String stripNewLineChars(String str) {
        return str.replace('\n', ' ').replace('\r', ' ');
    }

    protected boolean ignoreSSOCookie(HttpServletRequest httpServletRequest) {
        return false;
    }

    protected boolean validateSession(HttpServletRequest httpServletRequest, HttpSession httpSession) {
        Context context = (Context) httpSession.getAttribute(UMConstants.SESSION_PRINCIPAL_CONTEXT);
        if (context == null) {
            logger.debug("No context found in session hence session is not valid");
            return false;
        }
        Date date = new Date();
        if (date.after(context.getExpirationHint())) {
            logger.debug("Existing context was found to be expired [" + context.getExpirationHint() + "]. Hence session is not valid");
            return false;
        }
        Date date2 = (Date) httpSession.getAttribute(LAST_VALIDATION_TIMESTAMP);
        if (date2 == null) {
            return false;
        }
        Calendar gregorianCalendar = GregorianCalendar.getInstance();
        gregorianCalendar.add(13, -300);
        if (!date2.before(gregorianCalendar.getTime())) {
            return true;
        }
        try {
            getAuthenticationManager().validateAssertion(context);
            synchronized (httpSession) {
                httpSession.setAttribute(LAST_VALIDATION_TIMESTAMP, date);
            }
            return true;
        } catch (Exception e) {
            logger.log(Level.FINEST, "Following exception was received on validation of the context", (Throwable) e);
            logger.debug("The current assertion was found to be invalid - " + e.getMessage());
            return false;
        }
    }

    protected synchronized void addContextPath(HttpServletRequest httpServletRequest) {
        if (this.determineCtxPath) {
            String contextPath = httpServletRequest.getContextPath();
            if (this.sourceUrl != null) {
                this.sourceUrl = contextPath + this.sourceUrl;
            }
            if (this.loginUrl != null) {
                this.loginUrl = contextPath + this.loginUrl;
            }
            this.determineCtxPath = false;
        }
    }

    protected void sendToAuthenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (this.contextForwarding) {
            forwardForAuthentication(httpServletRequest, httpServletResponse);
        } else {
            redirectForAuthentication(httpServletRequest, httpServletResponse);
        }
    }

    private int getAuthPhase(HttpServletRequest httpServletRequest) {
        String parameter = httpServletRequest.getParameter(UMConstants.SSOConstants.P_AUTH_PHASE);
        if (parameter == null) {
            return -1;
        }
        int i = 1;
        try {
            i = Integer.parseInt(parameter.trim());
            if (i == -1) {
                return 1;
            }
        } catch (NumberFormatException e) {
            logger.warning("The AuthPhase parameter [ap] should be an integer. Instead it was [" + parameter.trim() + "]. Would consider it as AUTH_PHASE_GENRIC_AUTH ");
        }
        return i;
    }

    private void logConfig() {
        if (logger.isLoggable(Level.FINE)) {
            String format = String.format("The SecurityFilter is configured with SourceUrl [%s], LoginUrl [%s]. Following parts are enabled - ", getSourceURL(), getLoginURL());
            if (this.rememberUrl) {
                format = format + "Remembering the url,";
            }
            if (this.checkForExpiredSessions) {
                format = format + "Session timeout handling,";
            }
            logger.fine(format);
        }
    }

    protected boolean continueChain(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return true;
    }

    private int createNewSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        logger.fine("Creating new session");
        HttpRequestToken httpRequestToken = new HttpRequestToken(httpServletRequest);
        AuthResult authResult = getAuthResult(httpRequestToken);
        if (authResult == null) {
            return 5;
        }
        int allowUser = allowUser(authResult, httpServletRequest, httpServletResponse);
        if (allowUser != 0) {
            return allowUser;
        }
        HttpSession session = httpServletRequest.getSession(true);
        initializeUserIdentityInSession(httpRequestToken, authResult, session);
        processNewSession(session, authResult);
        return 0;
    }

    public Context initializeUserIdentityInSession(HttpRequestToken httpRequestToken, AuthResult authResult, HttpSession httpSession) {
        httpSession.setAttribute(UMConstants.SSOConstants.ASSERTION_EXPIRY_TIME, authResult.getExpirationHint());
        Context context = new Context();
        context.initPrincipal(authResult);
        httpSession.setAttribute(UMConstants.SESSION_PRINCIPAL_CONTEXT, context);
        httpSession.setAttribute(LAST_VALIDATION_TIMESTAMP, new Date());
        httpSession.setAttribute(UMConstants.SSOConstants.LIVECYCLE_AUTH_TOKEN, httpRequestToken.getAssertionId());
        return context;
    }

    protected AuthResult getAuthResult(HttpRequestToken httpRequestToken) {
        AuthResult authResult = null;
        try {
            authResult = getAuthenticationManager().authenticate(httpRequestToken);
        } catch (UMException e) {
            int errCode = e.getErrCode();
            if (errCode == 16436 || errCode == 16420 || errCode == 16386) {
                logger.log(Level.FINE, "Authentication failed. The failure is due to known reason as detailed in exception message [" + e.getMessage() + "]");
            } else {
                logger.log(Level.WARNING, "Error occured while performing authentication. Marking the authentication as failed.", (Throwable) e);
            }
        }
        if (authResult == null) {
            logger.fine("Cookie id not valid thus a login failure");
        }
        return authResult;
    }

    protected AuthenticationManager getAuthenticationManager() {
        return UMFactory.getInstance().getAuthenticationManager();
    }

    protected void processNewSession(HttpSession httpSession, AuthResult authResult) {
    }

    protected int allowUser(AuthResult authResult, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return 0;
    }

    protected void doInit(FilterConfig filterConfig) throws ServletException {
    }

    protected boolean allowUrl(String str) {
        return (getLoginURL() == null || str.indexOf(getLoginURL()) == -1) ? false : true;
    }

    protected boolean authenticateRequest(HttpServletRequest httpServletRequest) {
        return true;
    }

    protected void redirectForAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        addCookie(httpServletRequest, httpServletResponse);
        httpServletResponse.sendRedirect(createUrl(getActionURL(), "error_url=" + encode(getLoginURL())));
    }

    protected void forwardForAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        addCookie(httpServletRequest, httpServletResponse);
        SSORequestCreator sSORequestCreator = new SSORequestCreator(httpServletRequest, httpServletResponse);
        Context securityContext = getSecurityContext(httpServletRequest);
        if (securityContext != null) {
            String userAssertion = securityContext.getUserAssertion();
            if (userAssertion == null) {
                logger.warning("App name [" + getSourceURL() + "] Context obtained from request is not initialized ");
            } else {
                Boolean bool = (Boolean) httpServletRequest.getAttribute(UMConstants.SSOConstants.P_DEFAULT_ASSERTION);
                if (bool == null || !Boolean.TRUE.equals(bool)) {
                    sSORequestCreator.addBase64Encoded(UMConstants.SSOConstants.P_ASSERTION, userAssertion);
                } else {
                    sSORequestCreator.addBase64Encoded(UMConstants.SSOConstants.P_DEFAULT_ASSERTION, userAssertion);
                }
            }
        }
        sSORequestCreator.add(UMConstants.SSOConstants.P_SOURCE_URL, getSourceURL());
        sSORequestCreator.add("login_url", getLoginURL());
        sSORequestCreator.add(UMConstants.SSOConstants.P_INITIAL_REQUEST_TYPE, httpServletRequest.getMethod());
        if (Boolean.TRUE.equals(httpServletRequest.getAttribute(UMConstants.SSOConstants.P_IGNORE_COOKIE))) {
            sSORequestCreator.add(UMConstants.SSOConstants.P_IGNORE_COOKIE, "true");
        }
        sSORequestCreator.setActionUrl(getActionURL());
        sSORequestCreator.addReceivedParameters();
        sSORequestCreator.writeOutput();
    }

    private void addCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        SSOData sSOData = new SSOData(getSourceURL(), getLoginURL());
        if (this.rememberUrl) {
            sSOData.setSourceUrl(httpServletRequest.getRequestURI());
        }
        processSSOData(sSOData, httpServletRequest, httpServletResponse);
        addCookie(httpServletRequest, httpServletResponse, UMConstants.SSOConstants.LIVECYCLE_AUTH_DATA, sSOData.getEncodedValue());
    }

    protected String getLoginURL() {
        return this.loginUrl;
    }

    protected String getSourceURL() {
        return this.sourceUrl;
    }

    protected String getActionURL() {
        return this.umLoginUrl;
    }

    protected void processSSOData(SSOData sSOData, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
    }

    protected Context getSecurityContext(HttpServletRequest httpServletRequest) {
        return null;
    }
}
