package pl.edu.icm.unity.webui.authn;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.LoginSession;
import pl.edu.icm.unity.engine.api.authn.UnsuccessfulAuthenticationCounter;
import pl.edu.icm.unity.engine.api.server.HTTPRequestContext;
import pl.edu.icm.unity.engine.api.session.LoginToHttpSessionBinder;
import pl.edu.icm.unity.engine.api.session.SessionManagement;
import pl.edu.icm.unity.engine.api.utils.HiddenResourcesFilter;
import pl.edu.icm.unity.types.authn.AuthenticationRealm;
import pl.edu.icm.unity.webui.CookieHelper;
import pl.edu.icm.unity.webui.common.attributes.TextOnlyAttributeHandler;
import pl.edu.icm.unity.webui.idpcommon.EopException;

/* loaded from: input_file:pl/edu/icm/unity/webui/authn/AuthenticationFilter.class */
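/**
 * Servlet filter guarding the configured protected servlet paths.
 *
 * <p>Every request runs through a fixed sequence of handlers in {@link #doFilter}; the first
 * handler that produces a response ends the sequence by throwing {@link EopException}:
 * <ol>
 *   <li>a servlet path outside {@code protectedServletPaths} goes straight down the chain;</li>
 *   <li>an unexpired {@link LoginSession} already bound to the HTTP session is honoured — note
 *       this runs before the IP block check, so an established session keeps working for a
 *       client whose IP is currently blocked;</li>
 *   <li>a client IP with remaining block time in {@code dosGuard} receives HTTP 403;</li>
 *   <li>a realm session cookie is resolved through {@link SessionManagement}; an unknown id is
 *       counted as an unsuccessful attempt for that IP and the cookie is cleared;</li>
 *   <li>remember-me processing may still yield a session; otherwise the request is forwarded
 *       (server-side) to the authentication servlet.</li>
 * </ol>
 *
 * <p>Thread-safety: {@code protectedServletPaths} is a plain {@link ArrayList} that
 * {@link #addProtectedPath(String)} mutates without synchronisation — NOTE(review): presumably
 * only called during setup before requests arrive; confirm before relying on it at runtime.
 */
public class AuthenticationFilter implements Filter {
    private static final Logger log = Log.getLogger("unity.server.web", AuthenticationFilter.class);

    /** HTTP session attribute from which the bound {@link LoginSession} is read. */
    // NOTE(review): presumably the same key LoginToHttpSessionBinder writes under — confirm.
    private static final String LOGIN_SESSION_ATTRIBUTE = "pl.edu.icm.unity.web.WebSession";
    /** Path-info prefix whose requests must not refresh the login session's activity timestamp. */
    private static final String HEARTBEAT_PATH_PREFIX = "HEARTBEAT/";

    private final List<String> protectedServletPaths;
    private final String authnServletPath;
    private final String sessionCookie;
    private final UnsuccessfulAuthenticationCounter dosGuard;
    private final SessionManagement sessionMan;
    private final LoginToHttpSessionBinder sessionBinder;
    private final RememberMeProcessor rememberMeHelper;
    private final AuthenticationRealm realm;

    /**
     * Creates the filter for one authentication realm.
     *
     * @param protectedServletPaths servlet-path prefixes that require an authenticated session
     *        (copied; later additions go through {@link #addProtectedPath(String)})
     * @param authnServletPath path of the authentication servlet unauthenticated requests are forwarded to
     * @param realm realm whose name selects the session cookie and whose limits configure the brute-force guard
     * @param sessionMan used to resolve session ids and refresh session activity
     * @param sessionBinder binds a resolved {@link LoginSession} to the servlet container's HTTP session
     * @param rememberMeHelper remember-me processing consulted as the last resort before forwarding to authN
     */
    public AuthenticationFilter(List<String> protectedServletPaths, String authnServletPath,
            AuthenticationRealm realm, SessionManagement sessionMan,
            LoginToHttpSessionBinder sessionBinder, RememberMeProcessor rememberMeHelper) {
        this.protectedServletPaths = new ArrayList<>(protectedServletPaths);
        this.authnServletPath = authnServletPath;
        // The block window is realm.getBlockFor() scaled by LARGE_STRING; the decompiler resolved the
        // multiplier to this constant — presumably a seconds-to-milliseconds factor, confirm against
        // the unit UnsuccessfulAuthenticationCounter expects.
        this.dosGuard = new UnsuccessfulAuthenticationCounter(realm.getBlockAfterUnsuccessfulLogins(),
                realm.getBlockFor() * TextOnlyAttributeHandler.LARGE_STRING);
        this.sessionCookie = StandardWebAuthenticationProcessor.getSessionCookieName(realm.getName());
        this.sessionMan = sessionMan;
        this.sessionBinder = sessionBinder;
        this.rememberMeHelper = rememberMeHelper;
        this.realm = realm;
    }

    /**
     * Runs the handler sequence described on the class; each handler either returns (letting the
     * next one try) or writes the response and throws {@link EopException} to stop the sequence.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        String clientIp = HTTPRequestContext.getCurrent().getClientIP();
        try {
            handleNotProtectedResource(httpRequest, httpResponse, chain);
            handleBoundSession(httpRequest, httpResponse, chain, clientIp);
            handleBlockedIP(httpResponse, clientIp);
            handleSessionFromCookie(httpRequest, httpResponse, chain, clientIp);
            handleRememberMe(httpRequest, httpResponse, chain, clientIp);
            forwardToAuthn(httpRequest, httpResponse);
        } catch (EopException ignored) {
            // Control-flow signal only: the response has already been produced by a handler.
        }
    }

    /** Lets requests outside the protected servlet paths pass down the chain untouched. */
    private void handleNotProtectedResource(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws IOException, ServletException, EopException {
        if (HiddenResourcesFilter.hasPathPrefix(request.getServletPath(), protectedServletPaths)) {
            return;
        }
        gotoNotProtectedResource(request, response, chain);
        throw new EopException();
    }

    /**
     * Serves the request when an unexpired {@link LoginSession} is already bound to the HTTP session.
     * A session flagged as using an outdated credential is sent to the authentication servlet instead.
     */
    private void handleBoundSession(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, String clientIp) throws IOException, ServletException, EopException {
        HttpSession httpSession = request.getSession(false);
        if (httpSession == null) {
            return;
        }
        LoginSession loginSession = (LoginSession) httpSession.getAttribute(LOGIN_SESSION_ATTRIBUTE);
        if (loginSession == null || loginSession.isExpiredAt(System.currentTimeMillis())) {
            return;
        }
        dosGuard.successfulAttempt(clientIp);
        if (loginSession.isUsedOutdatedCredential()) {
            log.trace("Outdated credential used - redirect to authN");
            forwardToAuthn(request, response);
            throw new EopException();
        }
        String loginSessionId = loginSession.getId();
        // Heartbeat requests keep the page alive without counting as user activity.
        if (!HiddenResourcesFilter.hasPathPrefix(request.getPathInfo(), HEARTBEAT_PATH_PREFIX)) {
            log.trace("Update session activity for " + loginSessionId);
            try {
                sessionMan.updateSessionActivity(loginSessionId);
            } catch (IllegalArgumentException e) {
                // The try is kept this narrow on purpose: an IllegalArgumentException thrown further
                // down the filter chain must not be mistaken for an expired session, which would let
                // the remaining handlers write to an already committed response.
                log.debug("Can't update session activity ts for " + loginSessionId + " - expired(?), HTTP session " + httpSession.getId(), e);
                return;
            }
        }
        gotoProtectedResource(request, response, chain);
        throw new EopException();
    }

    /** Rejects with 403 a client IP that still has block time left in the brute-force guard. */
    private void handleBlockedIP(HttpServletResponse response, String clientIp) throws IOException, EopException {
        long remainingBlockedTime = dosGuard.getRemainingBlockedTime(clientIp);
        if (remainingBlockedTime > 0) {
            log.debug("Blocked potential DoS/brute force authN attack from " + clientIp);
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access is blocked for " + TimeUnit.MILLISECONDS.toSeconds(remainingBlockedTime) + "s more, due to sending too many invalid session cookies.");
            throw new EopException();
        }
    }

    /**
     * Resolves the realm's session cookie to a {@link LoginSession}, binds it to the HTTP session
     * and serves the request. An id the session manager rejects is counted against the client IP
     * and the cookie is cleared, after which the next handler gets its turn.
     */
    private void handleSessionFromCookie(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, String clientIp) throws IOException, ServletException, EopException {
        String sessionId = CookieHelper.getCookie(request, sessionCookie);
        if (sessionId == null) {
            return;
        }
        LoginSession loginSession;
        try {
            loginSession = sessionMan.getSession(sessionId);
        } catch (IllegalArgumentException e) {
            // Only the lookup is guarded so that an IllegalArgumentException from the downstream chain
            // is neither penalised as a bad cookie nor followed by a second response.
            // The message carries the presented (rejected) session id, hence trace level only.
            log.trace("Got request with invalid login session id " + sessionId + " to " + request.getRequestURI());
            dosGuard.unsuccessfulAttempt(clientIp);
            clearSessionCookie(response);
            return;
        }
        bindSessionAndGotoProtectedResource(request, response, chain, loginSession, clientIp);
        throw new EopException();
    }

    /**
     * Last resort: asks the remember-me processor for a session; serves the request with it or
     * forwards to the authentication servlet. Always ends the handler sequence.
     */
    private void handleRememberMe(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, String clientIp) throws IOException, ServletException, EopException {
        Optional<LoginSession> remembered = rememberMeHelper.processRememberedWholeAuthn(
                request, response, clientIp, realm, dosGuard);
        if (!remembered.isPresent()) {
            forwardToAuthn(request, response);
            throw new EopException();
        }
        LoginSession loginSession = remembered.get();
        log.debug("Whole authn is remembered by entity " + loginSession.getEntityId() + ", skipping it");
        bindSessionAndGotoProtectedResource(request, response, chain, loginSession, clientIp);
        throw new EopException();
    }

    /**
     * Forwards to the authentication servlet, preserving the request's path info. The forward is
     * a server-side dispatch, so the client-supplied path info never becomes a redirect target.
     */
    private void forwardToAuthn(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String target = authnServletPath;
        String pathInfo = request.getPathInfo();
        if (pathInfo != null) {
            target = target + pathInfo;
        }
        if (log.isTraceEnabled()) {
            log.trace("Request to protected address, forward: " + request.getRequestURI() + " -> " + request.getContextPath() + target);
        }
        request.getRequestDispatcher(target).forward(request, response);
    }

    /** Records a successful attempt for the IP, binds the login session to a (new) HTTP session and serves the request. */
    private void bindSessionAndGotoProtectedResource(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, LoginSession loginSession, String clientIp) throws IOException, ServletException {
        dosGuard.successfulAttempt(clientIp);
        sessionBinder.bindHttpSession(request.getSession(true), loginSession);
        gotoProtectedResource(request, response, chain);
    }

    /** Continues the chain for an authenticated request to a protected path. */
    private void gotoProtectedResource(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (log.isTraceEnabled()) {
            log.trace("Request to protected address, user is authenticated: " + request.getRequestURI());
        }
        chain.doFilter(request, response);
    }

    /** Continues the chain for a request to a path this filter does not protect. */
    private void gotoNotProtectedResource(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        if (log.isTraceEnabled()) {
            log.trace("Request to not protected address: " + request.getRequestURI());
        }
        chain.doFilter(request, response);
    }

    /** Expires the realm session cookie on the client (empty value, max-age 0). */
    private void clearSessionCookie(HttpServletResponse response) {
        response.addCookie(CookieHelper.setupHttpCookie(sessionCookie, "", 0));
    }

    /** No resources to release; all state is injected through the constructor. */
    @Override
    public void destroy() {
    }

    /** No container-side configuration is read; all state is injected through the constructor. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Adds a servlet-path prefix to the protected set.
     *
     * @param servletPath prefix compared against {@link HttpServletRequest#getServletPath()}
     */
    public void addProtectedPath(String servletPath) {
        protectedServletPaths.add(servletPath);
    }
}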
