package org.jasig.cas.security;

import java.io.IOException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.logging.ConsoleHandler;
import java.util.logging.Formatter;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.io.IOUtils;
import org.springframework.web.servlet.support.WebContentGenerator;

/* loaded from: input_file:WEB-INF/lib/cas-server-security-filter-2.0.3.jar:org/jasig/cas/security/RequestParameterPolicyEnforcementFilter.class */
public final class RequestParameterPolicyEnforcementFilter implements Filter {
    private static final Logger LOGGER = Logger.getLogger(RequestParameterPolicyEnforcementFilter.class.getName());
    public static final String DEFAULT_CHARACTERS_BLOCKED = "? & # %";
    public static final String PARAMETERS_TO_CHECK = "parametersToCheck";
    public static final String CHARACTERS_TO_FORBID = "charactersToForbid";
    public static final String ALLOW_MULTI_VALUED_PARAMETERS = "allowMultiValuedParameters";
    public static final String LOGGER_HANDLER_CLASS_NAME = "loggerHandlerClassName";
    public static final String ONLY_POST_PARAMETERS = "onlyPostParameters";
    private Set<String> parametersToCheck;
    private Set<Character> charactersToForbid;
    private boolean allowMultiValueParameters = false;
    private Set<String> onlyPostParameters;

    public void setParametersToCheck(Set<String> set) {
        this.parametersToCheck = set;
    }

    public void setCharactersToForbid(Set<Character> set) {
        this.charactersToForbid = set;
    }

    public void setAllowMultiValueParameters(boolean z) {
        this.allowMultiValueParameters = z;
    }

    public void setOnlyPostParameters(Set<String> set) {
        this.onlyPostParameters = set;
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        configureLogging(filterConfig);
        throwIfUnrecognizedParamName(filterConfig.getInitParameterNames());
        String initParameter = filterConfig.getInitParameter(ALLOW_MULTI_VALUED_PARAMETERS);
        String initParameter2 = filterConfig.getInitParameter(PARAMETERS_TO_CHECK);
        String initParameter3 = filterConfig.getInitParameter(ONLY_POST_PARAMETERS);
        String initParameter4 = filterConfig.getInitParameter(CHARACTERS_TO_FORBID);
        try {
            this.allowMultiValueParameters = parseStringToBooleanDefaultingToFalse(initParameter);
        } catch (Exception e) {
            logExceptionAndThrow(new ServletException("Error parsing request parameter [allowMultiValuedParameters] with value [" + initParameter + "]", e));
        }
        try {
            this.parametersToCheck = parseParametersList(initParameter2, true);
        } catch (Exception e2) {
            logExceptionAndThrow(new ServletException("Error parsing request parameter parametersToCheck with value [" + initParameter2 + "]", e2));
        }
        try {
            this.onlyPostParameters = parseParametersList(initParameter3, false);
        } catch (Exception e3) {
            logExceptionAndThrow(new ServletException("Error parsing request parameter onlyPostParameters with value [" + initParameter3 + "]", e3));
        }
        try {
            this.charactersToForbid = parseCharactersToForbid(initParameter4);
        } catch (Exception e4) {
            logExceptionAndThrow(new ServletException("Error parsing request parameter charactersToForbid with value [" + initParameter4 + "]", e4));
        }
        if (this.allowMultiValueParameters && this.charactersToForbid.isEmpty()) {
            logExceptionAndThrow(new ServletException("Configuration to allow multi-value parameters and forbid no characters makes " + getClass().getSimpleName() + " a no-op, which is probably not what you want, so failing Filter init."));
        }
    }

    private void configureLogging(FilterConfig filterConfig) throws ServletException {
        for (Handler handler : LOGGER.getHandlers()) {
            LOGGER.removeHandler(handler);
        }
        LOGGER.setUseParentHandlers(false);
        try {
            Handler loadLoggerHandlerByClassName = loadLoggerHandlerByClassName(filterConfig.getInitParameter(LOGGER_HANDLER_CLASS_NAME));
            if (loadLoggerHandlerByClassName == null) {
                loadLoggerHandlerByClassName = loadLoggerHandlerByClassName("org.slf4j.bridge.SLF4JBridgeHandler");
            }
            if (loadLoggerHandlerByClassName == null) {
                ConsoleHandler consoleHandler = new ConsoleHandler();
                consoleHandler.setFormatter(new Formatter() { // from class: org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.1
                    @Override // java.util.logging.Formatter
                    public String format(LogRecord logRecord) {
                        StringBuffer stringBuffer = new StringBuffer();
                        stringBuffer.append("[");
                        stringBuffer.append(logRecord.getLevel().getName());
                        stringBuffer.append("]\t");
                        stringBuffer.append(formatMessage(logRecord));
                        stringBuffer.append(IOUtils.LINE_SEPARATOR_UNIX);
                        return stringBuffer.toString();
                    }
                });
                LOGGER.addHandler(consoleHandler);
            } else {
                LOGGER.addHandler(loadLoggerHandlerByClassName);
            }
        } catch (Exception e) {
            throw new ServletException("Could not identify the logging framework per the configuration specified.");
        }
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        try {
            if (servletRequest instanceof HttpServletRequest) {
                HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
                Map parameterMap = httpServletRequest.getParameterMap();
                Set<String> keySet = this.parametersToCheck.isEmpty() ? parameterMap.keySet() : this.parametersToCheck;
                if (!this.allowMultiValueParameters) {
                    requireNotMultiValued(keySet, parameterMap);
                }
                enforceParameterContentCharacterRestrictions(keySet, this.charactersToForbid, parameterMap);
                checkOnlyPostParameters(httpServletRequest.getMethod(), parameterMap, this.onlyPostParameters);
            }
        } catch (Exception e) {
            logExceptionAndThrow(new ServletException(getClass().getSimpleName() + " is blocking this request.  Examine the cause in this stack trace to understand why.", e));
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    public void destroy() {
    }

    static void throwIfUnrecognizedParamName(Enumeration enumeration) throws ServletException {
        HashSet hashSet = new HashSet();
        hashSet.add(ALLOW_MULTI_VALUED_PARAMETERS);
        hashSet.add(PARAMETERS_TO_CHECK);
        hashSet.add(ONLY_POST_PARAMETERS);
        hashSet.add(CHARACTERS_TO_FORBID);
        hashSet.add(LOGGER_HANDLER_CLASS_NAME);
        while (enumeration.hasMoreElements()) {
            String str = (String) enumeration.nextElement();
            if (!hashSet.contains(str)) {
                logExceptionAndThrow(new ServletException("Unrecognized init parameter [" + str + "].  Failing safe.  Typo in the web.xml configuration?  Misunderstanding about the configuration " + RequestParameterPolicyEnforcementFilter.class.getSimpleName() + " expects?"));
            }
        }
    }

    Logger getLogger() {
        return LOGGER;
    }

    static boolean parseStringToBooleanDefaultingToFalse(String str) {
        if ("true".equals(str)) {
            return true;
        }
        if ("false".equals(str) || null == str) {
            return false;
        }
        logExceptionAndThrow(new IllegalArgumentException("String [" + str + "] could not parse to a boolean because it was not precisely 'true' or 'false'."));
        return false;
    }

    static Set<String> parseParametersList(String str, boolean z) {
        HashSet hashSet = new HashSet();
        if (null == str) {
            return hashSet;
        }
        String[] split = str.split("\\s+");
        if (0 == split.length) {
            logExceptionAndThrow(new IllegalArgumentException("[" + str + "] had no tokens but should have had at least one token."));
        }
        if (1 == split.length && "*".equals(split[0]) && z) {
            return hashSet;
        }
        for (String str2 : split) {
            if ("*".equals(str2)) {
                logExceptionAndThrow(new IllegalArgumentException("Star token encountered among other tokens in parsing [" + str + "]"));
            }
            hashSet.add(str2);
        }
        return hashSet;
    }

    static Set<Character> parseCharactersToForbid(String str) {
        HashSet hashSet = new HashSet();
        if (null == str) {
            str = DEFAULT_CHARACTERS_BLOCKED;
        }
        if ("none".equals(str)) {
            return hashSet;
        }
        String[] split = str.split("\\s+");
        if (0 == split.length) {
            logExceptionAndThrow(new IllegalArgumentException("Expected tokens when parsing [" + str + "] but found no tokens. If you really want to configure no characters, use the magic value 'none'."));
        }
        for (String str2 : split) {
            if (str2.length() > 1) {
                logExceptionAndThrow(new IllegalArgumentException("Expected tokens of length 1 but found [" + str2 + "] when parsing [" + str + "]"));
            }
            hashSet.add(Character.valueOf(str2.charAt(0)));
        }
        return hashSet;
    }

    static void requireNotMultiValued(Set<String> set, Map map) {
        for (String str : set) {
            if (map.containsKey(str)) {
                String[] strArr = (String[]) map.get(str);
                if (strArr.length > 1) {
                    logExceptionAndThrow(new IllegalStateException("Parameter [" + str + "] had multiple values [" + Arrays.toString(strArr) + "] but at most one value is allowable."));
                }
            }
        }
    }

    static void enforceParameterContentCharacterRestrictions(Set<String> set, Set<Character> set2, Map map) {
        if (set2.isEmpty()) {
            return;
        }
        for (String str : set) {
            String[] strArr = (String[]) map.get(str);
            if (null != strArr) {
                for (String str2 : strArr) {
                    for (Character ch : set2) {
                        StringBuilder sb = new StringBuilder();
                        sb.append(ch);
                        if (str2.contains(sb)) {
                            logExceptionAndThrow(new IllegalArgumentException("Disallowed character [" + ch + "] found in value [" + str2 + "] of parameter named [" + str + "]"));
                        }
                    }
                }
            }
        }
    }

    static void checkOnlyPostParameters(String str, Map map, Set<String> set) {
        if (WebContentGenerator.METHOD_POST.equals(str)) {
            return;
        }
        Set keySet = map.keySet();
        for (String str2 : set) {
            if (keySet.contains(str2)) {
                logExceptionAndThrow(new IllegalArgumentException(str2 + " parameter should only be used in POST requests"));
            }
        }
    }

    private static void logExceptionAndThrow(Exception exc) {
        LOGGER.log(Level.SEVERE, exc.getMessage(), (Throwable) exc);
        throw new RuntimeException(exc.getMessage(), exc);
    }

    private static Handler loadLoggerHandlerByClassName(String str) throws Exception {
        if (str == null) {
            return null;
        }
        try {
            Class<?> loadClass = RequestParameterPolicyEnforcementFilter.class.getClassLoader().loadClass(str);
            if (loadClass != null) {
                return (Handler) loadClass.newInstance();
            }
            return null;
        } catch (Exception e) {
            LOGGER.log(Level.FINE, e.getMessage(), (Throwable) e);
            return null;
        }
    }
}
