package com.ibm.isclite.service.security.filter;

import com.ibm.isclite.common.util.AuthzFilterUtil;
import com.ibm.isclite.common.util.CheckReferrer;
import com.ibm.isclite.common.util.ISCAppUtil;
import com.ibm.isclite.common.util.SecurityUtil;
import com.ibm.isclite.common.util.SessionUtil;
import com.ibm.isclite.service.security.roles.RoleServiceUtil;
import com.ibm.websphere.security.WSSecurityHelper;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:com/ibm/isclite/service/security/filter/TIPAuthorizationFilter.class */
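/**
 * Servlet filter that gates access to console resources.
 *
 * Per request it performs, in order:
 * <ol>
 *   <li>a referrer check ({@link CheckReferrer}); failure is a 403 before anything else happens,</li>
 *   <li>pass-through for the console logout URL and for any request matching {@code EXCLUDE_REGEXP},</li>
 *   <li>authentication: either a silent probe via {@link HttpServletRequest#authenticate} with a
 *       response stub (so no challenge is written), optionally combined with a console-session check,
 *       or a real challenge when neither {@code REQUIRE_CONSOLE_SESSION} nor {@code NO_LOGIN_PROMPT} is set,</li>
 *   <li>authorization: the user must hold at least one role from {@link #_allowedRolesSet}.</li>
 * </ol>
 *
 * Init parameters (see {@link #init}): {@code FILTER_ID}, {@code ALLOWED_ROLES} (comma separated),
 * {@code EXCLUDE_REGEXP}, {@code REQUIRE_CONSOLE_SESSION}, {@code NO_LOGIN_PROMPT}.
 * NOTE: the two boolean parameters are enabled by mere presence, whatever their value
 * (a value of "false" still enables them) — this is preserved for compatibility with existing
 * deployment descriptors.
 *
 * Security-relevant behaviour worth knowing when configuring this filter:
 * <ul>
 *   <li>{@code EXCLUDE_REGEXP} is matched against the context-relative URI <em>plus the query string</em>,
 *       both attacker-controlled; an unanchored or permissive pattern can be satisfied by appending
 *       a crafted query string and would bypass authentication for the matched request.</li>
 *   <li>The post-login redirect cookie carries the full request URL as reconstructed by the container
 *       (scheme/host from the request, i.e. from the Host header); whoever consumes that cookie after
 *       login should validate it against the expected console host.</li>
 * </ul>
 */
public class TIPAuthorizationFilter implements Filter {
    private static final String CLASS_NAME = TIPAuthorizationFilter.class.getName();
    private static final Logger logger = Logger.getLogger(TIPAuthorizationFilter.class.getName());
    public static final String FILTER_ID_PARAM = "FILTER_ID";
    public static final String ALLOWED_ROLES_PARAM = "ALLOWED_ROLES";
    public static final String EXCLUDE_REGEXP_PARAM = "EXCLUDE_REGEXP";
    public static final String REQUIRE_CONSOLE_SESSION_PARAM = "REQUIRE_CONSOLE_SESSION";
    public static final String NON_BROWSER_PARAM = "NO_LOGIN_PROMPT";
    public static final String CONSOLE_LOGIN_COOKIE = "CONSOLE_LOGOUT_CHECK";
    public static final String POST_LOGIN_REDIRECT_COOKIE = "DASHPOSTLOGINREDIRECT";
    /** Value of {@code FILTER_ID}; may stay null if the parameter is absent. */
    private String _filterID;
    /** Raw {@code EXCLUDE_REGEXP} text, kept for logging only. */
    private String _excludeRegexp;
    /** {@link #_excludeRegexp} compiled once at init; null when no exclusion is configured. */
    private Pattern _excludePattern;
    /** Roles any one of which grants access. Public for compatibility; populated in {@link #init}. */
    public final Set<String> _allowedRolesSet = new HashSet<String>();
    private boolean _requireConsoleSession;
    private boolean _nonBrowser;
    private CheckReferrer checkReferrer;

    /**
     * Response stub handed to {@link HttpServletRequest#authenticate} so that the container can be
     * asked "is this request authenticated?" without a login challenge (redirect/401/headers/cookies)
     * ever reaching the real response. Every write is discarded; every read returns null/0/false.
     * Static because it never touches filter state.
     */
    protected static final class DummyHttpServletResponse implements HttpServletResponse {
        protected DummyHttpServletResponse() {
        }

        @Override
        public void addCookie(Cookie cookie) {
        }

        @Override
        public void addDateHeader(String str, long j) {
        }

        @Override
        public void addHeader(String str, String str2) {
        }

        @Override
        public void addIntHeader(String str, int i) {
        }

        @Override
        public boolean containsHeader(String str) {
            return false;
        }

        @Override
        public String encodeRedirectURL(String str) {
            return null;
        }

        @Override
        public String encodeRedirectUrl(String str) {
            return null;
        }

        @Override
        public String encodeURL(String str) {
            return null;
        }

        @Override
        public String encodeUrl(String str) {
            return null;
        }

        @Override
        public String getHeader(String str) {
            return null;
        }

        @Override
        public Collection getHeaderNames() {
            return null;
        }

        @Override
        public Collection getHeaders(String str) {
            return null;
        }

        @Override
        public int getStatus() {
            return 0;
        }

        @Override
        public void sendError(int i) throws IOException {
        }

        @Override
        public void sendError(int i, String str) throws IOException {
        }

        @Override
        public void sendRedirect(String str) throws IOException {
        }

        @Override
        public void setDateHeader(String str, long j) {
        }

        @Override
        public void setHeader(String str, String str2) {
        }

        @Override
        public void setIntHeader(String str, int i) {
        }

        @Override
        public void setStatus(int i) {
        }

        @Override
        public void setStatus(int i, String str) {
        }

        @Override
        public void flushBuffer() throws IOException {
        }

        @Override
        public int getBufferSize() {
            return 0;
        }

        @Override
        public String getCharacterEncoding() {
            return null;
        }

        @Override
        public String getContentType() {
            return null;
        }

        @Override
        public Locale getLocale() {
            return null;
        }

        @Override
        public ServletOutputStream getOutputStream() throws IOException {
            return null;
        }

        @Override
        public PrintWriter getWriter() throws IOException {
            return null;
        }

        @Override
        public boolean isCommitted() {
            return false;
        }

        @Override
        public void reset() {
        }

        @Override
        public void resetBuffer() {
        }

        @Override
        public void setBufferSize(int i) {
        }

        @Override
        public void setCharacterEncoding(String str) {
        }

        @Override
        public void setContentLength(int i) {
        }

        @Override
        public void setContentType(String str) {
        }

        @Override
        public void setLocale(Locale locale) {
        }
    }

    /** Drops the configured role set; the container calls this once when the filter is taken out of service. */
    @Override
    public void destroy() {
        this._allowedRolesSet.clear();
    }

    /**
     * Applies the referrer, exclusion, authentication and authorization checks described on the class.
     *
     * @param servletRequest  must be an {@link HttpServletRequest}
     * @param servletResponse must be an {@link HttpServletResponse}
     * @param filterChain     invoked only for logout/excluded requests and for authenticated, authorized users
     * @throws IOException      from the response or the downstream chain
     * @throws ServletException from the container's authenticate() or the downstream chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (logger.isLoggable(Level.FINER)) {
            logger.entering(CLASS_NAME, "doFilter");
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        // Referrer check runs first: a request that fails it is rejected before any
        // session is created and before any authentication state is consulted.
        if (!this.checkReferrer.checkReferrer(request)) {
            // Was a System.out.println with a developer's name; stdout is not the audit trail.
            if (logger.isLoggable(Level.FINE)) {
                logger.logp(Level.FINE, CLASS_NAME, "doFilter", "Referrer check failed, rejecting request with 403.");
            }
            response.sendError(403, "NOT AUTHORIZED");
            return;
        }

        String fullRequestUrl = _fullRequestUrl(request);
        if (logger.isLoggable(Level.FINE)) {
            logger.logp(Level.FINE, CLASS_NAME, "doFilter", "Incoming request URL: " + fullRequestUrl);
        }

        // Logout must always be reachable, even with a dead session.
        if (_isLogoutRequest(request)) {
            if (logger.isLoggable(Level.FINE)) {
                logger.logp(Level.FINE, CLASS_NAME, "doFilter", "Doing logout, continuing with filter chain and aborting.");
            }
            _continueChain(servletRequest, servletResponse, filterChain);
            return;
        }

        // Configured exclusions bypass authentication entirely (see class doc for the caveat).
        if (_isExcluded(request)) {
            if (logger.isLoggable(Level.FINE)) {
                logger.logp(Level.FINE, CLASS_NAME, "doFilter", "Request matches the filter's EXCLUDE_REGEXP pattern, continuing with filter chain and aborting.");
            }
            _continueChain(servletRequest, servletResponse, filterChain);
            return;
        }

        // Note: these diagnostics create a session (getSession(true)) for unauthenticated callers
        // when FINE/FINER logging is enabled; kept as-is for parity with existing behaviour.
        if (logger.isLoggable(Level.FINER)) {
            logger.logp(Level.FINER, CLASS_NAME, "doFilter", "Session: " + request.getSession(true));
        }
        if (logger.isLoggable(Level.FINE)) {
            logger.logp(Level.FINE, CLASS_NAME, "doFilter", "Is user logged in at this point? SessionUtil says: " + SessionUtil.isSessionValid(request.getSession(true).getId()));
        }

        // authenticated: result of the last silent probe (true until a probe says otherwise).
        // probed: whether a silent probe has been performed at all in this request.
        boolean authenticated = true;
        boolean probed = false;

        if (this._requireConsoleSession) {
            if (!request.authenticate(new DummyHttpServletResponse())) {
                if (logger.isLoggable(Level.FINE)) {
                    logger.logp(Level.FINE, CLASS_NAME, "doFilter", "User is not authenticated, challenging for authentication....");
                }
                authenticated = false;
            }
            probed = true;
            // Container authentication alone is not enough here: the console session must be live too.
            if (!SessionUtil.isSessionValid(request.getSession(true).getId()) || !authenticated) {
                if (this._nonBrowser) {
                    if (logger.isLoggable(Level.FINE)) {
                        logger.logp(Level.FINE, CLASS_NAME, "doFilter", "NonBrowser: User is not logged into console, rejecting request with error 4xx...");
                    }
                    response.sendError(403, "NOT AUTHORIZED");
                    return;
                }
                if (logger.isLoggable(Level.FINE)) {
                    logger.logp(Level.FINE, CLASS_NAME, "doFilter", "User is not logged into console, redirecting to console URL with PostLoginRedirect URL set...");
                }
                _redirectToConsoleLogin(request, response, fullRequestUrl);
                return;
            }
        }

        // Non-browser clients never get a challenge: probe silently, then accept or 403.
        if (this._nonBrowser && !probed) {
            if (!request.authenticate(new DummyHttpServletResponse())) {
                if (logger.isLoggable(Level.FINE)) {
                    logger.logp(Level.FINE, CLASS_NAME, "doFilter", "User is not authenticated, challenging for authentication....");
                }
                authenticated = false;
            }
            probed = true;
        }

        if (this._nonBrowser && !authenticated) {
            // Log text corrected: the original said "is authenticated" on the rejection path.
            if (logger.isLoggable(Level.FINE)) {
                logger.logp(Level.FINE, CLASS_NAME, "doFilter", "NonBrowser: User is not authenticated, rejecting request with error 4xx...");
            }
            response.sendError(403, "NOT AUTHORIZED");
        } else if ((probed && authenticated) || request.authenticate(response)) {
            // Either a silent probe already succeeded, or authenticate(response) did — the latter
            // writes the container's login challenge into the real response when it returns false.
            if (_isUserAuthorized(request)) {
                if (logger.isLoggable(Level.FINE)) {
                    logger.logp(Level.FINE, CLASS_NAME, "doFilter", "User is authenticated and authorized, continuing the filter chain...");
                }
                _continueChain(new TIPServletRequestWrapper(request), servletResponse, filterChain);
            } else {
                if (logger.isLoggable(Level.FINE)) {
                    logger.logp(Level.FINE, CLASS_NAME, "doFilter", "User is authenticated but not authorized, returning FORBIDDEN http status code...");
                }
                response.sendError(403, "NOT AUTHORIZED");
            }
        } else if (logger.isLoggable(Level.FINE)) {
            // authenticate(response) returned false: the container has issued the challenge.
            logger.logp(Level.FINE, CLASS_NAME, "doFilter", "User is not authenticated, challenging for authentication....");
        }

        if (logger.isLoggable(Level.FINER)) {
            logger.exiting(CLASS_NAME, "doFilter");
        }
    }

    /**
     * Reads the filter's init parameters. Fails the filter (ServletException) if {@code EXCLUDE_REGEXP}
     * is not a valid regular expression, rather than failing every request later.
     *
     * @param filterConfig the container-supplied configuration
     * @throws ServletException when {@code EXCLUDE_REGEXP} does not compile
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.checkReferrer = new CheckReferrer();
        if (logger.isLoggable(Level.FINER)) {
            logger.entering(CLASS_NAME, "init");
        }

        String filterId = filterConfig.getInitParameter(FILTER_ID_PARAM);
        if (filterId == null || filterId.isEmpty()) {
            // _filterID stays null; _parseAndAddRoles will then query AuthzFilterUtil with a null id.
            logger.logp(Level.WARNING, CLASS_NAME, "init", "Filter ID is null");
        } else {
            this._filterID = filterId;
        }

        String allowedRoles = filterConfig.getInitParameter(ALLOWED_ROLES_PARAM);
        if (allowedRoles == null || allowedRoles.isEmpty()) {
            // Default: the generic console-users role. Filter-specific roles from AuthzFilterUtil
            // are only merged in when ALLOWED_ROLES is explicitly configured (see _parseAndAddRoles).
            this._allowedRolesSet.add(SecurityUtil.ISCUSERS_ROLE);
        } else {
            _parseAndAddRoles(allowedRoles);
        }

        String excludeRegexp = filterConfig.getInitParameter(EXCLUDE_REGEXP_PARAM);
        if (excludeRegexp != null && !excludeRegexp.isEmpty()) {
            this._excludeRegexp = excludeRegexp;
            try {
                // Compiled once instead of String.matches() per request; same full-match semantics.
                this._excludePattern = Pattern.compile(excludeRegexp);
            } catch (PatternSyntaxException e) {
                throw new ServletException("Invalid " + EXCLUDE_REGEXP_PARAM + " for filter " + this._filterID + ": " + e.getDescription(), e);
            }
        } else if (logger.isLoggable(Level.FINE)) {
            logger.logp(Level.FINE, CLASS_NAME, "init", "No exclusion regexp is specified.  This is normal.");
        }

        // Presence, not value, enables these flags (a value of "false" still enables them).
        this._requireConsoleSession = filterConfig.getInitParameter(REQUIRE_CONSOLE_SESSION_PARAM) != null;
        if (logger.isLoggable(Level.FINE)) {
            logger.logp(Level.FINE, CLASS_NAME, "init", "Console session required: " + this._requireConsoleSession);
        }
        this._nonBrowser = filterConfig.getInitParameter(NON_BROWSER_PARAM) != null;
        if (logger.isLoggable(Level.FINE)) {
            logger.logp(Level.FINE, CLASS_NAME, "init", "Non_Browser: " + this._nonBrowser);
        }

        if (logger.isLoggable(Level.FINER)) {
            logger.exiting(CLASS_NAME, "init");
        }
    }

    /** Request URL as the client sent it (scheme, host, path) plus the query string when present. */
    private static String _fullRequestUrl(HttpServletRequest request) {
        String url = request.getRequestURL().toString();
        String query = request.getQueryString();
        return query == null ? url : url + "?" + query;
    }

    /** True when the request URL ends in the console's logout action (with or without a slash). */
    private static boolean _isLogoutRequest(HttpServletRequest request) {
        String url = request.getRequestURL().toString();
        String contextRoot = ISCAppUtil.getContextRoot();
        return url.endsWith(contextRoot + "logout.do") || url.endsWith(contextRoot + "/logout.do");
    }

    /**
     * True when an exclusion pattern is configured and the context-relative URI, with its query string
     * appended, matches it in full. Both parts come straight from the client.
     */
    private boolean _isExcluded(HttpServletRequest request) {
        if (this._excludePattern == null) {
            return false;
        }
        StringBuilder relative = new StringBuilder(request.getRequestURI().substring(request.getContextPath().length()));
        String query = request.getQueryString();
        if (query != null) {
            relative.append('?').append(query);
        }
        if (logger.isLoggable(Level.FINER)) {
            logger.logp(Level.FINER, CLASS_NAME, "doFilter", "requestURL: " + relative.toString());
            logger.logp(Level.FINER, CLASS_NAME, "doFilter", "exclude pattern: " + this._excludeRegexp);
        }
        return this._excludePattern.matcher(relative).matches();
    }

    /** Hands the request down the chain, turning a FileNotFoundException from downstream into a 404. */
    private static void _continueChain(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        try {
            chain.doFilter(request, response);
        } catch (FileNotFoundException e) {
            ((HttpServletResponse) response).sendError(404);
        }
    }

    /**
     * Browser path for a caller without a live console session: remember where they were going,
     * clear stale login-state cookies, revoke SSO cookies if they were previously logged in,
     * and send them to the console root to log in.
     *
     * @param returnUrl full URL to resume after login; stored in {@link #POST_LOGIN_REDIRECT_COOKIE}
     *                  (readable by script — no HttpOnly is set, preserved for compatibility)
     */
    private void _redirectToConsoleLogin(HttpServletRequest request, HttpServletResponse response, String returnUrl) throws IOException {
        Cookie redirectCookie = new Cookie(POST_LOGIN_REDIRECT_COOKIE, returnUrl);
        redirectCookie.setPath("/");
        if (request.isSecure()) {
            redirectCookie.setSecure(true);
        }
        response.addCookie(redirectCookie);

        // Clear WebSphere's own saved-request cookie so its post-login redirect does not compete
        // with ours. Always Secure (unlike the cookie above) — preserved as configured upstream.
        Cookie wasReqUrl = new Cookie("WASReqURL", "DEL");
        wasReqUrl.setMaxAge(0);
        wasReqUrl.setPath("/");
        wasReqUrl.setSecure(true);
        response.addCookie(wasReqUrl);

        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (CONSOLE_LOGIN_COOKIE.equals(cookie.getName()) && !"DEL".equals(cookie.getValue())) {
                    if (logger.isLoggable(Level.FINE)) {
                        logger.logp(Level.FINE, CLASS_NAME, "doFilter", "CONSOLE_LOGIN_COOKIE found, user was previously logged into DASH but now has an invalid session.  Invalidating authentication and deleting cookie.");
                    }
                    Cookie deleteLoginCookie = new Cookie(CONSOLE_LOGIN_COOKIE, "DEL");
                    deleteLoginCookie.setPath("/");
                    deleteLoginCookie.setMaxAge(0);
                    response.addCookie(deleteLoginCookie);
                    WSSecurityHelper.revokeSSOCookies(request, response);
                    // One match is enough; the previous loop never advanced past a match and spun forever.
                    break;
                }
            }
        }
        response.sendRedirect(ISCAppUtil.getContextRoot());
    }

    /**
     * Splits the comma-separated {@code ALLOWED_ROLES} value into {@link #_allowedRolesSet}, then
     * merges the roles registered for this filter id via {@link AuthzFilterUtil}.
     * Empty entries are skipped; surrounding whitespace is trimmed.
     */
    private void _parseAndAddRoles(String str) {
        if (logger.isLoggable(Level.FINER)) {
            logger.entering(CLASS_NAME, "_parseAndAddRoles");
        }
        for (String role : str.split(",")) {
            if (!role.isEmpty()) {
                this._allowedRolesSet.add(role.trim());
            }
        }
        this._allowedRolesSet.addAll(AuthzFilterUtil.getRolesByFilter(this._filterID));
        if (logger.isLoggable(Level.FINER)) {
            logger.exiting(CLASS_NAME, "_parseAndAddRoles", this._allowedRolesSet);
        }
    }

    /**
     * @return true if the caller holds any one of the allowed roles (an OR over the set, checked via
     *         {@link RoleServiceUtil#isUserInRole}); false for an empty set
     */
    private boolean _isUserAuthorized(HttpServletRequest httpServletRequest) {
        if (logger.isLoggable(Level.FINER)) {
            logger.entering(CLASS_NAME, "_isUserAuthorized");
        }
        boolean authorized = false;
        Iterator<String> roles = this._allowedRolesSet.iterator();
        while (roles.hasNext() && !authorized) {
            authorized = RoleServiceUtil.isUserInRole(roles.next(), httpServletRequest);
        }
        if (logger.isLoggable(Level.FINER)) {
            logger.exiting(CLASS_NAME, "_isUserAuthorized", Boolean.valueOf(authorized));
        }
        return authorized;
    }
}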
