package edu.yale.its.tp.cas.client.filter;

import com.tencent.android.tpush.common.Constants;
import edu.yale.its.tp.cas.client.CASAuthenticationException;
import edu.yale.its.tp.cas.client.CASReceipt;
import edu.yale.its.tp.cas.client.ProxyTicketValidator;
import edu.yale.its.tp.cas.client.SingleSignOutHandler;
import edu.yale.its.tp.cas.client.SingleSignOutHttpSessionListener;
import edu.yale.its.tp.cas.client.Util;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: classes.dex */
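/**
 * Servlet filter that guards HTTP resources with CAS single sign-on.
 *
 * <p>For each request the filter, in this order:
 * <ol>
 *   <li>rejects anything that is not an HTTP request/response pair;</li>
 *   <li>when single sign-out is enabled, hands token and logout requests to the
 *       {@link SingleSignOutHandler};</li>
 *   <li>lets the proxy-granting-ticket callback through unauthenticated;</li>
 *   <li>accepts a request whose session already holds an acceptable {@link CASReceipt};</li>
 *   <li>otherwise validates the ticket parameter, if one is present, and stores the
 *       resulting user name and receipt in the session;</li>
 *   <li>otherwise redirects the browser to the CAS login URL (or, in gateway mode, lets
 *       the request continue anonymously after one round trip to CAS).</li>
 * </ol>
 *
 * <p>Security-relevant configuration: {@code validateUrl} and the authorized proxy list are
 * accepted with an {@code http://} scheme. {@link #init(FilterConfig)} logs a warning when
 * that happens, because a validation response fetched over plain HTTP is not protected in
 * transit; production deployments should use {@code https://}.
 */
public class CASFilter implements Filter {
    public static final String AUTHORIZED_PROXY_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.authorizedProxy";
    private static final String CAS_FILTER_GATEWAYED = "edu.yale.its.tp.cas.client.filter.didGateway";
    private static final String CAS_FILTER_NEEDSSOLOGOUT = "edu.yale.its.tp.cas.client.filter.needSSOLogout";
    public static final String CAS_FILTER_RECEIPT = "edu.yale.its.tp.cas.client.filter.receipt";
    public static final String CAS_FILTER_USER = "edu.yale.its.tp.cas.client.filter.user";
    public static final String GATEWAY_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.gateway";
    public static final String LOGIN_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.loginUrl";
    public static final String PROXY_CALLBACK_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.proxyCallbackUrl";
    public static final String RENEW_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.renew";
    public static final String SERVERNAME_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.serverName";
    public static final String SERVICE_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.serviceUrl";
    public static final String VALIDATE_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.validateUrl";
    public static final String WRAP_REQUESTS_INIT_PARAM = "edu.yale.its.tp.cas.client.filter.wrapRequest";
    private static final Log log = LogFactory.getLog(CASFilter.class);
    private String casLogin;
    private String casProxyCallbackUrl;
    private boolean casRenew;
    private String casServerName;
    private String casServiceUrl;
    private String casValidate;
    private boolean wrapRequest;
    private boolean casGateway = false;
    private boolean needSSOLogout = false;
    // Proxy callback URLs allowed to appear as the proxying service of a proxied receipt.
    // Matched by exact string equality in isReceiptAcceptable().
    private List authorizedProxies = new ArrayList();

    /**
     * Validates the ticket carried by the request against the configured CAS validate URL.
     *
     * @param httpServletRequest request carrying the ticket parameter
     * @return the receipt built from the validation response
     * @throws ServletException if the service identifier cannot be determined
     * @throws CASAuthenticationException declared by {@code CASReceipt.getReceipt}
     */
    private CASReceipt getAuthenticatedUser(HttpServletRequest httpServletRequest) throws ServletException, CASAuthenticationException {
        log.trace("entering getAuthenticatedUser()");
        ProxyTicketValidator proxyTicketValidator = new ProxyTicketValidator();
        proxyTicketValidator.setCasValidateUrl(this.casValidate);
        // NOTE(review): Constants.FLAG_TICKET comes from an unrelated push SDK class and is
        // presumably the decompiler's stand-in for the literal "ticket" - confirm the value.
        proxyTicketValidator.setServiceTicket(httpServletRequest.getParameter(Constants.FLAG_TICKET));
        proxyTicketValidator.setService(getService(httpServletRequest));
        proxyTicketValidator.setRenew(this.casRenew);
        if (this.casProxyCallbackUrl != null) {
            proxyTicketValidator.setProxyCallbackUrl(this.casProxyCallbackUrl);
        }
        if (log.isDebugEnabled()) {
            // NOTE(review): the validator's toString() is not visible here; if it prints the
            // ticket, debug logs will contain it - confirm before enabling debug in production.
            log.debug("about to validate ProxyTicketValidator: [" + proxyTicketValidator + "]");
        }
        return CASReceipt.getReceipt(proxyTicketValidator);
    }

    /**
     * Returns the service identifier sent to CAS for this request.
     *
     * <p>With {@code serviceUrl} configured, the fixed URL is returned URL-encoded; otherwise
     * the value is derived from the request and {@code serverName} by {@code Util.getService}.
     *
     * @param httpServletRequest the current request
     * @return the service identifier
     * @throws ServletException if neither {@code serviceUrl} nor {@code serverName} is configured
     */
    private String getService(HttpServletRequest httpServletRequest) throws ServletException {
        String str;
        log.trace("entering getService()");
        if (this.casServerName == null && this.casServiceUrl == null) {
            throw new ServletException("need one of the following configuration parameters: edu.yale.its.tp.cas.client.filter.serviceUrl or edu.yale.its.tp.cas.client.filter.serverName");
        }
        if (this.casServiceUrl != null) {
            try {
                str = URLEncoder.encode(this.casServiceUrl, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                // Falls back to the raw URL when the encoding is unavailable.
                str = this.casServiceUrl;
            }
        } else {
            // NOTE(review): this value is built from the incoming request; presumably
            // Util.getService encodes it and drops the ticket parameter - verify.
            str = Util.getService(httpServletRequest, this.casServerName);
        }
        if (log.isTraceEnabled()) {
            log.trace("returning from getService() with service [" + str + "]");
        }
        return str;
    }

    /**
     * Applies the filter's policy to a receipt.
     *
     * <p>A receipt is rejected when {@code renew} is configured and the receipt is not a
     * primary authentication, or when it is proxied by a service that is not in the
     * authorized proxy list.
     *
     * @param cASReceipt receipt to evaluate; must not be {@code null}
     * @return {@code true} if the receipt satisfies the policy
     * @throws IllegalArgumentException if {@code cASReceipt} is {@code null}
     */
    private boolean isReceiptAcceptable(CASReceipt cASReceipt) {
        if (cASReceipt == null) {
            throw new IllegalArgumentException("Cannot evaluate a null receipt.");
        }
        if (!this.casRenew || cASReceipt.isPrimaryAuthentication()) {
            return !cASReceipt.isProxied() || this.authorizedProxies.contains(cASReceipt.getProxyingService());
        }
        return false;
    }

    /**
     * Sends the browser to the CAS login URL with the service, renew and gateway parameters.
     *
     * <p>The query string is appended with {@code ?}, so the configured login URL is expected
     * to carry no query string of its own.
     *
     * @param httpServletRequest the current request, used to compute the service identifier
     * @param httpServletResponse response that receives the redirect
     * @throws IOException if the redirect cannot be sent
     * @throws ServletException if the service identifier cannot be determined
     */
    private void redirectToCAS(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        if (log.isTraceEnabled()) {
            log.trace("entering redirectToCAS()");
        }
        String str = this.casLogin + "?service=" + getService(httpServletRequest) + (this.casRenew ? "&renew=true" : "") + (this.casGateway ? "&gateway=true" : "");
        if (log.isDebugEnabled()) {
            log.debug("Redirecting browser to [" + str + ")");
        }
        httpServletResponse.sendRedirect(str);
        if (log.isTraceEnabled()) {
            log.trace("returning from redirectToCAS()");
        }
    }

    /** Releases nothing; the filter holds no resources. */
    public void destroy() {
    }

    /**
     * Authenticates the request through CAS before passing it down the chain.
     *
     * <p>See the class comment for the order of checks. Three branches forward the request
     * without an acceptable receipt: the single sign-out token branch (it continues to the
     * normal checks), the proxy callback branch, and the "previously gatewayed" branch when
     * gateway mode is on or a user attribute is present. Resources behind this filter must not
     * assume a user is set when gateway mode is enabled.
     *
     * @param servletRequest incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse outgoing response; must be an {@link HttpServletResponse}
     * @param filterChain remainder of the filter chain
     * @throws ServletException for non-HTTP traffic, failed or rejected ticket validation,
     *     or missing login URL configuration
     * @throws IOException if the chain or the redirect fails
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (log.isTraceEnabled()) {
            log.trace("entering doFilter()");
        }
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            log.error("doFilter() called on a request or response that was not an HttpServletRequest or response.");
            throw new ServletException("CASFilter protects only HTTP resources");
        }
        if (this.needSSOLogout) {
            // This branch runs before any receipt or ticket check.
            // NOTE(review): a logout request destroys a session without further checks in this
            // class; confirm that isLogoutRequest()/destroySession() authenticate the sender.
            SingleSignOutHandler singleSignOutHandler = SingleSignOutHttpSessionListener.getSingleSignOutHandler();
            if (singleSignOutHandler.isTokenRequest((HttpServletRequest) servletRequest)) {
                singleSignOutHandler.recordSession((HttpServletRequest) servletRequest);
            } else if (singleSignOutHandler.isLogoutRequest((HttpServletRequest) servletRequest)) {
                singleSignOutHandler.destroySession((HttpServletRequest) servletRequest);
                return;
            }
        }
        // Unauthenticated pass-through for the proxy ticket receptor: any request whose URI is a
        // suffix of the configured callback URL and that carries pgtId and pgtIou parameters
        // skips authentication, so the resource mapped there must be safe to expose.
        if (this.casProxyCallbackUrl != null && this.casProxyCallbackUrl.endsWith(((HttpServletRequest) servletRequest).getRequestURI()) && servletRequest.getParameter("pgtId") != null && servletRequest.getParameter("pgtIou") != null) {
            log.trace("passing through what we hope is CAS's request for proxy ticket receptor.");
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (this.wrapRequest) {
            log.trace("Wrapping request with CASFilterRequestWrapper.");
            servletRequest = new CASFilterRequestWrapper((HttpServletRequest) servletRequest);
        }
        // getSession() is called without arguments, so a session always exists from here on.
        HttpSession session = ((HttpServletRequest) servletRequest).getSession();
        CASReceipt cASReceipt = (CASReceipt) session.getAttribute(CAS_FILTER_RECEIPT);
        if (cASReceipt != null && isReceiptAcceptable(cASReceipt)) {
            log.trace("CAS_FILTER_RECEIPT attribute was present and acceptable - passing  request through filter..");
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        String parameter = servletRequest.getParameter(Constants.FLAG_TICKET);
        if (parameter != null && !parameter.equals("")) {
            try {
                CASReceipt authenticatedUser = getAuthenticatedUser((HttpServletRequest) servletRequest);
                if (!isReceiptAcceptable(authenticatedUser)) {
                    // NOTE(review): the receipt is embedded in the exception message; if the
                    // container renders exception text on error pages, its contents reach the
                    // client - confirm what CASReceipt.toString() prints.
                    throw new ServletException("Authentication was technically successful but rejected as a matter of policy. [" + authenticatedUser + "]");
                }
                // The session was already dereferenced above, so no null check is needed here.
                // NOTE(review): the pre-authentication session is reused and its id is not
                // rotated in this class. Unless the container rotates it elsewhere, a session id
                // issued before login stays valid afterwards (session fixation). Any rotation
                // has to be coordinated with SingleSignOutHandler.recordSession(), which may
                // already have recorded this session earlier in the same request.
                session.setAttribute(CAS_FILTER_USER, authenticatedUser.getUserName());
                session.setAttribute(CAS_FILTER_RECEIPT, authenticatedUser);
                session.removeAttribute(CAS_FILTER_GATEWAYED);
                if (log.isTraceEnabled()) {
                    log.trace("validated ticket to get authenticated receipt [" + authenticatedUser + "], now passing request along filter chain.");
                }
                filterChain.doFilter(servletRequest, servletResponse);
                log.trace("returning from doFilter()");
                return;
            } catch (CASAuthenticationException e) {
                log.error(e);
                throw new ServletException(e);
            }
        }
        log.trace("CAS ticket was not present on request.");
        boolean booleanValue = Boolean.valueOf((String) session.getAttribute(CAS_FILTER_GATEWAYED)).booleanValue();
        if (this.casLogin == null) {
            log.fatal("casLogin was not set, so filter cannot redirect request for authentication.");
            throw new ServletException("When CASFilter protects pages that do not receive a 'ticket' parameter, it needs a edu.yale.its.tp.cas.client.filter.loginUrl filter parameter");
        }
        if (!booleanValue) {
            log.trace("Did not previously gateway.  Setting session attribute to true.");
            session.setAttribute(CAS_FILTER_GATEWAYED, "true");
            redirectToCAS((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse);
            return;
        }
        log.trace("Previously gatewayed.");
        // The condition is an OR, although the trace message below says "and": in gateway mode
        // the request continues even when no user attribute is set, and a user attribute alone
        // is enough even though no acceptable receipt was found above.
        if (this.casGateway || session.getAttribute(CAS_FILTER_USER) != null) {
            log.trace("casGateway was true and CAS_FILTER_USER set: passing request along filter chain.");
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            session.setAttribute(CAS_FILTER_GATEWAYED, "true");
            redirectToCAS((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse);
        }
    }

    /**
     * Reads and validates the filter configuration.
     *
     * <p>Requirements enforced here: {@code gateway} and {@code renew} are mutually exclusive;
     * exactly one of {@code serverName} and {@code serviceUrl} is set; {@code serviceUrl},
     * {@code validateUrl} and every authorized proxy start with {@code http://} or
     * {@code https://}. {@code wrapRequest} defaults to {@code true} when absent. The login URL
     * is not validated here; {@code doFilter} fails later if it is missing.
     *
     * <p>A warning is logged for a {@code validateUrl} or authorized proxy that uses
     * {@code http://}; the value is still accepted so that existing configurations keep working.
     *
     * @param filterConfig container-supplied configuration
     * @throws ServletException if any requirement above is violated
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        this.casLogin = filterConfig.getInitParameter(LOGIN_INIT_PARAM);
        this.casValidate = filterConfig.getInitParameter(VALIDATE_INIT_PARAM);
        this.casServiceUrl = filterConfig.getInitParameter(SERVICE_INIT_PARAM);
        String initParameter = filterConfig.getInitParameter(AUTHORIZED_PROXY_INIT_PARAM);
        this.casRenew = Boolean.valueOf(filterConfig.getInitParameter(RENEW_INIT_PARAM)).booleanValue();
        this.casServerName = filterConfig.getInitParameter(SERVERNAME_INIT_PARAM);
        this.casProxyCallbackUrl = filterConfig.getInitParameter(PROXY_CALLBACK_INIT_PARAM);
        if (filterConfig.getInitParameter(WRAP_REQUESTS_INIT_PARAM) == null) {
            this.wrapRequest = true;
        } else {
            this.wrapRequest = Boolean.valueOf(filterConfig.getInitParameter(WRAP_REQUESTS_INIT_PARAM)).booleanValue();
        }
        this.casGateway = Boolean.valueOf(filterConfig.getInitParameter(GATEWAY_INIT_PARAM)).booleanValue();
        this.needSSOLogout = Boolean.valueOf(filterConfig.getInitParameter(CAS_FILTER_NEEDSSOLOGOUT)).booleanValue();
        if (this.casGateway && this.casRenew) {
            throw new ServletException("gateway and renew cannot both be true in filter configuration");
        }
        if (this.casServerName != null && this.casServiceUrl != null) {
            throw new ServletException("serverName and serviceUrl cannot both be set: choose one.");
        }
        if (this.casServerName == null && this.casServiceUrl == null) {
            throw new ServletException("one of serverName or serviceUrl must be set.");
        }
        if (this.casServiceUrl != null && !this.casServiceUrl.startsWith("https://") && !this.casServiceUrl.startsWith("http://")) {
            throw new ServletException("service URL must start with http:// or https://; its current value is [" + this.casServiceUrl + "]");
        }
        if (this.casValidate == null) {
            throw new ServletException("validateUrl parameter must be set.");
        }
        if (!this.casValidate.startsWith("https://") && !this.casValidate.startsWith("http://")) {
            throw new ServletException("validateUrl must start with http:// or https://, its current value is [" + this.casValidate + "]");
        }
        if (this.casValidate.startsWith("http://")) {
            // The validation response decides who the user is; over plain HTTP it is neither
            // authenticated nor integrity-protected.
            log.warn("validateUrl uses plain http:// [" + this.casValidate + "]; ticket validation is not protected in transit, use https:// in production.");
        }
        if (initParameter != null) {
            StringTokenizer stringTokenizer = new StringTokenizer(initParameter);
            while (stringTokenizer.hasMoreTokens()) {
                String nextToken = stringTokenizer.nextToken();
                if (!nextToken.startsWith("https://") && !nextToken.startsWith("http://")) {
                    throw new ServletException("CASFilter initialization parameter for authorized proxies must be a whitespace delimited list of authorized proxies.  Authorized proxies must be (http https) addresses.  This one wasn't: [" + nextToken + "]");
                }
                if (nextToken.startsWith("http://")) {
                    log.warn("authorized proxy [" + nextToken + "] uses plain http://; prefer an https:// proxy callback.");
                }
                this.authorizedProxies.add(nextToken);
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("CASFilter initialized as: [" + toString() + "]");
        }
    }

    /**
     * Describes the current configuration for diagnostics.
     *
     * @return a single-line summary of the configured values; unset optional values are
     *     omitted, while a missing login or validate URL is printed as {@code NULL}
     */
    public String toString() {
        StringBuffer stringBuffer = new StringBuffer();
        stringBuffer.append("[CASFilter:");
        stringBuffer.append(" casGateway=");
        stringBuffer.append(this.casGateway);
        stringBuffer.append(" wrapRequest=");
        stringBuffer.append(this.wrapRequest);
        stringBuffer.append(" casAuthorizedProxies=[");
        stringBuffer.append(this.authorizedProxies);
        stringBuffer.append("]");
        if (this.casLogin != null) {
            stringBuffer.append(" casLogin=[");
            stringBuffer.append(this.casLogin);
            stringBuffer.append("]");
        } else {
            stringBuffer.append(" casLogin=NULL!!!!!");
        }
        if (this.casProxyCallbackUrl != null) {
            stringBuffer.append(" casProxyCallbackUrl=[");
            stringBuffer.append(this.casProxyCallbackUrl);
            stringBuffer.append("]");
        }
        if (this.casRenew) {
            stringBuffer.append(" casRenew=true");
        }
        if (this.casServerName != null) {
            stringBuffer.append(" casServerName=[");
            stringBuffer.append(this.casServerName);
            stringBuffer.append("]");
        }
        if (this.casServiceUrl != null) {
            stringBuffer.append(" casServiceUrl=[");
            stringBuffer.append(this.casServiceUrl);
            stringBuffer.append("]");
        }
        if (this.casValidate != null) {
            stringBuffer.append(" casValidate=[");
            stringBuffer.append(this.casValidate);
            stringBuffer.append("]");
        } else {
            stringBuffer.append(" casValidate=NULL!!!");
        }
        return stringBuffer.toString();
    }
}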
