package org.cloudfoundry.identity.uaa.security.web;

import com.google.common.net.HttpHeaders;
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.http.HttpStatus;
import org.springframework.jmx.export.annotation.ManagedAttribute;
import org.springframework.jmx.export.annotation.ManagedResource;
import org.springframework.security.config.http.PortMappingsBeanDefinitionParser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.RedirectUrlBuilder;
import org.springframework.util.Assert;
import org.springframework.web.util.WebUtils;

@ManagedResource
/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.3.0.2.jar:org/cloudfoundry/identity/uaa/security/web/SecurityFilterChainPostProcessor.class */
public class SecurityFilterChainPostProcessor implements BeanPostProcessor {
    private final Log logger = LogFactory.getLog(getClass());
    private boolean requireHttps = false;
    private List<String> redirectToHttps = Collections.emptyList();
    private List<String> ignore = Collections.emptyList();
    private boolean dumpRequests = false;
    private Map<Class<? extends Exception>, ReasonPhrase> errorMap = new HashMap();
    private Map<FilterPosition, Filter> additionalFilters;

    /* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.3.0.2.jar:org/cloudfoundry/identity/uaa/security/web/SecurityFilterChainPostProcessor$FilterPosition.class */
    public static class FilterPosition {
        private int position = Integer.MAX_VALUE;
        private PLACEMENT placement = PLACEMENT.POSITION;
        private Class<?> clazz;

        /* JADX INFO: Access modifiers changed from: package-private */
        /* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.3.0.2.jar:org/cloudfoundry/identity/uaa/security/web/SecurityFilterChainPostProcessor$FilterPosition$PLACEMENT.class */
        public enum PLACEMENT {
            POSITION,
            BEFORE,
            AFTER
        }

        public void setPosition(int i) {
            this.position = i;
            this.placement = PLACEMENT.POSITION;
        }

        public void setBefore(Class<?> cls) {
            this.clazz = cls;
            this.placement = PLACEMENT.BEFORE;
        }

        public void setAfter(Class<?> cls) {
            this.clazz = cls;
            this.placement = PLACEMENT.AFTER;
        }

        public int getPosition(SecurityFilterChain securityFilterChain) {
            int size = securityFilterChain.getFilters().size();
            if (this.clazz != null) {
                int i = 0;
                Iterator<Filter> it = securityFilterChain.getFilters().iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    if (this.clazz.equals(it.next().getClass())) {
                        size = i;
                        break;
                    }
                    i++;
                }
            }
            switch (this.placement) {
                case POSITION:
                    return this.position;
                case BEFORE:
                    return size;
                case AFTER:
                    return Math.min(securityFilterChain.getFilters().size(), size + 1);
                default:
                    return size;
            }
        }

        public static FilterPosition position(int i) {
            FilterPosition filterPosition = new FilterPosition();
            filterPosition.setPosition(i);
            return filterPosition;
        }

        public static FilterPosition after(Class<?> cls) {
            FilterPosition filterPosition = new FilterPosition();
            filterPosition.setAfter(cls);
            return filterPosition;
        }

        public static FilterPosition before(Class<?> cls) {
            FilterPosition filterPosition = new FilterPosition();
            filterPosition.setBefore(cls);
            return filterPosition;
        }
    }

    /* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.3.0.2.jar:org/cloudfoundry/identity/uaa/security/web/SecurityFilterChainPostProcessor$HttpsEnforcementFilter.class */
    final class HttpsEnforcementFilter extends UaaLoggingFilter {
        private final int httpsPort = 443;
        private final boolean redirect;

        HttpsEnforcementFilter(String str, boolean z) {
            super(str);
            this.httpsPort = 443;
            this.redirect = z;
        }

        @Override // org.cloudfoundry.identity.uaa.security.web.SecurityFilterChainPostProcessor.UaaLoggingFilter
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
            if (httpServletRequest.isSecure() || !SecurityFilterChainPostProcessor.this.requireHttps) {
                if (this.redirect) {
                    httpServletResponse.setHeader(HttpHeaders.STRICT_TRANSPORT_SECURITY, "max-age=31536000");
                }
                super.doFilter(servletRequest, httpServletResponse, filterChain);
                return;
            }
            this.logger.debug("Bad (non-https) request received from: " + httpServletRequest.getRemoteHost());
            if (SecurityFilterChainPostProcessor.this.dumpRequests) {
                this.logger.debug(dumpRequest(httpServletRequest));
            }
            if (!this.redirect) {
                httpServletResponse.setContentType("application/json");
                httpServletResponse.sendError(400, "{\"error\": \"request must be over https\"}");
                return;
            }
            RedirectUrlBuilder redirectUrlBuilder = new RedirectUrlBuilder();
            redirectUrlBuilder.setScheme(PortMappingsBeanDefinitionParser.ATT_HTTPS_PORT);
            redirectUrlBuilder.setPort(443);
            redirectUrlBuilder.setContextPath(httpServletRequest.getContextPath());
            redirectUrlBuilder.setServletPath(httpServletRequest.getServletPath());
            redirectUrlBuilder.setPathInfo(httpServletRequest.getPathInfo());
            redirectUrlBuilder.setQuery(httpServletRequest.getQueryString());
            redirectUrlBuilder.setServerName(httpServletRequest.getServerName());
            String url = redirectUrlBuilder.getUrl();
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Redirecting to " + url);
            }
            httpServletResponse.setHeader("Location", url);
            httpServletResponse.setStatus(301);
        }
    }

    /* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.3.0.2.jar:org/cloudfoundry/identity/uaa/security/web/SecurityFilterChainPostProcessor$ReasonPhrase.class */
    public static class ReasonPhrase {
        private int code;
        private String phrase;

        public ReasonPhrase(int i, String str) {
            this.code = i;
            this.phrase = str;
        }

        public int getCode() {
            return this.code;
        }

        public String getPhrase() {
            return this.phrase;
        }
    }

    /* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.3.0.2.jar:org/cloudfoundry/identity/uaa/security/web/SecurityFilterChainPostProcessor$UaaLoggingFilter.class */
    class UaaLoggingFilter implements Filter {
        final Log logger = LogFactory.getLog(getClass());
        protected final String name;

        UaaLoggingFilter(String str) {
            this.name = str;
        }

        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Filter chain '" + this.name + "' processing request " + httpServletRequest.getMethod() + " " + httpServletRequest.getRequestURI());
                if (SecurityFilterChainPostProcessor.this.dumpRequests) {
                    this.logger.debug(dumpRequest(httpServletRequest));
                }
            }
            try {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
            } catch (Exception e) {
                this.logger.error("Uncaught Exception:", e);
                if (servletRequest.getAttribute(WebUtils.ERROR_EXCEPTION_ATTRIBUTE) == null) {
                    servletRequest.setAttribute(WebUtils.ERROR_EXCEPTION_ATTRIBUTE, e);
                }
                ReasonPhrase reasonPhrase = SecurityFilterChainPostProcessor.this.getErrorMap().get(e.getClass());
                if (null == reasonPhrase) {
                    Iterator<Class<? extends Exception>> it = SecurityFilterChainPostProcessor.this.getErrorMap().keySet().iterator();
                    while (true) {
                        if (!it.hasNext()) {
                            break;
                        }
                        Class<? extends Exception> next = it.next();
                        if (next.isAssignableFrom(e.getClass())) {
                            reasonPhrase = SecurityFilterChainPostProcessor.this.getErrorMap().get(next);
                            break;
                        }
                    }
                    if (null == reasonPhrase) {
                        reasonPhrase = new ReasonPhrase(HttpStatus.INTERNAL_SERVER_ERROR.value(), HttpStatus.INTERNAL_SERVER_ERROR.getReasonPhrase());
                    }
                }
                httpServletResponse.sendError(reasonPhrase.getCode(), reasonPhrase.getPhrase());
            }
        }

        protected final String dumpRequest(HttpServletRequest httpServletRequest) {
            StringBuilder sb = new StringBuilder(256);
            sb.append("\n    ").append(httpServletRequest.getMethod()).append(" ").append(httpServletRequest.getRequestURI()).append("\n");
            Enumeration headerNames = httpServletRequest.getHeaderNames();
            while (headerNames.hasMoreElements()) {
                String str = (String) headerNames.nextElement();
                Enumeration headers = httpServletRequest.getHeaders(str);
                while (headers.hasMoreElements()) {
                    sb.append("    ").append(str).append(": ").append((String) headers.nextElement()).append("\n");
                }
            }
            return sb.toString();
        }

        public void init(FilterConfig filterConfig) throws ServletException {
        }

        public void destroy() {
        }
    }

    public void setErrorMap(Map<Class<? extends Exception>, ReasonPhrase> map) {
        this.errorMap = map;
    }

    public Map<Class<? extends Exception>, ReasonPhrase> getErrorMap() {
        return this.errorMap;
    }

    @Override // org.springframework.beans.factory.config.BeanPostProcessor
    public Object postProcessAfterInitialization(Object obj, String str) throws BeansException {
        if ((obj instanceof SecurityFilterChain) && !this.ignore.contains(str)) {
            this.logger.info("Processing security filter chain " + str);
            SecurityFilterChain securityFilterChain = (SecurityFilterChain) obj;
            securityFilterChain.getFilters().add(0, new HttpsEnforcementFilter(str, this.redirectToHttps.contains(str)));
            if (this.additionalFilters != null) {
                for (Map.Entry<FilterPosition, Filter> entry : this.additionalFilters.entrySet()) {
                    int position = entry.getKey().getPosition(securityFilterChain);
                    if (position > securityFilterChain.getFilters().size()) {
                        securityFilterChain.getFilters().add(entry.getValue());
                    } else {
                        securityFilterChain.getFilters().add(position, entry.getValue());
                    }
                }
            }
        }
        return obj;
    }

    @Override // org.springframework.beans.factory.config.BeanPostProcessor
    public Object postProcessBeforeInitialization(Object obj, String str) throws BeansException {
        return obj;
    }

    public void setRequireHttps(boolean z) {
        this.requireHttps = z;
    }

    public boolean isRequireHttps() {
        return this.requireHttps;
    }

    @ManagedAttribute(description = "Enable dumping of incoming requests to the debug log")
    public void setDumpRequests(boolean z) {
        this.dumpRequests = z;
    }

    public void setRedirectToHttps(List<String> list) {
        Assert.notNull(list);
        this.redirectToHttps = list;
    }

    public void setIgnore(List<String> list) {
        Assert.notNull(list);
        this.ignore = list;
    }

    public void setAdditionalFilters(Map<FilterPosition, Filter> map) {
        this.additionalFilters = map;
    }
}
