package nl.nn.adapterframework.webcontrol;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import nl.nn.adapterframework.util.AppConstants;
import nl.nn.adapterframework.util.FileUtils;
import nl.nn.adapterframework.util.LogUtil;
import nl.nn.adapterframework.util.Misc;
import nl.nn.ibistesttool.LoggerProvider;
import org.apache.commons.codec.binary.Base64;
import org.apache.log4j.Logger;
import org.springframework.beans.factory.xml.BeanDefinitionParserDelegate;

/* loaded from: input_file:WEB-INF/lib/ibis-adapterframework-core-7.2.jar:nl/nn/adapterframework/webcontrol/LoginFilter.class */
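/**
 * Servlet filter that gates the web console on an LDAP-based login.
 *
 * <p>The behaviour is selected by the {@code ldap.auth.mode} property:
 * <ul>
 *   <li>{@code None}: every request is passed through untouched.</li>
 *   <li>{@code Simple}: only paths listed in the {@code allowedObserverPaths} init
 *       parameter (or ending in an {@code allowedExtentions} extension) are served;
 *       no credentials are asked.</li>
 *   <li>{@code Basic}: as {@code Simple}, plus the caller must present HTTP Basic
 *       credentials that bind successfully against {@code ldap.auth.url}.</li>
 *   <li>{@code Full}: as {@code Basic}, plus the bound user must be a {@code member}
 *       of the observer / data-admin / tester group configured for the requested path.</li>
 * </ul>
 *
 * <p>Denials for a path that is not allow-listed are answered with 403; missing or
 * rejected credentials are answered with 401 and a {@code WWW-Authenticate} challenge.
 */
public class LoginFilter implements Filter {
    protected static final String LDAP_AUTH_MODE_NONE_STR = "None";
    protected static final String LDAP_AUTH_MODE_SIMPLE_STR = "Simple";
    protected static final String LDAP_AUTH_MODE_BASIC_STR = "Basic";
    protected static final String LDAP_AUTH_MODE_FULL_STR = "Full";
    protected static final int LDAP_AUTH_MODE_NONE = 0;
    protected static final int LDAP_AUTH_MODE_SIMPLE = 1;
    protected static final int LDAP_AUTH_MODE_BASIC = 2;
    protected static final int LDAP_AUTH_MODE_FULL = 3;
    protected static final String AUTH_PATH_MODE_OBSERVER = "Observer";
    protected static final String AUTH_PATH_MODE_DATAADMIN = "DataAdmin";
    protected static final String AUTH_PATH_MODE_TESTER = "Tester";
    /** Mode names, index-aligned with {@link #ldapAuthModeNums}. */
    protected static final String[] ldapAuthModes = {
        LDAP_AUTH_MODE_NONE_STR, LDAP_AUTH_MODE_SIMPLE_STR, LDAP_AUTH_MODE_BASIC_STR, LDAP_AUTH_MODE_FULL_STR
    };
    protected static final int[] ldapAuthModeNums = {
        LDAP_AUTH_MODE_NONE, LDAP_AUTH_MODE_SIMPLE, LDAP_AUTH_MODE_BASIC, LDAP_AUTH_MODE_FULL
    };

    /** Scheme prefix of an HTTP Basic {@code Authorization} header, including the separating space. */
    private static final String BASIC_PREFIX = "Basic ";
    /** JNDI environment key for the socket factory used on the TLS retry (no {@link Context} constant exists). */
    private static final String LDAP_SOCKET_FACTORY_KEY = "java.naming.ldap.factory.socket";
    /** Group attribute that lists member DNs. */
    private static final String MEMBER_ATTRIBUTE = "member";

    protected Logger log = LogUtil.getLogger(this);
    protected String otapStage;
    protected String instanceName;
    // One of the LDAP_AUTH_MODE_* ints; resolved in init().
    protected int ldapAuthModeNum;
    protected String ldapAuthUrl;
    // Template for the bind DN; "%UID%" is replaced by the presented username.
    protected String ldapAuthUserBase;
    protected String ldapAuthObserverBase;
    protected String ldapAuthDataAdminBase;
    protected String ldapAuthTesterBase;
    protected final List<String> allowedExtentions = new ArrayList<String>();
    protected final List<String> allowedObserverPaths = new ArrayList<String>();
    protected final List<String> allowedDataAdminPaths = new ArrayList<String>();
    protected final List<String> allowedTesterPaths = new ArrayList<String>();

    /**
     * Reads the authentication mode and, depending on it, the allow-lists and LDAP settings.
     *
     * @param filterConfig source of the whitespace-separated {@code allowedExtentions},
     *                     {@code allowedObserverPaths}, {@code allowedDataAdminPaths} and
     *                     {@code allowedTesterPaths} init parameters
     * @throws ServletException when a property the selected mode requires is missing
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        AppConstants appConstants = AppConstants.getInstance();
        this.otapStage = appConstants.getResolvedProperty("otap.stage");
        this.instanceName = appConstants.getResolvedProperty(LoggerProvider.IBIS_INSTANCE_NAME_PROPERTY_KEY);

        String ldapAuthMode = appConstants.getString("ldap.auth.mode", LDAP_AUTH_MODE_NONE_STR);
        this.ldapAuthModeNum = getLdapAuthModeNum(ldapAuthMode);
        if (this.ldapAuthModeNum < 0) {
            this.log.warn("Unknown ldapAuthMode [" + ldapAuthMode + "], will use [None]");
            this.ldapAuthModeNum = LDAP_AUTH_MODE_NONE;
        }
        if (this.ldapAuthModeNum < LDAP_AUTH_MODE_SIMPLE) {
            return;
        }

        addTokens(this.allowedExtentions, filterConfig.getInitParameter("allowedExtentions"));
        addTokens(this.allowedObserverPaths, filterConfig.getInitParameter("allowedObserverPaths"));
        addTokens(this.allowedDataAdminPaths, filterConfig.getInitParameter("allowedDataAdminPaths"));
        addTokens(this.allowedTesterPaths, filterConfig.getInitParameter("allowedTesterPaths"));
        if (this.ldapAuthModeNum < LDAP_AUTH_MODE_BASIC) {
            return;
        }

        this.ldapAuthUrl = appConstants.getResolvedProperty("ldap.auth.url");
        if (this.ldapAuthUrl == null && this.otapStage != null) {
            // Stage-specific fallback, e.g. ldap.auth.<stage>.url; Locale.ROOT keeps the key
            // independent of the JVM's default locale.
            this.ldapAuthUrl = appConstants.getResolvedProperty(
                    "ldap.auth." + this.otapStage.toLowerCase(Locale.ROOT) + ".url");
        }
        // Fail at startup rather than rejecting every login later with a NullPointerException
        // from the JNDI environment.
        if (this.ldapAuthUrl == null) {
            throw new ServletException("property [ldap.auth.url] should be set");
        }
        this.ldapAuthUserBase = appConstants.getResolvedProperty("ldap.auth.user.base");
        if (this.ldapAuthUserBase == null) {
            throw new ServletException("property [ldap.auth.user.base] should be set");
        }
        if (this.ldapAuthModeNum < LDAP_AUTH_MODE_FULL) {
            return;
        }

        this.ldapAuthObserverBase = appConstants.getResolvedProperty("ldap.auth.observer.base");
        if (this.ldapAuthObserverBase == null) {
            throw new ServletException("property [ldap.auth.observer.base] should be set");
        }
        this.ldapAuthDataAdminBase = appConstants.getResolvedProperty("ldap.auth.dataadmin.base");
        if (this.ldapAuthDataAdminBase == null) {
            throw new ServletException("property [ldap.auth.dataadmin.base] should be set");
        }
        this.ldapAuthTesterBase = appConstants.getResolvedProperty("ldap.auth.tester.base");
        if (this.ldapAuthTesterBase == null) {
            throw new ServletException("property [ldap.auth.tester.base] should be set");
        }
    }

    /**
     * Splits a whitespace-separated init parameter into {@code target}, skipping empty tokens.
     *
     * @param target list to append to
     * @param value  raw parameter value; {@code null} adds nothing
     */
    private static void addTokens(List<String> target, String value) {
        if (value == null) {
            return;
        }
        for (String token : value.trim().split("\\s+")) {
            if (!token.isEmpty()) {
                target.add(token);
            }
        }
    }

    /**
     * Applies the configured mode to one request.
     *
     * <p>Requests whose path has an allowed extension, or whose servlet path is
     * {@code /rest-public}, always pass. For {@code /rest} the path is truncated to
     * {@code /rest} plus its first path-info segment so allow-lists can name a resource.
     *
     * @throws IOException      from the filter chain or the response writer
     * @throws ServletException from the filter chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (this.ldapAuthModeNum < LDAP_AUTH_MODE_SIMPLE) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        String path = request.getServletPath();
        if (hasAllowedExtension(path) || "/rest-public".equals(path)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        path = restResourcePath(path, request.getPathInfo());

        // Observer paths are honoured in every active mode; data-admin and tester paths
        // only exist in Full mode, where the group check distinguishes them. When a path is
        // in several lists the observer role wins.
        boolean observerPath = isAllowedPath(path, this.allowedObserverPaths);
        boolean dataAdminPath = false;
        boolean testerPath = false;
        String authPathMode = null;
        if (this.ldapAuthModeNum >= LDAP_AUTH_MODE_FULL) {
            dataAdminPath = isAllowedPath(path, this.allowedDataAdminPaths);
            testerPath = isAllowedPath(path, this.allowedTesterPaths);
            if (observerPath) {
                authPathMode = AUTH_PATH_MODE_OBSERVER;
            } else if (dataAdminPath) {
                authPathMode = AUTH_PATH_MODE_DATAADMIN;
            } else if (testerPath) {
                authPathMode = AUTH_PATH_MODE_TESTER;
            }
        }
        if (!observerPath && !dataAdminPath && !testerPath) {
            // A denial must not look like a successful page to clients and proxies.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            writeNotAllowed(response, path);
            return;
        }

        if (this.ldapAuthModeNum < LDAP_AUTH_MODE_BASIC) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (askUsername(request, response, authPathMode) == null) {
            // askUsername has already set 401 and the WWW-Authenticate challenge.
            writeNotAllowed(response, path);
            return;
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Reduces {@code /rest} requests to {@code /rest/<first segment>}; other paths are returned as-is.
     */
    private static String restResourcePath(String servletPath, String pathInfo) {
        if (!"/rest".equals(servletPath) || pathInfo == null) {
            return servletPath;
        }
        String fullPath = servletPath + pathInfo;
        int cut = ordinalIndexOf(fullPath, "/", 2);
        return cut > 0 ? fullPath.substring(0, cut) : fullPath;
    }

    /**
     * Writes the "Not Allowed" body. The path comes from the request (including path info)
     * and is escaped so it cannot inject markup into the response.
     */
    private static void writeNotAllowed(HttpServletResponse response, String path) throws IOException {
        response.setContentType("text/html;charset=UTF-8");
        response.getWriter().write("<html>Not Allowed (" + escapeHtml(path) + ")</html>");
    }

    /** Minimal HTML escaping for text placed in an element body or attribute. */
    private static String escapeHtml(String text) {
        if (text == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '&':
                    sb.append("&amp;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '\'':
                    sb.append("&#39;");
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    /** @return whether {@code path} ends in one of the configured extensions (case-insensitive). */
    private boolean hasAllowedExtension(String path) {
        for (String extension : this.allowedExtentions) {
            if (FileUtils.extensionEqualsIgnoreCase(path, extension)) {
                return true;
            }
        }
        return false;
    }

    /** @return whether {@code path} is exactly one of the entries in {@code allowedPaths}. */
    private boolean isAllowedPath(String path, List<String> allowedPaths) {
        return allowedPaths.contains(path);
    }

    /**
     * Extracts and verifies HTTP Basic credentials from the {@code Authorization} header.
     *
     * <p>On any failure (no header, wrong scheme, malformed credential, rejected login) the
     * response gets a {@code WWW-Authenticate} challenge for this instance and status 401.
     *
     * @param authPathMode the AUTH_PATH_MODE_* role required for the requested path, or
     *                     {@code null} when a successful bind is enough
     * @return the authenticated username, or {@code null} when authentication failed
     */
    private String askUsername(HttpServletRequest request, HttpServletResponse response, String authPathMode) {
        String username = null;
        String header = request.getHeader("Authorization");
        if (header == null) {
            this.log.debug("no Authorization header found yet, getting credentials");
        } else if (!header.regionMatches(true, 0, BASIC_PREFIX, 0, BASIC_PREFIX.length())) {
            this.log.debug("Authorization header does not use the Basic scheme");
        } else {
            // Basic credentials are "user:password", base64-encoded; RFC 7617 leaves the charset
            // open, UTF-8 is the interoperable choice and avoids the platform default.
            byte[] decodedBytes = Base64.decodeBase64(header.substring(BASIC_PREFIX.length()));
            String decoded = new String(decodedBytes, StandardCharsets.UTF_8);
            int separator = decoded.indexOf(':');
            if (separator > 0) {
                String candidate = decoded.substring(0, separator);
                if (checkUsernamePassword(candidate, decoded.substring(separator + 1), authPathMode)) {
                    username = candidate;
                }
            } else {
                this.log.debug("Authorization header does not contain a well-formed user:password credential");
            }
        }
        if (username == null) {
            response.setHeader("WWW-Authenticate", "BASIC realm=\"" + this.instanceName + "\"");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
        return username;
    }

    /**
     * Binds to the directory as the user and, in Full mode, checks group membership.
     *
     * <p>Observer paths accept members of the observer group or the data-admin group;
     * data-admin and tester paths accept only their own group.
     *
     * @param username     value substituted for {@code %UID%} in {@code ldap.auth.user.base}
     * @param password     bind password
     * @param authPathMode required AUTH_PATH_MODE_* role, or {@code null} for bind-only
     * @return {@code true} when the bind succeeds and the required membership (if any) holds
     */
    private boolean checkUsernamePassword(String username, String password, String authPathMode) {
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            // A simple bind with an empty password is an unauthenticated bind (RFC 4513 section
            // 5.1.2), which many directories accept; refusing it here keeps it from counting as a login.
            this.log.debug("empty username or password, rejecting");
            return false;
        }
        String principal = Misc.replace(this.ldapAuthUserBase, "%UID%", username);
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, this.ldapAuthUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            ctx = bind(env);
            if (authPathMode == null) {
                return true;
            }
            if (AUTH_PATH_MODE_OBSERVER.equals(authPathMode)) {
                return isMemberOf(ctx, principal, this.ldapAuthObserverBase)
                        || isMemberOf(ctx, principal, this.ldapAuthDataAdminBase);
            }
            if (AUTH_PATH_MODE_DATAADMIN.equals(authPathMode)) {
                return isMemberOf(ctx, principal, this.ldapAuthDataAdminBase);
            }
            if (AUTH_PATH_MODE_TESTER.equals(authPathMode)) {
                return isMemberOf(ctx, principal, this.ldapAuthTesterBase);
            }
            return false;
        } catch (AuthenticationException e) {
            // Wrong credentials: log for audit, but no stack trace and never the password.
            this.log.info("LDAP authentication failed for user [" + username + "]");
            return false;
        } catch (Exception e) {
            this.log.warn("LoginFilter caught Exception", e);
            return false;
        } finally {
            closeQuietly(ctx);
        }
    }

    /**
     * Opens the directory context, retrying once with {@link DummySSLSocketFactory} when the
     * first attempt fails with a {@link CommunicationException}.
     *
     * <p>NOTE(review): the factory's name suggests it relaxes TLS certificate checks — confirm.
     * If so, any connection-level failure silently downgrades the bind to an unverified
     * connection; consider making the retry opt-in via configuration.
     */
    private DirContext bind(Hashtable<String, String> env) throws NamingException {
        try {
            return new InitialDirContext(env);
        } catch (CommunicationException e) {
            this.log.info("cannot create constructor for DirContext (" + e.getMessage()
                    + "], will try again with dummy SocketFactory");
            env.put(LDAP_SOCKET_FACTORY_KEY, DummySSLSocketFactory.class.getName());
            return new InitialLdapContext(env, (Control[]) null);
        }
    }

    /** Closes {@code ctx} if non-null, logging instead of propagating any failure. */
    private void closeQuietly(DirContext ctx) {
        if (ctx == null) {
            return;
        }
        try {
            ctx.close();
        } catch (Exception e) {
            this.log.warn("LoginFilter caught Exception", e);
        }
    }

    /**
     * Checks whether {@code principalDn} appears (case-insensitively) in the {@code member}
     * attribute of the group entry {@code groupDn}.
     *
     * @return {@code false} when the group has no {@code member} attribute or no matching value
     * @throws NamingException when the group entry cannot be read
     */
    private boolean isMemberOf(DirContext ctx, String principalDn, String groupDn) throws NamingException {
        Attribute members = ctx.getAttributes(groupDn, new String[] {MEMBER_ATTRIBUTE}).get(MEMBER_ATTRIBUTE);
        if (members == null) {
            return false;
        }
        for (int i = 0; i < members.size(); i++) {
            if (principalDn.equalsIgnoreCase(String.valueOf(members.get(i)))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Maps a mode name (case-insensitive) to its LDAP_AUTH_MODE_* number.
     *
     * @return the mode number, or {@code -1} when the name is unknown or {@code null}
     */
    private static int getLdapAuthModeNum(String ldapAuthMode) {
        for (int i = ldapAuthModes.length - 1; i >= 0; i--) {
            if (ldapAuthModes[i].equalsIgnoreCase(ldapAuthMode)) {
                return ldapAuthModeNums[i];
            }
        }
        return -1;
    }

    /**
     * Finds the occurrence of {@code searchStr} with zero-based ordinal {@code ordinal},
     * i.e. {@code ordinal == 0} is the first occurrence, {@code ordinal == 2} the third.
     *
     * @return the index of that occurrence, or {@code -1} when there are not enough occurrences
     */
    private static int ordinalIndexOf(String str, String searchStr, int ordinal) {
        int pos = str.indexOf(searchStr, 0);
        while (ordinal-- > 0 && pos != -1) {
            pos = str.indexOf(searchStr, pos + 1);
        }
        return pos;
    }

    @Override
    public void destroy() {
        // Nothing to release: the filter holds no connections between requests.
    }
}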
