package org.geoserver.security.cas;

import java.io.IOException;
import java.net.URLEncoder;
import java.util.logging.Level;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.geoserver.platform.GeoServerExtensions;
import org.geoserver.security.config.SecurityNamedServiceConfig;
import org.geoserver.security.filter.GeoServerPreAuthenticatedUserNameFilter;
import org.jasig.cas.client.configuration.ConfigurationKeys;
import org.jasig.cas.client.proxy.ProxyGrantingTicketStorage;
import org.jasig.cas.client.session.SingleSignOutHandler;
import org.jasig.cas.client.util.CommonUtils;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.Cas20ProxyTicketValidator;
import org.jasig.cas.client.validation.TicketValidationException;
import org.springframework.security.cas.ServiceProperties;
import org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/geoserver/security/cas/GeoServerCasAuthenticationFilter.class */
/**
 * Pre-authentication filter that logs a user in from a CAS ticket carried on the request.
 *
 * <p>The filter does three things that are visible in this class:
 * <ul>
 *   <li>validates a service or proxy ticket against the configured CAS server and uses the
 *       resulting assertion's principal name as the pre-authenticated user name;</li>
 *   <li>treats a POST carrying the CAS logout parameter as a single-sign-out call and, when
 *       single sign-out is enabled, runs the {@code webLogout} chain and hands the request to
 *       the {@link SingleSignOutHandler};</li>
 *   <li>as a {@link LogoutHandler}, publishes the CAS logout URL as the logout redirect.</li>
 * </ul>
 *
 * <p>{@code LOGGER}, {@code aep}, {@code getSecurityManager()} and {@code getName()} are
 * inherited; their definitions are not part of this file.
 */
public class GeoServerCasAuthenticationFilter extends GeoServerPreAuthenticatedUserNameFilter implements LogoutHandler {
    // Ticket validator built in initializeFromConfig from the CAS server URL prefix.
    protected Cas20ProxyTicketValidator validator;
    protected ServiceAuthenticationDetailsSource casAuthenticationDetailsSource;
    // CAS logout endpoint, optionally suffixed with an encoded "?url=" return address.
    protected String casLogoutURL;
    // Not assigned anywhere in this class; the configured value is read straight from the config.
    protected String urlInCasLogoutPage;
    // When false, single-sign-out POSTs are logged and dropped, and sessions are not recorded.
    protected boolean singleSignOut;
    protected ProxyGrantingTicketStorage pgtStorageFilter;
    // Guards the one-time SingleSignOutHandler.init() call in getHandler().
    // NOTE(review): plain static flag, read and written without synchronization or volatile;
    // whether a repeated or concurrent init() is harmless depends on the handler — confirm.
    protected static boolean handlerInitialized = false;

    /**
     * Creates the filter around the storage used for proxy granting tickets.
     *
     * @param proxyGrantingTicketStorage storage later handed to the ticket validator
     */
    public GeoServerCasAuthenticationFilter(ProxyGrantingTicketStorage proxyGrantingTicketStorage) {
        this.pgtStorageFilter = proxyGrantingTicketStorage;
    }

    /**
     * Configures the validator, logout URL, single-sign-out switch and entry point.
     *
     * @param securityNamedServiceConfig must be a {@link CasAuthenticationFilterConfig}; it is
     *     cast without a type check
     * @throws IOException declared by the overridden method and by the URL encoding call
     */
    public void initializeFromConfig(SecurityNamedServiceConfig securityNamedServiceConfig) throws IOException {
        super.initializeFromConfig(securityNamedServiceConfig);
        CasAuthenticationFilterConfig casConfig = (CasAuthenticationFilterConfig) securityNamedServiceConfig;

        ServiceProperties props = new ServiceProperties();
        props.setSendRenew(casConfig.isSendRenew());
        this.casAuthenticationDetailsSource = new ServiceAuthenticationDetailsSource(props, GeoServerCasConstants.ARTIFACT_PARAMETER);

        Cas20ProxyTicketValidator ticketValidator = new Cas20ProxyTicketValidator(casConfig.getCasServerUrlPrefix());
        this.validator = ticketValidator;
        // NOTE(review): proxy tickets are accepted whatever proxy chain produced them. A
        // deployment that knows its proxies can narrow this with the validator's
        // allowed-proxy-chains setting instead — confirm that "any proxy" is intended.
        ticketValidator.setAcceptAnyProxy(true);
        ticketValidator.setProxyGrantingTicketStorage(this.pgtStorageFilter);
        ticketValidator.setRenew(casConfig.isSendRenew());
        if (StringUtils.hasLength(casConfig.getProxyCallbackUrlPrefix())) {
            ticketValidator.setProxyCallbackUrl(GeoServerCasConstants.createProxyCallBackURl(casConfig.getProxyCallbackUrlPrefix()));
        }

        this.casLogoutURL = GeoServerCasConstants.createCasURl(casConfig.getCasServerUrlPrefix(), GeoServerCasConstants.LOGOUT_URI);
        if (StringUtils.hasLength(casConfig.getUrlInCasLogoutPage())) {
            // The return address comes from configuration and is percent-encoded before use.
            this.casLogoutURL = this.casLogoutURL + "?url=" + URLEncoder.encode(casConfig.getUrlInCasLogoutPage(), "utf-8");
        }

        this.singleSignOut = casConfig.isSingleSignOut();
        this.aep = new GeoServerCasAuthenticationEntryPoint(casConfig);
    }

    /**
     * Validates the ticket on the request, if there is one.
     *
     * <p>A value is only sent to the validator when it starts with the proxy-ticket or the
     * service-ticket prefix; anything else is treated as "no ticket".
     *
     * @param httpServletRequest the incoming request
     * @return the CAS assertion, or {@code null} when no usable ticket is present or
     *     validation fails
     */
    protected Assertion getCASAssertion(HttpServletRequest httpServletRequest) {
        String ticket = httpServletRequest.getParameter(GeoServerCasConstants.ARTIFACT_PARAMETER);
        boolean hasTicketPrefix = ticket != null
                && (ticket.startsWith(GeoServerCasConstants.PROXY_TICKET_PREFIX)
                        || ticket.startsWith(GeoServerCasConstants.SERVICE_TICKET_PREFIX));
        if (!hasTicketPrefix) {
            return null;
        }
        try {
            return this.validator.validate(ticket, retrieveService(httpServletRequest));
        } catch (TicketValidationException e) {
            // Fails closed: a rejected ticket yields no assertion and therefore no principal.
            // NOTE(review): only the message is logged, without the stack trace; the text is
            // produced by the CAS client and may echo request-derived content — confirm.
            LOGGER.warning(e.getMessage());
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Rebuilds the service URL that the ticket is validated against.
     *
     * <p>The base is the {@code PROXY_BASE_URL} property when it is set, otherwise the URL of
     * the request itself. The original query string is appended with the ticket parameter and
     * the CAS redirect marker filtered out; matching is done on the raw (undecoded) parameter
     * name after trimming.
     *
     * <p>NOTE(review): without {@code PROXY_BASE_URL} the base is taken from the request, so
     * it follows whatever host and scheme the container reports. Ticket validation ties a
     * ticket to its service URL, which presumably makes it worth pinning the host at the
     * proxy/container or setting {@code PROXY_BASE_URL} — verify against the deployment.
     *
     * @param httpServletRequest the incoming request
     * @return the service URL used for ticket validation
     */
    public static String retrieveService(HttpServletRequest httpServletRequest) {
        String proxyBaseUrl = GeoServerExtensions.getProperty("PROXY_BASE_URL");
        StringBuilder service = new StringBuilder(
                StringUtils.hasLength(proxyBaseUrl) ? proxyBaseUrl : httpServletRequest.getRequestURL().toString());

        if (StringUtils.hasLength(httpServletRequest.getQueryString())) {
            String separator = "?";
            for (String pair : httpServletRequest.getQueryString().split("&")) {
                String[] nameAndValue = pair.split("=");
                if (nameAndValue.length == 0) {
                    // A pair made only of '=' characters splits to nothing; skip it.
                    continue;
                }
                String rawName = nameAndValue[0];
                if (GeoServerCasConstants.ARTIFACT_PARAMETER.equals(rawName.trim())
                        || GeoServerCasAuthenticationEntryPoint.CAS_REDIRECT.equals(rawName.trim())) {
                    continue;
                }
                service.append(separator);
                separator = "&";
                service.append(pair);
            }
        }

        String serviceUrl = service.toString();
        if (LOGGER.isLoggable(Level.FINE)) {
            // The logged URL carries the remaining request query string verbatim.
            LOGGER.fine("CAS Service URL: " + serviceUrl);
        }
        return serviceUrl;
    }

    /**
     * Resolves the principal through the superclass and moves the CAS assertion from the
     * request to the HTTP session.
     *
     * <p>The assertion attribute is always removed from the request when no principal was
     * found. When a principal was found it is moved only if a session already exists
     * ({@code getSession(false)} never creates one); the request is then passed to the
     * single-sign-out handler with a {@code null} response.
     *
     * @param httpServletRequest the incoming request
     * @return the principal returned by the superclass, possibly {@code null}
     */
    protected String getPreAuthenticatedPrincipal(HttpServletRequest httpServletRequest) {
        String principal = super.getPreAuthenticatedPrincipal(httpServletRequest);
        HttpSession existingSession = httpServletRequest.getSession(false);

        if (principal == null) {
            httpServletRequest.removeAttribute(GeoServerCasConstants.CAS_ASSERTION_KEY);
            return principal;
        }
        if (existingSession != null) {
            Object assertion = httpServletRequest.getAttribute(GeoServerCasConstants.CAS_ASSERTION_KEY);
            existingSession.setAttribute(GeoServerCasConstants.CAS_ASSERTION_KEY, assertion);
            httpServletRequest.removeAttribute(GeoServerCasConstants.CAS_ASSERTION_KEY);
            getHandler().process(httpServletRequest, (HttpServletResponse) null);
        }
        return principal;
    }

    /**
     * Derives the user name from a validated CAS assertion and parks the assertion on the
     * request under {@code CAS_ASSERTION_KEY}.
     *
     * @param httpServletRequest the incoming request
     * @return the assertion's principal name, or {@code null} when there is no valid assertion
     */
    protected String getPreAuthenticatedPrincipalName(HttpServletRequest httpServletRequest) {
        Assertion assertion = getCASAssertion(httpServletRequest);
        if (assertion != null) {
            httpServletRequest.setAttribute(GeoServerCasConstants.CAS_ASSERTION_KEY, assertion);
            return assertion.getPrincipal().getName();
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Looks up the shared {@link SingleSignOutHandler} bean and initializes it on first use.
     *
     * @return the handler bean obtained from {@link GeoServerExtensions}
     */
    public static SingleSignOutHandler getHandler() {
        SingleSignOutHandler sharedHandler = (SingleSignOutHandler) GeoServerExtensions.bean(SingleSignOutHandler.class);
        if (handlerInitialized) {
            return sharedHandler;
        }
        sharedHandler.init();
        handlerInitialized = true;
        return sharedHandler;
    }

    /**
     * Handles CAS single-sign-out calls, otherwise delegates to the superclass and records
     * the session for a later sign-out.
     *
     * <p>A request recognised by {@link #isLogoutRequest} never reaches the rest of the filter
     * chain: with single sign-out disabled it is logged and dropped, with it enabled the
     * {@code webLogout} chain runs and the handler processes the request.
     *
     * <p>NOTE(review): nothing in this method checks who sent the logout POST; any such check
     * would have to live in the handler or in front of this filter — confirm.
     *
     * @param servletRequest the request, cast to {@link HttpServletRequest} without a check
     * @param servletResponse the response, cast to {@link HttpServletResponse} without a check
     * @param filterChain the remaining chain, passed to the superclass
     * @throws IOException propagated from the superclass filter
     * @throws ServletException propagated from the superclass filter
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        SingleSignOutHandler signOutHandler = getHandler();

        if (isLogoutRequest(request)) {
            if (this.singleSignOut) {
                LOGGER.info("Single Sign Out received from CAS server --> starting log out");
                getSecurityManager().getSecurityConfig().getFilterChain().getRequestChainByName("webLogout").doLogout(getSecurityManager(), request, response, new String[]{getName()});
                signOutHandler.process(request, response);
            } else {
                LOGGER.info("Single Sign Out received from CAS server --> ignoring");
            }
            return;
        }

        super.doFilter(servletRequest, servletResponse, filterChain);

        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            return;
        }
        HttpSession session = request.getSession(false);
        if (session == null) {
            return;
        }
        if (session.getAttribute(GeoServerCasConstants.CAS_ASSERTION_KEY) == null || !this.singleSignOut) {
            return;
        }

        // Only sessions that carry a CAS assertion are registered with the sign-out handler.
        signOutHandler.process(request, response);
        if (LOGGER.isLoggable(Level.INFO)) {
            // NOTE(review): the session identifier is written to the log at INFO level, so
            // log readers can see live session ids — consider whether that is acceptable.
            LOGGER.info("Record HTTP Session " + session.getId() + " for CAS single sign out");
        }
    }

    /**
     * Tells whether the request looks like a CAS single-sign-out call.
     *
     * <p>The test is purely structural: the method is POST and the parameter named by the CAS
     * client's default logout parameter name is not blank.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} for a POST that carries a non-blank logout parameter
     */
    public boolean isLogoutRequest(HttpServletRequest httpServletRequest) {
        if (!"POST".equals(httpServletRequest.getMethod())) {
            return false;
        }
        return CommonUtils.isNotBlank(CommonUtils.safeGetParameter(httpServletRequest, (String) ConfigurationKeys.LOGOUT_PARAMETER_NAME.getDefaultValue()));
    }

    /**
     * Publishes the CAS logout URL as the {@code _logout_redirect} request attribute.
     *
     * <p>The response and the authentication are not used here; whoever reads the attribute
     * performs the redirect.
     *
     * @param httpServletRequest request that receives the redirect attribute
     * @param httpServletResponse unused
     * @param authentication unused
     */
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        httpServletRequest.setAttribute("_logout_redirect", this.casLogoutURL);
    }
}
