package com.atolcd.parapheur.web.servlet;

import com.atolcd.parapheur.repo.ParapheurService;
import com.atolcd.parapheur.web.bean.ClientCertificateBean;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.transaction.UserTransaction;
import org.adullact.iparapheur.domain.CertificatesDAO;
import org.adullact.iparapheur.domain.CertificatesEntity;
import org.adullact.iparapheur.repo.jscript.JsKeyMaterial;
import org.adullact.iparapheur.util.X509Util;
import org.adullact.libersign.util.signature.PKCS7VerUtil;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.search.SearchService;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.transaction.TransactionService;
import org.alfresco.web.app.Application;
import org.alfresco.web.app.servlet.AbstractAuthenticationFilter;
import org.alfresco.web.app.servlet.FacesHelper;
import org.alfresco.web.bean.repository.User;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.extensions.config.ConfigService;
import org.springframework.extensions.surf.util.I18NUtil;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

/* loaded from: input_file:com/atolcd/parapheur/web/servlet/ClientCertificateFilter.class */
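/**
 * Servlet filter that logs a user in from a TLS client certificate.
 *
 * <p>On a secure request the filter obtains the client certificate chain, derives an
 * identifier from it with {@code JsKeyMaterial.getUniqueId}, resolves that identifier to a
 * username through {@code CertificatesDAO}, and stores an Alfresco {@code User} in the HTTP
 * session. Non-secure requests are passed down the chain without certificate handling.
 *
 * <p>NOTE(review): the chain may come from the {@code ssl_client_cert} request header (see
 * {@link #getX509Certificates(ServletRequest)}). A certificate is public data, so a header
 * value proves nothing about possession of the private key. This filter is only sound when a
 * TLS-terminating front end overwrites or strips that header on every request and the servlet
 * container cannot be reached by any other route. Confirm this against the deployment.
 */
public final class ClientCertificateFilter extends AbstractAuthenticationFilter implements Filter {
    private static final Log logger = LogFactory.getLog(ClientCertificateFilter.class);
    private ServletContext context = null;
    private static final String LOCALE = "locale";
    public static final String MESSAGE_BUNDLE = "alfresco.messages.webclient";
    private AuthenticationComponent authComponent;
    private AuthenticationService authService;
    private TransactionService transactionService;
    private PersonService personService;
    private NodeService nodeService;
    private SearchService searchService;
    private List<String> m_languages;
    private CertificatesDAO certificatesDAO;
    private ParapheurService parapheurService;

    /**
     * Resolves the collaborating services from the Spring web application context and reads
     * the configured list of languages.
     *
     * @param filterConfig the filter configuration supplied by the container
     * @throws ServletException declared by the {@code Filter} contract
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        this.context = filterConfig.getServletContext();
        WebApplicationContext requiredWebApplicationContext = WebApplicationContextUtils.getRequiredWebApplicationContext(this.context);
        ServiceRegistry serviceRegistry = (ServiceRegistry) requiredWebApplicationContext.getBean("ServiceRegistry");
        this.transactionService = serviceRegistry.getTransactionService();
        this.nodeService = serviceRegistry.getNodeService();
        this.authComponent = (AuthenticationComponent) requiredWebApplicationContext.getBean("authenticationComponent");
        this.authService = (AuthenticationService) requiredWebApplicationContext.getBean("authenticationService");
        this.personService = (PersonService) requiredWebApplicationContext.getBean("personService");
        this.searchService = (SearchService) requiredWebApplicationContext.getBean("searchService");
        this.certificatesDAO = (CertificatesDAO) requiredWebApplicationContext.getBean("certificatesDAOWithTransactionInterceptor");
        this.parapheurService = (ParapheurService) requiredWebApplicationContext.getBean("parapheurService");
        this.m_languages = ((ConfigService) requiredWebApplicationContext.getBean("webClientConfigService")).getConfig("Languages").getConfigElement("languages").getLanguages();
    }

    /**
     * Authenticates the request from its client certificate when the connection is secure.
     *
     * <p>Outcomes on a secure request:
     * <ul>
     *   <li>certificate present and mapped to a username: the session user is (re)installed;
     *       the request continues down the chain when the session already belonged to that
     *       user, otherwise the client is redirected to the parapheur landing page;</li>
     *   <li>certificate present but not mapped: a {@code RuntimeException} is thrown;</li>
     *   <li>certificate id equal to zero: the request continues without authentication here;</li>
     *   <li>no certificate: a {@code RuntimeException} is thrown unless
     *       {@code parapheurService.getHabillage()} returns {@code "blex"}.</li>
     * </ul>
     *
     * @throws IOException if the redirect or the downstream chain fails
     * @throws ServletException if the downstream chain fails
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        if (servletRequest.isSecure()) {
            logger.debug("Connexion sécurisée, récupération du certificat client");
            X509Certificate[] x509Certificates = getX509Certificates(servletRequest);
            if (x509Certificates != null && x509Certificates.length > 0) {
                String uniqueId = JsKeyMaterial.getUniqueId(x509Certificates);
                if (!uniqueId.equals(BigInteger.ZERO.toString())) {
                    logger.debug(" client utilise le certificat d'ID= " + uniqueId);
                    ((ClientCertificateBean) FacesHelper.getManagedBean(FacesHelper.getFacesContext(servletRequest, servletResponse, this.context), "ClientCertificateBean")).setX509Certificate(x509Certificates);
                    // NOTE(review): the system run-as context set here is not cleared on the
                    // "Utilisateur inconnu" path below; confirm that something upstream resets
                    // the thread's security context before the worker thread is reused.
                    AuthenticationUtil.setRunAsUserSystem();
                    String str = null;
                    CertificatesEntity certificatesById = this.certificatesDAO.getCertificatesById(uniqueId);
                    if (certificatesById != null) {
                        str = certificatesById.getUsername();
                    }
                    if (str == null) {
                        throw new RuntimeException("Utilisateur inconnu");
                    }
                    // NOTE(review): the existing session is reused even when it belonged to a
                    // different user (or to nobody). Issuing a fresh session id on login would
                    // prevent session fixation, but may drop session-scoped state set above;
                    // verify before changing.
                    HttpSession session = httpServletRequest.getSession(true);
                    User user = (User) session.getAttribute("_alfAuthTicket");
                    if (user != null && user.getUserName().equals(str)) {
                        // Same user as the one already in the session: refresh and carry on.
                        logger.debug("L'utilisateur est le même: " + str);
                        setAuthenticatedUser(httpServletRequest, session, str);
                        filterChain.doFilter(servletRequest, servletResponse);
                        return;
                    }
                    // No session user yet, or a different one: log in and go to the landing page.
                    logger.debug(user == null ? "User == null." : "Nouveau login.");
                    setAuthenticatedUser(httpServletRequest, session, str);
                    httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + "/faces/jsp/parapheur/parapheurs.jsp");
                    return;
                }
            } else if (!"blex".equals(this.parapheurService.getHabillage())) {
                throw new RuntimeException("Certificat Client requis pour accéder à iParapheur.");
            }
        } else if (logger.isDebugEnabled()) {
            logger.debug("Connexion non HTTPS... on continue");
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Returns the client certificate chain for the request, or {@code null} when none can be
     * obtained.
     *
     * <p>The container-provided {@code javax.servlet.request.X509Certificate} attribute is
     * preferred. When it is absent, the first {@code ssl_client_cert} header value is read as
     * PEM (tabs are converted back to line breaks) and parsed as X.509.
     *
     * <p>NOTE(review): the header path performs no chain validation and no proof-of-possession
     * check; it parses whatever the header contains. It must only ever carry a value written
     * by a trusted TLS-terminating proxy, never one supplied by the client.
     *
     * @param servletRequest the current request
     * @return the certificate chain, or {@code null} if absent or unparseable
     */
    private X509Certificate[] getX509Certificates(ServletRequest servletRequest) {
        X509Certificate[] chain = (X509Certificate[]) servletRequest.getAttribute("javax.servlet.request.X509Certificate");
        if (chain != null) {
            return chain;
        }
        try {
            // getHeader() yields null for a missing header, instead of the
            // NoSuchElementException that getHeaders(...).nextElement() raised on every
            // certificate-less request.
            String pem = ((HttpServletRequest) servletRequest).getHeader("ssl_client_cert");
            if (pem == null) {
                return null;
            }
            byte[] der = PKCS7VerUtil.pem2der(pem.replace('\t', '\n').getBytes(), X509Util.beginString.getBytes(), X509Util.endString.getBytes());
            Collection<? extends Certificate> parsed = CertificateFactory.getInstance("X.509").generateCertificates(new ByteArrayInputStream(der));
            if (parsed != null && parsed.size() > 0) {
                chain = new X509Certificate[parsed.size()];
                parsed.toArray(chain);
            }
        } catch (Exception e) {
            // Best effort: a malformed header is treated as "no certificate". Log through the
            // class logger rather than stderr, and never log the header content itself.
            logger.warn("Unable to parse the ssl_client_cert header as an X.509 certificate", e);
        }
        return chain;
    }

    /** Releases the servlet context reference. */
    public void destroy() {
        this.context = null;
    }

    /**
     * Installs {@code str} as the authenticated user of the given session.
     *
     * <p>Inside a user transaction the method sets the current user on the authentication
     * component, builds a {@code User} from the current ticket and the person node, and records
     * the home folder id. After commit it stores the user and the external/certificate
     * authentication flags in the session and applies the locale derived from the request.
     * No credential is checked here: the username is trusted as given by the caller.
     *
     * @param httpServletRequest the current request, used for locale negotiation
     * @param httpSession the session that receives the authenticated user
     * @param str the username to authenticate
     * @throws RuntimeException if the user cannot be authenticated or any step fails; the
     *     transaction is rolled back first
     */
    private void setAuthenticatedUser(HttpServletRequest httpServletRequest, HttpSession httpSession, String str) {
        UserTransaction userTransaction = this.transactionService.getUserTransaction();
        try {
            userTransaction.begin();
            this.authComponent.setCurrentUser(str);
            User user = new User(str, this.authService.getCurrentTicket(), this.personService.getPerson(str));
            user.setHomeSpaceId(this.nodeService.getProperty(this.personService.getPerson(str), ContentModel.PROP_HOMEFOLDER).getId());
            userTransaction.commit();
            httpSession.setAttribute("_alfAuthTicket", user);
            httpSession.setAttribute("_alfExternalAuth", Boolean.TRUE);
            httpSession.setAttribute("_adlCertAuth", Boolean.TRUE);
            Locale negotiatedLocale = parseAcceptLanguageHeader(httpServletRequest, this.m_languages);
            if (negotiatedLocale != null) {
                httpSession.setAttribute(LOCALE, negotiatedLocale);
                // Drop the cached bundle so messages are reloaded for the new locale
                // (presumably; verify against the web client).
                httpSession.removeAttribute(MESSAGE_BUNDLE);
            }
            I18NUtil.setLocale(Application.getLanguage(httpSession));
        } catch (Throwable th) {
            try {
                userTransaction.rollback();
            } catch (Exception e) {
                logger.error("Failed to rollback transaction", e);
            }
            if (th instanceof AuthenticationException) {
                // Surface the same generic message as an unmapped certificate.
                logger.error("Impossible d'authentifier l'utilisateur : " + str);
                throw new RuntimeException("Utilisateur inconnu");
            }
            if (th instanceof RuntimeException) {
                logger.error(th);
                throw ((RuntimeException) th);
            }
            logger.error(th);
            throw new RuntimeException("Failed to set authenticated user", th);
        }
    }
}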
