package org.adullact.iparapheur.ws.security;

import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.transaction.UserTransaction;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationException;
import net.sf.acegisecurity.AuthenticationManager;
import net.sf.acegisecurity.BadCredentialsException;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.context.security.SecureContextUtils;
import net.sf.acegisecurity.intercept.web.AuthenticationEntryPoint;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;
import net.sf.acegisecurity.providers.dao.event.AuthenticationSuccessEvent;
import net.sf.acegisecurity.ui.WebAuthenticationDetails;
import net.sf.acegisecurity.ui.rememberme.RememberMeServices;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.service.transaction.TransactionService;
import org.alfresco.web.app.servlet.AbstractAuthenticationFilter;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oro.text.regex.MalformedPatternException;
import org.apache.oro.text.regex.MatchResult;
import org.apache.oro.text.regex.Pattern;
import org.apache.oro.text.regex.Perl5Compiler;
import org.apache.oro.text.regex.Perl5Matcher;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.extensions.surf.util.Base64;
import org.springframework.util.Assert;

/* loaded from: input_file:org/adullact/iparapheur/ws/security/X509AndBasicAuthenticationProcessingFilter.class */
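/**
 * Servlet filter that authenticates a request from its HTTP Basic {@code Authorization} header,
 * optionally prefixing the login with a user name taken from the client X.509 certificate.
 *
 * <p>When {@code dealWithCertificate} is {@code true}, the login handed to the
 * {@link AuthenticationComponent} is
 * {@code <group 1 of x509SubjectDNRegex applied to the subject DN> + tokenSeparator + <Basic user name>}.
 * When it is {@code false}, only the Basic user name is used.
 *
 * <p>Security notes for maintainers:
 * <ul>
 * <li>The certificate is read from the {@code javax.servlet.request.X509Certificate} request
 * attribute. This class performs no chain, validity-period or revocation check of its own; it
 * relies on whatever populated that attribute (presumably the container's TLS client
 * authentication - confirm in the deployment).</li>
 * <li>{@code x509SubjectDNRegex} is applied with {@code Perl5Matcher.contains}, i.e. it may match
 * anywhere inside the subject DN. Write the expression so that its single group can only capture
 * the intended attribute.</li>
 * <li>Credentials are never written to the log by this class.</li>
 * <li>When the authentication component rejects the credentials with an Alfresco
 * {@code AuthenticationException}, the request is passed down the chain without an authentication
 * having been established here; access control must be enforced downstream.</li>
 * <li>{@code basicAuthenticationEntryPoint} and {@code tokenSeparator} are not validated in
 * {@link #afterPropertiesSet()}; an unset separator is concatenated as the text {@code "null"}.</li>
 * </ul>
 */
public class X509AndBasicAuthenticationProcessingFilter extends AbstractAuthenticationFilter implements Filter, InitializingBean, ApplicationEventPublisherAware {
    private static final Log logger = LogFactory.getLog(X509AndBasicAuthenticationProcessingFilter.class);

    /** Scheme prefix that introduces Basic credentials in the {@code Authorization} header. */
    private static final String BASIC_PREFIX = "Basic ";

    /** Same numeric value as {@code javax.transaction.Status.STATUS_ACTIVE}. */
    private static final int STATUS_ACTIVE = 0;

    private ApplicationEventPublisher eventPublisher;
    private AuthenticationManager authenticationManager;
    private TransactionService transactionService;
    private AuthenticationComponent authenticationComponent;
    private AuthenticationEntryPoint basicAuthenticationEntryPoint;
    private RememberMeServices rememberMeServices;
    private String x509SubjectDNRegex;
    private String tokenSeparator;
    private Pattern subjectDNPattern;
    private boolean ignoreFailure = false;
    private boolean dealWithCertificate = true;

    /**
     * Authentication failure raised by this filter when a request carries no usable Basic
     * {@code Authorization} header.
     */
    class X509AndBasicAuthenticationException extends AuthenticationException {
        private static final long serialVersionUID = 1;

        public X509AndBasicAuthenticationException(String message) {
            super(message);
        }
    }

    /** @return {@code true} when the client certificate contributes to the login */
    public boolean isDealWithCertificate() {
        return this.dealWithCertificate;
    }

    /**
     * @param dealWithCertificate whether the client certificate contributes to the login; the
     *        pattern is only compiled in {@link #afterPropertiesSet()}, so set this before
     *        initialisation
     */
    public void setDealWithCertificate(boolean dealWithCertificate) {
        this.dealWithCertificate = dealWithCertificate;
    }

    /** @return the expression applied to the certificate subject DN */
    public String getX509SubjectDNRegex() {
        return this.x509SubjectDNRegex;
    }

    /** @param regex expression with exactly one group, applied to the certificate subject DN */
    public void setX509SubjectDNRegex(String regex) {
        this.x509SubjectDNRegex = regex;
    }

    /** @return the text inserted between the certificate user name and the Basic user name */
    public String getTokenSeparator() {
        return this.tokenSeparator;
    }

    /** @param separator text inserted between the certificate user name and the Basic user name */
    public void setTokenSeparator(String separator) {
        this.tokenSeparator = separator;
    }

    /** @return {@code true} when an Acegi authentication failure lets the request continue */
    public boolean isIgnoreFailure() {
        return this.ignoreFailure;
    }

    /**
     * @param ignoreFailure when {@code true}, an Acegi {@code AuthenticationException} does not
     *        trigger the entry point and the request continues down the chain; leave it
     *        {@code false} unless downstream components enforce authentication themselves
     */
    public void setIgnoreFailure(boolean ignoreFailure) {
        this.ignoreFailure = ignoreFailure;
    }

    /** @return the entry point used to challenge the client */
    public AuthenticationEntryPoint getBasicAuthenticationEntryPoint() {
        return this.basicAuthenticationEntryPoint;
    }

    /** @param authenticationEntryPoint the entry point used to challenge the client */
    public void setBasicAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint) {
        this.basicAuthenticationEntryPoint = authenticationEntryPoint;
    }

    /** @return the remember-me services notified of login failures, possibly {@code null} */
    public RememberMeServices getRememberMeServices() {
        return this.rememberMeServices;
    }

    /** @param rememberMeServices remember-me services notified of login failures; optional */
    public void setRememberMeServices(RememberMeServices rememberMeServices) {
        this.rememberMeServices = rememberMeServices;
    }

    /** Nothing to release. */
    public void destroy() {
    }

    /**
     * Checks the mandatory collaborators and, when certificates are processed, compiles the
     * subject DN expression (read-only, case-insensitive).
     *
     * @throws IllegalArgumentException if a mandatory property is missing or the expression is
     *         malformed
     */
    public void afterPropertiesSet() throws Exception {
        Assert.notNull(this.authenticationManager, "An AuthenticationManager must be set");
        Assert.notNull(this.authenticationComponent, "An AuthenticationComponent must be set");
        Assert.notNull(this.transactionService, "There must be a transaction service");
        if (this.dealWithCertificate) {
            // Fail with a clear message instead of a NullPointerException inside the compiler.
            Assert.notNull(this.x509SubjectDNRegex, "An x509SubjectDNRegex must be set when certificates are processed");
            try {
                this.subjectDNPattern = new Perl5Compiler().compile(this.x509SubjectDNRegex, Perl5Compiler.READ_ONLY_MASK | Perl5Compiler.CASE_INSENSITIVE_MASK);
            } catch (MalformedPatternException e) {
                // Keep the cause so the position of the syntax error is not lost.
                throw new IllegalArgumentException("Malformed regular expression: " + this.x509SubjectDNRegex, e);
            }
        }
    }

    /**
     * Applies the configured expression to the certificate subject DN and returns its single group.
     *
     * @param x509Certificate the client certificate, or {@code null} when the request had none
     * @return the text captured by group 1
     * @throws BadCredentialsException if there is no certificate or the subject DN does not match
     * @throws IllegalArgumentException if the expression does not define exactly one group
     */
    private String extractUserNameFromX509Certificate(X509Certificate x509Certificate) throws AuthenticationException {
        if (x509Certificate == null) {
            // Reject explicitly rather than failing with a NullPointerException.
            throw new BadCredentialsException("No client certificate found in request");
        }
        // NOTE(review): the textual form returned by getSubjectDN().getName() depends on the
        // security provider; confirm the expression against the provider used in production.
        String subjectDn = x509Certificate.getSubjectDN().getName();
        Perl5Matcher matcher = new Perl5Matcher();
        if (!matcher.contains(subjectDn, this.subjectDNPattern)) {
            throw new BadCredentialsException("DaoX509AuthoritiesPopulator.noMatching: no matching pattern was found in subjectDN: " + subjectDn);
        }
        MatchResult match = matcher.getMatch();
        // groups() counts group 0 (the whole match), so exactly one user group gives 2.
        if (match.groups() != 2) {
            throw new IllegalArgumentException("Regular expression must contain a single group ");
        }
        return match.group(1);
    }

    /**
     * Authenticates the request from its Basic credentials (and client certificate when enabled)
     * before handing it to the rest of the chain.
     *
     * <p>A request without a Basic {@code Authorization} header is answered by the entry point.
     * Authentication is only attempted when the secure context holds no authentication yet.
     *
     * @throws ServletException if the request or response is not an HTTP one
     * @throws BadCredentialsException if certificates are processed and the request has no
     *         certificate or its subject DN does not match
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        // Check the types before casting so the documented ServletException is what callers see.
        if (!(servletRequest instanceof HttpServletRequest)) {
            throw new ServletException("Can only process HttpServletRequest");
        }
        if (!(servletResponse instanceof HttpServletResponse)) {
            throw new ServletException("Can only process HttpServletResponse");
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;

        String header = httpServletRequest.getHeader("Authorization");
        boolean basicHeader = header != null && header.startsWith(BASIC_PREFIX);
        if (logger.isInfoEnabled()) {
            // The header value is base64 of "user:password"; only its presence is logged.
            String summary = header == null ? "absent" : (basicHeader ? "Basic (credentials not logged)" : "present, not Basic");
            logger.info("Authorization header: " + summary);
        }
        if (!basicHeader) {
            this.basicAuthenticationEntryPoint.commence(servletRequest, servletResponse, new X509AndBasicAuthenticationException("No authorization header, asking for one..."));
            return;
        }
        if (SecureContextUtils.getSecureContext().getAuthentication() == null) {
            String userName = "";
            if (this.dealWithCertificate) {
                userName = extractUserNameFromX509Certificate(extractClientCertificate(httpServletRequest)) + getTokenSeparator();
            }
            byte[] decoded = Base64.decode(header.substring(BASIC_PREFIX.length()));
            if (decoded == null) {
                // An undecodable token is a failed login, not a server error.
                this.basicAuthenticationEntryPoint.commence(servletRequest, servletResponse, new BadCredentialsException("Invalid basic authentication token"));
                return;
            }
            // NOTE(review): decoded with the platform default charset, as before; non-ASCII
            // credentials therefore depend on the JVM configuration.
            String credentials = new String(decoded);
            String password = "";
            int colon = credentials.indexOf(":");
            // NOTE(review): a token without ':' is still submitted, with the user name left as
            // built so far and an empty password; confirm the authentication component rejects it.
            if (colon != -1) {
                userName = userName + credentials.substring(0, colon);
                password = credentials.substring(colon + 1);
            }
            if (authenticationIsRequired(userName)) {
                // NOTE(review): this token is built and then discarded; it is kept only because
                // the constructors may touch the request - confirm and remove if they do not.
                new UsernamePasswordAuthenticationToken(userName, password).setDetails(new WebAuthenticationDetails((HttpServletRequest) servletRequest));
                if (logger.isDebugEnabled()) {
                    // The password is deliberately left out of the log.
                    logger.debug(" username=" + userName);
                }
                UserTransaction userTransaction = this.transactionService.getNonPropagatingUserTransaction();
                try {
                    userTransaction.begin();
                    this.authenticationComponent.authenticate(userName, password.toCharArray());
                    userTransaction.commit();
                } catch (org.alfresco.repo.security.authentication.AuthenticationException e) {
                    rollbackIfActive(userTransaction);
                    // Leave a trace of the rejection; the request still continues, as before.
                    logger.warn("Authentication rejected by the authentication component; continuing the filter chain without authentication");
                    if (logger.isDebugEnabled()) {
                        logger.debug("Authentication request for user: " + userName + " failed: " + e.toString());
                    }
                    filterChain.doFilter(servletRequest, servletResponse);
                    return;
                } catch (AuthenticationException e) {
                    rollbackIfActive(userTransaction);
                    if (logger.isDebugEnabled()) {
                        logger.debug("Authentication request for user: " + userName + " failed: " + e.toString());
                    }
                    SecureContextUtils.getSecureContext().setAuthentication((Authentication) null);
                    if (this.rememberMeServices != null) {
                        this.rememberMeServices.loginFail(httpServletRequest, httpServletResponse);
                    }
                    if (this.ignoreFailure) {
                        filterChain.doFilter(servletRequest, servletResponse);
                    } else {
                        this.basicAuthenticationEntryPoint.commence(servletRequest, servletResponse, e);
                    }
                    return;
                } catch (Throwable th) {
                    rollbackIfActive(userTransaction);
                    // Both authentication exception types are handled above, so only unexpected
                    // failures arrive here; log them with their stack trace.
                    logger.error("Failed to set authenticated user", th);
                    if (th instanceof RuntimeException) {
                        throw ((RuntimeException) th);
                    }
                    throw new RuntimeException("Failed to set authenticated user", th);
                }
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Rolls the transaction back when it is still active; a failure to do so is logged and not
     * propagated, so it cannot mask the error being handled.
     */
    private void rollbackIfActive(UserTransaction userTransaction) {
        try {
            if (userTransaction.getStatus() == STATUS_ACTIVE) {
                userTransaction.rollback();
            }
        } catch (Exception e) {
            logger.error("Failed to rollback transaction", e);
        }
    }

    /**
     * Stores the authentication in the secure context and publishes a success event when a
     * publisher is set.
     *
     * <p>NOTE(review): the event is built by casting {@code authentication.getDetails()} to
     * {@link UserDetails}; confirm callers always supply such details.
     */
    protected void successfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException {
        if (logger.isDebugEnabled()) {
            logger.debug("[successfulAuthentication]Authentication success: " + authentication);
        }
        SecureContextUtils.getSecureContext().setAuthentication(authentication);
        if (this.eventPublisher != null) {
            this.eventPublisher.publishEvent(new AuthenticationSuccessEvent(authentication, (UserDetails) authentication.getDetails()));
        }
    }

    /**
     * Clears the authentication held by the secure context and records the failure in the HTTP
     * session under {@code ACEGI_SECURITY_LAST_EXCEPTION}.
     */
    protected void unsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) {
        SecureContextUtils.getSecureContext().setAuthentication((Authentication) null);
        if (logger.isDebugEnabled()) {
            logger.debug("Updated SecurityContextHolder to contain null Authentication");
        }
        httpServletRequest.getSession().setAttribute("ACEGI_SECURITY_LAST_EXCEPTION", authenticationException);
    }

    /** @return the Acegi authentication manager */
    public AuthenticationManager getAuthenticationManager() {
        return this.authenticationManager;
    }

    /** @param authenticationManager the Acegi authentication manager; mandatory */
    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /** @return the transaction service (method name kept as published) */
    public TransactionService gettransactionService() {
        return this.transactionService;
    }

    /** @return the component that verifies the login and password */
    public AuthenticationComponent getAuthenticationComponent() {
        return this.authenticationComponent;
    }

    /** @param authenticationComponent the component that verifies the login and password; mandatory */
    public void setAuthenticationComponent(AuthenticationComponent authenticationComponent) {
        this.authenticationComponent = authenticationComponent;
    }

    /** @param transactionService the service providing the authentication transaction; mandatory */
    public void setTransactionService(TransactionService transactionService) {
        this.transactionService = transactionService;
    }

    /**
     * Tells whether the given login still has to be authenticated.
     *
     * @param userName the login about to be authenticated
     * @return {@code true} when the secure context holds no authenticated entry, holds a
     *         user-name/password token for another name, or holds an anonymous token
     */
    private boolean authenticationIsRequired(String userName) {
        Authentication current = SecureContextUtils.getSecureContext().getAuthentication();
        if (current == null || !current.isAuthenticated()) {
            return true;
        }
        if (current instanceof AnonymousAuthenticationToken) {
            return true;
        }
        return (current instanceof UsernamePasswordAuthenticationToken) && !current.getName().equals(userName);
    }

    /**
     * Returns the first certificate of the {@code javax.servlet.request.X509Certificate} request
     * attribute.
     *
     * @return the certificate, or {@code null} when the attribute is missing or empty
     */
    private X509Certificate extractClientCertificate(HttpServletRequest httpServletRequest) {
        X509Certificate[] certificates = (X509Certificate[]) httpServletRequest.getAttribute("javax.servlet.request.X509Certificate");
        if (certificates != null && certificates.length > 0) {
            return certificates[0];
        }
        if (logger.isDebugEnabled()) {
            logger.debug("No client certificate found in request.");
        }
        return null;
    }

    /** No filter configuration is read. */
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** @param applicationEventPublisher publisher used for authentication success events */
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.eventPublisher = applicationEventPublisher;
    }
}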
