package de.bos_bremen.gov.autent.requester.auth;

import de.bos_bremen.gov.autent.common.HttpRedirectUtils;
import de.bos_bremen.gov.autent.common.HttpServerUtils;
import de.bos_bremen.gov.autent.common.Utils;
import de.bos_bremen.gov.autent.requester.ParsedResponse;
import de.bos_bremen.gov.autent.requester.RequestGenerator;
import de.bos_bremen.gov.autent.requester.ResponseParser;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URLEncoder;
import java.security.GeneralSecurityException;
import java.security.KeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.DatatypeConverter;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.InitializationService;

/* loaded from: input_file:de/bos_bremen/gov/autent/requester/auth/AutentAuthenticator.class */
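/**
 * Tomcat authenticator that delegates login to a Governikus Autent SAML identity provider (IdP).
 *
 * <p>Flow as implemented here: an unauthenticated request is answered with a SAML request for the
 * configured {@code providerAddress}, either as an auto-submitting POST form or, with
 * {@code redirect=true}, via the redirect binding; optionally the browser is first sent to an
 * applet page ({@code appletURL}) that fetches the SAML request from this URL itself. When the
 * browser returns with a {@code SAMLResponse} parameter, the response is parsed, a user name is
 * taken from it (subject name, or a configured attribute) and the container realm is asked to
 * authenticate that user with the raw response as credential.
 *
 * <p>All options are servlet-context init parameters prefixed with this class's canonical name
 * (see {@link #option(String)}). They are re-read on every {@link #authenticate} call, key
 * material included, so a misconfiguration shows up as an {@link IOException} per request rather
 * than at startup; a missing mandatory option is reported by name.
 *
 * <p>NOTE(review): this class keeps no record of issued request IDs, so whether unsolicited or
 * replayed responses are rejected depends entirely on {@link ResponseParser} and the realm —
 * confirm there. Signature verification of the response is likewise not visible in this class.
 */
public class AutentAuthenticator extends AuthenticatorBase {
    private static final Log LOG = LogFactory.getLog(AutentAuthenticator.class);
    /** Self-submitting POST form; ${ACTION} is the IdP URL, ${SAML} the base64 SAML request. */
    private static final String FORWARD_HTML = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\n\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />\n<title>Weiterleitung zu Governikus Autent</title>\n</head>\n<body onload=\"document.forms[0].submit()\" style=\"background-color: #F0EEEE; font-size: 0.75em; font-family: Verdana, sans-serif, Arial\">\n<h1>Weiterleitung zu Governikus Autent</h1>\n<noscript>\n<p>\nDer SAML-Request soll nun per HTTP Post an den Server Governikus Autent &uuml;bertragen werden. Da Ihr\n Browser kein Java Script ausf&uuml;hrt, klicken Sie bitte auf den folgenden Button, um fortzufahren.\n</p>\n</noscript>\n<form action=\"${ACTION}\" method=\"post\">\n<div>\n<input type=\"hidden\" name=\"SAMLRequest\" value=\"${SAML}\"/>\n<input type=\"submit\" value=\"Weiter\"/>\n</div>\n</form>\n</body>\n</html>";
    /** Canonical class name; prefix of every init parameter this authenticator reads. */
    private static final String NAME;

    // Configuration, refreshed from the servlet context on every authenticate() call.
    private String providerName;
    private String providerAddress;
    private String assertionConsumerURL;
    private boolean assertionConsumerUrlFromRequest;
    private String appletURL;
    /** IdP certificate used to encrypt the SAML request; null means unencrypted. */
    private X509Certificate encCert;
    /** Signing key pair for the SAML request; both null means unsigned. */
    private X509Certificate sigCert;
    private PrivateKey sigKey;
    private boolean sigInclCert;
    private String sigAlg;
    /** true: redirect binding for the SAML request; false: POST form (default). */
    private boolean redirect = false;
    /** Key pair handed to the response parser for decrypting assertions; both null means none. */
    private X509Certificate decCert;
    private PrivateKey decKey;
    private boolean nPADummyMode;
    /** Attribute name ("attr" or "attr.key") supplying the user name instead of the subject. */
    private String attributeAsUserName;

    /** Reads the init parameter {@code NAME + suffix} from the servlet context; null if unset. */
    private String option(String suffix) {
        return this.context.getServletContext().getInitParameter(NAME + suffix);
    }

    /** Boolean init parameter; anything other than the literal "true" (case-insensitive) is false. */
    private boolean flag(String suffix) {
        return Boolean.parseBoolean(option(suffix));
    }

    /**
     * Opens a configured certificate/key source, from the classpath when
     * {@code searchInClasspath} is set, otherwise from the file system.
     *
     * @throws IOException if the classpath resource does not exist (instead of handing a null
     *     stream to the parser) or the file cannot be opened
     */
    private InputStream openConfigured(String path) throws IOException {
        if (flag(".searchInClasspath")) {
            InputStream in = AutentAuthenticator.class.getResourceAsStream(path);
            if (in == null) {
                throw new IOException("resource \"" + path + "\" not found on the classpath");
            }
            return in;
        }
        return new FileInputStream(path);
    }

    /**
     * (Re)loads all options and key material from the servlet context.
     *
     * @throws IOException if providerName/providerAddress is missing, or a configured
     *     certificate/key cannot be read
     */
    private void init() throws IOException {
        this.providerName = option(".providerName");
        this.providerAddress = option(".providerAddress");
        if (this.providerAddress == null || this.providerName == null) {
            throw new IOException("\"" + NAME + ".providerName\" or \"" + NAME + ".providerAddress\" was not provided");
        }
        this.assertionConsumerURL = option(".assertionConsumerURL");
        this.assertionConsumerUrlFromRequest = flag(".assertionConsumerUrlFromRequest");
        this.appletURL = option(".appletURL");
        this.redirect = flag(".redirect");
        this.nPADummyMode = flag(".dummyMode");
        this.attributeAsUserName = option(".attributeAsUserName");

        String encCertPath = option(".encCertPath");
        if (encCertPath != null) {
            // try-with-resources: the original never closed this stream.
            try (InputStream in = openConfigured(encCertPath)) {
                this.encCert = (X509Certificate) Utils.readCert(in, "x509");
            } catch (CertificateException e) {
                throw new IOException(e.getMessage(), e);
            }
        }
        this.sigAlg = option(".sigAlg");
        this.sigInclCert = flag(".sigInclCert");
        Utils.X509KeyPair signing = readKey(".sigKey");
        if (signing != null) {
            this.sigKey = signing.getKey();
            this.sigCert = signing.getCert();
        }
        Utils.X509KeyPair decryption = readKey(".decKey");
        if (decryption != null) {
            this.decKey = decryption.getKey();
            this.decCert = decryption.getCert();
        }

        if (LOG.isDebugEnabled()) {
            logOption("providerName", this.providerName, null);
            logOption("providerAddress", this.providerAddress, null);
            logOption("assertionConsumerURL", this.assertionConsumerURL, null);
            logOption("assertionConsumerUrlFromRequest", Boolean.valueOf(this.assertionConsumerUrlFromRequest), null);
            logOption("appletURL", this.appletURL, null);
            logOption("nPADummyMode", Boolean.valueOf(this.nPADummyMode), null);
            logOption("attributeAsUserName", this.attributeAsUserName, null);
            logOption("redirect", Boolean.valueOf(this.redirect), null);
            logOption("encCertPath", encCertPath, this.encCert);
            logOption("sigKeyPath", option(".sigKeyPath"), this.sigCert);
            logOption("sigAlg", this.sigAlg, null);
            logOption("sigInclCert", Boolean.valueOf(this.sigInclCert), null);
            logOption("decKeyPath", option(".decKeyPath"), this.decCert);
        }
    }

    /**
     * Debug-logs one option value; when a certificate is given, its subject and serial are
     * appended (never the key material or PIN).
     */
    private void logOption(String name, Object value, X509Certificate cert) {
        StringBuilder sb = new StringBuilder("Found option: " + NAME + ".");
        sb.append(name).append(": \"").append(value).append('"');
        if (cert != null) {
            sb.append(", certificate subject: \"").append(cert.getSubjectX500Principal());
            sb.append("\", certificate serial: \"").append(cert.getSerialNumber()).append('"');
        }
        LOG.debug(sb);
    }

    /**
     * Loads a key pair described by the options {@code NAME + prefix + {Path,Type,Pin,Alias}}.
     *
     * @param prefix ".sigKey" or ".decKey"
     * @return the key pair, or null when neither Path nor Type is configured
     * @throws IOException if the PIN is missing (the original dereferenced it and failed with a bare
     *     NullPointerException), the source cannot be opened, or the key store cannot be read
     */
    private Utils.X509KeyPair readKey(String prefix) throws IOException {
        String path = option(prefix + "Path");
        String type = option(prefix + "Type");
        String pin = option(prefix + "Pin");
        String alias = option(prefix + "Alias");
        if (path == null || type == null) {
            return null;
        }
        if (pin == null) {
            throw new IOException("\"" + NAME + prefix + "Pin\" was not provided for \"" + NAME + prefix + "Path\"");
        }
        // try-with-resources: the original closed the stream only on the success path.
        try (InputStream in = openConfigured(path)) {
            return Utils.readKeyAndCert(in, type, pin.toCharArray(), alias);
        } catch (GeneralSecurityException e) {
            throw new IOException(e.getMessage(), e);
        }
    }

    public String getInfo() {
        return NAME;
    }

    /** Marks the response as not cacheable (it carries a SAML request or a redirect to one). */
    private static void noStore(HttpServletResponse response) {
        response.setHeader("Cache-Control", "no-cache, no-store");
        response.setHeader("Pragma", "no-cache");
    }

    /**
     * Answers with a 500 carrying the exception text (HTML-escaped by Utils.replaceHTMLSymbols).
     * Guards against a null message, which the original passed straight through.
     * NOTE(review): echoing internal exception text to the client is an information leak; a
     * generic message with the details in the log would be preferable.
     */
    private static void sendInternalError(HttpServletResponse response, Exception e) throws IOException {
        String message = e.getMessage() == null ? e.getClass().getName() : e.getMessage();
        response.sendError(500, Utils.replaceHTMLSymbols(message));
    }

    /**
     * Builds the SAML request and delivers it to the IdP via the configured binding.
     * Any failure is logged and reported to the client as HTTP 500.
     */
    private void createSAMLRequest(HttpServletRequest request, HttpServletResponse response) throws IOException {
        try {
            LOG.debug("create SAML Request and forward to IdP page \"" + this.providerAddress + "\"");
            byte[] samlRequest = prepareGenerator(request).createSAMLRequest();
            // Applied to both bindings; the original only set these on the redirect path, leaving
            // the POST form (which embeds the request) cacheable.
            noStore(response);
            if (this.redirect) {
                // NOTE(review): no signing key is passed here, so the redirect-binding query string is
                // presumably unsigned even when sigKey is configured (the POST form is signed via the
                // generator) — confirm against HttpRedirectUtils.createQueryString.
                String location = HttpRedirectUtils.createQueryString(this.providerAddress, samlRequest, true, (String) null, (PrivateKey) null, "SHA256");
                response.sendRedirect(response.encodeRedirectURL(location));
            } else {
                // ${SAML} is base64 and therefore attribute-safe; ${ACTION} is trusted configuration
                // and is inserted unescaped.
                String html = FORWARD_HTML
                        .replace("${ACTION}", this.providerAddress)
                        .replace("${SAML}", Utils.breakAfter76Chars(DatatypeConverter.printBase64Binary(samlRequest)));
                response.setContentType("text/html");
                response.setCharacterEncoding("UTF-8");
                response.getWriter().write(html);
            }
        } catch (Exception e) {
            LOG.error("An error occurred while creating and sending SAML request", e);
            sendInternalError(response, e);
        }
    }

    /**
     * Configures the request generator from the loaded options.
     *
     * <p>With {@code assertionConsumerUrlFromRequest} the ACS URL is taken from the incoming
     * request URL, i.e. from the Host header — only safe when the container or a fronting proxy
     * pins the host; otherwise an explicit {@code assertionConsumerURL} should be configured.
     */
    private RequestGenerator prepareGenerator(HttpServletRequest request) throws NoSuchAlgorithmException, KeyException {
        RequestGenerator generator = new RequestGenerator(this.providerName, this.providerAddress);
        if (this.assertionConsumerURL != null) {
            generator.setAssertionConsumerURL(this.assertionConsumerURL);
        } else if (this.assertionConsumerUrlFromRequest) {
            generator.setAssertionConsumerURL(request.getRequestURL().toString());
        }
        if (this.encCert != null) {
            generator.setEncrypter(this.encCert);
        }
        if (this.sigKey != null && this.sigCert != null) {
            generator.setSigner(this.sigInclCert, this.sigKey, this.sigCert, this.sigAlg);
        }
        return generator;
    }

    protected boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException {
        return authenticate(request, (HttpServletResponse) response, loginConfig);
    }

    /**
     * Tomcat entry point. Returns true when the request is (or has just become) authenticated;
     * otherwise the response has already been written (SAML request, error page or 401/500).
     */
    protected boolean authenticate(Request request, HttpServletResponse response, LoginConfig loginConfig) throws IOException {
        init();
        if (isAuthenticated(request)) {
            return true;
        }
        Map<String, String[]> params = HttpServerUtils.getParameterMap(request);
        String[] samlResponse = params.get("SAMLResponse");
        if (samlResponse == null || samlResponse.length == 0) {
            sendSAMLRequest(params, request, response);
            return false;
        }
        String encoded = samlResponse[0];
        if (LOG.isDebugEnabled()) {
            // NOTE(review): the full response is logged; with eID attributes this may be personal data.
            LOG.debug("SAMLResponse was: " + encoded);
        }
        ResponseParser parser = new ResponseParser();
        if (this.decCert != null && this.decKey != null) {
            parser.addDecryptionKey(this.decKey, this.decCert);
        }
        try {
            if ("GET".equals(request.getMethod())) {
                // Redirect binding: the payload is deflated before base64; normalise it to the POST form.
                encoded = Utils.breakAfter76Chars(DatatypeConverter.printBase64Binary(HttpRedirectUtils.inflate(encoded)));
            }
            String username = getUsername(parser.parse(DatatypeConverter.parseBase64Binary(encoded)));
            if (username == null) {
                forwardToErrorpage(request, response, loginConfig);
                return false;
            }
            // The realm receives the (base64) SAML response as the credential.
            Principal principal = this.context.getRealm().authenticate(username, encoded);
            LOG.debug("Authenticated as " + principal);
            if (principal == null) {
                forwardToErrorpage(request, response, loginConfig);
                return false;
            }
            register(request, response, principal, "AUTENT", null, null);
            return true;
        } catch (Exception e) {
            LOG.warn("can not parse SAML response", e);
            sendInternalError(response, e);
            return false;
        }
    }

    /**
     * First hop of the login: either redirects to the applet page, telling it where to fetch the
     * SAML request from (this URL with {@code getSAMLRequest=true}), or emits the request directly.
     */
    private void sendSAMLRequest(Map<String, String[]> params, HttpServletRequest request, HttpServletResponse response) throws IOException {
        if (this.appletURL != null && !params.containsKey("getSAMLRequest")) {
            // Built from the request URL, i.e. from the Host header (see prepareGenerator).
            String fetchUrl = request.getRequestURL().append("?getSAMLRequest=true").toString();
            StringBuilder target = new StringBuilder(this.appletURL)
                    .append("?SAMLRequestUrl=")
                    .append(URLEncoder.encode(fetchUrl, "UTF-8"));
            if (this.nPADummyMode) {
                target.append("&dummyMode=true&hideDummyDialog=true");
            }
            noStore(response);
            response.sendRedirect(response.encodeRedirectURL(target.toString()));
            // The original fell through here and also wrote the SAML form onto the committed redirect.
            return;
        }
        createSAMLRequest(request, response);
    }

    /**
     * true if the request already carries a principal (re-associating it with the SSO session
     * when an SSO id is present) or can be re-authenticated from the SSO id alone.
     */
    private boolean isAuthenticated(Request request) {
        Principal principal = request.getUserPrincipal();
        String ssoId = (String) request.getNote("org.apache.catalina.request.SSOID");
        if (principal != null) {
            LOG.debug("Already authenticated " + principal.getName());
            if (ssoId != null) {
                associate(ssoId, request.getSessionInternal(true));
                return true;
            }
        }
        if (ssoId == null) {
            return false;
        }
        LOG.debug("SSO ID " + ssoId + "set");
        return reauthenticateFromSSO(ssoId, request);
    }

    /** Forwards to the login-config error page if one is set and reachable, else sends 401. */
    private void forwardToErrorpage(Request request, HttpServletResponse response, LoginConfig loginConfig) throws IOException {
        String errorPage = loginConfig.getErrorPage();
        if (errorPage != null) {
            try {
                this.context.getServletContext().getRequestDispatcher(errorPage).forward(request, response);
                return;
            } catch (ServletException e) {
                LOG.trace(e.getMessage(), e);
                LOG.error("can not forward to " + errorPage);
            }
        }
        response.sendError(401);
    }

    /** Class name for log messages, tolerating null values (the original would NPE on them). */
    private static String typeOf(Object value) {
        return value == null ? "null" : value.getClass().toString();
    }

    /**
     * Extracts the user name: the subject name by default, otherwise the configured attribute.
     * "attr" takes the attribute's first String value; "attr.key" expects the first value to be a
     * Map and takes its String entry under "key". Returns null (after logging) on any mismatch.
     */
    private String getUsername(ParsedResponse parsed) {
        if (this.attributeAsUserName == null) {
            return parsed.getSubjectName();
        }
        Object[] direct = parsed.getAttributeValue(this.attributeAsUserName);
        if (direct != null) {
            if (direct.length == 0) {
                LOG.error("no attribute " + this.attributeAsUserName + " in SAML Response");
                return null;
            }
            if (direct[0] instanceof String) {
                return (String) direct[0];
            }
            LOG.error("returned attribute not of expected type String, but " + typeOf(direct[0]));
            return null;
        }
        String[] parts = this.attributeAsUserName.split("\\.");
        Object[] nested = parsed.getAttributeValue(parts[0]);
        if (nested == null) {
            LOG.error("Attribute " + this.attributeAsUserName + " not found in SAML Response");
            return null;
        }
        if (nested.length == 0) {
            LOG.error("no attribute " + parts[0] + " in SAML Response");
            return null;
        }
        if (!(nested[0] instanceof Map)) {
            LOG.error("returned attribute not of expected type Map, but " + typeOf(nested[0]));
            return null;
        }
        if (parts.length < 2) {
            // Original indexed parts[1] unconditionally and threw ArrayIndexOutOfBoundsException.
            LOG.error("attribute " + this.attributeAsUserName + " is a Map but no sub-key was configured");
            return null;
        }
        Object value = ((Map<?, ?>) nested[0]).get(parts[1]);
        if (value instanceof String) {
            return (String) value;
        }
        LOG.error("returned attribute not of expected type String, but " + typeOf(value));
        return null;
    }

    static {
        try {
            InitializationService.initialize();
        } catch (InitializationException e) {
            // Logged only; subsequent SAML processing will fail at use.
            LOG.fatal("can not init OpenSAML", e);
        }
        NAME = AutentAuthenticator.class.getCanonicalName();
    }
}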
