package com.neusoft.education.tp.sso.client.filter;

import com.neusoft.education.tp.sso.client.CASAuthenticationException;
import com.neusoft.education.tp.sso.client.CASReceipt;
import com.neusoft.education.tp.sso.client.ServiceValidator;
import com.neusoft.education.tp.sso.client.Util;
import com.neusoft.education.tp.sso.client.ValidatorFactory;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/* loaded from: input_file:com/neusoft/education/tp/sso/client/filter/AbstractCASFilter.class */
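/**
 * Base servlet filter for a CAS single-sign-on client.
 *
 * <p>{@link #init(FilterConfig)} reads {@code /casFilterConfig.xml} from the classpath.
 * {@link #doFilter(ServletRequest, ServletResponse, FilterChain)} then either lets a request
 * through, validates a {@code ticket} request parameter against the CAS server, or redirects
 * the browser to the CAS login URL. The policy decisions ({@code isNeedCASLoginOrValidate},
 * {@code isNeedValidate}, {@code isNeedRedirectToCAS}, {@code userLoginAndValidated}) are not
 * defined in this class and must come from the subclass.
 *
 * <p>NOTE(review): {@code casServiceUrl}, {@code casProxyCallbackUrl}, {@code casRenew},
 * {@code casGateway} and {@code authorizedProxies} are private and never assigned in this class,
 * so the branches that depend on them only ever see their default values here.
 */
public abstract class AbstractCASFilter implements CASFilter {
    protected static Log log = LogFactory.getLog(CASFilter.class);
    /** Session attribute recording that this session has already been sent through the gateway step. */
    protected static final String SSO_FILTER_GATEWAYED = "com.neusoft.education.tp.sso.client.filter.didGateway";
    /** CAS login URL: the configured {@code loginServer} value followed by {@code /login}. */
    protected String casLogin;
    /** CAS validation base URL, taken from the {@code validateServer} element. */
    protected String casValidate;
    private String casServiceUrl;
    /** Name of the protected server, taken from the {@code this} element. */
    protected String casServerName;
    private String casProxyCallbackUrl;
    private boolean casRenew;
    /** When true, requests are wrapped in a CASFilterRequestWrapper before being passed on. */
    protected boolean wrapRequest;
    /** Set to the same value as {@link #casValidate} while the configuration is parsed. */
    protected String casCheckAliveUrl;
    private boolean casGateway = false;
    /** Handed to {@code ServiceValidator.setNeedCheckAlive} when a ticket is validated. */
    protected boolean checkAlive = false;
    /** Handed to {@code ValidatorFactory.factory} to select the validator implementation. */
    protected boolean hessian = false;
    /** Case-insensitive patterns read from {@code notForceAuthUrls/url-pattern}. */
    protected List<Pattern> notForceAuthUrls = new ArrayList<Pattern>();
    // Always empty in this class, so isReceiptAcceptable() rejects every proxied receipt.
    private List<String> authorizedProxies = new ArrayList<String>();

    /* loaded from: input_file:com/neusoft/education/tp/sso/client/filter/AbstractCASFilter$CasFilterConfigHandler.class */
    /**
     * SAX handler that copies the values of {@code casFilterConfig.xml} into the enclosing filter.
     *
     * <p>Element text is collected in a buffer and applied when the element ends, because a SAX
     * parser is allowed to deliver the text of one element in several {@code characters()} calls.
     * Values are trimmed before use, so surrounding whitespace or line breaks in the file do not
     * end up inside URLs or turn {@code " true "} into {@code false}.
     */
    private class CasFilterConfigHandler extends DefaultHandler {
        /** Text collected since the most recent start tag. */
        private final StringBuilder text = new StringBuilder();
        private boolean notNeedAuth;
        private boolean isUrl;
        private boolean isLoginServer;
        private boolean isValidateServer;
        private boolean isThis;
        private boolean isWrap;
        private boolean isCheckAlive;
        private boolean isHessian;

        @Override // org.xml.sax.helpers.DefaultHandler, org.xml.sax.ContentHandler
        public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
            // Each element starts with an empty buffer so text of a parent or sibling cannot leak in.
            this.text.setLength(0);
            if ("notForceAuthUrls".equals(qName)) {
                this.notNeedAuth = true;
            } else if ("url-pattern".equals(qName)) {
                this.isUrl = true;
            } else if ("loginServer".equals(qName)) {
                this.isLoginServer = true;
            } else if ("validateServer".equals(qName)) {
                this.isValidateServer = true;
            } else if ("this".equals(qName)) {
                this.isThis = true;
            } else if ("wrapRequest".equals(qName)) {
                this.isWrap = true;
            } else if ("checkAlive".equals(qName)) {
                this.isCheckAlive = true;
            } else if ("hessian".equals(qName)) {
                this.isHessian = true;
            }
        }

        @Override // org.xml.sax.helpers.DefaultHandler, org.xml.sax.ContentHandler
        public void characters(char[] chars, int start, int length) throws SAXException {
            this.text.append(chars, start, length);
        }

        @Override // org.xml.sax.helpers.DefaultHandler, org.xml.sax.ContentHandler
        public void endElement(String uri, String localName, String qName) throws SAXException {
            String raw = this.text.toString();
            this.text.setLength(0);
            // An element without any text leaves the filter fields untouched.
            if (raw.length() > 0) {
                applyValue(raw.trim());
            }
            if ("notForceAuthUrls".equals(qName)) {
                this.notNeedAuth = false;
            } else if ("url-pattern".equals(qName)) {
                this.isUrl = false;
            } else if ("loginServer".equals(qName)) {
                this.isLoginServer = false;
            } else if ("validateServer".equals(qName)) {
                this.isValidateServer = false;
            } else if ("this".equals(qName)) {
                this.isThis = false;
            } else if ("wrapRequest".equals(qName)) {
                this.isWrap = false;
            } else if ("checkAlive".equals(qName)) {
                this.isCheckAlive = false;
            } else if ("hessian".equals(qName)) {
                this.isHessian = false;
            }
        }

        /**
         * Stores the trimmed text of the element that is ending into the matching filter field.
         *
         * @param value trimmed element text; empty when the element held only whitespace
         * @throws SAXException if a server element holds only whitespace
         */
        private void applyValue(String value) throws SAXException {
            if (this.isWrap) {
                AbstractCASFilter.this.wrapRequest = Boolean.parseBoolean(value);
            }
            if (this.isThis) {
                AbstractCASFilter.this.casServerName = value;
            }
            if (this.isLoginServer || this.isValidateServer) {
                if (value.length() == 0) {
                    throw new SAXException("cas服务器的地址没有指定");
                }
                // A single trailing slash is dropped so that "/login" can be appended cleanly.
                String server = value.endsWith("/") ? value.substring(0, value.length() - 1) : value;
                if (this.isLoginServer) {
                    AbstractCASFilter.this.casLogin = server + "/login";
                } else {
                    AbstractCASFilter.this.casValidate = server;
                    AbstractCASFilter.this.casCheckAliveUrl = server;
                }
            }
            if (this.isUrl) {
                if (value.length() == 0) {
                    // An empty regular expression is found in every string, so a blank url-pattern
                    // would exempt every URL that is checked through isUrlMatch().
                    log.warn("Ignoring blank url-pattern in casFilterConfig.xml");
                } else {
                    Pattern pattern = Pattern.compile(value, Pattern.CASE_INSENSITIVE);
                    if (this.notNeedAuth) {
                        AbstractCASFilter.this.notForceAuthUrls.add(pattern);
                    }
                }
            }
            if (this.isCheckAlive) {
                AbstractCASFilter.this.checkAlive = Boolean.parseBoolean(value);
            }
            if (this.isHessian) {
                AbstractCASFilter.this.hessian = Boolean.parseBoolean(value);
            }
        }
    }

    /**
     * Loads {@code /casFilterConfig.xml} from the classpath, if present, and applies its values.
     *
     * <p>The file comes from the application's own classpath and is parsed with the default JAXP
     * parser settings; DTD and external-entity processing are not explicitly disabled here.
     *
     * @param filterConfig servlet filter configuration; not read by this implementation
     * @throws ServletException if the file cannot be read or parsed
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        InputStream config = DefaultCASFilter.class.getResourceAsStream("/casFilterConfig.xml");
        if (config == null) {
            log.info("casFilterConfig.xml not found on the classpath; filter fields keep their defaults.");
            return;
        }
        try {
            SAXParserFactory.newInstance().newSAXParser().parse(config, new CasFilterConfigHandler());
        } catch (IOException e) {
            throw new ServletException(e);
        } catch (ParserConfigurationException e2) {
            throw new ServletException(e2);
        } catch (SAXException e3) {
            throw new ServletException(e3);
        } finally {
            // The stream was never closed before; release it whether or not parsing succeeded.
            try {
                config.close();
            } catch (IOException ignored) {
                log.debug("Could not close casFilterConfig.xml stream", ignored);
            }
        }
    }

    /**
     * Applies the CAS checks to one request.
     *
     * <p>Order of decisions: proxy-callback pass-through, optional request wrapping, the
     * subclass's {@code isNeedCASLoginOrValidate}, ticket validation when a non-empty
     * {@code ticket} parameter is present, and otherwise the gateway / redirect logic.
     *
     * <p>NOTE(review): the session is created before authentication and this method does not
     * re-issue it after a ticket validates; confirm that {@code userLoginAndValidated} (defined
     * elsewhere) rotates the session id.
     *
     * @throws ServletException if the request is not HTTP, ticket validation fails without an
     *     earlier receipt in the session, the receipt is rejected by policy, or {@code casLogin}
     *     is not configured
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (log.isTraceEnabled()) {
            log.trace("entering doFilter()");
        }
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            log.error("doFilter() called on a request or response that was not an HttpServletRequest or response.");
            throw new ServletException("CASFilter protects only HTTP resources");
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        HttpSession session = request.getSession();

        // NOTE(review): casProxyCallbackUrl is never assigned in this class, so this branch is
        // inert here. If it is ever made configurable, compare the full path exactly: endsWith()
        // also accepts any shorter request URI that happens to be a suffix of the callback URL.
        if (this.casProxyCallbackUrl != null && this.casProxyCallbackUrl.endsWith(request.getRequestURI()) && request.getParameter("pgtId") != null && request.getParameter("pgtIou") != null) {
            log.trace("passing through what we hope is CAS's request for proxy ticket receptor.");
            filterChain.doFilter(request, response);
            return;
        }
        if (this.wrapRequest) {
            log.trace("Wrapping request with CASFilterRequestWrapper.");
            request = new CASFilterRequestWrapper(request);
        }
        if (!isNeedCASLoginOrValidate(request, response, (CASReceipt) session.getAttribute(CASFilter.SSO_FILTER_RECEIPT))) {
            log.debug("isNeedCASLoginOrValidate() return false, do not check CAS.");
            filterChain.doFilter(request, response);
            return;
        }

        // Read again after the subclass hook, as the original code did.
        CASReceipt receipt = (CASReceipt) session.getAttribute(CASFilter.SSO_FILTER_RECEIPT);
        String ticket = request.getParameter("ticket");
        if (ticket != null && !ticket.equals("")) {
            if (!isNeedValidate(request, response)) {
                filterChain.doFilter(request, response);
                return;
            }
            CASAuthenticationException failure = null;
            try {
                receipt = getAuthenticatedUser(request);
            } catch (CASAuthenticationException e) {
                // Keep the cause in the log; it was dropped before.
                log.warn("getAuthenticatedUser() error", e);
                failure = e;
            }
            if (receipt == null && failure != null) {
                // Previously this surfaced as an IllegalArgumentException from isReceiptAcceptable().
                throw new ServletException("CAS ticket validation failed and the session holds no earlier receipt.", failure);
            }
            // NOTE(review): when validation failed but the session already held a receipt, that
            // earlier receipt is evaluated below (original behaviour, kept). Confirm the fallback
            // is intended, e.g. for a reload of a URL that still carries a consumed ticket.
            if (!isReceiptAcceptable(receipt)) {
                throw new ServletException("Authentication was technically successful but rejected as a matter of policy. [" + receipt + "]");
            }
            if (userLoginAndValidated(request, response, receipt)) {
                filterChain.doFilter(request, response);
                log.trace("returning from doFilter()");
            }
            return;
        }

        log.trace("CAS ticket was not present on request.");
        boolean gatewayed = Boolean.valueOf((String) session.getAttribute(SSO_FILTER_GATEWAYED)).booleanValue();
        if (this.casLogin == null) {
            log.fatal("casLogin was not set, so filter cannot redirect request for authentication.");
            throw new ServletException("When CASFilter protects pages that do not receive a 'ticket' parameter, it needs a com.neusoft.education.tp.sso.client.filter.loginUrl filter parameter");
        }
        if (!gatewayed) {
            log.trace("Did not previously gateway.  Setting session attribute to true.");
        } else {
            log.trace("Previously gatewayed.");
            if (this.casGateway || session.getAttribute(CASFilter.SSO_FILTER_USER) != null) {
                log.trace("casGateway was true and SSO_FILTER_USER set: passing request along filter chain.");
                filterChain.doFilter(request, response);
                return;
            }
        }
        session.setAttribute(SSO_FILTER_GATEWAYED, "true");
        if (isNeedRedirectToCAS(request, response)) {
            redirectToCAS(request, response);
        } else {
            filterChain.doFilter(request, response);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Decides whether a validated receipt satisfies this filter's policy.
     *
     * <p>A receipt is refused when {@code casRenew} is set and the receipt is not a primary
     * authentication, or when it is proxied by a service that is not in {@code authorizedProxies}.
     *
     * @param cASReceipt receipt to evaluate
     * @return true if the receipt is acceptable
     * @throws IllegalArgumentException if {@code cASReceipt} is null
     */
    public boolean isReceiptAcceptable(CASReceipt cASReceipt) {
        if (cASReceipt == null) {
            throw new IllegalArgumentException("Cannot evaluate a null receipt.");
        }
        if (this.casRenew && !cASReceipt.isPrimaryAuthentication()) {
            return false;
        }
        if (!cASReceipt.isProxied()) {
            return true;
        }
        return this.authorizedProxies.contains(cASReceipt.getProxyingService());
    }

    /**
     * Validates the request's {@code ticket} parameter and returns the resulting receipt.
     *
     * @throws CASAuthenticationException as raised by {@code CASReceipt.getReceipt}
     */
    private CASReceipt getAuthenticatedUser(HttpServletRequest request) throws ServletException, CASAuthenticationException {
        log.trace("entering getAuthenticatedUser()");
        ServiceValidator validator = ValidatorFactory.factory(this.hessian).getServiceValidator();
        validator.setCasValidateUrl(this.casValidate);
        validator.setServiceTicket(request.getParameter("ticket"));
        validator.setService(getService(request, false));
        if (log.isDebugEnabled()) {
            // NOTE(review): the validator already holds the service ticket at this point; check
            // that its toString() does not write the ticket into debug logs.
            log.debug("about to validate CheckAliveTicketValidator: [" + validator + "]");
        }
        validator.setNeedCheckAlive(this.checkAlive);
        return CASReceipt.getReceipt(validator);
    }

    /**
     * Returns the service identifier sent to CAS for this request.
     *
     * <p>When {@code casServiceUrl} is unset the value comes from {@code Util.getService}; otherwise
     * it is {@code casServiceUrl}, URL-encoded when {@code z} is true.
     *
     * @param httpServletRequest current request
     * @param z whether the configured service URL is URL-encoded; also passed through to
     *     {@code Util.getService} (presumably with the same meaning - confirm against Util)
     * @return the service string
     * @throws ServletException if neither server name nor service URL is configured, or the
     *     platform encoding is not supported by {@link URLEncoder}
     */
    protected String getService(HttpServletRequest httpServletRequest, boolean z) throws ServletException {
        log.trace("entering getService()");
        if (this.casServerName == null && this.casServiceUrl == null) {
            throw new ServletException("need one of the following configuration parameters: com.neusoft.education.tp.sso.client.filter.serviceUrl or com.neusoft.education.tp.sso.client.filter.serverName");
        }
        String service;
        if (this.casServiceUrl == null) {
            service = Util.getService(httpServletRequest, this.casServerName, z);
        } else if (!z) {
            service = this.casServiceUrl;
        } else {
            try {
                // NOTE(review): the platform default encoding is used, as before; UTF-8 is the
                // usual choice for URL encoding.
                service = URLEncoder.encode(this.casServiceUrl, System.getProperty("file.encoding"));
            } catch (UnsupportedEncodingException e) {
                // Previously swallowed, which returned null and produced "service=null" redirects.
                throw new ServletException("Cannot URL-encode the configured service URL", e);
            }
        }
        if (log.isTraceEnabled()) {
            log.trace("returning from getService() with service [" + service + "]");
        }
        return service;
    }

    /**
     * Redirects the browser to the CAS login URL, with {@code service} and the optional
     * {@code renew} / {@code gateway} parameters appended.
     */
    private void redirectToCAS(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        if (log.isTraceEnabled()) {
            log.trace("entering redirectToCAS()");
        }
        String target = String.valueOf(this.casLogin) + "?service=" + getService(request, true) + (this.casRenew ? "&renew=true" : "") + (this.casGateway ? "&gateway=true" : "");
        if (log.isDebugEnabled()) {
            log.debug("Redirecting browser to [" + target + ")");
        }
        response.sendRedirect(target);
        if (log.isTraceEnabled()) {
            log.trace("returning from redirectToCAS()");
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Tells whether any of the given patterns is found in {@code str}.
     *
     * <p>Patterns are applied with {@code Matcher.find()}, so they are unanchored: a pattern
     * matches if it occurs anywhere in {@code str}. Exemption patterns in the configuration
     * should be anchored ({@code ^...$}) if they are meant to cover only specific paths.
     *
     * @param str text to test
     * @param list patterns to try; null or empty yields false
     * @return true on the first pattern that is found in {@code str}
     */
    public boolean isUrlMatch(String str, List<Pattern> list) {
        if (list == null) {
            return false;
        }
        for (Pattern pattern : list) {
            if (pattern.matcher(str).find()) {
                return true;
            }
        }
        return false;
    }

    /** Returns a one-line summary of the filter configuration for diagnostics. */
    public String toString() {
        StringBuilder out = new StringBuilder();
        out.append("[CASFilter:");
        out.append(" casGateway=").append(this.casGateway);
        out.append(" wrapRequest=").append(this.wrapRequest);
        out.append(" casAuthorizedProxies=[").append(this.authorizedProxies).append("]");
        if (this.casLogin != null) {
            out.append(" casLogin=[").append(this.casLogin).append("]");
        } else {
            out.append(" casLogin=NULL!!!!!");
        }
        if (this.casProxyCallbackUrl != null) {
            out.append(" casProxyCallbackUrl=[").append(this.casProxyCallbackUrl).append("]");
        }
        if (this.casRenew) {
            out.append(" casRenew=true");
        }
        if (this.casServerName != null) {
            out.append(" casServerName=[").append(this.casServerName).append("]");
        }
        if (this.casServiceUrl != null) {
            out.append(" casServiceUrl=[").append(this.casServiceUrl).append("]");
        }
        if (this.casValidate != null) {
            out.append(" casValidate=[").append(this.casValidate).append("]");
        } else {
            out.append(" casValidate=NULL!!!");
        }
        return out.toString();
    }

    /** No resources are held by this filter, so there is nothing to release. */
    public void destroy() {
    }
}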
