package org.hippoecm.hst.core.container;

import com.google.common.net.HttpHeaders;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.SignatureException;
import javax.jcr.Credentials;
import javax.jcr.LoginException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.lang.StringUtils;
import org.hippoecm.hst.core.internal.HstMutableRequestContext;
import org.hippoecm.hst.core.jcr.SessionSecurityDelegation;
import org.hippoecm.hst.core.request.HstRequestContext;
import org.onehippo.sso.CredentialCipher;

/* loaded from: input_file:WEB-INF/lib/hst-core-2.28.07.jar:org/hippoecm/hst/core/container/CmsSecurityValve.class */
public class CmsSecurityValve extends AbstractBaseOrderableValve {
    private static final String HSTSESSIONID_COOKIE_NAME = "HSTSESSIONID";
    private SessionSecurityDelegation sessionSecurityDelegation;

    public void setSessionSecurityDelegation(SessionSecurityDelegation sessionSecurityDelegation) {
        this.sessionSecurityDelegation = sessionSecurityDelegation;
    }

    @Override // org.hippoecm.hst.core.container.AbstractBaseOrderableValve, org.hippoecm.hst.container.valves.AbstractValve, org.hippoecm.hst.core.container.Valve
    public void invoke(ValveContext valveContext) throws ContainerException {
        String currentCmsUser;
        HttpServletRequest servletRequest = valveContext.getServletRequest();
        HttpServletResponse servletResponse = valveContext.getServletResponse();
        HstRequestContext requestContext = valveContext.getRequestContext();
        if (servletRequest.getHeader("CMS-User") == null && !requestContext.isCmsRequest()) {
            String matchingIgnoredPrefix = requestContext.getResolvedMount().getMatchingIgnoredPrefix();
            if (StringUtils.isEmpty(matchingIgnoredPrefix) || !matchingIgnoredPrefix.equals(requestContext.getResolvedMount().getMount().getVirtualHost().getVirtualHosts().getCmsPreviewPrefix())) {
                valveContext.invokeNext();
                return;
            }
            try {
                servletResponse.sendError(HttpStatus.SC_FORBIDDEN);
                return;
            } catch (IOException e) {
                log.error("Exception while sending error response", e);
                return;
            }
        }
        log.debug("Request '{}' is invoked from CMS context. Check whether the SSO handshake is done.", servletRequest.getRequestURL());
        HttpSession session = servletRequest.getSession(true);
        String header = servletRequest.getHeader("CMS-User");
        if (header != null && (currentCmsUser = getCurrentCmsUser(session)) != null && !currentCmsUser.equals(header)) {
            resetAuthentication(session);
        }
        if (authenticate(servletRequest, servletResponse, requestContext, session)) {
            updateHstSessionCookie(servletRequest, servletResponse, session);
            synchronized (session) {
                Session session2 = null;
                try {
                    try {
                        if (isCmsRestOrPageComposerRequest(servletRequest)) {
                            session2 = createCmsChannelManagerRestSession(session);
                        } else if (this.sessionSecurityDelegation.sessionSecurityDelegationEnabled()) {
                            session2 = createCmsPreviewSession(session);
                        }
                        if (session2 != null) {
                            ((HstMutableRequestContext) requestContext).setSession(session2);
                        }
                        valveContext.invokeNext();
                        if (session2 != null) {
                            session2.logout();
                        }
                    } catch (Throwable th) {
                        if (0 != 0) {
                            session2.logout();
                        }
                        throw th;
                    }
                } catch (LoginException e2) {
                    log.info("Credentials of CMS user '{}' are no longer valid, resetting its HTTP session and starting the SSO handshake again.", getCurrentCmsUser(session));
                    resetAuthentication(session);
                    authenticate(servletRequest, servletResponse, requestContext, session);
                    if (session2 != null) {
                        session2.logout();
                    }
                }
            }
        }
    }

    private static String getCurrentCmsUser(HttpSession httpSession) {
        return (String) httpSession.getAttribute(ContainerConstants.CMS_USER_ID_ATTR);
    }

    private static boolean authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HstRequestContext hstRequestContext, HttpSession httpSession) throws ContainerException {
        if (isAuthenticated(httpSession)) {
            return true;
        }
        String id = httpSession.getId();
        String parameter = httpServletRequest.getParameter("cred");
        if (parameter != null) {
            log.debug("EncryptedCredentials found.");
            storeAuthentication(httpSession, id, parameter);
            return true;
        }
        log.debug("No encryptedCredentials found. Redirect to the CMS");
        String method = httpServletRequest.getMethod();
        if ("GET".equals(method) || "HEAD".equals(method)) {
            redirectToCms(httpServletRequest, httpServletResponse, hstRequestContext, id);
            return false;
        }
        try {
            httpServletResponse.sendError(HttpStatus.SC_UNAUTHORIZED);
            return false;
        } catch (IOException e) {
            log.error("Unable to send unauthorized (404) response to client", e);
            return false;
        }
    }

    private static boolean isAuthenticated(HttpSession httpSession) {
        return httpSession.getAttribute("org.hippoecm.hst.security.servlet.subject.repo.creds") != null;
    }

    private static void storeAuthentication(HttpSession httpSession, String str, String str2) throws ContainerException {
        try {
            SimpleCredentials decryptFromString = CredentialCipher.getInstance().decryptFromString(str, str2);
            httpSession.setAttribute(ContainerConstants.CMS_USER_ID_ATTR, decryptFromString.getUserID());
            httpSession.setAttribute("org.hippoecm.hst.security.servlet.subject.repo.creds", decryptFromString);
            httpSession.setAttribute(ContainerConstants.CMS_SSO_AUTHENTICATED, true);
        } catch (SignatureException e) {
            if (log.isDebugEnabled()) {
                log.error("SignatureException while decrypting credentials : ", e);
            } else {
                log.error("SignatureException while decrypting credentials : {} ", e.toString());
            }
            throw new ContainerException(e);
        }
    }

    private static void resetAuthentication(HttpSession httpSession) {
        httpSession.removeAttribute(ContainerConstants.CMS_USER_ID_ATTR);
        httpSession.removeAttribute("org.hippoecm.hst.security.servlet.subject.repo.creds");
        httpSession.removeAttribute(ContainerConstants.CMS_SSO_AUTHENTICATED);
    }

    private static void redirectToCms(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HstRequestContext hstRequestContext, String str) throws ContainerException {
        try {
            httpServletResponse.sendRedirect(createCmsAuthenticationUrl(httpServletRequest, hstRequestContext, str));
        } catch (UnsupportedEncodingException e) {
            log.error("Unable to encode the destination url with UTF8 encoding " + e.getMessage(), e);
        } catch (IOException e2) {
            log.error("Something gone wrong so stopping valve invocation fall through: " + e2.getMessage(), e2);
        }
    }

    private static String createCmsAuthenticationUrl(HttpServletRequest httpServletRequest, HstRequestContext hstRequestContext, String str) throws ContainerException {
        String header = httpServletRequest.getHeader(HttpHeaders.REFERER);
        if (header == null) {
            throw new ContainerException("Could not establish a SSO between CMS & site application because there is no 'Referer' header on the request");
        }
        if (header.indexOf("?") > -1) {
            header = header.substring(0, header.indexOf("?"));
        }
        if (!header.endsWith("/")) {
            header = header + "/";
        }
        StringBuilder sb = new StringBuilder();
        sb.append(getBaseUrl(header));
        sb.append(httpServletRequest.getRequestURI());
        if (hstRequestContext.getPathSuffix() != null) {
            sb.append(hstRequestContext.getVirtualHost().getVirtualHosts().getHstManager().getPathSuffixDelimiter()).append(hstRequestContext.getPathSuffix());
        }
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null) {
            sb.append("?").append(queryString);
        }
        return header + "auth?destinationUrl=" + sb.toString() + "&key=" + str;
    }

    private static void updateHstSessionCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (HSTSESSIONID_COOKIE_NAME.equals(cookie.getName()) && httpSession.getId().equals(cookie.getValue())) {
                    return;
                }
            }
        }
        Cookie cookie2 = new Cookie(HSTSESSIONID_COOKIE_NAME, httpSession.getId());
        cookie2.setMaxAge(-1);
        httpServletResponse.addCookie(cookie2);
    }

    private static boolean isCmsRestOrPageComposerRequest(HttpServletRequest httpServletRequest) {
        return Boolean.TRUE.equals(httpServletRequest.getAttribute(ContainerConstants.CMS_REST_REQUEST_CONTEXT));
    }

    private static String getBaseUrl(String str) throws ContainerException {
        int indexOf = str.indexOf("//");
        if (indexOf == -1) {
            throw new ContainerException("Could not establish a SSO between CMS & site application because cannot get a cms url from the referer '" + str + "'");
        }
        int indexOf2 = str.substring(indexOf + 2).indexOf("/") + indexOf + 2;
        if (indexOf2 == -1) {
            throw new ContainerException("Could not establish a SSO between CMS & site application because cannot get a cms url from the referer '" + str + "'");
        }
        return str.substring(0, indexOf2);
    }

    private Session createCmsChannelManagerRestSession(HttpSession httpSession) throws LoginException, ContainerException {
        long currentTimeMillis = System.currentTimeMillis();
        try {
            Session delegatedSession = this.sessionSecurityDelegation.getDelegatedSession((Credentials) httpSession.getAttribute("org.hippoecm.hst.security.servlet.subject.repo.creds"));
            log.debug("Acquiring cms rest session took '{}' ms.", Long.valueOf(System.currentTimeMillis() - currentTimeMillis));
            return delegatedSession;
        } catch (Exception e) {
            throw new ContainerException("Failed to create session based on SSO.", e);
        } catch (LoginException e2) {
            throw e2;
        }
    }

    private Session createCmsPreviewSession(HttpSession httpSession) throws LoginException, ContainerException {
        long currentTimeMillis = System.currentTimeMillis();
        try {
            Session createPreviewSecurityDelegate = this.sessionSecurityDelegation.createPreviewSecurityDelegate((Credentials) httpSession.getAttribute("org.hippoecm.hst.security.servlet.subject.repo.creds"), false);
            log.debug("Acquiring security delegate session took '{}' ms.", Long.valueOf(System.currentTimeMillis() - currentTimeMillis));
            return createPreviewSecurityDelegate;
        } catch (Exception e) {
            throw new ContainerException("Failed to create Session based on SSO.", e);
        } catch (LoginException e2) {
            throw e2;
        }
    }
}
