package org.wso2.carbon.identity.entitlement.filter;

import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamException;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.util.AXIOMUtil;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.entitlement.filter.callback.BasicAuthCallBackHandler;
import org.wso2.carbon.identity.entitlement.filter.exception.EntitlementFilterException;
import org.wso2.carbon.identity.entitlement.proxy.PEPProxy;
import org.wso2.carbon.identity.entitlement.proxy.PEPProxyConfig;
import org.wso2.carbon.identity.entitlement.proxy.exception.EntitlementProxyException;

/* loaded from: input_file:org/wso2/carbon/identity/entitlement/filter/EntitlementFilter.class */
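/**
 * Servlet filter acting as a XACML Policy Enforcement Point (PEP).
 *
 * <p>For every request the filter derives a subject (see {@link #findUserName}), a resource
 * (the request URI) and an action (the HTTP method), asks the PDP for a decision through a
 * {@link PEPProxy}, and lets the request continue down the chain only on {@code PERMIT}. Every
 * other decision, including one the filter does not recognise or cannot parse, is forwarded to
 * the configured redirect URL, so the default is deny.
 *
 * <p>A request whose URI contains {@code /updateCacheAuth.do} is a request to flush the proxy's
 * decision cache. It is authorised by the PDP like any other request: the cache is cleared only
 * when the PDP returns {@code PERMIT} for that (subject, resource, action).
 *
 * <p>All configuration is read once in {@link #init(FilterConfig)}, from filter init parameters
 * (keys {@code EntitlementConstants.AUTH_REDIRECT_URL}, {@code CACHE_TYPE},
 * {@code MAX_CACHE_ENTRIES}, {@code INVALIDATION_INTERVAL}, {@code THRIFT_HOST},
 * {@code THRIFT_PORT}) and servlet-context init parameters ({@code userName},
 * {@code EntitlementConstants.PASSWORD}, {@code REMOTE_SERVICE_URL}, {@code CLIENT},
 * {@code SUBJECT_SCOPE}, {@code SUBJECT_ATTRIBUTE_NAME}). After {@code init} the fields are only
 * read by {@link #doFilter}, which the container may call concurrently.
 */
public class EntitlementFilter implements Filter {
    private static final Log log = LogFactory.getLog(EntitlementFilter.class);

    /** Application id under which the PDP client configuration is registered with the proxy. */
    private static final String APP_ID = "EntitlementMediator";
    /** Default client type and default subject scope. */
    private static final String BASIC_AUTH = "basicAuth";
    /** Context parameter, proxy config key and default subject attribute name. */
    private static final String USER_NAME_KEY = "userName";
    /** URI fragment that marks a request as a decision-cache flush. */
    private static final String CACHE_UPDATE_URI = "/updateCacheAuth.do";

    private FilterConfig filterConfig = null;
    private PEPProxy pepProxy;
    private String client;
    private String remoteServiceUrl;
    private String remoteServiceUserName;
    private String remoteServicePassword;
    private String thriftHost;
    private String thriftPort;
    private String reuseSession;
    private String cacheType;
    private int invalidationInterval;
    private int maxCacheEntries;
    private String subjectScope;
    private String subjectAttributeName;
    private String authRedirectURL;

    /**
     * Reads the filter and servlet-context init parameters, applies defaults, and builds the
     * {@link PEPProxy} used for every decision.
     *
     * @param filterConfig the container-supplied filter configuration
     * @throws EntitlementFilterException if the configured client type is unsupported, an
     *         integer parameter is malformed, or the proxy cannot be created
     */
    public void init(FilterConfig filterConfig) throws EntitlementFilterException {
        this.filterConfig = filterConfig;

        this.authRedirectURL = filterConfig.getInitParameter(EntitlementConstants.AUTH_REDIRECT_URL);
        if (this.authRedirectURL == null) {
            // Not fatal at init time, but every non-PERMIT decision forwards to this URL and
            // will fail without it; surface the misconfiguration early.
            log.warn("Init parameter " + EntitlementConstants.AUTH_REDIRECT_URL
                    + " is not set; non-PERMIT decisions cannot be forwarded");
        }

        this.remoteServiceUserName = contextParam(filterConfig, USER_NAME_KEY);
        this.remoteServicePassword = contextParam(filterConfig, EntitlementConstants.PASSWORD);
        this.remoteServiceUrl = contextParam(filterConfig, EntitlementConstants.REMOTE_SERVICE_URL);
        this.client = orDefault(contextParam(filterConfig, EntitlementConstants.CLIENT), BASIC_AUTH);
        this.subjectScope = orDefault(contextParam(filterConfig, EntitlementConstants.SUBJECT_SCOPE), BASIC_AUTH);
        this.subjectAttributeName = orDefault(
                contextParam(filterConfig, EntitlementConstants.SUBJECT_ATTRIBUTE_NAME), USER_NAME_KEY);

        this.cacheType = orDefault(filterConfig.getInitParameter(EntitlementConstants.CACHE_TYPE),
                EntitlementConstants.defaultCacheType);
        this.maxCacheEntries = intParam(filterConfig, EntitlementConstants.MAX_CACHE_ENTRIES);
        this.invalidationInterval = intParam(filterConfig, EntitlementConstants.INVALIDATION_INTERVAL);
        this.thriftHost = orDefault(filterConfig.getInitParameter(EntitlementConstants.THRIFT_HOST),
                EntitlementConstants.defaultThriftHost);
        this.thriftPort = orDefault(filterConfig.getInitParameter(EntitlementConstants.THRIFT_PORT),
                EntitlementConstants.defaultThriftPort);
        // NOTE(review): reuseSession is never read from configuration here, so the proxy always
        // receives null for REUSE_SESSION; confirm whether an init parameter was intended.

        Map<String, Map<String, String>> appConfigs = new HashMap<String, Map<String, String>>();
        appConfigs.put(APP_ID, buildClientConfig());
        try {
            this.pepProxy = new PEPProxy(new PEPProxyConfig(appConfigs, APP_ID, this.cacheType,
                    this.invalidationInterval, this.maxCacheEntries));
        } catch (EntitlementProxyException e) {
            log.error("Error while initializing the PEP Proxy", e);
            // Keep the cause so the container log shows why the proxy could not be created.
            throw new EntitlementFilterException("Error while initializing the Entitlement PEP Proxy", e);
        }
    }

    /**
     * Assembles the PDP client configuration map for the configured {@code client} type.
     *
     * @return the key/value configuration handed to {@link PEPProxyConfig} under {@link #APP_ID}
     * @throws EntitlementFilterException if {@code client} is none of SOAP, basicAuth or THRIFT
     */
    private Map<String, String> buildClientConfig() throws EntitlementFilterException {
        Map<String, String> clientConfig = new HashMap<String, String>();
        // Every client type shares the endpoint and credentials.
        clientConfig.put(EntitlementConstants.SERVER_URL, this.remoteServiceUrl);
        clientConfig.put(USER_NAME_KEY, this.remoteServiceUserName);
        clientConfig.put(EntitlementConstants.PASSWORD, this.remoteServicePassword);

        if (EntitlementConstants.SOAP.equals(this.client)) {
            clientConfig.put(EntitlementConstants.CLIENT, this.client);
            clientConfig.put(EntitlementConstants.REUSE_SESSION, this.reuseSession);
        } else if (BASIC_AUTH.equals(this.client)) {
            clientConfig.put(EntitlementConstants.CLIENT, this.client);
        } else if (EntitlementConstants.THRIFT.equals(this.client)) {
            clientConfig.put(EntitlementConstants.CLIENT, this.client);
            clientConfig.put(EntitlementConstants.REUSE_SESSION, this.reuseSession);
            clientConfig.put(EntitlementConstants.THRIFT_HOST, this.thriftHost);
            clientConfig.put(EntitlementConstants.THRIFT_PORT, this.thriftPort);
        } else {
            // client is never null here (defaulted in init), so anything else is a typo in web.xml.
            log.error("EntitlementMediator initialization error: Unsupported client");
            throw new EntitlementFilterException("EntitlementMediator initialization error: Unsupported client");
        }
        return clientConfig;
    }

    /**
     * Enforces the PDP decision for one request.
     *
     * <p>The subject, resource and action are derived from the request, a decision is obtained
     * from the proxy, and {@link #completeAuthorization} either continues the chain (PERMIT) or
     * forwards to the redirect URL. Cache-flush requests are not special-cased here: they go
     * through the PDP too, and the cache is only cleared on PERMIT.
     *
     * @param servletRequest  the request; must be an {@link HttpServletRequest}
     * @param servletResponse the response
     * @param filterChain     the remaining chain, invoked only on PERMIT
     * @throws EntitlementFilterException if no subject can be determined, the decision cannot be
     *         obtained or parsed, or the authorization outcome cannot be delivered
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws EntitlementFilterException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        String userName = findUserName(request, this.subjectScope, this.subjectAttributeName);
        String resource = findResource(request);
        String action = findAction(request);

        String decision;
        try {
            decision = extractDecision(this.pepProxy.getDecision(userName, resource, action, ""));
        } catch (Exception e) {
            // Proxy exception types are not visible here; treat any failure as a denied, errored
            // request rather than letting it through.
            log.error("Exception while making the decision", e);
            throw new EntitlementFilterException("Exception while making the decision : " + e, e);
        }
        completeAuthorization(decision, servletRequest, servletResponse, this.filterConfig, filterChain);
    }

    /**
     * Pulls the {@code Result/Decision} text out of the XACML response returned by the proxy.
     *
     * @param responseXml the XACML response document as a string
     * @return the decision text, or {@code null} if the Result or Decision element is absent
     *         (the caller treats {@code null} like an unrecognised decision, i.e. deny)
     * @throws XMLStreamException if the response is not well-formed XML
     */
    private static String extractDecision(String responseXml) throws XMLStreamException {
        OMElement response = AXIOMUtil.stringToOM(responseXml);
        String namespaceUri = "";
        if (response.getNamespace() != null && response.getNamespace().getNamespaceURI() != null) {
            namespaceUri = response.getNamespace().getNamespaceURI();
        }
        OMElement result = response.getFirstChildWithName(new QName(namespaceUri, "Result"));
        if (result == null) {
            return null;
        }
        OMElement decision = result.getFirstChildWithName(new QName(namespaceUri, "Decision"));
        return decision == null ? null : decision.getText();
    }

    /** Releases the proxy and clears every configuration value read in {@link #init}. */
    public void destroy() {
        this.filterConfig = null;
        this.pepProxy = null;
        this.client = null;
        this.remoteServiceUrl = null;
        this.remoteServiceUserName = null;
        this.remoteServicePassword = null;
        this.thriftHost = null;
        this.thriftPort = null;
        this.reuseSession = null;
        this.cacheType = null;
        this.invalidationInterval = 0;
        this.maxCacheEntries = 0;
        this.subjectScope = null;
        this.subjectAttributeName = null;
        this.authRedirectURL = null;
    }

    /**
     * Resolves the subject of the request according to the configured scope.
     *
     * <p>With {@code SESSION} / {@code REQUEST_ATTIBUTE} the value is read from the session or
     * request attribute named {@code attributeName}; with {@code REQUEST_PARAM} it is read from
     * the request parameter of that name, which means the subject is entirely caller-controlled
     * and the filter must sit behind something that authenticates it; with {@code basicAuth} it
     * is taken from the Basic credentials via {@link BasicAuthCallBackHandler}.
     *
     * @param request       the current request
     * @param scope         one of the {@code EntitlementConstants} scopes or {@code basicAuth}
     * @param attributeName session/request attribute or parameter name holding the subject
     * @return the non-empty subject name
     * @throws EntitlementFilterException if the scope is unknown or no subject is present
     */
    private String findUserName(HttpServletRequest request, String scope, String attributeName) throws EntitlementFilterException {
        String userName;
        if (EntitlementConstants.SESSION.equals(scope)) {
            // getSession(false) returns null when there is no session yet; that is "no subject",
            // not a server error.
            userName = request.getSession(false) == null
                    ? null
                    : (String) request.getSession(false).getAttribute(attributeName);
        } else if (EntitlementConstants.REQUEST_PARAM.equals(scope)) {
            userName = request.getParameter(attributeName);
        } else if (EntitlementConstants.REQUEST_ATTIBUTE.equals(scope)) {
            userName = (String) request.getAttribute(attributeName);
        } else if (BASIC_AUTH.equals(scope)) {
            userName = new BasicAuthCallBackHandler(request).getUserName();
        } else {
            String message = scope + " is an invalid configuration for subjectScope parameter in web.xml. Valid configurations are '"
                    + EntitlementConstants.REQUEST_PARAM + "', '" + EntitlementConstants.REQUEST_ATTIBUTE + "', '"
                    + EntitlementConstants.SESSION + "' and '" + BASIC_AUTH + "'";
            log.error(message);
            throw new EntitlementFilterException(message);
        }

        // The literal string "null" is rejected alongside a missing value (kept from the original).
        if (userName == null || userName.equals("null")) {
            log.error("Username not provided in " + scope);
            throw new EntitlementFilterException("Username not provided in " + scope);
        }
        return userName;
    }

    /** The XACML resource for a request: its URI. */
    private String findResource(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getRequestURI();
    }

    /** The XACML action for a request: its HTTP method. */
    private String findAction(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getMethod();
    }

    /**
     * Delivers the outcome of a decision.
     *
     * <p>{@code PERMIT} continues the chain, or — for a cache-flush request — clears the proxy
     * cache and writes a confirmation instead. Any other value, including {@code null} and
     * values the PDP is not expected to return, forwards to {@code authRedirectURL}.
     *
     * @param decision        the decision text from the PDP, possibly {@code null}
     * @param servletRequest  the request; must be an {@link HttpServletRequest}
     * @param servletResponse the response
     * @param filterConfig    unused; kept for signature compatibility
     * @param filterChain     the remaining chain
     * @throws EntitlementFilterException if continuing the chain, clearing the cache or
     *         forwarding fails
     */
    private void completeAuthorization(String decision, ServletRequest servletRequest, ServletResponse servletResponse, FilterConfig filterConfig, FilterChain filterChain) throws EntitlementFilterException {
        try {
            if (EntitlementConstants.PERMIT.equals(decision)) {
                if (isCacheUpdateRequest((HttpServletRequest) servletRequest)) {
                    this.pepProxy.clear();
                    log.info("PEP cache has been updated");
                    servletResponse.getWriter().print("PEP cache has been updated");
                } else {
                    filterChain.doFilter(servletRequest, servletResponse);
                }
                return;
            }
            if (EntitlementConstants.DENY.equals(decision)) {
                log.debug("User not authorized to perform the action");
            } else if (EntitlementConstants.NOT_APPLICABLE.equals(decision)) {
                log.debug("No applicable policies found");
            } else if (EntitlementConstants.INDETERMINATE.equals(decision)) {
                log.debug(EntitlementConstants.INDETERMINATE);
            } else {
                log.error("Unrecognized decision returned from PDP");
            }
            // Everything that is not an explicit PERMIT ends up here: deny by default.
            servletRequest.getRequestDispatcher(this.authRedirectURL).forward(servletRequest, servletResponse);
        } catch (Exception e) {
            log.error("Error occurred while completing authorization", e);
            throw new EntitlementFilterException("Error occurred while completing authorization", e);
        }
    }

    /** True when the request URI contains the cache-flush marker {@link #CACHE_UPDATE_URI}. */
    private static boolean isCacheUpdateRequest(HttpServletRequest request) {
        String uri = request.getRequestURI();
        return uri != null && uri.contains(CACHE_UPDATE_URI);
    }

    /** Reads a servlet-context init parameter; {@code null} when absent. */
    private static String contextParam(FilterConfig config, String key) {
        return config.getServletContext().getInitParameter(key);
    }

    /** Returns {@code value}, or {@code fallback} when {@code value} is {@code null}. */
    private static String orDefault(String value, String fallback) {
        return value != null ? value : fallback;
    }

    /**
     * Reads an integer filter init parameter.
     *
     * @return the parsed value, or 0 when the parameter is absent
     * @throws EntitlementFilterException if the value is present but not an integer
     */
    private static int intParam(FilterConfig config, String key) throws EntitlementFilterException {
        String raw = config.getInitParameter(key);
        if (raw == null) {
            return 0;
        }
        try {
            return Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            log.error("Invalid integer value for init parameter " + key + ": " + raw);
            throw new EntitlementFilterException("Invalid integer value for init parameter " + key, e);
        }
    }
}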
