package org.alfresco.web.site.servlet;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.alfresco.config.ConfigService;
import org.alfresco.connector.Connector;
import org.alfresco.connector.ConnectorContext;
import org.alfresco.connector.ConnectorService;
import org.alfresco.connector.Response;
import org.alfresco.connector.exception.ConnectorServiceException;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.jlan.server.auth.ntlm.NTLMLogonDetails;
import org.alfresco.jlan.server.auth.ntlm.NTLMMessage;
import org.alfresco.jlan.server.auth.ntlm.Type1NTLMMessage;
import org.alfresco.jlan.server.auth.ntlm.Type2NTLMMessage;
import org.alfresco.jlan.server.auth.ntlm.Type3NTLMMessage;
import org.alfresco.util.Base64;
import org.alfresco.util.log.NDC;
import org.alfresco.web.config.RemoteConfigElement;
import org.alfresco.web.framework.model.Page;
import org.alfresco.web.framework.resource.Resource;
import org.alfresco.web.scripts.Description;
import org.alfresco.web.site.AuthenticationUtil;
import org.alfresco.web.site.FrameworkHelper;
import org.alfresco.web.site.RequestContext;
import org.alfresco.web.site.RequestContextFactory;
import org.alfresco.web.site.UserFactory;
import org.alfresco.web.site.exception.RequestContextException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

/* loaded from: input_file:WEB-INF/lib/alfresco-web-framework-3.2r2.jar:org/alfresco/web/site/servlet/NTLMAuthenticationFilter.class */
public class NTLMAuthenticationFilter implements Filter {
    private static Log logger = LogFactory.getLog(NTLMAuthenticationFilter.class);
    private static final String AUTH_NTLM = "NTLM";
    private static final String HEADER_WWWAUTHENTICATE = "WWW-Authenticate";
    private static final String NTLM_AUTH_SESSION = "_alfwfNTLMAuthSess";
    private static final String NTLM_AUTH_DETAILS = "_alfwfNTLMDetails";
    private static final String LOGIN_PAGE_PASSTHROUGH = "_alfwfLoginPassthrough";
    private RemoteConfigElement config;
    private ConnectorService connectorService;
    private String endpoint;

    public void init(FilterConfig filterConfig) throws ServletException {
        WebApplicationContext requiredWebApplicationContext = WebApplicationContextUtils.getRequiredWebApplicationContext(filterConfig.getServletContext());
        this.config = (RemoteConfigElement) ((ConfigService) requiredWebApplicationContext.getBean("web.config")).getConfig("Remote").getConfigElement("remote");
        this.connectorService = (ConnectorService) requiredWebApplicationContext.getBean("connector.service");
        this.endpoint = filterConfig.getInitParameter(Resource.ATTR_ENDPOINT);
        if (logger.isInfoEnabled()) {
            logger.info("NTLMAuthenticationFilter initialised.");
        }
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        NDC.remove();
        NDC.push(Thread.currentThread().getName());
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        HttpSession session = httpServletRequest.getSession();
        if (logger.isDebugEnabled()) {
            logger.debug("Processing request " + httpServletRequest.getRequestURI() + " SID:" + session.getId());
        }
        try {
            httpServletRequest.setAttribute(RequestContextFactory.SILENT_INIT, Boolean.TRUE);
            RequestContext initRequestContext = FrameworkHelper.initRequestContext(httpServletRequest);
            httpServletRequest.removeAttribute(RequestContextFactory.SILENT_INIT);
            Page page = initRequestContext.getPage();
            if (page != null && page.getAuthentication() == Description.RequiredAuthentication.none) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Unauthenticated page requested - skipping auth filter...");
                }
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
            String header = httpServletRequest.getHeader("Authorization");
            if (!(header != null && header.startsWith("NTLM")) && session.getAttribute(NTLM_AUTH_DETAILS) != null) {
                try {
                    Connector connector = this.connectorService.getConnector(this.endpoint, session);
                    if (401 == connector.call("/touch", new ConnectorContext(null, getConnectionHeaders(connector)), httpServletRequest, (HttpServletResponse) null).getStatus().getCode()) {
                        if (logger.isDebugEnabled()) {
                            logger.debug("Repository session timed out - restarting auth process...");
                        }
                        restartAuthProcess(session, httpServletResponse);
                        return;
                    } else {
                        if (logger.isDebugEnabled()) {
                            logger.debug("Authentication not required, chaining ...");
                        }
                        filterChain.doFilter(servletRequest, servletResponse);
                        return;
                    }
                } catch (ConnectorServiceException e) {
                    throw new AlfrescoRuntimeException("Incorrectly configured endpoint ID: " + this.endpoint);
                }
            }
            if (session.getAttribute(LOGIN_PAGE_PASSTHROUGH) != null) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Login page requested, chaining ...");
                }
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
            String header2 = httpServletRequest.getHeader("user-agent");
            if (header2 != null && header2.indexOf("Opera ") != -1) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Opera detected, redirecting to login page");
                }
                redirectToLoginPage(httpServletRequest, httpServletResponse);
                return;
            }
            if (header == null) {
                if (logger.isDebugEnabled()) {
                    logger.debug("New NTLM auth request from " + httpServletRequest.getRemoteHost() + " (" + httpServletRequest.getRemoteAddr() + ":" + httpServletRequest.getRemotePort() + ")");
                }
                restartAuthProcess(session, httpServletResponse);
                return;
            }
            byte[] decode = Base64.decode(header.substring(5).getBytes());
            int isNTLMType = NTLMMessage.isNTLMType(decode);
            if (isNTLMType == 1) {
                processType1(new Type1NTLMMessage(decode), httpServletRequest, httpServletResponse, session);
            } else {
                if (isNTLMType == 3) {
                    processType3(new Type3NTLMMessage(decode), httpServletRequest, httpServletResponse, session, filterChain);
                    return;
                }
                if (logger.isDebugEnabled()) {
                    logger.debug("NTLM not handled, redirecting to login page");
                }
                redirectToLoginPage(httpServletRequest, httpServletResponse);
            }
        } catch (RequestContextException e2) {
            throw new ServletException(e2);
        }
    }

    public void destroy() {
    }

    private Map<String, String> getConnectionHeaders(Connector connector) {
        HashMap hashMap = null;
        if (connector.getConnectorSession().getCookie("JSESSIONID") == null) {
            hashMap = new HashMap(1);
            hashMap.put("Cookie", "");
        }
        return hashMap;
    }

    private void restartAuthProcess(HttpSession httpSession, HttpServletResponse httpServletResponse) throws IOException {
        httpSession.removeAttribute(NTLM_AUTH_DETAILS);
        httpServletResponse.setHeader("WWW-Authenticate", "NTLM");
        httpServletResponse.setStatus(401);
        httpServletResponse.flushBuffer();
    }

    private void processType1(Type1NTLMMessage type1NTLMMessage, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession) throws IOException {
        if (logger.isDebugEnabled()) {
            logger.debug("Received type1 " + type1NTLMMessage);
        }
        NTLMLogonDetails nTLMLogonDetails = (NTLMLogonDetails) httpSession.getAttribute(NTLM_AUTH_DETAILS);
        if (nTLMLogonDetails != null && nTLMLogonDetails.hasType2Message() && nTLMLogonDetails.hasNTLMHashedPassword()) {
            Type2NTLMMessage type2Message = nTLMLogonDetails.getType2Message();
            String str = "NTLM " + new String(Base64.encodeBytes(type2Message.getBytes(), 8));
            if (logger.isDebugEnabled()) {
                logger.debug("Sending cached NTLM type2 to client - " + type2Message);
            }
            httpServletResponse.setHeader("WWW-Authenticate", str);
            httpServletResponse.setStatus(401);
            httpServletResponse.flushBuffer();
            return;
        }
        httpSession.removeAttribute(NTLM_AUTH_DETAILS);
        try {
            Connector connector = this.connectorService.getConnector(this.endpoint, httpSession);
            Response call = connector.call("/touch", new ConnectorContext(null, getConnectionHeaders(connector)), httpServletRequest, (HttpServletResponse) null);
            if (401 == call.getStatus().getCode()) {
                String str2 = call.getStatus().getHeaders().get("WWW-Authenticate");
                if (!str2.startsWith("NTLM") || str2.length() <= 4) {
                    if (logger.isDebugEnabled()) {
                        logger.debug("Unexpected response from repository: WWW-Authenticate:" + str2);
                    }
                    redirectToLoginPage(httpServletRequest, httpServletResponse);
                } else {
                    byte[] decode = Base64.decode(str2.substring(5).getBytes());
                    int isNTLMType = NTLMMessage.isNTLMType(decode);
                    if (isNTLMType == 2) {
                        Type2NTLMMessage type2NTLMMessage = new Type2NTLMMessage(decode);
                        NTLMLogonDetails nTLMLogonDetails2 = new NTLMLogonDetails();
                        nTLMLogonDetails2.setType2Message(type2NTLMMessage);
                        httpSession.setAttribute(NTLM_AUTH_DETAILS, nTLMLogonDetails2);
                        if (logger.isDebugEnabled()) {
                            logger.debug("Sending NTLM type2 to client - " + type2NTLMMessage);
                        }
                        httpServletResponse.setHeader("WWW-Authenticate", "NTLM " + new String(Base64.encodeBytes(type2NTLMMessage.getBytes(), 8)));
                        httpServletResponse.setStatus(401);
                        httpServletResponse.flushBuffer();
                    } else {
                        if (logger.isDebugEnabled()) {
                            logger.debug("Unexpected NTLM message type from repository: NTLMType" + isNTLMType);
                        }
                        redirectToLoginPage(httpServletRequest, httpServletResponse);
                    }
                }
            } else {
                if (logger.isDebugEnabled()) {
                    logger.debug("Unexpected response from repository: " + call.getStatus().getMessage());
                }
                redirectToLoginPage(httpServletRequest, httpServletResponse);
            }
        } catch (ConnectorServiceException e) {
            throw new AlfrescoRuntimeException("Incorrectly configured endpoint ID: " + this.endpoint);
        }
    }

    private void processType3(Type3NTLMMessage type3NTLMMessage, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession, FilterChain filterChain) throws IOException, ServletException {
        if (logger.isDebugEnabled()) {
            logger.debug("Received type3 " + type3NTLMMessage);
        }
        NTLMLogonDetails nTLMLogonDetails = (NTLMLogonDetails) httpSession.getAttribute(NTLM_AUTH_DETAILS);
        String userId = AuthenticationUtil.getUserId(httpServletRequest);
        String userName = type3NTLMMessage.getUserName();
        String workstation = type3NTLMMessage.getWorkstation();
        String domain = type3NTLMMessage.getDomain();
        boolean z = false;
        if (userId != null && nTLMLogonDetails != null && nTLMLogonDetails.hasNTLMHashedPassword()) {
            byte[] nTLMHash = type3NTLMMessage.getNTLMHash();
            byte[] nTLMHashedPassword = nTLMLogonDetails.getNTLMHashedPassword();
            if (nTLMHash != null && nTLMHash.length == nTLMHashedPassword.length) {
                z = true;
                int i = 0;
                while (true) {
                    if (i >= nTLMHash.length) {
                        break;
                    }
                    if (nTLMHash[i] != nTLMHashedPassword[i]) {
                        z = false;
                        break;
                    }
                    i++;
                }
            }
            if (logger.isDebugEnabled()) {
                logger.debug("Using cached NTLM hash, authenticated = " + z);
            }
            if (z) {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            } else {
                restartAuthProcess(httpSession, httpServletResponse);
                return;
            }
        }
        try {
            Connector connector = this.connectorService.getConnector(this.endpoint, httpSession);
            Response call = connector.call("/touch", new ConnectorContext(null, getConnectionHeaders(connector)), httpServletRequest, (HttpServletResponse) null);
            if (401 == call.getStatus().getCode()) {
                String str = call.getStatus().getHeaders().get("WWW-Authenticate");
                if (str.equals("NTLM")) {
                    httpServletResponse.setHeader("WWW-Authenticate", "NTLM");
                    httpServletResponse.setStatus(401);
                    httpServletResponse.flushBuffer();
                } else {
                    if (logger.isDebugEnabled()) {
                        logger.debug("Unexpected response from repository: WWW-Authenticate:" + str);
                    }
                    redirectToLoginPage(httpServletRequest, httpServletResponse);
                }
            } else if (200 == call.getStatus().getCode() || 307 == call.getStatus().getCode()) {
                if (nTLMLogonDetails == null) {
                    nTLMLogonDetails = new NTLMLogonDetails(userName, workstation, domain, false, null);
                    nTLMLogonDetails.setNTLMHashedPassword(type3NTLMMessage.getNTLMHash());
                    httpSession.setAttribute(NTLM_AUTH_DETAILS, nTLMLogonDetails);
                    if (logger.isDebugEnabled()) {
                        logger.debug("No cached NTLM details, created");
                    }
                } else {
                    nTLMLogonDetails.setDetails(userName, workstation, domain, false, null);
                    nTLMLogonDetails.setNTLMHashedPassword(type3NTLMMessage.getNTLMHash());
                    if (logger.isDebugEnabled()) {
                        logger.debug("Updated cached NTLM details");
                    }
                }
                if (logger.isDebugEnabled()) {
                    logger.debug("User logged on via NTLM, " + nTLMLogonDetails);
                }
                httpSession.setAttribute(UserFactory.SESSION_ATTRIBUTE_KEY_USER_ID, userName);
                httpSession.setAttribute(UserFactory.SESSION_ATTRIBUTE_EXTERNAL_AUTH, Boolean.TRUE);
                filterChain.doFilter(httpServletRequest, httpServletResponse);
            } else {
                if (logger.isDebugEnabled()) {
                    logger.debug("Unexpected response from repository: " + call.getStatus().getMessage());
                }
                redirectToLoginPage(httpServletRequest, httpServletResponse);
            }
        } catch (ConnectorServiceException e) {
            throw new AlfrescoRuntimeException("Incorrectly configured endpoint: " + this.endpoint);
        }
    }

    private void redirectToLoginPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        httpServletRequest.getSession().setAttribute(LOGIN_PAGE_PASSTHROUGH, Boolean.TRUE);
        httpServletResponse.sendRedirect(httpServletRequest.getContextPath());
    }
}
