package com.terracotta.management.security.shiro.web.filter;

import com.terracotta.management.keychain.URIKeyName;
import com.terracotta.management.security.HMACBuilder;
import com.terracotta.management.security.IACredentials;
import com.terracotta.management.security.InvalidIAInteractionException;
import com.terracotta.management.security.KeyChainAccessor;
import com.terracotta.management.security.SSLContextFactory;
import com.terracotta.management.security.shiro.IdentityAssertionToken;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.MediaType;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.config.Ini;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.terracotta.management.ServiceLocator;
import org.terracotta.management.resource.ErrorEntity;
import org.terracotta.management.resource.exceptions.ExceptionUtils;

/* loaded from: input_file:ehcache/ehcache-ee-2.10.2.2.15.jar/rest-management-private-classpath/com/terracotta/management/security/shiro/web/filter/TCIdentityAssertionFilter.class_terracotta */
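/**
 * Shiro filter that authenticates identity-assertion (IA) requests from a security-enabled peer.
 * <p>
 * Every request is treated as access-denied ({@link #isAccessAllowed} is always {@code false}), so the
 * flow is always: {@link #onAccessDenied} validates the IA headers, stages an {@link IACredentials}
 * keyed by the request ticket, and runs Shiro's login; {@link #createToken} then consumes that staged
 * entry and wraps it in an {@link IdentityAssertionToken}. Any validation or login failure is answered
 * with an HTTP 401 carrying a JSON error body.
 * <p>
 * When the SSL context reports client-certificate authentication, only the ticket and identity-token
 * headers are required; otherwise the request must also carry an alias and an HMAC signature over
 * (ticket, token, alias) computed with the keychain secret registered for that alias.
 * <p>
 * NOTE(review): nothing in this class checks a nonce or expiry on the ticket/signature pair; whether
 * replay of a captured request is mitigated elsewhere cannot be determined from this file.
 */
public final class TCIdentityAssertionFilter extends AuthenticatingFilter {
    private static final Logger LOG = LoggerFactory.getLogger(TCIdentityAssertionFilter.class);
    private static final String INVALID_IA_REQ = "Request received from host '%s' is missing the required IA parameters. This services has security enabled and thus requires communications partners with security enabled (e.g. an unlicensed TMS cannot connect to Enterprise Ehcache REST Agent with security enabled). Connection refused.";
    // Credentials staged by onAccessDenied and consumed by createToken, keyed by the request ticket header.
    // Two concurrent requests presenting the same ticket would overwrite each other here; the ticket is
    // presumably unique per request - confirm with the caller side.
    private final Map<String, IACredentials> credentialsByReqTicket = new ConcurrentHashMap<String, IACredentials>();
    private final KeyChainAccessor keyChainAccessor = (KeyChainAccessor) ServiceLocator.locate(KeyChainAccessor.class);
    // True when the SSL layer already authenticates the peer via client certificate; the HMAC check is then skipped.
    private final boolean usingClientAuth;

    /**
     * Creates the filter, reading the client-auth setting from the located {@link SSLContextFactory}
     * (treated as "no client auth" when none is registered).
     *
     * @throws MalformedURLException declared for the {@link ServiceLocator} lookup; not thrown by this body
     * @throws URISyntaxException    declared for the {@link ServiceLocator} lookup; not thrown by this body
     */
    public TCIdentityAssertionFilter() throws MalformedURLException, URISyntaxException {
        SSLContextFactory sslContextFactory = (SSLContextFactory) ServiceLocator.locate(SSLContextFactory.class);
        this.usingClientAuth = sslContextFactory != null && sslContextFactory.isUsingClientAuth();
    }

    /**
     * Builds the authentication token from the credentials staged by {@link #onAccessDenied} for this
     * request's ticket, removing them from the staging map.
     *
     * @throws IllegalStateException if no credentials were staged for the ticket (a programming error,
     *                               since onAccessDenied always stages them first)
     */
    @Override // org.apache.shiro.web.filter.authc.AuthenticatingFilter
    protected AuthenticationToken createToken(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
        String ticket = ((HttpServletRequest) servletRequest).getHeader(IACredentials.REQ_TICKET);
        // ConcurrentHashMap rejects null keys; route a missing header to the same "no credentials" failure instead of an NPE.
        IACredentials staged = ticket == null ? null : this.credentialsByReqTicket.remove(ticket);
        if (staged == null) {
            throw new IllegalStateException(String.format("BUG Alert! No credentials found for security service authentication for request ticket '%s'.", ticket));
        }
        return new IdentityAssertionToken(staged);
    }

    /**
     * Validates the IA headers, stages the credentials for {@link #createToken} and performs the login.
     *
     * @return {@code true} if the login succeeded and the filter chain may continue; {@code false} once a
     *         401 response has been written
     */
    @Override // org.apache.shiro.web.filter.AccessControlFilter
    public boolean onAccessDenied(ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        try {
            validateInitialRequest(request);
        } catch (InvalidIAInteractionException e) {
            setResponse401(servletResponse, e);
            return false;
        }
        IACredentials credentials = new IACredentials();
        credentials.setRequestTicket(request.getHeader(IACredentials.REQ_TICKET));
        credentials.setIdentityToken(request.getHeader(IACredentials.TC_ID_TOKEN));
        credentials.setRequestAlias(request.getHeader(IACredentials.ALIAS));
        credentials.setUsingClientCertAuth(this.usingClientAuth);
        // Non-null: validateInitialRequest rejects requests without a ticket header.
        String ticket = credentials.getRequestTicket();
        this.credentialsByReqTicket.put(ticket, credentials);
        try {
            return executeLogin(servletRequest, servletResponse);
        } finally {
            // createToken normally consumes the entry; this prevents a stale entry if executeLogin fails before it does.
            this.credentialsByReqTicket.remove(ticket);
        }
    }

    /** Always denies, so every request goes through {@link #onAccessDenied} and is authenticated afresh. */
    @Override // org.apache.shiro.web.filter.authc.AuthenticatingFilter, org.apache.shiro.web.filter.authc.AuthenticationFilter, org.apache.shiro.web.filter.AccessControlFilter
    public boolean isAccessAllowed(ServletRequest servletRequest, ServletResponse servletResponse, Object obj) {
        return false;
    }

    /** A successful login lets the chain continue; no redirect or session handling is done here. */
    @Override // org.apache.shiro.web.filter.authc.AuthenticatingFilter
    protected boolean onLoginSuccess(AuthenticationToken authenticationToken, Subject subject, ServletRequest servletRequest, ServletResponse servletResponse) throws Exception {
        return true;
    }

    /** A failed login is answered with a 401 JSON error and stops the chain. */
    @Override // org.apache.shiro.web.filter.authc.AuthenticatingFilter
    protected boolean onLoginFailure(AuthenticationToken authenticationToken, AuthenticationException authenticationException, ServletRequest servletRequest, ServletResponse servletResponse) {
        setResponse401(servletResponse, authenticationException);
        return false;
    }

    /**
     * Checks that the request carries the IA headers this deployment requires and, unless client-cert
     * auth is in use, that the signature header matches the HMAC over (ticket, token, alias).
     *
     * @throws InvalidIAInteractionException if a required header is missing, the alias has no keychain
     *                                       entry, or the signature does not verify
     */
    private void validateInitialRequest(HttpServletRequest request) throws InvalidIAInteractionException {
        String ticket = request.getHeader(IACredentials.REQ_TICKET);
        String identityToken = request.getHeader(IACredentials.TC_ID_TOKEN);
        if (ticket == null || identityToken == null) {
            throw new InvalidIAInteractionException(String.format(INVALID_IA_REQ, request.getRemoteAddr()));
        }
        if (this.usingClientAuth) {
            // The TLS layer has already authenticated the peer; no application-level signature is required.
            return;
        }
        String signature = request.getHeader(IACredentials.SIGNATURE);
        String alias = request.getHeader(IACredentials.ALIAS);
        if (alias == null || signature == null) {
            throw new InvalidIAInteractionException(String.format(INVALID_IA_REQ, request.getRemoteAddr()));
        }
        verifySignature(request, ticket, identityToken, alias, signature);
    }

    /**
     * Verifies {@code signature} (Base64) against the HMAC of (ticket, token, alias) keyed by the
     * keychain secret for {@code alias}, using a constant-time comparison.
     *
     * @throws InvalidIAInteractionException if the signature cannot be decoded, the alias has no keychain
     *                                       entry, or the HMAC does not match
     * @throws IllegalStateException         if the alias is not a valid URI or the HMAC cannot be built
     *                                       (both indicate a configuration/programming error, not bad input)
     */
    private void verifySignature(HttpServletRequest request, String ticket, String identityToken, String alias, String signature)
            throws InvalidIAInteractionException {
        byte[] presented;
        try {
            presented = Base64.decode(signature);
        } catch (RuntimeException e) {
            // The decoder's behaviour on malformed input is not pinned here; treat any decode failure as bad input (401), not a 500.
            throw new InvalidIAInteractionException(String.format("Possible IA request forgery detected from %s!", request.getRemoteAddr()));
        }
        if (presented == null) {
            throw new InvalidIAInteractionException(String.format("Possible IA request forgery detected from %s!", request.getRemoteAddr()));
        }
        try {
            URIKeyName keyName = new URIKeyName(alias);
            byte[] secret = this.keyChainAccessor.retrieveSecret(keyName);
            if (secret == null) {
                throw new InvalidIAInteractionException("Missing keychain entry for URL [" + keyName + Ini.SECTION_SUFFIX);
            }
            // Component order (ticket, token, alias) is part of the wire contract with the signing peer.
            byte[] expected = HMACBuilder.getInstance(secret)
                    .addMessageComponent(ticket)
                    .addMessageComponent(identityToken)
                    .addMessageComponent(alias)
                    .build();
            // MessageDigest.isEqual is constant-time, which keeps the comparison from leaking the expected MAC.
            if (!MessageDigest.isEqual(presented, expected)) {
                throw new InvalidIAInteractionException(String.format("Possible IA request forgery detected from %s!", request.getRemoteAddr()));
            }
        } catch (URISyntaxException e) {
            throw new IllegalStateException("BUG Alert! Unable to determine uri alias for obtaining the key material to sign the hash.", e);
        } catch (InvalidKeyException e) {
            throw new IllegalStateException("BUG Alert! Failed to create signed hash.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("BUG Alert! Failed to create signed hash.", e);
        }
    }

    /**
     * Writes a 401 response whose body is the JSON form of {@code cause}.
     * Status and content type are set before the body is written, since they are ignored once the
     * response has been committed.
     */
    private void setResponse401(ServletResponse servletResponse, Throwable cause) {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        ErrorEntity errorEntity = ExceptionUtils.toErrorEntity(cause);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType(MediaType.APPLICATION_JSON);
        // Without an explicit charset the writer falls back to the container default; JSON is UTF-8 by specification.
        response.setCharacterEncoding("UTF-8");
        try {
            response.getWriter().print(errorEntity.toJSON());
        } catch (IOException e) {
            // Passing the exception as the last argument lets SLF4J log the stack trace.
            LOG.warn("Unable to add error message '{}' to HTTP 401 response", errorEntity, e);
        }
    }
}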
