package com.liferay.portal.servlet.filters.authverifier;

import com.liferay.portal.kernel.atom.AtomCollectionAdapter;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.security.access.control.AccessControlUtil;
import com.liferay.portal.kernel.security.auth.AccessControlContext;
import com.liferay.portal.kernel.security.auth.verifier.AuthVerifierResult;
import com.liferay.portal.kernel.servlet.ProtectedServletRequest;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.Http;
import com.liferay.portal.kernel.util.HttpUtil;
import com.liferay.portal.kernel.util.MapUtil;
import com.liferay.portal.kernel.util.StringBundler;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.security.auth.AuthVerifierPipeline;
import com.liferay.portal.servlet.filters.BasePortalFilter;
import com.liferay.portal.util.PropsUtil;
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:com/liferay/portal/servlet/filters/authverifier/AuthVerifierFilter.class */
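/**
 * Servlet filter that runs the auth verifier pipeline for a request before
 * it reaches the rest of the filter chain.
 *
 * <p>Three gates are applied in order: a remote-host allow list
 * ({@code hosts.allowed}), an optional HTTPS requirement
 * ({@code https.required}), and credential verification through
 * {@link AccessControlUtil#verifyRequest()}. The chain is continued only when
 * verification reports {@code SUCCESS}; in every other case the request stops
 * here.</p>
 */
public class AuthVerifierFilter extends BasePortalFilter {
    private static final Log _log = LogFactoryUtil.getLog(AuthVerifierFilter.class.getName());
    private boolean _httpsRequired;
    private final Set<String> _hostsAllowed = new HashSet<>();
    private final Map<String, Object> _initParametersMap = new HashMap<>();

    /**
     * Collects the filter configuration.
     *
     * <p>Init parameters are copied into the settings map first. When
     * {@code portal_property_prefix} is set, the portal properties found
     * under that prefix are layered on top, so a portal property overrides
     * an init parameter of the same name. {@code hosts.allowed} and
     * {@code https.required} are then pulled out into dedicated fields and
     * removed from the map; whatever remains is handed to the access control
     * context as verifier settings on every request.</p>
     *
     * @param filterConfig the container-supplied filter configuration
     */
    public void init(FilterConfig filterConfig) {
        super.init(filterConfig);

        Enumeration<String> parameterNames = filterConfig.getInitParameterNames();
        while (parameterNames.hasMoreElements()) {
            String parameterName = parameterNames.nextElement();
            this._initParametersMap.put(parameterName, filterConfig.getInitParameter(parameterName));
        }

        String portalPropertyPrefix = GetterUtil.getString(this._initParametersMap.get("portal_property_prefix"));
        if (Validator.isNotNull(portalPropertyPrefix)) {
            // NOTE(review): the boolean presumably strips the prefix from the returned keys; confirm against PropsUtil.
            for (Map.Entry<Object, Object> property : PropsUtil.getProperties(portalPropertyPrefix, true).entrySet()) {
                this._initParametersMap.put((String) property.getKey(), property.getValue());
            }
        }

        if (this._initParametersMap.containsKey("hosts.allowed")) {
            // NOTE(review): how AccessControlUtil.isAccessAllowed treats an empty set is not visible here;
            // confirm whether a blank hosts.allowed means "no restriction" or "deny all".
            for (String allowedHost : StringUtil.split((String) this._initParametersMap.get("hosts.allowed"))) {
                this._hostsAllowed.add(allowedHost);
            }
            this._initParametersMap.remove("hosts.allowed");
        }

        if (this._initParametersMap.containsKey("https.required")) {
            this._httpsRequired = GetterUtil.getBoolean(this._initParametersMap.get("https.required"));
            this._initParametersMap.remove("https.required");
        }

        if (this._initParametersMap.containsKey("use_permission_checker")) {
            // The setting is dropped, not honoured, so it never reaches the verifier settings.
            this._initParametersMap.remove("use_permission_checker");
            if (_log.isWarnEnabled()) {
                _log.warn("use_permission_checker is deprecated");
            }
        }
    }

    /**
     * Applies the host and HTTPS gates, verifies the request, and continues
     * the chain as the verified user.
     *
     * <p>For any state other than {@code SUCCESS} the chain is not invoked
     * and this method writes nothing to the response itself. Whether a
     * verifier has already written a challenge or error is not visible from
     * this class.</p>
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response, used for the 403 and the HTTPS redirect
     * @param filterChain the remaining filter chain
     * @throws Exception if a gate, the verifier pipeline or the chain fails
     */
    protected void processFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws Exception {
        // Short-circuit order matters: a denied host must not receive the HTTPS redirect.
        if (!_isAccessAllowed(httpServletRequest, httpServletResponse) || _isApplySSL(httpServletRequest, httpServletResponse)) {
            return;
        }

        AccessControlUtil.initAccessControlContext(httpServletRequest, httpServletResponse, this._initParametersMap);
        AuthVerifierResult.State state = AccessControlUtil.verifyRequest();
        AccessControlContext accessControlContext = AccessControlUtil.getAccessControlContext();
        AuthVerifierResult authVerifierResult = accessControlContext.getAuthVerifierResult();

        if (_log.isDebugEnabled()) {
            // NOTE(review): this prints AuthVerifierResult.toString(); confirm it does not render
            // credentials or tokens before enabling debug logging on a production node.
            _log.debug("Auth verifier result " + authVerifierResult);
        }

        if (state == AuthVerifierResult.State.INVALID_CREDENTIALS) {
            if (_log.isDebugEnabled()) {
                _log.debug("Result state doesn't allow us to continue.");
            }
            return;
        }
        if (state == AuthVerifierResult.State.NOT_APPLICABLE) {
            _log.error("Invalid state " + state);
            return;
        }
        if (state != AuthVerifierResult.State.SUCCESS) {
            // Fail closed on any state this filter does not know how to handle.
            _log.error("Unimplemented state " + state);
            return;
        }

        long userId = authVerifierResult.getUserId();
        AccessControlUtil.initContextUser(userId);

        // Downstream code sees the verified user id and auth type through the wrapped request.
        String authType = MapUtil.getString(accessControlContext.getSettings(), AuthVerifierPipeline.AUTH_TYPE);
        ProtectedServletRequest protectedServletRequest = new ProtectedServletRequest(httpServletRequest, String.valueOf(userId), authType);
        accessControlContext.setRequest(protectedServletRequest);

        processFilter(getClass().getName(), protectedServletRequest, httpServletResponse, filterChain);
    }

    /**
     * Checks the request against the configured host allow list and answers
     * 403 when it is rejected.
     *
     * @return {@code true} if the request may proceed; {@code false} after a
     *         403 has been sent
     * @throws IOException if the error response cannot be sent
     */
    private boolean _isAccessAllowed(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        // NOTE(review): getRemoteAddr() is the direct peer; behind a reverse proxy that is the
        // proxy's address unless the container rewrites it. Confirm the deployment before
        // relying on hosts.allowed as an access control.
        String remoteAddr = httpServletRequest.getRemoteAddr();

        if (AccessControlUtil.isAccessAllowed(httpServletRequest, this._hostsAllowed)) {
            if (_log.isDebugEnabled()) {
                _log.debug("Access allowed for " + remoteAddr);
            }
            return true;
        }

        if (_log.isWarnEnabled()) {
            _log.warn("Access denied for " + remoteAddr);
        }
        // Use the servlet API constant; the decompiled source borrowed the same value from an unrelated Atom class.
        httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Access denied for " + remoteAddr);
        return false;
    }

    /**
     * Redirects a plain-HTTP request to HTTPS when {@code https.required} is
     * enabled.
     *
     * <p>The target is rebuilt from the server name, servlet path and query
     * string only; the port and any extra path info are not carried over.</p>
     *
     * @return {@code true} if a redirect was sent and processing must stop;
     *         {@code false} if the request may proceed
     * @throws IOException if the redirect cannot be sent
     */
    private boolean _isApplySSL(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (!this._httpsRequired || httpServletRequest.isSecure()) {
            return false;
        }

        if (_log.isDebugEnabled()) {
            // NOTE(review): the complete URL includes the query string, which may carry tokens; keep debug logs access-controlled.
            _log.debug("Securing " + HttpUtil.getCompleteURL(httpServletRequest));
        }

        StringBundler redirectBuilder = new StringBundler(5);
        redirectBuilder.append(Http.HTTPS_WITH_SLASH);
        // getServerName() normally reflects the client's Host header, so the redirect host is
        // client-influenced; the front end should reject unknown Host values.
        redirectBuilder.append(httpServletRequest.getServerName());
        redirectBuilder.append(httpServletRequest.getServletPath());

        String queryString = httpServletRequest.getQueryString();
        if (Validator.isNotNull(queryString)) {
            redirectBuilder.append("?");
            redirectBuilder.append(queryString);
        }

        String redirectUrl = redirectBuilder.toString();
        if (_log.isDebugEnabled()) {
            _log.debug("Redirect to " + redirectUrl);
        }
        httpServletResponse.sendRedirect(redirectUrl);
        return true;
    }
}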
