package weblogic.security.internal;

import java.io.IOException;
import java.security.Principal;
import java.util.Locale;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import weblogic.security.principal.IdentityDomainPrincipal;
import weblogic.security.providers.authentication.IDCSFilterAccess;
import weblogic.security.providers.authentication.IDCSFilterService;
import weblogic.security.shared.LoggerWrapper;
import weblogic.servlet.security.ServletAuthentication;

/* loaded from: input_file:weblogic/security/internal/IDCSSessionSynchronizationFilter.class */
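/**
 * Servlet filter that checks whether the identity already attached to the request
 * ({@link HttpServletRequest#getUserPrincipal()}) still agrees with the remote user and
 * tenant that the configured {@link IDCSFilterService} reports for the same request.
 *
 * <p>When the two disagree, the filter invalidates the local session and redirects the
 * client back to the URL it asked for. When the check does not apply (filter disabled,
 * request not authenticated, or client-cert-only mode with another auth type) the request
 * is passed down the chain untouched.
 *
 * <p>Tenant names are always compared case-insensitively; the service's "match case"
 * setting only affects the user-name comparison.
 */
public class IDCSSessionSynchronizationFilter implements Filter {
    /** Name of the filter init parameter holding the key used to look up the filter service. */
    public static final String IDCSFILTER_SERVICE_KEY_PARAM = "FilterServiceKey";

    private static final LoggerWrapper LOGGER = LoggerWrapper.getInstance("SecurityAtn");
    // Keys read from the map returned by IDCSFilterService.getRemoteUserTenant().
    private static final String USER_KEY = "USER";
    private static final String TENANT_KEY = "TENANT";

    // Set once in init(); used on every request to look up the filter service.
    private String idcsFilterServiceKey = null;

    /** Returns true only when a logger is available and has debug output switched on. */
    private boolean isDebugEnabled() {
        return LOGGER != null && LOGGER.isDebugEnabled();
    }

    /**
     * Replaces CR and LF so that a value taken from the request cannot start a new,
     * forged line in the debug log. {@code null} is returned unchanged and therefore
     * still prints as "null" when concatenated.
     */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return null;
        }
        return value.replace('\r', '_').replace('\n', '_');
    }

    /**
     * Reads the mandatory {@value #IDCSFILTER_SERVICE_KEY_PARAM} init parameter.
     *
     * @param filterConfig configuration supplied by the container
     * @throws ServletException if the init parameter is absent
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.idcsFilterServiceKey = filterConfig.getInitParameter(IDCSFILTER_SERVICE_KEY_PARAM);
        if (this.idcsFilterServiceKey == null) {
            throw new ServletException("No FilterServiceKey parameter specified");
        }
        // A missing service is not fatal here: doFilter() looks the service up again on
        // every request and passes the request through while none is registered.
        if (IDCSFilterAccess.getInstance().getFilterService(this.idcsFilterServiceKey) == null && isDebugEnabled()) {
            LOGGER.debug("No IDCSIntegratorProvider configured in realm " + this.idcsFilterServiceKey);
        }
    }

    /** No resources to release. */
    @Override
    public void destroy() {
    }

    /**
     * Runs the synchronization check and either continues the chain or invalidates the
     * session and redirects.
     *
     * @param servletRequest  incoming request; cast to {@link HttpServletRequest} once the
     *                        filter is known to be enabled
     * @param servletResponse response used for the redirect on a mismatch
     * @param filterChain     remainder of the chain, invoked when no mismatch is found
     * @throws IOException      from the chain or from sending the redirect
     * @throws ServletException from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        IDCSFilterService filterService = IDCSFilterAccess.getInstance().getFilterService(this.idcsFilterServiceKey);
        if (filterService == null || !filterService.isSyncFilterEnabled()) {
            if (isDebugEnabled()) {
                LOGGER.debug("Ignoring synchronization check since IDCS sync filter is not enabled. ");
            }
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        boolean clientCertOnly = filterService.getSyncFilterClientCertOnly();
        boolean clientCert = isClientCert(httpServletRequest);
        if (clientCertOnly && !clientCert) {
            if (isDebugEnabled()) {
                LOGGER.debug("Ignoring synchronization check as request authentication type is not CLIENT CERT.");
            }
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        boolean matchCase = filterService.getSyncFilterMatchCase();
        if (!isAuthenticated(httpServletRequest)) {
            if (isDebugEnabled()) {
                LOGGER.debug("Ignoring synchronization check as request contains no authenticated Principal.");
            }
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        String remoteUser = null;
        String remoteTenant = null;
        try {
            Map<?, ?> remoteUserTenant = filterService.getRemoteUserTenant(httpServletRequest);
            if (remoteUserTenant != null) {
                remoteUser = (String) remoteUserTenant.get(USER_KEY);
                remoteTenant = (String) remoteUserTenant.get(TENANT_KEY);
            }
            if (isDebugEnabled()) {
                LOGGER.debug("IDCS remote user in the request: " + sanitizeForLog(remoteUser) + " remote tenant: " + sanitizeForLog(remoteTenant));
            }
        } catch (Exception e) {
            // NOTE(review): a failure here is visible only at debug level and leaves
            // remoteUser null, so the request continues down the chain unless the
            // client-cert / IDCS-session branch below applies. Confirm that failing open
            // is the intended behaviour for this check.
            if (isDebugEnabled()) {
                LOGGER.debug("Exception retrieving remote user from the request header: " + sanitizeForLog(e.getMessage()));
            }
        }

        if (remoteUser != null) {
            // Non-null: isAuthenticated() above already saw a principal on this request.
            Principal userPrincipal = httpServletRequest.getUserPrincipal();
            String currentUser = userPrincipal.getName();
            String currentTenant = null;
            if (userPrincipal instanceof IdentityDomainPrincipal) {
                currentTenant = ((IdentityDomainPrincipal) userPrincipal).getIdentityDomain();
            }
            if (isDebugEnabled()) {
                LOGGER.debug("Synchronization check on request, current user: " + currentUser + " current user tenant: " + currentTenant);
            }

            // Both absent counts as a match; exactly one absent, or different names, is a mismatch.
            boolean tenantMatches = remoteTenant == null
                    ? currentTenant == null
                    : remoteTenant.equalsIgnoreCase(currentTenant);
            if (!tenantMatches) {
                if (isDebugEnabled()) {
                    LOGGER.debug("remote user tenant " + sanitizeForLog(remoteTenant) + " does not match current user tenant " + currentTenant);
                }
                invalidateSessionAndRedirect(httpServletRequest, servletResponse);
                return;
            }

            boolean userMatches = matchCase
                    ? remoteUser.equals(currentUser)
                    : remoteUser.equalsIgnoreCase(currentUser);
            if (!userMatches) {
                if (isDebugEnabled()) {
                    LOGGER.debug("remote user " + sanitizeForLog(remoteUser) + " does not match current session user " + currentUser);
                }
                invalidateSessionAndRedirect(httpServletRequest, servletResponse);
                return;
            }
        } else if (clientCert && filterService.isIDCSSession(httpServletRequest)) {
            // The request is authenticated (checked above) but carries no remote user,
            // while the service still reports an IDCS session: drop the local session.
            if (isDebugEnabled()) {
                LOGGER.debug("Authenticated and session available but remote user is null, invalidate session.");
            }
            invalidateSessionAndRedirect(httpServletRequest, servletResponse);
            return;
        }

        if (isDebugEnabled()) {
            LOGGER.debug("Request has valid session, exiting IDCS filter");
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Reports whether the request's auth type names client-certificate authentication,
     * accepting both the {@code CLIENT_CERT} and {@code CLIENT-CERT} spellings in any case.
     */
    private boolean isClientCert(HttpServletRequest httpServletRequest) {
        String authType = httpServletRequest.getAuthType();
        if (authType == null) {
            return false;
        }
        // Locale.ROOT keeps the case mapping independent of the JVM default locale, so the
        // result of this check cannot vary with the server's language settings.
        String upper = authType.toUpperCase(Locale.ROOT);
        return upper.contains("CLIENT_CERT") || upper.contains("CLIENT-CERT");
    }

    /** Reports whether the container has attached a user principal to the request. */
    private boolean isAuthenticated(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getUserPrincipal() != null;
    }

    /**
     * Drops the caller's session state and redirects the client to the URL it requested
     * (including the query string), so the request is retried without the stale session.
     *
     * @param httpServletRequest request whose session is to be invalidated
     * @param servletResponse    response on which the redirect is sent
     * @throws IOException if the redirect cannot be sent
     */
    private void invalidateSessionAndRedirect(HttpServletRequest httpServletRequest, ServletResponse servletResponse) throws IOException {
        Principal principal = httpServletRequest.getUserPrincipal();
        String name = principal == null ? null : principal.getName();

        HttpSession session = httpServletRequest.getSession(false);
        if (session == null) {
            if (isDebugEnabled()) {
                LOGGER.debug("Unexpected request with JSESSIONID, but no session. Invalidating the JSESSIONID cookie");
            }
            try {
                ServletAuthentication.killCookie(httpServletRequest);
            } catch (Exception e) {
                // Best effort: the redirect below is still sent when the cookie cannot be cleared.
                if (isDebugEnabled()) {
                    LOGGER.debug("Failed to invalidate JSESSIONID cookie " + e.getMessage());
                }
            }
        } else if (isDebugEnabled()) {
            // NOTE(review): this writes the session identifier to the debug log; consider
            // whether the log's readers should be able to see it if invalidation fails.
            LOGGER.debug("Invalidating Session = " + session.getId());
        }

        if (httpServletRequest.isRequestedSessionIdValid()) {
            // Log the outcome in both directions; a failed invalidation means the stale
            // session is still live and is the case an operator most needs to see.
            boolean invalidated = ServletAuthentication.invalidateAll(httpServletRequest);
            if (isDebugEnabled()) {
                if (invalidated) {
                    LOGGER.debug("Invalidated the Lingering Session for user " + name);
                } else {
                    LOGGER.debug("Invalidating session failed for user " + name);
                }
            }
        } else if (isDebugEnabled()) {
            LOGGER.debug("Session already invalidated for user " + name);
        }

        // NOTE(review): the target is rebuilt from getRequestURL(), so its scheme and host
        // are whatever the container derived for this request - presumably from the Host
        // header or front-end configuration; confirm that is constrained upstream. The
        // redirect also does not replay a request body.
        String queryString = httpServletRequest.getQueryString();
        String redirectTarget = httpServletRequest.getRequestURL().toString();
        if (queryString != null) {
            redirectTarget = redirectTarget + "?" + queryString;
        }
        if (isDebugEnabled()) {
            LOGGER.debug("Request URI: " + sanitizeForLog(httpServletRequest.getRequestURI()));
            LOGGER.debug("Request QueryString: " + sanitizeForLog(queryString));
            LOGGER.debug("Redirecting to: " + sanitizeForLog(redirectTarget));
        }
        ((HttpServletResponse) servletResponse).sendRedirect(redirectTarget);
    }
}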
