package com.rsmart.kuali.coeus.hr.rest.authn;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HashSet;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.DatatypeConverter;
import org.kuali.coeus.sys.framework.service.KcServiceLocator;
import org.kuali.rice.core.api.CoreApiServiceLocator;
import org.kuali.rice.core.api.config.property.ConfigContext;
import org.kuali.rice.kim.api.identity.IdentityService;
import org.kuali.rice.kim.api.identity.principal.Principal;
import org.kuali.rice.kim.api.permission.PermissionService;
import org.kuali.rice.kim.api.services.KimApiServiceLocator;
import org.kuali.rice.krad.UserSession;
import org.kuali.rice.krad.service.LegacyDataAdapter;
import org.kuali.rice.krad.util.GlobalVariables;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/rsmart/kuali/coeus/hr/rest/authn/KCBasicAuthFilter.class */
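/**
 * Servlet filter that gates the HR import REST endpoints.
 *
 * <p>Two modes are selected by the {@code auth.core.enabled} configuration property:
 * <ul>
 *   <li><b>Core auth enabled</b>: the filter does not authenticate anyone itself. It only checks
 *       that the principal of the user session already present in {@link GlobalVariables} holds
 *       the {@code KR-IDM / "Modify Entity"} permission.</li>
 *   <li><b>Core auth disabled</b>: the filter performs HTTP Basic authentication, either against
 *       one fixed username/password pair from configuration (mapped to a configured run-as
 *       principal) or against KIM, optionally restricted to the {@code hrUsers} allow list.</li>
 * </ul>
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>HTTP Basic sends the password base64-encoded, not encrypted; this filter does not check
 *       that the request arrived over TLS, so transport protection must be enforced elsewhere.</li>
 *   <li>In Basic mode the permission check of the core-auth branch is not applied; access is
 *       limited only by the fixed credentials or by the {@code hrUsers} allow list.</li>
 *   <li>NOTE(review): the session stored through {@link GlobalVariables#setUserSession} is not
 *       cleared after the chain returns. If that storage is bound to the (pooled) request thread,
 *       confirm that something else resets it before the thread serves another request.</li>
 * </ul>
 */
public class KCBasicAuthFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(KCBasicAuthFilter.class);
    private static final String IMPORT_AUTHN_USER = "hrimport.authn.username";
    private static final String IMPORT_AUTHN_PASS = "hrimport.authn.password";
    private static final String IMPORT_AUTHN_RUN_AS = "hrimport.authn.runas";
    private static final String CORE_AUTH_ENABLED = "auth.core.enabled";
    private static final String PERMISSION_NAMESPACE = "KR-IDM";
    private static final String PERMISSION_NAME = "Modify Entity";
    private static final String AUTH_HEADER = "Authorization";
    protected LegacyDataAdapter legacyDataAdapter = null;
    protected IdentityService identityService = null;
    protected PermissionService permissionService = null;
    // Allow list built by init(); null means "no restriction configured".
    protected HashSet<String> authorizedUsers = null;
    // Not read by this class (the getters below go to the configuration each time); kept because
    // the fields are protected and subclasses may reference them.
    protected String username = null;
    protected String password = null;
    protected String runAs = null;

    /**
     * Returns the legacy data adapter, looking it up through {@link KcServiceLocator} on first use.
     */
    public LegacyDataAdapter getLegacyDataAdapter() {
        if (this.legacyDataAdapter == null) {
            this.legacyDataAdapter = (LegacyDataAdapter) KcServiceLocator.getService("legacyDataAdapter");
        }
        return this.legacyDataAdapter;
    }

    public void setLegacyDataAdapter(LegacyDataAdapter legacyDataAdapter) {
        this.legacyDataAdapter = legacyDataAdapter;
    }

    /**
     * Returns the KIM identity service, looking it up on first use.
     */
    public IdentityService getIdentityService() {
        if (this.identityService == null) {
            this.identityService = KimApiServiceLocator.getIdentityService();
        }
        return this.identityService;
    }

    public void setIdentityService(IdentityService identityService) {
        this.identityService = identityService;
    }

    /** Returns the fixed import username from configuration, or {@code null} when unset. */
    protected String getUsername() {
        return ConfigContext.getCurrentContextConfig().getProperty(IMPORT_AUTHN_USER);
    }

    /**
     * Returns the fixed import password from configuration, or {@code null} when unset.
     * The value is compared directly with the client-supplied password, so it is stored in the
     * configuration as-is; protect that configuration source accordingly.
     */
    protected String getPassword() {
        return ConfigContext.getCurrentContextConfig().getProperty(IMPORT_AUTHN_PASS);
    }

    /** Returns the principal name the fixed credentials run as, or {@code null} when unset. */
    protected String getRunAsUser() {
        return ConfigContext.getCurrentContextConfig().getProperty(IMPORT_AUTHN_RUN_AS);
    }

    /** Returns the value of the {@code auth.core.enabled} configuration property. */
    protected Boolean isCoreAuthEnabled() {
        return ConfigContext.getCurrentContextConfig().getBooleanProperty(CORE_AUTH_ENABLED);
    }

    /**
     * Checks whether the given principal holds the {@code KR-IDM / "Modify Entity"} permission.
     *
     * @param str principal id to check
     * @return the permission service's answer, boxed
     */
    protected Boolean doesUserHavePermission(String str) {
        return Boolean.valueOf(getPermissionService().hasPermission(str, PERMISSION_NAMESPACE, PERMISSION_NAME));
    }

    /**
     * Authenticates the supplied Basic credentials and, on success, installs a user session.
     *
     * <p>When a fixed username, password and run-as user are all configured, only that pair is
     * accepted and the session is created for the run-as principal; there is no fall-back to KIM
     * for other credentials. Otherwise the credentials are checked against KIM, after the
     * {@code hrUsers} allow list (when one was configured).
     *
     * @param str  username supplied by the client
     * @param str2 password supplied by the client
     * @return the new session, or {@code null} when authentication fails
     * @throws GeneralSecurityException propagated from hashing the password for the KIM lookup
     */
    protected UserSession authenticateKCUser(String str, String str2) throws GeneralSecurityException {
        Principal principal = null;
        String fixedUser = getUsername();
        String fixedPass = getPassword();
        String runAsUser = getRunAsUser();
        if (fixedUser == null || fixedPass == null) {
            LOG.debug("no fixed username and password configured: authenticating against KIM\n configure hrimport.authn.username, hrimport.authn.password, and hrimport.authn.runas to authentication against fixed credentials");
        } else if (runAsUser == null) {
            LOG.error("no runas user set! Fixed credentials cannot be used without it. Please configure hrimport.authn.runas to indicate the valid KIM user to use for import");
        } else {
            // Evaluate both comparisons unconditionally (non-short-circuit '&') and compare with
            // MessageDigest.isEqual, so the response time does not reveal which field was wrong
            // or how many leading characters of the secret matched.
            boolean userMatches = constantTimeEquals(fixedUser, str);
            boolean passMatches = constantTimeEquals(fixedPass, str2);
            if (!(userMatches & passMatches)) {
                return null;
            }
            LOG.debug("user authenticated against fixed username and password");
            principal = getIdentityService().getPrincipalByPrincipalName(runAsUser);
            if (principal == null) {
                LOG.error("could not retrieve runas user '" + runAsUser + "' -- user cannot authenitcate!");
                return null;
            }
        }
        if (principal == null) {
            if (this.authorizedUsers != null && !this.authorizedUsers.contains(str)) {
                LOG.debug(sanitizeForLog(str) + " is not in the authorized users list: aborting authentication");
                return null;
            }
            principal = getIdentityService().getPrincipalByPrincipalNameAndPassword(str, CoreApiServiceLocator.getEncryptionService().hash(str2));
        }
        if (principal == null) {
            LOG.debug("unable to retrieve user " + sanitizeForLog(str) + " with the supplied password");
            return null;
        }
        UserSession userSession = new UserSession(principal.getPrincipalName());
        GlobalVariables.setUserSession(userSession);
        return userSession;
    }

    /**
     * Applies the access check described on the class and either continues the chain or answers
     * with an error status.
     *
     * <p>Responses: 401 when the caller is not authenticated (Basic mode, with a
     * {@code WWW-Authenticate} challenge) or lacks the permission (core-auth mode), 500 when the
     * authentication back end raises a {@link GeneralSecurityException}.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        String header = httpServletRequest.getHeader(AUTH_HEADER);
        if (Boolean.TRUE.equals(isCoreAuthEnabled())) {
            // A missing session is treated as "no permission" instead of failing with a
            // NullPointerException on getPrincipalId().
            UserSession currentSession = GlobalVariables.getUserSession();
            if (currentSession != null && Boolean.TRUE.equals(doesUserHavePermission(currentSession.getPrincipalId()))) {
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
            LOG.error("user does not have approriate permission for access the hr-import server");
            // Status kept at 401 for existing clients, although no challenge is sent on this path.
            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        UserSession userSession = null;
        String[] credentials = parseBasicCredentials(header);
        if (credentials != null) {
            try {
                userSession = authenticateKCUser(credentials[0], credentials[1]);
            } catch (GeneralSecurityException e) {
                LOG.error("security exception encountered during authentication", e);
                httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                return;
            }
        }
        if (userSession != null) {
            LOG.debug("authenticated user: '" + userSession.getPrincipalName() + "'");
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            LOG.debug("user is not authenticated");
            // The challenge header is named WWW-Authenticate; the previous "WWW-Authentication"
            // is not a header clients recognise, so they were never prompted for credentials.
            httpServletResponse.setHeader("WWW-Authenticate", "Basic realm=\"" + httpServletRequest.getRequestURI() + "\"");
            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    /**
     * Reads the optional {@code hrUsers} init parameter, a comma-separated list of principal
     * names allowed to authenticate against KIM. Entries are trimmed and blank entries skipped.
     *
     * <p>When the parameter is absent or empty no restriction applies. A value made up only of
     * separators (for example {@code ","}) also leaves the list unrestricted, because splitting
     * it yields no entries; review the deployment descriptor if a restriction is intended.
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String initParameter = filterConfig.getInitParameter("hrUsers");
        if (initParameter == null || initParameter.isEmpty()) {
            return;
        }
        String[] names = initParameter.split(",");
        if (names.length > 0) {
            StringBuilder message = new StringBuilder("HR import authorized users resricted to: ");
            String separator = "";
            this.authorizedUsers = new HashSet<>(names.length);
            for (String rawName : names) {
                // "alice, bob" must match the principal "bob", not " bob".
                String name = rawName.trim();
                if (name.isEmpty()) {
                    continue;
                }
                message.append(separator).append(name);
                separator = ",";
                this.authorizedUsers.add(name);
            }
            LOG.debug(message.toString());
        }
    }

    @Override
    public void destroy() {
    }

    /**
     * Returns the KIM permission service, looking it up through {@link KcServiceLocator} on
     * first use.
     */
    public PermissionService getPermissionService() {
        if (this.permissionService == null) {
            this.permissionService = (PermissionService) KcServiceLocator.getService(PermissionService.class);
        }
        return this.permissionService;
    }

    public void setPermissionService(PermissionService permissionService) {
        this.permissionService = permissionService;
    }

    /**
     * Extracts username and password from an {@code Authorization: Basic ...} header value.
     *
     * <p>The decoded value is split at the FIRST colon only, so passwords containing ':' are
     * kept intact. Malformed input (wrong scheme, undecodable base64, no colon, empty username
     * or empty password) yields {@code null}, which the caller answers with 401, rather than an
     * unchecked exception.
     *
     * @return a two-element array {username, password}, or {@code null} when unusable
     */
    private static String[] parseBasicCredentials(String header) {
        if (header == null) {
            return null;
        }
        String[] parts = header.split("\\s+");
        if (parts.length != 2 || !"basic".equalsIgnoreCase(parts[0])) {
            return null;
        }
        byte[] raw;
        try {
            raw = DatatypeConverter.parseBase64Binary(parts[1]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        if (raw == null) {
            return null;
        }
        // Decode with a fixed charset so the result does not depend on the JVM default.
        // NOTE(review): UTF-8 is assumed; confirm no client sends non-ASCII credentials in
        // another encoding.
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');
        if (colon <= 0 || colon == decoded.length() - 1) {
            return null;
        }
        return new String[] {decoded.substring(0, colon), decoded.substring(colon + 1)};
    }

    /**
     * Compares a configured secret with a client-supplied value using
     * {@link MessageDigest#isEqual(byte[], byte[])} instead of {@link String#equals(Object)}.
     *
     * @return {@code false} when {@code supplied} is {@code null}
     */
    private static boolean constantTimeEquals(String expected, String supplied) {
        if (supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), supplied.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Replaces line breaks in a client-supplied value before it is written to the log, so a
     * crafted username cannot start a forged log entry.
     */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return null;
        }
        return value.replace('\r', '_').replace('\n', '_');
    }
}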
