package org.lamsfoundation.lams.integration.security;

import com.warrenstrange.googleauth.GoogleAuthenticator;
import io.undertow.Handlers;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.session.Session;
import io.undertow.servlet.ServletExtension;
import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.servlet.handlers.ServletRequestContext;
import io.undertow.servlet.spec.HttpSessionImpl;
import io.undertow.util.Headers;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Date;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.math.NumberUtils;
import org.lamsfoundation.lams.usermanagement.User;
import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
import org.lamsfoundation.lams.usermanagement.service.UserManagementService;
import org.lamsfoundation.lams.util.Configuration;
import org.lamsfoundation.lams.util.ConfigurationKeys;
import org.lamsfoundation.lams.util.audit.IAuditService;
import org.lamsfoundation.lams.web.session.SessionManager;
import org.springframework.web.context.support.WebApplicationContextUtils;

/* loaded from: input_file:org/lamsfoundation/lams/integration/security/SsoHandler.class */
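/**
 * Undertow {@link ServletExtension} that wraps the container's form-login endpoint ({@code /j_security_check})
 * with LAMS-specific checks before the request reaches the standard authentication handler: blank or unknown
 * login, account lock-out after repeated failures, the post-login redirect target, and optional
 * GoogleAuthenticator two-factor verification. After the wrapped handler has run, the outcome is recorded on
 * the {@link User} (failed-attempt counter, lock-out time) and in the {@link SessionManager} login registry.
 *
 * <p>Service references are resolved lazily from the Spring web application context and cached in static
 * fields; the lookup is not synchronised, so two concurrent first calls may resolve the (presumably singleton)
 * bean twice, which is harmless.
 */
public class SsoHandler implements ServletExtension {
    private static IAuditService auditService = null;
    private static IUserManagementService userManagementService = null;
    /** Session attribute that Undertow's form authentication reads as the location to redirect to after login. */
    protected static final String SESSION_KEY = "io.undertow.servlet.form.auth.redirect.location";
    /**
     * Set on an earlier session registered for the same login right before that session is removed.
     * NOTE(review): presumably tells the session-removal path not to flush it — confirm in SessionManager.
     */
    public static final String NO_FLUSH_FLAG = "noFlush";
    /**
     * Passwords with this prefix neither trigger the lock-out check nor reset the failed-attempt counter.
     * NOTE(review): looks like an integration/token login convention — confirm where such passwords originate.
     */
    private static final String LAMS_PASSWORD_PREFIX = "#LAMS";

    /**
     * Registers the servlet context with {@link SessionManager} and installs an outer handler chain that
     * intercepts {@code /j_security_check}; every other path goes straight to the wrapped handler.
     *
     * <p>Order of checks on {@code /j_security_check}: blank {@code j_username} or unknown user → login page
     * with {@code failed=true}; active lock-out (unless the password carries {@link #LAMS_PASSWORD_PREFIX}) →
     * login page with {@code lockedOut=true}; optional {@code redirectURL} stored for the post-login redirect;
     * two-factor code verified for users that have it enabled; then the wrapped (container) handler performs the
     * actual credential check and the result is recorded on the user and in the session registry.
     *
     * @param deploymentInfo the Undertow deployment to wrap
     * @param servletContext the servlet context of the deployment
     */
    @Override
    public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
        SessionManager.setServletContext(servletContext);
        deploymentInfo.addOuterHandlerChainWrapper(next -> Handlers.path()
                .addPrefixPath("/", next)
                .addExactPath("/j_security_check", exchange -> {
                    ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
                    HttpServletResponse response = requestContext.getServletResponse();
                    HttpServletRequest request = requestContext.getServletRequest();
                    if (SessionManager.getJvmRoute() == null) {
                        setJvmRoute(request);
                    }
                    HttpSession session = request.getSession();

                    String login = request.getParameter("j_username");
                    if (StringUtils.isBlank(login)) {
                        serveLoginPage(exchange, "/login.jsp?failed=true");
                        return;
                    }
                    User user = getUserManagementService(session.getServletContext()).getUserByLogin(login);
                    if (user == null) {
                        // Same page and flag as for a blank login, so the response does not distinguish unknown users
                        serveLoginPage(exchange, "/login.jsp?failed=true");
                        return;
                    }
                    UserDTO userDTO = user.getUserDTO();
                    String password = request.getParameter("j_password");

                    if (isLockedOut(user) && countsTowardsLockOut(password)) {
                        serveLoginPage(exchange, "/login.jsp?lockedOut=true");
                        return;
                    }

                    String redirectUrl = request.getParameter("redirectURL");
                    if (StringUtils.isNotBlank(redirectUrl)) {
                        handleRedirectBack(requestContext, redirectUrl);
                    }

                    // Two-factor step only for not-yet-authenticated users that have a secret configured.
                    // Boolean.TRUE.equals() treats a null flag as "disabled" instead of throwing.
                    if (request.getRemoteUser() == null
                            && Boolean.TRUE.equals(user.isTwoFactorAuthenticationEnabled())
                            && user.getTwoFactorAuthenticationSecret() != null) {
                        String verificationCode = request.getParameter("verificationCode");
                        // NumberUtils.toInt() maps a missing or non-numeric code to 0 and lets authorize() decide
                        if (!new GoogleAuthenticator().authorize(user.getTwoFactorAuthenticationSecret(),
                                NumberUtils.toInt(verificationCode))) {
                            // The credentials are parked in the session so the 2FA page can resubmit them with the
                            // code; this keeps the plaintext password in session state until the second step completes.
                            session.setAttribute("login", login);
                            session.setAttribute("password", password);
                            // No code at all means the first visit to the 2FA page, not a failed attempt
                            response.sendRedirect("/lams/loginTwoFactorAuth.jsp"
                                    + (verificationCode == null ? "" : "?failed=true"));
                            return;
                        }
                    }

                    // Let the container's form authentication do the actual credential check
                    HttpSession loginSession = request.getSession();
                    SessionManager.startSession(request);
                    next.handleRequest(exchange);

                    if (login.equals(request.getRemoteUser())) {
                        recordSuccessfulLogin(loginSession, user, userDTO, login, password);
                    } else {
                        recordFailedLogin(loginSession.getServletContext(), user, userDTO);
                    }
                    // NOTE(review): not in a finally block, so an exception from the wrapped handler skips this —
                    // confirm whether SessionManager.endSession() must run on that path too.
                    SessionManager.endSession();
                }));
    }

    /** Whether the user's lock-out time is set and still in the future. */
    private static boolean isLockedOut(User user) {
        Date lockOutTime = user.getLockOutTime();
        return lockOutTime != null && lockOutTime.getTime() > System.currentTimeMillis();
    }

    /**
     * Whether a submitted password participates in the lock-out logic at all: {@code null} passwords and
     * passwords carrying {@link #LAMS_PASSWORD_PREFIX} neither enforce an active lock-out nor reset the counter.
     */
    private static boolean countsTowardsLockOut(String password) {
        return password != null && !password.startsWith(LAMS_PASSWORD_PREFIX);
    }

    /**
     * Records a successful container login: publishes the user DTO in the session, supersedes any session already
     * registered for the same login, registers the new one, and clears the failed-attempt counter and lock-out
     * time (unless the password is exempt, see {@link #countsTowardsLockOut(String)}).
     *
     * @param session  the session of the request that just authenticated
     * @param user     the persistent user matching the submitted login
     * @param userDTO  the DTO published under the {@code "user"} session attribute
     * @param login    the submitted {@code j_username}
     * @param password the submitted {@code j_password}, may be {@code null}
     */
    private void recordSuccessfulLogin(HttpSession session, User user, UserDTO userDTO, String login, String password) {
        session.setAttribute("user", userDTO);
        HttpSession previous = SessionManager.getSessionForLogin(login);
        if (previous != null) {
            try {
                previous.setAttribute(NO_FLUSH_FLAG, true);
            } catch (IllegalStateException ignored) {
                // HttpSession.setAttribute throws once the session is invalidated; nothing left to flag then
            }
            SessionManager.removeSessionByLogin(login, true);
        }
        SessionManager.addSession(login, session);
        Integer failedAttempts = user.getFailedAttempts();
        if (failedAttempts != null && failedAttempts > 0 && countsTowardsLockOut(password)) {
            user.setFailedAttempts(null);
            user.setLockOutTime(null);
            getUserManagementService(session.getServletContext()).save(user);
        }
    }

    /**
     * Records a failed container login: increments the user's failed-attempt counter and, once it reaches
     * {@code FAILED_ATTEMPTS}, sets a lock-out time {@code LOCK_OUT_TIME} minutes from now and writes an audit
     * entry. The counter is kept per account, so it is driven by whoever submits that login name.
     *
     * @param servletContext context used to look up the services
     * @param user           the persistent user matching the submitted login
     * @param userDTO        the DTO passed to the audit log
     */
    private void recordFailedLogin(ServletContext servletContext, User user, UserDTO userDTO) {
        Integer previous = user.getFailedAttempts();
        int failedAttempts = previous == null ? 1 : previous + 1;
        user.setFailedAttempts(failedAttempts);
        if (failedAttempts >= Configuration.getAsInt(ConfigurationKeys.FAILED_ATTEMPTS)) {
            int lockOutMinutes = Configuration.getAsInt(ConfigurationKeys.LOCK_OUT_TIME);
            // Multiply in long: the previous int arithmetic overflowed for lock-out times above ~35791 minutes
            long lockOutMillis = lockOutMinutes * 60_000L;
            user.setLockOutTime(new Date(System.currentTimeMillis() + lockOutMillis));
            getAuditService(servletContext).log(userDTO, "sso",
                    "User is locked out for " + lockOutMinutes + " mins after " + failedAttempts + " failed attempts.");
        }
        getUserManagementService(servletContext).save(user);
    }

    /**
     * Forwards the request to {@code path} (a login page) with caching disabled so the browser never shows a stale
     * login or error page. Always returns {@code null}; the {@link Integer} return type is kept for compatibility.
     *
     * @param exchange the current exchange
     * @param path     the context-relative page to forward to
     * @return always {@code null}
     * @throws ServletException if the forward fails
     * @throws IOException      if the forward fails
     */
    protected Integer serveLoginPage(HttpServerExchange exchange, String path) throws ServletException, IOException {
        ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        HttpServletRequest request = requestContext.getServletRequest();
        HttpServletResponse response = requestContext.getServletResponse();
        exchange.getResponseHeaders().add(Headers.CACHE_CONTROL, "no-cache, no-store, must-revalidate");
        exchange.getResponseHeaders().add(Headers.PRAGMA, "no-cache");
        exchange.getResponseHeaders().add(Headers.EXPIRES, "0");
        request.getRequestDispatcher(path).forward(request, response);
        return null;
    }

    /**
     * Stores the caller-supplied post-login redirect target under {@link #SESSION_KEY} on the underlying Undertow
     * session (creating the session if needed).
     *
     * <p>Only CR/LF are rejected here, because the value ends up in a redirect header. Nothing in this method
     * restricts the target to this application; NOTE(review): confirm that whatever consumes {@link #SESSION_KEY}
     * validates the destination, otherwise add that check here.
     *
     * @param requestContext the current servlet request context
     * @param redirectUrl    the value of the {@code redirectURL} request parameter
     * @throws SecurityException if the value contains a line break
     */
    protected static void handleRedirectBack(ServletRequestContext requestContext, String redirectUrl) {
        if (redirectUrl.contains("\n") || redirectUrl.contains("\r")) {
            throw new SecurityException("redirectURL contains forbidden characters: \\n or \\r. Possible HTTP Response Splitting attack.");
        }
        HttpSessionImpl session = requestContext.getCurrentServletContext()
                .getSession(requestContext.getExchange(), true);
        if (session != null) {
            // Unwrapping the servlet session needs a privileged action when a SecurityManager is installed
            Session underlying = System.getSecurityManager() == null
                    ? session.getSession()
                    : AccessController.doPrivileged(new HttpSessionImpl.UnwrapSessionAction(session));
            underlying.setAttribute(SESSION_KEY, redirectUrl);
        }
    }

    /**
     * Derives the JVM route from the system session cookie and stores it in {@link SessionManager}; the route is
     * the part of the cookie value after the first {@code '.'} (constructed example: {@code "<sessionId>.<route>"}).
     * Does nothing when the request has no cookies or no suitable cookie.
     *
     * <p>NOTE(review): the route comes from a client-supplied cookie and is kept process-wide once set — confirm
     * that SessionManager uses it only for routing/naming.
     *
     * @param request the request whose cookies are inspected
     */
    protected static void setJvmRoute(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return;
        }
        for (Cookie cookie : cookies) {
            if (!SessionManager.SYS_SESSION_COOKIE.equals(cookie.getName())) {
                continue;
            }
            String value = cookie.getValue();
            int dot = value == null ? -1 : value.indexOf('.');
            // dot > 0 also requires a non-empty session id part before the route
            if (dot > 0) {
                SessionManager.setJvmRoute(value.substring(dot + 1));
                return;
            }
        }
    }

    /**
     * Lazily resolves and caches the {@code userManagementService} Spring bean.
     *
     * @param servletContext context used to find the web application context
     * @return the shared user management service
     */
    protected IUserManagementService getUserManagementService(ServletContext servletContext) {
        if (userManagementService == null) {
            userManagementService = (IUserManagementService) WebApplicationContextUtils
                    .getWebApplicationContext(servletContext).getBean("userManagementService");
        }
        return userManagementService;
    }

    /**
     * Lazily resolves and caches the {@code auditService} Spring bean.
     *
     * @param servletContext context used to find the web application context
     * @return the shared audit service
     */
    protected IAuditService getAuditService(ServletContext servletContext) {
        if (auditService == null) {
            auditService = (IAuditService) WebApplicationContextUtils
                    .getWebApplicationContext(servletContext).getBean("auditService");
        }
        return auditService;
    }
}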
