package org.alfresco.repo.webdav.auth;

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Random;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.transaction.UserTransaction;
import net.sf.acegisecurity.Authentication;
import org.alfresco.filesys.server.auth.PasswordEncryptor;
import org.alfresco.filesys.server.auth.ntlm.NTLMLogonDetails;
import org.alfresco.filesys.server.auth.ntlm.NTLMMessage;
import org.alfresco.filesys.server.auth.ntlm.TargetInfo;
import org.alfresco.filesys.server.auth.ntlm.Type1NTLMMessage;
import org.alfresco.filesys.server.auth.ntlm.Type2NTLMMessage;
import org.alfresco.filesys.server.auth.ntlm.Type3NTLMMessage;
import org.alfresco.filesys.server.config.ServerConfiguration;
import org.alfresco.filesys.util.DataPacker;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.MD4PasswordEncoder;
import org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl;
import org.alfresco.repo.security.authentication.NTLMMode;
import org.alfresco.repo.security.authentication.ntlm.NTLMPassthruToken;
import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.repository.InvalidNodeRefException;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.transaction.TransactionService;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

/* loaded from: input_file:org/alfresco/repo/webdav/auth/NTLMAuthenticationFilter.class */
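/**
 * Servlet filter that authenticates WebDAV clients with the NTLM handshake
 * (type1 -> type2 -> type3 messages carried in the {@code Authorization} and
 * {@code WWW-Authenticate} headers) or with an Alfresco ticket passed as the
 * {@code ticket} request parameter.
 * <p>
 * Two modes of the authentication component are supported:
 * {@link NTLMMode#MD4_PROVIDER}, where this filter computes the expected NTLMv1
 * response from the stored MD4 hash and compares it with the client's, and
 * {@link NTLMMode#PASS_THROUGH}, where the challenge/response pair is handed to
 * the authentication component via an {@link NTLMPassthruToken}.
 * <p>
 * The authenticated user is kept in the HTTP session under
 * {@link #AUTHENTICATION_USER}; partial handshake state lives under
 * {@link #NTLM_AUTH_DETAILS}. Whenever a request cannot be authenticated the
 * handshake is restarted with a bare {@code 401 / WWW-Authenticate: NTLM}.
 */
public class NTLMAuthenticationFilter implements Filter {
    /** Session attribute removed, together with the logon details, whenever the handshake restarts. */
    public static final String NTLM_AUTH_SESSION = "_alfNTLMAuthSess";
    /** Session attribute holding the in-progress or cached {@link NTLMLogonDetails}. */
    public static final String NTLM_AUTH_DETAILS = "_alfNTLMDetails";
    /** Session attribute holding the authenticated {@link WebDAVUser}. */
    public static final String AUTHENTICATION_USER = "_alfDAVAuthTicket";
    /** Request parameter carrying an Alfresco ticket as an alternative to NTLM. */
    private static final String ARG_TICKET = "ticket";
    /** Mask applied to the client's type1 flags when building the type2 message (0x80000283). */
    private static final int NTLM_FLAGS = -2147483005;

    private static final String HEADER_AUTHORIZATION = "Authorization";
    private static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String NTLM_SCHEME = "NTLM";
    /** Length of the {@code "NTLM "} prefix that precedes the base64 message in the header. */
    private static final int NTLM_PREFIX_LENGTH = 5;
    private static final int NTLM_TYPE1 = 1;
    private static final int NTLM_TYPE3 = 3;
    /** Size of the server challenge generated in MD4 mode. */
    private static final int CHALLENGE_LENGTH = 8;
    /** Size of the decoded MD4 password hash. */
    private static final int MD4_HASH_LENGTH = 16;
    /** Size of the zero-padded buffer handed to the NTLMv1 response computation. */
    private static final int NTLM1_KEY_LENGTH = 21;

    private static Log logger = LogFactory.getLog(NTLMAuthenticationFilter.class);

    private ServletContext m_context;
    private ServerConfiguration m_srvConfig;
    private AuthenticationService m_authService;
    private AuthenticationComponent m_authComponent;
    private PersonService m_personService;
    private NodeService m_nodeService;
    private TransactionService m_transactionService;
    /** Read from the {@code AllowGuest} init parameter; not consulted elsewhere in this class. */
    private boolean m_allowGuest;
    /** Server name advertised in the type2 target information. */
    private String m_srvName;
    private PasswordEncryptor m_encryptor = new PasswordEncryptor();
    /**
     * Source of the server challenge in MD4 mode. The challenge must be
     * unpredictable, so a cryptographically strong generator is used rather
     * than a time-seeded {@link Random}.
     */
    private SecureRandom m_random = new SecureRandom();
    private MD4PasswordEncoder m_md4Encoder = new MD4PasswordEncoderImpl();

    /**
     * Resolves the Alfresco services from the web application context and
     * determines the local server name used in the NTLM type2 message.
     *
     * @param filterConfig filter configuration; the optional {@code AllowGuest}
     *        init parameter is parsed as a boolean
     * @throws ServletException if the authentication component runs in a mode
     *         other than MD4 provider or pass-through, or no server name can be
     *         determined
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        this.m_context = filterConfig.getServletContext();
        WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(this.m_context);
        ServiceRegistry serviceRegistry = (ServiceRegistry) ctx.getBean("ServiceRegistry");
        this.m_nodeService = serviceRegistry.getNodeService();
        this.m_transactionService = serviceRegistry.getTransactionService();
        this.m_authService = (AuthenticationService) ctx.getBean("authenticationService");
        this.m_authComponent = (AuthenticationComponent) ctx.getBean("authenticationComponent");
        this.m_personService = (PersonService) ctx.getBean("personService");
        this.m_srvConfig = (ServerConfiguration) ctx.getBean("fileServerConfiguration");

        NTLMMode mode = this.m_authComponent.getNTLMMode();
        if (mode != NTLMMode.MD4_PROVIDER && mode != NTLMMode.PASS_THROUGH) {
            throw new ServletException("Required authentication mode not available");
        }

        if (this.m_srvConfig != null) {
            this.m_srvName = this.m_srvConfig.getLocalServerName(true);
        } else {
            try {
                String hostName = InetAddress.getLocalHost().getHostName();
                int dot = hostName.indexOf('.');
                // Keep only the first label; substring's end index is exclusive,
                // so cutting at the dot itself keeps the whole label.
                this.m_srvName = (dot != -1) ? hostName.substring(0, dot) : hostName;
            } catch (UnknownHostException e) {
                if (logger.isErrorEnabled()) {
                    logger.error("NTLM filter, error getting local host name", e);
                }
            }
        }
        if (this.m_srvName == null || this.m_srvName.length() == 0) {
            throw new ServletException("Failed to get local server name");
        }

        String allowGuest = filterConfig.getInitParameter("AllowGuest");
        if (allowGuest != null) {
            this.m_allowGuest = Boolean.parseBoolean(allowGuest);
            if (logger.isDebugEnabled() && this.m_allowGuest) {
                logger.debug("NTLM filter guest access allowed");
            }
        }
    }

    /**
     * Authenticates the request and, on success, passes it down the chain.
     * <p>
     * Order of evaluation: an already authenticated session whose ticket still
     * validates is chained straight away unless the client is starting a new
     * NTLM exchange; an {@code Authorization} header is handled as an NTLM
     * message; a {@code ticket} parameter is validated as an Alfresco ticket;
     * otherwise a fresh NTLM challenge is issued.
     *
     * @throws IOException if flushing the response fails or the chain throws it
     * @throws ServletException if the chain throws it
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        HttpServletResponse resp = (HttpServletResponse) servletResponse;
        HttpSession session = req.getSession(true);

        String authHdr = req.getHeader(HEADER_AUTHORIZATION);
        boolean ntlmHeader = authHdr != null && authHdr.startsWith(NTLM_SCHEME);

        WebDAVUser user = (WebDAVUser) session.getAttribute(AUTHENTICATION_USER);
        if (user != null && !ntlmHeader) {
            // Existing logon: re-validate the cached ticket. A rejected ticket
            // falls through to the normal authentication paths below.
            if (ticketStillValid(user)) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Authentication not required, chaining ...");
                }
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
        }

        if (authHdr != null) {
            processNtlmHeader(authHdr, req, resp, session, filterChain);
            return;
        }

        String ticket = req.getParameter(ARG_TICKET);
        if (ticket != null && ticket.length() > 0) {
            if (logger.isDebugEnabled()) {
                // The ticket is a bearer credential and is deliberately kept out of the log.
                logger.debug("Logon via ticket from " + req.getRemoteHost() + " (" + req.getRemoteAddr() + ":"
                        + req.getRemotePort() + ")");
            }
            WebDAVUser ticketUser = authenticateByTicket(ticket);
            if (ticketUser != null) {
                req.getSession().setAttribute(AUTHENTICATION_USER, ticketUser);
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
        }

        if (logger.isDebugEnabled()) {
            logger.debug("New NTLM auth request from " + req.getRemoteHost() + " (" + req.getRemoteAddr() + ":"
                    + req.getRemotePort() + ")");
        }
        sendChallenge(resp, NTLM_SCHEME);
    }

    /** Nothing to release: all collaborators are container-managed beans. */
    public void destroy() {
    }

    /**
     * Decodes the NTLM message in an {@code Authorization} header and dispatches
     * on its type. Anything that is not a well-formed type1 or type3 message
     * (including a non-NTLM scheme or a bare {@code "NTLM"} header with no
     * payload) clears partial state and restarts the handshake.
     */
    private void processNtlmHeader(String authHdr, HttpServletRequest req, HttpServletResponse resp,
            HttpSession session, FilterChain chain) throws IOException, ServletException {
        byte[] ntlmBytes = null;
        int ntlmType = -1;
        if (authHdr.startsWith(NTLM_SCHEME) && authHdr.length() > NTLM_PREFIX_LENGTH) {
            ntlmBytes = Base64.decodeBase64(authHdr.substring(NTLM_PREFIX_LENGTH).getBytes());
            ntlmType = NTLMMessage.isNTLMType(ntlmBytes);
        }

        if (ntlmType == NTLM_TYPE1) {
            processType1(new Type1NTLMMessage(ntlmBytes), req, resp, session);
        } else if (ntlmType == NTLM_TYPE3) {
            // processType3 either chains the request or sends its own 401;
            // nothing may be written to the response after it returns.
            processType3(new Type3NTLMMessage(ntlmBytes), req, resp, session, chain);
        } else {
            restartAuthentication(session, resp);
        }
    }

    /**
     * Answers a type1 message with a type2 challenge.
     * <p>
     * If the session already holds complete logon details (type2 message, cached
     * hash and pass-through token) the cached type2 is re-sent; otherwise a new
     * challenge is generated — locally in MD4 mode, or obtained from the
     * authentication component through a fresh {@link NTLMPassthruToken}.
     *
     * @param session the caller's session, never null
     * @throws IOException if flushing the response fails
     */
    private void processType1(Type1NTLMMessage type1Msg, HttpServletRequest req, HttpServletResponse resp,
            HttpSession session) throws IOException {
        if (logger.isDebugEnabled()) {
            logger.debug("Received type1 " + type1Msg);
        }

        NTLMLogonDetails cached = (NTLMLogonDetails) session.getAttribute(NTLM_AUTH_DETAILS);
        if (cached != null && cached.hasType2Message() && cached.hasNTLMHashedPassword()
                && cached.hasAuthenticationToken()) {
            Type2NTLMMessage cachedType2 = cached.getType2Message();
            if (logger.isDebugEnabled()) {
                logger.debug("Sending cached NTLM type2 to client - " + cachedType2);
            }
            sendChallenge(resp, NTLM_SCHEME + " " + new String(Base64.encodeBase64(cachedType2.getBytes())));
            return;
        }

        session.removeAttribute(NTLM_AUTH_DETAILS);

        byte[] challenge = null;
        Authentication token = null;
        if (this.m_authComponent.getNTLMMode() == NTLMMode.MD4_PROVIDER) {
            challenge = new byte[CHALLENGE_LENGTH];
            DataPacker.putIntelLong(this.m_random.nextLong(), challenge, 0);
        } else {
            token = new NTLMPassthruToken();
            this.m_authComponent.authenticate(token);
            if (token.getChallenge() != null) {
                challenge = token.getChallenge().getBytes();
            }
        }

        int flags = type1Msg.getFlags() & NTLM_FLAGS;
        ArrayList<TargetInfo> targets = new ArrayList<TargetInfo>();
        targets.add(new TargetInfo(1, this.m_srvName));

        Type2NTLMMessage type2Msg = new Type2NTLMMessage();
        type2Msg.buildType2(flags, this.m_srvName, challenge, (int[]) null, targets);

        NTLMLogonDetails details = new NTLMLogonDetails();
        details.setType2Message(type2Msg);
        details.setAuthenticationToken(token);
        session.setAttribute(NTLM_AUTH_DETAILS, details);

        if (logger.isDebugEnabled()) {
            logger.debug("Sending NTLM type2 to client - " + type2Msg);
        }
        sendChallenge(resp, NTLM_SCHEME + " " + new String(Base64.encodeBase64(type2Msg.getBytes())));
    }

    /**
     * Verifies a type3 response and, on success, logs the user on and chains
     * the request.
     * <p>
     * A session that already holds a logged-on user and a cached hash is
     * short-circuited only when the client's hash matches the cached one and
     * the user's ticket still validates; any other outcome restarts the
     * handshake. A type3 arriving without a type2 in the session has no
     * challenge to be checked against and is likewise rejected.
     *
     * @param session the caller's session, never null
     * @throws IOException if flushing the response fails or the chain throws it
     * @throws ServletException if the chain throws it
     */
    private void processType3(Type3NTLMMessage type3Msg, HttpServletRequest req, HttpServletResponse resp,
            HttpSession session, FilterChain chain) throws IOException, ServletException {
        if (logger.isDebugEnabled()) {
            logger.debug("Received type3 " + type3Msg);
        }

        NTLMLogonDetails ntlmDetails = (NTLMLogonDetails) session.getAttribute(NTLM_AUTH_DETAILS);
        WebDAVUser user = (WebDAVUser) session.getAttribute(AUTHENTICATION_USER);
        String userName = type3Msg.getUserName();

        if (user != null && ntlmDetails != null && ntlmDetails.hasNTLMHashedPassword()) {
            byte[] clientHash = type3Msg.getNTLMHash();
            // Constant-time comparison; a missing client hash never matches.
            boolean hashMatches = clientHash != null
                    && MessageDigest.isEqual(clientHash, ntlmDetails.getNTLMHashedPassword());
            if (logger.isDebugEnabled()) {
                logger.debug("Using cached NTLM hash, authenticated = " + hashMatches);
            }
            // Only a matching hash may reuse the existing logon; anything else
            // forces a fresh handshake.
            if (hashMatches && ticketStillValid(user)) {
                chain.doFilter(req, resp);
                return;
            }
            restartAuthentication(session, resp);
            return;
        }

        if (ntlmDetails == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("Type3 received without a cached type2 challenge, restarting handshake");
            }
            restartAuthentication(session, resp);
            return;
        }

        boolean authenticated;
        if (this.m_authComponent.getNTLMMode() == NTLMMode.MD4_PROVIDER) {
            authenticated = verifyWithMd4Hash(type3Msg, ntlmDetails, userName);
        } else {
            authenticated = verifyPassThrough(type3Msg, ntlmDetails);
        }

        if (!authenticated) {
            restartAuthentication(session, resp);
            return;
        }
        logonUser(type3Msg, ntlmDetails, userName, req, resp, session, chain);
    }

    /**
     * MD4 mode: recomputes the NTLMv1 response from the stored MD4 hash and the
     * challenge kept in {@code ntlmDetails}, and compares it with the client's.
     *
     * @return true only when the user has an Alfresco account and the responses
     *         are identical
     */
    private boolean verifyWithMd4Hash(Type3NTLMMessage type3Msg, NTLMLogonDetails ntlmDetails, String userName) {
        String md4Hash = this.m_authComponent.getMD4HashedPassword(userName);
        if (md4Hash == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("User " + userName + " does not have Alfresco account");
            }
            return false;
        }

        // The 16-byte MD4 hash is copied into a zero-padded 21-byte buffer,
        // which is what the NTLMv1 response computation expects.
        byte[] paddedHash = new byte[NTLM1_KEY_LENGTH];
        System.arraycopy(this.m_md4Encoder.decodeHash(md4Hash), 0, paddedHash, 0, MD4_HASH_LENGTH);

        byte[] expected;
        try {
            expected = this.m_encryptor.doNTLM1Encryption(paddedHash, ntlmDetails.getChallengeKey());
        } catch (NoSuchAlgorithmException e) {
            // Without the algorithm no response can ever verify; say so rather than failing silently.
            logger.error("NTLM filter, NTLMv1 response algorithm not available", e);
            return false;
        }

        byte[] actual = type3Msg.getNTLMHash();
        // Constant-time comparison so timing does not reveal how many leading bytes matched.
        return actual != null && MessageDigest.isEqual(actual, expected);
    }

    /**
     * Pass-through mode: hands the client's response to the authentication
     * component through the token created when the type2 message was issued.
     * The token is single-use and is dropped from the details whatever the
     * outcome.
     *
     * @return true when the authentication component accepts the response
     */
    private boolean verifyPassThrough(Type3NTLMMessage type3Msg, NTLMLogonDetails ntlmDetails) {
        NTLMPassthruToken token = ntlmDetails.getAuthenticationToken();
        if (token == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("No pass-through token cached for this session, restarting handshake");
            }
            return false;
        }

        token.setUserAndPassword(type3Msg.getUserName(), type3Msg.getNTLMHash(), 1);
        try {
            this.m_authComponent.authenticate(token);
            return true;
        } catch (AuthenticationException e) {
            if (logger.isDebugEnabled()) {
                logger.debug("Authentication failed, " + e.getMessage());
            }
            return false;
        } finally {
            ntlmDetails.setAuthenticationToken((Authentication) null);
        }
    }

    /**
     * Establishes the Alfresco user for a verified NTLM response, records the
     * user and logon details in the HTTP session and passes the request down
     * the chain.
     * <p>
     * The repository work runs in a user transaction that is rolled back on any
     * failure; exceptions thrown by the chain itself propagate unchanged.
     *
     * @throws RuntimeException wrapping a checked failure of the transaction
     */
    private void logonUser(Type3NTLMMessage type3Msg, NTLMLogonDetails ntlmDetails, String userName,
            HttpServletRequest req, HttpServletResponse resp, HttpSession session, FilterChain chain)
            throws IOException, ServletException {
        String workstation = type3Msg.getWorkstation();
        String domain = type3Msg.getDomain();

        UserTransaction tx = this.m_transactionService.getUserTransaction();
        boolean committed = false;
        String currentUser;
        WebDAVUser user;
        try {
            tx.begin();
            this.m_authComponent.setCurrentUser(userName.toLowerCase());
            currentUser = this.m_authComponent.getCurrentUserName();
            NodeRef person = this.m_personService.getPerson(currentUser);
            user = new WebDAVUser(currentUser, this.m_authService.getCurrentTicket(), person);
            user.setHomeNode((NodeRef) this.m_nodeService.getProperty(person, ContentModel.PROP_HOMEFOLDER));
            tx.commit();
            committed = true;
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw new RuntimeException("Authentication setup failed", e);
        } finally {
            if (!committed) {
                rollbackQuietly(tx);
            }
        }

        session.setAttribute(AUTHENTICATION_USER, user);
        NTLMLogonDetails details = ntlmDetails;
        if (details == null) {
            details = new NTLMLogonDetails(currentUser, workstation, domain, false, this.m_srvName);
            session.setAttribute(NTLM_AUTH_DETAILS, details);
            if (logger.isDebugEnabled()) {
                logger.debug("No cached NTLM details, created");
            }
        } else {
            details.setDetails(currentUser, workstation, domain, false, this.m_srvName);
            details.setNTLMHashedPassword(type3Msg.getNTLMHash());
            if (logger.isDebugEnabled()) {
                logger.debug("Updated cached NTLM details");
            }
        }
        if (logger.isDebugEnabled()) {
            logger.debug("User logged on via NTLM, " + details);
        }

        chain.doFilter(req, resp);
    }

    /**
     * Validates an Alfresco ticket and builds the WebDAV user for it.
     *
     * @return the user with its home node resolved, or null when the ticket is
     *         rejected or the user's home folder does not exist (the caller then
     *         issues an NTLM challenge instead)
     */
    private WebDAVUser authenticateByTicket(String ticket) {
        UserTransaction tx = null;
        try {
            this.m_authService.validate(ticket);
            String userName = this.m_authService.getCurrentUserName();

            tx = this.m_transactionService.getUserTransaction();
            tx.begin();
            NodeRef person = this.m_personService.getPerson(userName);
            WebDAVUser user = new WebDAVUser(userName, this.m_authService.getCurrentTicket(), person);
            NodeRef home = (NodeRef) this.m_nodeService.getProperty(person, ContentModel.PROP_HOMEFOLDER);
            if (!this.m_nodeService.exists(home)) {
                throw new InvalidNodeRefException(home);
            }
            user.setHomeNode(home);
            tx.commit();
            tx = null;
            return user;
        } catch (AuthenticationException e) {
            if (logger.isDebugEnabled()) {
                logger.debug("Ticket validation failed, " + e.getMessage());
            }
            return null;
        } catch (Exception e) {
            logger.error("Logon via ticket failed", e);
            return null;
        } finally {
            // Still set only when begin() succeeded and commit() did not.
            rollbackQuietly(tx);
        }
    }

    /**
     * Re-validates the ticket of a user already held in the session.
     *
     * @return true when the ticket is still valid, false when the authentication
     *         service rejects it
     */
    private boolean ticketStillValid(WebDAVUser user) {
        try {
            if (logger.isDebugEnabled()) {
                logger.debug("User " + user.getUserName() + " validate ticket");
            }
            this.m_authService.validate(user.getTicket());
            return true;
        } catch (AuthenticationException e) {
            if (logger.isErrorEnabled()) {
                logger.error("Failed to validate user " + user.getUserName(), e);
            }
            return false;
        }
    }

    /** Clears partial NTLM state from the session and restarts the handshake with a bare challenge. */
    private void restartAuthentication(HttpSession session, HttpServletResponse resp) throws IOException {
        session.removeAttribute(NTLM_AUTH_SESSION);
        session.removeAttribute(NTLM_AUTH_DETAILS);
        sendChallenge(resp, NTLM_SCHEME);
    }

    /**
     * Sends a 401 carrying the given {@code WWW-Authenticate} value and flushes
     * the response so nothing further can be written to it.
     */
    private void sendChallenge(HttpServletResponse resp, String wwwAuthenticate) throws IOException {
        resp.setHeader(HEADER_WWW_AUTHENTICATE, wwwAuthenticate);
        resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        resp.flushBuffer();
    }

    /**
     * Rolls back {@code tx} when non-null, logging rather than propagating a
     * rollback failure so that the original error remains the one reported.
     */
    private static void rollbackQuietly(UserTransaction tx) {
        if (tx == null) {
            return;
        }
        try {
            tx.rollback();
        } catch (Exception e) {
            logger.error("Failed to rollback transaction", e);
        }
    }
}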
