package org.springframework.extensions.webscripts.servlet.mvc;

import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.StringTokenizer;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.httpclient.auth.AuthState;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.extensions.config.ConfigService;
import org.springframework.extensions.config.RemoteConfigElement;
import org.springframework.extensions.surf.exception.WebScriptsPlatformException;
import org.springframework.extensions.surf.util.Base64;
import org.springframework.extensions.surf.util.URLEncoder;
import org.springframework.extensions.webscripts.connector.Connector;
import org.springframework.extensions.webscripts.connector.ConnectorContext;
import org.springframework.extensions.webscripts.connector.ConnectorService;
import org.springframework.extensions.webscripts.connector.Credentials;
import org.springframework.extensions.webscripts.connector.CredentialsImpl;
import org.springframework.extensions.webscripts.connector.HttpMethod;
import org.springframework.extensions.webscripts.connector.Response;
import org.springframework.web.servlet.HandlerMapping;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.AbstractController;

/* loaded from: input_file:WEB-INF/lib/spring-webscripts-8.40.jar:org/springframework/extensions/webscripts/servlet/mvc/EndPointProxyController.class */
public class EndPointProxyController extends AbstractController {
    private static Log logger = LogFactory.getLog(EndPointProxyController.class);
    private static final long serialVersionUID = -176412355613122789L;
    private static final String JSESSIONID = ";jsessionid=";
    private static final String USER_ID = "_alf_USER_ID";
    private static final String ANY_URI_PATTERN = "^.*$";
    private static final String SOLR_PATTERN = "^.*/api/solr/.*$";
    private static final String ENCODED_CRLF = "%0d|%0a";
    private static final String ASCII_CRLF = "\\r|\\n";
    protected ConfigService configService;
    protected ConnectorService connectorService;
    protected RemoteConfigElement config;
    private List<Pattern> compiledPatternsBlacklist;
    private List<Pattern> compiledCRLFProtection;
    protected ProxyControllerInterceptor proxyControllerInterceptor = new ProxyControllerInterceptor() { // from class: org.springframework.extensions.webscripts.servlet.mvc.EndPointProxyController.1
        @Override // org.springframework.extensions.webscripts.servlet.mvc.ProxyControllerInterceptor
        public boolean exceptionOnError(RemoteConfigElement.EndpointDescriptor endpointDescriptor, String str) {
            return false;
        }

        @Override // org.springframework.extensions.webscripts.servlet.mvc.ProxyControllerInterceptor
        public boolean allowHttpBasicAuthentication(RemoteConfigElement.EndpointDescriptor endpointDescriptor, String str) {
            return false;
        }
    };
    private List<Pattern> compiledPatternsWhitelist = new ArrayList();

    public EndPointProxyController() {
        this.compiledPatternsWhitelist.add(Pattern.compile(ANY_URI_PATTERN));
        this.compiledPatternsBlacklist = new ArrayList();
        this.compiledPatternsBlacklist.add(Pattern.compile(SOLR_PATTERN));
        this.compiledCRLFProtection = new ArrayList();
        this.compiledCRLFProtection.add(Pattern.compile(ENCODED_CRLF));
        this.compiledCRLFProtection.add(Pattern.compile(ASCII_CRLF));
    }

    private void tryPopulateCompiledPatternsList(List<String> list, List<Pattern> list2) {
        for (String str : list) {
            if (str != null) {
                try {
                    list2.add(Pattern.compile(str));
                } catch (PatternSyntaxException e) {
                    if (logger.isDebugEnabled()) {
                        logger.debug("Invalid syntax expression: " + str);
                    }
                }
            }
        }
    }

    public void setUriWhitelist(List<String> list) {
        if (list == null || list.isEmpty()) {
            return;
        }
        this.compiledPatternsWhitelist.clear();
        tryPopulateCompiledPatternsList(list, this.compiledPatternsWhitelist);
        if (this.compiledPatternsWhitelist.isEmpty()) {
            this.compiledPatternsWhitelist.add(Pattern.compile(ANY_URI_PATTERN));
        }
    }

    public void setUriBlacklist(List<String> list) {
        if (list == null || list.isEmpty()) {
            return;
        }
        tryPopulateCompiledPatternsList(list, this.compiledPatternsBlacklist);
    }

    public void setConfigService(ConfigService configService) {
        this.configService = configService;
    }

    public void setConnectorService(ConnectorService connectorService) {
        this.connectorService = connectorService;
    }

    @Deprecated
    public void setBasicHttpAuthChallenge(boolean z) {
    }

    public void setProxyControllerInterceptor(ProxyControllerInterceptor proxyControllerInterceptor) {
        if (proxyControllerInterceptor == null) {
            throw new IllegalArgumentException("ProxyControllerInterceptor is mandatory");
        }
        this.proxyControllerInterceptor = proxyControllerInterceptor;
    }

    public RemoteConfigElement getRemoteConfig() {
        if (this.config == null) {
            this.config = (RemoteConfigElement) this.configService.getConfig("Remote").getConfigElement("remote");
        }
        return this.config;
    }

    @Override // org.springframework.web.servlet.mvc.AbstractController
    public ModelAndView handleRequestInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        RemoteConfigElement.EndpointDescriptor endpointDescriptor;
        Connector connector;
        String sanitizeUri = sanitizeUri((String) httpServletRequest.getAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE));
        int indexOf = sanitizeUri.indexOf(JSESSIONID);
        if (indexOf != -1) {
            sanitizeUri = sanitizeUri.substring(0, indexOf);
        }
        StringTokenizer stringTokenizer = new StringTokenizer(URLEncoder.encodeUri(sanitizeUri), "/");
        if (!stringTokenizer.hasMoreTokens()) {
            throw new IllegalArgumentException("Proxy URL did not specify endpoint id.");
        }
        String nextToken = stringTokenizer.nextToken();
        StringBuilder sb = new StringBuilder(64);
        try {
            if (!stringTokenizer.hasMoreTokens()) {
                sb.append('/');
                endpointDescriptor = getRemoteConfig().getEndpointDescriptor(nextToken);
                if (endpointDescriptor != null || endpointDescriptor.getUnsecure()) {
                    throw new WebScriptsPlatformException("Invalid EndPoint Id: " + nextToken);
                }
                String str = null;
                HttpSession session = httpServletRequest.getSession(false);
                if (session != null) {
                    str = (String) session.getAttribute(USER_ID);
                }
                if (str != null && (this.connectorService.getCredentialVault(httpServletRequest.getSession(), str).hasCredentials(nextToken) || endpointDescriptor.getExternalAuth())) {
                    connector = this.connectorService.getConnector(nextToken, str, httpServletRequest.getSession());
                } else if (endpointDescriptor.getIdentity() == RemoteConfigElement.IdentityType.NONE || endpointDescriptor.getIdentity() == RemoteConfigElement.IdentityType.DECLARED || endpointDescriptor.getExternalAuth()) {
                    connector = this.connectorService.getConnector(nextToken, httpServletRequest.getSession());
                } else {
                    if (!endpointDescriptor.getBasicAuth() && !this.proxyControllerInterceptor.allowHttpBasicAuthentication(endpointDescriptor, sanitizeUri)) {
                        httpServletResponse.setStatus(401, "No USER_ID found in session and requested endpoint requires authentication.");
                        return null;
                    }
                    String header = httpServletRequest.getHeader("Authorization");
                    if (header == null || header.length() == 0) {
                        authorizedResponseStatus(httpServletResponse);
                        return null;
                    }
                    String[] split = header.split(StringUtils.SPACE);
                    if (split[0].equalsIgnoreCase("negotiate")) {
                        authorizedResponseStatus(httpServletResponse);
                        return null;
                    }
                    if (!split[0].equalsIgnoreCase(AuthState.PREEMPTIVE_AUTH_SCHEME)) {
                        throw new WebScriptsPlatformException("Authorization '" + split[0] + "' not supported.");
                    }
                    String[] split2 = new String(Base64.decode(split[1])).split(":");
                    if (split2.length != 2) {
                        authorizedResponseStatus(httpServletResponse);
                        return null;
                    }
                    if (logger.isDebugEnabled()) {
                        logger.debug("Authenticating (BASIC HTTP) user " + split2[0]);
                    }
                    connector = this.connectorService.getConnector(nextToken, split2[0], httpServletRequest.getSession());
                    CredentialsImpl credentialsImpl = new CredentialsImpl(nextToken);
                    credentialsImpl.setProperty(Credentials.CREDENTIAL_USERNAME, split2[0]);
                    credentialsImpl.setProperty(Credentials.CREDENTIAL_PASSWORD, split2[1]);
                    connector.setCredentials(credentialsImpl);
                }
                HashMap hashMap = new HashMap(1, 1.0f);
                hashMap.put("Authorization", null);
                ConnectorContext connectorContext = new ConnectorContext(HttpMethod.valueOf(httpServletRequest.getMethod().toUpperCase()), null, hashMap);
                connectorContext.setExceptionOnError(this.proxyControllerInterceptor.exceptionOnError(endpointDescriptor, sanitizeUri));
                connectorContext.setContentType(httpServletRequest.getContentType());
                String queryString = httpServletRequest.getQueryString();
                String str2 = sb.toString() + ((queryString == null || queryString.length() == 0) ? "" : "?" + queryString);
                if (logger.isDebugEnabled()) {
                    logger.debug("EndPointProxyController preparing to proxy:");
                    logger.debug(" - endpointId: " + nextToken);
                    logger.debug(" - userId: " + str);
                    logger.debug(" - connector: " + connector);
                    logger.debug(" - method: " + connectorContext.getMethod());
                    logger.debug(" - url: " + str2);
                }
                if (!isInWhitelist(sanitizeUri) || isInBlacklist(sanitizeUri)) {
                    if (isInBlacklist(sanitizeUri)) {
                        logger.warn("An attempt to access a forbidden resource was blocked: " + str2);
                    }
                    httpServletResponse.sendError(403, "Forbidden URI: " + sanitizeUri);
                    return null;
                }
                Response call = connector.call(str2, connectorContext, httpServletRequest, httpServletResponse);
                if (logger.isDebugEnabled()) {
                    logger.debug("Return code: " + call.getStatus().getCode());
                    if (call.getStatus().getCode() == 500) {
                        logger.debug("Error detected: " + call.getStatus().getMessage() + "\n" + call.getStatus().getException().toString());
                    }
                }
                return null;
            }
            endpointDescriptor = getRemoteConfig().getEndpointDescriptor(nextToken);
            if (endpointDescriptor != null) {
            }
            throw new WebScriptsPlatformException("Invalid EndPoint Id: " + nextToken);
        } catch (Throwable th) {
            throw new WebScriptsPlatformException("Error during endpoint proxy processing: " + th.getMessage(), th);
        }
        do {
            sb.append('/');
            sb.append(stringTokenizer.nextToken());
        } while (stringTokenizer.hasMoreTokens());
    }

    private String sanitizeUri(String str) throws URISyntaxException {
        Iterator<Pattern> it = this.compiledCRLFProtection.iterator();
        while (it.hasNext()) {
            str = it.next().matcher(str).replaceAll("");
        }
        return str;
    }

    private boolean isInWhitelist(String str) {
        return isMatchInList(str, this.compiledPatternsWhitelist);
    }

    private boolean isInBlacklist(String str) {
        return isMatchInList(str, this.compiledPatternsBlacklist);
    }

    private boolean isMatchInList(String str, List<Pattern> list) {
        if (list == null || list.isEmpty()) {
            return false;
        }
        for (Pattern pattern : list) {
            if (pattern != null && pattern.matcher(str).matches()) {
                return true;
            }
        }
        return false;
    }

    private void authorizedResponseStatus(HttpServletResponse httpServletResponse) {
        httpServletResponse.setStatus(401, "No USER_ID found in session and requested endpoint requires authentication.");
        httpServletResponse.setHeader("WWW-Authenticate", "Basic realm=\"Alfresco\"");
    }
}
