package fi.vm.sade.authentication.cas;

import fi.vm.sade.authentication.cas.TicketCachePolicy;
import fi.vm.sade.haku.virkailija.lomakkeenhallinta.util.OppijaConstants;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/* loaded from: input_file:WEB-INF/lib/generic-common-9.4-SNAPSHOT.jar:fi/vm/sade/authentication/cas/CasApplicationAsAUserInterceptor.class */
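/**
 * CXF interceptor that authenticates outgoing service calls as an application
 * (service) user by attaching a CAS service ticket in the
 * {@code CasSecurityTicket} HTTP header, and that evicts the cached ticket when
 * an incoming response shows it was rejected (HTTP 401 or a redirect to the CAS
 * login page).
 *
 * <p>Security notes:
 * <ul>
 *   <li>The ticket is a bearer credential, so its value is never written to the log.</li>
 *   <li>When {@code auth.mode} is {@code dev} and no ticket could be obtained, the
 *       interceptor sends a fixed mock identity with broad authorities in plain
 *       request headers instead of a ticket. That mode must never be configured in
 *       a production deployment.</li>
 * </ul>
 */
public class CasApplicationAsAUserInterceptor extends AbstractPhaseInterceptor<Message> {
    private static final Logger logger = LoggerFactory.getLogger(CasApplicationAsAUserInterceptor.class);
    private static final Integer HTTP_401_UNAUTHORIZED = 401;
    /** Fixed principal used only by the dev-mode fallback in {@link #handleOutbound(Message)}. */
    private static final String MOCK_USER_OID = "1.2.246.562.24.00000000001";
    private String webCasUrl;
    private String targetService;
    private String appClientUsername;
    // Service-account secret; it is only passed to CasClient.getTicket and must not be logged.
    private String appClientPassword;

    // Defaults to "cas"; the value "dev" enables the mock-identity fallback in handleOutbound.
    @Value("${auth.mode:cas}")
    private String authMode;
    private TicketCachePolicy ticketCachePolicy;

    /** Registers the interceptor in the {@code pre-protocol} phase with the default ticket cache policy. */
    public CasApplicationAsAUserInterceptor() {
        super("pre-protocol");
        this.ticketCachePolicy = new DefaultTicketCachePolicy();
    }

    /**
     * Builds the authority set of the dev-mode mock user: READ, READ_UPDATE and CRUD
     * for every listed application, both unscoped and scoped to the root organization.
     *
     * @return the mock authorities (duplicates in the application list collapse in the set)
     */
    private static Set<GrantedAuthority> buildMockAuthorities() {
        Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
        String[] accessLevels = {"READ", "READ_UPDATE", "CRUD"};
        String[] applications = {"ANOMUSTENHALLINTA", "ORGANISAATIOHALLINTA", "HENKILONHALLINTA", "KOODISTO", "KOOSTEROOLIENHALLINTA", "OID", "OMATTIEDOT", "ORGANISAATIOHALLINTA", "TARJONTA", "SIJOITTELU", "VALINTAPERUSTEET", "VALINTOJENTOTEUTTAMINEN", "HAKEMUS"};
        for (String application : applications) {
            for (String accessLevel : accessLevels) {
                String role = "ROLE_APP_" + application + "_" + accessLevel;
                authorities.add(new SimpleGrantedAuthority(role));
                authorities.add(new SimpleGrantedAuthority(role + "_" + OppijaConstants.ROOT_ORGANIZATION_OID));
            }
        }
        return authorities;
    }

    /**
     * Dispatches to {@link #handleInbound(Message)} or {@link #handleOutbound(Message)}
     * according to the message's inbound flag.
     *
     * @param message the CXF message being processed
     * @throws Fault if the outbound handling cannot attach credentials
     */
    @Override
    public void handleMessage(Message message) throws Fault {
        // Boolean.TRUE.equals avoids the NullPointerException the unboxing cast raised
        // when the flag is absent; a message without the flag is handled as outbound.
        if (Boolean.TRUE.equals(message.get("org.apache.cxf.message.inbound"))) {
            handleInbound(message);
        } else {
            handleOutbound(message);
        }
    }

    /**
     * Inspects a response and evicts the cached ticket when the target service
     * rejected it, so that the next outbound call fetches a fresh one.
     *
     * @param message the inbound (response) message
     * @throws Fault declared by the interceptor contract; not thrown by this method itself
     */
    public void handleInbound(Message message) throws Fault {
        Integer responseCode = (Integer) message.get(Message.RESPONSE_CODE);
        if (HTTP_401_UNAUTHORIZED.equals(responseCode)) {
            logger.warn("Got response code " + responseCode + " -> removing ticket from cache");
            this.ticketCachePolicy.clearTicket(this.targetService, this.appClientUsername);
            return;
        }
        Map<?, ?> headers = (Map<?, ?>) message.get(Message.PROTOCOL_HEADERS);
        if (headers == null) {
            // No protocol headers on this message, so there is no redirect to inspect.
            return;
        }
        List<?> locations = (List<?>) headers.get("Location");
        if (locations == null || locations.isEmpty()) {
            return;
        }
        try {
            // A redirect to the CAS login page means the ticket was not accepted.
            if (new URL((String) locations.get(0)).getPath().startsWith("/cas/login")) {
                logger.warn("Got redirect to cas -> removing ticket from cache");
                this.ticketCachePolicy.clearTicket(this.targetService, this.appClientUsername);
            }
        } catch (Exception e) {
            // Best effort: an unparsable Location header must not fail the response.
            logger.warn("Error while parsing redirect location", e);
        }
    }

    /**
     * Attaches the service user's CAS ticket to an outgoing HTTP request.
     *
     * <p>If no ticket is available and {@code auth.mode} is {@code dev}, a mock
     * identity is sent in the {@code oldDeprecatedSecurity_REMOVE_*} headers instead.
     *
     * @param message the outbound (request) message
     * @throws Fault if the message carries no {@code http.connection} to write headers to
     */
    public void handleOutbound(Message message) throws Fault {
        String cachedTicket = this.ticketCachePolicy.getCachedTicket(this.targetService, this.appClientUsername, new TicketCachePolicy.TicketLoader() {
            @Override
            public String loadTicket() {
                return CasClient.getTicket(CasApplicationAsAUserInterceptor.this.webCasUrl, CasApplicationAsAUserInterceptor.this.appClientUsername, CasApplicationAsAUserInterceptor.this.appClientPassword, CasApplicationAsAUserInterceptor.this.targetService);
            }
        });
        HttpURLConnection httpURLConnection = (HttpURLConnection) message.get("http.connection");
        if (httpURLConnection == null) {
            // Fail with a clear cause instead of a NullPointerException further down.
            throw new Fault(new IllegalStateException("No http.connection on outbound message, cannot attach CasSecurityTicket"));
        }
        if (cachedTicket != null || !"dev".equals(this.authMode)) {
            httpURLConnection.setRequestProperty("CasSecurityTicket", cachedTicket);
            // Only the presence of the ticket is logged: the ticket itself is a bearer
            // credential and anyone able to read the log could replay it.
            logger.info("CasApplicationAsAUserInterceptor, targetService: {}, endpoint: {}, serviceuser: {}, CasSecurityTicket present: {}", this.targetService, message.get(Message.ENDPOINT_ADDRESS), this.appClientUsername, cachedTicket != null);
            return;
        }
        // Dev-mode fallback (auth.mode=dev and no ticket): identity and authorities travel as
        // caller-supplied headers, which any client could set. Never enable in production.
        // NOTE(review): confirm the receiving services ignore the oldDeprecatedSecurity_*
        // headers unless they run in dev mode themselves.
        Set<GrantedAuthority> mockAuthorities = buildMockAuthorities();
        logger.warn("building mock user: " + MOCK_USER_OID + ", authorities: " + mockAuthorities);
        TestingAuthenticationToken mockToken = new TestingAuthenticationToken(MOCK_USER_OID, MOCK_USER_OID, new ArrayList<GrantedAuthority>(mockAuthorities));
        httpURLConnection.setRequestProperty("CasSecurityTicket", "oldDeprecatedSecurity_REMOVE");
        String mockUserName = mockToken.getName();
        httpURLConnection.setRequestProperty("oldDeprecatedSecurity_REMOVE_username", mockUserName);
        httpURLConnection.setRequestProperty("oldDeprecatedSecurity_REMOVE_authorities", toString(mockAuthorities));
        logger.info("DEV Proxy ticket! user: " + mockUserName + ", authorities: " + mockAuthorities);
    }

    /** @param str base URL of the CAS server that issues tickets */
    public void setWebCasUrl(String str) {
        this.webCasUrl = str;
    }

    /** @param str the service the ticket is requested for; also part of the ticket cache key */
    public void setTargetService(String str) {
        this.targetService = str;
    }

    /** @param str user name of the application (service) user */
    public void setAppClientUsername(String str) {
        this.appClientUsername = str;
    }

    /** @param str password of the application (service) user */
    public void setAppClientPassword(String str) {
        this.appClientPassword = str;
    }

    /**
     * Serializes authorities for the dev-mode header.
     *
     * @param collection the authorities to serialize
     * @return each authority name followed by a comma, including after the last one
     */
    private String toString(Collection<? extends GrantedAuthority> collection) {
        StringBuilder sb = new StringBuilder();
        for (GrantedAuthority authority : collection) {
            // The trailing comma is kept: the header format is unchanged from the original.
            sb.append(authority.getAuthority()).append(",");
        }
        return sb.toString();
    }

    /** @return the policy used to cache and evict CAS tickets */
    public TicketCachePolicy getTicketCachePolicy() {
        return this.ticketCachePolicy;
    }

    /** @param ticketCachePolicy the policy used to cache and evict CAS tickets */
    public void setTicketCachePolicy(TicketCachePolicy ticketCachePolicy) {
        this.ticketCachePolicy = ticketCachePolicy;
    }
}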
