package edu.uiuc.ncsa.myproxy.oa4mp.server.servlet;

import edu.uiuc.ncsa.myproxy.MyProxyServiceFacade;
import edu.uiuc.ncsa.myproxy.oa4mp.server.ServiceConstantKeys;
import edu.uiuc.ncsa.myproxy.oa4mp.server.util.JGlobusUtil;
import edu.uiuc.ncsa.myproxy.oa4mp.server.util.OA4MPIdentifierProvider;
import edu.uiuc.ncsa.security.core.exceptions.GeneralException;
import edu.uiuc.ncsa.security.core.util.DateUtils;
import edu.uiuc.ncsa.security.delegation.server.ServiceTransaction;
import edu.uiuc.ncsa.security.delegation.server.request.IssuerResponse;
import edu.uiuc.ncsa.security.delegation.servlet.TransactionState;
import edu.uiuc.ncsa.security.delegation.token.MyX509Certificates;
import edu.uiuc.ncsa.security.servlet.JSPUtil;
import edu.uiuc.ncsa.security.servlet.Presentable;
import edu.uiuc.ncsa.security.servlet.PresentableState;
import edu.uiuc.ncsa.security.util.pkcs.CertUtil;
import edu.uiuc.ncsa.security.util.pkcs.MyPKCS10CertRequest;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.util.LinkedList;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringEscapeUtils;

/* loaded from: input_file:WEB-INF/lib/oa4mp-server-api-1.1.3.jar:edu/uiuc/ncsa/myproxy/oa4mp/server/servlet/AbstractAuthorizationServlet.class */
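/**
 * Base servlet for the interactive authorization step of an OA4MP delegation flow.
 *
 * <p>The flow has two states, selected by the {@value #AUTHORIZATION_ACTION_KEY} request
 * parameter (see {@link #getState(HttpServletRequest)}): the initial state shows the login
 * form ({@link #INITIAL_PAGE}); the "ok" state takes the submitted (or header-supplied)
 * user name, obtains certificates from MyProxy, stores them on the transaction and
 * redirects to the client's callback. A {@link GeneralSecurityException} during the
 * certificate request sends the user back to the login form with a retry message.
 *
 * <p>Subclasses supply {@link #createCallback(ServiceTransaction)}.
 */
public abstract class AbstractAuthorizationServlet extends MyProxyDelegationServlet implements Presentable, AuthorizationHandler {
    /** Request parameter that selects the step of the flow; see {@link #getState(HttpServletRequest)}. */
    public static final String AUTHORIZATION_ACTION_KEY = "action";
    /** Login-form parameter carrying the user name. */
    public static final String AUTHORIZATION_USER_NAME_KEY = "AuthUserName";
    /** Request attribute under which the HTML-escaped, header-derived user name is handed to the JSP. */
    public static final String AUTHORIZATION_USER_NAME_VALUE = "userName";
    /** Login-form parameter carrying the password. Its value is passed to MyProxy and never logged. */
    public static final String AUTHORIZATION_PASSWORD_KEY = "AuthPassword";
    /** Value of {@link #AUTHORIZATION_ACTION_KEY} meaning the login form was submitted. */
    public static final String AUTHORIZATION_ACTION_OK_VALUE = "ok";
    /** State: the form was submitted, request certificates. */
    public static final int AUTHORIZATION_ACTION_OK = 1;
    /** State: show the login form. */
    public static final int AUTHORIZATION_ACTION_START = 0;
    /** Request attribute (and message key) for the text shown when the user must retry the login. */
    public static final String RETRY_MESSAGE = "retryMessage";
    /** JSP shown in the start state. Mutable so deployments can override it. */
    public static String INITIAL_PAGE = "/authorize-init.jsp";
    /** JSP shown in the ok state when no redirect happened. */
    public static String OK_PAGE = "/authorize-ok.jsp";
    /** JSP used by {@link #handleError(PresentableState, Throwable)}. */
    public static String ERROR_PAGE = "/authorize-error.jsp";

    /**
     * Presentation state of one authorization request: the flow state plus the
     * transaction the request refers to.
     */
    public class AuthorizedState extends PresentationState {
        ServiceTransaction transaction;

        /**
         * @param i                   flow state, {@link #AUTHORIZATION_ACTION_START} or {@link #AUTHORIZATION_ACTION_OK}
         * @param httpServletRequest  current request
         * @param httpServletResponse current response
         * @param serviceTransaction  transaction identified by the request's token
         */
        public AuthorizedState(int i, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ServiceTransaction serviceTransaction) {
            super(i, httpServletRequest, httpServletResponse);
            this.transaction = serviceTransaction;
        }

        /** @return the transaction this request belongs to */
        public ServiceTransaction getTransaction() {
            return this.transaction;
        }
    }

    /**
     * User name and (possibly absent) password resolved for a certificate request.
     * The password is only read from the form when the transaction carried no user name yet.
     */
    private static final class FormLogin {
        final String username;
        /** Null when the user name was already stored on the transaction and no form password was read. */
        final String password;

        FormLogin(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    /**
     * Not used by this servlet: the authorization step never verifies an issuer response.
     *
     * @return always {@code null}
     */
    @Override // edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.MyProxyDelegationServlet
    public ServiceTransaction verifyAndGet(IssuerResponse issuerResponse) throws IOException {
        return null;
    }

    /**
     * Builds the URL the browser is redirected to once certificates have been stored.
     *
     * @param serviceTransaction the completed transaction
     * @return the client's callback URL
     */
    public abstract String createCallback(ServiceTransaction serviceTransaction);

    /**
     * Sets the request attributes the login JSP needs. Only the start state has a page
     * with attributes; every other state is a no-op.
     *
     * @param presentableState must be an {@link AuthorizedState}
     */
    @Override // edu.uiuc.ncsa.security.servlet.Presentable
    public void prepare(PresentableState presentableState) throws Throwable {
        AuthorizedState state = (AuthorizedState) presentableState;
        if (state.getState() != AUTHORIZATION_ACTION_START) {
            return;
        }
        ServiceTransaction transaction = state.getTransaction();
        info("3.a. Starting authorization for grant =" + transaction.getIdentifierString());
        HttpServletRequest request = presentableState.getRequest();
        // Parameter names and values the form must post, so the JSP does not hard-code them.
        request.setAttribute(AUTHORIZATION_USER_NAME_KEY, AUTHORIZATION_USER_NAME_KEY);
        request.setAttribute(AUTHORIZATION_PASSWORD_KEY, AUTHORIZATION_PASSWORD_KEY);
        request.setAttribute(AUTHORIZATION_ACTION_KEY, AUTHORIZATION_ACTION_KEY);
        request.setAttribute("actionOk", AUTHORIZATION_ACTION_OK_VALUE);
        request.setAttribute("authorizationGrant", transaction.getIdentifierString());
        request.setAttribute("tokenKey", CONST(ServiceConstantKeys.TOKEN_KEY));
        // Client-supplied registration data is rendered into HTML: escape it here, not in the JSP.
        request.setAttribute("clientHome", StringEscapeUtils.escapeHtml(transaction.getClient().getHomeUri()));
        request.setAttribute(RegistrationServlet.CLIENT_NAME, StringEscapeUtils.escapeHtml(transaction.getClient().getName()));
        request.setAttribute("actionToTake", request.getContextPath() + "/authorize");
    }

    /**
     * Forwards to the JSP for the current state. In the start state a user name may first be
     * taken from a trusted request header, if the configuration enables that.
     *
     * @param presentableState must be an {@link AuthorizedState}
     * @throws GeneralException if the configuration requires a header that the request lacks
     */
    @Override // edu.uiuc.ncsa.security.servlet.Presentable
    public void present(PresentableState presentableState) throws Throwable {
        AuthorizedState state = (AuthorizedState) presentableState;
        HttpServletRequest request = presentableState.getRequest();
        HttpServletResponse response = presentableState.getResponse();
        postprocess(new TransactionState(request, state.getResponse(), null, state.getTransaction()));
        // The login form collects a password; refuse framing just as handleError does for the error page.
        response.setHeader("X-Frame-Options", "DENY");
        switch (state.getState()) {
            case AUTHORIZATION_ACTION_START:
                String page = INITIAL_PAGE;
                info("*** STARTING present");
                applyHeaderUsername(state);
                JSPUtil.fwd(request, response, page);
                info("3.a. User information obtained for grant = " + state.getTransaction().getAuthorizationGrant());
                return;
            case AUTHORIZATION_ACTION_OK:
                JSPUtil.fwd(request, response, OK_PAGE);
                return;
            default:
                debug("Hit default case in AbstractAuthZ servlet");
        }
    }

    /**
     * Stores a user name taken from the configured request header (or the container's
     * remote user) on the transaction, when header use is enabled and the header is present.
     *
     * @throws GeneralException if the header is required by configuration but absent
     */
    private void applyHeaderUsername(AuthorizedState state) throws IOException {
        if (!getServiceEnvironment().getAuthorizationServletConfig().isUseHeader()) {
            info("*** PRESENT: Use headers DISABLED.");
            return;
        }
        info("*** PRESENT: Use headers enabled.");
        String headerName = getServiceEnvironment().getAuthorizationServletConfig().getHeaderFieldName();
        String headerUser;
        if ("REMOTE_USER".equals(headerName)) {
            // REMOTE_USER is not a real header; the container supplies it after its own authentication.
            headerUser = state.getRequest().getRemoteUser();
            info("*** got user name from request = " + headerUser);
        } else {
            headerUser = state.getRequest().getHeader(headerName);
            info("Got username from header \"" + headerName + "\" + directly: " + headerUser);
        }
        if (isEmpty(headerUser)) {
            if (getServiceEnvironment().getAuthorizationServletConfig().isRequireHeader()) {
                throw new GeneralException("Error: configuration required using the header \"" + headerName + "\" but this was not set. Cannot continue.");
            }
            return;
        }
        state.getTransaction().setUsername(headerUser);
        info("*** storing user name = " + headerUser);
        getTransactionStore().save(state.getTransaction());
        // Rendered by the JSP: escape the header value, it is attacker-influenced unless the proxy strips it.
        state.getRequest().setAttribute(AUTHORIZATION_USER_NAME_VALUE, StringEscapeUtils.escapeHtml(headerUser));
    }

    /**
     * Renders {@link #ERROR_PAGE} for {@code th}, exposing the client to the JSP and
     * refusing to be framed.
     */
    @Override // edu.uiuc.ncsa.security.servlet.Presentable
    public void handleError(PresentableState presentableState, Throwable th) throws IOException, ServletException {
        presentableState.getResponse().setHeader("X-Frame-Options", "DENY");
        presentableState.getRequest().setAttribute(OA4MPIdentifierProvider.CLIENT_ID, ((AuthorizedState) presentableState).getTransaction().getClient());
        JSPUtil.handleException(th, presentableState.getRequest(), presentableState.getResponse(), ERROR_PAGE);
    }

    /**
     * Entry point for one request: resolves the transaction from the token parameter, and
     * either shows the login form or runs the certificate request and redirects.
     *
     * @throws GeneralException if the token parameter is missing or no transaction matches it
     */
    @Override // edu.uiuc.ncsa.security.servlet.AbstractServlet
    public void doIt(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Throwable {
        info("*** STARTING request");
        String token = httpServletRequest.getParameter(CONST(ServiceConstantKeys.TOKEN_KEY));
        if (token == null) {
            throw new GeneralException("Error: Invalid request -- no token. Request rejected.");
        }
        ServiceTransaction transaction = getAndCheckTransaction(token);
        AuthorizedState state = new AuthorizedState(getState(httpServletRequest), httpServletRequest, httpServletResponse, transaction);
        prepare(state);
        preprocess(new TransactionState(httpServletRequest, httpServletResponse, null, transaction));
        if (state.getState() == AUTHORIZATION_ACTION_OK) {
            transaction.setAuthGrantValid(true);
            getTransactionStore().save(transaction);
            try {
                if (transaction.getClient().isProxyLimited()) {
                    doCertRequestLimited(httpServletRequest, httpServletResponse);
                } else {
                    doCertRequest(httpServletRequest, httpServletResponse);
                }
                return; // both cert-request paths end in a redirect; nothing to present
            } catch (GeneralSecurityException e) {
                // The cert request failed on a security error (e.g. MyProxy refused the credentials):
                // go back to the login form with the configured retry message.
                info("**** AuthZServlet, got GSX");
                httpServletRequest.setAttribute(RETRY_MESSAGE, getServiceEnvironment().getMessages().get(RETRY_MESSAGE));
                state.setState(AUTHORIZATION_ACTION_START);
                prepare(state);
            }
        }
        present(state);
    }

    /**
     * Maps the {@value #AUTHORIZATION_ACTION_KEY} parameter to a flow state.
     *
     * @return {@link #AUTHORIZATION_ACTION_START} when the parameter is absent or empty,
     *         {@link #AUTHORIZATION_ACTION_OK} when it is {@value #AUTHORIZATION_ACTION_OK_VALUE}
     * @throws GeneralException for any other value
     */
    public int getState(HttpServletRequest httpServletRequest) {
        String action = httpServletRequest.getParameter(AUTHORIZATION_ACTION_KEY);
        log("action = " + action);
        if (action == null || action.isEmpty()) {
            return AUTHORIZATION_ACTION_START;
        }
        if (AUTHORIZATION_ACTION_OK_VALUE.equals(action)) {
            return AUTHORIZATION_ACTION_OK;
        }
        // NOTE(review): the raw parameter value is echoed in the message; confirm ERROR_PAGE escapes it before rendering.
        throw new GeneralException("Error: unknown authorization request action = \"" + action + "\"");
    }

    /**
     * Looks up the transaction for an authorization-grant token and checks its client.
     *
     * @param str the token from the request
     * @return the matching transaction
     * @throws GeneralException if the token's timestamp is rejected or no transaction exists for it
     */
    protected ServiceTransaction getAndCheckTransaction(String str) throws IOException {
        DateUtils.checkTimestamp(str);
        ServiceTransaction transaction = getServiceEnvironment().getTransactionStore().get(getServiceEnvironment().getTokenForge().getAuthorizationGrant(str));
        if (transaction == null) {
            warn("Error: no delegation request found for " + str);
            throw new GeneralException("Error: no delegation request found.");
        }
        checkClient(transaction.getClient());
        return transaction;
    }

    /**
     * Resolves the user to authenticate as. A user name already on the transaction (set from a
     * header by {@link #present}) wins and no password is read; otherwise both come from the form.
     *
     * @throws GeneralException if neither source provides a user name
     */
    private FormLogin resolveLogin(HttpServletRequest request, ServiceTransaction transaction) {
        String username = transaction.getUsername();
        info("*** stored transaction username = " + username);
        if (!isEmpty(username)) {
            return new FormLogin(username, null);
        }
        username = request.getParameter(AUTHORIZATION_USER_NAME_KEY);
        info("got user name from form = " + username);
        if (isEmpty(username)) {
            throw new GeneralException("Error: No user name found");
        }
        return new FormLogin(username, request.getParameter(AUTHORIZATION_PASSWORD_KEY));
    }

    /**
     * Applies the configured user name transformer; falls back to {@code fallback} when the
     * transformer yields nothing.
     */
    private String myProxyUsername(HttpServletRequest request, String fallback) {
        String transformed = getServiceEnvironment().getUsernameTransformer().createMyProxyUsername(request);
        return transformed != null ? transformed : fallback;
    }

    /**
     * Decides the user name reported to the client: the first certificate's subject DN
     * (optionally as a Globus ID) when configured, otherwise the name used with MyProxy.
     */
    private String usernameToReturn(MyX509Certificates certs, String myProxyUsername) {
        if (!getServiceEnvironment().getAuthorizationServletConfig().isReturnDnAsUsername()) {
            return myProxyUsername;
        }
        String dn;
        if (certs.getX509Certificates().length > 0) {
            dn = certs.getX509Certificates()[0].getSubjectX500Principal().getName();
            if (getServiceEnvironment().getAuthorizationServletConfig().isConvertDNToGlobusID()) {
                dn = JGlobusUtil.toGlobusID(dn);
            }
        } else {
            dn = "no_certificates_found";
        }
        info("3.c. Set username returned to client to first certificate's DN: " + dn);
        return dn;
    }

    /**
     * Final step shared by both cert-request paths: record the user name and a fresh verifier,
     * persist the transaction and redirect the browser to the client's callback.
     */
    private void completeAndRedirect(ServiceTransaction transaction, String username, String logContext, HttpServletResponse response) throws IOException {
        transaction.setUsername(username);
        transaction.setVerifier(getServiceEnvironment().getTokenForge().getVerifier(new String[0]));
        getServiceEnvironment().getTransactionStore().save(transaction);
        debug("4.a. verifier = " + transaction.getVerifier() + ", " + logContext);
        String callback = createCallback(transaction);
        info("4.a. starting redirect to " + callback + ", " + logContext);
        response.sendRedirect(callback);
        info("4.b. Redirect to callback " + callback + " ok, " + logContext);
    }

    /**
     * Obtains certificates from MyProxy for the client's own certificate request and redirects
     * to the callback.
     *
     * @throws GeneralSecurityException if MyProxy rejects the request (caller shows the retry form)
     * @throws GeneralException         if no user name is available or no MyProxy server answered
     */
    protected void doCertRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Throwable {
        ServiceTransaction transaction = getAndCheckTransaction(httpServletRequest.getParameter(CONST(ServiceConstantKeys.TOKEN_KEY)));
        FormLogin login = resolveLogin(httpServletRequest, transaction);
        info("3.b. transaction has user name = " + login.username);
        preprocess(new TransactionState(httpServletRequest, httpServletResponse, null, transaction));
        String logContext = " transaction =" + transaction.getIdentifierString() + " and client=" + transaction.getClient().getIdentifierString();
        info("3.b. " + logContext);
        info("3.b. MP facade #=" + getServiceEnvironment().getMyProxyServices().size());
        String myProxyUsername = myProxyUsername(httpServletRequest, login.username);
        info("3.b. Starting call to MyProxy with (transformed) username = " + myProxyUsername);
        MyX509Certificates certs = new MyX509Certificates(getX509Certificates(transaction, logContext, myProxyUsername, login.password, transaction.getCertReq()));
        transaction.setProtectedAsset(certs);
        completeAndRedirect(transaction, usernameToReturn(certs, myProxyUsername), logContext, httpServletResponse);
    }

    /**
     * Limited-proxy variant: MyProxy certifies a server-side key pair, and a proxy certificate
     * for the client's request key is issued from that and prepended to the chain.
     *
     * @throws GeneralSecurityException if MyProxy rejects the request (caller shows the retry form)
     * @throws GeneralException         if the server key pair or its request cannot be created,
     *                                  no user name is available, or no MyProxy server answered
     */
    protected void doCertRequestLimited(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Throwable {
        ServiceTransaction transaction = getAndCheckTransaction(httpServletRequest.getParameter(CONST(ServiceConstantKeys.TOKEN_KEY)));
        String logContext = " transaction =" + transaction.getIdentifier() + " and client=" + transaction.getClient().getIdentifier();
        FormLogin login = resolveLogin(httpServletRequest, transaction);
        info("3.b. transaction has user name = " + login.username);
        info("3.b. " + logContext);
        KeyPair keyPair;
        MyPKCS10CertRequest serverCertRequest;
        try {
            keyPair = getServiceEnvironment().getKeyPair();
            serverCertRequest = CertUtil.createCertRequest(keyPair);
        } catch (GeneralSecurityException e) {
            error("3.b. " + e.getMessage());
            // Previously only logged, which left keyPair/serverCertRequest null and guaranteed a
            // NullPointerException below. This is a server-side failure, not a bad login, so it is
            // wrapped rather than rethrown as GeneralSecurityException (which would show the retry form).
            throw new GeneralException("Error: could not create the server-side certificate request for the limited proxy.", e);
        }
        debug("3.b. " + CertUtil.fromCertReqToString(transaction.getCertReq()));
        debug("3.b. " + CertUtil.fromCertReqToString(serverCertRequest));
        info("3.b. MP facade #=" + getServiceEnvironment().getMyProxyServices().size());
        // Same fallback as doCertRequest: a transformer returning null must not send a null user to MyProxy.
        String myProxyUsername = myProxyUsername(httpServletRequest, login.username);
        info("3.b. Starting call to MyProxy with (transformed) username = " + myProxyUsername);
        LinkedList<X509Certificate> chain = getX509Certificates(transaction, logContext, myProxyUsername, login.password, serverCertRequest);
        // Proxy for the client's public key, signed with the server key; the signing cert is the last
        // one MyProxy returned (presumably the end-entity cert — TODO confirm against getCerts' ordering).
        // Lifetime is divided by 1000, so getLifetime() is presumably in milliseconds.
        chain.addFirst(JGlobusUtil.createProxyCertificate(chain.getLast(), keyPair.getPrivate(), transaction.getCertReq().getPublicKey(), (int) (transaction.getLifetime() / 1000)));
        MyX509Certificates certs = new MyX509Certificates(chain);
        transaction.setProtectedAsset(certs);
        completeAndRedirect(transaction, usernameToReturn(certs, myProxyUsername), logContext, httpServletResponse);
    }

    /**
     * Asks the configured MyProxy servers, in order, for certificates; the first server that
     * answers wins.
     *
     * @param serviceTransaction   transaction whose lifetime is requested
     * @param str                  log context appended to messages
     * @param str2                 user name sent to MyProxy
     * @param str3                 password sent to MyProxy, may be null
     * @param myPKCS10CertRequest  certificate request to have signed
     * @return the certificates returned by the first responding server, never empty
     * @throws GeneralSecurityException as thrown by a server; not retried elsewhere since it
     *                                  usually means the credentials were rejected
     * @throws GeneralException         if no server returned certificates (cause: last non-security failure)
     */
    protected LinkedList<X509Certificate> getX509Certificates(ServiceTransaction serviceTransaction, String str, String str2, String str3, MyPKCS10CertRequest myPKCS10CertRequest) throws GeneralSecurityException {
        Throwable lastFailure = null;
        LinkedList<X509Certificate> certs = new LinkedList<>();
        for (MyProxyServiceFacade facade : getServiceEnvironment().getMyProxyServices()) {
            info("3.b. myproxy is " + facade.getFacadeConfiguration().getHostname() + ":" + facade.getFacadeConfiguration().getPort());
            try {
                certs.addAll(facade.getCerts(str2, str3, myPKCS10CertRequest.getEncoded(), serviceTransaction.getLifetime()));
                break;
            } catch (GeneralSecurityException e) {
                error("failed to get cert for token " + str + ", message = " + e.getMessage());
                throw e;
            } catch (Throwable t) {
                // Deliberate: any other failure (e.g. an unreachable server) is logged and the next server tried.
                lastFailure = t;
                error("3.b. returned exception is " + t.getClass().getName());
            }
        }
        if (certs.isEmpty()) {
            info("Error: No usable MyProxy service found." + str);
            throw new GeneralException("Error: No usable MyProxy service found.", lastFailure);
        }
        info("3.c. Got cert from MyProxy, issuing a limited proxy & storing it, " + str);
        return certs;
    }
}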
