package com.github.farmgeek4life.jenkins.negotiatesso;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.UnmodifiableIterator;
import hudson.Functions;
import java.io.IOException;
import java.net.URL;
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import jenkins.model.Jenkins;
import org.acegisecurity.context.SecurityContextHolder;
import waffle.servlet.NegotiateSecurityFilter;

/* loaded from: input_file:WEB-INF/lib/NegotiateSSO.jar:com/github/farmgeek4life/jenkins/negotiatesso/NegSecFilter.class */
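/**
 * Servlet filter that decides, per request, whether Waffle's Negotiate authentication
 * ({@link NegotiateSecurityFilter#doFilter}) is attempted or the request is handed straight to the
 * rest of the filter chain.
 *
 * <p>Every "skip" branch in {@link #doFilter} only means that this filter performs no Negotiate
 * handshake for the request. None of them authenticates the caller, so whatever authorization the
 * remaining chain enforces is the only access control on those paths.
 */
public final class NegSecFilter extends NegotiateSecurityFilter {
    /**
     * Request header whose mere presence (any value) makes this filter pass the request through
     * without attempting Negotiate authentication.
     *
     * <p>The header is supplied by the client, so it is an opt-out switch rather than a credential.
     * NOTE(review): confirm that requests skipping SSO this way are treated as anonymous, or
     * authenticated by another mechanism, further down the chain.
     */
    public static final String BYPASS_HEADER = "Bypass_Kerberos";

    // The logger is named after NegotiateSSO, not this class, so log configuration for the plugin
    // class also governs this filter's output.
    private static final Logger LOGGER = Logger.getLogger(NegotiateSSO.class.getName());

    // Raw-prefix list: a request URI starting with any of these is never sent through Negotiate.
    private static final ImmutableSet<String> ALWAYS_READABLE_PATHS = ImmutableSet.of("/login", "/logout", "/accessDenied", "/adjuncts/", "/error", "/oops", "/signup", "/tcpSlaveAgentListener", "/federatedLoginService/", "/securityRealm", "/userContent");

    // Whether requests whose host lacks the configured domain are redirected to host + "." + domain.
    private boolean redirectEnabled = false;
    // Domain appended to the host by the redirect; the default is a placeholder value.
    private String redirect = "yourdomain.com";
    // Whether requests whose remote address equals the local address skip Negotiate.
    private boolean allowLocalhost = true;

    /**
     * Routes the request either to the rest of the chain or into Waffle's Negotiate handling.
     *
     * <p>Checks run in this order, the first match winning:
     * <ol>
     *   <li>non-HTTP request/response, or {@link #BYPASS_HEADER} present: pass through;</li>
     *   <li>{@link #shouldAttemptAuthentication} says no: pass through;</li>
     *   <li>local-address request while {@code allowLocalhost} is set: pass through;</li>
     *   <li>redirect enabled, request not local, host does not contain the configured domain:
     *       redirect to the same URL with the domain appended to the host;</li>
     *   <li>security context already holds an authenticated, non-anonymous principal: pass
     *       through;</li>
     *   <li>otherwise advertise headers and delegate to the superclass filter.</li>
     * </ol>
     *
     * @param servletRequest  incoming request
     * @param servletResponse outgoing response
     * @param filterChain     remainder of the filter chain
     * @throws IOException      from the chain, the redirect, or URL parsing of the request URL
     * @throws ServletException from the chain or the superclass filter
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse) || containsBypassHeader(servletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        String requestURI = httpRequest.getRequestURI();
        LOGGER.log(Level.FINEST, "Request URI: " + requestURI);
        if (!shouldAttemptAuthentication(Jenkins.getInstance(), httpRequest, requestURI)) {
            LOGGER.log(Level.FINER, "Bypassing authentication for " + requestURI);
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // NOTE(review): "local" here means the container reports the same address for both ends of
        // the connection. Behind a reverse proxy on the same host the remote address is presumably
        // the proxy's, which would make every proxied request take this branch - confirm against
        // the deployment before leaving allowLocalhost at its default of true.
        if (this.allowLocalhost && isLocalRequest(httpRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // Read the field once; a null domain (possible via setRedirect) disables the redirect
        // instead of raising a NullPointerException on every request.
        String domain = this.redirect;
        if (this.redirectEnabled && domain != null && !isLocalRequest(httpRequest)) {
            String requestUrl = httpRequest.getRequestURL().toString();
            String host = new URL(requestUrl).getHost();
            // Locale.ROOT keeps the comparison independent of the JVM's default locale.
            // NOTE(review): this is a substring test on a host taken from the request URL, which
            // the client influences; a suffix/label match against the configured domain would be
            // stricter. Left unchanged because existing configurations may rely on partial values.
            if (!host.toLowerCase(Locale.ROOT).contains(domain.toLowerCase(Locale.ROOT))) {
                String target = appendDomainToHost(requestUrl, host, domain);
                if (target != null) {
                    httpResponse.sendRedirect(target);
                    return;
                }
            }
        }
        if (SecurityContextHolder.getContext().getAuthentication() != null && SecurityContextHolder.getContext().getAuthentication().isAuthenticated() && !Functions.isAnonymous()) {
            LOGGER.log(Level.FINER, "Bypassing filter - already authenticated: " + requestURI);
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            Functions.advertiseHeaders(httpResponse);
            LOGGER.log(Level.FINE, "Filtering request: " + requestURI);
            super.doFilter(servletRequest, servletResponse, filterChain);
        }
    }

    /**
     * Reduces a request string to its path: a leading {@code http(s)://authority/} is replaced by
     * {@code /} and everything from the first {@code ?} onward is dropped.
     *
     * <p>No decoding or dot-segment normalisation is performed; the result is the raw text.
     *
     * @param str request URI or URL
     * @return the path portion as described above
     */
    @VisibleForTesting
    static String cleanRequest(String str) {
        return str.replaceAll("^https?://[^/]+/", "/").replaceAll("\\?.*$", "");
    }

    /**
     * Decides whether Negotiate authentication should be attempted for a request.
     *
     * <p>Returns {@code false} when the cleaned path starts with an always-readable prefix, is a
     * {@code /computer/<name>/slave-agent.jnlp} request with parameter {@code encrypt=true}, or
     * names one of {@code jenkins.getUnprotectedRootActions()}.
     *
     * <p>Matching is done with {@code startsWith} on the output of {@link #cleanRequest}, which is
     * not normalised. NOTE(review): a path such as {@code /loginX}, or one carrying encoded or
     * {@code ..} segments after an exempt prefix, also matches; likewise a non-root context path
     * would presumably prevent any prefix from matching if {@code str} includes it - confirm that
     * downstream authorization does not rely on this filter for those cases.
     *
     * @param jenkins        Jenkins instance, or {@code null} to skip the root-action check
     * @param servletRequest request used only to read the {@code encrypt} parameter
     * @param str            request URI or URL
     * @return {@code true} if authentication should be attempted
     */
    @VisibleForTesting
    static boolean shouldAttemptAuthentication(Jenkins jenkins, ServletRequest servletRequest, String str) {
        String cleanRequest = cleanRequest(str);
        for (String readablePrefix : ALWAYS_READABLE_PATHS) {
            if (cleanRequest.startsWith(readablePrefix)) {
                LOGGER.log(Level.FINEST, "NoAuthRequired: Always readable path: " + cleanRequest);
                return false;
            }
        }
        if (cleanRequest.matches("/computer/[^/]+/slave-agent[.]jnlp") && "true".equals(servletRequest.getParameter("encrypt"))) {
            LOGGER.log(Level.FINEST, "NoAuthRequired: Slave agent jnlp: " + cleanRequest);
            return false;
        }
        if (jenkins == null) {
            return true;
        }
        for (String rootAction : jenkins.getUnprotectedRootActions()) {
            if (cleanRequest.startsWith("/" + rootAction + "/") || cleanRequest.equals("/" + rootAction)) {
                LOGGER.log(Level.FINEST, "NoAuthRequired: Unprotected root action: " + cleanRequest);
                return false;
            }
        }
        return true;
    }

    /** Returns whether the request is an HTTP request carrying {@link #BYPASS_HEADER}, whatever its value. */
    private static boolean containsBypassHeader(ServletRequest servletRequest) {
        return (servletRequest instanceof HttpServletRequest) && ((HttpServletRequest) servletRequest).getHeader(BYPASS_HEADER) != null;
    }

    /** Returns whether the container reports identical local and remote addresses for the request. */
    private static boolean isLocalRequest(HttpServletRequest request) {
        return request.getLocalAddr().equals(request.getRemoteAddr());
    }

    /**
     * Builds the redirect target by inserting {@code "." + domain} directly after the host in
     * {@code requestUrl}.
     *
     * <p>The host is located as literal text following {@code "://"}. Treating it as a regular
     * expression, as {@code String.replaceFirst} does, lets {@code .} in the host match any
     * character, lets a short host match inside the scheme, and gives {@code $} or {@code \} in the
     * replacement a special meaning.
     *
     * @return the rewritten URL, or {@code null} if the host is empty or cannot be located
     */
    private static String appendDomainToHost(String requestUrl, String host, String domain) {
        if (host.isEmpty()) {
            return null;
        }
        String authorityStart = "://" + host;
        int at = requestUrl.indexOf(authorityStart);
        if (at < 0) {
            return null;
        }
        int hostEnd = at + authorityStart.length();
        return requestUrl.substring(0, hostEnd) + "." + domain + requestUrl.substring(hostEnd);
    }

    /**
     * Configures the domain redirect.
     *
     * @param z   whether the redirect is enabled
     * @param str domain appended to the request host; {@code null} or empty disables the redirect
     */
    public void setRedirect(boolean z, String str) {
        this.redirectEnabled = z;
        this.redirect = str;
    }

    /**
     * Sets whether requests whose remote address equals the local address skip Negotiate.
     *
     * @param z {@code true} to let such requests pass through unauthenticated by this filter
     */
    public void setAllowLocalhost(boolean z) {
        this.allowLocalhost = z;
    }
}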
