package com.yonyou.yht.web.cas.sso;

import com.yonyou.yht.binary.Base64;
import com.yonyou.yht.sdk.ISessionStore;
import com.yonyou.yht.sdk.SessionStoreFactory;
import com.yonyou.yht.utils.SdkUtils;
import com.yonyou.yht.web.cas.sso.entity.TenantUser;
import com.yonyou.yht.web.cas.util.CasClientUtils;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.zip.Inflater;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.jasig.cas.client.session.HashMapBackedSessionMappingStorage;
import org.jasig.cas.client.session.SessionMappingStorage;
import org.jasig.cas.client.util.CommonUtils;
import org.jasig.cas.client.util.XmlUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yonyou/yht/web/cas/sso/SingleSignOutHandler.class */
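/**
 * Handles single sign-out and session-liveness traffic for a CAS-protected application.
 *
 * <p>{@link #process} classifies each request purely by HTTP method and by the presence of a
 * parameter, then invalidates entries in the shared {@link ISessionStore} and the local
 * {@link HttpSession}. Subclasses hook application-level cleanup through the empty
 * {@code protected} methods.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Nothing in this class authenticates the sender of a logout or session-check request.
 *       NOTE(review): confirm that a filter or network control in front of this handler
 *       restricts who can reach it; otherwise any client can trigger the state changes below
 *       (forced logout via a cross-site GET on the front channel, ticket/user probing on the
 *       session-check path).</li>
 *   <li>Request parameters are copied into redirect URLs; every such value is URL-encoded here
 *       so it cannot add or override query parameters.</li>
 *   <li>Access tokens are bearer credentials and are only logged in abbreviated form.</li>
 * </ul>
 */
public class SingleSignOutHandler {
    public static final String DEFAULT_ARTIFACT_PARAMETER_NAME = "ticket";
    public static final String DEFAULT_LOGOUT_PARAMETER_NAME = "logoutRequest";
    public static final String DEFAULT_LOGOUT_TOKEN_PARAMETER_NAME = "logoutTokenRequest";
    public static final String DEFAULT_FRONT_LOGOUT_PARAMETER_NAME = "SAMLRequest";
    public static final String DEFAULT_FRONT_LOGOUT_TOKEN_PARAMETER_NAME = "SAMLAccessToken";
    public static final String DEFAULT_RELAY_STATE_PARAMETER_NAME = "RelayState";
    // The misspelling is part of the public API; renaming it would break existing references.
    public static final String DEFAULT_REDIRECR_URL_NAME = "service";
    public static final String DEFAULT_SESSION_EXPIRE_PARAMETER_NAME = "sessionExpire";
    public static final String SERVICE_SESSION_EXPIRE = "sessionExpire";
    public static final String SERVICE_SESSION_NOT_EXPIRE = "sessionNotExpire";
    private static final String CONST_CAS_ASSERTION = "_const_cas_assertion_";
    // Upper bound on inflated size relative to the Base64-decoded input (see uncompressLogoutMessage).
    private static final int DECOMPRESSION_FACTOR = 10;
    private static final String ACCESS_TOKEN_PARAMETER_NAME = "access_token";
    private static final String CAS_LOGIN_PATH = "/cas/login";
    private static final String MULTIPART_PREFIX = "multipart";

    private String casServerUrlPrefix;
    // Parameters that may be read from the request body; populated once by init().
    private List<String> safeParameters;
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private SessionMappingStorage sessionMappingStorage = new HashMapBackedSessionMappingStorage();
    private String artifactParameterName = DEFAULT_ARTIFACT_PARAMETER_NAME;
    private String logoutParameterName = DEFAULT_LOGOUT_PARAMETER_NAME;
    private String frontLogoutParameterName = DEFAULT_FRONT_LOGOUT_PARAMETER_NAME;
    private String frontLogoutTokenParameterName = DEFAULT_FRONT_LOGOUT_TOKEN_PARAMETER_NAME;
    private String relayStateParameterName = DEFAULT_RELAY_STATE_PARAMETER_NAME;
    private String redirectParameterName = DEFAULT_REDIRECR_URL_NAME;
    private String sessionExpireParameterName = "sessionExpire";
    private boolean artifactParameterOverPost = false;
    private boolean eagerlyCreateSessions = true;

    public void setSessionMappingStorage(SessionMappingStorage sessionMappingStorage) {
        this.sessionMappingStorage = sessionMappingStorage;
    }

    public void setArtifactParameterOverPost(boolean z) {
        this.artifactParameterOverPost = z;
    }

    public SessionMappingStorage getSessionMappingStorage() {
        return this.sessionMappingStorage;
    }

    public void setArtifactParameterName(String str) {
        this.artifactParameterName = str;
    }

    public void setLogoutParameterName(String str) {
        this.logoutParameterName = str;
    }

    /**
     * Sets the CAS server URL prefix. {@link #init()} requires it to be non-null, but the
     * redirect URLs built in this class come from {@code CasClientUtils.getCasUrl(request)}.
     */
    public void setCasServerUrlPrefix(String str) {
        this.casServerUrlPrefix = str;
    }

    public void setFrontLogoutParameterName(String str) {
        this.frontLogoutParameterName = str;
    }

    public void setRelayStateParameterName(String str) {
        this.relayStateParameterName = str;
    }

    public void setEagerlyCreateSessions(boolean z) {
        this.eagerlyCreateSessions = z;
    }

    /**
     * Validates the configuration and builds the list of parameters that may be read from the
     * request body. Does nothing once the list exists.
     *
     * @throws IllegalArgumentException presumably, via {@code CommonUtils.assertNotNull}, when a
     *     required setting is null (the exception type is not visible in this file)
     */
    public synchronized void init() {
        if (this.safeParameters != null) {
            return;
        }
        CommonUtils.assertNotNull(this.artifactParameterName, "artifactParameterName cannot be null.");
        CommonUtils.assertNotNull(this.logoutParameterName, "logoutParameterName cannot be null.");
        CommonUtils.assertNotNull(this.frontLogoutParameterName, "frontLogoutParameterName cannot be null.");
        CommonUtils.assertNotNull(this.sessionMappingStorage, "sessionMappingStorage cannot be null.");
        CommonUtils.assertNotNull(this.relayStateParameterName, "relayStateParameterName cannot be null.");
        CommonUtils.assertNotNull(this.casServerUrlPrefix, "casServerUrlPrefix cannot be null.");
        if (this.artifactParameterOverPost) {
            this.safeParameters = Arrays.asList(this.logoutParameterName, this.artifactParameterName, this.sessionExpireParameterName);
        } else {
            this.safeParameters = Arrays.asList(this.logoutParameterName, this.sessionExpireParameterName);
        }
    }

    private boolean isTokenRequest(HttpServletRequest httpServletRequest) {
        return CommonUtils.isNotBlank(CommonUtils.safeGetParameter(httpServletRequest, this.artifactParameterName, this.safeParameters));
    }

    /** A non-multipart POST that carries the session-expire parameter. */
    private boolean isSessionExpireRequest(HttpServletRequest httpServletRequest) {
        return isPlainPost(httpServletRequest)
                && CommonUtils.isNotBlank(CommonUtils.safeGetParameter(httpServletRequest, this.sessionExpireParameterName, this.safeParameters));
    }

    /** A non-multipart POST that carries the logout parameter. */
    private boolean isBackChannelLogoutRequest(HttpServletRequest httpServletRequest) {
        return isPlainPost(httpServletRequest)
                && CommonUtils.isNotBlank(CommonUtils.safeGetParameter(httpServletRequest, this.logoutParameterName, this.safeParameters));
    }

    /** A GET that carries the front-channel logout parameter. */
    private boolean isFrontChannelLogoutRequest(HttpServletRequest httpServletRequest) {
        return "GET".equals(httpServletRequest.getMethod())
                && CommonUtils.isNotBlank(CommonUtils.safeGetParameter(httpServletRequest, this.frontLogoutParameterName));
    }

    /** A GET that carries the front-channel access-token logout parameter. */
    private boolean isFrontChannelAccessTokenLogoutRequest(HttpServletRequest httpServletRequest) {
        return "GET".equals(httpServletRequest.getMethod())
                && CommonUtils.isNotBlank(CommonUtils.safeGetParameter(httpServletRequest, this.frontLogoutTokenParameterName));
    }

    /**
     * Dispatches a request to the matching sign-out or session-check handler.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response, written to or redirected for handled requests
     * @return {@code true} when the request is not a sign-out or session-check request and the
     *     caller should continue normal processing; {@code false} when it was handled here
     */
    public boolean process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (isSessionExpireRequest(httpServletRequest)) {
            this.logger.info("Received a session check request");
            checkExpire(httpServletRequest, httpServletResponse);
            return false;
        }
        if (isBackChannelLogoutRequest(httpServletRequest)) {
            this.logger.trace("Received a back channel logout request");
            destroyToken(httpServletRequest, httpServletResponse);
            return false;
        }
        if (isFrontChannelLogoutRequest(httpServletRequest)) {
            // Logged at info rather than error: this is a normal event that any client can
            // trigger, and error-level entries here would bury real failures.
            this.logger.info("Received a front channel logout request");
            destroyToken(httpServletRequest, httpServletResponse);
            redirectIfPresent(httpServletResponse, computeRedirectionToServer(httpServletRequest));
            return false;
        }
        if (isFrontChannelAccessTokenLogoutRequest(httpServletRequest)) {
            this.logger.info("Received a front channel access token logout request");
            destroyAccessToken(httpServletRequest, httpServletResponse);
            redirectIfPresent(httpServletResponse, computeLogoutAccessTokenRedirectionToServer(httpServletRequest));
            return false;
        }
        if (isBackChannelAccessTokenLogoutRequest(httpServletRequest)) {
            this.logger.trace("Received a back channel access token logout request");
            destroyAccessToken(httpServletRequest, httpServletResponse);
            return false;
        }
        this.logger.trace("Ignoring URI for logout: {}", httpServletRequest.getRequestURI());
        return true;
    }

    /** Sends the redirect unless no target could be computed. */
    private void redirectIfPresent(HttpServletResponse response, String target) {
        if (target != null) {
            CommonUtils.sendRedirect(response, target);
        }
    }

    /**
     * Invalidates the access token named by the {@code access_token} parameter in the session
     * store, then calls the front- or back-channel application hook.
     */
    private void destroyAccessToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String accessToken = getAccessToken(httpServletRequest);
        if (CommonUtils.isBlank(accessToken)) {
            // Without this guard the store would be asked to invalidate "accessToken_null".
            this.logger.warn("Ignoring access token logout request without an access_token parameter");
            return;
        }
        // The token is a bearer credential supplied by the client: log an abbreviated form only.
        String tokenForLog = maskForLog(accessToken);
        this.logger.debug("Recording session for token {}", tokenForLog);
        ISessionStore sessionStore = SessionStoreFactory.getSessionStore();
        this.logger.info("Destory access token {} login info ", tokenForLog);
        sessionStore.invalidateAccessToken("accessToken_" + accessToken);
        this.logger.info("Success destory access token {} ", tokenForLog);
        if (isFrontChannelAccessTokenLogoutRequest(httpServletRequest)) {
            this.logger.info("Front channel logout accessToken");
            frontDestoryAppAccessToken(accessToken);
        } else {
            this.logger.info("Back channel logout accessToken");
            destoryAppAccessToken(accessToken);
        }
        this.logger.info("Finished Destroy accessToken in application");
    }

    /**
     * Shortens a secret for logging: a short prefix with control characters replaced, plus the
     * length, so entries can be correlated without exposing the credential or letting a
     * client-supplied value inject line breaks into the log.
     */
    private static String maskForLog(String secret) {
        if (secret == null) {
            return "null";
        }
        int visible = Math.min(4, secret.length() / 4);
        String prefix = secret.substring(0, visible).replaceAll("\\p{Cntrl}", "?");
        return prefix + "***(" + secret.length() + " chars)";
    }

    private String getAccessToken(HttpServletRequest httpServletRequest) {
        return CommonUtils.safeGetParameter(httpServletRequest, ACCESS_TOKEN_PARAMETER_NAME, Arrays.asList(ACCESS_TOKEN_PARAMETER_NAME));
    }

    /** Hook: application cleanup after a back-channel access-token logout. No-op by default. */
    protected void destoryAppAccessToken(String str) {
    }

    /** Hook: application cleanup after a front-channel access-token logout. No-op by default. */
    protected void frontDestoryAppAccessToken(String str) {
    }

    /** A non-multipart POST that carries the {@code logoutTokenRequest} parameter. */
    private boolean isBackChannelAccessTokenLogoutRequest(HttpServletRequest httpServletRequest) {
        return isPlainPost(httpServletRequest)
                && CommonUtils.isNotBlank(CommonUtils.safeGetParameter(httpServletRequest, DEFAULT_LOGOUT_TOKEN_PARAMETER_NAME, Arrays.asList(DEFAULT_LOGOUT_TOKEN_PARAMETER_NAME)));
    }

    /**
     * Answers a session-liveness query: writes the remaining lifetime in milliseconds when the
     * session is alive, otherwise invalidates the stored session where applicable and reports a
     * timeout.
     *
     * <p>NOTE(review): the message is taken from an unauthenticated POST, and the full payload
     * (ticket and user id) is logged at info level below; confirm that exposure is acceptable.
     */
    private void checkExpire(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String message = CommonUtils.safeGetParameter(httpServletRequest, this.sessionExpireParameterName, this.safeParameters);
        this.logger.info("Session Alive request:\n{}", message);
        String sessionIndex = XmlUtils.getTextForElement(message, "SessionIndex");
        String userId = XmlUtils.getTextForElement(message, "UserId");
        if (CommonUtils.isBlank(sessionIndex) || CommonUtils.isBlank(userId)) {
            this.logger.error("#######Can not find ticket or userId from msg [{}]", message);
            return;
        }
        // Subclass answer: > 0 is the remaining lifetime, -1 means expired, anything else
        // (the default is -100) falls through to the session store lookup.
        long sessionAliveTime = getSessionAliveTime(sessionIndex);
        if (sessionAliveTime > 0) {
            reponseToCasServer(httpServletResponse, sessionAliveTime);
            return;
        }
        ISessionStore sessionStore = SessionStoreFactory.getSessionStore();
        String savedUserId = SdkUtils.getSavedUserId(sessionIndex, userId);
        if (sessionAliveTime == -1) {
            this.logger.info("Check app session expire  ,so invalide ticket [{}]", sessionIndex);
            sessionStore.invalidate(savedUserId);
            this.logger.info("Check app session expire finished  [{}]", sessionIndex);
            reponseToCasServer(httpServletResponse, -1L);
            return;
        }
        this.logger.info("Check Session Expire recording session for ticket {}", sessionIndex);
        TenantUser user = sessionStore.getUser(savedUserId);
        if (user != null) {
            if (!SdkUtils.isTicketExpire(user)) {
                long ticketAliveTime = SdkUtils.getTicketAliveTime(user);
                this.logger.info("Session of ticket [{}] will alive [{}] milliseconds", sessionIndex, Long.valueOf(ticketAliveTime));
                reponseToCasServer(httpServletResponse, ticketAliveTime);
                return;
            }
            this.logger.info("Check expire ,Ticket [{}] is expired ,so invalide it", sessionIndex);
            sessionStore.invalidate(savedUserId);
            this.logger.info("Check expire Ticket [{}] invalide finished", sessionIndex);
        }
        this.logger.info("session of ticket [{}] not alive ", sessionIndex);
        reponseToCasServer(httpServletResponse, -1L);
    }

    /**
     * Hook: remaining lifetime of the application session for a ticket. The default returns
     * {@code -100}, which makes {@code checkExpire} consult the session store.
     */
    protected long getSessionAliveTime(String str) {
        return -100L;
    }

    /** Writes the lifetime when positive, otherwise the literal {@code Session TimeOut}. */
    private void reponseToCasServer(HttpServletResponse httpServletResponse, long j) {
        try {
            String body = j > 0 ? Long.toString(j) : "Session TimeOut";
            httpServletResponse.getWriter().write(body);
            httpServletResponse.getWriter().flush();
        } catch (IOException e) {
            this.logger.error("reponse to cas server error", e);
        }
    }

    /**
     * Base64-decodes and inflates a logout message into a UTF-8 string.
     *
     * <p>The output buffer is capped at {@code DECOMPRESSION_FACTOR} times the decoded input, so
     * a small input cannot expand without bound. A single {@code inflate} call fills that
     * buffer; anything beyond the cap is dropped without an error.
     *
     * @throws RuntimeException wrapping any decoding or inflation failure
     */
    private String uncompressLogoutMessage(String str) {
        Inflater inflater = null;
        try {
            byte[] compressed = Base64.decodeBase64(str);
            inflater = new Inflater();
            inflater.setInput(compressed);
            byte[] inflated = new byte[compressed.length * DECOMPRESSION_FACTOR];
            int inflatedLength = inflater.inflate(inflated);
            return new String(inflated, 0, inflatedLength, "UTF-8");
        } catch (Exception e) {
            this.logger.error("Unable to decompress logout message", e);
            throw new RuntimeException(e);
        } finally {
            // Inflater holds native memory; release it on every path.
            if (inflater != null) {
                inflater.end();
            }
        }
    }

    /**
     * Invalidates the SSO session in the session store, then the local HTTP session.
     *
     * <p>Front channel: the store entry is resolved from the request cookies and the SSO
     * cookies are blanked on the response. Back channel: the store key is built from the
     * {@code SessionIndex} and {@code UserId} elements of the logout message.
     *
     * <p>NOTE(review): the back-channel key is built by hand here while {@code checkExpire}
     * uses {@code SdkUtils.getSavedUserId}; confirm both produce the same key.
     */
    private void destroyToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        ISessionStore sessionStore = SessionStoreFactory.getSessionStore();
        try {
            if (isFrontChannelLogoutRequest(httpServletRequest)) {
                Cookie[] cookies = httpServletRequest.getCookies();
                sessionStore.invalidateByCookie(cookies);
                if (cookies != null) {
                    for (Cookie cookie : cookies) {
                        if (isProcess(cookie.getName())) {
                            cookie.setValue(null);
                            // NOTE(review): a negative max-age yields a session cookie rather than
                            // an expired one (0 would delete it); Secure is not set and no Domain
                            // is given, so a cookie issued with a Domain would not be overwritten.
                            cookie.setMaxAge(-1);
                            cookie.setHttpOnly(true);
                            cookie.setPath("/");
                            httpServletResponse.addCookie(cookie);
                        }
                    }
                }
                frontLogout(httpServletRequest, httpServletResponse);
            } else {
                String logoutMessage = CommonUtils.safeGetParameter(httpServletRequest, this.logoutParameterName, this.safeParameters);
                this.logger.trace("Logout request:\n{}", logoutMessage);
                String sessionIndex = XmlUtils.getTextForElement(logoutMessage, "SessionIndex");
                String userId = XmlUtils.getTextForElement(logoutMessage, "UserId");
                if (!CommonUtils.isBlank(sessionIndex) && !CommonUtils.isBlank(userId)) {
                    sessionStore.invalidate(sessionIndex + "__" + userId);
                    backLogout(sessionIndex);
                }
            }
        } catch (Exception e) {
            // Best effort: the local session is still invalidated below. Logged at error because
            // a failure here can leave the SSO session usable after a logout.
            this.logger.error("Failed to invalidate SSO session during logout", e);
        }
        this.logger.info("will invalidate session");
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        try {
            httpServletRequest.logout();
        } catch (Exception e) {
            this.logger.debug("Error performing request.logout.", e);
        }
    }

    /** Hook: application cleanup during a front-channel logout. No-op by default. */
    protected void frontLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
    }

    /** Hook: application cleanup during a back-channel logout; receives the session index. */
    protected void backLogout(String str) {
    }

    /** Whether the cookie name is one of the SSO cookies cleared on front-channel logout. */
    private boolean isProcess(String str) {
        return CasClientUtils.COOKIE_TOKEN_KEY.equals(str) || CasClientUtils.COOKIE_USERNAME_KEY.equals(str) || CasClientUtils.COOKIE_TENANTINFO_KEY.equals(str);
    }

    /**
     * Returns the CAS URL for this request with everything from {@code /cas/login} onward
     * removed, or the URL unchanged when it does not contain that path.
     *
     * <p>NOTE(review): how {@code CasClientUtils.getCasUrl} derives its value is not visible
     * here; if it reads request headers, the redirect host becomes client-influenced.
     */
    private String casBaseUrl(HttpServletRequest request) {
        String casUrl = CasClientUtils.getCasUrl(request);
        int loginPathIndex = casUrl.indexOf(CAS_LOGIN_PATH);
        return loginPathIndex == -1 ? casUrl : casUrl.substring(0, loginPathIndex);
    }

    /**
     * Appends the client-supplied return URL as an encoded {@code service} parameter. Encoding
     * keeps a value such as {@code x&service=other} from adding or overriding query parameters;
     * a blank value is omitted rather than sent as the text {@code null}.
     *
     * <p>NOTE(review): where the browser finally lands depends on the CAS server's own service
     * validation; this class does not restrict the value.
     */
    private void appendServiceParameter(StringBuilder url, HttpServletRequest request) {
        String service = CommonUtils.safeGetParameter(request, this.redirectParameterName);
        if (CommonUtils.isNotBlank(service)) {
            url.append("&service=").append(CommonUtils.urlEncode(service));
        }
    }

    /** Builds the CAS logout URL used after a front-channel logout. */
    private String computeRedirectionToServer(HttpServletRequest httpServletRequest) {
        StringBuilder url = new StringBuilder(casBaseUrl(httpServletRequest));
        url.append("/cas/logout?_eventId=next");
        String relayState = CommonUtils.safeGetParameter(httpServletRequest, this.relayStateParameterName);
        if (CommonUtils.isNotBlank(relayState)) {
            // The separator was missing, which fused this parameter into the _eventId value.
            url.append('&').append(this.relayStateParameterName).append('=').append(CommonUtils.urlEncode(relayState));
        }
        appendServiceParameter(url, httpServletRequest);
        String redirectUrl = url.toString();
        this.logger.debug("Redirection url to the CAS server: {}", redirectUrl);
        return redirectUrl;
    }

    /**
     * Builds the CAS OAuth logout URL used after a front-channel access-token logout.
     *
     * @return the URL, or {@code null} when the request carries no access token
     */
    private String computeLogoutAccessTokenRedirectionToServer(HttpServletRequest httpServletRequest) {
        String accessToken = getAccessToken(httpServletRequest);
        if (!CommonUtils.isNotBlank(accessToken)) {
            this.logger.error("can not find access Token");
            return null;
        }
        StringBuilder url = new StringBuilder(casBaseUrl(httpServletRequest));
        // The token comes straight from the request, so it is encoded like any other value.
        url.append("/cas/oauth/logout?access_token=").append(CommonUtils.urlEncode(accessToken));
        appendServiceParameter(url, httpServletRequest);
        String redirectUrl = url.toString();
        // The URL embeds the access token; keep this entry at debug level or below.
        this.logger.debug("Redirection url to the CAS server: {}", redirectUrl);
        return redirectUrl;
    }

    /** A POST whose content type is not multipart. */
    private boolean isPlainPost(HttpServletRequest request) {
        return "POST".equals(request.getMethod()) && !isMultipartRequest(request);
    }

    /**
     * Whether the content type starts with {@code multipart}, ignoring case. The comparison is
     * locale-independent: a default-locale {@code toLowerCase()} maps {@code I} to a dotless
     * {@code i} under a Turkish locale, so {@code MULTIPART/...} would not be recognised.
     */
    private boolean isMultipartRequest(HttpServletRequest httpServletRequest) {
        String contentType = httpServletRequest.getContentType();
        return contentType != null && contentType.regionMatches(true, 0, MULTIPART_PREFIX, 0, MULTIPART_PREFIX.length());
    }

    public String getSessionExpireParameterName() {
        return this.sessionExpireParameterName;
    }

    public void setSessionExpireParameterName(String str) {
        this.sessionExpireParameterName = str;
    }
}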
