package it.geosolutions.geostore.services.rest.security.keycloak;

import it.geosolutions.geostore.services.UserService;
import it.geosolutions.geostore.services.rest.SessionServiceDelegate;
import it.geosolutions.geostore.services.rest.security.TokenAuthenticationCache;
import it.geosolutions.geostore.services.rest.security.oauth2.OAuth2Utils;
import it.geosolutions.geostore.services.rest.utils.GeoStoreContext;
import java.io.IOException;
import java.util.Date;
import java.util.Objects;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.RequestAuthenticator;
import org.keycloak.adapters.authorization.util.KeycloakSecurityContextPlaceHolderResolver;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:WEB-INF/lib/geostore-rest-impl-2.2.0.jar:it/geosolutions/geostore/services/rest/security/keycloak/KeyCloakFilter.class */
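/**
 * Servlet filter that tries to authenticate the current request against Keycloak when no
 * {@link Authentication} is present in the Spring security context yet.
 *
 * <p>Flow, as implemented below:
 * <ol>
 *   <li>If the Keycloak integration is disabled or has no JSON configuration, or the request is
 *       already authenticated, the filter only forwards the request down the chain.</li>
 *   <li>Otherwise an access token is looked up on the request. A cached authentication stored
 *       under that token is reused unless its recorded expiration has passed.</li>
 *   <li>On a cache miss (or when no token was sent) the Keycloak {@link RequestAuthenticator} is
 *       run. A successful outcome is cached and exposed through the security context and request
 *       attributes.</li>
 * </ol>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>A cache hit is trusted until its locally recorded expiration. Nothing in this class
 *       re-validates the token with Keycloak on a hit, so a token revoked on the server side
 *       keeps working here until it expires or is evicted.</li>
 *   <li>Access and refresh tokens are copied into request-scoped attributes. Code that dumps
 *       request attributes (debug pages, error handlers, logging) must not print them.</li>
 * </ul>
 */
public class KeyCloakFilter extends GenericFilterBean {
    private static final Logger LOGGER = LogManager.getLogger(KeyCloakFilter.class);

    /** Request parameter / attribute name carrying the access token. */
    private static final String ACCESS_TOKEN_KEY = "access_token";

    /** Request attribute name carrying the refresh token. */
    private static final String REFRESH_TOKEN_KEY = "refresh_token";

    private final GeoStoreKeycloakAuthProvider authenticationProvider;
    private final KeyCloakHelper helper;
    private final KeyCloakConfiguration configuration;
    private final TokenAuthenticationCache cache;

    @Autowired
    protected UserService userService;

    /**
     * Creates the filter.
     *
     * @param keyCloakHelper helper used to resolve the Keycloak deployment and authenticator
     * @param tokenAuthenticationCache cache of authentications keyed by access token
     * @param keyCloakConfiguration Keycloak configuration (enabled flag and JSON config)
     * @param geoStoreKeycloakAuthProvider provider that builds the GeoStore authentication
     */
    public KeyCloakFilter(KeyCloakHelper keyCloakHelper, TokenAuthenticationCache tokenAuthenticationCache, KeyCloakConfiguration keyCloakConfiguration, GeoStoreKeycloakAuthProvider geoStoreKeycloakAuthProvider) {
        this.helper = keyCloakHelper;
        this.authenticationProvider = geoStoreKeycloakAuthProvider;
        this.cache = tokenAuthenticationCache;
        this.configuration = keyCloakConfiguration;
    }

    /**
     * Authenticates the request if needed, publishes the result, then always continues the chain.
     *
     * <p>The filter never rejects a request by itself: when authentication fails the chain is
     * still invoked with an empty security context, so access control has to be enforced
     * further down the chain.
     *
     * @param servletRequest the incoming request (cast to {@link HttpServletRequest})
     * @param servletResponse the outgoing response (cast to {@link HttpServletResponse})
     * @param filterChain the remaining filter chain
     * @throws IOException propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (enabledAndValid() && SecurityContextHolder.getContext().getAuthentication() == null) {
            Authentication authentication = authenticate((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse);

            // getRequestAttributes() returns null when no request is bound to the current thread.
            // Resolve it once and guard every use instead of dereferencing it blindly.
            RequestAttributes attributes = RequestContextHolder.getRequestAttributes();
            if (attributes == null) {
                LOGGER.warn("No request attributes are bound to the current thread: Keycloak tokens and provider key are not exposed to the request.");
            }

            if (authentication != null) {
                SecurityContextHolder.getContext().setAuthentication(authentication);
                if (attributes != null && authentication.getDetails() instanceof KeycloakTokenDetails) {
                    KeycloakTokenDetails tokenDetails = (KeycloakTokenDetails) authentication.getDetails();
                    // Tokens are bearer credentials: keep them request-scoped and never log them.
                    if (tokenDetails.getAccessToken() != null) {
                        attributes.setAttribute(ACCESS_TOKEN_KEY, tokenDetails.getAccessToken(), RequestAttributes.SCOPE_REQUEST);
                    }
                    if (tokenDetails.getRefreshToken() != null) {
                        attributes.setAttribute(REFRESH_TOKEN_KEY, tokenDetails.getRefreshToken(), RequestAttributes.SCOPE_REQUEST);
                    }
                }
            }

            // The provider key is recorded whether or not authentication succeeded.
            if (attributes != null) {
                attributes.setAttribute(SessionServiceDelegate.PROVIDER_KEY, KeycloakSecurityContextPlaceHolderResolver.NAME, RequestAttributes.SCOPE_REQUEST);
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * @return {@code true} when the Keycloak integration is enabled and a JSON configuration is set
     */
    private boolean enabledAndValid() {
        return this.configuration.isEnabled() && this.configuration.getJsonConfig() != null;
    }

    /**
     * Runs the Keycloak request authenticator and, on success, builds and caches the GeoStore
     * authentication.
     *
     * <p>When authentication was not attempted, an entry point is stored as a request attribute
     * under {@link KeyCloakLoginService#KEYCLOAK_REDIRECT}. It carries no challenge for
     * bearer-only deployments and the authenticator's challenge otherwise.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @return the authentication, or {@code null} when the request could not be authenticated
     * @throws NullPointerException if authentication was not attempted and no request attributes
     *     are bound to the current thread
     */
    protected Authentication authenticateAndUpdateCache(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        KeycloakDeployment deployment = this.helper.getDeployment(httpServletRequest, httpServletResponse);
        RequestAuthenticator authenticator = this.helper.getAuthenticator(httpServletRequest, httpServletResponse, deployment);
        AuthOutcome outcome = authenticator.authenticate();
        Authentication result = null;
        // Constant-first equals: a null outcome falls through to the failure branch.
        if (AuthOutcome.AUTHENTICATED.equals(outcome)) {
            // NOTE(review): presumably the authenticator has placed a Keycloak authentication in
            // the security context by now; the provider receives whatever is there, null included.
            result = this.authenticationProvider.authenticate(SecurityContextHolder.getContext().getAuthentication());
            updateCache(result);
        } else if (AuthOutcome.NOT_ATTEMPTED.equals(outcome)) {
            RequestAttributes attributes = Objects.requireNonNull(RequestContextHolder.getRequestAttributes(), "request attributes are not bound to the current thread");
            KeycloakAuthenticationEntryPoint entryPoint = deployment.isBearerOnly()
                    ? new KeycloakAuthenticationEntryPoint(null)
                    : new KeycloakAuthenticationEntryPoint(authenticator.getChallenge());
            attributes.setAttribute(KeyCloakLoginService.KEYCLOAK_REDIRECT, entryPoint, RequestAttributes.SCOPE_REQUEST);
        } else {
            LOGGER.warn("Failed to authentication and to redirect the user.");
        }
        return result;
    }

    /**
     * Stores the authentication in the token cache, keyed by its access token, and writes the
     * token cookie.
     *
     * <p>Nothing happens when the authentication is {@code null}, when its details are not
     * {@link KeycloakTokenDetails}, or when those details carry no access token.
     *
     * @param authentication the authentication to cache; may be {@code null}
     */
    protected void updateCache(Authentication authentication) {
        if (authentication == null) {
            // The provider produced no authentication, so there is nothing to cache.
            return;
        }
        Object details = authentication.getDetails();
        if (!(details instanceof KeycloakTokenDetails)) {
            return;
        }
        KeyCloakHelper contextHelper = (KeyCloakHelper) GeoStoreContext.bean(KeyCloakHelper.class);
        KeycloakTokenDetails tokenDetails = (KeycloakTokenDetails) details;
        String accessToken = tokenDetails.getAccessToken();
        if (accessToken == null) {
            return;
        }
        this.cache.putCacheEntry(accessToken, authentication);
        if (contextHelper != null) {
            SimpleHttpFacade facade = new SimpleHttpFacade(OAuth2Utils.getRequest(), OAuth2Utils.getResponse());
            // NOTE(review): cookie attributes (HttpOnly, Secure, SameSite) are decided inside
            // KeycloakCookieUtils and are not visible here - confirm them there.
            KeycloakCookieUtils.setTokenCookie(contextHelper.getDeployment(facade), facade, tokenDetails);
        }
    }

    /**
     * Resolves the authentication for the request, using the token cache first.
     *
     * <p>A cached entry whose {@link KeycloakTokenDetails} expiration is in the past is evicted
     * and the request is re-authenticated. Cached entries whose details are of another type are
     * returned as they are, with no expiry check in this class.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @return the authentication, or {@code null} when the request could not be authenticated
     */
    protected Authentication authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // NOTE(review): judging by the helper's name the token may come from a request parameter
        // as well as from the Authorization header. Tokens sent in URLs tend to end up in access
        // logs, browser history and Referer headers, so clients should prefer the header.
        String token = OAuth2Utils.tokenFromParamsOrBearer(ACCESS_TOKEN_KEY, httpServletRequest);
        if (token == null) {
            return authenticateAndUpdateCache(httpServletRequest, httpServletResponse);
        }

        Authentication cached = this.cache.get(token);
        if (cached != null && cached.getDetails() instanceof KeycloakTokenDetails) {
            KeycloakTokenDetails tokenDetails = (KeycloakTokenDetails) cached.getDetails();
            // NOTE(review): assumes getExpiration() is never null for a cached entry - confirm.
            if (tokenDetails.getExpiration().before(new Date())) {
                LOGGER.warn("Token has expired and the refresh token endpoint has not been called. The request will not be authorized by the keycloak filter");
                this.cache.removeEntry(tokenDetails.getAccessToken());
                cached = null;
            }
        }
        if (cached != null) {
            return cached;
        }
        return authenticateAndUpdateCache(httpServletRequest, httpServletResponse);
    }
}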
