package it.geosolutions.geostore.services.rest.security.oauth2;

import com.google.common.collect.Lists;
import it.geosolutions.geostore.core.model.User;
import it.geosolutions.geostore.core.model.UserAttribute;
import it.geosolutions.geostore.core.model.UserGroup;
import it.geosolutions.geostore.core.model.enums.Role;
import it.geosolutions.geostore.core.security.password.SecurityUtils;
import it.geosolutions.geostore.services.UserGroupService;
import it.geosolutions.geostore.services.UserService;
import it.geosolutions.geostore.services.exception.BadRequestServiceEx;
import it.geosolutions.geostore.services.exception.NotFoundServiceEx;
import it.geosolutions.geostore.services.rest.SessionServiceDelegate;
import it.geosolutions.geostore.services.rest.security.TokenAuthenticationCache;
import java.io.IOException;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter;
import org.springframework.security.oauth2.client.http.AccessTokenRequiredException;
import org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException;
import org.springframework.security.oauth2.client.resource.UserRedirectRequiredException;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.web.client.ResourceAccessException;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/* loaded from: input_file:WEB-INF/lib/geostore-rest-impl-2.2.0.jar:it/geosolutions/geostore/services/rest/security/oauth2/OAuth2GeoStoreAuthenticationFilter.class */
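/**
 * Spring Security filter that authenticates GeoStore requests against an OAuth2 provider.
 *
 * <p>Two paths are supported (see {@link OAuth2AuthenticationType}): a bearer token carried by the
 * request, which is validated remotely and cached in the {@link TokenAuthenticationCache}, or the
 * interactive authorization-code flow driven by the superclass. On success the remote principal is
 * mapped to a GeoStore {@link User} (auto-created when the configuration allows it) and optionally
 * enriched with roles and groups read from the ID token. {@link #doFilter} always continues the
 * filter chain: a failed or absent authentication simply leaves the request unauthenticated for
 * the filters that follow.
 */
public abstract class OAuth2GeoStoreAuthenticationFilter extends OAuth2ClientAuthenticationProcessingFilter {
    /** Request attribute holding the {@link Authentication} produced by the OAuth2 client filter (may be null). */
    public static final String OAUTH2_AUTHENTICATION_KEY = "oauth2.authentication";
    /** Request attribute holding the {@link OAuth2AuthenticationType} used for the current request. */
    public static final String OAUTH2_AUTHENTICATION_TYPE_KEY = "oauth2.authenticationType";
    /** Request attribute holding the check-token response map, when the provider returned one. */
    public static final String OAUTH2_ACCESS_TOKEN_CHECK_KEY = "oauth2.AccessTokenCheckResponse";
    private static final Logger LOGGER = LogManager.getLogger(OAuth2GeoStoreAuthenticationFilter.class);

    // Names of the request / request-scope attributes shared with the session service.
    private static final String ACCESS_TOKEN_ATTR = "access_token";
    private static final String ID_TOKEN_ATTR = "id_token";
    private static final String REFRESH_TOKEN_ATTR = "refresh_token";
    private static final String STATE_ATTR = "state";
    /** Same value as {@code RequestAttributes.SCOPE_REQUEST}; spelled out to avoid a further import. */
    private static final int SCOPE_REQUEST = 0;

    private final AuthenticationEntryPoint authEntryPoint;
    private final TokenAuthenticationCache cache;

    @Autowired
    protected UserService userService;

    @Autowired
    protected UserGroupService userGroupService;

    protected RemoteTokenServices tokenServices;
    protected OAuth2Configuration configuration;

    /** How the caller authenticated: a bearer token on the request, or the interactive (browser) flow. */
    public enum OAuth2AuthenticationType {
        BEARER,
        USER
    }

    /**
     * Creates the filter. The filter is registered on {@code /**}; {@link #attemptAuthentication}
     * decides per request whether there is anything to authenticate.
     *
     * @param remoteTokenServices services used to validate bearer tokens against the provider
     * @param geoStoreOAuthRestTemplate OAuth2-aware rest template (also exposes the client context)
     * @param oAuth2Configuration provider configuration; also supplies the authentication entry point
     * @param tokenAuthenticationCache cache of {@link Authentication}s keyed by access-token value
     */
    public OAuth2GeoStoreAuthenticationFilter(RemoteTokenServices remoteTokenServices, GeoStoreOAuthRestTemplate geoStoreOAuthRestTemplate, OAuth2Configuration oAuth2Configuration, TokenAuthenticationCache tokenAuthenticationCache) {
        super("/**");
        super.setTokenServices(remoteTokenServices);
        this.tokenServices = remoteTokenServices;
        this.restTemplate = geoStoreOAuthRestTemplate;
        this.configuration = oAuth2Configuration;
        this.authEntryPoint = oAuth2Configuration.getAuthenticationEntryPoint();
        this.cache = tokenAuthenticationCache;
    }

    /**
     * Runs the OAuth2 processing only when it is enabled, fully configured and nobody is
     * authenticated yet; otherwise just re-exposes the token details of the existing
     * authentication (if any) as request attributes. The chain is always continued afterwards.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        boolean enabled = this.configuration.isEnabled();
        boolean invalid = this.configuration.isInvalid();
        if (enabled && !invalid && existing == null) {
            // Nobody is authenticated yet: let the superclass drive attemptAuthentication & co.
            super.doFilter(servletRequest, servletResponse, filterChain);
        } else if (servletRequest instanceof HttpServletRequest) {
            addRequestAttributes((HttpServletRequest) servletRequest, existing);
        }
        if (enabled && invalid) {
            // Diagnostic only; the request simply proceeds without OAuth2 authentication.
            LOGGER.debug("Skipping configured OAuth2 authentication. One or more mandatory properties are missing (clientId, clientSecret, authorizationUri, tokenUri");
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Authenticates the request either from a bearer token it carries or through the interactive
     * flow, tagging it with {@link #OAUTH2_AUTHENTICATION_TYPE_KEY}.
     *
     * @return the resulting authentication, or {@code null} when the request could not be authenticated
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        // NOTE(review): the helper name suggests the token is also accepted as a request parameter;
        // tokens in URLs tend to surface in access logs and referrers, so the Authorization header
        // is the transport to prefer — confirm against OAuth2Utils.
        String bearerToken = OAuth2Utils.tokenFromParamsOrBearer(ACCESS_TOKEN_ATTR, httpServletRequest);
        if (bearerToken != null) {
            httpServletRequest.setAttribute(OAUTH2_AUTHENTICATION_TYPE_KEY, OAuth2AuthenticationType.BEARER);
            return authenticateBearer(httpServletRequest, httpServletResponse, bearerToken);
        }
        httpServletRequest.setAttribute(OAUTH2_AUTHENTICATION_TYPE_KEY, OAuth2AuthenticationType.USER);
        return authenticateInteractive(httpServletRequest, httpServletResponse);
    }

    /**
     * Bearer path: a cached, unexpired authentication is served as-is; a miss or an expired cached
     * token triggers a remote (re)validation.
     */
    private Authentication authenticateBearer(HttpServletRequest request, HttpServletResponse response, String bearerToken) {
        Authentication cached = this.cache.get(bearerToken);
        if (cached == null) {
            return authenticateAndUpdateCache(request, response, bearerToken, new DefaultOAuth2AccessToken(bearerToken));
        }
        TokenDetails details = tokenDetails(cached);
        if (details != null && details.getAccessToken() != null && details.getAccessToken().isExpired()) {
            // Re-validate with the cached token object (which may carry a refresh token) rather
            // than a bare bearer-only token.
            return authenticateAndUpdateCache(request, response, bearerToken, details.getAccessToken());
        }
        return cached;
    }

    /**
     * Interactive (authorization-code) path: reset any stale client state, run the standard flow,
     * then mirror the tokens it produced from the request scope onto the servlet request.
     */
    private Authentication authenticateInteractive(HttpServletRequest request, HttpServletResponse response) {
        clearState();
        Authentication result = authenticateAndUpdateCache(request, response, null, null);
        String accessToken = (String) requestScopeAttribute(ACCESS_TOKEN_ATTR);
        if (accessToken != null) {
            request.setAttribute(ACCESS_TOKEN_ATTR, accessToken);
            // From here on the request behaves like a bearer-authenticated one.
            request.setAttribute(OAUTH2_AUTHENTICATION_TYPE_KEY, OAuth2AuthenticationType.BEARER);
            request.setAttribute(ID_TOKEN_ATTR, requestScopeAttribute(ID_TOKEN_ATTR));
            request.setAttribute(REFRESH_TOKEN_ATTR, requestScopeAttribute(REFRESH_TOKEN_ATTR));
        }
        return result;
    }

    /** Reads a request-scoped attribute; fails with an IllegalStateException when no request is bound. */
    private static Object requestScopeAttribute(String name) {
        return RequestContextHolder.currentRequestAttributes().getAttribute(name, SCOPE_REQUEST);
    }

    /** Writes a request-scoped attribute; fails with an IllegalStateException when no request is bound. */
    private static void setRequestScopeAttribute(String name, Object value) {
        RequestContextHolder.currentRequestAttributes().setAttribute(name, value, SCOPE_REQUEST);
    }

    /** Returns the {@link TokenDetails} attached to {@code authentication}, or {@code null} when its details are something else. */
    private static TokenDetails tokenDetails(Authentication authentication) {
        Object details = authentication.getDetails();
        return details instanceof TokenDetails ? (TokenDetails) details : null;
    }

    /**
     * Performs the remote authentication and, on success, publishes the resulting authentication
     * to the security context, the tokens to the request scope and the authentication to the cache.
     *
     * @param cacheKey the token value the request carried, or {@code null} for the interactive flow;
     *     superseded by the token value actually obtained when there is one
     * @param accessToken the token to validate, or {@code null} to let the superclass obtain one
     * @return the authentication, or {@code null} when authentication failed
     */
    private Authentication authenticateAndUpdateCache(HttpServletRequest request, HttpServletResponse response, String cacheKey, OAuth2AccessToken accessToken) {
        Authentication result = performOAuthAuthentication(request, response, accessToken);
        if (result != null) {
            SecurityContextHolder.getContext().setAuthentication(result);
            TokenDetails details = tokenDetails(result);
            if (details != null) {
                OAuth2AccessToken obtained = details.getAccessToken();
                if (obtained != null) {
                    // The obtained token value becomes the cache key; it may differ from the one the
                    // request carried.
                    cacheKey = obtained.getValue();
                    setRequestScopeAttribute(ACCESS_TOKEN_ATTR, obtained.getValue());
                    if (obtained.getRefreshToken() != null && obtained.getRefreshToken().getValue() != null) {
                        setRequestScopeAttribute(REFRESH_TOKEN_ATTR, obtained.getRefreshToken().getValue());
                    }
                }
                if (details.getIdToken() != null) {
                    setRequestScopeAttribute(ID_TOKEN_ATTR, details.getIdToken());
                }
            }
            // NOTE(review): cacheKey is still null when no access token came back; whether the cache
            // tolerates a null key depends on TokenAuthenticationCache — confirm.
            this.cache.putCacheEntry(cacheKey, result);
        }
        setRequestScopeAttribute(SessionServiceDelegate.PROVIDER_KEY, this.configuration.getProvider());
        return result;
    }

    /**
     * Discards any state left over from a previous authorization attempt: the preserved OAuth2
     * state, the access token held by the client context, the security context and the HTTP session.
     */
    private void clearState() {
        OAuth2ClientContext clientContext = this.restTemplate.getOAuth2ClientContext();
        AccessTokenRequest tokenRequest = clientContext.getAccessTokenRequest();
        if (tokenRequest == null) {
            return;
        }
        if (tokenRequest.getStateKey() != null) {
            clientContext.removePreservedState(tokenRequest.getStateKey());
        }
        try {
            tokenRequest.remove(ACCESS_TOKEN_ATTR);
        } finally {
            // Always drop the security context and the session, even if removing the token throws.
            SecurityContextHolder.clearContext();
            HttpSession session = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest().getSession(false);
            if (session != null) {
                session.invalidate();
            }
            LOGGER.debug("Cleaned out Session Access Token Request!");
        }
    }

    /**
     * Resolves the remote principal and turns it into a pre-authenticated token for the matching
     * GeoStore user.
     *
     * @param oAuth2AccessToken token to validate, or {@code null} for the interactive flow
     * @return the pre-authenticated token, or {@code null} when no usable principal was obtained
     */
    protected Authentication performOAuthAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth2AccessToken oAuth2AccessToken) {
        LOGGER.debug("About to perform remote authentication.");
        if (LOGGER.isDebugEnabled()) {
            // The token value is a bearer credential: log its presence and expiry, never the value.
            LOGGER.debug("Access Token supplied: " + (oAuth2AccessToken != null)
                    + (oAuth2AccessToken == null ? "" : ", expires at " + oAuth2AccessToken.getExpiration()));
        }
        String principal = null;
        try {
            LOGGER.debug("Trying to get the preauthenticated principal.");
            principal = getPreAuthenticatedPrincipal(httpServletRequest, httpServletResponse, oAuth2AccessToken);
        } catch (IOException | ServletException e) {
            LOGGER.error(e.getMessage(), (Throwable) e);
        }
        LOGGER.debug("preAuthenticatedPrincipal = " + principal + ", trying to authenticate");
        if (principal == null || principal.trim().isEmpty()) {
            return null;
        }
        return createPreAuthentication(principal, httpServletRequest, httpServletResponse);
    }

    /**
     * Configures the rest template and token services from the current configuration, runs the
     * superclass authentication and extracts the username of the authenticated principal.
     *
     * @return the username, or {@code null} when authentication failed or yielded a blank name
     * @throws IOException propagated from the redirect handling
     * @throws ServletException propagated from the redirect handling
     */
    public String getPreAuthenticatedPrincipal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth2AccessToken oAuth2AccessToken) throws IOException, ServletException {
        LOGGER.debug("About to configure the REST Resource Template");
        configureRestTemplate();
        if (oAuth2AccessToken != null) {
            LOGGER.debug("Setting the access token on the OAuth2ClientContext");
            this.restTemplate.getOAuth2ClientContext().setAccessToken(oAuth2AccessToken);
        }
        LOGGER.debug("Setting up OAuth2 Filter services and resource template");
        setRestTemplate(this.restTemplate);
        setTokenServices(this.tokenServices);
        Authentication authentication = null;
        try {
            authentication = super.attemptAuthentication(httpServletRequest, httpServletResponse);
            httpServletRequest.setAttribute(OAUTH2_AUTHENTICATION_KEY, authentication);
            if (authentication instanceof OAuth2Authentication) {
                Serializable checkResponse = ((OAuth2Authentication) authentication).getOAuth2Request().getExtensions().get(OAUTH2_ACCESS_TOKEN_CHECK_KEY);
                if (checkResponse instanceof Map) {
                    httpServletRequest.setAttribute(OAUTH2_ACCESS_TOKEN_CHECK_KEY, checkResponse);
                }
            }
            if (authentication != null && LOGGER.isDebugEnabled()) {
                LOGGER.debug("Authenticated OAuth request for principal " + authentication.getPrincipal());
            }
        } catch (Exception e) {
            // Broad on purpose: the client filter signals redirects, bad credentials and transport
            // failures through different exception types; handleOAuthException sorts them out.
            handleOAuthException(e, httpServletRequest, httpServletResponse);
        }
        if (authentication == null) {
            return null;
        }
        String username = SecurityUtils.getUsername(authentication.getPrincipal());
        return (username == null || username.trim().isEmpty()) ? null : username;
    }

    /**
     * Maps the exceptions raised by the superclass authentication to either a redirect to the
     * provider or a log entry. Nothing is rethrown: an unauthenticated request proceeds down the chain.
     */
    private void handleOAuthException(Exception exc, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        if (exc instanceof UserRedirectRequiredException && this.configuration.isEnableRedirectEntryPoint()) {
            handleUserRedirection(httpServletRequest, httpServletResponse);
        } else if (exc instanceof BadCredentialsException || exc instanceof ResourceAccessException) {
            if (exc.getCause() instanceof OAuth2AccessDeniedException) {
                LOGGER.warn("Error while trying to authenticate to OAuth2 Provider with the following Exception cause:", exc.getCause());
            } else if (exc instanceof ResourceAccessException) {
                LOGGER.error("Could not Authorize OAuth2 Resource due to the following exception:", (Throwable) exc);
                // A transport failure towards the provider is where an untrusted certificate shows up.
                logCertificateHint();
            } else if (LOGGER.isDebugEnabled()) {
                LOGGER.error("Could not Authorize OAuth2 Resource due to the following exception:", (Throwable) exc);
            }
        } else if (LOGGER.isDebugEnabled()) {
            // Includes UserRedirectRequiredException when the redirect entry point is disabled.
            LOGGER.debug("Unhandled exception while attempting OAuth2 authentication: " + exc, (Throwable) exc);
        }
    }

    /** Operator hint for the usual cause of transport failures towards the provider. */
    private static void logCertificateHint() {
        LOGGER.warn("It is worth notice that if you try to validate credentials against an SSH protected Endpoint, you need either your server exposed on a secure SSL channel or OAuth2 Provider Certificate to be trusted on your JVM!");
        LOGGER.info("Please refer to the GeoServer OAuth2 Plugin Documentation in order to find the steps for importing the SSH certificates.");
    }

    /**
     * Handles a "user must be redirected" outcome: explicit login requests for this provider are
     * sent to the entry point; otherwise, unless a redirect is already pending, the preserved
     * authorization state of the abandoned attempt is discarded.
     */
    private void handleUserRedirection(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        String loginPath = this.configuration.getProvider() + DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL;
        if (httpServletRequest.getRequestURI().contains(loginPath)) {
            this.authEntryPoint.commence(httpServletRequest, httpServletResponse, null);
            return;
        }
        if (httpServletResponse.getStatus() == HttpServletResponse.SC_FOUND) {
            return;
        }
        AccessTokenRequest tokenRequest = this.restTemplate.getOAuth2ClientContext().getAccessTokenRequest();
        if (tokenRequest.getPreservedState() != null && tokenRequest.getStateKey() != null) {
            tokenRequest.remove(STATE_ATTR);
            tokenRequest.remove(tokenRequest.getStateKey());
            tokenRequest.setPreservedState(null);
        }
    }

    /** Pushes client id/secret, endpoints and scopes from the configuration into the rest template and token services. */
    protected void configureRestTemplate() {
        AuthorizationCodeResourceDetails resource = (AuthorizationCodeResourceDetails) this.restTemplate.getResource();
        String clientId = this.configuration.getClientId();
        String clientSecret = this.configuration.getClientSecret();
        resource.setClientId(clientId);
        resource.setClientSecret(clientSecret);
        resource.setAccessTokenUri(this.configuration.getAccessTokenUri());
        resource.setUserAuthorizationUri(this.configuration.getAuthorizationUri());
        resource.setPreEstablishedRedirectUri(this.configuration.getRedirectUri());
        resource.setScope(parseScopes(Stream.of(this.configuration.getScopes()).collect(Collectors.joining(","))));
        this.tokenServices.setClientId(clientId);
        this.tokenServices.setClientSecret(clientSecret);
        this.tokenServices.setCheckTokenEndpointUrl(this.configuration.getCheckTokenEndpointUrl());
    }

    /**
     * Splits a comma-separated scope list into a mutable list.
     *
     * @param str the comma-separated scopes; {@code null} yields an empty list
     * @return the scopes, trimmed, with empty entries dropped
     */
    protected List<String> parseScopes(String str) {
        if (str == null) {
            return new ArrayList<>();
        }
        // Scope tokens cannot contain whitespace (RFC 6749 §3.3) and the comma is this
        // configuration's separator, so trimming and dropping empty entries loses nothing legitimate.
        return Stream.of(str.split(","))
                .map(String::trim)
                .filter(scope -> !scope.isEmpty())
                .collect(Collectors.toCollection(ArrayList::new));
    }

    /**
     * Builds the pre-authenticated token for the GeoStore user matching {@code str}.
     *
     * @param str the username obtained from the provider
     * @return the token, or {@code null} when no user could be retrieved or created
     */
    protected PreAuthenticatedAuthenticationToken createPreAuthentication(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        User user = retrieveUserWithAuthorities(str, httpServletRequest, httpServletResponse);
        if (user == null) {
            return null;
        }
        String idToken = OAuth2Utils.getIdToken();
        // Apply the role/group claims BEFORE deriving the granted authority, so the ROLE_* authority
        // and user.getRole() cannot disagree (the claims may promote the user to ADMIN).
        if (StringUtils.isNotBlank(this.configuration.getGroupsClaim()) || StringUtils.isNotBlank(this.configuration.getRolesClaim())) {
            addAuthoritiesFromToken(user, idToken);
        }
        PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(user, null, Collections.singletonList(new SimpleGrantedAuthority("ROLE_" + user.getRole().toString())));
        token.setDetails(new TokenDetails(this.restTemplate.getOAuth2ClientContext().getAccessToken(), idToken, this.configuration.getBeanName()));
        return token;
    }

    /**
     * Applies the configured roles and groups claims of the ID token to {@code user}.
     *
     * @param user the user to update in place
     * @param str the raw ID token
     */
    protected void addAuthoritiesFromToken(User user, String str) {
        JWTHelper jwt = new JWTHelper(str);
        List<String> roles = claimValues(jwt, this.configuration.getRolesClaim());
        List<String> groups = claimValues(jwt, this.configuration.getGroupsClaim());
        // Only an exact "ADMIN" value promotes; any other value leaves the user's current role alone.
        if (roles.contains(Role.ADMIN.name())) {
            user.setRole(Role.ADMIN);
        }
        for (String groupName : groups) {
            UserGroup group = this.userGroupService != null ? this.userGroupService.get(groupName) : null;
            if (group == null) {
                // Unknown group: attach a name-only group; it is not persisted here.
                group = new UserGroup();
                group.setGroupName(groupName);
            }
            user.getGroups().add(group);
        }
    }

    /** Reads a string-list claim; a missing claim name or an absent claim yields an empty list. */
    private static List<String> claimValues(JWTHelper jwt, String claimName) {
        if (claimName == null) {
            return Collections.emptyList();
        }
        List<String> values = jwt.getClaimAsList(claimName, String.class);
        return values != null ? values : Collections.emptyList();
    }

    /**
     * Looks the user up by name and falls back to creating one.
     *
     * @param str the username
     * @return the user, or {@code null} when neither lookup nor creation succeeded
     */
    protected User retrieveUserWithAuthorities(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        User user = null;
        if (str != null && this.userService != null) {
            try {
                user = this.userService.get(str);
            } catch (NotFoundServiceEx e) {
                LOGGER.debug("User with username " + str + " not found.");
            }
        }
        if (user == null) {
            try {
                // Null password: presumably so the account cannot be used with password login — confirm.
                user = createUser(str, null, "");
            } catch (BadRequestServiceEx | NotFoundServiceEx e) {
                LOGGER.error("Error while autocreating the user: " + str, e);
            }
        }
        return user;
    }

    /**
     * Builds an enabled {@code USER}-role user tagged with this configuration's bean name, and
     * persists it when the configuration allows auto-creation.
     *
     * @param str the username
     * @param str2 the new password (may be {@code null})
     * @param obj unused; kept for signature compatibility
     * @return the user, carrying the generated id when it was persisted
     * @throws BadRequestServiceEx propagated from the user service
     * @throws NotFoundServiceEx propagated from the user service
     */
    protected User createUser(String str, String str2, Object obj) throws BadRequestServiceEx, NotFoundServiceEx {
        User user = new User();
        user.setName(str);
        user.setNewPassword(str2);
        user.setEnabled(true);
        // Record which OAuth2 configuration created the account.
        UserAttribute origin = new UserAttribute();
        origin.setName(OAuth2Configuration.CONFIGURATION_NAME);
        origin.setValue(this.configuration.getBeanName());
        user.setAttribute(Collections.singletonList(origin));
        user.setGroups(new HashSet<>());
        user.setRole(Role.USER);
        if (this.userService != null && this.configuration.isAutoCreateUser()) {
            long id = this.userService.insert(user);
            user = new User(user);
            user.setId(Long.valueOf(id));
        }
        return user;
    }

    /**
     * Intentionally a no-op: the rest template and token services are (re)configured on every
     * attempt in {@link #getPreAuthenticatedPrincipal}, so the superclass's start-up checks
     * (presumably on those collaborators and on an authentication manager) are skipped.
     */
    @Override
    public void afterPropertiesSet() {
    }

    /**
     * Stores the authentication in the security context and exposes its tokens as request
     * attributes. The superclass is deliberately not called, so no success handler or redirect
     * runs; the chain continues from {@link #doFilter}.
     */
    @Override
    public void successfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, Authentication authentication) throws IOException, ServletException {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Authentication success. Updating SecurityContextHolder to contain: " + authentication);
        }
        SecurityContextHolder.getContext().setAuthentication(authentication);
        addRequestAttributes(httpServletRequest, authentication);
        httpServletRequest.setAttribute(SessionServiceDelegate.PROVIDER_KEY, this.configuration.getProvider());
    }

    /** Copies access/id/refresh token values and the provider name from the authentication's details onto the request. */
    private void addRequestAttributes(HttpServletRequest request, Authentication authentication) {
        if (authentication == null) {
            return;
        }
        TokenDetails details = tokenDetails(authentication);
        if (details == null || details.getAccessToken() == null) {
            return;
        }
        OAuth2AccessToken accessToken = details.getAccessToken();
        request.setAttribute(ACCESS_TOKEN_ATTR, accessToken.getValue());
        if (details.getIdToken() != null) {
            request.setAttribute(ID_TOKEN_ATTR, details.getIdToken());
        }
        if (accessToken.getRefreshToken() != null) {
            request.setAttribute(REFRESH_TOKEN_ATTR, accessToken.getRefreshToken().getValue());
        }
        request.setAttribute(SessionServiceDelegate.PROVIDER_KEY, this.configuration.getProvider());
    }

    /**
     * Clears the security context when the failure is a missing access token; every other
     * failure is left to the chain (no error response is written here).
     */
    @Override
    public void unsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        if (!(authenticationException instanceof AccessTokenRequiredException)) {
            return;
        }
        SecurityContextHolder.clearContext();
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Authentication request failed: " + authenticationException, (Throwable) authenticationException);
            LOGGER.debug("Updated SecurityContextHolder to contain null Authentication");
        }
    }
}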
