package com.evolveum.midpoint.authentication.impl.filter.oidc;

import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
import com.evolveum.midpoint.authentication.api.util.AuthenticationModuleNameConstants;
import com.evolveum.midpoint.authentication.impl.filter.RemoteAuthenticationFilter;
import com.evolveum.midpoint.model.api.ModelAuditRecorder;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.springframework.core.annotation.Order;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.AuthenticatedPrincipalOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository;
import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.util.Assert;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;
import org.springframework.web.util.UriComponentsBuilder;

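/**
 * midPoint's OIDC login filter.
 *
 * <p>It extends Spring Security's {@link OAuth2LoginAuthenticationFilter} but overrides
 * {@link #attemptAuthentication} so that the authorization-code callback is handed to the
 * configured authentication manager as an {@link OAuth2LoginAuthenticationToken} and the
 * result is returned as a {@link MidpointAuthentication}. Failures are routed through
 * midPoint's remote-authentication handling ({@code remoteUnsuccessfulAuthentication})
 * so they can be audited under the OIDC module name.
 *
 * <p>Listing recovered by decompilation from {@code authentication-impl-4.10-M4.jar}.
 */
@Order
public class OidcLoginAuthenticationFilter extends OAuth2LoginAuthenticationFilter implements RemoteAuthenticationFilter {

    /** Error code when the callback looks valid but no pending authorization request is stored in the session. */
    private static final String AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE = "authorization_request_not_found";
    /** Error code when the registration id recorded in the stored authorization request is unknown. */
    private static final String CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE = "client_registration_not_found";
    /** Error code when the request carries neither a {@code code}/{@code state} nor an {@code error}/{@code state} pair. */
    private static final String INVALID_REQUEST_ERROR_CODE = "invalid_request";
    /** Message key attached to every {@link OAuth2AuthenticationException} thrown from {@link #attemptAuthentication}; the detail is in the error code. */
    private static final String INVALID_PROVIDER_MESSAGE_KEY = "web.security.provider.invalid";

    private final ClientRegistrationRepository clientRegistrationRepository;
    private final AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository;
    private final ModelAuditRecorder auditProvider;

    /**
     * @param clientRegistrationRepository source of {@link ClientRegistration}s, looked up by the id stored in the pending authorization request
     * @param str                          passed unchanged as the superclass constructor's third argument (presumably the filter-processing URL)
     * @param modelAuditRecorder           audit sink used on the {@link #unsuccessfulAuthentication} path
     */
    public OidcLoginAuthenticationFilter(ClientRegistrationRepository clientRegistrationRepository, String str, ModelAuditRecorder modelAuditRecorder) {
        // The authorized-client store handed to the superclass is in-memory and keyed by principal. Note that
        // this class's override of attemptAuthentication never saves an authorized client into it.
        super(clientRegistrationRepository,
                new AuthenticatedPrincipalOAuth2AuthorizedClientRepository(new InMemoryOAuth2AuthorizedClientService(clientRegistrationRepository)),
                str);
        Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");
        this.clientRegistrationRepository = clientRegistrationRepository;
        // Pending authorization requests live in the HTTP session between the redirect to the provider and the callback.
        this.authorizationRequestRepository = new HttpSessionOAuth2AuthorizationRequestRepository();
        this.auditProvider = modelAuditRecorder;
    }

    /** Delegates to the superclass's request matcher: only callback requests to the filter-processing URL are handled. */
    @Override
    public boolean requiresAuth(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return super.requiresAuthentication(httpServletRequest, httpServletResponse);
    }

    /**
     * Failure hook invoked by the remote-authentication flow.
     * NOTE(review): this overload receives neither the audit recorder nor the module name, unlike
     * {@link #unsuccessfulAuthentication}; confirm which of the two paths a failed OIDC login actually
     * takes before relying on the audit record.
     */
    @Override
    public void unsuccessfulAuth(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        remoteUnsuccessfulAuthentication(httpServletRequest, httpServletResponse, authenticationException, getRememberMeServices(), getFailureHandler());
    }

    /** Message key shown when the incoming request is not an OIDC response at all. */
    @Override
    public String getErrorMessageKeyNotResponse() {
        return "web.security.flexAuth.oidc.not.response";
    }

    /** Runs the standard Spring processing-filter pipeline (which calls {@link #attemptAuthentication}). */
    @Override
    public void doAuth(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws ServletException, IOException {
        super.doFilter(servletRequest, servletResponse, filterChain);
    }

    /**
     * Entry point of the filter. Control goes to {@code doRemoteFilter}, which is provided by
     * {@link RemoteAuthenticationFilter} (presumably a default method) and is expected to call back
     * into {@link #doAuth} / {@link #unsuccessfulAuth}.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        doRemoteFilter(servletRequest, servletResponse, filterChain);
    }

    /**
     * Turns the provider's callback into a {@link MidpointAuthentication}.
     *
     * <p>Order of checks: the request must be an authorization response; a pending authorization request
     * must exist in the session (and is removed, so the same callback cannot be processed twice); the client
     * registration named by that stored request must exist. Only then is the code (or error) exchanged with
     * the authentication manager.
     *
     * @throws OAuth2AuthenticationException with one of the {@code *_ERROR_CODE} constants when a check fails
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
        MultiValueMap<String, String> params = toMultiMap(httpServletRequest.getParameterMap());
        if (!isAuthorizationResponse(params)) {
            throw new OAuth2AuthenticationException(new OAuth2Error(INVALID_REQUEST_ERROR_CODE), INVALID_PROVIDER_MESSAGE_KEY);
        }
        // NOTE(review): the callback's "state" is not compared with the stored request's state in this class;
        // that binding is expected to be enforced by the session repository and/or the authentication
        // provider — confirm before treating this filter as the CSRF guard for the login flow.
        OAuth2AuthorizationRequest authorizationRequest =
                this.authorizationRequestRepository.removeAuthorizationRequest(httpServletRequest, httpServletResponse);
        if (authorizationRequest == null) {
            throw new OAuth2AuthenticationException(new OAuth2Error(AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE), INVALID_PROVIDER_MESSAGE_KEY);
        }
        // The registration id comes from the server-side stored request, never from a request parameter.
        String registrationId = (String) authorizationRequest.getAttribute(OAuth2ParameterNames.REGISTRATION_ID);
        ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(registrationId);
        if (clientRegistration == null) {
            throw new OAuth2AuthenticationException(
                    new OAuth2Error(CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE, "Client Registration not found with Id: " + registrationId, null),
                    INVALID_PROVIDER_MESSAGE_KEY);
        }
        OAuth2AuthorizationResponse authorizationResponse = convert(params, redirectUriOf(httpServletRequest));
        OAuth2LoginAuthenticationToken loginToken =
                new OAuth2LoginAuthenticationToken(clientRegistration, new OAuth2AuthorizationExchange(authorizationRequest, authorizationResponse));
        // NOTE(review): no request details (remote address, session id) are attached to the token here,
        // so they are not available to the provider or audit unless added downstream.
        MidpointAuthentication result = (MidpointAuthentication) getAuthenticationManager().authenticate(loginToken);
        Assert.notNull(result, "authentication result cannot be null");
        return result;
    }

    /**
     * The URL of the current request with its query string removed; it is recorded as the redirect URI of
     * the {@link OAuth2AuthorizationResponse}.
     * NOTE(review): it is reconstructed from the incoming request's scheme/host/port, so behind a reverse
     * proxy it only equals the registered redirect URI if forwarded headers are honoured upstream — confirm
     * in deployment.
     */
    private static String redirectUriOf(HttpServletRequest request) {
        return UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
                .replaceQuery((String) null)
                .build()
                .toUriString();
    }

    /** True for a success callback ({@code code} + {@code state}) or an error callback ({@code error} + {@code state}). */
    private boolean isAuthorizationResponse(MultiValueMap<String, String> params) {
        boolean hasState = StringUtils.hasText(params.getFirst(OAuth2ParameterNames.STATE));
        if (!hasState) {
            return false;
        }
        return StringUtils.hasText(params.getFirst(OAuth2ParameterNames.CODE))
                || StringUtils.hasText(params.getFirst(OAuth2ParameterNames.ERROR));
    }

    /**
     * Builds the {@link OAuth2AuthorizationResponse} for the callback parameters: a success response when a
     * non-blank {@code code} is present, otherwise an error response carrying {@code error},
     * {@code error_description} and {@code error_uri}.
     *
     * @param params      the request parameters
     * @param redirectUri the redirect URI to record on the response
     */
    private OAuth2AuthorizationResponse convert(MultiValueMap<String, String> params, String redirectUri) {
        String code = params.getFirst(OAuth2ParameterNames.CODE);
        String state = params.getFirst(OAuth2ParameterNames.STATE);
        if (StringUtils.hasText(code)) {
            return OAuth2AuthorizationResponse.success(code)
                    .redirectUri(redirectUri)
                    .state(state)
                    .build();
        }
        return OAuth2AuthorizationResponse.error(params.getFirst(OAuth2ParameterNames.ERROR))
                .redirectUri(redirectUri)
                .errorDescription(params.getFirst(OAuth2ParameterNames.ERROR_DESCRIPTION))
                .errorUri(params.getFirst(OAuth2ParameterNames.ERROR_URI))
                .state(state)
                .build();
    }

    /** Failure path of the Spring processing filter: delegates to midPoint's handler with the audit recorder and the OIDC module name. */
    @Override
    protected void unsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        remoteUnsuccessfulAuthentication(httpServletRequest, httpServletResponse, authenticationException, this.auditProvider, getRememberMeServices(), getFailureHandler(), AuthenticationModuleNameConstants.OIDC);
    }
}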
