package com.evolveum.midpoint.web.security.filter;

import com.evolveum.midpoint.model.api.authentication.AuthModule;
import com.evolveum.midpoint.model.api.authentication.AuthenticationChannel;
import com.evolveum.midpoint.model.api.authentication.MidpointAuthentication;
import com.evolveum.midpoint.model.api.authentication.ModuleAuthentication;
import com.evolveum.midpoint.model.api.authentication.StateOfModule;
import com.evolveum.midpoint.model.common.SystemObjectCache;
import com.evolveum.midpoint.prism.PrismContext;
import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.schema.util.SecurityPolicyUtil;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.exception.SchemaException;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.web.security.MidpointAuthenticationManager;
import com.evolveum.midpoint.web.security.RemoveUnusedSecurityFilterPublisher;
import com.evolveum.midpoint.web.security.factory.channel.AuthChannelRegistryImpl;
import com.evolveum.midpoint.web.security.factory.module.AuthModuleRegistryImpl;
import com.evolveum.midpoint.web.security.module.ModuleWebSecurityConfig;
import com.evolveum.midpoint.web.security.util.SecurityUtils;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationModulesType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationSequenceType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AuthenticationsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.CredentialsPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SecurityPolicyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.SelfRegistrationPolicyType;
import java.io.IOException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:com/evolveum/midpoint/web/security/filter/MidpointAuthFilter.class */
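/**
 * Entry point of midPoint's flexible authentication for servlet requests.
 *
 * <p>For every request that is not permit-all (the login page is always processed) the filter
 * resolves the authentication sequence for the request from the security policy, builds or reuses
 * the {@link AuthModule}s of that sequence and then runs the security filter chain of the module
 * currently being processed through a {@link VirtualFilterChain}. Requests on ignored local paths
 * are passed straight to the original chain.
 *
 * <p>The filter is a singleton serving concurrent requests. {@code authModulesOfSpecificSequences}
 * and the provider list of {@link MidpointAuthenticationManager} are shared mutable state that is
 * read and written from request threads without synchronization (see the notes in
 * {@link #resolveAuthModules}); keep that in mind when changing those paths.
 */
public class MidpointAuthFilter extends GenericFilterBean {
    private static final Trace LOGGER = TraceManager.getTrace(MidpointAuthFilter.class);
    // Objects handed to SecurityUtils.buildModuleFilters when module filter chains are built.
    private final Map<Class<?>, Object> sharedObjects;

    @Autowired
    private ObjectPostProcessor<Object> objectObjectPostProcessor;

    @Autowired
    private SystemObjectCache systemObjectCache;

    @Autowired
    private AuthModuleRegistryImpl authModuleRegistry;

    @Autowired
    private AuthChannelRegistryImpl authChannelRegistry;

    @Autowired
    private MidpointAuthenticationManager authenticationManager;

    @Autowired
    private PrismContext prismContext;

    @Autowired
    private TaskManager taskManager;

    @Autowired
    private RemoveUnusedSecurityFilterPublisher removeUnusedSecurityFilterPublisher;
    // Lazily created fallback policy; see getDefaultAuthenticationPolicy for the caching caveat.
    private volatile AuthenticationsPolicyType defaultAuthenticationPolicy;
    private final PreLogoutFilter preLogoutFilter = new PreLogoutFilter();
    // Cache of built modules per "specific sequence" name. Plain HashMap accessed from request
    // threads; the check-then-put in resolveAuthModules is not atomic.
    private Map<String, List<AuthModule>> authModulesOfSpecificSequences = new HashMap<>();

    /**
     * A {@link FilterChain} that first runs a list of additional filters (the security filter chain
     * of one authentication module) and only then continues with the original chain.
     *
     * <p>The chain is single-use and stateful: {@code currentPosition} advances on every call, so a
     * new instance is created per request.
     */
    public static class VirtualFilterChain implements FilterChain {
        private final FilterChain originalChain;
        private final List<Filter> additionalFilters;
        private final int size;
        private int currentPosition = 0;

        private VirtualFilterChain(FilterChain filterChain, List<Filter> list) {
            this.originalChain = filterChain;
            this.additionalFilters = list;
            this.size = list.size();
        }

        /**
         * Fires the next additional filter, or, once all of them ran, continues with the original
         * chain unless the response has already been committed by one of the additional filters.
         *
         * @throws IOException      propagated from the delegated filters
         * @throws ServletException propagated from the delegated filters
         */
        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse) throws IOException, ServletException {
            if (this.currentPosition == this.size) {
                if (MidpointAuthFilter.LOGGER.isDebugEnabled()) {
                    MidpointAuthFilter.LOGGER.debug(UrlUtils.buildRequestUrl((HttpServletRequest) servletRequest) + " reached end of additional filter chain; proceeding with original chain, if url is permit all");
                }
                // A committed response means an additional filter already answered (e.g. a
                // redirect or an error); do not let the original chain write on top of it.
                if (servletResponse.isCommitted()) {
                    return;
                }
                this.originalChain.doFilter(servletRequest, servletResponse);
                return;
            }
            this.currentPosition++;
            Filter filter = this.additionalFilters.get(this.currentPosition - 1);
            if (MidpointAuthFilter.LOGGER.isDebugEnabled()) {
                MidpointAuthFilter.LOGGER.debug(UrlUtils.buildRequestUrl((HttpServletRequest) servletRequest) + " at position " + this.currentPosition + " of " + this.size + " in additional filter chain; firing Filter: '" + filter.getClass().getSimpleName() + "'");
            }
            filter.doFilter(servletRequest, servletResponse, this);
        }
    }

    /**
     * @param map objects shared with the module filter builders (stored as given, not copied)
     */
    public MidpointAuthFilter(Map<Class<?>, Object> map) {
        this.sharedObjects = map;
    }

    /** @return the pre-logout filter that runs before every module filter chain. */
    public PreLogoutFilter getPreLogoutFilter() {
        return this.preLogoutFilter;
    }

    /**
     * Creates and post-processes a {@link ModuleWebSecurityConfig} for authenticated requests.
     * The created config is not stored here; the post-processor is expected to register it.
     */
    public void createFilterForAuthenticatedRequest() {
        ((ModuleWebSecurityConfig) this.objectObjectPostProcessor.postProcess(new ModuleWebSecurityConfig(null))).setObjectPostProcessor(this.objectObjectPostProcessor);
    }

    /**
     * Returns the built-in default authentication policy, creating it on first use.
     *
     * <p>NOTE(review): the ignored-local-path list is only used when the policy is first created;
     * later calls with a different list get the cached policy. Looks like a latent inconsistency
     * when the security policy changes at runtime — confirm whether that is intended.
     *
     * @param list ignored local paths to bake into the policy on first creation
     * @throws SchemaException if the default policy cannot be created
     */
    private AuthenticationsPolicyType getDefaultAuthenticationPolicy(List<String> list) throws SchemaException {
        // Unsynchronized check-then-set on a volatile: two threads may build the policy twice,
        // which is harmless as long as the result is equivalent.
        if (this.defaultAuthenticationPolicy == null) {
            this.defaultAuthenticationPolicy = SecurityPolicyUtil.createDefaultAuthenticationPolicy(list, this.prismContext.getSchemaRegistry());
        }
        return this.defaultAuthenticationPolicy;
    }

    /** Delegates to {@link #doFilterInternal}. */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        doFilterInternal(servletRequest, servletResponse, filterChain);
    }

    /**
     * Resolves the policy and sequence for the request and runs the filter chain of the module
     * that is currently being processed.
     *
     * <p>Early exits: permit-all URLs (other than the login page) and ignored local paths go to the
     * original chain untouched; a request whose URI maps to no sequence is logged and redirected to
     * the context root.
     *
     * @throws IOException              propagated from the delegated filters or the redirect
     * @throws ServletException         propagated from the delegated filters
     * @throws IllegalArgumentException if neither the configured nor the default policy can be loaded
     * @throws AuthenticationServiceException if the resolved sequence yields no module filters
     */
    private void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        // HttpServletRequest is needed below (getRequestURI, getContextPath, getSession), so keep
        // the cast's static type instead of widening it back to ServletRequest.
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        if (SecurityUtils.isPermitAll(httpRequest) && !SecurityUtils.isLoginPage(httpRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        MidpointAuthentication midpointAuthentication = (MidpointAuthentication) SecurityContextHolder.getContext().getAuthentication();
        CredentialsPolicyType credentialsPolicyType = null;
        PrismObject<SecurityPolicyType> securityPolicy = null;
        AuthenticationsPolicyType authenticationPolicy;
        try {
            securityPolicy = getSecurityPolicy();
            authenticationPolicy = getAuthenticationPolicy(securityPolicy);
            if (securityPolicy != null) {
                credentialsPolicyType = securityPolicy.asObjectable().getCredentials();
            }
        } catch (SchemaException e) {
            LOGGER.error("Couldn't load Authentication policy", e);
            try {
                authenticationPolicy = getDefaultAuthenticationPolicy(SecurityPolicyUtil.NO_CUSTOM_IGNORED_LOCAL_PATH);
            } catch (SchemaException e2) {
                LOGGER.error("Couldn't get default authentication policy", e2);
                // Chain the failure being handled and keep the original policy-load failure as
                // suppressed, so neither cause is lost.
                IllegalArgumentException failure = new IllegalArgumentException("Couldn't get default authentication policy", e2);
                failure.addSuppressed(e);
                throw failure;
            }
        }
        if (SecurityUtils.isIgnoredLocalPath(authenticationPolicy, httpRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        AuthenticationSequenceType authenticationSequence = getAuthenticationSequence(midpointAuthentication, httpRequest, authenticationPolicy);
        if (authenticationSequence == null) {
            // securityPolicy is null when there is no policy or it failed to load above; the
            // diagnostic must not turn into a NullPointerException.
            String policyOid = securityPolicy != null ? securityPolicy.getOid() : null;
            IllegalArgumentException illegalArgumentException = new IllegalArgumentException("Couldn't find sequence for URI '" + httpRequest.getRequestURI() + "' in authentication of Security Policy with oid " + policyOid);
            LOGGER.error(illegalArgumentException.getMessage(), illegalArgumentException);
            ((HttpServletResponse) servletResponse).sendRedirect(httpRequest.getContextPath());
            return;
        }
        getPreLogoutFilter().doFilter(servletRequest, servletResponse);
        AuthenticationChannel authChannel = SecurityUtils.buildAuthChannel(this.authChannelRegistry, authenticationSequence);
        try {
            List<AuthModule> authModules = resolveAuthModules(midpointAuthentication, authenticationSequence, httpRequest, authenticationPolicy.getModules(), authChannel, credentialsPolicyType);
            // Fully authenticated in this very sequence: run the chains of the successful modules
            // and stop; nothing below applies.
            if (midpointAuthentication != null && midpointAuthentication.isAuthenticated() && authenticationSequence.equals(midpointAuthentication.getSequence())) {
                processingOfAuthenticatedRequest(midpointAuthentication, httpRequest, servletResponse, filterChain);
                return;
            }
            if (authModules == null || authModules.isEmpty()) {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug(UrlUtils.buildRequestUrl(httpRequest) + "has no filters");
                }
                throw new AuthenticationServiceException("Couldn't find filters for sequence " + authenticationSequence.getName());
            }
            resolveErrorWithMoreModules(midpointAuthentication, httpRequest);
            int moduleIndex;
            if (SecurityUtils.isSpecificSequence(httpRequest)) {
                // Specific sequences always start from the first module with a fresh authentication.
                moduleIndex = 0;
                createMpAuthentication(httpRequest, authenticationSequence, authModules);
                midpointAuthentication = (MidpointAuthentication) SecurityContextHolder.getContext().getAuthentication();
            } else {
                moduleIndex = getIndexOfActualProcessingModule(midpointAuthentication, httpRequest);
                if (needRestartAuthFlow(moduleIndex)) {
                    moduleIndex = restartAuthFlow(httpRequest, authenticationSequence, authModules);
                    midpointAuthentication = (MidpointAuthentication) SecurityContextHolder.getContext().getAuthentication();
                }
            }
            if (midpointAuthentication.getAuthenticationChannel() == null) {
                midpointAuthentication.setAuthenticationChannel(authChannel);
            }
            new VirtualFilterChain(filterChain, authModules.get(moduleIndex).getSecurityFilterChain().getFilters()).doFilter(httpRequest, servletResponse);
        } finally {
            // Runs on every exit (return, normal completion, any throwable), which is exactly
            // the union of the paths that published this event before.
            publishRemoveUnusedFilterEventIfNeeded(httpRequest, midpointAuthentication);
        }
    }

    /**
     * Returns the modules for the sequence: built freshly for ordinary requests, cached by sequence
     * name for "specific sequence" requests.
     *
     * <p>NOTE(review): for a cached specific sequence the provider list of the shared
     * authentication manager is cleared and refilled once per module that has a configuration, so
     * only the providers of the last such module survive, and concurrent requests for different
     * sequences can interleave on that list. Looks unintended — confirm against the manager.
     *
     * @return the module list, possibly {@code null} when the builder returned none
     */
    private List<AuthModule> resolveAuthModules(MidpointAuthentication midpointAuthentication, AuthenticationSequenceType authenticationSequence, HttpServletRequest httpRequest, AuthenticationModulesType modules, AuthenticationChannel authChannel, CredentialsPolicyType credentialsPolicyType) {
        if (!SecurityUtils.isSpecificSequence(httpRequest)) {
            return createAuthenticationModuleBySequence(midpointAuthentication, authenticationSequence, httpRequest, modules, authChannel, credentialsPolicyType);
        }
        String sequenceName = authenticationSequence.getName();
        if (this.authModulesOfSpecificSequences.containsKey(sequenceName)) {
            List<AuthModule> cached = this.authModulesOfSpecificSequences.get(sequenceName);
            if (cached != null) {
                for (AuthModule authModule : cached) {
                    if (authModule != null && authModule.getConfiguration() != null) {
                        this.authenticationManager.getProviders().clear();
                        for (Object provider : authModule.getConfiguration().getAuthenticationProviders()) {
                            this.authenticationManager.getProviders().add((AuthenticationProvider) provider);
                        }
                    }
                }
            }
            return cached;
        }
        List<AuthModule> created = createAuthenticationModuleBySequence(midpointAuthentication, authenticationSequence, httpRequest, modules, authChannel, credentialsPolicyType);
        this.authModulesOfSpecificSequences.put(sequenceName, created);
        return created;
    }

    /**
     * Publishes the "remove unused security filter" event for an ordinary (non-specific-sequence)
     * request that carries an authentication but has no HTTP session, i.e. nothing will keep the
     * built filters alive.
     */
    private void publishRemoveUnusedFilterEventIfNeeded(HttpServletRequest httpRequest, MidpointAuthentication midpointAuthentication) {
        if (!SecurityUtils.isSpecificSequence(httpRequest) && httpRequest.getSession(false) == null && midpointAuthentication != null) {
            this.removeUnusedSecurityFilterPublisher.publishCustomEvent(midpointAuthentication);
        }
    }

    /** {@code -1} from {@link #getIndexOfActualProcessingModule} means "no module in progress". */
    private boolean needRestartAuthFlow(int i) {
        return i == -1;
    }

    /**
     * Installs a fresh {@link MidpointAuthentication} for the sequence and returns the index of the
     * module to process first, as resolved by the new authentication.
     */
    private int restartAuthFlow(HttpServletRequest httpServletRequest, AuthenticationSequenceType authenticationSequenceType, List<AuthModule> list) {
        createMpAuthentication(httpServletRequest, authenticationSequenceType, list);
        return SecurityContextHolder.getContext().getAuthentication().resolveParallelModules(httpServletRequest, 0);
    }

    /**
     * Builds a new {@link MidpointAuthentication} for the sequence, seeds it with the base module
     * authentication of the first module and installs it in the security context.
     *
     * @param list modules of the sequence; must not be empty (index 0 is read)
     */
    private void createMpAuthentication(HttpServletRequest httpServletRequest, AuthenticationSequenceType authenticationSequenceType, List<AuthModule> list) {
        MidpointAuthentication midpointAuthentication = new MidpointAuthentication(authenticationSequenceType);
        midpointAuthentication.setAuthModules(list);
        // Without an HTTP session a placeholder id is generated. RandomStringUtils.random uses
        // java.util.Random; presumably this id only labels the authentication and is never
        // compared as a secret — confirm before relying on it for anything else.
        midpointAuthentication.setSessionId(httpServletRequest.getSession(false) != null ? httpServletRequest.getSession(false).getId() : RandomStringUtils.random(30, true, true).toUpperCase());
        midpointAuthentication.addAuthentications(list.get(0).getBaseModuleAuthentication());
        // Clear first so any listener on the context sees an explicit replacement.
        SecurityContextHolder.getContext().setAuthentication((Authentication) null);
        SecurityContextHolder.getContext().setAuthentication(midpointAuthentication);
    }

    /**
     * When a multi-module authentication has failed, replaces the last saved exception with one
     * whose message additionally carries the "restart flow" key, so the UI can explain the restart.
     * Note that {@code getSession()} (no argument) creates a session if there is none.
     */
    private void resolveErrorWithMoreModules(MidpointAuthentication midpointAuthentication, HttpServletRequest httpServletRequest) {
        if (midpointAuthentication == null || !midpointAuthentication.isAuthenticationFailed() || midpointAuthentication.getAuthModules().size() <= 1) {
            return;
        }
        Exception exc = (Exception) httpServletRequest.getSession().getAttribute("SPRING_SECURITY_LAST_EXCEPTION");
        String message;
        if (exc == null || !StringUtils.isNotBlank(exc.getMessage())) {
            message = "web.security.flexAuth.restart.flow";
        } else {
            message = exc.getMessage() + ";" + "web.security.flexAuth.restart.flow";
        }
        SecurityUtils.saveException(httpServletRequest, new AuthenticationServiceException(message));
    }

    /**
     * @return the index of the module currently being processed, or {@code -1} when there is no
     *         authentication in the security context (the flow must be (re)started)
     */
    private int getIndexOfActualProcessingModule(MidpointAuthentication midpointAuthentication, HttpServletRequest httpServletRequest) {
        int i = -1;
        if (SecurityContextHolder.getContext().getAuthentication() != null) {
            i = midpointAuthentication.resolveParallelModules(httpServletRequest, midpointAuthentication.getIndexOfProcessingModule(true));
        }
        return i;
    }

    /**
     * Reuses the modules of the current authentication when it belongs to the same sequence;
     * otherwise drops the current authentication and the manager's providers and builds the
     * module filters for the sequence from scratch.
     */
    private List<AuthModule> createAuthenticationModuleBySequence(MidpointAuthentication midpointAuthentication, AuthenticationSequenceType authenticationSequenceType, HttpServletRequest httpServletRequest, AuthenticationModulesType authenticationModulesType, AuthenticationChannel authenticationChannel, CredentialsPolicyType credentialsPolicyType) {
        if (midpointAuthentication == null || !authenticationSequenceType.equals(midpointAuthentication.getSequence())) {
            // Switching sequences invalidates whatever was authenticated so far.
            SecurityContextHolder.getContext().setAuthentication((Authentication) null);
            this.authenticationManager.getProviders().clear();
            return SecurityUtils.buildModuleFilters(this.authModuleRegistry, authenticationSequenceType, httpServletRequest, authenticationModulesType, credentialsPolicyType, this.sharedObjects, authenticationChannel);
        }
        return midpointAuthentication.getAuthModules();
    }

    /**
     * Resolves the sequence for the request.
     *
     * <p>Without an authentication, or off the login page, the sequence comes from the request
     * path. On the login page with an existing authentication the current sequence is kept unless
     * the request clearly belongs to another channel that maps to no sequence ({@code null}). An
     * authenticated user hitting the base path of a different sequence on the same channel keeps
     * the current sequence and is marked for internal logout instead.
     *
     * @return the sequence, or {@code null} if none applies
     */
    private AuthenticationSequenceType getAuthenticationSequence(MidpointAuthentication midpointAuthentication, HttpServletRequest httpServletRequest, AuthenticationsPolicyType authenticationsPolicyType) {
        AuthenticationSequenceType sequenceByPath;
        if (midpointAuthentication == null || !SecurityUtils.isLoginPage(httpServletRequest)) {
            sequenceByPath = SecurityUtils.getSequenceByPath(httpServletRequest, authenticationsPolicyType, this.taskManager.getLocalNodeGroups());
        } else {
            if (!existOldAuthConfigurationForSelfRegistration(httpServletRequest) && !midpointAuthentication.getAuthenticationChannel().getChannelId().equals(SecurityUtils.findChannelByRequest(httpServletRequest)) && SecurityUtils.getSequenceByPath(httpServletRequest, authenticationsPolicyType, this.taskManager.getLocalNodeGroups()) == null) {
                return null;
            }
            sequenceByPath = midpointAuthentication.getSequence();
        }
        // Kept as one short-circuit expression on purpose: the channel lookups may be null and the
        // later operands must only run when the earlier ones hold.
        if (midpointAuthentication != null && !midpointAuthentication.getSequence().equals(sequenceByPath) && midpointAuthentication.isAuthenticated() && ((sequenceByPath != null && sequenceByPath.getChannel() != null && midpointAuthentication.getAuthenticationChannel().matchChannel(sequenceByPath)) || midpointAuthentication.getAuthenticationChannel().getChannelId().equals(SecurityUtils.findChannelByRequest(httpServletRequest)))) {
            if (SecurityUtils.isBasePathForSequence(httpServletRequest, sequenceByPath)) {
                midpointAuthentication.getAuthenticationChannel().setPathAfterLogout(httpServletRequest.getServletPath());
                SecurityUtils.getAuthenticatedModule().setInternalLogout(true);
            }
            sequenceByPath = midpointAuthentication.getSequence();
        }
        return sequenceByPath;
    }

    /**
     * @return {@code true} if the request is on the self-registration channel and the security
     *         policy still carries the legacy "additional authentication name" that resolves to an
     *         authentication policy; {@code false} otherwise or if the policy cannot be loaded
     */
    private boolean existOldAuthConfigurationForSelfRegistration(HttpServletRequest httpServletRequest) {
        if (!SchemaConstants.CHANNEL_SELF_REGISTRATION_URI.equals(SecurityUtils.findChannelByRequest(httpServletRequest))) {
            return false;
        }
        try {
            PrismObject<SecurityPolicyType> securityPolicy = getSecurityPolicy();
            if (securityPolicy == null || securityPolicy.asObjectable() == null) {
                return false;
            }
            SelfRegistrationPolicyType selfRegistrationPolicy = SecurityPolicyUtil.getSelfRegistrationPolicy(securityPolicy.asObjectable());
            if (selfRegistrationPolicy == null || !StringUtils.isNotBlank(selfRegistrationPolicy.getAdditionalAuthenticationName())) {
                return false;
            }
            return SecurityPolicyUtil.getAuthenticationPolicy(selfRegistrationPolicy.getAdditionalAuthenticationName(), securityPolicy.asObjectable()) != null;
        } catch (SchemaException e) {
            // Best effort: a broken policy is logged and treated as "no legacy configuration".
            LOGGER.error("Couldn't load Authentication policy", e);
            return false;
        }
    }

    /**
     * Picks the authentication policy: the configured one when it has at least one sequence, the
     * default one otherwise (with the configured ignored local paths when a configuration exists).
     *
     * @throws SchemaException if the default policy cannot be created
     */
    private AuthenticationsPolicyType getAuthenticationPolicy(PrismObject<SecurityPolicyType> prismObject) throws SchemaException {
        if (prismObject == null || prismObject.asObjectable().getAuthentication() == null) {
            return getDefaultAuthenticationPolicy(SecurityPolicyUtil.NO_CUSTOM_IGNORED_LOCAL_PATH);
        }
        AuthenticationsPolicyType authentication = prismObject.asObjectable().getAuthentication();
        if (authentication.getSequence() == null || authentication.getSequence().isEmpty()) {
            return getDefaultAuthenticationPolicy(authentication.getIgnoredLocalPath());
        }
        return authentication;
    }

    /** @throws SchemaException propagated from the system object cache */
    private PrismObject<SecurityPolicyType> getSecurityPolicy() throws SchemaException {
        return this.systemObjectCache.getSecurityPolicy();
    }

    /**
     * For an already authenticated request, runs the security filter chain of every module whose
     * authentication succeeded, each through its own {@link VirtualFilterChain} ending in the
     * original chain.
     */
    private void processingOfAuthenticatedRequest(MidpointAuthentication midpointAuthentication, ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        for (ModuleAuthentication moduleAuthentication : midpointAuthentication.getAuthentications()) {
            if (StateOfModule.SUCCESSFULLY.equals(moduleAuthentication.getState())) {
                new VirtualFilterChain(filterChain, ((AuthModule) midpointAuthentication.getAuthModules().get(midpointAuthentication.getIndexOfModule(moduleAuthentication))).getSecurityFilterChain().getFilters()).doFilter(servletRequest, servletResponse);
            }
        }
    }
}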
