package com.evolveum.midpoint.web.security.filter;

import com.evolveum.midpoint.model.api.authentication.AuthenticationModuleNameConstants;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.web.security.module.authentication.SecurityQuestionsAuthenticationToken;
import com.evolveum.midpoint.web.security.util.MidpointHttpServletRequest;
import com.evolveum.midpoint.web.security.util.SecurityUtils;
import com.github.openjson.JSONObject;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

/* loaded from: input_file:WEB-INF/classes/com/evolveum/midpoint/web/security/filter/HttpSecurityQuestionsAuthenticationFilter.class */
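/**
 * Servlet filter that authenticates a request from a security-questions
 * {@code Authorization} header.
 *
 * <p>The header is expected in the form {@code Authorization: <type> <credentials>}, where
 * {@code <type>} matches {@link AuthenticationModuleNameConstants#SECURITY_QUESTIONS}
 * (case-insensitively) and {@code <credentials>} is a Base64-encoded JSON object holding the
 * attributes {@value #J_USER} and {@value #J_ANSWER}.
 *
 * <p>Everything read from the header is attacker-controlled and unauthenticated until
 * {@link AuthenticationManager#authenticate} returns, so it is validated before use and
 * neutralised before it is written to the log.
 */
public class HttpSecurityQuestionsAuthenticationFilter extends HttpAuthenticationFilter {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) HttpSecurityQuestionsAuthenticationFilter.class);

    /** JSON attribute carrying the submitted answers. */
    public static final String J_ANSWER = "answer";

    /** JSON attribute carrying the user name. */
    public static final String J_USER = "user";

    /**
     * Creates the filter.
     *
     * @param authenticationManager manager that verifies the submitted answers
     * @param authenticationEntryPoint entry point invoked when authentication fails
     */
    public HttpSecurityQuestionsAuthenticationFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint) {
        super(authenticationManager, authenticationEntryPoint);
    }

    /**
     * Authenticates the request when it carries a security-questions {@code Authorization}
     * header, and otherwise hands it to the rest of the chain untouched.
     *
     * <p>Any {@link AuthenticationException} raised while processing the header is reported to
     * the remember-me services and the authentication entry point; the chain is not continued
     * in that case.
     *
     * @param httpServletRequest incoming request
     * @param httpServletResponse outgoing response
     * @param filterChain remaining filters
     * @throws IOException propagated from the chain or the entry point
     * @throws ServletException propagated from the chain or the entry point
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        ServletRequest requestToForward = httpServletRequest;
        try {
            String header = httpServletRequest.getHeader("Authorization");
            // The null check has to come before any dereference: a request without an
            // Authorization header is not ours to handle and must pass through instead of
            // failing with a NullPointerException.
            if (header == null) {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            }
            if (header.indexOf(" ") == -1) {
                throw new BadCredentialsException("Invalid authentication header, value of header don't contains delimiter ' '. Please use form 'Authorization: <type> <credentials>' for successful authentication");
            }
            if (!header.toLowerCase().startsWith(AuthenticationModuleNameConstants.SECURITY_QUESTIONS.toLowerCase() + " ")) {
                // A different authentication scheme; leave it to the other filters.
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            }
            JSONObject credentials = extractAndDecodeHeader(header, httpServletRequest);
            if (!credentials.keySet().contains(J_USER) || !credentials.keySet().contains(J_ANSWER)) {
                throw new AuthenticationServiceException("Authorization header doesn't contains attribute 'user' or 'answer'");
            }
            String userName = credentials.getString(J_USER);
            // The user name is client-supplied and not yet authenticated; replace line breaks so
            // that it cannot forge additional log entries.
            LOGGER.debug("Security Questions - Authentication Authorization header found for user '" + String.valueOf(userName).replaceAll("[\\r\\n]", "_") + "'");
            if (authenticationIsRequired(userName, SecurityQuestionsAuthenticationToken.class)) {
                SecurityQuestionsAuthenticationToken token = new SecurityQuestionsAuthenticationToken(userName, SecurityUtils.obtainAnswers(credentials.get(J_ANSWER).toString(), SecurityQuestionsAuthenticationFilter.J_QID, SecurityQuestionsAuthenticationFilter.J_QANS));
                token.setDetails(getAuthenticationDetailsSource().buildDetails(httpServletRequest));
                Authentication authResult = getAuthenticationManager().authenticate(token);
                // Runs only after authenticate() has returned without throwing.
                SecurityUtils.resolveProxyUserOidHeader(httpServletRequest);
                onSuccessfulAuthentication(httpServletRequest, httpServletResponse, authResult);
                LOGGER.debug("Authentication success: " + authResult);
                getRememberMeServices().loginSuccess(httpServletRequest, httpServletResponse, authResult);
                requestToForward = new MidpointHttpServletRequest(httpServletRequest);
            }
            filterChain.doFilter(requestToForward, httpServletResponse);
        } catch (AuthenticationException e) {
            LOGGER.debug("Authentication request for failed: " + e);
            getRememberMeServices().loginFail(httpServletRequest, httpServletResponse);
            getAuthenticationEntryPoint().commence(httpServletRequest, httpServletResponse, e);
        }
    }

    /**
     * Strips the scheme prefix from the header, Base64-decodes the remainder and parses it as
     * JSON using the credentials charset resolved for the request.
     *
     * <p>The caller must already have verified that {@code str} starts with the scheme name
     * followed by a space; the prefix length is used as the substring offset without a check.
     *
     * @param str full value of the {@code Authorization} header
     * @param httpServletRequest request used to resolve the credentials charset
     * @return the decoded JSON object
     * @throws BadCredentialsException if the credentials part is not valid Base64
     * @throws IOException declared for callers; not thrown by the statements visible here
     */
    private JSONObject extractAndDecodeHeader(String str, HttpServletRequest httpServletRequest) throws IOException {
        String encoded = str.substring(AuthenticationModuleNameConstants.SECURITY_QUESTIONS.length() + 1);
        try {
            byte[] decoded = Base64.getDecoder().decode(encoded.getBytes(StandardCharsets.UTF_8));
            // NOTE(review): a payload that decodes but is not well-formed JSON presumably makes
            // the JSONObject constructor throw the library's own runtime exception, which is
            // not an AuthenticationException and so bypasses the failure handling in
            // doFilterInternal - confirm, and map it to BadCredentialsException as well.
            return new JSONObject(new String(decoded, getCredentialsCharset(httpServletRequest)));
        } catch (IllegalArgumentException e) {
            // Keep the cause so the decoding error stays visible in server-side diagnostics.
            throw new BadCredentialsException("Failed to decode security question authentication token", e);
        }
    }
}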
