package com.evolveum.midpoint.web.security.filter;

import com.evolveum.midpoint.model.api.authentication.AuthenticationModuleNameConstants;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.web.security.BasicMidPointAuthenticationSuccessHandler;
import com.evolveum.midpoint.web.security.module.authentication.ClusterAuthenticationToken;
import com.evolveum.midpoint.web.security.util.SecurityUtils;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.NullRememberMeServices;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;

/* loaded from: input_file:WEB-INF/classes/com/evolveum/midpoint/web/security/filter/HttpClusterAuthenticationFilter.class */
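/**
 * Servlet filter that authenticates requests carrying an {@code Authorization} header whose
 * scheme is {@link AuthenticationModuleNameConstants#CLUSTER}.
 *
 * <p>The value after the scheme is Base64-decoded and passed, together with the remote address
 * of the request, to the {@link AuthenticationManager} as a {@link ClusterAuthenticationToken}.
 * Requests without that scheme go down the filter chain untouched. A failed authentication is
 * answered with {@code 401} and a {@code WWW-Authenticate} challenge for the same scheme.
 *
 * <p>Extends {@link HttpAuthenticationFilter}; {@code authenticationIsRequired},
 * {@code getAuthenticationManager}, {@code onSuccessfulAuthentication} and
 * {@code getCredentialsCharset} are inherited and not visible in this file.
 */
public class HttpClusterAuthenticationFilter extends HttpAuthenticationFilter {
    private static final Trace LOGGER = TraceManager.getTrace(HttpClusterAuthenticationFilter.class);

    private final AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource;
    private final RememberMeServices rememberMeServices;
    // Assigned in the constructor but not read by any method in this class; decoding uses the
    // inherited getCredentialsCharset(request) instead.
    private final String credentialsCharset;
    // Assigned in the constructor but not referenced by any method in this class.
    private final AuthenticationSuccessHandler successHandler;

    /**
     * Creates the filter with the default collaborators: web authentication details, no
     * remember-me support, UTF-8 credentials and the basic midPoint success handler.
     *
     * @param authenticationManager manager that validates the cluster token
     * @param authenticationEntryPoint entry point handed to the parent filter
     */
    public HttpClusterAuthenticationFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint) {
        super(authenticationManager, authenticationEntryPoint);
        this.authenticationDetailsSource = new WebAuthenticationDetailsSource();
        this.rememberMeServices = new NullRememberMeServices();
        this.credentialsCharset = "UTF-8";
        this.successHandler = new BasicMidPointAuthenticationSuccessHandler();
    }

    /**
     * Authenticates a request that presents the cluster scheme, then continues the chain.
     *
     * @param httpServletRequest incoming request
     * @param httpServletResponse response; receives the 401 challenge on failure
     * @param filterChain remaining filters
     * @throws IOException if the chain, the charset lookup or {@code sendError} fails
     * @throws ServletException if a downstream filter fails
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        String header = httpServletRequest.getHeader("Authorization");
        String schemePrefix = AuthenticationModuleNameConstants.CLUSTER + " ";
        // Case-insensitive prefix match without lower-casing the whole header: this does not
        // depend on the default locale and does not create a second copy of the credential.
        if (header == null || !header.regionMatches(true, 0, schemePrefix, 0, schemePrefix.length())) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }

        // getRemoteAddr() is the address of the direct peer of this connection.
        // NOTE(review): it is passed to the token next to the credential; if nodes can reach
        // each other through a reverse proxy this will be the proxy's address. Confirm how the
        // authentication provider uses it.
        String remoteAddr = httpServletRequest.getRemoteAddr();
        try {
            String decodedToken = extractAndDecodeHeader(header, httpServletRequest);
            LOGGER.debug("Cluster Authentication - Authorization header found for remote address '" + remoteAddr + "'");
            if (authenticationIsRequired(remoteAddr, ClusterAuthenticationToken.class)) {
                ClusterAuthenticationToken clusterAuthenticationToken = new ClusterAuthenticationToken(remoteAddr, decodedToken);
                clusterAuthenticationToken.setDetails(this.authenticationDetailsSource.buildDetails(httpServletRequest));
                Authentication authenticate = getAuthenticationManager().authenticate(clusterAuthenticationToken);
                // NOTE(review): this logs the Authentication via toString(); confirm that
                // ClusterAuthenticationToken does not print the decoded credential there.
                LOGGER.debug("Authentication success: " + authenticate);
                SecurityUtils.resolveProxyUserOidHeader(httpServletRequest);
                this.rememberMeServices.loginSuccess(httpServletRequest, httpServletResponse, authenticate);
                onSuccessfulAuthentication(httpServletRequest, httpServletResponse, authenticate);
            }
            // NOTE(review): the chain runs inside the try, so an AuthenticationException raised
            // by a later filter is also answered with the cluster 401 challenge below. Kept as
            // in the original; confirm that this is intended.
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } catch (AuthenticationException e) {
            LOGGER.debug("Cluster authentication request from '" + remoteAddr + "' failed: " + e);
            this.rememberMeServices.loginFail(httpServletRequest, httpServletResponse);
            httpServletResponse.setHeader("WWW-Authenticate", AuthenticationModuleNameConstants.CLUSTER + " realm=\"midpoint\"");
            // sendError() commits the response, so nothing is written after it. The original
            // wrote a leftover " test error " body here through getWriter(), which the servlet
            // API says must not be done after sendError() and which can itself throw.
            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    /**
     * Strips the scheme from the {@code Authorization} header and Base64-decodes the rest.
     *
     * @param str full header value; the caller has already checked that it starts with the scheme
     * @param httpServletRequest request used to look up the credentials charset
     * @return the decoded token text
     * @throws IOException declared for the charset conversion
     * @throws BadCredentialsException if the value is not valid Base64
     */
    private String extractAndDecodeHeader(String str, HttpServletRequest httpServletRequest) throws IOException {
        String encodedToken = str.substring(AuthenticationModuleNameConstants.CLUSTER.length() + 1);
        try {
            byte[] decoded = Base64.getDecoder().decode(encodedToken.getBytes(StandardCharsets.UTF_8));
            return new String(decoded, getCredentialsCharset(httpServletRequest));
        } catch (IllegalArgumentException e) {
            // The message used to say "security question" (copied from another filter); name the
            // right mechanism and keep the cause for troubleshooting.
            throw new BadCredentialsException("Failed to decode cluster authentication token", e);
        }
    }
}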
