package com.evolveum.midpoint.authentication.impl.filter;

import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
import com.evolveum.midpoint.authentication.impl.handler.BasicMidPointAuthenticationSuccessHandler;
import com.evolveum.midpoint.authentication.impl.session.MidpointHttpServletRequest;
import com.evolveum.midpoint.authentication.impl.util.AuthSequenceUtil;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.jetbrains.annotations.NotNull;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.NullRememberMeServices;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.util.Assert;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.10-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/filter/HttpAuthenticationFilter.class */
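/**
 * Base filter for authentication modules that read their credentials from the HTTP
 * {@code Authorization} header ({@code Authorization: <type> <credentials>}).
 *
 * <p>Subclasses supply the scheme name ({@link #getModuleIdentifier()}), the header decoding
 * ({@link #extractAndDecodeHeader}), the token construction ({@link #createAuthenticationToken})
 * and the decision whether the request must be (re-)authenticated
 * ({@link #authenticationIsRequired(Object, HttpServletRequest)}).
 *
 * <p>Unlike the flow a reader may expect from the parent class, this filter neither stores the
 * authentication result in the {@link SecurityContextHolder} nor clears the context on failure;
 * NOTE(review): presumably the authentication manager and {@link MidpointAuthentication} own
 * that state - confirm before relying on it.
 *
 * @param <T> decoded representation of the header value that the subclass works with
 */
public abstract class HttpAuthenticationFilter<T> extends BasicAuthenticationFilter {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) HttpAuthenticationFilter.class);
    private final AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource;
    private RememberMeServices rememberMeServices;
    private final Charset credentialsCharset;
    private final AuthenticationSuccessHandler successHandler;

    /**
     * Creates the filter with web authentication details, no-op remember-me services,
     * UTF-8 credential decoding and the basic midPoint success handler.
     *
     * @param authenticationManager manager the created token is submitted to
     * @param authenticationEntryPoint entry point that is commenced when authentication fails
     */
    public HttpAuthenticationFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint) {
        super(authenticationManager, authenticationEntryPoint);
        this.authenticationDetailsSource = new WebAuthenticationDetailsSource();
        this.rememberMeServices = new NullRememberMeServices();
        this.credentialsCharset = StandardCharsets.UTF_8;
        this.successHandler = new BasicMidPointAuthenticationSuccessHandler();
    }

    /**
     * Authenticates the request from its {@code Authorization} header when the header belongs to
     * this module.
     *
     * <ul>
     *   <li>No header, or a header of another scheme: the original request is passed down the
     *       chain untouched.</li>
     *   <li>A header without a space delimiter is rejected with {@link BadCredentialsException}
     *       before the scheme is looked at, so it fails here even when it was meant for
     *       another module.</li>
     *   <li>Any {@link AuthenticationException} ends the request in this filter: the failure
     *       callbacks run and the chain is not invoked.</li>
     * </ul>
     */
    @Override // org.springframework.security.web.authentication.www.BasicAuthenticationFilter, org.springframework.web.filter.OncePerRequestFilter
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        try {
            String header = httpServletRequest.getHeader("Authorization");
            if (header == null) {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            }
            if (header.indexOf(" ") == -1) {
                throw new BadCredentialsException("Invalid authentication header, value of header don't contains delimiter ' '. Please use form 'Authorization: <type> <credentials>' for successful authentication");
            }
            if (skipFilterForAuthorizationHeader(header)) {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            }
            T decodedHeader = extractAndDecodeHeader(header, httpServletRequest);
            logFoundAuthorizationHeader(decodedHeader, httpServletRequest);
            // The decompiled listing cast the decoded value to HttpAuthenticationFilter<T> here.
            // That cast does not type-check against authenticationIsRequired(T, ...) and would
            // fail at run time for any T that is not a filter, so the value is passed as T.
            if (authenticationIsRequired(decodedHeader, httpServletRequest)) {
                AbstractAuthenticationToken authenticationRequest = createAuthenticationToken(decodedHeader, httpServletRequest);
                authenticationRequest.setDetails(getAuthenticationDetailsSource().buildDetails(httpServletRequest));
                Authentication authenticationResult = getAuthenticationManager().authenticate(authenticationRequest);
                // NOTE(review): this writes Authentication#toString() to the debug log; confirm
                // that the implementations in use do not render credentials or tokens there.
                LOGGER.debug("Authentication success: " + authenticationResult);
                AuthSequenceUtil.resolveProxyUserOidHeader(httpServletRequest);
                getRememberMeServices().loginSuccess(httpServletRequest, httpServletResponse, authenticationResult);
                onSuccessfulAuthentication(httpServletRequest, httpServletResponse, authenticationResult);
            }
            // Reached both after a fresh authentication and when none was required.
            filterChain.doFilter(createWrapperOfRequest(httpServletRequest), httpServletResponse);
        } catch (AuthenticationException e) {
            LOGGER.debug("Authentication request for failed: " + e);
            getRememberMeServices().loginFail(httpServletRequest, httpServletResponse);
            onUnsuccessfulAuthentication(httpServletRequest, httpServletResponse, e);
        }
    }

    /**
     * Tells whether the header belongs to a different authentication scheme than this module.
     *
     * <p>The scheme is compared case-insensitively, character by character. The previous
     * {@code toLowerCase()} comparison depended on the JVM default locale, so under a locale
     * with special case mappings (for example Turkish dotless i) an upper-case scheme name no
     * longer matched the module identifier and the header was silently skipped.
     *
     * @param str raw {@code Authorization} header value
     * @return {@code true} when the header does not start with {@code "<module identifier> "}
     */
    protected boolean skipFilterForAuthorizationHeader(String str) {
        String schemePrefix = getModuleIdentifier() + " ";
        return !str.regionMatches(true, 0, schemePrefix, 0, schemePrefix.length());
    }

    /**
     * Converts the raw {@code Authorization} header value into the representation used by the
     * subclass.
     */
    protected abstract T extractAndDecodeHeader(String str, HttpServletRequest httpServletRequest);

    /**
     * Base64-decodes the credentials part of the header, i.e. everything after
     * {@code "<module identifier> "}, and returns it as text in the credentials charset (UTF-8).
     *
     * <p>A header that is {@code null} or too short to hold the scheme prefix is reported as
     * {@link BadCredentialsException}, so it takes the same failure path as any other rejected
     * credential instead of surfacing as an unchecked index or null-pointer error.
     *
     * @param str raw {@code Authorization} header value, including the scheme name
     * @return decoded credentials
     * @throws BadCredentialsException when the header is missing, too short or not valid Base64
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public String createCredentialsFromHeader(String str) {
        int credentialsStart = getModuleIdentifier().length() + 1;
        if (str == null || str.length() < credentialsStart) {
            throw new BadCredentialsException("Failed to decode authentication credentials from header");
        }
        try {
            byte[] encodedCredentials = str.substring(credentialsStart).getBytes(this.credentialsCharset);
            return new String(Base64.getDecoder().decode(encodedCredentials), this.credentialsCharset);
        } catch (IllegalArgumentException e) {
            // Keep the decoder error as the cause; the message itself stays free of header content.
            throw new BadCredentialsException("Failed to decode authentication credentials from header", e);
        }
    }

    /**
     * Wraps the request in a {@link MidpointHttpServletRequest} before it continues down the chain.
     */
    protected HttpServletRequest createWrapperOfRequest(HttpServletRequest httpServletRequest) {
        return new MidpointHttpServletRequest(httpServletRequest);
    }

    /** Builds the token that is submitted to the authentication manager. */
    protected abstract AbstractAuthenticationToken createAuthenticationToken(T t, HttpServletRequest httpServletRequest);

    /** Decides whether the request carrying the decoded header has to be authenticated. */
    protected abstract boolean authenticationIsRequired(T t, HttpServletRequest httpServletRequest);

    /**
     * Logs that an authorization header for this module was found. Implementations receive the
     * decoded header value, which may contain secrets.
     */
    protected abstract void logFoundAuthorizationHeader(T t, HttpServletRequest httpServletRequest);

    /** Returns the scheme name that precedes the credentials in the header. */
    @NotNull
    protected abstract String getModuleIdentifier();

    /**
     * Checks the authentication currently held by the security context against the principal
     * name taken from the header.
     *
     * <p>NOTE(review): {@code authentication.getClass().isAssignableFrom(cls)} holds when
     * {@code cls} is the same as, or a subclass of, the current authentication's class, which is
     * the opposite direction of an {@code instanceof cls} test - confirm that this is intended.
     *
     * @param str principal name extracted from the header
     * @param cls authentication type this module produces
     * @return {@code true} when there is no authenticated principal, when the current principal
     *     (of a matching type or a {@link MidpointAuthentication}) has a different name, or when
     *     the current authentication is anonymous
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean authenticationIsRequired(String str, Class<? extends Authentication> cls) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null || !current.isAuthenticated()) {
            return true;
        }
        boolean comparableType = current.getClass().isAssignableFrom(cls) || (current instanceof MidpointAuthentication);
        if (comparableType && !current.getName().equals(str)) {
            return true;
        }
        return current instanceof AnonymousAuthenticationToken;
    }

    /**
     * Replaces the remember-me services used by this filter.
     *
     * @param rememberMeServices services to notify about login success and failure, never {@code null}
     */
    @Override // org.springframework.security.web.authentication.www.BasicAuthenticationFilter
    public void setRememberMeServices(RememberMeServices rememberMeServices) {
        Assert.notNull(rememberMeServices, "rememberMeServices cannot be null");
        this.rememberMeServices = rememberMeServices;
    }

    /** Returns the remember-me services notified about login success and failure. */
    protected RememberMeServices getRememberMeServices() {
        return this.rememberMeServices;
    }

    /** Returns the source of the details attached to each authentication token. */
    protected AuthenticationDetailsSource<HttpServletRequest, ?> getAuthenticationDetailsSource() {
        return this.authenticationDetailsSource;
    }

    /**
     * Delegates to the success handler. A {@link ServletException} from the handler is logged
     * and not propagated, so the caller continues with the filter chain.
     */
    @Override // org.springframework.security.web.authentication.www.BasicAuthenticationFilter
    protected void onSuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException {
        try {
            this.successHandler.onAuthenticationSuccess(httpServletRequest, httpServletResponse, authentication);
        } catch (ServletException e) {
            LOGGER.error("Couldn't execute post successful authentication method", (Throwable) e);
        }
    }

    /**
     * Commences the authentication entry point and records the failure on the module that is
     * being processed, when the security context holds a {@link MidpointAuthentication}.
     *
     * <p>A {@link ServletException} from the entry point is logged and not propagated; the
     * failure is still recorded afterwards.
     */
    @Override // org.springframework.security.web.authentication.www.BasicAuthenticationFilter
    protected void onUnsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException {
        try {
            getAuthenticationEntryPoint().commence(httpServletRequest, httpServletResponse, authenticationException);
        } catch (ServletException e) {
            LOGGER.error("Couldn't execute post unsuccessful authentication method", (Throwable) e);
        }
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current instanceof MidpointAuthentication) {
            ((MidpointAuthentication) current).getProcessingModuleAuthentication().recordFailure(authenticationException);
        }
    }
}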
