package com.evolveum.midpoint.authentication.impl.oidc;

import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
import com.evolveum.midpoint.authentication.impl.module.authentication.OidcClientModuleAuthenticationImpl;
import com.evolveum.midpoint.authentication.impl.util.RequestState;
import com.evolveum.midpoint.model.api.ModelAuditRecorder;
import com.evolveum.midpoint.schema.constants.SchemaConstants;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.util.ThrowableAnalyzer;
import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:com/evolveum/midpoint/authentication/impl/oidc/OidcAuthorizationRequestRedirectFilter.class */
/**
 * midPoint variant of Spring Security's OAuth2 authorization-request redirect filter for the
 * OIDC client module.
 *
 * <p>On each request it asks the {@link OAuth2AuthorizationRequestResolver} whether this request
 * should start an authorization-code flow. If so, the resolved {@link OAuth2AuthorizationRequest}
 * is stored in the session-backed {@link AuthorizationRequestRepository} and the client is
 * redirected to the provider's authorization endpoint; the OIDC module's request state is then
 * set to {@link RequestState#SENDED}. Otherwise the filter chain continues, and a
 * {@link ClientAuthorizationRequiredException} found anywhere in a thrown exception's cause chain
 * triggers the same redirect for the registration the exception names, additionally saving the
 * original request in the {@link RequestCache}.
 *
 * <p>Failures during redirect handling are reported through
 * {@link #unsuccessfulAuthentication}, which records an audit login-failure event and then
 * delegates to the configured {@link AuthenticationFailureHandler}. That handler has no default:
 * {@link #setAuthenticationFailureHandler} must be called before the filter processes a failure.
 *
 * <p>Decompiled source (JADX); the original JADX markers are kept below.
 */
/* loaded from: input_file:com/evolveum/midpoint/authentication/impl/oidc/OidcAuthorizationRequestRedirectFilter.class */
public class OidcAuthorizationRequestRedirectFilter extends OncePerRequestFilter {
    /** Decides whether a request starts the authorization-code flow; see the constructor. */
    private final OAuth2AuthorizationRequestResolver authorizationRequestResolver;
    /** Audit sink used to record login failures in {@link #unsuccessfulAuthentication}. */
    private final ModelAuditRecorder auditProvider;
    /** Not initialised here; set only through {@link #setAuthenticationFailureHandler}. */
    private AuthenticationFailureHandler failureHandler;
    /** Cause-chain analyzer that also unwraps {@link ServletException#getRootCause()}. */
    private final ThrowableAnalyzer throwableAnalyzer = new DefaultThrowableAnalyzer();
    private final RedirectStrategy authorizationRedirectStrategy = new DefaultRedirectStrategy();
    /** Session-scoped store for the pending authorization request (read back on the callback leg). */
    private final AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository = new HttpSessionOAuth2AuthorizationRequestRepository();
    /** Where the original request is saved when a redirect is triggered from the filter chain. */
    private RequestCache requestCache = new HttpSessionRequestCache();

    /**
     * {@link ThrowableAnalyzer} extended so that a {@link ServletException} wrapping another
     * throwable is followed through {@code getRootCause()} when the cause chain is computed.
     */
    /* loaded from: input_file:com/evolveum/midpoint/authentication/impl/oidc/OidcAuthorizationRequestRedirectFilter$DefaultThrowableAnalyzer.class */
    private static final class DefaultThrowableAnalyzer extends ThrowableAnalyzer {
        private DefaultThrowableAnalyzer() {
        }

        /* JADX INFO: Access modifiers changed from: protected */
        @Override // org.springframework.security.web.util.ThrowableAnalyzer
        public void initExtractorMap() {
            super.initExtractorMap();
            // ServletException keeps its wrapped throwable in getRootCause(), not getCause();
            // register an extractor so the analyzer's cause chain does not stop there.
            registerExtractor(ServletException.class, th -> {
                ThrowableAnalyzer.verifyThrowableHierarchy(th, ServletException.class);
                return ((ServletException) th).getRootCause();
            });
        }
    }

    /**
     * Creates the filter with a {@link DefaultOAuth2AuthorizationRequestResolver}.
     *
     * @param clientRegistrationRepository source of OIDC client registrations
     * @param str base URI under which authorization requests are recognised by the resolver
     * @param modelAuditRecorder audit recorder used for login-failure events
     */
    public OidcAuthorizationRequestRedirectFilter(ClientRegistrationRepository clientRegistrationRepository, String str, ModelAuditRecorder modelAuditRecorder) {
        this.authorizationRequestResolver = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, str);
        this.auditProvider = modelAuditRecorder;
    }

    /**
     * Sets the handler invoked after a failure has been audited.
     *
     * @param authenticationFailureHandler non-null handler
     * @throws IllegalArgumentException if the handler is {@code null}
     */
    public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
        Assert.notNull(authenticationFailureHandler, "failureHandler cannot be null");
        this.failureHandler = authenticationFailureHandler;
    }

    /**
     * Records an audit login-failure event and delegates to the failure handler.
     *
     * <p>The audited channel is taken from the current {@link MidpointAuthentication}'s
     * authentication channel when one is set, otherwise {@link SchemaConstants#CHANNEL_USER_URI}.
     * The audit message embeds the exception message, so it carries whatever detail the
     * underlying exception exposes.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @param authenticationException failure to report
     * @throws IOException propagated from the failure handler
     * @throws ServletException propagated from the failure handler
     * @throws NullPointerException if no failure handler has been configured
     */
    protected void unsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // Username is not known at this stage of the OIDC flow, hence the literal "unknown user".
        this.auditProvider.auditLoginFailure("unknown user", null, ConnectionEnvironment.create((!(authentication instanceof MidpointAuthentication) || ((MidpointAuthentication) authentication).getAuthenticationChannel() == null) ? SchemaConstants.CHANNEL_USER_URI : ((MidpointAuthentication) authentication).getAuthenticationChannel().getChannelId()), "OIDC authentication module: " + authenticationException.getMessage());
        this.failureHandler.onAuthenticationFailure(httpServletRequest, httpServletResponse, authenticationException);
    }

    /**
     * Replaces the request cache used when a redirect is triggered from the filter chain.
     *
     * @param requestCache non-null cache
     * @throws IllegalArgumentException if {@code requestCache} is {@code null}
     */
    public final void setRequestCache(RequestCache requestCache) {
        Assert.notNull(requestCache, "requestCache cannot be null");
        this.requestCache = requestCache;
    }

    /**
     * Starts the authorization-code flow when the resolver asks for it, otherwise continues the
     * chain and reacts to a {@link ClientAuthorizationRequiredException} raised downstream.
     *
     * <p>The {@link AuthenticationServiceException} for a non-midPoint authentication and the cast
     * of the processing module to {@link OidcClientModuleAuthenticationImpl} happen before the
     * {@code try} block, so they propagate out of the filter untouched. Everything after that is
     * inside an outer {@code catch (Exception)} which routes the failure to
     * {@link #unsuccessfulAuthentication}; see the inline notes on the rethrows.
     *
     * @throws AuthenticationServiceException if the current authentication is not a {@link MidpointAuthentication}
     * @throws IOException from the failure handler
     * @throws ServletException from the failure handler
     */
    @Override // org.springframework.web.filter.OncePerRequestFilter
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!(authentication instanceof MidpointAuthentication)) {
            throw new AuthenticationServiceException("Unsupported type of Authentication");
        }
        // Unchecked cast: assumes the module currently being processed is the OIDC client module
        // (a different module would fail with ClassCastException here, outside the try below).
        OidcClientModuleAuthenticationImpl oidcClientModuleAuthenticationImpl = (OidcClientModuleAuthenticationImpl) ((MidpointAuthentication) authentication).getProcessingModuleAuthentication();
        try {
            OAuth2AuthorizationRequest resolve = this.authorizationRequestResolver.resolve(httpServletRequest);
            if (resolve != null) {
                // This request itself initiates the flow: persist the request and redirect.
                sendRedirectForAuthorization(httpServletRequest, httpServletResponse, resolve);
                oidcClientModuleAuthenticationImpl.setRequestState(RequestState.SENDED);
                return;
            }
            try {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
            } catch (IOException e) {
                // NOTE(review): this rethrow is still inside the outer try, so it is caught by the
                // outer catch (Exception) below and reported via unsuccessfulAuthentication.
                throw e;
            } catch (Exception e2) {
                // Look for a ClientAuthorizationRequiredException anywhere in the cause chain
                // (including through ServletException.getRootCause(), see DefaultThrowableAnalyzer).
                ClientAuthorizationRequiredException clientAuthorizationRequiredException = (ClientAuthorizationRequiredException) this.throwableAnalyzer.getFirstThrowableOfType(ClientAuthorizationRequiredException.class, this.throwableAnalyzer.determineCauseChain(e2));
                if (clientAuthorizationRequiredException == null) {
                    // Not an authorization-required signal. NOTE(review): each of these rethrows is
                    // also enclosed by the outer catch (Exception) below, so none of them leaves
                    // this method directly.
                    if (e2 instanceof ServletException) {
                        throw ((ServletException) e2);
                    }
                    if (!(e2 instanceof RuntimeException)) {
                        throw new RuntimeException(e2);
                    }
                    throw ((RuntimeException) e2);
                }
                try {
                    // Re-resolve for the registration named by the exception and redirect there.
                    OAuth2AuthorizationRequest resolve2 = this.authorizationRequestResolver.resolve(httpServletRequest, clientAuthorizationRequiredException.getClientRegistrationId());
                    if (resolve2 == null) {
                        throw clientAuthorizationRequiredException;
                    }
                    sendRedirectForAuthorization(httpServletRequest, httpServletResponse, resolve2);
                    oidcClientModuleAuthenticationImpl.setRequestState(RequestState.SENDED);
                    // Remember the request that needed authorization so it can be replayed later.
                    this.requestCache.saveRequest(httpServletRequest, httpServletResponse);
                } catch (Exception e3) {
                    unsuccessfulAuthentication(httpServletRequest, httpServletResponse, new InternalAuthenticationServiceException("web.security.provider.invalid", e3));
                }
            }
        } catch (Exception e4) {
            // Catches everything thrown inside the try above, including the rethrows and any
            // exception from the inner unsuccessfulAuthentication call.
            unsuccessfulAuthentication(httpServletRequest, httpServletResponse, new InternalAuthenticationServiceException("web.security.provider.invalid", e4));
        }
    }

    /**
     * Saves the authorization request (so the callback can validate against it) and redirects
     * the client to the request's authorization URI.
     *
     * @throws IOException from the redirect strategy
     */
    private void sendRedirectForAuthorization(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth2AuthorizationRequest oAuth2AuthorizationRequest) throws IOException {
        this.authorizationRequestRepository.saveAuthorizationRequest(oAuth2AuthorizationRequest, httpServletRequest, httpServletResponse);
        this.authorizationRedirectStrategy.sendRedirect(httpServletRequest, httpServletResponse, oAuth2AuthorizationRequest.getAuthorizationRequestUri());
    }
}
