package com.evolveum.midpoint.authentication.impl.filter;

import com.evolveum.midpoint.authentication.api.AuthModule;
import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
import com.evolveum.midpoint.authentication.api.AuthenticationModuleState;
import com.evolveum.midpoint.authentication.api.RemoveUnusedSecurityFilterPublisher;
import com.evolveum.midpoint.authentication.api.config.MidpointAuthentication;
import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.impl.MidpointAutowiredBeanFactoryObjectPostProcessor;
import com.evolveum.midpoint.authentication.impl.MidpointProviderManager;
import com.evolveum.midpoint.authentication.impl.channel.IdentityRecoveryAuthenticationChannel;
import com.evolveum.midpoint.authentication.impl.factory.channel.AuthChannelRegistryImpl;
import com.evolveum.midpoint.authentication.impl.factory.module.AuthModuleRegistryImpl;
import com.evolveum.midpoint.authentication.impl.module.configurer.ModuleWebSecurityConfigurer;
import com.evolveum.midpoint.authentication.impl.util.AuthModuleImpl;
import com.evolveum.midpoint.authentication.impl.util.AuthSequenceUtil;
import com.evolveum.midpoint.model.api.ModelInteractionService;
import com.evolveum.midpoint.repo.common.SystemObjectCache;
import com.evolveum.midpoint.security.api.Authorization;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.task.api.TaskManager;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.ServiceType;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:com/evolveum/midpoint/authentication/impl/filter/MidpointAuthFilter.class */
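/**
 * Entry filter of midPoint's flexible authentication.
 * <p>
 * For every request it reads the current {@link MidpointAuthentication} from the security
 * context, builds an {@link AuthenticationWrapper} describing the applicable authentication
 * sequence and its modules, and then either lets the request straight through (permit-all
 * pages and ignored local paths), runs the filter chain of the module that already
 * authenticated the request, or runs the filter chain of the module currently being processed.
 * <p>
 * The filter keeps no per-request state in its fields: everything request-specific lives in
 * the security context and in the {@link AuthenticationWrapper} created per call.
 */
public class MidpointAuthFilter extends GenericFilterBean {

    private static final Trace LOGGER = TraceManager.getTrace(MidpointAuthFilter.class);

    /** Objects shared by the Spring Security configuration, keyed by type (e.g. {@link SecurityContextRepository}). */
    private final Map<Class<?>, Object> sharedObjects;

    @Autowired
    private ObjectPostProcessor<Object> objectObjectPostProcessor;

    @Autowired
    private SystemObjectCache systemObjectCache;

    @Autowired
    private AuthModuleRegistryImpl authModuleRegistry;

    @Autowired
    private AuthChannelRegistryImpl authChannelRegistry;

    @Autowired
    private MidpointProviderManager authenticationManager;

    @Autowired
    private TaskManager taskManager;

    @Autowired
    private RemoveUnusedSecurityFilterPublisher removeUnusedSecurityFilterPublisher;

    @Autowired
    private ModelInteractionService modelInteractionService;

    /** Invoked for every request that has a sequence, before any module filter runs. */
    private final PreLogoutFilter preLogoutFilter = new PreLogoutFilter();

    /**
     * Filter chain that fires a module's additional filters in order and, once they are
     * exhausted, continues with the original container chain unless the response has already
     * been committed by one of them.
     * <p>
     * Decompiler note: the access modifier of this class was reported as changed from
     * {@code private}; it is kept {@code public} so the emitted interface is unchanged.
     */
    public static class VirtualFilterChain implements FilterChain {

        private final FilterChain originalChain;
        private final List<Filter> additionalFilters;
        private final int size;
        /** Number of additional filters already fired; advanced before each filter runs. */
        private int currentPosition = 0;

        private VirtualFilterChain(FilterChain originalChain, List<Filter> additionalFilters) {
            this.originalChain = originalChain;
            this.additionalFilters = additionalFilters;
            this.size = additionalFilters.size();
        }

        /**
         * Fires the next additional filter, passing {@code this} as its chain, or delegates to
         * the original chain when all additional filters have run.
         *
         * @param request  the current request (cast to {@link HttpServletRequest} only for logging)
         * @param response the current response; nothing is forwarded once it is committed
         * @throws IOException      propagated from the fired filter or the original chain
         * @throws ServletException propagated from the fired filter or the original chain
         */
        @Override
        public void doFilter(ServletRequest request, ServletResponse response) throws IOException, ServletException {
            if (currentPosition == size) {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug(UrlUtils.buildRequestUrl((HttpServletRequest) request)
                            + " reached end of additional filter chain; proceeding with original chain, if url is permit all");
                }
                // A module filter may already have answered (redirect, error page); in that
                // case the original chain must not write anything more.
                if (!response.isCommitted()) {
                    originalChain.doFilter(request, response);
                }
                return;
            }
            currentPosition++;
            Filter next = additionalFilters.get(currentPosition - 1);
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug(UrlUtils.buildRequestUrl((HttpServletRequest) request)
                        + " at position " + currentPosition + " of " + size
                        + " in additional filter chain; firing Filter: '" + next.getClass().getSimpleName() + "'");
            }
            next.doFilter(request, response, this);
        }
    }

    /**
     * @param map objects shared by the Spring Security configuration, keyed by type
     */
    public MidpointAuthFilter(Map<Class<?>, Object> map) {
        this.sharedObjects = map;
    }

    /** @return the filter that computes the logout path for the current request */
    public PreLogoutFilter getPreLogoutFilter() {
        return this.preLogoutFilter;
    }

    /**
     * Creates and post-processes the {@link ModuleWebSecurityConfigurer} used for already
     * authenticated requests, and marks the midPoint post-processor as past initialization
     * when that is the kind of post-processor in use.
     */
    public void createFilterForAuthenticatedRequest() {
        ObjectPostProcessor<Object> postProcessor = this.objectObjectPostProcessor;
        ModuleWebSecurityConfigurer configurer =
                (ModuleWebSecurityConfigurer) postProcessor.postProcess(new ModuleWebSecurityConfigurer());
        configurer.setObjectPostProcessor(postProcessor);
        if (postProcessor instanceof MidpointAutowiredBeanFactoryObjectPostProcessor) {
            ((MidpointAutowiredBeanFactoryObjectPostProcessor) postProcessor).setAfterInitialization();
        }
    }

    /**
     * Servlet entry point; all work is done in {@link #doFilterInternal}.
     *
     * @throws IOException      propagated from the selected module filters or the container chain
     * @throws ServletException propagated from the selected module filters or the container chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        doFilterInternal(servletRequest, servletResponse, filterChain);
    }

    /**
     * Decides how the request is handled:
     * <ol>
     *   <li>an authentication that should be aborted is cleared from the security context;</li>
     *   <li>permit-all pages (other than the login page) pass straight through while nobody is authenticated;</li>
     *   <li>ignored local paths pass straight through;</li>
     *   <li>a request without any resolvable sequence is answered with 401;</li>
     *   <li>an already authenticated request runs the chain of its successful module;</li>
     *   <li>otherwise the chain of the module currently being processed is run.</li>
     * </ol>
     * Unused module filters are released in a {@code finally} block, so every branch that
     * reaches the {@code try} is covered exactly once.
     *
     * @throws IOException      propagated from the selected module filters or the container chain
     * @throws ServletException propagated from the selected module filters or the container chain
     * @throws AuthenticationServiceException when the sequence has no authentication module at all
     */
    private void doFilterInternal(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        MidpointAuthentication mpAuthentication =
                (MidpointAuthentication) SecurityContextHolder.getContext().getAuthentication();
        // NOTE(review): this may clear the authentication from the security context while the
        // local reference above still points at the cleared object — confirm that an aborted
        // authentication never reports isAuthenticated() == true further down.
        validateAuthenticationCanContinue(mpAuthentication, httpRequest);

        if (isPermitAllPage(httpRequest) && (mpAuthentication == null || !mpAuthentication.isAuthenticated())) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        AuthenticationWrapper wrapper = initAuthenticationWrapper(mpAuthentication, httpRequest);
        initPrincipalService(mpAuthentication, wrapper);
        if (wrapper.isIgnoredLocalPath(httpRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (wrapper.getSequence() == null) {
            IllegalArgumentException noSequence = new IllegalArgumentException(getMessageSequenceIsNull(httpRequest, wrapper));
            LOGGER.error(noSequence.getMessage(), noSequence);
            // Only a message key reaches the client; the full diagnostic stays in the log.
            ((HttpServletResponse) servletResponse).sendError(HttpServletResponse.SC_UNAUTHORIZED, "web.security.provider.invalid");
            return;
        }

        setLogoutPath(servletRequest, servletResponse);
        try {
            if (isRequestAuthenticated(mpAuthentication, wrapper)) {
                processingOfAuthenticatedRequest(mpAuthentication, httpRequest, servletResponse, filterChain);
            } else {
                if (wasNotFoundAuthModule(wrapper)) {
                    if (LOGGER.isDebugEnabled()) {
                        LOGGER.debug(UrlUtils.buildRequestUrl(httpRequest) + " has no authentication module");
                    }
                    throw new AuthenticationServiceException(
                            "Couldn't find authentication module for sequence " + wrapper.getSequenceIdentifier());
                }
                resolveErrorWithMoreModules(mpAuthentication, httpRequest);
                if (!servletResponse.isCommitted()) {
                    executeAuthenticationFilter(mpAuthentication, wrapper, httpRequest, servletResponse, filterChain);
                }
            }
        } finally {
            // Single release point for both branches; the authenticated branch no longer
            // publishes the same event a second time before reaching here.
            removingFiltersAfterProcessing(mpAuthentication, wrapper, httpRequest);
        }
    }

    /**
     * Fails the request when the module at {@code moduleIndex} is in
     * {@link AuthenticationModuleState#FAILURE_CONFIGURATION}.
     * <p>
     * The exception is stored in the session (only if one already exists, so this path never
     * creates a session) and, for the first module, a 401 is sent before the exception is thrown.
     * For later modules the error is recorded but processing continues.
     *
     * @param mpAuthentication current authentication; nothing happens when {@code null}
     * @param moduleIndex      index of the module to check; {@code -1} means "none"
     * @throws InternalAuthenticationServiceException when the first module is misconfigured
     */
    private void resolveErrorWithWrongConfigurationOfModules(MidpointAuthentication mpAuthentication, int moduleIndex,
            HttpServletRequest httpRequest, ServletResponse servletResponse) {
        if (mpAuthentication == null || moduleIndex == -1) {
            return;
        }
        boolean anyMisconfigured = mpAuthentication.getAuthModules().stream().anyMatch(authModule ->
                AuthenticationModuleState.FAILURE_CONFIGURATION == authModule.getBaseModuleAuthentication().getState());
        if (!anyMisconfigured) {
            return;
        }
        AuthModule current = (AuthModule) mpAuthentication.getAuthModules().get(moduleIndex);
        if (AuthenticationModuleState.FAILURE_CONFIGURATION != current.getBaseModuleAuthentication().getState()) {
            return;
        }
        InternalAuthenticationServiceException misconfigured =
                new InternalAuthenticationServiceException("web.security.flexAuth.wrong.auth.modules.config");
        if (httpRequest.getSession(false) != null) {
            AuthSequenceUtil.saveException(httpRequest, misconfigured);
        }
        if (moduleIndex == 0) {
            try {
                ((HttpServletResponse) servletResponse).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } catch (IOException e) {
                // The configuration error is still propagated below; only the 401 write failed.
                LOGGER.warn("Couldn't send 401 response for misconfigured authentication module", e);
            }
            throw misconfigured;
        }
    }

    /**
     * Runs the filter chain of the module currently being processed, creating a fresh
     * authentication token first when the flow has to (re)start.
     * <p>
     * The module index used for the configuration check is the one resolved before any
     * restart, falling back to the post-restart index when nothing was resolved ({@code -1}).
     */
    private void executeAuthenticationFilter(MidpointAuthentication mpAuthentication, AuthenticationWrapper wrapper,
            HttpServletRequest httpRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws ServletException, IOException {
        // Keep the token's module list in sync with the (possibly re-resolved) sequence.
        if (mpAuthentication != null && wrapper.getAuthModules().size() != mpAuthentication.getAuthModules().size()) {
            mpAuthentication.setAuthModules(wrapper.getAuthModules());
        }
        int processingIndex = getIndexOfCurrentProcessingModule(mpAuthentication, httpRequest);
        int indexForConfigCheck = processingIndex;
        if (needCreateNewAuthenticationToken(mpAuthentication, processingIndex, httpRequest)) {
            processingIndex = initNewAuthenticationToken(wrapper, httpRequest, (HttpServletResponse) servletResponse);
            // A new token replaced the one in the security context; re-read it.
            mpAuthentication = AuthUtil.getMidpointAuthentication();
        }
        if (indexForConfigCheck == -1) {
            indexForConfigCheck = processingIndex;
        }
        resolveErrorWithWrongConfigurationOfModules(mpAuthentication, indexForConfigCheck, httpRequest, servletResponse);
        setAuthenticationChanel(mpAuthentication, wrapper);
        runFilters(wrapper, processingIndex, filterChain, httpRequest, servletResponse);
    }

    /** Clears the security context when the current authentication asks to be aborted. */
    private void validateAuthenticationCanContinue(MidpointAuthentication mpAuthentication, HttpServletRequest httpRequest) {
        if (mpAuthentication != null && mpAuthentication.authenticationShouldBeAborted()) {
            clearAuthentication(httpRequest);
        }
    }

    /**
     * Publishes the "remove unused security filters" event for the modules of this request.
     * Only done for non-cluster requests on a session-less access channel, where the filters
     * would otherwise never be released; the module list comes from the authentication token
     * when there is one, else from the wrapper.
     */
    private void removingFiltersAfterProcessing(MidpointAuthentication mpAuthentication, AuthenticationWrapper wrapper,
            HttpServletRequest httpRequest) {
        boolean sessionLessNonCluster = !AuthSequenceUtil.isClusterSequence(httpRequest)
                && AuthSequenceUtil.isRecordSessionLessAccessChannel(httpRequest);
        if (!sessionLessNonCluster) {
            return;
        }
        if (mpAuthentication != null) {
            this.removeUnusedSecurityFilterPublisher.publishCustomEvent(mpAuthentication.getAuthModules());
        } else if (wrapper != null && wrapper.getAuthModules() != null) {
            this.removeUnusedSecurityFilterPublisher.publishCustomEvent(wrapper.getAuthModules());
        }
    }

    /**
     * Removes the authentication from the security context, releasing its module filters
     * first for non-cluster requests whose token is a {@link MidpointAuthentication}.
     */
    private void clearAuthentication(HttpServletRequest httpRequest) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (!AuthSequenceUtil.isClusterSequence(httpRequest) && current instanceof MidpointAuthentication) {
            this.removeUnusedSecurityFilterPublisher.publishCustomEvent(((MidpointAuthentication) current).getAuthModules());
        }
        SecurityContextHolder.getContext().setAuthentication(null);
    }

    /** Runs the security filter chain of the module at {@code moduleIndex} in front of {@code filterChain}. */
    private void runFilters(AuthenticationWrapper wrapper, int moduleIndex, FilterChain filterChain,
            HttpServletRequest httpRequest, ServletResponse servletResponse) throws ServletException, IOException {
        AuthModuleImpl module = (AuthModuleImpl) wrapper.getAuthModules().get(moduleIndex);
        List<Filter> moduleFilters = module.getSecurityFilterChain().getFilters();
        new VirtualFilterChain(filterChain, moduleFilters).doFilter(httpRequest, servletResponse);
    }

    /** Sets the wrapper's channel on the token, but only when the token has none yet. */
    private void setAuthenticationChanel(MidpointAuthentication mpAuthentication, AuthenticationWrapper wrapper) {
        if (mpAuthentication != null && mpAuthentication.getAuthenticationChannel() == null) {
            mpAuthentication.setAuthenticationChannel(wrapper.getAuthenticationChannel());
        }
    }

    /**
     * Creates a new authentication token.
     *
     * @return the index of the module to process next: {@code 0} for cluster requests, else
     *         whatever {@link #restartAuthFlow} resolves
     */
    private int initNewAuthenticationToken(AuthenticationWrapper wrapper, HttpServletRequest httpRequest,
            HttpServletResponse httpResponse) {
        if (AuthSequenceUtil.isClusterSequence(httpRequest)) {
            createMpAuthentication(httpRequest, wrapper);
            return 0;
        }
        return restartAuthFlow(httpRequest, wrapper, httpResponse);
    }

    /**
     * Whether a fresh token is required: always for cluster requests and restarted flows,
     * otherwise when the module at {@code moduleIndex} failed because of its configuration.
     */
    private boolean needCreateNewAuthenticationToken(MidpointAuthentication mpAuthentication, int moduleIndex,
            HttpServletRequest httpRequest) {
        if (AuthSequenceUtil.isClusterSequence(httpRequest) || needRestartAuthFlow(moduleIndex, mpAuthentication)) {
            return true;
        }
        // needRestartAuthFlow() is true for a null token and for index -1, so both are
        // excluded here; the index is still assumed to be within getAuthentications().
        ModuleAuthentication current = (ModuleAuthentication) mpAuthentication.getAuthentications().get(moduleIndex);
        return AuthenticationModuleState.FAILURE_CONFIGURATION == current.getState();
    }

    private void setLogoutPath(ServletRequest servletRequest, ServletResponse servletResponse) {
        getPreLogoutFilter().doFilter(servletRequest, servletResponse);
    }

    /** True when the resolved sequence carries no authentication module. */
    private boolean wasNotFoundAuthModule(AuthenticationWrapper wrapper) {
        List<?> modules = wrapper.getAuthModules();
        return modules == null || modules.isEmpty();
    }

    /** True when the token is authenticated and belongs to the sequence resolved for this request. */
    private boolean isRequestAuthenticated(MidpointAuthentication mpAuthentication, AuthenticationWrapper wrapper) {
        if (mpAuthentication == null || !mpAuthentication.isAuthenticated()) {
            return false;
        }
        return wrapper.sequenceIdentifiersMatch(mpAuthentication.getSequence());
    }

    /** Builds the log message for a request whose URI maps to no authentication sequence. */
    private String getMessageSequenceIsNull(HttpServletRequest httpRequest, AuthenticationWrapper wrapper) {
        StringBuilder message = new StringBuilder("Couldn't find sequence for URI '").append(httpRequest.getRequestURI());
        if (wrapper.getSecurityPolicy() != null) {
            message.append("' in authentication of Security Policy with oid ").append(wrapper.getSecurityPolicy().getOid());
        } else {
            message.append("' in default authentication.");
        }
        return message.toString();
    }

    /** Resolves the sequence, channel and modules applicable to this request. */
    private AuthenticationWrapper initAuthenticationWrapper(MidpointAuthentication mpAuthentication,
            HttpServletRequest httpRequest) {
        AuthenticationWrapper wrapper = new AuthenticationWrapper(this.authenticationManager, this.authModuleRegistry,
                this.sharedObjects, this.removeUnusedSecurityFilterPublisher, this.systemObjectCache,
                this.modelInteractionService);
        return wrapper.create(mpAuthentication, httpRequest, this.taskManager, this.authChannelRegistry);
    }

    /**
     * For the identity-recovery channel, installs the recovery service as principal, granting
     * it the authorizations declared on that service object.
     */
    private void initPrincipalService(MidpointAuthentication mpAuthentication, AuthenticationWrapper wrapper) {
        if (mpAuthentication == null || wrapper == null) {
            return;
        }
        AuthenticationChannel channel = wrapper.getAuthenticationChannel();
        if (!(channel instanceof IdentityRecoveryAuthenticationChannel)) {
            return;
        }
        ServiceType recoveryService = ((IdentityRecoveryAuthenticationChannel) channel).getIdentityRecoveryService();
        MidPointPrincipal principal = MidPointPrincipal.create(recoveryService);
        recoveryService.getAuthorization().forEach(authorizationType ->
                principal.addAuthorization(Authorization.create(authorizationType, "identity recovery service")));
        mpAuthentication.setPrincipal(principal);
    }

    /** Permit-all pages except the login page, which always goes through the sequence. */
    private boolean isPermitAllPage(HttpServletRequest httpRequest) {
        return AuthSequenceUtil.isPermitAll(httpRequest) && !AuthSequenceUtil.isLoginPage(httpRequest);
    }

    /** Restart when no module is being processed, or when an unidentified focus was already audited. */
    private boolean needRestartAuthFlow(int moduleIndex, MidpointAuthentication mpAuthentication) {
        if (moduleIndex == -1) {
            return true;
        }
        return isNotIdentifiedFocus(mpAuthentication) && isAlreadyAudited(mpAuthentication);
    }

    /** A missing token counts as already audited. */
    private boolean isAlreadyAudited(MidpointAuthentication mpAuthentication) {
        return mpAuthentication == null || mpAuthentication.isAlreadyAudited();
    }

    /** True unless the principal is a {@link MidPointPrincipal} with a focus object. */
    private boolean isNotIdentifiedFocus(MidpointAuthentication mpAuthentication) {
        if (mpAuthentication == null) {
            return true;
        }
        Object principal = mpAuthentication.getPrincipal();
        if (!(principal instanceof MidPointPrincipal)) {
            return true;
        }
        return ((MidPointPrincipal) principal).getFocus() == null;
    }

    /**
     * Builds a new token, persists the security context (unless the channel is session-less)
     * and returns the index of the first module to process, accounting for parallel modules.
     */
    private int restartAuthFlow(HttpServletRequest httpRequest, AuthenticationWrapper wrapper,
            HttpServletResponse httpResponse) {
        createMpAuthentication(httpRequest, wrapper);
        MidpointAuthentication fresh = AuthUtil.getMidpointAuthentication();
        if (!AuthSequenceUtil.isRecordSessionLessAccessChannel(httpRequest)) {
            saveAuthenticationContext(httpRequest, httpResponse);
        }
        return fresh.resolveParallelModules(httpRequest, 0);
    }

    /** Persists the current security context through the configured {@link SecurityContextRepository}. */
    private void saveAuthenticationContext(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
        SecurityContextRepository repository =
                (SecurityContextRepository) this.sharedObjects.get(SecurityContextRepository.class);
        repository.saveContext(SecurityContextHolder.getContext(), httpRequest, httpResponse);
    }

    private void createMpAuthentication(HttpServletRequest httpRequest, AuthenticationWrapper wrapper) {
        wrapper.buildMidPointAuthentication(httpRequest);
    }

    /**
     * After a failed authentication in a multi-module sequence, records a "restart flow"
     * exception in the session, prefixed with the last Spring Security exception message if
     * there is one. Note that the no-argument {@code getSession()} creates a session when
     * none exists, unlike the {@code getSession(false)} check used for configuration errors.
     */
    private void resolveErrorWithMoreModules(MidpointAuthentication mpAuthentication, HttpServletRequest httpRequest) {
        if (!existMoreAsOneAuthModule(mpAuthentication)) {
            return;
        }
        Exception lastException = (Exception) httpRequest.getSession().getAttribute("SPRING_SECURITY_LAST_EXCEPTION");
        String restartKey = "web.security.flexAuth.restart.flow";
        String message = (lastException != null && StringUtils.isNotBlank(lastException.getMessage()))
                ? lastException.getMessage() + ";" + restartKey
                : restartKey;
        AuthSequenceUtil.saveException(httpRequest, new AuthenticationServiceException(message));
    }

    /** True when authentication failed and the sequence has more than one module. */
    private boolean existMoreAsOneAuthModule(MidpointAuthentication mpAuthentication) {
        return mpAuthentication != null
                && mpAuthentication.isAuthenticationFailed()
                && mpAuthentication.getAuthModules().size() > 1;
    }

    /**
     * @return the index of the module currently being processed, or {@code -1} when the
     *         security context holds no authentication
     */
    private int getIndexOfCurrentProcessingModule(MidpointAuthentication mpAuthentication, HttpServletRequest httpRequest) {
        // NOTE(review): the null check is against the live security context, while the value
        // used is the token captured at the start of doFilterInternal — confirm they cannot
        // diverge here (e.g. after clearAuthentication()).
        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            return -1;
        }
        return mpAuthentication.resolveParallelModules(httpRequest, mpAuthentication.getIndexOfProcessingModule(true));
    }

    /**
     * For an already authenticated request: redirects authentication-processing URLs to the
     * root, otherwise runs the filter chain of the last module in {@code SUCCESSFULLY} state.
     */
    private void processingOfAuthenticatedRequest(MidpointAuthentication mpAuthentication, HttpServletRequest httpRequest,
            ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (AuthSequenceUtil.isUrlForAuthProcessing(httpRequest)) {
            new DefaultRedirectStrategy().sendRedirect(httpRequest, (HttpServletResponse) servletResponse, "/");
            return;
        }
        // NOTE(review): falls back to index 1 when no module reports SUCCESSFULLY; 0 would be
        // the first module — confirm this default is intended.
        int moduleIndex = 1;
        for (ModuleAuthentication moduleAuthentication : mpAuthentication.getAuthentications()) {
            if (AuthenticationModuleState.SUCCESSFULLY.equals(moduleAuthentication.getState())) {
                moduleIndex = mpAuthentication.getIndexOfModule(moduleAuthentication);
            }
        }
        AuthModuleImpl module = (AuthModuleImpl) mpAuthentication.getAuthModules().get(moduleIndex);
        new VirtualFilterChain(filterChain, module.getSecurityFilterChain().getFilters())
                .doFilter(httpRequest, servletResponse);
    }
}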
