package com.evolveum.midpoint.authentication.impl.filter.oidc;

import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.api.util.AuthenticationModuleNameConstants;
import com.evolveum.midpoint.authentication.impl.filter.RemoteModuleAuthorizationFilter;
import com.evolveum.midpoint.authentication.impl.module.authentication.OidcClientModuleAuthenticationImpl;
import com.evolveum.midpoint.authentication.impl.module.configuration.OidcAdditionalConfiguration;
import com.evolveum.midpoint.authentication.impl.util.RequestState;
import com.evolveum.midpoint.model.api.ModelAuditRecorder;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Map;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizationRequestRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.util.ThrowableAnalyzer;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.10-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/filter/oidc/OidcAuthorizationRequestRedirectFilter.class */
/**
 * OIDC client entry point of the midPoint authentication pipeline: a variant of Spring Security's
 * authorization-request redirect filter that, when the incoming request resolves to an
 * {@link OAuth2AuthorizationRequest}, persists the request (state and PKCE parameters) in the HTTP
 * session and redirects the browser to the provider's authorization endpoint.
 *
 * <p>Decompiled from {@code authentication-impl-4.10-SNAPSHOT.jar}; local names ({@code str},
 * {@code map}, {@code e2} ...) are decompiler-generated and carry no intent of the original author.
 *
 * <p>Thread-safety: all fields are {@code final} and assigned in the constructor; per-request state
 * lives in the servlet request/session and in the module authentication object, not in this filter.
 */
public class OidcAuthorizationRequestRedirectFilter extends RemoteModuleAuthorizationFilter<OidcAuthorizationRequestRedirectFilter> {
    // Resolves the registration id from the request path (base URI given to the constructor) and builds the
    // authorization request; a customizer adds PKCE when the module configuration asks for it.
    private final DefaultOAuth2AuthorizationRequestResolver authorizationRequestResolver;
    // Walks cause chains of exceptions thrown further down the filter chain (see DefaultThrowableAnalyzer).
    private final ThrowableAnalyzer throwableAnalyzer;
    // Session-backed store for the pending authorization request; see sendRedirectForAuthorization.
    private final AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository;

    /* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.10-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/filter/oidc/OidcAuthorizationRequestRedirectFilter$DefaultThrowableAnalyzer.class */
    /**
     * {@link ThrowableAnalyzer} that additionally unwraps {@link ServletException} via its root cause, so that a
     * {@link ClientAuthorizationRequiredException} wrapped by the servlet container is still found by
     * {@code getFirstThrowableOfType} in {@link #doFilterInternal}.
     */
    private static final class DefaultThrowableAnalyzer extends ThrowableAnalyzer {
        private DefaultThrowableAnalyzer() {
        }

        /* JADX INFO: Access modifiers changed from: protected */
        /**
         * Registers the default extractors and then one for {@link ServletException} that returns
         * {@link ServletException#getRootCause()}.
         */
        @Override // org.springframework.security.web.util.ThrowableAnalyzer
        public void initExtractorMap() {
            super.initExtractorMap();
            registerExtractor(ServletException.class, th -> {
                ThrowableAnalyzer.verifyThrowableHierarchy(th, ServletException.class);
                return ((ServletException) th).getRootCause();
            });
        }
    }

    /**
     * Creates the filter.
     *
     * @param clientRegistrationRepository registrations the resolver looks the registration id up in
     * @param map per-registration additional OIDC configuration, keyed by registration id (used for the PKCE decision)
     * @param str authorization-request base URI handed to {@link DefaultOAuth2AuthorizationRequestResolver}
     * @param modelAuditRecorder passed to the superclass
     * @param securityContextRepository passed to the superclass; used to persist the context before redirecting
     */
    public OidcAuthorizationRequestRedirectFilter(ClientRegistrationRepository clientRegistrationRepository, Map<String, OidcAdditionalConfiguration> map, String str, ModelAuditRecorder modelAuditRecorder, SecurityContextRepository securityContextRepository) {
        super(modelAuditRecorder, securityContextRepository);
        this.throwableAnalyzer = new DefaultThrowableAnalyzer();
        this.authorizationRequestRepository = new HttpSessionOAuth2AuthorizationRequestRepository();
        this.authorizationRequestResolver = initRequestResolver(clientRegistrationRepository, map, str);
    }

    /**
     * Builds the resolver and installs a customizer that opts a request into PKCE.
     *
     * <p>The customizer builds a snapshot of the request to read its {@code registration_id} attribute, then applies
     * {@link OAuth2AuthorizationRequestCustomizers#withPkce()} only when (a) {@code map} has a configuration for that
     * registration, (b) no {@code code_challenge} has been added yet, and (c) that configuration has
     * {@code isUsePKCE()} set. Requests without the attribute are left untouched.
     *
     * @param clientRegistrationRepository registrations for the resolver
     * @param map per-registration additional configuration
     * @param str authorization-request base URI
     * @return the configured resolver
     */
    private DefaultOAuth2AuthorizationRequestResolver initRequestResolver(ClientRegistrationRepository clientRegistrationRepository, Map<String, OidcAdditionalConfiguration> map, String str) {
        DefaultOAuth2AuthorizationRequestResolver defaultOAuth2AuthorizationRequestResolver = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, str);
        defaultOAuth2AuthorizationRequestResolver.setAuthorizationRequestCustomizer(builder -> {
            // Snapshot only for reading attributes; the builder itself is what withPkce() mutates below.
            OAuth2AuthorizationRequest build = builder.build();
            if (build == null || !build.getAttributes().containsKey(OAuth2ParameterNames.REGISTRATION_ID)) {
                return;
            }
            String str2 = (String) build.getAttributes().get(OAuth2ParameterNames.REGISTRATION_ID);
            // The code_challenge check prevents adding a second challenge when one is already present.
            if (map.containsKey(str2) && !build.getAdditionalParameters().containsKey(PkceParameterNames.CODE_CHALLENGE) && ((OidcAdditionalConfiguration) map.get(str2)).isUsePKCE()) {
                OAuth2AuthorizationRequestCustomizers.withPkce().accept(builder);
            }
        });
        return defaultOAuth2AuthorizationRequestResolver;
    }

    /** @return the module name constant under which this filter's authentication is recorded. */
    @Override // com.evolveum.midpoint.authentication.impl.filter.RemoteModuleAuthorizationFilter
    protected String getAuthenticationType() {
        return AuthenticationModuleNameConstants.OIDC;
    }

    /**
     * Either redirects to the provider or lets the request continue down the chain.
     *
     * <p>Flow: if the resolver produces an authorization request for this URL, the security context is saved, the
     * browser is redirected and the module's request state becomes {@link RequestState#SENT}. Otherwise the chain
     * continues; if something downstream throws with a {@link ClientAuthorizationRequiredException} in its cause
     * chain, the request is resolved for that registration id, the same redirect is performed and, in addition, the
     * original request is stored in the request cache.
     *
     * <p>NOTE(review): as decompiled, the inner {@code try} is nested inside the outer one, so the rethrows of
     * {@link IOException}, {@link ServletException} and {@link RuntimeException} in the inner catch never leave this
     * method — they land in the outer {@code catch (Exception)} and are reported through
     * {@link #unsuccessfulAuthentication} with the fixed key {@code web.security.provider.invalid} and the original
     * exception as cause. If the intent was to propagate non-OIDC failures (as in Spring's own filter), the two
     * {@code try} blocks would need to be siblings — confirm against the original source.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @param filterChain remaining chain, invoked only when no authorization request resolves for this URL
     * @throws ServletException declared for the contract; see the note above on what actually escapes
     * @throws IOException declared for the contract; see the note above on what actually escapes
     */
    @Override // org.springframework.web.filter.OncePerRequestFilter
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        // Processing-module authentication for this request; assumed to be the OIDC client module here — the cast
        // is unchecked, so a mismatched module would surface as a ClassCastException (caught nowhere in this method).
        OidcClientModuleAuthenticationImpl oidcClientModuleAuthenticationImpl = (OidcClientModuleAuthenticationImpl) AuthUtil.getMidpointAuthentication().getProcessingModuleAuthentication();
        try {
            OAuth2AuthorizationRequest resolve = this.authorizationRequestResolver.resolve(httpServletRequest);
            if (resolve != null) {
                // Persist the context before the redirect so the module authentication survives the round trip.
                getSecurityContextRepository().saveContext(SecurityContextHolder.getContext(), httpServletRequest, httpServletResponse);
                sendRedirectForAuthorization(httpServletRequest, httpServletResponse, resolve);
                oidcClientModuleAuthenticationImpl.setRequestState(RequestState.SENT);
                return;
            }
            try {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
            } catch (IOException e) {
                throw e;
            } catch (Exception e2) {
                // Look through wrappers (incl. ServletException root causes) for an authorization-required signal.
                ClientAuthorizationRequiredException clientAuthorizationRequiredException = (ClientAuthorizationRequiredException) this.throwableAnalyzer.getFirstThrowableOfType(ClientAuthorizationRequiredException.class, this.throwableAnalyzer.determineCauseChain(e2));
                if (clientAuthorizationRequiredException == null) {
                    // Not an OIDC concern: rethrow (see class note — these are caught by the outer catch below).
                    if (e2 instanceof ServletException) {
                        throw ((ServletException) e2);
                    }
                    if (!(e2 instanceof RuntimeException)) {
                        throw new RuntimeException(e2);
                    }
                    throw ((RuntimeException) e2);
                }
                try {
                    OAuth2AuthorizationRequest resolve2 = this.authorizationRequestResolver.resolve(httpServletRequest, clientAuthorizationRequiredException.getClientRegistrationId());
                    if (resolve2 == null) {
                        // No request for that registration: surface the original signal (caught by catch (e3) below).
                        throw clientAuthorizationRequiredException;
                    }
                    getSecurityContextRepository().saveContext(SecurityContextHolder.getContext(), httpServletRequest, httpServletResponse);
                    sendRedirectForAuthorization(httpServletRequest, httpServletResponse, resolve2);
                    oidcClientModuleAuthenticationImpl.setRequestState(RequestState.SENT);
                    // Only this path caches the request — presumably so it can be replayed after the provider
                    // redirects back; the direct path above does not. Verify against the callback filter.
                    getRequestCache().saveRequest(httpServletRequest, httpServletResponse);
                } catch (Exception e3) {
                    unsuccessfulAuthentication(httpServletRequest, httpServletResponse, new InternalAuthenticationServiceException("web.security.provider.invalid", e3));
                }
            }
        } catch (Exception e4) {
            // Catches everything from the block above, including the rethrows in the inner catch; the cause is kept
            // on the wrapped exception for the failure handler rather than being exposed directly.
            unsuccessfulAuthentication(httpServletRequest, httpServletResponse, new InternalAuthenticationServiceException("web.security.provider.invalid", e4));
        }
    }

    /**
     * Stores the authorization request in the session repository and then redirects to its authorization URI.
     *
     * <p>The save must precede the redirect: the stored request is what the callback side is expected to use to
     * match the returned {@code state} (and the PKCE verifier, when added) — that check itself is not in this file.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @param oAuth2AuthorizationRequest the request to persist and redirect to
     * @throws IOException if the redirect cannot be written
     */
    private void sendRedirectForAuthorization(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth2AuthorizationRequest oAuth2AuthorizationRequest) throws IOException {
        this.authorizationRequestRepository.saveAuthorizationRequest(oAuth2AuthorizationRequest, httpServletRequest, httpServletResponse);
        getAuthorizationRedirectStrategy().sendRedirect(httpServletRequest, httpServletResponse, oAuth2AuthorizationRequest.getAuthorizationRequestUri());
    }
}
