package com.evolveum.midpoint.authentication.impl.filter.duo;

import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.impl.filter.RemoteAuthenticationFilter;
import com.evolveum.midpoint.authentication.impl.module.authentication.DuoModuleAuthentication;
import com.evolveum.midpoint.authentication.impl.module.authentication.token.DuoRequestToken;
import com.evolveum.midpoint.model.api.ModelAuditRecorder;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.apache.commons.lang3.StringUtils;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.util.MultiValueMap;

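/**
 * Authentication filter for the Duo login module: it processes the request that carries the
 * {@code duo_code} and {@code state} parameters and turns it into a {@link DuoRequestToken}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The request is accepted only when its {@code state} equals the state stored on the
 *       {@link DuoModuleAuthentication} that is currently being processed. A missing or empty
 *       stored state is rejected too.</li>
 *   <li>The username passed on for authentication comes from the server-side module, never from
 *       a request parameter.</li>
 *   <li>Every rejection throws the same message key, {@code web.security.provider.invalid}; the
 *       reason is written to the log only.</li>
 * </ul>
 *
 * <p>{@code LOGGER}, {@code toMultiMap}, {@code doRemoteFilter} and
 * {@code remoteUnsuccessfulAuthentication} are not declared here; presumably they are inherited
 * from {@link RemoteAuthenticationFilter} (confirm against that interface).
 *
 * <p>NOTE(review): nothing in this class clears the stored state after a callback has been
 * handled. Whether the state is single-use depends on code outside this file; verify that it is
 * invalidated once consumed.
 */
@Order
/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.9.2-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/filter/duo/DuoAuthenticationFilter.class */
public class DuoAuthenticationFilter extends AbstractAuthenticationProcessingFilter implements RemoteAuthenticationFilter {
    /** Request parameter holding the code returned by Duo; it is a credential, so keep it out of log messages. */
    private static final String DUO_CODE = "duo_code";
    /** Request parameter that must match the state stored on the processing Duo module. */
    private static final String STATE = "state";
    /** Audit recorder handed to the failure path in {@link #unsuccessfulAuthentication}. */
    private final ModelAuditRecorder auditProvider;

    /**
     * Creates the filter.
     *
     * @param str value passed unchanged to the {@link AbstractAuthenticationProcessingFilter}
     *     constructor (the URL this filter processes)
     * @param modelAuditRecorder recorder used when a failed attempt is reported
     */
    public DuoAuthenticationFilter(String str, ModelAuditRecorder modelAuditRecorder) {
        super(str);
        this.auditProvider = modelAuditRecorder;
    }

    /**
     * Exposes the superclass's protected request matching through the remote-filter interface.
     *
     * @return the result of {@code requiresAuthentication} for this request
     */
    @Override // com.evolveum.midpoint.authentication.impl.filter.RemoteAuthenticationFilter
    public boolean requiresAuth(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return super.requiresAuthentication(httpServletRequest, httpServletResponse);
    }

    /**
     * Reports a failed attempt using the remember-me services and failure handler of this filter.
     * Unlike {@link #unsuccessfulAuthentication}, this variant passes no audit recorder.
     */
    @Override // com.evolveum.midpoint.authentication.impl.filter.RemoteAuthenticationFilter
    public void unsuccessfulAuth(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        remoteUnsuccessfulAuthentication(httpServletRequest, httpServletResponse, authenticationException, getRememberMeServices(), getFailureHandler());
    }

    /**
     * @return the localisation key {@code web.security.flexAuth.duo.not.response}
     */
    @Override // com.evolveum.midpoint.authentication.impl.filter.RemoteAuthenticationFilter
    public String getErrorMessageKeyNotResponse() {
        return "web.security.flexAuth.duo.not.response";
    }

    /**
     * Runs the standard Spring processing ({@code super.doFilter}), which in turn calls
     * {@link #attemptAuthentication}.
     */
    @Override // com.evolveum.midpoint.authentication.impl.filter.RemoteAuthenticationFilter
    public void doAuth(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws ServletException, IOException {
        super.doFilter(servletRequest, servletResponse, filterChain);
    }

    /**
     * Entry point of the filter: delegates to {@code doRemoteFilter} instead of the Spring
     * implementation, which stays reachable through {@link #doAuth}.
     */
    @Override // org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter, jakarta.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        doRemoteFilter(servletRequest, servletResponse, filterChain);
    }

    /**
     * Validates the incoming request and hands the Duo code to the authentication manager.
     *
     * <p>The checks run in this order: both parameters are present, the module being processed is
     * a {@link DuoModuleAuthentication}, and the request {@code state} equals the stored one.
     *
     * @return the authentication produced by the authentication manager
     * @throws AuthenticationServiceException with key {@code web.security.provider.invalid} when
     *     any of the checks fails
     */
    @Override // org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
        MultiValueMap<String, String> multiMap = toMultiMap(httpServletRequest.getParameterMap());
        if (!isAuthorizationResponse(multiMap)) {
            LOGGER.error("Parameters from request doesn't contain duo_code and state");
            throw new AuthenticationServiceException("web.security.provider.invalid");
        }
        ModuleAuthentication processingModuleIfExist = AuthUtil.getProcessingModuleIfExist();
        if (!(processingModuleIfExist instanceof DuoModuleAuthentication)) {
            LOGGER.error("Couldn't get processing duo module");
            throw new AuthenticationServiceException("web.security.provider.invalid");
        }
        DuoModuleAuthentication duoModule = (DuoModuleAuthentication) processingModuleIfExist;
        // Read the stored state once, so the emptiness check and the comparison see the same
        // value even if another request of the same session touches the module in between.
        String savedState = duoModule.getDuoState();
        if (StringUtils.isEmpty(savedState) || !savedState.equals(multiMap.getFirst(STATE))) {
            LOGGER.error("State from received request and state saved in authentication module do not match.");
            throw new AuthenticationServiceException("web.security.provider.invalid");
        }
        // The username is the one stored on the module; the request supplies only the code.
        return getAuthenticationManager().authenticate(new DuoRequestToken(multiMap.getFirst(DUO_CODE), duoModule.getDuoUsername()));
    }

    /**
     * @return {@code true} when the first value of both {@code duo_code} and {@code state} is
     *     non-empty
     */
    private boolean isAuthorizationResponse(MultiValueMap<String, String> multiValueMap) {
        return StringUtils.isNotEmpty(multiValueMap.getFirst(DUO_CODE)) && StringUtils.isNotEmpty(multiValueMap.getFirst(STATE));
    }

    /**
     * Failure hook called by the Spring superclass; forwards the audit recorder and the channel
     * label {@code "DUO"} to {@code remoteUnsuccessfulAuthentication}.
     */
    @Override // org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter
    protected void unsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        remoteUnsuccessfulAuthentication(httpServletRequest, httpServletResponse, authenticationException, this.auditProvider, getRememberMeServices(), getFailureHandler(), "DUO");
    }
}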
