package com.evolveum.midpoint.authentication.impl.filter.duo;

import com.duosecurity.Client;
import com.evolveum.midpoint.authentication.api.config.ModuleAuthentication;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.impl.filter.RemoteAuthenticationFilter;
import com.evolveum.midpoint.authentication.impl.filter.RemoteModuleAuthorizationFilter;
import com.evolveum.midpoint.authentication.impl.module.authentication.DuoModuleAuthentication;
import com.evolveum.midpoint.authentication.impl.util.RequestState;
import com.evolveum.midpoint.model.api.ModelAuditRecorder;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.9.4-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/filter/duo/DuoAuthorizationRequestRedirectFilter.class */
/**
 * Filter that starts the Duo authorization step: for a request matching the configured path it
 * asks the Duo client for a state value and an authorization URL and redirects the browser there.
 * Requests that do not match the path are passed down the filter chain untouched.
 */
public class DuoAuthorizationRequestRedirectFilter extends RemoteModuleAuthorizationFilter<DuoAuthorizationRequestRedirectFilter> {
    // NOTE(review): the trace is registered under RemoteAuthenticationFilter, so messages emitted
    // here show up in that logging category - confirm this is intended when filtering auth logs.
    private static final Trace LOGGER = TraceManager.getTrace(RemoteAuthenticationFilter.class);

    /** Message key used for every failure raised or reported by this filter. */
    private static final String INVALID_PROVIDER_KEY = "web.security.provider.invalid";

    private final Client duoClient;
    private final AntPathRequestMatcher authorizationRequestMatcher;

    /**
     * @param client Duo client used for the health check, state generation and URL creation
     * @param str Ant-style path pattern selecting the requests this filter handles
     * @param modelAuditRecorder passed through to the parent filter
     * @param securityContextRepository passed through to the parent filter
     */
    public DuoAuthorizationRequestRedirectFilter(Client client, String str, ModelAuditRecorder modelAuditRecorder, SecurityContextRepository securityContextRepository) {
        super(modelAuditRecorder, securityContextRepository);
        this.duoClient = client;
        this.authorizationRequestMatcher = new AntPathRequestMatcher(str);
    }

    /**
     * Redirects a matching request to the Duo authorization URL.
     *
     * <p>Any exception raised while preparing or sending the redirect, including the
     * {@link AuthenticationServiceException}s thrown by this filter itself, is wrapped in an
     * {@link InternalAuthenticationServiceException} and handed to
     * {@code unsuccessfulAuthentication}; it is not rethrown from the try block.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        boolean handledHere = this.authorizationRequestMatcher.matches(httpServletRequest);
        if (!handledHere) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        try {
            // Check the Duo service first; a failure here ends in the catch block below.
            this.duoClient.healthCheck();
            DuoModuleAuthentication duoModule = requireDuoModule();

            // The state is kept on the module and also sent to Duo inside the authorization URL.
            // NOTE(review): presumably the callback handling compares the returned state with this
            // stored value - verify there. It is stored before the username check below, so a
            // module with no username still ends up holding a fresh state.
            String state = this.duoClient.generateState();
            duoModule.setDuoState(state);

            // The username comes from the authentication module, not from the incoming request.
            String username = duoModule.getDuoUsername();
            if (username == null) {
                LOGGER.error("Couldn't get principal username for duo module");
                throw new AuthenticationServiceException(INVALID_PROVIDER_KEY);
            }

            String authorizationUrl = this.duoClient.createAuthUrl(username, state);
            getRequestCache().saveRequest(httpServletRequest, httpServletResponse);
            getSecurityContextRepository().saveContext(SecurityContextHolder.getContext(), httpServletRequest, httpServletResponse);
            getAuthorizationRedirectStrategy().sendRedirect(httpServletRequest, httpServletResponse, authorizationUrl);

            // NOTE(review): this runs after sendRedirect; if it throws, the catch block calls
            // unsuccessfulAuthentication after the redirect was already issued - confirm the
            // failure handling copes with that.
            DuoModuleAuthentication currentModule =
                    (DuoModuleAuthentication) AuthUtil.getMidpointAuthentication().getProcessingModuleAuthentication();
            currentModule.setRequestState(RequestState.SENT);
        } catch (Exception e) {
            InternalAuthenticationServiceException failure = new InternalAuthenticationServiceException(INVALID_PROVIDER_KEY, e);
            unsuccessfulAuthentication(httpServletRequest, httpServletResponse, failure);
        }
    }

    /** Returns the module currently being processed, failing unless it is a Duo module. */
    private DuoModuleAuthentication requireDuoModule() {
        ModuleAuthentication processingModule = AuthUtil.getProcessingModuleIfExist();
        if (processingModule instanceof DuoModuleAuthentication) {
            return (DuoModuleAuthentication) processingModule;
        }
        LOGGER.error("Couldn't get processing duo module");
        throw new AuthenticationServiceException(INVALID_PROVIDER_KEY);
    }

    /** @return the fixed authentication type label of this filter, {@code "DUO"} */
    @Override
    protected String getAuthenticationType() {
        return "DUO";
    }
}
