package org.apereo.portal.spring.security.preauth;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.apereo.portal.layout.profile.ProfileSelectionEvent;
import org.apereo.portal.portlets.swapper.IdentitySwapperPrincipal;
import org.apereo.portal.portlets.swapper.IdentitySwapperSecurityContext;
import org.apereo.portal.security.IPerson;
import org.apereo.portal.security.IPersonManager;
import org.apereo.portal.security.ISecurityContextFactory;
import org.apereo.portal.security.IdentitySwapperManager;
import org.apereo.portal.security.oauth.IdTokenFactory;
import org.apereo.portal.services.Authentication;
import org.apereo.portal.services.PersonService;
import org.apereo.portal.spring.security.PortalPersonUserDetails;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/* loaded from: input_file:org/apereo/portal/spring/security/preauth/PortalPreAuthenticatedProcessingFilter.class */
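/**
 * Pre-authentication filter that gives the portal's login and logout paths special handling and
 * delegates every other request to {@link AbstractPreAuthenticatedProcessingFilter}.
 *
 * <p>On the login path the filter captures the current Spring Security authentication, optionally
 * clears the security context, invalidates the caller's existing session (when the requested
 * session id is valid) and runs portal authentication against a freshly created session. A
 * session id that existed before login therefore does not survive the login request.
 *
 * <p>Identity swapping (impersonation) state is read from the old session through
 * {@link IdentitySwapperManager} before that session is invalidated, and is re-applied to the new
 * one. This class performs no permission check of its own before applying a swap.
 * NOTE(review): authorization to impersonate is presumably enforced where the swap attributes are
 * written into the session; confirm against {@code IdentitySwapperManager}.
 *
 * <p>Every swap and un-swap is written at WARN level to the dedicated logger named by
 * {@code SWAPPER_LOG_NAME}, which is the audit trail for impersonation.
 */
public class PortalPreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter {
    /** Name of the dedicated logger that records identity swaps. */
    private static final String SWAPPER_LOG_NAME = "org.jasig.portal.portlets.swapper";
    // Security context factory name -> request attribute/parameter name carrying the credential.
    private HashMap<String, String> credentialTokens;
    // Security context factory name -> request attribute/parameter name carrying the principal.
    private HashMap<String, String> principalTokens;
    private IPersonManager personManager;
    private PersonService personService;
    private IdentitySwapperManager identitySwapperManager;
    private ApplicationEventPublisher eventPublisher;
    private IdTokenFactory idTokenFactory;
    private final Logger swapperLog = LoggerFactory.getLogger(SWAPPER_LOG_NAME);
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private String loginPath = "/Login";
    private String logoutPath = "/Logout";
    private Authentication authenticationService = null;
    private boolean clearSecurityContextPriorToPortalAuthentication = true;
    private Set<ISecurityContextFactory> securityContextFactories = Collections.emptySet();

    /**
     * Snapshot of the identity-swap state held in a session, taken before that session is
     * invalidated so the swap can be applied to its replacement.
     *
     * <p>A <em>swap</em> request is one where the session names a target user but no original
     * user; an <em>un-swap</em> request is one where the session already records an original
     * user.
     */
    public class IdentitySwapHelper {
        private String originalUsername;
        private String personName;
        private String targetProfile;
        private String targetUsername;
        private org.springframework.security.core.Authentication originalAuthenticationForSwap;
        private org.springframework.security.core.Authentication originalAuthenticationForUnswap;

        /**
         * Reads the swap attributes from {@code httpSession} via the enclosing filter's
         * {@link IdentitySwapperManager}.
         *
         * @param httpSession the session about to be invalidated
         * @param str the name of the person currently bound to the request
         */
        IdentitySwapHelper(HttpSession httpSession, String str) {
            IdentitySwapperManager manager = PortalPreAuthenticatedProcessingFilter.this.identitySwapperManager;
            this.originalAuthenticationForUnswap = manager.getOriginalAuthentication(httpSession);
            this.originalUsername = manager.getOriginalUsername(httpSession);
            this.personName = str;
            this.targetUsername = manager.getTargetUsername(httpSession);
            this.targetProfile = manager.getTargetProfile(httpSession);
        }

        /** @return {@code true} when a target user is set and no original user is recorded */
        public boolean isSwapRequest() {
            return this.originalUsername == null && this.targetUsername != null;
        }

        /** @return {@code true} when the session already records an original user */
        public boolean isUnswapRequest() {
            return this.originalUsername != null;
        }

        /** @return {@code true} when this is either a swap or an un-swap request */
        public boolean isSwapOrUnswapRequest() {
            return isSwapRequest() || isUnswapRequest();
        }

        /** @return the authentication captured at swap time, or {@code null} if none was set */
        public org.springframework.security.core.Authentication getOriginalAuthenticationForSwap() {
            return this.originalAuthenticationForSwap;
        }

        /** @return the authentication stored in the session for restoring on un-swap */
        public org.springframework.security.core.Authentication getOriginalAuthenticationForUnswap() {
            return this.originalAuthenticationForUnswap;
        }

        /**
         * @return the user id being left: the current person on a swap, the impersonated target
         *     on an un-swap, otherwise {@code null}
         */
        public String getSwapFromUid() {
            if (isSwapRequest()) {
                return this.personName;
            }
            if (isUnswapRequest()) {
                return this.targetUsername;
            }
            return null;
        }

        /**
         * @return the user id being assumed: the target on a swap, the original user on an
         *     un-swap, otherwise {@code null}
         */
        public String getSwapToUid() {
            if (isSwapRequest()) {
                return this.targetUsername;
            }
            if (isUnswapRequest()) {
                return this.originalUsername;
            }
            return null;
        }

        /** @return the profile recorded in the session for the swap target */
        public String getTargetProfile() {
            return this.targetProfile;
        }

        /** Records the authentication that was in effect before a swap. */
        public void setOriginalAuthenticationForSwap(org.springframework.security.core.Authentication authentication) {
            this.originalAuthenticationForSwap = authentication;
        }
    }

    @Autowired
    public void setIdentitySwapperManager(IdentitySwapperManager identitySwapperManager) {
        this.identitySwapperManager = identitySwapperManager;
    }

    @Autowired
    public void setPersonManager(IPersonManager iPersonManager) {
        this.personManager = iPersonManager;
    }

    @Autowired
    public void setPersonService(PersonService personService) {
        this.personService = personService;
    }

    @Autowired
    public void setAuthenticationService(Authentication authentication) {
        this.authenticationService = authentication;
    }

    @Autowired
    public void setIdTokenFactory(IdTokenFactory idTokenFactory) {
        this.idTokenFactory = idTokenFactory;
    }

    /**
     * Controls whether the security context is cleared before portal authentication runs on the
     * login path. Defaults to {@code true}.
     */
    public void setClearSecurityContextPriorToPortalAuthentication(boolean z) {
        this.clearSecurityContextPriorToPortalAuthentication = z;
    }

    @Autowired
    public void setSecurityContextFactories(Set<ISecurityContextFactory> set) {
        this.securityContextFactories = set;
    }

    /** Builds the principal/credential token maps once all properties have been injected. */
    public void afterPropertiesSet() {
        super.afterPropertiesSet();
        this.credentialTokens = new HashMap<>(1);
        this.principalTokens = new HashMap<>(1);
        retrieveCredentialAndPrincipalTokens();
    }

    /** Sets the servlet path treated as the login path (default {@code /Login}). */
    public void setLoginPath(String str) {
        this.loginPath = str;
    }

    /** Sets the servlet path treated as the logout path (default {@code /Logout}). */
    public void setLogoutPath(String str) {
        this.logoutPath = str;
    }

    /**
     * Routes the request by servlet path: portal authentication for the login path, a cleared
     * security context for the logout path, and the standard pre-authentication processing for
     * everything else.
     *
     * @throws IOException if the downstream chain fails with an I/O error
     * @throws ServletException if the downstream chain fails
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        long startedAt = System.currentTimeMillis();
        // The correlation id is only generated when debug logging is on; it stays null otherwise.
        UUID uuid = null;
        if (this.logger.isDebugEnabled()) {
            uuid = UUID.randomUUID();
            this.logger.debug("STARTING [{}] for URI='{}' #milestone", uuid, httpServletRequest.getRequestURI());
        }
        String servletPath = httpServletRequest.getServletPath();
        if (this.loginPath.equals(servletPath)) {
            // Capture the current authentication before the context is cleared: a swap request
            // needs it so the original identity can be restored later.
            org.springframework.security.core.Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            if (this.clearSecurityContextPriorToPortalAuthentication) {
                SecurityContextHolder.clearContext();
            }
            logForLoginPath(servletPath);
            doPortalAuthentication(httpServletRequest, authentication);
            filterChain.doFilter(servletRequest, servletResponse);
        } else if (this.logoutPath.equals(servletPath)) {
            SecurityContextHolder.clearContext();
            logForLogoutPath(servletPath);
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            logForNonLoginOrLogoutPath(servletPath);
            super.doFilter(servletRequest, servletResponse, filterChain);
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("FINISHED [{}] for URI='{}' in {}ms #milestone", new Object[]{uuid, httpServletRequest.getRequestURI(), Long.toString(System.currentTimeMillis() - startedAt)});
        }
    }

    /**
     * Returns the bearer token when the request carries one; otherwise the security context of
     * the session's person, or {@code null} when the request has no session.
     *
     * <p>The returned value can be a raw bearer token, so it should not be logged.
     */
    protected Object getPreAuthenticatedCredentials(HttpServletRequest httpServletRequest) {
        String bearerToken = this.idTokenFactory.getBearerToken(httpServletRequest);
        if (StringUtils.isNotBlank(bearerToken)) {
            return bearerToken;
        }
        // Never create a session here: an unauthenticated request must stay session-less.
        if (httpServletRequest.getSession(false) == null) {
            return null;
        }
        IPerson person = this.personManager.getPerson(httpServletRequest);
        this.logger.debug("getPreAuthenticatedCredentials -- person=[{}]", person);
        return person.getSecurityContext();
    }

    /**
     * Returns the principal for the request: the person named by the subject of the OIDC id
     * token when one is present, otherwise the session's person, or {@code null} when the
     * request has no session.
     *
     * <p>NOTE(review): this method uses the token's subject as-is; signature and expiry
     * validation is presumably done inside {@code IdTokenFactory.getUserInfo} — confirm.
     */
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest httpServletRequest) {
        Jws<?> userInfo = this.idTokenFactory.getUserInfo(httpServletRequest);
        if (userInfo != null) {
            String subject = ((Claims) userInfo.getBody()).getSubject();
            this.logger.debug("Processing authentication for username='{}' based on OIDC Id token in the {} header", subject, "Authorization");
            return new PortalPersonUserDetails(this.personService.getPerson(subject));
        }
        if (httpServletRequest.getSession(false) == null) {
            return null;
        }
        IPerson person = this.personManager.getPerson(httpServletRequest);
        this.logger.debug("getPreAuthenticatedPrincipal -- person=[{}]", person);
        return new PortalPersonUserDetails(person);
    }

    /**
     * Authenticates the request against a fresh session, applying an identity swap or un-swap
     * when the previous session asked for one.
     *
     * <p>On any failure the session is discarded and a new one is created carrying the
     * {@code up_authenticationError} flag, so no partially established identity is left behind.
     *
     * @param authentication the authentication that was in effect when the request arrived
     */
    private void doPortalAuthentication(HttpServletRequest httpServletRequest, org.springframework.security.core.Authentication authentication) {
        HashMap<String, String> principals;
        HashMap<String, String> credentials;
        IdentitySwapHelper identitySwapHelper = null;
        String requestedSessionId = httpServletRequest.getRequestedSessionId();
        if (httpServletRequest.isRequestedSessionIdValid()) {
            this.logger.debug("doPortalAuthentication for valid requested session id='{}'", requestedSessionId);
            identitySwapHelper = getIdentitySwapDataAndInvalidateSession(httpServletRequest, authentication);
        } else {
            this.logger.trace("Requested session id='{}' was not valid, so no attempt to apply swapping rules.", requestedSessionId);
        }
        HttpSession session = httpServletRequest.getSession(true);
        IPerson iPerson = null;
        try {
            iPerson = this.personManager.getPerson(httpServletRequest);
            if (identitySwapHelper == null || !identitySwapHelper.isSwapOrUnswapRequest()) {
                principals = getPropertyFromRequest(this.principalTokens, httpServletRequest);
                credentials = getPropertyFromRequest(this.credentialTokens, httpServletRequest);
            } else {
                // A swap carries no request credentials: the identity comes from the swap state.
                handleIdentitySwap(iPerson, session, identitySwapHelper);
                principals = new HashMap<>();
                credentials = new HashMap<>();
            }
            this.authenticationService.authenticate(httpServletRequest, principals, credentials, iPerson);
        } catch (Exception e) {
            this.logger.error("Exception authenticating the request", e);
            invalidateSessionQuietly(httpServletRequest);
            httpServletRequest.getSession(true).setAttribute("up_authenticationError", Boolean.TRUE);
        }
        publishProfileSelectionEvent(iPerson, httpServletRequest, identitySwapHelper);
    }

    /**
     * Invalidates the request's current session if it still has one.
     *
     * <p>The failure handler must not throw itself: if the session is already gone,
     * {@code getSession(false)} returns {@code null}, and dereferencing that would replace the
     * handled authentication failure with a {@link NullPointerException} and skip setting the
     * error flag.
     */
    private void invalidateSessionQuietly(HttpServletRequest httpServletRequest) {
        HttpSession failedSession = httpServletRequest.getSession(false);
        if (failedSession == null) {
            return;
        }
        try {
            failedSession.invalidate();
        } catch (IllegalStateException alreadyInvalid) {
            this.logger.trace("Session was already invalid while handling an authentication failure.", alreadyInvalid);
        }
    }

    /**
     * Captures the identity-swap state of the current session and then invalidates that session.
     *
     * @return the captured swap state, or {@code null} when the request has no session or the
     *     session was already invalid
     */
    private IdentitySwapHelper getIdentitySwapDataAndInvalidateSession(HttpServletRequest httpServletRequest, org.springframework.security.core.Authentication authentication) {
        IdentitySwapHelper identitySwapHelper = null;
        try {
            HttpSession session = httpServletRequest.getSession(false);
            if (session != null) {
                identitySwapHelper = new IdentitySwapHelper(session, this.personManager.getPerson(httpServletRequest).getName());
                if (identitySwapHelper.isSwapRequest()) {
                    identitySwapHelper.setOriginalAuthenticationForSwap(authentication);
                }
                // NOTE(review): this message is emitted for every existing session, not only when
                // un-swapping, so it is not a reliable indicator of impersonation in the logs.
                this.logger.debug("Invalidating the impersonated session in un-swapping.");
                session.invalidate();
            }
        } catch (IllegalStateException e) {
            this.logger.trace("LoginServlet attempted to invalidate an already invalid session.", e);
        }
        return identitySwapHelper;
    }

    /**
     * Applies a swap or un-swap to {@code iPerson}: renames the person to the swap target,
     * writes the audit record, and installs an identity-swapper security context.
     *
     * <p>On a swap the original user and authentication are stored in the new session; on an
     * un-swap the stored original authentication, when present, is restored into the security
     * context.
     */
    private void handleIdentitySwap(IPerson iPerson, HttpSession httpSession, IdentitySwapHelper identitySwapHelper) {
        String auditFormat;
        if (identitySwapHelper.isSwapRequest()) {
            auditFormat = "Swapping identity for '%s' to '%s'";
            this.identitySwapperManager.setOriginalUser(httpSession, identitySwapHelper.getSwapFromUid(), identitySwapHelper.getSwapToUid(), identitySwapHelper.getOriginalAuthenticationForSwap());
        } else {
            auditFormat = "Reverting swapped identity from '%s' to '%s'";
            org.springframework.security.core.Authentication original = identitySwapHelper.getOriginalAuthenticationForUnswap();
            if (original != null) {
                SecurityContextHolder.getContext().setAuthentication(original);
            }
        }
        iPerson.setUserName(identitySwapHelper.getSwapToUid());
        // Audit record for impersonation; kept at WARN on the dedicated swapper logger.
        this.swapperLog.warn(String.format(auditFormat, identitySwapHelper.getSwapFromUid(), identitySwapHelper.getSwapToUid()));
        iPerson.setSecurityContext(new IdentitySwapperSecurityContext(new IdentitySwapperPrincipal(iPerson)));
    }

    /**
     * Publishes a profile selection event for the {@code profile} request parameter when it is
     * present, otherwise for the swap target's profile on a swap request; does nothing else.
     */
    private void publishProfileSelectionEvent(IPerson iPerson, HttpServletRequest httpServletRequest, IdentitySwapHelper identitySwapHelper) {
        String requestedProfile = httpServletRequest.getParameter("profile");
        if (requestedProfile != null) {
            publishProfileSelectionEvent(new ProfileSelectionEvent(this, requestedProfile, iPerson, httpServletRequest));
        } else if (identitySwapHelper == null || !identitySwapHelper.isSwapRequest()) {
            this.logger.trace("No requested or swapper profile requested so no profile selection event.");
        } else {
            publishProfileSelectionEvent(new ProfileSelectionEvent(this, identitySwapHelper.getTargetProfile(), iPerson, httpServletRequest));
        }
    }

    /** Publishes the event; a listener failure is logged and does not abort the login. */
    private void publishProfileSelectionEvent(ProfileSelectionEvent profileSelectionEvent) {
        try {
            this.eventPublisher.publishEvent(profileSelectionEvent);
        } catch (Exception e) {
            this.logger.error("Exception on firing profile selection event='{}'", profileSelectionEvent, e);
        }
    }

    private void logForLoginPath(String str) {
        this.logger.debug("Path [{}] is loginPath, so cleared security context so we can re-establish it once the new session is established.", str);
    }

    private void logForLogoutPath(String str) {
        this.logger.debug("Path [{}] is logoutPath, so cleared security context so can re-establish it once the new session is established.", str);
    }

    private void logForNonLoginOrLogoutPath(String str) {
        this.logger.trace("Path [{}] is neither a login nor a logout path, so no uPortal-custom filtering.", str);
    }

    /**
     * Fills the principal and credential token maps from the configured security context
     * factories, skipping blank token names.
     */
    private void retrieveCredentialAndPrincipalTokens() {
        for (ISecurityContextFactory factory : this.securityContextFactories) {
            String principalToken = factory.getPrincipalToken();
            if (StringUtils.isNotBlank(principalToken)) {
                this.principalTokens.put(factory.getName(), principalToken);
            }
            String credentialToken = factory.getCredentialToken();
            if (StringUtils.isNotBlank(credentialToken)) {
                this.credentialTokens.put(factory.getName(), credentialToken);
            }
        }
    }

    /**
     * Resolves each configured token to its value in the request, preferring a request attribute
     * over a request parameter of the same name.
     *
     * <p>Missing values become the empty string. Values are trimmed, except for the token named
     * {@code password}, which is passed through untouched. A leading {@code root.} is dropped
     * from the result key. The returned map can hold credentials and should not be logged.
     *
     * @param hashMap security context name to request attribute/parameter name
     * @return security context name (without {@code root.} prefix) to resolved value
     * @throws RuntimeException if a matching request attribute is not a {@link String}
     */
    private HashMap<String, String> getPropertyFromRequest(HashMap<String, String> hashMap, HttpServletRequest httpServletRequest) {
        HashMap<String, String> resolved = new HashMap<>();
        for (Map.Entry<String, String> entry : hashMap.entrySet()) {
            String key = entry.getKey();
            String value = entry.getValue();
            String raw;
            Object attribute = httpServletRequest.getAttribute(value);
            if (attribute != null) {
                try {
                    raw = (String) attribute;
                } catch (ClassCastException e) {
                    throw new RuntimeException("The request attribute '" + value + "' must be a String.", e);
                }
            } else {
                raw = httpServletRequest.getParameter(value);
            }
            String present = raw == null ? "" : raw;
            // Whitespace can be significant in a password, so only non-password values are trimmed.
            String stored = "password".equals(value) ? present : present.trim();
            String contextName = key.startsWith("root.") ? key.substring(5) : key;
            resolved.put(contextName, stored);
        }
        return resolved;
    }

    /** Keeps a local reference to the publisher in addition to handing it to the superclass. */
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        super.setApplicationEventPublisher(applicationEventPublisher);
        this.eventPublisher = applicationEventPublisher;
    }
}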
