package io.gravitee.am.management.handlers.management.api.authentication.filter;

import io.gravitee.am.common.jwt.JWT;
import io.gravitee.am.identityprovider.api.DefaultUser;
import io.gravitee.am.jwt.JWTParser;
import io.gravitee.am.management.handlers.management.api.authentication.web.Http401UnauthorizedEntryPoint;
import io.gravitee.am.management.service.OrganizationUserService;
import io.gravitee.am.model.ReferenceType;
import io.gravitee.am.model.User;
import io.reactivex.rxjava3.core.Single;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.util.matcher.RequestMatcher;

/* loaded from: input_file:io/gravitee/am/management/handlers/management/api/authentication/filter/BearerAuthenticationFilter.class */
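/**
 * Authenticates management API requests that carry either a JWT (in the {@code Authorization: Bearer}
 * header or in the {@code jwt.cookie-name} cookie) or an encoded account access token, and exposes
 * the resulting principal as a {@link DefaultUser}.
 *
 * <p>Every failure inside {@link #attemptAuthentication} is reported to the client as one generic
 * {@link BadCredentialsException} and clears the authentication cookie; the underlying cause is kept
 * on the exception for server-side diagnostics only.
 */
public class BearerAuthenticationFilter extends AbstractAuthenticationProcessingFilter implements InitializingBean {

    /** Upper bound for the blocking user lookups; a value {@code <= 0} disables the timeout. */
    @Value("${http.blockingGet.timeoutMillis:120000}")
    private long blockingGetTimeoutMillis;

    /** Prefix expected in front of the token, both in the header and in the cookie value. */
    protected static final String BEARER_PREFIX = "Bearer ";

    /** Path attribute used when the authentication cookie is cleared; must match the issuing side. */
    @Value("${jwt.cookie-path:/}")
    private String jwtCookiePath;

    /** Name of the cookie that may carry the bearer token. */
    @Value("${jwt.cookie-name:Auth-Graviteeio-AM}")
    private String authCookieName;

    /** Secure attribute used when the authentication cookie is cleared. */
    @Value("${jwt.cookie-secure:false}")
    private boolean jwtCookieSecure;

    /** Domain attribute used when the authentication cookie is cleared; must match the issuing side. */
    @Value("${jwt.cookie-domain:}")
    private String jwtCookieDomain;

    @Autowired
    private Http401UnauthorizedEntryPoint http401UnauthorizedEntryPoint;

    /** Parser for management JWTs; signature/claim verification lives there, not in this filter. */
    @Autowired
    @Qualifier("managementJwtParser")
    private JWTParser jwtParser;

    @Autowired
    private OrganizationUserService userService;

    /**
     * An account access token in its wire form: the Base64 encoding of {@code <id>.<value>}.
     *
     * @param id    identifier of the stored token; it is also what ends up as the authentication's credentials
     * @param value second component of the token, looked up together with {@code id}
     */
    public record AccountAccessToken(String id, String value) {

        /**
         * Decodes the wire form of a token.
         *
         * @param encoded Base64 text of {@code id.value}
         * @return the decoded pair
         * @throws BadCredentialsException  when the decoded text does not split into exactly two parts
         * @throws IllegalArgumentException when {@code encoded} is not valid Base64; like every other
         *                                  failure this is turned into a 401 by {@code attemptAuthentication}
         */
        private static AccountAccessToken parse(String encoded) {
            byte[] raw = Base64.getDecoder().decode(encoded.getBytes(StandardCharsets.UTF_8));
            String[] parts = new String(raw, StandardCharsets.UTF_8).split("\\.");
            if (parts.length != 2) {
                throw new BadCredentialsException("Malformed token");
            }
            return new AccountAccessToken(parts[0], parts[1]);
        }
    }

    /** Hands every failure to the 401 entry point; never lets the filter create an HTTP session. */
    private class JWTAuthenticationFailureHandler implements AuthenticationFailureHandler {
        public JWTAuthenticationFailureHandler() {
            BearerAuthenticationFilter.this.setAllowSessionCreation(false);
        }

        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
            BearerAuthenticationFilter.this.http401UnauthorizedEntryPoint.commence(request, response, exception);
        }
    }

    /** Success needs no redirect or body: the chain is continued from {@link #successfulAuthentication}. */
    private class JWTAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
        private JWTAuthenticationSuccessHandler() {
        }

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
            // intentionally empty
        }
    }

    /**
     * Placeholder required by the superclass. Authentication is fully resolved in
     * {@link #attemptAuthentication}, so this manager must never be invoked.
     */
    private static class NoopAuthenticationManager implements AuthenticationManager {
        private NoopAuthenticationManager() {
        }

        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            throw new UnsupportedOperationException("No authentication should be done with this AuthenticationManager");
        }
    }

    /**
     * Creates the filter for the requests selected by {@code requestMatcher}. Session creation is
     * disabled: each request must present its own token.
     *
     * @param requestMatcher selects the requests this filter authenticates
     */
    public BearerAuthenticationFilter(RequestMatcher requestMatcher) {
        super(requestMatcher);
        setAuthenticationManager(new NoopAuthenticationManager());
        setAuthenticationSuccessHandler(new JWTAuthenticationSuccessHandler());
        setAuthenticationFailureHandler(new JWTAuthenticationFailureHandler());
        super.setAllowSessionCreation(false);
    }

    /**
     * Extracts the token from the request and resolves it to an {@link Authentication}.
     *
     * @return the authenticated principal
     * @throws BadCredentialsException for any failure: missing or malformed token, parse error,
     *                                 user lookup failure or timeout, revoked session
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
        try {
            return getAuthentication(extractToken(httpServletRequest), httpServletRequest);
        } catch (Exception e) {
            // One generic answer for every failure mode, so the response does not reveal which
            // step rejected the token; the cookie is dropped so a stale one cannot keep
            // re-triggering the same failure. The cause stays attached for server-side logs.
            clearAuthenticationCookie(httpServletResponse);
            throw new BadCredentialsException("Error occured while attempting authentication", e);
        }
    }

    /**
     * Returns the bearer token, preferring the {@code Authorization} header over the cookie.
     *
     * @throws BadCredentialsException when neither carries a {@code Bearer }-prefixed value
     */
    private String extractToken(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith(BEARER_PREFIX)) {
            return header.substring(BEARER_PREFIX.length());
        }
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                String value = cookie.getValue();
                if (authCookieName.equals(cookie.getName()) && value != null && value.startsWith(BEARER_PREFIX)) {
                    return value.substring(BEARER_PREFIX.length());
                }
            }
        }
        throw new BadCredentialsException("No Bearer token found");
    }

    /**
     * Routes the raw token to the matching verifier: a value containing {@code '.'} is treated as
     * a JWT, anything else as an encoded account access token.
     *
     * @param str                raw token without the {@code Bearer } prefix
     * @param httpServletRequest current request, used to enrich the JWT principal
     * @return the resolved authentication
     */
    protected Authentication getAuthentication(String str, HttpServletRequest httpServletRequest) {
        if (str.contains(".")) {
            return jwtAuthentication(httpServletRequest, jwtParser.parse(str));
        }
        return accountAccessTokenAuthentication(AccountAccessToken.parse(str));
    }

    /**
     * Builds the principal for a parsed JWT. The user is loaded from the organization named by the
     * {@code org} claim; a token issued before the user's last logout or last username reset is
     * rejected as an expired session.
     *
     * @throws SessionAuthenticationException when the token predates a logout or username reset
     */
    private UsernamePasswordAuthenticationToken jwtAuthentication(HttpServletRequest request, JWT jwt) {
        Map<String, Object> claims = new HashMap<>(jwt);
        claims.put("ip_address", remoteAddress(request));
        claims.put("user_agent", userAgent(request));
        String subject = (String) claims.get("sub");

        User user = userService.findById(ReferenceType.ORGANIZATION, (String) jwt.get("org"), subject)
                .compose(this::applyTimeout)
                .blockingGet();

        // iat is in seconds; anything that invalidated sessions after it wins over the token.
        Date issuedAt = new Date(jwt.getIat() * 1000);
        if (occurredAfter(user.getLastLogoutAt(), issuedAt) || occurredAfter(user.getLastUsernameReset(), issuedAt)) {
            throw new SessionAuthenticationException("Session expired");
        }

        DefaultUser principal = new DefaultUser((String) claims.get("preferred_username"));
        principal.setId(subject);
        principal.setAdditionalInformation(claims);
        @SuppressWarnings("unchecked") // the "roles" claim is consumed as the List<String> DefaultUser#setRoles takes
        List<String> roles = (List<String>) claims.get("roles");
        principal.setRoles(roles);
        return new UsernamePasswordAuthenticationToken(principal, null, getAuthorities(principal));
    }

    /** True when {@code event} is set and happened strictly after {@code issuedAt}. */
    private static boolean occurredAfter(Date event, Date issuedAt) {
        return event != null && event.after(issuedAt);
    }

    /**
     * Builds the principal for an account access token. The user is resolved by the token's
     * {@code id}/{@code value} pair; only the {@code id} is retained as the authentication's
     * credentials and as {@code accountTokenId} in the additional information.
     */
    private Authentication accountAccessTokenAuthentication(AccountAccessToken token) {
        User user = userService.findByAccessToken(token.id(), token.value())
                .compose(this::applyTimeout)
                .blockingGet();
        DefaultUser principal = new DefaultUser(user.getUsername());
        principal.setId(user.getId());
        principal.setAdditionalInformation(Map.of("accountTokenId", token.id()));
        principal.setRoles(user.getRoles());
        return new UsernamePasswordAuthenticationToken(principal, token.id(), getAuthorities(principal));
    }

    /** Bounds a lookup that is about to be awaited with {@code blockingGet} on the request thread. */
    private Single<User> applyTimeout(Single<User> lookup) {
        if (blockingGetTimeoutMillis > 0) {
            return lookup.timeout(blockingGetTimeoutMillis, TimeUnit.MILLISECONDS);
        }
        return lookup;
    }

    /** Maps the principal's role names one-to-one onto authorities; no roles means no authorities. */
    private List<GrantedAuthority> getAuthorities(DefaultUser principal) {
        List<String> roles = principal.getRoles();
        if (roles == null) {
            return AuthorityUtils.NO_AUTHORITIES;
        }
        return roles.stream()
                .<GrantedAuthority>map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
    }

    /**
     * Asks the browser to drop the authentication cookie. Path, domain and secure flag mirror the
     * configured issuing attributes: a deletion cookie only takes effect when they match.
     */
    private void clearAuthenticationCookie(HttpServletResponse response) {
        Cookie cookie = new Cookie(authCookieName, null);
        cookie.setSecure(jwtCookieSecure);
        cookie.setPath(jwtCookiePath);
        cookie.setDomain(jwtCookieDomain);
        cookie.setMaxAge(0);
        response.addCookie(cookie);
    }

    /** Stores the authentication in the security context, then lets the request proceed down the chain. */
    @Override
    protected void successfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, Authentication authentication) throws IOException, ServletException {
        super.successfulAuthentication(httpServletRequest, httpServletResponse, filterChain, authentication);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Client address recorded in the JWT principal's {@code ip_address}: the first entry of
     * {@code X-Forwarded-For} when present, else the socket peer address.
     *
     * <p>The header is taken as received. NOTE(review): it is only as trustworthy as the proxy in
     * front of this service — confirm the deployment overwrites it at the edge, otherwise the
     * recorded address is caller-chosen.
     */
    private String remoteAddress(HttpServletRequest request) {
        return firstForwardedAddress(request.getHeader("X-Forwarded-For"))
                .orElseGet(request::getRemoteAddr);
    }

    /**
     * Picks the first address out of an {@code X-Forwarded-For} value and strips a trailing port.
     * Recognised shapes are {@code v4}, {@code v4:port}, {@code v6} and {@code [v6]:port}; a bare
     * IPv6 address is returned whole instead of being cut at its first colon. Package-private so
     * the parsing can be unit-tested without a servlet request.
     *
     * @param forwardedFor raw header value, possibly {@code null}
     * @return the first address, or empty when the header is absent or empty
     */
    static Optional<String> firstForwardedAddress(String forwardedFor) {
        if (forwardedFor == null || forwardedFor.isEmpty()) {
            return Optional.empty();
        }
        int comma = forwardedFor.indexOf(',');
        String first = (comma == -1 ? forwardedFor : forwardedFor.substring(0, comma)).trim();
        if (first.startsWith("[")) {
            // "[v6]:port": the address is what sits between the brackets.
            int close = first.indexOf(']');
            return Optional.of(close == -1 ? first : first.substring(1, close));
        }
        int colon = first.indexOf(':');
        if (colon != -1 && colon == first.lastIndexOf(':')) {
            // exactly one colon: "v4:port" — drop the port.
            return Optional.of(first.substring(0, colon).trim());
        }
        // no colon (bare v4) or several (bare v6): keep the whole entry.
        return Optional.of(first);
    }

    /** Value of the {@code User-Agent} header, or {@code null} when absent. */
    private String userAgent(HttpServletRequest request) {
        return request.getHeader("User-Agent");
    }
}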
