package io.gravitee.am.management.handlers.management.api.authentication.filter;

import io.gravitee.am.common.crypto.CryptoUtils;
import io.gravitee.am.common.exception.jwt.JWTException;
import io.gravitee.am.identityprovider.api.AuthenticationProvider;
import io.gravitee.am.identityprovider.api.SimpleAuthenticationContext;
import io.gravitee.am.identityprovider.api.User;
import io.gravitee.am.jwt.JWTParser;
import io.gravitee.am.management.handlers.management.api.authentication.http.JettyHttpServerRequest;
import io.gravitee.am.management.handlers.management.api.authentication.manager.idp.IdentityProviderManager;
import io.gravitee.am.management.handlers.management.api.authentication.provider.security.EndUserAuthentication;
import io.gravitee.am.model.IdentityProvider;
import io.gravitee.am.model.ReferenceType;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.Key;
import java.util.LinkedHashMap;
import java.util.Map;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationEventPublisher;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.authentication.ProviderNotFoundException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:io/gravitee/am/management/handlers/management/api/authentication/filter/SocialAuthenticationFilter.class */
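/**
 * Spring Security processing filter that signs a management-console user in through an
 * organization-level social identity provider.
 *
 * <p>The filter only engages when the request matches the configured URL pattern, no
 * non-anonymous authentication is already present, and a {@code provider} query parameter
 * is supplied. The actual user resolution is delegated to the {@link AuthenticationProvider}
 * registered for that provider id; this filter never uses Spring's
 * {@link AuthenticationManager} (see {@link NoopAuthenticationManager}). Session creation is
 * disabled both here and on the failure handler, which redirects to {@link #ERROR_PAGE}.
 */
public class SocialAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(SocialAuthenticationFilter.class);
    /** Authentication-details key holding the id of the provider that authenticated the user. */
    private static final String SOURCE = "source";
    /** Authentication-details key holding the organization id the provider belongs to. */
    private static final String ORGANIZATION = "org";
    /** Request parameter naming the identity provider to authenticate against. */
    private static final String PROVIDER_PARAMETER = "provider";
    /** Page the failure handler redirects to when authentication fails. */
    private static final String ERROR_PAGE = "/auth/access/error";
    /** Authentication-context key carrying the redirect URI handed to the provider. */
    private static final String REDIRECT_URI = "redirect_uri";
    /** Authentication-context key carrying the decrypted PKCE code verifier for the provider. */
    private static final String IDP_CODE_VERIFIER = "idp_code_verifier";
    /** Request parameter echoed back by the provider; parsed as a JWT issued by this service. */
    private static final String STATE_PARAMETER = "state";
    /** Claim of the state JWT holding the encrypted code verifier. */
    private static final String ENCRYPTED_CODE_VERIFIER_CLAIM = "ecv";
    /** Placeholder principal/credentials: the provider identifies the user, not a username. */
    private static final String SOCIAL_PLACEHOLDER = "__social__";

    // Assigned in setApplicationEventPublisher; not read anywhere in this class.
    private AuthenticationEventPublisher authenticationEventPublisher;

    @Autowired
    private IdentityProviderManager identityProviderManager;

    @Autowired
    private AuthenticationSuccessHandler successHandler;

    @Autowired
    @Qualifier("managementJwtParser")
    private JWTParser parser;

    @Autowired
    @Qualifier("managementSecretKey")
    private Key managementKey;

    /**
     * Parent-class requirement only: the parent filter insists on an {@link AuthenticationManager},
     * but every authentication in this filter goes through the social provider, so any call to
     * this manager is a programming error.
     */
    private static class NoopAuthenticationManager implements AuthenticationManager {
        private NoopAuthenticationManager() {
        }

        /**
         * @throws UnsupportedOperationException always
         */
        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            throw new UnsupportedOperationException("No authentication should be done with this AuthenticationManager");
        }
    }

    /**
     * Creates the filter for the given URL pattern with session creation disabled and a
     * redirecting failure handler.
     *
     * @param str the URL pattern this filter processes, passed through to the parent filter
     */
    public SocialAuthenticationFilter(String str) {
        super(str);
        setAuthenticationManager(new NoopAuthenticationManager());
        SimpleUrlAuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler(ERROR_PAGE);
        failureHandler.setAllowSessionCreation(false);
        setAuthenticationFailureHandler(failureHandler);
        setAllowSessionCreation(false);
    }

    /**
     * Resolves the provider named by the {@code provider} parameter and asks it to load the user
     * from the callback request.
     *
     * <p>Only providers whose reference type is {@link ReferenceType#ORGANIZATION} are accepted,
     * so a domain-scoped provider can never be used to enter the management console.
     *
     * @param httpServletRequest  the provider callback request
     * @param httpServletResponse the response (unused here)
     * @return an authenticated token whose principal is the provider-supplied {@link User} and whose
     *         details map carries the provider id ({@value #SOURCE}) and organization id
     *         ({@value #ORGANIZATION})
     * @throws ProviderNotFoundException if the provider is unknown or not organization-scoped
     * @throws BadCredentialsException   if the provider fails or returns no user
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException {
        String providerId = httpServletRequest.getParameter(PROVIDER_PARAMETER);
        IdentityProvider identityProvider = this.identityProviderManager.getIdentityProvider(providerId);
        AuthenticationProvider authenticationProvider = this.identityProviderManager.get(providerId);
        if (authenticationProvider == null || identityProvider == null || identityProvider.getReferenceType() != ReferenceType.ORGANIZATION) {
            throw new ProviderNotFoundException("Social Provider " + providerId + " not found");
        }

        SimpleAuthenticationContext context = new SimpleAuthenticationContext(new JettyHttpServerRequest(httpServletRequest));
        // The provider needs the exact redirect URI of the original authorization request and,
        // for PKCE, the code verifier that was issued with it.
        context.set(REDIRECT_URI, buildRedirectUri(httpServletRequest));
        context.set(IDP_CODE_VERIFIER, getIdpCodeVerifier(httpServletRequest));
        EndUserAuthentication socialAuthentication = new EndUserAuthentication(SOCIAL_PLACEHOLDER, SOCIAL_PLACEHOLDER, context);

        User user;
        try {
            user = (User) authenticationProvider.loadUserByUsername(socialAuthentication).blockingGet();
        } catch (Exception e) {
            log.error("Unable to authenticate with oauth2 provider {}", providerId, e);
            throw new BadCredentialsException(e.getMessage(), e);
        }
        // Kept outside the try so this exception is not caught and re-wrapped by the handler above.
        if (user == null) {
            log.error("User is null, fail to authenticate user");
            throw new BadCredentialsException("User is null after authentication process");
        }

        Map<String, Object> details = new LinkedHashMap<>();
        details.put(SOURCE, providerId);
        details.put(ORGANIZATION, identityProvider.getReferenceId());
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(user, socialAuthentication.getCredentials(), AuthorityUtils.NO_AUTHORITIES);
        token.setDetails(details);
        return token;
    }

    /**
     * Recovers the PKCE code verifier from the {@code state} parameter.
     *
     * <p>The state is parsed as a JWT with the management parser and its {@value
     * #ENCRYPTED_CODE_VERIFIER_CLAIM} claim is decrypted with the management key, so the verifier
     * never travels to the provider in clear text.
     *
     * @param httpServletRequest the provider callback request
     * @return the decrypted verifier, or {@code null} when there is no state, the state is not a
     *         valid JWT, or it carries no verifier claim
     */
    private String getIdpCodeVerifier(HttpServletRequest httpServletRequest) {
        String state = httpServletRequest.getParameter(STATE_PARAMETER);
        if (state == null) {
            return null;
        }
        try {
            String encryptedVerifier = (String) this.parser.parse(state).get(ENCRYPTED_CODE_VERIFIER_CLAIM);
            if (encryptedVerifier == null) {
                return null;
            }
            // Only JWT parse failures are treated as "no verifier"; a non-string claim or a
            // decryption error propagates to attemptAuthentication's caller.
            return CryptoUtils.decrypt(encryptedVerifier, this.managementKey);
        } catch (JWTException e) {
            return null;
        }
    }

    /**
     * Stores the authentication in the security context and delegates to the injected success
     * handler; the parent implementation's session/remember-me handling is bypassed.
     */
    @Override
    protected final void successfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, Authentication authentication) throws IOException, ServletException {
        if (log.isDebugEnabled()) {
            log.debug("Authentication success. Updating SecurityContextHolder to contain: " + authentication);
        }
        SecurityContextHolder.getContext().setAuthentication(authentication);
        this.successHandler.onAuthenticationSuccess(httpServletRequest, httpServletResponse, authentication);
    }

    /**
     * Propagates the publisher to the parent and keeps a Spring Security event publisher built on it.
     */
    @Override
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        super.setApplicationEventPublisher(applicationEventPublisher);
        this.authenticationEventPublisher = new DefaultAuthenticationEventPublisher(applicationEventPublisher);
    }

    /**
     * Engages only for matching requests that are not already authenticated and that name a provider.
     */
    @Override
    protected boolean requiresAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return super.requiresAuthentication(httpServletRequest, httpServletResponse)
                && !authenticated()
                && httpServletRequest.getParameter(PROVIDER_PARAMETER) != null;
    }

    /**
     * @return {@code true} when the security context holds an authenticated, non-anonymous authentication
     */
    private boolean authenticated() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        return current != null
                && current.isAuthenticated()
                && !(current instanceof AnonymousAuthenticationToken);
    }

    /**
     * Rebuilds the redirect URI the provider was originally given: the current request URL plus the
     * {@code provider} parameter.
     *
     * <p>Scheme and host come from {@code getRequestURL()}, i.e. from the incoming request as the
     * container sees it. NOTE(review): behind a reverse proxy this depends on forwarded-header
     * handling being configured; confirm the resulting URI matches what is registered at the provider.
     *
     * @param httpServletRequest the provider callback request
     * @return the redirect URI, left unencoded as received
     */
    private String buildRedirectUri(HttpServletRequest httpServletRequest) {
        UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl(httpServletRequest.getRequestURL().toString());
        builder.queryParam(PROVIDER_PARAMETER, httpServletRequest.getParameter(PROVIDER_PARAMETER));
        return builder.build(false).toUriString();
    }
}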
