package org.apache.syncope.sra.security.cas;

import java.net.URI;
import org.apache.syncope.sra.security.web.server.DoNothingIfCommittedServerRedirectStrategy;
import org.apache.syncope.sra.session.SessionUtils;
import org.apereo.cas.client.Protocol;
import org.apereo.cas.client.validation.TicketValidationException;
import org.apereo.cas.client.validation.TicketValidator;
import org.apereo.cas.client.validation.json.Cas30JsonServiceTicketValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.server.ServerRedirectStrategy;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.util.matcher.AndServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/apache/syncope/sra/security/cas/CASAuthenticationWebFilter.class */
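/**
 * Authentication filter that completes a CAS login: it picks up the service ticket from the
 * incoming request, validates it through a {@link TicketValidator} and, on success, redirects
 * the browser to the URI stored in the web session under
 * {@link SessionUtils#INITIAL_REQUEST_URI}.
 *
 * <p>The filter only runs for exchanges that match {@code CASUtils.ticketAvailable(protocol)}
 * and do not match {@code SessionUtils.authInSession()}.
 */
public class CASAuthenticationWebFilter extends AuthenticationWebFilter {
    private static final Logger LOG = LoggerFactory.getLogger(CASAuthenticationWebFilter.class);
    private final Protocol protocol;
    private final TicketValidator ticketValidator;

    /**
     * Creates the filter and wires its matcher, converter and success handler.
     *
     * @param reactiveAuthenticationManager manager handed to {@link AuthenticationWebFilter}
     * @param protocol CAS protocol used to locate the ticket and build the service URL
     * @param str value passed to the {@link Cas30JsonServiceTicketValidator} constructor
     *     (the CAS server URL prefix)
     */
    public CASAuthenticationWebFilter(ReactiveAuthenticationManager reactiveAuthenticationManager, Protocol protocol, String str) {
        super(reactiveAuthenticationManager);
        this.protocol = protocol;
        this.ticketValidator = new Cas30JsonServiceTicketValidator(str);
        // Run only when a ticket is on the request AND no authentication is in the session yet.
        setRequiresAuthenticationMatcher(new AndServerWebExchangeMatcher(new ServerWebExchangeMatcher[]{
            CASUtils.ticketAvailable(protocol),
            new NegatedServerWebExchangeMatcher(SessionUtils.authInSession())
        }));
        setServerAuthenticationConverter(validateAssertion());
        setAuthenticationSuccessHandler(redirectToInitialRequestURI());
    }

    /**
     * Builds the converter that turns the ticket carried by the request into a
     * {@link CASAuthenticationToken} holding the validated assertion.
     *
     * @return converter that emits the token, or signals {@link BadCredentialsException} when
     *     the validator rejects the ticket
     */
    private ServerAuthenticationConverter validateAssertion() {
        return exchange -> CASUtils.retrieveTicketFromRequest(exchange, this.protocol).flatMap(ticket -> {
            try {
                // Build the service URL once so the logged value is exactly the one validated.
                String serviceUrl = CASUtils.constructServiceUrl(exchange, this.protocol);
                LOG.debug("Constructed service url: {}", serviceUrl);
                // NOTE(review): validate() is a synchronous call made inside flatMap; if it
                // performs network I/O to the CAS server it blocks the calling reactive thread.
                // Consider moving it onto a bounded-elastic scheduler - confirm.
                return Mono.just(new CASAuthenticationToken(this.ticketValidator.validate(ticket, serviceUrl)));
            } catch (TicketValidationException e) {
                // NOTE(review): the ticket is request-supplied text and ends up both in the log
                // and in the exception message; treat it as untrusted wherever those are rendered.
                LOG.error("Could not validate {}", ticket, e);
                // Keep the validation failure as the cause so it is not lost to callers.
                throw new BadCredentialsException("Could not validate " + ticket, e);
            }
        });
    }

    /**
     * Builds the success handler that sends the browser back to the URI recorded in the
     * web session under {@link SessionUtils#INITIAL_REQUEST_URI}.
     *
     * @return handler issuing the redirect through a
     *     {@link DoNothingIfCommittedServerRedirectStrategy}
     */
    private ServerAuthenticationSuccessHandler redirectToInitialRequestURI() {
        // An anonymous implementation of an interface takes no constructor arguments.
        return new ServerAuthenticationSuccessHandler() {
            private final ServerRedirectStrategy redirectStrategy = new DoNothingIfCommittedServerRedirectStrategy();

            @Override
            public Mono<Void> onAuthenticationSuccess(WebFilterExchange webFilterExchange, Authentication authentication) {
                return webFilterExchange.getExchange().getSession().flatMap(session -> {
                    // getRequiredAttribute throws IllegalArgumentException when the attribute is
                    // absent, e.g. a ticket arriving on a session that never recorded a URI.
                    // NOTE(review): the redirect target is trusted as-is; verify that whatever
                    // stores INITIAL_REQUEST_URI only records this application's own URIs.
                    URI initialRequestUri = (URI) session.getRequiredAttribute(SessionUtils.INITIAL_REQUEST_URI);
                    return this.redirectStrategy.sendRedirect(webFilterExchange.getExchange(), initialRequestUri);
                });
            }
        };
    }
}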
