package org.kuali.coeus.sys.framework.auth;

import java.io.IOException;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Optional;
import java.util.UUID;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.kuali.coeus.sys.framework.rest.AuthServiceRestUtilService;
import org.kuali.coeus.sys.framework.rest.RestServiceConstants;
import org.kuali.coeus.sys.framework.service.KcServiceLocator;
import org.kuali.kra.infrastructure.Constants;
import org.kuali.rice.core.api.config.ConfigurationException;
import org.kuali.rice.core.api.config.property.ConfigurationService;
import org.kuali.rice.coreservice.framework.parameter.ParameterService;
import org.kuali.rice.kim.api.identity.IdentityService;
import org.kuali.rice.kim.api.identity.principal.Principal;
import org.kuali.rice.krad.service.BusinessObjectService;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/kuali/coeus/sys/framework/auth/AuthServiceFilter.class */
public class AuthServiceFilter implements Filter {
    private static final String ADMIN_ROLE = "admin";
    private static final String CURRENT_USER_APPEND = "/current";
    private static final String TOKEN_APPEND = "/auth/token";
    private static final String SECONDS_TO_CACHE_AUTH_TOKEN_RESPONSE_CONFIG = "secondsToCacheAuthTokenResponse";
    private static final String BASIC_AUTH_KC_USERNAME = "admin";
    private static final long SECONDS_TO_CACHE_AUTH_TOKEN_IN_SESSION_DEFAULT = 300;
    private static final String ACCESS_DENIED_MESSAGE = "Access Denied";
    private static final String AUTHORIZATION_PREFIX = "Bearer ";
    private static final String AUTHORIZATION_HEADER_NAME = "Authorization";
    private static final String AUTH_TOKEN_COOKIE_NAME = "authToken";
    private static final String CODE_PARAM_NAME = "code";
    private static final String AUTH_REDIRECT_URI = "/auth/authorize";
    private static final String AUTH_CLIENT_ID_PARAM = "auth.client.id";
    private static final String KC_REST_ADMIN_PASSWORD = "kc.rest.admin.password";
    private static final String KC_REST_ADMIN_USERNAME = "kc.rest.admin.username";
    private static final String REST_API_URLS_PARAM = "auth.rest.urls.regex";
    private static final String ALLOW_MISSING_ADMINS_TO_PROXY_ADMIN_ACCOUNT = "auth.filter.allow.admin.proxy";
    private static final String AUTH_ADMIN_PROXY_USER = "auth.filter.proxy.username";
    private static final String SERVICE_USER = "auth.filter.service2service.username";
    private static final String AUTH_IMPERSONATION_LOGGING = "auth.impersonation.logging";
    private static final Logger LOG = LogManager.getLogger(AuthServiceFilter.class);
    private static final String GRANT_TYPE = "grant_type";
    private static final String AUTHORIZATION_CODE = "authorization_code";
    private static final String CLIENT_ID = "client_id";
    private static final String AUTH_CODE_PARAM = "code";
    private static final String REDIRECT_URI = "redirect_uri";
    private static final String AUTH_STATE = "state";
    private static final String RESPONSE_TYPE = "response_type";
    private static final String AUTH_SERVICE_FILTER_REQ_VER_TOKEN = "AUTH_SERVICE_FILTER_REQ_VER_TOKEN";
    private static final String AUTH_SERVICE_FILTER_REDIRECT_URI = "AUTH_SERVICE_FILTER_REDIRECT_URI";
    static final String AUTH_SERVICE_FILTER_IS_SERVICE_USER = "AUTH_SERVICE_FILTER_IS_SERVICE_USER";
    static final String AUTH_SERVICE_FILTER_AUTHED_USER_ATTR = "AUTH_SERVICE_FILTER_AUTHED_USER";
    public static final String AUTH_SERVICE_FILTER_AUTH_TOKEN_SESSION_ATTR = "AUTH_SERVICE_FILTER_AUTH_TOKEN";
    private String authClientId;
    private String authRedirectURI;
    private String getCurrentUserUrl;
    private String fetchTokenUrl;
    private String hashedApiAdminBasicAuth;
    private List<Pattern> restUrlsRegex;
    private String adminProxyUsername;
    private String serviceProxyUsername;
    private ConfigurationService configurationService;
    private RestOperations restTemplate;
    private AuthServiceRestUtilService authServiceRestUtilService;
    private IdentityService identityService;
    private BusinessObjectService businessObjectService;
    private ParameterService parameterService;
    private JwtService jwtService;
    private Boolean allowAdminProxy = Boolean.FALSE;
    private long secondsToCacheAuthTokenInSession = SECONDS_TO_CACHE_AUTH_TOKEN_IN_SESSION_DEFAULT;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/kuali/coeus/sys/framework/auth/AuthServiceFilter$AuthServiceRequestWrapper.class */
    public static class AuthServiceRequestWrapper extends HttpServletRequestWrapper {
        private String username;

        public AuthServiceRequestWrapper(String str, HttpServletRequest httpServletRequest) {
            super(httpServletRequest);
            this.username = str;
        }

        public String getRemoteUser() {
            return this.username;
        }
    }

    public void init(FilterConfig filterConfig) {
        String initParameter = filterConfig.getInitParameter(SECONDS_TO_CACHE_AUTH_TOKEN_RESPONSE_CONFIG);
        if (initParameter != null) {
            this.secondsToCacheAuthTokenInSession = Long.parseLong(initParameter);
        }
        String propertyValueAsString = getConfigurationService().getPropertyValueAsString(RestServiceConstants.Configuration.AUTH_BASE_URL);
        this.authRedirectURI = propertyValueAsString + "/auth/authorize";
        this.getCurrentUserUrl = getConfigurationService().getPropertyValueAsString(RestServiceConstants.Configuration.AUTH_USERS_URL) + "/current";
        this.fetchTokenUrl = propertyValueAsString + "/auth/token";
        this.allowAdminProxy = Boolean.valueOf(getConfigurationService().getPropertyValueAsBoolean(ALLOW_MISSING_ADMINS_TO_PROXY_ADMIN_ACCOUNT));
        this.adminProxyUsername = getConfigurationService().getPropertyValueAsString(AUTH_ADMIN_PROXY_USER);
        this.serviceProxyUsername = getConfigurationService().getPropertyValueAsString(SERVICE_USER);
        this.restUrlsRegex = buildRestUrlRegexPatterns(getConfigurationService().getPropertyValueAsString(REST_API_URLS_PARAM));
        this.authClientId = getConfigurationService().getPropertyValueAsString(AUTH_CLIENT_ID_PARAM);
        String propertyValueAsString2 = getConfigurationService().getPropertyValueAsString(KC_REST_ADMIN_USERNAME);
        String propertyValueAsString3 = getConfigurationService().getPropertyValueAsString(KC_REST_ADMIN_PASSWORD);
        if (StringUtils.isNotBlank(propertyValueAsString2) && StringUtils.isNotBlank(propertyValueAsString3)) {
            this.hashedApiAdminBasicAuth = "Basic " + new String(Base64.getEncoder().encode((propertyValueAsString2 + ":" + propertyValueAsString3).getBytes()));
        }
    }

    protected List<Pattern> buildRestUrlRegexPatterns(String str) {
        return (List) Arrays.stream(str.split(",")).map(Pattern::compile).collect(Collectors.toList());
    }

    protected boolean isUrlForRest(String str) {
        return this.restUrlsRegex.stream().anyMatch(pattern -> {
            return pattern.matcher(str).matches();
        });
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        if (isUrlForRest(httpServletRequest.getRequestURI())) {
            authenticateBasedOnAuthorizationHeader(httpServletRequest.getHeader("Authorization"), httpServletRequest, httpServletResponse, filterChain);
        } else {
            authenticateWebBasedUser(filterChain, httpServletRequest, httpServletResponse);
        }
    }

    protected void authenticateWebBasedUser(FilterChain filterChain, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        Optional<Cookie> findAuthTokenCookie = findAuthTokenCookie(httpServletRequest);
        if (findAuthTokenCookie.isPresent()) {
            Optional<AuthUser> authUser = getAuthUser(findAuthTokenCookie.get().getValue(), httpServletRequest);
            if (authUser.isPresent()) {
                continueFilterChain(filterChain, httpServletRequest, httpServletResponse, authUser.get().getUsername());
                return;
            }
            invalidateAuthTokenCookie(httpServletRequest, httpServletResponse);
        } else if (httpServletRequest.getParameterMap().containsKey("code") && httpServletRequest.getParameterMap().containsKey("state")) {
            String str = (String) httpServletRequest.getSession().getAttribute(AUTH_SERVICE_FILTER_REQ_VER_TOKEN);
            LOG.debug("Saved auth state from session: " + str);
            if (str != null && str.equals(httpServletRequest.getParameter("state"))) {
                Optional<AuthTokenResponseDto> fetchTokenFromCode = fetchTokenFromCode(httpServletRequest.getParameter("code"), httpServletRequest);
                if (fetchTokenFromCode.isPresent()) {
                    String authToken = fetchTokenFromCode.get().getAuthToken();
                    Optional<AuthUser> authUser2 = getAuthUser(authToken, httpServletRequest);
                    if (authUser2.isPresent()) {
                        addAuthTokenCookie(httpServletRequest, httpServletResponse, authToken);
                        continueFilterChain(filterChain, httpServletRequest, httpServletResponse, authUser2.get().getUsername());
                        return;
                    }
                } else {
                    LOG.debug("No token returned with code: " + httpServletRequest.getParameter("code"));
                }
            }
        }
        redirectToLogin(httpServletRequest, httpServletResponse);
    }

    private void continueFilterChain(FilterChain filterChain, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException, ServletException {
        filterChain.doFilter(new AuthServiceRequestWrapper(str, httpServletRequest), httpServletResponse);
    }

    private Cookie createAuthTokenCookie(HttpServletRequest httpServletRequest, String str, int i) {
        Cookie cookie = new Cookie(AUTH_TOKEN_COOKIE_NAME, str);
        cookie.setDomain(httpServletRequest.getServerName());
        cookie.setPath("/");
        cookie.setSecure(httpServletRequest.isSecure());
        cookie.setMaxAge(i);
        return cookie;
    }

    private void invalidateAuthTokenCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        httpServletResponse.addCookie(createAuthTokenCookie(httpServletRequest, "", 0));
    }

    private void addAuthTokenCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        httpServletResponse.addCookie(createAuthTokenCookie(httpServletRequest, str, -1));
    }

    private Optional<Cookie> findAuthTokenCookie(HttpServletRequest httpServletRequest) {
        return Optional.ofNullable(httpServletRequest.getCookies()).flatMap(cookieArr -> {
            return Stream.of((Object[]) cookieArr).filter(cookie -> {
                return cookie.getName().equals(AUTH_TOKEN_COOKIE_NAME);
            }).findFirst();
        });
    }

    protected Optional<AuthUser> getAuthUser(String str, HttpServletRequest httpServletRequest) {
        try {
            AuthUser validateAuthToken = validateAuthToken(str, httpServletRequest);
            return (validateAuthToken == null || !StringUtils.isNotBlank(validateAuthToken.getUsername())) ? Optional.empty() : Optional.of(proxyAdminUsers(validateAuthToken));
        } catch (RuntimeException e) {
            LOG.warn("Error validating auth token", e);
            return Optional.empty();
        }
    }

    protected void authenticateBasedOnAuthorizationHeader(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (this.hashedApiAdminBasicAuth != null && this.hashedApiAdminBasicAuth.equals(str)) {
            continueFilterChain(filterChain, httpServletRequest, httpServletResponse, "admin");
            return;
        }
        if (str != null && str.startsWith("Bearer ")) {
            try {
                AuthUser validateAuthToken = validateAuthToken(str, httpServletRequest);
                if (validateAuthToken != null) {
                    continueFilterChain(filterChain, httpServletRequest, httpServletResponse, proxyAdminUsers(validateAuthToken).getUsername());
                    return;
                }
            } catch (RuntimeException e) {
                LOG.debug("Error validating auth token in header", e);
            }
        }
        httpServletResponse.sendError(403, ACCESS_DENIED_MESSAGE);
    }

    protected void redirectToLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        try {
            String redirectUri = getRedirectUri(httpServletRequest);
            httpServletRequest.getSession().setAttribute(AUTH_SERVICE_FILTER_REDIRECT_URI, redirectUri);
            String uuid = UUID.randomUUID().toString();
            httpServletRequest.getSession().setAttribute(AUTH_SERVICE_FILTER_REQ_VER_TOKEN, uuid);
            URIBuilder uRIBuilder = new URIBuilder(this.authRedirectURI);
            uRIBuilder.addParameter(CLIENT_ID, this.authClientId);
            uRIBuilder.addParameter("state", uuid);
            uRIBuilder.addParameter(RESPONSE_TYPE, "code");
            uRIBuilder.addParameter(REDIRECT_URI, redirectUri);
            httpServletResponse.sendRedirect(uRIBuilder.toString());
        } catch (URISyntaxException e) {
            throw new ConfigurationException("authentication url is invalid: " + this.authRedirectURI, e);
        }
    }

    protected String getRedirectUri(HttpServletRequest httpServletRequest) throws URISyntaxException {
        List of = List.of("state", "code");
        URIBuilder uRIBuilder = new URIBuilder(httpServletRequest.getRequestURL().toString());
        List list = (List) URLEncodedUtils.parse(httpServletRequest.getQueryString(), StandardCharsets.UTF_8).stream().filter(nameValuePair -> {
            return !of.contains(nameValuePair.getName());
        }).collect(Collectors.toList());
        if (!list.isEmpty()) {
            uRIBuilder.setParameters(list);
        }
        return uRIBuilder.toString();
    }

    protected AuthUser validateAuthToken(String str, HttpServletRequest httpServletRequest) {
        AuthUser authUser;
        AuthUser authUser2 = (AuthUser) httpServletRequest.getSession().getAttribute(AUTH_SERVICE_FILTER_AUTHED_USER_ATTR);
        if (authUser2 != null && StringUtils.equals(authUser2.getAuthToken(), str) && authUser2.getLastValidated().plus(this.secondsToCacheAuthTokenInSession, (TemporalUnit) ChronoUnit.SECONDS).isAfter(Instant.now())) {
            return authUser2;
        }
        httpServletRequest.getSession().removeAttribute(AUTH_SERVICE_FILTER_AUTHED_USER_ATTR);
        if (getJwtService().verifyToken(str)) {
            authUser = createServiceUser();
            httpServletRequest.getSession().setAttribute(AUTH_SERVICE_FILTER_IS_SERVICE_USER, true);
        } else {
            authUser = (AuthUser) getRestTemplate().exchange(fixUrlFormat(this.getCurrentUserUrl, httpServletRequest), HttpMethod.GET, new HttpEntity(getAuthServiceRestUtilService().getAuthServiceStyleHttpHeadersForToken(str)), AuthUser.class, new Object[0]).getBody();
            if (authUser != null) {
                authUser.setAuthToken(str);
                httpServletRequest.getSession().setAttribute(AUTH_SERVICE_FILTER_AUTHED_USER_ATTR, authUser);
                httpServletRequest.getSession().setAttribute(AUTH_SERVICE_FILTER_AUTH_TOKEN_SESSION_ATTR, str);
            }
            logImpersonation(authUser, httpServletRequest.getRequestURL().toString());
        }
        return authUser;
    }

    protected Optional<AuthTokenResponseDto> fetchTokenFromCode(String str, HttpServletRequest httpServletRequest) {
        String fixUrlFormat = fixUrlFormat(this.fetchTokenUrl, httpServletRequest);
        LinkedMultiValueMap linkedMultiValueMap = new LinkedMultiValueMap();
        linkedMultiValueMap.add("code", str);
        linkedMultiValueMap.add(GRANT_TYPE, AUTHORIZATION_CODE);
        linkedMultiValueMap.add(CLIENT_ID, this.authClientId);
        linkedMultiValueMap.add(REDIRECT_URI, (String) httpServletRequest.getSession().getAttribute(AUTH_SERVICE_FILTER_REDIRECT_URI));
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        try {
            return Optional.ofNullable((AuthTokenResponseDto) getRestTemplate().postForObject(fixUrlFormat, new HttpEntity(linkedMultiValueMap, httpHeaders), AuthTokenResponseDto.class, new Object[0]));
        } catch (RestClientException e) {
            LOG.debug("Unable to fetch token using code: " + str, e);
            return Optional.empty();
        }
    }

    private String fixUrlFormat(String str, HttpServletRequest httpServletRequest) {
        return !str.startsWith("http") ? httpServletRequest.getScheme() + "://" + httpServletRequest.getServerName() + ":" + httpServletRequest.getServerPort() + str : str;
    }

    protected AuthUser createServiceUser() {
        if (this.serviceProxyUsername == null) {
            throw new RuntimeException("service2service enabled, but no service user is configured");
        }
        AuthUser authUser = new AuthUser();
        authUser.setUsername(this.serviceProxyUsername);
        return authUser;
    }

    protected AuthUser proxyAdminUsers(AuthUser authUser) {
        if (this.allowAdminProxy.booleanValue() && "admin".equals(authUser.getRole()) && getPrincipal(authUser.getUsername()) == null) {
            authUser.setActualUser(authUser.getUsername());
            authUser.setUsername(this.adminProxyUsername);
            LOG.warn("Proxying admin user '" + authUser.getActualUser() + "' to the proxy admin account of '" + this.adminProxyUsername + "'");
        }
        return authUser;
    }

    protected void logImpersonation(AuthUser authUser, String str) {
        if (authUser.getImpersonatedBy() == null || !getParameterService().getParameterValueAsBoolean("KC-SYS", Constants.KC_ALL_PARAMETER_DETAIL_TYPE_CODE, AUTH_IMPERSONATION_LOGGING).booleanValue()) {
            return;
        }
        CoreImpersonation coreImpersonation = new CoreImpersonation(authUser, str);
        coreImpersonation.setUpdateUser(authUser.getImpersonatedBy());
        getBusinessObjectService().save(coreImpersonation);
        LOG.warn("User in session'" + authUser.getUsername() + "' is being impersonated by'" + authUser.getImpersonatedBy() + "' as " + authUser.getDisplayName());
    }

    protected Principal getPrincipal(String str) {
        return getIdentityService().getPrincipalByPrincipalName(str);
    }

    public void destroy() {
    }

    public ConfigurationService getConfigurationService() {
        if (this.configurationService == null) {
            this.configurationService = (ConfigurationService) KcServiceLocator.getService(ConfigurationService.class);
        }
        return this.configurationService;
    }

    public void setConfigurationService(ConfigurationService configurationService) {
        this.configurationService = configurationService;
    }

    public RestOperations getRestTemplate() {
        if (this.restTemplate == null) {
            this.restTemplate = (RestOperations) KcServiceLocator.getService(RestOperations.class);
        }
        return this.restTemplate;
    }

    public void setRestTemplate(RestOperations restOperations) {
        this.restTemplate = restOperations;
    }

    public AuthServiceRestUtilService getAuthServiceRestUtilService() {
        if (this.authServiceRestUtilService == null) {
            this.authServiceRestUtilService = (AuthServiceRestUtilService) KcServiceLocator.getService(AuthServiceRestUtilService.class);
        }
        return this.authServiceRestUtilService;
    }

    public void setAuthServiceRestUtilService(AuthServiceRestUtilService authServiceRestUtilService) {
        this.authServiceRestUtilService = authServiceRestUtilService;
    }

    public IdentityService getIdentityService() {
        if (this.identityService == null) {
            this.identityService = (IdentityService) KcServiceLocator.getService(IdentityService.class);
        }
        return this.identityService;
    }

    public void setIdentityService(IdentityService identityService) {
        this.identityService = identityService;
    }

    public BusinessObjectService getBusinessObjectService() {
        if (this.businessObjectService == null) {
            this.businessObjectService = (BusinessObjectService) KcServiceLocator.getService(BusinessObjectService.class);
        }
        return this.businessObjectService;
    }

    public void setBusinessObjectService(BusinessObjectService businessObjectService) {
        this.businessObjectService = businessObjectService;
    }

    public ParameterService getParameterService() {
        if (this.parameterService == null) {
            this.parameterService = (ParameterService) KcServiceLocator.getService(ParameterService.class);
        }
        return this.parameterService;
    }

    public void setParameterService(ParameterService parameterService) {
        this.parameterService = parameterService;
    }

    public JwtService getJwtService() {
        if (this.jwtService == null) {
            this.jwtService = (JwtService) KcServiceLocator.getService(JwtService.class);
        }
        return this.jwtService;
    }

    public void setJwtService(JwtService jwtService) {
        this.jwtService = jwtService;
    }
}
