package org.kuali.kfs.web.filter;

import com.newrelic.agent.security.intcodeagent.logging.IAgentConstants;
import java.io.IOException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.kuali.kfs.kns.bo.AuthenticationValidationResponse;
import org.kuali.kfs.krad.UserSession;
import org.kuali.kfs.krad.exception.AuthenticationException;
import org.kuali.kfs.krad.util.GlobalVariables;
import org.kuali.kfs.krad.util.KRADConstants;
import org.kuali.kfs.krad.util.KRADUtils;
import org.kuali.kfs.krad.web.filter.LoginFilterBase;
import org.kuali.kfs.sys.context.SpringContext;
import org.kuali.kfs.sys.service.CoreApiKeyAuthenticationService;
import org.kuali.kfs.sys.service.JwtService;
import org.kuali.kfs.sys.util.BearerTokenContext;

/* loaded from: input_file:WEB-INF/lib/kfs-core-2023-10-25.jar:org/kuali/kfs/web/filter/ResourceLoginFilter.class */
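/**
 * Servlet filter that authenticates "resource" (API) requests before they reach the rest of the chain.
 *
 * <p>Requests whose {@code pathInfo} is an exact member of {@link #getEndpointsExemptFromAuthentication()}
 * pass through untouched. Every other request must resolve to a principal name, either from an
 * {@code Authorization: Bearer <token>} header (an API key validated via
 * {@link CoreApiKeyAuthenticationService}, or otherwise a JWT decoded via {@link JwtService}) or from an
 * already established {@link UserSession}. No principal yields {@code 401}; an inactive principal yields
 * {@code 403}; otherwise the user session and {@link BearerTokenContext} are established for the chain.
 *
 * <p>The MDC entries added by {@code addToMDC} are always removed when the filter returns, whatever the
 * outcome. Header values are never written to the log because they carry the credential itself.
 */
public class ResourceLoginFilter extends LoginFilterBase {
    static final String UNAUTHORIZED_JSON = "[ \"Unauthorized\" ]";
    static final String FORBIDDEN_JSON = "[ \"Forbidden\" ]";
    private static final Logger LOG = LogManager.getLogger();
    /** Exact-match path infos that skip authentication; prefix matching is deliberately not used. */
    private static final Set<String> ENDPOINTS_EXEMPT_FROM_AUTHENTICATION =
            Set.of("/health/check", "/health/integrity");
    /** The only authentication scheme accepted in the Authorization header (compared case-insensitively). */
    private static final String BEARER_SCHEME = "Bearer";
    private static final String AUTHORIZATION_HEADER = "Authorization";

    /**
     * {@inheritDoc}
     *
     * <p>Narrows the servlet request/response to their HTTP variants; this filter is only mapped to HTTP.
     */
    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        doFilter((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse, filterChain);
    }

    /**
     * Authenticates the request (unless its path is exempt) and then continues the chain.
     *
     * <p>An {@link IllegalArgumentException} or {@link AuthenticationException} raised while authenticating or
     * while running the rest of the chain is reported to the client as {@code 401}. The MDC is cleared on
     * every exit path, including exceptions that propagate.
     *
     * @throws IOException      if the response cannot be written
     * @throws ServletException propagated from the rest of the chain
     */
    private void doFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            FilterChain filterChain) throws IOException, ServletException {
        LOG.debug("doFilter() started");
        try {
            if (pathRequiresAuthentication(httpServletRequest)) {
                Optional<String> principalName = getPrincipalNameFromRequest(httpServletRequest);
                if (principalName.isEmpty()) {
                    sendError(httpServletResponse);
                    return;
                }
                if (isInactive(principalName.get())) {
                    sendForbidden(httpServletResponse);
                    return;
                }
                setUserSession(httpServletRequest, principalName.get());
                establishUserSession(httpServletRequest, httpServletResponse);
                setBearerTokenContext(httpServletRequest);
            }
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } catch (IllegalArgumentException | AuthenticationException e) {
            LOG.error("doFilter() AuthenticationException", e);
            sendError(httpServletResponse);
        } finally {
            // One removal per invocation on every path (normal, early return, caught, or propagating).
            removeFromMDC();
        }
    }

    /**
     * Decides whether the request must carry a principal.
     *
     * @return {@code true} unless the request's {@code pathInfo} is an exact member of the exempt set
     */
    private boolean pathRequiresAuthentication(HttpServletRequest httpServletRequest) {
        LOG.debug("pathRequiresAuthentication(...) - Enter");
        String pathInfo = httpServletRequest.getPathInfo();
        // getPathInfo() is null when the request has no extra path. Set.of(...) throws NPE on a null
        // lookup, and an unknown path must fail closed, so a null path is treated as protected.
        boolean requiresAuthentication =
                pathInfo == null || !getEndpointsExemptFromAuthentication().contains(pathInfo);
        LOG.debug("pathRequiresAuthentication(...) - Exit : pathRequiresAuthentication={}", requiresAuthentication);
        return requiresAuthentication;
    }

    /**
     * Path infos (exact matches) that are served without authentication. Subclasses may widen the set.
     *
     * @return an unmodifiable set of path infos
     */
    protected Set<String> getEndpointsExemptFromAuthentication() {
        return ENDPOINTS_EXEMPT_FROM_AUTHENTICATION;
    }

    /**
     * @return {@code true} when the authentication service reports that the principal may not log in
     */
    private boolean isInactive(String principalName) {
        return getCfAuthenticationService().validatePrincipalName(principalName)
                == AuthenticationValidationResponse.INVALID_PRINCIPAL_CANNOT_LOGIN;
    }

    /**
     * Publishes the request's {@link UserSession} (when present) to {@link GlobalVariables}, then performs
     * the inherited cookie, backdoor-user and MDC setup.
     */
    protected void establishUserSession(HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse) {
        UserSession userSession = KRADUtils.getUserSessionFromRequest(httpServletRequest);
        if (userSession != null) {
            GlobalVariables.setUserSession(userSession);
        }
        establishSessionCookie(httpServletRequest, httpServletResponse);
        establishBackdoorUser(httpServletRequest);
        addToMDC(httpServletRequest);
    }

    /**
     * Resolves the principal name for the request.
     *
     * <p>A non-blank Authorization header always takes precedence over an existing session; the session is
     * consulted only when no header is presented.
     *
     * @return the principal name, or empty when the request carries no usable credential
     */
    private Optional<String> getPrincipalNameFromRequest(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
        UserSession userSession = KRADUtils.getUserSessionFromRequest(httpServletRequest);
        if (StringUtils.isNotBlank(header)) {
            return getPrincipalNameFromHeader(header, userSession);
        }
        // Guard against an "established" session that cannot be loaded from the request: fail closed (401)
        // instead of throwing from inside the filter.
        if (isUserSessionEstablished(httpServletRequest) && userSession != null) {
            return Optional.ofNullable(userSession.getPrincipalName());
        }
        return Optional.empty();
    }

    /**
     * Resolves the principal name from a bearer token.
     *
     * <p>When the core API-key service is enabled the token is treated as an API key; otherwise it is decoded
     * as a financials JWT. A token that cannot be decoded is reported as "no principal" rather than as an
     * error, so the caller answers {@code 401}.
     *
     * @param authorizationHeader raw Authorization header value
     * @param userSession         the request's current session, passed through to the API-key service
     * @return the principal name, or empty when the token is malformed or invalid
     */
    private Optional<String> getPrincipalNameFromHeader(String authorizationHeader, UserSession userSession) {
        if (StringUtils.isBlank(authorizationHeader)) {
            return Optional.empty();
        }
        Optional<String> apiKey = getApiKey(authorizationHeader);
        if (apiKey.isEmpty()) {
            return Optional.empty();
        }
        CoreApiKeyAuthenticationService coreApiKeyService = getCoreApiKeyAuthenticationService();
        if (coreApiKeyService.useCore()) {
            // NOTE(review): the service method is named ...PrincipalId... but its value is used as a
            // principal name throughout this filter - confirm against the service contract.
            return coreApiKeyService.getPrincipalIdFromApiKey(apiKey.get(), userSession);
        }
        try {
            return Optional.ofNullable(getJwtService().decodeJwt(apiKey.get()).getPrincipalName());
        } catch (RuntimeException e) {
            // Debug level only: the token is untrusted client input and is not logged.
            LOG.debug("getPrincipalNameFromHeader() invalid financials token", (Throwable) e);
            return Optional.empty();
        }
    }

    /**
     * Writes a {@code 401 Unauthorized} JSON response with the Bearer challenge required by RFC 7235.
     */
    private static void sendError(HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        httpServletResponse.setHeader("WWW-Authenticate", BEARER_SCHEME);
        writeJson(httpServletResponse, UNAUTHORIZED_JSON);
    }

    /**
     * Writes a {@code 403 Forbidden} JSON response for a known but inactive principal.
     */
    private static void sendForbidden(HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
        writeJson(httpServletResponse, FORBIDDEN_JSON);
    }

    /** Sets the JSON content type (must precede {@code getWriter()}) and writes the body. */
    private static void writeJson(HttpServletResponse httpServletResponse, String body) throws IOException {
        httpServletResponse.setContentType("application/json");
        httpServletResponse.getWriter().println(body);
    }

    /**
     * Stores a fresh {@link UserSession} for the principal unless the existing session's actual person is
     * already that principal.
     *
     * @param principalName the authenticated principal name
     */
    protected void setUserSession(HttpServletRequest httpServletRequest, String principalName) {
        UserSession existing = KRADUtils.getUserSessionFromRequest(httpServletRequest);
        boolean sameActualPerson = existing != null
                && existing.getActualPerson() != null
                && StringUtils.equals(existing.getActualPerson().getPrincipalName(), principalName);
        if (!sameActualPerson) {
            httpServletRequest.getSession().setAttribute(KRADConstants.USER_SESSION_KEY, new UserSession(principalName));
        }
    }

    /**
     * Parses {@code "Bearer <token>"} into the token.
     *
     * <p>The scheme must be exactly {@code Bearer} (case-insensitive) and the header must consist of
     * exactly two space-separated parts; anything else is rejected and logged (without the value).
     *
     * @return the token, or empty when the header is malformed
     */
    private static Optional<String> getApiKey(String authorizationHeader) {
        // NOTE(review): REGEX_SPACE is referenced from the New Relic agent constants as decompiled; its
        // exact pattern is not visible here - confirm before replacing it with a local constant.
        String[] parts = authorizationHeader.split(IAgentConstants.REGEX_SPACE);
        if (!BEARER_SCHEME.equalsIgnoreCase(parts[0])) {
            LOG.error("getApiKey() authorization header missing Bearer prefix");
            return Optional.empty();
        }
        if (parts.length != 2) {
            LOG.error("getApiKey() authorization header should be two parts");
            return Optional.empty();
        }
        return Optional.of(parts[1]);
    }

    /** @return the Spring-managed API-key authentication service (overridable for tests) */
    protected CoreApiKeyAuthenticationService getCoreApiKeyAuthenticationService() {
        return SpringContext.getBean(CoreApiKeyAuthenticationService.class);
    }

    /** @return the Spring-managed JWT service (overridable for tests) */
    protected JwtService getJwtService() {
        return SpringContext.getBean(JwtService.class);
    }

    /**
     * Publishes the request's bearer token to {@link BearerTokenContext} when one is present. Called only
     * after the principal has been resolved and accepted.
     */
    private static void setBearerTokenContext(HttpServletRequest httpServletRequest) {
        LOG.debug("setBearerTokenContext(...) - Enter : request={}", httpServletRequest);
        extractBearerToken(httpServletRequest).ifPresent(BearerTokenContext::setBearerToken);
        LOG.debug("setBearerTokenContext(...) - Exit");
    }

    /**
     * Extracts the bearer token from the Authorization header using the same parsing rules as
     * {@link #getApiKey(String)}, so the token placed in context is the one that was authenticated.
     *
     * <p>Only the presence of the header and of the token is logged, never their values.
     *
     * @return the token, or empty when no well-formed Bearer header is present
     */
    private static Optional<String> extractBearerToken(HttpServletRequest httpServletRequest) {
        LOG.debug("extractBearerToken(...) - Enter : request={}", httpServletRequest);
        String header = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
        boolean headerPresent = StringUtils.isNotBlank(header);
        LOG.debug("extractBearerToken(...) - authorizationHeaderPresent={}", headerPresent);
        Optional<String> token = headerPresent ? getApiKey(header) : Optional.empty();
        LOG.debug("extractBearerToken(...) - Exit : bearerTokenPresent={}", token.isPresent());
        return token;
    }
}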
