package org.kuali.kfs.sys.web.filter;

import java.io.IOException;
import java.util.Optional;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.kuali.kfs.core.api.config.property.ConfigurationService;
import org.kuali.kfs.kns.util.CookieUtils;
import org.kuali.kfs.krad.util.KRADUtils;
import org.kuali.kfs.sys.businessobject.JwtData;
import org.kuali.kfs.sys.context.SpringContext;
import org.kuali.kfs.sys.service.CoreApiKeyAuthenticationService;
import org.kuali.kfs.sys.service.JwtService;
import org.kuali.kfs.sys.util.BearerTokenContext;

/* loaded from: input_file:WEB-INF/lib/kfs-core-2025-01-08.jar:org/kuali/kfs/sys/web/filter/AuthenticationTokenFilter.class */
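/**
 * Servlet filter that ensures a request carries a usable financials auth token cookie before
 * it continues down the filter chain.
 *
 * <p>Two modes exist, selected per request by {@link CoreApiKeyAuthenticationService#useCore()}:
 * <ul>
 *   <li><b>core</b>: the financials token is checked as an API key; when it is missing or not
 *       recognised, the core auth token is copied into a new financials auth cookie.</li>
 *   <li><b>non-core</b>: the financials token is decoded as a JWT; when it is missing or cannot be
 *       decoded, a new JWT is generated for {@code getRemoteUser()} and set as the cookie.</li>
 * </ul>
 *
 * <p>Token validation is kept separate from the {@code filterChain.doFilter} call. A
 * {@link RuntimeException} raised by downstream filters or the servlet is therefore never mistaken
 * for a bad token, which would otherwise hide the failure, reissue the cookie and run the chain a
 * second time for the same request.
 *
 * <p>NOTE(review): the cookie attributes (HttpOnly / Secure / SameSite / path) are decided inside
 * {@code CookieUtils.createFinancialsAuthCookie}, which is not visible here. Verify them there.
 */
public class AuthenticationTokenFilter implements Filter {
    private static final Logger LOG = LogManager.getLogger();
    /** Configuration property holding the lifetime, in seconds, of JWTs generated by this filter. */
    public static final String JWT_EXPIRATION_SECONDS = "jwt.expiration.seconds";
    private final CookieUtils cookieUtils = new CookieUtils();
    // Collaborators are resolved lazily from SpringContext unless injected through the setters.
    private ConfigurationService configurationService;
    private JwtService jwtService;
    private CoreApiKeyAuthenticationService coreApiKeyAuthenticationService;
    private FilterConfig filterConfig;

    /**
     * Stores the filter configuration; its servlet context path is used when creating the cookie.
     *
     * @param filterConfig configuration supplied by the servlet container
     */
    @Override
    public void init(FilterConfig filterConfig) {
        this.filterConfig = filterConfig;
    }

    /**
     * Dispatches the request to the core or non-core token handling.
     *
     * @param servletRequest  incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse outgoing response; cast to {@link HttpServletResponse}
     * @param filterChain     remainder of the filter chain
     * @throws IOException      propagated from the filter chain
     * @throws ServletException propagated from the filter chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        if (getCoreApiKeyAuthenticationService().useCore()) {
            coreDoFilter(httpServletRequest, httpServletResponse, filterChain);
        } else {
            nonCoreDoFilter(httpServletRequest, httpServletResponse, filterChain);
        }
    }

    /**
     * Core mode: continues with the existing financials token when it maps to a principal,
     * otherwise replaces the cookie with the core auth token and continues.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse current response; receives the replacement cookie when needed
     * @param filterChain         remainder of the filter chain, invoked exactly once
     * @throws IOException      propagated from the filter chain
     * @throws ServletException propagated from the filter chain
     * @throws RuntimeException if the request has no core auth token
     */
    protected void coreDoFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        Optional<String> coreAuthToken = this.cookieUtils.getCoreAuthToken(httpServletRequest);
        if (!coreAuthToken.isPresent()) {
            throw new RuntimeException("Unable to access core token");
        }
        Optional<String> financialsAuthToken = this.cookieUtils.getFinancialsAuthToken(httpServletRequest);
        try {
            if (financialsAuthToken.isPresent() && isRecognisedApiKey(financialsAuthToken.get(), httpServletRequest)) {
                LOG.debug("coreDoFilter() - Setting the token context");
                BearerTokenContext.setBearerToken(financialsAuthToken.get());
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            }
            // No validated token for this request: make sure downstream code does not see one.
            BearerTokenContext.clear();
            httpServletResponse.addCookie(this.cookieUtils.createFinancialsAuthCookie(httpServletRequest, coreAuthToken.get(), this.filterConfig.getServletContext().getContextPath()));
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } finally {
            // Runs on success and on failure, so the token never outlives the request.
            LOG.debug("coreDoFilter() - Clearing the token context");
            BearerTokenContext.clear();
        }
    }

    /**
     * Non-core mode: continues with the existing financials token when it decodes as a JWT,
     * otherwise generates a new JWT for the request's remote user, sets it as the cookie and
     * continues.
     *
     * <p>NOTE(review): {@code getRemoteUser()} returns {@code null} for an unauthenticated request.
     * This method passes the value straight to {@link JwtData}, so it relies on an earlier filter
     * having authenticated the user. Confirm the filter ordering.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse current response; receives the replacement cookie when needed
     * @param filterChain         remainder of the filter chain, invoked exactly once
     * @throws IOException      propagated from the filter chain
     * @throws ServletException propagated from the filter chain
     * @throws RuntimeException if the JWT lifetime property is missing or invalid
     */
    protected void nonCoreDoFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        Optional<String> financialsAuthToken = this.cookieUtils.getFinancialsAuthToken(httpServletRequest);
        try {
            if (financialsAuthToken.isPresent() && isDecodableJwt(financialsAuthToken.get())) {
                LOG.debug("nonCoreDoFilter() - Setting the token context");
                BearerTokenContext.setBearerToken(financialsAuthToken.get());
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            }
            // No validated token for this request: make sure downstream code does not see one.
            BearerTokenContext.clear();
            String generateJwt = getJwtService().generateJwt(new JwtData(httpServletRequest.getRemoteUser(), getExpirationSeconds()));
            httpServletResponse.addCookie(this.cookieUtils.createFinancialsAuthCookie(httpServletRequest, generateJwt, this.filterConfig.getServletContext().getContextPath()));
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } finally {
            // Runs on success and on failure, so the token never outlives the request.
            LOG.debug("nonCoreDoFilter() - Clearing the token context");
            BearerTokenContext.clear();
        }
    }

    /** No resources to release. */
    @Override
    public void destroy() {
    }

    /**
     * Reads the JWT lifetime from configuration.
     *
     * @return the value of {@code jwt.expiration.seconds} parsed as an int
     * @throws RuntimeException if the property is missing or is not an integer
     */
    protected int getExpirationSeconds() {
        String propertyValueAsString = getConfigurationService().getPropertyValueAsString(JWT_EXPIRATION_SECONDS);
        if (propertyValueAsString == null) {
            LOG.error("getExpirationSeconds() Missing configuration property: jwt.expiration.seconds");
            throw new RuntimeException("Missing configuration property: jwt.expiration.seconds");
        }
        try {
            return Integer.parseInt(propertyValueAsString);
        } catch (NumberFormatException e) {
            LOG.error("getExpirationSeconds() Invalid configuration property - must be number: jwt.expiration.seconds", e);
            // Keep the cause so the offending value stays visible in the stack trace.
            throw new RuntimeException("Invalid configuration property: jwt.expiration.seconds", e);
        }
    }

    /** Returns the configuration service, looking it up in {@link SpringContext} on first use. */
    protected ConfigurationService getConfigurationService() {
        if (this.configurationService == null) {
            this.configurationService = (ConfigurationService) SpringContext.getBean(ConfigurationService.class);
        }
        return this.configurationService;
    }

    /** Returns the JWT service, looking it up in {@link SpringContext} on first use. */
    protected JwtService getJwtService() {
        if (this.jwtService == null) {
            this.jwtService = (JwtService) SpringContext.getBean(JwtService.class);
        }
        return this.jwtService;
    }

    /** Returns the core API-key service, looking it up in {@link SpringContext} on first use. */
    protected CoreApiKeyAuthenticationService getCoreApiKeyAuthenticationService() {
        if (this.coreApiKeyAuthenticationService == null) {
            this.coreApiKeyAuthenticationService = (CoreApiKeyAuthenticationService) SpringContext.getBean(CoreApiKeyAuthenticationService.class);
        }
        return this.coreApiKeyAuthenticationService;
    }

    public void setConfigurationService(ConfigurationService configurationService) {
        this.configurationService = configurationService;
    }

    public void setJwtService(JwtService jwtService) {
        this.jwtService = jwtService;
    }

    public void setCoreApiKeyAuthenticationService(CoreApiKeyAuthenticationService coreApiKeyAuthenticationService) {
        this.coreApiKeyAuthenticationService = coreApiKeyAuthenticationService;
    }

    /**
     * Reports whether the core API-key service maps the token to a principal. A runtime failure
     * during the lookup counts as "not recognised", so the caller reissues the cookie.
     */
    private boolean isRecognisedApiKey(String token, HttpServletRequest httpServletRequest) {
        boolean recognised;
        try {
            recognised = getCoreApiKeyAuthenticationService()
                    .getPrincipalIdFromApiKey(token, KRADUtils.getUserSessionFromRequest(httpServletRequest))
                    .isPresent();
        } catch (RuntimeException e) {
            recognised = false;
        }
        if (!recognised) {
            // The token value is deliberately left out of the log.
            LOG.debug("Nothing to see here, we got a bad financialsAuthToken and need to update it");
        }
        return recognised;
    }

    /**
     * Reports whether the JWT service decodes the token without throwing. What
     * {@code decodeJwt} verifies (signature, expiry, ...) is not visible from this class.
     */
    private boolean isDecodableJwt(String token) {
        try {
            getJwtService().decodeJwt(token);
            return true;
        } catch (RuntimeException e) {
            // The token value is deliberately left out of the log.
            LOG.debug("nonCoreDoFilter() - financialsAuthToken could not be decoded and will be replaced");
            return false;
        }
    }
}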
