package org.kuali.kfs.sys.web.filter;

import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Objects;
import java.util.Optional;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.math.NumberUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.kuali.kfs.sys.rest.exception.NotOkStatusException;
import org.kuali.kfs.sys.web.WebClientFactory;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.reactive.function.client.WebClientResponseException;
import org.springframework.web.util.UriComponentsBuilder;
import reactor.core.publisher.Mono;

/* loaded from: input_file:WEB-INF/lib/kfs-core-2023-07-19.jar:org/kuali/kfs/sys/web/filter/CoreAuthenticationFilter.class */
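/**
 * Servlet filter that authenticates requests against a remote auth service.
 *
 * <p>Per-request flow, as implemented in {@link #doFilter}:
 * <ol>
 *   <li>If an {@code AuthUser} is already stored in the HTTP session, the request is passed on
 *       with that user's name exposed through {@code getRemoteUser()}.</li>
 *   <li>Otherwise the {@code authToken} cookie is read and sent as a bearer token to
 *       {@code <authBaseUrl>/api/v1/users/current}.</li>
 *   <li>A missing cookie or a rejected token results in a redirect to
 *       {@code <authBaseUrl>/auth?return_to=...}.</li>
 * </ol>
 *
 * <p>NOTE(review): once a user is stored in the session it is trusted for the lifetime of that
 * session. This class never reads {@code getSecondsToCacheAuthTokenResponse()}, so a token revoked
 * at the auth service keeps working until the session ends unless that TTL is enforced elsewhere.
 */
public class CoreAuthenticationFilter implements Filter {
    private static final Logger LOG = LogManager.getLogger();
    private static final WebClient WEB_CLIENT = WebClientFactory.create();
    private static final String AUTH_SERVICE_FILTER_AUTH_TOKEN_SESSION_ATTR = "AUTH_SERVICE_FILTER_AUTH_TOKEN";
    static final String AUTH_SERVICE_FILTER_AUTHED_USER_ATTR = "AUTH_SERVICE_FILTER_AUTHED_USER";
    static final String AUTH_CONFIGURATION_CLASS = "authConfigurationClass";
    static final String AUTH_BASE_URL_PARAM = "authBaseUrl";
    static final String CACHE_TTL_PARAM = "secondsToCacheAuthTokenResponse";
    private static final String AUTH_TOKEN_COOKIE_NAME = "authToken";
    private static final String AUTH_RETURN_TO = "/auth?return_to=";
    private static final String USERS_URL = "/api/v1/users";
    private static final String CURRENT_USER_APPEND = "/current";
    private static final String AUTHORIZATION_PREFIX = "Bearer ";
    private static final String AUTHORIZATION_HEADER_NAME = "Authorization";
    private static final String CONTENT_TYPE = "application/json";
    private String authServiceUrl;
    private AuthConfiguration authConfiguration;

    /* loaded from: input_file:WEB-INF/lib/kfs-core-2023-07-19.jar:org/kuali/kfs/sys/web/filter/CoreAuthenticationFilter$AuthServiceRequestWrapper.class */
    /**
     * Request wrapper that reports the authenticated user's name as the remote user, so that
     * downstream code calling {@code getRemoteUser()} sees the identity resolved by this filter.
     */
    public static class AuthServiceRequestWrapper extends HttpServletRequestWrapper {
        private final String username;

        AuthServiceRequestWrapper(String str, HttpServletRequest httpServletRequest) {
            super(httpServletRequest);
            this.username = str;
        }

        /**
         * @return the user name supplied at construction time (may be {@code null})
         */
        @Override // javax.servlet.http.HttpServletRequestWrapper, javax.servlet.http.HttpServletRequest
        public String getRemoteUser() {
            return this.username;
        }

        /**
         * Two wrappers are equal when they are of the same class and carry the same user name;
         * the wrapped request is not part of the comparison.
         */
        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            final AuthServiceRequestWrapper other = (AuthServiceRequestWrapper) obj;
            return Objects.equals(this.username, other.username);
        }

        /**
         * @return the hash of the user name, or {@code 0} when the user name is {@code null}
         */
        @Override
        public int hashCode() {
            return Objects.hashCode(this.username);
        }
    }

    /**
     * Configures the filter from its init parameters.
     *
     * <p>When both {@code authBaseUrl} and {@code secondsToCacheAuthTokenResponse} are non-blank
     * they are used directly; otherwise the class named by {@code authConfigurationClass} is
     * instantiated and supplies the configuration.
     *
     * @param filterConfig the container-supplied filter configuration
     * @throws ServletException if neither form of configuration is available, or the configuration
     *     class cannot be instantiated
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        LOG.debug("init() started");
        final String authBaseUrl = filterConfig.getInitParameter(AUTH_BASE_URL_PARAM);
        final String cacheTtlSeconds = filterConfig.getInitParameter(CACHE_TTL_PARAM);
        if (StringUtils.isNotBlank(authBaseUrl) && StringUtils.isNotBlank(cacheTtlSeconds)) {
            this.authServiceUrl = authBaseUrl;
            this.authConfiguration = new AuthConfiguration() { // from class: org.kuali.kfs.sys.web.filter.CoreAuthenticationFilter.1
                @Override // org.kuali.kfs.sys.web.filter.AuthConfiguration
                public Long getSecondsToCacheAuthTokenResponse() {
                    // NumberUtils.toLong falls back to 0 for a value that is not a valid long.
                    return Long.valueOf(NumberUtils.toLong(cacheTtlSeconds));
                }

                @Override // org.kuali.kfs.sys.web.filter.AuthConfiguration
                public String getAuthBaseUrl() {
                    return authBaseUrl;
                }
            };
            return;
        }
        final String configurationClassName = filterConfig.getInitParameter(AUTH_CONFIGURATION_CLASS);
        if (configurationClassName == null) {
            LOG.fatal("init() Unable to initialize CoreAuthenticationFilter: {} init parameter is missing", AUTH_CONFIGURATION_CLASS);
            throw new ServletException("authConfigurationClass init parameter is missing");
        }
        initializeFilter(configurationClassName);
    }

    /**
     * Authenticates the request, or redirects the client to the auth service login page.
     *
     * @param servletRequest the incoming request; cast to {@code HttpServletRequest}
     * @param servletResponse the outgoing response; cast to {@code HttpServletResponse}
     * @param filterChain the remaining filter chain, invoked only for authenticated requests
     * @throws IOException if the redirect or the downstream chain fails with an I/O error
     * @throws ServletException if the filter was never configured, or the downstream chain fails
     */
    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        LOG.debug("doFilter() started");
        // Fail closed: without configuration no request is allowed through.
        if (this.authConfiguration == null) {
            LOG.fatal("init() Unable to initialize CoreAuthenticationFilter: authConfigurationClass init parameter is missing");
            throw new ServletException("authConfigurationClass init parameter is missing");
        }
        final HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        final HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;

        // A user already bound to the session is trusted without contacting the auth service again.
        final AuthUser sessionUser = (AuthUser) httpServletRequest.getSession().getAttribute(AUTH_SERVICE_FILTER_AUTHED_USER_ATTR);
        if (sessionUser != null) {
            LOG.debug("doFilter() user in session");
            filterChain.doFilter(new AuthServiceRequestWrapper(sessionUser.getUsername(), httpServletRequest), httpServletResponse);
            return;
        }

        final Cookie authToken = getAuthToken(httpServletRequest);
        if (authToken == null) {
            LOG.debug("doFilter() No auth cookie, redirecting to login page");
            redirectToLogin(httpServletRequest, httpServletResponse);
            return;
        }
        LOG.debug("doFilter() auth cookie found");

        // The cookie value is client-supplied; it is only trusted after the auth service accepts it.
        final Optional<AuthUser> authUserFromToken = getAuthUserFromToken(authToken.getValue());
        if (!authUserFromToken.isPresent()) {
            LOG.debug("doFilter() invalid token, redirecting to login page");
            httpServletRequest.getSession().removeAttribute(AUTH_SERVICE_FILTER_AUTHED_USER_ATTR);
            httpServletRequest.getSession().removeAttribute(AUTH_SERVICE_FILTER_AUTH_TOKEN_SESSION_ATTR);
            redirectToLogin(httpServletRequest, httpServletResponse);
            return;
        }
        LOG.debug("doFilter() validated token with core");
        final AuthUser validatedUser = authUserFromToken.get();
        validatedUser.setAuthToken(authToken.getValue());
        // NOTE(review): the user is bound to the session that existed before authentication and the
        // session id is not rotated here. Rotating it at this point (e.g. changeSessionId()) is the
        // usual session-fixation mitigation; confirm how parallel first requests would behave before
        // adding it, or that the container already rotates the id.
        // NOTE(review): the bearer token is stored in the session twice (on the user object and
        // under its own attribute); check whether sessions are persisted or replicated.
        httpServletRequest.getSession().setAttribute(AUTH_SERVICE_FILTER_AUTHED_USER_ATTR, validatedUser);
        httpServletRequest.getSession().setAttribute(AUTH_SERVICE_FILTER_AUTH_TOKEN_SESSION_ATTR, authToken.getValue());
        filterChain.doFilter(new AuthServiceRequestWrapper(validatedUser.getUsername(), httpServletRequest), httpServletResponse);
    }

    /** Nothing to release; the filter holds no per-instance resources. */
    @Override
    public void destroy() {
    }

    /**
     * Finds the first cookie named {@code authToken} on the request.
     *
     * @param httpServletRequest the request whose cookies are searched
     * @return the matching cookie, or {@code null} when the request has no cookies or no match
     */
    private static Cookie getAuthToken(HttpServletRequest httpServletRequest) {
        final Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        return Arrays.stream(cookies)
                .filter(cookie -> AUTH_TOKEN_COOKIE_NAME.equals(cookie.getName()))
                .findFirst()
                .orElse(null);
    }

    /**
     * Redirects the client to the auth service login page, passing the originally requested URL
     * (including its query string, if any) in the {@code return_to} parameter.
     *
     * <p>The whole return target is URL-encoded as one parameter value. Without this, characters
     * in the request path such as {@code &} or {@code #} would be read by the auth service as
     * parameter or fragment delimiters rather than as part of {@code return_to}.
     *
     * <p>NOTE(review): the request URL is built from client-supplied data, so the auth service is
     * expected to validate {@code return_to} against the hosts it is willing to redirect to; that
     * check is not visible from this class.
     *
     * @param httpServletRequest the request that needs authentication
     * @param httpServletResponse the response on which the redirect is sent
     * @throws IOException if the redirect cannot be sent
     */
    void redirectToLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String returnTo = String.valueOf(httpServletRequest.getRequestURL());
        final String queryString = httpServletRequest.getQueryString();
        if (queryString != null && !queryString.isEmpty()) {
            returnTo = returnTo + "?" + queryString;
        }
        httpServletResponse.sendRedirect(this.authServiceUrl + AUTH_RETURN_TO + URLEncoder.encode(returnTo, StandardCharsets.UTF_8));
    }

    /**
     * Loads the configuration class and takes the auth service base URL from it.
     *
     * @param str fully qualified name of the {@code AuthConfiguration} implementation
     * @throws ServletException if the class cannot be instantiated
     */
    private void initializeFilter(String str) throws ServletException {
        this.authConfiguration = createInstanceOfAuthConfiguration(str);
        this.authServiceUrl = this.authConfiguration.getAuthBaseUrl();
    }

    /**
     * Instantiates the named {@code AuthConfiguration} implementation through its no-argument
     * constructor. The class name comes from the filter's init parameters.
     *
     * @param str fully qualified class name
     * @return a new instance of the named class
     * @throws ServletException if the class is missing, is not an {@code AuthConfiguration}, or
     *     cannot be constructed; the underlying exception is kept as the cause
     */
    private static AuthConfiguration createInstanceOfAuthConfiguration(String str) throws ServletException {
        try {
            return (AuthConfiguration) Class.forName(str).getDeclaredConstructor().newInstance();
        } catch (ClassCastException | ReflectiveOperationException e) {
            LOG.error("createInstanceOfAuthConfiguration() Unable to create instance of authConfiguration class", e);
            throw new ServletException("Unable to create instance of authConfiguration class: " + str, e);
        }
    }

    /**
     * Asks the auth service which user the given token belongs to.
     *
     * @param str the bearer token taken from the {@code authToken} cookie
     * @return the user for the token, or an empty {@code Optional} when the auth service answers
     *     with an error status, an error response, or no body
     */
    protected Optional<AuthUser> getAuthUserFromToken(String str) {
        try {
            // ofNullable: a successful response without a body yields null and must be treated as
            // "not authenticated" rather than failing with a NullPointerException.
            return Optional.ofNullable(invokeWebResource(str));
        } catch (NotOkStatusException e) {
            LOG.debug("getAuthUserFromToken() non-OK response from core: {}", e::getHttpStatus);
            return Optional.empty();
        } catch (WebClientResponseException e2) {
            // NOTE(review): the raw response body is written to the debug log; confirm it cannot
            // carry sensitive data before enabling debug logging in production.
            LOG.debug("getAuthUserFromToken(...) - error retrieving response from auth API: Content-Type={}; content={}", e2.getHeaders().getFirst("Content-Type"), e2.getResponseBodyAsString());
            return Optional.empty();
        }
    }

    /**
     * Performs a blocking GET on {@code <authBaseUrl>/api/v1/users/current} with the token in the
     * {@code Authorization} header.
     *
     * @param str the bearer token to present
     * @return the user described by the response body; may be {@code null} when the body is empty
     * @throws NotOkStatusException if the auth service responds with an error status
     */
    protected AuthUser invokeWebResource(String str) {
        final String currentUserUrl = this.authConfiguration.getAuthBaseUrl() + USERS_URL + CURRENT_USER_APPEND;
        return WEB_CLIENT.get()
                .uri(UriComponentsBuilder.fromUriString(currentUserUrl).build().toUri())
                .header("Accept", CONTENT_TYPE)
                .header(AUTHORIZATION_HEADER_NAME, AUTHORIZATION_PREFIX + str)
                .header("Content-Type", CONTENT_TYPE)
                .retrieve()
                .onStatus(
                        status -> status.isError(),
                        clientResponse -> Mono.error(new NotOkStatusException(clientResponse.statusCode())))
                .bodyToMono(AuthUser.class)
                .block();
    }
}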
