package org.kuali.kfs.web.filter;

import java.io.IOException;
import java.util.Locale;
import java.util.Optional;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.namespace.QName;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.kuali.kfs.kns.bo.AuthenticationValidationResponse;
import org.kuali.kfs.krad.UserSession;
import org.kuali.kfs.krad.exception.AuthenticationException;
import org.kuali.kfs.krad.util.GlobalVariables;
import org.kuali.kfs.krad.util.KRADConstants;
import org.kuali.kfs.krad.util.KRADUtils;
import org.kuali.kfs.krad.web.filter.LoginFilterBase;
import org.kuali.kfs.sys.context.SpringContext;
import org.kuali.kfs.sys.service.CoreApiKeyAuthenticationService;
import org.kuali.kfs.sys.service.JwtService;
import org.kuali.rice.core.api.resourceloader.GlobalResourceLoader;
import org.kuali.rice.kim.api.identity.AuthenticationService;

/* loaded from: input_file:WEB-INF/classes/org/kuali/kfs/web/filter/ResourceLoginFilter.class */
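/**
 * Servlet filter that authenticates REST/resource requests before the rest of the chain runs.
 *
 * <p>Two credential sources are consulted, in this order:
 * <ol>
 *   <li>an {@code Authorization: Bearer <token>} header, resolved through the core API-key service
 *       when {@link CoreApiKeyAuthenticationService#useCore()} is true, otherwise by decoding the
 *       token as a financials JWT;</li>
 *   <li>only when no header is present, a {@link UserSession} already stored on the HTTP session.</li>
 * </ol>
 * A header that is present but does not yield a principal deliberately does <em>not</em> fall back to
 * the session: the request is answered with 401. A principal that resolves but may not log in is
 * answered with 403. Both failure responses are JSON bodies ({@link #UNAUTHORIZED_JSON},
 * {@link #FORBIDDEN_JSON}).
 */
public class ResourceLoginFilter extends LoginFilterBase {
    private static final Logger LOG = LogManager.getLogger();
    public static final String UNAUTHORIZED_JSON = "[ \"Unauthorized\" ]";
    public static final String FORBIDDEN_JSON = "[ \"Forbidden\" ]";

    /** Only authorization scheme this filter accepts; compared case-insensitively. */
    private static final String BEARER_SCHEME = "bearer";
    private static final String JSON_CONTENT_TYPE = "application/json";

    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        doFilter((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse, filterChain);
    }

    /**
     * Authenticates the request and, on success, establishes the user session and continues the chain.
     *
     * <p>Outcomes: no resolvable principal → 401; principal cannot log in → 403; otherwise the
     * session is (re)bound to the principal and the chain runs. {@link IllegalArgumentException}
     * and {@link AuthenticationException} raised anywhere in that sequence are logged and mapped
     * to 401. The MDC is cleared on every exit path, including exceptional ones.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response; written to directly on authentication failure
     * @param filterChain         the remaining chain, invoked only after successful authentication
     * @throws IOException      if writing the failure body fails, or the chain throws it
     * @throws ServletException if the chain throws it
     */
    private void doFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        LOG.debug("doFilter() started");
        try {
            Optional<String> principalName = getPrincipalNameFromRequest(httpServletRequest);
            if (!principalName.isPresent()) {
                sendError(httpServletResponse);
            } else if (isInactive(principalName.get())) {
                sendForbidden(httpServletResponse);
            } else {
                setUserSession(httpServletRequest, principalName.get());
                establishUserSession(httpServletRequest, httpServletResponse);
                filterChain.doFilter(httpServletRequest, httpServletResponse);
            }
        } catch (IllegalArgumentException | AuthenticationException e) {
            LOG.error("doFilter() AuthenticationException", e);
            sendError(httpServletResponse);
        } finally {
            // MDC entries are request-scoped: clear them once on every exit path so a pooled
            // thread never carries this principal's context into the next request.
            removeFromMDC();
        }
    }

    /**
     * Returns whether the authentication service reports the principal as unable to log in.
     *
     * @param str principal name to validate
     * @return true only for {@link AuthenticationValidationResponse#INVALID_PRINCIPAL_CANNOT_LOGIN};
     *         every other validation response is treated as active
     */
    protected boolean isInactive(String str) {
        return getCfAuthenticationService().validatePrincipalName(str) == AuthenticationValidationResponse.INVALID_PRINCIPAL_CANNOT_LOGIN;
    }

    /**
     * Publishes the session already stored on the request into {@link GlobalVariables}, sets the
     * session cookie, applies any backdoor user, and adds the request's context to the MDC.
     *
     * @param httpServletRequest  the authenticated request
     * @param httpServletResponse the response the session cookie is written to
     */
    protected void establishUserSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        UserSession userSessionFromRequest = KRADUtils.getUserSessionFromRequest(httpServletRequest);
        if (userSessionFromRequest != null) {
            GlobalVariables.setUserSession(userSessionFromRequest);
        }
        establishSessionCookie(httpServletRequest, httpServletResponse);
        establishBackdoorUser(httpServletRequest);
        addToMDC(httpServletRequest);
    }

    /**
     * Resolves the principal name for the request.
     *
     * <p>A non-blank {@code Authorization} header is authoritative: if it is present its verdict
     * is final, and an invalid or unparseable token yields empty rather than silently falling back
     * to an existing session. The session is consulted only when no header was sent.
     *
     * @param httpServletRequest the incoming request
     * @return the principal name, or empty when neither source yields one
     */
    private Optional<String> getPrincipalNameFromRequest(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        if (StringUtils.isNotBlank(header)) {
            return getPrincipalNameFromHeader(header);
        }
        if (isUserSessionEstablished(httpServletRequest)) {
            return Optional.of(KRADUtils.getUserSessionFromRequest(httpServletRequest).getPrincipalName());
        }
        return Optional.empty();
    }

    /**
     * Resolves a principal from an {@code Authorization} header value.
     *
     * <p>When the core API-key service is in use the key is looked up there; otherwise the token is
     * decoded as a financials JWT and its principal name taken. A token the JWT service rejects is
     * logged at debug (without the token itself) and treated as absent.
     *
     * <p>NOTE(review): the core path returns what the service calls a principal <em>id</em> while
     * the JWT path returns a principal <em>name</em>; both are later passed to
     * {@code validatePrincipalName} and {@code new UserSession(...)} — confirm the two services
     * agree on the identifier.
     *
     * @param str the raw header value; may be null
     * @return the principal, or empty when the header is malformed or the token is rejected
     */
    private Optional<String> getPrincipalNameFromHeader(String str) {
        if (str == null) {
            return Optional.empty();
        }
        Optional<String> apiKey = getApiKey(str);
        if (!apiKey.isPresent()) {
            return Optional.empty();
        }
        if (getCoreApiKeyAuthenticationService().useCore()) {
            return getCoreApiKeyAuthenticationService().getPrincipalIdFromApiKey(apiKey.get());
        }
        try {
            return Optional.of(getJwtService().decodeJwt(apiKey.get()).getPrincipalName());
        } catch (RuntimeException e) {
            // Do not include the token in the message; a rejected credential is not a server error.
            LOG.debug("getPrincipalNameFromHeader() invalid financials token", (Throwable) e);
            return Optional.empty();
        }
    }

    /**
     * Answers the request with 401 and {@link #UNAUTHORIZED_JSON}.
     *
     * @param httpServletResponse the response to write
     * @throws IOException if the body cannot be written
     */
    private void sendError(HttpServletResponse httpServletResponse) throws IOException {
        writeJsonFailure(httpServletResponse, HttpServletResponse.SC_UNAUTHORIZED, UNAUTHORIZED_JSON);
    }

    /**
     * Answers the request with 403 and {@link #FORBIDDEN_JSON}.
     *
     * @param httpServletResponse the response to write
     * @throws IOException if the body cannot be written
     */
    private void sendForbidden(HttpServletResponse httpServletResponse) throws IOException {
        writeJsonFailure(httpServletResponse, HttpServletResponse.SC_FORBIDDEN, FORBIDDEN_JSON);
    }

    /**
     * Writes an authentication-failure response: status, JSON content type, no-store caching, and
     * the bearer challenge on 401 (RFC 6750 §3), followed by the JSON body.
     *
     * @param response the response to write
     * @param status   HTTP status to set
     * @param body     JSON body to print
     * @throws IOException if the writer cannot be obtained or written
     */
    private static void writeJsonFailure(HttpServletResponse response, int status, String body) throws IOException {
        response.setStatus(status);
        // Character encoding must be set before getWriter() for it to take effect.
        response.setCharacterEncoding("UTF-8");
        response.setContentType(JSON_CONTENT_TYPE);
        // A credential failure must never be served from an intermediary cache.
        response.setHeader("Cache-Control", "no-store");
        if (status == HttpServletResponse.SC_UNAUTHORIZED) {
            response.setHeader("WWW-Authenticate", "Bearer");
        }
        response.getWriter().println(body);
    }

    /**
     * Binds a fresh {@link UserSession} for {@code str} to the HTTP session unless the session is
     * already bound to that exact principal (compared against the actual, not backdoor, person).
     *
     * <p>Note that {@code getSession()} creates a container session for every authenticated API
     * request that does not already have one.
     *
     * @param httpServletRequest the authenticated request
     * @param str                principal name to bind
     */
    protected void setUserSession(HttpServletRequest httpServletRequest, String str) {
        UserSession existing = KRADUtils.getUserSessionFromRequest(httpServletRequest);
        boolean boundToSamePrincipal = existing != null
                && existing.getActualPerson() != null
                && StringUtils.equals(existing.getActualPerson().getPrincipalName(), str);
        if (!boundToSamePrincipal) {
            httpServletRequest.getSession().setAttribute(KRADConstants.USER_SESSION_KEY, new UserSession(str));
        }
    }

    /**
     * Extracts the bearer token from an {@code Authorization} header value.
     *
     * <p>The value must consist of exactly two whitespace-separated parts whose first part is the
     * scheme {@code Bearer} (case-insensitive). Requiring the scheme to be a whole token — rather
     * than a prefix — rejects values such as {@code "Bearerx tok"} that a {@code startsWith} check
     * would accept. The header value itself is never logged.
     *
     * @param str the raw header value; must not be null
     * @return the token, or empty when the value is malformed
     */
    private Optional<String> getApiKey(String str) {
        String[] parts = str.trim().split("\\s+");
        if (!parts[0].equalsIgnoreCase(BEARER_SCHEME)) {
            LOG.error("getApiKey() authorization header missing Bearer prefix");
            return Optional.empty();
        }
        if (parts.length != 2) {
            LOG.error("getApiKey() authorization header should be two parts");
            return Optional.empty();
        }
        return Optional.of(parts[1]);
    }

    /** Looks up the core API-key authentication service from the Spring context. */
    protected CoreApiKeyAuthenticationService getCoreApiKeyAuthenticationService() {
        return (CoreApiKeyAuthenticationService) SpringContext.getBean(CoreApiKeyAuthenticationService.class);
    }

    /** Looks up the JWT service from the Spring context. */
    protected JwtService getJwtService() {
        return (JwtService) SpringContext.getBean(JwtService.class);
    }

    /** Looks up the KIM authentication service through the global resource loader. */
    protected AuthenticationService getAuthenticationService() {
        return (AuthenticationService) GlobalResourceLoader.getResourceLoader().getService(new QName("kimAuthenticationService"));
    }
}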
