package org.kuali.research.pdf.sys.auth;

import com.nimbusds.jose.KeyLengthException;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.SignedJWT;
import io.undertow.server.protocol.ajp.AjpRequestParser;
import jakarta.servlet.FilterChain;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.Iterator;
import java.util.Set;
import java.util.UUID;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import kotlin.Metadata;
import kotlin.Pair;
import kotlin.Unit;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.SourceDebugExtension;
import kotlin.text.CharsKt;
import kotlin.text.Regex;
import kotlin.text.StringsKt;
import org.jetbrains.annotations.NotNull;
import org.kuali.research.pdf.PdfConfigPropertyNames;
import org.kuali.research.pdf.sys.extensions.CoreExtensionsKt;
import org.kuali.research.pdf.sys.extensions.ServletExtensionsKt;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.cache.annotation.Cacheable;
import org.springframework.cglib.core.Constants;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Component;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.UriComponentsBuilder;
import org.xmlresolver.logging.AbstractLogger;

/* compiled from: Auth.kt */
@Metadata(mv = {2, 1, 0}, k = 1, xi = 48, d1 = {"��\\\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0010\"\n\u0002\u0010\u000e\n\u0002\b\u0007\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u000b\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0007\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\b\n\u0002\u0010\b\n��\b\u0017\u0018��2\u00020\u0001Bc\u0012\u000e\b\u0001\u0010\u0002\u001a\b\u0012\u0004\u0012\u00020\u00040\u0003\u0012\b\b\u0001\u0010\u0005\u001a\u00020\u0004\u0012\b\b\u0001\u0010\u0006\u001a\u00020\u0004\u0012\b\b\u0001\u0010\u0007\u001a\u00020\u0004\u0012\b\b\u0001\u0010\b\u001a\u00020\u0004\u0012\b\b\u0001\u0010\t\u001a\u00020\u0004\u0012\u000e\b\u0001\u0010\n\u001a\b\u0012\u0004\u0012\u00020\u00040\u0003\u0012\b\b\u0001\u0010\u000b\u001a\u00020\f¢\u0006\u0004\b\r\u0010\u000eJ\u0010\u0010\u000f\u001a\u00020\u00102\u0006\u0010\u0011\u001a\u00020\u0012H\u0014J \u0010\u0013\u001a\u00020\u00142\u0006\u0010\u0011\u001a\u00020\u00122\u0006\u0010\u0015\u001a\u00020\u00162\u0006\u0010\u0017\u001a\u00020\u0018H\u0014J\u001a\u0010\u0019\u001a\u00020\u00102\b\u0010\u001a\u001a\u0004\u0018\u00010\u00042\u0006\u0010\u0011\u001a\u00020\u0012H\u0012J\u0010\u0010\u001b\u001a\u00020\u00102\u0006\u0010\u001c\u001a\u00020\u0004H\u0012J\u0018\u0010\u001d\u001a\u00020\u00102\u0006\u0010\u001c\u001a\u00020\u00042\u0006\u0010\u0011\u001a\u00020\u0012H\u0017J\u0012\u0010\u001e\u001a\u0004\u0018\u00010\u00042\u0006\u0010\u0011\u001a\u00020\u0012H\u0012J\u001a\u0010\u001f\u001a\u0004\u0018\u00010 
2\u0006\u0010!\u001a\u00020\u00042\u0006\u0010\u0011\u001a\u00020\u0012H\u0012J!\u0010\"\u001a\u0013\u0012\t\u0012\u00070\u0004¢\u0006\u0002\b$\u0012\u0004\u0012\u00020%0#2\u0006\u0010\u0011\u001a\u00020\u0012H\u0012J\u0018\u0010&\u001a\u00020\u00042\u0006\u0010'\u001a\u00020\u00042\u0006\u0010(\u001a\u00020\u0004H\u0012J(\u0010)\u001a\u00020%2\u0006\u0010*\u001a\u00020\u00042\u0006\u0010+\u001a\u00020\u00122\u0006\u0010,\u001a\u00020\u00042\u0006\u0010-\u001a\u00020.H\u0012R\u0014\u0010\u0002\u001a\b\u0012\u0004\u0012\u00020\u00040\u0003X\u0092\u0004¢\u0006\u0002\n��R\u000e\u0010\u0005\u001a\u00020\u0004X\u0092\u0004¢\u0006\u0002\n��R\u000e\u0010\u0006\u001a\u00020\u0004X\u0092\u0004¢\u0006\u0002\n��R\u000e\u0010\u0007\u001a\u00020\u0004X\u0092\u0004¢\u0006\u0002\n��R\u000e\u0010\b\u001a\u00020\u0004X\u0092\u0004¢\u0006\u0002\n��R\u000e\u0010\t\u001a\u00020\u0004X\u0092\u0004¢\u0006\u0002\n��R\u0014\u0010\n\u001a\b\u0012\u0004\u0012\u00020\u00040\u0003X\u0092\u0004¢\u0006\u0002\n��R\u000e\u0010\u000b\u001a\u00020\fX\u0092\u0004¢\u0006\u0002\n��¨\u0006/"}, d2 = {"Lorg/kuali/research/pdf/sys/auth/AuthFilter;", "Lorg/springframework/web/filter/OncePerRequestFilter;", "service2serviceSecrets", "", "", "baseUrl", "currentUserUrl", "authorizeUrl", "tokenUrl", "appName", "excludedUrls", "restTemplate", "Lorg/springframework/web/client/RestTemplate;", Constants.CONSTRUCTOR_NAME, "(Ljava/util/Set;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/util/Set;Lorg/springframework/web/client/RestTemplate;)V", "shouldNotFilter", "", "request", "Ljakarta/servlet/http/HttpServletRequest;", "doFilterInternal", "", AbstractLogger.RESPONSE, "Ljakarta/servlet/http/HttpServletResponse;", "filterChain", "Ljakarta/servlet/FilterChain;", "validateToken", AuthKt.AUTH_TOKEN_NAME, "validateJwt", "tokenBody", "validateCoreToken", "validateOauthReturnAndFetchCode", "fetchTokenFromCode", "Lorg/kuali/research/pdf/sys/auth/AuthTokenResponse;", "code", 
"getOauthRedirectUrlAndCookie", "Lkotlin/Pair;", "Lkotlin/jvm/internal/EnhancedNullability;", "Ljakarta/servlet/http/Cookie;", "hashToken", "token", AjpRequestParser.CONTEXT, "createCookie", "cookieName", "httpRequest", "cookieValue", "maxAge", "", "pdf"})
@ConditionalOnProperty(name = {PdfConfigPropertyNames.Auth.ENABLED})
@Component
@SourceDebugExtension({"SMAP\nAuth.kt\nKotlin\n*S Kotlin\n*F\n+ 1 Auth.kt\norg/kuali/research/pdf/sys/auth/AuthFilter\n+ 2 _Collections.kt\nkotlin/collections/CollectionsKt___CollectionsKt\n+ 3 fake.kt\nkotlin/jvm/internal/FakeKt\n*L\n1#1,292:1\n1755#2,3:293\n1557#2:297\n1628#2,3:298\n1755#2,3:301\n1#3:296\n*S KotlinDebug\n*F\n+ 1 Auth.kt\norg/kuali/research/pdf/sys/auth/AuthFilter\n*L\n106#1:293,3\n165#1:297\n165#1:298,3\n166#1:301,3\n*E\n"})
/* loaded from: input_file:BOOT-INF/classes/org/kuali/research/pdf/sys/auth/AuthFilter.class */
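public class AuthFilter extends OncePerRequestFilter {

    /*
     * Authentication filter for the PDF service (decompiled from Auth.kt).
     *
     * Per request, in order:
     *   1. requests whose URI matches one of the auth.excludedUrls patterns skip the filter;
     *   2. a presented token is accepted if it is a JWT signed with one of the
     *      service-to-service secrets, or if the core "current user" endpoint answers for it;
     *   3. otherwise API callers get 403 and browsers are sent through an OAuth
     *      authorization-code round trip whose "state" is bound to a short-lived cookie.
     *
     * Bearer tokens, authorization codes and the state MAC are credentials, so none of the
     * log statements below include their values.
     */

    /** MAC algorithm that binds the OAuth state parameter to the browser's state cookie. */
    private static final String STATE_MAC_ALGORITHM = "HmacSHA256";

    @NotNull
    private final Set<String> service2serviceSecrets;

    @NotNull
    private final String baseUrl;

    @NotNull
    private final String currentUserUrl;

    @NotNull
    private final String authorizeUrl;

    @NotNull
    private final String tokenUrl;

    @NotNull
    private final String appName;

    @NotNull
    private final Set<String> excludedUrls;

    @NotNull
    private final RestTemplate restTemplate;

    /**
     * Wires the filter from configuration.
     *
     * <p>{@code auth.baseUrl} defaults to the empty string. NOTE(review): the endpoints used for
     * token validation and the OAuth redirect are built through
     * {@code ServletExtensionsKt.baseOrCurrentUrl(request, baseUrl)}, which presumably falls back
     * to the URL of the incoming request when the base URL is blank. If so, the bearer token is
     * sent to a host derived from request data; set {@code auth.baseUrl} explicitly or confirm the
     * helper only trusts a validated host.
     *
     * @param service2serviceSecrets HMAC secrets accepted for service-to-service JWTs
     * @param baseUrl base URL of the auth service, may be blank
     * @param currentUserUrl path of the endpoint that resolves a token to a user
     * @param authorizeUrl path of the OAuth authorize endpoint
     * @param tokenUrl path of the OAuth token endpoint
     * @param appName value sent as the OAuth client id
     * @param excludedUrls regular expressions for request URIs that bypass this filter
     * @param restTemplate HTTP client used for the calls to the auth service
     */
    public AuthFilter(@Value("${auth.service2service.secrets}") @NotNull Set<String> service2serviceSecrets, @Value("${auth.baseUrl:}") @NotNull String baseUrl, @Value("${auth.currentUserUrl}") @NotNull String currentUserUrl, @Value("${auth.authorizeUrl}") @NotNull String authorizeUrl, @Value("${auth.tokenUrl}") @NotNull String tokenUrl, @Value("${spring.application.name}") @NotNull String appName, @Value("${auth.excludedUrls:/pdf/health.*,/pdf/swagger/.*,/pdf/webjars/.*}") @NotNull Set<String> excludedUrls, @Autowired @NotNull RestTemplate restTemplate) {
        Intrinsics.checkNotNullParameter(service2serviceSecrets, "service2serviceSecrets");
        Intrinsics.checkNotNullParameter(baseUrl, "baseUrl");
        Intrinsics.checkNotNullParameter(currentUserUrl, "currentUserUrl");
        Intrinsics.checkNotNullParameter(authorizeUrl, "authorizeUrl");
        Intrinsics.checkNotNullParameter(tokenUrl, "tokenUrl");
        Intrinsics.checkNotNullParameter(appName, "appName");
        Intrinsics.checkNotNullParameter(excludedUrls, "excludedUrls");
        Intrinsics.checkNotNullParameter(restTemplate, "restTemplate");
        this.service2serviceSecrets = service2serviceSecrets;
        this.baseUrl = baseUrl;
        this.currentUserUrl = currentUserUrl;
        this.authorizeUrl = authorizeUrl;
        this.tokenUrl = tokenUrl;
        this.appName = appName;
        this.excludedUrls = excludedUrls;
        this.restTemplate = restTemplate;
    }

    /**
     * Returns {@code true} when the request URI fully matches one of the excluded-URL patterns,
     * which exempts the request from authentication.
     *
     * <p>{@code getRequestURI()} is the raw path as sent by the client; the container does not
     * decode it. The match therefore happens before any normalisation, and the default patterns
     * end in {@code .*}. NOTE(review): confirm that the container or an upstream request firewall
     * rejects encoded or dot-segment paths, so that a URI accepted here cannot be routed to a
     * protected handler.
     */
    @Override // org.springframework.web.filter.OncePerRequestFilter
    protected boolean shouldNotFilter(@NotNull HttpServletRequest request) {
        Intrinsics.checkNotNullParameter(request, "request");
        String requestUri = request.getRequestURI();
        Intrinsics.checkNotNullExpressionValue(requestUri, "getRequestURI(...)");
        for (String pattern : this.excludedUrls) {
            if (new Regex(pattern).matches(requestUri)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Authenticates the request or starts / completes the OAuth authorization-code flow.
     *
     * <p>A request with a valid token continues down the chain. Without one, API requests are
     * answered with 403 and other requests are redirected to the authorize endpoint together with
     * a state cookie. On the OAuth return leg the code is exchanged for a token, which is stored
     * in a session cookie before the chain continues.
     */
    @Override // org.springframework.web.filter.OncePerRequestFilter
    protected void doFilterInternal(@NotNull HttpServletRequest request, @NotNull HttpServletResponse response, @NotNull FilterChain filterChain) {
        Intrinsics.checkNotNullParameter(request, "request");
        Intrinsics.checkNotNullParameter(response, "response");
        Intrinsics.checkNotNullParameter(filterChain, "filterChain");
        this.logger.trace("AuthFilter called");
        String authToken = AuthKt.authToken(request);
        if (validateToken(authToken, request)) {
            // The token is a bearer credential: record the outcome, never the value.
            this.logger.trace("Token validated");
            filterChain.doFilter(request, response);
            return;
        }
        if (!AuthKt.isOauthReturn(request)) {
            if (ServletExtensionsKt.isApi(request)) {
                response.sendError(403);
                return;
            }
            Pair<String, Cookie> redirect = getOauthRedirectUrlAndCookie(request);
            // maxAge 0 expires any stale auth cookie before the browser leaves for the login page.
            response.addCookie(createCookie(AuthKt.AUTH_TOKEN_NAME, request, "", 0));
            response.addCookie(redirect.getSecond());
            response.sendRedirect(redirect.getFirst());
            return;
        }
        String code = validateOauthReturnAndFetchCode(request);
        AuthTokenResponse tokenResponse = code == null ? null : fetchTokenFromCode(code, request);
        if (tokenResponse == null) {
            // State mismatch or failed code exchange: restart the flow with a fresh state.
            Pair<String, Cookie> retry = getOauthRedirectUrlAndCookie(request);
            response.addCookie(retry.getSecond());
            response.sendRedirect(retry.getFirst());
            return;
        }
        String issuedToken = tokenResponse.getAuthToken();
        Intrinsics.checkNotNull(issuedToken);
        // maxAge -1 makes this a session cookie.
        response.addCookie(createCookie(AuthKt.AUTH_TOKEN_NAME, request, issuedToken, -1));
        filterChain.doFilter(request, response);
    }

    /**
     * Accepts a token that is either a service-to-service JWT or a token the core auth service
     * recognises. Any failure, including a misconfigured secret, is treated as "not authenticated".
     *
     * <p>NOTE(review): the decompiler rendered the decision as
     * {@code validateJwt(str) ? false : validateCoreToken(...)} inside a flow with an unassigned
     * local. Taken literally that rejects every correctly signed JWT, so it is treated here as a
     * decompilation artefact of a short-circuit OR. Confirm against Auth.kt or the bytecode.
     */
    private boolean validateToken(String str, HttpServletRequest httpServletRequest) {
        if (str == null) {
            return false;
        }
        try {
            return validateJwt(str) || validateCoreToken(str, httpServletRequest);
        } catch (KeyLengthException e) {
            this.logger.error("The service2service secret provided is too short", e);
            return false;
        } catch (Exception e2) {
            this.logger.debug("Failed to validate token", e2);
            return false;
        }
    }

    /**
     * Checks whether the token is a JWT whose HMAC verifies under any configured
     * service-to-service secret.
     *
     * <p>NOTE(review): only the signature is checked in this method. The claims set (expiry,
     * not-before, issuer, audience) is never read here, so unless another component enforces
     * them a signed token stays acceptable for as long as its secret is configured.
     */
    private boolean validateJwt(String str) {
        try {
            SignedJWT jwt = SignedJWT.parse(str);
            boolean verified = false;
            for (String secret : this.service2serviceSecrets) {
                // Non-short-circuit on purpose: every verifier is constructed, so a too-short
                // secret still surfaces as KeyLengthException exactly as before.
                verified |= jwt.verify(new MACVerifier(secret));
            }
            return verified;
        } catch (ParseException e) {
            this.logger.debug("Failed to parse token as jwt", e);
            return false;
        }
    }

    /**
     * Asks the core auth service whether the token resolves to a user by calling the
     * current-user endpoint with the token in the {@code Authorization} header.
     *
     * <p>The cache key was the SpEL expression {@code tokenBody}, which is resolved against the
     * cache root object rather than the method parameter; a parameter is referenced as
     * {@code #tokenBody}. NOTE(review): the only caller in this class invokes the method on
     * {@code this}, which normally bypasses Spring's caching proxy, so the cache may never be
     * consulted. If it does become active, a cached positive result outlives token revocation
     * until the entry is evicted; confirm the "coreAuthUsers" cache has a short expiry.
     *
     * @param tokenBody token presented by the caller
     * @param request current request, used to resolve the auth service URL
     * @return {@code true} when the endpoint returned a user body; {@code false} on any error
     */
    @Cacheable(value = {"coreAuthUsers"}, key = "#tokenBody")
    public boolean validateCoreToken(@NotNull String tokenBody, @NotNull HttpServletRequest request) {
        Intrinsics.checkNotNullParameter(tokenBody, "tokenBody");
        Intrinsics.checkNotNullParameter(request, "request");
        try {
            String currentUserEndpoint = ServletExtensionsKt.baseOrCurrentUrl(request, this.baseUrl) + "/" + StringsKt.removePrefix(this.currentUserUrl, (CharSequence) "/");
            HttpHeaders headers = new HttpHeaders();
            headers.set("Authorization", CoreExtensionsKt.ensurePrefix(tokenBody, AuthKt.AUTHORIZATION_PREFIX));
            ResponseEntity<AuthUser> exchange = this.restTemplate.exchange(currentUserEndpoint, HttpMethod.GET, new HttpEntity<>((MultiValueMap<String, String>) headers), AuthUser.class, new Object[0]);
            // Log the status only; the response body carries the user record.
            this.logger.debug("User authenticated by core: " + exchange.getStatusCode());
            return exchange.getBody() != null;
        } catch (Exception e) {
            // Fail closed: transport errors and non-2xx answers both mean "not authenticated".
            this.logger.debug("Failed to validate core token", e);
            return false;
        }
    }

    /**
     * Validates the OAuth return leg and yields the authorization code when the returned
     * {@code state} matches the state cookie set before the redirect.
     *
     * <p>Reconstructed from the instruction dump that the decompiler emitted in place of this
     * method: read the "pdfAuthToken" cookie, read the state and code from the request, recompute
     * the MAC over state and redirect URI, and compare it with the cookie value. NOTE(review):
     * "pdfAuthToken" is presumably the value of {@code AuthKt.PDF_COOKIE_NAME}; confirm.
     *
     * @return the authorization code, or {@code null} when the cookie, state or code is missing
     *         or the state does not match
     */
    private String validateOauthReturnAndFetchCode(HttpServletRequest request) {
        Cookie stateCookie = ServletExtensionsKt.cookie(request, "pdfAuthToken");
        String expectedMac = stateCookie == null ? null : stateCookie.getValue();
        if (expectedMac == null) {
            return null;
        }
        String returnedState = AuthKt.oauthState(request);
        if (returnedState == null) {
            return null;
        }
        String code = AuthKt.oauthCode(request);
        if (code == null) {
            return null;
        }
        String actualMac = hashToken(returnedState, AuthKt.oauthRedirectUri(request));
        // Constant-time comparison, so response timing does not reveal how much of the MAC matched.
        boolean stateMatches = MessageDigest.isEqual(actualMac.getBytes(StandardCharsets.UTF_8), expectedMac.getBytes(StandardCharsets.UTF_8));
        if (!stateMatches) {
            this.logger.debug("OAuth state did not match the state cookie");
            return null;
        }
        return code;
    }

    /**
     * Exchanges an authorization code for a token at the token endpoint.
     *
     * <p>NOTE(review): the form carries only code, grant type, client id and redirect URI. No
     * client secret or PKCE verifier is visible here, so the exchange relies on the state binding
     * and on the authorization server's redirect-URI check.
     *
     * @return the token response, or {@code null} when the call fails
     */
    private AuthTokenResponse fetchTokenFromCode(String str, HttpServletRequest httpServletRequest) {
        try {
            String tokenEndpoint = ServletExtensionsKt.baseOrCurrentUrl(httpServletRequest, this.baseUrl) + "/" + StringsKt.removePrefix(this.tokenUrl, (CharSequence) "/");
            LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>();
            form.add("code", str);
            form.add(AuthKt.GRANT_TYPE, AuthKt.AUTHORIZATION_CODE);
            form.add(AuthKt.CLIENT_ID, this.appName);
            form.add(AuthKt.REDIRECT_URI, AuthKt.oauthRedirectUri(httpServletRequest));
            HttpHeaders headers = new HttpHeaders();
            headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
            return this.restTemplate.postForObject(tokenEndpoint, new HttpEntity<>(form, headers), AuthTokenResponse.class, new Object[0]);
        } catch (RestClientException e) {
            // The code is a one-time credential; keep it out of the log.
            this.logger.debug("Unable to fetch token using code", e);
            return null;
        }
    }

    /**
     * Builds the authorize-endpoint URL with a fresh random {@code state} and the cookie that
     * lets the return leg recognise that state. The cookie holds a MAC of the state, not the
     * state itself, and expires after 600 seconds.
     */
    private Pair<String, Cookie> getOauthRedirectUrlAndCookie(HttpServletRequest httpServletRequest) {
        String authorizeEndpoint = ServletExtensionsKt.baseOrCurrentUrl(httpServletRequest, this.baseUrl) + "/" + StringsKt.removePrefix(this.authorizeUrl, (CharSequence) "/");
        UriComponentsBuilder redirect = UriComponentsBuilder.fromUriString(authorizeEndpoint);
        String state = UUID.randomUUID().toString();
        Intrinsics.checkNotNullExpressionValue(state, "toString(...)");
        String redirectUri = AuthKt.oauthRedirectUri(httpServletRequest);
        redirect.queryParam("state", state);
        redirect.queryParam(AuthKt.CLIENT_ID, this.appName);
        redirect.queryParam(AuthKt.RESPONSE_TYPE, "code");
        redirect.queryParam(AuthKt.REDIRECT_URI, redirectUri);
        Cookie stateCookie = createCookie(AuthKt.PDF_COOKIE_NAME, httpServletRequest, hashToken(state, redirectUri), 600);
        return new Pair<>(redirect.toUriString(), stateCookie);
    }

    /**
     * Computes the value that ties an OAuth {@code state} and redirect URI to this deployment.
     *
     * <p>The previous implementation took {@code String.hashCode()} of
     * {@code secret|state|redirectUri}. That is a 32-bit non-cryptographic hash, so it neither
     * protects the secret that feeds it nor resists guessing. This version is an HMAC-SHA256
     * keyed with the first configured service-to-service secret, encoded as unpadded base64url
     * so it is safe as a cookie value.
     *
     * <p>NOTE(review): the key is shared with JWT verification, and "first" depends on the
     * iteration order of the configured set. A dedicated state-signing secret would remove both
     * couplings.
     *
     * @param str the OAuth state value
     * @param str2 the redirect URI the state was issued for
     * @return base64url-encoded MAC
     * @throws IllegalStateException if the JCA provider cannot supply or initialise the MAC
     */
    private String hashToken(String str, String str2) {
        try {
            byte[] key = CollectionsKt.first(this.service2serviceSecrets).getBytes(StandardCharsets.UTF_8);
            Mac mac = Mac.getInstance(STATE_MAC_ALGORITHM);
            mac.init(new SecretKeySpec(key, STATE_MAC_ALGORITHM));
            byte[] tag = mac.doFinal((str + "|" + str2).getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("Unable to compute OAuth state MAC", e);
        }
    }

    /**
     * Creates an HttpOnly cookie scoped to path "/" on the request's server name.
     *
     * <p>NOTE(review), three attributes depend on request data or are absent:
     * <ul>
     *   <li>{@code Secure} mirrors {@code request.isSecure()}; behind a TLS-terminating proxy that
     *       is false unless forwarded headers are honoured, and the auth cookie then travels
     *       without the Secure flag;</li>
     *   <li>{@code Domain} is set from {@code getServerName()}, i.e. from the request's Host
     *       value; leaving Domain unset would give a host-only cookie;</li>
     *   <li>no {@code SameSite} attribute is set, so cross-site behaviour is left to browser
     *       defaults.</li>
     * </ul>
     *
     * @param str cookie name
     * @param httpServletRequest request supplying the domain and secure flag
     * @param str2 cookie value
     * @param i max age in seconds; 0 deletes the cookie, a negative value makes it a session cookie
     */
    private Cookie createCookie(String str, HttpServletRequest httpServletRequest, String str2, int i) {
        Cookie cookie = new Cookie(str, str2);
        cookie.setDomain(httpServletRequest.getServerName());
        cookie.setPath("/");
        cookie.setSecure(httpServletRequest.isSecure());
        cookie.setMaxAge(i);
        cookie.setHttpOnly(true);
        return cookie;
    }
}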
