package com.erudika.para.security;

import com.erudika.para.Para;
import com.erudika.para.core.App;
import com.erudika.para.core.User;
import com.erudika.para.core.utils.CoreUtils;
import com.erudika.para.rest.RestUtils;
import com.erudika.para.security.filters.AmazonAuthFilter;
import com.erudika.para.security.filters.FacebookAuthFilter;
import com.erudika.para.security.filters.GenericOAuth2Filter;
import com.erudika.para.security.filters.GitHubAuthFilter;
import com.erudika.para.security.filters.GoogleAuthFilter;
import com.erudika.para.security.filters.LdapAuthFilter;
import com.erudika.para.security.filters.LinkedInAuthFilter;
import com.erudika.para.security.filters.MicrosoftAuthFilter;
import com.erudika.para.security.filters.PasswordAuthFilter;
import com.erudika.para.security.filters.PasswordlessAuthFilter;
import com.erudika.para.security.filters.SlackAuthFilter;
import com.erudika.para.security.filters.TwitterAuthFilter;
import com.erudika.para.utils.Config;
import com.erudika.para.utils.Utils;
import com.erudika.para.utils.filters.CORSFilter;
import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.text.ParseException;
import java.util.HashMap;
import java.util.Map;
import javax.inject.Inject;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.util.Assert;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:com/erudika/para/security/JWTRestfulAuthFilter.class */
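/**
 * Servlet filter implementing JWT ("Bearer") authentication for the REST API.
 *
 * <p>Two jobs are done here:
 * <ol>
 *   <li>Requests matching the configured token endpoint (see the constructor) are served directly
 *       and never passed down the chain: {@code POST} mints a new token from a provider credential,
 *       {@code GET} refreshes an existing token, {@code DELETE} revokes every token of the caller.</li>
 *   <li>Every other strict REST request that carries a Bearer token (and has no authentication in the
 *       security context yet) is authenticated through the {@link AuthenticationManager} and the
 *       resulting {@link Authentication} is placed into the {@link SecurityContextHolder}.</li>
 * </ol>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #getJWTfromRequest} only <em>parses</em> the token; it does not verify the signature.
 *       Signature/expiry verification is expected to happen inside
 *       {@code authenticationManager.authenticate(...)} (not visible in this file - confirm in the
 *       provider). Nothing derived from an unverified token is trusted before that call succeeds,
 *       except DB lookups of the app/user named by its claims.</li>
 *   <li>The Bearer token is also accepted from an {@code Authorization} request <em>parameter</em>;
 *       tokens in URLs leak into access logs, browser history and Referer headers. Prefer the header.</li>
 *   <li>The {@code user} object is serialised into the token response as-is; make sure its JSON
 *       mapping excludes secrets (password hash, token secret) - not verifiable from this file.</li>
 * </ul>
 */
public class JWTRestfulAuthFilter extends GenericFilterBean {
    private AuthenticationManager authenticationManager;
    private AntPathRequestMatcher authenticationRequestMatcher;
    private FacebookAuthFilter facebookAuth;
    private GoogleAuthFilter googleAuth;
    private GitHubAuthFilter githubAuth;
    private LinkedInAuthFilter linkedinAuth;
    private TwitterAuthFilter twitterAuth;
    private MicrosoftAuthFilter microsoftAuth;
    private SlackAuthFilter slackAuth;
    private AmazonAuthFilter amazonAuth;
    private GenericOAuth2Filter oauth2Auth;
    private LdapAuthFilter ldapAuth;
    private PasswordAuthFilter passwordAuth;
    private PasswordlessAuthFilter passwordlessAuth;
    /** Action name associated with this filter (kept for callers; unused within this class). */
    public static final String JWT_ACTION = "jwt_auth";

    /**
     * Creates the filter.
     *
     * @param filterProcessesUrl Ant-style path of the token endpoint handled by this filter
     */
    public JWTRestfulAuthFilter(String filterProcessesUrl) {
        setFilterProcessesUrl(filterProcessesUrl);
    }

    /**
     * Dispatches token-endpoint requests to the handlers below, otherwise authenticates
     * Bearer-carrying REST requests and continues the chain.
     *
     * @throws IOException      from the handlers or the delegated-token check
     * @throws ServletException from the rest of the filter chain
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        if (this.authenticationRequestMatcher.matches(request)) {
            String method = request.getMethod();
            if ("POST".equals(method)) {
                newTokenHandler(request, response);
            } else if ("GET".equals(method)) {
                refreshTokenHandler(request, response);
            } else if ("DELETE".equals(method)) {
                revokeAllTokensHandler(request, response);
            }
            // Any other method on the token endpoint is neither answered nor passed down the chain;
            // the response is sent as-is (typically an empty 200). Preserved deliberately: an earlier
            // filter (e.g. CORS) may rely on OPTIONS reaching here harmlessly - confirm before changing to 405.
            return;
        }

        if (RestRequestMatcher.INSTANCE_STRICT.matches(request)
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            try {
                JWTAuthentication candidate = getJWTfromRequest(request);
                if (candidate == null) {
                    // No usable token: advertise the scheme, but let the chain decide (anonymous access may be fine).
                    response.setHeader("WWW-Authenticate", "Bearer");
                } else {
                    // Verification of the token happens in the manager; only then is the context populated.
                    Authentication verified = this.authenticationManager.authenticate(candidate);
                    validateDelegatedTokenIfNecessary(candidate);
                    SecurityContextHolder.getContext().setAuthentication(verified);
                }
            } catch (AuthenticationException e) {
                response.setHeader("WWW-Authenticate", "Bearer error=\"invalid_token\"");
                this.logger.debug("AuthenticationManager rejected JWT Authentication.", e);
            }
        }
        filterChain.doFilter(request, response);
    }

    /**
     * {@code POST} on the token endpoint: exchanges a provider credential ({@code token}) for a Para JWT.
     * Expects a JSON body with {@code provider}, {@code appid} and {@code token}.
     *
     * @return true if a token was issued, false if an error response was written
     * @throws IOException if the request body cannot be read
     */
    private boolean newTokenHandler(HttpServletRequest request, HttpServletResponse response) throws IOException {
        Response parsed = RestUtils.getEntity(request.getInputStream(), Map.class);
        if (parsed.getStatusInfo() != Response.Status.OK) {
            RestUtils.returnStatusResponse(response, parsed.getStatus(), parsed.getEntity().toString());
            return false;
        }
        Map<?, ?> body = (Map<?, ?>) parsed.getEntity();
        // Non-string values are treated as missing rather than blowing up with a ClassCastException (body is untrusted).
        String provider = stringField(body, "provider");
        String appid = stringField(body, "appid");
        String token = stringField(body, "token");
        if (provider == null || appid == null || token == null) {
            RestUtils.returnStatusResponse(response, 400,
                    "Some of the required query parameters 'provider', 'appid', 'token', are missing.");
            return false;
        }
        // Root app access for clients is opt-in via configuration.
        if (App.isRoot(appid) && !Config.getConfigBoolean("clients_can_access_root_app", false)) {
            RestUtils.returnStatusResponse(response, 403, "Can't authenticate user with app '" + appid
                    + "' using provider '" + provider + "'. Reason: clients aren't allowed to access root app.");
            return false;
        }
        App app = (App) Para.getDAO().read(App.id(appid));
        if (app == null) {
            // NOTE(review): CORSFilter.DEFAULT_EXPOSED_HEADERS here looks like a decompiler artifact standing in
            // for an equal-valued constant (presumably ""); kept verbatim because its value is not visible here.
            RestUtils.returnStatusResponse(response, 400, "User belongs to app '" + appid + "' which does not exist. "
                    + (App.isRoot(appid) ? "Make sure you have initialized Para." : CORSFilter.DEFAULT_EXPOSED_HEADERS));
            return false;
        }
        // Unknown providers make getOrCreateUser() return null, which also ends up here.
        User user = SecurityUtils.getAuthenticatedUser(getOrCreateUser(app, provider, token));
        if (user == null) {
            RestUtils.returnStatusResponse(response, 400,
                    "Failed to authenticate user with '" + provider + "'. Check if user is active.");
            return false;
        }
        SignedJWT jwt = SecurityUtils.generateJWToken(user, app);
        if (jwt == null) {
            // Fix: previously this fell through to the "missing parameters" 400, which misreported a server-side
            // failure to mint the token.
            RestUtils.returnStatusResponse(response, 500, "Failed to generate token.");
            return false;
        }
        successHandler(response, user, jwt);
        return true;
    }

    /**
     * {@code GET} on the token endpoint: issues a fresh JWT to the holder of a still-valid one.
     *
     * @return true if a token was issued, false if a 401 was written
     */
    private boolean refreshTokenHandler(HttpServletRequest request, HttpServletResponse response) {
        JWTAuthentication candidate = getJWTfromRequest(request);
        if (candidate != null) {
            try {
                User user = SecurityUtils.getAuthenticatedUser(candidate);
                if (user != null) {
                    // The manager is what actually verifies the presented token before anything is minted.
                    JWTAuthentication verified = (JWTAuthentication) this.authenticationManager.authenticate(candidate);
                    validateDelegatedTokenIfNecessary(verified);
                    if (verified != null && verified.getApp() != null) {
                        SignedJWT fresh = SecurityUtils.generateJWToken(user, verified.getApp());
                        if (fresh != null) {
                            successHandler(response, user, fresh);
                            return true;
                        }
                    }
                }
            } catch (Exception e) {
                // Boundary catch: any failure (bad signature, DB error, cast) degrades to a 401 below.
                this.logger.debug("JWT refresh failed.", e);
            }
        }
        response.setHeader("WWW-Authenticate", "Bearer error=\"invalid_token\"");
        RestUtils.returnStatusResponse(response, 401, "User must reauthenticate.");
        return false;
    }

    /**
     * {@code DELETE} on the token endpoint: rotates the caller's token secret and persists the user,
     * which (presumably, since tokens are bound to that secret elsewhere) invalidates all outstanding tokens.
     *
     * @return true if the secret was rotated, false if a 401 was written
     */
    private boolean revokeAllTokensHandler(HttpServletRequest request, HttpServletResponse response) {
        JWTAuthentication candidate = getJWTfromRequest(request);
        if (candidate != null) {
            try {
                User user = SecurityUtils.getAuthenticatedUser(candidate);
                if (user != null) {
                    JWTAuthentication verified = (JWTAuthentication) this.authenticationManager.authenticate(candidate);
                    validateDelegatedTokenIfNecessary(verified);
                    if (verified != null && verified.getApp() != null) {
                        user.resetTokenSecret();
                        CoreUtils.getInstance().overwrite(verified.getApp().getAppIdentifier(), user);
                        RestUtils.returnStatusResponse(response, 200,
                                Utils.formatMessage("All tokens revoked for user {0}!", new Object[]{user.getId()}));
                        return true;
                    }
                }
            } catch (Exception e) {
                // Boundary catch: any failure degrades to a 401 below.
                this.logger.debug("JWT revocation failed.", e);
            }
        }
        response.setHeader("WWW-Authenticate", "Bearer");
        RestUtils.returnStatusResponse(response, 401, "Invalid or expired token.");
        return false;
    }

    /**
     * Writes the token response: {@code {"jwt": {"access_token", "refresh", "expires"}, "user": ...}}.
     * Exactly one response is written on every path.
     */
    private void successHandler(HttpServletResponse response, User user, SignedJWT jwt) {
        if (user == null || jwt == null) {
            RestUtils.returnStatusResponse(response, 500, "Null token.");
            return;
        }
        Map<String, Object> tokenInfo = new HashMap<String, Object>();
        try {
            if (jwt.getJWTClaimsSet().getExpirationTime() == null) {
                // A minted token without "exp" would otherwise NPE below; report it as a bad token instead.
                this.logger.info("JWT has no expiration time.");
                RestUtils.returnStatusResponse(response, 500, "Bad token.");
                return;
            }
            tokenInfo.put("access_token", jwt.serialize());
            tokenInfo.put("refresh", jwt.getJWTClaimsSet().getLongClaim("refresh"));
            tokenInfo.put("expires", Long.valueOf(jwt.getJWTClaimsSet().getExpirationTime().getTime()));
        } catch (ParseException e) {
            this.logger.info("Unable to parse JWT.", e);
            RestUtils.returnStatusResponse(response, 500, "Bad token.");
            // Fix: the original fell through here and wrote a second (partial) response body on top of the 500.
            return;
        }
        Map<String, Object> payload = new HashMap<String, Object>();
        payload.put("jwt", tokenInfo);
        // NOTE(review): the full User object is emitted; confirm its JSON mapping hides secrets.
        payload.put("user", user);
        RestUtils.returnObjectResponse(response, payload);
    }

    /**
     * Extracts and parses (but does NOT verify) the Bearer token from the request and resolves
     * the app and user its claims point at.
     *
     * @return an unverified {@link JWTAuthentication} (user details may be null if the subject is unknown),
     *         or null if there is no parseable Bearer token or the app does not exist
     */
    private JWTAuthentication getJWTfromRequest(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header == null) {
            // SECURITY: query/form-parameter fallback keeps compatibility with clients that cannot set headers,
            // but puts tokens into URLs (logs, history, Referer). Prefer the header; consider retiring this.
            header = request.getParameter("Authorization");
        }
        // Only the "Bearer <token>" shape at the start of the value is meaningful: substring(6) assumes that
        // position, and any other layout simply fails to parse below.
        if (StringUtils.isBlank(header) || !header.contains("Bearer")) {
            return null;
        }
        try {
            SignedJWT jwt = SignedJWT.parse(header.substring(6).trim());
            String subject = jwt.getJWTClaimsSet().getSubject();
            // getStringClaim() turns a non-string "appid" (attacker-controlled at this point) into a
            // ParseException handled below, instead of an unhandled ClassCastException.
            String appid = jwt.getJWTClaimsSet().getStringClaim("appid");
            App app = Para.getDAO().read(App.id(appid));
            if (app == null) {
                return null;
            }
            User user = Para.getDAO().read(app.getAppIdentifier(), subject);
            AuthenticatedUserDetails details = (user == null) ? null : new AuthenticatedUserDetails(user);
            return new JWTAuthentication(details).withJWT(jwt).withApp(app);
        } catch (ParseException e) {
            this.logger.debug("Unable to parse JWT.", e);
            return null;
        }
    }

    /** Returns the String under {@code key}, or null when the key is absent or the value is not a String. */
    private static String stringField(Map<?, ?> body, String key) {
        if (body == null) {
            return null;
        }
        Object value = body.get(key);
        return (value instanceof String) ? (String) value : null;
    }

    /**
     * Routes a provider credential to the matching auth filter, which looks up or creates the user.
     *
     * @param app        the app the user belongs to
     * @param provider   provider name (case-insensitive)
     * @param credential provider-specific token/credential
     * @return the provider's result, or null for an unknown provider
     * @throws IOException if the provider call fails
     */
    private UserAuthentication getOrCreateUser(App app, String provider, String credential) throws IOException {
        if (provider == null) {
            return null;
        }
        if ("facebook".equalsIgnoreCase(provider)) {
            return this.facebookAuth.getOrCreateUser(app, credential);
        }
        if ("google".equalsIgnoreCase(provider)) {
            return this.googleAuth.getOrCreateUser(app, credential);
        }
        if ("github".equalsIgnoreCase(provider)) {
            return this.githubAuth.getOrCreateUser(app, credential);
        }
        if ("linkedin".equalsIgnoreCase(provider)) {
            return this.linkedinAuth.getOrCreateUser(app, credential);
        }
        if ("twitter".equalsIgnoreCase(provider)) {
            return this.twitterAuth.getOrCreateUser(app, credential);
        }
        if ("microsoft".equalsIgnoreCase(provider)) {
            return this.microsoftAuth.getOrCreateUser(app, credential);
        }
        if ("slack".equalsIgnoreCase(provider)) {
            return this.slackAuth.getOrCreateUser(app, credential);
        }
        if ("amazon".equalsIgnoreCase(provider)) {
            return this.amazonAuth.getOrCreateUser(app, credential);
        }
        if ("oauth2".equalsIgnoreCase(provider)) {
            return this.oauth2Auth.getOrCreateUser(app, credential);
        }
        // "second"/"third" select alternative generic OAuth2 configurations.
        if ("oauth2second".equalsIgnoreCase(provider)) {
            return this.oauth2Auth.getOrCreateUser(app, credential, "second");
        }
        if ("oauth2third".equalsIgnoreCase(provider)) {
            return this.oauth2Auth.getOrCreateUser(app, credential, "third");
        }
        if ("ldap".equalsIgnoreCase(provider)) {
            return this.ldapAuth.getOrCreateUser(app, credential);
        }
        if ("passwordless".equalsIgnoreCase(provider)) {
            return this.passwordlessAuth.getOrCreateUser(app, credential);
        }
        if (StringUtils.equalsAnyIgnoreCase(provider, new CharSequence[]{"password", "generic"})) {
            return this.passwordAuth.getOrCreateUser(app, credential);
        }
        return null;
    }

    /** Sets the Ant-style path of the token endpoint. */
    private void setFilterProcessesUrl(String filterProcessesUrl) {
        this.authenticationRequestMatcher = new AntPathRequestMatcher(filterProcessesUrl);
    }

    protected AuthenticationManager getAuthenticationManager() {
        return this.authenticationManager;
    }

    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /** Fails fast at startup if no {@link AuthenticationManager} was wired in. */
    public void afterPropertiesSet() {
        Assert.notNull(this.authenticationManager, "authenticationManager cannot be null");
    }

    public FacebookAuthFilter getFacebookAuth() {
        return this.facebookAuth;
    }

    @Inject
    public void setFacebookAuth(FacebookAuthFilter facebookAuthFilter) {
        this.facebookAuth = facebookAuthFilter;
    }

    public GoogleAuthFilter getGoogleAuth() {
        return this.googleAuth;
    }

    @Inject
    public void setGoogleAuth(GoogleAuthFilter googleAuthFilter) {
        this.googleAuth = googleAuthFilter;
    }

    public GitHubAuthFilter getGithubAuth() {
        return this.githubAuth;
    }

    @Inject
    public void setGithubAuth(GitHubAuthFilter gitHubAuthFilter) {
        this.githubAuth = gitHubAuthFilter;
    }

    public LinkedInAuthFilter getLinkedinAuth() {
        return this.linkedinAuth;
    }

    @Inject
    public void setLinkedinAuth(LinkedInAuthFilter linkedInAuthFilter) {
        this.linkedinAuth = linkedInAuthFilter;
    }

    public TwitterAuthFilter getTwitterAuth() {
        return this.twitterAuth;
    }

    @Inject
    public void setTwitterAuth(TwitterAuthFilter twitterAuthFilter) {
        this.twitterAuth = twitterAuthFilter;
    }

    public MicrosoftAuthFilter getMicrosoftAuth() {
        return this.microsoftAuth;
    }

    @Inject
    public void setMicrosoftAuth(MicrosoftAuthFilter microsoftAuthFilter) {
        this.microsoftAuth = microsoftAuthFilter;
    }

    public SlackAuthFilter getSlackAuth() {
        return this.slackAuth;
    }

    @Inject
    public void setSlackAuth(SlackAuthFilter slackAuthFilter) {
        this.slackAuth = slackAuthFilter;
    }

    public AmazonAuthFilter getAmazonAuth() {
        return this.amazonAuth;
    }

    @Inject
    public void setAmazonAuth(AmazonAuthFilter amazonAuthFilter) {
        this.amazonAuth = amazonAuthFilter;
    }

    public GenericOAuth2Filter getGenericOAuth2Auth() {
        return this.oauth2Auth;
    }

    @Inject
    public void setGenericOAuth2Auth(GenericOAuth2Filter genericOAuth2Filter) {
        this.oauth2Auth = genericOAuth2Filter;
    }

    public LdapAuthFilter getLdapAuth() {
        return this.ldapAuth;
    }

    // NOTE(review): unlike the other setters this one is not @Inject-annotated in the original; wiring of
    // ldapAuth must therefore happen elsewhere (or "ldap" logins NPE). Left as-is to not change DI behaviour.
    public void setLdapAuth(LdapAuthFilter ldapAuthFilter) {
        this.ldapAuth = ldapAuthFilter;
    }

    public PasswordAuthFilter getPasswordAuth() {
        return this.passwordAuth;
    }

    @Inject
    public void setPasswordAuth(PasswordAuthFilter passwordAuthFilter) {
        this.passwordAuth = passwordAuthFilter;
    }

    public PasswordlessAuthFilter getPasswordlessAuth() {
        return this.passwordlessAuth;
    }

    @Inject
    public void setPasswordlessAuth(PasswordlessAuthFilter passwordlessAuthFilter) {
        this.passwordlessAuth = passwordlessAuthFilter;
    }

    /**
     * For users whose identity provider is the generic OAuth2 one and whose app has access-token
     * delegation enabled, rejects the request when the delegated upstream access token is no longer valid.
     * The provider is taken from the JWT's {@code idp} claim, falling back to the user's stored provider.
     *
     * @throws AuthenticationException if the delegated access token is invalid
     * @throws IOException             if the validity check fails to reach the provider
     */
    private void validateDelegatedTokenIfNecessary(JWTAuthentication auth) throws AuthenticationException, IOException {
        // Null-check first (the original called getAuthenticatedUser(null) before checking).
        if (auth == null) {
            return;
        }
        User user = SecurityUtils.getAuthenticatedUser(auth);
        if (user == null) {
            return;
        }
        String idp = null;
        try {
            idp = auth.getJwt().getJWTClaimsSet().getStringClaim("idp");
        } catch (ParseException e) {
            this.logger.error("Unable to read 'idp' claim from JWT.", e);
        }
        if (StringUtils.isBlank(idp)) {
            idp = user.getIdentityProvider();
        }
        App app = auth.getApp();
        if ("oauth2".equalsIgnoreCase(idp)
                && this.oauth2Auth.isAccessTokenDelegationEnabled(app, user)
                && !this.oauth2Auth.isValidAccessToken(app, user)) {
            this.logger.debug("The access token delegated from '" + idp + "' is invalid for "
                    + user.getAppid() + "/" + user.getId());
            throw new AuthenticationServiceException("The access token delegated from '" + idp + "' is invalid.");
        }
    }
}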
