package org.geoserver.security.keycloak;

import java.io.IOException;
import java.util.Collections;
import java.util.Iterator;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.geoserver.security.GeoServerSecurityManager;
import org.geoserver.security.config.SecurityNamedServiceConfig;
import org.geoserver.security.filter.AuthenticationCachingFilter;
import org.geoserver.security.filter.GeoServerAuthenticationFilter;
import org.geoserver.security.filter.GeoServerSecurityFilter;
import org.geotools.util.logging.Logging;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticator;
import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade;
import org.keycloak.adapters.springsecurity.token.SpringSecurityAdapterTokenStoreFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.LogoutHandler;

/* loaded from: input_file:org/geoserver/security/keycloak/GeoServerKeycloakFilter.class */
public class GeoServerKeycloakFilter extends GeoServerSecurityFilter implements AuthenticationCachingFilter, GeoServerAuthenticationFilter, LogoutHandler {
    private static final Logger LOG = Logging.getLogger(GeoServerKeycloakFilter.class);
    private AdapterDeploymentContext keycloakContext;
    private final SpringSecurityAdapterTokenStoreFactory adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();
    private final KeycloakAuthenticationProvider authenticationMapper = new KeycloakAuthenticationProvider();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.geoserver.security.keycloak.GeoServerKeycloakFilter$1, reason: invalid class name */
    /* loaded from: input_file:org/geoserver/security/keycloak/GeoServerKeycloakFilter$1.class */
    /**
     * Decompiler rendering of the compiler-generated lookup table used by the {@code switch} over
     * {@link AuthOutcome} in {@code getNewAuthn}.
     *
     * <p>The array is indexed by {@code AuthOutcome.ordinal()} and stores the case label the switch
     * tests: 1 for AUTHENTICATED, 2 for NOT_ATTEMPTED, 3 for FAILED. Every other outcome keeps the
     * array's initial value of 0, which matches none of the labels and so reaches the switch's
     * {@code default} branch.
     */
    public static /* synthetic */ class AnonymousClass1 {
        // One slot per AuthOutcome constant; slots not assigned below stay 0.
        static final /* synthetic */ int[] $SwitchMap$org$keycloak$adapters$spi$AuthOutcome = new int[AuthOutcome.values().length];

        static {
            // Each assignment is wrapped separately so that a constant missing at run time
            // (NoSuchFieldError) is ignored and only that slot is left at 0.
            try {
                $SwitchMap$org$keycloak$adapters$spi$AuthOutcome[AuthOutcome.AUTHENTICATED.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$keycloak$adapters$spi$AuthOutcome[AuthOutcome.NOT_ATTEMPTED.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$keycloak$adapters$spi$AuthOutcome[AuthOutcome.FAILED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    /**
     * Creates the filter and installs a {@link SimpleAuthorityMapper} on the Keycloak
     * authentication provider, so the authorities of every authenticated token pass through that
     * mapper.
     */
    public GeoServerKeycloakFilter() {
        // NOTE(review): the mapper is used with its defaults; confirm the resulting authority
        // names are the ones GeoServer role checks expect.
        SimpleAuthorityMapper authorityMapper = new SimpleAuthorityMapper();
        authenticationMapper.setGrantedAuthoritiesMapper(authorityMapper);
    }

    /**
     * Runs the inherited initialization, then builds the Keycloak deployment context from the
     * adapter configuration carried by the filter configuration.
     *
     * @param securityNamedServiceConfig the filter configuration; it is cast to
     *     {@code GeoServerKeycloakFilterConfig}, so any other type fails with a
     *     {@link ClassCastException}
     * @throws IOException as declared by the inherited initializer
     */
    public void initializeFromConfig(SecurityNamedServiceConfig securityNamedServiceConfig) throws IOException {
        LOG.log(Level.FINER, "GeoServerKeycloakFilter.initializeFromConfig ENTRY");
        super.initializeFromConfig(securityNamedServiceConfig);

        GeoServerKeycloakFilterConfig keycloakConfig = (GeoServerKeycloakFilterConfig) securityNamedServiceConfig;
        // Every later request resolves its deployment (realm, client, bearer-only flag) from this context.
        KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(keycloakConfig.readAdapterConfig());
        this.keycloakContext = new AdapterDeploymentContext(deployment);
    }

    /**
     * Servlet filter entry point: narrows the request and response to their HTTP types and
     * delegates to the HTTP-specific overload.
     *
     * <p>The casts are unchecked, so a non-HTTP request or response fails with a
     * {@link ClassCastException}.
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        doFilter(httpRequest, httpResponse, filterChain);
    }

    /**
     * Authenticates one HTTP request and then continues the filter chain.
     *
     * <p>An authentication already present in the security context or the authentication cache is
     * reused; otherwise a new Keycloak authentication attempt is made. The outcome is stored via
     * {@code saveAuthn} and also exposed to later components as a request attribute.
     *
     * <p>This method never stops the request itself: the chain is invoked whether or not an
     * authentication was obtained, so rejecting unauthenticated access is left to whatever runs
     * after this filter.
     */
    protected void doFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        LOG.log(Level.FINER, "GeoServerKeycloakFilter.doFilter ENTRY");
        LOG.log(Level.FINEST, ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>");
        logHttpRequest(Level.FINEST, httpServletRequest);

        // Prefer an existing authentication; only fall back to a fresh Keycloak attempt when none exists.
        AuthResults existing = loadAuthn(httpServletRequest);
        AuthResults authResults = existing.hasAuthentication()
                ? existing
                : getNewAuthn(httpServletRequest, httpServletResponse);

        saveAuthn(httpServletRequest, authResults);
        // presumably read by the authentication entry point to send the stored challenge; verify against its consumer
        httpServletRequest.setAttribute("_AUTHENTICATION_ENTRY_POINT_HEADER", authResults);

        LOG.log(Level.FINER, "continuing filter chain");
        LOG.log(Level.FINEST, filterChain.getClass().getCanonicalName());
        filterChain.doFilter(httpServletRequest, httpServletResponse);

        // Only reached when the rest of the chain returns normally.
        logHttpResponse(Level.FINEST, httpServletResponse);
        LOG.log(Level.FINEST, "<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<");
    }

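    /**
     * Computes the Keycloak logout URL for this request and stores it in the
     * {@code _logout_redirect} request attribute.
     *
     * <p>When the request carries a {@code Referer} header, its value up to (not including) the
     * first {@code ?} is passed to Keycloak as {@code redirect_uri}. A missing or empty Referer,
     * which is common under strict referrer policies, no longer causes a
     * {@link NullPointerException}; the logout URL is then built without a {@code redirect_uri}.
     *
     * <p>The Referer is supplied by the client, so the return address is untrusted input. This
     * method does not validate it. NOTE(review): confirm that the Keycloak client restricts the
     * accepted redirect URIs and that whatever consumes {@code _logout_redirect} does not follow
     * it anywhere else.
     *
     * @param httpServletRequest the request being logged out; receives the attribute
     * @param httpServletResponse the response, used only to resolve the Keycloak deployment
     * @param authentication the authentication being terminated (not used here)
     */
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        LOG.log(Level.FINER, "GeoServerKeycloakFilter.logout ENTRY");

        // Strip the query string so request parameters are not echoed into the return address.
        String returnTo = null;
        String referer = httpServletRequest.getHeader("Referer");
        if (referer != null) {
            int queryStart = referer.indexOf('?');
            String base = queryStart >= 0 ? referer.substring(0, queryStart) : referer;
            if (!base.isEmpty()) {
                returnTo = base;
            }
        }

        KeycloakDeployment deployment = this.keycloakContext.resolveDeployment(new SimpleHttpFacade(httpServletRequest, httpServletResponse));
        // NOTE(review): if getLogoutUrl() hands out a shared builder rather than a copy, queryParam
        // would accumulate parameters across logouts; confirm against the adapter version in use.
        String logoutUrl;
        if (returnTo == null) {
            logoutUrl = deployment.getLogoutUrl().build(new Object[0]).toString();
        } else {
            logoutUrl = deployment.getLogoutUrl().queryParam("redirect_uri", new Object[]{returnTo}).build(new Object[0]).toString();
        }
        httpServletRequest.setAttribute("_logout_redirect", logoutUrl);
    }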

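    /**
     * Returns the key under which this request's authentication is cached: the raw value of the
     * {@code Authorization} header.
     *
     * <p>The header value is a credential (for example a bearer token), so it is never written to
     * the log; only its scheme is logged.
     *
     * @param httpServletRequest the incoming request
     * @return the {@code Authorization} header value, or {@code null} when the header is absent or
     *     empty, in which case callers skip the cache
     */
    public String getCacheKey(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null || header.isEmpty()) {
            return null;
        }
        LOG.log(Level.FINEST, () -> {
            // Log the scheme only; the text after the first space is the secret part.
            int schemeEnd = header.indexOf(' ');
            String scheme = schemeEnd > 0 ? header.substring(0, schemeEnd) : "<unknown scheme>";
            return "cache key = " + scheme + " <redacted>";
        });
        // NOTE(review): a cached authentication is found again by credential string alone; confirm
        // the authentication cache expires entries no later than the token itself does.
        return header;
    }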

    /**
     * Always returns {@code true}.
     *
     * <p>NOTE(review): presumably declares this filter usable on HTML (web UI) filter chains;
     * confirm against the {@code GeoServerAuthenticationFilter} contract.
     */
    public boolean applicableForHtml() {
        return true;
    }

    /**
     * Always returns {@code true}.
     *
     * <p>NOTE(review): presumably declares this filter usable on service (non-HTML) filter
     * chains; confirm against the {@code GeoServerAuthenticationFilter} contract.
     */
    public boolean applicableForServices() {
        return true;
    }

    /**
     * Runs a fresh Keycloak authentication attempt for the request and converts the outcome into
     * an {@code AuthResults}.
     *
     * <ul>
     *   <li>AUTHENTICATED: the authentication currently held by the security context is passed
     *       through the authentication provider and returned.
     *   <li>NOT_ATTEMPTED: empty results for a bearer-only deployment, otherwise results carrying
     *       the authenticator's challenge.
     *   <li>FAILED: empty results, with neither authentication nor challenge.
     *   <li>any other outcome: results carrying the challenge.
     * </ul>
     *
     * @param httpServletRequest the request to authenticate
     * @param httpServletResponse the response paired with the request
     * @return the authentication, a challenge, or empty results as listed above
     */
    protected AuthResults getNewAuthn(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        LOG.log(Level.FINER, "GeoServerKeycloakFilter.getNewAuthn ENTRY");

        SimpleHttpFacade facade = new SimpleHttpFacade(httpServletRequest, httpServletResponse);
        KeycloakDeployment deployment = this.keycloakContext.resolveDeployment(facade);
        // presumably keeps the adapter from writing the bearer error response itself, so that this
        // filter decides what is sent; TODO confirm against the adapter documentation
        deployment.setDelegateBearerErrorResponseSending(true);

        // NOTE(review): the trailing -1 looks like the "no SSL redirect port" argument; confirm.
        SpringSecurityRequestAuthenticator authenticator = new SpringSecurityRequestAuthenticator(
                facade,
                httpServletRequest,
                deployment,
                this.adapterTokenStoreFactory.createAdapterTokenStore(deployment, httpServletRequest),
                -1);
        AuthOutcome outcome = authenticator.authenticate();
        // The challenge is read after authenticate() has run, whatever the outcome.
        AuthChallenge challenge = authenticator.getChallenge();
        LOG.log(Level.FINE, () -> {
            return "auth result is " + outcome.toString();
        });

        switch (outcome) {
            case AUTHENTICATED:
                // presumably the authenticator stored the Keycloak token in the security context; verify
                Authentication fromContext = SecurityContextHolder.getContext().getAuthentication();
                return new AuthResults(this.authenticationMapper.authenticate(fromContext));
            case NOT_ATTEMPTED:
                if (deployment.isBearerOnly()) {
                    return new AuthResults();
                }
                return new AuthResults(challenge);
            case FAILED:
                // A failed attempt carries no challenge; the caller continues the chain unauthenticated.
                return new AuthResults();
            default:
                return new AuthResults(challenge);
        }
    }

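    /**
     * Applies the outcome of authentication to the security context, the HTTP session and the
     * authentication cache.
     *
     * <p>Without an authentication, the security context is cleared and any existing session is
     * invalidated. With one, it is stored in the authentication cache (when a security manager and
     * a cache key are available) and set on the security context.
     *
     * <p>Changes from the previous version: the session is looked up once instead of twice, so it
     * cannot disappear between the null check and the {@code invalidate()} call; a {@code null}
     * request is tolerated on the caching path as it already was on the clearing path; and the
     * misspelled "cachinig" log message is corrected.
     *
     * @param httpServletRequest the current request; may be {@code null}, in which case no session
     *     is touched and nothing is cached
     * @param authResults the authentication outcome; {@code null} is treated as "no authentication"
     */
    protected void saveAuthn(HttpServletRequest httpServletRequest, AuthResults authResults) {
        // The trace label below is kept unchanged so existing log searches still match.
        LOG.log(Level.FINER, "GeoServerKeycloakFilter.cacheAuthn ENTRY");
        if (authResults == null || !authResults.hasAuthentication()) {
            SecurityContextHolder.clearContext();
            // getSession(false) never creates a session; it only returns an existing one.
            javax.servlet.http.HttpSession session = httpServletRequest == null ? null : httpServletRequest.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            return;
        }

        Authentication authentication = authResults.getAuthentication();
        GeoServerSecurityManager securityManager = getSecurityManager();
        String cacheKey = httpServletRequest == null ? null : getCacheKey(httpServletRequest);
        if (securityManager != null && cacheKey != null && !cacheKey.isEmpty()) {
            if (authentication != null) {
                LOG.log(Level.FINE, () -> {
                    return "caching auth for " + authentication.getName();
                });
            }
            // Keyed by this filter's name plus the request's Authorization header value.
            securityManager.getAuthenticationCache().put(getName(), cacheKey, authentication);
        }
        if (authentication != null) {
            LOG.log(Level.FINE, "adding auth to context");
        }
        SecurityContextHolder.getContext().setAuthentication(authentication);
    }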

    /**
     * Looks for an authentication that already exists for this request.
     *
     * <p>The security context is checked first; an authenticated entry there is returned as is.
     * Otherwise the authentication cache is consulted under this filter's name and the request's
     * cache key.
     *
     * @param httpServletRequest the incoming request
     * @return results wrapping the authentication found, or empty results when there is none
     */
    protected AuthResults loadAuthn(HttpServletRequest httpServletRequest) {
        LOG.log(Level.FINER, "GeoServerKeycloakFilter.getCachedAuthn ENTRY");

        Authentication fromContext = SecurityContextHolder.getContext().getAuthentication();
        if (fromContext != null && fromContext.isAuthenticated()) {
            LOG.log(Level.FINE, "auth already exists in context");
            return new AuthResults(fromContext);
        }

        GeoServerSecurityManager securityManager = getSecurityManager();
        String cacheKey = getCacheKey(httpServletRequest);
        if (securityManager == null || cacheKey == null || cacheKey.isEmpty()) {
            return new AuthResults();
        }

        // NOTE(review): a cache hit is returned without re-checking the token here; confirm the
        // cache's expiry is bounded by the token lifetime.
        final Authentication cached = securityManager.getAuthenticationCache().get(getName(), cacheKey);
        if (cached == null) {
            return new AuthResults();
        }
        LOG.log(Level.FINE, () -> {
            return "auth located in cache for " + cached.getName();
        });
        return new AuthResults(cached);
    }

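    /**
     * Writes the request's method, URI, headers, parameters and cookies to the log at the given
     * level. Does nothing when that level is not enabled.
     *
     * <p>Changes from the previous version:
     *
     * <ul>
     *   <li>The {@code Cookie} header was meant to be skipped, but the skip compared strings with
     *       {@code !=}, which tests object identity and does not reliably match header names
     *       supplied by the container. The comparison is now by value and ignores case.
     *   <li>Values of {@code Authorization} and {@code Proxy-Authorization} headers and cookie
     *       values are credentials or session identifiers; they are logged as {@code <redacted>}.
     * </ul>
     *
     * <p>Parameter values are still logged verbatim and can contain sensitive data, so this level
     * should be enabled for troubleshooting only.
     *
     * @param level the level to log at
     * @param httpServletRequest the request to describe
     */
    private static void logHttpRequest(Level level, HttpServletRequest httpServletRequest) {
        if (!LOG.isLoggable(level)) {
            return;
        }
        LOG.log(level, "request.method   = " + httpServletRequest.getMethod());
        LOG.log(level, "request.uri      = " + httpServletRequest.getRequestURI());

        LOG.log(level, "request.headers  = ");
        for (String headerName : Collections.list(httpServletRequest.getHeaderNames())) {
            // Cookies get their own section below.
            if ("Cookie".equalsIgnoreCase(headerName)) {
                continue;
            }
            StringBuilder line = new StringBuilder(80);
            line.append(leftPadMessage(headerName)).append(headerName).append(" = ");
            if ("Authorization".equalsIgnoreCase(headerName) || "Proxy-Authorization".equalsIgnoreCase(headerName)) {
                line.append("<redacted>");
            } else {
                for (String headerValue : Collections.list(httpServletRequest.getHeaders(headerName))) {
                    line.append(headerValue).append(' ');
                }
            }
            LOG.log(level, line.toString());
        }

        // NOTE(review): getParameterNames() also covers form parameters, and on a form POST the
        // container may have to read the request body to answer it; confirm that is acceptable
        // for handlers further down the chain.
        LOG.log(level, "request.query    = ");
        for (String parameterName : Collections.list(httpServletRequest.getParameterNames())) {
            StringBuilder line = new StringBuilder(80);
            line.append(leftPadMessage(parameterName)).append(parameterName).append(" = ");
            for (String parameterValue : httpServletRequest.getParameterValues(parameterName)) {
                line.append(parameterValue).append(' ');
            }
            LOG.log(level, line.toString());
        }

        LOG.log(level, "request.cookies  = ");
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                StringBuilder line = new StringBuilder(80);
                line.append(leftPadMessage(cookie.getName()))
                        .append(cookie.getName())
                        .append(" = ")
                        .append("<redacted>")
                        .append("; ")
                        .append(cookie.getPath());
                LOG.log(level, line.toString());
            }
        }
    }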

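    /**
     * Writes the response's status, headers and cookies to the log at the given level. Does
     * nothing when that level is not enabled.
     *
     * <p>Changes from the previous version:
     *
     * <ul>
     *   <li>The {@code Set-Cookie} header was meant to be skipped in the header section, but the
     *       skip compared strings with {@code !=} (object identity). It now compares by value and
     *       ignores case.
     *   <li>A {@code Set-Cookie} value without {@code =} made {@code substring(0, -1)} throw; such
     *       a value is now logged as a bare name.
     *   <li>Cookie values are logged as {@code <redacted>}, because a freshly issued session
     *       identifier is a credential. The cookie name and attributes are kept.
     * </ul>
     *
     * @param level the level to log at
     * @param httpServletResponse the response to describe
     */
    private static void logHttpResponse(Level level, HttpServletResponse httpServletResponse) {
        if (!LOG.isLoggable(level)) {
            return;
        }
        LOG.log(level, "response.status  = " + httpServletResponse.getStatus());

        LOG.log(level, "response.headers = ");
        for (String headerName : httpServletResponse.getHeaderNames()) {
            // Cookies get their own section below.
            if ("Set-Cookie".equalsIgnoreCase(headerName)) {
                continue;
            }
            StringBuilder line = new StringBuilder(80);
            line.append(leftPadMessage(headerName)).append(headerName).append(" = ");
            for (String headerValue : httpServletResponse.getHeaders(headerName)) {
                line.append(headerValue).append(' ');
            }
            LOG.log(level, line.toString());
        }

        LOG.log(level, "response.cookies = ");
        for (String setCookie : httpServletResponse.getHeaders("Set-Cookie")) {
            // Split "name=value; attr; attr" into the name/value pair and the attribute tail.
            int attributesStart = setCookie.indexOf(';');
            String pair = attributesStart >= 0 ? setCookie.substring(0, attributesStart) : setCookie;
            String attributes = attributesStart >= 0 ? setCookie.substring(attributesStart) : "";
            int equalsAt = pair.indexOf('=');
            String cookieName = equalsAt >= 0 ? pair.substring(0, equalsAt) : pair;

            StringBuilder line = new StringBuilder(80);
            line.append(leftPadMessage(cookieName)).append(cookieName).append(" = ").append("<redacted>").append(attributes);
            LOG.log(level, line.toString());
        }
    }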

    /**
     * Returns the run of spaces that right-aligns a label in the log output.
     *
     * @param str the label that will follow the padding
     * @return the fixed-width padding shortened by {@code str.length()} characters, or the empty
     *     string when the label is at least as long as the padding
     */
    private static String leftPadMessage(String str) {
        final String padding = "                              ";
        int consumed = Math.min(str.length(), padding.length());
        return padding.substring(consumed);
    }
}
