package org.geoserver.security.oauth2;

import com.google.common.collect.Lists;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.logging.Level;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.geoserver.security.config.PreAuthenticatedUserNameFilterConfig;
import org.geoserver.security.config.SecurityNamedServiceConfig;
import org.geoserver.security.filter.AuthenticationCachingFilter;
import org.geoserver.security.filter.GeoServerAuthenticationFilter;
import org.geoserver.security.filter.GeoServerPreAuthenticatedUserNameFilter;
import org.geoserver.security.impl.GeoServerRole;
import org.geoserver.security.impl.GeoServerUser;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.client.filter.OAuth2ClientAuthenticationProcessingFilter;
import org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException;
import org.springframework.security.oauth2.client.resource.UserRedirectRequiredException;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.client.ResourceAccessException;

/* loaded from: input_file:org/geoserver/security/oauth2/GeoServerOAuthAuthenticationFilter.class */
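/**
 * Pre-authentication filter that establishes a GeoServer {@link Authentication} from an OAuth2 access
 * token.
 *
 * <p>The token is taken either from the {@code access_token} request parameter or from the OAuth2
 * client context held by {@link #restTemplate}; the principal it resolves to is mapped to roles by
 * {@link #doAuthenticate}. The filter also serves authentications from the security manager's
 * authentication cache, logs out a previously pre-authenticated user whose token and GeoNode session
 * cookie have both disappeared, and acts as a {@link LogoutHandler} for the configured logout endpoint.
 *
 * <p>{@code LOGGER}, {@code aep} and the role/user-group lookups are inherited from the superclass.
 */
public abstract class GeoServerOAuthAuthenticationFilter extends GeoServerPreAuthenticatedUserNameFilter implements GeoServerAuthenticationFilter, LogoutHandler {
    /** Name of the GeoNode session cookie whose presence keeps a pre-authenticated user logged in. */
    static final String GEONODE_COOKIE_NAME = "sessionid";
    /** Filter configuration; provides client id/secret, endpoints, scopes and the entry point. */
    OAuth2FilterConfig filterConfig;
    /** OAuth2-aware REST client whose client context carries the current access token. */
    OAuth2RestOperations restTemplate;
    /** Spring filter used only for {@code attemptAuthentication}; never registered in a chain itself. */
    OAuth2ClientAuthenticationProcessingFilter filter = new OAuth2ClientAuthenticationProcessingFilter("/");
    /** Token services that validate the access token against the check-token endpoint. */
    ResourceServerTokenServices tokenServices;
    GeoServerOAuth2SecurityConfiguration oauth2SecurityConfiguration;

    /**
     * Creates the filter.
     *
     * @param securityNamedServiceConfig the filter configuration, expected to be an {@link OAuth2FilterConfig}
     * @param remoteTokenServices token services used to validate access tokens
     * @param geoServerOAuth2SecurityConfiguration OAuth2 security configuration
     * @param oAuth2RestOperations OAuth2 REST client
     * @throws ClassCastException if the configuration is not an {@link OAuth2FilterConfig}
     */
    public GeoServerOAuthAuthenticationFilter(SecurityNamedServiceConfig securityNamedServiceConfig, RemoteTokenServices remoteTokenServices, GeoServerOAuth2SecurityConfiguration geoServerOAuth2SecurityConfiguration, OAuth2RestOperations oAuth2RestOperations) {
        this.filterConfig = (OAuth2FilterConfig) securityNamedServiceConfig;
        this.tokenServices = remoteTokenServices;
        this.oauth2SecurityConfiguration = geoServerOAuth2SecurityConfiguration;
        this.restTemplate = oAuth2RestOperations;
    }

    /**
     * Initializes the superclass from {@code securityNamedServiceConfig} and installs the entry point.
     *
     * <p>The entry point is read from the configuration passed to the constructor, not from the
     * argument; both are expected to describe the same filter.
     *
     * @throws IOException if superclass initialization fails
     */
    @Override
    public void initializeFromConfig(SecurityNamedServiceConfig securityNamedServiceConfig) throws IOException {
        super.initializeFromConfig(securityNamedServiceConfig);
        this.aep = this.filterConfig.getAuthenticationEntryPoint();
    }

    /** @return the entry point installed by {@link #initializeFromConfig} */
    @Override
    public AuthenticationEntryPoint getAuthenticationEntryPoint() {
        return this.aep;
    }

    /**
     * Runs the OAuth2 pre-authentication for one request and continues the chain.
     *
     * <p>Steps, in order: serve a cached authentication if available; drop the client-context token when
     * the request carries a different one; log out a pre-authenticated, non-anonymous user that has
     * neither a token nor a GeoNode session cookie; authenticate when a token is present or no
     * (non-anonymous) authentication exists, caching the result when the cache key allows it.
     *
     * @throws IOException propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;

        // A non-null key means "nothing cached under this key yet"; null means cached-and-served or not cacheable.
        String cacheKey = authenticateFromCache(this, httpServletRequest, httpServletResponse);

        String requestToken = servletRequest.getParameter("access_token");
        OAuth2AccessToken contextToken = this.restTemplate.getOAuth2ClientContext().getAccessToken();
        // A different token on the request supersedes the one remembered in the client context.
        if (requestToken != null && contextToken != null && !requestToken.equals(contextToken.getValue())) {
            this.restTemplate.getOAuth2ClientContext().setAccessToken(null);
        }

        String geoNodeCookieValue = getGeoNodeCookieValue(httpServletRequest);
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        boolean anonymousOnly = isAnonymousOnly(existing);

        if (requestToken == null && geoNodeCookieValue == null
                && existing instanceof PreAuthenticatedAuthenticationToken && !anonymousOnly) {
            // Neither a token nor a GeoNode session backs this user any more: end the session.
            AccessTokenRequest accessTokenRequest = this.restTemplate.getOAuth2ClientContext().getAccessTokenRequest();
            if (accessTokenRequest != null && accessTokenRequest.getStateKey() != null) {
                this.restTemplate.getOAuth2ClientContext().removePreservedState(accessTokenRequest.getStateKey());
            }
            try {
                if (accessTokenRequest != null) {
                    accessTokenRequest.remove("access_token");
                }
            } finally {
                clearSessionState(httpServletRequest);
            }
        }

        if (requestToken != null || existing == null || anonymousOnly) {
            doAuthenticate(httpServletRequest, httpServletResponse);
            // Cache what doAuthenticate just established, not the stale value read before it ran;
            // cacheAuthentication decides whether that authentication may be cached at all.
            Authentication established = SecurityContextHolder.getContext().getAuthentication();
            if (established != null && cacheKey != null && cacheAuthentication(established, httpServletRequest)) {
                getSecurityManager().getAuthenticationCache().put(getName(), cacheKey, established);
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Serves a cached authentication into the security context, if one exists.
     *
     * @return the cache key when nothing is cached under it yet (so the caller can store what it
     *     establishes); {@code null} when the request is already authenticated, has no cache key, or was
     *     served from the cache
     */
    protected String authenticateFromCache(AuthenticationCachingFilter authenticationCachingFilter, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (SecurityContextHolder.getContext().getAuthentication() != null) {
            return null;
        }
        String cacheKey = getCacheKey(httpServletRequest, httpServletResponse);
        if (cacheKey == null) {
            return null;
        }
        Authentication cached = getSecurityManager().getAuthenticationCache().get(getName(), cacheKey);
        if (cached == null) {
            return cacheKey;
        }
        SecurityContextHolder.getContext().setAuthentication(cached);
        return null;
    }

    /**
     * Computes the authentication-cache key for a request: the pre-authenticated principal name.
     *
     * <p>Requests that already have a session are not cached, and the {@code root} account is never
     * cached. Resolving the principal has side effects (it configures the REST template and may contact
     * the provider); failures are logged at FINE and yield {@code null}.
     *
     * @return the cache key, or {@code null} when the request must not be cached
     */
    protected String getCacheKey(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (httpServletRequest.getSession(false) != null) {
            return null;
        }
        try {
            String principal = getPreAuthenticatedPrincipal(httpServletRequest, httpServletResponse);
            return "root".equals(principal) ? null : principal;
        } catch (Exception e) {
            LOGGER.log(Level.FINE, "Could not compute the authentication cache key", e);
            return null;
        }
    }

    /**
     * Looks up the GeoNode session cookie on the request.
     *
     * @return the cookie value, or {@code null} when the request carries no such cookie
     */
    private String getGeoNodeCookieValue(HttpServletRequest httpServletRequest) {
        boolean fine = LOGGER.isLoggable(Level.FINE);
        if (fine) {
            LOGGER.fine("Inspecting the http request looking for the GeoNode Session ID.");
        }
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            if (fine) {
                LOGGER.fine("Found no cookies!");
            }
            return null;
        }
        if (fine) {
            LOGGER.fine("Found " + cookies.length + " cookies!");
        }
        for (Cookie cookie : cookies) {
            if (GEONODE_COOKIE_NAME.equals(cookie.getName())) {
                // The value is a session identifier: log that it is present, never its contents.
                if (fine) {
                    LOGGER.fine("Found GeoNode cookie " + GEONODE_COOKIE_NAME);
                }
                return cookie.getValue();
            }
        }
        return null;
    }

    /**
     * Logs the user out when a bearer token is held or the configured logout endpoint was requested.
     *
     * <p>Clears the client-context state, the security context, the HTTP session and the container
     * login, answers 204, expires the {@code JSESSIONID} cookie and records the configured logout URI in
     * the {@code _logout_redirect} request attribute. Does nothing otherwise.
     */
    @Override
    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        OAuth2AccessToken accessToken = this.restTemplate.getOAuth2ClientContext().getAccessToken();
        boolean bearerToken = accessToken != null && "Bearer".equalsIgnoreCase(accessToken.getTokenType());
        boolean logoutEndpoint = httpServletRequest.getRequestURI().endsWith(this.filterConfig.getLogoutEndpoint());
        if (!bearerToken && !logoutEndpoint) {
            return;
        }
        AccessTokenRequest accessTokenRequest = this.restTemplate.getOAuth2ClientContext().getAccessTokenRequest();
        if (accessTokenRequest != null && accessTokenRequest.getStateKey() != null) {
            this.restTemplate.getOAuth2ClientContext().removePreservedState(accessTokenRequest.getStateKey());
        }
        try {
            if (accessTokenRequest != null) {
                accessTokenRequest.remove("access_token");
            }
        } finally {
            // Runs even if removing the token fails, so a failed logout never leaves a live session behind.
            clearSessionState(httpServletRequest);
        }
        httpServletResponse.setStatus(204);
        expireSessionCookie(httpServletRequest, httpServletResponse);
        httpServletRequest.setAttribute("_logout_redirect", this.filterConfig.getLogoutUri());
    }

    /**
     * Resolves the principal and installs a {@link PreAuthenticatedAuthenticationToken} in the context.
     *
     * <p>An empty or missing principal becomes an anonymous token. The name {@code root} is GeoServer's
     * built-in administrator and is mapped straight to {@code ADMIN_ROLE} on the provider's word alone;
     * every other principal gets the configured roles plus {@code AUTHENTICATED_ROLE}.
     *
     * @throws RuntimeException wrapping an {@link IOException} from the role lookup
     */
    protected void doAuthenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String principal;
        try {
            principal = getPreAuthenticatedPrincipal(httpServletRequest, httpServletResponse);
        } catch (ServletException e) {
            LOGGER.log(Level.FINE, e.getMessage(), e);
            principal = null;
        } catch (IOException e) {
            LOGGER.log(Level.FINE, e.getMessage(), e);
            principal = null;
        }
        LOGGER.log(Level.FINE, "preAuthenticatedPrincipal = " + principal + ", trying to authenticate");

        PreAuthenticatedAuthenticationToken token;
        if (principal == null || principal.trim().isEmpty()) {
            token = new PreAuthenticatedAuthenticationToken(principal, null, Collections.singleton(GeoServerRole.ANONYMOUS_ROLE));
        } else if ("root".equals(principal)) {
            token = new PreAuthenticatedAuthenticationToken(principal, null, Collections.singleton(GeoServerRole.ADMIN_ROLE));
        } else {
            Collection<GeoServerRole> roles;
            try {
                roles = getRoles(httpServletRequest, principal);
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
            if (!roles.contains(GeoServerRole.AUTHENTICATED_ROLE)) {
                roles.add(GeoServerRole.AUTHENTICATED_ROLE);
            }
            token = new PreAuthenticatedAuthenticationToken(principal, null, roles);
        }
        token.setDetails(getAuthenticationDetailsSource().buildDetails(httpServletRequest));
        SecurityContextHolder.getContext().setAuthentication(token);
    }

    /**
     * Response-less variant of {@link #getPreAuthenticatedPrincipal(HttpServletRequest, HttpServletResponse)}.
     *
     * @return the principal, or {@code null} on I/O or servlet failure
     */
    protected String getPreAuthenticatedPrincipal(HttpServletRequest httpServletRequest) {
        try {
            return getPreAuthenticatedPrincipal(httpServletRequest, null);
        } catch (IOException e) {
            return null;
        } catch (ServletException e) {
            return null;
        }
    }

    /**
     * Authenticates the request's access token against the provider and returns the principal name.
     *
     * <p>A token given as the {@code access_token} parameter is placed in the client context first. When
     * the provider demands a redirect, it is either sent through the entry point or the preserved state is
     * cleared (see {@link #handleRedirectRequired}). Credential and connectivity failures are logged and
     * yield {@code null}. When roles come from the user-group service, a disabled account yields
     * {@code null} and is handed to {@code handleDisabledUser}. Sets the
     * {@code org.geoserver.security.filter.usernameAlreadyRetrieved} and, when known,
     * {@code org.geoserver.security.filter.username} request attributes.
     *
     * @param httpServletResponse may be {@code null}; no redirect is then issued
     * @return the principal name, or {@code null} when the request is not authenticated
     * @throws IOException from the entry point
     * @throws ServletException from the entry point
     * @throws RuntimeException wrapping an {@link IOException} from the user-group lookup
     */
    protected String getPreAuthenticatedPrincipal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        configureRestTemplate();
        String requestToken = httpServletRequest.getParameter("access_token");
        if (requestToken != null) {
            this.restTemplate.getOAuth2ClientContext().setAccessToken(new DefaultOAuth2AccessToken(requestToken));
        }
        this.filter.setRestTemplate(this.restTemplate);
        this.filter.setTokenServices(this.tokenServices);

        Authentication authentication = null;
        try {
            authentication = this.filter.attemptAuthentication(httpServletRequest, null);
        } catch (Exception e) {
            if (e instanceof UserRedirectRequiredException) {
                handleRedirectRequired(httpServletRequest, httpServletResponse);
            } else if (e instanceof BadCredentialsException || e instanceof ResourceAccessException) {
                logAuthenticationFailure(e);
            } else {
                // Any other failure is treated as "not authenticated"; keep a trace of why.
                LOGGER.log(Level.FINE, "OAuth2 authentication attempt failed", e);
            }
        }

        String principal = authentication != null ? (String) authentication.getPrincipal() : null;
        if (principal != null && principal.trim().isEmpty()) {
            principal = null;
        }
        if (principal != null && PreAuthenticatedUserNameFilterConfig.PreAuthenticatedUserNameRoleSource.UserGroupService.equals(getRoleSource())) {
            try {
                GeoServerUser user = getSecurityManager().loadUserGroupService(getUserGroupServiceName()).getUserByUsername(principal);
                if (user != null && !user.isEnabled()) {
                    // A disabled account never authenticates, whatever the provider asserts.
                    principal = null;
                    handleDisabledUser(user, httpServletRequest);
                }
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        }
        httpServletRequest.setAttribute("org.geoserver.security.filter.usernameAlreadyRetrieved", Boolean.TRUE);
        if (principal != null) {
            httpServletRequest.setAttribute("org.geoserver.security.filter.username", principal);
        }
        return principal;
    }

    /**
     * Pushes the configured client id/secret, endpoints, redirect URI and scopes into the REST template's
     * resource details and the token services. Called before every authentication attempt.
     */
    protected void configureRestTemplate() {
        AuthorizationCodeResourceDetails resource = this.restTemplate.getResource();
        resource.setClientId(this.filterConfig.getCliendId());
        resource.setClientSecret(this.filterConfig.getClientSecret());
        this.tokenServices.setClientId(this.filterConfig.getCliendId());
        this.tokenServices.setClientSecret(this.filterConfig.getClientSecret());
        resource.setAccessTokenUri(this.filterConfig.getAccessTokenUri());
        resource.setUserAuthorizationUri(this.filterConfig.getUserAuthorizationUri());
        resource.setPreEstablishedRedirectUri(this.filterConfig.getRedirectUri());
        this.tokenServices.setCheckTokenEndpointUrl(this.filterConfig.getCheckTokenEndpointUrl());
        resource.setScope(parseScopes(this.filterConfig.getScopes()));
    }

    /**
     * Splits a comma-separated scope string into a mutable list; entries are not trimmed.
     *
     * @param str the configured scopes, possibly {@code null}
     * @return the scopes, empty when {@code str} is {@code null}
     */
    protected List<String> parseScopes(String str) {
        List<String> scopes = new ArrayList<String>();
        if (str != null) {
            Collections.addAll(scopes, str.split(","));
        }
        return scopes;
    }

    /** Not used by this filter: the principal is resolved by {@link #getPreAuthenticatedPrincipal}. */
    protected String getPreAuthenticatedPrincipalName(HttpServletRequest httpServletRequest) {
        return null;
    }

    /** @return whether {@code authentication} is non-null and carries exactly the anonymous role */
    private static boolean isAnonymousOnly(Authentication authentication) {
        if (authentication == null) {
            return false;
        }
        Collection<?> authorities = authentication.getAuthorities();
        return authorities != null && authorities.size() == 1 && authorities.contains(GeoServerRole.ANONYMOUS_ROLE);
    }

    /**
     * Clears the security context, invalidates the HTTP session (if one exists) and logs out of the
     * container; a failing container logout is logged at FINE.
     */
    private void clearSessionState(HttpServletRequest request) {
        SecurityContextHolder.clearContext();
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        try {
            request.logout();
        } catch (ServletException e) {
            LOGGER.fine(e.getLocalizedMessage());
        }
        LOGGER.fine("Cleaned out Session Access Token Request!");
    }

    /** Tells the browser to drop every {@code JSESSIONID} cookie; the session behind it is already gone. */
    private static void expireSessionCookie(HttpServletRequest request, HttpServletResponse response) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return;
        }
        for (Cookie cookie : cookies) {
            if ("JSESSIONID".equalsIgnoreCase(cookie.getName())) {
                // Max-Age 0 deletes the cookie; a negative value would only turn it into a browser-session cookie.
                cookie.setMaxAge(0);
                cookie.setPath("/");
                cookie.setComment("EXPIRING COOKIE at " + System.currentTimeMillis());
                response.addCookie(cookie);
            }
        }
    }

    /**
     * Handles a provider redirect requirement: sends the user through the entry point when redirects are
     * enabled or the login endpoint was requested (and a response exists); otherwise, unless a redirect
     * already went out, discards the preserved authorization state so a stale state key does not linger.
     *
     * @param response may be {@code null} (response-less callers); then only the state cleanup can run
     */
    private void handleRedirectRequired(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        boolean redirectEnabled = Boolean.TRUE.equals(this.filterConfig.getEnableRedirectAuthenticationEntryPoint());
        boolean loginEndpoint = request.getRequestURI().endsWith(this.filterConfig.getLoginEndpoint());
        if (response != null && (redirectEnabled || loginEndpoint)) {
            this.aep.commence(request, response, null);
        } else if (response == null || response.getStatus() != 302) {
            AccessTokenRequest accessTokenRequest = this.restTemplate.getOAuth2ClientContext().getAccessTokenRequest();
            if (accessTokenRequest != null && accessTokenRequest.getPreservedState() != null && accessTokenRequest.getStateKey() != null) {
                accessTokenRequest.remove("state");
                accessTokenRequest.remove(accessTokenRequest.getStateKey());
                accessTokenRequest.setPreservedState(null);
            }
        }
    }

    /** Logs a credential or connectivity failure from the provider, with the configured-trust hint. */
    private void logAuthenticationFailure(Exception e) {
        boolean accessDenied = e.getCause() instanceof OAuth2AccessDeniedException;
        boolean resourceAccess = e instanceof ResourceAccessException;
        if (accessDenied) {
            LOGGER.log(Level.WARNING, "Error while trying to authenticate to OAuth2 Provider with the following Exception cause:", e.getCause());
        }
        if (resourceAccess) {
            LOGGER.log(Level.SEVERE, "Could not Authorize OAuth2 Resource due to the following exception:", e);
        }
        if (resourceAccess || accessDenied) {
            LOGGER.log(Level.WARNING, "It is worth notice that if you try to validate credentials against an SSH protected Endpoint, you need either your server exposed on a secure SSL channel or OAuth2 Provider Certificate to be trusted on your JVM!");
            LOGGER.info("Please refer to the GeoServer OAuth2 Plugin Documentation in order to find the steps for importing the SSH certificates.");
        }
    }
}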
