package org.geoserver.security.filter;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.logging.Level;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.geoserver.security.config.SecurityNamedServiceConfig;
import org.geoserver.security.impl.GeoServerRole;
import org.geoserver.security.impl.GeoServerUser;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/* loaded from: input_file:org/geoserver/security/filter/GeoServerPreAuthenticationFilter.class */
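/**
 * Base class for filters that place a pre-authenticated principal into the Spring Security
 * context.
 *
 * <p>Subclasses supply the principal ({@link #getPreAuthenticatedPrincipal}) and its roles
 * ({@link #getRoles}). This class checks no credentials: the token is built with {@code null}
 * credentials and the principal returned by the subclass is accepted as-is.
 *
 * <p>NOTE(review): the whole trust decision therefore rests on where the subclass reads the
 * principal from. If that source is something a client can set directly (for example a request
 * header that the fronting proxy does not strip or overwrite), the value must not be trusted.
 * This matters most for {@link GeoServerUser#ROOT_USERNAME}, which {@link #doAuthenticate} maps
 * straight to {@link GeoServerRole#ADMIN_ROLE} without consulting {@link #getRoles}.
 */
public abstract class GeoServerPreAuthenticationFilter extends GeoServerSecurityFilter implements AuthenticationCachingFilter, GeoServerAuthenticationFilter {
    /** Builds the request details (attached to every token created by {@link #doAuthenticate}). */
    private AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> authenticationDetailsSource = new WebAuthenticationDetailsSource();

    /** Entry point published to the rest of the chain; set in {@link #initializeFromConfig}. */
    protected AuthenticationEntryPoint aep;

    /**
     * Initializes the filter from its configuration and installs a 403 entry point.
     *
     * @param securityNamedServiceConfig the configuration passed on to the superclass
     * @throws IOException if the superclass initialization fails
     */
    @Override // org.geoserver.security.impl.AbstractGeoServerSecurityService, org.geoserver.security.GeoServerSecurityService
    public void initializeFromConfig(SecurityNamedServiceConfig securityNamedServiceConfig) throws IOException {
        super.initializeFromConfig(securityNamedServiceConfig);
        // Pre-authentication has no login challenge to offer, so unauthenticated access is
        // answered with a plain 403 entry point.
        this.aep = new Http403ForbiddenEntryPoint();
    }

    /**
     * Authenticates the request if the security context is still empty, optionally stores the
     * result in the authentication cache, then continues the chain.
     *
     * @param servletRequest the incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse the response; cast to {@link HttpServletResponse} only when
     *     authentication is attempted
     * @param filterChain the remaining filter chain, always invoked
     * @throws IOException propagated from the chain
     * @throws ServletException propagated from the chain
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;

        // Inherited helper; its return value is used below as the cache key for put().
        // presumably it also restores a cached Authentication into the context - confirm in
        // GeoServerSecurityFilter.
        String cacheKey = authenticateFromCache(this, httpRequest);

        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            doAuthenticate(httpRequest, (HttpServletResponse) servletResponse);
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            boolean cacheable = authentication != null && cacheKey != null && cacheAuthentication(authentication, httpRequest);
            if (cacheable) {
                // The cache entry is keyed by filter name and cache key only; see getCacheKey()
                // for what that key is.
                getSecurityManager().getAuthenticationCache().put(getName(), cacheKey, authentication);
            }
        }

        // Publish the entry point as a request attribute before handing over to the chain.
        servletRequest.setAttribute(GeoServerSecurityFilter.AUTHENTICATION_ENTRY_POINT_HEADER, this.aep);
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Returns the principal that is considered already authenticated for this request.
     *
     * <p>Implementations must read it only from a source that clients cannot influence, because
     * {@link #doAuthenticate} accepts the returned value without any further check.
     *
     * @param httpServletRequest the current request
     * @return the principal name, or {@code null} / blank if the request carries none
     */
    protected abstract String getPreAuthenticatedPrincipal(HttpServletRequest httpServletRequest);

    /**
     * Returns the roles for a pre-authenticated principal.
     *
     * @param httpServletRequest the current request
     * @param str the principal name as returned by {@link #getPreAuthenticatedPrincipal}
     * @return the roles of the principal; the returned collection is copied, never modified
     * @throws IOException if the roles cannot be loaded
     */
    protected abstract Collection<GeoServerRole> getRoles(HttpServletRequest httpServletRequest, String str) throws IOException;

    /**
     * Builds a {@link PreAuthenticatedAuthenticationToken} for the request's principal and
     * stores it in the security context. Does nothing if the principal is {@code null} or blank.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response (not used here)
     * @throws RuntimeException wrapping the {@link IOException} if the role lookup fails; no
     *     authentication is set in that case
     */
    protected void doAuthenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String preAuthenticatedPrincipal = getPreAuthenticatedPrincipal(httpServletRequest);
        if (preAuthenticatedPrincipal == null || preAuthenticatedPrincipal.trim().isEmpty()) {
            return;
        }

        if (LOGGER.isLoggable(Level.FINE)) {
            // The principal comes from the request, so CR/LF are neutralized before logging to
            // keep it from forging additional log lines.
            String loggedPrincipal = preAuthenticatedPrincipal.replace('\r', '_').replace('\n', '_');
            LOGGER.log(Level.FINE, "preAuthenticatedPrincipal = " + loggedPrincipal + ", trying to authenticate");
        }

        PreAuthenticatedAuthenticationToken preAuthenticatedAuthenticationToken;
        if (GeoServerUser.ROOT_USERNAME.equals(preAuthenticatedPrincipal)) {
            // NOTE(review): the root name alone yields ADMIN_ROLE, with no role lookup and no
            // credentials. Safe only if clients cannot make getPreAuthenticatedPrincipal()
            // return this name; consider rejecting root on pre-authenticated paths.
            preAuthenticatedAuthenticationToken = new PreAuthenticatedAuthenticationToken(preAuthenticatedPrincipal, null, Collections.singleton(GeoServerRole.ADMIN_ROLE));
        } else {
            Collection<GeoServerRole> roles;
            try {
                // Copy before adding: the subclass may return an unmodifiable or shared
                // collection, and mutating it would either throw or leak the extra role into
                // the caller's state.
                roles = new ArrayList<GeoServerRole>(getRoles(httpServletRequest, preAuthenticatedPrincipal));
            } catch (IOException e) {
                // Fail closed: without roles no token is created.
                throw new RuntimeException(e);
            }
            if (!roles.contains(GeoServerRole.AUTHENTICATED_ROLE)) {
                roles.add(GeoServerRole.AUTHENTICATED_ROLE);
            }
            preAuthenticatedAuthenticationToken = new PreAuthenticatedAuthenticationToken(preAuthenticatedPrincipal, null, roles);
        }

        preAuthenticatedAuthenticationToken.setDetails(this.authenticationDetailsSource.buildDetails(httpServletRequest));
        SecurityContextHolder.getContext().setAuthentication(preAuthenticatedAuthenticationToken);
    }

    /**
     * @return the source used to build the details object of each created token
     */
    public AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> getAuthenticationDetailsSource() {
        return this.authenticationDetailsSource;
    }

    /**
     * @param authenticationDetailsSource the source used to build the details object of each
     *     created token
     */
    public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> authenticationDetailsSource) {
        this.authenticationDetailsSource = authenticationDetailsSource;
    }

    /**
     * @return the entry point installed by {@link #initializeFromConfig}
     */
    @Override // org.geoserver.security.impl.AbstractGeoServerSecurityService
    public AuthenticationEntryPoint getAuthenticationEntryPoint() {
        return this.aep;
    }

    /**
     * Decides whether a fresh authentication may be stored in the authentication cache.
     *
     * @param authentication the authentication just created (not inspected here)
     * @param httpServletRequest the current request
     * @return {@code true} only when the request has no existing HTTP session
     */
    protected boolean cacheAuthentication(Authentication authentication, HttpServletRequest httpServletRequest) {
        // getSession(false) never creates a session; it only reports an existing one.
        return httpServletRequest.getSession(false) == null;
    }

    /**
     * Computes the authentication cache key for a request.
     *
     * <p>NOTE(review): the key is the bare principal name, so a cached authentication is
     * selected by whatever principal the request asserts. The cache is therefore exactly as
     * trustworthy as {@link #getPreAuthenticatedPrincipal}.
     *
     * @param httpServletRequest the current request
     * @return the pre-authenticated principal, or {@code null} (no caching) when the request
     *     has an HTTP session or the principal is {@link GeoServerUser#ROOT_USERNAME}
     */
    public String getCacheKey(HttpServletRequest httpServletRequest) {
        if (httpServletRequest.getSession(false) != null) {
            return null;
        }
        String preAuthenticatedPrincipal = getPreAuthenticatedPrincipal(httpServletRequest);
        // The root user is never served from the cache.
        return GeoServerUser.ROOT_USERNAME.equals(preAuthenticatedPrincipal) ? null : preAuthenticatedPrincipal;
    }

    /**
     * @return {@code true}: this filter is applicable for HTML requests
     */
    @Override // org.geoserver.security.filter.GeoServerAuthenticationFilter
    public boolean applicableForHtml() {
        return true;
    }

    /**
     * @return {@code true}: this filter is applicable for service requests
     */
    @Override // org.geoserver.security.filter.GeoServerAuthenticationFilter
    public boolean applicableForServices() {
        return true;
    }
}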
