package com.kerb4j.server.spring;

import com.kerb4j.common.util.base64.Base64Codec;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:com/kerb4j/server/spring/SpnegoAuthenticationProcessingFilter.class */
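/**
 * Servlet filter that turns an {@code Authorization} request header into an authentication request
 * and hands it to the configured {@link AuthenticationManager}.
 *
 * <p>Two schemes are recognised: {@code Negotiate} (the Base64 token is wrapped in a
 * {@link SpnegoRequestToken}) and, when enabled, {@code Basic} (the decoded user name and password
 * are wrapped in a {@link UsernamePasswordAuthenticationToken}). Requests without a recognised
 * header are passed down the chain untouched.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>The header value is a credential. It is never written to the log; only the scheme and the
 *       header length are.</li>
 *   <li>Basic support is on by default (see the no-arg constructor). Basic carries the password in
 *       a reversible encoding, so it should only be left enabled on TLS-protected endpoints.</li>
 *   <li>The default {@link NullAuthenticatedSessionStrategy} does nothing on login. Applications
 *       that keep an HTTP session across authentication should inject a strategy that changes the
 *       session id.</li>
 * </ul>
 */
public class SpnegoAuthenticationProcessingFilter extends OncePerRequestFilter {
    private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource;
    private AuthenticationManager authenticationManager;
    private AuthenticationSuccessHandler authenticationSuccessHandler;
    private AuthenticationFailureHandler authenticationFailureHandler;
    private SessionAuthenticationStrategy sessionAuthenticationStrategy;
    private boolean skipIfAlreadyAuthenticated;
    private boolean supportBasicAuthentication;

    /** Creates a filter that accepts both Negotiate and Basic headers. */
    public SpnegoAuthenticationProcessingFilter() {
        this(true);
    }

    /**
     * Creates a filter with default collaborators.
     *
     * @param z whether {@code Basic} headers are accepted in addition to {@code Negotiate}
     */
    public SpnegoAuthenticationProcessingFilter(boolean z) {
        this.authenticationDetailsSource = new WebAuthenticationDetailsSource();
        this.sessionAuthenticationStrategy = new NullAuthenticatedSessionStrategy();
        this.skipIfAlreadyAuthenticated = true;
        this.supportBasicAuthentication = z;
    }

    /**
     * Authenticates the request from its {@code Authorization} header, if it carries a supported one.
     *
     * <p>On success the resulting {@link Authentication} is stored in the security context, the
     * optional success handler runs and the chain continues. On an {@link AuthenticationException}
     * (including a header that cannot be decoded) the context is cleared and either the failure
     * handler runs or a bare 401 is sent; the chain is not continued.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (this.skipIfAlreadyAuthenticated) {
            Authentication existing = SecurityContextHolder.getContext().getAuthentication();
            if (existing != null && existing.isAuthenticated() && !(existing instanceof AnonymousAuthenticationToken)) {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            }
        }
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        boolean negotiate = header.startsWith("Negotiate");
        boolean basic = !negotiate && this.supportBasicAuthentication && header.startsWith("Basic");
        if (!negotiate && !basic) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        String scheme = negotiate ? "Negotiate" : "Basic";
        if (negotiate && this.logger.isDebugEnabled()) {
            // Log the size only: the token itself is a credential and must not reach log storage.
            this.logger.debug("Received Negotiate Header for request " + httpServletRequest.getRequestURL() + " (" + header.length() + " characters)");
        }
        try {
            // Decoding happens inside the try so that a malformed header is answered through the
            // failure path (401 / failure handler) instead of escaping the filter as an error.
            Authentication authRequest = buildAuthenticationRequest(header, negotiate, httpServletRequest);
            Authentication authenticate = this.authenticationManager.authenticate(authRequest);
            this.sessionAuthenticationStrategy.onAuthentication(authenticate, httpServletRequest, httpServletResponse);
            SecurityContextHolder.getContext().setAuthentication(authenticate);
            if (this.authenticationSuccessHandler != null) {
                this.authenticationSuccessHandler.onAuthenticationSuccess(httpServletRequest, httpServletResponse, authenticate);
            }
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } catch (AuthenticationException e) {
            // Name the scheme, never the header value (it holds the ticket or the password).
            this.logger.warn("Authentication failed for " + scheme + " Authorization header", e);
            SecurityContextHolder.clearContext();
            if (this.authenticationFailureHandler != null) {
                this.authenticationFailureHandler.onAuthenticationFailure(httpServletRequest, httpServletResponse, e);
            } else {
                httpServletResponse.setStatus(401);
                httpServletResponse.flushBuffer();
            }
        }
    }

    /** Builds the unauthenticated request token for the header and attaches the request details. */
    private Authentication buildAuthenticationRequest(String header, boolean negotiate, HttpServletRequest request) {
        if (negotiate) {
            SpnegoRequestToken spnegoToken = decodeNegotiateHeader(header);
            spnegoToken.setDetails(this.authenticationDetailsSource.buildDetails(request));
            return spnegoToken;
        }
        String[] credentials = extractAndDecodeHeader(header);
        UsernamePasswordAuthenticationToken basicToken = new UsernamePasswordAuthenticationToken(credentials[0], credentials[1]);
        basicToken.setDetails(this.authenticationDetailsSource.buildDetails(request));
        return basicToken;
    }

    /**
     * Decodes the Base64 token that follows the first space of a {@code Negotiate} header.
     *
     * @throws BadCredentialsException if the header has no token part or the token is not valid Base64
     */
    private SpnegoRequestToken decodeNegotiateHeader(String header) {
        int separator = header.indexOf(" ");
        if (separator == -1) {
            // Without this guard the scheme name itself would be fed to the decoder.
            throw new BadCredentialsException("Invalid negotiate authentication token");
        }
        try {
            return new SpnegoRequestToken(Base64.decode(header.substring(separator + 1).getBytes(StandardCharsets.UTF_8)));
        } catch (IllegalArgumentException e) {
            // NOTE(review): assumes the decoder reports malformed input as IllegalArgumentException,
            // as the Basic path below already does for its decoder — confirm.
            throw new BadCredentialsException("Failed to decode negotiate authentication token", e);
        }
    }

    /**
     * Splits a {@code Basic} header into user name and password at the first colon.
     *
     * @param str the full header value, starting with {@code Basic}
     * @return a two-element array: user name, password
     * @throws BadCredentialsException if the header is too short, is not valid Base64 or has no colon
     */
    private String[] extractAndDecodeHeader(String str) {
        if (str.length() < 6) {
            // A bare "Basic" would otherwise fail in substring(6) with an index error, not a 401.
            throw new BadCredentialsException("Invalid basic authentication token");
        }
        try {
            String decoded = new String(Base64Codec.decode(str.substring(6)), StandardCharsets.UTF_8);
            int colon = decoded.indexOf(":");
            if (colon == -1) {
                throw new BadCredentialsException("Invalid basic authentication token");
            }
            return new String[]{decoded.substring(0, colon), decoded.substring(colon + 1)};
        } catch (IllegalArgumentException e) {
            throw new BadCredentialsException("Failed to decode basic authentication token", e);
        }
    }

    /** Verifies that an {@link AuthenticationManager} has been injected. */
    @Override
    public void afterPropertiesSet() throws ServletException {
        super.afterPropertiesSet();
        Assert.notNull(this.authenticationManager, "authenticationManager must be specified");
    }

    /** Sets the manager that validates the request tokens; required. */
    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /** Sets an optional handler invoked after a successful authentication, before the chain continues. */
    public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler) {
        this.authenticationSuccessHandler = authenticationSuccessHandler;
    }

    /** Sets an optional handler invoked on failure; without one a bare 401 is sent. */
    public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
        this.authenticationFailureHandler = authenticationFailureHandler;
    }

    /**
     * Controls whether a request that already has a non-anonymous, authenticated security context
     * bypasses header processing.
     *
     * @param z {@code true} (the default) to skip such requests
     */
    public void setSkipIfAlreadyAuthenticated(boolean z) {
        this.skipIfAlreadyAuthenticated = z;
    }

    /** Sets the strategy notified after a successful authentication; the default does nothing. */
    public void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy) {
        this.sessionAuthenticationStrategy = sessionAuthenticationStrategy;
    }

    /** Sets the source of the details object attached to each request token; must not be null. */
    public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
        Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
        this.authenticationDetailsSource = authenticationDetailsSource;
    }

    /**
     * Enables or disables acceptance of {@code Basic} headers.
     *
     * @param z {@code false} to accept {@code Negotiate} only
     */
    public void setSupportBasicAuthentication(boolean z) {
        this.supportBasicAuthentication = z;
    }
}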
