package edu.kit.datamanager.security.filter;

import com.nimbusds.jose.proc.BadJOSEException;
import edu.kit.datamanager.entities.RepoUserRole;
import edu.kit.datamanager.exceptions.InvalidAuthenticationException;
import edu.kit.datamanager.util.NetworkUtils;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.MalformedJwtException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:edu/kit/datamanager/security/filter/KeycloakTokenFilter.class */
public class KeycloakTokenFilter extends OncePerRequestFilter {
    private static final Logger LOG = LoggerFactory.getLogger(KeycloakTokenFilter.class);
    private static final String BEARER = "Bearer ";
    public static final String AUTHORIZATION_HEADER = "Authorization";
    public static final String BASIC_AUTH_PREFIX = "BASIC";
    private final KeycloakTokenValidator tokenValidator;
    private JwtAuthenticationToken jwToken;

    public KeycloakTokenFilter(KeycloakTokenValidator keycloakTokenValidator) {
        this.tokenValidator = keycloakTokenValidator;
    }

    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        String header = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
        boolean z = false;
        if (header == null || header.toUpperCase().startsWith(BASIC_AUTH_PREFIX) || !header.startsWith(BEARER)) {
            LOG.info("Bearer token not being sent in Headers.");
        } else {
            LOG.trace("Starting JWT filtering.");
            try {
                if (header.length() > BEARER.length()) {
                    header = header.substring(BEARER.length());
                }
                boolean z2 = false;
                if (this.tokenValidator.supportsLocalJwt() && attemptLocalAuthentication(httpServletRequest, httpServletResponse, header)) {
                    LOG.trace("Authenticated using local JWT secret.");
                    z2 = true;
                    z = true;
                }
                if (!z2) {
                    LOG.trace("Validating received JWT.");
                    this.jwToken = this.tokenValidator.validate(header);
                    LOG.trace("JWT validation finished. Checking result.");
                    if (this.jwToken == null || SecurityContextHolder.getContext().getAuthentication() != null) {
                        LOG.info("Invalid Request: Token is expired or tampered");
                        httpServletResponse.sendError(401, "Unauthorized: Token is expired or tampered");
                        return;
                    }
                    LOG.trace("Authenticated username: {}", this.jwToken.getPrincipal());
                    if (this.jwToken.getAuthorities().stream().filter(grantedAuthority -> {
                        return grantedAuthority.getAuthority().equals(RepoUserRole.INACTIVE.toString());
                    }).count() > 0) {
                        LOG.debug("User roles contain ROLE_INACTIVE. Access denied for user.");
                        httpServletResponse.sendError(403, "Unauthorized: User is marked inactive.");
                        return;
                    } else {
                        setContext(httpServletRequest, this.jwToken);
                        z = true;
                    }
                }
            } catch (BadJOSEException | IOException | MalformedJwtException e) {
                LOG.error("Failed to validate JWT.", e);
            }
        }
        if (z) {
            LOG.trace("Valid authentication context set from JWT. Continue with filterChain.");
        } else {
            LOG.trace("Continue with filterChain as no valid JWT authentication was found.");
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    private boolean attemptLocalAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        boolean z = false;
        try {
            Set entrySet = ((Claims) this.tokenValidator.getJwsClaims(str).getBody()).entrySet();
            HashMap hashMap = new HashMap();
            entrySet.forEach(entry -> {
                hashMap.put((String) entry.getKey(), entry.getValue());
            });
            this.jwToken = JwtAuthenticationToken.factoryToken(str, hashMap);
            if ((this.jwToken instanceof JwtServiceToken) && ((JwtServiceToken) this.jwToken).getSources() != null) {
                JwtServiceToken jwtServiceToken = (JwtServiceToken) this.jwToken;
                LOG.debug("Performing source check for JWToken for service {} and sources {}.", jwtServiceToken.getPrincipal(), Arrays.asList(jwtServiceToken.getSources()));
                String remoteAddr = httpServletRequest.getRemoteAddr();
                LOG.debug("Trying to match remote address {} with at least one allowed source.", remoteAddr);
                boolean z2 = false;
                String[] sources = jwtServiceToken.getSources();
                int length = sources.length;
                int i = 0;
                while (true) {
                    if (i >= length) {
                        break;
                    }
                    if (NetworkUtils.matches(remoteAddr, sources[i])) {
                        z2 = true;
                        break;
                    }
                    i++;
                }
                if (!z2) {
                    LOG.warn("Invalid request from remote address {} to service {} found. Request denied.", remoteAddr, jwtServiceToken.getPrincipal());
                    throw new InvalidAuthenticationException("You are not allowed to authenticate using the provided token from your current location.");
                }
            }
            LOG.trace("JWT validation finished. Checking result.");
            if (this.jwToken == null || SecurityContextHolder.getContext().getAuthentication() != null) {
                try {
                    LOG.info("Invalid Request: Token is expired or tampered");
                    httpServletResponse.sendError(401, "Unauthorized: Token is expired or tampered");
                } catch (IOException e) {
                    LOG.error("Failed to send Unauthorized response back to client.", e);
                }
            } else {
                LOG.info("Authenticated username: {}", this.jwToken.getPrincipal());
                setContext(httpServletRequest, this.jwToken);
            }
            z = true;
        } catch (ExpiredJwtException e2) {
            LOG.debug("Provided token has expired. Refresh of login required.", e2);
            throw new InvalidAuthenticationException("Your token has expired. Please refresh your login.");
        } catch (MalformedJwtException e3) {
            LOG.debug("Provided token is malformed.", e3);
            throw new MalformedJwtException("Your token is malformed.");
        } catch (IllegalArgumentException e4) {
            LOG.debug("Illegal argument exception while local authentication attempt.", e4);
        }
        return z;
    }

    private void setContext(HttpServletRequest httpServletRequest, JwtAuthenticationToken jwtAuthenticationToken) {
        LOG.trace("Setting authentication context.");
        jwtAuthenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpServletRequest));
        SecurityContextHolder.getContext().setAuthentication(jwtAuthenticationToken);
        LOG.trace("Setting request attribute 'username' to {}.", jwtAuthenticationToken.getPrincipal());
        httpServletRequest.setAttribute(JwtAuthenticationToken.USERNAME_CLAIM, jwtAuthenticationToken.getPrincipal());
    }

    public boolean isValid() {
        return this.tokenValidator.isValid();
    }
}
