package pl.edu.icm.unity.webui.authn;

import java.io.IOException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.hc.core5.net.URIBuilder;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.AuthenticationFlow;
import pl.edu.icm.unity.engine.api.authn.AuthenticatorInstance;
import pl.edu.icm.unity.engine.api.authn.AuthenticatorStepContext;
import pl.edu.icm.unity.engine.api.endpoint.BindingAuthn;
import pl.edu.icm.unity.types.authn.AuthenticationOptionKeyUtils;
import pl.edu.icm.unity.types.authn.AuthenticationRealm;
import pl.edu.icm.unity.webui.VaadinRequestMatcher;

/* loaded from: input_file:pl/edu/icm/unity/webui/authn/ProxyAuthenticationFilter.class */
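/**
 * Servlet filter which, before passing a request down the chain, may hand it over to one of the
 * endpoint's first factor authenticators for automated ("proxy") authentication.
 *
 * <p>Automated authentication is attempted when the filter was created with {@code triggerByDefault}
 * set, or when the request carries the {@link #TRIGGERING_PARAM} parameter with a value parsed as
 * {@code true}. It is skipped for requests recognised by {@code VaadinRequestMatcher} and for
 * requests whose existing session already holds the {@link #AUTOMATED_LOGIN_FIRED} attribute.
 *
 * <p>Security note: both the triggering parameter and the authenticator selection parameter
 * ({@code PreferredAuthenticationHelper.IDP_SELECT_PARAM}) are read from the unauthenticated
 * request, so they are untrusted input. The selection is only ever used as a lookup key into the
 * map of authenticators configured for this endpoint, so it cannot address an authenticator that
 * is not installed here.
 */
public class ProxyAuthenticationFilter implements Filter {
    private static final Logger log = Log.getLogger("unity.server.web", ProxyAuthenticationFilter.class);

    /** Request parameter which, when it parses as {@code true}, requests automated login. */
    public static final String TRIGGERING_PARAM = "uy_auto_login";

    /**
     * Session attribute whose presence makes this filter skip automated login. This class only reads
     * it; the code that sets it is not part of this file.
     */
    public static final String AUTOMATED_LOGIN_FIRED = "automaticLoginWasTriggered";

    // Replaced wholesale by updateAuthenticators(); never mutated in place.
    // NOTE(review): the reference is swapped without synchronization or volatile. If
    // updateAuthenticators() can run while requests are being filtered, confirm that visibility of
    // the new map to request threads is guaranteed by the caller.
    private Map<String, RetrievalWithFlow> authenticators;
    private final String endpointPath;
    private final boolean triggerByDefault;
    private final AuthenticationRealm realm;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:pl/edu/icm/unity/webui/authn/ProxyAuthenticationFilter$RetrievalWithFlow.class */
    /** Pairs an authenticator's retrieval with the authentication flow it was taken from. */
    public static class RetrievalWithFlow {
        final AuthenticationFlow flow;
        final BindingAuthn retrieval;

        RetrievalWithFlow(AuthenticationFlow authenticationFlow, BindingAuthn bindingAuthn) {
            this.flow = authenticationFlow;
            this.retrieval = bindingAuthn;
        }
    }

    /**
     * Creates the filter.
     *
     * @param list flows whose first factor authenticators may be used for automated login
     * @param str endpoint path, passed on to the authenticator when it is triggered
     * @param z when {@code true}, automated login is attempted even without {@link #TRIGGERING_PARAM}
     * @param authenticationRealm realm placed in the step context given to the authenticator
     */
    public ProxyAuthenticationFilter(List<AuthenticationFlow> list, String str, boolean z, AuthenticationRealm authenticationRealm) {
        this.endpointPath = str;
        this.triggerByDefault = z;
        this.realm = authenticationRealm;
        updateAuthenticators(list);
    }

    /**
     * Rebuilds the authenticator lookup map from the first factor authenticators of the given flows,
     * keyed by authenticator id. A later entry with the same id overwrites an earlier one.
     *
     * @param list flows to index
     */
    public void updateAuthenticators(List<AuthenticationFlow> list) {
        Map<String, RetrievalWithFlow> rebuilt = new HashMap<>();
        for (AuthenticationFlow authenticationFlow : list) {
            for (AuthenticatorInstance authenticatorInstance : authenticationFlow.getFirstFactorAuthenticators()) {
                BindingAuthn retrieval = authenticatorInstance.getRetrieval();
                rebuilt.put(retrieval.getAuthenticatorId(), new RetrievalWithFlow(authenticationFlow, retrieval));
            }
        }
        // Publish the fully built map in one assignment so readers never see a half-filled map.
        this.authenticators = rebuilt;
    }

    /**
     * Serializes the request parameters, minus the two parameters which control this filter, using
     * {@code URIBuilder} so that names and values are encoded.
     *
     * <p>NOTE(review): {@code getParameterMap()} also exposes form-encoded body parameters, so for a
     * POST these would be copied into the returned query string. Confirm that callers never log or
     * redirect with that value when the body may carry secrets.
     */
    private static String filteredQuery(HttpServletRequest httpServletRequest) {
        Map<String, String[]> parameterMap = httpServletRequest.getParameterMap();
        URIBuilder uRIBuilder = new URIBuilder();
        for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
            String name = entry.getKey();
            if (name.equals(TRIGGERING_PARAM) || name.equals(PreferredAuthenticationHelper.IDP_SELECT_PARAM)) {
                // Dropped so that following the resulting URL does not re-trigger automated login.
                continue;
            }
            for (String value : entry.getValue()) {
                uRIBuilder.addParameter(name, value);
            }
        }
        return uRIBuilder.toString();
    }

    /**
     * Returns the originally requested URI (taken from the servlet forward attribute, {@code "/"}
     * when absent) followed by the filtered query, if the request had a query string.
     *
     * <p>The result is assembled entirely from request data. NOTE(review): if a caller uses it as a
     * redirect target, it should verify the value stays a same-origin relative path (for example it
     * must not start with {@code //}); this method performs no such check.
     *
     * @param httpServletRequest current request
     * @return relative URL with the filter's own control parameters removed
     */
    public static String getCurrentRelativeURL(HttpServletRequest httpServletRequest) {
        String forwardedUri = (String) httpServletRequest.getAttribute("javax.servlet.forward.request_uri");
        String path = forwardedUri == null ? "/" : forwardedUri;
        String query = httpServletRequest.getQueryString() == null ? "" : filteredQuery(httpServletRequest);
        return path + query;
    }

    /**
     * Attempts automated proxy authentication; when the authenticator reports that it handled the
     * request, the rest of the chain is not invoked.
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (triggerProxyAuthentication((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse)) {
            return;
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Selects the authenticator for automated login and invokes it.
     *
     * @return {@code true} only when the authenticator handled the request
     */
    private boolean triggerProxyAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!isAutomatedAuthenticationDesired(httpServletRequest)) {
            return false;
        }
        // Work on one snapshot so the size check and the lookup below see the same map even if
        // updateAuthenticators() swaps the field in between.
        Map<String, RetrievalWithFlow> current = this.authenticators;
        String parameter = httpServletRequest.getParameter(PreferredAuthenticationHelper.IDP_SELECT_PARAM);
        if (parameter == null) {
            if (current.isEmpty()) {
                // Without this guard iterator().next() below throws NoSuchElementException and the
                // request fails instead of falling through to the regular login.
                log.error("There are no authenticators installed, and automated login was requested. Automatic login is skipped.");
                return false;
            }
            if (current.size() > 1) {
                log.error("There are more multiple authenticators installed, and automated login was requested without specifying (with uy_select_authn) which one should be used. Automatic login is skipped.");
                return false;
            }
        }
        // NOTE(review): parameter is untrusted; confirm decodeAuthenticator tolerates malformed values.
        String next = parameter == null ? current.keySet().iterator().next() : AuthenticationOptionKeyUtils.decodeAuthenticator(parameter);
        RetrievalWithFlow retrievalWithFlow = current.get(next);
        if (retrievalWithFlow != null) {
            return triggerProxyAuthenticator(retrievalWithFlow, httpServletRequest, httpServletResponse, parameter);
        }
        // The id comes from a URL-decoded request parameter, so strip line breaks before logging it.
        log.error("There is no authenticator which was provided as the one which should perform automated proxy authentication: {}", sanitizeForLog(next));
        return false;
    }

    /** Replaces CR and LF so a request-derived value cannot start a forged log line. */
    private static String sanitizeForLog(String value) {
        return value == null ? null : value.replace('\r', '_').replace('\n', '_');
    }

    /**
     * Decides whether automated login should be attempted for this request: never for Vaadin
     * requests or when it was already triggered in the session, otherwise when enabled by default
     * or requested with {@link #TRIGGERING_PARAM}.
     */
    private boolean isAutomatedAuthenticationDesired(HttpServletRequest httpServletRequest) {
        if (VaadinRequestMatcher.isVaadinRequest(httpServletRequest)) {
            log.trace("Ignoring request to Vaadin internal address/Unity initiated {}", httpServletRequest.getRequestURI());
            return false;
        }
        if (autoLoginWasAlreadyTriggered(httpServletRequest)) {
            log.trace("Ignoring request as auto login was already triggered");
            return false;
        }
        if (this.triggerByDefault) {
            return true;
        }
        // parseBoolean(null) is false, so a missing parameter means "not requested".
        return Boolean.parseBoolean(httpServletRequest.getParameter(TRIGGERING_PARAM));
    }

    /** Checks the existing session (none is created) for the {@link #AUTOMATED_LOGIN_FIRED} marker. */
    private boolean autoLoginWasAlreadyTriggered(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        return session != null && session.getAttribute(AUTOMATED_LOGIN_FIRED) != null;
    }

    /**
     * Invokes the automated authentication handler of the selected authenticator as a first factor.
     * Any exception thrown by the handler is logged and treated as "request not handled", so the
     * request continues down the filter chain.
     *
     * @param str raw value of the selection parameter; not used by this method
     * @return the handler's result, or {@code false} when the authenticator does not support
     *     automated proxy authentication or the handler failed
     */
    private boolean triggerProxyAuthenticator(RetrievalWithFlow retrievalWithFlow, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        if (!(retrievalWithFlow.retrieval instanceof ProxyAuthenticationCapable)) {
            log.error("The authenticator {} configured for automated proxy authentication is not supporting this feature", retrievalWithFlow.retrieval.getAuthenticatorId());
            return false;
        }
        ProxyAuthenticationCapable proxyAuthenticationCapable = (ProxyAuthenticationCapable) retrievalWithFlow.retrieval;
        try {
            log.info("Invoking automated proxy authentication handler of {}", proxyAuthenticationCapable.getAuthenticatorId());
            AuthenticatorStepContext stepContext = new AuthenticatorStepContext(this.realm, retrievalWithFlow.flow, this.endpointPath, AuthenticatorStepContext.FactorOrder.FIRST);
            boolean handled = proxyAuthenticationCapable.triggerAutomatedAuthentication(httpServletRequest, httpServletResponse, this.endpointPath, stepContext);
            if (handled) {
                log.info("Automated proxy authentication of {} handled the request", proxyAuthenticationCapable.getAuthenticatorId());
            } else {
                log.debug("Automated proxy authentication of {} ignored the request", proxyAuthenticationCapable.getAuthenticatorId());
            }
            return handled;
        } catch (Exception e) {
            // Deliberately broad: a failing authenticator must not break the regular login path.
            log.error("Can not invoke automated proxy authentication", e);
            return false;
        }
    }

    /** No initialization is needed. */
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** No resources to release. */
    public void destroy() {
    }
}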
