package org.genesys.blocks.security.filter;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.genesys.blocks.oauth.service.OAuthClientService;
import org.genesys.blocks.tokenauth.model.ApiToken;
import org.genesys.blocks.tokenauth.service.ApiTokenService;
import org.genesys.blocks.tokenauth.spring.ApiTokenAuthenticationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:org/genesys/blocks/security/filter/InvalidatedTokenFilter.class */
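/**
 * Servlet filter that rejects requests carrying a revoked or expired credential in the
 * {@code Authorization} header before the rest of the filter chain runs.
 *
 * <p>Two credential schemes are checked:
 * <ul>
 *   <li>{@code Bearer}: the token must resolve to an {@link OAuth2Authorization}, its access
 *       token must still be active, and the registered client must be active.</li>
 *   <li>{@link ApiTokenAuthenticationFilter#AUTHORIZATION_TYPE}: the token must be known to the
 *       {@link ApiTokenService} and its credentials must not be expired.</li>
 * </ul>
 *
 * <p>Requests with no {@code Authorization} header, or with any other scheme, pass through
 * unchecked; this filter only vetoes, it does not authenticate.
 *
 * <p>NOTE(review): every rejection is raised as an
 * {@link AuthenticationCredentialsNotFoundException} from inside the filter. Whether that becomes
 * a 401 or an unhandled error depends on where this filter sits relative to Spring Security's
 * exception translation, so confirm the filter order in the security configuration.
 */
public class InvalidatedTokenFilter extends OncePerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(InvalidatedTokenFilter.class);

    /** Scheme prefix (including the separating space) of an OAuth2 bearer credential. */
    private static final String BEARER_PREFIX = "Bearer ";

    /**
     * Offset at which the raw API token starts in the header value. Kept from the original code;
     * presumably the length of {@code AUTHORIZATION_TYPE} plus a separator. TODO confirm.
     */
    private static final int API_TOKEN_OFFSET = 10;

    private final OAuth2AuthorizationService authorizationService;
    private final ApiTokenService apiTokenService;
    private final OAuthClientService oAuthClientService;

    /**
     * Creates the filter.
     *
     * @param oAuth2AuthorizationService lookup service for OAuth2 authorizations by access token
     * @param apiTokenService API token store; may be {@code null}, in which case every request
     *     using the API token scheme is rejected
     * @param oAuthClientService used to check that the client owning a bearer token is active
     */
    public InvalidatedTokenFilter(OAuth2AuthorizationService oAuth2AuthorizationService, ApiTokenService apiTokenService, OAuthClientService oAuthClientService) {
        this.authorizationService = oAuth2AuthorizationService;
        this.apiTokenService = apiTokenService;
        this.oAuthClientService = oAuthClientService;
    }

    /**
     * Validates the credential in the {@code Authorization} header, then continues the chain.
     *
     * @throws AuthenticationCredentialsNotFoundException if the presented bearer or API token is
     *     missing, unknown, inactive or expired, or if the owning OAuth client is not active
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        String header = httpServletRequest.getHeader("Authorization");
        if (StringUtils.isNotBlank(header)) {
            // Authentication scheme names are case-insensitive (RFC 7235). A case-sensitive match
            // here would let "bearer <revoked-token>" skip the revocation check while a
            // case-insensitive resolver further down the chain still accepts the token.
            if (StringUtils.startsWithIgnoreCase(header, BEARER_PREFIX)) {
                checkBearerToken(header.substring(BEARER_PREFIX.length()));
            } else if (StringUtils.startsWithIgnoreCase(header, ApiTokenAuthenticationFilter.AUTHORIZATION_TYPE)) {
                checkApiToken(header);
            }
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /** Rejects a bearer token that is blank, unknown, inactive, or owned by an inactive client. */
    private void checkBearerToken(String tokenValue) {
        // Reject an empty token here rather than passing it to the lookup service, so a bare
        // "Bearer " header fails as an authentication error instead of whatever the service
        // does with an empty argument.
        if (StringUtils.isBlank(tokenValue)) {
            throw new AuthenticationCredentialsNotFoundException("Access token is invalidated");
        }
        OAuth2Authorization authorization = this.authorizationService.findByToken(tokenValue, OAuth2TokenType.ACCESS_TOKEN);
        if (authorization == null) {
            throw new AuthenticationCredentialsNotFoundException("Access token is invalidated");
        }
        OAuth2Authorization.Token accessToken = authorization.getAccessToken();
        // NOTE(review): an authorization without an access token is allowed through, as in the
        // original code. Confirm that this cannot happen for a lookup by ACCESS_TOKEN, or fail
        // closed here.
        if (accessToken != null && !accessToken.isActive()) {
            // Only the authorization id is logged, never the token value.
            log.debug("Access token is invalidated for authorization id = {}", authorization.getId());
            throw new AuthenticationCredentialsNotFoundException("Access token is invalidated");
        }
        if (!this.oAuthClientService.isClientActive(authorization.getRegisteredClientId())) {
            log.debug("Client {} is not active", authorization.getRegisteredClientId());
            throw new AuthenticationCredentialsNotFoundException("Client is not active");
        }
    }

    /** Rejects an API token header whose token is missing, unknown, or expired. */
    private void checkApiToken(String header) {
        if (this.apiTokenService == null) {
            log.warn("Cannot check API-Token validity without ApiTokenService");
            throw new AuthenticationCredentialsNotFoundException("API-Token authentication not supported");
        }
        // A header holding only the scheme name is shorter than the offset; an unguarded
        // substring() would throw StringIndexOutOfBoundsException on that client-supplied value.
        String rawToken = header.length() > API_TOKEN_OFFSET ? header.substring(API_TOKEN_OFFSET) : "";
        if (StringUtils.isBlank(rawToken)) {
            throw new AuthenticationCredentialsNotFoundException("Invalid API token");
        }
        ApiToken token = this.apiTokenService.getToken(this.apiTokenService.encodeToken(rawToken));
        if (token == null) {
            throw new AuthenticationCredentialsNotFoundException("Invalid API token");
        }
        if (!token.isCredentialsNonExpired()) {
            throw new AuthenticationCredentialsNotFoundException("API token expired");
        }
    }
}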
