package org.mitre.openid.connect.filter;

import com.google.common.base.Splitter;
import com.google.common.base.Strings;
import java.io.IOException;
import java.net.URISyntaxException;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.http.client.utils.URIBuilder;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.openid.connect.request.ConnectRequestParameters;
import org.mitre.openid.connect.web.AuthenticationTimeStamper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.endpoint.RedirectResolver;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.GenericFilterBean;

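/**
 * Servlet filter that pre-processes OpenID Connect authorization requests before they reach the
 * {@code /authorize} endpoint. For such requests it
 * <ul>
 *   <li>mirrors the {@code login_hint} parameter into the HTTP session (or clears a stale one),</li>
 *   <li>honours {@code prompt=none} by answering an unauthenticated request with a
 *       {@code login_required} error on the client's resolved redirect URI instead of a login page,</li>
 *   <li>honours {@code prompt=login} by dropping the current authentication so the user is
 *       prompted again, and</li>
 *   <li>enforces {@code max_age} (request value, else the client's default) by dropping an
 *       authentication whose timestamp is older than allowed.</li>
 * </ul>
 * Requests for any other path are passed down the chain untouched. The filter holds no mutable
 * state beyond its injected collaborators.
 */
@Component("authRequestFilter")
/* loaded from: input_file:WEB-INF/lib/openid-connect-server-1.2.0.jar:org/mitre/openid/connect/filter/AuthorizationRequestFilter.class */
public class AuthorizationRequestFilter extends GenericFilterBean {
    private static final Logger logger = LoggerFactory.getLogger(AuthorizationRequestFilter.class);

    /**
     * Session attribute marking that the user has already been prompted to log in. It is read and
     * cleared here; presumably set by the login flow (not set anywhere in this class).
     */
    public static final String PROMPTED = "PROMPT_FILTER_PROMPTED";

    /**
     * Session attribute set here when {@code prompt=login} is requested so that the login flow can
     * act on it (its consumer is not visible in this class).
     */
    public static final String PROMPT_REQUESTED = "PROMPT_FILTER_REQUESTED";

    /** Parses the raw request parameters into an {@link AuthorizationRequest}. */
    @Autowired
    private OAuth2RequestFactory authRequestFactory;

    /** Looks up the registered client named by {@code client_id}. */
    @Autowired
    private ClientDetailsEntityService clientService;

    /** Resolves (and is expected to validate) the requested redirect URI against the client's registration. */
    @Autowired
    private RedirectResolver redirectResolver;

    /**
     * Inspects authorization requests and applies the {@code login_hint}, {@code prompt} and
     * {@code max_age} handling described on the class; every other request is forwarded as-is.
     *
     * @param servletRequest  the incoming request, expected to be an {@link HttpServletRequest}
     * @param servletResponse the response, expected to be an {@link HttpServletResponse}
     * @param filterChain     the remainder of the filter chain
     * @throws IOException      propagated from the chain or from writing an error/redirect response
     * @throws ServletException propagated from the chain
     */
    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        // Only authorization requests are inspected; everything else passes straight through.
        if (!request.getServletPath().startsWith("/authorize")) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // The session is only needed for /authorize, so it is obtained after the path check to
        // avoid creating a session (and session cookie) for every request this filter sees.
        HttpSession session = request.getSession();

        AuthorizationRequest authRequest;
        ClientDetailsEntity client = null;
        try {
            authRequest = this.authRequestFactory.createAuthorizationRequest(createRequestMap(request.getParameterMap()));
            if (!Strings.isNullOrEmpty(authRequest.getClientId())) {
                client = this.clientService.loadClientByClientId(authRequest.getClientId());
            }
        } catch (InvalidClientException e) {
            // Best effort: an unknown client is reported by the authorization endpoint itself.
            // The try block is kept narrow so that an exception raised further down the chain can
            // never cause the chain to be invoked a second time from this handler.
            logger.debug("Could not resolve the client of an authorization request, passing it through", e);
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        rememberLoginHint(session, authRequest);

        String prompt = (String) authRequest.getExtensions().get(ConnectRequestParameters.PROMPT);
        if (prompt != null) {
            handlePrompt(prompt, authRequest, client, session, request, response, filterChain);
            return;
        }

        // No prompt parameter: fall back to max_age enforcement. A rejected max_age has already
        // received an error response and must not continue down the chain.
        if (!enforceMaxAge(authRequest, client, session, response)) {
            return;
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Copies the {@code login_hint} extension into the session, or removes any previous value when
     * the current request does not carry one.
     */
    private void rememberLoginHint(HttpSession session, AuthorizationRequest authRequest) {
        Object loginHint = authRequest.getExtensions().get(ConnectRequestParameters.LOGIN_HINT);
        if (loginHint != null) {
            session.setAttribute(ConnectRequestParameters.LOGIN_HINT, loginHint);
        } else {
            session.removeAttribute(ConnectRequestParameters.LOGIN_HINT);
        }
    }

    /**
     * Applies the space-separated {@code prompt} values. {@code none} takes precedence over
     * {@code login}; any other value is ignored and the request continues down the chain.
     *
     * @throws IOException      from the chain or from writing an error/redirect response
     * @throws ServletException from the chain
     */
    private void handlePrompt(String prompt, AuthorizationRequest authRequest, ClientDetailsEntity client,
            HttpSession session, HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        List<String> prompts = Splitter.on(" ").splitToList(prompt);

        if (prompts.contains("none")) {
            if (SecurityContextHolder.getContext().getAuthentication() == null) {
                // The client asked not to show any UI, so an unauthenticated user cannot be logged
                // in here; report login_required to the client instead of rendering a login page.
                logger.info("Client requested no prompt");
                sendLoginRequired(authRequest, client, response);
                return;
            }
            filterChain.doFilter(request, response);
            return;
        }

        if (prompts.contains(ConnectRequestParameters.PROMPT_LOGIN)) {
            if (session.getAttribute(PROMPTED) == null) {
                // First time through: flag the request and drop the current authentication so the
                // user is forced to log in again.
                session.setAttribute(PROMPT_REQUESTED, Boolean.TRUE);
                SecurityContextHolder.getContext().setAuthentication(null);
            } else {
                // The user has already been prompted for this request; consume the marker.
                session.removeAttribute(PROMPTED);
            }
        }
        filterChain.doFilter(request, response);
    }

    /**
     * Answers a {@code prompt=none} request from an unauthenticated user with a
     * {@code login_required} error delivered via the client's resolved redirect URI, echoing
     * {@code state} when present. Without a known client and a requested redirect URI there is no
     * trustworthy destination, so a plain 403 is sent instead.
     *
     * @throws IOException from writing the redirect or error response
     */
    private void sendLoginRequired(AuthorizationRequest authRequest, ClientDetailsEntity client, HttpServletResponse response) throws IOException {
        if (client == null || authRequest.getRedirectUri() == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
            return;
        }
        try {
            // Only a resolver-approved redirect URI may receive the error; the raw request value is
            // never used directly.
            URIBuilder redirect = new URIBuilder(this.redirectResolver.resolveRedirect(authRequest.getRedirectUri(), client));
            redirect.addParameter("error", ConnectRequestParameters.LOGIN_REQUIRED);
            if (!Strings.isNullOrEmpty(authRequest.getState())) {
                redirect.addParameter("state", authRequest.getState());
            }
            response.sendRedirect(redirect.toString());
        } catch (URISyntaxException e) {
            logger.error("Can't build redirect URI for prompt=none, sending error instead", e);
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
        }
    }

    /**
     * Enforces {@code max_age}: the request parameter overrides the client's default; when neither
     * is set nothing happens. An authentication whose recorded timestamp is older than the allowed
     * number of seconds is cleared so that the user has to authenticate again.
     *
     * @return {@code true} when the request may continue down the chain, {@code false} when an
     *         error response has already been written (malformed {@code max_age})
     * @throws IOException from writing the error response
     */
    private boolean enforceMaxAge(AuthorizationRequest authRequest, ClientDetailsEntity client, HttpSession session, HttpServletResponse response) throws IOException {
        Integer maxAge = client != null ? client.getDefaultMaxAge() : null;

        String requested = (String) authRequest.getExtensions().get(ConnectRequestParameters.MAX_AGE);
        if (requested != null) {
            try {
                maxAge = Integer.valueOf(requested);
            } catch (NumberFormatException e) {
                // max_age comes straight from the request; a malformed value used to surface as an
                // uncaught exception, so it is rejected explicitly instead.
                logger.warn("Rejecting authorization request with a non-numeric max_age parameter");
                response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid max_age");
                return false;
            }
        }

        if (maxAge != null) {
            Date authTime = (Date) session.getAttribute(AuthenticationTimeStamper.AUTH_TIMESTAMP);
            if (authTime != null) {
                long ageSeconds = (System.currentTimeMillis() - authTime.getTime()) / 1000;
                if (ageSeconds > maxAge.longValue()) {
                    SecurityContextHolder.getContext().setAuthentication(null);
                }
            }
        }
        return true;
    }

    /**
     * Flattens the servlet parameter map to one value per parameter (the first value wins), which
     * is the single-valued map taken by {@code createAuthorizationRequest}. Parameters with no
     * values are dropped.
     */
    private Map<String, String> createRequestMap(Map<String, String[]> parameterMap) {
        Map<String, String> flat = new HashMap<String, String>();
        for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
            String[] values = entry.getValue();
            if (values != null && values.length > 0) {
                flat.put(entry.getKey(), values[0]);
            }
        }
        return flat;
    }
}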
