package nl.nn.adapterframework.management.security;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.io.IOException;
import java.net.URL;
import java.text.ParseException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;

/* loaded from: input_file:nl/nn/adapterframework/management/security/JwtSecurityFilter.class */
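/**
 * Servlet filter that authenticates management requests with a JWT bearer token.
 *
 * <p>For each request the token is read from the {@code Authentication} header, verified with
 * keys loaded from the configured JWKS endpoint, and the resulting {@link Authentication} is
 * placed in the Spring Security context before the rest of the filter chain runs. A verified
 * token is also stored in the HTTP session so that a later request carrying the same JWT can
 * reuse it.
 *
 * <p>NOTE(review): the header read here is {@code Authentication}, not the standard
 * {@code Authorization}; it must match whatever the calling side sends.
 */
public class JwtSecurityFilter implements Filter, InitializingBean {
    private static final String JWT_TOKEN_CONTEXT_KEY = "JWT_TOKEN_CONTEXT_KEY";
    /** Name of the request header the bearer token is read from. */
    private static final String AUTHENTICATION_HEADER = "Authentication";
    /** Scheme prefix, including the separating space, that must precede the JWT. */
    private static final String BEARER_PREFIX = "Bearer ";

    private ConfigurableJWTProcessor<SecurityContext> jwtProcessor;

    @Value("${management.gateway.http.jwks.endpoint}")
    private String jwksEndpoint;
    private final Logger log = LogManager.getLogger(JwtSecurityFilter.class);
    private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder.getContextHolderStrategy();

    /** No per-filter configuration is read; the processor is built in {@link #afterPropertiesSet()}. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Authenticates the request and, on success, continues the filter chain with the
     * authentication installed in the security context.
     *
     * @param servletRequest the incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse the response passed on to the chain
     * @param filterChain the remaining filters
     * @throws IOException if no acceptable JWT was supplied, or the chain fails with an I/O error
     * @throws ServletException if the chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        try {
            org.springframework.security.core.context.SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
            context.setAuthentication(getAuthenticationToken((HttpServletRequest) servletRequest));
            this.securityContextHolderStrategy.setContext(context);
            filterChain.doFilter(servletRequest, servletResponse);
        } catch (IOException e) {
            this.securityContextHolderStrategy.clearContext();
            this.log.debug("Failed to process authentication request", e);
            throw e;
        } catch (ServletException | RuntimeException e) {
            // Any failure must drop the authentication, not only an I/O failure; otherwise the
            // context set above stays attached to the holder after the request has failed.
            this.securityContextHolderStrategy.clearContext();
            throw e;
        }
        // NOTE(review): on the success path the context is left in place. Confirm that another
        // filter clears it once the request completes.
    }

    /**
     * Extracts the bearer token from the request and returns the matching authentication,
     * reusing the one stored in the session when it accepts the presented JWT.
     *
     * @param httpServletRequest the request carrying the {@code Authentication} header
     * @return the authentication for the presented JWT
     * @throws IOException if the header is missing or malformed, or the JWT cannot be verified
     */
    private Authentication getAuthenticationToken(HttpServletRequest httpServletRequest) throws IOException {
        String header = httpServletRequest.getHeader(AUTHENTICATION_HEADER);
        // Require the scheme as a prefix. A substring match would accept "Bearer" anywhere in
        // the value, and a value shorter than the prefix would make substring() throw.
        String jwt = header != null && header.startsWith(BEARER_PREFIX)
                ? header.substring(BEARER_PREFIX.length())
                : null;
        if (StringUtils.isBlank(jwt)) {
            this.securityContextHolderStrategy.clearContext();
            this.log.debug("Failed to process authentication request");
            throw new IOException("no (valid) JWT provided");
        }

        // Look up an existing session only: a request whose token has not been verified yet
        // should not be able to allocate server-side session state.
        HttpSession existingSession = httpServletRequest.getSession(false);
        if (existingSession != null) {
            Object cached = existingSession.getAttribute(JWT_TOKEN_CONTEXT_KEY);
            // NOTE(review): reuse depends entirely on verifyJWT(), which is not visible here.
            // Confirm it also rejects a stored token whose JWT has expired.
            if (cached instanceof JwtAuthenticationToken && ((JwtAuthenticationToken) cached).verifyJWT(jwt)) {
                // NOTE(review): the logged text comes from the token's toString(); confirm it
                // does not include the raw JWT.
                this.log.debug("using stored authentication token [{}]", cached);
                return (JwtAuthenticationToken) cached;
            }
        }

        Authentication created = createAuthenticationToken(jwt);
        this.log.debug("created new authentication token [{}]", created);
        // The session is created only after the JWT has been verified.
        httpServletRequest.getSession(true).setAttribute(JWT_TOKEN_CONTEXT_KEY, created);
        return created;
    }

    /**
     * Verifies the JWT with the configured processor and wraps its claims in a
     * {@link JwtAuthenticationToken}.
     *
     * @param str the compact JWT string taken from the request header
     * @return the authentication built from the verified claims
     * @throws IOException if the JWT cannot be parsed or its verification fails
     */
    private Authentication createAuthenticationToken(String str) throws IOException {
        // A single try block: both the processor call and the token constructor sit in the same
        // expression, so a ParseException from either is reported the same way.
        try {
            return new JwtAuthenticationToken(this.jwtProcessor.process(str, (SecurityContext) null), str);
        } catch (ParseException e) {
            throw new IOException("unable to create AuthenticationToken", e);
        } catch (JOSEException | BadJOSEException e) {
            throw new IOException("unable to parse JWT", e);
        }
    }

    /** Releases the JWT processor; the filter cannot verify tokens afterwards. */
    @Override
    public void destroy() {
        this.jwtProcessor = null;
    }

    /**
     * Builds the JWT processor from the configured JWKS endpoint.
     *
     * @throws IllegalStateException if no JWKS endpoint is configured
     * @throws Exception if the endpoint is not a valid URL
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        if (StringUtils.isBlank(this.jwksEndpoint)) {
            throw new IllegalStateException("no JWKS endpoint specified");
        }
        // The key set fetched here is the trust anchor for every token this filter accepts.
        // NOTE(review): the URL scheme is not checked; confirm the endpoint is served over an
        // authenticated transport. cacheForever() gives the cache no time-based expiry, so also
        // confirm how rotated or withdrawn signing keys are meant to be picked up.
        JWKSource<SecurityContext> keySource = JWKSourceBuilder.create(new URL(this.jwksEndpoint)).cacheForever().build();
        ConfigurableJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        // Only ES256K-signed tokens are accepted. No claims verifier is configured here, so the
        // claims checks are whatever the processor applies by default.
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.ES256K, keySource));
        this.jwtProcessor = processor;
    }

    /**
     * Sets the JWKS endpoint URL used to obtain the verification keys.
     *
     * @param str the JWKS endpoint URL
     */
    public void setJwksEndpoint(String str) {
        this.jwksEndpoint = str;
    }
}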
