package eu.openanalytics.containerproxy.auth.impl.customHeader;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import javax.annotation.Nonnull;
import net.minidev.json.parser.JSONParser;
import net.minidev.json.parser.ParseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.PropertyAccessor;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:BOOT-INF/lib/containerproxy-1.2.0.jar:eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationFilter.class */
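/**
 * Authenticates requests from identity headers set by an upstream reverse proxy.
 *
 * <p>The username is taken from the header named by {@code usernameHeaderName}. When
 * {@code groupsHeaderName} is configured, the user's groups are read from that header, either
 * as a JSON array or as a comma-separated list, and mapped to {@code ROLE_*} authorities.
 * Requests for {@code /logout-success}, {@code /webjars/**} and {@code /css/**} bypass header
 * authentication entirely.
 *
 * <p>Trust model: this filter believes whatever the headers say. It is only safe when every
 * request reaches the application through a proxy that strips client-supplied values of both
 * headers and sets them itself; otherwise a client can spoof its identity and its groups.
 *
 * <p>This class was recovered from decompiled output in which the {@code try}/{@code catch}
 * around the header handling had lost its scope (the {@code header} local was read on a path
 * where it was never assigned). The control flow below is a reconstruction: the authentication
 * step is wrapped, the downstream chain is not, so that errors raised further down the chain
 * are no longer reported as authentication failures.
 */
public class CustomHeaderAuthenticationFilter extends OncePerRequestFilter {
    /** Prefix Spring Security expects on role authorities. */
    private static final String ROLE_PREFIX = "ROLE_";

    /** Matches every request except the few public paths that never carry identity headers. */
    private static final RequestMatcher REQUEST_MATCHER = new NegatedRequestMatcher(new OrRequestMatcher(
            new AntPathRequestMatcher("/logout-success"),
            new AntPathRequestMatcher("/webjars/**"),
            new AntPathRequestMatcher("/css/**")));

    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final AuthenticationManager authenticationManager;
    private final ApplicationEventPublisher eventPublisher;
    /** Name of the header carrying the username; never {@code null}. */
    private final String usernameHeaderName;
    /** Name of the header carrying the groups, or {@code null} when groups are not read from a header. */
    private final String groupsHeaderName;

    /**
     * Creates the filter.
     *
     * @param authenticationManager      manager that validates the token built from the headers
     * @param applicationEventPublisher  publisher for the {@link AuthenticationSuccessEvent}
     * @param usernameHeaderName         name of the header carrying the username
     * @param groupsHeaderName           name of the header carrying the groups, or {@code null} to
     *                                   assign no groups
     * @throws NullPointerException if any argument other than {@code groupsHeaderName} is {@code null}
     */
    public CustomHeaderAuthenticationFilter(AuthenticationManager authenticationManager,
                                            ApplicationEventPublisher applicationEventPublisher,
                                            String usernameHeaderName,
                                            String groupsHeaderName) {
        this.authenticationManager = Objects.requireNonNull(authenticationManager, "authenticationManager");
        this.eventPublisher = Objects.requireNonNull(applicationEventPublisher, "applicationEventPublisher");
        this.usernameHeaderName = Objects.requireNonNull(usernameHeaderName, "usernameHeaderName");
        this.groupsHeaderName = groupsHeaderName;
    }

    /**
     * Authenticates the request from its headers, then forwards it down the chain.
     *
     * <p>On any authentication failure the security context is cleared and the request is
     * rejected without reaching the remaining filters.
     *
     * @param request     current request
     * @param response    current response
     * @param filterChain remaining filter chain
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain or from writing the rejection
     */
    @Override
    protected void doFilterInternal(@Nonnull HttpServletRequest request,
                                    @Nonnull HttpServletResponse response,
                                    @Nonnull FilterChain filterChain)
            throws ServletException, IOException, AuthenticationException {
        if (!REQUEST_MATCHER.matches(request)) {
            filterChain.doFilter(request, response);
            return;
        }
        try {
            authenticateFromHeaders(request);
        } catch (CustomHeaderAuthenticationException e) {
            // Expected failure (missing or inconsistent header): the message says why, no stack trace.
            this.logger.warn("Authentication failed: {}", e.getMessage());
            rejectRequest(response);
            return;
        } catch (Exception e) {
            // Unexpected failure (manager threw, groups header unparsable, ...): keep the stack trace.
            this.logger.warn("Authentication failed", e);
            rejectRequest(response);
            return;
        }
        // Only reached with an authenticated security context; chain errors propagate as-is.
        filterChain.doFilter(request, response);
    }

    /**
     * Reads the identity headers and installs an authenticated token in the security context.
     *
     * <p>If the context already holds a {@link CustomHeaderAuthenticationToken}, it is kept as
     * long as its principal equals the username header; the groups header is not re-read in that
     * case.
     *
     * @param request current request
     * @throws CustomHeaderAuthenticationException when the username header is absent, when it
     *         differs from the principal of the existing session, or when the manager returns
     *         {@code null}
     */
    private void authenticateFromHeaders(HttpServletRequest request) throws CustomHeaderAuthenticationException {
        String username = request.getHeader(this.usernameHeaderName);
        if (username == null) {
            throw new CustomHeaderAuthenticationException(
                    String.format("Missing username header '%s'", this.usernameHeaderName));
        }
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        if (existing instanceof CustomHeaderAuthenticationToken) {
            // A session may not silently switch to another user; username is non-null here, so
            // comparing from its side cannot throw on a null principal.
            if (!username.equals(existing.getPrincipal())) {
                throw new CustomHeaderAuthenticationException(String.format(
                        "Username in header '%s' does not match existing session '%s'",
                        username, existing.getPrincipal()));
            }
            return;
        }
        Authentication result = this.authenticationManager.authenticate(
                new CustomHeaderAuthenticationToken(username, parseGroups(request, username), false));
        if (result == null) {
            throw new CustomHeaderAuthenticationException("No authentication");
        }
        SecurityContextHolder.getContext().setAuthentication(result);
        this.eventPublisher.publishEvent(new AuthenticationSuccessEvent(result));
    }

    /**
     * Drops any partially established authentication and answers 401 without invoking the rest
     * of the chain.
     *
     * <p>NOTE(review): the decompiled catch blocks only cleared the context and fell off the end
     * of the method; answering 401 makes the denial explicit instead of leaving an empty
     * response. Confirm this matches the intended failure behaviour.
     *
     * @param response current response
     * @throws IOException if the error response cannot be written
     */
    private static void rejectRequest(HttpServletResponse response) throws IOException {
        SecurityContextHolder.clearContext();
        if (!response.isCommitted()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    /**
     * Turns the groups header into role authorities.
     *
     * <p>A value starting with {@code [} is parsed as a JSON array; anything else is split on
     * commas. Null and blank entries are ignored, so a missing or empty entry never yields a bare
     * {@code ROLE_} authority.
     *
     * @param request  current request
     * @param username username the groups belong to (used for logging only)
     * @return the authorities, empty when no groups header is configured or present
     */
    private List<GrantedAuthority> parseGroups(HttpServletRequest request, String username) {
        if (this.groupsHeaderName == null) {
            return List.of();
        }
        String rawHeader = request.getHeader(this.groupsHeaderName);
        if (rawHeader == null) {
            this.logger.warn("Header '{}' does not contain the groups of user '{}', the proxy should always override this header. This is a security risk, users might spoof groups!", this.groupsHeaderName, username);
            return List.of();
        }
        String value = rawHeader.strip();
        List<String> groups = value.startsWith("[") ? parseJsonGroups(value) : parseCommaSeparatedGroups(value);
        List<GrantedAuthority> authorities = new ArrayList<>(groups.size());
        for (String group : groups) {
            authorities.add(new SimpleGrantedAuthority(toRoleName(group)));
        }
        return authorities;
    }

    /**
     * Parses a JSON array of group names.
     *
     * @param value stripped header value starting with {@code [}
     * @return the non-null, non-blank string forms of the array elements; empty when the value is
     *         not valid JSON or not an array
     */
    private List<String> parseJsonGroups(String value) {
        List<String> groups = new ArrayList<>();
        try {
            Object parsed = new JSONParser(JSONParser.MODE_PERMISSIVE).parse(value);
            if (parsed instanceof List) {
                for (Object element : (List<?>) parsed) {
                    // A JSON null element would otherwise NPE on toString().
                    if (element == null) {
                        continue;
                    }
                    String name = element.toString();
                    if (!name.isBlank()) {
                        groups.add(name);
                    }
                }
                this.logger.debug("Parsed groups header as JSON: {} -> {}", this.groupsHeaderName, groups);
            } else {
                this.logger.debug("Groups header is valid JSON but not an array: {} -> {}", this.groupsHeaderName, value);
            }
        } catch (ParseException e) {
            this.logger.debug("Unable to parse groups header as JSON: {} -> {}", this.groupsHeaderName, value);
        }
        return groups;
    }

    /**
     * Parses a comma-separated list of group names.
     *
     * @param value stripped header value
     * @return the stripped, non-empty tokens in order
     */
    private List<String> parseCommaSeparatedGroups(String value) {
        List<String> groups = new ArrayList<>();
        for (String token : value.split(",")) {
            String name = token.strip();
            if (!name.isEmpty()) {
                groups.add(name);
            }
        }
        this.logger.debug("Parsed groups header as comma-separated string: {} -> {}", this.groupsHeaderName, groups);
        return groups;
    }

    /**
     * Maps a group name to a role authority name: upper-cased and prefixed with {@code ROLE_}
     * unless it already starts with that prefix (case-insensitively).
     *
     * @param group group name from the header
     * @return the role name
     */
    private static String toRoleName(String group) {
        // Locale.ROOT keeps the mapping stable regardless of the JVM's default locale.
        String upper = group.toUpperCase(Locale.ROOT);
        return upper.startsWith(ROLE_PREFIX) ? upper : ROLE_PREFIX + upper;
    }
}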
