package eu.openanalytics.containerproxy.auth.impl.oidc;

import eu.openanalytics.containerproxy.util.ImmediateJsonResponse;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.time.Clock;
import java.time.Duration;
import java.time.temporal.TemporalAmount;
import javax.annotation.Nonnull;
import javax.annotation.PostConstruct;
import javax.inject.Inject;
import org.springframework.core.env.Environment;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.ClientAuthorizationException;
import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:BOOT-INF/lib/containerproxy-1.2.0.jar:eu/openanalytics/containerproxy/auth/impl/oidc/OpenIdReAuthorizeFilter.class */
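/**
 * Keeps the internal (servlet) session in step with the OpenID Connect session.
 *
 * <p>For the paths in {@link #REQUEST_MATCHER} the filter looks up the stored
 * {@link OAuth2AuthorizedClient} of the current {@link OAuth2AuthenticationToken} and, when its
 * access token is (about to be) expired, refreshes it through the
 * {@link OAuth2AuthorizedClientManager}. If no client is stored any more, or the refresh fails
 * with a {@link ClientAuthorizationException}, the internal session is invalidated so that the
 * user is forced to re-authenticate at the provider — unless
 * {@code proxy.openid.ignore-session-expire} is {@code true}, in which case the internal session
 * is left untouched and the event is only logged at debug level.
 *
 * <p>Requests to {@code /refresh-openid} never reach the rest of the chain: they are answered
 * directly with a small JSON body, which lets a browser page poll this endpoint to keep the
 * provider session alive.
 */
public class OpenIdReAuthorizeFilter extends OncePerRequestFilter {

    /** Client registration id under which the authorized client is stored and re-authorized. */
    private static final String CLIENT_REGISTRATION_ID = "shinyproxy";

    /** Property that disables the forced logout when the provider session is gone. */
    private static final String IGNORE_SESSION_EXPIRE_PROPERTY = "proxy.openid.ignore-session-expire";

    /** Body written for every {@code /refresh-openid} request, whatever the token state. */
    private static final String SUCCESS_JSON = "{\"status\":\"success\"}";

    private static final RequestMatcher REFRESH_OPENID_MATCHER = new AntPathRequestMatcher("/refresh-openid");

    /** Paths on which the token state is checked; everything else passes through untouched. */
    private static final RequestMatcher REQUEST_MATCHER = new OrRequestMatcher(
            new AntPathRequestMatcher("/app/**"),
            new AntPathRequestMatcher("/app_i/**"),
            new AntPathRequestMatcher("/"),
            REFRESH_OPENID_MATCHER);

    private final Clock clock = Clock.systemUTC();

    /**
     * Safety margin: a token is treated as expired this long before its real expiry so that a
     * token handed to a downstream call does not expire mid-flight and so that small clock
     * differences with the provider do not matter.
     */
    private final Duration clockSkew = Duration.ofSeconds(40);

    @Inject
    private OAuth2AuthorizedClientManager oAuth2AuthorizedClientManager;

    @Inject
    private OAuth2AuthorizedClientService oAuth2AuthorizedClientService;

    @Inject
    private Environment environment;

    /** Resolved value of {@link #IGNORE_SESSION_EXPIRE_PROPERTY}; defaults to {@code false}. */
    private boolean ignoreLogout;

    /** Reads the configuration once the injected {@link Environment} is available. */
    @PostConstruct
    public void init() {
        this.ignoreLogout = this.environment.getProperty(IGNORE_SESSION_EXPIRE_PROPERTY, Boolean.class, false);
    }

    /**
     * Checks and, if needed, refreshes the access token before letting the request continue.
     *
     * @throws ClientAuthorizationRequiredException (unchecked, from {@link #invalidateSession})
     *         when the internal session had to be invalidated on a non-refresh path; Spring
     *         Security's OAuth2 redirect filter turns this into a new authorization request
     * @throws IOException if writing the JSON response fails
     * @throws ServletException propagated from the rest of the filter chain
     */
    @Override // org.springframework.web.filter.OncePerRequestFilter
    protected void doFilterInternal(@Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse, @Nonnull FilterChain filterChain) throws ServletException, IOException {
        if (REQUEST_MATCHER.matches(httpServletRequest)) {
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            if (authentication instanceof OAuth2AuthenticationToken
                    && !ensureAccessTokenValid(httpServletRequest, httpServletResponse, authentication)) {
                // The session was invalidated and the response has already been produced.
                return;
            }
        }
        if (REFRESH_OPENID_MATCHER.matches(httpServletRequest)) {
            ImmediateJsonResponse.write(httpServletResponse, 200, SUCCESS_JSON);
        } else {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Makes sure the stored authorized client has a usable access token, refreshing it if needed.
     *
     * @return {@code true} if the request may proceed (token valid, refreshed, or expiry ignored
     *         by configuration); {@code false} if the internal session was invalidated and the
     *         response has already been handled by {@link #invalidateSession}
     * @throws IOException if {@link #invalidateSession} fails to write its response
     */
    private boolean ensureAccessTokenValid(@Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse, Authentication authentication) throws IOException {
        OAuth2AuthorizedClient authorizedClient = this.oAuth2AuthorizedClientService.loadAuthorizedClient(CLIENT_REGISTRATION_ID, authentication.getName());
        if (authorizedClient == null) {
            // No authorized client is stored for this principal any more (presumably removed after
            // an earlier failed refresh — verify against the OAuth2 client configuration); the
            // provider session is treated as ended.
            if (this.ignoreLogout) {
                return true;
            }
            invalidateSession(httpServletRequest, httpServletResponse, authentication);
            return false;
        }
        if (!accessTokenExpired(authorizedClient)) {
            return true;
        }
        try {
            // Re-authorizing with the existing client lets the manager use the refresh token.
            this.oAuth2AuthorizedClientManager.authorize(
                    OAuth2AuthorizeRequest.withAuthorizedClient(authorizedClient).principal(authentication).build());
            this.logger.debug(String.format("OpenID access token refreshed [user: %s]", authentication.getName()));
            return true;
        } catch (ClientAuthorizationException e) {
            if (this.ignoreLogout) {
                this.logger.debug(String.format("OpenID access token expired, internal session stays active [user: %s]", authentication.getName()));
                return true;
            }
            invalidateSession(httpServletRequest, httpServletResponse, authentication);
            return false;
        }
    }

    /**
     * Decides whether the access token must be refreshed.
     *
     * <p>Fails closed: a missing client, token or expiry time counts as expired. Otherwise the
     * token is expired once the current time passes {@code expiresAt - clockSkew}.
     *
     * @param oAuth2AuthorizedClient the stored client, may be {@code null}
     * @return {@code true} if the token should be refreshed before use
     */
    private boolean accessTokenExpired(OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        if (oAuth2AuthorizedClient == null
                || oAuth2AuthorizedClient.getAccessToken() == null
                || oAuth2AuthorizedClient.getAccessToken().getExpiresAt() == null) {
            return true;
        }
        return this.clock.instant().isAfter(oAuth2AuthorizedClient.getAccessToken().getExpiresAt().minus(this.clockSkew));
    }

    /**
     * Ends the internal session because the provider session can no longer be used.
     *
     * <p>On a normal page request a {@link ClientAuthorizationRequiredException} is thrown so
     * that Spring Security starts a fresh authorization request for
     * {@link #CLIENT_REGISTRATION_ID}. On {@code /refresh-openid} the JSON body is written
     * instead; the poller then finds its next page request redirected to the provider.
     *
     * @throws ClientAuthorizationRequiredException on every path except {@code /refresh-openid}
     * @throws IOException if writing the JSON response fails
     */
    private void invalidateSession(@Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse, Authentication authentication) throws IOException {
        this.logger.debug(String.format("OpenID access token expired, invalidating internal session [user: %s]", authentication.getName()));
        // getSession(false) avoids creating a session just to destroy it.
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // NOTE(review): the SecurityContext of the current request is left populated here; the
        // session backing it is gone, so it should not outlive this request — confirm with the
        // configured SecurityContextRepository.
        if (!REFRESH_OPENID_MATCHER.matches(httpServletRequest)) {
            throw new ClientAuthorizationRequiredException(CLIENT_REGISTRATION_ID);
        }
        ImmediateJsonResponse.write(httpServletResponse, 200, SUCCESS_JSON);
    }
}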
