package eu.openanalytics.shinyproxy;

import eu.openanalytics.shinyproxy.controllers.dto.ShinyProxyApiResponse;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException;
import org.springframework.security.web.util.ThrowableAnalyzer;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:BOOT-INF/classes/eu/openanalytics/shinyproxy/AuthenticationRequiredFilter.class */
/**
 * Servlet filter that turns Spring Security authentication/authorization failures on a fixed
 * set of endpoints into an explicit "authentication required" response.
 *
 * <p>The filter lets the rest of the chain run first. If the chain throws, and the request path
 * matches {@link #REQUEST_MATCHER}, and the exception's cause chain contains an
 * {@link AuthenticationException}, a {@link ClientAuthorizationRequiredException} or an
 * {@link AccessDeniedException}, the current authentication is cleared and
 * {@link ShinyProxyApiResponse#authenticationRequired(HttpServletResponse)} is invoked. Every
 * other exception is propagated unchanged.
 */
public class AuthenticationRequiredFilter extends GenericFilterBean {

    /**
     * Endpoints for which security exceptions are answered by this filter rather than propagated.
     * A request matches if any one of the Ant patterns matches.
     */
    private static final RequestMatcher REQUEST_MATCHER = new OrRequestMatcher(
            new AntPathRequestMatcher("/app_proxy/**"),
            new AntPathRequestMatcher("/heartbeat/*"),
            new AntPathRequestMatcher("/api/**"),
            new AntPathRequestMatcher("/admin/data"),
            new AntPathRequestMatcher("/issue"));

    /** Walks exception cause chains, including the root cause wrapped by a ServletException. */
    private final ThrowableAnalyzer throwableAnalyzer = new DefaultThrowableAnalyzer();

    /**
     * {@link ThrowableAnalyzer} that additionally knows how to unwrap {@link ServletException}
     * via {@link ServletException#getRootCause()}.
     */
    private static final class DefaultThrowableAnalyzer extends ThrowableAnalyzer {
        private DefaultThrowableAnalyzer() {
        }

        /**
         * Registers the default extractors, then one for {@link ServletException}.
         *
         * <p>NOTE(review): the decompiler reports that this method's access modifier was changed
         * from {@code protected}; the visibility shown here may not match the original source.
         */
        @Override
        public void initExtractorMap() {
            super.initExtractorMap();
            registerExtractor(ServletException.class, throwable -> {
                // Reject anything that is not a ServletException before the cast below.
                ThrowableAnalyzer.verifyThrowableHierarchy(throwable, ServletException.class);
                ServletException servletException = (ServletException) throwable;
                return servletException.getRootCause();
            });
        }
    }

    /**
     * Runs the remaining filter chain and intercepts security exceptions on matched endpoints.
     *
     * @param servletRequest  the incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse the outgoing response; cast to {@link HttpServletResponse}
     * @param filterChain     the remaining chain to invoke
     * @throws IOException      rethrown unchanged from the chain
     * @throws ServletException rethrown from the chain when not handled here, or raised when a
     *                          security exception cannot be handled because the response is
     *                          already committed
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        try {
            filterChain.doFilter(request, response);
        } catch (IOException ioFailure) {
            // I/O failures are never treated as security failures.
            throw ioFailure;
        } catch (Exception failure) {
            // Path is checked first; the cause chain is only analysed for matched endpoints.
            boolean handledHere = REQUEST_MATCHER.matches(request) && isAuthException(failure);
            if (!handledHere) {
                throw failure;
            }
            if (response.isCommitted()) {
                // Headers/body were already sent, so the response cannot be replaced anymore.
                throw new ServletException("Unable to handle the Spring Security Exception because the response is already committed.", failure);
            }
            // Drop the current authentication before answering.
            // NOTE(review): this also runs for AccessDeniedException, i.e. a caller who is
            // authenticated but not authorized has the context authentication cleared as
            // well - confirm this is intended.
            SecurityContextHolder.getContext().setAuthentication(null);
            // Presumably writes the API "authentication required" payload/status; the
            // implementation is not visible here.
            ShinyProxyApiResponse.authenticationRequired(response);
        }
    }

    /**
     * Tells whether the cause chain of {@code exc} contains a Spring Security authentication or
     * authorization exception.
     *
     * @param exc the exception thrown by the filter chain
     * @return {@code true} if an {@link AuthenticationException},
     *         {@link ClientAuthorizationRequiredException} or {@link AccessDeniedException} is
     *         found in the cause chain, {@code false} otherwise
     */
    private boolean isAuthException(Exception exc) {
        Throwable[] causeChain = this.throwableAnalyzer.determineCauseChain(exc);
        if (this.throwableAnalyzer.getFirstThrowableOfType(AuthenticationException.class, causeChain) != null) {
            return true;
        }
        if (this.throwableAnalyzer.getFirstThrowableOfType(ClientAuthorizationRequiredException.class, causeChain) != null) {
            return true;
        }
        return this.throwableAnalyzer.getFirstThrowableOfType(AccessDeniedException.class, causeChain) != null;
    }
}
