package org.nuxeo.ecm.platform.oauth2;

import java.io.IOException;
import java.security.Principal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.ecm.platform.oauth2.clients.OAuth2ClientService;
import org.nuxeo.ecm.platform.oauth2.tokens.NuxeoOAuth2Token;
import org.nuxeo.ecm.platform.oauth2.tokens.OAuth2TokenStore;
import org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter;
import org.nuxeo.ecm.platform.ui.web.auth.NuxeoSecuredRequestWrapper;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthPreFilter;
import org.nuxeo.runtime.api.Framework;
import org.nuxeo.runtime.transaction.TransactionHelper;

/* loaded from: input_file:org/nuxeo/ecm/platform/oauth2/NuxeoOAuth2Filter.class */
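/**
 * Authentication pre-filter that recognises an OAuth2 bearer access token on an
 * incoming HTTP request and, when the token is valid, runs the rest of the filter
 * chain as the Nuxeo user the token was issued for.
 *
 * <p>Requests that carry no access token are passed down the chain untouched so that
 * other authentication mechanisms can handle them. Requests that carry a token which
 * cannot be validated are answered with {@code 401} and are not passed down the chain.
 */
public class NuxeoOAuth2Filter implements NuxeoAuthPreFilter {
    private static final Log log = LogFactory.getLog(NuxeoOAuth2Filter.class);
    public static final String ACCESS_TOKEN_PARAM = "access_token";
    public static final String AUTHORIZATION_HEADER = "Authorization";
    public static final String BEARER_AUTHENTICATION_SCHEME = "Bearer ";
    protected OAuth2TokenStore tokenStore = new OAuth2TokenStore(Constants.TOKEN_SERVICE);

    /**
     * Routes the request: token-bearing HTTP requests go through
     * {@link #processAuthentication}, everything else continues down the chain unchanged.
     *
     * @param servletRequest the incoming request
     * @param servletResponse the response being built
     * @param filterChain the remaining filters
     * @throws IOException if a downstream filter fails on I/O
     * @throws ServletException if a downstream filter fails
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        String accessToken = getAccessToken(httpServletRequest);
        if (accessToken == null) {
            // No token presented: this filter has no opinion, let other mechanisms decide.
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        processAuthentication(accessToken, httpServletRequest, httpServletResponse, filterChain);
    }

    /**
     * Validates the presented token and, on success, invokes the chain with a request
     * wrapped around the token owner's principal. Every rejection path answers
     * {@code 401} without invoking the chain.
     *
     * @param str the access token value taken from the request
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response being built
     * @param filterChain the remaining filters
     * @throws IOException if a downstream filter fails on I/O
     * @throws ServletException if a downstream filter fails
     */
    protected void processAuthentication(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        NuxeoOAuth2Token token = (NuxeoOAuth2Token) TransactionHelper.runInTransaction(() -> {
            return this.tokenStore.getToken(str);
        });
        OAuth2ClientService clientService = (OAuth2ClientService) Framework.getService(OAuth2ClientService.class);
        // Reject unknown tokens, expired tokens, and tokens whose issuing client no longer exists.
        if (token == null || token.isExpired() || !clientService.hasClient(token.getClientId())) {
            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        LoginContext loginContext = buildLoginContext(token);
        if (loginContext == null) {
            // Fail closed: previously this path returned without touching the response,
            // so a token whose user could not be logged in produced an empty response
            // with the default status instead of an authentication error.
            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            Object[] principals = loginContext.getSubject().getPrincipals().toArray();
            if (principals.length == 0) {
                // A login context without a principal cannot identify the caller.
                httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            filterChain.doFilter(new NuxeoSecuredRequestWrapper(httpServletRequest, (Principal) principals[0]), httpServletResponse);
        } finally {
            // Always release the login context, whether the chain completed or threw.
            try {
                loginContext.logout();
            } catch (LoginException e) {
                log.warn("Error when logging out", e);
            }
        }
    }

    /**
     * Extracts the access token from the request. A non-blank {@code access_token}
     * request parameter wins over the {@code Authorization} header; otherwise the
     * header is used when it starts with the {@code "Bearer "} scheme prefix.
     *
     * <p>NOTE(review): the request parameter is read before the header, and
     * {@code getParameter} also covers the query string. Tokens sent in a URL can end
     * up in access logs, browser history and {@code Referer} headers, so clients should
     * prefer the header; confirm whether the parameter form is still required.
     *
     * @param httpServletRequest the incoming request
     * @return the token value, or {@code null} when the request carries none
     */
    protected String getAccessToken(HttpServletRequest httpServletRequest) {
        String parameter = httpServletRequest.getParameter(ACCESS_TOKEN_PARAM);
        if (StringUtils.isNotBlank(parameter)) {
            return parameter;
        }
        String header = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
        if (header == null || !header.startsWith(BEARER_AUTHENTICATION_SCHEME)) {
            return null;
        }
        return header.substring(BEARER_AUTHENTICATION_SCHEME.length()).trim();
    }

    /**
     * Opens a login context for the Nuxeo user the token belongs to.
     *
     * @param nuxeoOAuth2Token the validated token
     * @return the login context, or {@code null} when the login fails
     */
    protected LoginContext buildLoginContext(NuxeoOAuth2Token nuxeoOAuth2Token) {
        try {
            return NuxeoAuthenticationFilter.loginAs(nuxeoOAuth2Token.getNuxeoLogin());
        } catch (LoginException e) {
            // Keep the cause in the log so failed token logins can be investigated;
            // the token value itself is deliberately not logged.
            log.warn("Error while authenticate user", e);
            return null;
        }
    }
}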
