package org.nuxeo.ecm.platform.ui.web.auth.oauth2;

import java.io.IOException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.codehaus.jackson.map.ObjectMapper;
import org.nuxeo.ecm.platform.oauth2.clients.ClientRegistry;
import org.nuxeo.ecm.platform.oauth2.providers.NuxeoOAuth2ServiceProvider;
import org.nuxeo.ecm.platform.oauth2.request.AuthorizationRequest;
import org.nuxeo.ecm.platform.oauth2.request.Oauth2Request;
import org.nuxeo.ecm.platform.oauth2.request.TokenRequest;
import org.nuxeo.ecm.platform.oauth2.tokens.NuxeoOAuth2Token;
import org.nuxeo.ecm.platform.oauth2.tokens.OAuth2TokenStore;
import org.nuxeo.ecm.platform.ui.web.auth.NuxeoAuthenticationFilter;
import org.nuxeo.ecm.platform.ui.web.auth.NuxeoSecuredRequestWrapper;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthPreFilter;
import org.nuxeo.ecm.platform.web.common.vh.VirtualHostHelper;
import org.nuxeo.runtime.api.Framework;
import org.nuxeo.runtime.transaction.TransactionHelper;

/* loaded from: input_file:org/nuxeo/ecm/platform/ui/web/auth/oauth2/NuxeoOAuth2Filter.class */
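/**
 * Authentication pre-filter implementing a minimal OAuth2 provider on top of Nuxeo.
 * <p>
 * Three kinds of requests are handled:
 * <ul>
 * <li>{@code .../oauth2/authorization} — the authorization endpoint (GET shows the grant page, POST issues the code);</li>
 * <li>{@code .../oauth2/token} — the token endpoint (authorization_code and refresh_token grants);</li>
 * <li>any other request carrying an {@code Authorization: Bearer ...} header — resource access with an access token.</li>
 * </ul>
 * Everything else is passed down the filter chain untouched.
 * <p>
 * Security notes (review): the authorization endpoint still redirects errors to the caller-supplied
 * {@code redirect_uri} without checking it against the registered client (see {@link #handleError(String,
 * HttpServletRequest, HttpServletResponse)}); that needs a registry lookup this filter does not expose.
 */
public class NuxeoOAuth2Filter implements NuxeoAuthPreFilter {
    protected static final String TOKEN_SERVICE = "org.nuxeo.server.token.store";
    protected static final String OAUTH2_SEGMENT = "/oauth2/";
    protected static final String ENDPOINT_AUTH = "authorization";
    protected static final String ENDPOINT_TOKEN = "token";
    /** Scheme prefix of a bearer Authorization header (RFC 6750). */
    protected static final String BEARER_PREFIX = "Bearer";
    /** Lifetime handed to new access tokens: one hour, assuming the NuxeoOAuth2Token constructor takes milliseconds — TODO confirm. */
    protected static final long ACCESS_TOKEN_LIFETIME = 3600000L;
    /** Fallback target used when no redirect_uri was supplied at all (kept for compatibility; see sendRedirect). */
    protected static final String FALLBACK_REDIRECT = "http://dummyurl";
    private static final Log log = LogFactory.getLog(NuxeoOAuth2Filter.class);
    /** ObjectMapper is thread-safe once configured; one shared instance avoids rebuilding it per response. */
    private static final ObjectMapper MAPPER = new ObjectMapper();
    public static String USERNAME_KEY = "nuxeo_user";
    public static String AUTHORIZATION_KEY = "authorization_key";
    public static String CLIENTNAME_KEY = "client_name";

    /** OAuth2 error codes as defined by RFC 6749 §4.1.2.1 / §5.2; the enum name is the wire value. */
    public enum ERRORS {
        invalid_request,
        invalid_grant,
        unauthorized_client,
        access_denied,
        unsupported_response_type,
        invalid_scope,
        server_error,
        temporarily_unavailable
    }

    /**
     * Entry point of the filter. Non-OAuth2 requests go straight down the chain; OAuth2 requests are
     * processed inside a transaction that is started here only if none is active, and is rolled back
     * when processing throws.
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!isValid(servletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        boolean startedTransaction = false;
        if (!TransactionHelper.isTransactionActive()) {
            startedTransaction = TransactionHelper.startTransaction();
        }
        boolean completed = false;
        try {
            process(servletRequest, servletResponse, filterChain);
            completed = true;
        } finally {
            // Only the transaction we started ourselves is ours to finish.
            if (startedTransaction) {
                if (!completed) {
                    TransactionHelper.setTransactionRollbackOnly();
                }
                TransactionHelper.commitOrRollbackTransaction();
            }
        }
    }

    /**
     * @return true when this filter has something to do for the request: it is an HTTP request that
     *         either carries a bearer token or targets an {@code /oauth2/} URI.
     */
    protected boolean isValid(ServletRequest servletRequest) {
        if (!(servletRequest instanceof HttpServletRequest)) {
            return false;
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        return isAuthorizedRequest(request) || request.getRequestURI().contains(OAUTH2_SEGMENT);
    }

    /**
     * Dispatches to the authorization endpoint, the token endpoint or bearer authentication, then
     * continues the chain unless a response has already been committed (redirect or JSON body sent).
     */
    protected void process(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String requestURI = request.getRequestURI();
        if (requestURI.contains(OAUTH2_SEGMENT)) {
            String endpoint = endpointOf(requestURI);
            if (ENDPOINT_AUTH.equals(endpoint)) {
                processAuthorization(request, response, filterChain);
            } else if (ENDPOINT_TOKEN.equals(endpoint)) {
                processToken(request, response, filterChain);
            }
            // Any other path under /oauth2/ is not ours; it falls through to the chain below.
        } else if (isAuthorizedRequest(request)) {
            processAuthentication(request, response, filterChain);
        }
        if (!servletResponse.isCommitted()) {
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    /**
     * Extracts the endpoint name following {@code /oauth2/} in the URI.
     *
     * @return the text after the first {@code /oauth2/} segment, or an empty string when the URI ends
     *         with that segment (the previous {@code split(...)[1]} threw on such URIs)
     */
    private static String endpointOf(String requestURI) {
        String[] parts = requestURI.split(OAUTH2_SEGMENT);
        return parts.length > 1 ? parts[1] : "";
    }

    /**
     * Authenticates a request carrying {@code Authorization: Bearer <token>}.
     * <ul>
     * <li>unknown token: nothing is done here and the request continues unauthenticated down the chain;</li>
     * <li>expired token or unregistered client: status 401 plus a {@code WWW-Authenticate} challenge (RFC 6750 §3);</li>
     * <li>valid token: the chain is run with a request wrapped as the token's Nuxeo user.</li>
     * </ul>
     * NOTE(review): in the 401 case the caller ({@link #process}) still runs the chain because the response
     * is not committed; downstream filters may overwrite the status — confirm that is the intended contract.
     */
    protected void processAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        String header = httpServletRequest.getHeader("Authorization");
        // Strip the scheme only; the old substring(7) threw on a bare "Bearer" header and ate the first
        // character of "Bearerxyz". Trailing whitespace is trimmed after URL-decoding, as before.
        String accessToken = URLDecoder.decode(header.substring(BEARER_PREFIX.length()), "UTF-8").trim();
        if (accessToken.isEmpty()) {
            return;
        }
        NuxeoOAuth2Token token = getTokenStore().getToken(accessToken);
        if (token == null) {
            return;
        }
        if (token.isExpired() || !getClientRegistry().hasClient(token.getClientId())) {
            httpServletResponse.setStatus(401);
            httpServletResponse.setHeader("WWW-Authenticate", "Bearer error=\"invalid_token\"");
            return;
        }
        LoginContext loginContext = buildLoginContext(token);
        if (loginContext == null) {
            return;
        }
        try {
            Principal principal = (Principal) loginContext.getSubject().getPrincipals().toArray()[0];
            filterChain.doFilter(new NuxeoSecuredRequestWrapper(httpServletRequest, principal), httpServletResponse);
        } finally {
            // The JAAS login is scoped to this request; always undo it, even when the chain throws.
            try {
                loginContext.logout();
            } catch (LoginException e) {
                log.warn("Error when logging out", e);
            }
        }
    }

    /**
     * Logs in as the Nuxeo user bound to the token.
     *
     * @return the login context, or null when the login fails (the failure is logged with its cause)
     */
    protected LoginContext buildLoginContext(NuxeoOAuth2Token nuxeoOAuth2Token) {
        try {
            return NuxeoAuthenticationFilter.loginAs(nuxeoOAuth2Token.getNuxeoLogin());
        } catch (LoginException e) {
            log.warn("Error while authenticate user", e);
            return null;
        }
    }

    /** @return true when the request carries an Authorization header using the Bearer scheme. */
    protected boolean isAuthorizedRequest(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        return header != null && header.startsWith(BEARER_PREFIX);
    }

    /**
     * Authorization endpoint.
     * <p>
     * GET: remembers the authorization key, state and client name in the HTTP session and redirects the
     * resource owner to the grant page. POST (the grant form): checks the submitted authorization key
     * against the one of the resolved request, binds the session user to it and redirects back to the
     * client's redirect_uri with the authorization code (and state, if any). The session is invalidated
     * before that final redirect.
     * <p>
     * NOTE(review): the POST check compares the submitted key with {@code from.getAuthorizationKey()}, not
     * with the value stored in the session on GET — confirm that {@code AuthorizationRequest.from(...)}
     * resolves server-side state by that key, otherwise this is not a CSRF binding.
     */
    protected void processAuthorization(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException {
        AuthorizationRequest authRequest = AuthorizationRequest.from(httpServletRequest);
        String validationError = authRequest.checkError();
        if (StringUtils.isNotBlank(validationError)) {
            handleError(validationError, httpServletRequest, httpServletResponse);
            return;
        }
        if ("GET".equals(httpServletRequest.getMethod())) {
            ClientRegistry.class.getName(); // no-op; keeps the registry lookup below explicit for readers
            Object client = getClientRegistry().getClient(authRequest.getClientId());
            if (client == null) {
                // checkError() is expected to have rejected unknown clients already; guard anyway instead of NPE.
                handleError(ERRORS.unauthorized_client, httpServletRequest, httpServletResponse);
                return;
            }
            httpServletRequest.getSession().setAttribute(AUTHORIZATION_KEY, authRequest.getAuthorizationKey());
            httpServletRequest.getSession().setAttribute(AuthorizationRequest.STATE, authRequest.getState());
            httpServletRequest.getSession().setAttribute(CLIENTNAME_KEY, getClientRegistry().getClient(authRequest.getClientId()).getName());
            sendRedirect(httpServletResponse, VirtualHostHelper.getBaseURL(httpServletRequest) + "oauth2Grant.jsp", null);
            return;
        }
        String expectedKey = authRequest.getAuthorizationKey();
        String submittedKey = httpServletRequest.getParameter(AUTHORIZATION_KEY);
        if (expectedKey == null || !expectedKey.equals(submittedKey)) {
            handleError(ERRORS.access_denied, httpServletRequest, httpServletResponse);
            return;
        }
        authRequest.setUsername((String) httpServletRequest.getSession().getAttribute(USERNAME_KEY));
        Map<String, String> params = new HashMap<String, String>();
        params.put(NuxeoOAuth2ServiceProvider.CODE_URL_PARAMETER, authRequest.getAuthorizationCode());
        if (StringUtils.isNotBlank(authRequest.getState())) {
            params.put(AuthorizationRequest.STATE, authRequest.getState());
        }
        httpServletRequest.getSession().invalidate();
        sendRedirect(httpServletResponse, authRequest.getRedirectUri(), params);
    }

    ClientRegistry getClientRegistry() {
        return (ClientRegistry) Framework.getLocalService(ClientRegistry.class);
    }

    /**
     * Token endpoint (RFC 6749 §4.1.3 / §6). Supports the {@code authorization_code} and
     * {@code refresh_token} grants; every failure is answered as a JSON error body, never as a redirect:
     * the token endpoint talks to the client application, and bouncing a machine client to a
     * caller-supplied {@code redirect_uri} was both non-compliant and an open redirect.
     * <p>
     * NOTE(review): nothing here invalidates the authorization code after a successful exchange; confirm
     * that {@code AuthorizationRequest.fromCode(...)} is single-use.
     */
    protected void processToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException {
        TokenRequest tokenRequest = new TokenRequest(httpServletRequest);
        String grantType = tokenRequest.getGrantType();
        if ("refresh_token".equals(grantType)) {
            processRefreshTokenGrant(tokenRequest, httpServletRequest, httpServletResponse);
        } else if ("authorization_code".equals(grantType)) {
            processAuthorizationCodeGrant(tokenRequest, httpServletRequest, httpServletResponse);
        } else {
            handleJsonError(ERRORS.invalid_grant, httpServletRequest, httpServletResponse);
        }
    }

    /** refresh_token grant: the client must authenticate with id + secret before the store is asked to refresh. */
    private void processRefreshTokenGrant(TokenRequest tokenRequest, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String clientId = tokenRequest.getClientId();
        if (StringUtils.isBlank(clientId) || !getClientRegistry().isValidClient(clientId, tokenRequest.getClientSecret())) {
            handleJsonError(ERRORS.access_denied, httpServletRequest, httpServletResponse);
            return;
        }
        NuxeoOAuth2Token refreshed = getTokenStore().refresh(tokenRequest.getRefreshToken(), clientId);
        if (refreshed == null) {
            handleJsonError(ERRORS.invalid_request, httpServletRequest, httpServletResponse);
            return;
        }
        handleTokenResponse(refreshed, httpServletResponse);
    }

    /**
     * authorization_code grant: the code must exist, belong to the requesting client, the client must
     * authenticate, and the redirect_uri must match the one used at authorization time when one was given.
     */
    private void processAuthorizationCodeGrant(TokenRequest tokenRequest, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        AuthorizationRequest fromCode = AuthorizationRequest.fromCode(tokenRequest.getCode());
        String clientId = tokenRequest.getClientId();
        ERRORS error = null;
        if (fromCode == null) {
            error = ERRORS.access_denied;
        } else if (clientId == null || !clientId.equals(fromCode.getClientId())) {
            error = ERRORS.access_denied;
        } else if (!getClientRegistry().isValidClient(clientId, tokenRequest.getClientSecret())) {
            error = ERRORS.unauthorized_client;
        } else if (StringUtils.isNotBlank(fromCode.getRedirectUri())
                && !fromCode.getRedirectUri().equals(tokenRequest.getRedirectUri())) {
            // Blank check first: the old code called equals() on a possibly-null stored redirect_uri.
            error = ERRORS.invalid_request;
        }
        if (error != null) {
            handleJsonError(error, httpServletRequest, httpServletResponse);
            return;
        }
        NuxeoOAuth2Token token = new NuxeoOAuth2Token(ACCESS_TOKEN_LIFETIME, fromCode.getClientId());
        getTokenStore().store(fromCode.getUsername(), token);
        handleTokenResponse(token, httpServletResponse);
    }

    /** Writes a successful token response as JSON; RFC 6749 §5.1 requires the no-store / no-cache headers. */
    protected void handleTokenResponse(NuxeoOAuth2Token nuxeoOAuth2Token, HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.setHeader("Content-Type", "application/json");
        httpServletResponse.setHeader("Cache-Control", "no-store");
        httpServletResponse.setHeader("Pragma", "no-cache");
        httpServletResponse.setStatus(200);
        MAPPER.writeValue(httpServletResponse.getWriter(), nuxeoOAuth2Token.toJsonObject());
    }

    protected void handleError(ERRORS errors, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        handleError(errors.toString(), httpServletRequest, httpServletResponse);
    }

    /**
     * Authorization-endpoint error: redirects to the request's {@code redirect_uri} with {@code error}
     * (and {@code state}, echoed back when present) as query parameters.
     * <p>
     * NOTE(review): the redirect target is taken from the request as-is. RFC 6749 §4.1.2.1 says the server
     * MUST NOT redirect when the redirect_uri is missing, invalid or mismatching the registered one; this
     * requires checking it against the client's registration, which {@link ClientRegistry} is not shown to
     * expose here. Until that exists, this is an open redirect for error responses.
     */
    protected void handleError(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        Map<String, String> params = new HashMap<String, String>();
        params.put(NuxeoOAuth2ServiceProvider.ERROR_URL_PARAMETER, str);
        String state = httpServletRequest.getParameter(AuthorizationRequest.STATE);
        if (StringUtils.isNotBlank(state)) {
            params.put(AuthorizationRequest.STATE, state);
        }
        sendRedirect(httpServletResponse, httpServletRequest.getParameter(Oauth2Request.REDIRECT_URI), params);
    }

    /** Token-endpoint error: HTTP 400 with a JSON body {@code {"error": "<code>"}} (RFC 6749 §5.2). */
    protected void handleJsonError(ERRORS errors, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.setHeader("Content-Type", "application/json");
        httpServletResponse.setHeader("Cache-Control", "no-store");
        httpServletResponse.setStatus(400);
        Map<String, String> body = new HashMap<String, String>();
        body.put(NuxeoOAuth2ServiceProvider.ERROR_URL_PARAMETER, errors.toString());
        MAPPER.writeValue(httpServletResponse.getWriter(), body);
    }

    /**
     * Redirects to {@code location} with {@code params} appended as a query string.
     * <p>
     * Keys and values are URL-encoded: {@code state} is client-controlled and {@code code} opaque, and
     * appending them raw let a {@code &} or {@code #} inside a value rewrite the query (or truncate it).
     * A null value is rendered as the literal {@code null}, as the previous concatenation did.
     *
     * @param location redirect target; when null the legacy {@link #FALLBACK_REDIRECT} is used
     *        (NOTE(review): sending the browser to a placeholder host is questionable; a 400 would be safer)
     */
    protected void sendRedirect(HttpServletResponse httpServletResponse, String str, Map<String, String> map) throws IOException {
        String location = (str == null) ? FALLBACK_REDIRECT : str;
        StringBuilder target = new StringBuilder(location);
        if (map != null) {
            target.append(location.contains("?") ? '&' : '?');
            for (Map.Entry<String, String> entry : map.entrySet()) {
                target.append(URLEncoder.encode(entry.getKey(), "UTF-8"))
                      .append('=')
                      .append(URLEncoder.encode(String.valueOf(entry.getValue()), "UTF-8"))
                      .append('&');
            }
            // Drop the trailing '&' (or the lone '?' when the map was empty).
            target.deleteCharAt(target.length() - 1);
        }
        httpServletResponse.sendRedirect(target.toString());
    }

    protected OAuth2TokenStore getTokenStore() {
        return new OAuth2TokenStore(TOKEN_SERVICE);
    }
}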
