package com.azure.spring.autoconfigure.aad;

import com.microsoft.aad.msal4j.MsalServiceException;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.source.JWKSetCache;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.util.ResourceRetriever;
import com.nimbusds.jwt.proc.BadJWTException;
import java.io.IOException;
import java.net.MalformedURLException;
import java.text.ParseException;
import java.util.Objects;
import java.util.Optional;
import javax.naming.ServiceUnavailableException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:com/azure/spring/autoconfigure/aad/AADAuthenticationFilter.class */
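public class AADAuthenticationFilter extends OncePerRequestFilter {
    private static final Logger LOGGER = LoggerFactory.getLogger(AADAuthenticationFilter.class);
    /** HTTP-session attribute under which the resolved {@link UserPrincipal} is cached between requests. */
    private static final String CURRENT_USER_PRINCIPAL = "CURRENT_USER_PRINCIPAL";
    private final UserPrincipalManager userPrincipalManager;
    private final GraphOboClient graphOboClient;

    /**
     * Creates a filter whose {@link UserPrincipalManager} is built from the given properties and resource
     * retriever, without an explicit JWK set cache.
     *
     * @param aADAuthenticationProperties AAD configuration properties
     * @param serviceEndpointsProperties  AAD / Graph endpoint configuration
     * @param resourceRetriever           retriever used by the principal manager to fetch the JWK set
     */
    public AADAuthenticationFilter(AADAuthenticationProperties aADAuthenticationProperties, ServiceEndpointsProperties serviceEndpointsProperties, ResourceRetriever resourceRetriever) {
        this(aADAuthenticationProperties, serviceEndpointsProperties, new UserPrincipalManager(serviceEndpointsProperties, aADAuthenticationProperties, resourceRetriever, false));
    }

    /**
     * Creates a filter whose {@link UserPrincipalManager} is built from the given properties, resource
     * retriever and JWK set cache.
     *
     * @param aADAuthenticationProperties AAD configuration properties
     * @param serviceEndpointsProperties  AAD / Graph endpoint configuration
     * @param resourceRetriever           retriever used by the principal manager to fetch the JWK set
     * @param jWKSetCache                 cache handed to the principal manager for the fetched JWK set
     */
    public AADAuthenticationFilter(AADAuthenticationProperties aADAuthenticationProperties, ServiceEndpointsProperties serviceEndpointsProperties, ResourceRetriever resourceRetriever, JWKSetCache jWKSetCache) {
        this(aADAuthenticationProperties, serviceEndpointsProperties, new UserPrincipalManager(serviceEndpointsProperties, aADAuthenticationProperties, resourceRetriever, false, jWKSetCache));
    }

    /**
     * Creates a filter using an already constructed {@link UserPrincipalManager}; the Graph on-behalf-of
     * client is built from the given properties.
     *
     * @param aADAuthenticationProperties AAD configuration properties
     * @param serviceEndpointsProperties  AAD / Graph endpoint configuration
     * @param userPrincipalManager        manager used to validate tokens and build {@link UserPrincipal}s
     */
    public AADAuthenticationFilter(AADAuthenticationProperties aADAuthenticationProperties, ServiceEndpointsProperties serviceEndpointsProperties, UserPrincipalManager userPrincipalManager) {
        this.userPrincipalManager = userPrincipalManager;
        this.graphOboClient = new GraphOboClient(aADAuthenticationProperties, serviceEndpointsProperties);
    }

    /**
     * Authenticates a request carrying an AAD-issued {@code Bearer} token.
     * <p>
     * Requests without such a token, and requests whose security context is already authenticated, are passed
     * straight down the chain. Otherwise a {@link UserPrincipal} is built from the token (or reused from the HTTP
     * session when the session already holds a principal for exactly this token), its groups are resolved through
     * the Graph on-behalf-of flow, and the result is installed in the {@link SecurityContextHolder} as a
     * {@link PreAuthenticatedAuthenticationToken}.
     *
     * @param httpServletRequest  the current request; only its {@code Authorization} header and session are read
     * @param httpServletResponse the current response; receives a 401 when the JWT is invalid
     * @param filterChain         the remaining filter chain
     * @throws ServletException when the token cannot be parsed or validated for a reason other than an invalid
     *                          JWT, when the Graph token cannot be acquired, or when a conditional access
     *                          policy returns a claims challenge
     * @throws IOException      propagated from the filter chain or from
     *                          {@link HttpServletResponse#sendError(int)}
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        // Strip the "Bearer " prefix and keep the token only if it was issued by AAD (issuer check, not full validation).
        String aadIssuedBearerToken = Optional.of(httpServletRequest)
            .map(request -> request.getHeader("Authorization"))
            .map(String::trim)
            .filter(header -> header.startsWith(Constants.BEARER_PREFIX))
            .map(header -> header.substring(Constants.BEARER_PREFIX.length()))
            .filter(this.userPrincipalManager::isTokenIssuedByAAD)
            .orElse(null);
        if (aadIssuedBearerToken == null || alreadyAuthenticated()) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        try {
            HttpSession session = httpServletRequest.getSession();
            UserPrincipal userPrincipal = (UserPrincipal) session.getAttribute(CURRENT_USER_PRINCIPAL);
            // Rebuild the principal unless the session already caches one for exactly this token
            // (null-safe: a cached principal without a token is treated as stale).
            if (userPrincipal == null || !aadIssuedBearerToken.equals(userPrincipal.getAadIssuedBearerToken())) {
                userPrincipal = this.userPrincipalManager.buildUserPrincipal(aadIssuedBearerToken);
                // Assumes the "tid" claim is present on an AAD-issued token; a missing claim would surface as an NPE here.
                String tenantId = userPrincipal.getClaim(AADTokenClaim.TID).toString();
                String graphAccessToken = this.graphOboClient.acquireTokenForGraphApi(aadIssuedBearerToken, tenantId).accessToken();
                userPrincipal.setGroups(this.graphOboClient.getGroups(graphAccessToken));
                session.setAttribute(CURRENT_USER_PRINCIPAL, userPrincipal);
            }
            PreAuthenticatedAuthenticationToken authentication = new PreAuthenticatedAuthenticationToken(userPrincipal, (Object) null, this.graphOboClient.toGrantedAuthoritySet(userPrincipal.getGroups()));
            // NOTE(review): this logs the whole authentication object at INFO; confirm UserPrincipal#toString
            // does not include the raw bearer token or claim values before keeping it at this level.
            LOGGER.info("Request token verification success. {}", authentication);
            SecurityContextHolder.getContext().setAuthentication(authentication);
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } catch (BadJWTException e) {
            // Invalid JWT (e.g. expired, not yet valid, bad signature): answer 401 without a stack trace.
            // This catch must come before the BadJOSEException one: BadJWTException extends BadJOSEException,
            // so the reverse order makes this branch unreachable (and does not compile).
            httpServletResponse.sendError(HttpStatus.UNAUTHORIZED.value());
        } catch (MalformedURLException | ParseException | JOSEException | BadJOSEException e) {
            LOGGER.error("Failed to initialize UserPrincipal.", e);
            throw new ServletException(e);
        } catch (ServiceUnavailableException e) {
            LOGGER.error("Failed to acquire graph api token.", e);
            throw new ServletException(e);
        } catch (MsalServiceException e) {
            // A non-empty claims challenge means the client has to satisfy a conditional access policy.
            if (e.claims() != null && !e.claims().isEmpty()) {
                throw new ServletException("Handle conditional access policy", e);
            }
            throw e;
        }
    }

    /**
     * Tells whether the current {@link SecurityContextHolder} already carries an authenticated
     * {@code Authentication}, in which case this filter leaves the request untouched.
     *
     * @return {@code true} if an authentication is present and reports {@code isAuthenticated()}
     */
    private boolean alreadyAuthenticated() {
        return Optional.of(SecurityContextHolder.getContext())
            .map(context -> context.getAuthentication())
            .map(authentication -> authentication.isAuthenticated())
            .orElse(false);
    }
}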
