package org.dspace.app.rest.security;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.sql.SQLException;
import java.util.List;
import java.util.Objects;
import java.util.UUID;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.util.Supplier;
import org.dspace.app.rest.utils.ContextUtil;
import org.dspace.authorize.AuthorizeException;
import org.dspace.authorize.factory.AuthorizeServiceFactory;
import org.dspace.authorize.service.AuthorizeService;
import org.dspace.core.Context;
import org.dspace.eperson.EPerson;
import org.dspace.eperson.factory.EPersonServiceFactory;
import org.dspace.eperson.service.EPersonService;
import org.dspace.services.ConfigurationService;
import org.dspace.services.RequestService;
import org.dspace.services.factory.DSpaceServicesFactory;
import org.dspace.util.UUIDUtils;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

/* loaded from: input_file:org/dspace/app/rest/security/StatelessAuthenticationFilter.class */
public class StatelessAuthenticationFilter extends BasicAuthenticationFilter {
    private static final Logger log = LogManager.getLogger();
    private static final String ON_BEHALF_OF_REQUEST_PARAM = "X-On-Behalf-Of";
    private final RestAuthenticationService restAuthenticationService;
    private final EPersonRestAuthenticationProvider authenticationProvider;
    private final RequestService requestService;
    private final AuthorizeService authorizeService;
    private final EPersonService ePersonService;
    private final ConfigurationService configurationService;

    public StatelessAuthenticationFilter(AuthenticationManager authenticationManager, RestAuthenticationService restAuthenticationService, EPersonRestAuthenticationProvider ePersonRestAuthenticationProvider, RequestService requestService) {
        super(authenticationManager);
        this.authorizeService = AuthorizeServiceFactory.getInstance().getAuthorizeService();
        this.ePersonService = EPersonServiceFactory.getInstance().getEPersonService();
        this.configurationService = DSpaceServicesFactory.getInstance().getConfigurationService();
        this.requestService = requestService;
        this.restAuthenticationService = restAuthenticationService;
        this.authenticationProvider = ePersonRestAuthenticationProvider;
    }

    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        try {
            Authentication authentication = getAuthentication(httpServletRequest, httpServletResponse);
            if (authentication != null) {
                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } catch (AuthorizeException e) {
            httpServletResponse.sendError(401, "Authentication is required");
        } catch (AccessDeniedException e2) {
            httpServletResponse.sendError(403, "Access is denied");
            log.error("Access is denied (status:{})", 403, e2);
        } catch (IllegalArgumentException | SQLException e3) {
            httpServletResponse.sendError(400, "Authentication request is invalid or incorrect");
            log.error("Authentication request is invalid or incorrect (status:{})", 400, e3);
        }
    }

    private Authentication getAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthorizeException, SQLException {
        if (!this.restAuthenticationService.hasAuthenticationData(httpServletRequest)) {
            if (httpServletRequest.getHeader(ON_BEHALF_OF_REQUEST_PARAM) != null) {
                throw new AuthorizeException("Must be logged in (as an admin) to use the 'login as' feature");
            }
            return null;
        }
        Context obtainContext = ContextUtil.obtainContext(httpServletRequest);
        EPerson authenticatedEPerson = this.restAuthenticationService.getAuthenticatedEPerson(httpServletRequest, httpServletResponse, obtainContext);
        if (authenticatedEPerson == null) {
            return null;
        }
        Logger logger = log;
        Objects.requireNonNull(authenticatedEPerson);
        logger.debug("Found authentication data in request for EPerson {}", new Supplier[]{authenticatedEPerson::getEmail});
        this.requestService.setCurrentUserId(authenticatedEPerson.getID());
        List<GrantedAuthority> grantedAuthorities = this.authenticationProvider.getGrantedAuthorities(obtainContext);
        String header = httpServletRequest.getHeader(ON_BEHALF_OF_REQUEST_PARAM);
        if (header == null) {
            return new DSpaceAuthentication(authenticatedEPerson, grantedAuthorities);
        }
        if (this.configurationService.getBooleanProperty("webui.user.assumelogin")) {
            return getOnBehalfOfAuthentication(obtainContext, header, httpServletResponse);
        }
        throw new IllegalArgumentException("The 'login as' feature is not allowed due to the current configuration");
    }

    private Authentication getOnBehalfOfAuthentication(Context context, String str, HttpServletResponse httpServletResponse) throws SQLException {
        if (!this.authorizeService.isAdmin(context)) {
            throw new AccessDeniedException("Only admins are allowed to use the login as feature");
        }
        UUID fromString = UUIDUtils.fromString(str);
        if (fromString == null) {
            throw new IllegalArgumentException("The given UUID in the X-On-Behalf-Of header was not a proper UUID");
        }
        EPerson find = this.ePersonService.find(context, fromString);
        if (find == null) {
            throw new IllegalArgumentException("The given UUID in the X-On-Behalf-Of header was not a proper EPerson UUID");
        }
        if (this.authorizeService.isAdmin(context, find)) {
            throw new IllegalArgumentException("You're unable to use the login as feature to log in as another admin");
        }
        this.requestService.setCurrentUserId(fromString);
        context.switchContextUser(find);
        Logger logger = log;
        Objects.requireNonNull(find);
        logger.debug("Found 'on-behalf-of' authentication data in request for EPerson {}", new Supplier[]{find::getEmail});
        return new DSpaceAuthentication(find, this.authenticationProvider.getGrantedAuthorities(context));
    }
}
