package org.cloudfoundry.identity.uaa.authentication;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.provider.oauth.XOAuthAuthenticationManager;
import org.cloudfoundry.identity.uaa.provider.oauth.XOAuthCodeToken;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
import org.springframework.security.saml.SAMLProcessingFilter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;

/* loaded from: input_file:org/cloudfoundry/identity/uaa/authentication/BackwardsCompatibleTokenEndpointAuthenticationFilter.class */
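/**
 * Servlet filter for the token endpoint that authenticates the end user for the
 * {@code password}, SAML2 bearer and JWT bearer grant types, and then replaces the
 * security context's authentication with an {@link OAuth2Authentication} combining
 * the OAuth2 request and the user authentication.
 *
 * <p>The filter expects an upstream filter to have placed the client authentication
 * in the {@link SecurityContextHolder}; a user authentication without one is rejected.
 */
public class BackwardsCompatibleTokenEndpointAuthenticationFilter implements Filter {
    private static final Log logger = LogFactory.getLog(BackwardsCompatibleTokenEndpointAuthenticationFilter.class);
    private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource;
    private AuthenticationEntryPoint authenticationEntryPoint;
    private final AuthenticationManager authenticationManager;
    private final OAuth2RequestFactory oAuth2RequestFactory;
    // May be null: the SAML2 bearer grant is then rejected as "assertion missing".
    private final SAMLProcessingFilter samlAuthenticationFilter;
    // May be null: the JWT bearer grant is then rejected as "assertion missing".
    private final XOAuthAuthenticationManager xoAuthAuthenticationManager;

    /**
     * Creates a filter that supports the password grant only; the SAML filter and the
     * external OAuth authentication manager are left unset.
     *
     * @param authenticationManager manager used to authenticate username/password credentials
     * @param oAuth2RequestFactory factory used to build the authorization and OAuth2 requests
     */
    public BackwardsCompatibleTokenEndpointAuthenticationFilter(AuthenticationManager authenticationManager, OAuth2RequestFactory oAuth2RequestFactory) {
        this(authenticationManager, oAuth2RequestFactory, null, null);
    }

    /**
     * Creates a filter with optional support for the SAML2 bearer and JWT bearer grants.
     *
     * @param authenticationManager manager used to authenticate username/password credentials
     * @param oAuth2RequestFactory factory used to build the authorization and OAuth2 requests
     * @param sAMLProcessingFilter filter used to authenticate a SAML assertion, or {@code null}
     * @param xOAuthAuthenticationManager manager used to authenticate a JWT assertion, or {@code null}
     */
    public BackwardsCompatibleTokenEndpointAuthenticationFilter(AuthenticationManager authenticationManager, OAuth2RequestFactory oAuth2RequestFactory, SAMLProcessingFilter sAMLProcessingFilter, XOAuthAuthenticationManager xOAuthAuthenticationManager) {
        this.authenticationDetailsSource = new WebAuthenticationDetailsSource();
        this.authenticationEntryPoint = new OAuth2AuthenticationEntryPoint();
        this.authenticationManager = authenticationManager;
        this.oAuth2RequestFactory = oAuth2RequestFactory;
        this.samlAuthenticationFilter = sAMLProcessingFilter;
        this.xoAuthAuthenticationManager = xOAuthAuthenticationManager;
    }

    /**
     * Replaces the entry point that is invoked when authentication fails.
     *
     * @param authenticationEntryPoint entry point used to start the error response
     */
    public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint) {
        this.authenticationEntryPoint = authenticationEntryPoint;
    }

    /**
     * Replaces the source of the details object attached to password-grant credentials.
     *
     * @param authenticationDetailsSource source used by {@link #extractCredentials}
     */
    public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
        this.authenticationDetailsSource = authenticationDetailsSource;
    }

    /**
     * Authenticates the user for the requested grant type and, on success, stores an
     * {@link OAuth2Authentication} in the security context before continuing the chain.
     * On failure the security context is cleared and the entry point writes the response;
     * the chain is not continued.
     *
     * @param servletRequest the incoming request, cast to {@link HttpServletRequest}
     * @param servletResponse the outgoing response, cast to {@link HttpServletResponse}
     * @param filterChain the remaining filter chain
     * @throws IOException if the chain or the entry point fails to write
     * @throws ServletException if the chain or the entry point fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        try {
            Authentication userAuthentication = attemptTokenAuthentication(httpServletRequest, httpServletResponse);
            if (userAuthentication != null) {
                // Whatever is in the context at this point is treated as the client authentication.
                Authentication clientAuthentication = SecurityContextHolder.getContext().getAuthentication();
                if (clientAuthentication == null) {
                    throw new BadCredentialsException("No client authentication found. Remember to put a filter upstream of the TokenEndpointAuthenticationFilter.");
                }
                Map<String, String> requestParameters = getSingleValueMap(httpServletRequest);
                // Written after the request parameters are copied, so a client_id sent in the
                // request never wins over the name of the authenticated client.
                requestParameters.put(AbstractClientParametersAuthenticationFilter.CLIENT_ID, clientAuthentication.getName());
                // The user authentication is placed in the context before the request factory runs.
                // NOTE(review): presumably the factory reads the user from the context - confirm.
                SecurityContextHolder.getContext().setAuthentication(userAuthentication);
                AuthorizationRequest authorizationRequest = this.oAuth2RequestFactory.createAuthorizationRequest(requestParameters);
                if (clientAuthentication.isAuthenticated()) {
                    authorizationRequest.setApproved(true);
                }
                SecurityContextHolder.getContext().setAuthentication(new OAuth2Authentication(this.oAuth2RequestFactory.createOAuth2Request(authorizationRequest), userAuthentication));
                onSuccessfulAuthentication(httpServletRequest, httpServletResponse, userAuthentication);
            }
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } catch (AuthenticationException e) {
            logger.debug("Authentication request failed: " + sanitizeForLog(e.getMessage()));
            onUnsuccessfulAuthentication(httpServletRequest, httpServletResponse, e);
            this.authenticationEntryPoint.commence(httpServletRequest, httpServletResponse, e);
        } catch (OAuth2Exception e2) {
            String message = e2.getMessage();
            logger.debug("Authentication request failed with Oauth exception: " + sanitizeForLog(message));
            // Wrapped so that the entry point, which takes an AuthenticationException, can handle it.
            InsufficientAuthenticationException insufficientAuthenticationException = new InsufficientAuthenticationException(message, e2);
            onUnsuccessfulAuthentication(httpServletRequest, httpServletResponse, insufficientAuthenticationException);
            this.authenticationEntryPoint.commence(httpServletRequest, httpServletResponse, insufficientAuthenticationException);
        }
    }

    /**
     * Flattens the request's multi-valued parameters to the first value of each.
     *
     * @param httpServletRequest the request whose parameters are copied
     * @return a new mutable map; a parameter with no values maps to {@code null}
     */
    private Map<String, String> getSingleValueMap(HttpServletRequest httpServletRequest) {
        Map<String, String> singleValues = new HashMap<>();
        Map<String, String[]> parameterMap = httpServletRequest.getParameterMap();
        for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
            String[] values = entry.getValue();
            singleValues.put(entry.getKey(), (values == null || values.length == 0) ? null : values[0]);
        }
        return singleValues;
    }

    /**
     * Neutralises line breaks in a value that originates from the request before it is
     * written to the log, so that the value cannot start a forged log line.
     *
     * @param value the text to log, possibly {@code null}
     * @return the text with CR and LF replaced by {@code '_'}, or {@code null} if it was {@code null}
     */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return null;
        }
        return value.replace('\r', '_').replace('\n', '_');
    }

    /**
     * Hook called after the {@link OAuth2Authentication} has been stored; does nothing here.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param authentication the authenticated user
     * @throws IOException declared for subclasses that write to the response
     */
    protected void onSuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException {
    }

    /**
     * Hook called when authentication fails; clears the security context so that neither
     * the client nor a partially established user authentication survives the failure.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @param authenticationException the failure being reported
     * @throws IOException declared for subclasses that write to the response
     */
    protected void onUnsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException {
        SecurityContextHolder.clearContext();
    }

    /**
     * Builds an unauthenticated username/password token from the {@code username} and
     * {@code password} request parameters and attaches the request details to it.
     *
     * @param httpServletRequest the token request
     * @return the credentials to hand to the authentication manager
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public Authentication extractCredentials(HttpServletRequest httpServletRequest) {
        UsernamePasswordAuthenticationToken credentials = new UsernamePasswordAuthenticationToken(httpServletRequest.getParameter("username"), httpServletRequest.getParameter("password"));
        credentials.setDetails(this.authenticationDetailsSource.buildDetails(httpServletRequest));
        return credentials;
    }

    /**
     * Authenticates the user according to the {@code grant_type} request parameter.
     *
     * @param httpServletRequest the token request
     * @param httpServletResponse the response, passed on to the SAML filter
     * @return the authentication result, or {@code null} when the grant type is not one of
     *     the three handled here or an assertion grant did not yield an authenticated result
     * @throws PasswordChangeRequiredException if a password-grant user must change the password
     * @throws InsufficientAuthenticationException if an assertion grant has no assertion or
     *     the matching authenticator is not configured
     */
    protected Authentication attemptTokenAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String grantType = httpServletRequest.getParameter("grant_type");
        logger.debug("Processing token user authentication for grant:" + sanitizeForLog(grantType));
        Authentication authentication = null;
        if ("password".equals(grantType)) {
            Authentication credentials = extractCredentials(httpServletRequest);
            logger.debug("Authentication credentials found password grant for '" + sanitizeForLog(credentials.getName()) + "'");
            Authentication authenticated = this.authenticationManager.authenticate(credentials);
            if (authenticated != null && authenticated.isAuthenticated() && (authenticated instanceof UaaAuthentication)) {
                UaaAuthentication uaaAuthentication = (UaaAuthentication) authenticated;
                if (uaaAuthentication.isRequiresPasswordChange()) {
                    throw new PasswordChangeRequiredException(uaaAuthentication, "password change required");
                }
            }
            // NOTE(review): unlike the assertion grants below, this branch returns the manager's
            // result without re-checking isAuthenticated(); it relies on the manager throwing
            // on failure - confirm against the configured AuthenticationManager.
            return authenticated;
        }
        if ("urn:ietf:params:oauth:grant-type:saml2-bearer".equals(grantType)) {
            logger.debug("urn:ietf:params:oauth:grant-type:saml2-bearer found. Attempting authentication with assertion");
            if (httpServletRequest.getParameter("assertion") == null || this.samlAuthenticationFilter == null) {
                logger.debug("No assertion or filter, not attempting SAML authentication for token endpoint.");
                throw new InsufficientAuthenticationException("SAML Assertion is missing");
            }
            logger.debug("Attempting SAML authentication for token endpoint.");
            authentication = this.samlAuthenticationFilter.attemptAuthentication(httpServletRequest, httpServletResponse);
        } else if ("urn:ietf:params:oauth:grant-type:jwt-bearer".equals(grantType)) {
            logger.debug("urn:ietf:params:oauth:grant-type:jwt-bearer found. Attempting authentication with assertion");
            String assertion = httpServletRequest.getParameter("assertion");
            if (assertion == null || this.xoAuthAuthenticationManager == null) {
                logger.debug("No assertion or authentication manager, not attempting JWT bearer authentication for token endpoint.");
                throw new InsufficientAuthenticationException("Assertion is missing");
            }
            logger.debug("Attempting OIDC JWT authentication for token endpoint.");
            // Only the assertion is supplied; the other constructor arguments are left null.
            XOAuthCodeToken codeToken = new XOAuthCodeToken(null, null, null, assertion, null, null);
            codeToken.setRequestContextPath(getContextPath(httpServletRequest));
            authentication = this.xoAuthAuthenticationManager.authenticate(codeToken);
        }
        if (authentication == null || !authentication.isAuthenticated()) {
            return null;
        }
        logger.debug("Authentication success: " + sanitizeForLog(authentication.getName()));
        return authentication;
    }

    /** No initialisation is required. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** No resources are held, so there is nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Returns the request URL with as many trailing characters removed as the servlet path
     * is long.
     *
     * <p>NOTE(review): this assumes the request URL ends with the servlet path (no extra path
     * info). The URL is built from the incoming request, so the scheme and host are presumably
     * whatever the client or a fronting proxy presented - confirm how the consumer of the
     * request context path uses it.
     *
     * @param httpServletRequest the current request
     * @return the leading part of the request URL
     */
    private String getContextPath(HttpServletRequest httpServletRequest) {
        StringBuffer requestURL = httpServletRequest.getRequestURL();
        return requestURL.substring(0, requestURL.length() - httpServletRequest.getServletPath().length());
    }
}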
