package org.cloudfoundry.identity.uaa.mfa;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.20.0.jar:org/cloudfoundry/identity/uaa/mfa/MfaUiRequiredFilter.class */
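/**
 * Servlet filter that gates UI requests behind the multi-factor (MFA) step.
 *
 * <p>For each request the filter classifies the current {@link Authentication} into an
 * {@link MfaNextStep} and then either lets the request through, redirects the user into the MFA
 * flow (remembering the original request in the {@link RequestCache}), sends the user back to the
 * remembered request once MFA has been completed, or rejects the request with HTTP 401 when the
 * authentication object is not one this filter understands.
 *
 * <p>MFA is considered "done" when the authentication's method set contains {@code "mfa"}; the
 * filter never adds that marker itself, it only reads it.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Unauthenticated and anonymous requests are passed through untouched — this filter does not
 *       enforce authentication, only the MFA step on top of an existing UAA authentication.</li>
 *   <li>The post-MFA redirect target is whatever the {@link RequestCache} returns. With the usual
 *       session-backed cache that URL is assembled by the server from the original request, which
 *       includes the request's host name — so host-header handling in front of this server matters
 *       (NOTE(review): confirm the deployment's trusted-host configuration).</li>
 *   <li>A configured {@code redirect} value starting with {@code //} would be emitted as a
 *       protocol-relative redirect when the context path is empty; keep it a plain absolute path.</li>
 * </ul>
 */
public class MfaUiRequiredFilter extends GenericFilterBean {
    private static final Log logger = LogFactory.getLog(MfaUiRequiredFilter.class);

    /** Authentication-method marker that signals the MFA step has been passed. */
    private static final String MFA_METHOD = "mfa";

    /** Matches the URLs that make up the MFA flow itself (must stay reachable before MFA is done). */
    private final AntPathRequestMatcher inProgressMatcher;
    /** Matches the URL hit once MFA is complete; triggers the redirect back to the saved request. */
    private final AntPathRequestMatcher completedMatcher;
    /** Matches logout; logout is never blocked by a pending MFA step. */
    private final AntPathRequestMatcher logoutMatcher;
    /** Location to send users who still need to complete MFA. */
    private final String redirect;
    /** Where the pre-MFA request is parked so it can be replayed afterwards. */
    private final RequestCache cache;
    /** Decides, per zone and identity-provider origin, whether MFA is enabled and required. */
    private final MfaChecker checker;

    /** Outcome of classifying a request against the current authentication. */
    public enum MfaNextStep {
        /** No authentication, or an anonymous token — nothing for this filter to enforce. */
        NOT_AUTHENTICATED,
        /** MFA not done yet and the request is part of the MFA flow itself. */
        MFA_IN_PROGRESS,
        /** MFA not done yet and the request is outside the MFA flow — redirect into it. */
        MFA_REQUIRED,
        /** MFA done and the request is an ordinary one — pass through. */
        MFA_OK,
        /** MFA disabled / not required for this origin, or a logout is in progress. */
        MFA_NOT_REQUIRED,
        /** MFA done and the request hits the "completed" URL — replay the saved request. */
        MFA_COMPLETED,
        /** Authentication object is not a {@link UaaAuthentication}; rejected with 401. */
        INVALID_AUTH
    }

    /**
     * Creates the filter. Wiring is positional; the argument order is part of the contract.
     *
     * @param inProgressPattern Ant pattern for the MFA flow URLs
     * @param redirect location to redirect to when MFA is required
     * @param requestCache cache used to park and replay the pre-MFA request
     * @param completedPattern Ant pattern for the MFA-completed URL
     * @param logoutMatcher matcher for the logout request
     * @param mfaChecker policy source for whether MFA is enabled/required
     */
    public MfaUiRequiredFilter(String inProgressPattern, String redirect, RequestCache requestCache,
                               String completedPattern, AntPathRequestMatcher logoutMatcher,
                               MfaChecker mfaChecker) {
        this.inProgressMatcher = new AntPathRequestMatcher(inProgressPattern);
        this.redirect = redirect;
        this.cache = requestCache;
        this.completedMatcher = new AntPathRequestMatcher(completedPattern);
        this.checker = mfaChecker;
        this.logoutMatcher = logoutMatcher;
    }

    /**
     * Classifies the request and acts on the result: pass through, redirect into MFA, redirect back
     * to the saved request, or reject with 401.
     *
     * @throws IOException if writing the redirect/error response fails
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        MfaNextStep step = getNextStep(request);
        switch (step) {
            case NOT_AUTHENTICATED:
            case MFA_IN_PROGRESS:
            case MFA_NOT_REQUIRED:
            case MFA_OK:
                filterChain.doFilter(request, response);
                return;

            case MFA_REQUIRED:
                logger.debug("Request requires MFA, redirecting to MFA flow for " + getAuthenticationLogInfo());
                // Park the original request so it can be replayed once MFA is done. Note that the
                // cache implementation decides what is stored (typically URL, headers and parameters).
                this.cache.saveRequest(request, response);
                sendRedirect(this.redirect, request, response);
                return;

            case MFA_COMPLETED:
                logger.debug("MFA has been completed for " + getAuthenticationLogInfo());
                // The saved request is read but deliberately not removed here, matching the previous
                // behaviour; NOTE(review): if nothing downstream clears it, a later visit to the
                // completed URL replays the same saved request — confirm whether removeRequest is wanted.
                SavedRequest saved = this.cache.getRequest(request, response);
                String target = saved == null ? "/" : saved.getRedirectUrl();
                logger.debug("Redirecting request to " + target);
                sendRedirect(target, request, response);
                return;

            case INVALID_AUTH:
            default:
                // Fail closed: an authentication object this filter cannot reason about must not
                // reach UI handlers. `default` is unreachable while every enum constant is listed
                // above; it only exists so a future constant cannot silently drop the request.
                logger.debug("Unrecognized authentication object:" + getAuthenticationLogInfo());
                response.sendError(401, "Invalid authentication object for UI operations.");
                return;
        }
    }

    /**
     * Human-readable description of the current authentication for debug logs.
     *
     * @return {@code null} when there is no authentication; otherwise username and user id for a
     *         {@link UaaAuthentication}, or the token's and principal's {@code toString()} for
     *         anything else (NOTE(review): that fallback relies on those objects not printing
     *         credentials — Spring's token base classes mask them, custom types may not)
     */
    protected String getAuthenticationLogInfo() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            return null;
        }
        if (authentication instanceof UaaAuthentication) {
            UaaPrincipal principal = ((UaaAuthentication) authentication).getPrincipal();
            return "Username:" + principal.getName() + " User-ID:" + principal.getId();
        }
        return "Unknown Auth=" + authentication + " Principal=" + authentication.getPrincipal();
    }

    /**
     * Decides what this filter should do with the request.
     *
     * <p>Decision order: no/anonymous authentication → {@code NOT_AUTHENTICATED}; non-UAA
     * authentication → {@code INVALID_AUTH}; MFA not required for the principal's origin, or a
     * logout in flight → {@code MFA_NOT_REQUIRED}; otherwise the outcome depends on whether the
     * {@code "mfa"} method is already present and which URL is being requested.
     *
     * @param request the current request
     * @return the next step; never {@code null}
     */
    protected MfaNextStep getNextStep(HttpServletRequest request) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
            return MfaNextStep.NOT_AUTHENTICATED;
        }
        if (!(authentication instanceof UaaAuthentication)) {
            return MfaNextStep.INVALID_AUTH;
        }
        UaaAuthentication uaaAuthentication = (UaaAuthentication) authentication;

        // Logout is always allowed through so a user stuck in MFA can still end the session.
        if (!mfaRequired(uaaAuthentication.getPrincipal().getOrigin()) || logoutInProgress(request)) {
            return MfaNextStep.MFA_NOT_REQUIRED;
        }

        if (hasCompletedMfa(uaaAuthentication)) {
            return this.completedMatcher.matches(request) ? MfaNextStep.MFA_COMPLETED : MfaNextStep.MFA_OK;
        }
        // MFA still outstanding: only the MFA flow's own URLs may be served.
        return this.inProgressMatcher.matches(request) ? MfaNextStep.MFA_IN_PROGRESS : MfaNextStep.MFA_REQUIRED;
    }

    /**
     * Whether the authentication already carries the {@code "mfa"} method marker.
     * A missing (null) method set is treated as "not completed" so the filter fails closed
     * instead of throwing.
     */
    private static boolean hasCompletedMfa(UaaAuthentication authentication) {
        return authentication.getAuthenticationMethods() != null
            && authentication.getAuthenticationMethods().contains(MFA_METHOD);
    }

    /**
     * Issues a redirect. Context-relative targets (starting with {@code /}) get the servlet context
     * path prepended; anything else (e.g. an absolute URL from a {@link SavedRequest}) is sent as-is.
     *
     * @param location redirect target
     * @throws IOException if the response cannot be written
     */
    protected void sendRedirect(String location, HttpServletRequest request,
                                HttpServletResponse response) throws IOException {
        String prefix = location.startsWith("/") ? request.getContextPath() : "";
        response.sendRedirect(prefix + location);
    }

    /**
     * MFA must be enforced for the given identity-provider origin in the current zone only when the
     * checker reports it as both enabled and required.
     *
     * @param origin the principal's identity-provider origin
     */
    protected boolean mfaRequired(String origin) {
        // Resolve the zone once; both checks must refer to the same zone.
        org.cloudfoundry.identity.uaa.zone.IdentityZone zone = IdentityZoneHolder.get();
        return this.checker.isMfaEnabled(zone, origin) && this.checker.isRequired(zone, origin);
    }

    /** True when the request is the configured logout request. */
    private boolean logoutInProgress(HttpServletRequest request) {
        return this.logoutMatcher.matches(request);
    }
}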
