package org.cloudfoundry.identity.uaa.authentication;

import java.io.IOException;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:org/cloudfoundry/identity/uaa/authentication/PasswordChangeRequiredFilter.class */
public class PasswordChangeRequiredFilter extends OncePerRequestFilter {
    private final String redirectUri;
    private final AntPathRequestMatcher matcher;
    private final RequestCache cache;
    private final AntPathRequestMatcher completed = new AntPathRequestMatcher("/force_password_change_completed");
    private final List<AntPathRequestMatcher> ignorePaths = new LinkedList();

    public PasswordChangeRequiredFilter(String str, RequestCache requestCache, String... strArr) {
        this.redirectUri = str;
        this.matcher = new AntPathRequestMatcher(str);
        this.cache = requestCache;
        if (strArr != null) {
            for (String str2 : strArr) {
                this.ignorePaths.add(new AntPathRequestMatcher(str2));
            }
        }
    }

    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (isIgnored(httpServletRequest, httpServletResponse)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        if (isCompleted(httpServletRequest)) {
            this.logger.debug("Forced password change has been completed.");
            SavedRequest request = this.cache.getRequest(httpServletRequest, httpServletResponse);
            if (request != null) {
                sendRedirect(request.getRedirectUrl(), httpServletRequest, httpServletResponse);
                return;
            } else {
                sendRedirect("/", httpServletRequest, httpServletResponse);
                return;
            }
        }
        if (needsPasswordReset() && !this.matcher.matches(httpServletRequest)) {
            this.logger.debug("Password change is required for user.");
            this.cache.saveRequest(httpServletRequest, httpServletResponse);
            sendRedirect(this.redirectUri, httpServletRequest, httpServletResponse);
        } else if (this.matcher.matches(httpServletRequest) && isAuthenticated() && !needsPasswordReset()) {
            sendRedirect("/", httpServletRequest, httpServletResponse);
        } else {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        }
    }

    protected boolean isIgnored(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Iterator<AntPathRequestMatcher> it = this.ignorePaths.iterator();
        while (it.hasNext()) {
            if (it.next().matches(httpServletRequest)) {
                return true;
            }
        }
        return false;
    }

    private boolean isAuthenticated() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return authentication != null && authentication.isAuthenticated();
    }

    protected boolean isCompleted(HttpServletRequest httpServletRequest) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null || !(authentication instanceof UaaAuthentication)) {
            return false;
        }
        UaaAuthentication uaaAuthentication = (UaaAuthentication) authentication;
        return uaaAuthentication.isAuthenticated() && !uaaAuthentication.isRequiresPasswordChange() && this.completed.matches(httpServletRequest);
    }

    protected void sendRedirect(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String str2 = (str.startsWith("/") ? httpServletRequest.getContextPath() : "") + str;
        this.logger.debug("Redirecting request to " + str2);
        httpServletResponse.sendRedirect(str2);
    }

    protected boolean needsPasswordReset() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return authentication != null && (authentication instanceof UaaAuthentication) && ((UaaAuthentication) authentication).isRequiresPasswordChange() && authentication.isAuthenticated();
    }
}
