package com.microsoft.azure.spring.autoconfigure.aad;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.proc.BadJWTException;
import java.io.IOException;
import java.text.ParseException;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.minidev.json.JSONArray;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:com/microsoft/azure/spring/autoconfigure/aad/AADAppRoleStatelessAuthenticationFilter.class */
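/**
 * Stateless servlet filter that authenticates a request from the bearer token in its
 * {@code Authorization} header and maps the token's {@code roles} claim to Spring Security
 * authorities.
 *
 * <p>The security context is populated only for the duration of the request: when this filter
 * set the authentication itself, it clears the context again once the chain returns.
 *
 * <p>A token that verifies but carries no (or an empty) {@code roles} claim is granted the
 * default {@code ROLE_USER} authority. Endpoints that must not be reachable by every holder of
 * a valid token therefore need an explicit role requirement.
 */
public class AADAppRoleStatelessAuthenticationFilter extends OncePerRequestFilter {
    private static final Logger LOGGER = LoggerFactory.getLogger(AADAppRoleStatelessAuthenticationFilter.class);
    private static final String TOKEN_TYPE = "Bearer ";
    private static final String ROLE_PREFIX = "ROLE_";
    /** Roles assumed when the token has no usable {@code roles} claim. */
    private static final JSONArray DEFAULT_ROLE_CLAIM = new JSONArray().appendElement("USER");

    private final UserPrincipalManager principalManager;

    /**
     * @param userPrincipalManager used to check the token issuer and to build the principal
     *                             from the token
     */
    public AADAppRoleStatelessAuthenticationFilter(UserPrincipalManager userPrincipalManager) {
        this.principalManager = userPrincipalManager;
    }

    /**
     * Authenticates the request from its bearer token, if there is one and the request is not
     * already authenticated, then continues the filter chain.
     *
     * @throws ServletException if the token cannot be parsed or fails validation, or if the
     *                          chain throws it
     * @throws IOException      if the chain throws it
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        final String header = httpServletRequest.getHeader("Authorization");
        boolean cleanupRequired = false;
        if (!alreadyAuthenticated() && StringUtils.hasText(header) && header.startsWith(TOKEN_TYPE)) {
            // Strip only the leading scheme. String.replace would also delete any later
            // occurrence of "Bearer " and so accept header values that are not
            // "<scheme> <token>".
            cleanupRequired = verifyToken(header.substring(TOKEN_TYPE.length()));
        }
        try {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } finally {
            // Only undo what this filter set up; an authentication established elsewhere
            // is left untouched.
            if (cleanupRequired) {
                SecurityContextHolder.clearContext();
            }
        }
    }

    /**
     * Validates the raw token and, on success, stores the resulting authentication in the
     * security context.
     *
     * @param str the raw token, without the {@code "Bearer "} prefix
     * @return {@code true} if the authentication was set by this call, {@code false} if the
     *         token was not issued by AAD and was ignored
     * @throws ServletException if the token cannot be parsed or fails validation
     */
    private boolean verifyToken(String str) throws ServletException {
        if (!this.principalManager.isTokenIssuedByAAD(str)) {
            // The bearer token is a credential: it must not be written to the log, where it
            // could be read and replayed by anyone with log access.
            LOGGER.info("Token is not issued by AAD");
            return false;
        }
        try {
            final UserPrincipal principal = this.principalManager.buildUserPrincipal(str);
            // NOTE(review): a "roles" claim that is not a JSON array fails this cast with a
            // ClassCastException, which is not caught below — confirm the intended handling.
            final JSONArray roles = Optional.ofNullable((JSONArray) principal.getClaims().get("roles"))
                    .filter(claim -> !claim.isEmpty())
                    .orElse(DEFAULT_ROLE_CLAIM);
            final PreAuthenticatedAuthenticationToken authentication =
                    new PreAuthenticatedAuthenticationToken(principal, null, rolesToGrantedAuthorities(roles));
            authentication.setAuthenticated(true);
            // Log the granted authorities only. The string form of the principal is not
            // visible from this class and may include token claims, so it is kept out of
            // the log.
            LOGGER.info("Request token verification success. authorities={}", authentication.getAuthorities());
            SecurityContextHolder.getContext().setAuthentication(authentication);
            return true;
        } catch (BadJWTException e) {
            // BadJWTException is a subclass of BadJOSEException, so this handler has to come
            // before the broader one or it can never run.
            final String message = "Invalid JWT. Either expired or not yet valid. " + e.getMessage();
            LOGGER.warn(message);
            throw new ServletException(message, e);
        } catch (ParseException | BadJOSEException | JOSEException e) {
            LOGGER.error("Failed to initialize UserPrincipal.", e);
            throw new ServletException(e);
        }
    }

    /** Returns whether the security context already holds an authenticated principal. */
    private boolean alreadyAuthenticated() {
        final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return authentication != null && authentication.isAuthenticated();
    }

    /**
     * Converts role names into granted authorities by prefixing each with {@code "ROLE_"}.
     * {@code null} entries are skipped.
     *
     * @param jSONArray the role names taken from the token
     * @return one authority per distinct non-null entry
     */
    protected Set<SimpleGrantedAuthority> rolesToGrantedAuthorities(JSONArray jSONArray) {
        return jSONArray.stream()
                .filter(Objects::nonNull)
                .map(role -> new SimpleGrantedAuthority(ROLE_PREFIX + role))
                .collect(Collectors.toSet());
    }
}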
