package com.microsoft.azure.spring.autoconfigure.aad;

import com.microsoft.aad.msal4j.MsalServiceException;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.source.JWKSetCache;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.util.ResourceRetriever;
import java.io.IOException;
import java.net.MalformedURLException;
import java.text.ParseException;
import javax.naming.ServiceUnavailableException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:com/microsoft/azure/spring/autoconfigure/aad/AADAuthenticationFilter.class */
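/**
 * Servlet filter that authenticates requests carrying an AAD-issued JWT in the
 * {@code Authorization: Bearer ...} header.
 *
 * <p>On success a {@link PreAuthenticatedAuthenticationToken} holding the
 * {@link UserPrincipal} and its group-derived authorities is placed in the
 * {@link SecurityContextHolder}. The principal, the Graph API access token and
 * the JWT they were derived from are cached in the HTTP session so that
 * repeated requests with the same token do not hit the Graph API again.
 *
 * <p>Review notes relative to the original implementation:
 * <ul>
 *   <li>The raw bearer token is no longer written to the log when it is
 *       rejected as not AAD-issued - a bearer token is a credential.</li>
 *   <li>The scheme prefix is stripped with {@code substring} instead of
 *       {@code replace}, which removed every occurrence of "Bearer " in the
 *       header rather than just the leading one.</li>
 *   <li>The successful-authentication message (which renders the whole
 *       authentication object, including principal claims and authorities)
 *       is logged at DEBUG instead of INFO.</li>
 *   <li>No HTTP session is created for bearer tokens that fail the issuer
 *       check; the session is only needed for the cache.</li>
 * </ul>
 */
public class AADAuthenticationFilter extends OncePerRequestFilter {
    private static final Logger LOGGER = LoggerFactory.getLogger(AADAuthenticationFilter.class);
    // Session attribute keys: the cached principal, the Graph API access token obtained for it,
    // and the JWT both were built from (used to decide whether the cache is still valid).
    private static final String CURRENT_USER_PRINCIPAL = "CURRENT_USER_PRINCIPAL";
    private static final String CURRENT_USER_PRINCIPAL_GRAPHAPI_TOKEN = "CURRENT_USER_PRINCIPAL_GRAPHAPI_TOKEN";
    private static final String CURRENT_USER_PRINCIPAL_JWT_TOKEN = "CURRENT_USER_PRINCIPAL_JWT_TOKEN";
    private static final String TOKEN_HEADER = "Authorization";
    private static final String TOKEN_TYPE = "Bearer ";
    private final AADAuthenticationProperties aadAuthProps;
    private final ServiceEndpointsProperties serviceEndpointsProps;
    private final UserPrincipalManager principalManager;

    /**
     * Creates a filter with a default {@link UserPrincipalManager} that fetches the JWK set
     * through {@code resourceRetriever}.
     *
     * @param aADAuthenticationProperties AAD client configuration (client id / secret, ...)
     * @param serviceEndpointsProperties  AAD endpoint configuration
     * @param resourceRetriever           retriever used to load the JWK set
     */
    public AADAuthenticationFilter(AADAuthenticationProperties aADAuthenticationProperties, ServiceEndpointsProperties serviceEndpointsProperties, ResourceRetriever resourceRetriever) {
        this(aADAuthenticationProperties, serviceEndpointsProperties, new UserPrincipalManager(serviceEndpointsProperties, aADAuthenticationProperties, resourceRetriever, false));
    }

    /**
     * Creates a filter with a default {@link UserPrincipalManager} backed by an explicit JWK set cache.
     *
     * @param aADAuthenticationProperties AAD client configuration (client id / secret, ...)
     * @param serviceEndpointsProperties  AAD endpoint configuration
     * @param resourceRetriever           retriever used to load the JWK set
     * @param jWKSetCache                 cache for the retrieved JWK set
     */
    public AADAuthenticationFilter(AADAuthenticationProperties aADAuthenticationProperties, ServiceEndpointsProperties serviceEndpointsProperties, ResourceRetriever resourceRetriever, JWKSetCache jWKSetCache) {
        this(aADAuthenticationProperties, serviceEndpointsProperties, new UserPrincipalManager(serviceEndpointsProperties, aADAuthenticationProperties, resourceRetriever, false, jWKSetCache));
    }

    /**
     * Creates a filter that delegates token validation to the supplied {@link UserPrincipalManager}.
     *
     * @param aADAuthenticationProperties AAD client configuration (client id / secret, ...)
     * @param serviceEndpointsProperties  AAD endpoint configuration
     * @param userPrincipalManager        validates tokens and builds the {@link UserPrincipal}
     */
    public AADAuthenticationFilter(AADAuthenticationProperties aADAuthenticationProperties, ServiceEndpointsProperties serviceEndpointsProperties, UserPrincipalManager userPrincipalManager) {
        this.aadAuthProps = aADAuthenticationProperties;
        this.serviceEndpointsProps = serviceEndpointsProperties;
        this.principalManager = userPrincipalManager;
    }

    /**
     * Authenticates the request from its bearer token, if present and nobody has authenticated it
     * yet, then continues the chain unconditionally.
     *
     * <p>A request without a {@code Bearer} header, or one that is already authenticated, passes
     * through untouched; rejection of the token is left to downstream access rules.
     *
     * @throws ServletException if the token is AAD-issued but cannot be validated or enriched
     * @throws IOException      propagated from the filter chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        String header = httpServletRequest.getHeader(TOKEN_HEADER);
        if (!alreadyAuthenticated() && header != null && header.startsWith(TOKEN_TYPE)) {
            // Strip only the leading scheme. replace(TOKEN_TYPE, "") would also delete any later
            // occurrence of "Bearer " inside the credential itself.
            String token = header.substring(TOKEN_TYPE.length());
            verifyToken(httpServletRequest, token);
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /** @return whether the current security context already holds an authenticated principal */
    private boolean alreadyAuthenticated() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return authentication != null && authentication.isAuthenticated();
    }

    /**
     * Validates {@code token}, builds (or reuses from the session) the {@link UserPrincipal} and
     * its group memberships, and installs the resulting authentication in the security context.
     *
     * <p>The session cache is reused only when all three cached attributes are present and the
     * cached JWT is byte-identical to the presented one. NOTE(review): on that cached path
     * {@code buildUserPrincipal} is not called again, so any check it performs (presumably
     * signature and expiry validation - not visible here) is skipped for the lifetime of the
     * session. Confirm that token expiry is enforced somewhere on this path.
     *
     * @param request the current request; a session is created only once the token has passed the
     *                issuer check
     * @param token   the bearer token with the scheme prefix already removed
     * @throws ServletException if the token cannot be parsed/verified, the Graph API token cannot be
     *                          acquired, or AAD requires conditional-access handling
     * @throws IOException      propagated from the principal manager
     */
    private void verifyToken(HttpServletRequest request, String token) throws IOException, ServletException {
        if (!this.principalManager.isTokenIssuedByAAD(token)) {
            // Deliberately do not log the token: it is a credential and must not land in log files.
            LOGGER.info("Bearer token is not issued by AAD; leaving the request unauthenticated.");
            return;
        }
        HttpSession session = request.getSession();
        try {
            String cachedJwt = (String) session.getAttribute(CURRENT_USER_PRINCIPAL_JWT_TOKEN);
            UserPrincipal principal = (UserPrincipal) session.getAttribute(CURRENT_USER_PRINCIPAL);
            String graphToken = (String) session.getAttribute(CURRENT_USER_PRINCIPAL_GRAPHAPI_TOKEN);
            AzureADGraphClient graphClient = new AzureADGraphClient(this.aadAuthProps.getClientId(), this.aadAuthProps.getClientSecret(), this.aadAuthProps, this.serviceEndpointsProps);
            boolean cacheUsable = principal != null
                    && graphToken != null
                    && !graphToken.isEmpty()
                    && token.equals(cachedJwt);
            if (!cacheUsable) {
                principal = this.principalManager.buildUserPrincipal(token);
                // On-behalf-of exchange of the user's token for a Graph API token, then resolve groups.
                graphToken = graphClient.acquireTokenForGraphApi(token, principal.getClaim().toString()).accessToken();
                principal.setUserGroups(graphClient.getGroups(graphToken));
                session.setAttribute(CURRENT_USER_PRINCIPAL, principal);
                session.setAttribute(CURRENT_USER_PRINCIPAL_GRAPHAPI_TOKEN, graphToken);
                session.setAttribute(CURRENT_USER_PRINCIPAL_JWT_TOKEN, token);
            }
            PreAuthenticatedAuthenticationToken authentication = new PreAuthenticatedAuthenticationToken(principal, null, graphClient.convertGroupsToGrantedAuthorities(principal.getUserGroups()));
            authentication.setAuthenticated(true);
            // DEBUG, not INFO: the token's toString() renders the principal (claims) and authorities.
            LOGGER.debug("Request token verification success. {}", authentication);
            SecurityContextHolder.getContext().setAuthentication(authentication);
        } catch (MalformedURLException | ParseException | BadJOSEException | JOSEException e) {
            LOGGER.error("Failed to initialize UserPrincipal.", e);
            throw new ServletException(e);
        } catch (ServiceUnavailableException e2) {
            LOGGER.error("Failed to acquire graph api token.", e2);
            throw new ServletException(e2);
        } catch (MsalServiceException e3) {
            // A non-empty claims challenge means AAD wants a conditional access policy satisfied;
            // surface it as a ServletException so the caller can handle it, otherwise rethrow as-is.
            if (e3.claims() != null && !e3.claims().isEmpty()) {
                throw new ServletException("Handle conditional access policy", e3);
            }
            throw e3;
        }
    }
}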
