package org.keycloak.adapters.springsecurity.filter;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.RequestAuthenticator;
import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.springsecurity.KeycloakAuthenticationException;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationFailureHandler;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationSuccessHandler;
import org.keycloak.adapters.springsecurity.authentication.RequestAuthenticatorFactory;
import org.keycloak.adapters.springsecurity.authentication.SpringSecurityRequestAuthenticatorFactory;
import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade;
import org.keycloak.adapters.springsecurity.token.AdapterTokenStoreFactory;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.keycloak.adapters.springsecurity.token.SpringSecurityAdapterTokenStoreFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.context.ApplicationEvent;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;

/* loaded from: input_file:BOOT-INF/lib/keycloak-spring-security-adapter-9.0.3.jar:org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticationProcessingFilter.class */
/**
 * Spring Security authentication filter that hands matching requests to a Keycloak
 * {@link RequestAuthenticator} and then to the configured {@link AuthenticationManager}.
 *
 * <p>Two success paths exist. Interactive {@link KeycloakAuthenticationToken}s go through
 * the superclass success handling. Every other authentication gets a fresh
 * {@link SecurityContext} that is cleared again once the rest of the filter chain has run.
 *
 * <p>Session creation and "continue chain before successful authentication" are both
 * forced to {@code false} in the constructor. The corresponding public setters throw, so
 * later configuration cannot change either policy.
 */
public class KeycloakAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter implements ApplicationContextAware {
    /** Name of the HTTP header whose presence makes the default matcher engage this filter. */
    public static final String AUTHORIZATION_HEADER = "Authorization";

    /**
     * Default trigger: the Keycloak login URI, any request carrying an {@code Authorization}
     * header, any request with an {@code access_token} query parameter, or a request matched
     * by {@link AdapterStateCookieRequestMatcher}.
     *
     * <p>NOTE(review): this matcher only decides whether the filter engages. How the token
     * itself is read is up to the request authenticator. Where bearer tokens do travel in the
     * query string they can end up in URL-based logs and Referer headers. A deployment that
     * does not need that form can pass a narrower matcher to the two-argument constructor.
     */
    public static final RequestMatcher DEFAULT_REQUEST_MATCHER = new OrRequestMatcher(
            new AntPathRequestMatcher(KeycloakAuthenticationEntryPoint.DEFAULT_LOGIN_URI),
            new RequestHeaderRequestMatcher(AUTHORIZATION_HEADER),
            new QueryParamPresenceRequestMatcher("access_token"),
            new AdapterStateCookieRequestMatcher());

    private static final Logger log = LoggerFactory.getLogger(KeycloakAuthenticationProcessingFilter.class);

    private ApplicationContext applicationContext;
    private AdapterDeploymentContext adapterDeploymentContext;
    // Both factories start with the Spring Security defaults and can be swapped through the setters.
    private AdapterTokenStoreFactory adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory();
    private AuthenticationManager authenticationManager;
    private RequestAuthenticatorFactory requestAuthenticatorFactory = new SpringSecurityRequestAuthenticatorFactory();

    /**
     * Creates a filter that uses {@link #DEFAULT_REQUEST_MATCHER} and installs the Keycloak
     * failure handler and a Keycloak success handler wrapping
     * {@link SavedRequestAwareAuthenticationSuccessHandler}.
     *
     * @param authenticationManager manager that validates the Keycloak authentication; must not be null
     */
    public KeycloakAuthenticationProcessingFilter(AuthenticationManager authenticationManager) {
        this(authenticationManager, DEFAULT_REQUEST_MATCHER);
        setAuthenticationFailureHandler(new KeycloakAuthenticationFailureHandler());
        setAuthenticationSuccessHandler(
                new KeycloakAuthenticationSuccessHandler(new SavedRequestAwareAuthenticationSuccessHandler()));
    }

    /**
     * Creates a filter that engages on requests accepted by {@code requestMatcher}.
     *
     * <p>Unlike the one-argument constructor, this one does not install the Keycloak
     * success and failure handlers. Whatever handlers the superclass holds stay in effect
     * unless the caller sets them.
     *
     * @param authenticationManager manager that validates the Keycloak authentication; must not be null
     * @param requestMatcher        decides which requests this filter attempts to authenticate
     */
    public KeycloakAuthenticationProcessingFilter(AuthenticationManager authenticationManager, RequestMatcher requestMatcher) {
        super(requestMatcher);
        Assert.notNull(authenticationManager, "authenticationManager cannot be null");
        this.authenticationManager = authenticationManager;
        super.setAuthenticationManager(authenticationManager);
        // Call the superclass setters directly: the overrides in this class always throw.
        super.setAllowSessionCreation(false);
        super.setContinueChainBeforeSuccessfulAuthentication(false);
    }

    /**
     * Looks up the {@link AdapterDeploymentContext} bean, then runs the superclass checks.
     *
     * <p>The application context is dereferenced without a null check, so
     * {@link #setApplicationContext(ApplicationContext)} has to be called first.
     */
    @Override
    public void afterPropertiesSet() {
        this.adapterDeploymentContext = this.applicationContext.getBean(AdapterDeploymentContext.class);
        super.afterPropertiesSet();
    }

    /**
     * Runs the Keycloak request authenticator for this request and maps its outcome.
     *
     * <ul>
     *   <li>{@code AUTHENTICATED}: the {@link Authentication} currently held by
     *       {@link SecurityContextHolder} is passed to the {@link AuthenticationManager}
     *       and the manager's result is returned.</li>
     *   <li>{@code FAILED}: any challenge is sent, then a
     *       {@link KeycloakAuthenticationException} is thrown.</li>
     *   <li>{@code NOT_ATTEMPTED}: any challenge is sent. A bearer-only deployment then
     *       throws; otherwise {@code null} is returned.</li>
     *   <li>Any other outcome: any challenge is sent and {@code null} is returned.</li>
     * </ul>
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response that a challenge may write to
     * @return the authenticated token, or {@code null} when no authentication was established
     * @throws AuthenticationException on a failed attempt, or on a missing attempt against
     *                                 a bearer-only deployment
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        log.debug("Attempting Keycloak authentication");

        SimpleHttpFacade facade = new SimpleHttpFacade(httpServletRequest, httpServletResponse);
        KeycloakDeployment deployment = this.adapterDeploymentContext.resolveDeployment(facade);
        // NOTE(review): this sets a flag on the resolved deployment object on every request.
        // Presumably it leaves bearer error responses to the challenge handling below; confirm.
        deployment.setDelegateBearerErrorResponseSending(true);

        // NOTE(review): the meaning of the trailing -1 is not visible in this file; confirm it
        // against RequestAuthenticatorFactory.
        RequestAuthenticator authenticator = this.requestAuthenticatorFactory.createRequestAuthenticator(
                facade,
                httpServletRequest,
                deployment,
                this.adapterTokenStoreFactory.createAdapterTokenStore(deployment, httpServletRequest, httpServletResponse),
                -1);

        AuthOutcome outcome = authenticator.authenticate();
        log.debug("Auth outcome: {}", outcome);

        if (AuthOutcome.AUTHENTICATED.equals(outcome)) {
            // Presumably the request authenticator stored this token during authenticate().
            // The assertion below rejects the request if nothing is there.
            Authentication current = SecurityContextHolder.getContext().getAuthentication();
            Assert.notNull(current, "Authentication SecurityContextHolder was null");
            return this.authenticationManager.authenticate(current);
        }

        // Every non-authenticated outcome sends the authenticator's challenge first, if it has one.
        sendChallengeIfPresent(authenticator, facade);

        if (AuthOutcome.FAILED.equals(outcome)) {
            throw new KeycloakAuthenticationException("Invalid authorization header, see WWW-Authenticate header for details");
        }
        if (AuthOutcome.NOT_ATTEMPTED.equals(outcome) && deployment.isBearerOnly()) {
            throw new KeycloakAuthenticationException("Authorization header not found,  see WWW-Authenticate header");
        }
        return null;
    }

    /** Sends the authenticator's challenge through the facade when the authenticator has one. */
    private void sendChallengeIfPresent(RequestAuthenticator authenticator, SimpleHttpFacade facade) {
        AuthChallenge pending = authenticator.getChallenge();
        if (pending != null) {
            pending.challenge(facade);
        }
    }

    /**
     * Completes a successful authentication.
     *
     * <p>Interactive Keycloak tokens are delegated to the superclass. For any other
     * authentication a new security context holding it is installed, an
     * {@link InteractiveAuthenticationSuccessEvent} is published when an event publisher is
     * set, and the rest of the chain runs. The context is cleared in a {@code finally}
     * block, so it is removed from the holder even if the chain throws.
     *
     * <p>Per the decompiler's note, this method was {@code protected} in the original class.
     */
    @Override
    public void successfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, Authentication authentication) throws IOException, ServletException {
        boolean interactive = authentication instanceof KeycloakAuthenticationToken
                && ((KeycloakAuthenticationToken) authentication).isInteractive();
        if (interactive) {
            super.successfulAuthentication(httpServletRequest, httpServletResponse, filterChain, authentication);
            return;
        }

        // NOTE(review): this writes the Authentication's string form to the debug log. Confirm
        // that it carries no credential material before enabling debug logging in production.
        if (log.isDebugEnabled()) {
            log.debug("Authentication success using bearer token/basic authentication. Updating SecurityContextHolder to contain: {}", authentication);
        }

        SecurityContext freshContext = SecurityContextHolder.createEmptyContext();
        freshContext.setAuthentication(authentication);
        SecurityContextHolder.setContext(freshContext);
        try {
            if (this.eventPublisher != null) {
                ApplicationEvent successEvent = new InteractiveAuthenticationSuccessEvent(authentication, getClass());
                this.eventPublisher.publishEvent(successEvent);
            }
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } finally {
            SecurityContextHolder.clearContext();
        }
    }

    /**
     * Delegates unchanged to the superclass failure handling.
     *
     * <p>Per the decompiler's note, this method was {@code protected} in the original class.
     */
    @Override
    public void unsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        super.unsuccessfulAuthentication(httpServletRequest, httpServletResponse, authenticationException);
    }

    /** Stores the context from which {@link #afterPropertiesSet()} later fetches the deployment context bean. */
    @Override
    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        this.applicationContext = applicationContext;
    }

    /**
     * Replaces the factory used to create the per-request adapter token store.
     *
     * @param adapterTokenStoreFactory the new factory; must not be null
     */
    public void setAdapterTokenStoreFactory(AdapterTokenStoreFactory adapterTokenStoreFactory) {
        Assert.notNull(adapterTokenStoreFactory, "AdapterTokenStoreFactory cannot be null");
        this.adapterTokenStoreFactory = adapterTokenStoreFactory;
    }

    /**
     * Always rejects the call; the constructor sets session creation to {@code false}.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public final void setAllowSessionCreation(boolean z) {
        throw new UnsupportedOperationException("This filter does not support explicitly setting a session creation policy");
    }

    /**
     * Always rejects the call; the constructor sets this policy to {@code false}.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public final void setContinueChainBeforeSuccessfulAuthentication(boolean z) {
        throw new UnsupportedOperationException("This filter does not support explicitly setting a continue chain before success policy");
    }

    /**
     * Replaces the factory used to create the per-request {@link RequestAuthenticator}.
     *
     * @param requestAuthenticatorFactory the new factory; must not be null
     */
    public void setRequestAuthenticatorFactory(RequestAuthenticatorFactory requestAuthenticatorFactory) {
        Assert.notNull(requestAuthenticatorFactory, "RequestAuthenticatorFactory cannot be null");
        this.requestAuthenticatorFactory = requestAuthenticatorFactory;
    }
}
