package org.keycloak.adapters.springsecurity.filter;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AuthenticatedActionsHandler;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:BOOT-INF/lib/keycloak-spring-security-adapter-17.0.1.jar:org/keycloak/adapters/springsecurity/filter/KeycloakAuthenticatedActionsFilter.class */
/**
 * Servlet filter that runs Keycloak's {@link AuthenticatedActionsHandler} once per request
 * for callers whose Spring Security principal carries a
 * {@link RefreshableKeycloakSecurityContext}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The filter reads the current {@link Authentication} from
 *       {@link SecurityContextHolder}. If no authentication is present, or its principal is
 *       not a {@link KeycloakPrincipal}, the handler is skipped and the request continues
 *       down the chain unchanged. The filter is therefore only effective when it is ordered
 *       after whatever populates the security context.</li>
 *   <li>When the handler reports that it handled the request, the rest of the filter chain
 *       is NOT invoked. What the handler does in that case is defined in
 *       {@code AuthenticatedActionsHandler} and is not visible here.</li>
 *   <li>Re-entry is suppressed with a request attribute; any non-null value under that
 *       attribute name disables the handler for the request.</li>
 * </ul>
 */
public class KeycloakAuthenticatedActionsFilter extends GenericFilterBean implements ApplicationContextAware {
    /** Request attribute name used to mark a request this filter has already processed. */
    private static final String FILTER_APPLIED = KeycloakAuthenticatedActionsFilter.class.getPackage().getName() + ".authenticated-actions";

    // Injected through setApplicationContext(); dereferenced by initFilterBean().
    private ApplicationContext applicationContext;

    // Looked up in initFilterBean(); used to resolve the deployment for each request.
    private AdapterDeploymentContext deploymentContext;

    /**
     * Applies the authenticated-actions handler at most once per request, then continues the chain.
     *
     * @param servletRequest  the incoming request; cast to {@link HttpServletRequest} when the handler runs
     * @param servletResponse the outgoing response; cast to {@link HttpServletResponse} when the handler runs
     * @param filterChain     the remaining chain, skipped only when the handler reports the request as handled
     * @throws IOException      propagated from the downstream chain
     * @throws ServletException propagated from the downstream chain
     * @throws ClassCastException if the handler path is taken with a non-HTTP request or response
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        boolean alreadyApplied = servletRequest.getAttribute(FILTER_APPLIED) != null;
        if (!alreadyApplied) {
            // Mark before doing any work so a nested dispatch through this filter is a pass-through.
            servletRequest.setAttribute(FILTER_APPLIED, Boolean.TRUE);

            if (getKeycloakPrincipal() instanceof RefreshableKeycloakSecurityContext) {
                // Resolve the deployment first, then build the facade, in that order.
                KeycloakDeployment deployment = resolveDeployment(servletRequest, servletResponse);
                OIDCHttpFacade facade = new SimpleHttpFacade((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse);
                AuthenticatedActionsHandler handler = new AuthenticatedActionsHandler(deployment, facade);
                if (handler.handledRequest()) {
                    // The handler took over the request: do not invoke the rest of the chain.
                    return;
                }
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Fetches the {@link AdapterDeploymentContext} bean from the application context.
     *
     * <p>Dereferences {@code applicationContext}, so {@link #setApplicationContext} must have
     * been called first; otherwise this throws {@link NullPointerException}.
     */
    @Override
    protected void initFilterBean() {
        this.deploymentContext = this.applicationContext.getBean(AdapterDeploymentContext.class);
    }

    /**
     * Stores the Spring application context for later bean lookup.
     *
     * @param applicationContext the context supplied by the container
     * @throws BeansException declared by {@link ApplicationContextAware}; not thrown by this implementation
     */
    @Override
    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        this.applicationContext = applicationContext;
    }

    /**
     * Extracts the Keycloak security context from the current Spring Security authentication.
     *
     * @return the security context held by the {@link KeycloakPrincipal}, or {@code null} when
     *         there is no authentication or the principal is of any other type
     */
    private KeycloakSecurityContext getKeycloakPrincipal() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        Object candidate = (current == null) ? null : current.getPrincipal();
        if (!(candidate instanceof KeycloakPrincipal)) {
            return null;
        }
        return ((KeycloakPrincipal) candidate).getKeycloakSecurityContext();
    }

    /**
     * Resolves the Keycloak deployment that applies to the given request.
     *
     * @param servletRequest  must be an {@link HttpServletRequest}
     * @param servletResponse must be an {@link HttpServletResponse}
     * @return whatever {@code deploymentContext.resolveDeployment} returns for a facade over the pair
     * @throws ClassCastException if either argument is not of the HTTP type
     */
    private KeycloakDeployment resolveDeployment(ServletRequest servletRequest, ServletResponse servletResponse) {
        HttpServletRequest httpRequest = HttpServletRequest.class.cast(servletRequest);
        HttpServletResponse httpResponse = HttpServletResponse.class.cast(servletResponse);
        return this.deploymentContext.resolveDeployment(new SimpleHttpFacade(httpRequest, httpResponse));
    }

    /** Clears the thread's Spring Security context. Not called from anywhere in this class. */
    private void clearAuthenticationContext() {
        SecurityContextHolder.clearContext();
    }
}
