package com.premiumminds.flowable.filter;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.premiumminds.flowable.conf.KeycloakProperties;
import com.premiumminds.flowable.service.KeycloakAccessTokenExtractor;
import com.premiumminds.flowable.service.OIDCMetadataHolder;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.flowable.ui.common.model.RemoteToken;
import org.flowable.ui.common.model.RemoteUser;
import org.flowable.ui.common.security.FlowableAppUser;
import org.flowable.ui.common.service.idm.RemoteIdmService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:com/premiumminds/flowable/filter/KeycloakTokenHandler.class */
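/**
 * Authenticates a request from the bearer access token in its {@code Authorization} header.
 *
 * <p>The token's claims are read through {@link KeycloakAccessTokenExtractor}, the matching
 * user is loaded from the remote IDM service, and on success the Spring Security context is
 * populated directly. Every authorization decision made downstream therefore depends on the
 * claims being trustworthy.
 *
 * <p>NOTE(review): this class performs no token validation of its own. Confirm that
 * {@code KeycloakAccessTokenExtractor.extractClaims} verifies the signature, issuer, audience
 * and expiry before the roles it yields are used here.
 */
public class KeycloakTokenHandler {
    private static final Logger LOGGER = LoggerFactory.getLogger(KeycloakTokenHandler.class);
    public static final String AUTHORIZATION = "Authorization";
    private final KeycloakCookieFilter filter;
    private final KeycloakAccessTokenExtractor accessTokenExtractor;
    private final RemoteIdmService remoteIdmService;

    /**
     * Creates a handler that shares the cookie filter's privilege checks and callbacks.
     *
     * @param keycloakProperties configuration passed to the token extractor and OIDC metadata holder
     * @param keycloakCookieFilter filter whose rejection, privilege and user-mapping helpers are reused
     * @param remoteIdmService service used to look up the user named by the token
     */
    public KeycloakTokenHandler(KeycloakProperties keycloakProperties, KeycloakCookieFilter keycloakCookieFilter, RemoteIdmService remoteIdmService) {
        this.filter = keycloakCookieFilter;
        this.remoteIdmService = remoteIdmService;
        this.accessTokenExtractor = new KeycloakAccessTokenExtractor(keycloakProperties, new OIDCMetadataHolder(keycloakProperties));
    }

    /**
     * Reports whether the request carries an {@code Authorization} header of any kind.
     *
     * <p>Only the header's presence is checked, so other schemes (for example Basic) also
     * return {@code true}; {@link #handle} then rejects any value that does not parse as a
     * bearer token.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} if the header is present
     */
    public boolean hasAuthorizationHeader(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getHeader(AUTHORIZATION) != null;
    }

    /**
     * Authenticates the request from its bearer token and, on success, stores the resulting
     * authentication in the {@link SecurityContextHolder}.
     *
     * <p>The request is rejected (and {@code false} returned) when the header is missing or
     * malformed, when no claims or no matching remote user are available, or when the user
     * lacks the privileges required for the request.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response used for rejection or redirect
     * @return {@code true} if the caller was authenticated and authorized, {@code false} if a
     *     rejection response has already been written
     */
    public boolean handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        BearerAccessToken accessToken = getAccessToken(httpServletRequest);
        if (accessToken == null) {
            LOGGER.warn("Unauthorized.");
            this.filter.sendNotPermitted(httpServletRequest, httpServletResponse);
            return false;
        }

        // The raw token value is a credential: it is passed to the extractor and never logged.
        JWTClaimsSet claims = this.accessTokenExtractor.extractClaims(accessToken.getValue());
        if (claims == null) {
            // Whether the extractor reports an invalid token with null or with an exception is
            // not visible from this class; fail closed in the null case rather than
            // dereferencing it below.
            LOGGER.warn("Unauthorized: no claims could be extracted from the access token.");
            this.filter.sendNotPermitted(httpServletRequest, httpServletResponse);
            return false;
        }

        String userId = this.accessTokenExtractor.getUserId(claims);
        RemoteUser user = this.remoteIdmService.getUser(userId);
        if (user == null) {
            // A token whose subject is unknown to the IDM service must not authenticate anyone.
            // Without this guard the null reaches user.getId() further down.
            LOGGER.warn("Unauthorized: no remote user found for token subject '{}'.", userId);
            this.filter.sendNotPermitted(httpServletRequest, httpServletResponse);
            return false;
        }

        // Roles come from the token claims, not from the IDM record.
        FlowableAppUser appUser = this.filter.appUserFromRemoteUser(user, this.accessTokenExtractor.getRoles(claims));
        if (!this.filter.validateRequiredPrivileges(httpServletRequest, httpServletResponse, appUser)) {
            this.filter.redirectOrSendNotPermitted(httpServletRequest, httpServletResponse, appUser.getUserObject().getId());
            return false;
        }

        // The authentication is placed in the context directly, bypassing any
        // AuthenticationProvider; the token key is a fixed string.
        SecurityContextHolder.getContext().setAuthentication(new RememberMeAuthenticationToken("RUNTIME-USER", appUser, appUser.getAuthorities()));
        if (this.filter.filterCallback == null) {
            return true;
        }
        // Only the user id is set on the RemoteToken handed to the callback.
        RemoteToken remoteToken = new RemoteToken();
        remoteToken.setUserId(user.getId());
        this.filter.filterCallback.onValidTokenFound(httpServletRequest, httpServletResponse, remoteToken);
        return true;
    }

    /**
     * Parses the {@code Authorization} header as a bearer access token.
     *
     * @param httpServletRequest the incoming request
     * @return the parsed token, or {@code null} if the header could not be parsed as one
     */
    private BearerAccessToken getAccessToken(HttpServletRequest httpServletRequest) {
        try {
            return BearerAccessToken.parse(httpServletRequest.getHeader(AUTHORIZATION));
        } catch (ParseException ignored) {
            // Deliberately ignored: an unparseable header is reported as "no token" and the
            // caller rejects the request. The header value is not logged because it may
            // contain a credential.
            return null;
        }
    }
}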
