package com.premiumminds.flowable.filter;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.premiumminds.flowable.conf.KeycloakProperties;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.flowable.ui.common.filter.FlowableCookieFilterCallback;
import org.flowable.ui.common.model.RemoteToken;
import org.flowable.ui.common.model.RemoteUser;
import org.flowable.ui.common.properties.FlowableCommonAppProperties;
import org.flowable.ui.common.security.FlowableAppUser;
import org.flowable.ui.common.service.idm.RemoteIdmService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Primary;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Service;
import org.springframework.web.filter.OncePerRequestFilter;

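/**
 * Per-request servlet filter that gates Flowable UI requests behind Keycloak (OIDC) authentication.
 *
 * <p>Each request takes one of three paths before the filter chain continues: the OIDC
 * {@code /callback} endpoint is handed to {@link AuthenticationHandler}; requests carrying an
 * Authorization header go to {@link KeycloakTokenHandler}; every other request that is not a
 * static resource goes to {@link AuthenticationHandler#handleAuthenticatedRequest}.
 *
 * <p>This listing was decompiled from
 * {@code com/premiumminds/flowable/filter/KeycloakCookieFilter.class}; several members are public
 * here although the decompiler recorded their original modifier as {@code protected}.
 */
@Primary
@Service
public class KeycloakCookieFilter extends OncePerRequestFilter {
    private static final Logger LOGGER = LoggerFactory.getLogger(KeycloakCookieFilter.class);

    /** Maximum number of entries held by each of the two caches. */
    private static final int MAX_CACHE_SIZE = 100;

    /** Time, in days, after which a cache entry expires (counted from the write). */
    private static final int MAX_CACHE_DURATION_DAYS = 1;

    /** Request-URI suffixes that are served without an authentication check. */
    private static final String[] UNAUTHENTICATED_SUFFIXES = {
        ".css", ".js", ".html", ".map", ".woff", ".png", ".jpg", ".jpeg", ".tif", ".tiff"
    };

    // Optional hook run after the chain completes; injected only when a bean exists.
    protected FlowableCookieFilterCallback filterCallback;
    protected final RemoteIdmService remoteIdmService;
    protected final FlowableCommonAppProperties properties;
    // Authorities a user must hold for non-REST paths; null or empty disables the check.
    protected Collection<String> requiredPrivileges;
    // NOTE(review): entries live for up to MAX_CACHE_DURATION_DAYS after being written. Whether a
    // revoked session or a changed role is noticed sooner depends on AuthenticationHandler, which
    // is not shown here. Confirm the cached user/token is re-validated against Keycloak.
    protected Cache<String, FlowableAppUser> userCache;
    protected Cache<String, RemoteToken> tokenCache;
    protected KeycloakTokenHandler keycloakTokenHandler;
    protected AuthenticationHandler authenticationHandler;

    /**
     * Wires the filter together with its two request handlers and creates both caches.
     *
     * @param remoteIdmService identity-management client, shared with both handlers
     * @param flowableCommonAppProperties Flowable application properties, stored in {@link #properties}
     * @param keycloakProperties Keycloak settings passed on to both handlers
     */
    public KeycloakCookieFilter(RemoteIdmService remoteIdmService, FlowableCommonAppProperties flowableCommonAppProperties, KeycloakProperties keycloakProperties) {
        this.remoteIdmService = remoteIdmService;
        this.properties = flowableCommonAppProperties;
        // NOTE(review): `this` is handed out before the caches and authenticationHandler exist;
        // KeycloakTokenHandler must not call back into this filter from its constructor.
        this.keycloakTokenHandler = new KeycloakTokenHandler(keycloakProperties, this, remoteIdmService);
        // The caches have to exist before AuthenticationHandler is built, because it receives them.
        initUserCache();
        initTokenCache();
        this.authenticationHandler = new AuthenticationHandler(this.userCache, this.tokenCache, keycloakProperties, remoteIdmService, this);
    }

    /** Creates the bounded, expiring cache of application users. */
    protected void initUserCache() {
        this.userCache = newBoundedCache();
    }

    /** Creates the bounded, expiring cache of remote tokens. */
    protected void initTokenCache() {
        this.tokenCache = newBoundedCache();
    }

    /** Builds a cache limited to MAX_CACHE_SIZE entries that expire MAX_CACHE_DURATION_DAYS after the write. */
    private static <V> Cache<String, V> newBoundedCache() {
        return CacheBuilder.newBuilder()
                .maximumSize(MAX_CACHE_SIZE)
                .expireAfterWrite(MAX_CACHE_DURATION_DAYS, TimeUnit.DAYS)
                .recordStats()
                .build();
    }

    /**
     * Authenticates the request and, when it is accepted, continues the filter chain.
     *
     * <p>A handler that returns {@code false} ends processing here; the handler is then expected to
     * have written the response itself (redirect or error status).
     *
     * @throws ServletException propagated from the filter chain
     * @throws IOException propagated from the filter chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (isAuthenticationCallbackRequest(httpServletRequest)) {
            this.authenticationHandler.authenticationCallbackHandler(httpServletRequest, httpServletResponse);
            return;
        }
        if (!skipAuthenticationCheck(httpServletRequest)) {
            boolean accepted = this.keycloakTokenHandler.hasAuthorizationHeader(httpServletRequest)
                    ? this.keycloakTokenHandler.handle(httpServletRequest, httpServletResponse)
                    : this.authenticationHandler.handleAuthenticatedRequest(httpServletRequest, httpServletResponse);
            if (!accepted) {
                return;
            }
        }
        try {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } finally {
            // Run the cleanup hook exactly once, whether or not the chain threw. The decompiled
            // catch-and-rethrow form could invoke it twice when the hook itself failed.
            if (this.filterCallback != null) {
                this.filterCallback.onFilterCleanup(httpServletRequest, httpServletResponse);
            }
        }
    }

    /** Returns true when the request URI is exactly {@code <contextPath>/callback}. */
    protected boolean isAuthenticationCallbackRequest(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getRequestURI().equals(httpServletRequest.getContextPath() + "/callback");
    }

    /**
     * Decides whether the request is for a static resource that is served without authentication.
     *
     * <p>{@code getRequestURI()} returns the raw path, which may carry {@code ;}-delimited path
     * parameters that servlet containers drop before mapping the request. Matching the suffix on
     * the raw string would let the suffix seen here differ from the path that is dispatched, so
     * the parameters are removed before the comparison.
     *
     * @return true when the parameter-free request path ends with one of the static-resource suffixes
     */
    protected boolean skipAuthenticationCheck(HttpServletRequest httpServletRequest) {
        // NOTE(review): any handler reachable under a path ending in one of these suffixes is not
        // authenticated by this filter. Confirm no protected endpoint can be mapped that way.
        String path = stripPathParameters(httpServletRequest.getRequestURI());
        for (String suffix : UNAUTHENTICATED_SUFFIXES) {
            if (path.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    /** Removes every {@code ;param} run (up to the next {@code /}) from a request path. */
    private static String stripPathParameters(String uri) {
        if (uri.indexOf(';') < 0) {
            return uri;
        }
        StringBuilder path = new StringBuilder(uri.length());
        boolean insideParameter = false;
        for (int i = 0; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (c == '/') {
                insideParameter = false;
                path.append(c);
            } else if (c == ';') {
                insideParameter = true;
            } else if (!insideParameter) {
                path.append(c);
            }
        }
        return path.toString();
    }

    /**
     * Redirects root-path requests to the login page and answers every other request with 403.
     *
     * <p>Public in this decompiled listing; the decompiler recorded the original modifier as protected.
     *
     * @param str user-cache key to invalidate before redirecting; may be null
     */
    public void redirectOrSendNotPermitted(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        if (isRootPath(httpServletRequest)) {
            redirectToLogin(httpServletRequest, httpServletResponse, str);
        } else {
            sendNotPermitted(httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Drops the cached user for {@code str} (when non-null) and redirects to the login URI
     * supplied by {@link AuthenticationHandler#login()}.
     *
     * @throws RuntimeException wrapping the IOException when the redirect cannot be sent
     */
    protected void redirectToLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        if (str != null) {
            this.userCache.invalidate(str);
        }
        try {
            httpServletResponse.sendRedirect(this.authenticationHandler.login().toASCIIString());
        } catch (IOException e) {
            throw new RuntimeException("error redirecting user to oidc login", e);
        }
    }

    /**
     * Sets the response status to 403 Forbidden without writing a body.
     *
     * <p>Public in this decompiled listing; the decompiler recorded the original modifier as protected.
     */
    public void sendNotPermitted(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
    }

    /** Returns true when the request's path info is null, empty or {@code "/"}. */
    protected boolean isRootPath(HttpServletRequest httpServletRequest) {
        String pathInfo = httpServletRequest.getPathInfo();
        return pathInfo == null || "".equals(pathInfo) || "/".equals(pathInfo);
    }

    /**
     * Builds the application user for a remote user, granting one authority per entry of {@code list}.
     *
     * <p>Public in this decompiled listing; the decompiler recorded the original modifier as protected.
     *
     * @param remoteUser user record whose id becomes the principal's password argument
     * @param list authority names to grant; must not be null
     * @return the user wrapping {@code remoteUser} with the converted authorities
     */
    public FlowableAppUser appUserFromRemoteUser(RemoteUser remoteUser, List<String> list) {
        List<GrantedAuthority> authorities = new ArrayList<>(list.size());
        for (String authority : list) {
            authorities.add(new SimpleGrantedAuthority(authority));
        }
        return new FlowableAppUser(remoteUser, remoteUser.getId(), authorities);
    }

    /**
     * Checks that the user holds every configured required privilege.
     *
     * <p>Public in this decompiled listing; the decompiler recorded the original modifier as protected.
     *
     * @return true when the user is null, when the request is a non-root path starting with
     *     {@code /rest}, when no required privileges are configured, or when the user holds all
     *     of them; false otherwise
     */
    public boolean validateRequiredPrivileges(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FlowableAppUser flowableAppUser) {
        // NOTE(review): a null user passes this check, so it is not an authentication check.
        // Callers must have rejected unauthenticated requests already (confirm in the handlers).
        if (flowableAppUser == null) {
            return true;
        }
        String pathInfo = httpServletRequest.getPathInfo();
        // pathInfo is non-null whenever isRootPath() is false, so startsWith is safe here.
        // NOTE(review): /rest paths are exempt, presumably because they are authorised elsewhere.
        boolean restCall = !isRootPath(httpServletRequest) && pathInfo.startsWith("/rest");
        if (restCall || this.requiredPrivileges == null || this.requiredPrivileges.isEmpty()) {
            return true;
        }
        Collection<? extends GrantedAuthority> granted = flowableAppUser.getAuthorities();
        if (granted == null || granted.isEmpty()) {
            return false;
        }
        // Test each required privilege directly. The decompiled code counted matches (with the
        // increment rendered as the unrelated constant MAX_CACHE_DURATION_DAYS) and compared the
        // count with the collection size, which is only right when neither side has duplicates.
        for (String privilege : this.requiredPrivileges) {
            if (!holdsAuthority(granted, privilege)) {
                return false;
            }
        }
        return true;
    }

    /** Returns true when one of {@code granted} has exactly the authority name {@code privilege}. */
    private static boolean holdsAuthority(Collection<? extends GrantedAuthority> granted, String privilege) {
        if (privilege == null) {
            return false;
        }
        for (GrantedAuthority authority : granted) {
            if (privilege.equals(authority.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    /** Sets the authorities required for non-REST paths; null or empty disables the check. */
    public void setRequiredPrivileges(Collection<String> collection) {
        this.requiredPrivileges = collection;
    }

    /** Injects the optional cleanup callback; left null when no such bean is defined. */
    @Autowired(required = false)
    public void setFilterCallback(FlowableCookieFilterCallback flowableCookieFilterCallback) {
        this.filterCallback = flowableCookieFilterCallback;
    }
}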
