package net.coder966.spring.multisecurityrealms.filter;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import net.coder966.spring.multisecurityrealms.exception.SecurityRealmAuthenticationException;
import net.coder966.spring.multisecurityrealms.model.SecurityRealm;
import net.coder966.spring.multisecurityrealms.model.SecurityRealmAnonymousAuthentication;
import net.coder966.spring.multisecurityrealms.model.SecurityRealmAuthentication;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:net/coder966/spring/multisecurityrealms/filter/SecurityRealmAuthenticationFilter.class */
public class SecurityRealmAuthenticationFilter<T> extends OncePerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(SecurityRealmAuthenticationFilter.class);
    private final SecurityRealm<T> realm;
    private final SecurityContextRepository securityContextRepository;
    private final String NEXT_STEP_RESPONSE_HEADER_NAME = "X-Next-Auth-Step";
    private final String ERROR_CODE_RESPONSE_HEADER_NAME = "X-Auth-Error-Code";

    public SecurityRealmAuthenticationFilter(SecurityRealm<T> securityRealm, SecurityContextRepository securityContextRepository) {
        this.realm = securityRealm;
        this.securityContextRepository = securityContextRepository;
    }

    public boolean matches(HttpServletRequest httpServletRequest) {
        return matchesLogin(httpServletRequest) || matchesLogout(httpServletRequest) || matchesPublicApi(httpServletRequest);
    }

    private boolean matchesLogin(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getMethod().equals("POST") && httpServletRequest.getRequestURI().equals(this.realm.getLoginUrl());
    }

    private boolean matchesLogout(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getMethod().equals("POST") && httpServletRequest.getRequestURI().equals(this.realm.getLogoutUrl());
    }

    private boolean matchesPublicApi(HttpServletRequest httpServletRequest) {
        return this.realm.getPublicApisRequestMatchers().stream().anyMatch(requestMatcher -> {
            return requestMatcher.matches(httpServletRequest);
        });
    }

    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (matchesLogin(httpServletRequest)) {
            log.debug("handling login");
            handleLogin(httpServletRequest, httpServletResponse);
        } else if (matchesLogout(httpServletRequest)) {
            log.debug("handling logout");
            handleLogout(httpServletRequest, httpServletResponse);
        } else {
            if (matchesPublicApi(httpServletRequest)) {
                log.debug("handling public api");
                handlePublicApi(httpServletRequest, httpServletResponse);
            }
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        }
    }

    private void handleLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication != null && !(authentication instanceof SecurityRealmAuthentication)) {
            throw new SecurityRealmAuthenticationException("User already authenticated with a custom authentication not supported by this filter.");
        }
        SecurityRealmAuthentication<T> securityRealmAuthentication = (SecurityRealmAuthentication) authentication;
        try {
            afterAuthenticate(httpServletRequest, httpServletResponse, this.realm, this.realm.authenticate(httpServletRequest, securityRealmAuthentication == null ? null : securityRealmAuthentication.getNextAuthStep(), securityRealmAuthentication));
        } catch (AuthenticationException e) {
            httpServletResponse.setStatus(401);
            httpServletResponse.setHeader("X-Auth-Error-Code", e.getMessage());
        }
    }

    private void handleLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        saveAuthInContextRepository(httpServletRequest, httpServletResponse, null);
    }

    private void handlePublicApi(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        saveAuthInContextRepository(httpServletRequest, httpServletResponse, new SecurityRealmAnonymousAuthentication());
    }

    private void afterAuthenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityRealm<T> securityRealm, SecurityRealmAuthentication<T> securityRealmAuthentication) {
        if (securityRealmAuthentication == null) {
            throw new IllegalStateException("MultiRealmAuthenticationProvider should not return null. It should either throw MultiRealmAuthException or return a MultiRealmAuth object.");
        }
        if (securityRealmAuthentication.getPrincipal() == null) {
            throw new IllegalStateException("Principal should not be null.");
        }
        saveAuthInContextRepository(httpServletRequest, httpServletResponse, securityRealmAuthentication);
        if (securityRealmAuthentication.getNextAuthStep() != null) {
            httpServletResponse.setHeader("X-Next-Auth-Step", securityRealmAuthentication.getNextAuthStep());
        } else {
            securityRealmAuthentication.m2getAuthorities().add(new SimpleGrantedAuthority("ROLE_" + securityRealm.getRolePrefix()));
        }
    }

    private void saveAuthInContextRepository(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) {
        SecurityContextHolder.clearContext();
        SecurityContext createEmptyContext = SecurityContextHolder.createEmptyContext();
        createEmptyContext.setAuthentication(authentication);
        SecurityContextHolder.setContext(createEmptyContext);
        this.securityContextRepository.saveContext(createEmptyContext, httpServletRequest, httpServletResponse);
    }
}
