package net.solarnetwork.web.security;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Calendar;
import java.util.GregorianCalendar;
import java.util.TimeZone;
import net.solarnetwork.security.AuthorizationUtils;
import net.solarnetwork.web.support.JSONView;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:net/solarnetwork/web/security/AuthenticationDataTokenAuthenticationFilter.class */
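/**
 * Servlet filter that authenticates a request from a signed
 * {@code Authorization} header or, failing that, from a previously issued
 * {@value #COOKIE_NAME_AUTH_TOKEN} cookie.
 *
 * <p>
 * Header authentication recomputes the request signature digest from the
 * secret returned by {@link UserDetails#getPassword()} and compares it with
 * the digest the client sent. When the request carries the
 * {@value #REQUEST_PARAM_SET_COOKIE} parameter with the value {@code true},
 * a signed token cookie is issued so later requests can authenticate without
 * the header.
 * </p>
 *
 * <p>
 * On success the resulting {@link Authentication} is stored in the
 * {@link SecurityContextHolder}. On failure an {@link AuthenticationException}
 * is handed to the configured {@link AuthenticationEntryPoint}, or rethrown
 * when none is configured.
 * </p>
 */
public class AuthenticationDataTokenAuthenticationFilter extends OncePerRequestFilter {

    /** Request parameter that, when {@code true}, asks for a token cookie to be issued. */
    public static final String REQUEST_PARAM_SET_COOKIE = "sntoken-cookie";

    /** Name of the cookie that carries the authentication token. */
    public static final String COOKIE_NAME_AUTH_TOKEN = "sntoken";

    /** Prefix put in front of the token secret when deriving the cookie signing key. */
    private static final String SIGNING_KEY_SECRET_PREFIX = "SNWS";

    /** MAC algorithm name passed to {@code AuthorizationUtils.computeMacDigest}. */
    private static final String SIGNING_KEY_MAC_ALGORITHM = "HmacSHA256";

    private UserDetailsService userDetailsService;
    private AuthenticationEntryPoint authenticationEntryPoint;
    private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();

    // Passed to AuthenticationData.isDateValid(); presumably milliseconds
    // (900000 ms = 15 minutes) -- TODO confirm the unit against that method.
    private long maxDateSkew = 900000;

    private final Logger log = LoggerFactory.getLogger(getClass());

    /**
     * Create a filter without a {@link UserDetailsService}; one must be set
     * with {@link #setUserDetailsService(UserDetailsService)} before use.
     */
    public AuthenticationDataTokenAuthenticationFilter() {
    }

    /**
     * Create a filter that resolves tokens through the given service.
     *
     * @param userDetailsService
     *        the service used to look up token details by token identifier
     */
    public AuthenticationDataTokenAuthenticationFilter(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    /**
     * Authenticate the request, then continue the filter chain with the
     * wrapped request returned by the authentication step.
     *
     * @throws AuthenticationException
     *         if authentication fails and no entry point is configured
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        try {
            httpServletRequest = doAuthentication(httpServletRequest, httpServletResponse);
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } catch (AuthenticationException e) {
            if (this.authenticationEntryPoint == null) {
                throw e;
            }
            this.authenticationEntryPoint.commence(httpServletRequest, httpServletResponse, e);
        }
    }

    /**
     * Try header authentication first and cookie authentication second, and
     * publish a successful result to the security context.
     *
     * @return the request wrapper the signature was computed from; it is
     *         returned whether or not any credentials were presented
     */
    private HttpServletRequest doAuthentication(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        SecurityHttpServletRequestWrapper wrappedRequest = new SecurityHttpServletRequestWrapper(request, SecurityHttpServletRequestWrapper.DEFAULT_MINIMUM_SPOOL_LENGTH);
        Authentication authentication = authenticateFromHeader(request, wrappedRequest, response);
        if (authentication == null) {
            authentication = authenticateFromCookie(request);
        }
        if (authentication != null) {
            SecurityContextHolder.getContext().setAuthentication(authentication);
        }
        return wrappedRequest;
    }

    /**
     * Authenticate from the {@code Authorization} header, optionally issuing a
     * token cookie.
     *
     * @return the authentication, or {@code null} when the request has no
     *         supported {@code Authorization} header
     * @throws BadCredentialsException
     *         if the signature digest does not match or the request date is
     *         outside the allowed skew
     */
    private Authentication authenticateFromHeader(HttpServletRequest request, SecurityHttpServletRequestWrapper wrappedRequest, HttpServletResponse response) throws ServletException, IOException {
        AuthenticationData data = AuthenticationDataFactory.authenticationDataForAuthorizationHeader(wrappedRequest);
        if (data == null) {
            this.log.trace("Missing Authorization header or unsupported scheme");
            return null;
        }
        UserDetails user = this.userDetailsService.loadUserByUsername(data.getAuthTokenId());
        String expectedDigest = data.computeSignatureDigest(user.getPassword());
        if (!digestsMatch(expectedDigest, data.getSignatureDigest())) {
            // The expected digest is a valid signature for this exact request,
            // so it is deliberately kept out of the log output.
            this.log.debug("Signature digest mismatch for token '{}'", data.getAuthTokenId());
            throw new BadCredentialsException("Bad signature digest");
        }
        if (!data.isDateValid(this.maxDateSkew)) {
            this.log.debug("Request date '{}' diff too large: {}", data.getDate(), Long.valueOf(data.getDateSkew()));
            throw new BadCredentialsException("Request date skew too large");
        }
        if ("true".equalsIgnoreCase(request.getParameter(REQUEST_PARAM_SET_COOKIE))) {
            byte[] signingKey = computeJWTSigningKey(user.getPassword(), data.getDate().toEpochMilli());
            Cookie tokenCookie = new Cookie(COOKIE_NAME_AUTH_TOKEN, new AuthenticationDataToken(data, signingKey).cookieValue());
            tokenCookie.setHttpOnly(true);
            // Keep a cookie issued over TLS from being sent over plain HTTP.
            // Behind a TLS-terminating proxy isSecure() is only true when
            // forwarded-header handling is configured; otherwise this is a no-op.
            tokenCookie.setSecure(request.isSecure());
            // A negative max age makes this a session cookie.
            tokenCookie.setMaxAge(-1);
            // NOTE(review): no path or SameSite attribute is set here; confirm
            // whether the deployment relies on another layer for CSRF defence.
            response.addCookie(tokenCookie);
        }
        Authentication authentication = createSuccessfulAuthentication(request, user);
        this.log.debug("Authentication success for user: '{}'", user.getUsername());
        return authentication;
    }

    /**
     * Authenticate from the first {@value #COOKIE_NAME_AUTH_TOKEN} cookie on
     * the request.
     *
     * @return the authentication, or {@code null} when the request carries no
     *         such cookie
     * @throws BadCredentialsException
     *         if parsing or verifying the token raises a
     *         {@link SecurityException}
     */
    private Authentication authenticateFromCookie(HttpServletRequest request) throws ServletException, IOException {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie candidate : cookies) {
            if (!COOKIE_NAME_AUTH_TOKEN.equals(candidate.getName())) {
                continue;
            }
            // Only the first matching cookie is considered: it either
            // authenticates the request or fails it.
            try {
                AuthenticationDataToken token = new AuthenticationDataToken(candidate);
                UserDetails user = this.userDetailsService.loadUserByUsername(token.getIdentity());
                // 1000L keeps the multiplication in long arithmetic; the issued
                // value is presumably epoch seconds -- TODO confirm.
                token.verify(computeJWTSigningKey(user.getPassword(), token.getIssued() * 1000L));
                return createSuccessfulAuthentication(request, user);
            } catch (SecurityException e) {
                throw new BadCredentialsException(e.getMessage(), e);
            }
        }
        return null;
    }

    /**
     * Compare two digest strings without returning early at the first
     * differing character, so response timing does not reveal how much of a
     * guessed digest was correct.
     *
     * @return {@code true} only when both values are non-null and equal
     */
    private static boolean digestsMatch(String expected, String received) {
        if (expected == null || received == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), received.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Format the calendar's date as year, two-digit month and two-digit day
     * with no separators, in the calendar's own time zone.
     */
    private String formatJWTSigningDate(Calendar calendar) {
        int year = calendar.get(Calendar.YEAR);
        // Calendar months are zero-based.
        int month = calendar.get(Calendar.MONTH) + 1;
        int day = calendar.get(Calendar.DAY_OF_MONTH);
        StringBuilder buf = new StringBuilder();
        buf.append(year);
        if (month < 10) {
            buf.append('0');
        }
        buf.append(month);
        if (day < 10) {
            buf.append('0');
        }
        buf.append(day);
        return buf.toString();
    }

    /**
     * Derive the cookie token signing key from a token secret and a date.
     *
     * <p>
     * The timestamp is truncated to midnight GMT, so every timestamp within
     * the same GMT day yields the same key. The key is the result of two
     * chained {@code AuthorizationUtils.computeMacDigest} calls: the first
     * over the prefixed secret and the formatted date, the second over that
     * result and the cookie name bytes.
     * </p>
     *
     * @param secret
     *        the token secret
     * @param timestamp
     *        the date to derive the key for, in epoch milliseconds
     * @return the derived key bytes
     */
    private byte[] computeJWTSigningKey(String secret, long timestamp) {
        GregorianCalendar day = new GregorianCalendar(TimeZone.getTimeZone("GMT"));
        day.setTimeInMillis(timestamp);
        day.set(Calendar.HOUR_OF_DAY, 0);
        day.set(Calendar.MINUTE, 0);
        day.set(Calendar.SECOND, 0);
        day.set(Calendar.MILLISECOND, 0);
        try {
            byte[] dateKey = AuthorizationUtils.computeMacDigest(SIGNING_KEY_SECRET_PREFIX + secret, formatJWTSigningDate(day), SIGNING_KEY_MAC_ALGORITHM);
            return AuthorizationUtils.computeMacDigest(dateKey, COOKIE_NAME_AUTH_TOKEN.getBytes(JSONView.UTF8_CHAR_ENCODING), SIGNING_KEY_MAC_ALGORITHM);
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Build the authentication object for a verified token: the user details
     * become the principal, no credentials are retained, and the request
     * details come from the configured details source.
     */
    private Authentication createSuccessfulAuthentication(HttpServletRequest request, UserDetails userDetails) {
        PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(userDetails, (Object) null, userDetails.getAuthorities());
        token.eraseCredentials();
        token.setDetails(this.authenticationDetailsSource.buildDetails(request));
        return token;
    }

    /**
     * Set the service used to look up token details by token identifier.
     *
     * @param userDetailsService
     *        the service to use
     */
    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    /**
     * Set the source of the details attached to a successful authentication.
     *
     * @param authenticationDetailsSource
     *        the details source to use
     */
    public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
        this.authenticationDetailsSource = authenticationDetailsSource;
    }

    /**
     * Set the maximum difference allowed between the request date and the
     * server clock before a signed request is rejected.
     *
     * @param maxDateSkew
     *        the maximum skew, in the unit expected by
     *        {@code AuthenticationData.isDateValid}
     */
    public void setMaxDateSkew(long maxDateSkew) {
        this.maxDateSkew = maxDateSkew;
    }

    /**
     * Set the entry point invoked when authentication fails. When unset, the
     * {@link AuthenticationException} propagates out of the filter.
     *
     * @param authenticationEntryPoint
     *        the entry point to use
     */
    public void setAuthenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint) {
        this.authenticationEntryPoint = authenticationEntryPoint;
    }
}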
