package net.solarnetwork.node.setup.web.security;

import java.io.IOException;
import java.util.Objects;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.solarnetwork.node.domain.AuthenticatedToken;
import net.solarnetwork.node.domain.SecurityToken;
import net.solarnetwork.web.security.AuthenticationData;
import net.solarnetwork.web.security.AuthenticationDataFactory;
import net.solarnetwork.web.security.SecurityException;
import net.solarnetwork.web.security.SecurityHttpServletRequestWrapper;
import net.solarnetwork.web.security.SecurityTokenAuthenticationEntryPoint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.dao.DataAccessException;
import org.springframework.http.MediaType;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.transaction.TransactionException;
import org.springframework.util.Assert;
import org.springframework.util.MimeType;
import org.springframework.util.unit.DataSize;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.multipart.MaxUploadSizeExceededException;

/* loaded from: input_file:WEB-INF/classes/net/solarnetwork/node/setup/web/security/SecurityTokenAuthenticationFilter.class */
public class SecurityTokenAuthenticationFilter extends OncePerRequestFilter implements Filter {
    public static final int AUTH_TOKEN_LENGTH = 20;
    public static final int DEFAULT_MAX_REQUEST_BODY_SIZE = 65535;
    private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource;
    private SecurityTokenAuthenticationEntryPoint authenticationEntryPoint;
    private UserDetailsService userDetailsService;
    private final SecurityTokenFilterSettings settings;
    private final Logger log;

    public SecurityTokenAuthenticationFilter() {
        this(null);
    }

    public SecurityTokenAuthenticationFilter(SecurityTokenFilterSettings securityTokenFilterSettings) {
        this.authenticationDetailsSource = new WebAuthenticationDetailsSource();
        this.log = LoggerFactory.getLogger(getClass());
        this.settings = securityTokenFilterSettings != null ? securityTokenFilterSettings : new SecurityTokenFilterSettings();
    }

    public void afterPropertiesSet() {
        Assert.notNull(this.userDetailsService, "A UserDetailsService is required");
        Assert.notNull(this.authenticationEntryPoint, "A SecurityTokenAuthenticationEntryPoint is required");
    }

    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        SecurityHttpServletRequestWrapper securityHttpServletRequestWrapper = new SecurityHttpServletRequestWrapper(httpServletRequest, (int) this.settings.getMaxRequestBodySize().toBytes(), true, (int) this.settings.getMinimumCompressLength().toBytes(), this.settings.getCompressibleContentTypePattern(), (int) this.settings.getMinimumSpoolLength().toBytes(), this.settings.getSpoolDirectory());
        if (httpServletRequest.getContentType() != null && MediaType.MULTIPART_FORM_DATA.isCompatibleWith(MimeType.valueOf(httpServletRequest.getContentType()))) {
            securityHttpServletRequestWrapper.getContentSHA256();
        }
        try {
            AuthenticationData authenticationDataForAuthorizationHeader = AuthenticationDataFactory.authenticationDataForAuthorizationHeader(securityHttpServletRequestWrapper);
            if (authenticationDataForAuthorizationHeader == null) {
                this.log.trace("Missing Authorization header or unsupported scheme");
                filterChain.doFilter(securityHttpServletRequestWrapper, httpServletResponse);
                return;
            }
            try {
                UserDetails loadUserByUsername = this.userDetailsService.loadUserByUsername(authenticationDataForAuthorizationHeader.getAuthTokenId());
                if (!(loadUserByUsername instanceof AuthenticatedToken)) {
                    fail(securityHttpServletRequestWrapper, httpServletResponse, new BadCredentialsException("Access denied"));
                    return;
                }
                AuthenticatedToken authenticatedToken = (AuthenticatedToken) loadUserByUsername;
                SecurityToken securityToken = authenticatedToken.getSecurityToken();
                Objects.requireNonNull(authenticationDataForAuthorizationHeader);
                String str = (String) securityToken.applySecret(authenticationDataForAuthorizationHeader::computeSignatureDigest);
                if (!str.equals(authenticationDataForAuthorizationHeader.getSignatureDigest())) {
                    this.log.debug("Expected response: [{}] but received: [{}]", str, authenticationDataForAuthorizationHeader.getSignatureDigest());
                    fail(securityHttpServletRequestWrapper, httpServletResponse, new BadCredentialsException("Bad credentials"));
                } else if (!authenticationDataForAuthorizationHeader.isDateValid(this.settings.getMaxDateSkew())) {
                    this.log.debug("Request date [{}] diff too large: {}", authenticationDataForAuthorizationHeader.getDate(), Long.valueOf(authenticationDataForAuthorizationHeader.getDateSkew()));
                    fail(securityHttpServletRequestWrapper, httpServletResponse, new BadCredentialsException("Date skew too large"));
                } else {
                    this.log.debug("Authentication success for user: [{}]", loadUserByUsername.getUsername());
                    SecurityContextHolder.getContext().setAuthentication(createSuccessfulAuthentication(securityHttpServletRequestWrapper, authenticatedToken));
                    filterChain.doFilter(securityHttpServletRequestWrapper, httpServletResponse);
                }
            } catch (DataAccessException | TransactionException e) {
                this.log.debug("Auth token [{}] transient DAO exception: {}", authenticationDataForAuthorizationHeader.getAuthTokenId(), e.getMessage());
                failDao(securityHttpServletRequestWrapper, httpServletResponse, e);
            } catch (AuthenticationException e2) {
                this.log.debug("Auth token [{}] exception: {}", authenticationDataForAuthorizationHeader.getAuthTokenId(), e2.getMessage());
                fail(securityHttpServletRequestWrapper, httpServletResponse, new BadCredentialsException("Bad credentials"));
            } catch (Exception e3) {
                this.log.debug("Auth token [{}] exception: {}", authenticationDataForAuthorizationHeader.getAuthTokenId(), e3.getMessage());
                fail(securityHttpServletRequestWrapper, httpServletResponse, new AuthenticationServiceException("Unable to verify credentials", e3));
            }
        } catch (AuthenticationException e4) {
            fail(securityHttpServletRequestWrapper, httpServletResponse, e4);
        } catch (SecurityException e5) {
            deny(securityHttpServletRequestWrapper, httpServletResponse, new MaxUploadSizeExceededException((int) this.settings.getMaxRequestBodySize().toBytes(), e5));
        } catch (SecurityException e6) {
            deny(securityHttpServletRequestWrapper, httpServletResponse, e6);
        }
    }

    private Authentication createSuccessfulAuthentication(HttpServletRequest httpServletRequest, AuthenticatedToken authenticatedToken) {
        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(new AuthenticatedToken(authenticatedToken.getSecurityToken().copyWithoutSecret((String) null, (String) null), authenticatedToken.getAuthorities()), (Object) null, authenticatedToken.getAuthorities());
        usernamePasswordAuthenticationToken.setDetails(this.authenticationDetailsSource.buildDetails(httpServletRequest));
        return usernamePasswordAuthenticationToken;
    }

    private void fail(SecurityHttpServletRequestWrapper securityHttpServletRequestWrapper, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        SecurityContextHolder.getContext().setAuthentication((Authentication) null);
        securityHttpServletRequestWrapper.deleteCachedContent();
        this.authenticationEntryPoint.commence(securityHttpServletRequestWrapper, httpServletResponse, authenticationException);
    }

    private void deny(SecurityHttpServletRequestWrapper securityHttpServletRequestWrapper, HttpServletResponse httpServletResponse, Exception exc) throws IOException, ServletException {
        SecurityContextHolder.getContext().setAuthentication((Authentication) null);
        securityHttpServletRequestWrapper.deleteCachedContent();
        String message = exc.getMessage();
        if (message == null) {
            message = "Access denied.";
        }
        this.authenticationEntryPoint.handle(securityHttpServletRequestWrapper, httpServletResponse, new AccessDeniedException(message, exc));
    }

    private void failDao(SecurityHttpServletRequestWrapper securityHttpServletRequestWrapper, HttpServletResponse httpServletResponse, Exception exc) throws IOException, ServletException {
        SecurityContextHolder.getContext().setAuthentication((Authentication) null);
        securityHttpServletRequestWrapper.deleteCachedContent();
        this.authenticationEntryPoint.handleTransientResourceException(securityHttpServletRequestWrapper, httpServletResponse, exc);
    }

    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
        this.authenticationDetailsSource = authenticationDetailsSource;
    }

    public void setMaxDateSkew(long j) {
        this.settings.setMaxDateSkew(j);
    }

    public void setAuthenticationEntryPoint(SecurityTokenAuthenticationEntryPoint securityTokenAuthenticationEntryPoint) {
        this.authenticationEntryPoint = securityTokenAuthenticationEntryPoint;
    }

    public void setMaxRequestBodySize(int i) {
        this.settings.setMaxRequestBodySize(DataSize.ofBytes(i));
    }

    public SecurityTokenFilterSettings getSettings() {
        return this.settings;
    }
}
