package org.apache.cxf.fediz.spring.web;

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.cxf.fediz.core.processor.FedizRequest;
import org.apache.cxf.fediz.spring.FederationConfig;
import org.apache.cxf.fediz.spring.authentication.ExpiredTokenException;
import org.apache.cxf.fediz.spring.authentication.FederationAuthenticationToken;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

/* loaded from: input_file:org/apache/cxf/fediz/spring/web/FederationAuthenticationFilter.class */
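/**
 * Spring Security processing filter for the Fediz relying-party plugin.
 *
 * <p>It picks up the sign-in response posted back to the application (the {@code wa},
 * {@code wresult}/{@code SAMLResponse} and {@code wctx}/{@code RelayState} request
 * parameters), wraps it in a {@link FedizRequest} and hands it to the configured
 * authentication manager. All of these parameters come straight from the HTTP request and
 * are untrusted here; this class only checks the state value against the session and
 * leaves token validation to whatever the authentication manager delegates to.
 */
public class FederationAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    private FederationConfig federationConfig;

    /**
     * Registers the filter on {@code /j_spring_fediz_security_check} and installs a
     * {@link SimpleUrlAuthenticationFailureHandler} created with no failure URL.
     */
    public FederationAuthenticationFilter() {
        super("/j_spring_fediz_security_check");
        setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler());
    }

    /**
     * Builds a {@link FedizRequest} from the incoming request and submits it for authentication.
     *
     * @param httpServletRequest  request carrying the sign-in response parameters
     * @param httpServletResponse response (not used by this method)
     * @return the result of {@code getAuthenticationManager().authenticate(...)}
     * @throws ExpiredTokenException   if the current security context holds an expired token
     * @throws BadCredentialsException if the received state differs from the one saved in the session
     * @throws AuthenticationException if the authentication manager rejects the request
     * @throws IOException             declared by the overridden method
     */
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException {
        // requiresAuthentication() also routes expired-token requests here; stop them before
        // any request parameter is looked at.
        if (isTokenExpired()) {
            throw new ExpiredTokenException("Token is expired");
        }
        // State is compared with the session copy before the token itself is read.
        verifySavedState(httpServletRequest);

        FedizRequest fedizRequest = new FedizRequest();
        fedizRequest.setAction(httpServletRequest.getParameter("wa"));
        fedizRequest.setResponseToken(getResponseToken(httpServletRequest));
        fedizRequest.setState(getState(httpServletRequest));
        fedizRequest.setRequest(httpServletRequest);
        // Attribute is null when the container did not record a client certificate chain.
        fedizRequest.setCerts((X509Certificate[]) httpServletRequest.getAttribute("javax.servlet.request.X509Certificate"));

        // The principal is null at this point; the FedizRequest travels as the credentials.
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken((Object) null, fedizRequest);
        authRequest.setDetails(this.authenticationDetailsSource.buildDetails(httpServletRequest));
        return getAuthenticationManager().authenticate(authRequest);
    }

    /**
     * Tells whether the token behind the current authentication has passed its expiry date.
     *
     * <p>Returns {@code false} whenever no {@link FederationConfig} is set, expired-token
     * detection is switched off, the current authentication is not a
     * {@link FederationAuthenticationToken}, or the response carries no expiry date. In all
     * of those cases this filter enforces no token lifetime.
     */
    private boolean isTokenExpired() {
        SecurityContext context = SecurityContextHolder.getContext();
        boolean detectExpiredTokens = this.federationConfig != null && this.federationConfig.getFedizContext().isDetectExpiredTokens();
        if (context == null || !detectExpiredTokens) {
            return false;
        }
        // getAuthentication() returns the general Authentication type; declaring the local as
        // FederationAuthenticationToken (as the decompiled listing did) does not compile.
        Authentication authentication = context.getAuthentication();
        if (!(authentication instanceof FederationAuthenticationToken)) {
            return false;
        }
        Date tokenExpires = ((FederationAuthenticationToken) authentication).getResponse().getTokenExpires();
        // Compared against the local clock with no skew allowance.
        return tokenExpires != null && new Date().after(tokenExpires);
    }

    /**
     * Returns the {@code wresult} parameter if present, otherwise {@code SAMLResponse},
     * otherwise {@code null}.
     */
    private String getResponseToken(ServletRequest servletRequest) {
        String wresult = servletRequest.getParameter("wresult");
        if (wresult != null) {
            return wresult;
        }
        return servletRequest.getParameter("SAMLResponse");
    }

    /**
     * Returns the {@code wctx} parameter if present, otherwise {@code RelayState},
     * otherwise {@code null}.
     */
    private String getState(ServletRequest servletRequest) {
        String wctx = servletRequest.getParameter("wctx");
        if (wctx != null) {
            return wctx;
        }
        return servletRequest.getParameter("RelayState");
    }

    /**
     * Rejects a response whose state does not equal the context saved in the session under
     * {@link FederationAuthenticationEntryPoint#SAVED_CONTEXT}.
     *
     * <p>NOTE(review): the check is skipped when there is no session, or when the session
     * holds no saved context. A response arriving in either situation is therefore not bound
     * to a sign-in request this application started. Confirm that the entry point always
     * creates the session and stores the context before redirecting, or treat the missing
     * value as a failure if unsolicited responses are not meant to be accepted.
     *
     * @throws BadCredentialsException if a saved context exists and differs from the received state
     */
    private void verifySavedState(HttpServletRequest httpServletRequest) {
        // getSession(false): never create a session just to perform the comparison.
        HttpSession session = httpServletRequest.getSession(false);
        if (session == null) {
            return;
        }
        String savedContext = (String) session.getAttribute(FederationAuthenticationEntryPoint.SAVED_CONTEXT);
        String receivedState = getState(httpServletRequest);
        if (savedContext == null || savedContext.equals(receivedState)) {
            return;
        }
        this.logger.warn("The received state does not match the state saved in the context");
        throw new BadCredentialsException("The received state does not match the state saved in the context");
    }

    /**
     * Decides whether this filter handles the request: either the request URI contains the
     * filter-processes URL, or the current token is expired.
     *
     * <p>NOTE(review): the URI test is a substring match, so any URI that contains the
     * processes URL anywhere selects this filter; confirm that is intended. When the token
     * is expired, every request is routed to {@code attemptAuthentication}, which then
     * throws {@link ExpiredTokenException}.
     */
    protected boolean requiresAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // isTokenExpired() only reads state, so short-circuiting gives the same result.
        boolean required = httpServletRequest.getRequestURI().contains(getFilterProcessesUrl()) || isTokenExpired();
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("requiresAuthentication = " + required);
        }
        return required;
    }

    /** Returns the federation configuration, or {@code null} if none has been set. */
    public FederationConfig getFederationConfig() {
        return this.federationConfig;
    }

    /**
     * Sets the federation configuration. Without it, {@code isTokenExpired()} always returns
     * {@code false}.
     */
    public void setFederationConfig(FederationConfig federationConfig) {
        this.federationConfig = federationConfig;
    }
}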
