package net.devh.boot.grpc.server.security.interceptors;

import io.grpc.Context;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import java.util.Objects;
import net.devh.boot.grpc.common.util.InterceptorOrder;
import net.devh.boot.grpc.server.interceptor.GrpcGlobalServerInterceptor;
import net.devh.boot.grpc.server.security.authentication.GrpcAuthenticationReader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.annotation.Order;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

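/**
 * Global gRPC server interceptor that authenticates incoming calls.
 *
 * <p>For every call it asks the {@link GrpcAuthenticationReader} for the credentials carried by the
 * request, hands them to the {@link AuthenticationManager}, and publishes the result both in the
 * {@link SecurityContextHolder} and in the gRPC {@link Context} while the call is being started.
 * The returned listener re-publishes the same security context through its attach/detach hooks.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>A request for which the reader returns {@code null} is <em>not</em> rejected here; it
 *       continues without an authentication. Rejection only happens if something downstream
 *       raises an {@link AccessDeniedException}.</li>
 *   <li>The {@link SecurityContextHolder} is always cleared before {@code interceptCall} returns
 *       or throws, so the authentication does not stay bound to the calling thread.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output; the original sources may differ in layout.
 */
@GrpcGlobalServerInterceptor
@Order(InterceptorOrder.ORDER_SECURITY_AUTHENTICATION)
/* loaded from: input_file:BOOT-INF/lib/grpc-server-spring-boot-autoconfigure-2.15.0.RELEASE.jar:net/devh/boot/grpc/server/security/interceptors/DefaultAuthenticatingServerInterceptor.class */
public class DefaultAuthenticatingServerInterceptor implements AuthenticatingServerInterceptor {
    private static final Logger log = LoggerFactory.getLogger(DefaultAuthenticatingServerInterceptor.class);
    private final AuthenticationManager authenticationManager;
    private final GrpcAuthenticationReader grpcAuthenticationReader;

    /**
     * Call listener that carries the security context established for one call and exposes it
     * through the attach/detach hooks of {@link AbstractAuthenticatingServerCallListener}.
     *
     * @param <ReqT> request message type of the call
     */
    /* loaded from: input_file:BOOT-INF/lib/grpc-server-spring-boot-autoconfigure-2.15.0.RELEASE.jar:net/devh/boot/grpc/server/security/interceptors/DefaultAuthenticatingServerInterceptor$AuthenticatingServerCallListener.class */
    private static class AuthenticatingServerCallListener<ReqT> extends AbstractAuthenticatingServerCallListener<ReqT> {
        private final SecurityContext securityContext;

        /**
         * @param listener the delegate listener returned by the next handler
         * @param context the gRPC context holding the authentication values
         * @param securityContext the security context to publish while callbacks run
         */
        public AuthenticatingServerCallListener(ServerCall.Listener<ReqT> listener, Context context, SecurityContext securityContext) {
            super(listener, context);
            this.securityContext = securityContext;
        }

        /** Publishes this call's security context in the {@link SecurityContextHolder}. */
        @Override // net.devh.boot.grpc.server.security.interceptors.AbstractAuthenticatingServerCallListener
        protected void attachAuthenticationContext() {
            SecurityContextHolder.setContext(this.securityContext);
        }

        /** Removes whatever security context is currently held by the {@link SecurityContextHolder}. */
        @Override // net.devh.boot.grpc.server.security.interceptors.AbstractAuthenticatingServerCallListener
        protected void detachAuthenticationContext() {
            SecurityContextHolder.clearContext();
        }

        /**
         * Delegates to the parent and rewrites an access denial for an anonymous caller into a
         * "no credentials" authentication failure; denials for any other caller are rethrown as is.
         */
        @Override // io.grpc.ServerCall.Listener
        public void onHalfClose() {
            try {
                super.onHalfClose();
            } catch (AccessDeniedException e) {
                // Only an anonymous token means "the client sent nothing usable"; an authenticated
                // caller that is denied must keep the original access-denied failure.
                if (this.securityContext.getAuthentication() instanceof AnonymousAuthenticationToken) {
                    throw DefaultAuthenticatingServerInterceptor.newNoCredentialsException(e);
                }
                throw e;
            }
        }
    }

    /**
     * Creates the interceptor.
     *
     * @param authenticationManager manager used to verify the credentials read from a call
     * @param grpcAuthenticationReader reader used to extract credentials from a call
     * @throws NullPointerException if either argument is {@code null}
     */
    @Autowired
    public DefaultAuthenticatingServerInterceptor(AuthenticationManager authenticationManager, GrpcAuthenticationReader grpcAuthenticationReader) {
        this.authenticationManager = Objects.requireNonNull(authenticationManager, "authenticationManager");
        this.grpcAuthenticationReader = Objects.requireNonNull(grpcAuthenticationReader, "authenticationReader");
    }

    /**
     * Authenticates the call and starts it with the resulting security context in place.
     *
     * @param serverCall the call being intercepted
     * @param metadata the request headers the credentials are read from
     * @param serverCallHandler the next handler in the interceptor chain
     * @return the next handler's listener when no credentials were found, otherwise a listener
     *     that re-attaches the authenticated security context
     * @throws AuthenticationException if the credentials cannot be read, are rejected by the
     *     {@link AuthenticationManager}, or an unauthenticated/anonymous caller is denied access
     * @throws AccessDeniedException if an authenticated, non-anonymous caller is denied access
     *     while the call is started
     */
    @Override // io.grpc.ServerInterceptor
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler) {
        final Authentication authentication;
        try {
            authentication = this.grpcAuthenticationReader.readAuthentication(serverCall, metadata);
        } catch (AuthenticationException e) {
            log.debug("Failed to read authentication: {}", e.getMessage());
            throw e;
        }

        if (authentication == null) {
            // No credentials at all: the call proceeds WITHOUT a security context. Nothing here
            // rejects it; protection relies on a downstream check raising AccessDeniedException.
            log.debug("No credentials found: Continuing unauthenticated");
            try {
                return serverCallHandler.startCall(serverCall, metadata);
            } catch (AccessDeniedException e) {
                throw newNoCredentialsException(e);
            }
        }

        // Attach the call attributes as details only when the reader left them unset and the
        // token type actually offers a setter.
        if (authentication.getDetails() == null && authentication instanceof AbstractAuthenticationToken) {
            ((AbstractAuthenticationToken) authentication).setDetails(serverCall.getAttributes());
        }

        // The name below comes from credentials that have not been verified yet, so this debug
        // line contains client-supplied text.
        log.debug("Credentials found: Authenticating '{}'", authentication.getName());

        final Authentication authResult;
        try {
            authResult = this.authenticationManager.authenticate(authentication);
        } catch (AuthenticationException e) {
            log.debug("Authentication request failed: {}", e.getMessage());
            onUnsuccessfulAuthentication(serverCall, metadata, e);
            throw e;
        }

        final SecurityContext securityContext = SecurityContextHolder.createEmptyContext();
        securityContext.setAuthentication(authResult);
        SecurityContextHolder.setContext(securityContext);

        final Context grpcContext = Context.current().withValues(SECURITY_CONTEXT_KEY, securityContext, AUTHENTICATION_CONTEXT_KEY, authResult);
        final Context previousContext = grpcContext.attach();
        try {
            log.debug("Authentication successful: Continuing as {} ({})", authResult.getName(), authResult.getAuthorities());
            onSuccessfulAuthentication(serverCall, metadata, authResult);
            return new AuthenticatingServerCallListener<>(serverCallHandler.startCall(serverCall, metadata), grpcContext, securityContext);
        } catch (AccessDeniedException e) {
            // An anonymous token that is denied is reported as missing credentials; a real
            // principal keeps the access-denied failure.
            if (authResult instanceof AnonymousAuthenticationToken) {
                throw newNoCredentialsException(e);
            }
            throw e;
        } finally {
            // Always undo both bindings, on success and on every failure path, so the
            // authentication does not remain attached after this method exits.
            SecurityContextHolder.clearContext();
            grpcContext.detach(previousContext);
            log.debug("startCall - Authentication cleared");
        }
    }

    /**
     * Extension hook invoked after the {@link AuthenticationManager} accepted the credentials and
     * before the call is started. Does nothing by default.
     *
     * @param serverCall the call being authenticated
     * @param metadata the request headers
     * @param authentication the authentication returned by the manager
     */
    protected void onSuccessfulAuthentication(ServerCall<?, ?> serverCall, Metadata metadata, Authentication authentication) {
    }

    /**
     * Extension hook invoked after the {@link AuthenticationManager} rejected the credentials and
     * before the failure is rethrown. Does nothing by default.
     *
     * @param serverCall the call being authenticated
     * @param metadata the request headers
     * @param authenticationException the failure raised by the manager
     */
    protected void onUnsuccessfulAuthentication(ServerCall<?, ?> serverCall, Metadata metadata, AuthenticationException authenticationException) {
    }

    /**
     * Wraps an access denial into the authentication failure used when a request carried no
     * credentials.
     *
     * @param accessDeniedException the denial to keep as the cause
     * @return a {@link BadCredentialsException} with the denial as its cause
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static AuthenticationException newNoCredentialsException(AccessDeniedException accessDeniedException) {
        return new BadCredentialsException("No credentials found in the request", accessDeniedException);
    }
}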
