package org.alfresco.web.site.servlet;

import java.io.IOException;
import java.util.Collections;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.web.site.servlet.config.AIMSConfig;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.json.JSONException;
import org.json.JSONObject;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.servlet.KeycloakOIDCFilter;
import org.keycloak.adapters.servlet.OIDCFilterSessionStore;
import org.keycloak.adapters.spi.KeycloakAccount;
import org.springframework.context.ApplicationContext;
import org.springframework.extensions.surf.FrameworkUtil;
import org.springframework.extensions.surf.RequestContext;
import org.springframework.extensions.surf.ServletUtil;
import org.springframework.extensions.surf.UserFactory;
import org.springframework.extensions.surf.exception.ConnectorServiceException;
import org.springframework.extensions.surf.exception.RequestContextException;
import org.springframework.extensions.surf.exception.UserFactoryException;
import org.springframework.extensions.surf.site.AuthenticationUtil;
import org.springframework.extensions.surf.support.ServletRequestContextFactory;
import org.springframework.extensions.surf.support.ThreadLocalRequestContext;
import org.springframework.extensions.webscripts.connector.AlfrescoAuthenticator;
import org.springframework.extensions.webscripts.connector.Connector;
import org.springframework.extensions.webscripts.connector.ConnectorContext;
import org.springframework.extensions.webscripts.connector.ConnectorService;
import org.springframework.extensions.webscripts.connector.CredentialVault;
import org.springframework.extensions.webscripts.connector.Credentials;
import org.springframework.extensions.webscripts.connector.HttpMethod;
import org.springframework.extensions.webscripts.connector.Response;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.context.request.ServletWebRequest;
import org.springframework.web.context.support.WebApplicationContextUtils;

/* loaded from: input_file:WEB-INF/classes/org/alfresco/web/site/servlet/AIMSFilter.class */
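/**
 * Keycloak OIDC servlet filter that completes an AIMS sign-in for this web application.
 *
 * <p>When the {@code aims.config} bean reports AIMS as enabled, requests that are not yet
 * authenticated (or whose Keycloak session can no longer be refreshed) are handed to
 * {@link KeycloakOIDCFilter}. Once a Keycloak security context is present on the request, the
 * filter exchanges the access token for an Alfresco ticket and populates the HTTP session,
 * connector session and credential vault for the user.
 *
 * <p>Security notes: the access token and the Alfresco ticket are credentials and are never
 * written to the log by this class.
 */
public class AIMSFilter extends KeycloakOIDCFilter {
    private static final Log logger = LogFactory.getLog(AIMSFilter.class);
    private ApplicationContext context;
    private ConnectorService connectorService;
    private SlingshotLoginController loginController;
    private boolean enabled = false;
    public static final String ALFRESCO_ENDPOINT_ID = "alfresco";
    public static final String ALFRESCO_API_ENDPOINT_ID = "alfresco-api";

    /**
     * Initialises the parent Keycloak filter, looks up the required Spring beans and, when AIMS is
     * enabled, validates the adapter configuration before installing it as the active deployment.
     *
     * @param filterConfig servlet filter configuration supplied by the container
     * @throws ServletException if the parent filter fails to initialise
     * @throws AlfrescoRuntimeException if AIMS is enabled but realm, resource or auth-server-url
     *     is missing or empty
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        logger.info("Initializing the AIMS filter.");
        super.init(filterConfig);
        this.context = WebApplicationContextUtils.getRequiredWebApplicationContext(filterConfig.getServletContext());
        AIMSConfig aimsConfig = (AIMSConfig) this.context.getBean("aims.config");
        this.enabled = aimsConfig.isEnabled();
        this.connectorService = (ConnectorService) this.context.getBean("connector.service");
        this.loginController = (SlingshotLoginController) this.context.getBean("loginController");
        if (this.enabled) {
            KeycloakDeployment deployment = KeycloakDeploymentBuilder.build(aimsConfig.getAdapterConfig());
            // Null-safe checks: a missing setting must fail with the explicit configuration error
            // below rather than with a NullPointerException during start-up.
            if (!deployment.isConfigured()
                    || isNullOrEmpty(deployment.getRealm())
                    || isNullOrEmpty(deployment.getResourceName())
                    || isNullOrEmpty(deployment.getAuthServerBaseUrl())) {
                throw new AlfrescoRuntimeException("AIMS is not configured properly; realm, resource and auth-server-url should not be empty.");
            }
            this.deploymentContext.updateDeployment(aimsConfig.getAdapterConfig());
        }
        logger.info("AIMS filter initialized.");
    }

    /**
     * Passes the request straight down the chain when AIMS is disabled or the user is already
     * authenticated with a refreshable Keycloak session; otherwise delegates to the Keycloak
     * filter and, if it leaves a security context on the request, completes the local sign-in.
     *
     * @param servletRequest incoming request (must be an {@link HttpServletRequest})
     * @param servletResponse outgoing response (must be an {@link HttpServletResponse})
     * @param filterChain remainder of the filter chain
     * @throws IOException propagated from the chain or the parent filter
     * @throws ServletException propagated from the chain or the parent filter
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        // NOTE(review): getSession() creates a session for every request, including anonymous
        // ones and when AIMS is disabled. Kept as-is to preserve existing behaviour.
        HttpSession session = request.getSession();

        if (!this.enabled || (AuthenticationUtil.isAuthenticated(request) && !isLoggedOutFromKeycloak(session))) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        super.doFilter(servletRequest, servletResponse, filterChain);

        // NOTE(review): onSuccess runs after the parent filter returns; presumably the parent has
        // already invoked the rest of the chain for an authenticated request. Confirm that the
        // response is still usable by loginController.beforeSuccess at this point.
        RefreshableKeycloakSecurityContext securityContext =
                (RefreshableKeycloakSecurityContext) request.getAttribute(KeycloakSecurityContext.class.getName());
        if (securityContext != null) {
            onSuccess(request, response, session, securityContext);
        }
    }

    /**
     * Decides whether the Keycloak side of the session is gone.
     *
     * @param httpSession current HTTP session
     * @return {@code true} when no usable Keycloak account is stored in the session or its token
     *     cannot be refreshed, so the caller must send the request through Keycloak again
     */
    private boolean isLoggedOutFromKeycloak(HttpSession httpSession) {
        Object stored = httpSession.getAttribute(KeycloakAccount.class.getName());
        // Fail closed: a missing attribute or one of an unexpected type is treated as logged out
        // (forcing re-authentication) instead of raising a ClassCastException.
        if (!(stored instanceof OIDCFilterSessionStore.SerializableKeycloakAccount)) {
            return true;
        }
        RefreshableKeycloakSecurityContext securityContext =
                ((OIDCFilterSessionStore.SerializableKeycloakAccount) stored).getKeycloakSecurityContext();
        if (securityContext == null) {
            return true;
        }
        // Passing false presumably skips the "token still active" shortcut so a refresh is
        // attempted on each call - confirm against the Keycloak adapter version in use.
        return !securityContext.refreshExpiredToken(false);
    }

    /**
     * Completes the local sign-in after Keycloak has authenticated the request: obtains an
     * Alfresco ticket with the access token, then stores the user id in the HTTP session, the
     * ticket in the connector session and the username in the credential vault.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @param httpSession current HTTP session
     * @param refreshableKeycloakSecurityContext security context left on the request by Keycloak
     * @throws AlfrescoRuntimeException if any step of the sign-in fails
     */
    private void onSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession, RefreshableKeycloakSecurityContext refreshableKeycloakSecurityContext) {
        logger.info("Completing the AIMS authentication.");

        // NOTE(review): the local user id is taken from the preferred_username claim; confirm the
        // realm does not let users change it and that the repository maps the token to the same id.
        String preferredUsername = refreshableKeycloakSecurityContext.getToken().getPreferredUsername();
        if (isNullOrEmpty(preferredUsername)) {
            // Without a username no session state may be written: storing a null user id or
            // null-keyed credentials would leave the session half-authenticated.
            logger.error("The AIMS access token does not contain a preferred username; authentication not completed.");
            return;
        }
        String accessToken = refreshableKeycloakSecurityContext.getTokenString();

        try {
            initRequestContext(httpServletRequest, httpServletResponse);
            String alfTicket = getAlfTicket(httpSession, preferredUsername, accessToken);
            if (alfTicket == null) {
                logger.error("Could not get an alfTicket from Repository.");
                return;
            }

            httpSession.setAttribute(UserFactory.SESSION_ATTRIBUTE_KEY_USER_ID, preferredUsername);
            this.connectorService.getConnector(ALFRESCO_ENDPOINT_ID, preferredUsername, httpSession)
                    .getConnectorSession()
                    .setParameter(AlfrescoAuthenticator.CS_PARAM_ALF_TICKET, alfTicket);

            CredentialVault vault = FrameworkUtil.getCredentialVault(httpSession, preferredUsername);
            Credentials credentials = vault.newCredentials(ALFRESCO_ENDPOINT_ID);
            credentials.setProperty(Credentials.CREDENTIAL_USERNAME, preferredUsername);
            vault.store(credentials);

            // NOTE(review): the session id is not rotated here after sign-in; confirm the
            // Keycloak adapter or the container protects against session fixation.
            this.loginController.beforeSuccess(httpServletRequest, httpServletResponse);
            initUser(httpServletRequest);
        } catch (Exception e) {
            throw new AlfrescoRuntimeException("Failed to complete AIMS authentication process.", e);
        }
    }

    /**
     * Makes sure a request context exists for this thread and binds the request to the Spring and
     * Surf request holders.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response
     * @throws RequestContextException if a new request context cannot be created
     */
    private void initRequestContext(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws RequestContextException {
        if (ThreadLocalRequestContext.getRequestContext() == null) {
            ServletRequestContextFactory factory =
                    (ServletRequestContextFactory) this.context.getBean("webframework.factory.requestcontext.servlet");
            httpServletRequest.setAttribute(RequestContext.ATTR_REQUEST_CONTEXT, factory.newInstance(new ServletWebRequest(httpServletRequest)));
        }
        RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(httpServletRequest, httpServletResponse));
        ServletUtil.setRequest(httpServletRequest);
    }

    /**
     * Loads the user into the thread's request context when a context exists and has no user yet.
     *
     * @param httpServletRequest current request
     * @throws UserFactoryException if the user factory cannot initialise the user
     */
    private void initUser(HttpServletRequest httpServletRequest) throws UserFactoryException {
        RequestContext requestContext = ThreadLocalRequestContext.getRequestContext();
        if (requestContext == null || requestContext.getUser() != null) {
            return;
        }
        String userEndpoint = (String) requestContext.getAttribute(RequestContext.USER_ENDPOINT);
        requestContext.setUser(requestContext.getServiceRegistry().getUserFactory().initialiseUser(requestContext, httpServletRequest, userEndpoint));
    }

    /**
     * Requests an Alfresco ticket from the repository for the caller identified by the access
     * token, which is sent as a {@code Bearer} Authorization header.
     *
     * @param httpSession current HTTP session
     * @param username user id used to obtain the connector
     * @param accessToken OIDC access token string; a credential, never logged
     * @return the ticket id, or {@code null} if the repository did not answer 200 or the response
     *     could not be parsed
     * @throws ConnectorServiceException if the connector cannot be obtained
     */
    private String getAlfTicket(HttpSession httpSession, String username, String accessToken) throws ConnectorServiceException {
        logger.info("Retrieving the Alfresco Ticket from Repository.");

        Connector connector = this.connectorService.getConnector(ALFRESCO_API_ENDPOINT_ID, username, httpSession);
        ConnectorContext connectorContext = new ConnectorContext(HttpMethod.GET, null, Collections.singletonMap("Authorization", "Bearer " + accessToken));
        connectorContext.setContentType("application/json");
        Response ticketResponse = connector.call("/-default-/public/authentication/versions/1/tickets/-me-", connectorContext);

        int statusCode = ticketResponse.getStatus().getCode();
        if (statusCode != HttpServletResponse.SC_OK) {
            // Only the status code is logged; the response body is deliberately left out.
            logger.error("Failed to retrieve Alfresco Ticket from Repository. Status code: " + statusCode);
            return null;
        }

        try {
            return new JSONObject(ticketResponse.getText()).getJSONObject("entry").getString("id");
        } catch (JSONException e) {
            // Keep the cause so a malformed repository response can be diagnosed.
            logger.error("Failed to parse Alfresco Ticket from Repository response.", e);
            return null;
        }
    }

    /** Returns {@code true} when the value is {@code null} or has zero length. */
    private static boolean isNullOrEmpty(String value) {
        return value == null || value.isEmpty();
    }
}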
