package com.appiancorp.oauth.inbound.resourceserver.security;

import com.appiancorp.apikey.exceptions.ApiKeyExistingSessionException;
import com.appiancorp.features.FeatureToggleClient;
import com.appiancorp.oauth.inbound.monitor.OAuthInboundEvent;
import com.appiancorp.oauth.inbound.monitor.OAuthInboundProductMetricsLogger;
import com.appiancorp.oauth.inbound.resourceserver.exceptions.AccessTokenAuthenticationException;
import com.appiancorp.oauth.inbound.token.ResourceServerTokenService;
import java.io.IOException;
import java.util.Collections;
import java.util.Optional;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

/* loaded from: input_file:com/appiancorp/oauth/inbound/resourceserver/security/OAuthFilter.class */
/**
 * Servlet filter that authenticates web API requests carrying an inbound OAuth access token.
 *
 * <p>The filter only engages when the {@code ae.data-integrations.oauth-inbound} feature toggle
 * is on, the servlet path is exactly {@code /webapi}, and
 * {@link ResourceServerTokenService#getQualifiedAccessToken} finds a token on the request.
 * All other requests pass through to the rest of the chain untouched by this class.
 *
 * <p>The URL handed to the superclass constructor is not consulted by the overridden
 * {@link #requiresAuthentication}; the decision is made entirely by the checks above.
 *
 * <p>None of the success/failure hooks delegate to {@code super}, so whatever the superclass
 * would normally do at those points does not run here.
 */
public class OAuthFilter extends AbstractAuthenticationProcessingFilter {
    private static final Logger LOG = LoggerFactory.getLogger(OAuthFilter.class);

    /** The only servlet path for which this filter will attempt token authentication. */
    private static final String WEBAPI_SERVLET_URL = "/webapi";
    private static final Set<String> AUTHENTICATED_URLS = Collections.singleton(WEBAPI_SERVLET_URL);

    /** Toggle gating the whole inbound OAuth feature; when off the filter never authenticates. */
    private static final String OAUTH_INBOUND_TOGGLE = "ae.data-integrations.oauth-inbound";

    /** Toggle that turns "token plus existing session" into a hard rejection instead of a session reset. */
    private static final String DISALLOW_EXISTING_SESSION_TOGGLE = "ae.keep-customers-happy.disallow-existing-session-with-api-keys";

    private final ResourceServerTokenService resourceServerTokenService;
    private final AuthenticationEntryPoint authenticationEntryPoint;
    private final AuthenticationAssembler authenticationAssembler;
    private final FeatureToggleClient featureToggleClient;
    private final OAuthInboundProductMetricsLogger oAuthInboundProductMetricsLogger;

    /**
     * Wires the filter's collaborators.
     *
     * @param authenticationManager manager that validates the assembled token authentication
     * @param authenticationEntryPoint invoked to answer the client when authentication fails
     * @param resourceServerTokenService extracts the access token from a request
     * @param authenticationAssembler builds the authentication objects passed to the manager and
     *        stored in the security context
     * @param oAuthInboundProductMetricsLogger records success/failure events
     * @param featureToggleClient source of the feature toggles read by this filter
     */
    public OAuthFilter(AuthenticationManager authenticationManager, AuthenticationEntryPoint authenticationEntryPoint, ResourceServerTokenService resourceServerTokenService, AuthenticationAssembler authenticationAssembler, OAuthInboundProductMetricsLogger oAuthInboundProductMetricsLogger, FeatureToggleClient featureToggleClient) {
        super("/j_spring_security_filter");
        setAuthenticationManager(authenticationManager);
        this.resourceServerTokenService = resourceServerTokenService;
        this.authenticationEntryPoint = authenticationEntryPoint;
        this.authenticationAssembler = authenticationAssembler;
        this.featureToggleClient = featureToggleClient;
        this.oAuthInboundProductMetricsLogger = oAuthInboundProductMetricsLogger;
    }

    /**
     * Decides whether this request should go through token authentication.
     *
     * @return {@code true} only when the inbound OAuth toggle is enabled, the servlet path is
     *         {@code /webapi}, and an access token is present on the request
     */
    protected boolean requiresAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!featureToggleClient.isFeatureEnabled(OAUTH_INBOUND_TOGGLE)) {
            return false;
        }
        if (!AUTHENTICATED_URLS.contains(httpServletRequest.getServletPath())) {
            if (LOG.isDebugEnabled()) {
                // CR/LF are stripped so a crafted path cannot forge extra log lines.
                LOG.debug("Ignoring {} url for oauth processing filter since it's not a webapi endpoint.", httpServletRequest.getServletPath().replaceAll("[\r\n]", ""));
            }
            return false;
        }
        // NOTE(review): the match is an exact comparison on getServletPath(); confirm the servlet
        // mapping guarantees every web API request reports "/webapi" here.
        return resourceServerTokenService.getQualifiedAccessToken(httpServletRequest).isPresent();
    }

    /**
     * Stores the assembled authentication in the current security context, records the success
     * metric, and lets the request continue down the filter chain.
     */
    protected void successfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, Authentication authentication) throws IOException, ServletException {
        SecurityContextHolder.getContext().setAuthentication(authenticationAssembler.assemble(authentication));
        oAuthInboundProductMetricsLogger.logEvent(OAuthInboundEvent.WEBAPI_OAUTH_SUCCESS);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Extracts the access token and submits it to the authentication manager.
     *
     * <p>A request that also belongs to an existing HTTP session is either rejected or has that
     * session invalidated first, depending on a feature toggle (see
     * {@link #rejectOrInvalidate(HttpSession)}).
     *
     * @return the result of {@code AuthenticationManager.authenticate} for the assembled token
     * @throws AccessTokenAuthenticationException if the request carries no access token
     * @throws ApiKeyExistingSessionException if a session exists and the disallow toggle is on
     */
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // Taken before any token work and handed to the assembler together with the token.
        final long startMillis = System.currentTimeMillis();

        final Optional<?> accessToken = resourceServerTokenService.getQualifiedAccessToken(httpServletRequest);
        if (!accessToken.isPresent()) {
            throw new AccessTokenAuthenticationException("No access token found.");
        }

        // getSession(false): look up the session without creating one as a side effect.
        final HttpSession existingSession = httpServletRequest.getSession(false);
        if (existingSession != null) {
            rejectOrInvalidate(existingSession);
        }

        final Authentication unverified = authenticationAssembler.assemble((String) accessToken.get(), httpServletRequest, startMillis);
        return getAuthenticationManager().authenticate(unverified);
    }

    /**
     * Handles a token-bearing request that arrived with an existing session: throws when the
     * disallow toggle is enabled, otherwise invalidates the session.
     *
     * <p>NOTE(review): this runs before the token has been validated, so with the toggle off a
     * request whose token later fails authentication has still lost its session. Confirm that
     * ordering is intended.
     */
    private void rejectOrInvalidate(HttpSession existingSession) {
        if (featureToggleClient.isFeatureEnabled(DISALLOW_EXISTING_SESSION_TOGGLE)) {
            throw new ApiKeyExistingSessionException("Request is already authenticated. Cannot authenticate again with an access token");
        }
        existingSession.invalidate();
    }

    /**
     * Records the failure metric and hands the response to the configured entry point.
     *
     * <p>NOTE(review): unlike the stock Spring Security implementation, this override does not
     * clear the {@code SecurityContextHolder}. Confirm that a security context populated
     * earlier in the chain cannot survive a failed token attempt.
     */
    protected void unsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        oAuthInboundProductMetricsLogger.logEvent(OAuthInboundEvent.WEBAPI_OAUTH_FAILURE);
        authenticationEntryPoint.commence(httpServletRequest, httpServletResponse, authenticationException);
    }
}
