package de.acosix.alfresco.keycloak.share.web;

import de.acosix.alfresco.keycloak.share.config.KeycloakAdapterConfigElement;
import de.acosix.alfresco.keycloak.share.config.KeycloakAuthenticationConfigElement;
import de.acosix.alfresco.keycloak.share.remote.BearerTokenAwareSlingshotAlfrescoConnector;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.FilterChain;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.alfresco.util.PropertyCheck;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AuthenticatedActionsHandler;
import org.keycloak.adapters.HttpClientBuilder;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.OAuthRequestAuthenticator;
import org.keycloak.adapters.OidcKeycloakAccount;
import org.keycloak.adapters.PreAuthActionsHandler;
import org.keycloak.adapters.RequestAuthenticator;
import org.keycloak.adapters.servlet.FilterRequestAuthenticator;
import org.keycloak.adapters.servlet.OIDCFilterSessionStore;
import org.keycloak.adapters.servlet.OIDCServletHttpFacade;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.AuthenticationError;
import org.keycloak.adapters.spi.KeycloakAccount;
import org.keycloak.adapters.spi.SessionIdMapper;
import org.keycloak.adapters.spi.UserSessionManagement;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.extensions.config.ConfigService;
import org.springframework.extensions.config.RemoteConfigElement;
import org.springframework.extensions.surf.RequestContext;
import org.springframework.extensions.surf.RequestContextUtil;
import org.springframework.extensions.surf.ServletUtil;
import org.springframework.extensions.surf.exception.ConnectorServiceException;
import org.springframework.extensions.surf.mvc.PageViewResolver;
import org.springframework.extensions.surf.site.AuthenticationUtil;
import org.springframework.extensions.surf.types.Page;
import org.springframework.extensions.webscripts.Description;
import org.springframework.extensions.webscripts.connector.ConnectorService;
import org.springframework.extensions.webscripts.servlet.DependencyInjectedFilter;

/* loaded from: input_file:de/acosix/alfresco/keycloak/share/web/KeycloakAuthenticationFilter.class */
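/**
 * Share-side filter that authenticates requests against Keycloak (OIDC) and hands the resulting
 * access token to the configured Alfresco endpoint connectors.
 *
 * <p>Per request the filter picks one of three paths: logout handling, skipping Keycloak
 * (delegating to the default SSO filter or the plain chain), or running the Keycloak
 * authenticator. {@link #checkForSkipCondition} is the gate between the last two; the order of
 * its checks decides which requests bypass Keycloak, so changes there are security relevant.
 *
 * <p>Instances are configured through setters and validated in {@link #afterPropertiesSet()}.
 */
public class KeycloakAuthenticationFilter implements DependencyInjectedFilter, InitializingBean, ApplicationContextAware {
    private static final Logger LOGGER = LoggerFactory.getLogger(KeycloakAuthenticationFilter.class);

    private static final String HEADER_AUTHORIZATION = "Authorization";
    private static final String KEYCLOAK_ACTION_URL_PATTERN = "^(?:/page)?/keycloak/k_[^/]+$";
    // Compiled once; the pattern is evaluated on every request that reaches the filter.
    private static final Pattern KEYCLOAK_ACTION_URL_PATTERN_COMPILED = Pattern.compile(KEYCLOAK_ACTION_URL_PATTERN);
    private static final String PROXY_URL_PATTERN = "^(?:/page)?/proxy/([^/]+)(-noauth)?/.+$";
    private static final Pattern PROXY_URL_PATTERN_COMPILED = Pattern.compile(PROXY_URL_PATTERN);
    private static final String PAGE_SERVLET_PATH = "/page";
    private static final String LOGIN_PAGE_TYPE_PARAMETER_VALUE = "login";
    private static final String PAGE_TYPE_PARAMETER_NAME = "pt";
    private static final String LOGIN_PATH_INFORMATION = "/dologin";
    private static final String LOGOUT_PATH_INFORMATION = "/dologout";
    private static final int DEFAULT_BODY_BUFFER_LIMIT = 32768;
    // Fallback used when no SSL redirect port is configured.
    private static final int DEFAULT_SSL_REDIRECT_PORT = 8443;
    // Session attribute keys written after a successful Keycloak login.
    // NOTE(review): presumably these mirror the keys Surf itself uses for external auth - confirm.
    private static final String SESSION_ATTRIBUTE_EXTERNAL_AUTH = "_alfExternalAuth";
    private static final String SESSION_ATTRIBUTE_USER_ID = "_alf_USER_ID";

    // Per-request login redirect URL; always cleared in doFilter so pooled threads never leak it.
    private static final ThreadLocal<String> LOGIN_REDIRECT_URL = new ThreadLocal<>();

    protected ApplicationContext applicationContext;
    protected DependencyInjectedFilter defaultSsoFilter;
    protected ConfigService configService;
    protected ConnectorService connectorService;
    protected PageViewResolver pageViewResolver;
    protected SessionIdMapper sessionIdMapper;
    protected String primaryEndpoint;
    protected List<String> secondaryEndpoints;
    protected boolean externalAuthEnabled = false;
    protected boolean filterEnabled = false;
    protected boolean loginFormEnhancementEnabled = false;
    protected boolean forceSso = false;
    protected KeycloakDeployment keycloakDeployment;
    protected AdapterDeploymentContext deploymentContext;

    /**
     * Returns the Keycloak login redirect URL captured for the request handled by the current thread.
     *
     * @return the captured URL, or {@code null} if none was captured for this request
     */
    public static String getLoginRedirectUrl() {
        return LOGIN_REDIRECT_URL.get();
    }

    /**
     * Checks whether the current request belongs to a session that was authenticated via Keycloak.
     *
     * @return {@code true} only if a request is bound to the thread, it has an existing session, the
     *         session is authenticated and it holds a {@link KeycloakAccount}
     */
    public static boolean isAuthenticatedByKeycloak() {
        HttpServletRequest request = ServletUtil.getRequest();
        if (request == null) {
            return false;
        }
        HttpSession session = request.getSession(false);
        return session != null
                && AuthenticationUtil.isAuthenticated(request)
                && session.getAttribute(KeycloakAccount.class.getName()) != null;
    }

    @Override
    public void setApplicationContext(ApplicationContext applicationContext) {
        this.applicationContext = applicationContext;
    }

    /**
     * Validates mandatory properties and builds the Keycloak deployment from the application
     * configuration.
     *
     * @throws IllegalStateException if the SSO filter is enabled but the Keycloak adapter is missing
     *         or not fully configured
     */
    @Override
    public void afterPropertiesSet() {
        PropertyCheck.mandatory(this, "primaryEndpoint", this.primaryEndpoint);
        PropertyCheck.mandatory(this, "configService", this.configService);
        PropertyCheck.mandatory(this, "connectorService", this.connectorService);
        PropertyCheck.mandatory(this, "pageViewResolver", this.pageViewResolver);
        PropertyCheck.mandatory(this, "sessionIdMapper", this.sessionIdMapper);
        LOGGER.info("Setting up filter for primary endpoint {} and secondary endpoints {}", this.primaryEndpoint, this.secondaryEndpoints);

        RemoteConfigElement remoteConfig = (RemoteConfigElement) this.configService.getConfig("Remote").getConfigElement("remote");
        if (remoteConfig != null) {
            RemoteConfigElement.EndpointDescriptor primaryDescriptor = remoteConfig.getEndpointDescriptor(this.primaryEndpoint);
            if (primaryDescriptor != null) {
                this.externalAuthEnabled = primaryDescriptor.getExternalAuth();
            } else {
                LOGGER.error("Endpoint {} has not been defined in the application configuration", this.primaryEndpoint);
            }
            if (this.secondaryEndpoints != null) {
                // Drop secondary endpoints the application does not know, so no token is ever
                // pushed to a connector that was not explicitly defined.
                this.secondaryEndpoints = this.secondaryEndpoints.stream().filter(endpoint -> {
                    boolean defined = remoteConfig.getEndpointDescriptor(endpoint) != null;
                    if (!defined) {
                        LOGGER.info("Excluding configured secondary endpoint {} which is not defined in the application configuration", endpoint);
                    }
                    return defined;
                }).collect(Collectors.toList());
            }
        } else {
            LOGGER.error("No remote configuration has been defined for the application");
        }

        KeycloakAdapterConfigElement adapterConfigElement = (KeycloakAdapterConfigElement) this.configService.getConfig("Keycloak")
                .getConfigElement(KeycloakAdapterConfigElement.NAME);
        if (adapterConfigElement != null) {
            AdapterConfig adapterConfig = adapterConfigElement.buildAdapterConfiguration();
            // CORS handling and HTTP Basic authentication are always switched off for this filter,
            // regardless of what the adapter configuration says.
            adapterConfig.setCors(false);
            adapterConfig.setEnableBasicAuth(false);
            this.keycloakDeployment = KeycloakDeploymentBuilder.build(adapterConfig);
            if (this.keycloakDeployment.getClient() != null) {
                Long connectionTimeout = adapterConfigElement.getConnectionTimeout();
                Long socketTimeout = adapterConfigElement.getSocketTimeout();
                HttpClientBuilder httpClientBuilder = new HttpClientBuilder();
                if (connectionTimeout != null && connectionTimeout.longValue() >= 0) {
                    httpClientBuilder = httpClientBuilder.establishConnectionTimeout(connectionTimeout.longValue(), TimeUnit.MILLISECONDS);
                }
                if (socketTimeout != null && socketTimeout.longValue() >= 0) {
                    httpClientBuilder = httpClientBuilder.socketTimeout(socketTimeout.longValue(), TimeUnit.MILLISECONDS);
                }
                this.keycloakDeployment.setClient(httpClientBuilder.build(adapterConfig));
            }
            this.deploymentContext = new AdapterDeploymentContext(this.keycloakDeployment);
        } else {
            LOGGER.error("No Keycloak adapter configuration has been defined for the application");
        }

        KeycloakAuthenticationConfigElement authenticationConfig = getAuthenticationConfig();
        if (authenticationConfig != null) {
            this.filterEnabled = Boolean.TRUE.equals(authenticationConfig.getEnableSsoFilter());
            this.loginFormEnhancementEnabled = Boolean.TRUE.equals(authenticationConfig.getEnhanceLoginForm());
            this.forceSso = Boolean.TRUE.equals(authenticationConfig.getForceKeycloakSso());
        } else {
            LOGGER.error("No Keycloak authentication configuration has been defined for the application");
        }

        // A missing adapter configuration leaves keycloakDeployment null; fail with the explicit
        // message instead of a NullPointerException when the filter is enabled anyway.
        if (this.filterEnabled && (this.keycloakDeployment == null || !this.keycloakDeployment.isConfigured())) {
            throw new IllegalStateException("The Keycloak adapter has not been properly configured");
        }
    }

    public void setDefaultSsoFilter(DependencyInjectedFilter dependencyInjectedFilter) {
        this.defaultSsoFilter = dependencyInjectedFilter;
    }

    public void setConfigService(ConfigService configService) {
        this.configService = configService;
    }

    public void setConnectorService(ConnectorService connectorService) {
        this.connectorService = connectorService;
    }

    public void setPageViewResolver(PageViewResolver pageViewResolver) {
        this.pageViewResolver = pageViewResolver;
    }

    public void setSessionIdMapper(SessionIdMapper sessionIdMapper) {
        this.sessionIdMapper = sessionIdMapper;
    }

    /**
     * @param str the ID of the primary endpoint whose connector receives the bearer token
     */
    public void setPrimaryEndpoint(String str) {
        this.primaryEndpoint = str;
    }

    /**
     * @param list the IDs of additional endpoints to receive the bearer token; copied defensively,
     *        may be {@code null}
     */
    public void setSecondaryEndpoints(List<String> list) {
        this.secondaryEndpoints = list != null ? new ArrayList<>(list) : null;
    }

    /**
     * Entry point of the filter: routes the request to logout handling, the skip path or Keycloak
     * authentication, and clears the per-request login redirect URL afterwards.
     *
     * @throws IOException if the downstream chain or the Keycloak handling fails on I/O
     * @throws ServletException if the downstream chain or page resolution fails
     */
    @Override
    public void doFilter(ServletContext servletContext, ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        try {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
            LOGGER.debug("Entered doFilter for {}", httpServletRequest);
            if (isLogoutRequest(httpServletRequest)) {
                processLogout(servletContext, httpServletRequest, httpServletResponse, filterChain);
            } else if (checkForSkipCondition(httpServletRequest, httpServletResponse)) {
                if (!AuthenticationUtil.isAuthenticated(httpServletRequest) && this.loginFormEnhancementEnabled && isLoginPage(httpServletRequest)) {
                    prepareLoginFormEnhancement(servletContext, httpServletRequest, httpServletResponse);
                }
                continueFilterChain(servletContext, servletRequest, servletResponse, filterChain);
            } else {
                processKeycloakAuthenticationAndActions(servletContext, httpServletRequest, httpServletResponse, filterChain);
            }
        } finally {
            // Runs on success and on every failure, so the value cannot survive into the next
            // request served by the same thread.
            LOGIN_REDIRECT_URL.remove();
        }
    }

    /**
     * Handles a request to the logout path. Sessions that are not Keycloak-authenticated, or that
     * the session ID mapper no longer knows, simply continue down the chain; otherwise the Keycloak
     * session store is asked to log out before the chain continues.
     */
    protected void processLogout(ServletContext servletContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpSession session = httpServletRequest.getSession(false);
        boolean keycloakSession = session != null
                && AuthenticationUtil.isAuthenticated(httpServletRequest)
                && session.getAttribute(KeycloakAccount.class.getName()) != null
                && this.sessionIdMapper.hasSession(session.getId());
        if (!keycloakSession) {
            continueFilterChain(servletContext, httpServletRequest, httpServletResponse, filterChain);
            return;
        }
        LOGGER.debug("Processing logout for Keycloak-authenticated user {} in session {}", AuthenticationUtil.getUserId(httpServletRequest), session.getId());
        OIDCServletHttpFacade facade = new OIDCServletHttpFacade(httpServletRequest, httpServletResponse);
        int bodyBufferLimit = resolveBodyBufferLimit(getAuthenticationConfig());
        new OIDCFilterSessionStore(httpServletRequest, facade, bodyBufferLimit, this.keycloakDeployment, (SessionIdMapper) null).logout();
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Runs the Keycloak pre-auth actions (for Keycloak action URLs) and the request authenticator,
     * then dispatches on the authentication outcome.
     */
    protected void processKeycloakAuthenticationAndActions(ServletContext servletContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        LOGGER.debug("Processing Keycloak authentication on request to {}", httpServletRequest.getRequestURL());
        KeycloakAuthenticationConfigElement authenticationConfig = getAuthenticationConfig();
        int bodyBufferLimit = resolveBodyBufferLimit(authenticationConfig);
        int sslRedirectPort = resolveSslRedirectPort(authenticationConfig);
        OIDCServletHttpFacade facade = new OIDCServletHttpFacade(httpServletRequest, httpServletResponse);

        if (isKeycloakActionUrl(requestPath(httpServletRequest))) {
            LOGGER.debug("Applying Keycloak pre-auth actions handler");
            UserSessionManagement sessionManagement = new UserSessionManagement() {
                @Override
                public void logoutAll() {
                    KeycloakAuthenticationFilter.this.sessionIdMapper.clear();
                }

                @Override
                public void logoutHttpSessions(List<String> list) {
                    list.forEach(KeycloakAuthenticationFilter.this.sessionIdMapper::removeSession);
                }
            };
            if (new PreAuthActionsHandler(sessionManagement, this.deploymentContext, facade).handleRequest()) {
                LOGGER.debug("Keycloak pre-auth actions processed the request - stopping filter chain execution");
                return;
            }
        }

        OIDCFilterSessionStore sessionStore = new OIDCFilterSessionStore(httpServletRequest, facade, bodyBufferLimit, this.keycloakDeployment, this.sessionIdMapper);
        FilterRequestAuthenticator authenticator = new FilterRequestAuthenticator(this.keycloakDeployment, sessionStore, facade, httpServletRequest, sslRedirectPort);
        AuthOutcome outcome = authenticator.authenticate();

        if (outcome == AuthOutcome.AUTHENTICATED) {
            onKeycloakAuthenticationSuccess(servletContext, httpServletRequest, httpServletResponse, filterChain, facade, sessionStore);
            return;
        }
        if (outcome == AuthOutcome.NOT_ATTEMPTED && this.forceSso) {
            // With forced SSO the request never reaches the rest of the chain unauthenticated.
            LOGGER.debug("No authentication took place - sending authentication challenge");
            authenticator.getChallenge().challenge(facade);
            return;
        }
        if (outcome == AuthOutcome.FAILED) {
            onKeycloakAuthenticationFailure(servletContext, httpServletRequest, httpServletResponse, filterChain);
            return;
        }
        if (outcome == AuthOutcome.NOT_ATTEMPTED) {
            LOGGER.debug("No authentication took place - continueing with filter chain processing");
            if (this.loginFormEnhancementEnabled) {
                prepareLoginFormEnhancement(servletContext, httpServletRequest, httpServletResponse, filterRequestAuthenticatorOrSelf(authenticator));
            }
        } else {
            LOGGER.warn("Unexpected authentication outcome {} - continueing with filter chain processing", outcome);
        }
        continueFilterChain(servletContext, httpServletRequest, httpServletResponse, filterChain);
    }

    /**
     * Captures the challenge redirect of an authenticator that already ran for this request and
     * exposes it via {@link #getLoginRedirectUrl()}.
     */
    protected void prepareLoginFormEnhancement(ServletContext servletContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterRequestAuthenticator filterRequestAuthenticator) {
        RedirectCaptureServletHttpFacade captureFacade = new RedirectCaptureServletHttpFacade(httpServletRequest);
        filterRequestAuthenticator.getChallenge().challenge(captureFacade);
        publishCapturedRedirect(servletContext, httpServletRequest, httpServletResponse, captureFacade);
    }

    /**
     * Builds a fresh OAuth authenticator for a login page request, captures its challenge redirect
     * and exposes it via {@link #getLoginRedirectUrl()}.
     *
     * @throws IllegalStateException if the authenticator reports any outcome other than
     *         {@link AuthOutcome#NOT_ATTEMPTED}; the response status is set to 500 first
     */
    protected void prepareLoginFormEnhancement(ServletContext servletContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        KeycloakAuthenticationConfigElement authenticationConfig = getAuthenticationConfig();
        int bodyBufferLimit = resolveBodyBufferLimit(authenticationConfig);
        int sslRedirectPort = resolveSslRedirectPort(authenticationConfig);
        // The wrapper reports an empty query string to the authenticator for this capture run.
        RedirectCaptureServletHttpFacade captureFacade = new RedirectCaptureServletHttpFacade(new HttpServletRequestWrapper(httpServletRequest) {
            @Override
            public String getQueryString() {
                return "";
            }
        });
        OIDCFilterSessionStore sessionStore = new OIDCFilterSessionStore(httpServletRequest, captureFacade, bodyBufferLimit, this.keycloakDeployment, (SessionIdMapper) null);
        OAuthRequestAuthenticator authenticator = new OAuthRequestAuthenticator((RequestAuthenticator) null, captureFacade, this.keycloakDeployment, sslRedirectPort, sessionStore);
        AuthOutcome outcome = authenticator.authenticate();
        if (outcome != AuthOutcome.NOT_ATTEMPTED) {
            LOGGER.error("OAuthRequestAuthenticator yielded unexpected auth outcome {}", outcome);
            httpServletResponse.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            throw new IllegalStateException("OAuthRequestAuthenticator did not generate login redirect");
        }
        authenticator.getChallenge().challenge(captureFacade);
        publishCapturedRedirect(servletContext, httpServletRequest, httpServletResponse, captureFacade);
    }

    /**
     * Completes a successful Keycloak authentication: pushes the access token to the endpoint
     * connectors, marks the session as externally authenticated and continues with the request
     * wrapper built by the session store.
     */
    protected void onKeycloakAuthenticationSuccess(ServletContext servletContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, OIDCServletHttpFacade oIDCServletHttpFacade, OIDCFilterSessionStore oIDCFilterSessionStore) throws IOException, ServletException {
        // NOTE(review): no session ID rotation is visible in this method; confirm that the adapter
        // or the container changes the session ID on login.
        HttpSession session = httpServletRequest.getSession();
        Object account = session.getAttribute(KeycloakAccount.class.getName());
        if (account instanceof OidcKeycloakAccount) {
            KeycloakSecurityContext securityContext = ((OidcKeycloakAccount) account).getKeycloakSecurityContext();
            // NOTE(review): the Share user ID is taken from the preferred_username claim; confirm
            // the realm guarantees it is present, unique and not freely editable by users.
            String preferredUsername = securityContext.getToken().getPreferredUsername();
            LOGGER.debug("User {} successfully authenticated via Keycloak", preferredUsername);
            propagateBearerToken(preferredUsername, session, securityContext.getTokenString());
            session.setAttribute(SESSION_ATTRIBUTE_EXTERNAL_AUTH, Boolean.TRUE);
            session.setAttribute(SESSION_ATTRIBUTE_USER_ID, preferredUsername);
        }
        if (oIDCServletHttpFacade.isEnded()) {
            LOGGER.debug("Authenticator already handled response");
            return;
        }
        if (isKeycloakActionUrl(requestPath(httpServletRequest))) {
            LOGGER.debug("Applying Keycloak authenticated actions handler");
            if (new AuthenticatedActionsHandler(this.keycloakDeployment, oIDCServletHttpFacade).handledRequest()) {
                LOGGER.debug("Keycloak authenticated actions processed the request - stopping filter chain execution");
                return;
            }
        }
        LOGGER.debug("Continueing with filter chain processing");
        continueFilterChain(servletContext, oIDCFilterSessionStore.buildWrapper(), httpServletResponse, filterChain);
    }

    /**
     * Handles a failed Keycloak authentication: drops any existing session and the state cookie,
     * then lets the request continue unauthenticated.
     */
    protected void onKeycloakAuthenticationFailure(ServletContext servletContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        LOGGER.warn("Keycloak authentication failed due to {}", httpServletRequest.getAttribute(AuthenticationError.class.getName()));
        LOGGER.debug("Resetting session and state cookie before continueing with filter chain");
        // Only invalidate a session that exists; creating one just to invalidate it would hand
        // out a needless session cookie.
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resetStateCookies(servletContext, httpServletRequest, httpServletResponse);
        continueFilterChain(servletContext, httpServletRequest, httpServletResponse, filterChain);
    }

    /**
     * Continues request processing. Requests without a Keycloak account in the session go through
     * the default SSO filter when one is set; all others go straight to the filter chain.
     */
    protected void continueFilterChain(ServletContext servletContext, ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) servletRequest).getSession(false);
        Object account = session != null ? session.getAttribute(KeycloakAccount.class.getName()) : null;
        if (this.defaultSsoFilter != null && account == null) {
            this.defaultSsoFilter.doFilter(servletContext, servletRequest, servletResponse, filterChain);
        } else {
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    /**
     * Decides whether Keycloak handling is skipped for the request. The checks are evaluated in a
     * fixed order and the first match wins.
     *
     * @return {@code true} to skip Keycloak authentication, {@code false} to run it
     * @throws ServletException if the requested page cannot be resolved
     */
    protected boolean checkForSkipCondition(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException {
        String servletPath = httpServletRequest.getServletPath();
        String pathInfo = httpServletRequest.getPathInfo();
        String path = servletPath + (pathInfo != null ? pathInfo : "");
        HttpSession session = httpServletRequest.getSession(false);

        // A Keycloak-authenticated session the mapper no longer knows has been logged out via the
        // back channel; it must not be honoured any further.
        if (this.externalAuthEnabled && this.filterEnabled && this.keycloakDeployment != null && session != null
                && AuthenticationUtil.isAuthenticated(httpServletRequest)
                && session.getAttribute(KeycloakAccount.class.getName()) != null
                && !this.sessionIdMapper.hasSession(session.getId())) {
            LOGGER.debug("Session {} for Keycloak-authenticated user {} was invalidated by back-channel logout", session.getId(), AuthenticationUtil.getUserId(httpServletRequest));
            session.invalidate();
            session = httpServletRequest.getSession(false);
        }

        if (!this.externalAuthEnabled || !this.filterEnabled) {
            LOGGER.debug("Skipping doFilter as filter and/or external authentication are not enabled");
            return true;
        }
        if (this.keycloakDeployment == null) {
            LOGGER.debug("Skipping doFilter as Keycloak adapter was not properly initialised");
            return true;
        }
        if (isKeycloakActionUrl(path)) {
            LOGGER.debug("Explicitly not skipping doFilter as Keycloak action URL is being called");
            return false;
        }
        if (httpServletRequest.getParameter("state") != null && httpServletRequest.getParameter("code") != null && hasStateCookie(httpServletRequest)) {
            LOGGER.debug("Explicitly not skipping doFilter as state and code query parameters of OAuth2 redirect as well as state cookie are present");
            return false;
        }

        String authorization = httpServletRequest.getHeader(HEADER_AUTHORIZATION);
        if (authorization != null) {
            // NOTE(review): the scheme is matched case-sensitively, so "bearer ..." takes the
            // non-OIDC path below - confirm this is intended.
            if (authorization.startsWith("Bearer ")) {
                LOGGER.debug("Explicitly not skipping doFilter as Bearer authorization header is present");
                return false;
            }
            LOGGER.debug("Skipping doFilter as non-OIDC authorization header is present");
            return true;
        }

        if (session != null && AuthenticationUtil.isAuthenticated(httpServletRequest)) {
            String userId = AuthenticationUtil.getUserId(httpServletRequest);
            LOGGER.debug("Existing HTTP session is associated with user {}", userId);
            KeycloakAccount keycloakAccount = (KeycloakAccount) session.getAttribute(KeycloakAccount.class.getName());
            if (keycloakAccount != null) {
                return validateAndRefreshKeycloakAuthentication(httpServletRequest, httpServletResponse, userId, keycloakAccount);
            }
            LOGGER.debug("Skipping doFilter as non-Keycloak-authenticated session is already established");
            return true;
        }

        Matcher proxyMatcher = PROXY_URL_PATTERN_COMPILED.matcher(path);
        if (proxyMatcher.matches()) {
            String endpoint = proxyMatcher.group(1);
            String noAuthSuffix = proxyMatcher.group(2);
            if (noAuthSuffix != null && !noAuthSuffix.trim().isEmpty()) {
                LOGGER.debug("Skipping doFilter as proxy servlet to noauth endpoint {} is being called", endpoint);
                return true;
            }
            if (!endpoint.equals(this.primaryEndpoint) && (this.secondaryEndpoints == null || !this.secondaryEndpoints.contains(endpoint))) {
                LOGGER.debug("Skipping doFilter on proxy servlet call as endpoint {} has not been configured as a primary / secondary endpoint to handle", endpoint);
                return true;
            }
            return false;
        }

        if (PAGE_SERVLET_PATH.equals(servletPath)
                && (LOGIN_PATH_INFORMATION.equals(pathInfo)
                        || (pathInfo == null && LOGIN_PAGE_TYPE_PARAMETER_VALUE.equals(httpServletRequest.getParameter(PAGE_TYPE_PARAMETER_NAME))))) {
            LOGGER.debug("Skipping doFilter as login page was explicitly requested");
            return true;
        }
        if (isNoAuthPage(httpServletRequest)) {
            LOGGER.debug("Skipping doFilter as requested page does not require authentication");
            return true;
        }
        return false;
    }

    /**
     * Lets the Keycloak session store check the current token and, if the HTTP session still
     * exists afterwards, re-publishes the token to the endpoint connectors.
     *
     * @param str the user ID associated with the existing session
     * @param keycloakAccount the account found in the session before the check
     * @return {@code true} if the session survived the check (Keycloak handling is skipped),
     *         {@code false} if it was invalidated
     */
    protected boolean validateAndRefreshKeycloakAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, KeycloakAccount keycloakAccount) {
        OIDCServletHttpFacade facade = new OIDCServletHttpFacade(httpServletRequest, httpServletResponse);
        int bodyBufferLimit = resolveBodyBufferLimit(getAuthenticationConfig());
        new OIDCFilterSessionStore(httpServletRequest, facade, bodyBufferLimit, this.keycloakDeployment, (SessionIdMapper) null).checkCurrentToken();

        HttpSession session = httpServletRequest.getSession(false);
        if (session == null) {
            LOGGER.debug("Keycloak-authenticated session for user {} was invalidated after token expiration", str);
            return false;
        }
        LOGGER.debug("Skipping doFilter as Keycloak-authentication session is still valid");
        if (keycloakAccount instanceof OidcKeycloakAccount) {
            String tokenString = ((OidcKeycloakAccount) keycloakAccount).getKeycloakSecurityContext().getTokenString();
            propagateBearerToken(str, session, tokenString);
        }
        return true;
    }

    /**
     * @return {@code true} if the requested page resolves and declares that it requires no
     *         authentication
     * @throws ServletException if the request context cannot be initialised or inspected
     */
    protected boolean isNoAuthPage(HttpServletRequest httpServletRequest) throws ServletException {
        String pathInfo = httpServletRequest.getPathInfo();
        try {
            RequestContext requestContext = RequestContextUtil.initRequestContext(this.applicationContext, httpServletRequest, true);
            Page page = resolveRequestedPage(requestContext, pathInfo);
            return page != null && page.getAuthentication() == Description.RequiredAuthentication.none;
        } catch (Exception e) {
            LOGGER.error("Error calling initRequestContext", e);
            throw new ServletException(e);
        }
    }

    /**
     * @return {@code true} if the request targets the login page, either through the page type
     *         parameter or through the type of the resolved page
     * @throws ServletException if the request context cannot be initialised or inspected
     */
    protected boolean isLoginPage(HttpServletRequest httpServletRequest) throws ServletException {
        String servletPath = httpServletRequest.getServletPath();
        String pathInfo = httpServletRequest.getPathInfo();
        if (PAGE_SERVLET_PATH.equals(servletPath) && pathInfo == null
                && LOGIN_PAGE_TYPE_PARAMETER_VALUE.equals(httpServletRequest.getParameter(PAGE_TYPE_PARAMETER_NAME))) {
            return true;
        }
        try {
            RequestContext requestContext = RequestContextUtil.initRequestContext(this.applicationContext, httpServletRequest, true);
            Page page = resolveRequestedPage(requestContext, pathInfo);
            return page != null
                    && page.getPageType(requestContext) != null
                    && LOGIN_PAGE_TYPE_PARAMETER_VALUE.equals(page.getPageType(requestContext).getId());
        } catch (Exception e) {
            LOGGER.error("Error calling initRequestContext", e);
            throw new ServletException(e);
        }
    }

    /**
     * @return {@code true} if the request targets the logout path below the page servlet
     */
    protected boolean isLogoutRequest(HttpServletRequest httpServletRequest) throws ServletException {
        return PAGE_SERVLET_PATH.equals(httpServletRequest.getServletPath()) && LOGOUT_PATH_INFORMATION.equals(httpServletRequest.getPathInfo());
    }

    /**
     * Stores the bearer token in the connector session of one endpoint.
     *
     * @param str the endpoint ID
     * @param str2 the user ID the connector is looked up for
     * @param httpSession the HTTP session the connector is bound to
     * @param str3 the access token string; a credential, so it must never be written to a log
     */
    protected void updateEndpointConnectorBearerToken(String str, String str2, HttpSession httpSession, String str3) {
        try {
            this.connectorService.getConnector(str, str2, httpSession).getConnectorSession()
                    .setParameter(BearerTokenAwareSlingshotAlfrescoConnector.CS_PARAM_BEARER_TOKEN, str3);
        } catch (ConnectorServiceException e) {
            // Best effort per endpoint: keep the cause in the log, but never the token itself.
            LOGGER.warn("Endpoint {} has not been defined", str, e);
        }
    }

    /**
     * @return {@code true} if the request carries a cookie named like the deployment's state cookie
     */
    protected boolean hasStateCookie(HttpServletRequest httpServletRequest) {
        String stateCookieName = this.keycloakDeployment.getStateCookieName();
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return false;
        }
        return Arrays.stream(cookies).map(Cookie::getName).anyMatch(stateCookieName::equals);
    }

    /**
     * Expires the Keycloak state cookie on the client if the request carries one.
     */
    protected void resetStateCookies(ServletContext servletContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return;
        }
        String stateCookieName = this.keycloakDeployment.getStateCookieName();
        Arrays.stream(cookies)
                .filter(cookie -> stateCookieName.equals(cookie.getName()))
                .findAny()
                .ifPresent(existing -> {
                    // Empty value plus max-age 0 tells the browser to delete the cookie.
                    Cookie expired = new Cookie(existing.getName(), "");
                    expired.setPath(servletContext.getContextPath());
                    expired.setMaxAge(0);
                    // Set defensively: the cookie has no value, but keeping it out of script reach
                    // and marking it Secure on secure requests costs nothing.
                    expired.setHttpOnly(true);
                    expired.setSecure(httpServletRequest.isSecure());
                    httpServletResponse.addCookie(expired);
                });
    }

    /** Looks up the Keycloak authentication settings; may be {@code null} if none are configured. */
    private KeycloakAuthenticationConfigElement getAuthenticationConfig() {
        return (KeycloakAuthenticationConfigElement) this.configService.getConfig("Keycloak")
                .getConfigElement(KeycloakAuthenticationConfigElement.NAME);
    }

    /** Returns the configured body buffer limit, or the default when no value is available. */
    private int resolveBodyBufferLimit(KeycloakAuthenticationConfigElement authenticationConfig) {
        Integer configured = authenticationConfig != null ? authenticationConfig.getBodyBufferLimit() : null;
        return configured != null ? configured.intValue() : DEFAULT_BODY_BUFFER_LIMIT;
    }

    /** Returns the configured SSL redirect port, or the default when no value is available. */
    private int resolveSslRedirectPort(KeycloakAuthenticationConfigElement authenticationConfig) {
        Integer configured = authenticationConfig != null ? authenticationConfig.getSslRedirectPort() : null;
        return configured != null ? configured.intValue() : DEFAULT_SSL_REDIRECT_PORT;
    }

    /** Concatenates servlet path and path info the way the URL patterns of this filter expect. */
    private static String requestPath(HttpServletRequest request) {
        String pathInfo = request.getPathInfo();
        return request.getServletPath() + (pathInfo != null ? pathInfo : "");
    }

    /** Tells whether the path addresses one of the Keycloak action URLs. */
    private static boolean isKeycloakActionUrl(String path) {
        return KEYCLOAK_ACTION_URL_PATTERN_COMPILED.matcher(path).matches();
    }

    /** Identity helper that keeps the authenticator argument strongly typed at the call site. */
    private static FilterRequestAuthenticator filterRequestAuthenticatorOrSelf(FilterRequestAuthenticator authenticator) {
        return authenticator;
    }

    /** Pushes the bearer token to the primary endpoint and every secondary endpoint. */
    private void propagateBearerToken(String userId, HttpSession session, String tokenString) {
        updateEndpointConnectorBearerToken(this.primaryEndpoint, userId, session, tokenString);
        if (this.secondaryEndpoints != null) {
            for (String endpoint : this.secondaryEndpoints) {
                updateEndpointConnectorBearerToken(endpoint, userId, session, tokenString);
            }
        }
    }

    /**
     * Resets the state cookie, re-issues the captured cookies on the context path and records the
     * captured Location header as login redirect URL for the current thread.
     */
    private void publishCapturedRedirect(ServletContext servletContext, HttpServletRequest request, HttpServletResponse response, RedirectCaptureServletHttpFacade captureFacade) {
        resetStateCookies(servletContext, request, response);
        captureFacade.getCookies().forEach(cookie -> {
            cookie.setPath(servletContext.getContextPath());
            response.addCookie(cookie);
        });
        List<String> locations = captureFacade.getHeaders().get("Location");
        if (locations != null && !locations.isEmpty()) {
            LOGIN_REDIRECT_URL.set(locations.get(0));
        }
    }

    /** Returns the page of the request context, resolving the view by path info if necessary. */
    private Page resolveRequestedPage(RequestContext requestContext, String pathInfo) {
        Page page = requestContext.getPage();
        if (page == null && pathInfo != null) {
            try {
                // Resolving the view is what populates the page on the request context.
                if (this.pageViewResolver.resolveViewName(pathInfo, (Locale) null) != null) {
                    page = requestContext.getPage();
                }
            } catch (Exception e) {
                LOGGER.warn("Error during resolution of requested page view", e);
            }
        }
        return page;
    }
}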
