package org.flowable.ui.common.filter;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.annotation.PostConstruct;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.flowable.common.engine.api.FlowableException;
import org.flowable.ui.common.model.RemoteToken;
import org.flowable.ui.common.model.RemoteUser;
import org.flowable.ui.common.properties.FlowableCommonAppProperties;
import org.flowable.ui.common.security.CookieConstants;
import org.flowable.ui.common.security.FlowableAppUser;
import org.flowable.ui.common.service.idm.RemoteIdmService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.thymeleaf.ThymeleafProperties;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.rememberme.InvalidCookieException;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:WEB-INF/lib/flowable-ui-common-6.3.1.jar:org/flowable/ui/common/filter/FlowableCookieFilter.class */
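/**
 * Servlet filter that authenticates requests with the login cookie shared with the Flowable IDM
 * application ({@link CookieConstants#COOKIE_NAME}).
 *
 * <p>For every request not skipped by {@link #skipAuthenticationCheck(HttpServletRequest)} the
 * cookie is decoded into a token id and a token value, the token is looked up (and cached) through
 * {@link RemoteIdmService#getToken(String)}, the owning user is looked up (and cached) through
 * {@link RemoteIdmService#getUser(String)}, the configured required privileges are checked and, on
 * success, a {@link RememberMeAuthenticationToken} is stored in the {@link SecurityContextHolder}.
 * Any failure ends the request here: a redirect to the IDM login page for the root path, a bare
 * 403 for every other path; the remaining filter chain is not invoked in that case.
 *
 * <p>Both caches expire entries {@code maxAge} seconds after they were written and are not
 * re-validated against IDM on a hit, so a token deleted in IDM, or a privilege removed from a
 * user, stays effective in this application for at most that long.
 */
public class FlowableCookieFilter extends OncePerRequestFilter {

    private static final Logger LOGGER = LoggerFactory.getLogger(FlowableCookieFilter.class);

    /** Separator between the token id and the token value in the decoded cookie. */
    protected static final String DELIMITER = ":";

    /** Request URI suffixes for which no authentication is performed at all. */
    private static final String[] UNAUTHENTICATED_SUFFIXES = {
            ".css", ".js", ThymeleafProperties.DEFAULT_SUFFIX, ".map", ".woff",
            ".png", ".jpg", ".jpeg", ".tif", ".tiff"
    };

    protected final RemoteIdmService remoteIdmService;
    protected final FlowableCommonAppProperties properties;
    protected FlowableCookieFilterCallback filterCallback;
    protected String idmAppUrl;
    protected String redirectUrlOnAuthSuccess;
    protected Collection<String> requiredPrivileges;
    protected LoadingCache<String, RemoteToken> tokenCache;
    protected LoadingCache<String, FlowableAppUser> userCache;

    public FlowableCookieFilter(RemoteIdmService remoteIdmService, FlowableCommonAppProperties flowableCommonAppProperties) {
        this.remoteIdmService = remoteIdmService;
        this.properties = flowableCommonAppProperties;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Resolves the IDM redirect URLs and builds both caches once the bean is fully configured. */
    @PostConstruct
    public void initCaches() {
        initIdmAppRedirectUrl();
        initTokenCache();
        initUserCache();
    }

    protected void initIdmAppRedirectUrl() {
        this.idmAppUrl = this.properties.determineIdmAppRedirectUrl();
        this.redirectUrlOnAuthSuccess = this.properties.getRedirectOnAuthSuccess();
    }

    /**
     * Builds the token cache, keyed by token id. A miss is resolved through
     * {@link RemoteIdmService#getToken(String)}; an id IDM does not know fails the load with a
     * {@link FlowableException}, which surfaces to callers of {@code tokenCache.get} wrapped by Guava.
     */
    protected void initTokenCache() {
        FlowableCommonAppProperties.Cache cacheConfig = this.properties.getCacheLoginTokens();
        this.tokenCache = CacheBuilder.newBuilder()
                .maximumSize(Long.valueOf(cacheConfig.getMaxSize()))
                .expireAfterWrite(Long.valueOf(cacheConfig.getMaxAge()), TimeUnit.SECONDS)
                .recordStats()
                .build(new CacheLoader<String, RemoteToken>() {
                    @Override
                    public RemoteToken load(String tokenId) throws Exception {
                        RemoteToken token = FlowableCookieFilter.this.remoteIdmService.getToken(tokenId);
                        if (token == null) {
                            throw new FlowableException("token not found " + tokenId);
                        }
                        return token;
                    }
                });
    }

    /**
     * Builds the user cache, keyed by user id. A miss is resolved through
     * {@link RemoteIdmService#getUser(String)}; every privilege name of the remote user becomes a
     * {@link SimpleGrantedAuthority}. An unknown user fails the load with a {@link FlowableException}.
     */
    protected void initUserCache() {
        FlowableCommonAppProperties.Cache cacheConfig = this.properties.getCacheLoginUsers();
        this.userCache = CacheBuilder.newBuilder()
                .maximumSize(Long.valueOf(cacheConfig.getMaxSize()))
                .expireAfterWrite(Long.valueOf(cacheConfig.getMaxAge()), TimeUnit.SECONDS)
                .recordStats()
                .build(new CacheLoader<String, FlowableAppUser>() {
                    @Override
                    public FlowableAppUser load(String userId) throws Exception {
                        RemoteUser user = FlowableCookieFilter.this.remoteIdmService.getUser(userId);
                        if (user == null) {
                            throw new FlowableException("user not found " + userId);
                        }
                        List<GrantedAuthority> authorities = new ArrayList<>();
                        for (String privilege : user.getPrivileges()) {
                            authorities.add(new SimpleGrantedAuthority(privilege));
                        }
                        return new FlowableAppUser(user, user.getId(), authorities);
                    }
                });
    }

    /**
     * Authenticates the request from the login cookie, then continues the filter chain.
     *
     * <p>Every failure (no valid cookie, user lookup failed, required privilege missing) is
     * answered by {@link #redirectOrSendNotPermitted} and ends the request here. The user-lookup
     * failure path returns immediately: continuing would dereference a user that was never
     * loaded after a redirect has already been sent.
     *
     * <p>{@link FlowableCookieFilterCallback#onFilterCleanup} runs exactly once after the chain,
     * whether or not the chain threw.
     *
     * @throws ServletException propagated from the filter chain
     * @throws IOException propagated from the filter chain
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain)
            throws ServletException, IOException {
        if (!skipAuthenticationCheck(httpServletRequest)) {
            RemoteToken validToken = getValidToken(httpServletRequest);
            if (validToken == null) {
                redirectOrSendNotPermitted(httpServletRequest, httpServletResponse, null);
                return;
            }
            FlowableAppUser flowableAppUser;
            try {
                flowableAppUser = this.userCache.get(validToken.getUserId());
            } catch (Exception e) {
                LOGGER.trace("Could not set necessary threadlocals for token", e);
                redirectOrSendNotPermitted(httpServletRequest, httpServletResponse, validToken.getUserId());
                return;
            }
            if (!validateRequiredPriviliges(httpServletRequest, httpServletResponse, flowableAppUser)) {
                redirectOrSendNotPermitted(httpServletRequest, httpServletResponse, flowableAppUser.getUserObject().getId());
                return;
            }
            SecurityContextHolder.getContext().setAuthentication(
                    new RememberMeAuthenticationToken(validToken.getId(), flowableAppUser, flowableAppUser.getAuthorities()));
            if (this.filterCallback != null) {
                this.filterCallback.onValidTokenFound(httpServletRequest, httpServletResponse, validToken);
            }
        }
        try {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } finally {
            if (this.filterCallback != null) {
                this.filterCallback.onFilterCleanup(httpServletRequest, httpServletResponse);
            }
        }
    }

    /**
     * Returns the token referenced by the login cookie when the value in the cookie matches the
     * value IDM holds for that token id, otherwise {@code null}.
     *
     * <p>On a mismatch the cached entry is dropped and fetched once more from IDM before giving up
     * (presumably so a token re-issued in IDM is picked up without waiting for expiry). A cookie
     * that cannot be decoded, a token id IDM does not know, or an IDM failure all count as
     * "no valid token" and are logged at trace level only, so a malformed cookie produces a
     * redirect/403 rather than an error page.
     */
    protected RemoteToken getValidToken(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (!CookieConstants.COOKIE_NAME.equals(cookie.getName())) {
                continue;
            }
            try {
                String[] tokenParts = decodeCookie(cookie.getValue());
                String tokenId = tokenParts[0];
                String presentedValue = tokenParts[1];
                RemoteToken cachedToken = this.tokenCache.get(tokenId);
                if (tokenValueMatches(cachedToken, presentedValue)) {
                    return cachedToken;
                }
                this.tokenCache.invalidate(tokenId);
                RemoteToken freshToken = this.tokenCache.get(tokenId);
                return tokenValueMatches(freshToken, presentedValue) ? freshToken : null;
            } catch (Exception e) {
                LOGGER.trace("Could not get token", e);
                return null;
            }
        }
        return null;
    }

    /**
     * Compares the token value presented in the cookie with the one IDM holds in constant time,
     * so that the comparison does not leak how many leading bytes of the secret were correct.
     */
    private static boolean tokenValueMatches(RemoteToken token, String presentedValue) {
        byte[] expected = token.getValue().getBytes(StandardCharsets.UTF_8);
        byte[] presented = presentedValue.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, presented);
    }

    /**
     * Checks that the user holds every privilege in {@link #getRequiredPrivileges()}.
     *
     * <p>The check is skipped (returns {@code true}) when no user is given, when no required
     * privileges are configured, or when the request targets a non-root path starting with
     * {@code /rest}. A user with no authorities at all fails the check.
     *
     * <p>The comparison is set based: each required privilege must appear among the user's
     * authorities. Counting matches, as an earlier version did, would accept a user whose
     * authority list repeats one required privilege often enough to reach the required count.
     *
     * @param httpServletResponse unused, kept for subclasses that override this method
     */
    protected boolean validateRequiredPriviliges(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FlowableAppUser flowableAppUser) {
        if (flowableAppUser == null) {
            return true;
        }
        String pathInfo = httpServletRequest.getPathInfo();
        boolean restPath = !isRootPath(httpServletRequest) && pathInfo.startsWith("/rest");
        if (restPath || this.requiredPrivileges == null || this.requiredPrivileges.isEmpty()) {
            return true;
        }
        Collection<? extends GrantedAuthority> authorities = flowableAppUser.getAuthorities();
        if (authorities == null || authorities.isEmpty()) {
            return false;
        }
        Set<String> grantedNames = new HashSet<>();
        for (GrantedAuthority authority : authorities) {
            grantedNames.add(authority.getAuthority());
        }
        return grantedNames.containsAll(this.requiredPrivileges);
    }

    /**
     * Rejects the request: redirects to the IDM login page for the root path, otherwise answers
     * with a plain 403.
     *
     * @param str id of the user whose cached entry is to be invalidated before redirecting, or
     *            {@code null} when no user could be resolved
     */
    protected void redirectOrSendNotPermitted(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        if (isRootPath(httpServletRequest)) {
            redirectToLogin(httpServletRequest, httpServletResponse, str);
        } else {
            sendNotPermitted(httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Redirects to the IDM login page, passing the URL to return to after login.
     *
     * <p>The return URL is the configured {@code redirectOnAuthSuccess} value or, when none is
     * configured, the URL of the current request as reconstructed by the container (which includes
     * the client-supplied {@code Host} header). It is appended without URL encoding; whether the
     * IDM side validates it before redirecting back is not visible here.
     *
     * @param str id of the user whose cached entry is invalidated first, or {@code null}
     */
    protected void redirectToLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        if (str != null) {
            this.userCache.invalidate(str);
        }
        String loginUrl = this.idmAppUrl + "#/login?redirectOnAuthSuccess=true&redirectUrl=";
        String target;
        if (this.redirectUrlOnAuthSuccess != null) {
            target = loginUrl + this.redirectUrlOnAuthSuccess;
        } else {
            target = loginUrl + httpServletRequest.getRequestURL();
        }
        try {
            httpServletResponse.sendRedirect(target);
        } catch (IOException e) {
            LOGGER.warn("Could not redirect to {}", this.idmAppUrl, e);
        }
    }

    /** Answers with an empty 403; the caller is responsible for not continuing the chain. */
    protected void sendNotPermitted(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
    }

    /** {@code true} when the request has no path info, an empty one, or exactly {@code /}. */
    protected boolean isRootPath(HttpServletRequest httpServletRequest) {
        String pathInfo = httpServletRequest.getPathInfo();
        return pathInfo == null || "".equals(pathInfo) || "/".equals(pathInfo);
    }

    /**
     * {@code true} when the request URI ends with one of the static-resource suffixes in
     * {@link #UNAUTHENTICATED_SUFFIXES}. Only the suffix of the URI is inspected, so anything the
     * container serves under such a URI is served without authentication; keep the list limited
     * to suffixes that map to static resources only.
     */
    protected boolean skipAuthenticationCheck(HttpServletRequest httpServletRequest) {
        String requestUri = httpServletRequest.getRequestURI();
        for (String suffix : UNAUTHENTICATED_SUFFIXES) {
            if (requestUri.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Decodes the cookie value into its {@value #DELIMITER}-separated, URL-decoded parts.
     *
     * <p>Missing Base64 padding is restored first. The caller relies on at least two parts (token
     * id, token value); a shorter result is not rejected here.
     *
     * @throws InvalidCookieException when the value is not valid Base64 or a part holds a malformed
     *         percent-escape (the message carries the padded cookie value)
     */
    protected String[] decodeCookie(String str) throws InvalidCookieException {
        String padded = str;
        int missingPadding = (4 - str.length() % 4) % 4;
        for (int i = 0; i < missingPadding; i++) {
            padded = padded + "=";
        }
        try {
            byte[] raw = Base64.getDecoder().decode(padded.getBytes(StandardCharsets.US_ASCII));
            String[] parts = StringUtils.delimitedListToStringArray(new String(raw, StandardCharsets.UTF_8), DELIMITER);
            for (int i = 0; i < parts.length; i++) {
                try {
                    parts[i] = URLDecoder.decode(parts[i], StandardCharsets.UTF_8.name());
                } catch (UnsupportedEncodingException e) {
                    // Cannot happen for UTF-8, which every JVM supports; kept for the checked signature
                    LOGGER.error(e.getMessage(), e);
                }
            }
            return parts;
        } catch (IllegalArgumentException e) {
            throw new InvalidCookieException("Cookie token was not Base64 encoded; value was '" + padded + "'");
        }
    }

    public Collection<String> getRequiredPrivileges() {
        return this.requiredPrivileges;
    }

    /** Stores the given collection by reference; later changes to it are seen by this filter. */
    public void setRequiredPrivileges(Collection<String> collection) {
        this.requiredPrivileges = collection;
    }

    @Autowired(required = false)
    public void setFilterCallback(FlowableCookieFilterCallback flowableCookieFilterCallback) {
        this.filterCallback = flowableCookieFilterCallback;
    }
}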
