package org.flowable.app.filter;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.concurrent.TimeUnit;
import javax.annotation.PostConstruct;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.flowable.app.model.common.RemoteToken;
import org.flowable.app.model.common.RemoteUser;
import org.flowable.app.security.CookieConstants;
import org.flowable.app.security.FlowableAppUser;
import org.flowable.app.service.idm.RemoteIdmService;
import org.flowable.engine.common.api.FlowableException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.config.http.PortMappingsBeanDefinitionParser;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.rememberme.InvalidCookieException;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:WEB-INF/lib/flowable-ui-common-6.0.0.RC1.jar:org/flowable/app/filter/FlowableCookieFilter.class */
public class FlowableCookieFilter extends OncePerRequestFilter {
    private final Logger logger = LoggerFactory.getLogger(FlowableCookieFilter.class);
    protected static final String DELIMITER = ":";

    @Autowired
    protected Environment env;

    @Autowired
    protected RemoteIdmService remoteIdmService;

    @Autowired(required = false)
    protected FlowableCookieFilterCallback filterCallback;
    protected String idmAppUrl;
    protected Collection<String> requiredPrivileges;
    protected LoadingCache<String, RemoteToken> tokenCache;
    protected LoadingCache<String, FlowableAppUser> userCache;

    @PostConstruct
    protected void initCaches() {
        initIdmAppRedirectUrl();
        initTokenCache();
        initUserCache();
    }

    protected void initIdmAppRedirectUrl() {
        this.idmAppUrl = this.env.getProperty("idm.app.redirect.url");
        if (this.idmAppUrl == null || this.idmAppUrl.isEmpty()) {
            this.idmAppUrl = this.env.getRequiredProperty("idm.app.url");
        }
        if (this.idmAppUrl.endsWith("/")) {
            return;
        }
        this.idmAppUrl += "/";
    }

    protected void initTokenCache() {
        this.tokenCache = CacheBuilder.newBuilder().maximumSize(((Long) this.env.getProperty("cache.login-tokens.max.size", Long.class, 2048L)).longValue()).expireAfterWrite(((Long) this.env.getProperty("cache.login-tokens.max.age", Long.class, 30L)).longValue(), TimeUnit.SECONDS).recordStats().build(new CacheLoader<String, RemoteToken>() { // from class: org.flowable.app.filter.FlowableCookieFilter.1
            @Override // com.google.common.cache.CacheLoader
            public RemoteToken load(String str) throws Exception {
                RemoteToken token = FlowableCookieFilter.this.remoteIdmService.getToken(str);
                if (token != null) {
                    return token;
                }
                throw new FlowableException("token not found " + str);
            }
        });
    }

    protected void initUserCache() {
        this.userCache = CacheBuilder.newBuilder().maximumSize(((Long) this.env.getProperty("cache.login-users.max.size", Long.class, 2048L)).longValue()).expireAfterWrite(((Long) this.env.getProperty("cache.login-users.max.age", Long.class, 30L)).longValue(), TimeUnit.SECONDS).recordStats().build(new CacheLoader<String, FlowableAppUser>() { // from class: org.flowable.app.filter.FlowableCookieFilter.2
            @Override // com.google.common.cache.CacheLoader
            public FlowableAppUser load(String str) throws Exception {
                RemoteUser user = FlowableCookieFilter.this.remoteIdmService.getUser(str);
                if (user == null) {
                    throw new FlowableException("user not found " + str);
                }
                ArrayList arrayList = new ArrayList();
                Iterator<String> it = user.getPrivileges().iterator();
                while (it.hasNext()) {
                    arrayList.add(new SimpleGrantedAuthority(it.next()));
                }
                return new FlowableAppUser(user, user.getId(), arrayList);
            }
        });
    }

    @Override // org.springframework.web.filter.OncePerRequestFilter
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (!skipAuthenticationCheck(httpServletRequest)) {
            RemoteToken validToken = getValidToken(httpServletRequest);
            if (validToken == null) {
                redirectOrSendNotPermitted(httpServletRequest, httpServletResponse, null);
                return;
            } else {
                onValidTokenFound(httpServletRequest, httpServletResponse, validToken);
                if (this.filterCallback != null) {
                    this.filterCallback.onValidTokenFound(httpServletRequest, httpServletResponse, validToken);
                }
            }
        }
        try {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            if (this.filterCallback != null) {
                this.filterCallback.onFilterCleanup(httpServletRequest, httpServletResponse);
            }
        } catch (Throwable th) {
            if (this.filterCallback != null) {
                this.filterCallback.onFilterCleanup(httpServletRequest, httpServletResponse);
            }
            throw th;
        }
    }

    protected RemoteToken getValidToken(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (CookieConstants.COOKIE_NAME.equals(cookie.getName())) {
                String[] decodeCookie = decodeCookie(cookie.getValue());
                try {
                    RemoteToken remoteToken = this.tokenCache.get(decodeCookie[0]);
                    if (remoteToken.getValue().equals(decodeCookie[1])) {
                        return remoteToken;
                    }
                    this.tokenCache.invalidate(decodeCookie[0]);
                    RemoteToken remoteToken2 = this.tokenCache.get(decodeCookie[0]);
                    if (remoteToken2.getValue().equals(decodeCookie[1])) {
                        return remoteToken2;
                    }
                    return null;
                } catch (Exception e) {
                    this.logger.trace("Could not get token", (Throwable) e);
                    return null;
                }
            }
        }
        return null;
    }

    protected void onValidTokenFound(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, RemoteToken remoteToken) {
        try {
            FlowableAppUser flowableAppUser = this.userCache.get(remoteToken.getUserId());
            validateRequiredPriviliges(httpServletRequest, httpServletResponse, flowableAppUser);
            SecurityContextHolder.getContext().setAuthentication(new RememberMeAuthenticationToken(remoteToken.getId(), flowableAppUser, flowableAppUser.getAuthorities()));
        } catch (Exception e) {
            this.logger.trace("Could not set necessary threadlocals for token, e");
            redirectOrSendNotPermitted(httpServletRequest, httpServletResponse, remoteToken.getUserId());
        }
    }

    protected void validateRequiredPriviliges(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FlowableAppUser flowableAppUser) {
        if (flowableAppUser == null) {
            return;
        }
        String pathInfo = httpServletRequest.getPathInfo();
        if ((isRootPath(httpServletRequest) || !pathInfo.startsWith("/rest")) && this.requiredPrivileges != null && this.requiredPrivileges.size() > 0) {
            if (flowableAppUser.getAuthorities() == null || flowableAppUser.getAuthorities().size() == 0) {
                redirectOrSendNotPermitted(httpServletRequest, httpServletResponse, flowableAppUser.getUserObject().getId());
            }
            int i = 0;
            Iterator<GrantedAuthority> it = flowableAppUser.getAuthorities().iterator();
            while (it.hasNext()) {
                if (this.requiredPrivileges.contains(it.next().getAuthority())) {
                    i++;
                }
            }
            if (i != this.requiredPrivileges.size()) {
                redirectOrSendNotPermitted(httpServletRequest, httpServletResponse, flowableAppUser.getUserObject().getId());
            }
        }
    }

    protected void redirectOrSendNotPermitted(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        if (isRootPath(httpServletRequest)) {
            redirectToLogin(httpServletRequest, httpServletResponse, str);
        } else {
            sendNotPermitted(httpServletRequest, httpServletResponse);
        }
    }

    protected void redirectToLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        if (str != null) {
            try {
                this.userCache.invalidate(str);
            } catch (IOException e) {
                this.logger.warn("Could not redirect to " + this.idmAppUrl, (Throwable) e);
                return;
            }
        }
        httpServletResponse.sendRedirect(this.idmAppUrl + "#/login?redirectOnAuthSuccess=true&redirectUrl=" + ((Object) httpServletRequest.getRequestURL()));
    }

    protected void sendNotPermitted(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        httpServletResponse.setStatus(403);
    }

    protected boolean isRootPath(HttpServletRequest httpServletRequest) {
        String pathInfo = httpServletRequest.getPathInfo();
        return pathInfo == null || "".equals(pathInfo) || "/".equals(pathInfo);
    }

    protected boolean skipAuthenticationCheck(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getRequestURI().endsWith(".css") || httpServletRequest.getRequestURI().endsWith(".js") || httpServletRequest.getRequestURI().endsWith(".html") || httpServletRequest.getRequestURI().endsWith(".map") || httpServletRequest.getRequestURI().endsWith(".woff") || httpServletRequest.getRequestURI().endsWith(".map") || httpServletRequest.getRequestURI().endsWith(".png") || httpServletRequest.getRequestURI().endsWith(".jpg");
    }

    protected String[] decodeCookie(String str) throws InvalidCookieException {
        for (int i = 0; i < str.length() % 4; i++) {
            str = str + "=";
        }
        if (!Base64.isBase64(str.getBytes())) {
            throw new InvalidCookieException("Cookie token was not Base64 encoded; value was '" + str + "'");
        }
        String[] delimitedListToStringArray = StringUtils.delimitedListToStringArray(new String(Base64.decodeBase64(str.getBytes())), ":");
        if ((delimitedListToStringArray[0].equalsIgnoreCase("http") || delimitedListToStringArray[0].equalsIgnoreCase(PortMappingsBeanDefinitionParser.ATT_HTTPS_PORT)) && delimitedListToStringArray[1].startsWith("//")) {
            String[] strArr = new String[delimitedListToStringArray.length - 1];
            strArr[0] = delimitedListToStringArray[0] + ":" + delimitedListToStringArray[1];
            System.arraycopy(delimitedListToStringArray, 2, strArr, 1, strArr.length - 1);
            delimitedListToStringArray = strArr;
        }
        return delimitedListToStringArray;
    }

    public Collection<String> getRequiredPrivileges() {
        return this.requiredPrivileges;
    }

    public void setRequiredPrivileges(Collection<String> collection) {
        this.requiredPrivileges = collection;
    }
}
