package org.artifactory.webapp.servlet.authentication;

import java.io.IOException;
import java.util.Collection;
import javax.annotation.Nonnull;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.artifactory.security.access.AccessService;
import org.jfrog.access.token.JwtAccessToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:org/artifactory/webapp/servlet/authentication/ArtifactoryAccessTokenAuthenticationFilter.class */
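/**
 * Authentication filter that accepts an access token passed as the leading query parameter
 * ({@code ?token=<value>}) and authenticates the request with it.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The token value is a bearer credential. It must never be written to logs or echoed back in
 *       a response body; this class only logs the subject name derived from the token.</li>
 *   <li>Because the credential travels in the URL, it can also be recorded by components outside
 *       this class (reverse-proxy and servlet-container access logs, {@code Referer} headers,
 *       browser history). Deployments that use this filter should scrub or disable query-string
 *       logging on those layers and prefer short-lived tokens.</li>
 * </ul>
 */
public class ArtifactoryAccessTokenAuthenticationFilter implements ArtifactoryAuthenticationFilter {
    private static final Logger log = LoggerFactory.getLogger(ArtifactoryAccessTokenAuthenticationFilter.class);
    private static final String TOKEN_QUERY_PARAM_PREFIX = "token=";
    private final AuthenticationManager passwordDecryptingManager;

    @Autowired
    private AccessService accessService;

    /**
     * @param authenticationManager manager that validates the (subject, token value) pair built in
     *                              {@link #doFilter}
     */
    public ArtifactoryAccessTokenAuthenticationFilter(AuthenticationManager authenticationManager) {
        this.passwordDecryptingManager = authenticationManager;
    }

    /**
     * Always returns {@code false}: this filter never asks for an already-present authentication
     * to be re-established.
     */
    @Override // org.artifactory.webapp.servlet.authentication.ArtifactoryAuthenticationFilter
    public boolean requiresReAuthentication(ServletRequest servletRequest, Authentication authentication) {
        return false;
    }

    /**
     * Accepts the request only when its query string starts with {@code token=} and the remainder
     * parses as an access token.
     */
    @Override // org.artifactory.webapp.servlet.authentication.ArtifactoryAuthenticationFilter
    public boolean acceptFilter(ServletRequest servletRequest) {
        return extractQueryParamAccessToken((HttpServletRequest) servletRequest) != null;
    }

    /**
     * Returns the raw text that follows {@code token=} in the query string, or {@code null} when
     * the query string is absent or does not start with that prefix.
     *
     * <p>NOTE(review): the returned key is the unparsed credential itself. Confirm that whatever
     * cache consumes this key never logs, exports or persists its keys.
     */
    @Override // org.artifactory.webapp.servlet.authentication.ArtifactoryAuthenticationFilter
    public String getCacheKey(ServletRequest servletRequest) {
        return rawTokenFromQuery((HttpServletRequest) servletRequest);
    }

    /**
     * Returns the username associated with the query-parameter token, or {@code null} when the
     * request carries no parseable token.
     */
    @Override // org.artifactory.webapp.servlet.authentication.ArtifactoryAuthenticationFilter
    public String getLoginIdentifier(ServletRequest servletRequest) {
        JwtAccessToken accessToken = extractQueryParamAccessToken((HttpServletRequest) servletRequest);
        return accessToken == null ? null : extractUsername(accessToken);
    }

    public void init(FilterConfig filterConfig) {
    }

    /**
     * Authenticates the request with the query-parameter token when one is present, then continues
     * the chain. On authentication failure the security context is cleared and a 401 is sent.
     *
     * <p>Neither the log lines nor the 401 message contain the token value: a token that fails here
     * may still be valid elsewhere (or become valid), and log files and error pages are readable by
     * a wider audience than the token's owner.
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        JwtAccessToken accessToken = extractQueryParamAccessToken(httpRequest);
        if (accessToken != null) {
            String subjectUsername = null;
            try {
                // NOTE(review): unlike extractUsername(), this path does not fall back to
                // getSubject() when the service returns null; confirm that is intended.
                subjectUsername = this.accessService.extractSubjectUsername(accessToken);
                log.trace("trying authenticate with query param access token for subject '{}'", sanitizeForLog(subjectUsername));
                Authentication authenticated = this.passwordDecryptingManager.authenticate(
                        new UsernamePasswordAuthenticationToken(subjectUsername, accessToken.getTokenValue(), (Collection) null));
                SecurityContextHolder.getContext().setAuthentication(authenticated);
                log.trace("authentication with query param access token for subject '{}' succeeded", sanitizeForLog(subjectUsername));
            } catch (AuthenticationException e) {
                SecurityContextHolder.clearContext();
                // The subject comes from a token that just failed authentication, so it is
                // unverified input: it is sanitized before logging and never sent to the client.
                log.error("Failed to authenticate request with query param access token for subject '{}'", sanitizeForLog(subjectUsername));
                log.debug("Query param access token authentication failure", e);
                // 401 Unauthorized, with a fixed message that does not reflect request data.
                httpResponse.sendError(401, "Failed to authenticate request with the supplied access token");
                return;
            }
        }
        filterChain.doFilter(httpRequest, httpResponse);
    }

    public void destroy() {
    }

    /**
     * Resolves the username for a token: the access service's answer when it has one, otherwise
     * the token's own subject.
     */
    @Nonnull
    private String extractUsername(@Nonnull JwtAccessToken jwtAccessToken) {
        String subjectUsername = this.accessService.extractSubjectUsername(jwtAccessToken);
        return subjectUsername != null ? subjectUsername : jwtAccessToken.getSubject();
    }

    /**
     * Parses the query-parameter token, returning {@code null} when there is none or it does not
     * parse.
     */
    private JwtAccessToken extractQueryParamAccessToken(HttpServletRequest httpServletRequest) {
        String rawToken = rawTokenFromQuery(httpServletRequest);
        return rawToken == null ? null : quietlyParseToken(rawToken);
    }

    /**
     * Returns everything after the leading {@code token=} of the raw (undecoded) query string, or
     * {@code null} when the query string is missing or starts with something else. Any further
     * {@code &name=value} pairs are part of the returned text, exactly as before.
     */
    private static String rawTokenFromQuery(HttpServletRequest httpServletRequest) {
        String queryString = httpServletRequest.getQueryString();
        if (queryString == null || !queryString.startsWith(TOKEN_QUERY_PARAM_PREFIX)) {
            return null;
        }
        // Plain prefix strip; the prefix is known to be present, so no regex is needed.
        return queryString.substring(TOKEN_QUERY_PARAM_PREFIX.length());
    }

    /**
     * Parses {@code str} as an access token, returning {@code null} instead of throwing when the
     * access service rejects it with {@link IllegalArgumentException}.
     */
    private JwtAccessToken quietlyParseToken(String str) {
        try {
            return this.accessService.parseToken(str);
        } catch (IllegalArgumentException e) {
            // NOTE(review): confirm the parser's exception message cannot embed the token text,
            // since the exception is written to the trace log here.
            log.trace("", e);
            return null;
        }
    }

    /** Replaces control characters so an unverified subject cannot forge extra log lines. */
    private static String sanitizeForLog(String value) {
        return value == null ? null : value.replaceAll("\\p{Cntrl}", "_");
    }
}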
