package org.springframework.security.web.authentication.www;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.naming.ResourceRef;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.core.log.LogMessage;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.userdetails.UserCache;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.core.userdetails.cache.NullUserCache;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.GenericFilterBean;
import org.thymeleaf.standard.expression.StandardExpressionObjectFactory;

/* loaded from: input_file:ingrid-ibus-7.5.2/lib/spring-security-web-6.4.3.jar:org/springframework/security/web/authentication/www/DigestAuthenticationFilter.class */
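/**
 * Servlet filter that authenticates requests carrying an HTTP Digest {@code Authorization} header.
 *
 * <p>Requests without an {@code Authorization} header starting with {@code "Digest "} are passed
 * down the chain untouched. Otherwise the header is parsed, the nonce is checked against the
 * signature derived from the entry point's key, the user is loaded (cache first, then the
 * {@link UserDetailsService}), and the digest supplied by the client is compared with the digest
 * computed by the server. On success the resulting {@link Authentication} is stored in a fresh
 * {@link SecurityContext}; on failure the {@link DigestAuthenticationEntryPoint} is invoked.
 *
 * <p>NOTE(review): the server-side digest is computed from {@link UserDetails#getPassword()}, so
 * the stored value must be usable by {@code DigestAuthUtils.generateDigest} (cleartext, or a
 * pre-encoded value when {@code passwordAlreadyEncoded} is set); confirm against
 * {@code DigestAuthUtils}, which is not shown here.
 */
public class DigestAuthenticationFilter extends GenericFilterBean implements MessageSourceAware {
    private static final Log logger = LogFactory.getLog((Class<?>) DigestAuthenticationFilter.class);
    // Supplies the nonce-signing key and realm name, and issues the challenge on failure.
    private DigestAuthenticationEntryPoint authenticationEntryPoint;
    private UserDetailsService userDetailsService;
    private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder.getContextHolderStrategy();
    private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
    private UserCache userCache = new NullUserCache();
    // Forwarded unchanged to DigestAuthUtils.generateDigest.
    private boolean passwordAlreadyEncoded = false;
    // When true the success token is built with authenticated(...), otherwise with unauthenticated(...).
    private boolean createAuthenticatedToken = false;
    private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:ingrid-ibus-7.5.2/lib/spring-security-web-6.4.3.jar:org/springframework/security/web/authentication/www/DigestAuthenticationFilter$DigestData.class */
    /**
     * Parsed view of one Digest {@code Authorization} header, plus the nonce expiry time that
     * {@link #validateAndDecode(String, String)} extracts from the nonce.
     */
    public class DigestData {
        private final String username;
        private final String realm;
        private final String nonce;
        private final String uri;
        private final String response;
        private final String qop;
        private final String nc;
        private final String cnonce;
        // Header value with the leading "Digest " scheme prefix removed.
        private final String section212response;
        private long nonceExpiryTime;

        /**
         * Splits the header into its directives.
         *
         * @param header the full {@code Authorization} header value; the caller has already
         *     checked that it starts with {@code "Digest "}, which is why the first seven
         *     characters can be dropped unconditionally
         */
        DigestData(String header) {
            this.section212response = header.substring(7);
            String[] directives = DigestAuthUtils.splitIgnoringQuotes(this.section212response, ',');
            Map<String, String> headerMap = DigestAuthUtils.splitEachArrayElementAndCreateMap(directives, "=", "\"");
            this.username = headerMap.get("username");
            this.realm = headerMap.get("realm");
            this.nonce = headerMap.get("nonce");
            this.uri = headerMap.get("uri");
            // Literal directive name; the decompiler had substituted an unrelated Thymeleaf
            // constant that happens to hold the same string.
            this.response = headerMap.get("response");
            this.qop = headerMap.get("qop");
            this.nc = headerMap.get("nc");
            this.cnonce = headerMap.get("cnonce");
            DigestAuthenticationFilter.logger.debug(LogMessage.format("Extracted username: '%s'; realm: '%s'; nonce: '%s'; uri: '%s'; response: '%s'", this.username, this.realm, this.nonce, this.uri, this.response));
        }

        /**
         * Checks that the mandatory directives are present, that the realm matches, and that the
         * nonce is a Base64-encoded {@code expiryTime:signature} pair whose signature equals
         * {@code md5Hex(expiryTime + ":" + entryPointKey)}. Stores the expiry time on success.
         *
         * @param entryPointKey the server-side key the nonce signature must be bound to
         * @param expectedRealm the realm name configured on the entry point
         * @throws BadCredentialsException if any of the checks fails
         */
        void validateAndDecode(String entryPointKey, String expectedRealm) throws BadCredentialsException {
            if (this.username == null || this.realm == null || this.nonce == null || this.uri == null || this.response == null) {
                throw new BadCredentialsException(DigestAuthenticationFilter.this.messages.getMessage("DigestAuthenticationFilter.missingMandatory", new Object[]{this.section212response}, "Missing mandatory digest value; received header {0}"));
            }
            // qop=auth additionally requires the nonce count and the client nonce.
            if ("auth".equals(this.qop) && (this.nc == null || this.cnonce == null)) {
                DigestAuthenticationFilter.logger.debug(LogMessage.format("extracted nc: '%s'; cnonce: '%s'", this.nc, this.cnonce));
                throw new BadCredentialsException(DigestAuthenticationFilter.this.messages.getMessage("DigestAuthenticationFilter.missingAuth", new Object[]{this.section212response}, "Missing mandatory digest value; received header {0}"));
            }
            if (!expectedRealm.equals(this.realm)) {
                throw new BadCredentialsException(DigestAuthenticationFilter.this.messages.getMessage("DigestAuthenticationFilter.incorrectRealm", new Object[]{this.realm, expectedRealm}, "Response realm name '{0}' does not match system realm name of '{1}'"));
            }
            final String decodedNonce;
            try {
                // Explicit charset so decoding does not depend on the platform default.
                decodedNonce = new String(Base64.getDecoder().decode(this.nonce.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException ex) {
                throw new BadCredentialsException(DigestAuthenticationFilter.this.messages.getMessage("DigestAuthenticationFilter.nonceEncoding", new Object[]{this.nonce}, "Nonce is not encoded in Base64; received nonce {0}"));
            }
            String[] nonceTokens = StringUtils.delimitedListToStringArray(decodedNonce, ":");
            if (nonceTokens.length != 2) {
                throw new BadCredentialsException(DigestAuthenticationFilter.this.messages.getMessage("DigestAuthenticationFilter.nonceNotTwoTokens", new Object[]{decodedNonce}, "Nonce should have yielded two tokens but was {0}"));
            }
            try {
                this.nonceExpiryTime = Long.parseLong(nonceTokens[0]);
            } catch (NumberFormatException ex) {
                throw new BadCredentialsException(DigestAuthenticationFilter.this.messages.getMessage("DigestAuthenticationFilter.nonceNotNumeric", new Object[]{decodedNonce}, "Nonce token should have yielded a numeric first token, but was {0}"));
            }
            // The signature must cover the server-side key. The decompiled listing hashed
            // expiryTime + ":" + expiryTime and never read the key parameter, which would make
            // the nonce signature computable without any server secret.
            String expectedNonceSignature = DigestAuthUtils.md5Hex(this.nonceExpiryTime + ":" + entryPointKey);
            if (!constantTimeEquals(expectedNonceSignature, nonceTokens[1])) {
                throw new BadCredentialsException(DigestAuthenticationFilter.this.messages.getMessage("DigestAuthenticationFilter.nonceCompromised", new Object[]{decodedNonce}, "Nonce token compromised {0}"));
            }
        }

        /**
         * Computes the digest the server expects for this header.
         *
         * @param password the value of {@link UserDetails#getPassword()} for the user
         * @param httpMethod the HTTP method of the current request
         * @return the result of {@code DigestAuthUtils.generateDigest} for the parsed directives
         */
        String calculateServerDigest(String password, String httpMethod) {
            return DigestAuthUtils.generateDigest(DigestAuthenticationFilter.this.passwordAlreadyEncoded, this.username, this.realm, password, httpMethod, this.uri, this.qop, this.nonce, this.nc, this.cnonce);
        }

        /**
         * @return {@code true} if the expiry time decoded from the nonce lies before the current
         *     system time; only meaningful after {@link #validateAndDecode(String, String)}
         */
        boolean isNonceExpired() {
            return this.nonceExpiryTime < System.currentTimeMillis();
        }

        /** @return the {@code username} directive, or {@code null} if absent */
        String getUsername() {
            return this.username;
        }

        /** @return the {@code response} directive, or {@code null} if absent */
        String getResponse() {
            return this.response;
        }
    }

    /**
     * Compares two digest strings without short-circuiting on the first differing character,
     * so the comparison time does not reveal how much of a guessed value was correct.
     *
     * @param expected the server-computed value
     * @param actual the client-supplied value
     * @return {@code true} if both are non-null and equal
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8));
    }

    /** Verifies that the mandatory collaborators have been configured. */
    @Override // org.springframework.web.filter.GenericFilterBean, org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() {
        Assert.notNull(this.userDetailsService, "A UserDetailsService is required");
        Assert.notNull(this.authenticationEntryPoint, "A DigestAuthenticationEntryPoint is required");
    }

    /** Casts to the HTTP servlet types and delegates to the HTTP-specific overload. */
    @Override // jakarta.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        doFilter((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse, filterChain);
    }

    /**
     * Processes a Digest {@code Authorization} header if one is present.
     *
     * <p>The nonce expiry is evaluated only after the digest has matched, so an expired-nonce
     * failure is reported only to a client that has proven knowledge of the credentials.
     */
    private void doFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null || !header.startsWith("Digest ")) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        // NOTE(review): the debug statements in this method write the raw Authorization header,
        // the client's response digest and, on mismatch, the digest the server expected. Treat
        // debug output of this logger as credential material.
        logger.debug(LogMessage.format("Digest Authorization header received from user agent: %s", header));
        DigestData digestData = new DigestData(header);
        try {
            digestData.validateAndDecode(this.authenticationEntryPoint.getKey(), this.authenticationEntryPoint.getRealmName());
            boolean cacheWasUsed = true;
            UserDetails user = this.userCache.getUserFromCache(digestData.getUsername());
            if (user == null) {
                cacheWasUsed = false;
                try {
                    user = this.userDetailsService.loadUserByUsername(digestData.getUsername());
                    if (user == null) {
                        throw new AuthenticationServiceException("AuthenticationDao returned null, which is an interface contract violation");
                    }
                    this.userCache.putUserInCache(user);
                } catch (UsernameNotFoundException e) {
                    fail(httpServletRequest, httpServletResponse, new BadCredentialsException(this.messages.getMessage("DigestAuthenticationFilter.usernameNotFound", new Object[]{digestData.getUsername()}, "Username {0} not found")));
                    return;
                }
            }
            String serverDigest = digestData.calculateServerDigest(user.getPassword(), httpServletRequest.getMethod());
            // A cached entry may hold a stale password: reload once before rejecting.
            if (cacheWasUsed && !constantTimeEquals(serverDigest, digestData.getResponse())) {
                logger.debug("Digest comparison failure; trying to refresh user from DAO in case password had changed");
                user = this.userDetailsService.loadUserByUsername(digestData.getUsername());
                this.userCache.putUserInCache(user);
                serverDigest = digestData.calculateServerDigest(user.getPassword(), httpServletRequest.getMethod());
            }
            if (!constantTimeEquals(serverDigest, digestData.getResponse())) {
                logger.debug(LogMessage.format("Expected response: '%s' but received: '%s'; is AuthenticationDao returning clear text passwords?", serverDigest, digestData.getResponse()));
                fail(httpServletRequest, httpServletResponse, new BadCredentialsException(this.messages.getMessage("DigestAuthenticationFilter.incorrectResponse", "Incorrect response")));
                return;
            }
            if (digestData.isNonceExpired()) {
                fail(httpServletRequest, httpServletResponse, new NonceExpiredException(this.messages.getMessage("DigestAuthenticationFilter.nonceExpired", "Nonce has expired/timed out")));
                return;
            }
            logger.debug(LogMessage.format("Authentication success for user: '%s' with response: '%s'", digestData.getUsername(), digestData.getResponse()));
            Authentication authentication = createSuccessfulAuthentication(httpServletRequest, user);
            SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
            context.setAuthentication(authentication);
            this.securityContextHolderStrategy.setContext(context);
            this.securityContextRepository.saveContext(context, httpServletRequest, httpServletResponse);
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } catch (BadCredentialsException e2) {
            fail(httpServletRequest, httpServletResponse, e2);
        }
    }

    /** Builds the success token and attaches the request details to it. */
    private Authentication createSuccessfulAuthentication(HttpServletRequest httpServletRequest, UserDetails userDetails) {
        UsernamePasswordAuthenticationToken authRequest = getAuthRequest(userDetails);
        authRequest.setDetails(this.authenticationDetailsSource.buildDetails(httpServletRequest));
        return authRequest;
    }

    /**
     * Creates the token for a verified user: an authenticated token carrying the user's
     * authorities when {@code createAuthenticatedToken} is set, an unauthenticated one otherwise.
     */
    private UsernamePasswordAuthenticationToken getAuthRequest(UserDetails userDetails) {
        if (this.createAuthenticatedToken) {
            return UsernamePasswordAuthenticationToken.authenticated(userDetails, userDetails.getPassword(), userDetails.getAuthorities());
        }
        return UsernamePasswordAuthenticationToken.unauthenticated(userDetails, userDetails.getPassword());
    }

    /**
     * Replaces the current security context with an empty one, logs the failure and lets the
     * entry point answer the request.
     */
    private void fail(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        this.securityContextHolderStrategy.setContext(this.securityContextHolderStrategy.createEmptyContext());
        logger.debug(authenticationException);
        this.authenticationEntryPoint.commence(httpServletRequest, httpServletResponse, authenticationException);
    }

    /** @return the configured entry point */
    protected final DigestAuthenticationEntryPoint getAuthenticationEntryPoint() {
        return this.authenticationEntryPoint;
    }

    /** @return the user cache consulted before the {@link UserDetailsService} */
    public UserCache getUserCache() {
        return this.userCache;
    }

    /** @return the configured {@link UserDetailsService} */
    public UserDetailsService getUserDetailsService() {
        return this.userDetailsService;
    }

    /**
     * @param authenticationDetailsSource source of the details attached to the success token;
     *     must not be {@code null}
     */
    public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
        Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
        this.authenticationDetailsSource = authenticationDetailsSource;
    }

    /** @param digestAuthenticationEntryPoint entry point; required by {@link #afterPropertiesSet()} */
    public void setAuthenticationEntryPoint(DigestAuthenticationEntryPoint digestAuthenticationEntryPoint) {
        this.authenticationEntryPoint = digestAuthenticationEntryPoint;
    }

    /** @param messageSource source wrapped in a new {@link MessageSourceAccessor} for error messages */
    @Override // org.springframework.context.MessageSourceAware
    public void setMessageSource(MessageSource messageSource) {
        this.messages = new MessageSourceAccessor(messageSource);
    }

    /** @param z value passed as the first argument of {@code DigestAuthUtils.generateDigest} */
    public void setPasswordAlreadyEncoded(boolean z) {
        this.passwordAlreadyEncoded = z;
    }

    /** @param userCache cache consulted before the {@link UserDetailsService} */
    public void setUserCache(UserCache userCache) {
        this.userCache = userCache;
    }

    /** @param userDetailsService user lookup; required by {@link #afterPropertiesSet()} */
    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    /** @param z {@code true} to create an authenticated success token with the user's authorities */
    public void setCreateAuthenticatedToken(boolean z) {
        this.createAuthenticatedToken = z;
    }

    /** @param securityContextRepository repository the success context is saved to; must not be {@code null} */
    public void setSecurityContextRepository(SecurityContextRepository securityContextRepository) {
        Assert.notNull(securityContextRepository, "securityContextRepository cannot be null");
        this.securityContextRepository = securityContextRepository;
    }

    /** @param securityContextHolderStrategy strategy used to create and set contexts; must not be {@code null} */
    public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
        Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
        this.securityContextHolderStrategy = securityContextHolderStrategy;
    }
}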
