package org.springframework.security.web.server.authentication;

import java.util.ArrayList;
import java.util.Objects;
import java.util.Optional;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
import org.springframework.http.HttpMethod;
import org.springframework.lang.NonNull;
import org.springframework.lang.Nullable;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

/* loaded from: input_file:ingrid-iplug-csw-dsc-7.3.5/lib/spring-security-web-5.7.11.jar:org/springframework/security/web/server/authentication/SwitchUserWebFilter.class */
public class SwitchUserWebFilter implements WebFilter {
    public static final String SPRING_SECURITY_SWITCH_USERNAME_KEY = "username";
    public static final String ROLE_PREVIOUS_ADMINISTRATOR = "ROLE_PREVIOUS_ADMINISTRATOR";
    private final ServerAuthenticationSuccessHandler successHandler;
    private final ServerAuthenticationFailureHandler failureHandler;
    private final ReactiveUserDetailsService userDetailsService;
    private final UserDetailsChecker userDetailsChecker;
    private ServerSecurityContextRepository securityContextRepository;
    private final Log logger = LogFactory.getLog(getClass());
    private ServerWebExchangeMatcher switchUserMatcher = createMatcher("/login/impersonate");
    private ServerWebExchangeMatcher exitUserMatcher = createMatcher("/logout/impersonate");

    /* loaded from: input_file:ingrid-iplug-csw-dsc-7.3.5/lib/spring-security-web-5.7.11.jar:org/springframework/security/web/server/authentication/SwitchUserWebFilter$SwitchUserAuthenticationException.class */
    private static class SwitchUserAuthenticationException extends RuntimeException {
        SwitchUserAuthenticationException(AuthenticationException authenticationException) {
            super(authenticationException);
        }
    }

    public SwitchUserWebFilter(ReactiveUserDetailsService reactiveUserDetailsService, ServerAuthenticationSuccessHandler serverAuthenticationSuccessHandler, @Nullable ServerAuthenticationFailureHandler serverAuthenticationFailureHandler) {
        Assert.notNull(reactiveUserDetailsService, "userDetailsService must be specified");
        Assert.notNull(serverAuthenticationSuccessHandler, "successHandler must be specified");
        this.userDetailsService = reactiveUserDetailsService;
        this.successHandler = serverAuthenticationSuccessHandler;
        this.failureHandler = serverAuthenticationFailureHandler;
        this.securityContextRepository = new WebSessionServerSecurityContextRepository();
        this.userDetailsChecker = new AccountStatusUserDetailsChecker();
    }

    public SwitchUserWebFilter(ReactiveUserDetailsService reactiveUserDetailsService, String str, @Nullable String str2) {
        Assert.notNull(reactiveUserDetailsService, "userDetailsService must be specified");
        Assert.notNull(str, "successTargetUrl must be specified");
        this.userDetailsService = reactiveUserDetailsService;
        this.successHandler = new RedirectServerAuthenticationSuccessHandler(str);
        this.failureHandler = str2 != null ? new RedirectServerAuthenticationFailureHandler(str2) : null;
        this.securityContextRepository = new WebSessionServerSecurityContextRepository();
        this.userDetailsChecker = new AccountStatusUserDetailsChecker();
    }

    @Override // org.springframework.web.server.WebFilter
    public Mono<Void> filter(ServerWebExchange serverWebExchange, WebFilterChain webFilterChain) {
        WebFilterExchange webFilterExchange = new WebFilterExchange(serverWebExchange, webFilterChain);
        return switchUser(webFilterExchange).switchIfEmpty(Mono.defer(() -> {
            return exitSwitchUser(webFilterExchange);
        })).switchIfEmpty(Mono.defer(() -> {
            this.logger.trace(LogMessage.format("Did not attempt to switch user since request did not match [%s] or [%s]", this.switchUserMatcher, this.exitUserMatcher));
            return webFilterChain.filter(serverWebExchange).then(Mono.empty());
        })).flatMap(authentication -> {
            return onAuthenticationSuccess(authentication, webFilterExchange);
        }).onErrorResume(SwitchUserAuthenticationException.class, switchUserAuthenticationException -> {
            return Mono.empty();
        });
    }

    protected Mono<Authentication> switchUser(WebFilterExchange webFilterExchange) {
        return this.switchUserMatcher.matches(webFilterExchange.getExchange()).filter((v0) -> {
            return v0.isMatch();
        }).flatMap(matchResult -> {
            return ReactiveSecurityContextHolder.getContext();
        }).map((v0) -> {
            return v0.getAuthentication();
        }).flatMap(authentication -> {
            return attemptSwitchUser(authentication, getUsername(webFilterExchange.getExchange()));
        }).onErrorResume(AuthenticationException.class, authenticationException -> {
            return onAuthenticationFailure(authenticationException, webFilterExchange).then(Mono.error(new SwitchUserAuthenticationException(authenticationException)));
        });
    }

    protected Mono<Authentication> exitSwitchUser(WebFilterExchange webFilterExchange) {
        return this.exitUserMatcher.matches(webFilterExchange.getExchange()).filter((v0) -> {
            return v0.isMatch();
        }).flatMap(matchResult -> {
            return ReactiveSecurityContextHolder.getContext().map((v0) -> {
                return v0.getAuthentication();
            }).switchIfEmpty(Mono.error(this::noCurrentUserException));
        }).map(this::attemptExitUser);
    }

    protected String getUsername(ServerWebExchange serverWebExchange) {
        return serverWebExchange.getRequest().getQueryParams().getFirst("username");
    }

    @NonNull
    private Mono<Authentication> attemptSwitchUser(Authentication authentication, String str) {
        Assert.notNull(str, "The userName can not be null.");
        this.logger.debug(LogMessage.format("Attempting to switch to user [%s]", str));
        Mono switchIfEmpty = this.userDetailsService.findByUsername(str).switchIfEmpty(Mono.error(this::noTargetAuthenticationException));
        UserDetailsChecker userDetailsChecker = this.userDetailsChecker;
        Objects.requireNonNull(userDetailsChecker);
        return switchIfEmpty.doOnNext(userDetailsChecker::check).map(userDetails -> {
            return createSwitchUserToken(userDetails, authentication);
        });
    }

    @NonNull
    private Authentication attemptExitUser(Authentication authentication) {
        Optional<Authentication> extractSourceAuthentication = extractSourceAuthentication(authentication);
        if (extractSourceAuthentication.isPresent()) {
            return extractSourceAuthentication.get();
        }
        this.logger.debug("Failed to find original user");
        throw noOriginalAuthenticationException();
    }

    private Mono<Void> onAuthenticationSuccess(Authentication authentication, WebFilterExchange webFilterExchange) {
        ServerWebExchange exchange = webFilterExchange.getExchange();
        SecurityContextImpl securityContextImpl = new SecurityContextImpl(authentication);
        return this.securityContextRepository.save(exchange, securityContextImpl).doOnSuccess(r6 -> {
            this.logger.debug(LogMessage.format("Switched user to %s", authentication));
        }).then(this.successHandler.onAuthenticationSuccess(webFilterExchange, authentication)).subscriberContext(ReactiveSecurityContextHolder.withSecurityContext(Mono.just(securityContextImpl)));
    }

    private Mono<Void> onAuthenticationFailure(AuthenticationException authenticationException, WebFilterExchange webFilterExchange) {
        return Mono.justOrEmpty(this.failureHandler).switchIfEmpty(Mono.defer(() -> {
            this.logger.debug("Failed to switch user", authenticationException);
            return Mono.error(authenticationException);
        })).flatMap(serverAuthenticationFailureHandler -> {
            return serverAuthenticationFailureHandler.onAuthenticationFailure(webFilterExchange, authenticationException);
        });
    }

    private Authentication createSwitchUserToken(UserDetails userDetails, Authentication authentication) {
        Optional<Authentication> extractSourceAuthentication = extractSourceAuthentication(authentication);
        if (extractSourceAuthentication.isPresent()) {
            this.logger.debug(LogMessage.format("Found original switch user granted authority [%s]", extractSourceAuthentication.get()));
            authentication = extractSourceAuthentication.get();
        }
        SwitchUserGrantedAuthority switchUserGrantedAuthority = new SwitchUserGrantedAuthority("ROLE_PREVIOUS_ADMINISTRATOR", authentication);
        ArrayList arrayList = new ArrayList(userDetails.getAuthorities());
        arrayList.add(switchUserGrantedAuthority);
        return UsernamePasswordAuthenticationToken.authenticated(userDetails, userDetails.getPassword(), arrayList);
    }

    private Optional<Authentication> extractSourceAuthentication(Authentication authentication) {
        for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
            if (grantedAuthority instanceof SwitchUserGrantedAuthority) {
                return Optional.of(((SwitchUserGrantedAuthority) grantedAuthority).getSource());
            }
        }
        return Optional.empty();
    }

    private static ServerWebExchangeMatcher createMatcher(String str) {
        return ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, str);
    }

    private AuthenticationCredentialsNotFoundException noCurrentUserException() {
        return new AuthenticationCredentialsNotFoundException("No current user associated with this request");
    }

    private AuthenticationCredentialsNotFoundException noOriginalAuthenticationException() {
        return new AuthenticationCredentialsNotFoundException("Could not find original Authentication object");
    }

    private AuthenticationCredentialsNotFoundException noTargetAuthenticationException() {
        return new AuthenticationCredentialsNotFoundException("No target user for the given username");
    }

    public void setSecurityContextRepository(ServerSecurityContextRepository serverSecurityContextRepository) {
        Assert.notNull(serverSecurityContextRepository, "securityContextRepository cannot be null");
        this.securityContextRepository = serverSecurityContextRepository;
    }

    public void setExitUserUrl(String str) {
        Assert.isTrue(UrlUtils.isValidRedirectUrl(str), "exitUserUrl cannot be empty and must be a valid redirect URL");
        this.exitUserMatcher = createMatcher(str);
    }

    public void setExitUserMatcher(ServerWebExchangeMatcher serverWebExchangeMatcher) {
        Assert.notNull(serverWebExchangeMatcher, "exitUserMatcher cannot be null");
        this.exitUserMatcher = serverWebExchangeMatcher;
    }

    public void setSwitchUserUrl(String str) {
        Assert.isTrue(UrlUtils.isValidRedirectUrl(str), "switchUserUrl cannot be empty and must be a valid redirect URL");
        this.switchUserMatcher = createMatcher(str);
    }

    public void setSwitchUserMatcher(ServerWebExchangeMatcher serverWebExchangeMatcher) {
        Assert.notNull(serverWebExchangeMatcher, "switchUserMatcher cannot be null");
        this.switchUserMatcher = serverWebExchangeMatcher;
    }
}
