package org.springframework.security.web.authentication.switchuser;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import org.apache.hc.client5.http.classic.methods.HttpPost;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.core.log.LogMessage;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.web.filter.GenericFilterBean;
import org.springframework.web.util.UrlPathHelper;

/* loaded from: input_file:BOOT-INF/lib/spring-security-web-6.5.1.jar:org/springframework/security/web/authentication/switchuser/SwitchUserFilter.class */
public class SwitchUserFilter extends GenericFilterBean implements ApplicationEventPublisherAware, MessageSourceAware {
    public static final String SPRING_SECURITY_SWITCH_USERNAME_KEY = "username";
    public static final String ROLE_PREVIOUS_ADMINISTRATOR = "ROLE_PREVIOUS_ADMINISTRATOR";
    private ApplicationEventPublisher eventPublisher;
    private String targetUrl;
    private String switchFailureUrl;
    private SwitchUserAuthorityChanger switchUserAuthorityChanger;
    private UserDetailsService userDetailsService;
    private AuthenticationSuccessHandler successHandler;
    private AuthenticationFailureHandler failureHandler;
    private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder.getContextHolderStrategy();
    private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
    private RequestMatcher exitUserMatcher = createMatcher("/logout/impersonate", true);
    private RequestMatcher switchUserMatcher = createMatcher("/login/impersonate", true);
    private String usernameParameter = "username";
    private String switchAuthorityRole = "ROLE_PREVIOUS_ADMINISTRATOR";
    private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();
    private SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();

    @Override // org.springframework.web.filter.GenericFilterBean, org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() {
        Assert.notNull(this.userDetailsService, "userDetailsService must be specified");
        Assert.isTrue((this.successHandler == null && this.targetUrl == null) ? false : true, "You must set either a successHandler or the targetUrl");
        if (this.targetUrl != null) {
            Assert.isNull(this.successHandler, "You cannot set both successHandler and targetUrl");
            this.successHandler = new SimpleUrlAuthenticationSuccessHandler(this.targetUrl);
        }
        if (this.failureHandler == null) {
            this.failureHandler = this.switchFailureUrl != null ? new SimpleUrlAuthenticationFailureHandler(this.switchFailureUrl) : new SimpleUrlAuthenticationFailureHandler();
        } else {
            Assert.isNull(this.switchFailureUrl, "You cannot set both a switchFailureUrl and a failureHandler");
        }
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        doFilter((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse, filterChain);
    }

    private void doFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (requiresSwitchUser(httpServletRequest)) {
            try {
                Authentication attemptSwitchUser = attemptSwitchUser(httpServletRequest);
                SecurityContext createEmptyContext = this.securityContextHolderStrategy.createEmptyContext();
                createEmptyContext.setAuthentication(attemptSwitchUser);
                this.securityContextHolderStrategy.setContext(createEmptyContext);
                this.logger.debug(LogMessage.format("Set SecurityContextHolder to %s", attemptSwitchUser));
                this.securityContextRepository.saveContext(createEmptyContext, httpServletRequest, httpServletResponse);
                this.successHandler.onAuthenticationSuccess(httpServletRequest, httpServletResponse, attemptSwitchUser);
                return;
            } catch (AuthenticationException e) {
                this.logger.debug("Failed to switch user", e);
                this.failureHandler.onAuthenticationFailure(httpServletRequest, httpServletResponse, e);
                return;
            }
        }
        if (!requiresExitUser(httpServletRequest)) {
            this.logger.trace(LogMessage.format("Did not attempt to switch user since request did not match [%s] or [%s]", this.switchUserMatcher, this.exitUserMatcher));
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        Authentication attemptExitUser = attemptExitUser(httpServletRequest);
        SecurityContext createEmptyContext2 = this.securityContextHolderStrategy.createEmptyContext();
        createEmptyContext2.setAuthentication(attemptExitUser);
        this.securityContextHolderStrategy.setContext(createEmptyContext2);
        this.logger.debug(LogMessage.format("Set SecurityContextHolder to %s", attemptExitUser));
        this.securityContextRepository.saveContext(createEmptyContext2, httpServletRequest, httpServletResponse);
        this.successHandler.onAuthenticationSuccess(httpServletRequest, httpServletResponse, attemptExitUser);
    }

    protected Authentication attemptSwitchUser(HttpServletRequest httpServletRequest) throws AuthenticationException {
        String parameter = httpServletRequest.getParameter(this.usernameParameter);
        String str = parameter != null ? parameter : "";
        this.logger.debug(LogMessage.format("Attempting to switch to user [%s]", str));
        UserDetails loadUserByUsername = this.userDetailsService.loadUserByUsername(str);
        this.userDetailsChecker.check(loadUserByUsername);
        UsernamePasswordAuthenticationToken createSwitchUserToken = createSwitchUserToken(httpServletRequest, loadUserByUsername);
        if (this.eventPublisher != null) {
            this.eventPublisher.publishEvent((ApplicationEvent) new AuthenticationSwitchUserEvent(this.securityContextHolderStrategy.getContext().getAuthentication(), loadUserByUsername));
        }
        return createSwitchUserToken;
    }

    protected Authentication attemptExitUser(HttpServletRequest httpServletRequest) throws AuthenticationCredentialsNotFoundException {
        Authentication authentication = this.securityContextHolderStrategy.getContext().getAuthentication();
        if (authentication == null) {
            throw new AuthenticationCredentialsNotFoundException(this.messages.getMessage("SwitchUserFilter.noCurrentUser", "No current user associated with this request"));
        }
        Authentication sourceAuthentication = getSourceAuthentication(authentication);
        if (sourceAuthentication == null) {
            this.logger.debug("Failed to find original user");
            throw new AuthenticationCredentialsNotFoundException(this.messages.getMessage("SwitchUserFilter.noOriginalAuthentication", "Failed to find original user"));
        }
        UserDetails userDetails = null;
        Object principal = sourceAuthentication.getPrincipal();
        if (principal != null && (principal instanceof UserDetails)) {
            userDetails = (UserDetails) principal;
        }
        if (this.eventPublisher != null) {
            this.eventPublisher.publishEvent((ApplicationEvent) new AuthenticationSwitchUserEvent(authentication, userDetails));
        }
        return sourceAuthentication;
    }

    private UsernamePasswordAuthenticationToken createSwitchUserToken(HttpServletRequest httpServletRequest, UserDetails userDetails) {
        Authentication currentAuthentication = getCurrentAuthentication(httpServletRequest);
        SwitchUserGrantedAuthority switchUserGrantedAuthority = new SwitchUserGrantedAuthority(this.switchAuthorityRole, currentAuthentication);
        Collection<? extends GrantedAuthority> authorities = userDetails.getAuthorities();
        if (this.switchUserAuthorityChanger != null) {
            authorities = this.switchUserAuthorityChanger.modifyGrantedAuthorities(userDetails, currentAuthentication, authorities);
        }
        ArrayList arrayList = new ArrayList(authorities);
        arrayList.add(switchUserGrantedAuthority);
        UsernamePasswordAuthenticationToken authenticated = UsernamePasswordAuthenticationToken.authenticated(userDetails, userDetails.getPassword(), arrayList);
        authenticated.setDetails(this.authenticationDetailsSource.buildDetails(httpServletRequest));
        return authenticated;
    }

    private Authentication getCurrentAuthentication(HttpServletRequest httpServletRequest) {
        try {
            return attemptExitUser(httpServletRequest);
        } catch (AuthenticationCredentialsNotFoundException e) {
            return this.securityContextHolderStrategy.getContext().getAuthentication();
        }
    }

    private Authentication getSourceAuthentication(Authentication authentication) {
        Authentication authentication2 = null;
        for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
            if (grantedAuthority instanceof SwitchUserGrantedAuthority) {
                authentication2 = ((SwitchUserGrantedAuthority) grantedAuthority).getSource();
                this.logger.debug(LogMessage.format("Found original switch user granted authority [%s]", authentication2));
            }
        }
        return authentication2;
    }

    protected boolean requiresExitUser(HttpServletRequest httpServletRequest) {
        return this.exitUserMatcher.matches(httpServletRequest);
    }

    protected boolean requiresSwitchUser(HttpServletRequest httpServletRequest) {
        return this.switchUserMatcher.matches(httpServletRequest);
    }

    @Override // org.springframework.context.ApplicationEventPublisherAware
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) throws BeansException {
        this.eventPublisher = applicationEventPublisher;
    }

    public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
        Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
        this.authenticationDetailsSource = authenticationDetailsSource;
    }

    @Override // org.springframework.context.MessageSourceAware
    public void setMessageSource(MessageSource messageSource) {
        Assert.notNull(messageSource, "messageSource cannot be null");
        this.messages = new MessageSourceAccessor(messageSource);
    }

    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    public void setExitUserUrl(String str) {
        Assert.isTrue(UrlUtils.isValidRedirectUrl(str), "exitUserUrl cannot be empty and must be a valid redirect URL");
        this.exitUserMatcher = createMatcher(str, false);
    }

    public void setExitUserMatcher(RequestMatcher requestMatcher) {
        Assert.notNull(requestMatcher, "exitUserMatcher cannot be null");
        this.exitUserMatcher = requestMatcher;
    }

    public void setSwitchUserUrl(String str) {
        Assert.isTrue(UrlUtils.isValidRedirectUrl(str), "switchUserUrl cannot be empty and must be a valid redirect URL");
        this.switchUserMatcher = createMatcher(str, false);
    }

    public void setSwitchUserMatcher(RequestMatcher requestMatcher) {
        Assert.notNull(requestMatcher, "switchUserMatcher cannot be null");
        this.switchUserMatcher = requestMatcher;
    }

    public void setTargetUrl(String str) {
        this.targetUrl = str;
    }

    public void setSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler) {
        Assert.notNull(authenticationSuccessHandler, "successHandler cannot be null");
        this.successHandler = authenticationSuccessHandler;
    }

    public void setSwitchFailureUrl(String str) {
        Assert.isTrue(UrlUtils.isValidRedirectUrl(str), "switchFailureUrl must be a valid redirect URL");
        this.switchFailureUrl = str;
    }

    public void setFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
        Assert.notNull(authenticationFailureHandler, "failureHandler cannot be null");
        this.failureHandler = authenticationFailureHandler;
    }

    public void setSwitchUserAuthorityChanger(SwitchUserAuthorityChanger switchUserAuthorityChanger) {
        this.switchUserAuthorityChanger = switchUserAuthorityChanger;
    }

    public void setUserDetailsChecker(UserDetailsChecker userDetailsChecker) {
        this.userDetailsChecker = userDetailsChecker;
    }

    public void setUsernameParameter(String str) {
        this.usernameParameter = str;
    }

    public void setSwitchAuthorityRole(String str) {
        Assert.notNull(str, "switchAuthorityRole cannot be null");
        this.switchAuthorityRole = str;
    }

    public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
        Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
        this.securityContextHolderStrategy = securityContextHolderStrategy;
    }

    public void setSecurityContextRepository(SecurityContextRepository securityContextRepository) {
        Assert.notNull(securityContextRepository, "securityContextRepository cannot be null");
        this.securityContextRepository = securityContextRepository;
    }

    private static RequestMatcher createMatcher(String str, boolean z) {
        return z ? PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, str) : new AntPathRequestMatcher(str, HttpPost.METHOD_NAME, true, new UrlPathHelper());
    }
}
