package org.cloudfoundry.identity.uaa.mfa;

import java.io.IOException;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.mfa.exception.MfaRequiredException;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.27.0.jar:org/cloudfoundry/identity/uaa/mfa/MfaRequiredFilter.class */
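/**
 * Servlet filter that stops a request when the current user's identity provider has MFA
 * enabled but the authentication in the security context does not record an MFA step.
 *
 * <p>When MFA is required and missing, the configured {@link AuthenticationEntryPoint} is
 * invoked with an {@link MfaRequiredException} and the rest of the filter chain is not run.
 * In every other case the request is passed down the chain unchanged.
 *
 * <p>NOTE(review): only {@link UaaAuthentication} instances are ever challenged. Any other
 * {@link Authentication} type, an anonymous token, or an empty security context passes through
 * without an MFA check. Confirm that every interactive login path routed through this filter
 * produces a {@code UaaAuthentication}, and that unauthenticated access is rejected elsewhere.
 */
public class MfaRequiredFilter extends GenericFilterBean {
    private static final Log logger = LogFactory.getLog(MfaRequiredFilter.class);

    /** Value expected in {@link UaaAuthentication#getAuthenticationMethods()} once MFA has been completed. */
    private static final String MFA_AUTHENTICATION_METHOD = "mfa";

    private final MfaChecker checker;
    private final AuthenticationEntryPoint entryPoint;

    /**
     * @param mfaChecker used to decide whether MFA is enabled for the current zone and origin
     * @param authenticationEntryPoint invoked when MFA is required but has not been performed
     */
    public MfaRequiredFilter(MfaChecker mfaChecker, AuthenticationEntryPoint authenticationEntryPoint) {
        this.checker = mfaChecker;
        this.entryPoint = authenticationEntryPoint;
    }

    /**
     * Continues the chain unless MFA is required and missing, in which case the entry point is
     * invoked and the chain is not continued.
     *
     * @throws IOException if the chain or the entry point fails with an I/O error
     * @throws ServletException if the chain or the entry point fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        if (isMfaRequiredAndMissing()) {
            // Do not call the chain here: the protected resource must not be reached without MFA.
            logger.debug("MFA is configured, but missing in authentication. Invoking entry point");
            this.entryPoint.commence(httpServletRequest, httpServletResponse, new MfaRequiredException("Multi-factor authentication required."));
            return;
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Decides whether the current request must be challenged for MFA.
     *
     * @return {@code true} only when the security context holds a {@link UaaAuthentication},
     *     MFA is enabled for the principal's origin, and the authentication's method set is
     *     {@code null} or does not contain {@code "mfa"}; {@code false} otherwise
     */
    protected boolean isMfaRequiredAndMissing() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // Fail-open branch: nothing that is not a UaaAuthentication is subject to this check.
        if (authentication == null || (authentication instanceof AnonymousAuthenticationToken) || !(authentication instanceof UaaAuthentication)) {
            return false;
        }
        UaaAuthentication uaaAuthentication = (UaaAuthentication) authentication;
        // NOTE(review): assumes getPrincipal() is non-null for a UaaAuthentication; confirm.
        if (!mfaRequired(uaaAuthentication.getPrincipal().getOrigin())) {
            return false;
        }
        // The "mfa" marker is trusted as found on the authentication object; the code that adds
        // it is outside this class and must only do so after the second factor has been verified.
        Set<String> authenticationMethods = uaaAuthentication.getAuthenticationMethods();
        return authenticationMethods == null || !authenticationMethods.contains(MFA_AUTHENTICATION_METHOD);
    }

    /**
     * Asks the {@link MfaChecker} whether MFA is enabled in the current identity zone.
     *
     * @param str the origin of the authenticated principal
     * @return the checker's answer for the zone returned by {@link IdentityZoneHolder#get()} and
     *     the given origin
     */
    protected boolean mfaRequired(String str) {
        return this.checker.isMfaEnabled(IdentityZoneHolder.get(), str);
    }
}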
