package org.cloudfoundry.identity.uaa.security;

import java.io.IOException;
import java.util.Iterator;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.springframework.http.MediaType;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.csrf.InvalidCsrfTokenException;
import org.springframework.security.web.csrf.MissingCsrfTokenException;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.8.0.jar:org/cloudfoundry/identity/uaa/security/CsrfAwareEntryPointAndDeniedHandler.class */
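/**
 * Combined {@link AccessDeniedHandler} and {@link AuthenticationEntryPoint} that sends
 * browser clients to either the login page or a CSRF error page, and answers clients that
 * ask for JSON with a 403 and a small JSON error body.
 *
 * <p>Both redirect targets are fixed at construction time; nothing in this class derives a
 * redirect location from the request.
 */
public class CsrfAwareEntryPointAndDeniedHandler implements AccessDeniedHandler, AuthenticationEntryPoint {
    private static final Log logger = LogFactory.getLog(CsrfAwareEntryPointAndDeniedHandler.class);
    private final LoginUrlAuthenticationEntryPoint loginEntryPoint;
    private final LoginUrlAuthenticationEntryPoint csrfEntryPoint;

    /**
     * Creates the handler with its two redirect targets.
     *
     * @param str redirect URL used for CSRF failures; must be non-null and start with '/'
     * @param str2 redirect URL used for unauthenticated requests; must be non-null and start with '/'
     * @throws NullPointerException if either URL is null or does not start with '/'
     *     (the exception type is kept as-is for compatibility, even for the non-null case)
     */
    public CsrfAwareEntryPointAndDeniedHandler(String str, String str2) {
        // NOTE(review): the check only requires a leading '/', so a value beginning with "//"
        // would pass; presumably both values come from trusted configuration - confirm.
        if (str == null || !str.startsWith("/")) {
            throw new NullPointerException("Invalid CSRF redirect URL, must start with '/'");
        }
        if (str2 == null || !str2.startsWith("/")) {
            throw new NullPointerException("Invalid login redirect URL, must start with '/'");
        }
        this.loginEntryPoint = new LoginUrlAuthenticationEntryPoint(str2);
        this.csrfEntryPoint = new LoginUrlAuthenticationEntryPoint(str);
    }

    /**
     * Reports whether the current security context holds an authenticated {@link UaaPrincipal}.
     *
     * @return {@code true} only when an authentication is present, is marked authenticated,
     *     and its principal is a {@code UaaPrincipal}
     */
    protected boolean isUserLoggedIn() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return authentication != null
                && authentication.isAuthenticated()
                && (authentication.getPrincipal() instanceof UaaPrincipal);
    }

    /**
     * Decides whether the client asked for a JSON response.
     *
     * @param httpServletRequest the current request; its {@code Accept} header is inspected
     * @return {@code true} if any media type in the {@code Accept} header equals
     *     {@link MediaType#APPLICATION_JSON}
     */
    protected boolean wantJson(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Accept");
        if (!StringUtils.hasText(header)) {
            return false;
        }
        // The Accept header is client-controlled. NOTE(review): a malformed value makes
        // parseMediaTypes throw, and that exception is not handled here - confirm the
        // surrounding filter chain turns it into an error response rather than a stack trace.
        for (MediaType mediaType : MediaType.parseMediaTypes(header)) {
            // equals() is an exact comparison, so a type carrying extra parameters is
            // presumably not treated as a JSON request - verify this is intended.
            if (mediaType.equals(MediaType.APPLICATION_JSON)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Common handling for both denied access and missing authentication.
     *
     * <p>Non-JSON clients are redirected through the entry point chosen by
     * {@link #getLoginUrlAuthenticationEntryPoint(Exception)}. JSON clients receive a 403 with
     * a body of the form {@code {"error":"<message>"}}.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response to redirect or write to
     * @param exc the exception that triggered this handler
     * @throws IOException if writing the response or redirecting fails
     * @throws ServletException if the delegate entry point fails
     */
    protected void internalHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Exception exc) throws IOException, ServletException {
        // The delegate entry point requires an AuthenticationException, so anything else is wrapped.
        AuthenticationException authenticationFailure = exc instanceof AuthenticationException
                ? (AuthenticationException) exc
                : new InternalAuthenticationServiceException("Access denied.", exc);
        if (!wantJson(httpServletRequest)) {
            getLoginUrlAuthenticationEntryPoint(exc).commence(httpServletRequest, httpServletResponse, authenticationFailure);
            return;
        }
        httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
        httpServletResponse.setContentType("application/json");
        // The exception message is echoed to the client. It is escaped before being placed in
        // the JSON string: an unescaped quote, backslash or control character would produce a
        // malformed body or let message text add members to the JSON object.
        // String.valueOf keeps the previous rendering of a null message as "null".
        String message = escapeJson(String.valueOf(exc.getMessage()));
        httpServletResponse.getWriter().append("{\"error\":\"").append(message).append("\"}");
    }

    /**
     * Escapes text for use inside a JSON string literal.
     *
     * <p>Quotes, backslashes and control characters are escaped as JSON requires. Characters
     * outside printable ASCII are written as {@code \\uXXXX} so the output does not depend on
     * the response character encoding.
     */
    private static String escapeJson(String value) {
        StringBuilder escaped = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '"':
                    escaped.append("\\\"");
                    break;
                case '\\':
                    escaped.append("\\\\");
                    break;
                case '\n':
                    escaped.append("\\n");
                    break;
                case '\r':
                    escaped.append("\\r");
                    break;
                case '\t':
                    escaped.append("\\t");
                    break;
                default:
                    if (c < 0x20 || c > 0x7e) {
                        escaped.append(String.format("\\u%04x", (int) c));
                    } else {
                        escaped.append(c);
                    }
                    break;
            }
        }
        return escaped.toString();
    }

    /**
     * Selects the redirect entry point for a failure.
     *
     * @param exc the exception that triggered this handler
     * @return the CSRF entry point for missing or invalid CSRF tokens, the login entry point
     *     when no user is logged in, and the CSRF entry point for any other failure of a
     *     logged-in user
     */
    protected LoginUrlAuthenticationEntryPoint getLoginUrlAuthenticationEntryPoint(Exception exc) {
        if ((exc instanceof MissingCsrfTokenException) || (exc instanceof InvalidCsrfTokenException)) {
            return this.csrfEntryPoint;
        }
        if (!isUserLoggedIn()) {
            return this.loginEntryPoint;
        }
        // A logged-in user hit a non-CSRF denial; redirecting to login would not help,
        // so the CSRF page is used as the generic error target.
        logger.debug("Redirecting to CSRF endpoint based on error.", exc);
        return this.csrfEntryPoint;
    }

    /**
     * Handles a denied request: records the exception on the request under
     * {@link WebAttributes#ACCESS_DENIED_403}, then applies the shared handling.
     */
    @Override // org.springframework.security.web.access.AccessDeniedHandler
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException accessDeniedException) throws IOException, ServletException {
        httpServletRequest.setAttribute(WebAttributes.ACCESS_DENIED_403, accessDeniedException);
        internalHandle(httpServletRequest, httpServletResponse, accessDeniedException);
    }

    /**
     * Starts authentication for an unauthenticated request by applying the shared handling.
     */
    @Override // org.springframework.security.web.AuthenticationEntryPoint
    public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        internalHandle(httpServletRequest, httpServletResponse, authenticationException);
    }
}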
