package org.springframework.security.web.authentication.switchuser;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:spg-user-ui-war-3.0.14.war:WEB-INF/lib/spring-security-web-3.1.1.RELEASE.jar:org/springframework/security/web/authentication/switchuser/SwitchUserFilter.class */
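/**
 * Servlet filter that lets the currently authenticated user assume the identity of another
 * user ("switch") and later return to the original identity ("exit").
 *
 * <p>A request is treated as a switch or exit request purely by its URI (see
 * {@link #requiresSwitchUser} and {@link #requiresExitUser}). Security-relevant properties of
 * this class as written:
 * <ul>
 *   <li>It performs no authorization check of its own. Whoever can reach the switch URL can
 *       become any user the {@link UserDetailsService} can load, so the switch URL must be
 *       restricted to privileged users by access rules configured elsewhere.</li>
 *   <li>It does not inspect the HTTP method, and no anti-forgery token is checked here, so any
 *       cross-site request protection has to be supplied outside this filter.</li>
 *   <li>URI matching uses a suffix comparison, so access rules protecting the switch and exit
 *       URLs should cover every path that ends with them, not only the exact path.</li>
 *   <li>An {@link AuthenticationSwitchUserEvent} is published only when an
 *       {@link ApplicationEventPublisher} has been injected; otherwise the only trace of a
 *       switch is debug-level logging.</li>
 * </ul>
 */
public class SwitchUserFilter extends GenericFilterBean implements ApplicationEventPublisherAware, MessageSourceAware {
    /** Default name of the request parameter that carries the user name to switch to. */
    public static final String SPRING_SECURITY_SWITCH_USERNAME_KEY = "j_username";
    /** Name of the extra authority added to a switched token; it carries the original Authentication. */
    public static final String ROLE_PREVIOUS_ADMINISTRATOR = "ROLE_PREVIOUS_ADMINISTRATOR";
    // Optional: when null, no switch/exit events are published.
    private ApplicationEventPublisher eventPublisher;
    private String targetUrl;
    private String switchFailureUrl;
    // Optional hook that may rewrite the authorities granted to the switched token.
    private SwitchUserAuthorityChanger switchUserAuthorityChanger;
    private UserDetailsService userDetailsService;
    private AuthenticationSuccessHandler successHandler;
    private AuthenticationFailureHandler failureHandler;
    private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
    protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
    private String exitUserUrl = "/j_spring_security_exit_user";
    private String switchUserUrl = "/j_spring_security_switch_user";
    private String usernameParameter = SPRING_SECURITY_SWITCH_USERNAME_KEY;
    private UserDetailsChecker userDetailsChecker = new AccountStatusUserDetailsChecker();

    /**
     * Validates the configuration and builds default handlers.
     *
     * <p>Requires a {@code userDetailsService} and exactly one of {@code successHandler} /
     * {@code targetUrl}. A failure handler is created from {@code switchFailureUrl} (or with no
     * URL) unless one was set explicitly, in which case {@code switchFailureUrl} must be unset.
     *
     * @throws IllegalArgumentException if the configuration is incomplete or contradictory
     */
    @Override // org.springframework.web.filter.GenericFilterBean, org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() {
        Assert.notNull(this.userDetailsService, "userDetailsService must be specified");
        Assert.isTrue(this.successHandler != null || this.targetUrl != null, "You must set either a successHandler or the targetUrl");
        if (this.targetUrl != null) {
            Assert.isNull(this.successHandler, "You cannot set both successHandler and targetUrl");
            this.successHandler = new SimpleUrlAuthenticationSuccessHandler(this.targetUrl);
        }
        if (this.failureHandler != null) {
            Assert.isNull(this.switchFailureUrl, "You cannot set both a switchFailureUrl and a failureHandler");
            return;
        }
        if (this.switchFailureUrl == null) {
            this.failureHandler = new SimpleUrlAuthenticationFailureHandler();
        } else {
            this.failureHandler = new SimpleUrlAuthenticationFailureHandler(this.switchFailureUrl);
        }
    }

    /**
     * Handles switch and exit requests; every other request is passed down the chain.
     *
     * <p>The switch URL is tested before the exit URL. On a switch, the new token replaces the
     * authentication in the {@link SecurityContextHolder} and the success handler runs; an
     * {@link AuthenticationException} is routed to the failure handler. On an exit, the
     * original authentication is restored and the success handler runs; exceptions thrown by
     * {@link #attemptExitUser} are not caught in this method.
     *
     * <p>No permission check happens here: the decision whether the caller may switch is left
     * entirely to whatever protects the matching URL.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        if (requiresSwitchUser(request)) {
            try {
                Authentication switched = attemptSwitchUser(request);
                SecurityContextHolder.getContext().setAuthentication(switched);
                this.successHandler.onAuthenticationSuccess(request, response, switched);
            } catch (AuthenticationException e) {
                this.logger.debug("Switch User failed", e);
                this.failureHandler.onAuthenticationFailure(request, response, e);
            }
            return;
        }

        if (requiresExitUser(request)) {
            Authentication original = attemptExitUser(request);
            SecurityContextHolder.getContext().setAuthentication(original);
            this.successHandler.onAuthenticationSuccess(request, response, original);
            return;
        }

        filterChain.doFilter(request, response);
    }

    /**
     * Builds the authentication token for the user named in the request.
     *
     * <p>The user name is read from the configured request parameter (empty string when the
     * parameter is absent), loaded through the {@link UserDetailsService} and passed to the
     * {@link UserDetailsChecker} before the token is created. When an event publisher is set,
     * an {@link AuthenticationSwitchUserEvent} is published with the current authentication and
     * the target user.
     *
     * @param httpServletRequest the switch request
     * @return the token representing the target user
     * @throws AuthenticationException propagated from the user lookup or the account checks
     */
    protected Authentication attemptSwitchUser(HttpServletRequest httpServletRequest) throws AuthenticationException {
        String username = httpServletRequest.getParameter(this.usernameParameter);
        if (username == null) {
            username = "";
        }
        if (this.logger.isDebugEnabled()) {
            // The user name comes straight from the request and is logged unmodified; the log
            // layout should neutralise CR/LF so a crafted value cannot forge log lines.
            this.logger.debug("Attempt to switch to user [" + username + "]");
        }
        UserDetails targetUser = this.userDetailsService.loadUserByUsername(username);
        this.userDetailsChecker.check(targetUser);
        UsernamePasswordAuthenticationToken switchedToken = createSwitchUserToken(httpServletRequest, targetUser);
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Switch User Token [" + switchedToken + "]");
        }
        if (this.eventPublisher != null) {
            this.eventPublisher.publishEvent(new AuthenticationSwitchUserEvent(SecurityContextHolder.getContext().getAuthentication(), targetUser));
        }
        return switchedToken;
    }

    /**
     * Recovers the original authentication stored inside the current (switched) one.
     *
     * <p>When an event publisher is set, an {@link AuthenticationSwitchUserEvent} is published
     * with the current authentication and the original user's {@link UserDetails}, or
     * {@code null} when the original principal is not a {@code UserDetails}.
     *
     * @param httpServletRequest the exit request (not read by this implementation)
     * @return the authentication that was active before the switch
     * @throws AuthenticationCredentialsNotFoundException if there is no current authentication,
     *         or it carries no {@link SwitchUserGrantedAuthority}
     */
    protected Authentication attemptExitUser(HttpServletRequest httpServletRequest) throws AuthenticationCredentialsNotFoundException {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null) {
            throw new AuthenticationCredentialsNotFoundException(this.messages.getMessage("SwitchUserFilter.noCurrentUser", "No current user associated with this request"));
        }
        Authentication original = getSourceAuthentication(current);
        if (original == null) {
            this.logger.error("Could not find original user Authentication object!");
            throw new AuthenticationCredentialsNotFoundException(this.messages.getMessage("SwitchUserFilter.noOriginalAuthentication", "Could not find original Authentication object"));
        }
        Object principal = original.getPrincipal();
        // instanceof is false for null, so no separate null check is needed.
        UserDetails originalUser = principal instanceof UserDetails ? (UserDetails) principal : null;
        if (this.eventPublisher != null) {
            this.eventPublisher.publishEvent(new AuthenticationSwitchUserEvent(current, originalUser));
        }
        return original;
    }

    /**
     * Creates the token for the target user and attaches the original authentication to it.
     *
     * <p>The token receives the target user's authorities (optionally rewritten by the
     * {@link SwitchUserAuthorityChanger}) plus one {@link SwitchUserGrantedAuthority} named
     * {@link #ROLE_PREVIOUS_ADMINISTRATOR} that holds the source authentication.
     */
    private UsernamePasswordAuthenticationToken createSwitchUserToken(HttpServletRequest httpServletRequest, UserDetails userDetails) {
        Authentication source;
        try {
            // If the caller is already switched, record the original user as the source rather
            // than the intermediate one, so switches do not nest. Note that attemptExitUser also
            // publishes its own event when an event publisher is set.
            source = attemptExitUser(httpServletRequest);
        } catch (AuthenticationCredentialsNotFoundException e) {
            // Not currently switched: the current authentication is the source.
            // NOTE(review): this is null when the security context holds no authentication.
            source = SecurityContextHolder.getContext().getAuthentication();
        }
        GrantedAuthority previousIdentity = new SwitchUserGrantedAuthority(ROLE_PREVIOUS_ADMINISTRATOR, source);
        Collection<? extends GrantedAuthority> granted = userDetails.getAuthorities();
        if (this.switchUserAuthorityChanger != null) {
            granted = this.switchUserAuthorityChanger.modifyGrantedAuthorities(userDetails, source, granted);
        }
        // Copy before adding: the collection returned by the user details is not ours to modify.
        ArrayList<GrantedAuthority> tokenAuthorities = new ArrayList<GrantedAuthority>(granted);
        tokenAuthorities.add(previousIdentity);
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword(), tokenAuthorities);
        token.setDetails(this.authenticationDetailsSource.buildDetails(httpServletRequest));
        return token;
    }

    /**
     * Returns the source authentication held by a {@link SwitchUserGrantedAuthority} among the
     * given authentication's authorities, or {@code null} if none is present. When several are
     * present the last one iterated wins.
     */
    private Authentication getSourceAuthentication(Authentication authentication) {
        Authentication source = null;
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            if (authority instanceof SwitchUserGrantedAuthority) {
                source = ((SwitchUserGrantedAuthority) authority).getSource();
                this.logger.debug("Found original switch user granted authority [" + source + "]");
            }
        }
        return source;
    }

    /**
     * Tells whether the request targets the exit URL.
     *
     * <p>The comparison is a suffix match of the request URI (path parameters stripped) against
     * context path + exit URL, so longer paths ending in that string match as well.
     */
    protected boolean requiresExitUser(HttpServletRequest httpServletRequest) {
        String expectedSuffix = httpServletRequest.getContextPath() + this.exitUserUrl;
        return stripUri(httpServletRequest).endsWith(expectedSuffix);
    }

    /**
     * Tells whether the request targets the switch URL.
     *
     * <p>The comparison is a suffix match of the request URI (path parameters stripped) against
     * context path + switch URL. NOTE(review): because longer paths ending in that string match
     * too, an access rule written for the exact switch URL alone may not cover every request
     * this method accepts; confirm the deployed rules cover the suffix.
     */
    protected boolean requiresSwitchUser(HttpServletRequest httpServletRequest) {
        String expectedSuffix = httpServletRequest.getContextPath() + this.switchUserUrl;
        return stripUri(httpServletRequest).endsWith(expectedSuffix);
    }

    /** Sets the publisher used for switch/exit events; without it no events are published. */
    @Override // org.springframework.context.ApplicationEventPublisherAware
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) throws BeansException {
        this.eventPublisher = applicationEventPublisher;
    }

    /**
     * Sets the source used to build the details object attached to switched tokens.
     *
     * @throws IllegalArgumentException if the argument is {@code null}
     */
    public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
        Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
        this.authenticationDetailsSource = authenticationDetailsSource;
    }

    /**
     * Sets the message source used for exception messages.
     *
     * @throws IllegalArgumentException if the argument is {@code null}
     */
    @Override // org.springframework.context.MessageSourceAware
    public void setMessageSource(MessageSource messageSource) {
        Assert.notNull(messageSource, "messageSource cannot be null");
        this.messages = new MessageSourceAccessor(messageSource);
    }

    /** Sets the service used to load the target user; required (checked in {@link #afterPropertiesSet}). */
    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    /**
     * Sets the URL (relative to the context path) that triggers an exit.
     *
     * @throws IllegalArgumentException if the value is not accepted as a redirect URL
     */
    public void setExitUserUrl(String str) {
        Assert.isTrue(UrlUtils.isValidRedirectUrl(str), "exitUserUrl cannot be empty and must be a valid redirect URL");
        this.exitUserUrl = str;
    }

    /**
     * Sets the URL (relative to the context path) that triggers a switch. This URL must be
     * restricted to privileged users, because this filter does not check permissions itself.
     *
     * @throws IllegalArgumentException if the value is not accepted as a redirect URL
     */
    public void setSwitchUserUrl(String str) {
        Assert.isTrue(UrlUtils.isValidRedirectUrl(str), "switchUserUrl cannot be empty and must be a valid redirect URL");
        this.switchUserUrl = str;
    }

    /** Sets the URL to send the user to after a successful switch or exit; mutually exclusive with a success handler. */
    public void setTargetUrl(String str) {
        this.targetUrl = str;
    }

    /**
     * Sets the handler invoked after a successful switch or exit.
     *
     * @throws IllegalArgumentException if the argument is {@code null}
     */
    public void setSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler) {
        Assert.notNull(authenticationSuccessHandler, "successHandler cannot be null");
        this.successHandler = authenticationSuccessHandler;
    }

    /**
     * Sets the URL to send the user to when a switch fails; mutually exclusive with a failure
     * handler.
     *
     * @throws IllegalArgumentException if the value is empty or not accepted as a redirect URL
     */
    public void setSwitchFailureUrl(String str) {
        // Validate the argument itself. The text check used to look at switchUserUrl, which has
        // a non-empty default, so it did not reject an empty or null failure URL.
        Assert.isTrue(StringUtils.hasText(str) && UrlUtils.isValidRedirectUrl(str), "switchFailureUrl cannot be empty and must be a valid redirect URL");
        this.switchFailureUrl = str;
    }

    /**
     * Sets the handler invoked when a switch attempt fails.
     *
     * @throws IllegalArgumentException if the argument is {@code null}
     */
    public void setFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
        Assert.notNull(authenticationFailureHandler, "failureHandler cannot be null");
        this.failureHandler = authenticationFailureHandler;
    }

    /** Sets an optional hook that may rewrite the authorities granted to the switched token. */
    public void setSwitchUserAuthorityChanger(SwitchUserAuthorityChanger switchUserAuthorityChanger) {
        this.switchUserAuthorityChanger = switchUserAuthorityChanger;
    }

    /** Sets the checker applied to the target user before the switch token is created. */
    public void setUserDetailsChecker(UserDetailsChecker userDetailsChecker) {
        this.userDetailsChecker = userDetailsChecker;
    }

    /** Sets the name of the request parameter that carries the target user name. */
    public void setUsernameParameter(String str) {
        this.usernameParameter = str;
    }

    /**
     * Returns the request URI truncated at the first ';', which removes path parameters such as
     * a session id appended to the URL. A ';' at index 0 is left in place.
     */
    private String stripUri(HttpServletRequest httpServletRequest) {
        String uri = httpServletRequest.getRequestURI();
        int pathParamStart = uri.indexOf(';');
        return pathParamStart > 0 ? uri.substring(0, pathParamStart) : uri;
    }
}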
