package org.molgenis.security.twofactor.auth;

import java.io.IOException;
import java.util.Objects;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.molgenis.security.account.AccountController;
import org.molgenis.security.core.utils.SecurityUtils;
import org.molgenis.security.settings.AuthenticationSettings;
import org.molgenis.security.token.RestAuthenticationToken;
import org.molgenis.security.twofactor.TwoFactorAuthenticationController;
import org.molgenis.security.twofactor.service.TwoFactorAuthenticationService;
import org.molgenis.security.user.UserAccountService;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:WEB-INF/lib/molgenis-security-6.1.0.jar:org/molgenis/security/twofactor/auth/TwoFactorAuthenticationFilter.class */
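/**
 * Servlet filter that redirects an authenticated user to the two-factor authentication pages
 * until the session holds a sufficiently strong authentication.
 *
 * <p>A request is redirected only when all of the following hold: two-factor authentication
 * applies to the current user, the user is authenticated, the requested URI is not one of the
 * exempt pages (the two-factor pages themselves and the change-password page), and the current
 * {@link Authentication} is not an authenticated {@link TwoFactorAuthenticationToken},
 * {@link RecoveryAuthenticationToken} or {@link RestAuthenticationToken}. Every other request is
 * passed down the filter chain unchanged.
 *
 * <p>Security note: the exemption decision is made on {@code HttpServletRequest#getRequestURI()},
 * which is the raw, undecoded request path and includes the context path. The exemption is the
 * only way past this filter without a second factor, so it is matched on a path-segment boundary
 * and refused for paths that contain dot-dot sequences.
 */
public class TwoFactorAuthenticationFilter extends OncePerRequestFilter {
    private final RedirectStrategy redirectStrategy;
    private final UserAccountService userAccountService;
    private final TwoFactorAuthenticationService twoFactorAuthenticationService;
    private final AuthenticationSettings authenticationSettings;

    /**
     * Creates the filter.
     *
     * @param authenticationSettings source of the application-wide two-factor setting
     * @param twoFactorAuthenticationService tells whether the current user has configured a second factor
     * @param redirectStrategy used to send the redirect to the two-factor pages
     * @param userAccountService used to read the current user's own two-factor preference
     * @throws NullPointerException if any argument is {@code null}
     */
    public TwoFactorAuthenticationFilter(AuthenticationSettings authenticationSettings, TwoFactorAuthenticationService twoFactorAuthenticationService, RedirectStrategy redirectStrategy, UserAccountService userAccountService) {
        this.authenticationSettings = Objects.requireNonNull(authenticationSettings, "authenticationSettings");
        this.twoFactorAuthenticationService = Objects.requireNonNull(twoFactorAuthenticationService, "twoFactorAuthenticationService");
        this.redirectStrategy = Objects.requireNonNull(redirectStrategy, "redirectStrategy");
        this.userAccountService = Objects.requireNonNull(userAccountService, "userAccountService");
    }

    /**
     * Redirects to the two-factor pages when a second factor is required and still missing,
     * otherwise continues the filter chain.
     *
     * @throws ServletException propagated from the filter chain
     * @throws IOException propagated from the filter chain or the redirect
     */
    @Override // org.springframework.web.filter.OncePerRequestFilter
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        // NOTE(review): isUserShouldTwoFactorAuthenticate() may call
        // userAccountService.getCurrentUser() before currentUserIsAuthenticated() has been
        // checked; confirm that lookup is safe for unauthenticated requests.
        boolean secondFactorRequired = isUserShouldTwoFactorAuthenticate()
                && SecurityUtils.currentUserIsAuthenticated()
                && isNotProtected(httpServletRequest.getRequestURI())
                && isInsufficientlyAuthenticated();
        if (secondFactorRequired) {
            redirectToTwoFactorAuthenticationController(httpServletRequest, httpServletResponse);
            return;
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Tells whether two-factor authentication applies to the current user: never when the
     * setting is DISABLED, always when it is ENFORCED, otherwise only when the user opted in.
     */
    private boolean isUserShouldTwoFactorAuthenticate() {
        TwoFactorAuthenticationSetting setting = this.authenticationSettings.getTwoFactorAuthentication();
        if (setting == TwoFactorAuthenticationSetting.DISABLED) {
            return false;
        }
        return setting == TwoFactorAuthenticationSetting.ENFORCED
                || this.userAccountService.getCurrentUser().isTwoFactorAuthentication();
    }

    /**
     * Returns {@code true} when the URI is subject to the two-factor check, i.e. it is neither
     * one of the two-factor pages nor the change-password page.
     *
     * @param str raw request URI as returned by {@code HttpServletRequest#getRequestURI()}
     */
    private boolean isNotProtected(String str) {
        boolean exempt = isUnderPath(str, TwoFactorAuthenticationController.URI)
                || str.equalsIgnoreCase(AccountController.CHANGE_PASSWORD_URI);
        return !exempt;
    }

    /**
     * Tells whether {@code requestUri} is {@code basePath} itself or a path below it.
     *
     * <p>A bare {@code startsWith} would also exempt sibling paths that merely share the prefix,
     * and paths that start below {@code basePath} and climb back out with dot-dot segments.
     * Both would let a request skip the second factor, so the match is anchored on a segment
     * boundary and any URI containing a dot-dot sequence (raw or with a percent-encoded dot) is
     * never treated as exempt. This is defence in depth only: whether the container or a
     * request firewall already rejects non-normalised paths is not visible from this class, and
     * other encodings are not handled here.
     */
    private static boolean isUnderPath(String requestUri, String basePath) {
        if (requestUri.contains("..") || requestUri.contains("%2e") || requestUri.contains("%2E")) {
            return false;
        }
        if (!requestUri.startsWith(basePath)) {
            return false;
        }
        if (requestUri.length() == basePath.length() || basePath.endsWith("/")) {
            return true;
        }
        // ';' starts a path parameter (for example a URL-rewritten session id) on the same segment.
        char next = requestUri.charAt(basePath.length());
        return next == '/' || next == ';';
    }

    /**
     * Sends the user to the authentication page when a second factor is already configured,
     * otherwise to the activation page.
     */
    private void redirectToTwoFactorAuthenticationController(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String target = this.twoFactorAuthenticationService.isConfiguredForUser() ? "/2fa/authenticate" : "/2fa/activation";
        this.redirectStrategy.sendRedirect(httpServletRequest, httpServletResponse, target);
    }

    /**
     * Returns {@code true} when the current authentication is none of the accepted token types
     * in an authenticated state.
     */
    private boolean isInsufficientlyAuthenticated() {
        return !(isUserTwoFactorAuthenticated() || hasAuthenticatedMolgenisToken() || isUserRecoveryAuthenticated());
    }

    /** Tells whether the current authentication is an authenticated two-factor token. */
    private boolean isUserTwoFactorAuthenticated() {
        return isAuthenticatedWith(TwoFactorAuthenticationToken.class);
    }

    /** Tells whether the current authentication is an authenticated recovery token. */
    private boolean isUserRecoveryAuthenticated() {
        return isAuthenticatedWith(RecoveryAuthenticationToken.class);
    }

    /**
     * Tells whether the current authentication is an authenticated REST token. Such a token
     * satisfies this filter without a second factor.
     */
    private boolean hasAuthenticatedMolgenisToken() {
        return isAuthenticatedWith(RestAuthenticationToken.class);
    }

    /**
     * Tells whether the authentication in the current security context is an instance of
     * {@code tokenType} and reports itself as authenticated. A missing authentication yields
     * {@code false}.
     */
    private static boolean isAuthenticatedWith(Class<?> tokenType) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return tokenType.isInstance(authentication) && authentication.isAuthenticated();
    }
}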
