package no.nav.common.auth.oidc.filter;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.openid.connect.sdk.validators.BadJWTExceptions;
import java.text.ParseException;
import java.util.List;
import java.util.Optional;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import no.nav.common.auth.context.AuthContext;
import no.nav.common.auth.context.AuthContextHolderThreadLocal;
import no.nav.common.auth.context.UserRole;
import no.nav.common.auth.oidc.TokenRefreshClient;
import no.nav.common.auth.oidc.UserRoleNullException;
import no.nav.common.auth.utils.CookieUtils;
import no.nav.common.auth.utils.TokenUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:no/nav/common/auth/oidc/filter/OidcAuthenticationFilter.class */
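/**
 * Servlet filter that authenticates a request from an OIDC ID token.
 * <p>
 * Each configured {@link OidcAuthenticator} is asked in turn for an ID token on the request. The
 * first token whose {@code aud} matches that authenticator's client ids is (refreshed if it is about
 * to expire and a refresh token is available, then) validated, a {@link UserRole} is resolved from
 * its claims, and the rest of the chain runs with an {@link AuthContext} bound on the thread.
 * If no authenticator yields a valid token the response status is set to 401 and the chain is not
 * continued.
 */
public class OidcAuthenticationFilter implements Filter {
    private static final Logger logger = LoggerFactory.getLogger(OidcAuthenticationFilter.class);
    /** Tokens expiring within this many milliseconds (5 minutes) are refreshed when a refresh token is present. */
    private static final long CHECK_EXPIRES_WITHIN = 300000;
    private final List<OidcAuthenticator> oidcAuthenticators;
    private final TokenRefreshClient tokenRefreshClient = new TokenRefreshClient();

    /**
     * @param list authenticators tried in order; the first one that finds and validates a token wins
     */
    public OidcAuthenticationFilter(List<OidcAuthenticator> list) {
        this.oidcAuthenticators = list;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to initialise; all configuration comes from the authenticators.
    }

    /**
     * Authenticates the request and, on success, continues the chain with an {@link AuthContext}
     * bound on the current thread. On failure sets HTTP 401 and does not continue the chain.
     *
     * @param servletRequest  must be an {@link HttpServletRequest}
     * @param servletResponse must be an {@link HttpServletResponse}
     * @param filterChain     the remaining chain, run only after successful authentication
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        for (OidcAuthenticator oidcAuthenticator : this.oidcAuthenticators) {
            Optional<String> idToken = oidcAuthenticator.findIdToken(httpServletRequest);
            if (!idToken.isPresent()) {
                continue;
            }
            Optional<AuthContext> authContext =
                    authenticate(idToken.get(), oidcAuthenticator, httpServletRequest, httpServletResponse);
            if (authContext.isPresent()) {
                // The downstream chain deliberately runs outside the token try/catch: an exception thrown
                // by the application must not be logged as a token failure, and must not make the loop
                // fall through to the next authenticator (which could run the chain a second time or set
                // 401 on a response the application has already written to).
                AuthContextHolderThreadLocal.instance().withContext(authContext.get(), () -> {
                    filterChain.doFilter(servletRequest, servletResponse);
                });
                return;
            }
        }
        // No authenticator produced a valid token: reject without continuing the chain.
        httpServletResponse.setStatus(401);
    }

    /**
     * Parses, optionally refreshes and validates {@code rawIdToken} against one authenticator.
     *
     * @return the auth context for the request, or empty when the token is not meant for this
     *         authenticator (audience mismatch) or fails parsing, validation or role resolution;
     *         failures are logged here, never thrown
     */
    private Optional<AuthContext> authenticate(String rawIdToken, OidcAuthenticator oidcAuthenticator,
                                               HttpServletRequest httpServletRequest,
                                               HttpServletResponse httpServletResponse) {
        try {
            JWT jwt = JWTParser.parse(rawIdToken);
            // The audience is read from a not-yet-verified token purely to route it to the right
            // authenticator; a token with a forged audience still has to pass tokenValidator.validate below.
            if (!TokenUtils.hasMatchingAudience(jwt, oidcAuthenticator.config.clientIds)) {
                return Optional.empty();
            }
            Optional<String> refreshed = refreshIdTokenIfNecessary(jwt, oidcAuthenticator, httpServletRequest);
            if (refreshed.isPresent()) {
                jwt = JWTParser.parse(refreshed.get());
            }
            // Validate before anything is written back to the client: a refreshed token that fails
            // validation must not be handed out as a new ID-token cookie.
            oidcAuthenticator.tokenValidator.validate(jwt);
            if (refreshed.isPresent()) {
                addNewIdTokenCookie(oidcAuthenticator.config.idTokenCookieName, jwt, httpServletRequest, httpServletResponse);
            }
            UserRole userRole = oidcAuthenticator.config.userRoleResolver.resolve(jwt.getJWTClaimsSet());
            if (userRole == null) {
                throw new UserRoleNullException();
            }
            return Optional.of(new AuthContext(userRole, jwt));
        } catch (ParseException | JOSEException | BadJOSEException e) {
            // Nimbus signals expiry with the shared BadJWTExceptions.EXPIRED_EXCEPTION instance, hence the
            // reference comparison. An expired token is routine (info); anything else is unexpected (error).
            if (e == BadJWTExceptions.EXPIRED_EXCEPTION) {
                logger.info("Token validation failed", e);
            } else {
                logger.error("Token validation failed", e);
            }
        } catch (UserRoleNullException e) {
            logger.error("User roll is null");
        }
        return Optional.empty();
    }

    /**
     * Writes {@code jwt} back to the client as the ID-token cookie named {@code str}, expiring with the token.
     * Callers must only pass a token that has already been validated.
     *
     * @throws ParseException if the token's claims cannot be parsed
     */
    private void addNewIdTokenCookie(String str, JWT jwt, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ParseException {
        httpServletResponse.addCookie(CookieUtils.createCookie(str, jwt.getParsedString(), jwt.getJWTClaimsSet().getExpirationTime(), httpServletRequest));
    }

    /**
     * Exchanges the request's refresh token for a new ID token when {@code jwt} was issued by this
     * authenticator's issuer and expires within {@link #CHECK_EXPIRES_WITHIN}.
     * <p>
     * NOTE(review): the issuer and expiry claims consulted here come from a token that has not been
     * validated yet. They only decide whether to call the configured {@code refreshUrl} with the
     * refresh token found on the request; the token returned by the refresh endpoint is validated by
     * the caller before it is used or written back as a cookie.
     *
     * @return the refreshed ID token, or empty when no refresh is needed, no refresh token / refresh URL
     *         is configured, or the refresh call fails (logged, not thrown)
     */
    private Optional<String> refreshIdTokenIfNecessary(JWT jwt, OidcAuthenticator oidcAuthenticator, HttpServletRequest httpServletRequest) {
        if (!TokenUtils.hasMatchingIssuer(jwt, oidcAuthenticator.tokenValidator.getIssuer())
                || !TokenUtils.expiresWithin(jwt, CHECK_EXPIRES_WITHIN)) {
            return Optional.empty();
        }
        Optional<String> refreshToken = oidcAuthenticator.findRefreshToken(httpServletRequest);
        if (!refreshToken.isPresent() || oidcAuthenticator.config.refreshUrl == null) {
            return Optional.empty();
        }
        try {
            return Optional.of(this.tokenRefreshClient.refreshIdToken(oidcAuthenticator.config.refreshUrl, refreshToken.get()));
        } catch (Exception e) {
            // Best effort: a failed refresh falls back to validating the original token as-is.
            logger.error("Unable to refresh id token", e);
            return Optional.empty();
        }
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}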
