package org.springframework.security.web.server.authentication;

import java.util.ArrayList;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Function;
import java.util.function.Supplier;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
import org.springframework.http.HttpMethod;
import org.springframework.lang.NonNull;
import org.springframework.lang.Nullable;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

/* loaded from: classes4.dex */
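/**
 * Reactive {@link WebFilter} that replaces the current {@link Authentication} with one for
 * another user ("switch user") and can later restore the original one.
 *
 * <p>This listing is decompiler (JADX) output. Methods named {@code lambda$...} are the
 * original private methods merged with their synthetic lambda bridges, and the
 * {@code $$Lambda$...} classes they reference are not part of this listing.
 *
 * <p>Review notes, all taken from the code below:
 * <ul>
 *   <li>No check of the caller's authorities is visible in this class. Any request that
 *       matches {@code switchUserMatcher} and has a security context is processed, so access
 *       to the switch URL has to be restricted by the surrounding authorization rules.</li>
 *   <li>The default matchers accept only {@code POST} on {@code /login/impersonate} and
 *       {@code /logout/impersonate}.</li>
 *   <li>The switched token carries a {@link SwitchUserGrantedAuthority} holding the original
 *       {@code Authentication}; that authority is the only record used to switch back.</li>
 * </ul>
 */
public class SwitchUserWebFilter implements WebFilter {
    /** Role name of the extra authority added to a switched token. */
    public static final String ROLE_PREVIOUS_ADMINISTRATOR = "ROLE_PREVIOUS_ADMINISTRATOR";
    /** Name of the query parameter that carries the target username. */
    public static final String SPRING_SECURITY_SWITCH_USERNAME_KEY = "username";
    // May be null: the URL-based constructor leaves it unset when no failure URL is given.
    private final ServerAuthenticationFailureHandler failureHandler;
    private ServerSecurityContextRepository securityContextRepository;
    private final ServerAuthenticationSuccessHandler successHandler;
    private final UserDetailsChecker userDetailsChecker;
    private final ReactiveUserDetailsService userDetailsService;
    private final Log logger = LogFactory.getLog(getClass());
    private ServerWebExchangeMatcher switchUserMatcher = createMatcher("/login/impersonate");
    private ServerWebExchangeMatcher exitUserMatcher = createMatcher("/logout/impersonate");

    /**
     * Marker wrapper raised after the failure handler has run for a failed switch, so that
     * {@link #filter} can end the exchange without handling the failure a second time.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes4.dex */
    public static class SwitchUserAuthenticationException extends RuntimeException {
        SwitchUserAuthenticationException(AuthenticationException authenticationException) {
            super(authenticationException);
        }
    }

    /**
     * Creates a filter that redirects after a switch or exit.
     *
     * @param reactiveUserDetailsService used to load the target user; must not be null
     * @param str success target URL; must not be null
     * @param str2 failure redirect URL, or null to log the failure and propagate the error
     */
    public SwitchUserWebFilter(ReactiveUserDetailsService reactiveUserDetailsService, String str, @Nullable String str2) {
        Assert.notNull(reactiveUserDetailsService, "userDetailsService must be specified");
        Assert.notNull(str, "successTargetUrl must be specified");
        this.userDetailsService = reactiveUserDetailsService;
        this.successHandler = new RedirectServerAuthenticationSuccessHandler(str);
        this.failureHandler = str2 != null ? new RedirectServerAuthenticationFailureHandler(str2) : null;
        this.securityContextRepository = new WebSessionServerSecurityContextRepository();
        this.userDetailsChecker = new AccountStatusUserDetailsChecker();
    }

    /**
     * Creates a filter with caller-supplied success and failure handlers.
     *
     * @param reactiveUserDetailsService used to load the target user; must not be null
     * @param serverAuthenticationSuccessHandler invoked after a switch or exit; must not be null
     * @param serverAuthenticationFailureHandler invoked when a switch fails; may be null
     */
    public SwitchUserWebFilter(ReactiveUserDetailsService reactiveUserDetailsService, ServerAuthenticationSuccessHandler serverAuthenticationSuccessHandler, @Nullable ServerAuthenticationFailureHandler serverAuthenticationFailureHandler) {
        Assert.notNull(reactiveUserDetailsService, "userDetailsService must be specified");
        Assert.notNull(serverAuthenticationSuccessHandler, "successHandler must be specified");
        this.userDetailsService = reactiveUserDetailsService;
        this.successHandler = serverAuthenticationSuccessHandler;
        this.failureHandler = serverAuthenticationFailureHandler;
        this.securityContextRepository = new WebSessionServerSecurityContextRepository();
        this.userDetailsChecker = new AccountStatusUserDetailsChecker();
    }

    /**
     * Returns the original {@code Authentication} stored in the current token.
     *
     * @param authentication the current (switched) authentication
     * @return the source authentication held by its {@link SwitchUserGrantedAuthority}
     * @throws AuthenticationCredentialsNotFoundException if the token carries no such authority
     */
    /* JADX INFO: Access modifiers changed from: private */
    @NonNull
    public Authentication attemptExitUser(Authentication authentication) {
        Optional<Authentication> extractSourceAuthentication = extractSourceAuthentication(authentication);
        if (extractSourceAuthentication.isPresent()) {
            return extractSourceAuthentication.get();
        }
        this.logger.debug("Could not find original user Authentication object!");
        throw noOriginalAuthenticationException();
    }

    /**
     * Loads the target user, passes it to the {@code userDetailsChecker} and builds the
     * switched token.
     *
     * @param authentication the caller's current authentication
     * @param str the target username; a null value is rejected by {@code Assert.notNull}
     * @return the switched token, or an error signal when no user is found for the name
     */
    @NonNull
    private Mono<Authentication> attemptSwitchUser(final Authentication authentication, String str) {
        Assert.notNull(str, "The userName can not be null.");
        // NOTE(review): the name comes from the request and is logged as received; confirm
        // the log layout neutralises line breaks.
        this.logger.debug(LogMessage.format("Attempt to switch to user [%s]", str));
        Mono switchIfEmpty = this.userDetailsService.findByUsername(str).switchIfEmpty(Mono.error(new Supplier() { // from class: org.springframework.security.web.server.authentication.-$$Lambda$SwitchUserWebFilter$aDb5PoTdFuGepu6hC872isFJJDM
            @Override // java.util.function.Supplier
            public final Object get() {
                AuthenticationCredentialsNotFoundException noTargetAuthenticationException;
                noTargetAuthenticationException = SwitchUserWebFilter.this.noTargetAuthenticationException();
                return noTargetAuthenticationException;
            }
        }));
        UserDetailsChecker userDetailsChecker = this.userDetailsChecker;
        Objects.requireNonNull(userDetailsChecker);
        // The synthetic lambda below wraps the checker; presumably userDetailsChecker::check,
        // so an unusable target account is rejected before a token is built. TODO confirm.
        return switchIfEmpty.doOnNext(new $$Lambda$TuzcvPHSZBRlHW6tZ4Sq0ioevW8(userDetailsChecker)).map(new Function() { // from class: org.springframework.security.web.server.authentication.-$$Lambda$SwitchUserWebFilter$7vqy1OBOnEHzLYalvJhOtwy3RXQ
            @Override // java.util.function.Function
            public final Object apply(Object obj) {
                // Argument order follows the merged method's signature (target user first);
                // the decompiler had left the bridge's captured-argument order here.
                return SwitchUserWebFilter.this.lambda$attemptSwitchUser$8$SwitchUserWebFilter((UserDetails) obj, authentication);
            }
        });
    }

    /** Builds a matcher for {@code POST} requests on the given path pattern. */
    private static ServerWebExchangeMatcher createMatcher(String str) {
        return ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, str);
    }

    /**
     * Builds the token for the target user.
     *
     * <p>If the current authentication is itself a switched one, the source stored in its
     * {@link SwitchUserGrantedAuthority} is reused, so the new token always points back to
     * the first original authentication instead of nesting switches.
     *
     * @param userDetails the target user
     * @param authentication the caller's current authentication
     * @return a token with the target's authorities plus one {@code SwitchUserGrantedAuthority}
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* renamed from: createSwitchUserToken, reason: merged with bridge method [inline-methods] */
    public Authentication lambda$attemptSwitchUser$8$SwitchUserWebFilter(UserDetails userDetails, Authentication authentication) {
        Optional<Authentication> extractSourceAuthentication = extractSourceAuthentication(authentication);
        if (extractSourceAuthentication.isPresent()) {
            // NOTE(review): logs the Authentication via its string form; confirm that form
            // does not include credentials.
            this.logger.info(LogMessage.format("Found original switch user granted authority [%s]", extractSourceAuthentication.get()));
            authentication = extractSourceAuthentication.get();
        }
        SwitchUserGrantedAuthority switchUserGrantedAuthority = new SwitchUserGrantedAuthority(ROLE_PREVIOUS_ADMINISTRATOR, authentication);
        ArrayList arrayList = new ArrayList(userDetails.getAuthorities());
        arrayList.add(switchUserGrantedAuthority);
        // NOTE(review): the target's stored password value becomes the token's credentials,
        // and the token is later saved through securityContextRepository; confirm this is
        // acceptable for the repository in use.
        return new UsernamePasswordAuthenticationToken(userDetails, userDetails.getPassword(), arrayList);
    }

    /**
     * Finds the first {@link SwitchUserGrantedAuthority} among the authorities and returns
     * the source authentication it holds, or an empty Optional when there is none.
     */
    private Optional<Authentication> extractSourceAuthentication(Authentication authentication) {
        for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
            if (grantedAuthority instanceof SwitchUserGrantedAuthority) {
                return Optional.of(((SwitchUserGrantedAuthority) grantedAuthority).getSource());
            }
        }
        return Optional.empty();
    }

    /** Exception used when an exit request arrives without a security context. */
    /* JADX INFO: Access modifiers changed from: private */
    public AuthenticationCredentialsNotFoundException noCurrentUserException() {
        return new AuthenticationCredentialsNotFoundException("No current user associated with this request");
    }

    /** Exception used when the current token holds no original authentication. */
    private AuthenticationCredentialsNotFoundException noOriginalAuthenticationException() {
        return new AuthenticationCredentialsNotFoundException("Could not find original Authentication object");
    }

    /** Exception used when the user details service returns no user for the name. */
    /* JADX INFO: Access modifiers changed from: private */
    public AuthenticationCredentialsNotFoundException noTargetAuthenticationException() {
        return new AuthenticationCredentialsNotFoundException("No target user for the given username");
    }

    /**
     * Delegates a failed switch to the failure handler; when none is configured the failure
     * is logged and returned as an error signal.
     */
    private Mono<Void> onAuthenticationFailure(final AuthenticationException authenticationException, final WebFilterExchange webFilterExchange) {
        return Mono.justOrEmpty(this.failureHandler).switchIfEmpty(Mono.defer(new Supplier() { // from class: org.springframework.security.web.server.authentication.-$$Lambda$SwitchUserWebFilter$pplb28igYTA9p7pa_rfvo5asgqE
            @Override // java.util.function.Supplier
            public final Object get() {
                return SwitchUserWebFilter.this.lambda$onAuthenticationFailure$9$SwitchUserWebFilter(authenticationException);
            }
        })).flatMap(new Function() { // from class: org.springframework.security.web.server.authentication.-$$Lambda$SwitchUserWebFilter$paZVg83CRUO4PUz9putPWLTG7qs
            @Override // java.util.function.Function
            public final Object apply(Object obj) {
                Mono onAuthenticationFailure;
                // The captured parameter is used; the decompiler had emitted an invalid
                // "WebFilterExchange.this" qualifier here.
                onAuthenticationFailure = ((ServerAuthenticationFailureHandler) obj).onAuthenticationFailure(webFilterExchange, authenticationException);
                return onAuthenticationFailure;
            }
        });
    }

    /**
     * Saves a new security context holding the given authentication, then invokes the
     * success handler with that context visible to the reactive chain.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* renamed from: onAuthenticationSuccess, reason: merged with bridge method [inline-methods] */
    public Mono<Void> lambda$filter$2$SwitchUserWebFilter(Authentication authentication, WebFilterExchange webFilterExchange) {
        ServerWebExchange exchange = webFilterExchange.getExchange();
        SecurityContextImpl securityContextImpl = new SecurityContextImpl(authentication);
        return this.securityContextRepository.save(exchange, securityContextImpl).then(this.successHandler.onAuthenticationSuccess(webFilterExchange, authentication)).subscriberContext(ReactiveSecurityContextHolder.withSecurityContext(Mono.just(securityContextImpl)));
    }

    /**
     * Handles an exit request: when {@code exitUserMatcher} matches, resolves the current
     * authentication and returns the original one stored in it.
     *
     * <p>No error handler is attached here, so a missing context or a token without a
     * {@code SwitchUserGrantedAuthority} surfaces as an error signal to the caller.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    /* renamed from: exitSwitchUser, reason: merged with bridge method [inline-methods] */
    public Mono<Authentication> lambda$filter$0$SwitchUserWebFilter(WebFilterExchange webFilterExchange) {
        return this.exitUserMatcher.matches(webFilterExchange.getExchange()).filter($$Lambda$XJxKU7dlh20UO6iiJY8Ek9QMFc.INSTANCE).flatMap(new Function() { // from class: org.springframework.security.web.server.authentication.-$$Lambda$SwitchUserWebFilter$egvnXr-smcFnDn2NkJw-GIllIOc
            @Override // java.util.function.Function
            public final Object apply(Object obj) {
                return SwitchUserWebFilter.this.lambda$exitSwitchUser$7$SwitchUserWebFilter((ServerWebExchangeMatcher.MatchResult) obj);
            }
        }).map(new Function() { // from class: org.springframework.security.web.server.authentication.-$$Lambda$SwitchUserWebFilter$gKe8sjQ-kRzRhYawRIfzYjzBY6Y
            @Override // java.util.function.Function
            public final Object apply(Object obj) {
                Authentication attemptExitUser;
                attemptExitUser = SwitchUserWebFilter.this.attemptExitUser((Authentication) obj);
                return attemptExitUser;
            }
        });
    }

    /**
     * Tries a switch, then an exit; if neither produces an authentication the request
     * continues down the filter chain.
     *
     * <p>When one of them does produce an authentication, the new context is saved and the
     * success handler answers the request; the rest of the chain is not invoked. Only
     * {@link SwitchUserAuthenticationException} is resumed to an empty result, because the
     * failure handler has already run for it. Errors from the exit path are not resumed here.
     */
    @Override // org.springframework.web.server.WebFilter
    public Mono<Void> filter(final ServerWebExchange serverWebExchange, final WebFilterChain webFilterChain) {
        final WebFilterExchange webFilterExchange = new WebFilterExchange(serverWebExchange, webFilterChain);
        return switchUser(webFilterExchange).switchIfEmpty(Mono.defer(new Supplier() { // from class: org.springframework.security.web.server.authentication.-$$Lambda$SwitchUserWebFilter$Gvkdv2tCGiLtNAW3pIonkvN5NsQ
            @Override // java.util.function.Supplier
            public final Object get() {
                return SwitchUserWebFilter.this.lambda$filter$0$SwitchUserWebFilter(webFilterExchange);
            }
        })).switchIfEmpty(Mono.defer(new Supplier() { // from class: org.springframework.security.web.server.authentication.-$$Lambda$SwitchUserWebFilter$6HJSrv_t8qDSp1OTYe6f9H4t9AI
            @Override // java.util.function.Supplier
            public final Object get() {
                Mono then;
                // The captured parameter is used; the decompiler had emitted an invalid
                // "WebFilterChain.this" qualifier here. then(Mono.empty()) keeps the result
                // empty so the success step below is skipped for ordinary requests.
                then = webFilterChain.filter(serverWebExchange).then(Mono.empty());
                return then;
            }
        })).flatMap(new Function() { // from class: org.springframework.security.web.server.authentication.-$$Lambda$SwitchUserWebFilter$O-PjIMOntfCB3Y2tEDpZN_9gwRI
            @Override // java.util.function.Function
            public final Object apply(Object obj) {
                // Argument order follows the merged method's signature (authentication first).
                return SwitchUserWebFilter.this.lambda$filter$2$SwitchUserWebFilter((Authentication) obj, webFilterExchange);
            }
        }).onErrorResume(SwitchUserAuthenticationException.class, new Function() { // from class: org.springframework.security.web.server.authentication.-$$Lambda$SwitchUserWebFilter$hvsfRvwfQbl3fnySLbssiVmIb7o
            @Override // java.util.function.Function
            public final Object apply(Object obj) {
                Mono empty;
                empty = Mono.empty();
                return empty;
            }
        });
    }

    /**
     * Returns the first {@code username} query parameter, or null when it is absent.
     *
     * <p>Only the URL query string is read, not the request body, so with the default POST
     * matchers the target name still travels in the URL and will appear wherever request
     * URLs are recorded. A null result is rejected by {@code Assert.notNull} in
     * {@code attemptSwitchUser}; that failure is not an {@code AuthenticationException}, so
     * the error handler attached in {@code switchUser} does not route it to the failure
     * handler.
     */
    protected String getUsername(ServerWebExchange serverWebExchange) {
        return serverWebExchange.getRequest().getQueryParams().getFirst(SPRING_SECURITY_SWITCH_USERNAME_KEY);
    }

    /**
     * Resolves the current authentication for an exit request; signals
     * {@link #noCurrentUserException()} when the context yields nothing.
     */
    public /* synthetic */ Mono lambda$exitSwitchUser$7$SwitchUserWebFilter(ServerWebExchangeMatcher.MatchResult matchResult) {
        // The INSTANCE lambda is not shown; presumably SecurityContext::getAuthentication.
        return ReactiveSecurityContextHolder.getContext().map($$Lambda$i9hJLRfjJqbe33wC7r43i3uBOlQ.INSTANCE).switchIfEmpty(Mono.error(new Supplier() { // from class: org.springframework.security.web.server.authentication.-$$Lambda$SwitchUserWebFilter$l3T0d89S67Lj8Z4uCmpnpgV4a7s
            @Override // java.util.function.Supplier
            public final Object get() {
                AuthenticationCredentialsNotFoundException noCurrentUserException;
                noCurrentUserException = SwitchUserWebFilter.this.noCurrentUserException();
                return noCurrentUserException;
            }
        }));
    }

    /** Fallback used when no failure handler is configured: log and propagate the error. */
    public /* synthetic */ Mono lambda$onAuthenticationFailure$9$SwitchUserWebFilter(AuthenticationException authenticationException) {
        this.logger.error("Switch User failed", authenticationException);
        return Mono.error(authenticationException);
    }

    /** Starts a switch for the username taken from the request. */
    public /* synthetic */ Mono lambda$switchUser$5$SwitchUserWebFilter(WebFilterExchange webFilterExchange, Authentication authentication) {
        return attemptSwitchUser(authentication, getUsername(webFilterExchange.getExchange()));
    }

    /**
     * Runs failure handling for a failed switch, then signals
     * {@link SwitchUserAuthenticationException} so that {@link #filter} stops processing.
     */
    public /* synthetic */ Mono lambda$switchUser$6$SwitchUserWebFilter(WebFilterExchange webFilterExchange, AuthenticationException authenticationException) {
        return onAuthenticationFailure(authenticationException, webFilterExchange).then(Mono.error(new SwitchUserAuthenticationException(authenticationException)));
    }

    /**
     * Replaces the matcher that identifies exit requests.
     *
     * @param serverWebExchangeMatcher the new matcher; must not be null
     */
    public void setExitUserMatcher(ServerWebExchangeMatcher serverWebExchangeMatcher) {
        Assert.notNull(serverWebExchangeMatcher, "exitUserMatcher cannot be null");
        this.exitUserMatcher = serverWebExchangeMatcher;
    }

    /**
     * Sets the exit URL; the resulting matcher accepts {@code POST} on that path only.
     *
     * @param str the path; must pass {@code UrlUtils.isValidRedirectUrl}
     */
    public void setExitUserUrl(String str) {
        Assert.isTrue(UrlUtils.isValidRedirectUrl(str), "exitUserUrl cannot be empty and must be a valid redirect URL");
        this.exitUserMatcher = createMatcher(str);
    }

    /**
     * Replaces the repository used to save the switched security context.
     *
     * @param serverSecurityContextRepository the new repository; must not be null
     */
    public void setSecurityContextRepository(ServerSecurityContextRepository serverSecurityContextRepository) {
        Assert.notNull(serverSecurityContextRepository, "securityContextRepository cannot be null");
        this.securityContextRepository = serverSecurityContextRepository;
    }

    /**
     * Replaces the matcher that identifies switch requests. A custom matcher also replaces
     * the default POST-only restriction, so the method constraint becomes the caller's choice.
     *
     * @param serverWebExchangeMatcher the new matcher; must not be null
     */
    public void setSwitchUserMatcher(ServerWebExchangeMatcher serverWebExchangeMatcher) {
        Assert.notNull(serverWebExchangeMatcher, "switchUserMatcher cannot be null");
        this.switchUserMatcher = serverWebExchangeMatcher;
    }

    /**
     * Sets the switch URL; the resulting matcher accepts {@code POST} on that path only.
     *
     * @param str the path; must pass {@code UrlUtils.isValidRedirectUrl}
     */
    public void setSwitchUserUrl(String str) {
        Assert.isTrue(UrlUtils.isValidRedirectUrl(str), "switchUserUrl cannot be empty and must be a valid redirect URL");
        this.switchUserMatcher = createMatcher(str);
    }

    /**
     * Handles a switch request: when {@code switchUserMatcher} matches, resolves the current
     * authentication and attempts the switch.
     *
     * <p>No authority check on the caller is visible on this path. An
     * {@code AuthenticationException} is routed to failure handling; other errors propagate.
     *
     * @return the switched token, or empty when the request is not a switch request or has
     *     no security context
     */
    protected Mono<Authentication> switchUser(final WebFilterExchange webFilterExchange) {
        // The INSTANCE lambdas are not shown; presumably MatchResult::isMatch and
        // SecurityContext::getAuthentication.
        return this.switchUserMatcher.matches(webFilterExchange.getExchange()).filter($$Lambda$XJxKU7dlh20UO6iiJY8Ek9QMFc.INSTANCE).flatMap(new Function() { // from class: org.springframework.security.web.server.authentication.-$$Lambda$SwitchUserWebFilter$iz4rf1CIbIXnn9Xfu2YDYCZeAD4
            @Override // java.util.function.Function
            public final Object apply(Object obj) {
                Mono context;
                context = ReactiveSecurityContextHolder.getContext();
                return context;
            }
        }).map($$Lambda$i9hJLRfjJqbe33wC7r43i3uBOlQ.INSTANCE).flatMap(new Function() { // from class: org.springframework.security.web.server.authentication.-$$Lambda$SwitchUserWebFilter$vRgBrKhlNT5mXi6uhOxfE15OWyE
            @Override // java.util.function.Function
            public final Object apply(Object obj) {
                return SwitchUserWebFilter.this.lambda$switchUser$5$SwitchUserWebFilter(webFilterExchange, (Authentication) obj);
            }
        }).onErrorResume(AuthenticationException.class, new Function() { // from class: org.springframework.security.web.server.authentication.-$$Lambda$SwitchUserWebFilter$pQx518MMQSNIG4fKjHcEWw2rQEc
            @Override // java.util.function.Function
            public final Object apply(Object obj) {
                return SwitchUserWebFilter.this.lambda$switchUser$6$SwitchUserWebFilter(webFilterExchange, (AuthenticationException) obj);
            }
        });
    }
}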
