package org.jenkinsci.plugins;

import com.fasterxml.jackson.annotation.JsonProperty;
import hudson.security.SecurityRealm;
import java.io.IOException;
import java.util.Calendar;
import java.util.Date;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import jenkins.model.Jenkins;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.ServerRequest;

/* loaded from: input_file:WEB-INF/lib/keycloak.jar:org/jenkinsci/plugins/RefreshFilter.class */
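/**
 * Servlet filter that keeps a Jenkins session in step with its Keycloak tokens.
 *
 * <p>When the active security realm is a {@link KeycloakSecurityRealm} configured to check
 * Keycloak on each request, the filter refreshes the access token through the stored refresh
 * token. If the refresh token has expired, or the refresh call fails, the response is redirected
 * to the Jenkins logout URL and the request is not passed down the chain.
 */
public class RefreshFilter implements Filter {
    private static final Logger LOGGER = Logger.getLogger(RefreshFilter.class.getName());
    private transient boolean initCalled = false;

    /** Records that the container initialised this filter; the configuration is not read. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.initCalled = true;
    }

    /**
     * Neutralises line breaks in a request-controlled value before it is written to the log.
     *
     * <p>{@code getPathInfo()} is URL-decoded by the container, so an encoded CR/LF could
     * otherwise start a forged log line.
     *
     * @param value the value to log, may be {@code null}
     * @return the value with CR and LF replaced by {@code _}, or {@code null}
     */
    private static String sanitizeForLog(String value) {
        return value == null ? null : value.replace('\r', '_').replace('\n', '_');
    }

    /**
     * Tells whether the token check must be skipped for this request.
     *
     * <p>The logout and finish-login endpoints are excluded; checking them would redirect the
     * logout redirect itself or interrupt the login callback.
     *
     * @param httpServletRequest the current request
     * @return {@code true} when the path info ends with {@code /logout} or with the
     *     finish-login URL, {@code false} otherwise (including a {@code null} path info)
     */
    private boolean skipUrl(HttpServletRequest httpServletRequest) {
        String pathInfo = httpServletRequest.getPathInfo();
        LOGGER.log(Level.FINEST, "Path" + sanitizeForLog(pathInfo));
        if (pathInfo == null) {
            return false;
        }
        // NOTE(review): this is a suffix match, so every path that ends in "/logout" skips the
        // token check, not only the Jenkins logout endpoint. Confirm that is intended.
        return pathInfo.endsWith("/logout") || pathInfo.endsWith(KeycloakSecurityRealm.JENKINS_FINISH_LOGIN_URL);
    }

    /**
     * Runs the Keycloak token check and, unless it ended in a logout redirect, continues the
     * filter chain.
     *
     * @param servletRequest the incoming request, cast to {@link HttpServletRequest}
     * @param servletResponse the response, used for the logout redirect
     * @param filterChain the remaining chain
     * @throws IOException if the redirect, the token refresh or the chain fails with an I/O error
     * @throws ServletException if the chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        LOGGER.log(Level.FINER, "KeycloakFilter entered");
        Jenkins activeInstance = Jenkins.getActiveInstance();
        SecurityRealm securityRealm = activeInstance == null ? null : activeInstance.getSecurityRealm();
        if (!(securityRealm instanceof KeycloakSecurityRealm)) {
            // NOTE(review): the request is dropped here without reaching the rest of the chain,
            // so the client gets an empty response whenever this filter is installed while
            // another realm is active. Confirm the filter is only registered together with the
            // Keycloak realm, or pass the request through instead.
            return;
        }
        KeycloakSecurityRealm keycloakSecurityRealm = (KeycloakSecurityRealm) securityRealm;
        LOGGER.log(Level.FINER, "KeycloakSecurityRealm found");
        boolean checkKeycloakOnEachRequest = keycloakSecurityRealm.checkKeycloakOnEachRequest();
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        // NOTE(review): getSession() creates a session when the request has none, so anonymous
        // requests allocate one here as well; getSession(false) would avoid that.
        Boolean authRequestedAttribute = (Boolean) httpServletRequest.getSession().getAttribute(KeycloakSecurityRealm.AUTH_REQUESTED);
        boolean authenticationRequested = authRequestedAttribute != null && authRequestedAttribute.booleanValue();
        boolean skipUrl = skipUrl(httpServletRequest);
        LOGGER.log(Level.FINEST, "RequestPath" + sanitizeForLog(httpServletRequest.getPathInfo()) + " skipUrl" + skipUrl + " AuthenticationRequested" + authenticationRequested + " CheckRequest" + checkKeycloakOnEachRequest);
        if (checkKeycloakOnEachRequest && !skipUrl && authenticationRequested && checkTokenValidity(servletResponse, keycloakSecurityRealm)) {
            // A logout redirect has been sent; the protected resource must not be served.
            return;
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Checks the Keycloak tokens of the current authentication and refreshes the access token
     * when it is due.
     *
     * @param servletResponse the response to redirect when the session can no longer be renewed
     * @param keycloakSecurityRealm the active realm, source of the deployment and the settings
     * @return {@code true} if a redirect to the logout URL was sent and request processing must
     *     stop, {@code false} if the request may continue
     * @throws IOException if the redirect or the refresh request fails with an I/O error
     */
    private boolean checkTokenValidity(ServletResponse servletResponse, KeycloakSecurityRealm keycloakSecurityRealm) throws IOException {
        LOGGER.log(Level.FINE, "KeycloakFilter is active");
        KeycloakDeployment keycloakDeployment = keycloakSecurityRealm.getKeycloakDeployment();
        SecurityContext context = SecurityContextHolder.getContext();
        if (context == null) {
            return false;
        }
        Object authentication = context.getAuthentication();
        if (!(authentication instanceof KeycloakAuthentication)) {
            return false;
        }
        KeycloakAuthentication keycloakAuthentication = (KeycloakAuthentication) authentication;
        if (keycloakAuthentication.isRefreshExpired()) {
            LOGGER.log(Level.FINE, "Keycloak refresh token is expired. Refresh token expiry " + keycloakAuthentication.getAccessTokenResponse().getRefreshExpiresIn() + " seconds. Last refresh " + keycloakAuthentication.getLastRefresh() + ". Current Time " + new Date());
            redirectToJenkinsLogoutUrl(servletResponse);
            // Stop here. Falling through would send the expired refresh token to Keycloak, and
            // the resulting failure would call reset() on the already committed response, which
            // throws IllegalStateException.
            return true;
        }
        try {
            boolean respectAccessTokenTimeout = keycloakSecurityRealm.respectAccessTokenTimeout();
            Calendar oneSecondAgo = Calendar.getInstance();
            oneSecondAgo.add(Calendar.SECOND, -1);
            // True when the last refresh is more than one second old.
            boolean after = oneSecondAgo.after(keycloakAuthentication.getLastRefreshDateAsCalendar());
            boolean isAccessExpired = keycloakAuthentication.isAccessExpired();
            // Either honour the access token lifetime, or renew on every request that arrives
            // more than one second after the previous refresh.
            if ((respectAccessTokenTimeout && isAccessExpired) || (!respectAccessTokenTimeout && after)) {
                LOGGER.log(Level.FINE, "KeycloakFilter refresh token. Respect access token timeout: " + respectAccessTokenTimeout + ". Access token expired " + isAccessExpired + ". Renew after 1 second:" + after);
                keycloakAuthentication.setAccessTokenResponse(ServerRequest.invokeRefresh(keycloakDeployment, keycloakAuthentication.getRefreshToken()));
            }
        } catch (ServerRequest.HttpFailure e) {
            // Keycloak rejected the refresh: end the Jenkins session instead of serving the
            // request with tokens that could not be renewed.
            LOGGER.log(Level.INFO, "Refresh Token failed, message is: " + e.getMessage() + ", error is:" + e.getError() + ", statuscode is:" + e.getStatus());
            redirectToJenkinsLogoutUrl(servletResponse);
            return true;
        }
        return false;
    }

    /**
     * Discards any buffered output and redirects the client to the Jenkins logout URL.
     *
     * <p>The target is built from the configured Jenkins root URL, not from request data. When
     * no root URL is configured the relative path {@code logout} is used.
     *
     * @param servletResponse the response to redirect, cast to {@link HttpServletResponse}
     * @throws IOException if the redirect cannot be sent
     */
    private void redirectToJenkinsLogoutUrl(ServletResponse servletResponse) throws IOException {
        servletResponse.reset();
        Jenkins activeInstance = Jenkins.getActiveInstance();
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        LOGGER.log(Level.INFO, "KeycloakFilter logout requested");
        String rootUrl = activeInstance.getRootUrl();
        if (rootUrl == null) {
            rootUrl = "";
        }
        String logoutUrl = rootUrl + "logout";
        LOGGER.log(Level.INFO, "Redirect to " + logoutUrl);
        httpServletResponse.sendRedirect(logoutUrl);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * @return {@code true} once {@link #init(FilterConfig)} has been called
     */
    public boolean isInitCalled() {
        return this.initCalled;
    }
}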
