package io.hawt.web.auth;

import io.hawt.system.AuthenticateResult;
import io.hawt.system.Authenticator;
import io.hawt.web.ForbiddenReason;
import io.hawt.web.ServletHelpers;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletContext;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/hawtio-system-4.1.0.jar:io/hawt/web/auth/AuthenticationFilter.class */
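/**
 * Servlet filter that decides whether a request may continue down the chain.
 *
 * <p>Requests pass straight through when authentication is disabled or no realm is configured.
 * Otherwise the filter reuses the {@link Subject} stored in the HTTP session under the
 * {@code "subject"} attribute, or delegates to {@link Authenticator} and maps its result to an
 * HTTP response.
 *
 * <p>Paths that reach the chain without any credential check in this filter:
 * <ul>
 *   <li>every {@code OPTIONS} request;</li>
 *   <li>the relative URI {@code proxy/enabled}.</li>
 * </ul>
 * Anything mapped behind those two must not rely on this filter for access control.
 */
public class AuthenticationFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationFilter.class);

    // Loaded once in init() from the servlet context.
    protected AuthenticationConfiguration authConfiguration;
    // Session timeout read in init(); not read anywhere else in this class.
    protected int timeout;
    // Index handed to RelativeRequestUri to locate the hawtio-relative part of the request URI.
    private int pathIndex;

    /**
     * Classification of a request with respect to the {@code proxy} path prefix.
     *
     * <p>Decompiler note (JADX): the access modifier was widened from {@code protected}.
     * Loaded from: input_file:BOOT-INF/lib/hawtio-system-4.1.0.jar:io/hawt/web/auth/AuthenticationFilter$ProxyRequestType.class
     */
    public enum ProxyRequestType {
        /** First relative path component is {@code proxy} (and the URI is not {@code proxy/enabled}). */
        PROXY,
        /** Relative URI is exactly {@code proxy/enabled}. */
        PROXY_ENABLED,
        /** Any other request. */
        NOT_PROXY
    }

    /**
     * Reads the authentication configuration, session timeout and hawtio path index from the
     * servlet context.
     *
     * @param filterConfig filter configuration supplied by the container
     * @throws ServletException declared by the {@link Filter} contract
     */
    @Override // jakarta.servlet.Filter
    public void init(FilterConfig filterConfig) throws ServletException {
        ServletContext context = filterConfig.getServletContext();
        this.authConfiguration = AuthenticationConfiguration.getConfiguration(context);
        this.timeout = AuthSessionHelpers.getSessionTimeout(context);
        this.pathIndex = ServletHelpers.hawtioPathIndex(context);
    }

    /**
     * Applies the authentication decision to one request.
     *
     * @param servletRequest incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse outgoing response; cast to {@link HttpServletResponse}
     * @param filterChain remainder of the chain, invoked only when the request is allowed
     * @throws IOException if the chain fails on one of the direct pass-through paths
     * @throws ServletException if the chain fails on one of the direct pass-through paths
     */
    @Override // jakarta.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        LOG.trace("Applying {}", getClass().getSimpleName());
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        // OPTIONS is forwarded before any configuration or credential check.
        // NOTE(review): presumably for CORS preflight, which carries no credentials; whatever
        // answers OPTIONS downstream is therefore reachable unauthenticated.
        if ("OPTIONS".equals(request.getMethod())) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        String servletPath = request.getServletPath();
        LOG.debug("Handling request for path: {}", servletPath);

        // Authentication is skipped entirely when it is disabled or when no realm is configured.
        if (!this.authConfiguration.isEnabled() || this.authConfiguration.getRealm() == null || this.authConfiguration.getRealm().isEmpty()) {
            LOG.debug("No authentication needed for path: {}", servletPath);
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        ProxyRequestType proxyRequestType = isProxyMode(request);
        // proxy/enabled is forwarded without a session or credentials.
        if (proxyRequestType == ProxyRequestType.PROXY_ENABLED) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // getSession(false): never create a session for an unauthenticated caller.
        HttpSession session = request.getSession(false);

        if (proxyRequestType == ProxyRequestType.PROXY) {
            // Proxy requests never start a login here: they need an existing session that
            // already holds a subject, otherwise they are answered with a forbidden response.
            if (session == null) {
                ServletHelpers.doForbidden(response, ForbiddenReason.SESSION_EXPIRED);
                return;
            }
            Subject proxySubject = (Subject) session.getAttribute("subject");
            // NOTE(review): only the presence of the subject is checked on this branch;
            // AuthSessionHelpers.validate is not called and the chain does not run under
            // Subject.doAs. Confirm that is intended for proxied calls.
            if (proxySubject != null) {
                filterChain.doFilter(servletRequest, servletResponse);
            } else {
                ServletHelpers.doForbidden(response);
            }
            return;
        }

        if (session != null) {
            Subject sessionSubject = (Subject) session.getAttribute("subject");
            if (AuthSessionHelpers.validate(request, session, sessionSubject)) {
                executeAs(servletRequest, servletResponse, filterChain, sessionSubject);
                return;
            }
            // A session that fails validation falls through to a fresh authentication attempt.
        }

        LOG.debug("Doing authentication and authorization for path: {}", servletPath);
        // The callback runs the rest of the chain as the authenticated subject.
        AuthenticateResult result = new Authenticator(request, this.authConfiguration)
                .authenticate(authenticated -> executeAs(servletRequest, servletResponse, filterChain, authenticated));

        switch (result.getType()) {
            case NOT_AUTHORIZED:
                ServletHelpers.doForbidden(response);
                break;
            case NO_CREDENTIALS:
                // Configuration decides between an authentication prompt and a plain forbidden.
                if (this.authConfiguration.isNoCredentials401()) {
                    ServletHelpers.doAuthPrompt(response, this.authConfiguration.getRealm());
                } else {
                    ServletHelpers.doForbidden(response);
                }
                break;
            case THROTTLED:
                ServletHelpers.doTooManyRequests(response, result.getRetryAfter());
                break;
            case AUTHORIZED:
            default:
                // Nothing is written here for AUTHORIZED or for any other result type.
                break;
        }
    }

    /**
     * Classifies the request by its hawtio-relative URI.
     *
     * @param httpServletRequest request to classify
     * @return {@link ProxyRequestType#PROXY_ENABLED} for {@code proxy/enabled},
     *     {@link ProxyRequestType#PROXY} for any other URI whose first component is
     *     {@code proxy}, otherwise {@link ProxyRequestType#NOT_PROXY}
     */
    protected ProxyRequestType isProxyMode(HttpServletRequest httpServletRequest) {
        RelativeRequestUri relativeUri = new RelativeRequestUri(httpServletRequest, this.pathIndex);
        if (relativeUri.getComponents().length == 0 || !"proxy".equals(relativeUri.getComponents()[0])) {
            return ProxyRequestType.NOT_PROXY;
        }
        // Constant on the left so a null URI classifies as PROXY instead of throwing.
        // The match is exact: any other URI under the proxy prefix stays PROXY and is
        // subject to the session check in doFilter.
        return "proxy/enabled".equals(relativeUri.getUri())
                ? ProxyRequestType.PROXY_ENABLED
                : ProxyRequestType.PROXY;
    }

    /**
     * Runs the remainder of the filter chain with {@code subject} as the current JAAS subject.
     *
     * <p>A {@link PrivilegedActionException} raised by the chain is logged at INFO and not
     * rethrown, so callers cannot observe a downstream failure and no error status is written
     * by this method.
     * NOTE(review): confirm that an outer filter or the container turns such a failure into an
     * error response, otherwise the client may receive an empty success response.
     *
     * <p>Decompiler note (JADX): the access modifier was widened from {@code private}.
     *
     * @param servletRequest request passed to the chain
     * @param servletResponse response passed to the chain
     * @param filterChain remainder of the chain
     * @param subject subject to run the chain as
     */
    public static void executeAs(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain, Subject subject) {
        try {
            // The cast selects the PrivilegedExceptionAction overload: a bare lambda is
            // ambiguous between doAs(Subject, PrivilegedAction) and
            // doAs(Subject, PrivilegedExceptionAction), and the body throws checked exceptions.
            // Subject.doAs is deprecated for removal on newer JDKs; Subject.callAs replaces it.
            Subject.doAs(subject, (PrivilegedExceptionAction<Object>) () -> {
                filterChain.doFilter(servletRequest, servletResponse);
                return null;
            });
        } catch (PrivilegedActionException e) {
            LOG.info("Failed to invoke action {} due to:", ((HttpServletRequest) servletRequest).getPathInfo(), e);
        }
    }

    /** Logs that the filter is being taken out of service; holds no resources to release. */
    @Override // jakarta.servlet.Filter
    public void destroy() {
        LOG.info("Destroying hawtio authentication filter");
    }
}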
