package li.strolch.rest.filters;

import jakarta.annotation.Priority;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.Cookie;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.Provider;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import li.strolch.exception.StrolchAccessDeniedException;
import li.strolch.exception.StrolchNotAuthenticatedException;
import li.strolch.privilege.model.Certificate;
import li.strolch.privilege.model.Usage;
import li.strolch.rest.RestfulStrolchComponent;
import li.strolch.rest.StrolchRestfulConstants;
import li.strolch.rest.StrolchSessionHandler;
import li.strolch.utils.helper.StringHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Provider
@Priority(1000)
/* loaded from: input_file:li/strolch/rest/filters/AuthenticationRequestFilter.class */
public class AuthenticationRequestFilter implements ContainerRequestFilter {
    private static final Logger logger = LoggerFactory.getLogger(AuthenticationRequestFilter.class);

    @Context
    private HttpServletRequest request;
    private Set<String> unsecuredPaths;

    protected RestfulStrolchComponent getRestful() {
        return RestfulStrolchComponent.getInstance();
    }

    protected StrolchSessionHandler getSessionHandler() {
        return getRestful().getSessionHandler();
    }

    protected Set<String> getUnsecuredPaths() {
        HashSet hashSet = new HashSet();
        hashSet.add("strolch/authentication");
        hashSet.add("strolch/authentication/sso");
        hashSet.add("strolch/version");
        hashSet.add("strolch/languages");
        return hashSet;
    }

    protected boolean isUnsecuredPath(ContainerRequestContext containerRequestContext) {
        if (containerRequestContext.getMethod().equals("OPTIONS")) {
            return true;
        }
        List matchedURIs = containerRequestContext.getUriInfo().getMatchedURIs();
        if (this.unsecuredPaths == null) {
            this.unsecuredPaths = getUnsecuredPaths();
        }
        return matchedURIs.stream().anyMatch(str -> {
            return this.unsecuredPaths.contains(str);
        });
    }

    public void filter(ContainerRequestContext containerRequestContext) {
        String remoteIp = getRemoteIp(this.request);
        logger.info("Remote IP: " + remoteIp + ": " + containerRequestContext.getMethod() + " " + String.valueOf(containerRequestContext.getUriInfo().getRequestUri()));
        try {
            if (isUnsecuredPath(containerRequestContext)) {
                setCertificateIfAvailable(containerRequestContext, remoteIp);
            } else {
                validateSession(containerRequestContext, remoteIp);
            }
        } catch (StrolchAccessDeniedException e) {
            logger.error(e.getMessage());
            containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).header("Content-Type", "text/plain").entity("User is not authorized!").build());
        } catch (Exception e2) {
            logger.error(e2.getMessage());
            containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).header("Content-Type", "text/plain").entity("User cannot access the resource.").build());
        } catch (StrolchNotAuthenticatedException e3) {
            logger.error(e3.getMessage());
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).header("Content-Type", "text/plain").entity("User is not authenticated!").build());
        }
    }

    protected void setCertificateIfAvailable(ContainerRequestContext containerRequestContext, String str) {
        StrolchSessionHandler sessionHandler = getSessionHandler();
        String trimOrEmpty = StringHelper.trimOrEmpty(containerRequestContext.getHeaderString("Authorization"));
        if (StringHelper.isNotEmpty(trimOrEmpty)) {
            if (sessionHandler.isSessionKnown(trimOrEmpty)) {
                validateCertificate(containerRequestContext, trimOrEmpty, str);
                return;
            } else {
                logger.error("Session " + trimOrEmpty + " by authorization header does not exist anymore, ignoring!");
                return;
            }
        }
        String sessionIdFromCookie = getSessionIdFromCookie(containerRequestContext);
        if (StringHelper.isEmpty(sessionIdFromCookie)) {
            return;
        }
        if (sessionHandler.isSessionKnown(sessionIdFromCookie)) {
            validateCertificate(containerRequestContext, sessionIdFromCookie, str);
        } else {
            logger.error("Session " + sessionIdFromCookie + " by cookie does not exist anymore, ignoring!");
        }
    }

    protected Certificate validateSession(ContainerRequestContext containerRequestContext, String str) {
        String trimOrEmpty = StringHelper.trimOrEmpty(containerRequestContext.getHeaderString("Authorization"));
        return trimOrEmpty.isEmpty() ? validateCookie(containerRequestContext, str) : trimOrEmpty.startsWith("Basic ") ? authenticateBasic(containerRequestContext, trimOrEmpty, str) : validateCertificate(containerRequestContext, trimOrEmpty, str);
    }

    protected String getSessionIdFromCookie(ContainerRequestContext containerRequestContext) {
        String value;
        Cookie cookie = (Cookie) containerRequestContext.getCookies().get(StrolchRestfulConstants.STROLCH_AUTHORIZATION);
        return (cookie == null || (value = cookie.getValue()) == null) ? "" : value.trim();
    }

    protected Certificate validateCookie(ContainerRequestContext containerRequestContext, String str) {
        String sessionIdFromCookie = getSessionIdFromCookie(containerRequestContext);
        if (!StringHelper.isEmpty(sessionIdFromCookie)) {
            return validateCertificate(containerRequestContext, sessionIdFromCookie, str);
        }
        logger.error("No Authorization header or cookie on request to URL " + containerRequestContext.getUriInfo().getPath());
        containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).header("Content-Type", "text/plain").entity("Missing Authorization!").build());
        return null;
    }

    protected Certificate authenticateBasic(ContainerRequestContext containerRequestContext, String str, String str2) {
        if (!getRestful().isBasicAuthEnabled()) {
            logger.error("Basic Auth is not available for URL " + containerRequestContext.getUriInfo().getPath());
            containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).header("Content-Type", "text/plain").entity("Basic Auth not available").build());
            return null;
        }
        String[] split = new String(Base64.getDecoder().decode(str.substring("Basic ".length()).getBytes()), StandardCharsets.UTF_8).split(":");
        if (split.length != 2) {
            containerRequestContext.abortWith(Response.status(Response.Status.BAD_REQUEST).header("Content-Type", "text/plain").entity("Invalid Basic Authorization!").build());
            return null;
        }
        logger.info("Performing basic auth for user " + split[0] + "...");
        Certificate authenticate = getSessionHandler().authenticate(split[0], split[1].toCharArray(), str2, Usage.SINGLE, false);
        containerRequestContext.setProperty(StrolchRestfulConstants.STROLCH_CERTIFICATE, authenticate);
        containerRequestContext.setProperty(StrolchRestfulConstants.STROLCH_REQUEST_SOURCE, str2);
        return authenticate;
    }

    protected Certificate validateCertificate(ContainerRequestContext containerRequestContext, String str, String str2) {
        Certificate validate = getSessionHandler().validate(str, str2);
        if (validate.getUsage() == Usage.SET_PASSWORD && !containerRequestContext.getUriInfo().getMatchedURIs().contains("strolch/privilege/users/" + validate.getUsername() + "/password")) {
            containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).header("Content-Type", "text/plain").entity("Can only set password!").build());
            return null;
        }
        containerRequestContext.setProperty(StrolchRestfulConstants.STROLCH_CERTIFICATE, validate);
        containerRequestContext.setProperty(StrolchRestfulConstants.STROLCH_REQUEST_SOURCE, str2);
        return validate;
    }

    public static String getRemoteIp(HttpServletRequest httpServletRequest) {
        if (httpServletRequest == null) {
            logger.error("HttpServletRequest NOT AVAILABLE! Probably running in TEST!");
            return "(null)";
        }
        String remoteHost = httpServletRequest.getRemoteHost();
        String remoteAddr = httpServletRequest.getRemoteAddr();
        StringBuilder sb = new StringBuilder();
        if (remoteHost.equals(remoteAddr)) {
            sb.append(remoteAddr);
        } else {
            sb.append(remoteHost).append(": (").append(remoteAddr).append(")");
        }
        String header = httpServletRequest.getHeader("X-Forwarded-For");
        if (StringHelper.isNotEmpty(header)) {
            sb.append(" (fwd)=> ").append(header);
        }
        return sb.toString();
    }
}
