package org.apache.unomi.graphql.servlet.auth;

import graphql.language.Definition;
import graphql.language.Field;
import graphql.language.OperationDefinition;
import graphql.parser.Parser;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/unomi/graphql/servlet/auth/GraphQLServletSecurityValidator.class */
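/**
 * Gate in front of the GraphQL servlet: lets a small set of public CDP operations
 * through without credentials and requires HTTP Basic authentication (JAAS realm
 * {@value #JAAS_REALM}) for everything else.
 *
 * <p>Classification is done on the parsed document, never on client-supplied names:
 * an operation is public only when every {@code cdp} root selection stays inside the
 * per-operation allow-list ({@code getProfile} for queries, {@code processEvents} for
 * mutations). Documents that cannot be parsed or classified are treated as
 * non-public, i.e. the validator fails closed.
 */
public class GraphQLServletSecurityValidator {
    private static final Logger LOG = LoggerFactory.getLogger(GraphQLServletSecurityValidator.class);

    /** RFC 7235 requires a challenge on every 401, so both refusal paths send it. */
    private static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";
    private static final String BASIC_CHALLENGE = "Basic realm=\"karaf\"";
    /** Scheme prefix of a Basic credential; matched case-insensitively (the scheme token is). */
    private static final String BASIC_PREFIX = "Basic ";
    /** Root field of the CDP schema; only selections under it are subject to the allow-list. */
    private static final String CDP_ROOT_FIELD = "cdp";
    /** JAAS login configuration entry used to verify Basic credentials. */
    private static final String JAAS_REALM = "karaf";

    private final Parser parser = new Parser();

    /**
     * Decides whether the request may proceed to the GraphQL engine.
     *
     * @param str                 the GraphQL document (query text); may be {@code null}
     * @param str2                not used by this validator — presumably the operation name
     *                            (TODO confirm against the caller); every operation in the
     *                            document is checked, so it is not needed for classification
     * @param httpServletRequest  the incoming request; on success the authenticated
     *                            {@link Subject} is attached to it
     * @param httpServletResponse the response, used to send a 401 challenge on refusal
     * @return {@code true} when the document is public or the caller authenticated,
     *         {@code false} after a 401 has been written
     * @throws IOException if writing the 401 response fails
     */
    public boolean validate(String str, String str2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (isPublicOperation(str)) {
            return true;
        }
        if (httpServletRequest.getHeader("Authorization") == null) {
            sendUnauthorized(httpServletResponse);
            return false;
        }
        if (isAuthenticatedUser(httpServletRequest)) {
            return true;
        }
        sendUnauthorized(httpServletResponse);
        return false;
    }

    /** Writes the Basic challenge and a 401 status. */
    private static void sendUnauthorized(HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.addHeader(WWW_AUTHENTICATE_HEADER, BASIC_CHALLENGE);
        httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /**
     * Returns whether every operation in the document is public.
     *
     * <p>All operation definitions are inspected, not only the first one, so the result does
     * not depend on which operation the client later selects by name. A document with no
     * operation at all (only fragments) cannot execute and is treated as non-public.
     *
     * @param str the GraphQL document text; {@code null}, blank or unparseable input is
     *            non-public rather than an error
     */
    private boolean isPublicOperation(String str) {
        if (str == null || str.trim().isEmpty()) {
            return false;
        }
        List<OperationDefinition> operations;
        try {
            operations = this.parser.parseDocument(str).getDefinitions().stream()
                    .filter(OperationDefinition.class::isInstance)
                    .map(OperationDefinition.class::cast)
                    .collect(Collectors.toList());
        } catch (RuntimeException e) {
            // graphql-java signals syntax errors with unchecked exceptions; an unparseable
            // document cannot be classified, so require credentials instead of failing with a 500
            LOG.debug("Could not parse GraphQL document, treating it as non-public", e);
            return false;
        }
        if (operations.isEmpty()) {
            return false;
        }
        return operations.stream().allMatch(GraphQLServletSecurityValidator::touchesOnlyPublicFields);
    }

    /**
     * Returns whether a single operation stays within the public allow-list.
     *
     * <p>Subscriptions are never public. An operation that does not select the {@code cdp}
     * root at all (introspection, for instance) is public — the operation's name is
     * client-controlled and is deliberately not consulted. Every {@code cdp} root field,
     * including aliased repeats, must select only allow-listed children; fragment spreads
     * and inline fragments are not {@link Field}s and therefore count as non-public.
     */
    private static boolean touchesOnlyPublicFields(OperationDefinition operation) {
        if (OperationDefinition.Operation.SUBSCRIPTION.equals(operation.getOperation())) {
            return false;
        }
        if (operation.getSelectionSet() == null) {
            // syntactically possible but not executable; fail closed
            return false;
        }
        List<String> publicFields = publicFieldsFor(operation.getOperation());
        List<Field> cdpFields = operation.getSelectionSet().getChildren().stream()
                .filter(node -> node instanceof Field && CDP_ROOT_FIELD.equals(((Field) node).getName()))
                .map(Field.class::cast)
                .collect(Collectors.toList());
        if (cdpFields.isEmpty()) {
            return true;
        }
        return cdpFields.stream().allMatch(field -> field.getSelectionSet() != null
                && field.getSelectionSet().getChildren().stream()
                        .allMatch(node -> node instanceof Field && publicFields.contains(((Field) node).getName())));
    }

    /** Allow-listed children of the {@code cdp} root for the given operation type. */
    private static List<String> publicFieldsFor(OperationDefinition.Operation operation) {
        if (OperationDefinition.Operation.QUERY.equals(operation)) {
            return Collections.singletonList("getProfile");
        }
        if (OperationDefinition.Operation.MUTATION.equals(operation)) {
            return Collections.singletonList("processEvents");
        }
        return Collections.emptyList();
    }

    /**
     * Verifies the request's Basic credentials against the JAAS realm.
     *
     * <p>Malformed input (a different scheme, invalid Base64, no {@code ':'} separator) is
     * reported as not authenticated rather than thrown. Credentials are decoded as UTF-8
     * and the decoded copies are zeroed once the login attempt is over.
     *
     * @return {@code true} when login succeeded and a {@link Subject} was attached to the request
     */
    private boolean isAuthenticatedUser(HttpServletRequest httpServletRequest) {
        httpServletRequest.setAttribute("org.osgi.service.http.authentication.type", "BASIC");
        byte[] credentials = decodeBasicCredentials(httpServletRequest.getHeader("Authorization"));
        if (credentials == null) {
            return false;
        }
        // RFC 7617: user-id ":" password. A byte scan is safe for UTF-8 because ':' (0x3A)
        // never appears inside a multi-byte sequence.
        int separator = indexOf(credentials, (byte) ':');
        if (separator < 0) {
            Arrays.fill(credentials, (byte) 0);
            return false;
        }
        String user = new String(credentials, 0, separator, StandardCharsets.UTF_8);
        CharBuffer decoded = StandardCharsets.UTF_8.decode(
                ByteBuffer.wrap(credentials, separator + 1, credentials.length - separator - 1));
        char[] password = new char[decoded.remaining()];
        decoded.get(password);
        try {
            return login(httpServletRequest, user, password);
        } finally {
            Arrays.fill(password, '\0');
            if (decoded.hasArray()) {
                Arrays.fill(decoded.array(), '\0');
            }
            Arrays.fill(credentials, (byte) 0);
        }
    }

    /**
     * Extracts and Base64-decodes the payload of a Basic Authorization header.
     *
     * @return the raw {@code user:password} bytes, or {@code null} when the header is absent,
     *         uses another scheme, or is not valid Base64
     */
    private static byte[] decodeBasicCredentials(String authorization) {
        if (authorization == null
                || !authorization.regionMatches(true, 0, BASIC_PREFIX, 0, BASIC_PREFIX.length())) {
            return null;
        }
        try {
            return Base64.getDecoder().decode(authorization.substring(BASIC_PREFIX.length()));
        } catch (IllegalArgumentException e) {
            LOG.debug("Authorization header payload is not valid Base64");
            return null;
        }
    }

    /** Index of the first occurrence of {@code needle} in {@code haystack}, or -1. */
    private static int indexOf(byte[] haystack, byte needle) {
        for (int i = 0; i < haystack.length; i++) {
            if (haystack[i] == needle) {
                return i;
            }
        }
        return -1;
    }

    /**
     * Runs the JAAS login and, on success, attaches the resulting {@link Subject} to the request.
     *
     * <p>{@link PasswordCallback#setPassword(char[])} copies the array, so the caller may zero
     * its own copy afterwards; clearing the callback's copy is left to the login module.
     */
    private static boolean login(HttpServletRequest httpServletRequest, String user, char[] password) {
        try {
            LoginContext loginContext = new LoginContext(JAAS_REALM, callbacks -> {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName(user);
                    } else if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(callback);
                    }
                }
            });
            loginContext.login();
            Subject subject = loginContext.getSubject();
            if (subject == null) {
                return false;
            }
            httpServletRequest.setAttribute("org.osgi.service.http.authentication.remote.user", subject);
            return true;
        } catch (LoginException e) {
            LOG.warn("Login failed", e);
            return false;
        }
    }
}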
