package org.lockss.spring.auth;

import java.io.IOException;
import java.security.AccessControlException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.lockss.account.AccountManager;
import org.lockss.account.UserAccount;
import org.lockss.app.LockssDaemon;
import org.lockss.config.ConfigManager;
import org.lockss.config.Configuration;
import org.lockss.log.L4JLogger;
import org.lockss.util.IpFilter;
import org.lockss.util.ListUtil;
import org.lockss.util.StringUtil;
import org.lockss.util.time.Deadline;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:org/lockss/spring/auth/SpringAuthenticationFilter.class */
public class SpringAuthenticationFilter extends GenericFilterBean {
    private static final String MISSING_AUTH_HEADER = "No authentication header.";
    private static final String MISSING_CREDENTIALS = "No userid/password credentials.";
    private static final String BAD_CREDENTIALS = "Bad userid/password credentials.";
    private static final String INVALID_AUTH_TYPE = "Invalid Authentication Type (must be \"basic\" or \"none\").";
    private static final String ACCESS_PREFIX = "org.lockss.ui.access.";
    public static final String PARAM_IP_INCLUDE = "org.lockss.ui.access.ip.include";
    public static final String PARAM_IP_EXCLUDE = "org.lockss.ui.access.ip.exclude";
    private static final String AUTH_PREFIX = "org.lockss.restAuth.";
    public static final String BASIC_AUTH_TYPE = "basic";
    public static final String NONE_AUTH_TYPE = "none";
    public static final String PARAM_AUTH_TYPE = "org.lockss.restAuth.authenticationType";
    public static final String DEFAULT_AUTH_TYPE = "none";
    public static final String PARAM_ALLOW_UNAUTHENTICATED_READ = "org.lockss.restAuth.allowUnauthenticatedRead";
    public static final boolean DEFAULT_ALLOW_UNAUTHENTICATED_READ = false;
    public static final String PARAM_ALLOW_LOOPBACK = "org.lockss.ui.access.allowLoopback";
    public static final boolean DEFAULT_ALLOW_LOOPBACK = true;
    public static final String PARAM_LOG_FORBIDDEN = "org.lockss.ui.access.logForbidden";
    public static final boolean DEFAULT_LOG_FORBIDDEN = true;
    private Environment env;
    private LockssDaemon daemon;
    private boolean isConfigSet = false;
    private String authType = "none";
    private boolean allowUnauthenticatedRead = false;
    private boolean logForbidden = true;
    private boolean allowLocal = true;
    private IpFilter ipFilter;
    private IpFilter localFilter;
    private static final L4JLogger log = L4JLogger.getLogger();
    private static List<String> LOCAL_IP_FILTERS = ListUtil.list(new String[]{"127.0.0.0/8", "::1"});
    public static String PARAM_READY_WAIT_TIME = "org.lockss.service.readyWait";
    public static long DEFAULT_READY_WAIT_TIME = 60000;
    public static String PARAM_CONFIG_WAIT_TIME = "org.lockss.service.configWait";
    public static long DEFAULT_CONFIG_WAIT_TIME = 60000;

    public SpringAuthenticationFilter() {
        createLocalFilter(Collections.emptyList());
    }

    public void setConfig(Configuration configuration, Configuration configuration2, Configuration.Differences differences) {
        log.debug2("setConfig: {}, {}", this, configuration);
        if (differences.contains(AUTH_PREFIX) || differences.contains(ACCESS_PREFIX) || differences.contains("org.lockss.platform.containerSubnets")) {
            this.authType = configuration.get(PARAM_AUTH_TYPE, "none");
            this.allowUnauthenticatedRead = configuration.getBoolean(PARAM_ALLOW_UNAUTHENTICATED_READ, false);
            this.logForbidden = configuration.getBoolean(PARAM_LOG_FORBIDDEN, true);
            this.allowLocal = configuration.getBoolean(PARAM_ALLOW_LOOPBACK, true);
            createLocalFilter(ConfigManager.getPlatformContainerSubnets());
            setIpFilter(configuration.get(PARAM_IP_INCLUDE), configuration.get(PARAM_IP_EXCLUDE));
        }
        this.isConfigSet = true;
    }

    private void setIpFilter(String str, String str2) {
        log.debug("Installing new ip filter: incl: {}, excl: {}", str, str2);
        try {
            IpFilter ipFilter = new IpFilter();
            ipFilter.setFilters(str, str2);
            this.ipFilter = ipFilter;
        } catch (IpFilter.MalformedException e) {
            log.warn("Malformed IP filter, filters not changed", e);
        }
    }

    private void createLocalFilter(List<String> list) {
        if (this.allowLocal) {
            IpFilter ipFilter = new IpFilter();
            try {
                ArrayList arrayList = new ArrayList(LOCAL_IP_FILTERS);
                arrayList.addAll(list);
                ipFilter.setFilters(arrayList, (List) null);
            } catch (IpFilter.MalformedException e) {
                log.error("Failed to allow local addresses", e);
            }
            this.localFilter = ipFilter;
        }
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        log.debug2("Invoked {}.", this);
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        if (log.isTraceEnabled()) {
            StringBuffer requestURL = httpServletRequest.getRequestURL();
            if (httpServletRequest.getQueryString() != null) {
                requestURL.append("?").append(httpServletRequest.getQueryString());
            }
            log.trace("originalUrl = {}", requestURL);
        }
        String requestURI = httpServletRequest.getRequestURI();
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        String remoteAddr = servletRequest.getRemoteAddr();
        if (requiresIpAuthorization(httpServletRequest)) {
            log.trace("Access to {} requested from {}", requestURI, remoteAddr);
            if (!this.isConfigSet) {
                log.debug2("Config not yet loaded, waiting ...");
                if (!waitConfig(servletRequest)) {
                    log.warn("Timed out waiting for config, can't check IP access");
                    sendNotReady(httpServletResponse);
                    return;
                }
            }
            try {
                if (!isIpAuthorized(remoteAddr)) {
                    if (this.logForbidden) {
                        log.info("Access to {} forbidden from {}", requestURI, remoteAddr);
                    }
                    sendForbidden(httpServletResponse, "Forbidden");
                    return;
                }
                String header = httpServletRequest.getHeader("X-Forwarded-For");
                if (!StringUtils.isEmpty(header)) {
                    String lastElement = lastElement(header);
                    if (!isIpAuthorized(lastElement)) {
                        if (this.logForbidden) {
                            log.info("Access to {} forbidden for request forwarded from {}", requestURI, lastElement);
                        }
                        sendForbidden(httpServletResponse, "Forbidden");
                        return;
                    }
                }
            } catch (Exception e) {
                log.warn("Error checking IP", e);
                httpServletResponse.sendError(500);
            }
        } else {
            log.trace("Allowing unchecked access from {} to {}", remoteAddr, requestURI);
        }
        try {
            if (!isAuthenticationOn()) {
                log.trace("Authorization is disabled");
                SecurityContextHolder.getContext().setAuthentication(getPrivilegedUnauthenticatedUserToken());
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
            if (!requiresAuthentication(httpServletRequest)) {
                log.trace("Authentication not required for {}", requestURI);
                SecurityContextHolder.getContext().setAuthentication(getUnprivilegedUnauthenticatedUserToken());
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
            if (!this.isConfigSet) {
                log.debug2("Config not yet loaded, waiting ...");
                if (!waitConfig(servletRequest)) {
                    log.warn("Timed out waiting for config, can't check user auth");
                    sendNotReady(httpServletResponse);
                    return;
                }
            }
            AccountManager accountManager = (AccountManager) getLockssDaemon().waitManagerByKey(LockssDaemon.managerKey(AccountManager.class), Deadline.in(getReadyWaitTime(servletRequest)));
            if (accountManager == null) {
                log.warn("Timed out waiting for AccountManager, can't check user auth");
                sendNotReady(httpServletResponse);
                return;
            }
            if (!accountManager.isStarted()) {
                log.debug2("AccountManager not started, waiting ...");
                if (!waitUserAccounts(accountManager, servletRequest)) {
                    log.warn("Timed out waiting for AccountManager, can't check user auth");
                    sendNotReady(httpServletResponse);
                    return;
                }
            }
            String header2 = httpServletRequest.getHeader("authorization");
            log.trace("authorizationHeader = {}", header2);
            if (header2 == null) {
                log.info(MISSING_AUTH_HEADER);
                sendUnauthenticated(httpServletResponse, MISSING_AUTH_HEADER);
                return;
            }
            String[] decodeBasicAuthorizationHeader = org.lockss.util.auth.AuthUtil.decodeBasicAuthorizationHeader(header2);
            if (decodeBasicAuthorizationHeader == null) {
                log.info(MISSING_CREDENTIALS);
                sendUnauthenticated(httpServletResponse, MISSING_CREDENTIALS);
                return;
            }
            if (decodeBasicAuthorizationHeader.length != 2) {
                log.info("Malformed user credentials: {}", Arrays.toString(decodeBasicAuthorizationHeader));
                sendUnauthenticated(httpServletResponse, "Malformed user credentials");
                return;
            }
            log.trace("credentials[0] = {}", decodeBasicAuthorizationHeader[0]);
            UserAccount userOrNull = accountManager.getUserOrNull(decodeBasicAuthorizationHeader[0]);
            if (userOrNull == null) {
                log.info("User not found: {}", decodeBasicAuthorizationHeader[0]);
                sendUnauthenticated(httpServletResponse, BAD_CREDENTIALS);
                return;
            }
            log.trace("userAccount.getName() = {}", userOrNull.getName());
            if (!userOrNull.check(decodeBasicAuthorizationHeader[1])) {
                log.info("Invalid credentials = {}", Arrays.toString(decodeBasicAuthorizationHeader));
                sendUnauthenticated(httpServletResponse, BAD_CREDENTIALS);
                return;
            }
            HashSet hashSet = new HashSet();
            Iterator it = userOrNull.getRoleSet().iterator();
            while (it.hasNext()) {
                hashSet.add(new SimpleGrantedAuthority((String) it.next()));
            }
            log.trace("roles = {}", hashSet);
            UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(decodeBasicAuthorizationHeader[0], decodeBasicAuthorizationHeader[1], hashSet);
            log.trace("authentication = {}", usernamePasswordAuthenticationToken);
            SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
            log.debug2("User successfully authenticated");
            filterChain.doFilter(servletRequest, servletResponse);
            log.debug2("Done.");
        } catch (AccessControlException e2) {
            String message = e2.getMessage();
            log.error(message);
            SecurityContextHolder.clearContext();
            httpServletResponse.sendError(403, message);
        }
    }

    String lastElement(String str) {
        String[] split = str.split(",");
        return split[split.length - 1].trim();
    }

    boolean isAuthenticationOn() {
        String str = this.authType;
        boolean z = -1;
        switch (str.hashCode()) {
            case 3387192:
                if (str.equals("none")) {
                    z = false;
                    break;
                }
                break;
            case 93508654:
                if (str.equals(BASIC_AUTH_TYPE)) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case DEFAULT_ALLOW_UNAUTHENTICATED_READ /* 0 */:
                return false;
            case true:
                return true;
            default:
                log.error("authenticationType = {}", this.authType);
                throw new AccessControlException(this.authType + ": " + INVALID_AUTH_TYPE);
        }
    }

    boolean isIpAuthorized(String str) throws IpFilter.MalformedException {
        return (this.ipFilter != null && this.ipFilter.isIpAllowed(str)) || (this.allowLocal && this.localFilter.isIpAllowed(str));
    }

    private void sendNotReady(HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.setHeader("Retry-After", "60");
        httpServletResponse.sendError(503, "Request requires authorization/authentication but service is still starting and cannot perform authentication yet.");
    }

    private void sendUnauthenticated(HttpServletResponse httpServletResponse, String str) throws IOException {
        SecurityContextHolder.clearContext();
        httpServletResponse.setHeader("WWW-Authenticate", "Basic");
        httpServletResponse.sendError(401, str);
    }

    private void sendForbidden(HttpServletResponse httpServletResponse, String str) throws IOException {
        SecurityContextHolder.clearContext();
        httpServletResponse.sendError(403, str);
    }

    UsernamePasswordAuthenticationToken getPrivilegedUnauthenticatedUserToken() {
        HashSet hashSet = new HashSet();
        hashSet.add(new SimpleGrantedAuthority("userAdminRole"));
        return new UsernamePasswordAuthenticationToken("unauthenticatedPrivUser", "unauthenticatedPassword", hashSet);
    }

    UsernamePasswordAuthenticationToken getUnprivilegedUnauthenticatedUserToken() {
        HashSet hashSet = new HashSet();
        hashSet.add(new SimpleGrantedAuthority(Roles.ROLE_CONTENT_ACCESS));
        return new UsernamePasswordAuthenticationToken("unauthenticatedUnprivUser", "unauthenticatedPassword", hashSet);
    }

    boolean requiresAuthentication(HttpServletRequest httpServletRequest) {
        return requiresAuthentication(httpServletRequest.getMethod().toUpperCase(), httpServletRequest.getRequestURI().toLowerCase());
    }

    boolean requiresAuthentication(String str, String str2) {
        log.trace("requiresAuthentication({}, {})", str, str2);
        boolean z = !isStatusOrDocFetch(str, str2);
        if (z && this.allowUnauthenticatedRead && isReadRequest(str, str2)) {
            z = false;
        }
        log.trace("result = {}", Boolean.valueOf(z));
        return z;
    }

    boolean requiresIpAuthorization(HttpServletRequest httpServletRequest) {
        return requiresIpAuthorization(httpServletRequest.getMethod().toUpperCase(), httpServletRequest.getRequestURI().toLowerCase());
    }

    boolean requiresIpAuthorization(String str, String str2) {
        return !isStatusOrDocFetch(str, str2);
    }

    boolean isStatusOrDocFetch(String str, String str2) {
        boolean z = "GET".equals(str) && ("/status".equals(str2) || "/v2/api-docs".equals(str2) || "/swagger-ui.html".equals(str2) || str2.startsWith("/swagger-resources") || str2.startsWith("/webjars/springfox-swagger-ui"));
        if (z) {
            log.trace("Is status or doc request: {} {}", str, str2);
        }
        return z;
    }

    boolean isReadRequest(String str, String str2) {
        return "GET".equals(str);
    }

    public static void checkAuthorization(String... strArr) {
        AuthUtil.checkHasRole(strArr);
    }

    WebApplicationContext getApplicationContext(ServletRequest servletRequest) {
        return WebApplicationContextUtils.getWebApplicationContext(servletRequest.getServletContext());
    }

    protected long getReadyWaitTime(ServletRequest servletRequest) {
        return getWaitTime(getEnvironment(servletRequest).getProperty(PARAM_READY_WAIT_TIME), DEFAULT_READY_WAIT_TIME);
    }

    protected long getConfigWaitTime(ServletRequest servletRequest) {
        return getWaitTime(getEnvironment(servletRequest).getProperty(PARAM_CONFIG_WAIT_TIME), DEFAULT_CONFIG_WAIT_TIME);
    }

    protected long getWaitTime(String str, long j) {
        if (!StringUtil.isNullString(str)) {
            try {
                return Long.parseLong(str);
            } catch (NumberFormatException e) {
                log.warn("Can't parse wait time", e);
            }
        }
        return j;
    }

    protected boolean waitReady(ServletRequest servletRequest) {
        return waitReady(getReadyWaitTime(servletRequest));
    }

    protected boolean waitReady(long j) {
        try {
            return getLockssDaemon().waitUntilAppRunning(Deadline.in(j));
        } catch (InterruptedException e) {
            return false;
        }
    }

    protected boolean waitConfig(ServletRequest servletRequest) {
        return waitConfig(getConfigWaitTime(servletRequest));
    }

    protected boolean waitConfig(long j) {
        return getConfigManager().waitConfig(Deadline.in(j));
    }

    protected boolean waitUserAccounts(AccountManager accountManager, ServletRequest servletRequest) {
        return waitUserAccounts(accountManager, getConfigWaitTime(servletRequest));
    }

    protected boolean waitUserAccounts(AccountManager accountManager, long j) {
        return accountManager.waitStarted(Deadline.in(j));
    }

    private ConfigManager getConfigManager() {
        return ConfigManager.getConfigManager();
    }

    private LockssDaemon getLockssDaemon() {
        return LockssDaemon.getLockssDaemon();
    }

    Environment getEnvironment(ServletRequest servletRequest) {
        if (this.env == null) {
            this.env = getApplicationContext(servletRequest).getEnvironment();
        }
        return this.env;
    }
}
