package org.lockss.spring.auth;

import java.io.IOException;
import java.security.AccessControlException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.lockss.account.UserAccount;
import org.lockss.app.LockssDaemon;
import org.lockss.config.ConfigManager;
import org.lockss.log.L4JLogger;
import org.lockss.util.StringUtil;
import org.lockss.util.time.Deadline;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.support.WebApplicationContextUtils;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:org/lockss/spring/auth/SpringAuthenticationFilter.class */
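/**
 * Servlet filter that authenticates REST requests with HTTP Basic credentials
 * checked against the LOCKSS account manager.
 *
 * <p>Request handling, in order:
 * <ol>
 *   <li>If authentication is switched off ({@link AuthUtil#isAuthenticationOn()})
 *       or the request URI is world-reachable for its HTTP method, the chain
 *       continues with a fixed "unauthenticated" token in the security context.</li>
 *   <li>Otherwise a {@code Basic} authorization header is required; a missing,
 *       undecodable or malformed header yields {@code 401} with a
 *       {@code WWW-Authenticate: Basic} challenge.</li>
 *   <li>If the daemon is not yet running within the configured wait time the
 *       request is rejected with {@code 503}.</li>
 *   <li>The user is looked up and the password verified; unknown users and wrong
 *       passwords are both reported as {@link #badCredentials} so the response
 *       does not reveal which user ids exist. A failure of the account-manager
 *       lookup itself yields {@code 500}.</li>
 *   <li>An {@link AccessControlException} raised while the request is being
 *       processed is mapped to {@code 403}.</li>
 * </ol>
 *
 * <p>Credentials (the raw authorization header, the decoded password) are never
 * written to the log; only user ids are.
 */
public class SpringAuthenticationFilter extends GenericFilterBean {
    // Messages sent to the client (and logged) for the 401 cases.
    private static final String noAuthorizationHeader = "No authorization header.";
    private static final String noCredentials = "No userid/password credentials.";
    private static final String badCredentials = "Bad userid/password credentials.";
    private static final String noUser = "User not found.";
    // Lazily resolved from the web application context; see getEnvironment(ServletRequest).
    private Environment env;
    private static final L4JLogger log = L4JLogger.getLogger();
    // Property names / defaults for the daemon-ready and config-loaded waits (milliseconds).
    // Left non-final so existing callers that assign them keep compiling.
    public static String PARAM_READY_WAIT_TIME = "org.lockss.service.readyWait";
    public static long DEFAULT_READY_WAIT_TIME = 60000;
    public static String PARAM_CONFIG_WAIT_TIME = "org.lockss.service.configWait";
    public static long DEFAULT_CONFIG_WAIT_TIME = 60000;

    /**
     * Authenticates the request as described in the class comment and, on
     * success, continues the filter chain with the resulting token set in the
     * {@link SecurityContextHolder}.
     *
     * @param servletRequest the incoming request (must be an {@link HttpServletRequest})
     * @param servletResponse the response (must be an {@link HttpServletResponse})
     * @param filterChain the remaining chain, invoked only when the request is accepted
     * @throws IOException if writing the response or the downstream chain fails
     * @throws ServletException if the downstream chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        log.debug2("Invoked.");
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        if (log.isTraceEnabled()) {
            StringBuffer requestURL = httpServletRequest.getRequestURL();
            if (httpServletRequest.getQueryString() != null) {
                requestURL.append("?").append(httpServletRequest.getQueryString());
            }
            log.trace("originalUrl = {}", requestURL);
        }
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        try {
            if (!AuthUtil.isAuthenticationOn()) {
                log.trace("Authorized (like everybody else).");
                continueAsUnauthenticated(servletRequest, servletResponse, filterChain);
                return;
            }
            if (isWorldReachable(httpServletRequest)) {
                log.trace("Authenticated (like everybody else).");
                continueAsUnauthenticated(servletRequest, servletResponse, filterChain);
                return;
            }
            String header = httpServletRequest.getHeader("authorization");
            // The header carries the base64 password; log only whether it is present.
            log.trace("authorizationHeader present = {}", header != null);
            if (header == null) {
                log.info(noAuthorizationHeader);
                sendUnauthenticated(httpServletResponse, noAuthorizationHeader);
                return;
            }
            String[] credentials = AuthUtil.decodeBasicAuthorizationHeader(header);
            if (credentials == null) {
                log.info(noCredentials);
                sendUnauthenticated(httpServletResponse, noCredentials);
                return;
            }
            if (credentials.length != 2) {
                log.info(badCredentials);
                // Do not dump the decoded fields: they may contain (part of) a password.
                log.info("bad credentials: expected 2 fields, got {}", credentials.length);
                sendUnauthenticated(httpServletResponse, badCredentials);
                return;
            }
            String userId = credentials[0];
            String password = credentials[1];
            log.trace("credentials[0] = {}", userId);
            if (!waitReady()) {
                httpServletResponse.sendError(503, "Not Ready");
                return;
            }
            // Only the account-manager interaction is guarded here; the downstream
            // chain runs outside this try so its exceptions are not misreported as
            // an account-manager failure.
            UserAccount user;
            boolean passwordOk;
            try {
                user = getLockssDaemon().getAccountManager().getUser(userId);
                passwordOk = user != null && user.check(password);
            } catch (Exception e) {
                log.error("credentials[0] = {}", userId);
                log.error("LockssDaemon.getLockssDaemon().getAccountManager().getUser(credentials[0])", e);
                httpServletResponse.sendError(500, "AccountManager not available");
                return;
            }
            if (user == null) {
                log.info(noUser);
                // Same client-visible message as a wrong password (no user enumeration).
                sendUnauthenticated(httpServletResponse, badCredentials);
                return;
            }
            log.trace("userAccount.getName() = {}", user.getName());
            log.trace("goodCredentials = {}", passwordOk);
            if (!passwordOk) {
                log.info(badCredentials);
                log.info("userAccount.getName() = {}", user.getName());
                sendUnauthenticated(httpServletResponse, badCredentials);
                return;
            }
            SecurityContextHolder.getContext().setAuthentication(buildAuthentication(userId, password, user));
            log.debug2("User successfully authenticated");
            filterChain.doFilter(servletRequest, servletResponse);
            log.debug2("Done.");
        } catch (AccessControlException e2) {
            String message = e2.getMessage();
            log.error(message);
            SecurityContextHolder.clearContext();
            httpServletResponse.sendError(403, message);
        }
    }

    /**
     * Places the fixed unauthenticated token in the security context and continues the chain.
     */
    private void continueAsUnauthenticated(ServletRequest servletRequest, ServletResponse servletResponse,
                                           FilterChain filterChain) throws IOException, ServletException {
        SecurityContextHolder.getContext().setAuthentication(getUnauthenticatedUserToken());
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Builds an authenticated token for a user whose password has been verified,
     * with one {@link SimpleGrantedAuthority} per role in the account's role set.
     *
     * <p>NOTE(review): the cleartext password is retained as the token's
     * credentials; confirm whether any downstream code reads it before erasing it.
     */
    private UsernamePasswordAuthenticationToken buildAuthentication(String userId, String password,
                                                                    UserAccount user) {
        Set<SimpleGrantedAuthority> authorities = new HashSet<>();
        for (Object role : user.getRoleSet()) {
            log.trace("role = {}", role);
            authorities.add(new SimpleGrantedAuthority((String) role));
        }
        log.trace("roles = {}", authorities);
        UsernamePasswordAuthenticationToken token =
            new UsernamePasswordAuthenticationToken(userId, password, authorities);
        log.trace("authentication = {}", token);
        return token;
    }

    /**
     * Clears the security context and sends a {@code 401} with a Basic challenge.
     *
     * @param httpServletResponse the response to write
     * @param str the status message sent with the error
     * @throws IOException if the error response cannot be written
     */
    private void sendUnauthenticated(HttpServletResponse httpServletResponse, String str) throws IOException {
        SecurityContextHolder.clearContext();
        httpServletResponse.setHeader("WWW-Authenticate", "Basic");
        httpServletResponse.sendError(401, str);
    }

    /**
     * Returns the placeholder token used when no authentication is performed:
     * principal {@code unauthenticatedUser} with the single role {@code unauthenticatedRole}.
     */
    private UsernamePasswordAuthenticationToken getUnauthenticatedUserToken() {
        Set<SimpleGrantedAuthority> authorities = new HashSet<>();
        authorities.add(new SimpleGrantedAuthority("unauthenticatedRole"));
        return new UsernamePasswordAuthenticationToken("unauthenticatedUser", "unauthenticatedPassword", authorities);
    }

    /**
     * Asks the {@link RequestUriAuthenticationBypass} whether this method/URI pair
     * may be served without credentials. Method and URI are case-folded with
     * {@link Locale#ROOT} so the result does not depend on the JVM's default locale.
     *
     * <p>NOTE(review): {@code getRequestURI()} is the raw, undecoded request path;
     * confirm the bypass implementation handles encoded or non-normalized forms.
     */
    private boolean isWorldReachable(HttpServletRequest httpServletRequest) {
        log.debug2("Invoked.");
        String httpMethodName = httpServletRequest.getMethod().toUpperCase(Locale.ROOT);
        log.trace("httpMethodName = {}", httpMethodName);
        String requestUri = httpServletRequest.getRequestURI().toLowerCase(Locale.ROOT);
        log.trace("requestUri = {}", requestUri);
        boolean isWorldReachable = getRequestUriAuthenticationBypass().isWorldReachable(httpMethodName, requestUri);
        log.debug2("result = {}", isWorldReachable);
        return isWorldReachable;
    }

    /**
     * Checks that the currently authenticated user holds one of the given roles,
     * delegating to {@link AuthUtil#checkAuthorization(String, String...)}.
     *
     * @param strArr the permissible roles
     * @throws AccessControlException if there is no authentication in the security
     *         context (fails closed instead of raising a NullPointerException), or
     *         whatever {@code AuthUtil.checkAuthorization} throws on refusal
     */
    public static void checkAuthorization(String... strArr) {
        log.debug2("permissibleRoles = {}", Arrays.toString(strArr));
        var authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            throw new AccessControlException("No authentication in security context");
        }
        AuthUtil.checkAuthorization(authentication.getName(), strArr);
        log.debug2("Done.");
    }

    /** Returns the bypass policy; overridable so tests or subclasses can substitute one. */
    public RequestUriAuthenticationBypass getRequestUriAuthenticationBypass() {
        return new RequestUriAuthenticationBypassImpl();
    }

    /**
     * Returns the Spring {@link Environment} of the web application that owns the
     * request's servlet context, resolving it on first use.
     */
    Environment getEnvironment(ServletRequest servletRequest) {
        if (this.env == null) {
            this.env = WebApplicationContextUtils.getWebApplicationContext(servletRequest.getServletContext()).getEnvironment();
        }
        return this.env;
    }

    /** Milliseconds to wait for the daemon to be running, from {@link #PARAM_READY_WAIT_TIME}. */
    protected long getReadyWaitTime() {
        return getWaitTime(getEnvironment().getProperty(PARAM_READY_WAIT_TIME), DEFAULT_READY_WAIT_TIME);
    }

    /** Milliseconds to wait for configuration, from {@link #PARAM_CONFIG_WAIT_TIME}. */
    protected long getConfigWaitTime() {
        return getWaitTime(getEnvironment().getProperty(PARAM_CONFIG_WAIT_TIME), DEFAULT_CONFIG_WAIT_TIME);
    }

    /**
     * Parses a wait time property.
     *
     * @param str the property value, possibly null or empty
     * @param j the default returned when the value is absent or not a valid long
     * @return the parsed value, or the default
     */
    protected long getWaitTime(String str, long j) {
        if (StringUtil.isNullString(str)) {
            return j;
        }
        try {
            return Long.parseLong(str);
        } catch (NumberFormatException e) {
            log.warn("Can't parse wait time", e);
            return j;
        }
    }

    /** Waits for the daemon to be running, using the configured ready wait time. */
    protected boolean waitReady() {
        return waitReady(getReadyWaitTime());
    }

    /**
     * Waits up to {@code j} milliseconds for the daemon to be running.
     *
     * @return true if the daemon is running, false on timeout or interruption
     */
    protected boolean waitReady(long j) {
        try {
            return getLockssDaemon().waitUntilAppRunning(Deadline.in(j));
        } catch (InterruptedException e) {
            // Preserve the interrupt for the caller; the request is treated as not ready.
            Thread.currentThread().interrupt();
            return false;
        }
    }

    /** Waits for configuration to be loaded, using the configured config wait time. */
    protected boolean waitConfig() {
        return waitConfig(getConfigWaitTime());
    }

    /** Waits up to {@code j} milliseconds for configuration to be loaded. */
    protected boolean waitConfig(long j) {
        return getConfigManager().waitConfig(Deadline.in(j));
    }

    private ConfigManager getConfigManager() {
        return ConfigManager.getConfigManager();
    }

    private LockssDaemon getLockssDaemon() {
        return LockssDaemon.getLockssDaemon();
    }
}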
