package org.apache.brooklyn.rest.filter;

import com.google.common.collect.ImmutableList;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.function.Supplier;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.apache.brooklyn.api.mgmt.ManagementContext;
import org.apache.brooklyn.config.ConfigKey;
import org.apache.brooklyn.core.config.ConfigKeys;
import org.apache.brooklyn.rest.BrooklynWebConfig;
import org.apache.brooklyn.rest.security.provider.DelegatingSecurityProvider;
import org.apache.brooklyn.rest.security.provider.SecurityProvider;
import org.apache.brooklyn.rest.util.MultiSessionAttributeAdapter;
import org.apache.brooklyn.util.exceptions.Exceptions;
import org.apache.brooklyn.util.text.StringEscapes;
import org.apache.brooklyn.util.text.Strings;
import org.apache.commons.codec.binary.Base64;
import org.eclipse.jetty.http.HttpHeader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterHelper.class */
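/**
 * Authentication logic shared by Brooklyn's REST security filters.
 *
 * <p>{@link #run} resolves the configured {@link SecurityProvider}, lets through requests that
 * need no authentication (configured unauthenticated endpoints, static content of a configured
 * login form, sessions the provider already considers authenticated) and otherwise authenticates
 * the request, reading HTTP Basic credentials from the {@code Authorization} header when the
 * provider requires a user/password pair.
 *
 * <p>Every refusal is signalled by throwing {@link SecurityProvider.SecurityProviderDeniedAuthentication},
 * which carries the {@link Response} the filter should send to the client.
 */
public class BrooklynSecurityProviderFilterHelper {
    /** Session attribute holding the user name of a successfully authenticated session. */
    public static final String AUTHENTICATED_USER_SESSION_ATTRIBUTE = "brooklyn.user";
    private static final ConfigKey<String> UNAUTHENTICATED_ENDPOINTS = ConfigKeys.newStringConfigKey("brooklyn.webconsole.security.unauthenticated.endpoints", "List of endpoints available without authentication e.g. a login page", "");
    private static final List<String> STATIC_CONTENT_EXTENSIONS = ImmutableList.of(".html", ".htm", ".js", ".png", ".gif", ".jpg", ".svg");
    /** Servlet paths that are exactly an API version root ({@code /v1/}, {@code /v12/}, ...) are never static content. */
    private static final Pattern API_VERSION_ROOT_PATH = Pattern.compile("/v[0-9]+/");
    /** The only {@code Authorization} scheme this helper decodes; matched case-insensitively (RFC 7617). */
    private static final String BASIC_SCHEME_PREFIX = "Basic ";
    private static final Logger log = LoggerFactory.getLogger(BrooklynSecurityProviderFilterHelper.class);
    public static final String BASIC_REALM_NAME = "brooklyn";
    /** Value sent in {@code WWW-Authenticate} when the provider requires user/password credentials. */
    public static final String BASIC_REALM_HEADER_VALUE = "BASIC realm=" + StringEscapes.JavaStringEscapes.wrapJavaString(BASIC_REALM_NAME);

    /** Callback through which a filter reports an authentication error to the client. */
    public interface Responder {
        /**
         * @param message human-readable reason for the refusal
         * @param requiresUserPass whether the client should be told to retry with Basic credentials
         */
        void error(String message, boolean requiresUserPass) throws SecurityProvider.SecurityProviderDeniedAuthentication;
    }

    /**
     * Checks whether {@code webRequest} may proceed, returning normally if so.
     *
     * @param webRequest the incoming request
     * @param mgmt the management context supplying configuration and the security provider
     * @throws SecurityProvider.SecurityProviderDeniedAuthentication if the request must be refused;
     *         the exception carries the response to send (401 with a {@code WWW-Authenticate}
     *         challenge when the provider requires user/password, or whatever the provider or
     *         session adapter raised via a {@link WebApplicationException})
     */
    public void run(HttpServletRequest webRequest, ManagementContext mgmt) throws SecurityProvider.SecurityProviderDeniedAuthentication {
        SecurityProvider provider = getProvider(mgmt);

        MultiSessionAttributeAdapter sessionAdapter = null;
        try {
            sessionAdapter = MultiSessionAttributeAdapter.of(webRequest, false);
        } catch (WebApplicationException e) {
            abort(e.getResponse()); // always throws
        }

        if (isUnauthenticatedEndpoint(webRequest, mgmt)) {
            return;
        }
        // A configured login form needs its static assets (html, js, images) reachable before login.
        if (Strings.isNonBlank((CharSequence) mgmt.getConfig().getConfig(BrooklynSecurityProviderFilterJavax.LOGIN_FORM)) && isStaticContent(webRequest)) {
            return;
        }

        HttpSession preferredSession = sessionAdapter == null ? null : sessionAdapter.getPreferredSession();
        if (log.isTraceEnabled()) {
            log.trace("{} checking {}", this, MultiSessionAttributeAdapter.info(webRequest));
        }
        if (provider.isAuthenticated(preferredSession)) {
            log.trace("{} already authenticated - {}", this, preferredSession);
            return;
        }

        // Evaluated once: it selects both the credential parsing and the 401 challenge below.
        boolean requiresUserPass = provider.requiresUserPass();
        String user = null;
        String pass = null;
        if (requiresUserPass) {
            String[] credentials = decodeBasicCredentials(webRequest.getHeader("Authorization"), requiresUserPass);
            user = credentials[0];
            pass = credentials[1];
        }

        // The session is only created (of(..., true)) if the provider actually asks for it.
        Supplier<HttpSession> sessionSupplier = () -> preferredSession != null
                ? preferredSession
                : MultiSessionAttributeAdapter.of(webRequest, true).getPreferredSession();
        try {
            if (provider.authenticate(webRequest, sessionSupplier, user, pass)) {
                HttpSession session = sessionSupplier.get();
                session.setAttribute(BrooklynWebConfig.REMOTE_ADDRESS_SESSION_ATTRIBUTE, webRequest.getRemoteAddr());
                if (user != null) {
                    session.setAttribute(AUTHENTICATED_USER_SESSION_ATTRIBUTE, user);
                }
                return;
            }
        } catch (WebApplicationException e) {
            abort(e.getResponse()); // always throws
        }
        throw abort("Authentication failed", requiresUserPass);
    }

    /**
     * Returns whether the request's context path is listed in the comma-separated
     * {@link #UNAUTHENTICATED_ENDPOINTS} config; entries are normalised to start with {@code /}.
     *
     * <p>NOTE(review): this compares the servlet context path, not the full request URI —
     * confirm that per-context granularity is the intended scope of the exemption.
     */
    private boolean isUnauthenticatedEndpoint(HttpServletRequest webRequest, ManagementContext mgmt) {
        String configured = (String) mgmt.getConfig().getConfig(UNAUTHENTICATED_ENDPOINTS);
        if (!Strings.isNonBlank(configured)) {
            return false;
        }
        String contextPath = webRequest.getContextPath();
        for (String entry : configured.split(",")) {
            String normalised = entry.startsWith("/") ? entry : "/" + entry;
            if (contextPath.equals(normalised)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Extracts {@code {user, password}} from an HTTP Basic {@code Authorization} header value.
     *
     * <p>Each validation failure aborts with its own message: the colon check deliberately sits
     * outside the decode {@code try} so its abort is not re-reported as "not Base64".
     *
     * @param authorization raw header value, or {@code null} if the header is absent
     * @param requiresUserPass forwarded to {@link #abort(String, boolean)} so the 401 carries the Basic challenge
     * @return a two-element array: user name, then password (either may be empty, never {@code null})
     * @throws SecurityProvider.SecurityProviderDeniedAuthentication if the header is missing or malformed
     */
    private String[] decodeBasicCredentials(String authorization, boolean requiresUserPass) throws SecurityProvider.SecurityProviderDeniedAuthentication {
        if (authorization == null) {
            throw abort("Authorization required", requiresUserPass);
        }
        if (authorization.length() < BASIC_SCHEME_PREFIX.length()) {
            throw abort("Invalid authorization string (too short)", requiresUserPass);
        }
        // Only the Basic scheme is decoded here; anything else would yield garbage credentials.
        if (!authorization.regionMatches(true, 0, BASIC_SCHEME_PREFIX, 0, BASIC_SCHEME_PREFIX.length())) {
            throw abort("Invalid authorization string (expected Basic scheme)", requiresUserPass);
        }
        String decoded;
        try {
            byte[] raw = Base64.decodeBase64(authorization.substring(BASIC_SCHEME_PREFIX.length()));
            // Explicit charset: the platform default is not a safe assumption for credentials.
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (Exception e) {
            Exceptions.propagateIfFatal(e);
            throw abort("Invalid authorization string (not Base64)", requiresUserPass);
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            throw abort("Invalid authorization string (no colon after decoding)", requiresUserPass);
        }
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /**
     * Returns whether the request looks like static content of the login page: the context root
     * itself, or a servlet path ending in one of {@link #STATIC_CONTENT_EXTENSIONS}. API version
     * roots ({@code /vN/}) and requests without a servlet path are never static content.
     */
    boolean isStaticContent(HttpServletRequest webRequest) {
        String servletPath = webRequest.getServletPath();
        if (servletPath == null || API_VERSION_ROOT_PATH.matcher(servletPath).matches()) {
            return false;
        }
        if (Objects.equals(stripTrailingSlash(webRequest.getContextPath()), stripTrailingSlash(servletPath))) {
            return true;
        }
        String lowerPath = servletPath.toLowerCase(Locale.ROOT);
        return STATIC_CONTENT_EXTENSIONS.stream().anyMatch(lowerPath::endsWith);
    }

    /** Removes one trailing {@code /} from {@code path}, if present. */
    private String stripTrailingSlash(String path) {
        return Strings.removeFromEnd(path, "/");
    }

    /**
     * Builds and throws a 401 refusal. Declared with a return type only so callers can write
     * {@code throw abort(...)} and satisfy definite-return analysis; it never returns.
     *
     * @param message plain-text body explaining the refusal (do not include credentials)
     * @param requiresUserPass if true, a {@code WWW-Authenticate} Basic challenge is added
     */
    SecurityProvider.SecurityProviderDeniedAuthentication abort(String message, boolean requiresUserPass) throws SecurityProvider.SecurityProviderDeniedAuthentication {
        Response.ResponseBuilder response = Response.status(Response.Status.UNAUTHORIZED);
        if (requiresUserPass) {
            response.header(HttpHeader.WWW_AUTHENTICATE.asString(), BASIC_REALM_HEADER_VALUE);
        }
        response.header(HttpHeader.CONTENT_TYPE.asString(), "text/plain");
        response.entity(message);
        throw new SecurityProvider.SecurityProviderDeniedAuthentication(response.build());
    }

    /** Throws a refusal carrying an already-built {@code response} verbatim. */
    void abort(Response response) throws SecurityProvider.SecurityProviderDeniedAuthentication {
        throw new SecurityProvider.SecurityProviderDeniedAuthentication(response);
    }

    /**
     * Builds and throws a 302 redirect to {@code location} with {@code body} as the entity.
     * Like {@link #abort(String, boolean)} it never returns; the return type exists for {@code throw redirect(...)}.
     */
    SecurityProvider.SecurityProviderDeniedAuthentication redirect(String location, String body) throws SecurityProvider.SecurityProviderDeniedAuthentication {
        Response.ResponseBuilder response = Response.status(Response.Status.FOUND);
        response.header(HttpHeader.LOCATION.asString(), location);
        response.entity(body);
        throw new SecurityProvider.SecurityProviderDeniedAuthentication(response.build());
    }

    /** Resolves the provider to authenticate against; overridable for tests or custom wiring. */
    protected SecurityProvider getProvider(ManagementContext mgmt) {
        return new DelegatingSecurityProvider(mgmt);
    }
}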
