package org.apache.brooklyn.rest.filter;

import com.google.common.collect.ImmutableSet;
import java.io.IOException;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Priority;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.ext.ContextResolver;
import javax.ws.rs.ext.Provider;
import org.apache.brooklyn.api.mgmt.ManagementContext;
import org.apache.brooklyn.rest.security.provider.SecurityProvider;
import org.apache.brooklyn.util.text.Strings;
import org.eclipse.jetty.http.HttpHeader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

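/**
 * JAX-RS request filter that delegates authentication of every request to
 * {@link BrooklynSecurityProviderFilterHelper} and, when the security provider denies it,
 * aborts the request with a response derived from the provider's own response.
 *
 * <p>Only the headers named in {@link #headersToForward} are copied from the provider's
 * response onto a rebuilt response; everything else the provider set is dropped whenever
 * the response is rebuilt here.
 */
@Provider
@Priority(100)
/* loaded from: input_file:org/apache/brooklyn/rest/filter/BrooklynSecurityProviderFilterJersey.class */
public class BrooklynSecurityProviderFilterJersey implements ContainerRequestFilter {
    /** Response header carrying the configured login form location on a 401. */
    public static final String LOGIN_PAGE_HEADER = "X_BROOKLYN_LOGIN_PAGE";

    // Allow-list of provider response headers that are propagated to the client.
    private final Set<String> headersToForward = ImmutableSet.of("WWW-Authenticate", SecurityProvider.UNAUTHORIZED_MESSAGE_HEADER);

    @Context
    HttpServletRequest webRequest;

    @Context
    private ContextResolver<ManagementContext> mgmtC;
    private static final Logger log = LoggerFactory.getLogger(BrooklynSecurityProviderFilterJersey.class);

    // Plain static flag with no synchronisation: under concurrent requests the
    // "logging once only" warning may be emitted more than once.
    private static boolean LOGGED_LOGIN_FORM_WITH_INCOMPATIBLE_AUTH_WARNING = false;

    /**
     * Runs the security provider check and aborts the request if authentication is denied.
     *
     * <p>On denial the response is built as follows: a missing provider response becomes a
     * plain 401; a 302 is re-issued as a temporary redirect to its {@code Location} (or a 401
     * if it has none); allow-listed headers are copied across; and, for a 401 with a login
     * form configured, the challenge is replaced by an {@code X-Basic} one plus
     * {@link #LOGIN_PAGE_HEADER}.
     *
     * @param containerRequestContext the request being filtered; aborted on denial
     * @throws IOException declared by {@link ContainerRequestFilter#filter}
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        log.trace("BrooklynSecurityProviderFilterJersey.filter {}", containerRequestContext);
        ManagementContext managementContext = this.mgmtC.getContext(ManagementContext.class);
        try {
            new BrooklynSecurityProviderFilterHelper().run(this.webRequest, managementContext);
        } catch (SecurityProvider.SecurityProviderDeniedAuthentication e) {
            // The exception may carry no response; keep the original reference so the
            // header-forwarding step below can tell and does not dereference null.
            Response denied = e.getResponse();
            Response response = denied;
            if (response == null) {
                response = Response.status(Response.Status.UNAUTHORIZED).build();
            }
            if (response.getStatus() == Response.Status.FOUND.getStatusCode()) {
                String location = response.getHeaderString(HttpHeader.LOCATION.asString());
                if (location != null) {
                    log.trace("Redirect to {} for authentication", location);
                    response = Response.temporaryRedirect(UriBuilder.fromPath(location).build())
                            .entity("Authentication is required at " + location)
                            .build();
                } else {
                    // A redirect without a target is unusable; fall back to a plain 401.
                    log.trace("Unauthorized");
                    response = Response.status(Response.Status.UNAUTHORIZED).entity("Authentication is required").build();
                }
            }

            // Previously this dereferenced e.getResponse() unconditionally and threw a
            // NullPointerException for a denial without a response, instead of returning 401.
            MultivaluedMap<String, Object> headers = denied == null ? null : denied.getHeaders();
            if (headers != null && !headers.isEmpty()) {
                for (String name : this.headersToForward) {
                    if (headers.containsKey(name)) {
                        // NOTE(review): when the provider's response is passed through unchanged it
                        // already carries this header, so header() appends a second value - confirm intended.
                        String joined = headers.get(name).stream()
                                .map(Object::toString)
                                .collect(Collectors.joining(", "));
                        response = Response.fromResponse(response).header(name, joined).build();
                    }
                }
            }

            if (response.getStatus() == Response.Status.UNAUTHORIZED.getStatusCode()) {
                String loginForm = (String) managementContext.getConfig().getConfig(BrooklynSecurityProviderFilterJavax.LOGIN_FORM);
                if (Strings.isNonBlank(loginForm)) {
                    if (!LOGGED_LOGIN_FORM_WITH_INCOMPATIBLE_AUTH_WARNING) {
                        // Look the header up by its string name: the header map is keyed by String,
                        // so the HttpHeader enum constant itself never matches. Also tolerate the
                        // header being absent (null list).
                        List<Object> challenges = response.getHeaders().get(HttpHeader.WWW_AUTHENTICATE.asString());
                        // regionMatches(ignoreCase) keeps the scheme comparison locale-independent.
                        if (challenges != null && !challenges.isEmpty()
                                && challenges.stream().noneMatch(c -> String.valueOf(c).regionMatches(true, 0, "basic ", 0, 6))) {
                            LOGGED_LOGIN_FORM_WITH_INCOMPATIBLE_AUTH_WARNING = true;
                            log.warn("{} {} being used with incompatible auth scheme (logging once only): {}",
                                    BrooklynSecurityProviderFilterJavax.LOGIN_FORM.getName(), loginForm, challenges);
                        }
                    }
                    // header(name, null) removes every existing WWW-Authenticate value before the
                    // X-Basic challenge is set, so the client sees only the login-form challenge.
                    // NOTE(review): presumably X-Basic is used so browsers do not show their native
                    // Basic-auth prompt - confirm.
                    response = Response.fromResponse(response)
                            .status(Response.Status.UNAUTHORIZED)
                            .entity("Authentication is required using form at " + loginForm)
                            .header(LOGIN_PAGE_HEADER, loginForm)
                            .header("WWW-Authenticate", (Object) null)
                            .header("WWW-Authenticate", "X-Basic realm=\"login-form\"")
                            .build();
                }
            }
            containerRequestContext.abortWith(response);
        }
    }
}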
