package org.apache.brooklyn.rest.filter;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.brooklyn.core.mgmt.entitlement.Entitlements;
import org.apache.brooklyn.core.mgmt.entitlement.WebEntitlementContext;
import org.apache.brooklyn.rest.security.provider.DelegatingSecurityProvider;
import org.apache.brooklyn.rest.util.OsgiCompat;
import org.apache.brooklyn.util.text.Strings;
import org.apache.commons.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/brooklyn/rest/filter/BrooklynPropertiesSecurityFilter.class */
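/**
 * Servlet filter that gates every request to the Brooklyn REST API behind the
 * configured {@link DelegatingSecurityProvider}.
 *
 * <p>Per request: {@code 503} if no provider was initialised; {@code /logout} and
 * {@code /v1/logout} terminate the session; otherwise the session is checked and,
 * if it is not yet authenticated, the HTTP Basic {@code Authorization} header is
 * handed to the provider. Authenticated requests run the rest of the chain inside
 * a {@link WebEntitlementContext} which is cleared again when the request ends.
 *
 * <p>Re-entrancy: a {@link RequestDispatcher#forward} issued while this filter is
 * active may re-enter {@link #doFilter} on the same thread (if the filter is also
 * mapped for forwarded requests). The thread-local {@link #originalRequest} holds
 * the URI of the outermost request so a nested invocation can recognise itself.
 *
 * <p>Changes versus the previous revision: a malformed or non-Basic
 * {@code Authorization} header is rejected with {@code 401} instead of escaping as a
 * {@link StringIndexOutOfBoundsException}; credentials are decoded as UTF-8 rather
 * than the platform charset; the thread-local is cleared on every exit path
 * (previously the {@code 401} and logout paths leaked it to the next request on the
 * pooled thread); {@code /v1/logout} is treated like {@code /logout} everywhere.
 */
public class BrooklynPropertiesSecurityFilter implements Filter {
    /** Session attribute holding the authenticated user name; written by {@link #authenticate}. */
    public static final String AUTHENTICATED_USER_SESSION_ATTRIBUTE = "brooklyn.user";

    /** Session attribute recording the client address seen when credentials were checked. */
    @Deprecated
    public static final String REMOTE_ADDRESS_SESSION_ATTRIBUTE = "request.remoteAddress";

    private static final Logger log = LoggerFactory.getLogger(BrooklynPropertiesSecurityFilter.class);

    private static final String LOGOUT_URI = "/logout";
    private static final String V1_LOGOUT_URI = "/v1/logout";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";
    private static final String BASIC_CHALLENGE = "Basic realm=\"brooklyn\"";
    private static final String BASIC_SCHEME_PREFIX = "Basic ";

    /** URI of the outermost request on this thread; a non-null value means this invocation is nested (forwarded). */
    private static final ThreadLocal<String> originalRequest = new ThreadLocal<>();

    /** Set by {@link #init}; a {@code null} provider denies all access with {@code 503}. */
    protected DelegatingSecurityProvider provider;

    /**
     * Authenticates the request and, on success, runs the rest of the chain inside an
     * entitlement context.
     *
     * @throws IOException      from the response or the downstream chain
     * @throws ServletException from the forward or the downstream chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        if (provider == null) {
            log.warn("No security provider available: disallowing web access to brooklyn");
            response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            return;
        }

        String requestUri = request.getRequestURI();
        if (originalRequest.get() == null) {
            originalRequest.set(requestUri);
        } else {
            // Nested invocation (forward): drop the outer entitlement context before re-authenticating.
            Entitlements.clearEntitlementContext();
        }

        try {
            processRequest(request, response, filterChain, requestUri);
        } finally {
            // Runs on every exit path (503 excluded, it never set the thread-local), so a
            // pooled thread never carries this request's URI into the next one.
            // NOTE(review): as before, a nested invocation also clears the entitlement
            // context, so an outer chain that continues after a forward runs without one.
            originalRequest.remove();
            Entitlements.clearEntitlementContext();
        }
    }

    /**
     * The request handling proper: logout, authentication, then the downstream chain.
     * Thread-local and entitlement-context cleanup is the caller's responsibility.
     */
    private void processRequest(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain, String requestUri)
            throws IOException, ServletException {
        // NOTE(review): getSession() creates a session for every request, including
        // unauthenticated ones; the provider contract takes a non-null session so this
        // is kept as-is.
        HttpSession session = request.getSession();
        boolean authenticated = provider.isAuthenticated(session);

        if (isLogoutUri(requestUri)) {
            response.setHeader(WWW_AUTHENTICATE_HEADER, BASIC_CHALLENGE);
            if (authenticated && session.getAttributeNames().hasMoreElements()) {
                logout(request);
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } else {
                RequestDispatcher dispatcher = request.getRequestDispatcher("/");
                log.debug("Not authenticated, forwarding request for {} to {}", requestUri, dispatcher);
                dispatcher.forward(request, response);
            }
            return;
        }

        // Re-check credentials when the session is empty or not authenticated, and also
        // when this is the nested invocation produced by the logout forward above.
        if (!session.getAttributeNames().hasMoreElements() || !authenticated || isLogoutUri(originalRequest.get())) {
            authenticated = authenticate(request);
        }
        if (!authenticated) {
            response.setHeader(WWW_AUTHENTICATE_HEADER, BASIC_CHALLENGE);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String tag = RequestTaggingFilter.getTag();
        try {
            String user = Strings.toString(session.getAttribute(AUTHENTICATED_USER_SESSION_ATTRIBUTE));
            Entitlements.setEntitlementContext(new WebEntitlementContext(user, request.getRemoteAddr(), requestUri, tag));
            filterChain.doFilter(request, response);
        } catch (Throwable t) {
            // Previously swallowed silently; keep the 500 but record what went wrong.
            log.warn("Error handling request {}", requestUri, t);
            if (!response.isCommitted()) {
                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
        }
    }

    /** True for both logout endpoints (the legacy and the versioned one); null-safe. */
    private static boolean isLogoutUri(String uri) {
        return LOGOUT_URI.equals(uri) || V1_LOGOUT_URI.equals(uri);
    }

    /**
     * Presents the request's credentials to the provider unless the session is already
     * authenticated.
     *
     * <p>With no {@code Authorization} header the provider is asked with {@code null}
     * user and password, which it may accept (no user is then recorded on the session).
     * A header that is present but is not well-formed HTTP Basic is rejected outright
     * rather than being passed on as "no credentials".
     *
     * @return whether the session is authenticated after this call
     */
    protected boolean authenticate(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession();
        if (provider.isAuthenticated(session)) {
            return true;
        }
        session.setAttribute(REMOTE_ADDRESS_SESSION_ATTRIBUTE, httpServletRequest.getRemoteAddr());

        String user = null;
        String password = null;
        String header = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
        if (header != null) {
            String[] credentials = parseBasicCredentials(header);
            if (credentials == null) {
                // The header value is deliberately not logged: it may carry a secret.
                log.debug("Rejecting request from {}: Authorization header is not well-formed HTTP Basic", httpServletRequest.getRemoteAddr());
                return false;
            }
            user = credentials[0];
            password = credentials[1];
        }

        if (!provider.authenticate(session, user, password)) {
            return false;
        }
        if (user != null) {
            session.setAttribute(AUTHENTICATED_USER_SESSION_ATTRIBUTE, user);
        }
        // TODO(review): the session id is not rotated after a successful login, so a
        // session id known to an attacker before login stays valid afterwards
        // (session fixation). HttpServletRequest#changeSessionId() would fix this but
        // needs Servlet 3.1+; confirm the container version before adding it.
        return true;
    }

    /**
     * Parses an HTTP Basic {@code Authorization} header value.
     *
     * @param header the raw header value, e.g. {@code Basic dXNlcjpwYXNz}
     * @return a two-element array {@code {user, password}} (split at the first colon, so
     *         passwords may contain colons), or {@code null} if the scheme is not
     *         {@code Basic}, the token is missing, or the decoded text has no colon
     */
    private static String[] parseBasicCredentials(String header) {
        int prefixLength = BASIC_SCHEME_PREFIX.length();
        // Scheme names are case-insensitive (RFC 7235).
        if (header.length() <= prefixLength
                || !header.regionMatches(true, 0, BASIC_SCHEME_PREFIX, 0, prefixLength)) {
            return null;
        }
        String token = header.substring(prefixLength).trim();
        String decoded = new String(Base64.decodeBase64(token), StandardCharsets.UTF_8);
        int separator = decoded.indexOf(':');
        if (separator < 0) {
            return null;
        }
        return new String[] { decoded.substring(0, separator), decoded.substring(separator + 1) };
    }

    /** Builds the provider from the management context found in the servlet context. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.provider = new DelegatingSecurityProvider(OsgiCompat.getManagementContext(filterConfig.getServletContext()));
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Logs the session out of the provider, strips this filter's attributes and
     * invalidates the session.
     */
    protected void logout(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession();
        // NOTE(review): this writes the session id to the log at INFO; the id is a
        // credential while the session is live. Kept for log compatibility, but worth
        // reconsidering.
        log.info("REST logging {} out of session {}", session.getAttribute(AUTHENTICATED_USER_SESSION_ATTRIBUTE), session.getId());
        provider.logout(session);
        session.removeAttribute(AUTHENTICATED_USER_SESSION_ATTRIBUTE);
        session.removeAttribute(REMOTE_ADDRESS_SESSION_ATTRIBUTE);
        session.invalidate();
    }
}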
