package com.erudika.para.server.security;

import com.erudika.para.core.App;
import com.erudika.para.core.User;
import com.erudika.para.core.rest.Signer;
import com.erudika.para.core.utils.Para;
import com.erudika.para.core.utils.Utils;
import com.erudika.para.server.rest.RestUtils;
import com.erudika.para.server.utils.BufferedRequestWrapper;
import java.io.IOException;
import java.util.Date;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:BOOT-INF/lib/para-server-1.46.1.jar:com/erudika/para/server/security/RestAuthFilter.class */
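/**
 * Authenticates and authorizes calls to the Para REST API.
 * <p>
 * A request that matches the REST request matchers is routed to exactly one of three handlers:
 * <ul>
 * <li>{@link #guestAuthRequestHandler} - anonymous requests that carry only an app access key;
 *     the app's permission table decides what the guest subject may do.</li>
 * <li>{@link #userAuthRequestHandler} - requests without an access key that an earlier filter
 *     (JWT, session, ...) has already placed in the {@link SecurityContextHolder}.</li>
 * <li>{@link #appAuthRequestHandler} - requests signed with an app's access key and secret;
 *     the request timestamp and the signature are verified before the app is authenticated.</li>
 * </ul>
 * Requests outside those matchers pass through unchanged. With {@code apiSecurityEnabled == false}
 * (development/testing only) the filter never rejects a request and does not verify signatures
 * or timestamps.
 * <p>
 * An exception raised while authorizing a request is treated as a denial (fail closed) rather than
 * letting the request continue down the chain.
 */
public class RestAuthFilter extends GenericFilterBean implements InitializingBean {

    // Logged under this class rather than SecurityUtils so that log events are attributed to the filter.
    private static final Logger LOG = LoggerFactory.getLogger(RestAuthFilter.class);

    // Resource paths whose permission definitions any principal of the app may read (GET).
    private static final Pattern PERMISSIONS_PATH = Pattern.compile("^_permissions/.+");

    // Subject name used in 403 messages for anonymous requests.
    private static final String GUEST_SUBJECT = "[GUEST]";

    /** When false the filter still populates the security context but never blocks a request. */
    private final boolean apiSecurityEnabled;

    /** Creates a filter with API security enabled. */
    public RestAuthFilter() {
        this(true);
    }

    /**
     * Creates a filter.
     *
     * @param apiSecurityEnabled {@code false} disables all rejections as well as the signature
     *                           and timestamp checks - development and testing only
     */
    public RestAuthFilter(boolean apiSecurityEnabled) {
        this.apiSecurityEnabled = apiSecurityEnabled;
    }

    /**
     * Dispatches the request to the matching auth handler and continues the chain only if that
     * handler allowed it (or API security is disabled).
     *
     * @throws IOException      propagated from the filter chain
     * @throws ServletException propagated from the filter chain
     */
    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // The request is wrapped so that its body stays readable after signature verification
        // (see BufferedRequestWrapper); the wrapper is what continues down the chain.
        BufferedRequestWrapper request = new BufferedRequestWrapper((HttpServletRequest) req);
        HttpServletResponse response = (HttpServletResponse) res;
        boolean proceed = true;
        try {
            String accessKey = RestUtils.extractAccessKey(request);
            boolean hasAccessKey = !StringUtils.isBlank(accessKey);
            boolean isRestRequest = RestRequestMatcher.INSTANCE.matches(request);
            if (RestUtils.isAnonymousRequest(request) && isRestRequest) {
                proceed = guestAuthRequestHandler(accessKey, (HttpServletRequest) req, response);
            } else if (!hasAccessKey && isRestRequest) {
                proceed = userAuthRequestHandler((HttpServletRequest) req, response);
            } else if (hasAccessKey && RestRequestMatcher.INSTANCE_STRICT.matches(request)) {
                // Only the signed-request handler needs the buffered wrapper (it re-reads the body).
                proceed = appAuthRequestHandler(accessKey, request, response);
            }
        } catch (Exception e) {
            // Fail closed: a DAO error, a bad header or any other failure while deciding must not
            // let the request reach the resource as if it had been authorized.
            LOG.error("Failed to authorize request.", e);
            proceed = false;
            if (apiSecurityEnabled && !response.isCommitted()) {
                RestUtils.returnStatusResponse(response, 500, "Failed to authorize request.");
            }
        }
        if (proceed || !apiSecurityEnabled) {
            chain.doFilter(request, res);
        }
    }

    /**
     * Handles an anonymous request that identifies an app by access key only.
     *
     * @param accessKey the app access key extracted from the request (may be blank)
     * @param request   the incoming request
     * @param response  used to write a 401 (no access key) or 403 (guest not permitted)
     * @return {@code true} if the app exists and permits the guest subject to perform the request
     */
    private boolean guestAuthRequestHandler(String accessKey, HttpServletRequest request,
            HttpServletResponse response) {
        String method = request.getMethod();
        String uri = request.getRequestURI();
        if (StringUtils.isBlank(accessKey)) {
            RestUtils.returnStatusResponse(response, 401,
                    Utils.formatMessage("You don't have permission to access this resource. [{0} {1}]", method, uri));
            return false;
        }
        // NOTE(review): unlike the user and signed-app paths, inactive/read-only apps are not rejected
        // here via doAppChecks - confirm that App.isAllowedTo covers that for guests.
        App app = (App) Para.getDAO().read(App.id(accessKey));
        if (!hasPermission(app, null, request)) {
            RestUtils.returnStatusResponse(response, 403,
                    Utils.formatMessage("You don't have permission to access this resource. [user: {0}, resource: {1} {2}]",
                            GUEST_SUBJECT, method, uri));
            return false;
        }
        SecurityContextHolder.getContext().setAuthentication(new AppAuthentication(app));
        return true;
    }

    /**
     * Handles a request without an access key whose principal was authenticated by an earlier filter.
     * <p>
     * A principal without a user (an app-level token) is subject to the app checks only; a user
     * principal must be active and must be permitted by its app's permission table.
     *
     * @param request  the incoming request
     * @param response used to write a 401 (no or inactive principal) or 403/404 (app or permission failure)
     * @return {@code true} if the request may proceed
     */
    private boolean userAuthRequestHandler(HttpServletRequest request, HttpServletResponse response) {
        String method = request.getMethod();
        String uri = request.getRequestURI();
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            RestUtils.returnStatusResponse(response, 401,
                    Utils.formatMessage("You don't have permission to access this resource. [{0} {1}]", method, uri));
            return false;
        }
        User user = SecurityUtils.getAuthenticatedUser(auth);
        App app = auth instanceof JWTAuthentication
                ? ((JWTAuthentication) auth).getApp()
                : SecurityUtils.getAuthenticatedApp();
        if (user == null) {
            Rejection rejection = doAppChecks(app, request);
            if (rejection == null) {
                return true;
            }
            rejection.send(response);
            return false;
        }
        // A null "active" flag is treated as inactive rather than raising an NPE.
        if (!Boolean.TRUE.equals(user.getActive())) {
            RestUtils.returnStatusResponse(response, 401,
                    Utils.formatMessage("You don't have permission to access this resource. [{0} {1}]", method, uri));
            return false;
        }
        if (app == null) {
            app = (App) Para.getDAO().read(App.id(user.getAppid()));
        }
        if (hasPermission(app, user, request)) {
            return true;
        }
        RestUtils.returnStatusResponse(response, 403,
                Utils.formatMessage("You don't have permission to access this resource. [user: {0}, resource: {1} {2}]",
                        user.getId(), method, uri));
        return false;
    }

    /**
     * Handles a request signed with an app's access key and secret.
     * <p>
     * Order of checks: request timestamp (must be present, parseable and within the configured window
     * of the server clock in either direction), app existence/state, then the signature.
     *
     * @param accessKey the app access key from the request credentials
     * @param request   the buffered request (its body is re-read for signature verification)
     * @param response  used to write 400 (bad/expired timestamp), 403/404 (app or signature failure)
     * @return {@code true} if the app is authenticated and the request may proceed
     */
    private boolean appAuthRequestHandler(String accessKey, HttpServletRequest request,
            HttpServletResponse response) {
        String dateHeader = RestUtils.extractDate(request);
        Date requestDate = Signer.parseAWSDate(dateHeader);
        // A present-but-unparseable date used to fall through to the signature check; it is now
        // rejected here, and a timestamp too far in the future is rejected as well so that a captured
        // request cannot stay replayable for longer than the configured window.
        if (apiSecurityEnabled && (StringUtils.isBlank(dateHeader) || !isWithinValidityWindow(requestDate))) {
            RestUtils.returnStatusResponse(response, 400, "Request has expired.");
            return false;
        }
        App app = (App) Para.getDAO().read(App.id(accessKey));
        Rejection rejection = doAppChecks(app, request);
        if (rejection != null) {
            rejection.send(response);
            return false;
        }
        if (!apiSecurityEnabled || SecurityUtils.isValidSignature(request, app.getSecret())) {
            SecurityContextHolder.getContext().setAuthentication(new AppAuthentication(app));
            return true;
        }
        String method = request.getMethod();
        String uri = request.getRequestURI();
        RestUtils.returnStatusResponse(response, 403,
                Utils.formatMessage("Invalid signature for request {0} {1} coming from app {2}",
                        method, uri, app.getAppIdentifier()));
        String query = request.getQueryString();
        String uriWithQuery = StringUtils.isBlank(query) ? uri : uri + "?" + query;
        LOG.warn("Invalid signature for request {} {} coming from app '{}' ({})",
                method, uriWithQuery, app.getAppIdentifier(), request.getHeader("User-Agent"));
        return false;
    }

    /**
     * Checks the signed request's timestamp against the server clock.
     *
     * @param requestDate parsed request date, or {@code null} if it could not be parsed
     * @return {@code true} if the date is within {@code requestExpiresAfterSec} of now, past or future
     */
    private boolean isWithinValidityWindow(Date requestDate) {
        if (requestDate == null) {
            return false;
        }
        long windowMillis = Para.getConfig().requestExpiresAfterSec() * 1000L;
        long skewMillis = Math.abs(System.currentTimeMillis() - requestDate.getTime());
        return skewMillis <= windowMillis;
    }

    /**
     * Decides whether {@code user} (or the guest subject when {@code user} is null) may perform the
     * request against {@code app}.
     * <p>
     * Admin users are always allowed; any principal may GET permission definitions; everything else
     * is decided by {@link App#isAllowedTo}.
     *
     * @param app     the app whose permission table applies; {@code null} denies
     * @param user    the authenticated user, or {@code null} for an anonymous request
     * @param request the incoming request
     * @return {@code true} if the request is permitted
     */
    private boolean hasPermission(App app, User user, HttpServletRequest request) {
        if (app == null) {
            return false;
        }
        if (user != null && user.isAdmin()) {
            return true;
        }
        String resourcePath = RestUtils.extractResourcePath(request);
        String method = request.getMethod();
        if ("GET".equals(method) && PERMISSIONS_PATH.matcher(resourcePath).matches()) {
            return true;
        }
        String subjectId = user == null ? "" : user.getId();
        return app.isAllowedTo(subjectId, resourcePath, method);
    }

    /**
     * Validates the app an authenticated (non-guest) request is acting on.
     *
     * @param app     the app, possibly {@code null}
     * @param request the incoming request (used to detect writes against a read-only app)
     * @return a {@link Rejection} describing why the request must be refused, or {@code null} if it passes
     */
    private Rejection doAppChecks(App app, HttpServletRequest request) {
        if (app == null) {
            return new Rejection(404, "App not found.");
        }
        // A null "active" flag is treated as inactive (fail closed) rather than raising an NPE.
        if (!Boolean.TRUE.equals(app.getActive())) {
            return new Rejection(403, Utils.formatMessage("App not active. [{0}]", app.getId()));
        }
        if (Boolean.TRUE.equals(app.getReadOnly()) && isWriteRequest(request)) {
            return new Rejection(403, Utils.formatMessage("App is in read-only mode. [{0}]", app.getId()));
        }
        return null;
    }

    /**
     * @return {@code true} for POST, PUT, PATCH and DELETE; {@code false} for anything else or a
     *         {@code null} request/method
     */
    private boolean isWriteRequest(HttpServletRequest request) {
        if (request == null || request.getMethod() == null) {
            return false;
        }
        switch (request.getMethod()) {
            case "POST":
            case "PUT":
            case "PATCH":
            case "DELETE":
                return true;
            default:
                return false;
        }
    }

    /** Status code and message for a request refused by {@link #doAppChecks}. */
    private static final class Rejection {
        private final int status;
        private final String message;

        Rejection(int status, String message) {
            this.status = status;
            this.message = message;
        }

        /** Writes this rejection to the response. */
        void send(HttpServletResponse response) {
            RestUtils.returnStatusResponse(response, status, message);
        }
    }
}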
