package com.erudika.para.security;

import com.erudika.para.core.App;
import com.erudika.para.core.User;
import com.erudika.para.rest.RestUtils;
import com.erudika.para.rest.Signer;
import com.erudika.para.utils.Config;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Date;
import javax.servlet.FilterChain;
import javax.servlet.ReadListener;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:com/erudika/para/security/RestAuthFilter.class */
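/**
 * Servlet filter that authenticates REST API requests.
 *
 * <p>For every request matched by {@link RestRequestMatcher#INSTANCE} one of two paths is taken:
 * <ul>
 *   <li>If no user is authenticated in the security context, or the request carries an
 *       {@code Authorization} header, the request is treated as app-signed: the access key,
 *       the {@code X-Amz-Date} value and the request signature are checked against the stored
 *       {@link App} and, on success, an {@link AppAuthentication} is placed in the
 *       {@link SecurityContextHolder}.</li>
 *   <li>Otherwise the already authenticated {@link User} must be active.</li>
 * </ul>
 * Any failure writes an error status via {@link RestUtils#returnStatusResponse} and stops the
 * filter chain. Requests that do not match the REST matcher pass through untouched.
 *
 * <p>The request body is read fully into memory (see {@link BufferedRequestWrapper}) so that it
 * can be consumed once for signature verification and again by the rest of the chain. No size
 * limit is applied here; any request-size limit must be enforced before this filter runs.
 *
 * <p>The filter holds no mutable state; it is thread-safe provided the injected {@link Signer}
 * is (assumed, not verified here).
 */
public class RestAuthFilter extends GenericFilterBean implements InitializingBean {

    /** Chunk size used while copying the request body into memory. */
    private static final int READ_BUFFER_SIZE = 1024;

    private final Signer signer;

    /**
     * Request wrapper that buffers the whole request body in memory so that
     * {@link #getInputStream()} can be called any number of times, each call returning a fresh
     * stream over the same bytes.
     *
     * <p>NOTE(review): {@code getReader()} is not overridden, so a downstream call to it would
     * delegate to the original (already consumed) request - confirm no consumer relies on it.
     */
    private static class BufferedRequestWrapper extends HttpServletRequestWrapper {

        /** The complete request body, captured once in the constructor. */
        private final byte[] buffer;

        /**
         * Reads the entire body of {@code request} into memory.
         *
         * @param request the request to wrap
         * @throws IOException if the underlying input stream cannot be read
         */
        public BufferedRequestWrapper(HttpServletRequest request) throws IOException {
            super(request);
            ServletInputStream in = request.getInputStream();
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] chunk = new byte[READ_BUFFER_SIZE];
            int n;
            // A read of 0 bytes is treated as end of stream, as in the original implementation;
            // in blocking mode the servlet stream returns -1 at EOF and never 0 for a non-empty chunk.
            while ((n = in.read(chunk)) > 0) {
                out.write(chunk, 0, n);
            }
            this.buffer = out.toByteArray();
        }

        /**
         * Returns a new stream positioned at the start of the buffered body.
         *
         * @return a fresh {@link ServletInputStream} over the buffered bytes
         */
        @Override
        public ServletInputStream getInputStream() {
            return new BufferedServletInputStream(new ByteArrayInputStream(buffer));
        }
    }

    /**
     * Minimal {@link ServletInputStream} backed by a {@link ByteArrayInputStream}.
     * Reads are delegated directly; the async read-listener API is not supported
     * ({@link #setReadListener} is a no-op).
     */
    private static class BufferedServletInputStream extends ServletInputStream {

        private final ByteArrayInputStream bais;

        /**
         * @param bais the in-memory stream to delegate to
         */
        public BufferedServletInputStream(ByteArrayInputStream bais) {
            this.bais = bais;
        }

        @Override
        public int available() {
            return bais.available();
        }

        @Override
        public int read() {
            return bais.read();
        }

        @Override
        public int read(byte[] b, int off, int len) {
            return bais.read(b, off, len);
        }

        /** @return {@code true} once all buffered bytes have been consumed */
        @Override
        public boolean isFinished() {
            return bais.available() <= 0;
        }

        /** @return {@code true} while unread bytes remain (data is always in memory) */
        @Override
        public boolean isReady() {
            return !isFinished();
        }

        /** Not supported: the stream is fully in memory, so no listener is ever notified. */
        @Override
        public void setReadListener(ReadListener readListener) {
        }
    }

    /**
     * @param signer the signer used to verify request signatures against an app's secret
     */
    public RestAuthFilter(Signer signer) {
        this.signer = signer;
    }

    /**
     * Authenticates the request as described on the class and, if it passes, continues the chain
     * with the buffered request so that downstream components can still read the body.
     *
     * @param servletRequest  the incoming request; expected to be an {@link HttpServletRequest}
     * @param servletResponse the response; expected to be an {@link HttpServletResponse}
     * @param filterChain     the remaining filter chain
     * @throws IOException      if the request body cannot be read or the response cannot be written
     * @throws ServletException propagated from the filter chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        // Buffered unconditionally (as before) because the wrapper, not the raw request, is what
        // is handed down the chain.
        BufferedRequestWrapper request = new BufferedRequestWrapper((HttpServletRequest) servletRequest);
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        if (RestRequestMatcher.INSTANCE.matches(request)) {
            User authenticatedUser = SecurityUtils.getAuthenticatedUser();
            // An explicit Authorization header takes precedence over an existing user session.
            if (authenticatedUser == null || request.getHeader("Authorization") != null) {
                if (!authenticateApp(request, response)) {
                    return;
                }
            } else if (!Boolean.TRUE.equals(authenticatedUser.getActive())) {
                // A null "active" flag is treated as inactive (fail closed) rather than throwing.
                RestUtils.returnStatusResponse(response, 403, "User doesn't have permission to access this resource.");
                return;
            }
        }
        filterChain.doFilter(request, servletResponse);
    }

    /**
     * Verifies an app-signed request: credentials present, date present and not expired, app exists
     * and is active, write access allowed, and the signature valid. On success the app is stored as
     * the current {@link org.springframework.security.core.Authentication}.
     *
     * <p>Status codes and messages are those returned by the original implementation; the only
     * addition is a 400 for a non-blank {@code X-Amz-Date} that cannot be parsed, which previously
     * skipped the expiry check altogether. Note that the 404 for an unknown key is sent before the
     * signature is checked, so the existence of an access key is observable without its secret.
     *
     * @param request  the buffered request
     * @param response the response to write an error status to on failure
     * @return {@code true} if the request is authenticated; {@code false} if an error response was written
     * @throws IOException if the error response cannot be written
     */
    private boolean authenticateApp(BufferedRequestWrapper request, HttpServletResponse response) throws IOException {
        String accessKey = RestUtils.extractAccessKey(request);
        String dateValue = RestUtils.extractDate(request);

        if (StringUtils.isBlank(accessKey)) {
            RestUtils.returnStatusResponse(response, 401, "Credentials are missing.");
            return false;
        }
        if (StringUtils.isBlank(dateValue)) {
            RestUtils.returnStatusResponse(response, 400, "'X-Amz-Date' header/parameter is not set!");
            return false;
        }
        // Assumes Signer.parseAWSDate returns null only when the value cannot be parsed
        // (the original code already null-checked its result) - confirm against Signer.
        Date requestDate = Signer.parseAWSDate(dateValue);
        if (requestDate == null) {
            RestUtils.returnStatusResponse(response, 400, "'X-Amz-Date' header/parameter is invalid.");
            return false;
        }
        if (isExpired(requestDate)) {
            RestUtils.returnStatusResponse(response, 400, "Request has expired.");
            return false;
        }

        App lookup = new App(accessKey);
        App app = lookup.getDao().read(lookup.getId());
        if (app == null) {
            RestUtils.returnStatusResponse(response, 404, "App not found.");
            return false;
        }
        // Null flags fail closed: a missing "active" means inactive, a missing "readOnly" means writable.
        if (!Boolean.TRUE.equals(app.getActive())) {
            RestUtils.returnStatusResponse(response, 403, "App not active.");
            return false;
        }
        if (Boolean.TRUE.equals(app.getReadOnly()) && isWriteRequest(request)) {
            RestUtils.returnStatusResponse(response, 403, "App is in read-only mode.");
            return false;
        }
        if (!signer.isValidSignature(request, app.getSecret())) {
            RestUtils.returnStatusResponse(response, 403, "Request signature is invalid.");
            return false;
        }
        SecurityContextHolder.getContext().setAuthentication(new AppAuthentication(app));
        return true;
    }

    /**
     * Checks whether a request date is older than {@code Config.REQUEST_EXPIRES_AFTER_SEC} seconds.
     *
     * @param requestDate the parsed {@code X-Amz-Date} value
     * @return {@code true} if the request is past its validity window
     */
    private static boolean isExpired(Date requestDate) {
        long windowMillis = Config.REQUEST_EXPIRES_AFTER_SEC.longValue() * 1000L;
        return System.currentTimeMillis() > requestDate.getTime() + windowMillis;
    }

    /**
     * Decides whether a request is a write (POST, PUT, DELETE or PATCH).
     *
     * @param httpServletRequest the request; may be {@code null}
     * @return {@code true} for a write method; {@code false} for any other method, a missing method
     *         or a {@code null} request
     */
    private boolean isWriteRequest(HttpServletRequest httpServletRequest) {
        if (httpServletRequest == null || httpServletRequest.getMethod() == null) {
            return false;
        }
        switch (httpServletRequest.getMethod()) {
            case "POST":
            case "PUT":
            case "DELETE":
            case "PATCH":
                return true;
            default:
                return false;
        }
    }
}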
