package com.erudika.para.security;

import com.erudika.para.Para;
import com.erudika.para.core.App;
import com.erudika.para.core.User;
import com.erudika.para.rest.RestUtils;
import com.erudika.para.rest.Signer;
import com.erudika.para.utils.BufferedRequestWrapper;
import com.erudika.para.utils.Config;
import com.erudika.para.utils.Utils;
import com.erudika.para.utils.filters.CORSFilter;
import java.io.IOException;
import java.util.Date;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:com/erudika/para/security/RestAuthFilter.class */
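public class RestAuthFilter extends GenericFilterBean implements InitializingBean {

    /**
     * Resource paths of the form {@code _permissions/<something>}. A GET on such a path is
     * always permitted in {@link #hasPermission} so a client can read its own permissions.
     * Compiled once instead of calling {@code String.matches} on every request.
     */
    private static final Pattern PERMISSIONS_PATH = Pattern.compile("^_permissions/.+");

    /**
     * Authenticates a REST request and decides whether it may continue down the filter chain.
     *
     * <p>Three modes are distinguished, in this order:
     * <ol>
     *   <li>anonymous request to a REST path &rarr; {@link #guestAuthRequestHandler};</li>
     *   <li>no access key, REST path &rarr; {@link #userAuthRequestHandler} (user already
     *       authenticated by an upstream filter, e.g. JWT);</li>
     *   <li>access key present, "strict" REST path &rarr; {@link #appAuthRequestHandler}
     *       (AWS-style signed request).</li>
     * </ol>
     * A request that matches none of the three (for example one carrying an access key on a
     * path that is not in {@code RestRequestMatcher.INSTANCE_STRICT}) is passed through
     * unauthenticated by this filter; whether another filter covers it is not visible here.
     *
     * <p>The request body is buffered so that signature verification can read it and the
     * downstream handlers can still read it again.
     *
     * @param servletRequest  the incoming request (must be an {@link HttpServletRequest})
     * @param servletResponse the response (must be an {@link HttpServletResponse})
     * @param filterChain     the remaining chain, invoked only when authentication succeeds
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        BufferedRequestWrapper request = new BufferedRequestWrapper((HttpServletRequest) servletRequest);
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String accessKey = RestUtils.extractAccessKey(request);
        boolean hasAccessKey = !StringUtils.isBlank(accessKey);
        boolean isRestPath = RestRequestMatcher.INSTANCE.matches(request);

        boolean proceed = true;
        if (RestUtils.isAnonymousRequest(request) && isRestPath) {
            proceed = guestAuthRequestHandler(accessKey, (HttpServletRequest) servletRequest, response);
        } else if (!hasAccessKey && isRestPath) {
            proceed = userAuthRequestHandler((HttpServletRequest) servletRequest, response);
        } else if (hasAccessKey && RestRequestMatcher.INSTANCE_STRICT.matches(request)) {
            // Only the signed-request path needs the buffered wrapper (the body is part of the signature).
            proceed = appAuthRequestHandler(accessKey, request, response);
        }

        // A handler that returns false has already written an error response; do not continue.
        if (proceed) {
            filterChain.doFilter(request, servletResponse);
        }
    }

    /**
     * Handles an anonymous ("guest") request on behalf of an app.
     *
     * <p>The app is identified by the access key if one is present; otherwise, when
     * {@code clients_can_access_root_app} is enabled, the root app is used. With no app
     * identifiable the request is rejected with 401. The guest subject is then checked
     * against the app's permission table via {@link #hasPermission}; success installs an
     * {@link AppAuthentication} in the security context.
     *
     * <p>NOTE(review): unlike {@link #appAuthRequestHandler}, this path does not run
     * {@link #doAppChecks}, so an inactive or read-only app is not filtered here. Whether
     * {@code App.isAllowedTo} accounts for that itself is not visible in this file — confirm.
     *
     * @param accessKey the app access key from the request, may be blank
     * @param request   the raw request
     * @param response  used to write 401/403 on failure
     * @return true if the chain may continue, false if an error response was written
     */
    private boolean guestAuthRequestHandler(String accessKey, HttpServletRequest request,
            HttpServletResponse response) {
        String uri = request.getRequestURI();
        String method = request.getMethod();

        String appId = accessKey;
        if (StringUtils.isBlank(appId) && Config.getConfigBoolean("clients_can_access_root_app", false)) {
            appId = App.id(Config.getRootAppIdentifier());
        }
        if (StringUtils.isBlank(appId)) {
            RestUtils.returnStatusResponse(response, 401, Utils.formatMessage(
                    "You don't have permission to access this resource. [{0} {1}]", new Object[]{method, uri}));
            return false;
        }

        // App.id() is applied again here, also to the already-prefixed root id above;
        // presumably idempotent — TODO confirm.
        App app = (App) Para.getDAO().read(App.id(appId));
        if (hasPermission(app, null, request)) {
            SecurityContextHolder.getContext().setAuthentication(new AppAuthentication(app));
            return true;
        }
        RestUtils.returnStatusResponse(response, 403, Utils.formatMessage(
                "You don't have permission to access this resource. [user: {0}, resource: {1} {2}]",
                new Object[]{"[GUEST]", method, uri}));
        return false;
    }

    /**
     * Handles a request for which an upstream filter already populated the Spring Security
     * context (typically a JWT or session-authenticated user).
     *
     * <ul>
     *   <li>no {@link Authentication} at all &rarr; 401;</li>
     *   <li>authentication without a resolvable user (app-only token) &rarr; the app must pass
     *       {@link #doAppChecks};</li>
     *   <li>user present but not active &rarr; 401;</li>
     *   <li>active user &rarr; {@link #hasPermission} against the user's app (looked up by
     *       the user's appid when the authentication did not carry one) &rarr; 403 on denial.</li>
     * </ul>
     *
     * @param request  the raw request
     * @param response used to write 401/403/404 on failure
     * @return true if the chain may continue, false if an error response was written
     */
    private boolean userAuthRequestHandler(HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        User user = SecurityUtils.getAuthenticatedUser(auth);
        String uri = request.getRequestURI();
        String method = request.getMethod();
        App app = (auth instanceof JWTAuthentication)
                ? ((JWTAuthentication) auth).getApp()
                : SecurityUtils.getAuthenticatedApp();

        if (auth == null) {
            return deny401(response, method, uri);
        }

        if (user == null) {
            // App-level authentication only: enforce active / read-only state of the app.
            Object[] failure = doAppChecks(app, request);
            if (failure == null) {
                return true;
            }
            RestUtils.returnStatusResponse(response, ((Integer) failure[0]).intValue(), (String) failure[1]);
            return false;
        }

        // Boolean.TRUE.equals() treats a null "active" flag as inactive instead of throwing NPE.
        if (!Boolean.TRUE.equals(user.getActive())) {
            return deny401(response, method, uri);
        }

        if (app == null) {
            app = (App) Para.getDAO().read(App.id(user.getAppid()));
        }
        if (hasPermission(app, user, request)) {
            return true;
        }
        RestUtils.returnStatusResponse(response, 403, Utils.formatMessage(
                "You don't have permission to access this resource. [user: {0}, resource: {1} {2}]",
                new Object[]{user.getId(), method, uri}));
        return false;
    }

    /** Writes the generic 401 response used when no usable authentication is present. */
    private boolean deny401(HttpServletResponse response, String method, String uri) {
        RestUtils.returnStatusResponse(response, 401, Utils.formatMessage(
                "You don't have permission to access this resource. [{0} {1}]", new Object[]{method, uri}));
        return false;
    }

    /**
     * Handles an AWS-style signed request identified by an app access key.
     *
     * <p>Order of checks: request date freshness, app lookup and state
     * ({@link #doAppChecks}), then HMAC signature against the app secret.
     *
     * <p>Freshness: the request is rejected (400) when the date header is blank, cannot be
     * parsed, or is older than {@code Config.REQUEST_EXPIRES_AFTER_SEC}. Previously an
     * unparseable-but-present date skipped the expiry comparison entirely, which would have let
     * a captured request be replayed indefinitely if signature verification did not itself
     * depend on a parseable date (not visible from this file). Future-dated requests are not
     * rejected here; clock skew tolerance is therefore asymmetric.
     *
     * <p>NOTE(review): {@link #doAppChecks} runs before the signature is verified, so an
     * unauthenticated caller can distinguish unknown (404), inactive (403) and read-only (403)
     * apps from a valid one — an app-id enumeration oracle. Collapsing these into the same
     * response would remove it but changes the API contract, so it is left as-is.
     *
     * @param accessKey the app access key (app identifier)
     * @param request   the buffered request (the body is part of the signature)
     * @param response  used to write 400/403/404 on failure
     * @return true if the chain may continue, false if an error response was written
     */
    private boolean appAuthRequestHandler(String accessKey, HttpServletRequest request,
            HttpServletResponse response) {
        String dateHeader = RestUtils.extractDate(request);
        Date signedAt = Signer.parseAWSDate(dateHeader);
        // 1000L keeps the multiplication in long arithmetic (no int overflow for large TTLs).
        long expiryMillis = Config.REQUEST_EXPIRES_AFTER_SEC * 1000L;
        boolean missingOrStale = signedAt == null
                || System.currentTimeMillis() > signedAt.getTime() + expiryMillis;
        if (StringUtils.isBlank(dateHeader) || missingOrStale) {
            RestUtils.returnStatusResponse(response, 400, "Request has expired.");
            return false;
        }

        App app = (App) Para.getDAO().read(App.id(accessKey));
        Object[] failure = doAppChecks(app, request);
        if (failure != null) {
            RestUtils.returnStatusResponse(response, ((Integer) failure[0]).intValue(), (String) failure[1]);
            return false;
        }

        if (SecurityUtils.isValidSignature(request, app.getSecret())) {
            SecurityContextHolder.getContext().setAuthentication(new AppAuthentication(app));
            return true;
        }
        RestUtils.returnStatusResponse(response, 403, "Request signature is invalid.");
        return false;
    }

    /**
     * Decides whether {@code user} (or the guest subject when {@code user} is null) may perform
     * the request's method on its resource path within {@code app}.
     *
     * <ul>
     *   <li>no app &rarr; denied;</li>
     *   <li>admin user &rarr; governed solely by {@code admins_have_full_api_access} (default true);</li>
     *   <li>GET on {@code _permissions/...} &rarr; always allowed;</li>
     *   <li>otherwise delegated to {@code App.isAllowedTo(subject, path, method)}.</li>
     * </ul>
     *
     * <p>NOTE(review): the guest subject is the constant {@code CORSFilter.DEFAULT_EXPOSED_HEADERS}.
     * This looks like decompiler constant-folding (a string literal replaced by an unrelated
     * field holding the same value); the effective subject is whatever that field's value is —
     * verify against the original source before relying on it.
     *
     * @param app     the app whose permission table is consulted, may be null
     * @param user    the authenticated user, or null for a guest
     * @param request the request, for resource path and method
     * @return true if the operation is permitted
     */
    private boolean hasPermission(App app, User user, HttpServletRequest request) {
        if (app == null) {
            return false;
        }
        if (user != null && user.isAdmin()) {
            return Config.getConfigBoolean("admins_have_full_api_access", true);
        }
        String resourcePath = RestUtils.extractResourcePath(request);
        String method = request.getMethod();
        if (PERMISSIONS_PATH.matcher(resourcePath).matches() && "GET".equals(method)) {
            return true;
        }
        String subject = (user == null) ? CORSFilter.DEFAULT_EXPOSED_HEADERS : user.getId();
        return app.isAllowedTo(subject, resourcePath, method);
    }

    /**
     * Validates the state of an app for the given request.
     *
     * @param app     the app, may be null
     * @param request the request, used to detect write operations
     * @return null if the app is usable; otherwise a two-element array
     *         {@code {Integer status, String message}}: 404 when the app is missing, 403 when it
     *         is inactive, 403 when it is read-only and the request is a write
     */
    private Object[] doAppChecks(App app, HttpServletRequest request) {
        if (app == null) {
            return new Object[]{404, "App not found."};
        }
        // Null flags are treated as "not active" / "not read-only" rather than throwing NPE.
        if (!Boolean.TRUE.equals(app.getActive())) {
            return new Object[]{403, Utils.formatMessage("App not active. [{0}]", new Object[]{app.getId()})};
        }
        if (Boolean.TRUE.equals(app.getReadOnly()) && isWriteRequest(request)) {
            return new Object[]{403, Utils.formatMessage("App is in read-only mode. [{0}]", new Object[]{app.getId()})};
        }
        return null;
    }

    /**
     * @param request the request, may be null
     * @return true for POST, PUT, DELETE and PATCH; false for any other method or a null request
     */
    private boolean isWriteRequest(HttpServletRequest request) {
        if (request == null) {
            return false;
        }
        String method = request.getMethod();
        return "POST".equals(method)
                || "PUT".equals(method)
                || "DELETE".equals(method)
                || "PATCH".equals(method);
    }
}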
