package org.gbif.ws.server.filter;

import com.google.common.base.Strings;
import com.google.inject.Inject;
import com.sun.jersey.core.util.Base64;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import java.util.regex.Pattern;
import javax.annotation.Nullable;
import javax.validation.constraints.NotNull;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.tika.metadata.Metadata;
import org.gbif.api.model.common.ExtendedPrincipal;
import org.gbif.api.model.common.GbifUser;
import org.gbif.api.model.common.GbifUserPrincipal;
import org.gbif.api.service.common.IdentityAccessService;
import org.gbif.ws.security.GbifAuthService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/gbif-common-ws-0.41.jar:org/gbif/ws/server/filter/IdentityFilter.class */
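/**
 * Jersey request filter that resolves the caller's identity from the {@code Authorization}
 * header and installs a {@link SecurityContext} on the request.
 *
 * <p>Two schemes are recognised: HTTP Basic (username and password looked up through the
 * {@link IdentityAccessService}) and the custom {@code GBIF} scheme (request signature verified
 * by the {@link GbifAuthService}). Any other or missing header leaves the request anonymous.
 *
 * <p>Malformed credentials are answered with {@code 400 Bad Request}; credentials that do not
 * authenticate with {@code 401 Unauthorized}. Credential material (the Basic token, the
 * password) is never written to the log.
 */
public class IdentityFilter implements ContainerRequestFilter {
    private static final Logger LOG = LoggerFactory.getLogger(IdentityFilter.class);
    /** Separator between username and password in a decoded Basic credential (a colon). */
    private static final Pattern COLON_PATTERN = Pattern.compile(Metadata.NAMESPACE_PREFIX_DELIMITER);
    private static final String GBIF_SCHEME_PREFIX = "GBIF ";
    private static final String BASIC_SCHEME_PREFIX = "Basic ";
    private final IdentityAccessService identityAccessService;
    @Nullable
    private final GbifAuthService authService;

    /**
     * {@link SecurityContext} installed on the request once authentication has been evaluated.
     * An anonymous authorizer carries no principal, an empty scheme and is in no role.
     */
    public static class Authorizer implements SecurityContext {
        @Nullable
        private final ExtendedPrincipal principal;
        private final String authenticationScheme;
        private final boolean isSecure;

        private Authorizer(@Nullable ExtendedPrincipal principal, String authenticationScheme, boolean isSecure) {
            this.principal = principal;
            this.authenticationScheme = authenticationScheme;
            this.isSecure = isSecure;
        }

        /**
         * Authorizer for an authenticated user.
         *
         * @param user                 the authenticated user, exposed as a {@link GbifUserPrincipal}
         * @param authenticationScheme the scheme the user authenticated with
         * @param isSecure             whether the request arrived over a secure channel
         */
        static Authorizer getAuthorizer(GbifUser user, String authenticationScheme, boolean isSecure) {
            return new Authorizer(new GbifUserPrincipal(user), authenticationScheme, isSecure);
        }

        /** Authorizer for an unauthenticated request: no principal, empty scheme, no roles. */
        static Authorizer getAnonymous(boolean isSecure) {
            return new Authorizer(null, "", isSecure);
        }

        @Override
        public String getAuthenticationScheme() {
            return this.authenticationScheme;
        }

        /** @return the authenticated principal, or {@code null} for an anonymous request */
        @Override
        public Principal getUserPrincipal() {
            return this.principal;
        }

        @Override
        public boolean isSecure() {
            return this.isSecure;
        }

        /** Anonymous requests are never in any role. */
        @Override
        public boolean isUserInRole(String role) {
            return this.principal != null && this.principal.hasRole(role);
        }
    }

    /**
     * @param identityAccessService service used to authenticate Basic credentials and to load
     *                              users named by the GBIF scheme; must not be {@code null}
     * @param gbifAuthService       verifier for GBIF-scheme signed requests; when {@code null},
     *                              every GBIF-scheme request is rejected with {@code 401}
     * @throws NullPointerException if {@code identityAccessService} is {@code null}
     */
    @Inject
    public IdentityFilter(@NotNull IdentityAccessService identityAccessService, @Nullable GbifAuthService gbifAuthService) {
        this.identityAccessService = Objects.requireNonNull(identityAccessService, "identityAccessService shall be provided");
        this.authService = gbifAuthService;
    }

    /**
     * Evaluates the request's credentials and installs the resulting {@link Authorizer} as the
     * request's security context, falling back to an anonymous one.
     *
     * @throws WebApplicationException with status 400 or 401 when credentials are present but
     *                                 malformed or invalid
     */
    @Override
    public ContainerRequest filter(ContainerRequest containerRequest) {
        Authorizer authorizer = authenticate(containerRequest);
        if (authorizer == null) {
            authorizer = Authorizer.getAnonymous(isSecure(containerRequest));
        }
        containerRequest.setSecurityContext(authorizer);
        return containerRequest;
    }

    /**
     * Dispatches on the {@code Authorization} scheme prefix.
     *
     * @return the authorizer for the request; {@code null} when Basic authentication declines to
     *         authenticate (see {@link #basicAuthentication}); anonymous for unknown/missing schemes
     */
    @Nullable
    private Authorizer authenticate(ContainerRequest containerRequest) {
        String authorization = containerRequest.getHeaderValue("Authorization");
        if (authorization == null) {
            return Authorizer.getAnonymous(isSecure(containerRequest));
        }
        // Scheme prefixes are matched exactly, as the signature verifier is expected to do.
        if (authorization.startsWith(BASIC_SCHEME_PREFIX)) {
            String token = authorization.substring(BASIC_SCHEME_PREFIX.length());
            return basicAuthentication(token, isSecure(containerRequest));
        }
        if (authorization.startsWith(GBIF_SCHEME_PREFIX)) {
            return gbifAuthentication(containerRequest);
        }
        return Authorizer.getAnonymous(isSecure(containerRequest));
    }

    /**
     * Authenticates an HTTP Basic credential.
     *
     * @param encodedCredentials the base64 part of the header, i.e. {@code base64(username:password)}
     * @param secure             whether the request arrived over a secure channel
     * @return the authorizer for the user, or {@code null} when the username parses as a UUID;
     *         such names are deliberately not authenticated here (presumably application keys
     *         handled elsewhere — confirm) and the request stays anonymous
     * @throws WebApplicationException 400 when the token is not valid base64 or not of the form
     *                                 {@code username:password}; 401 when authentication fails
     */
    @Nullable
    private Authorizer basicAuthentication(String encodedCredentials, boolean secure) {
        String[] credentials = decodeBasicCredentials(encodedCredentials);
        String username = credentials[0];
        String password = credentials[1];
        if (isUuid(username)) {
            return null;
        }
        GbifUser user = this.identityAccessService.authenticate(username, password);
        if (user == null) {
            // Only the username is logged; the password never reaches the log.
            LOG.debug("Basic authentication failed for user {}", username);
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        LOG.debug("Authenticating user {} via scheme {}", username, SecurityContext.BASIC_AUTH);
        return Authorizer.getAuthorizer(user, SecurityContext.BASIC_AUTH, secure);
    }

    /**
     * Decodes a Basic token into {@code {username, password}}.
     *
     * <p>The decoded text is split at the first colon only, so a password containing colons is
     * preserved intact (RFC 7617 forbids colons in the username, not in the password). The token
     * itself is never logged because it is the credential.
     *
     * @throws WebApplicationException 400 when the token is not valid base64, has no colon, or
     *                                 the username or password is empty
     */
    private static String[] decodeBasicCredentials(String encodedCredentials) {
        String decoded;
        try {
            byte[] raw = java.util.Base64.getDecoder().decode(encodedCredentials);
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            LOG.warn("Basic authentication token is not valid base64");
            throw new WebApplicationException(e, Response.Status.BAD_REQUEST);
        }
        String[] parts = COLON_PATTERN.split(decoded, 2);
        if (parts.length < 2) {
            LOG.warn("Invalid syntax for basic authentication username and password");
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        if (parts[0].isEmpty() || parts[1].isEmpty()) {
            LOG.warn("Missing basic authentication username or password");
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        return parts;
    }

    /** @return whether {@code value} is a syntactically valid UUID string */
    private static boolean isUuid(String value) {
        try {
            UUID.fromString(value);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    /**
     * Authenticates a GBIF-scheme request: the signature is verified by the
     * {@link GbifAuthService} and the user named in the {@link GbifAuthService#HEADER_GBIF_USER}
     * header is loaded for its roles.
     *
     * @return the authorizer for the named user, or anonymous when no such user exists
     * @throws WebApplicationException 400 when the user header is missing; 401 when no
     *                                 {@link GbifAuthService} is configured or the signature is invalid
     */
    private Authorizer gbifAuthentication(ContainerRequest containerRequest) {
        String gbifUser = containerRequest.getHeaderValue(GbifAuthService.HEADER_GBIF_USER);
        if (Strings.isNullOrEmpty(gbifUser)) {
            LOG.warn("Missing gbif username header {}", GbifAuthService.HEADER_GBIF_USER);
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        if (this.authService == null) {
            LOG.warn("No GbifAuthService defined.");
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        // The signature check happens before any lookup: an unsigned request must not learn
        // whether the named user exists.
        if (!this.authService.isValidRequest(containerRequest)) {
            LOG.warn("Invalid GBIF authenticated request");
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        LOG.debug("Authenticating user {} via scheme {}", gbifUser, GbifAuthService.GBIF_SCHEME);
        GbifUser user = this.identityAccessService.get(gbifUser);
        if (user == null) {
            return Authorizer.getAnonymous(isSecure(containerRequest));
        }
        return Authorizer.getAuthorizer(user, GbifAuthService.GBIF_SCHEME, isSecure(containerRequest));
    }

    /**
     * Null-safe view of the request's transport-security flag. A request without a security
     * context is treated as insecure; {@code isSecure()} presumably delegates to that context
     * (confirm against the Jersey version in use).
     */
    private static boolean isSecure(ContainerRequest containerRequest) {
        return containerRequest.getSecurityContext() != null && containerRequest.isSecure();
    }
}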
