package org.gbif.ws.server.filter;

import com.google.common.base.Strings;
import com.google.inject.Inject;
import com.sun.jersey.core.util.Base64;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import java.security.Principal;
import java.util.UUID;
import java.util.regex.Pattern;
import javax.annotation.Nullable;
import javax.validation.constraints.NotNull;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriInfo;
import org.apache.struts2.views.util.DefaultUrlHelper;
import org.apache.tika.metadata.Metadata;
import org.gbif.api.model.common.User;
import org.gbif.api.model.common.UserPrincipal;
import org.gbif.api.service.common.UserService;
import org.gbif.ws.security.GbifAuthService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

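/**
 * Jersey request filter that turns the {@code Authorization} header into a JAX-RS
 * {@link SecurityContext} and installs it on the request.
 *
 * <p>Two header prefixes are recognised: {@code "Basic "} (username and password checked through
 * {@link UserService#authenticate}) and {@code "GBIF "} (request validated by
 * {@link GbifAuthService#isValidRequest}). A request with no header, or with any other prefix,
 * gets an anonymous context: no principal and an empty authentication scheme.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Nothing in this class rejects Basic credentials sent over plain HTTP;
 *       {@link Authorizer#isSecure()} only reports the scheme. NOTE(review): confirm TLS is
 *       enforced in front of this filter.</li>
 *   <li>The raw or decoded {@code Authorization} value must never be logged: Base64 is an
 *       encoding, not encryption, so the header is equivalent to the clear-text password.</li>
 * </ul>
 *
 * @deprecated marked deprecated in this artifact; the replacement is not named here.
 */
@Deprecated
/* loaded from: input_file:WEB-INF/lib/gbif-common-ws-0.41.jar:org/gbif/ws/server/filter/AuthFilter.class */
public class AuthFilter implements ContainerRequestFilter {
    private static final Logger LOG = LoggerFactory.getLogger(AuthFilter.class);
    // Constant reference as emitted by the decompiler; presumably ":" (verify against the original source).
    private static final Pattern COLON_PATTERN = Pattern.compile(Metadata.NAMESPACE_PREFIX_DELIMITER);
    private final UserService userService;
    private final GbifAuthService authService;

    @Context
    private UriInfo uriInfo;
    private static final String GBIF_SCHEME_PREFIX = "GBIF ";
    private static final String BASIC_SCHEME_PREFIX = "Basic ";

    /**
     * {@link SecurityContext} produced by this filter. A {@code null} principal means the request
     * is treated as anonymous, in which case {@link #isUserInRole(String)} is always {@code false}.
     */
    /* loaded from: input_file:WEB-INF/lib/gbif-common-ws-0.41.jar:org/gbif/ws/server/filter/AuthFilter$Authorizer.class */
    public class Authorizer implements SecurityContext {
        private final UserPrincipal principal;
        private final String authenticationScheme;

        /** Creates the anonymous context: no principal, empty authentication scheme. */
        public Authorizer() {
            this.principal = null;
            this.authenticationScheme = "";
        }

        /**
         * Creates a context for a username that has already been accepted by the caller and only
         * needs to be resolved to a {@link User}. No password or signature is checked here.
         *
         * <p>If no user service is configured, or the user service does not know the name, the
         * principal stays {@code null} (anonymous) while the scheme is still recorded.
         *
         * @param username name to look up through the user service, may be {@code null}
         * @param scheme authentication scheme to report from {@link #getAuthenticationScheme()}
         */
        public Authorizer(@Nullable String username, String scheme) {
            UserPrincipal resolved = null;
            if (AuthFilter.this.userService == null) {
                AuthFilter.LOG.debug("No user service configured! No roles assigned, using anonymous user instead.");
            } else {
                User user = AuthFilter.this.userService.get(username);
                if (user == null) {
                    AuthFilter.LOG.debug("Authorized user {} not found in user service! No roles could be assigned, using anonymous user instead.", username);
                } else {
                    resolved = new UserPrincipal(user);
                }
            }
            this.principal = resolved;
            this.authenticationScheme = scheme;
        }

        /**
         * Creates a context for an already authenticated user.
         *
         * @param user the authenticated user, wrapped in a {@link UserPrincipal}
         * @param scheme authentication scheme to report from {@link #getAuthenticationScheme()}
         */
        public Authorizer(User user, String scheme) {
            this.principal = new UserPrincipal(user);
            this.authenticationScheme = scheme;
        }

        @Override // javax.ws.rs.core.SecurityContext
        public String getAuthenticationScheme() {
            return this.authenticationScheme;
        }

        @Override // javax.ws.rs.core.SecurityContext
        public Principal getUserPrincipal() {
            return this.principal;
        }

        /**
         * Reports whether the request URI scheme equals {@code DefaultUrlHelper.HTTPS_PROTOCOL}
         * (constant reference as emitted by the decompiler; presumably {@code "https"}).
         * NOTE(review): this is the scheme as seen by this container; behind a TLS-terminating
         * proxy it may not reflect what the client used.
         */
        @Override // javax.ws.rs.core.SecurityContext
        public boolean isSecure() {
            return DefaultUrlHelper.HTTPS_PROTOCOL.equals(AuthFilter.this.uriInfo.getRequestUri().getScheme());
        }

        @Override // javax.ws.rs.core.SecurityContext
        public boolean isUserInRole(String role) {
            return this.principal != null && this.principal.hasRole(role);
        }
    }

    /**
     * @param userService looks up and authenticates users; when {@code null} every request is
     *     treated as anonymous
     * @param gbifAuthService validates requests using the GBIF scheme; when {@code null} such
     *     requests are rejected with 401
     */
    @Inject
    public AuthFilter(@NotNull UserService userService, @Nullable GbifAuthService gbifAuthService) {
        this.userService = userService;
        this.authService = gbifAuthService;
    }

    /**
     * Installs a {@link SecurityContext} on the request. The filter never leaves the context
     * unset: when authentication is skipped or yields {@code null}, the anonymous
     * {@link Authorizer} is used.
     *
     * @param containerRequest the incoming request
     * @return the same request, with its security context replaced
     * @throws WebApplicationException 400 for malformed credentials, 401 for rejected ones
     */
    @Override // com.sun.jersey.spi.container.ContainerRequestFilter
    public ContainerRequest filter(ContainerRequest containerRequest) {
        Authorizer authorizer = null;
        if (this.userService != null) {
            authorizer = authenticate(containerRequest);
        }
        if (authorizer == null) {
            authorizer = new Authorizer();
        }
        containerRequest.setSecurityContext(authorizer);
        return containerRequest;
    }

    /**
     * Dispatches on the {@code Authorization} header prefix. The prefix match is case-sensitive,
     * so a header with any other prefix (or no header) falls through to the anonymous context.
     */
    private Authorizer authenticate(ContainerRequest containerRequest) {
        String headerValue = containerRequest.getHeaderValue("Authorization");
        if (headerValue != null) {
            if (headerValue.startsWith(BASIC_SCHEME_PREFIX)) {
                return basicAuthentication(headerValue.substring(BASIC_SCHEME_PREFIX.length()));
            }
            if (headerValue.startsWith(GBIF_SCHEME_PREFIX)) {
                return gbifAuthentication(containerRequest);
            }
        }
        return new Authorizer();
    }

    /**
     * Authenticates HTTP Basic credentials.
     *
     * @param encodedCredentials the Base64 part of the header, i.e. the text after {@code "Basic "}
     * @return the authenticated context, or {@code null} when the username parses as a UUID; in
     *     that case no password check is made here and {@link #filter} falls back to anonymous
     * @throws WebApplicationException 400 if the decoded value has no colon or an empty password,
     *     401 if the user service rejects the credentials
     */
    private Authorizer basicAuthentication(String encodedCredentials) {
        // Limit 2 splits on the first colon only, so a password that itself contains ':' is
        // passed on whole instead of being silently cut at its first colon.
        String[] parts = COLON_PATTERN.split(Base64.base64Decode(encodedCredentials), 2);
        // An empty password is still refused with 400, as it was before the limit was added.
        if (parts.length < 2 || parts[1].isEmpty()) {
            // Deliberately log no part of the header: Base64 is reversible, so writing it to the
            // log would store the submitted credentials in clear text.
            LOG.warn("Invalid syntax for username and password in Basic Authorization header");
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        String username = parts[0];
        String password = parts[1];
        if (isUuid(username)) {
            // NOTE(review): UUID usernames are not authenticated by this filter; presumably
            // another component handles them - confirm. UUID.fromString is lenient about group
            // lengths, so short forms such as "1-1-1-1-1" also take this path.
            return null;
        }
        User authenticated = this.userService.authenticate(username, password);
        if (authenticated == null) {
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        LOG.debug("Authenticating user {} via scheme {}", username, SecurityContext.BASIC_AUTH);
        return new Authorizer(authenticated, SecurityContext.BASIC_AUTH);
    }

    /** Returns {@code true} when {@link UUID#fromString(String)} accepts the value. */
    private static boolean isUuid(String value) {
        try {
            UUID.fromString(value);
            return true;
        } catch (IllegalArgumentException ignored) {
            // Not a UUID: the caller treats the value as an ordinary username.
            return false;
        }
    }

    /**
     * Authenticates a request that uses the GBIF scheme.
     *
     * <p>The username is read from a client-supplied header and is trusted only because
     * {@link GbifAuthService#isValidRequest} accepted the request. NOTE(review): presumably that
     * check covers the username header itself - confirm in {@code GbifAuthService}, since
     * otherwise the header could name any account.
     *
     * @throws WebApplicationException 400 if the username header is missing or empty, 401 if no
     *     {@link GbifAuthService} is configured or the request is not valid
     */
    private Authorizer gbifAuthentication(ContainerRequest containerRequest) {
        String username = containerRequest.getHeaderValue(GbifAuthService.HEADER_GBIF_USER);
        if (Strings.isNullOrEmpty(username)) {
            LOG.warn("Missing gbif username header {}", GbifAuthService.HEADER_GBIF_USER);
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        }
        if (this.authService == null) {
            LOG.warn("No GbifAuthService defined.");
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        if (!this.authService.isValidRequest(containerRequest)) {
            LOG.warn("Invalid GBIF authenticated request");
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        LOG.debug("Authenticating user {} via scheme {}", username, GbifAuthService.GBIF_SCHEME);
        return new Authorizer(username, GbifAuthService.GBIF_SCHEME);
    }
}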
