package org.gbif.ws.server.filter;

import com.google.inject.Inject;
import com.google.inject.name.Named;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Nullable;
import javax.validation.constraints.NotNull;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang3.StringUtils;
import org.gbif.api.model.common.AppPrincipal;
import org.gbif.api.model.common.ExtendedPrincipal;
import org.gbif.api.vocabulary.AppRole;
import org.gbif.ws.security.GbifAuthService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/gbif-common-ws-0.41.jar:org/gbif/ws/server/filter/AppIdentityFilter.class */
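/**
 * Jersey request filter that attaches an application identity to requests using the GBIF
 * authentication scheme.
 *
 * <p>A request is given an {@link AppPrincipal} with the {@link AppRole#APP} role only when all
 * of the following hold:
 * <ul>
 *   <li>no user principal has been set on the request already;</li>
 *   <li>the {@code Authorization} header starts with the GBIF scheme prefix;</li>
 *   <li>{@link GbifAuthService#isValidRequest} accepts the request;</li>
 *   <li>the app key taken from the request equals the value of the GBIF user header;</li>
 *   <li>that app key is in the configured whitelist.</li>
 * </ul>
 *
 * <p>Security note: a GBIF-scheme request that fails validation is rejected with 401. A request
 * that passes validation but fails the app key or whitelist check is <em>not</em> rejected here.
 * It continues without a principal set by this filter, so resources must still enforce their own
 * role checks.
 */
public class AppIdentityFilter implements ContainerRequestFilter {
    /** Name of the injected configuration entry holding the whitelisted app keys. */
    public static final String APPKEYS_WHITELIST = "identity.appkeys.whitelist";
    private static final String GBIF_SCHEME_PREFIX = "GBIF ";
    private static final Logger LOG = LoggerFactory.getLogger(AppIdentityFilter.class);
    private final GbifAuthService authService;
    private final List<String> appKeyWhitelist;

    /**
     * Creates the filter.
     *
     * @param gbifAuthService service used to validate GBIF-scheme requests
     * @param list whitelisted app keys; {@code null} is treated as an empty whitelist, in which
     *     case no request is ever granted an app identity
     */
    @Inject
    public AppIdentityFilter(@NotNull GbifAuthService gbifAuthService, @Named(APPKEYS_WHITELIST) @Nullable List<String> list) {
        this.authService = gbifAuthService;
        // Defensive copy: later changes to the injected list must not alter the trusted set.
        this.appKeyWhitelist = list != null ? new ArrayList<>(list) : new ArrayList<>();
    }

    /**
     * Validates GBIF-scheme requests and, for whitelisted apps acting as themselves, installs a
     * security context carrying the app principal.
     *
     * @param containerRequest the incoming request
     * @return the same request, possibly with a new security context
     * @throws WebApplicationException with status 401 when a GBIF-scheme request fails validation
     */
    @Override
    public ContainerRequest filter(final ContainerRequest containerRequest) {
        // An earlier filter has already authenticated the request; leave its identity untouched.
        if (containerRequest.getSecurityContext() != null && containerRequest.getUserPrincipal() != null) {
            return containerRequest;
        }
        if (!StringUtils.startsWith(containerRequest.getHeaderValue("Authorization"), GBIF_SCHEME_PREFIX)) {
            return containerRequest;
        }
        if (!this.authService.isValidRequest(containerRequest)) {
            LOG.warn("Invalid GBIF authenticated request");
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }

        String headerValue = containerRequest.getHeaderValue(GbifAuthService.HEADER_GBIF_USER);
        final String appKeyFromRequest = GbifAuthService.getAppKeyFromRequest(containerRequest::getHeaderValue);

        // The app identity is granted only when the app names itself in the user header and its
        // key is whitelisted. StringUtils.equals treats two nulls as equal, so the whitelist check
        // is what rejects a missing app key.
        if (!StringUtils.equals(appKeyFromRequest, headerValue) || !this.appKeyWhitelist.contains(appKeyFromRequest)) {
            // Header values are client-controlled, so they are deliberately kept out of the log.
            LOG.debug("GBIF request not mapped to an app principal: user header differs from app key, or app key not whitelisted");
            return containerRequest;
        }

        containerRequest.setSecurityContext(new SecurityContext() {
            private final ExtendedPrincipal principal = new AppPrincipal(appKeyFromRequest, AppRole.APP.name());

            @Override
            public Principal getUserPrincipal() {
                return this.principal;
            }

            @Override
            public boolean isUserInRole(String str) {
                return this.principal.hasRole(str);
            }

            @Override
            public boolean isSecure() {
                return containerRequest.isSecure();
            }

            @Override
            public String getAuthenticationScheme() {
                return GbifAuthService.GBIF_SCHEME;
            }
        });
        return containerRequest;
    }
}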
