package org.eclipse.dirigible.components.security.filter;

import com.google.common.html.HtmlEscapers;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import org.eclipse.dirigible.commons.config.Configuration;
import org.eclipse.dirigible.components.base.http.access.UserRequestVerifier;
import org.eclipse.dirigible.components.security.domain.Access;
import org.eclipse.dirigible.components.security.verifier.AccessVerifier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

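/**
 * Servlet filter that enforces the HTTP access constraints registered with the
 * {@link AccessVerifier}.
 *
 * <p>For every request whose path info does not start with {@value #PATH_WEB_RESOURCES},
 * the filter strips one of the secured prefixes (see {@link #SECURED_PREFIXES}), asks the
 * verifier for the {@link Access} entries matching scope {@value #CONSTRAINT_SCOPE_HTTP},
 * the remaining path and the HTTP method, and answers {@code 403 Forbidden} when the caller
 * is not allowed. Requests under {@value #PATH_WEB_RESOURCES} skip the constraint check.
 *
 * <p>Instances are stateless apart from the injected verifier and can be shared across
 * request threads.
 */
@Component
public class SecurityFilter implements Filter {
    /** Servlet paths that are dropped without invoking the rest of the chain. */
    private static final String SKIP_PATH_ANGULAR_ARIA = "/services/js/resources-core/services/angular-aria.min.js.map";
    private static final String SKIP_PATH_SPLIT_JS = "/services/js/resources-core/services/split.min.js.map";
    /** Path-info prefix that is exempt from constraint checks. */
    private static final String PATH_WEB_RESOURCES = "/web/resources";
    /** Constraint scope used when querying the verifier. */
    public static final String CONSTRAINT_SCOPE_HTTP = "HTTP";
    /** Role name that grants access to everybody, including unauthenticated callers. */
    public static final String ROLE_PUBLIC = "Public";

    private static final Logger logger = LoggerFactory.getLogger(SecurityFilter.class);

    /**
     * Prefixes removed from the path info before constraints are matched. Immutable, so no
     * {@link #init(FilterConfig)} step is needed and the set cannot be mutated at runtime.
     * None of these prefixes is a prefix of another, so the first match is the only match.
     */
    private static final Set<String> SECURED_PREFIXES = Set.of("/js", "/public", "/web", "/wiki", "/command");

    private final AccessVerifier securityAccessVerifier;

    /**
     * Creates the filter.
     *
     * @param accessVerifier source of the HTTP access constraints; must not be {@code null}
     * @throws NullPointerException if {@code accessVerifier} is {@code null}
     */
    @Autowired
    public SecurityFilter(AccessVerifier accessVerifier) {
        this.securityAccessVerifier = Objects.requireNonNull(accessVerifier, "accessVerifier");
    }

    /**
     * No-op: all configuration of this filter is constant.
     *
     * @param filterConfig ignored
     */
    @Override
    public void init(FilterConfig filterConfig) {
        // SECURED_PREFIXES is a compile-time constant; nothing to set up per instance.
    }

    /**
     * Applies the HTTP access constraints to the request and either continues the chain,
     * drops the request (skip paths) or answers {@code 403}.
     *
     * @param servletRequest  incoming request, expected to be an {@link HttpServletRequest}
     * @param servletResponse outgoing response, expected to be an {@link HttpServletResponse}
     * @param filterChain     remainder of the filter chain
     * @throws ServletException propagated from the chain
     * @throws IOException      propagated from the chain or from writing the error response
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws ServletException, IOException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        String rawPathInfo = request.getPathInfo();
        String pathInfo = rawPathInfo != null ? rawPathInfo : "/";

        if (!pathInfo.startsWith(PATH_WEB_RESOURCES)) {
            String constraintPath = stripSecuredPrefix(pathInfo);
            Optional<String> denialReason =
                    findDenialReason(constraintPath, request.getMethod(), request.getUserPrincipal());
            if (denialReason.isPresent()) {
                forbidden(constraintPath, denialReason.get(), response);
                return;
            }
        }

        // These two source-map requests are swallowed: the chain is not invoked and this
        // filter writes nothing to the response.
        String servletPath = request.getServletPath();
        if (SKIP_PATH_ANGULAR_ARIA.equals(servletPath) || SKIP_PATH_SPLIT_JS.equals(servletPath)) {
            return;
        }

        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Removes the first matching secured prefix from {@code pathInfo}.
     *
     * <p>NOTE(review): this is a plain string-prefix test, not a path-segment match, so a
     * path such as {@code /publicX} also loses its {@code /public} prefix. Kept as-is to
     * preserve existing matching behaviour.
     *
     * @param pathInfo request path info, never {@code null}
     * @return the path with one secured prefix removed, or {@code pathInfo} unchanged if none matches
     */
    private static String stripSecuredPrefix(String pathInfo) {
        for (String prefix : SECURED_PREFIXES) {
            if (pathInfo.startsWith(prefix)) {
                return pathInfo.substring(prefix.length());
            }
        }
        return pathInfo;
    }

    /**
     * Decides whether the request must be rejected.
     *
     * <p>With no matching constraints the request is allowed unless anonymous mode is off,
     * there is no principal and JWT mode is off. With constraints, an authenticated caller
     * (principal present or JWT mode on) needs one of the constrained roles or a
     * {@value #ROLE_PUBLIC} constraint; an unauthenticated caller needs a
     * {@value #ROLE_PUBLIC} constraint.
     *
     * @param path          path with the secured prefix already removed
     * @param method        HTTP method of the request
     * @param userPrincipal authenticated principal, or {@code null} when there is none
     * @return the reason for denial, or empty when the request may proceed
     */
    private Optional<String> findDenialReason(String path, String method, Principal userPrincipal) {
        List<Access> accesses = securityAccessVerifier.getMatchingSecurityAccesses(CONSTRAINT_SCOPE_HTTP, path, method);

        if (accesses.isEmpty()) {
            if (!Configuration.isAnonymousModeEnabled() && userPrincipal == null && !Configuration.isJwtModeEnabled()) {
                return Optional.of("No logged in user and no white list constraints");
            }
            return Optional.empty();
        }

        if (userPrincipal != null || Configuration.isJwtModeEnabled()) {
            // Public is checked first so the role lookup is only done for real role constraints.
            boolean allowed = accesses.stream()
                    .anyMatch(access -> ROLE_PUBLIC.equalsIgnoreCase(access.getRole())
                            || UserRequestVerifier.isUserInRole(access.getRole()));
            return allowed
                    ? Optional.empty()
                    : Optional.of("The logged in user does not have any of the required roles for the requested URI");
        }

        boolean publiclyAccessible = accesses.stream()
                .anyMatch(access -> ROLE_PUBLIC.equalsIgnoreCase(access.getRole()));
        return publiclyAccessible ? Optional.empty() : Optional.of("No logged in user");
    }

    /**
     * Logs the denial and answers {@code 403 Forbidden}.
     *
     * @param path     request path that was denied (request-controlled)
     * @param reason   human-readable reason for the denial
     * @param response response to write the error to
     * @throws IOException if the error response cannot be written
     */
    private void forbidden(String path, String reason, HttpServletResponse response) throws IOException {
        String message = String.format("Requested URI [%s] is forbidden: %s", path, reason);
        if (logger.isWarnEnabled()) {
            // The path comes from the request; collapse line breaks so one request
            // yields exactly one log line.
            logger.warn("Requested URI [{}] is forbidden: {}", singleLine(path), reason);
        }
        // HTML-escaped because containers may render the message in an HTML error page.
        response.sendError(HttpServletResponse.SC_FORBIDDEN, HtmlEscapers.htmlEscaper().escape(message));
    }

    /**
     * Replaces CR and LF with {@code '_'} so request-derived text cannot split a log entry.
     *
     * @param value text to sanitise, never {@code null}
     * @return {@code value} with line breaks replaced
     */
    private static String singleLine(String value) {
        return value.replace('\r', '_').replace('\n', '_');
    }

    /** No resources to release. */
    @Override
    public void destroy() {
    }
}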
