package org.eclipse.scout.rt.server.commons.authentication;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.scout.rt.platform.BEANS;
import org.eclipse.scout.rt.platform.security.IPrincipalProducer2;
import org.eclipse.scout.rt.platform.util.StringUtility;
import org.eclipse.scout.rt.shared.servicetunnel.http.DefaultAuthToken;
import org.eclipse.scout.rt.shared.servicetunnel.http.DefaultAuthTokenPrincipalProducer;
import org.eclipse.scout.rt.shared.servicetunnel.http.DefaultAuthTokenVerifier;

/* loaded from: input_file:org/eclipse/scout/rt/server/commons/authentication/ServiceTunnelAccessTokenAccessController.class */
/**
 * Access controller that authenticates a request from the token carried in the
 * {@code X-ScoutAccessToken} HTTP header.
 * <p>
 * Flow of {@link #handle}: the header value is parsed by a bean of the configured token class,
 * the parsed token is passed to the configured {@link DefaultAuthTokenVerifier}, and on success
 * the filter chain continues as the subject produced from the token's user id and custom args.
 * A token that fails verification is answered with HTTP 403.
 * <p>
 * Security notes for reviewers:
 * <ul>
 * <li>The header is supplied by the client. {@code verify(token)} is the only check in this class
 * between that value and running the chain as the user named in the token, so the guarantee is
 * exactly as strong as the configured verifier (its implementation is not visible here).</li>
 * <li>A disabled controller, or a request without the header, makes {@link #handle} return
 * {@code false}; nothing is rejected in that case. NOTE(review): presumably the caller then tries
 * other controllers or denies the request; confirm it does not fall through to "allow".</li>
 * <li>There is no try/catch here, so anything thrown while parsing, verifying or producing the
 * principal propagates out of {@link #handle} instead of becoming a 403.</li>
 * <li>This class writes no log entry for a rejected token; {@link #fail} is {@code protected}
 * and can be overridden where rejections should be audited (without logging the token itself).</li>
 * </ul>
 */
public class ServiceTunnelAccessTokenAccessController implements IAccessController {
    /** Name of the request header that carries the serialized access token. */
    private static final String TOKEN_HEADER = "X-ScoutAccessToken";

    private ServiceTunnelAccessTokenAuthConfig m_config;
    // Remains false (the field default) until one of the init methods has run,
    // so an uninitialized controller never handles a request.
    private boolean m_enabled;

    /* loaded from: input_file:org/eclipse/scout/rt/server/commons/authentication/ServiceTunnelAccessTokenAccessController$ServiceTunnelAccessTokenAuthConfig.class */
    /**
     * Fluent configuration for the controller: token class, token verifier, principal producer
     * and an on/off switch. The defaults are resolved through {@code BEANS} when the config
     * object is created.
     * <p>
     * The verifier and the principal producer decide who a request is authenticated as, so
     * replacing either of them is a security-relevant change.
     */
    public static class ServiceTunnelAccessTokenAuthConfig {
        private Class<? extends DefaultAuthToken> m_tokenClazz = DefaultAuthToken.class;
        private DefaultAuthTokenVerifier m_tokenVerifier = (DefaultAuthTokenVerifier) BEANS.get(DefaultAuthTokenVerifier.class);
        private boolean m_enabled = true;
        private IPrincipalProducer2 m_principalProducer = (IPrincipalProducer2) BEANS.get(DefaultAuthTokenPrincipalProducer.class);

        /** @return the bean class used to parse the header value into a token */
        public Class<? extends DefaultAuthToken> getTokenClazz() {
            return m_tokenClazz;
        }

        /**
         * Sets the bean class used to parse the header value.
         *
         * @param cls token class; {@code null} disables the controller at init time
         * @return this config, for chaining
         */
        public ServiceTunnelAccessTokenAuthConfig withTokenClazz(Class<? extends DefaultAuthToken> cls) {
            m_tokenClazz = cls;
            return this;
        }

        /** @return the verifier that decides whether a parsed token is accepted */
        public DefaultAuthTokenVerifier getTokenVerifier() {
            return m_tokenVerifier;
        }

        /**
         * Sets the verifier that decides whether a parsed token is accepted.
         *
         * @param defaultAuthTokenVerifier verifier; {@code null} disables the controller at init time
         * @return this config, for chaining
         */
        public ServiceTunnelAccessTokenAuthConfig withTokenVerifier(DefaultAuthTokenVerifier defaultAuthTokenVerifier) {
            m_tokenVerifier = defaultAuthTokenVerifier;
            return this;
        }

        /** @return the configured on/off switch ({@code true} by default) */
        public boolean isEnabled() {
            return m_enabled;
        }

        /**
         * Switches token authentication on or off.
         *
         * @param z {@code false} disables the controller at init time
         * @return this config, for chaining
         */
        public ServiceTunnelAccessTokenAuthConfig withEnabled(boolean z) {
            m_enabled = z;
            return this;
        }

        /** @return the producer that turns the token's user id and custom args into a principal */
        public IPrincipalProducer2 getPrincipalProducer2() {
            return m_principalProducer;
        }

        /**
         * Sets the producer that builds the principal for an accepted token.
         *
         * @param iPrincipalProducer2 producer; {@code null} disables the controller at init time
         * @return this config, for chaining
         */
        public ServiceTunnelAccessTokenAuthConfig withPrincipalProducer2(IPrincipalProducer2 iPrincipalProducer2) {
            m_principalProducer = iPrincipalProducer2;
            return this;
        }
    }

    /**
     * Initializes the controller with a default {@link ServiceTunnelAccessTokenAuthConfig}.
     *
     * @return this controller
     */
    public ServiceTunnelAccessTokenAccessController init() {
        init(new ServiceTunnelAccessTokenAuthConfig());
        return this;
    }

    /**
     * Stores the given config and derives whether the controller is enabled.
     * <p>
     * The controller is enabled only when the config is switched on, a token class, a verifier
     * and a principal producer are all present, and the verifier itself reports enabled. Any
     * missing piece leaves the controller disabled rather than half-configured.
     *
     * @param serviceTunnelAccessTokenAuthConfig config to use; dereferenced without a null check
     * @return this controller
     */
    public ServiceTunnelAccessTokenAccessController init(ServiceTunnelAccessTokenAuthConfig serviceTunnelAccessTokenAuthConfig) {
        m_config = serviceTunnelAccessTokenAuthConfig;
        // Short-circuit order matters: the verifier is null-checked before isEnabled() is called on it.
        m_enabled = serviceTunnelAccessTokenAuthConfig.isEnabled()
                && serviceTunnelAccessTokenAuthConfig.getTokenClazz() != null
                && serviceTunnelAccessTokenAuthConfig.getTokenVerifier() != null
                && serviceTunnelAccessTokenAuthConfig.getTokenVerifier().isEnabled()
                && serviceTunnelAccessTokenAuthConfig.getPrincipalProducer2() != null;
        return this;
    }

    /**
     * Authenticates the request from its access-token header, if present.
     *
     * @return {@code false} when the controller is disabled or the header is missing or empty
     *         (the request is left untouched); {@code true} when the request was handled here,
     *         either by continuing the chain as the token's subject or by sending 403
     * @throws IOException if sending the error or continuing the chain fails with it
     * @throws ServletException if continuing the chain fails with it
     */
    @Override
    public boolean handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!m_enabled) {
            return false;
        }

        final String headerValue = httpServletRequest.getHeader(TOKEN_HEADER);
        if (StringUtility.isNullOrEmpty(headerValue)) {
            return false;
        }

        // Untrusted input from here on: the header value is parsed before it has been verified.
        // NOTE(review): how read() reacts to a malformed value is not visible here; confirm.
        final DefaultAuthToken tokenBean = (DefaultAuthToken) BEANS.get(m_config.getTokenClazz());
        final DefaultAuthToken token = tokenBean.read(headerValue);

        if (m_config.getTokenVerifier().verify(token)) {
            // Only a verified token may name the user the rest of the chain runs as.
            final ServletFilterHelper helper = (ServletFilterHelper) BEANS.get(ServletFilterHelper.class);
            helper.continueChainAsSubject(m_config.getPrincipalProducer2().produce(token.getUserId(), token.getCustomArgs()), httpServletRequest, httpServletResponse, filterChain);
        }
        else {
            fail(httpServletResponse);
        }
        return true;
    }

    /** No resources are held by this controller, so there is nothing to release. */
    @Override
    public void destroy() {
    }

    /** @return whether the last {@code init} call left the controller enabled */
    public boolean isEnabled() {
        return m_enabled;
    }

    /**
     * Rejects the request with HTTP 403 and no further detail for the client.
     *
     * @param httpServletResponse response to send the error on
     * @throws IOException if the error cannot be sent
     */
    protected void fail(HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
    }
}
