package org.eclipse.scout.rt.server.commons.authentication;

import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Set;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.eclipse.scout.rt.platform.ApplicationScoped;
import org.eclipse.scout.rt.platform.security.IPrincipalProducer;
import org.eclipse.scout.rt.platform.util.Base64Utility;
import org.eclipse.scout.rt.platform.util.StringUtility;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ApplicationScoped
/* loaded from: input_file:org/eclipse/scout/rt/server/commons/authentication/ServletFilterHelper.class */
public class ServletFilterHelper {
    public static final String HTTP_HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
    public static final String HTTP_HEADER_AUTHORIZATION = "Authorization";
    public static final String HTTP_HEADER_AUTHORIZED = "Authorized";
    public static final String HTTP_BASIC_AUTH_NAME = "Basic";
    public static final String JSON_SESSION_TIMEOUT_RESPONSE = "{\"error\":{\"code\":10,\"message\":\"The session has expired, please reload the page.\"}}";
    private static final Logger LOG = LoggerFactory.getLogger(ServletFilterHelper.class);
    public static final String SESSION_ATTRIBUTE_FOR_PRINCIPAL = String.valueOf(ServletFilterHelper.class.getName()) + ".PRINCIPAL";
    public static final Charset HTTP_BASIC_AUTH_CHARSET = StandardCharsets.ISO_8859_1;
    public static final Set<String> IDEMPOTENT_HTTP_REQUEST_METHODS = (Set) Arrays.stream(new String[]{"GET", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}).collect(Collectors.toSet());

    public boolean redirectIncompleteBasePath(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) throws IOException {
        if (!IDEMPOTENT_HTTP_REQUEST_METHODS.contains(httpServletRequest.getMethod())) {
            return false;
        }
        String contextPath = httpServletRequest.getServletContext().getContextPath();
        if (z) {
            contextPath = String.valueOf(contextPath) + httpServletRequest.getServletPath();
        }
        if (!StringUtility.hasText(contextPath) || !httpServletRequest.getRequestURI().endsWith(contextPath)) {
            return false;
        }
        String str = String.valueOf(httpServletRequest.getRequestURI()) + "/";
        if (StringUtility.hasText(httpServletRequest.getQueryString())) {
            str = String.valueOf(str) + "?" + httpServletRequest.getQueryString();
        }
        httpServletResponse.sendRedirect(str);
        return true;
    }

    public Principal getPrincipalOnSession(HttpServletRequest httpServletRequest) {
        Principal principal;
        HttpSession session = httpServletRequest.getSession(false);
        if (session == null || (principal = (Principal) session.getAttribute(SESSION_ATTRIBUTE_FOR_PRINCIPAL)) == null) {
            return null;
        }
        return principal;
    }

    public void putPrincipalOnSession(HttpServletRequest httpServletRequest, Principal principal) {
        httpServletRequest.getSession().setAttribute(SESSION_ATTRIBUTE_FOR_PRINCIPAL, principal);
    }

    public boolean isRunningWithValidSubject(HttpServletRequest httpServletRequest) {
        Subject subject;
        String remoteUser = httpServletRequest.getRemoteUser();
        if (remoteUser == null || remoteUser.isEmpty() || (subject = Subject.getSubject(AccessController.getContext())) == null || subject.getPrincipals().isEmpty()) {
            return false;
        }
        Iterator<Principal> it = subject.getPrincipals().iterator();
        while (it.hasNext()) {
            if (remoteUser.equalsIgnoreCase(it.next().getName())) {
                return true;
            }
        }
        return false;
    }

    public Principal findPrincipal(HttpServletRequest httpServletRequest, IPrincipalProducer iPrincipalProducer) {
        Principal principalOnSession = getPrincipalOnSession(httpServletRequest);
        if (principalOnSession != null) {
            return principalOnSession;
        }
        Principal userPrincipal = httpServletRequest.getUserPrincipal();
        if (userPrincipal != null && StringUtility.hasText(userPrincipal.getName())) {
            return userPrincipal;
        }
        String remoteUser = httpServletRequest.getRemoteUser();
        if (StringUtility.hasText(remoteUser)) {
            return iPrincipalProducer.produce(remoteUser);
        }
        return null;
    }

    public Subject createSubject(Principal principal) {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null || subject.isReadOnly()) {
            subject = new Subject();
        }
        subject.getPrincipals().add(principal);
        subject.setReadOnly();
        return subject;
    }

    public void continueChainAsSubject(Principal principal, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        try {
            Subject.doAs(createSubject(principal), () -> {
                filterChain.doFilter(new SecureHttpServletRequestWrapper(httpServletRequest, principal), httpServletResponse);
                return null;
            });
        } catch (PrivilegedActionException e) {
            ServletException cause = e.getCause();
            if (cause instanceof IOException) {
                throw ((IOException) cause);
            }
            if (!(cause instanceof ServletException)) {
                throw new ServletException(cause);
            }
            throw cause;
        }
    }

    public String createBasicAuthRequest(String str, char[] cArr) {
        return "Basic " + Base64Utility.encode((String.valueOf(str) + ':' + String.valueOf(cArr)).getBytes(HTTP_BASIC_AUTH_CHARSET));
    }

    public String[] parseBasicAuthRequest(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(HTTP_HEADER_AUTHORIZATION);
        if (header == null || !header.matches("Basic .*")) {
            return null;
        }
        return new String(Base64Utility.decode(header.substring(6)), HTTP_BASIC_AUTH_CHARSET).split(":", 2);
    }

    public void forwardToLoginForm(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        forwardTo(httpServletRequest, httpServletResponse, "/login.html");
    }

    public void forwardToLogoutForm(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        forwardTo(httpServletRequest, httpServletResponse, "/logout.html");
    }

    public void forwardTo(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException, ServletException {
        forwardOrRedirectTo(httpServletRequest, httpServletResponse, str, false);
    }

    public void redirectTo(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException, ServletException {
        forwardOrRedirectTo(httpServletRequest, httpServletResponse, str, true);
    }

    protected void forwardOrRedirectTo(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, boolean z) throws IOException, ServletException {
        String header = httpServletRequest.getHeader("Accept");
        if (StringUtility.containsString(header, "application/json")) {
            LOG.debug("Returning session timeout error as json for path {}, based on Accept header {}.", httpServletRequest.getPathInfo(), header);
            sendJsonSessionTimeout(httpServletResponse);
            return;
        }
        if ("POST".equals(httpServletRequest.getMethod())) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("The request for '{}' is a POST request. " + (z ? "Redirecting" : "Forwarding") + " to '{}' will most likely fail. Sending HTTP status '403 Forbidden' instead.", httpServletRequest.getPathInfo(), str);
            }
            httpServletResponse.sendError(403);
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.valueOf(z ? "Redirecting" : "Forwarding") + " '{}' to '{}'", httpServletRequest.getPathInfo(), str);
            }
            if (z) {
                httpServletResponse.sendRedirect(str);
            } else {
                httpServletRequest.getRequestDispatcher(str).forward(httpServletRequest, httpServletResponse);
            }
        }
    }

    protected void sendJsonSessionTimeout(HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.setContentType("application/json");
        httpServletResponse.setCharacterEncoding(StandardCharsets.UTF_8.name());
        httpServletResponse.getWriter().print(JSON_SESSION_TIMEOUT_RESPONSE);
    }

    public void doLogout(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            LOG.info("Invalidating HTTP session with ID {}", session.getId());
            session.invalidate();
        }
    }
}
