package org.eclipse.scout.rt.server.commons.authentication;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.scout.rt.platform.BEANS;
import org.eclipse.scout.rt.platform.Bean;
import org.eclipse.scout.rt.platform.util.Assertions;
import org.eclipse.scout.rt.platform.util.Base64Utility;
import org.eclipse.scout.rt.platform.util.CollectionUtility;
import org.eclipse.scout.rt.platform.util.SleepUtil;
import org.eclipse.scout.rt.platform.util.StringUtility;
import org.eclipse.scout.rt.server.commons.authentication.token.ITokenPrincipalProducer;
import org.eclipse.scout.rt.server.commons.authentication.token.ITokenVerifier;
import org.eclipse.scout.rt.server.commons.servlet.cache.HttpCacheControl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

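/**
 * Access controller that authenticates a request by the bearer token carried in its
 * {@code Authorization: Bearer <token>} header.
 * <p>
 * The token string is split at the characters {@code - . _ ~}, each part is Base64-decoded and the list of decoded
 * parts is handed to the configured {@link ITokenVerifier}. If the verifier accepts the token the filter chain
 * continues, either unchanged or as the subject produced by the optional {@link ITokenPrincipalProducer}. A missing
 * or malformed token is answered with {@code 401} plus a {@code WWW-Authenticate: Bearer} challenge; a token the
 * verifier rejects is answered with {@code 403}, optionally after an artificial delay.
 * <p>
 * Every response produced here is marked non-cacheable. {@link #init(HttpBearerAuthConfig)} must be called before
 * the controller handles requests.
 */
@Bean
public class BearerAuthAccessController implements IAccessController {
    public static final String HTTP_BEARER_AUTH_NAME = "Bearer";
    private static final Logger LOG = LoggerFactory.getLogger(BearerAuthAccessController.class);
    /** Scheme prefix as it appears at the start of the Authorization header, including the separating space. */
    private static final String BEARER_PREFIX = HTTP_BEARER_AUTH_NAME + " ";

    protected HttpBearerAuthConfig m_config;

    /**
     * Configuration of a {@link BearerAuthAccessController}. All {@code with*} methods return {@code this} so the
     * configuration can be built fluently. Only the token verifier is mandatory.
     */
    public static class HttpBearerAuthConfig {
        private ITokenVerifier m_tokenVerifier;
        private boolean m_enabled = true;
        private ITokenPrincipalProducer m_principalProducer = null;
        // Delay applied before a 403 is sent; slows down online guessing of tokens (0 disables it).
        private long m_status403WaitMillis = 500;

        /** @return whether the controller is active; an inactive controller ignores every request. */
        public boolean isEnabled() {
            return m_enabled;
        }

        /**
         * @param enabled {@code false} to switch the controller off
         * @return {@code this}
         */
        public HttpBearerAuthConfig withEnabled(boolean enabled) {
            m_enabled = enabled;
            return this;
        }

        /** @return the verifier that decides whether a decoded token is valid; mandatory. */
        public ITokenVerifier getTokenVerifier() {
            return m_tokenVerifier;
        }

        /**
         * @param tokenVerifier verifier that receives the Base64-decoded token parts
         * @return {@code this}
         */
        public HttpBearerAuthConfig withTokenVerifier(ITokenVerifier tokenVerifier) {
            m_tokenVerifier = tokenVerifier;
            return this;
        }

        /** @return the producer used to derive a principal from a valid token, or {@code null} if none is configured. */
        public ITokenPrincipalProducer getPrincipalProducer() {
            return m_principalProducer;
        }

        /**
         * @param principalProducer producer for the subject under which the chain continues; {@code null} continues the
         *          chain without a subject
         * @return {@code this}
         */
        public HttpBearerAuthConfig withPrincipalProducer(ITokenPrincipalProducer principalProducer) {
            m_principalProducer = principalProducer;
            return this;
        }

        /** @return the delay in milliseconds applied before a {@code 403} is sent; values {@code <= 0} disable it. */
        public long getStatus403WaitMillis() {
            return m_status403WaitMillis;
        }

        /**
         * @param waitMillis delay in milliseconds before a {@code 403} is sent; {@code <= 0} for no delay
         * @return {@code this}
         */
        public HttpBearerAuthConfig withStatus403WaitMillis(long waitMillis) {
            m_status403WaitMillis = waitMillis;
            return this;
        }
    }

    /**
     * Stores the configuration and validates its mandatory parts.
     *
     * @param httpBearerAuthConfig configuration to use; must not be {@code null} and must carry a token verifier
     * @return {@code this}
     * @throws org.eclipse.scout.rt.platform.util.Assertions.AssertionException if the configuration or its token
     *           verifier is {@code null}
     */
    public BearerAuthAccessController init(HttpBearerAuthConfig httpBearerAuthConfig) {
        // Fail early with a descriptive message instead of an NPE on the first request.
        Assertions.assertNotNull(httpBearerAuthConfig, "config must not be null");
        m_config = httpBearerAuthConfig;
        Assertions.assertNotNull(m_config.getTokenVerifier(), "TokenVerifier must not be null");
        return this;
    }

    /**
     * Entry point of the access controller.
     *
     * @return {@code true} if this controller handled the request (either by continuing the chain or by sending an
     *         error), {@code false} if the controller is disabled and did not touch the request
     */
    @Override
    public boolean handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!m_config.isEnabled()) {
            return false;
        }
        return handleInternal(httpServletRequest, httpServletResponse, filterChain);
    }

    /** Nothing to release: this controller holds no resources beyond its configuration. */
    @Override
    public void destroy() {
    }

    /**
     * Authenticates the request and either continues the filter chain or sends an error response.
     *
     * @return always {@code true}; the request is considered handled in every branch
     * @throws IOException if the verifier or the response fails
     * @throws ServletException propagated from the filter chain
     */
    protected boolean handleInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        // Never let a proxy or browser cache an authenticated response or the 401/403 produced here.
        httpServletResponse.setHeader(HttpCacheControl.CACHE_CONTROL, "no-cache");
        httpServletResponse.setHeader("Pragma", "no-cache");
        httpServletResponse.setDateHeader("Expires", 0L);

        List<byte[]> tokenParts = readBearerToken(httpServletRequest);
        if (CollectionUtility.isEmpty(tokenParts)) {
            // No usable token: challenge the client rather than reject it.
            handleForbidden(ITokenVerifier.AUTH_CREDENTIALS_REQUIRED, httpServletResponse);
            return true;
        }

        int status = m_config.getTokenVerifier().verify(tokenParts);
        if (status != ITokenVerifier.AUTH_OK) {
            handleForbidden(status, httpServletResponse);
            return true;
        }

        ITokenPrincipalProducer principalProducer = m_config.getPrincipalProducer();
        if (principalProducer == null) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return true;
        }
        BEANS.get(ServletFilterHelper.class).continueChainAsSubject(principalProducer.produce(tokenParts), httpServletRequest, httpServletResponse, filterChain);
        return true;
    }

    /**
     * Sends the error response for a request that was not authenticated.
     *
     * @param status verifier status; {@code ITokenVerifier.AUTH_CREDENTIALS_REQUIRED} yields a {@code 401} with a
     *          {@code WWW-Authenticate} challenge, every other value a {@code 403}
     * @throws IOException if the response cannot be written
     */
    protected void handleForbidden(int status, HttpServletResponse httpServletResponse) throws IOException {
        if (status == ITokenVerifier.AUTH_CREDENTIALS_REQUIRED) {
            // A 401 must carry the challenge so the client knows which scheme to use.
            httpServletResponse.addHeader(ServletFilterHelper.HTTP_HEADER_WWW_AUTHENTICATE, HTTP_BEARER_AUTH_NAME);
            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        long waitMillis = m_config.getStatus403WaitMillis();
        if (waitMillis > 0) {
            // Deliberate delay to slow down online token guessing. It occupies a request thread for its
            // duration, so keep the configured value small.
            SleepUtil.sleepSafe(waitMillis, TimeUnit.MILLISECONDS);
        }
        httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    /**
     * Extracts and decodes the bearer token of the request.
     *
     * @return the Base64-decoded token parts in header order, or {@code null} if the request carries no bearer token
     *         or any part of it is not valid Base64
     */
    protected List<byte[]> readBearerToken(HttpServletRequest httpServletRequest) {
        String token = parseBearerAuthRequest(httpServletRequest);
        if (StringUtility.isNullOrEmpty(token)) {
            return null;
        }
        String[] parts = StringUtility.split(token, "[-._~]");
        List<byte[]> decoded = new ArrayList<>(parts.length);
        for (int i = 0; i < parts.length; i++) {
            try {
                decoded.add(Base64Utility.decode(parts[i]));
            } catch (IllegalArgumentException e) {
                // Reject the whole token. Skipping the bad part would hand the verifier a shorter, re-indexed
                // list, i.e. a malformed token would be checked as if it were a different one. The value is
                // client-controlled, so this is a warning rather than a server error.
                LOG.warn("Token is not a valid base64 encoded value. Check part {} of the token", i, e);
                return null;
            }
        }
        return decoded;
    }

    /**
     * Returns the raw token from the {@code Authorization} header.
     * <p>
     * The scheme name is compared case-insensitively, as auth schemes are case-insensitive (RFC 7235).
     *
     * @return the header value after {@code "Bearer "}, or {@code null} if the header is absent or uses another scheme
     */
    public String parseBearerAuthRequest(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(ServletFilterHelper.HTTP_HEADER_AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            return null;
        }
        return header.substring(BEARER_PREFIX.length());
    }
}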
