package io.camunda.authentication.filters;

import io.camunda.authentication.entity.CamundaPrincipal;
import io.camunda.security.configuration.SecurityConfiguration;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;
import java.util.Objects;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.UrlPathHelper;

/* loaded from: input_file:io/camunda/authentication/filters/WebApplicationAuthorizationCheckFilter.class */
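/**
 * Servlet filter that checks whether the current principal may open one of the bundled web
 * applications ({@code identity}, {@code operate}, {@code tasklist}).
 *
 * <p>The application is taken from the first path segment within the application context. A denied
 * request is redirected to {@code <contextPath>/<application>/forbidden}.
 *
 * <p>The filter lets a request through (see {@link #isAllowed}) when authorizations are disabled,
 * when the path is exempt (forbidden page, static resource), when the path does not address a
 * known web application, or when there is no authenticated {@link CamundaPrincipal}. The last two
 * cases mean this filter is not an authentication gate; presumably authentication and API-level
 * authorization are enforced by other filters in the chain (NOTE(review): confirm against the
 * security filter chain configuration).
 */
public class WebApplicationAuthorizationCheckFilter extends OncePerRequestFilter {
    private static final Logger LOG = LoggerFactory.getLogger(WebApplicationAuthorizationCheckFilter.class);
    private static final List<String> WEB_APPLICATIONS = List.of("identity", "operate", "tasklist");
    // Every entry carries its leading dot so that only real file extensions match; the original
    // list had a bare "woff2", which also matched any path that merely ended in those letters.
    private static final List<String> STATIC_RESOURCES = List.of(".css", ".js", ".jpg", ".png", ".woff2", ".ico", ".svg");
    private static final String FORBIDDEN_SUFFIX = "/forbidden";
    private static final String WILDCARD_APPLICATION = "*";
    final UrlPathHelper urlPathHelper = new UrlPathHelper();
    private final SecurityConfiguration securityConfig;

    /**
     * @param securityConfiguration configuration consulted on every request to decide whether
     *     authorization checks are enabled
     */
    public WebApplicationAuthorizationCheckFilter(SecurityConfiguration securityConfiguration) {
        this.securityConfig = securityConfiguration;
    }

    /**
     * Continues the chain for allowed requests; otherwise logs the denial and redirects to the
     * forbidden page of the addressed web application.
     *
     * @throws ServletException propagated from the downstream chain
     * @throws IOException propagated from the downstream chain or from the redirect
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (isAllowed(httpServletRequest)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        LOG.warn("Access denied for request: {}", httpServletRequest.getRequestURI());
        // A denial implies findWebApplication() returned one of the fixed WEB_APPLICATIONS values,
        // so the redirect target is built only from the context path and an allow-listed segment,
        // never from free-form request input.
        final String forbiddenLocation =
                String.format("%s/%s/forbidden", httpServletRequest.getContextPath(), findWebApplication(httpServletRequest));
        httpServletResponse.sendRedirect(forbiddenLocation);
    }

    /**
     * Decides whether the request may proceed. The conditions are evaluated in order and the first
     * one that holds allows the request.
     */
    private boolean isAllowed(HttpServletRequest httpServletRequest) {
        if (!this.securityConfig.getAuthorizations().isEnabled()) {
            return true;
        }
        // Exemptions are decided on the same normalised path that findWebApplication() uses.
        // The previous code tested the raw request URI/URL, which still contains path parameters
        // (";...") and percent-encoding, so the exemption and the application lookup could
        // disagree about what was requested.
        final String path = this.urlPathHelper.getPathWithinApplication(httpServletRequest);
        // NOTE(review): any path ending in "/forbidden" is exempt, not only the redirect target
        // "/<application>/forbidden" — confirm whether this can be narrowed.
        if (path.endsWith(FORBIDDEN_SUFFIX) || isStaticResourcePath(path)) {
            return true;
        }
        final String webApplication = findWebApplication(httpServletRequest);
        if (webApplication == null) {
            // Not one of the bundled web applications: nothing for this filter to check.
            return true;
        }
        final CamundaPrincipal principal = findCurrentCamundaPrincipal();
        if (principal == null) {
            // No authenticated CamundaPrincipal: passes through here; presumably rejected or sent
            // to login elsewhere — TODO confirm.
            return true;
        }
        final var authorizedApplications = principal.getAuthenticationContext().authorizedApplications();
        return authorizedApplications.contains(webApplication) || authorizedApplications.contains(WILDCARD_APPLICATION);
    }

    /** Returns whether the request addresses a static asset, judged by the normalised path suffix. */
    private boolean isStaticResource(HttpServletRequest httpServletRequest) {
        return isStaticResourcePath(this.urlPathHelper.getPathWithinApplication(httpServletRequest));
    }

    /** Returns whether {@code path} ends with one of the {@link #STATIC_RESOURCES} extensions. */
    private boolean isStaticResourcePath(String path) {
        return STATIC_RESOURCES.stream().anyMatch(path::endsWith);
    }

    /**
     * Resolves the web application addressed by the request.
     *
     * @return the matching entry of {@link #WEB_APPLICATIONS}, or {@code null} when the first path
     *     segment is not a known web application
     */
    private String findWebApplication(HttpServletRequest httpServletRequest) {
        final String path = this.urlPathHelper.getPathWithinApplication(httpServletRequest);
        // Take the first segment without substring(1)/split("/")[0]: that form throws on an empty
        // path and on a path made only of slashes (split yields an empty array).
        final String relative = path.startsWith("/") ? path.substring(1) : path;
        final int slash = relative.indexOf('/');
        final String firstSegment = slash < 0 ? relative : relative.substring(0, slash);
        // The decompiled lambda referenced an undefined variable (r1); the intent is an equality
        // match of the first segment against the allow-list.
        return WEB_APPLICATIONS.stream().filter(firstSegment::equals).findFirst().orElse(null);
    }

    /**
     * Looks up the principal of the current security context.
     *
     * @return the {@link CamundaPrincipal}, or {@code null} when there is no authentication, it is
     *     not authenticated, or its principal is of another type
     */
    private CamundaPrincipal findCurrentCamundaPrincipal() {
        final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null || !authentication.isAuthenticated()) {
            return null;
        }
        final Object principal = authentication.getPrincipal();
        return principal instanceof CamundaPrincipal ? (CamundaPrincipal) principal : null;
    }
}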
