package org.apache.archiva.redback.rest.services.interceptors;

import java.lang.annotation.Annotation;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.PathParam;
import javax.ws.rs.QueryParam;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.archiva.redback.authentication.AuthenticationException;
import org.apache.archiva.redback.authentication.AuthenticationResult;
import org.apache.archiva.redback.authorization.AuthorizationException;
import org.apache.archiva.redback.authorization.AuthorizationResult;
import org.apache.archiva.redback.authorization.RedbackAuthorization;
import org.apache.archiva.redback.integration.filter.authentication.basic.HttpBasicAuthentication;
import org.apache.archiva.redback.policy.AccountLockedException;
import org.apache.archiva.redback.policy.MustChangePasswordException;
import org.apache.archiva.redback.system.SecuritySession;
import org.apache.archiva.redback.system.SecuritySystem;
import org.apache.commons.lang.StringUtils;
import org.apache.cxf.jaxrs.model.OperationResourceInfo;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;

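@Provider
@Service("permissionInterceptor#rest")
/* loaded from: input_file:WEB-INF/lib/redback-rest-services-2.6.2.jar:org/apache/archiva/redback/rest/services/interceptors/PermissionsInterceptor.class */
/**
 * JAX-RS request filter that enforces the {@link RedbackAuthorization} annotation of the
 * matched resource method.
 *
 * <p>Decision policy, in order:
 * <ul>
 *   <li>no annotation found for the request: reject (403);</li>
 *   <li>{@code noRestriction()}: allow without any check;</li>
 *   <li>no permission listed: allow only if {@code noPermission()}, otherwise reject (403);</li>
 *   <li>permissions listed: the caller must be authenticated and must hold at least one of
 *       them (optionally scoped to a resource), otherwise reject (403).</li>
 * </ul>
 * Every rejection goes through {@link #forbid(ContainerRequestContext)} so the filter never
 * lets a request proceed without an explicit allow decision.
 *
 * <p>NOTE(review): whether an authentication filter runs before this one (and already rejects
 * unauthenticated callers) is not visible from this class; the unauthenticated branch below
 * therefore rejects on its own rather than relying on filter ordering.
 */
public class PermissionsInterceptor extends AbstractInterceptor implements ContainerRequestFilter {

    @Inject
    @Named("securitySystem")
    private SecuritySystem securitySystem;

    @Inject
    @Named("httpAuthenticator#basic")
    private HttpBasicAuthentication httpAuthenticator;
    private final Logger log = LoggerFactory.getLogger(getClass());

    /**
     * Applies the authorization policy described on the class to the current request.
     *
     * @param containerRequestContext the request being filtered; aborted with 403 on denial
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        Message currentMessage = JAXRSUtils.getCurrentMessage();
        Object requestUri = currentMessage.get(Message.REQUEST_URI);
        RedbackAuthorization redbackAuthorization = getRedbackAuthorization(currentMessage);

        if (redbackAuthorization == null) {
            // Nothing tells us what this endpoint requires: fail closed.
            this.log.warn("http path {} doesn't contain any informations regarding permissions ", requestUri);
            forbid(containerRequestContext);
            return;
        }
        if (redbackAuthorization.noRestriction()) {
            this.log.debug("redbackAuthorization.noRestriction() so skip permission check");
            return;
        }

        String[] permissions = redbackAuthorization.permissions();
        if (!hasPermissions(permissions)) {
            if (redbackAuthorization.noPermission()) {
                this.log.debug("path {} doesn't need special permission", requestUri);
            } else {
                forbid(containerRequestContext);
            }
            return;
        }

        HttpServletRequest httpServletRequest = getHttpServletRequest(currentMessage);
        SecuritySession securitySession = this.httpAuthenticator.getSecuritySession(httpServletRequest.getSession());
        AuthenticationResult authenticationResult = authenticate(currentMessage, httpServletRequest);

        if (authenticationResult == null || !authenticationResult.isAuthenticated()) {
            if (securitySession != null && securitySession.getUser() != null) {
                this.log.debug("user {} not authenticated", securitySession.getUser().getUsername());
            }
            // A permission is required and the caller is not authenticated. Returning here
            // without abortWith() would let the request reach the resource, so reject
            // explicitly (same status the other failure paths use).
            forbid(containerRequestContext);
            return;
        }

        currentMessage.put(AuthenticationResult.class, authenticationResult);

        // The resource does not depend on the permission being checked, so resolve it once.
        String resource = resolveResource(containerRequestContext, currentMessage, redbackAuthorization);

        for (String permission : permissions) {
            this.log.debug("check permission: {} with securitySession {}", permission, securitySession);
            if (StringUtils.isBlank(permission)) {
                continue;
            }
            try {
                AuthorizationResult authorizationResult =
                    this.securitySystem.authorize(authenticationResult.getUser(), permission, resource);
                if (authorizationResult.isAuthorized()) {
                    // One granted permission is enough.
                    this.log.debug("isAuthorized for permission {}", permission);
                    return;
                }
                if (securitySession != null && securitySession.getUser() != null) {
                    this.log.debug("user {} not authorized for permission {}",
                                   securitySession.getUser().getUsername(), permission);
                }
            } catch (AuthorizationException e) {
                this.log.debug(" AuthorizationException {} checking permission {}", e.getMessage(), permission, e);
                forbid(containerRequestContext);
                return;
            }
        }

        // Authenticated, but none of the listed permissions was granted.
        this.log.warn("none of the required permissions granted for http path {}", requestUri);
        forbid(containerRequestContext);
    }

    /**
     * Tells whether the annotation actually lists a permission. A single blank entry is
     * treated like an empty list (presumably the annotation's default value).
     *
     * @param permissions the {@code permissions()} value of the annotation, may be null
     * @return true if at least one entry is present and the only entry is not empty
     */
    private static boolean hasPermissions(String[] permissions) {
        if (permissions == null || permissions.length == 0) {
            return false;
        }
        return !(permissions.length == 1 && StringUtils.isEmpty(permissions[0]));
    }

    /**
     * Aborts the request with a 403 response; the single exit used for every denial.
     *
     * @param containerRequestContext the request to abort
     */
    private static void forbid(ContainerRequestContext containerRequestContext) {
        containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
    }

    /**
     * Obtains the authentication result for the request: the one already stored in the CXF
     * message if present, otherwise the one computed by the basic-auth authenticator.
     *
     * @param message the current CXF message
     * @param request the underlying servlet request
     * @return the authentication result, or null when authentication failed
     *         (authentication error, locked account, password change required)
     */
    private AuthenticationResult authenticate(Message message, HttpServletRequest request) {
        AuthenticationResult fromMessage = message.get(AuthenticationResult.class);
        this.log.debug("authenticationResult from message: {}", fromMessage);
        if (fromMessage != null) {
            return fromMessage;
        }
        Object requestUri = message.get(Message.REQUEST_URI);
        try {
            AuthenticationResult fromRequest =
                this.httpAuthenticator.getAuthenticationResult(request, getHttpServletResponse(message));
            this.log.debug("authenticationResult from request: {}", fromRequest);
            return fromRequest;
        } catch (AuthenticationException e) {
            this.log.debug("failed to authenticate for path {}", requestUri);
        } catch (AccountLockedException e) {
            this.log.debug("account locked for path {}", requestUri);
        } catch (MustChangePasswordException e) {
            this.log.debug("must change password for path {}", requestUri);
        }
        return null;
    }

    /**
     * Resolves the resource the permission check is scoped to. A value of the form
     * {@code {name}} refers to the request parameter {@code name} (see
     * {@link #getMethodParameter}); anything else is used literally.
     *
     * @param containerRequestContext the current request
     * @param message the current CXF message
     * @param redbackAuthorization the annotation of the matched method
     * @return the resource, or null when it is blank (unscoped check)
     */
    private String resolveResource(ContainerRequestContext containerRequestContext, Message message,
                                   RedbackAuthorization redbackAuthorization) {
        String resource = redbackAuthorization.resource();
        if (resource.startsWith("{") && resource.endsWith("}") && resource.length() > 2) {
            String parameterName = resource.substring(1, resource.length() - 1);
            resource = getMethodParameter(containerRequestContext, message, parameterName);
            this.log.debug("Found resource from annotated parameter: {}", resource);
        }
        return StringUtils.isBlank(resource) ? null : resource;
    }

    /**
     * Looks up the value of the request parameter bound, via {@link PathParam} or
     * {@link QueryParam}, to the given name on the matched resource method.
     *
     * @param containerRequestContext the current request
     * @param message the current CXF message
     * @param name the annotation value to look for
     * @return the first value of the matching path or query parameter, or "" when the
     *         operation info is missing or no parameter matches
     */
    private String getMethodParameter(ContainerRequestContext containerRequestContext, Message message, String name) {
        OperationResourceInfo operationResourceInfo = message.getExchange().get(OperationResourceInfo.class);
        if (operationResourceInfo == null) {
            return "";
        }
        Annotation[][] inParameterAnnotations = operationResourceInfo.getInParameterAnnotations();
        if (inParameterAnnotations != null) {
            // Plain nested loops: every annotation is visited exactly once, so a matching
            // annotation whose parameter is absent from the request cannot stall the scan.
            for (Annotation[] parameterAnnotations : inParameterAnnotations) {
                if (parameterAnnotations == null) {
                    continue;
                }
                for (Annotation annotation : parameterAnnotations) {
                    String value = lookupAnnotatedParameter(containerRequestContext, annotation, name);
                    if (value != null) {
                        return value;
                    }
                }
            }
        }
        this.log.warn("No matching request parameter value found: {}", name);
        return "";
    }

    /**
     * Returns the request value for one parameter annotation if it is a {@link PathParam} or
     * {@link QueryParam} named {@code name} and the request carries that parameter.
     *
     * @param containerRequestContext the current request
     * @param annotation one annotation of one method parameter
     * @param name the expected annotation value
     * @return the first value of the parameter, or null when the annotation does not match
     *         or the request has no such parameter
     */
    private String lookupAnnotatedParameter(ContainerRequestContext containerRequestContext, Annotation annotation,
                                            String name) {
        MultivaluedMap<String, String> values;
        if (annotation instanceof PathParam && name.equals(((PathParam) annotation).value())) {
            this.log.debug("Found PathParam annotation");
            values = containerRequestContext.getUriInfo().getPathParameters();
        } else if (annotation instanceof QueryParam && name.equals(((QueryParam) annotation).value())) {
            this.log.debug("Found QueryParam annotation");
            values = containerRequestContext.getUriInfo().getQueryParameters();
        } else {
            return null;
        }
        return values.containsKey(name) ? values.getFirst(name) : null;
    }
}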
