package org.apache.hugegraph.api.filter;

import com.alipay.remoting.util.StringUtils;
import com.google.common.collect.ImmutableSet;
import jakarta.annotation.Priority;
import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.container.PreMatching;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.SecurityContext;
import jakarta.ws.rs.core.UriInfo;
import jakarta.ws.rs.ext.Provider;
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.xml.bind.DatatypeConverter;
import org.apache.hugegraph.auth.HugeAuthenticator;
import org.apache.hugegraph.auth.RolePermission;
import org.apache.hugegraph.config.HugeConfig;
import org.apache.hugegraph.config.ServerOptions;
import org.apache.hugegraph.core.GraphManager;
import org.apache.hugegraph.util.E;
import org.apache.hugegraph.util.Log;
import org.apache.tinkerpop.gremlin.server.auth.AuthenticationException;
import org.glassfish.grizzly.http.server.Request;
import org.glassfish.grizzly.utils.Charsets;
import org.gridkit.jvmtool.cmd.AntPathMatcher;
import org.slf4j.Logger;

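/**
 * Pre-matching request filter that authenticates every request whose path is
 * not on the API allow-list and installs an {@link Authorizer} as the request's
 * security context.
 *
 * <p>Allow-listed paths return from {@link #filter} before any credential or
 * client-address check runs, and no security context is installed for them.
 *
 * <p>The priority value 1000 is the value of
 * {@code jakarta.ws.rs.Priorities.AUTHENTICATION}.
 */
@PreMatching
@Provider
@Priority(1000)
public class AuthenticationFilter implements ContainerRequestFilter {
    public static final String BASIC_AUTH_PREFIX = "Basic ";
    public static final String BEARER_TOKEN_PREFIX = "Bearer ";
    private static final Logger LOG = Log.logger(AuthenticationFilter.class);
    private static final AntPathMatcher MATCHER = new AntPathMatcher();
    // Paths served without authentication; compared for exact equality with UriInfo#getPath().
    private static final Set<String> FIXED_WHITE_API_SET = ImmutableSet.of("versions", "openapi.json");
    // Patterns served without authentication, tested through MATCHER; empty in this build.
    private static final Set<String> FLEXIBLE_WHITE_API_SET = ImmutableSet.of();
    // Lazily cached result of comparing ServerOptions.WHITE_IP_STATUS with "enable".
    // The field is neither volatile nor synchronized; concurrent first requests may each
    // compute it. NOTE(review): harmless only if the config value cannot change at
    // runtime - confirm, because a later config change is never picked up here.
    private static Boolean enabledWhiteIpCheck;
    private static final String STRING_WHITE_IP_LIST = "whiteiplist";
    private static final String STRING_ENABLE = "enable";

    @Context
    private jakarta.inject.Provider<GraphManager> managerProvider;

    @Context
    private jakarta.inject.Provider<Request> requestProvider;

    @Context
    private jakarta.inject.Provider<HugeConfig> configProvider;

    /**
     * Security context bound to one authenticated user and the URI information
     * of the request that user made.
     */
    public static class Authorizer implements SecurityContext {
        private final UriInfo uri;
        private final HugeAuthenticator.User user;
        private final Principal principal;

        /** {@link Principal} view that forwards every call to the enclosing user. */
        private final class UserPrincipal implements Principal {
            private UserPrincipal() {
            }

            @Override
            public String getName() {
                return Authorizer.this.user.getName();
            }

            @Override
            public String toString() {
                return Authorizer.this.user.toString();
            }

            @Override
            public int hashCode() {
                return Authorizer.this.user.hashCode();
            }

            @Override
            public boolean equals(Object obj) {
                // NOTE(review): this compares the wrapped user with obj, not with another
                // UserPrincipal, so two principals for the same user are equal only if
                // User#equals accepts a UserPrincipal - confirm this is intended.
                return Authorizer.this.user.equals(obj);
            }
        }

        /**
         * Creates the security context for an authenticated user.
         *
         * @param user    the authenticated user, must not be null
         * @param uriInfo URI information of the current request, must not be null
         */
        public Authorizer(HugeAuthenticator.User user, UriInfo uriInfo) {
            E.checkNotNull(user, "user");
            E.checkNotNull(uriInfo, "uri");
            this.uri = uriInfo;
            this.user = user;
            this.principal = new UserPrincipal();
        }

        /** Returns the user name reported by the authenticated user. */
        public String username() {
            return this.user.username();
        }

        /** Returns the role permission attached to the authenticated user. */
        public RolePermission role() {
            return this.user.role();
        }

        public Principal getUserPrincipal() {
            return this.principal;
        }

        /**
         * Decides whether the user satisfies the permission string of a resource.
         *
         * @param str required permission; {@code HugeAuthenticator.KEY_DYNAMIC} is
         *            accepted without any role comparison
         * @return {@code true} if access is granted by this check
         */
        public boolean isUserInRole(String str) {
            // The dynamic key short-circuits to "allowed" here.
            // NOTE(review): presumably the real permission check happens later in the
            // request for such resources - confirm that every such endpoint does so.
            if (str.equals(HugeAuthenticator.KEY_DYNAMIC)) {
                return true;
            }
            return matchPermission(str);
        }

        public boolean isSecure() {
            return "https".equals(this.uri.getRequestUri().getScheme());
        }

        public String getAuthenticationScheme() {
            // Always reports "BASIC", including for requests authenticated with a Bearer token.
            return "BASIC";
        }

        /**
         * Builds the required permission from the annotation string and matches it
         * against the user's role.
         *
         * <p>If the string starts with {@code KEY_OWNER}, it is parsed as a structured
         * permission, and an owner that starts with {@code VAR_PREFIX} is replaced by
         * the request path parameter of that name. Otherwise the whole string is used
         * as the owner.
         */
        private boolean matchPermission(String str) {
            HugeAuthenticator.RequiredPerm required;
            if (str.startsWith(HugeAuthenticator.KEY_OWNER)) {
                required = HugeAuthenticator.RequiredPerm.fromPermission(str);
                String owner = required.owner();
                if (owner.startsWith(HugeAuthenticator.VAR_PREFIX)) {
                    int prefixLength = HugeAuthenticator.VAR_PREFIX.length();
                    // A bare prefix with no variable name after it is a programming error.
                    assert owner.length() > prefixLength;
                    required.owner(getPathParameter(owner.substring(prefixLength)));
                }
            } else {
                required = new HugeAuthenticator.RequiredPerm();
                required.owner(str);
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Verify permission {} {} for user '{}' with role {}",
                          required.action().string(), required.resourceObject(),
                          this.user.username(), this.user.role());
            }
            boolean allowed = HugeAuthenticator.RolePerm.match(role(), required);
            // Denials are logged at info level, except for the admin-role probe.
            if (!allowed && LOG.isInfoEnabled() && !str.equals(HugeAuthenticator.USER_ADMIN)) {
                LOG.info("User '{}' is denied to {} {}",
                         this.user.username(), required.action().string(),
                         required.resourceObject());
            }
            return allowed;
        }

        /**
         * Returns the single value of the named path parameter.
         *
         * @throws IllegalStateException presumably, via {@code E.checkState}, when the
         *         parameter is absent or has more than one value
         */
        private String getPathParameter(String str) {
            List<String> values = this.uri.getPathParameters().get(str);
            E.checkState(values != null && values.size() == 1,
                         "There is no matched path parameter: '%s'", str);
            return values.get(0);
        }
    }

    /**
     * Authenticates the request unless its path is allow-listed, then installs
     * the resulting {@link Authorizer} as the security context.
     */
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (isWhiteAPI(containerRequestContext)) {
            return;
        }
        HugeAuthenticator.User user = authenticate(containerRequestContext);
        containerRequestContext.setSecurityContext(
                new Authorizer(user, containerRequestContext.getUriInfo()));
    }

    /**
     * Resolves the calling user from the {@code Authorization} header.
     *
     * <p>Steps, in order: return the anonymous user when the graph manager does not
     * require authentication (the client-address allow-list is not consulted in that
     * case); enforce the client-address allow-list when it is enabled; parse Basic or
     * Bearer credentials; delegate to {@code GraphManager#authenticate}.
     *
     * @param containerRequestContext the request being filtered
     * @return the authenticated user, or the anonymous user when authentication is off
     * @throws ForbiddenException     if the allow-list is active and the remote address
     *                                is not on it
     * @throws NotAuthorizedException if the header is missing or the credentials are
     *                                rejected
     * @throws BadRequestException    if the header uses another scheme or the Basic
     *                                payload is not {@code user:password}
     */
    protected HugeAuthenticator.User authenticate(ContainerRequestContext containerRequestContext) {
        GraphManager graphManager = this.managerProvider.get();
        E.checkState(graphManager != null, "Context GraphManager is absent");
        if (!graphManager.requireAuthentication()) {
            return HugeAuthenticator.User.ANONYMOUS;
        }

        Request request = this.requestProvider.get();
        String peer = null;
        String path = null;
        if (request != null) {
            peer = request.getRemoteAddr() + ":" + request.getRemotePort();
            path = request.getRequestURI();
        }

        if (enabledWhiteIpCheck == null) {
            enabledWhiteIpCheck = Objects.equals(
                    this.configProvider.get().get(ServerOptions.WHITE_IP_STATUS), STRING_ENABLE);
        }
        if (enabledWhiteIpCheck && request != null) {
            // NOTE(review): getRemoteAddr() is the address of the connection peer; behind
            // a reverse proxy that would be the proxy itself - confirm the deployment.
            String remoteAddr = request.getRemoteAddr();
            Set<?> whiteIps = graphManager.authManager().listWhiteIPs();
            boolean whiteIpStatus = graphManager.authManager().getWhiteIpStatus();
            // NOTE(review): the exemption below is a substring test on the request URI, not
            // a route match, so it applies to any URI that contains this text. Exempted
            // requests still need valid credentials further down, but matching the exact
            // allow-list management path would be the tighter check.
            if (!path.contains(STRING_WHITE_IP_LIST) && whiteIpStatus &&
                !whiteIps.contains(remoteAddr)) {
                throw new ForbiddenException(
                        String.format("Remote ip '%s' is not permitted", remoteAddr));
            }
        }

        HashMap<String, String> credentials = new HashMap<>();
        String authorization = containerRequestContext.getHeaderString("Authorization");
        if (authorization == null) {
            throw new NotAuthorizedException("Authentication credentials are required",
                                             "Missing authentication credentials");
        }
        if (authorization.startsWith(BASIC_AUTH_PREFIX)) {
            // NOTE(review): the payload is decoded as ASCII, so credentials with non-ASCII
            // characters will not survive decoding - confirm whether UTF-8 is wanted.
            String decoded = new String(
                    DatatypeConverter.parseBase64Binary(
                            authorization.substring(BASIC_AUTH_PREFIX.length())),
                    Charsets.ASCII_CHARSET);
            // Split on the first ':' only. In Basic auth (RFC 7617) the user-id cannot
            // contain a colon but the password can; an unlimited split rejected every
            // password containing ':' with a 400.
            String[] parts = decoded.split(":", 2);
            if (parts.length != 2 ||
                StringUtils.isEmpty(parts[0]) || StringUtils.isEmpty(parts[1])) {
                throw new BadRequestException("Invalid syntax for username and password");
            }
            credentials.put("username", parts[0]);
            credentials.put("password", parts[1]);
        } else if (authorization.startsWith(BEARER_TOKEN_PREFIX)) {
            credentials.put(HugeAuthenticator.KEY_TOKEN,
                            authorization.substring(BEARER_TOKEN_PREFIX.length()));
        } else {
            throw new BadRequestException("Only HTTP Basic or Bearer authentication is supported");
        }
        credentials.put(HugeAuthenticator.KEY_ADDRESS, peer);
        credentials.put(HugeAuthenticator.KEY_PATH, path);

        try {
            return graphManager.authenticate(credentials);
        } catch (AuthenticationException e) {
            // The second argument is the challenge, so the authenticator's message is
            // returned to the client in the WWW-Authenticate header.
            // NOTE(review): confirm that message never distinguishes "unknown user" from
            // "wrong password" or carries internal detail.
            throw new NotAuthorizedException("Authentication failed", e.getMessage());
        }
    }

    /**
     * Tells whether the request path may be served without authentication.
     *
     * @param containerRequestContext the request being filtered
     * @return {@code true} if the path equals a fixed allow-list entry or matches
     *         one of the flexible patterns
     */
    public static boolean isWhiteAPI(ContainerRequestContext containerRequestContext) {
        String path = containerRequestContext.getUriInfo().getPath();
        if (FIXED_WHITE_API_SET.contains(path)) {
            return true;
        }
        for (String pattern : FLEXIBLE_WHITE_API_SET) {
            if (MATCHER.match(pattern, path)) {
                return true;
            }
        }
        return false;
    }
}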
