package org.apache.jena.fuseki.main.auth;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.Principal;
import java.util.Objects;
import java.util.function.Function;
import org.apache.jena.atlas.web.AuthScheme;
import org.apache.jena.fuseki.Fuseki;
import org.apache.jena.fuseki.servlets.ServletOps;
import org.apache.jena.http.auth.AuthHeader;
import org.apache.jena.riot.web.HttpNames;
import org.slf4j.Logger;

/* loaded from: input_file:org/apache/jena/fuseki/main/auth/AuthBearerFilter.class */
public class AuthBearerFilter implements Filter {
    private static Logger log = Fuseki.serverLog;
    private final Function<String, String> verifiedUser;
    private final boolean requireBearer;

    /* loaded from: input_file:org/apache/jena/fuseki/main/auth/AuthBearerFilter$BearerMode.class */
    public enum BearerMode {
        REQUIRED,
        OPTIONAL
    }

    /* loaded from: input_file:org/apache/jena/fuseki/main/auth/AuthBearerFilter$HttpServletRequestWithPrincipal.class */
    private static class HttpServletRequestWithPrincipal extends HttpServletRequestWrapper {
        private final String username;

        HttpServletRequestWithPrincipal(HttpServletRequest httpServletRequest, String str) {
            super(httpServletRequest);
            this.username = str;
        }

        @Override // jakarta.servlet.http.HttpServletRequestWrapper, jakarta.servlet.http.HttpServletRequest
        public String getRemoteUser() {
            return this.username;
        }

        @Override // jakarta.servlet.http.HttpServletRequestWrapper, jakarta.servlet.http.HttpServletRequest
        public Principal getUserPrincipal() {
            return () -> {
                return this.username;
            };
        }
    }

    public AuthBearerFilter(Function<String, String> function) {
        this(function, BearerMode.REQUIRED);
    }

    public AuthBearerFilter(Function<String, String> function, BearerMode bearerMode) {
        Objects.requireNonNull(bearerMode);
        Objects.requireNonNull(function);
        this.verifiedUser = function;
        this.requireBearer = bearerMode == BearerMode.REQUIRED;
    }

    @Override // jakarta.servlet.Filter
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override // jakarta.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        try {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
            String httpAuthField = getHttpAuthField(httpServletRequest);
            if (httpAuthField == null && this.requireBearer) {
                sendResponseNoAuthPresent(httpServletResponse);
                return;
            }
            if (httpAuthField == null && !this.requireBearer) {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            }
            AuthHeader authToken = getAuthToken(httpServletRequest, httpAuthField);
            if (this.requireBearer && !AuthScheme.BEARER.equals(authToken.getAuthScheme())) {
                sendResponseBearerRequired(httpServletResponse);
                return;
            }
            switch (authToken.getAuthScheme()) {
                case BEARER:
                    String bearerToken = authToken.getBearerToken();
                    if (bearerToken == null) {
                        log.warn("Not a legal bearer token: " + authToken.getAuthArgs());
                        httpServletResponse.sendError(400);
                        return;
                    } else {
                        if (this.verifiedUser == null) {
                            httpServletResponse.sendError(400);
                            return;
                        }
                        String apply = this.verifiedUser.apply(bearerToken);
                        if (apply == null) {
                            httpServletResponse.sendError(403);
                            return;
                        } else {
                            filterChain.doFilter(new HttpServletRequestWithPrincipal(httpServletRequest, apply), servletResponse);
                            return;
                        }
                    }
                case UNKNOWN:
                case BASIC:
                case DIGEST:
                default:
                    filterChain.doFilter(httpServletRequest, httpServletResponse);
                    return;
            }
        } catch (Throwable th) {
            log.info("Filter: unexpected exception: " + th.getMessage(), th);
            ServletOps.error(500);
        }
    }

    @Override // jakarta.servlet.Filter
    public void destroy() {
    }

    protected String getHttpAuthField(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getHeader(HttpNames.hAuthorization);
    }

    protected void sendResponseNoAuthPresent(HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.setHeader(HttpNames.hWWWAuthenticate, "Bearer");
        httpServletResponse.sendError(401);
    }

    protected void sendResponseBearerRequired(HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.sendError(403);
    }

    protected AuthHeader getAuthToken(HttpServletRequest httpServletRequest, String str) {
        return AuthHeader.parseAuth(str);
    }
}
