package be.personify.iam.scim.authentication;

import be.personify.iam.scim.util.Constants;
import be.personify.iam.scim.util.CryptUtils;
import be.personify.iam.scim.util.TokenUtils;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpMethod;
import org.springframework.util.Base64Utils;

/* loaded from: input_file:be/personify/iam/scim/authentication/PropertyFileAuthenticationFilter.class */
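/**
 * Servlet filter that authenticates and authorises SCIM requests.
 *
 * <p>Requests to the endpoints listed in {@link #UNAUTHENTICATED_ENDPOINTS} are passed through
 * unchanged. Every other request must carry an {@code Authorization} header using either the
 * Basic or the Bearer scheme; the resolved consumer must hold the {@code read} role for GET
 * requests and the {@code write} role for every other HTTP method. Anything else is answered
 * with HTTP 401.
 *
 * <p>Malformed credentials (invalid Base64, a missing {@code ':'} separator, an unknown client
 * id) are treated as failed authentication and answered with 401 instead of surfacing as an
 * unhandled exception. Credentials and tokens are never written to the log.
 */
public class PropertyFileAuthenticationFilter implements Filter {
    private static final String SERVER = "Server";
    private static final String AUTHORIZATION = "Authorization";
    private static final String ROLE_READ = "read";
    private static final String ROLE_WRITE = "write";

    @Autowired
    private TokenUtils tokenUtils;

    @Autowired
    private CryptUtils cryptUtils;

    @Autowired
    private AuthenticationUtils authenticationUtils;
    private static final Logger logger = LogManager.getLogger(PropertyFileAuthenticationFilter.class);

    // Request URIs that skip authentication. The match is exact and is made on the raw request
    // URI, so any variant of these paths falls through to the authenticated branch.
    // NOTE(review): /scim/v2/Me bypasses this filter entirely and no CurrentConsumer is set for
    // it; confirm that the endpoint authenticates its callers itself.
    private static final List<String> UNAUTHENTICATED_ENDPOINTS = Arrays.asList("/scim/v2/token", "/scim/v2/Me");

    // NOTE(review): this value is sent in the Server header and discloses the implementation
    // title and version to every client; confirm that this is intended.
    private static final String serverDescription = PropertyFileAuthenticationFilter.class.getPackage().getImplementationTitle() + " " + PropertyFileAuthenticationFilter.class.getPackage().getImplementationVersion();

    /**
     * Lets public endpoints through, authenticates everything else and either continues the
     * chain with the authenticated consumer registered as current or answers with HTTP 401.
     *
     * @param servletRequest the incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse the outgoing response; must be an {@link HttpServletResponse}
     * @param filterChain the remaining filter chain
     * @throws IOException if the chain or the response fails with an I/O error
     * @throws ServletException if the chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        response.addHeader(SERVER, serverDescription);

        String requestUri = request.getRequestURI();
        if (UNAUTHENTICATED_ENDPOINTS.contains(requestUri)) {
            logger.debug("{} is a public endpoint", requestUri);
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        Consumer consumer = authenticate(request, servletResponse, filterChain);
        if (consumer != null) {
            // NOTE(review): the current consumer is set here but never cleared by this filter.
            // If CurrentConsumer is backed by a thread-local, confirm that it is reset elsewhere
            // so that an identity cannot carry over to a later request on a pooled thread.
            CurrentConsumer.setCurrent(consumer);
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            // reset() drops everything written so far (including the Server header) before the
            // bare 401 is sent.
            response.reset();
            response.setStatus(401);
            response.flushBuffer();
        }
    }

    /**
     * Resolves the consumer identified by the {@code Authorization} header.
     *
     * @return the consumer when the credentials are valid and the consumer holds the role
     *     required for the request method, otherwise {@code null}
     */
    private Consumer authenticate(HttpServletRequest request, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        String header = request.getHeader(AUTHORIZATION);
        if (header == null) {
            return null;
        }
        String[] parts = header.split(" ");
        if (parts.length != 2) {
            return null;
        }
        String method = request.getMethod();
        logger.debug("the auth method {}", parts[0]);
        if (parts[0].equalsIgnoreCase(Constants.BASIC)) {
            return authenticateBasic(parts[1], method, request, servletResponse, filterChain);
        }
        if (parts[0].equalsIgnoreCase(Constants.BEARER)) {
            return authenticateBearer(parts[1], method, request, servletResponse, filterChain);
        }
        return null;
    }

    /**
     * Validates Basic credentials against the configured basic-auth consumers.
     *
     * @param encoded the Base64 part of the header
     * @param method the HTTP method of the request
     * @return the matching, authorised consumer, or {@code null}
     */
    private Consumer authenticateBasic(String encoded, String method, ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        String decoded;
        try {
            decoded = new String(Base64Utils.decode(encoded.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            // Invalid Base64 is a failed login, not a server error; the value is not logged.
            logger.debug("basic credentials are not valid base64");
            return null;
        }
        // Split on the first ':' only: the user id cannot contain a colon, the password can.
        int separator = decoded.indexOf(':');
        if (separator < 0) {
            logger.debug("basic credentials do not contain a separator");
            return null;
        }
        String clientId = decoded.substring(0, separator);
        String presentedSecret = decoded.substring(separator + 1);

        Map<String, Consumer> basicAuthConsumers = this.authenticationUtils.getBasicAuthConsumers();
        Consumer consumer = basicAuthConsumers == null ? null : basicAuthConsumers.get(clientId);
        if (consumer == null || !secretMatches(consumer.getSecret(), presentedSecret)) {
            return null;
        }
        logger.debug("passwd match");
        return checkRole(servletRequest, servletResponse, filterChain, clientId, method, basicAuthConsumers) ? consumer : null;
    }

    /**
     * Validates a Bearer token and maps it to one of the configured bearer-auth consumers.
     *
     * @param token the token part of the header
     * @param method the HTTP method of the request
     * @return the matching, authorised consumer, or {@code null}
     */
    private Consumer authenticateBearer(String token, String method, ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        // The token itself is a credential and is deliberately kept out of the log.
        if (!this.tokenUtils.isValid(token)) {
            return null;
        }
        String decrypted = this.cryptUtils.decrypt(token, TokenUtils.SALT);
        if (decrypted == null) {
            return null;
        }
        // The client id is everything before the first ':' of the decrypted token.
        int separator = decrypted.indexOf(':');
        String tokenClientId = separator < 0 ? decrypted : decrypted.substring(0, separator);

        Map<String, Consumer> bearerAuthConsumers = this.authenticationUtils.getBearerAuthConsumers();
        String clientId = getClientIdWithCredential(tokenClientId, bearerAuthConsumers);
        if (clientId == null) {
            // A valid token for a client that is no longer configured is rejected.
            return null;
        }
        Consumer consumer = bearerAuthConsumers.get(clientId);
        if (consumer == null) {
            return null;
        }
        return checkRole(servletRequest, servletResponse, filterChain, clientId, method, bearerAuthConsumers) ? consumer : null;
    }

    /**
     * Compares two secrets with {@link MessageDigest#isEqual(byte[], byte[])} rather than
     * {@code String.equals}, so the comparison does not stop at the first differing character.
     *
     * @return {@code false} when either value is {@code null}
     */
    private static boolean secretMatches(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Checks whether the consumer registered under {@code str} may use HTTP method {@code str2}.
     * GET requires the {@code read} role; every other method requires {@code write}.
     *
     * @param str the client id
     * @param str2 the HTTP method name
     * @param map the consumers to look the client id up in
     * @return {@code true} when the consumer exists and holds the required role; {@code false}
     *     when the map, the consumer or its role list is missing
     */
    private boolean checkRole(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain, String str, String str2, Map<String, Consumer> map) throws IOException, ServletException {
        logger.debug("clientid {}", str);
        if (map == null || str == null) {
            return false;
        }
        Consumer consumer = map.get(str);
        if (consumer == null) {
            return false;
        }
        List<String> roles = consumer.getRoles();
        if (roles == null) {
            return false;
        }
        return HttpMethod.GET.name().equals(str2) ? roles.contains(ROLE_READ) : roles.contains(ROLE_WRITE);
    }

    /**
     * Returns the key of {@code map} that equals {@code str}.
     *
     * @return the matching key, or {@code null} when there is none or when either argument is
     *     {@code null}
     */
    private String getClientIdWithCredential(String str, Map<String, Consumer> map) {
        if (str == null || map == null) {
            return null;
        }
        for (String str2 : map.keySet()) {
            if (str.equals(str2)) {
                return str2;
            }
        }
        return null;
    }
}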
