package org.eclipse.kura.internal.rest.provider;

import com.eclipsesource.jaxrs.provider.security.AuthenticationHandler;
import com.eclipsesource.jaxrs.provider.security.AuthorizationHandler;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Dictionary;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.StringTokenizer;
import javax.annotation.Priority;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.PathSegment;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import org.eclipse.kura.audit.AuditConstants;
import org.eclipse.kura.audit.AuditContext;
import org.eclipse.kura.configuration.ConfigurableComponent;
import org.eclipse.kura.crypto.CryptoService;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.useradmin.Group;
import org.osgi.service.useradmin.Role;
import org.osgi.service.useradmin.User;
import org.osgi.service.useradmin.UserAdmin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Provider
/* loaded from: input_file:org/eclipse/kura/internal/rest/provider/RestService.class */
public class RestService implements AuthenticationHandler, AuthorizationHandler, ConfigurableComponent, ContainerResponseFilter {
    private static final String KURA_PASSWORD_CREDENTIAL = "kura.password";
    private static final String KURA_PERMISSION_PREFIX = "kura.permission.";
    private static final String KURA_PERMISSION_REST_PREFIX = "kura.permission.rest.";
    private static final String KURA_USER_PREFIX = "kura.user.";
    private static final String KURA_NEED_PASSWORD_CHANGE = "kura.need.password.change";
    private CryptoService cryptoService;
    private UserAdmin userAdmin;
    RestServiceOptions options;
    private final List<ServiceRegistration<?>> registeredServices = new ArrayList();

    @Context
    private HttpServletRequest sr;
    private static final Logger logger = LoggerFactory.getLogger(RestService.class);
    private static final Logger auditLogger = LoggerFactory.getLogger("AuditLogger");
    private static final Base64.Decoder BASE64_DECODER = Base64.getDecoder();
    private static final Response UNAUTHORIZED_RESPONSE = Response.status(Response.Status.UNAUTHORIZED).header("WWW-Authenticate", "Basic realm=\"kura-rest-api\"").build();
    private static final Response NOT_FOUND_RESPONSE = Response.status(Response.Status.NOT_FOUND).build();

    @Provider
    @Priority(900)
    /* loaded from: input_file:org/eclipse/kura/internal/rest/provider/RestService$IncomingPortCheckFilter.class */
    private class IncomingPortCheckFilter implements ContainerRequestFilter {

        @Context
        private HttpServletRequest sr;

        private IncomingPortCheckFilter() {
        }

        public void filter(ContainerRequestContext containerRequestContext) throws IOException {
            RestService.this.initAuditContext(containerRequestContext);
            Set<Integer> allowedPorts = RestService.this.options.getAllowedPorts();
            if (allowedPorts.isEmpty() || allowedPorts.contains(Integer.valueOf(this.sr.getLocalPort()))) {
                return;
            }
            containerRequestContext.abortWith(RestService.NOT_FOUND_RESPONSE);
        }

        /* synthetic */ IncomingPortCheckFilter(RestService restService, IncomingPortCheckFilter incomingPortCheckFilter) {
            this();
        }
    }

    public void setUserAdmin(UserAdmin userAdmin) {
        this.userAdmin = userAdmin;
    }

    public void setCryptoService(CryptoService cryptoService) {
        this.cryptoService = cryptoService;
    }

    public void activate(Map<String, Object> map) {
        logger.info("activating...");
        this.registeredServices.add(FrameworkUtil.getBundle(RestService.class).getBundleContext().registerService(ContainerRequestFilter.class, new IncomingPortCheckFilter(this, null), (Dictionary) null));
        this.options = new RestServiceOptions(map);
        logger.info("activating...done");
    }

    public void update(Map<String, Object> map) {
        logger.info("updating...");
        this.options = new RestServiceOptions(map);
        logger.info("updating...done");
    }

    public void deactivate() {
        logger.info("deactivating...");
        Iterator<ServiceRegistration<?>> it = this.registeredServices.iterator();
        while (it.hasNext()) {
            it.next().unregister();
        }
        logger.info("deactivating...done");
    }

    public boolean isUserInRole(Principal principal, String str) {
        try {
            User role = this.userAdmin.getRole(KURA_USER_PREFIX + principal.getName());
            if (containsBasicMember(this.userAdmin.getRole(KURA_PERMISSION_REST_PREFIX + str), role)) {
                return true;
            }
            return containsBasicMember(this.userAdmin.getRole("kura.permission.kura.admin"), role);
        } catch (Exception unused) {
            return false;
        }
    }

    public Principal authenticate(ContainerRequestContext containerRequestContext) {
        AuditContext initAuditContext = initAuditContext(containerRequestContext);
        try {
            Optional<Principal> performCertificateAuthentication = performCertificateAuthentication(containerRequestContext);
            if (performCertificateAuthentication.isPresent()) {
                return performCertificateAuthentication.get();
            }
            Optional<Principal> performBasicAuthentication = performBasicAuthentication(containerRequestContext);
            if (!performBasicAuthentication.isPresent()) {
                throw new IllegalStateException();
            }
            auditLogger.info("{} Rest - Success - Password Authentication succeeded", initAuditContext);
            return performBasicAuthentication.get();
        } catch (Exception unused) {
            auditLogger.warn("{} Rest - Failure - Received unauthorized REST request", initAuditContext);
            containerRequestContext.abortWith(UNAUTHORIZED_RESPONSE);
            return null;
        }
    }

    public String getAuthenticationScheme() {
        return null;
    }

    private Optional<Principal> performBasicAuthentication(ContainerRequestContext containerRequestContext) throws NoSuchAlgorithmException, UnsupportedEncodingException {
        AuditContext currentOrInternal = AuditContext.currentOrInternal();
        String headerString = containerRequestContext.getHeaderString("Authorization");
        if (headerString == null) {
            return Optional.empty();
        }
        StringTokenizer stringTokenizer = new StringTokenizer(headerString);
        if (!"Basic".equals(stringTokenizer.nextToken())) {
            return Optional.empty();
        }
        String str = new String(BASE64_DECODER.decode(stringTokenizer.nextToken()), StandardCharsets.UTF_8);
        int indexOf = str.indexOf(58);
        String substring = str.substring(0, indexOf);
        String substring2 = str.substring(indexOf + 1);
        currentOrInternal.getProperties().put(AuditConstants.KEY_IDENTITY.getValue(), substring);
        User role = this.userAdmin.getRole(KURA_USER_PREFIX + substring);
        if ("true".equals(role.getProperties().get(KURA_NEED_PASSWORD_CHANGE))) {
            return Optional.empty();
        }
        return this.cryptoService.sha256Hash(substring2).equals((String) role.getCredentials().get(KURA_PASSWORD_CREDENTIAL)) ? Optional.of(() -> {
            return substring;
        }) : Optional.empty();
    }

    private Optional<Principal> performCertificateAuthentication(ContainerRequestContext containerRequestContext) {
        AuditContext currentOrInternal = AuditContext.currentOrInternal();
        try {
            Object property = containerRequestContext.getProperty("javax.servlet.request.X509Certificate");
            if (!(property instanceof X509Certificate[])) {
                return Optional.empty();
            }
            X509Certificate[] x509CertificateArr = (X509Certificate[]) property;
            if (x509CertificateArr.length == 0) {
                throw new IllegalArgumentException("Certificate chain is empty");
            }
            Optional findAny = new LdapName(x509CertificateArr[0].getSubjectX500Principal().getName()).getRdns().stream().filter(rdn -> {
                return "cn".equalsIgnoreCase(rdn.getType());
            }).findAny();
            if (!findAny.isPresent()) {
                throw new IllegalArgumentException("Certificate common name is not present");
            }
            String str = (String) ((Rdn) findAny.get()).getValue();
            currentOrInternal.getProperties().put(AuditConstants.KEY_IDENTITY.getValue(), str);
            if (this.userAdmin.getRole(KURA_USER_PREFIX + str) instanceof User) {
                auditLogger.info("{} Rest - Success - Certificate Authentication succeeded", currentOrInternal);
                return Optional.of(() -> {
                    return str;
                });
            }
            auditLogger.warn("{} Rest - Failure - Certificate Authentication failed", currentOrInternal);
            return Optional.empty();
        } catch (Exception unused) {
            auditLogger.warn("{} Rest - Failure - Certificate Authentication failed", currentOrInternal);
            return Optional.empty();
        }
    }

    private static boolean containsBasicMember(Role role, User user) {
        Role[] members;
        if (!(role instanceof Group) || (members = ((Group) role).getMembers()) == null) {
            return false;
        }
        for (Role role2 : members) {
            if (role2.getName().equals(user.getName())) {
                return true;
            }
        }
        return false;
    }

    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) throws IOException {
        int status = containerResponseContext.getStatus();
        SecurityContext securityContext = containerRequestContext.getSecurityContext();
        AuditContext initAuditContext = initAuditContext(containerRequestContext);
        try {
            if (containerResponseContext.getStatus() == 404) {
                auditLogger.warn("{} Rest - Failure - Service not found", initAuditContext);
                return;
            }
            if (securityContext == null) {
                auditLogger.warn("{} Rest - Failure - No security context", initAuditContext);
                return;
            }
            if (securityContext.getUserPrincipal() == null) {
                auditLogger.warn("{} Rest - Failure - User not authenticated", initAuditContext);
                return;
            }
            if (status < 200 || status >= 400) {
                auditLogger.warn("{} Rest - Failure - Request failed", initAuditContext);
            } else {
                auditLogger.info("{} Rest - Success - Rest request succeeded", initAuditContext);
            }
        } finally {
            closeAuditContext(containerRequestContext);
        }
    }

    private String getRequestPath(ContainerRequestContext containerRequestContext) {
        Iterator it = containerRequestContext.getUriInfo().getPathSegments().iterator();
        StringBuilder sb = new StringBuilder();
        while (it.hasNext()) {
            sb.append(((PathSegment) it.next()).getPath());
            if (it.hasNext()) {
                sb.append("/");
            }
        }
        return sb.toString();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public AuditContext initAuditContext(ContainerRequestContext containerRequestContext) {
        Object property = containerRequestContext.getProperty("org.eclipse.kura.rest.audit.context");
        if (property != null) {
            return (AuditContext) property;
        }
        HashMap hashMap = new HashMap();
        String headerString = containerRequestContext.getHeaderString("X-FORWARDED-FOR");
        if (headerString == null) {
            headerString = this.sr.getRemoteAddr();
        }
        hashMap.put(AuditConstants.KEY_ENTRY_POINT.getValue(), "RestService");
        hashMap.put(AuditConstants.KEY_IP.getValue(), headerString);
        hashMap.put("rest.method", containerRequestContext.getMethod());
        hashMap.put("rest.path", getRequestPath(containerRequestContext));
        AuditContext auditContext = new AuditContext(hashMap);
        AuditContext.Scope openScope = AuditContext.openScope(auditContext);
        containerRequestContext.setProperty("org.eclipse.kura.rest.audit.context", auditContext);
        containerRequestContext.setProperty("org.eclipse.kura.rest.audit.scope", openScope);
        return auditContext;
    }

    private void closeAuditContext(ContainerRequestContext containerRequestContext) {
        Object property = containerRequestContext.getProperty("org.eclipse.kura.rest.audit.scope");
        if (property instanceof AuditContext.Scope) {
            ((AuditContext.Scope) property).close();
        }
    }
}
