package org.dataconservancy.pass.authz.roles;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Optional;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.dataconservancy.pass.authz.AuthUserProvider;
import org.dataconservancy.pass.authz.ConfigUtil;
import org.dataconservancy.pass.authz.LogUtil;
import org.dataconservancy.pass.client.PassClient;
import org.dataconservancy.pass.client.PassClientFactory;
import org.dataconservancy.pass.model.User;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dataconservancy/pass/authz/roles/PassRolesFilter.class */
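/**
 * Servlet filter that replaces the configured authorization-roles header with a value computed
 * from the authenticated user, so that code further down the chain sees server-derived roles.
 *
 * <p>Unless {@link #PROP_ALLOW_EXTERNAL_ROLES} is set to {@code true}, a roles header supplied by
 * the client is discarded. Header-name comparisons are case-insensitive, matching the contract of
 * {@link HttpServletRequest#getHeader(String)}; otherwise a lookup that spells the header with
 * different casing would fall through to the wrapped request and return the client's value.
 */
public class PassRolesFilter implements Filter {
    public static final String DEFAULT_ROLE_HEADER = "pass-roles";
    public static final String PROP_ALLOW_EXTERNAL_ROLES = "authz.allow.external.roles";
    public static final String PROP_HEADER_NAME = "authz.header.name";
    public static final String PROP_HEADER_SEPARATOR = "authz.header.separator";
    public static final String PROP_USER_SERVICE_PATH = "authz.user.service.path";

    /** Context path of the user service; requests under it bypass role computation. */
    static final String USER_SERVICE_PATH = (String) Optional.ofNullable(ConfigUtil.getValue(PROP_USER_SERVICE_PATH)).orElse("/pass-user-service");

    /** Whether client-asserted roles are merged into the computed roles; set in {@link #init}. */
    boolean allowExternalRoles;
    final PassClient passClient;
    Logger LOG = LoggerFactory.getLogger(PassRolesFilter.class);

    /** Name of the header carrying the roles. */
    final String authzHeader = (String) Optional.ofNullable(ConfigUtil.getValue(PROP_HEADER_NAME)).orElse(DEFAULT_ROLE_HEADER);

    // NOTE(review): used as a regex by String.split() and as a literal by String.join() below;
    // a separator containing regex metacharacters would split and join differently.
    final String authzRoleSeparator = (String) Optional.ofNullable(ConfigUtil.getValue(PROP_HEADER_SEPARATOR)).orElse(",");

    /**
     * Looks up the {@link AuthUserProvider} published as a context attribute by the user service.
     * Fails with an exception rather than returning {@code null}, so a missing provider cannot
     * result in a request proceeding without computed roles.
     */
    Function<ServletContext, AuthUserProvider> authUserProviderFactory = servletContext -> {
        final ServletContext userServiceContext = servletContext.getContext(USER_SERVICE_PATH);
        if (userServiceContext == null) {
            throw new NullPointerException("Could not access the user service context");
        }
        final AuthUserProvider provider = (AuthUserProvider) userServiceContext.getAttribute("authUserProvider");
        if (provider == null) {
            // Report the configured path; with the default configuration the text is unchanged.
            throw new RuntimeException("Cannot get authUserProvider from " + USER_SERVICE_PATH);
        }
        return provider;
    };

    /**
     * Request wrapper that answers every lookup of the roles header, in any casing, with the
     * roles computed at construction time.
     */
    class AuthzRequestWrapper extends HttpServletRequestWrapper {
        /** Effective roles joined with the configured separator. */
        final String roles;

        /**
         * Computes the effective roles for the request.
         *
         * @param httpServletRequest the incoming request
         * @throws RuntimeException if the user or their roles cannot be determined
         */
        public AuthzRequestWrapper(HttpServletRequest httpServletRequest) {
            super(httpServletRequest);
            final Collection<String> effectiveRoles = new HashSet<>();
            final String asserted = httpServletRequest.getHeader(authzHeader);
            if (asserted != null) {
                // NOTE(review): the logged value is client-controlled; confirm the log layout
                // neutralises control characters.
                if (allowExternalRoles) {
                    LOG.warn("Accepting user-asserted roles '{}'", asserted);
                    effectiveRoles.addAll(Arrays.asList(asserted.split(authzRoleSeparator)));
                } else {
                    LOG.warn("A request tried to assert roles '{}' in header '{}', but this is not allowed!  Discarding.", asserted, authzHeader);
                }
            }
            try {
                LOG.debug("Getting user info for roles");
                final Collection<?> userRoles = AuthRolesProvider.getRoles(
                        authUserProviderFactory.apply(httpServletRequest.getServletContext())
                                .getUser(httpServletRequest, authUser -> {
                                    LOG.debug("Entering critical section");
                                    // Resolve the User resource only when an id is known and it is not loaded yet.
                                    if (authUser.getId() != null && authUser.getUser() == null) {
                                        authUser.setUser(passClient.readResource(authUser.getId(), User.class));
                                    }
                                    return authUser;
                                }, true));
                effectiveRoles.addAll(userRoles.stream().map(Object::toString).collect(Collectors.toList()));
                this.roles = String.join(authzRoleSeparator, effectiveRoles);
                LOG.debug("Using auth roles '{}'", this.roles);
            } catch (Exception e) {
                throw new RuntimeException("Error looking up user or roles ", e);
            }
        }

        /**
         * Returns the computed roles for the roles header and delegates every other header.
         *
         * @param str header name, matched case-insensitively against the roles header
         */
        @Override
        public String getHeader(String str) {
            return isRolesHeader(str) ? this.roles : super.getHeader(str);
        }

        /**
         * Returns the wrapped request's header names with the roles header listed exactly once,
         * under its configured spelling. Client-supplied spellings of that name are dropped so a
         * caller iterating the names cannot be steered towards a differently-cased entry.
         */
        @Override
        public Enumeration<String> getHeaderNames() {
            final Enumeration<String> original = super.getHeaderNames();
            // The servlet API allows a container to return null here.
            final ArrayList<String> names = original == null ? new ArrayList<>() : Collections.list(original);
            names.removeIf(this::isRolesHeader);
            names.add(authzHeader);
            return Collections.enumeration(names);
        }

        /**
         * Returns a single-element enumeration of the computed roles for the roles header and
         * delegates every other header.
         *
         * @param str header name, matched case-insensitively against the roles header
         */
        @Override
        public Enumeration<String> getHeaders(String str) {
            return isRolesHeader(str) ? Collections.enumeration(Collections.singletonList(this.roles)) : super.getHeaders(str);
        }

        /** Case-insensitive match against the configured roles header; false for {@code null}. */
        private boolean isRolesHeader(String name) {
            return authzHeader.equalsIgnoreCase(name);
        }
    }

    /** Adjusts log levels and obtains the PASS client used to resolve user resources. */
    public PassRolesFilter() {
        LogUtil.adjustLogLevels();
        this.passClient = PassClientFactory.getPassClient();
    }

    /**
     * Reads {@link #PROP_ALLOW_EXTERNAL_ROLES}; anything other than {@code "true"} (ignoring
     * case) leaves client-asserted roles disabled.
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.LOG.info("Initializing filter");
        this.LOG.info("Using authz header {}", this.authzHeader);
        this.allowExternalRoles = Boolean.parseBoolean((String) Optional.ofNullable(ConfigUtil.getValue(PROP_ALLOW_EXTERNAL_ROLES)).orElse("false"));
        if (this.allowExternalRoles) {
            this.LOG.warn("Init: Allowing external values for authz header {}", this.authzHeader);
        }
    }

    /**
     * Wraps the request so downstream code sees computed roles, except for requests addressed to
     * the user service, which are passed through unchanged. If the roles cannot be determined the
     * request is answered with a 500 and is not forwarded.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;
        AuthzRequestWrapper wrapped = null;
        try {
            // NOTE(review): getRequestURI() is the raw request path and this is a plain prefix
            // match, so sibling paths sharing the prefix also skip the wrapper. Confirm the
            // container normalises the path before this filter runs, and that nothing behind
            // this branch trusts the roles header.
            if (request.getRequestURI().startsWith(USER_SERVICE_PATH)) {
                filterChain.doFilter(servletRequest, servletResponse);
            } else {
                this.LOG.debug("Preparing authorizations for {} {}", request.getMethod(), request.getRequestURL());
                wrapped = new AuthzRequestWrapper(request);
            }
        } catch (Exception e) {
            // Fail closed: the request is never forwarded without computed roles.
            this.LOG.warn("Could not apply roles filter", e);
            if (!response.isCommitted()) {
                response.sendError(500, "Error determining authorization roles.  This request has been logged.");
            }
        }
        if (wrapped != null) {
            filterChain.doFilter(wrapped, servletResponse);
        }
    }

    /** No resources to release. */
    @Override
    public void destroy() {
    }
}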
