package org.opencastproject.security.urlsigning.filter;

import java.io.IOException;
import java.util.Dictionary;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.opencastproject.security.urlsigning.exception.UrlSigningException;
import org.opencastproject.security.urlsigning.verifier.UrlSigningVerifier;
import org.opencastproject.urlsigning.common.ResourceRequest;
import org.opencastproject.util.OsgiUtil;
import org.opencastproject.util.data.Option;
import org.osgi.service.cm.ConfigurationException;
import org.osgi.service.cm.ManagedService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/opencastproject/security/urlsigning/filter/UrlSigningFilter.class */
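/**
 * Servlet filter that requires a valid URL signature on GET and HEAD requests whose request URL
 * matches one of the configured regular expressions.
 *
 * <p>Requests pass through without any verification when the filter is disabled, when no regular
 * expression is configured, when the method is neither GET nor HEAD, or when the URL matches no
 * configured expression. Every one of those paths is fail-open, so the configured expressions
 * define the whole protected surface.
 *
 * <p>Configuration arrives through {@link #updated(Dictionary)} while requests are being served
 * by other threads. The settings are therefore parsed into locals and published through volatile
 * fields only once the whole configuration has been accepted; the pattern list is never mutated
 * after publication.
 */
public class UrlSigningFilter implements Filter, ManagedService {
    public static final String URL_REGEX_PREFIX = "url.regex";
    public static final String ENABLE_FILTER_CONFIG_KEY = "enabled";
    public static final String STRICT_FILTER_CONFIG_KEY = "strict";
    private static final Logger logger = LoggerFactory.getLogger(UrlSigningFilter.class);
    private UrlSigningVerifier urlSigningVerifier;
    // Compiled once per configuration update; replaced as a whole, never modified in place.
    private volatile List<Pattern> urlRegularExpressions = new LinkedList<>();
    private volatile boolean enabled = true;
    private volatile boolean strict = true;

    /**
     * Sets the verifier that decides whether a request carries a valid signature.
     *
     * @param urlSigningVerifier the verifier consulted by {@link #doFilter}
     */
    public void setUrlSigningVerifier(UrlSigningVerifier urlSigningVerifier) {
        this.urlSigningVerifier = urlSigningVerifier;
    }

    /**
     * Verifies the signature of protected GET/HEAD requests and forwards or rejects them.
     *
     * <p>An accepted request continues down the chain; a rejected one is answered with 400, 403 or
     * 410 according to the verifier's status. A null verification result, an unexpected status or
     * a {@link UrlSigningException} is answered with 500.
     *
     * @param servletRequest the incoming request, cast to {@link HttpServletRequest}
     * @param servletResponse the response, cast to {@link HttpServletResponse}
     * @param filterChain the remaining filter chain
     * @throws IOException if the chain or the response write fails
     * @throws ServletException if the chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!this.enabled) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // Read the published list once so a concurrent configuration update cannot change it
        // between the emptiness check and the match below.
        List<Pattern> patterns = this.urlRegularExpressions;
        if (patterns.isEmpty()) {
            logger.debug("There are no regular expressions configured to protect endpoints, skipping filter.");
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        if (!"GET".equalsIgnoreCase(httpServletRequest.getMethod()) && !"HEAD".equalsIgnoreCase(httpServletRequest.getMethod())) {
            logger.debug("The request '{}' is not a GET or HEAD request so skipping the filter.", httpServletRequest.getRequestURL());
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // NOTE(review): the match runs against the URL exactly as the container reports it. If the
        // handler behind this filter normalises paths differently, the two can disagree about which
        // resource a request addresses - confirm against the deployment.
        if (!matchesProtectedUrl(patterns, httpServletRequest.getRequestURL())) {
            logger.debug("The request '{}' doesn't match any of the configured regular expressions so skipping the filter.", httpServletRequest.getRequestURL());
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        try {
            // NOTE(review): getRemoteAddr() is the peer address seen by the container; behind a
            // reverse proxy that is presumably the proxy - confirm before relying on IP policies.
            ResourceRequest verify = this.urlSigningVerifier.verify(httpServletRequest.getQueryString(), httpServletRequest.getRemoteAddr(), httpServletRequest.getRequestURL().toString(), this.strict);
            if (verify == null) {
                logger.error("Unable to process httpRequest '{}' because we got a null object as the verification.", httpServletRequest.getRequestURL());
                httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Unable to process http request because we got a null object as the verification.");
                return;
            }
            switch (verify.getStatus()) {
                case Ok:
                    logger.trace("The request '{}' matched a regular expression path and was accepted as a properly signed url.", httpServletRequest.getRequestURL());
                    filterChain.doFilter(httpServletRequest, servletResponse);
                    return;
                case BadRequest:
                    logger.debug("Unable to process httpRequest '{}' because it was rejected as a Bad Request, usually a problem with query string: {}", httpServletRequest.getRequestURL(), verify.getRejectionReason());
                    httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                case Forbidden:
                    logger.debug("Unable to process httpRequest '{}' because is was rejected as Forbidden, usually a problem with making policy matching the signature: {}", httpServletRequest.getRequestURL(), verify.getRejectionReason());
                    httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                case Gone:
                    logger.debug("Unable to process httpRequest '{}' because is was rejected as Gone: {}", httpServletRequest.getRequestURL(), verify.getRejectionReason());
                    httpServletResponse.sendError(HttpServletResponse.SC_GONE);
                    return;
                default:
                    // Any status added later is rejected rather than let through.
                    logger.error("Unable to process httpRequest '{}' because is was rejected as status {} which is not a status we should be handling here. This must be due to a code change and is a bug.: {}", new Object[]{httpServletRequest.getRequestURL(), verify.getStatus(), verify.getRejectionReason()});
                    httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                    return;
            }
        } catch (UrlSigningException e) {
            // The full detail stays in the server log. The logged query string carries the signing
            // parameters of the request, so this log needs the same access control as the
            // protected content.
            logger.error("Unable to verify request for '{}' with query string '{}' from host '{}' because:", new Object[]{httpServletRequest.getRequestURL(), httpServletRequest.getQueryString(), httpServletRequest.getRemoteAddr(), e});
            // The client gets a generic message only: no stack trace, query string or address, which
            // would expose server internals and echo request-controlled text into the error page.
            httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, String.format("%s is unable to verify the signature of this request.", getName()));
        }
    }

    /** Does nothing; the filter is configured through {@link #updated(Dictionary)}. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** Does nothing; the filter holds no resources to release. */
    @Override
    public void destroy() {
    }

    /** Returns the simple class name, used to identify this filter in error responses. */
    private String getName() {
        return getClass().getSimpleName();
    }

    /** Returns true when the whole URL matches at least one of the given patterns. */
    private static boolean matchesProtectedUrl(List<Pattern> patterns, CharSequence requestUrl) {
        for (Pattern pattern : patterns) {
            if (pattern.matcher(requestUrl).matches()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Applies a new configuration: the {@code enabled} and {@code strict} flags (both default to
     * true when absent) and every property whose key starts with {@code url.regex}.
     *
     * <p>Nothing is published until the whole dictionary has been parsed, so a rejected
     * configuration leaves the previous protection in force, and request threads never observe a
     * half-built pattern list.
     *
     * @param dictionary the new properties, or null when there is no configuration
     * @throws ConfigurationException if a {@code url.regex} value is not a valid regular expression
     */
    @Override
    public void updated(Dictionary<String, ?> dictionary) throws ConfigurationException {
        logger.info("Updating UrlSigningFilter");
        if (dictionary == null) {
            // Checked before any lookup: how OsgiUtil.getOptCfg treats a null dictionary is not
            // visible here. Without configuration the defaults apply and nothing is matched.
            this.enabled = true;
            this.strict = true;
            this.urlRegularExpressions = new LinkedList<>();
            logger.warn("UrlSigningFilter has no paths to match");
            return;
        }

        boolean newEnabled = true;
        Option enabledCfg = OsgiUtil.getOptCfg(dictionary, ENABLE_FILTER_CONFIG_KEY);
        if (enabledCfg.isSome()) {
            newEnabled = Boolean.parseBoolean((String) enabledCfg.get());
            if (newEnabled) {
                logger.info("The UrlSigningFilter is configured to be enabled.");
            } else {
                logger.info("The UrlSigningFilter is configured to be disabled.");
            }
        } else {
            logger.info("The UrlSigningFilter is enabled by default. Use the '{}' property in its properties file to enable or disable it.", ENABLE_FILTER_CONFIG_KEY);
        }

        boolean newStrict = true;
        Option strictCfg = OsgiUtil.getOptCfg(dictionary, STRICT_FILTER_CONFIG_KEY);
        if (strictCfg.isSome()) {
            newStrict = Boolean.parseBoolean((String) strictCfg.get());
            if (newStrict) {
                logger.info("The UrlSigningFilter is configured to use strict checking of resource URLs.");
            } else {
                logger.info("The UrlSigningFilter is configured to not use strict checking of resource URLs.");
            }
        } else {
            logger.info("The UrlSigningFilter is using strict checking of resource URLs by default. Use the '{}' property in its properties file to enable or disable it.", STRICT_FILTER_CONFIG_KEY);
        }

        List<Pattern> compiled = new LinkedList<>();
        Enumeration<String> keys = dictionary.keys();
        while (keys.hasMoreElements()) {
            String key = keys.nextElement();
            if (!key.startsWith(URL_REGEX_PREFIX)) {
                continue;
            }
            String regex = StringUtils.trimToNull((String) dictionary.get(key));
            logger.debug("Looking for configuration of {} and found '{}'", key, regex);
            if (regex == null) {
                // Dictionary.keys() has no defined order, so stopping at the first blank entry
                // would drop an arbitrary set of the remaining expressions and leave their URLs
                // unprotected. Only the blank entry is skipped.
                logger.warn("Ignoring url regular expression with id '{}' because it has no value.", key);
                continue;
            }
            try {
                compiled.add(Pattern.compile(regex));
            } catch (IllegalArgumentException e) {
                // PatternSyntaxException is an IllegalArgumentException. Rejecting the update here
                // keeps the previous patterns active instead of failing on each request.
                throw new ConfigurationException(key, "is not a valid regular expression: " + e.getMessage(), e);
            }
        }

        this.enabled = newEnabled;
        this.strict = newStrict;
        this.urlRegularExpressions = compiled;
        if (compiled.isEmpty()) {
            logger.info("UrlSigningFilter configured to not verify any urls.");
        } else {
            logger.info("Finished updating UrlSigningFilter");
        }
    }
}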
