package monasca.api.infrastructure.servlet;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import javax.annotation.Nullable;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.ws.rs.core.MediaType;
import monasca.api.infrastructure.servlet.PreAuthenticationFilter;

/* loaded from: input_file:monasca/api/infrastructure/servlet/PostAuthenticationFilter.class */
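/**
 * Servlet filter that takes the final allow/deny decision for a request from three request
 * attributes: {@code X-PROJECT-ID} (tenant), {@code X-IDENTITY-STATUS} and {@code X-ROLES}.
 *
 * <p>The attributes are only read here; they are presumably populated by an authentication filter
 * that runs earlier in the chain (TODO confirm against the filter registration). A request is
 * forwarded when its identity status is {@code CONFIRMED} and its roles match one of the
 * configured role lists; otherwise a 401 is written through the
 * {@link PreAuthenticationFilter.ErrorCapturingServletResponseWrapper}.
 *
 * <p>Forwarded requests are wrapped so that the {@code X-Tenant-Id} and {@code X-Roles} headers
 * seen downstream always come from the request attributes and never from what the client sent.
 * {@code OPTIONS} requests are the exception: they are forwarded unauthenticated and unwrapped.
 */
public class PostAuthenticationFilter implements Filter {
    static final String CONFIRMED_STATUS = "CONFIRMED";
    static final String X_ROLES_ATTRIBUTE = "X-ROLES";
    static final String X_MONASCA_AGENT = "X-MONASCA_AGENT";
    static final String X_IDENTITY_STATUS_ATTRIBUTE = "X-IDENTITY-STATUS";
    private static final String X_TENANT_ID_ATTRIBUTE = "X-PROJECT-ID";
    static final String X_TENANT_ID_HEADER = "X-Tenant-Id";
    static final String X_ROLES_HEADER = "X-Roles";

    // Role names are stored lower-cased (Locale.ROOT) so matching is case-insensitive.
    private final List<String> defaultAuthorizedRoles = new ArrayList<String>();
    private final List<String> agentAuthorizedRoles = new ArrayList<String>();
    private final List<String> readOnlyAuthorizedRoles = new ArrayList<String>();

    /**
     * Creates the filter with the configured role lists.
     *
     * @param defaultAuthorizedRoles roles that grant access regardless of HTTP method; must not be
     *     null
     * @param agentAuthorizedRoles roles that grant access and mark the request with the
     *     {@code X-MONASCA_AGENT} attribute; must not be null
     * @param readOnlyAuthorizedRoles roles that grant access to {@code GET} requests only; may be
     *     null, which is treated as an empty list
     * @throws NullPointerException if either of the first two lists, or any role name, is null
     */
    public PostAuthenticationFilter(List<String> defaultAuthorizedRoles, List<String> agentAuthorizedRoles, List<String> readOnlyAuthorizedRoles) {
        addNormalizedRoles(this.defaultAuthorizedRoles, defaultAuthorizedRoles);
        addNormalizedRoles(this.agentAuthorizedRoles, agentAuthorizedRoles);
        if (readOnlyAuthorizedRoles != null) {
            addNormalizedRoles(this.readOnlyAuthorizedRoles, readOnlyAuthorizedRoles);
        }
    }

    /** Appends the normalized form of every role in {@code source} to {@code target}. */
    private static void addNormalizedRoles(List<String> target, List<String> source) {
        for (String role : source) {
            target.add(normalizeRole(role));
        }
    }

    /**
     * Lower-cases a role name independently of the JVM default locale.
     *
     * <p>A locale-sensitive {@code toLowerCase()} maps {@code "I"} to a dotless i under Turkish
     * locales, which would make configured and presented role names stop matching.
     */
    private static String normalizeRole(String role) {
        return role.toLowerCase(Locale.ROOT);
    }

    /** Returns the string form of a request attribute, or null when the attribute is absent. */
    @Nullable
    private static String attributeAsString(HttpServletRequest request, String name) {
        Object value = request.getAttribute(name);
        return value == null ? null : value.toString();
    }

    @Override
    public void destroy() {
    }

    /**
     * Forwards the request when it is both authenticated and authorized, otherwise answers 401.
     *
     * <p>The response must be a {@link PreAuthenticationFilter.ErrorCapturingServletResponseWrapper};
     * the cast is made outside the try block, so a differently typed response surfaces as a
     * {@link ClassCastException} rather than as a 401.
     *
     * @param servletRequest the incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse the response wrapper installed earlier in the chain
     * @param filterChain the remainder of the filter chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        PreAuthenticationFilter.ErrorCapturingServletResponseWrapper errorResponse =
                (PreAuthenticationFilter.ErrorCapturingServletResponseWrapper) servletResponse;
        try {
            if ("OPTIONS".equals(httpRequest.getMethod())) {
                // OPTIONS bypasses every check below and is forwarded UNWRAPPED, so any
                // X-Tenant-Id / X-Roles header on it is client-supplied. Downstream handlers
                // must not treat those headers as authenticated on OPTIONS requests.
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
            Object tenantAttribute = servletRequest.getAttribute(X_TENANT_ID_ATTRIBUTE);
            if (tenantAttribute == null) {
                sendAuthError(errorResponse, null, null, null);
                return;
            }
            String tenantId = tenantAttribute.toString();
            // Both checks are always evaluated: isAuthorized also sets the agent marker attribute.
            boolean authenticated = isAuthenticated(httpRequest);
            boolean authorized = isAuthorized(httpRequest);
            if (authenticated && authorized) {
                filterChain.doFilter(requestWrapperFor(httpRequest), servletResponse);
                return;
            }
            if (authorized) {
                sendAuthError(errorResponse, tenantId, null, null);
            } else {
                sendAuthError(errorResponse, tenantId, "Tenant is missing a required role to access this service", null);
            }
        } catch (Exception e) {
            // Fail closed: anything unexpected ends in a 401.
            // NOTE(review): this also catches exceptions thrown by the downstream chain, so an
            // application failure after a successful check is reported as an authentication
            // failure. Confirm that is intended before relying on 401 counts for detection.
            try {
                sendAuthError(errorResponse, null, null, e);
            } catch (IOException ignored) {
                // The 401 itself could not be written. This method declares no checked
                // exceptions and the class has no logger, so nothing more can be reported here.
            }
        }
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Returns true when the {@code X-IDENTITY-STATUS} attribute equals {@code CONFIRMED},
     * ignoring case. A missing attribute counts as not authenticated.
     */
    private boolean isAuthenticated(HttpServletRequest httpServletRequest) {
        String status = attributeAsString(httpServletRequest, X_IDENTITY_STATUS_ATTRIBUTE);
        return status != null && CONFIRMED_STATUS.equalsIgnoreCase(status);
    }

    /**
     * Decides whether the roles in the {@code X-ROLES} attribute allow this request.
     *
     * <p>The attribute is split on commas. The first role found in the default list grants access
     * immediately, without setting the agent marker. Otherwise an agent role grants access and
     * sets the {@code X-MONASCA_AGENT} attribute to true, and a read-only role grants access to
     * {@code GET} requests only. A missing attribute denies access.
     *
     * <p>NOTE(review): role tokens are compared without trimming, so a value such as
     * {@code "a, b"} would not match a configured role {@code "b"}. That fails closed; confirm the
     * producer of {@code X-ROLES} never emits whitespace around commas.
     */
    private boolean isAuthorized(HttpServletRequest httpServletRequest) {
        String roles = attributeAsString(httpServletRequest, X_ROLES_ATTRIBUTE);
        if (roles == null) {
            return false;
        }
        boolean agentUser = false;
        boolean readOnlyUser = false;
        for (String role : roles.split(",")) {
            String normalized = normalizeRole(role);
            if (this.defaultAuthorizedRoles.contains(normalized)) {
                return true;
            }
            if (this.agentAuthorizedRoles.contains(normalized)) {
                agentUser = true;
            }
            if (this.readOnlyAuthorizedRoles.contains(normalized)) {
                readOnlyUser = true;
            }
        }
        if (agentUser) {
            httpServletRequest.setAttribute(X_MONASCA_AGENT, true);
            return true;
        }
        return readOnlyUser && "GET".equals(httpServletRequest.getMethod());
    }

    /**
     * Wraps the request so that {@code X-Tenant-Id} and {@code X-Roles} are answered from the
     * {@code X-PROJECT-ID} and {@code X-ROLES} request attributes.
     *
     * <p>Lookups of those two names never fall through to the underlying request, so a header of
     * the same name sent by the client cannot reach downstream code. If an attribute is absent the
     * header is reported as absent. Only {@code getHeader}, {@code getHeaders} and
     * {@code getHeaderNames} are overridden.
     */
    private HttpServletRequestWrapper requestWrapperFor(final HttpServletRequest httpServletRequest) {
        return new HttpServletRequestWrapper(httpServletRequest) {
            @Override
            public String getHeader(String name) {
                if (X_TENANT_ID_HEADER.equalsIgnoreCase(name)) {
                    return attributeAsString(httpServletRequest, X_TENANT_ID_ATTRIBUTE);
                }
                if (X_ROLES_HEADER.equalsIgnoreCase(name)) {
                    return attributeAsString(httpServletRequest, X_ROLES_ATTRIBUTE);
                }
                return super.getHeader(name);
            }

            @Override
            public Enumeration<String> getHeaderNames() {
                Enumeration<String> inherited = super.getHeaderNames();
                List<String> names = inherited == null ? new ArrayList<String>() : Collections.list(inherited);
                // Drop client-sent spellings of the two overridden names so each is listed once.
                for (Iterator<String> it = names.iterator(); it.hasNext();) {
                    String name = it.next();
                    if (X_TENANT_ID_HEADER.equalsIgnoreCase(name) || X_ROLES_HEADER.equalsIgnoreCase(name)) {
                        it.remove();
                    }
                }
                names.add(X_TENANT_ID_HEADER);
                names.add(X_ROLES_HEADER);
                return Collections.enumeration(names);
            }

            @Override
            public Enumeration<String> getHeaders(String name) {
                if (X_TENANT_ID_HEADER.equalsIgnoreCase(name)) {
                    return singleValue(attributeAsString(httpServletRequest, X_TENANT_ID_ATTRIBUTE));
                }
                if (X_ROLES_HEADER.equalsIgnoreCase(name)) {
                    return singleValue(attributeAsString(httpServletRequest, X_ROLES_ATTRIBUTE));
                }
                return super.getHeaders(name);
            }

            /** Enumerates the one value, or nothing when the value is null. */
            private Enumeration<String> singleValue(String value) {
                if (value == null) {
                    return Collections.enumeration(Collections.<String>emptyList());
                }
                return Collections.enumeration(Collections.singleton(value));
            }
        };
    }

    /**
     * Writes a 401 JSON error through the capturing response wrapper.
     *
     * <p>NOTE(review): a missing role is also reported as 401 rather than 403, so the status code
     * alone does not separate authentication failures from authorization failures; clients may
     * depend on the current value, so confirm before changing it.
     *
     * @param response the capturing response wrapper
     * @param tenantId the tenant to name in the default message, or null to omit it
     * @param message a custom message used as a {@link String#format} pattern with
     *     {@code tenantId} as its argument, or null for the default message; it must be a trusted
     *     constant because a stray {@code %} would make formatting throw
     * @param exception the failure to attach to the default error, or null
     * @throws IOException if the error cannot be written to the response
     */
    private void sendAuthError(PreAuthenticationFilter.ErrorCapturingServletResponseWrapper response, @Nullable String tenantId, @Nullable String message, @Nullable Exception exception) throws IOException {
        response.setContentType(MediaType.APPLICATION_JSON);
        if (message != null) {
            response.sendError(401, String.format(message, tenantId));
            return;
        }
        String defaultMessage = tenantId == null
                ? "Failed to authenticate request"
                : "Failed to authenticate request for " + tenantId;
        response.sendError(401, defaultMessage, exception);
    }
}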
