package net.aequologica.neo.geppaequo.oauth;

import com.sap.cloud.security.oauth2.OAuthAuthorization;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.aequologica.neo.geppaequo.config.ConfigRegistry;
import net.aequologica.neo.geppaequo.config.geppaequo.GeppaequoConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

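/**
 * Servlet filter that gates state-changing calls under {@code /api/*} behind the
 * SAP Cloud {@link OAuthAuthorization} service.
 *
 * <p>A request passes this filter without an OAuth check when any of the following
 * holds (see {@link #hasPermission}):
 * <ul>
 *   <li>the container already authenticated the caller ({@code getRemoteUser()} is set),</li>
 *   <li>the HTTP method is not one of POST, PUT, DELETE, PATCH (reads are not protected here),</li>
 *   <li>the OAuth {@code active} flag in {@link GeppaequoConfig} is off.</li>
 * </ul>
 * Otherwise the request is handed to {@code OAuthAuthorization.isAuthorized(request, "everything")};
 * a negative answer yields 403, and any exception raised during the check yields 400
 * (the filter fails closed).
 *
 * <p>This source was recovered from a decompiled class file; the decompiler noted that
 * {@code AccessTokenParser} was originally private.
 */
@WebFilter(urlPatterns = {"/api/*"}, asyncSupported = true)
public class OAuthFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(OAuthFilter.class);

    /**
     * Extracts the bearer credential from the {@code Authorization} request header.
     *
     * <p>Kept {@code public static} so the {@link #parse} entry point stays callable
     * as in the compiled artifact.
     */
    public static class AccessTokenParser {
        private static final String BEARER_TOKEN_PREFIX = "Bearer";

        /** Static-only holder; not instantiable. */
        private AccessTokenParser() {
        }

        /**
         * Returns the credential part of an {@code Authorization: Bearer <token>} header.
         *
         * <p>Only the presence of the header and the scheme it names are logged,
         * never the credential itself.
         *
         * @param httpServletRequest request whose {@code Authorization} header is read
         * @return the text following the {@code Bearer} scheme, as sent (not trimmed)
         * @throws IOException if the header is absent, has no credential part,
         *         names a scheme other than {@code Bearer} (compared exactly),
         *         or the credential part is blank
         */
        public static String parse(HttpServletRequest httpServletRequest) throws IOException {
            String header = httpServletRequest.getHeader("Authorization");
            // Do not log the raw header value: it carries the bearer credential.
            OAuthFilter.log.trace("[OAuth Filter] authzHeader is {}", header == null ? "absent" : "present");
            if (header == null) {
                throw new IOException("Missing Authorization header");
            }
            // limit 2: the first space separates scheme from credential; later spaces stay in the credential
            String[] parts = header.split(" ", 2);
            if (parts.length < 2) {
                throw new IOException("Invalid Authorization header content");
            }
            String scheme = parts[0];
            String credential = parts[1];
            OAuthFilter.log.trace("[OAuth Filter] authorization scheme is '{}'", scheme);
            // NOTE(review): RFC 7235 defines scheme names as case-insensitive; the original
            // compared them exactly and that comparison is preserved here.
            if (!BEARER_TOKEN_PREFIX.equals(scheme)) {
                throw new IOException("Unrecognized Access Token Type");
            }
            // split() never yields null elements, so only the blank case needs rejecting
            if (credential.trim().isEmpty()) {
                throw new IOException("Invalid Authorization header content");
            }
            return credential;
        }
    }

    /** No filter configuration is read. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Applies the OAuth check to HTTP exchanges and lets non-HTTP exchanges through untouched.
     *
     * <p>When {@link #hasPermission} returns {@code false} it has already written the
     * error response, so the chain is not continued.
     *
     * @throws IOException      propagated from the permission check or the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (servletRequest instanceof HttpServletRequest && servletResponse instanceof HttpServletResponse) {
            HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
            HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
            if (!hasPermission(httpRequest, httpResponse)) {
                return;
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Decides whether the request may proceed, writing the error response when it may not.
     *
     * @param httpServletRequest  the request under review
     * @param httpServletResponse the response to which 403/400 is written on denial
     * @return {@code true} to continue the filter chain; {@code false} after a 403
     *         (not authorized) or a 400 (exception during the check) has been sent
     * @throws IOException if writing the error response fails
     */
    private boolean hasPermission(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        GeppaequoConfig geppaequoConfig = (GeppaequoConfig) ConfigRegistry.CONFIG_REGISTRY.getConfig(GeppaequoConfig.class);
        try {
            // A caller the container already authenticated is accepted without an OAuth check.
            String remoteUser = httpServletRequest.getRemoteUser();
            if (remoteUser != null && !remoteUser.isEmpty()) {
                log.trace("[OAuth Filter] user '{}' logged in, skip OAuth authentication", remoteUser);
                return true;
            }
            // Only state-changing methods are protected; GET/HEAD/OPTIONS pass without a token.
            String method = httpServletRequest.getMethod();
            if (!isProtectedMethod(method)) {
                log.trace("[OAuth Filter] request method is '{}', not POST|PUT|DELETE|PATCH, skip OAuth authentication", method);
                return true;
            }
            GeppaequoConfig.OAuth oAuth = geppaequoConfig.getOAuth();
            boolean active = oAuth.getActive().booleanValue();
            log.trace("[OAuth Filter] oauth is {}", active ? "ACTIVE" : "INACTIVE");
            if (!active) {
                log.trace("[OAuth Filter] oauth config is desactivated, skip OAuth authentication");
                return true;
            }
            // The parser's result is informational only: a missing or malformed header is
            // logged and the authorization service below remains the enforcing step.
            try {
                AccessTokenParser.parse(httpServletRequest);
            } catch (IOException e) {
                // message fills the placeholder; the throwable is passed separately for the stack trace
                log.error("[OAuth Filter] exception parsing Authorization header: '{}'", e.getMessage(), e);
            }
            OAuthAuthorization oAuthAuthorizationService = OAuthAuthorization.getOAuthAuthorizationService();
            log.trace("[OAuth Filter] OAuthAuthorizationService is '{}', class '{}'", oAuthAuthorizationService, oAuthAuthorizationService == null ? "n/a" : oAuthAuthorizationService.getClass().getName());
            // A null service surfaces as NullPointerException and is denied by the catch below.
            boolean isAuthorized = oAuthAuthorizationService.isAuthorized(httpServletRequest, "everything");
            log.trace("[OAuth Filter] method hasPermission returns {}", Boolean.valueOf(isAuthorized));
            if (!isAuthorized) {
                httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            }
            return isAuthorized;
        } catch (Exception e2) {
            // Fail closed: any failure while checking denies the request.
            log.error("[OAuth Filter] caught exception, method hasPermission returns false ", e2);
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return false;
        }
    }

    /**
     * Tells whether {@code method} is one of the state-changing verbs this filter protects.
     *
     * @param method HTTP method name, compared case-insensitively
     * @return {@code true} for POST, PUT, DELETE and PATCH
     */
    private static boolean isProtectedMethod(String method) {
        return method.equalsIgnoreCase("POST")
                || method.equalsIgnoreCase("PUT")
                || method.equalsIgnoreCase("DELETE")
                || method.equalsIgnoreCase("PATCH");
    }
}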
