package org.craftercms.engine.util.spring.security.preview;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import java.beans.ConstructorProperties;
import java.io.IOException;
import java.util.Arrays;
import java.util.Objects;
import org.apache.commons.lang3.StringUtils;
import org.craftercms.commons.crypto.CryptoException;
import org.craftercms.commons.crypto.TextEncryptor;
import org.craftercms.commons.http.HttpUtils;
import org.craftercms.engine.exception.PreviewAccessException;
import org.craftercms.engine.service.context.SiteContext;
import org.springframework.http.HttpStatus;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:WEB-INF/classes/org/craftercms/engine/util/spring/security/preview/PreviewAccessTokenFilter.class */
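/**
 * Servlet filter that gates preview access to a site behind an encrypted preview token.
 *
 * <p>The token is looked up, in order, in the {@value #PREVIEW_SITE_TOKEN_HEADER_NAME} request header,
 * the {@value #PREVIEW_SITE_TOKEN_NAME} request parameter and the {@value #PREVIEW_SITE_TOKEN_NAME}
 * cookie. Once decrypted it must consist of exactly two {@code |}-separated fields: a comma-separated
 * list of site names and an expiry timestamp in epoch milliseconds. A request is allowed through only
 * when the token has not expired and the current site is in the list; every other outcome is reported
 * as a {@link PreviewAccessException} (401 for a missing/unreadable token, 403 for an expired or
 * non-matching one). Requests with no current site name are passed through untouched.
 *
 * <p>Only the outcome (never the token itself) is written to the debug log.
 */
public class PreviewAccessTokenFilter extends GenericFilterBean {
    private static final String PREVIEW_SITE_TOKEN_NAME = "crafterPreview";
    private static final String PREVIEW_SITE_TOKEN_HEADER_NAME = "X-Crafter-Preview";
    /** Regex separating the site list from the expiry timestamp inside the decrypted token. */
    private static final String TOKEN_FIELD_SEPARATOR = "\\|";
    /** Separator between site names in the first token field. */
    private static final String SITE_LIST_SEPARATOR = ",";
    /** Number of fields a well-formed decrypted token has: sites, expiry. */
    private static final int TOKEN_FIELD_COUNT = 2;

    private final TextEncryptor textEncryptor;

    /**
     * @param textEncryptor encryptor used to decrypt incoming preview tokens; must not be {@code null}
     * @throws NullPointerException if {@code textEncryptor} is {@code null}
     */
    @ConstructorProperties({"textEncryptor"})
    public PreviewAccessTokenFilter(TextEncryptor textEncryptor) {
        this.textEncryptor = Objects.requireNonNull(textEncryptor, "textEncryptor");
    }

    /**
     * Validates the preview token of the request and either continues the chain or rejects the request.
     *
     * @throws PreviewAccessException with {@link HttpStatus#UNAUTHORIZED} when the token is missing,
     *         cannot be decrypted or is malformed, and with {@link HttpStatus#FORBIDDEN} when it has
     *         expired or does not cover the current site
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;

        // NOTE(review): treating a missing SiteContext like an empty site name keeps the existing
        // pass-through semantics instead of failing with an NPE — confirm getCurrent() can be null here.
        SiteContext siteContext = SiteContext.getCurrent();
        String siteName = siteContext != null ? siteContext.getSiteName() : null;
        if (StringUtils.isEmpty(siteName)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // NOTE(review): accepting the token as a query parameter means it can end up in access logs,
        // browser history and Referer headers; the header or cookie forms are preferable for callers.
        String token = resolvePreviewToken(httpServletRequest);
        if (StringUtils.isEmpty(token)) {
            throw reject(HttpStatus.UNAUTHORIZED, String.format(
                    "User is not authorized to preview site. '%s' header or '%s' token not found",
                    PREVIEW_SITE_TOKEN_HEADER_NAME, PREVIEW_SITE_TOKEN_NAME));
        }

        String[] fields = decryptPreviewToken(token);
        if (fields.length != TOKEN_FIELD_COUNT) {
            throw reject(HttpStatus.UNAUTHORIZED, String.format(
                    "Failed to validate preview site token. Found '%s' header or '%s' token elements but expecting 2",
                    PREVIEW_SITE_TOKEN_HEADER_NAME, PREVIEW_SITE_TOKEN_NAME));
        }

        // The expiry field comes from decrypted (but still caller-supplied) data: a non-numeric value
        // must be a 401 like any other malformed token, not a NumberFormatException turned into a 500.
        long expiresAtMillis;
        try {
            expiresAtMillis = Long.parseLong(fields[1]);
        } catch (NumberFormatException e) {
            this.logger.debug("Failed to validate preview site token: expiry is not a number", e);
            throw reject(HttpStatus.UNAUTHORIZED, String.format(
                    "Failed to validate preview site token. '%s' header or '%s' token has an invalid expiry",
                    PREVIEW_SITE_TOKEN_HEADER_NAME, PREVIEW_SITE_TOKEN_NAME));
        }
        if (expiresAtMillis < System.currentTimeMillis()) {
            throw reject(HttpStatus.FORBIDDEN, String.format(
                    "User is not authorized to preview site '%s', '%s' header or '%s' token has expired",
                    siteName, PREVIEW_SITE_TOKEN_HEADER_NAME, PREVIEW_SITE_TOKEN_NAME));
        }

        if (!Arrays.asList(fields[0].split(SITE_LIST_SEPARATOR)).contains(siteName)) {
            throw reject(HttpStatus.FORBIDDEN, String.format(
                    "User is not authorized to preview site '%s', '%s' header or '%s' token does not match",
                    siteName, PREVIEW_SITE_TOKEN_HEADER_NAME, PREVIEW_SITE_TOKEN_NAME));
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Looks up the raw (still encrypted) preview token: header first, then request parameter, then cookie.
     *
     * @return the first non-empty value found, or the (possibly {@code null}) cookie lookup result
     */
    private String resolvePreviewToken(HttpServletRequest request) {
        String token = request.getHeader(PREVIEW_SITE_TOKEN_HEADER_NAME);
        if (StringUtils.isEmpty(token)) {
            token = request.getParameter(PREVIEW_SITE_TOKEN_NAME);
        }
        if (StringUtils.isEmpty(token)) {
            token = HttpUtils.getCookieValue(PREVIEW_SITE_TOKEN_NAME, request);
        }
        return token;
    }

    /**
     * Logs the rejection reason at debug level and builds the exception to throw for it.
     *
     * @param status  HTTP status to report
     * @param message reason, which must not contain the token
     * @return the exception for the caller to {@code throw}
     */
    private PreviewAccessException reject(HttpStatus status, String message) {
        this.logger.debug(message);
        return new PreviewAccessException(status, message);
    }

    /**
     * Decrypts the token and splits it into its {@code |}-separated fields.
     *
     * @throws PreviewAccessException with {@link HttpStatus#UNAUTHORIZED} if decryption fails; the
     *         crypto error is logged at debug level only and not exposed to the client
     */
    private String[] decryptPreviewToken(String token) {
        try {
            return this.textEncryptor.decrypt(token).split(TOKEN_FIELD_SEPARATOR);
        } catch (CryptoException e) {
            this.logger.debug("Failed to decrypt preview site token", e);
            throw new PreviewAccessException(HttpStatus.UNAUTHORIZED, "Failed to decrypt preview site token");
        }
    }
}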
