package org.eclipse.dirigible.runtime.security.filter;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.dirigible.api.v3.utils.EscapeFacade;
import org.eclipse.dirigible.commons.api.module.StaticInjector;
import org.eclipse.dirigible.commons.api.service.AbstractRestService;
import org.eclipse.dirigible.core.security.api.AccessException;
import org.eclipse.dirigible.core.security.api.ISecurityCoreService;
import org.eclipse.dirigible.core.security.definition.AccessDefinition;
import org.eclipse.dirigible.core.security.service.SecurityCoreService;
import org.eclipse.dirigible.core.security.verifier.AccessVerifier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@WebFilter(urlPatterns = {"/services/v3/js/*", "/services/v3/rhino/*", "/services/v3/nashorn/*", "/services/v3/v8/*", "/services/v3/public/*", "/services/v3/web/*", "/services/v3/wiki/*"}, filterName = "SecurityFilter", description = "Check all the URIs for access permissions")
/* loaded from: input_file:WEB-INF/lib/dirigible-service-security-3.2.2.jar:org/eclipse/dirigible/runtime/security/filter/SecurityFilter.class */
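/**
 * Servlet filter that enforces the "HTTP" access definitions of the security core service
 * on the script, public, web and wiki endpoints it is registered for.
 *
 * <p>For every request the first path segment (e.g. {@code /js}) is stripped from the servlet
 * path info and the remainder is matched against the stored access definitions for the request
 * method. If at least one definition matches, the request must carry an authenticated principal
 * holding <em>any</em> of the roles named by the matching definitions; otherwise the request is
 * answered with 403. Paths with no matching definition pass straight through to the chain.
 *
 * <p>Stateless apart from the constant prefix set, so a single instance is safe to share
 * across request threads.
 */
public class SecurityFilter implements Filter {
    private static final Logger logger = LoggerFactory.getLogger(SecurityFilter.class);
    private static ISecurityCoreService securityCoreService = (ISecurityCoreService) StaticInjector.getInjector().getInstance(SecurityCoreService.class);

    /**
     * Leading path segments that are removed before the access-definition lookup, one per URL
     * pattern the filter is registered on. Populated once at class-load time and immutable, so
     * repeated {@link #init(FilterConfig)} / {@link #destroy()} cycles cannot change it.
     */
    private static final Set<String> SECURED_PREFIXES = Collections.unmodifiableSet(new HashSet<String>(
            Arrays.asList("/js", "/rhino", "/nashorn", "/v8", "/public", "/web", "/wiki")));

    /** Scheme under which the HTTP access definitions are looked up. */
    private static final String ACCESS_SCHEME_HTTP = "HTTP";

    /** Reason reported when the caller is authenticated but has none of the required roles. */
    private static final String NO_REQUIRED_ROLE = "The logged in user does not have any of the required roles for the requested URI";

    /**
     * No per-instance state to set up: the secured prefixes are constants.
     *
     * @param filterConfig the container-supplied configuration (unused)
     */
    @Override // javax.servlet.Filter
    public void init(FilterConfig filterConfig) throws ServletException {
        // Intentionally empty; SECURED_PREFIXES is initialised statically.
    }

    /**
     * Checks the request against the matching access definitions and either rejects it with
     * 403 or forwards it down the chain.
     *
     * @param servletRequest  the incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse the response; must be an {@link HttpServletResponse}
     * @param filterChain     the remaining chain, invoked only when access is granted
     * @throws IOException      if writing the error response fails
     * @throws ServletException if the chain fails, or wrapping an {@link AccessException} or
     *                          {@link IllegalArgumentException} raised by the access lookup
     */
    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        try {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
            // The access definitions are keyed by the path *below* the secured prefix.
            String pathInfo = stripSecuredPrefix(httpServletRequest.getPathInfo());
            List<AccessDefinition> matchingAccessDefinitions = AccessVerifier.getMatchingAccessDefinitions(
                    securityCoreService, ACCESS_SCHEME_HTTP, pathInfo, httpServletRequest.getMethod());
            // No definition for this path/method means the resource is not protected by this filter.
            if (!matchingAccessDefinitions.isEmpty()) {
                // Authentication is checked before authorization so that an anonymous caller
                // gets the "not logged in" reason rather than a role-related one.
                if (httpServletRequest.getUserPrincipal() == null) {
                    forbidden(pathInfo, AbstractRestService.NO_LOGGED_IN_USER, httpServletResponse);
                    return;
                }
                if (!hasAnyRequiredRole(httpServletRequest, matchingAccessDefinitions)) {
                    forbidden(pathInfo, NO_REQUIRED_ROLE, httpServletResponse);
                    return;
                }
            }
            filterChain.doFilter(servletRequest, servletResponse);
        } catch (IllegalArgumentException e) {
            throw new ServletException(e);
        } catch (AccessException e) {
            throw new ServletException(e);
        }
    }

    /**
     * Removes the leading secured prefix from the servlet path info.
     *
     * <p>A prefix only counts when it ends the path or is followed by {@code /}, so
     * {@code /js} and {@code /js/x} are stripped while {@code /jsx} is left untouched; the
     * prefixes do not overlap, so the unordered iteration over the set is deterministic in effect.
     *
     * @param rawPathInfo the value of {@link HttpServletRequest#getPathInfo()}, possibly null
     * @return the remainder after the prefix, or the (null-normalised) path when no prefix matches
     */
    private static String stripSecuredPrefix(String rawPathInfo) {
        String pathInfo = rawPathInfo != null ? rawPathInfo : "/";
        for (String prefix : SECURED_PREFIXES) {
            if (pathInfo.startsWith(prefix)
                    && (pathInfo.length() == prefix.length() || pathInfo.charAt(prefix.length()) == '/')) {
                return pathInfo.substring(prefix.length());
            }
        }
        return pathInfo;
    }

    /**
     * Any-of role check: true as soon as the caller is in the role of one matching definition.
     *
     * @param request     the authenticated request
     * @param definitions the access definitions that matched the path and method (non-empty)
     * @return whether the caller holds at least one required role
     */
    private static boolean hasAnyRequiredRole(HttpServletRequest request, List<AccessDefinition> definitions) {
        for (AccessDefinition definition : definitions) {
            if (request.isUserInRole(definition.getRole())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Logs the rejection and sends a 403 with a reason.
     *
     * @param uri      the (prefix-stripped) path that was denied
     * @param reason   why it was denied
     * @param response the response to write the error to
     * @throws IOException if the container cannot send the error
     */
    private void forbidden(String uri, String reason, HttpServletResponse response) throws IOException {
        String message = String.format("Requested URI [%s] is forbidden: %s", uri, reason);
        logger.warn(message);
        // The message echoes the request path back to the client, so it is HTML-escaped and
        // then JavaScript-escaped before being placed in the error body.
        response.sendError(HttpServletResponse.SC_FORBIDDEN, EscapeFacade.escapeJavascript(EscapeFacade.escapeHtml4(message)));
    }

    /** Nothing to release: the filter holds no per-instance resources. */
    @Override // javax.servlet.Filter
    public void destroy() {
    }
}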
