package org.opencastproject.kernel.security;

import com.entwinemedia.fn.Fn2;
import com.entwinemedia.fn.Stream;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.opencastproject.security.api.JaxbOrganization;
import org.opencastproject.security.api.JaxbRole;
import org.opencastproject.security.api.JaxbUser;
import org.opencastproject.security.api.Organization;
import org.opencastproject.security.api.OrganizationDirectoryService;
import org.opencastproject.security.api.SecurityConstants;
import org.opencastproject.security.api.SecurityService;
import org.opencastproject.security.api.User;
import org.opencastproject.security.api.UserDirectoryService;
import org.opencastproject.security.util.SecurityUtil;
import org.opencastproject.util.NotFoundException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/opencastproject/kernel/security/RemoteUserAndOrganizationFilter.class */
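/**
 * Servlet filter that lets a request temporarily run as a different organization, user and/or role
 * set, selected through request headers.
 * <p>
 * A switch is granted only to a caller that is already authenticated (the identity is read from the
 * {@link SecurityService} as set up by the preceding filters) and holds the required role:
 * <ul>
 * <li>{@code ROLE_ADMIN} to switch organization via {@value #ORGANIZATION_HEADER};</li>
 * <li>{@code ROLE_SUDO} to switch user via {@value #USER_HEADER} (or {@value #USER_HEADER_FALLBACK})
 * and to set roles via {@value #ROLES_HEADER} (or {@value #ROLES_HEADER_FALLBACK}).</li>
 * </ul>
 * A {@code ROLE_SUDO} caller that lacks {@code ROLE_ADMIN} cannot escalate through this filter: it
 * may not become a user holding any of {@link SecurityConstants#GLOBAL_SYSTEM_ROLES}, request one of
 * those roles, or gain the target organization's admin role unless it already holds that role.
 * Every rejected switch is answered with HTTP 403 and the chain is not invoked.
 * <p>
 * The caller's original organization and user are restored on the {@link SecurityService} before
 * {@link #doFilter} returns in every case (chain completed, request rejected, or exception
 * propagated), so a switched identity never outlives the request on the handling thread.
 */
public class RemoteUserAndOrganizationFilter implements Filter {

    /** Header naming the organization to run the request in. */
    private static final String ORGANIZATION_HEADER = "X-Opencast-Matterhorn-Organization";
    /** Header naming the user to run the request as. */
    private static final String USER_HEADER = "X-Opencast-Matterhorn-User";
    /** Alternative header consulted when {@link #USER_HEADER} is blank. */
    private static final String USER_HEADER_FALLBACK = "X-RUN-AS-USER";
    /** Header carrying a comma-separated list of roles to run the request with. */
    private static final String ROLES_HEADER = "X-Opencast-Matterhorn-Roles";
    /** Alternative header consulted when {@link #ROLES_HEADER} is blank. */
    private static final String ROLES_HEADER_FALLBACK = "X-RUN-WITH-ROLES";

    /** Role required to switch organizations and to switch to privileged users or roles. */
    private static final String ROLE_ADMIN = "ROLE_ADMIN";
    /** Role required to switch user or roles at all. */
    private static final String ROLE_SUDO = "ROLE_SUDO";
    /** Value of the user header that selects the anonymous user of the target organization. */
    private static final String ANONYMOUS_USER = "anonymous";

    protected SecurityService securityService;
    protected OrganizationDirectoryService organizationDirectory;
    protected UserDirectoryService userDirectory;

    private static final Logger logger = LoggerFactory.getLogger(RemoteUserAndOrganizationFilter.class);

    /** Builds a {@link JaxbRole} for a role name within a given organization. */
    private static final Fn2<String, Organization, JaxbRole> toJaxbRole = new Fn2<String, Organization, JaxbRole>() {
        @Override
        public JaxbRole apply(String roleName, Organization organization) {
            return new JaxbRole(roleName, JaxbOrganization.fromOrganization(organization));
        }
    };

    /** Nothing to configure; the collaborators are injected through the package-private setters. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Applies any organization, user and role switch requested through headers, runs the chain with
     * the resulting identity and restores the caller's identity afterwards.
     *
     * @param servletRequest the request; must be an {@link HttpServletRequest}
     * @param servletResponse the response; cast to {@link HttpServletResponse} when a switch is rejected
     * @param filterChain the remaining chain, invoked only when every requested switch was granted
     * @throws IOException if sending the 403 or the chain fails
     * @throws ServletException if the chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;

        // The authenticated identity; every authorization decision below is made against it, and it
        // is what gets restored in the finally block.
        final Organization originalOrganization = securityService.getOrganization();
        final User originalUser = securityService.getUser();

        Organization organization = originalOrganization;
        User user = originalUser;
        try {
            final String requestedOrganization = request.getHeader(ORGANIZATION_HEADER);
            if (StringUtils.isBlank(requestedOrganization)) {
                logger.trace("Request organization remains '{}'", originalOrganization.getId());
            } else {
                final Optional<Organization> switched = switchOrganization(requestedOrganization, originalUser,
                        originalOrganization, servletResponse);
                if (!switched.isPresent()) {
                    return;
                }
                organization = switched.get();
            }

            final String requestedUser = headerWithFallback(request, USER_HEADER, USER_HEADER_FALLBACK);
            if (StringUtils.isNotBlank(requestedUser)) {
                final Optional<User> switched = switchUser(requestedUser, originalUser, organization, servletResponse);
                if (!switched.isPresent()) {
                    return;
                }
                user = switched.get();
                logger.trace("Switching from user '{}' to user '{}' from request header '{}'",
                        originalUser.getUsername(), user.getUsername(), USER_HEADER);
                securityService.setUser(user);
            }

            final String requestedRoles = headerWithFallback(request, ROLES_HEADER, ROLES_HEADER_FALLBACK);
            if (StringUtils.isNotBlank(requestedRoles)) {
                final Optional<User> amended = applyRoles(requestedRoles, StringUtils.isNotBlank(requestedUser),
                        originalUser, user, organization, servletResponse);
                if (!amended.isPresent()) {
                    return;
                }
                user = amended.get();
                securityService.setUser(user);
            }

            logger.trace("Executing the filter chain with user '{}@{}'", user.getUsername(), organization.getId());
            filterChain.doFilter(request, servletResponse);
        } finally {
            // Undo any switch regardless of how the request ended (normal completion, early rejection
            // or exception) so the switched identity cannot leak into the next request on this thread.
            securityService.setOrganization(originalOrganization);
            securityService.setUser(originalUser);
        }
    }

    /**
     * Switches the security context to the requested organization.
     * <p>
     * Only a caller holding {@value #ROLE_ADMIN} may switch organizations; an unknown organization is
     * rejected as well. On success the organization is set on the {@link SecurityService} before
     * returning, so the user lookups that follow run with it already in place.
     *
     * @param requestedOrganization the non-blank organization id from {@value #ORGANIZATION_HEADER}
     * @param caller the authenticated user making the request
     * @param current the organization the request currently runs in (used for logging only)
     * @param response the response to reject on
     * @return the target organization, or empty when the request was rejected with 403
     * @throws IOException if sending the 403 fails
     */
    private Optional<Organization> switchOrganization(String requestedOrganization, User caller, Organization current,
            ServletResponse response) throws IOException {
        if (!caller.hasRole(ROLE_ADMIN)) {
            logger.warn("An unauthorized request is trying to switch from organization '{}' to '{}'",
                    current.getId(), requestedOrganization);
            forbid(response);
            return Optional.empty();
        }
        final Organization target;
        try {
            target = organizationDirectory.getOrganization(requestedOrganization);
        } catch (NotFoundException e) {
            logger.warn("Non-existing organization '{}' specified in request header {}",
                    requestedOrganization, ORGANIZATION_HEADER);
            forbid(response);
            return Optional.empty();
        }
        securityService.setOrganization(target);
        logger.trace("Switching to organization '{}' from request header {}", target.getId(), ORGANIZATION_HEADER);
        return Optional.of(target);
    }

    /**
     * Resolves the user the request should run as.
     * <p>
     * Requires {@value #ROLE_SUDO}. {@value #ANONYMOUS_USER} selects the anonymous user of
     * {@code organization}; any other value is looked up in the user directory and must exist. A
     * caller without {@value #ROLE_ADMIN} is additionally refused if the target holds any of
     * {@link SecurityConstants#GLOBAL_SYSTEM_ROLES}, or holds the organization's admin role while the
     * caller does not.
     *
     * @param requestedUser the non-blank username from the user header
     * @param caller the authenticated user making the request
     * @param organization the organization the request will run in
     * @param response the response to reject on
     * @return the user to run as, or empty when the request was rejected with 403
     * @throws IOException if sending the 403 fails
     */
    private Optional<User> switchUser(String requestedUser, User caller, Organization organization,
            ServletResponse response) throws IOException {
        if (!caller.hasRole(ROLE_SUDO)) {
            logger.warn("An unauthorized request is trying to switch from user '{}' to '{}'",
                    caller.getUsername(), requestedUser);
            forbid(response);
            return Optional.empty();
        }
        if (ANONYMOUS_USER.equals(requestedUser)) {
            final User anonymous = SecurityUtil.createAnonymousUser(organization);
            logger.trace("Request user is switched to '{}'", anonymous.getUsername());
            return Optional.of(anonymous);
        }
        final User target = userDirectory.loadUser(requestedUser);
        if (target == null) {
            logger.warn("Unable to switch to non-existing user '{}' as specified in request header {}",
                    requestedUser, USER_HEADER);
            forbid(response);
            return Optional.empty();
        }
        if (!caller.hasRole(ROLE_ADMIN)) {
            // A sudo-only caller must not pick up global system privileges through the target user.
            for (String systemRole : SecurityConstants.GLOBAL_SYSTEM_ROLES) {
                if (target.hasRole(systemRole)) {
                    logger.warn("An unauthorized request is trying to switch to an admin user, from '{}' to '{}'",
                            caller.getUsername(), requestedUser);
                    forbid(response);
                    return Optional.empty();
                }
            }
            // Nor the target organization's admin role, unless the caller already holds it.
            final String adminRole = organization.getAdminRole();
            if (!caller.hasRole(adminRole) && target.hasRole(adminRole)) {
                logger.warn("An unauthorized request is trying to switch to an admin user, from '{}' to '{}'",
                        caller.getUsername(), requestedUser);
                forbid(response);
                return Optional.empty();
            }
        }
        return Optional.of(target);
    }

    /**
     * Builds the user the request should run as once the requested roles are applied.
     * <p>
     * Requires {@value #ROLE_SUDO}. The header value is split on {@code ","} and the entries are
     * compared verbatim (no trimming), so an entry padded with whitespace is a different string from
     * the role it resembles in the checks below. A caller without {@value #ROLE_ADMIN} may not request
     * any of {@link SecurityConstants#GLOBAL_SYSTEM_ROLES}, nor the organization's admin role unless
     * it already holds that role. The roles are attached to {@code current} when a user was
     * requested, otherwise to the anonymous user of {@code organization} — not to the caller. The
     * result is a new {@link JaxbUser} carrying the base user's attributes with the parsed list as
     * its role set; whether roles the base user already had are retained depends on that
     * constructor (TODO confirm against JaxbUser).
     *
     * @param requestedRoles the non-blank, comma-separated roles from the roles header
     * @param userRequested whether a user header was present (decides the base user)
     * @param caller the authenticated user making the request
     * @param current the user the request currently runs as
     * @param organization the organization the request will run in
     * @param response the response to reject on
     * @return the user with the requested roles, or empty when the request was rejected with 403
     * @throws IOException if sending the 403 fails
     */
    private Optional<User> applyRoles(String requestedRoles, boolean userRequested, User caller, User current,
            Organization organization, ServletResponse response) throws IOException {
        if (!caller.hasRole(ROLE_SUDO)) {
            logger.warn("An unauthorized request is trying to switch roles from '{}' to '{}'",
                    current.getRoles(), requestedRoles);
            forbid(response);
            return Optional.empty();
        }
        final List<String> roles = Arrays.asList(StringUtils.split(requestedRoles, ","));
        if (!caller.hasRole(ROLE_ADMIN)) {
            for (String systemRole : SecurityConstants.GLOBAL_SYSTEM_ROLES) {
                if (roles.contains(systemRole)) {
                    logger.warn("An unauthorized request by user '{}' is trying to gain admin role '{}'",
                            caller.getUsername(), systemRole);
                    forbid(response);
                    return Optional.empty();
                }
            }
            final String adminRole = organization.getAdminRole();
            if (!caller.hasRole(adminRole) && roles.contains(adminRole)) {
                logger.warn("An unauthorized request by user '{}' is trying to gain admin role '{}'",
                        caller.getUsername(), adminRole);
                forbid(response);
                return Optional.empty();
            }
        }
        // Without an explicit user the roles are granted to the anonymous user of the target
        // organization, never to the caller's own account.
        final User base = userRequested ? current : SecurityUtil.createAnonymousUser(organization);
        final User amended = new JaxbUser(base.getUsername(), base.getPassword(), base.getName(), base.getEmail(),
                base.getProvider(), base.canLogin(), JaxbOrganization.fromOrganization(base.getOrganization()),
                Stream.$(roles).map(toJaxbRole._2(organization)).toSet());
        logger.trace("Request roles '{}' are amended to user '{}'", requestedRoles, amended.getUsername());
        return Optional.of(amended);
    }

    /**
     * Reads {@code primary}, falling back to {@code fallback} when the primary header is blank.
     *
     * @return the header value, which may still be null or blank if neither header is set
     */
    private static String headerWithFallback(HttpServletRequest request, String primary, String fallback) {
        final String value = request.getHeader(primary);
        return StringUtils.isBlank(value) ? request.getHeader(fallback) : value;
    }

    /**
     * Rejects the request with HTTP 403; the caller has already logged the reason.
     *
     * @throws IOException if the error response cannot be sent
     */
    private static void forbid(ServletResponse response) throws IOException {
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /** Injects the security service that holds the per-request organization and user. */
    void setSecurityService(SecurityService securityService) {
        this.securityService = securityService;
    }

    /** Injects the directory used to resolve the organization named in the request header. */
    void setOrganizationDirectoryService(OrganizationDirectoryService organizationDirectoryService) {
        this.organizationDirectory = organizationDirectoryService;
    }

    /** Injects the directory used to resolve the user named in the request header. */
    void setUserDirectoryService(UserDirectoryService userDirectoryService) {
        this.userDirectory = userDirectoryService;
    }
}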
