package org.gcube.common.authorizationservice.filters;

import java.io.IOException;
import javassist.compiler.TokenId;
import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.HttpHeaders;
import org.gcube.accounting.datamodel.UsageRecord;
import org.gcube.accounting.datamodel.usagerecords.ServiceUsageRecord;
import org.gcube.accounting.persistence.AccountingPersistence;
import org.gcube.accounting.persistence.AccountingPersistenceFactory;
import org.gcube.common.authorization.library.AuthorizationEntry;
import org.gcube.common.authorization.library.provider.CalledMethodProvider;
import org.gcube.common.authorizationservice.configuration.AllowedEntity;
import org.gcube.common.authorizationservice.configuration.AuthorizationRule;
import org.gcube.common.authorizationservice.configuration.ConfigurationHolder;
import org.gcube.common.authorizationservice.util.TokenPersistence;
import org.gcube.common.scope.api.ScopeProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

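/**
 * Servlet filter applied to every request ({@code /*}) that resolves the caller's
 * gCube token, stores the resulting {@link AuthorizationEntry} in the request
 * attribute {@link #AUTH_ATTRIBUTE}, and admits or rejects the call according to
 * the {@link AuthorizationRule}s returned by {@link ConfigurationHolder}.
 *
 * <p>Policy as implemented here: a path that matches no rule needs no token and
 * is allowed (default-allow). Rules are matched by path prefix.
 *
 * <p>NOTE(review): this source appears to be decompiler output (see the
 * "loaded from" marker below); constants and casts have been normalised.
 */
@WebFilter(urlPatterns = {"/*"}, filterName = "authorizationFilter")
/* loaded from: input_file:WEB-INF/classes/org/gcube/common/authorizationservice/filters/AuthorizedCallFilter.class */
public class AuthorizedCallFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(AuthorizedCallFilter.class);
    private static final String TOKEN_HEADER = "gcube-token";
    public static final String AUTH_ATTRIBUTE = "authorizationInfo";

    // Injected store used to resolve a token string to its AuthorizationEntry.
    @Inject
    TokenPersistence persistence;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Authenticates and authorizes one request before passing it down the chain.
     *
     * <p>Responds 401 when the matching rule requires a token and none resolved, or
     * when {@link #checkAllowed} rejects the caller; responds 400 when no usable
     * path can be derived from the request.
     *
     * @param servletRequest  incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse outgoing response; must be an {@link HttpServletResponse}
     * @param filterChain     remainder of the chain, invoked only for admitted calls
     * @throws IOException      propagated from {@code sendError} or the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        // The query/form parameter takes precedence over the header.
        // NOTE(review): a token passed in the URL ends up in access logs, proxies and
        // Referer headers; prefer the header and consider retiring the parameter form.
        String token = request.getParameter(TOKEN_HEADER);
        if (token == null) {
            token = request.getHeader(TOKEN_HEADER);
        }

        // NOTE(review): x-forwarded-for is supplied by the client unless a trusted
        // reverse proxy overwrites it, and this value feeds the IP allow-list in
        // checkAllowed. Confirm the service is reachable only through such a proxy,
        // otherwise IP rules should be evaluated against getRemoteAddr() alone.
        // A multi-valued header ("a, b") does not parse as an IP and never matches.
        String callerIp = request.getHeader("x-forwarded-for");
        if (callerIp == null) {
            // getRemoteAddr() always yields the numeric address; getRemoteHost() may
            // yield a DNS name when lookups are enabled, which cannot match an IP rule.
            callerIp = request.getRemoteAddr();
        }
        log.info("caller ip {}", callerIp);

        AuthorizationEntry authorizationEntry = null;
        if (token != null) {
            authorizationEntry = this.persistence.getAuthorizationEntry(token);
            // NOTE(review): logs AuthorizationEntry.toString() at INFO; verify it does
            // not render the token or other secrets.
            log.info("call from {} ", authorizationEntry);
        } else {
            log.info("call without token");
        }
        request.setAttribute(AUTH_ATTRIBUTE, authorizationEntry);

        String pathInfo = request.getPathInfo();
        if (pathInfo == null || pathInfo.isEmpty()) {
            pathInfo = request.getServletPath().replace("/gcube/service", "");
            log.info("called path info {} ", pathInfo);
            if (pathInfo.isEmpty()) {
                // Previously returned without committing a status, so the client saw an
                // empty success response for a call that was in fact rejected.
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                log.info("call rejected from filters: invalid path");
                return;
            }
        }

        // Require a resolved entry, not merely a non-null token string: if the store
        // returns null for an unknown token (presumably it does - confirm against
        // TokenPersistence), a token-required path must still be refused.
        if (requiresToken(pathInfo) && authorizationEntry == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            log.info("call rejected from filters, call requires caller token");
        } else if (checkAllowed(pathInfo, callerIp, authorizationEntry)) {
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            log.info("call rejected from filters");
        }
    }

    /**
     * Tells whether {@code rule} applies to {@code path}; rules match by prefix.
     *
     * <p>NOTE(review): a plain prefix match has no segment boundary, so a rule for
     * {@code /a} also covers {@code /ab}; confirm that is intended.
     */
    private static boolean ruleMatches(AuthorizationRule rule, String path) {
        return path.startsWith(rule.getServletPath());
    }

    /**
     * Returns the token-required flag of the first rule matching {@code path},
     * or {@code false} when no rule matches.
     */
    private boolean requiresToken(String path) {
        for (AuthorizationRule rule : ConfigurationHolder.getConfiguration().getAuthorizationRules()) {
            if (ruleMatches(rule, path)) {
                return rule.isTokenRequired();
            }
        }
        return false;
    }

    /**
     * Evaluates every rule matching {@code path} against the caller.
     *
     * <p>A matching rule rejects the call when it restricts token types and the
     * caller's type is not listed, or when it lists entities and none of them
     * (IP, user id, role) matches. A caller without a resolved entry can satisfy
     * only IP entities. Paths with no matching or no restricting rule are allowed.
     *
     * @param path               request path the rules are matched against
     * @param callerIp           caller address used for IP entities
     * @param authorizationEntry resolved caller, or {@code null} if unauthenticated
     * @return {@code true} if the call may proceed
     */
    private boolean checkAllowed(String path, String callerIp, AuthorizationEntry authorizationEntry) {
        for (AuthorizationRule rule : ConfigurationHolder.getConfiguration().getAuthorizationRules()) {
            if (!ruleMatches(rule, path)) {
                continue;
            }
            if (!rule.getAcceptedTokenType().isEmpty()) {
                // Fail closed instead of dereferencing a null entry (was an NPE -> 500).
                if (authorizationEntry == null) {
                    log.info("rejecting the call: no caller identity and allowed types defined {} ", rule.getAcceptedTokenType());
                    return false;
                }
                if (!rule.getAcceptedTokenType().contains(authorizationEntry.getClientInfo().getType())) {
                    log.info("rejecting the call: callerType {} is not in the allowed types defined {} ", authorizationEntry.getClientInfo().getType(), rule.getAcceptedTokenType());
                    return false;
                }
            }
            if (!rule.getEntities().isEmpty()) {
                for (AllowedEntity allowedEntity : rule.getEntities()) {
                    switch (allowedEntity.getType()) {
                        case IP:
                            log.trace("checking ip rule : {} -> {}", allowedEntity.getValue(), callerIp);
                            if (checkIpInRange(callerIp, allowedEntity.getValue())) {
                                return true;
                            }
                            break;
                        case USER:
                            // Identity-based entities cannot match an unauthenticated caller.
                            if (authorizationEntry == null) {
                                break;
                            }
                            log.trace("checking user rule : {} -> {}", allowedEntity.getValue(), authorizationEntry.getClientInfo().getId());
                            if (allowedEntity.getValue().equals(authorizationEntry.getClientInfo().getId())) {
                                return true;
                            }
                            break;
                        case ROLE:
                            if (authorizationEntry == null) {
                                break;
                            }
                            log.trace("checking role rule : {} -> {}", allowedEntity.getValue(), authorizationEntry.getClientInfo().getRoles());
                            if (authorizationEntry.getClientInfo().getRoles().contains(allowedEntity.getValue())) {
                                return true;
                            }
                            break;
                        default:
                            break;
                    }
                }
                return false;
            }
        }
        return true;
    }

    /**
     * Matches a dotted-quad caller address against a dotted-quad rule in which an
     * octet of {@code 0} acts as a wildcard.
     *
     * <p>Anything that is not exactly four decimal octets in 0..255 (IPv6, host
     * names, header lists, out-of-range numbers) yields {@code false}. The earlier
     * version narrowed each octet to a byte, so out-of-range values wrapped around
     * instead of being refused, and malformed input threw.
     *
     * @param callerIp address of the caller
     * @param ruleIp   configured pattern
     * @return {@code true} if every non-zero rule octet equals the caller's octet
     */
    private static boolean checkIpInRange(String callerIp, String ruleIp) {
        if (callerIp == null || ruleIp == null) {
            return false;
        }
        // Limit -1 keeps trailing empty fields so "1.2.3.4." is seen as five parts.
        String[] ruleParts = ruleIp.split("\\.", -1);
        String[] callerParts = callerIp.split("\\.", -1);
        if (ruleParts.length != 4 || callerParts.length != 4) {
            return false;
        }
        for (int i = 0; i < 4; i++) {
            int ruleOctet = parseOctet(ruleParts[i]);
            int callerOctet = parseOctet(callerParts[i]);
            if (ruleOctet < 0 || callerOctet < 0) {
                return false;
            }
            if (ruleOctet != 0 && ruleOctet != callerOctet) {
                return false;
            }
        }
        return true;
    }

    /** Parses one to three ASCII digits as an octet; returns -1 unless the value is 0..255. */
    private static int parseOctet(String text) {
        if (text.isEmpty() || text.length() > 3) {
            return -1;
        }
        int value = 0;
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            if (c < '0' || c > '9') {
                return -1;
            }
            value = value * 10 + (c - '0');
        }
        return value <= 255 ? value : -1;
    }

    @Override
    public void destroy() {
    }

    /**
     * Builds a {@link ServiceUsageRecord} for one call and hands it to the
     * accounting persistence. Failures are logged and never propagated.
     *
     * <p>Not invoked from within this class.
     *
     * @param consumerId      id recorded as the consumer
     * @param callerQualifier qualifier recorded for the caller
     * @param callerHost      host recorded for the caller
     * @param success         whether the operation is recorded as SUCCESS or FAILED
     * @param startMillis     call start in epoch milliseconds, used for the duration
     * @param host            host recorded for this service
     */
    void generateAccounting(String consumerId, String callerQualifier, String callerHost, boolean success, long startMillis, String host) {
        AccountingPersistenceFactory.setFallbackLocation(ConfigurationHolder.getConfiguration().getAccountingDir());
        AccountingPersistence accounting = AccountingPersistenceFactory.getPersistence();
        ServiceUsageRecord serviceUsageRecord = new ServiceUsageRecord();
        try {
            serviceUsageRecord.setConsumerId(consumerId);
            serviceUsageRecord.setCallerQualifier(callerQualifier);
            serviceUsageRecord.setScope(ScopeProvider.instance.get());
            serviceUsageRecord.setServiceClass("Common");
            // NOTE(review): the HttpHeaders constant is probably a decompiler
            // substitution for a plain service-name literal with the same value.
            serviceUsageRecord.setServiceName(HttpHeaders.AUTHORIZATION);
            serviceUsageRecord.setHost(host);
            serviceUsageRecord.setCalledMethod(CalledMethodProvider.instance.get());
            serviceUsageRecord.setCallerHost(callerHost);
            serviceUsageRecord.setOperationResult(success ? UsageRecord.OperationResult.SUCCESS : UsageRecord.OperationResult.FAILED);
            serviceUsageRecord.setDuration(Long.valueOf(System.currentTimeMillis() - startMillis));
            accounting.account(serviceUsageRecord);
        } catch (Exception e) {
            // Accounting is best-effort: a bad record must not fail the request.
            log.warn("invalid record passed to accounting ", e);
        }
    }
}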
