package com.systematic.sitaware.configurator.webserver.internal;

import com.systematic.sitaware.configurator.webserver.settings.WebServerSettings;
import com.systematic.sitaware.framework.configuration.ConfigurationService;
import com.systematic.sitaware.framework.webresources.settings.PasswordHandler;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Locale;
import java.util.stream.Stream;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import org.apache.commons.lang3.StringUtils;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

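/**
 * Pre-matching JAX-RS request filter that authenticates every REST request either by
 * TLS client certificate or, on a restricted set of requests, by HTTP Basic password.
 *
 * <p>Decision order, as implemented in {@link #filter(ContainerRequestContext)}:
 * <ol>
 *   <li>If the request carries an {@code X509Certificate[]} under the servlet property
 *       {@code javax.servlet.request.X509Certificate}, the first certificate becomes the
 *       caller's identity. An empty array is rejected with 401.</li>
 *   <li>Otherwise Basic authentication is attempted, but only when
 *       {@link #isBasicAuthAllowed(ContainerRequestContext)} permits it; every other request
 *       is rejected with 401 and a {@code ClientCertificate} challenge.</li>
 * </ol>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>This class never validates the certificate itself (chain, expiry, revocation, subject).
 *       NOTE(review): presumably the TLS layer of the container has verified it before the
 *       property is populated, and any verified certificate is accepted. Confirm against the
 *       connector configuration.</li>
 *   <li>Basic authentication checks the password only; the user name part of the credentials
 *       is ignored and the resulting security context has a {@code null} principal.</li>
 *   <li>No roles are modelled: {@code isUserInRole} always returns {@code false}.</li>
 *   <li>Nothing here logs or counts rejected attempts. NOTE(review): confirm that failed
 *       authentication is logged and rate-limited elsewhere so that guessing is detectable.</li>
 * </ul>
 */
@PreMatching
@Component(property = {"org.apache.cxf.dosgi.IntentName=SwflRestAuthenticator"}, immediate = true)
@Provider
@Priority(1000)
/* loaded from: input_file:com/systematic/sitaware/configurator/webserver/internal/SwflRestAuthenticator.class */
public class SwflRestAuthenticator implements ContainerRequestFilter {
    /**
     * Path fragments for which Basic authentication is accepted instead of a client certificate.
     * Matching is a case-insensitive substring test (see {@link #isBasicAuthAllowed}).
     */
    private static final List<String> PATHS_WHITE_LISTED_FOR_BASIC_AUTH = Arrays.asList("/restservices/systemstatus", "/restservices/saconsole", "/restservices/network_configuration");
    public static final String AUTHENTICATION_SCHEME_BASIC = "Basic";
    public static final String AUTHENTICATION_SCHEME_CLIENT_CERTIFICATE = "ClientCertificate";
    /** Appended to the scheme name in the {@code WWW-Authenticate} header; the leading space is required. */
    public static final String AUTHENTICATION_REALM = " realm=\"SitaWare Tactical Communications\"";

    @Reference
    ConfigurationService configurationService;

    /**
     * Authenticates the request, either installing a {@link SecurityContext} or aborting with 401.
     *
     * @param containerRequestContext the request being filtered
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        Object property = containerRequestContext.getProperty("javax.servlet.request.X509Certificate");
        if (property instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) property;
            if (chain.length < 1) {
                containerRequestContext.abortWith(createUnauthorizedResponse(AUTHENTICATION_SCHEME_CLIENT_CERTIFICATE));
                return;
            }
            // Only the first entry is used as the identity; the rest of the chain is not inspected here.
            containerRequestContext.setSecurityContext(createSecurityContext(containerRequestContext, chain[0]));
            return;
        }

        // No client certificate on the request: fall back to Basic only where explicitly allowed.
        if (isBasicAuthAllowed(containerRequestContext)) {
            handleBasicAuthentication(containerRequestContext);
        } else {
            containerRequestContext.abortWith(createUnauthorizedResponse(AUTHENTICATION_SCHEME_CLIENT_CERTIFICATE));
        }
    }

    /**
     * Decides whether a request without a client certificate may use Basic authentication.
     *
     * <p>Basic is allowed only when password protection is enabled in configuration AND either
     * the lowercased request path contains one of {@link #PATHS_WHITE_LISTED_FOR_BASIC_AUTH},
     * or the request arrived over plain {@code http} on the configured Jetty port.
     *
     * @param containerRequestContext the request being filtered
     * @return {@code true} if Basic authentication may be attempted
     */
    private boolean isBasicAuthAllowed(ContainerRequestContext containerRequestContext) {
        URI absolutePath = containerRequestContext.getUriInfo().getAbsolutePath();
        if (!PasswordHandler.PASSWORD_HANDLER.isPasswordEnabled(this.configurationService)) {
            return false;
        }

        // Locale.ROOT keeps the lowercasing independent of the JVM default locale
        // (e.g. Turkish dotless i), so the allow-list match is deterministic.
        String requestPath = absolutePath.getPath().toLowerCase(Locale.ROOT);

        // NOTE(review): this is a substring match, so any path that merely *contains* an
        // allow-listed fragment qualifies for the weaker Basic scheme. An anchored comparison
        // (exact match or prefix on a normalized path) would be tighter; left unchanged because
        // the deployed context path is not visible from this class.
        if (PATHS_WHITE_LISTED_FOR_BASIC_AUTH.stream().anyMatch(requestPath::contains)) {
            return true;
        }

        // NOTE(review): on the plain-HTTP Jetty port Basic is accepted for every path, which
        // means the password travels base64-encoded but unencrypted. Confirm this port is bound
        // to a trusted interface only.
        return String.valueOf(absolutePath.getPort()).equals(this.configurationService.readSetting(WebServerSettings.FELIX_JETTY_PORT_PROPERTY))
                && "http".equals(absolutePath.getScheme());
    }

    /**
     * Validates the {@code Authorization: Basic ...} header and installs a security context on
     * success; aborts with 401 and a {@code Basic} challenge on a missing, malformed or wrong
     * credential.
     *
     * @param containerRequestContext the request being filtered
     */
    private void handleBasicAuthentication(ContainerRequestContext containerRequestContext) {
        List<String> values = containerRequestContext.getHeaders().get("Authorization");
        String header = (values == null || values.isEmpty()) ? null : values.get(0).trim();
        if (!StringUtils.startsWithIgnoreCase(header, AUTHENTICATION_SCHEME_BASIC)) {
            containerRequestContext.abortWith(createUnauthorizedResponse(AUTHENTICATION_SCHEME_BASIC));
            return;
        }

        final String credentials;
        try {
            byte[] decoded = Base64.getDecoder().decode(StringUtils.removeStartIgnoreCase(header, AUTHENTICATION_SCHEME_BASIC).trim());
            credentials = new String(decoded, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformed) {
            // Client-supplied garbage must yield a 401 challenge, not an unhandled exception
            // surfacing as a server error. The header content is deliberately not logged.
            containerRequestContext.abortWith(createUnauthorizedResponse(AUTHENTICATION_SCHEME_BASIC));
            return;
        }

        // Everything after the first ':' is the password (it may itself contain ':');
        // the user name before it is ignored.
        // NOTE(review): validatePassword is opaque here. Confirm it compares in constant time.
        String password = StringUtils.substringAfter(credentials, ":");
        if (PasswordHandler.PASSWORD_HANDLER.validatePassword(password, this.configurationService)) {
            containerRequestContext.setSecurityContext(createSecurityContext(containerRequestContext, null));
        } else {
            containerRequestContext.abortWith(createUnauthorizedResponse(AUTHENTICATION_SCHEME_BASIC));
        }
    }

    /**
     * Builds a 401 response whose {@code WWW-Authenticate} header names the expected scheme.
     *
     * @param str the authentication scheme to challenge with
     * @return the 401 response
     */
    private Response createUnauthorizedResponse(String str) {
        return Response.status(Response.Status.UNAUTHORIZED).header("WWW-Authenticate", str + AUTHENTICATION_REALM).build();
    }

    /**
     * Creates the security context for an authenticated request.
     *
     * @param containerRequestContext the request, used to report whether the transport is https
     * @param x509Certificate the client certificate, or {@code null} for Basic authentication
     * @return a context whose principal is the certificate subject, or {@code null} for Basic
     */
    private SecurityContext createSecurityContext(final ContainerRequestContext containerRequestContext, final X509Certificate x509Certificate) {
        return new SecurityContext() { // from class: com.systematic.sitaware.configurator.webserver.internal.SwflRestAuthenticator.1
            @Override
            public Principal getUserPrincipal() {
                // Basic-authenticated callers have no identity; consumers must tolerate null.
                return x509Certificate != null ? x509Certificate.getSubjectX500Principal() : null;
            }

            @Override
            public boolean isUserInRole(String str) {
                return false;
            }

            @Override
            public boolean isSecure() {
                return "https".equals(containerRequestContext.getUriInfo().getAbsolutePath().getScheme());
            }

            @Override
            public String getAuthenticationScheme() {
                return x509Certificate != null ? SecurityContext.CLIENT_CERT_AUTH : SecurityContext.BASIC_AUTH;
            }
        };
    }
}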
