package org.geoserver.security.filter;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.util.StringUtil;
import org.geoserver.security.config.CredentialsFromRequestHeaderFilterConfig;
import org.geoserver.security.config.SecurityNamedServiceConfig;
import org.geoserver.security.impl.GeoServerRole;
import org.springframework.security.authentication.ProviderNotFoundException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.codec.Hex;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;

/* loaded from: input_file:WEB-INF/lib/gs-main-2.18.7-georchestra.jar:org/geoserver/security/filter/GeoServerCredentialsFromRequestHeaderFilter.class */
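/**
 * Authentication filter that reads a user name and a password from two configurable HTTP request
 * headers, extracts the values with configured regular expressions (optionally URL-decoding them)
 * and submits them to the security manager's authentication manager.
 *
 * <p>Both header values are supplied by the client, so everything derived from them is untrusted
 * until the authentication manager has accepted the credentials. Malformed input leaves the
 * request unauthenticated instead of raising an exception.
 */
public class GeoServerCredentialsFromRequestHeaderFilter extends GeoServerSecurityFilter implements AuthenticationCachingFilter, GeoServerAuthenticationFilter {
    /** Matches control characters (CR, LF, ...) so they can be neutralised before logging. */
    private static final Pattern CONTROL_CHARS = Pattern.compile("\\p{Cntrl}");

    // Name of the request header carrying the user name.
    private String userNameHeaderName;
    // Name of the request header carrying the password.
    private String passwordHeaderName;
    // Patterns with exactly one capturing group that isolate the credential inside the header.
    // They come from configuration but run against client-supplied header values, so they should
    // stay simple enough that a crafted header cannot make them backtrack excessively.
    private Pattern userNameRegex;
    private Pattern passwordRegex;
    // When true the extracted values are URL-decoded before use.
    private boolean decodeURI = true;
    // Prototype digest, cloned per request because MessageDigest instances are stateful.
    private MessageDigest digest;
    protected AuthenticationEntryPoint aep;

    /**
     * Reads header names, extraction patterns and the decode flag from the filter configuration
     * and prepares the digest used for cache keys.
     *
     * @param securityNamedServiceConfig configuration, cast to
     *     {@link CredentialsFromRequestHeaderFilterConfig}
     * @throws IOException if the superclass initialisation fails
     * @throws IllegalStateException if the MD5 digest is not available
     */
    @Override // org.geoserver.security.impl.AbstractGeoServerSecurityService, org.geoserver.security.GeoServerSecurityService
    public void initializeFromConfig(SecurityNamedServiceConfig securityNamedServiceConfig) throws IOException {
        super.initializeFromConfig(securityNamedServiceConfig);
        this.aep = new Http403ForbiddenEntryPoint();
        CredentialsFromRequestHeaderFilterConfig config = (CredentialsFromRequestHeaderFilterConfig) securityNamedServiceConfig;
        this.userNameHeaderName = config.getUserNameHeaderName();
        this.passwordHeaderName = config.getPasswordHeaderName();
        this.userNameRegex = Pattern.compile(config.getUserNameRegex());
        this.passwordRegex = Pattern.compile(config.getPasswordRegex());
        this.decodeURI = config.isParseAsUriComponents();
        try {
            // NOTE(review): getCacheKey() stores an unsalted MD5 of "<password>:<filter name>" in
            // the authentication cache key. MD5 is fast to brute-force, so anything that exposes
            // cache keys (heap dump, debug output) exposes weak password hashes. Consider SHA-256
            // or a keyed HMAC after confirming nothing else depends on the key format.
            this.digest = MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) {
            // Keep the cause so the provider problem is visible in the stack trace.
            throw new IllegalStateException("No MD5 algorithm available!", e);
        }
    }

    /**
     * Tries the authentication cache first, then header authentication, and finally passes the
     * request down the chain with this filter's entry point attached.
     *
     * @throws IOException propagated from authentication or the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        // The returned string is reused below as the key for the cache entry.
        String cacheKey = authenticateFromCache(this, httpRequest);
        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            doAuthenticate(httpRequest, (HttpServletResponse) servletResponse);
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            if (authentication != null && cacheKey != null && cacheAuthentication(authentication, httpRequest)) {
                getSecurityManager().getAuthenticationCache().put(getName(), cacheKey, authentication);
            }
        }
        servletRequest.setAttribute(GeoServerSecurityFilter.AUTHENTICATION_ENTRY_POINT_HEADER, this.aep);
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Extracts the single capturing group of {@code pattern} from a header value.
     *
     * @return the captured text, or {@code null} when the pattern does not match or does not
     *     define exactly one group
     */
    private String parseHeader(String str, Pattern pattern) {
        Matcher matcher = pattern.matcher(str);
        if (matcher.find() && matcher.groupCount() == 1) {
            return matcher.group(1);
        }
        return null;
    }

    /** Replaces control characters so a client-supplied value cannot forge extra log lines. */
    private static String sanitizeForLog(String value) {
        return value == null ? null : CONTROL_CHARS.matcher(value).replaceAll("_");
    }

    /**
     * Authenticates the credentials found in the configured headers and, on success, stores the
     * resulting token (always including {@link GeoServerRole#AUTHENTICATED_ROLE}) in the security
     * context. Missing, unparsable or malformed headers leave the request unauthenticated.
     *
     * @throws IOException if UTF-8 decoding is reported as unsupported
     */
    protected void doAuthenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String userHeader = httpServletRequest.getHeader(this.userNameHeaderName);
        String passwordHeader = httpServletRequest.getHeader(this.passwordHeaderName);
        if (userHeader == null || passwordHeader == null) {
            return;
        }
        String userName = parseHeader(userHeader, this.userNameRegex);
        String password = parseHeader(passwordHeader, this.passwordRegex);
        if (userName == null || password == null) {
            return;
        }
        if (this.decodeURI) {
            try {
                userName = URLDecoder.decode(userName, "UTF-8");
                password = URLDecoder.decode(password, "UTF-8");
            } catch (IllegalArgumentException e) {
                // URLDecoder rejects malformed percent-escapes. Treat that as "no credentials"
                // rather than failing the request. The exception is deliberately not logged
                // because its message can quote part of the offending value (the password).
                LOGGER.log(Level.FINE, "ignoring credential headers that are not valid URI components");
                return;
            }
        }
        try {
            Authentication authenticated = getSecurityManager().authenticationManager().authenticate(new UsernamePasswordAuthenticationToken(userName, password, new ArrayList<GrantedAuthority>()));
            LOGGER.log(Level.FINER, "logged in as {0}", sanitizeForLog(userName));
            List<GrantedAuthority> roles = new ArrayList<>();
            for (GrantedAuthority authority : authenticated.getAuthorities()) {
                // The cast is kept from the original: a non-GeoServerRole authority fails here.
                roles.add((GeoServerRole) authority);
            }
            if (!roles.contains(GeoServerRole.AUTHENTICATED_ROLE)) {
                roles.add(GeoServerRole.AUTHENTICATED_ROLE);
            }
            // NOTE(review): the decoded user name is echoed into a response header; this relies on
            // the servlet container rejecting CR/LF in header values - confirm for the deployment.
            httpServletResponse.addHeader("X-GeoServer-Auth-User", userName);
            UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(authenticated.getPrincipal(), authenticated.getCredentials(), roles);
            token.setDetails(authenticated.getDetails());
            SecurityContextHolder.getContext().setAuthentication(token);
        } catch (ProviderNotFoundException e) {
            // Plain concatenation on purpose: the apostrophe in the message would disable {0}
            // substitution under MessageFormat. The name is client-controlled, hence sanitised.
            LOGGER.log(Level.WARNING, "couldn't to authenticate user:" + sanitizeForLog(userName));
        }
    }

    /** @return {@code true}; the filter applies to the web UI chain. */
    @Override // org.geoserver.security.filter.GeoServerAuthenticationFilter
    public boolean applicableForHtml() {
        return true;
    }

    /** @return {@code true}; the filter applies to the service chains. */
    @Override // org.geoserver.security.filter.GeoServerAuthenticationFilter
    public boolean applicableForServices() {
        return true;
    }

    /**
     * Builds the authentication cache key {@code <user name>:<hex MD5 of "<password>:<filter
     * name>">} from the configured headers.
     *
     * <p>The password is hashed exactly as extracted (it is not URL-decoded here), while the user
     * name is URL-decoded when decoding is enabled.
     *
     * @return the cache key, or {@code null} when either credential is missing, does not match its
     *     pattern, or the user name is not a valid URI component
     */
    @Override // org.geoserver.security.filter.AuthenticationCachingFilter
    public String getCacheKey(HttpServletRequest httpServletRequest) {
        String userHeader = httpServletRequest.getHeader(this.userNameHeaderName);
        String passwordHeader = httpServletRequest.getHeader(this.passwordHeaderName);
        if (userHeader == null || passwordHeader == null) {
            return null;
        }
        String userName = parseHeader(userHeader, this.userNameRegex);
        String password = parseHeader(passwordHeader, this.passwordRegex);
        // Both values are required. The original tested "&&", which let a null user name reach
        // URLDecoder.decode and fail with a NullPointerException when only the password matched.
        if (userName == null || password == null) {
            return null;
        }
        if (this.decodeURI) {
            try {
                userName = URLDecoder.decode(userName, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                LOGGER.log(Level.WARNING, "unsupported decode user name");
            } catch (IllegalArgumentException e) {
                // Malformed percent-escape in a client-supplied header: no usable cache key.
                return null;
            }
        }
        try {
            MessageDigest md = (MessageDigest) this.digest.clone();
            byte[] hashed = md.digest((password + ":" + getName()).getBytes(StandardCharsets.UTF_8));
            return userName + ":" + new String(Hex.encode(hashed));
        } catch (CloneNotSupportedException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Decides whether a fresh authentication may be cached.
     *
     * @return {@code true} only when the request has no existing HTTP session
     */
    protected boolean cacheAuthentication(Authentication authentication, HttpServletRequest httpServletRequest) {
        return httpServletRequest.getSession(false) == null;
    }
}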
