package org.opennms.newts.rest;

import com.google.common.base.Optional;
import com.google.common.base.Preconditions;
import com.google.common.base.Throwables;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/opennms/newts/rest/HttpBasicAuthenticationFilter.class */
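/**
 * Servlet filter that enforces HTTP Basic authentication against the user/password map
 * exposed by {@link NewtsConfig}.
 *
 * <p>Requests pass through unauthenticated when authentication is disabled in the
 * configuration or when the request is a CORS preflight. Every other request must carry
 * an {@code Authorization: Basic ...} header whose decoded credentials match a configured
 * entry; otherwise the filter answers 401 with a {@code WWW-Authenticate} challenge and
 * does not invoke the rest of the chain.
 *
 * <p>Basic credentials are only Base64-encoded on the wire, so this filter protects
 * nothing unless the transport itself is encrypted.
 */
public class HttpBasicAuthenticationFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(HttpBasicAuthenticationFilter.class);
    private static final String REALM = "Newts";
    private final NewtsConfig m_config;

    /** Immutable user/password pair parsed from an HTTP {@code Authorization} header. */
    public static class Credentials {
        // The auth scheme token is matched case-insensitively ("Basic", "basic", ...).
        private static final Pattern s_headerPattern = Pattern.compile("Basic (?<token>.+)", Pattern.CASE_INSENSITIVE);
        // Split at the FIRST colon: the user group is reluctant so that a password which
        // itself contains ':' stays intact (RFC 7617 forbids ':' in the user-id, not in
        // the password). A greedy user group would split at the last colon instead.
        private static final Pattern s_credsPattern = Pattern.compile("(?<user>.+?):(?<pass>.+)");
        private final String m_user;
        private final String m_pass;

        /**
         * @param str  user name; must not be null
         * @param str2 password; must not be null
         * @throws NullPointerException if either argument is null
         */
        Credentials(String str, String str2) {
            this.m_user = Preconditions.checkNotNull(str, "user argument");
            this.m_pass = Preconditions.checkNotNull(str2, "pass argument");
        }

        String getUser() {
            return this.m_user;
        }

        String getPass() {
            return this.m_pass;
        }

        /**
         * Parses the value of an {@code Authorization} header using the Basic scheme.
         *
         * @param str header value, e.g. {@code "Basic dXNlcjpwYXNz"}
         * @return the decoded credentials
         * @throws IllegalArgumentException if the value is not a Basic header, or the
         *     decoded token is not of the form {@code user:pass} with both parts non-empty
         */
        static Credentials fromHeader(String str) {
            Matcher headerMatcher = s_headerPattern.matcher(str);
            if (!headerMatcher.matches()) {
                throw new IllegalArgumentException("malformed credentials header");
            }
            // StandardCharsets avoids the checked UnsupportedEncodingException that the
            // charset-name overloads declare for a charset that is always present.
            byte[] decoded = Base64.decodeBase64(headerMatcher.group("token").getBytes(StandardCharsets.UTF_8));
            Matcher credsMatcher = s_credsPattern.matcher(new String(decoded, StandardCharsets.UTF_8));
            if (!credsMatcher.matches()) {
                throw new IllegalArgumentException("malformed credentials header");
            }
            return new Credentials(credsMatcher.group("user"), credsMatcher.group("pass"));
        }
    }

    /**
     * @param newtsConfig configuration supplying the enabled flag and the credentials map;
     *     must not be null
     * @throws NullPointerException if {@code newtsConfig} is null
     */
    public HttpBasicAuthenticationFilter(NewtsConfig newtsConfig) {
        this.m_config = Preconditions.checkNotNull(newtsConfig, "config argument");
    }

    /** Logs that the filter was initialized; the filter configuration is not used. */
    public void init(FilterConfig filterConfig) throws ServletException {
        LOG.info("HTTP Basic Auth servlet filter initialized");
    }

    /** Logs that the filter is shutting down; there is nothing to release. */
    public void destroy() {
        LOG.info("Shutting down HTTP Basic Auth servlet filter");
    }

    /**
     * Authenticates the request and, on success, hands it to the rest of the chain.
     *
     * <p>A missing header, a malformed header, or non-matching credentials all produce the
     * same 401 response, so the client learns nothing about which check failed.
     *
     * @throws IOException      if writing the 401 response or the downstream chain fails
     * @throws ServletException if the downstream chain fails
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        LOG.trace("doFilter()");
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        if (!enabled() || isCorsPreflight(httpServletRequest)) {
            // This branch is also taken for CORS preflights while authentication is enabled.
            LOG.trace("Authentication is NOT enabled (skipping...)");
        } else {
            LOG.trace("Authentication is enabled");
            HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
            Optional<String> authorizationHeader = getAuthorizationHeader(httpServletRequest);
            if (!authorizationHeader.isPresent()) {
                LOG.trace("Missing Authorization HTTP header; Authorization failed");
                sendUnauthorized(httpServletResponse);
                return;
            }
            Credentials fromHeader;
            try {
                fromHeader = Credentials.fromHeader(authorizationHeader.get());
            } catch (IllegalArgumentException e) {
                // A client-supplied header that does not parse (wrong scheme, bad Base64
                // payload, no colon) is an authentication failure, not a server error.
                // Without this catch the exception leaves the filter uncaught.
                LOG.trace("Malformed Authorization HTTP header; Authorization failed");
                sendUnauthorized(httpServletResponse);
                return;
            }
            if (!isAuthorized(fromHeader)) {
                LOG.trace("Credentials do NOT match; Authorizationi failed");
                sendUnauthorized(httpServletResponse);
                return;
            }
            LOG.trace("User {} is authorized", fromHeader.getUser());
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /** Sends a 401 challenge with the default message. */
    private void sendUnauthorized(HttpServletResponse httpServletResponse) throws IOException {
        sendUnauthorized(httpServletResponse, "Unauthorized");
    }

    /**
     * Sends a 401 response carrying a Basic challenge for the {@link #REALM} realm.
     *
     * @param str message passed to {@code sendError}
     */
    private void sendUnauthorized(HttpServletResponse httpServletResponse, String str) throws IOException {
        httpServletResponse.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, str);
    }

    /**
     * Checks the supplied credentials against the configured user/password map.
     *
     * @return {@code true} only if the user has a non-null configured password equal to
     *     the supplied one
     */
    private boolean isAuthorized(Credentials credentials) {
        Map<String, String> configured = this.m_config.getAuthenticationConfig().getCredentials();
        String expected = configured.get(credentials.getUser());
        if (expected == null) {
            // Unknown user, or a user configured with a null password.
            // NOTE(review): this early return is faster than the comparison below, so
            // response timing may still distinguish known from unknown user names.
            return false;
        }
        // MessageDigest.isEqual does not stop at the first differing byte, unlike
        // String.equals, so the comparison time does not reveal how much of a guessed
        // password was correct.
        // NOTE(review): the configured value is compared directly with the cleartext
        // password from the header, so the credentials map evidently holds passwords
        // unhashed; confirm how the configuration source is protected.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                credentials.getPass().getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Reports whether the request looks like a CORS preflight: an {@code OPTIONS} request
     * carrying an {@code Access-Control-Request-Method} header.
     *
     * <p>Such requests skip authentication in {@code doFilter}. Both the method and the
     * header are chosen by the client, so whatever handles {@code OPTIONS} downstream
     * must not return protected data or cause side effects.
     */
    private boolean isCorsPreflight(HttpServletRequest httpServletRequest) {
        return "OPTIONS".equals(httpServletRequest.getMethod())
                && httpServletRequest.getHeader("Access-Control-Request-Method") != null;
    }

    /** Reads the authentication-enabled flag from the configuration on every call. */
    private boolean enabled() {
        return this.m_config.getAuthenticationConfig().isEnabled();
    }

    /**
     * Returns the trimmed {@code Authorization} header value, or an absent
     * {@code Optional} when the request has no such header.
     */
    private static Optional<String> getAuthorizationHeader(HttpServletRequest httpServletRequest) {
        return Optional.fromNullable(trim(httpServletRequest.getHeader("Authorization")));
    }

    /** Null-tolerant {@link String#trim()}: returns {@code null} for a {@code null} input. */
    private static String trim(String str) {
        return str == null ? null : str.trim();
    }
}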
