package de.otto.edison.authentication;

import de.otto.edison.authentication.configuration.LdapProperties;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collection;
import java.util.Objects;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:de/otto/edison/authentication/LdapRoleAuthenticationFilter.class */
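/**
 * Servlet filter that only lets a request continue down the chain when
 * {@link HttpServletRequest#isUserInRole(String)} reports the configured role.
 *
 * <p>Requests whose servlet path starts with one of the configured allowlisted
 * prefixes skip the role check entirely (see {@link #shouldNotFilter}).
 *
 * <p>NOTE(review): the role decision is delegated to the request object, so
 * presumably an earlier filter wraps the request so that {@code isUserInRole}
 * reflects the authenticated user's LDAP roles. Confirm the filter ordering.
 */
public class LdapRoleAuthenticationFilter extends OncePerRequestFilter {
    private static final Logger LOG = LoggerFactory.getLogger(LdapRoleAuthenticationFilter.class);

    /** Path prefixes that are exempt from the role check. */
    private final Collection<String> allowlistedPaths;

    /** Role name handed to {@link HttpServletRequest#isUserInRole(String)}. */
    private final String requiredRole;

    /**
     * Creates the filter from the LDAP configuration.
     *
     * @param ldapProperties source of the allowlisted path prefixes and the required role
     * @throws NullPointerException if the allowlisted paths or the required role are {@code null}
     */
    public LdapRoleAuthenticationFilter(LdapProperties ldapProperties) {
        this.allowlistedPaths = Objects.requireNonNull(ldapProperties.getAllowlistedPaths(), "white listed paths must not be null");
        this.requiredRole = Objects.requireNonNull(ldapProperties.getRequiredRole(), "required role must not be null");
        // Surface configuration mistakes early: an empty prefix would match every path.
        if (this.allowlistedPaths.stream().anyMatch(LdapRoleAuthenticationFilter::isUnusablePrefix)) {
            LOG.warn("Allowlisted paths contain a null or empty entry; such entries are ignored.");
        }
    }

    /**
     * Decides whether the role check is skipped for this request.
     *
     * <p>The comparison is a plain string prefix match on the servlet path. An entry
     * such as {@code /foo} therefore also exempts {@code /foobar}; entries should end
     * with {@code /} where a path-segment boundary is intended.
     *
     * <p>Null and empty entries are ignored. {@code String.startsWith("")} is true for
     * every path, so a stray empty entry would otherwise exempt every request from the
     * role check; a null entry would otherwise raise a {@link NullPointerException}.
     *
     * <p>NOTE(review): only {@code getServletPath()} is inspected. If the dispatching
     * servlet is mapped so that the request path is reported via {@code getPathInfo()}
     * instead, these prefixes would not match as configured. Verify against the
     * deployment's servlet mapping.
     *
     * @param httpServletRequest the current request
     * @return {@code true} if the servlet path starts with a usable allowlisted prefix
     */
    @Override
    protected boolean shouldNotFilter(HttpServletRequest httpServletRequest) throws ServletException {
        String servletPath = httpServletRequest.getServletPath();
        return this.allowlistedPaths.stream()
                .filter(prefix -> !isUnusablePrefix(prefix))
                .anyMatch(servletPath::startsWith);
    }

    /**
     * Continues the chain when the request carries the required role and otherwise
     * answers with the response produced by {@link #unauthorized(HttpServletResponse)}
     * without invoking the rest of the chain.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (!httpServletRequest.isUserInRole(this.requiredRole)) {
            LOG.warn("Did not find correct role for login.");
            unauthorized(httpServletResponse);
            return;
        }
        LOG.debug("Found correct role for login.");
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Marks the response as 401 with a Basic authentication challenge.
     *
     * <p>NOTE(review): this is sent both for unauthenticated requests and for
     * authenticated users lacking the role; 403 would describe the latter more
     * precisely. Left unchanged because clients may rely on the 401.
     *
     * <p>NOTE(review): RFC 7235 requires the realm to be sent as a quoted-string, but
     * this value is unquoted and contains a space. Left byte-identical because clients
     * or tests may match the exact header value.
     */
    void unauthorized(HttpServletResponse httpServletResponse) {
        httpServletResponse.addHeader("WWW-Authenticate", "Basic realm=Authorization Required");
        httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
    }

    /** Returns whether an allowlist entry cannot be used as a path prefix. */
    private static boolean isUnusablePrefix(String prefix) {
        return prefix == null || prefix.isEmpty();
    }
}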
