package alpine.server.filters;

import alpine.common.logging.Logger;
import alpine.model.ApiKey;
import alpine.model.LdapUser;
import alpine.model.ManagedUser;
import alpine.model.OidcUser;
import alpine.model.UserPrincipal;
import alpine.persistence.AlpineQueryManager;
import alpine.server.auth.PermissionRequired;
import java.security.Principal;
import java.util.regex.Pattern;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.glassfish.jersey.server.ContainerRequest;
import org.owasp.security.logging.SecurityMarkers;

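/**
 * Request filter that enforces the {@link PermissionRequired} annotation on the matched
 * resource method.
 *
 * <p>The filter expects an authentication filter to have run earlier and stored the
 * authenticated principal under the request property {@code "Principal"}. A request is
 * allowed through when the principal holds at least one of the permissions listed in the
 * annotation; every other outcome (no principal, unknown user, no matching permission,
 * or a missing annotation) is answered with {@code 403 Forbidden}. Denials are logged with
 * {@link SecurityMarkers#SECURITY_FAILURE}; API keys are masked before they are logged.
 */
@Priority(2000)
public class AuthorizationFilter implements ContainerRequestFilter {
    private static final Logger LOGGER = Logger.getLogger(AuthorizationFilter.class);

    /** Matches every word character that is followed by at least four more, i.e. all but the last four. */
    private static final Pattern KEY_MASK = Pattern.compile("\\w(?=\\w{4})");

    @Context
    private ResourceInfo resourceInfo;

    /**
     * Authorizes the current request against the permissions declared on the resource method.
     *
     * @param requestContext the JAX-RS request context; only Jersey {@link ContainerRequest}
     *                       instances are processed, anything else passes through untouched
     */
    @Override
    public void filter(final ContainerRequestContext requestContext) {
        if (!(requestContext instanceof ContainerRequest)) {
            return;
        }
        // The authentication filter stores the authenticated identity here; the property is
        // typed as the common Principal interface and narrowed per concrete identity type below.
        final Principal principal = (Principal) requestContext.getProperty("Principal");
        if (principal == null) {
            LOGGER.info(SecurityMarkers.SECURITY_FAILURE, "A request was made without the assertion of a valid user principal");
            deny(requestContext);
            return;
        }
        final PermissionRequired required =
                resourceInfo.getResourceMethod().getDeclaredAnnotation(PermissionRequired.class);
        if (required == null) {
            // Fail closed: a method that reaches this filter without declaring its required
            // permissions is a configuration error, not an implicit grant.
            LOGGER.info(SecurityMarkers.SECURITY_FAILURE, "A request was made to a resource method that declares no required permissions");
            deny(requestContext);
            return;
        }
        final String[] permissions = required.value();
        final String requestUri = ((ContainerRequest) requestContext).getRequestUri().toString();
        try (AlpineQueryManager qm = new AlpineQueryManager()) {
            if (principal instanceof ApiKey) {
                final ApiKey apiKey = (ApiKey) principal;
                if (hasAnyPermission(qm, apiKey, permissions)) {
                    return;
                }
                LOGGER.info(SecurityMarkers.SECURITY_FAILURE, "Unauthorized access attempt made by API Key " + maskKey(apiKey.getKey()) + " to " + requestUri);
            } else {
                final UserPrincipal user = resolveUser(qm, principal);
                if (user == null) {
                    LOGGER.info(SecurityMarkers.SECURITY_FAILURE, "A request was made but the system in unable to find the user principal");
                    deny(requestContext);
                    return;
                }
                if (hasAnyPermission(qm, user, permissions)) {
                    return;
                }
                LOGGER.info(SecurityMarkers.SECURITY_FAILURE, "Unauthorized access attempt made by " + user.getUsername() + " to " + requestUri);
            }
        }
        deny(requestContext);
    }

    /**
     * Re-reads the user backing the authenticated principal from persistence.
     *
     * @param qm        the open query manager
     * @param principal a managed, LDAP or OIDC user principal
     * @return the persisted user, or {@code null} when the principal type is unknown or the
     *         user no longer exists
     */
    private static UserPrincipal resolveUser(final AlpineQueryManager qm, final Principal principal) {
        if (principal instanceof ManagedUser) {
            return qm.getManagedUser(((ManagedUser) principal).getUsername());
        }
        if (principal instanceof LdapUser) {
            return qm.getLdapUser(((LdapUser) principal).getUsername());
        }
        if (principal instanceof OidcUser) {
            return qm.getOidcUser(((OidcUser) principal).getUsername());
        }
        return null;
    }

    /**
     * @return {@code true} when the API key holds at least one of {@code permissions}
     */
    private static boolean hasAnyPermission(final AlpineQueryManager qm, final ApiKey apiKey, final String[] permissions) {
        for (final String permission : permissions) {
            if (qm.hasPermission(apiKey, permission)) {
                return true;
            }
        }
        return false;
    }

    /**
     * @return {@code true} when the user, directly or through team membership, holds at least
     *         one of {@code permissions}
     */
    private static boolean hasAnyPermission(final AlpineQueryManager qm, final UserPrincipal user, final String[] permissions) {
        for (final String permission : permissions) {
            // true: include permissions inherited from the user's teams
            if (qm.hasPermission(user, permission, true)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Masks an API key for logging so that only its last four characters remain readable.
     *
     * @param key the raw key value
     * @return the masked key
     */
    private static String maskKey(final String key) {
        return KEY_MASK.matcher(key).replaceAll("*");
    }

    /** Aborts the request with {@code 403 Forbidden} and no body. */
    private static void deny(final ContainerRequestContext requestContext) {
        requestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
    }
}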
