package org.camunda.bpm.engine.rest.security.auth;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.Response;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.identity.Group;
import org.camunda.bpm.engine.identity.Tenant;
import org.camunda.bpm.engine.rest.dto.ExceptionDto;
import org.camunda.bpm.engine.rest.exception.InvalidRequestException;
import org.camunda.bpm.engine.rest.util.EngineUtil;

/* loaded from: input_file:WEB-INF/lib/camunda-engine-rest-core-7.12.0-alpha6.jar:org/camunda/bpm/engine/rest/security/auth/ProcessEngineAuthenticationFilter.class */
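/**
 * Servlet filter that authenticates REST requests addressed to a process engine.
 *
 * <p>For every request the filter derives the engine-relative path, lets allow-listed
 * paths through without authentication, resolves the addressed engine from the path and
 * delegates credential extraction to the configured {@link AuthenticationProvider}.
 * On success the authenticated user, groups and tenants are set on the engine's identity
 * service for the duration of the downstream call and cleared afterwards.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The path is sliced out of {@code getRequestURI()}, which this class neither decodes
 *       nor normalizes. Every pattern below is therefore evaluated against the raw path.</li>
 *   <li>Anything that does not fully match an allow-list pattern requires authentication,
 *       so the filter fails closed for unexpected paths.</li>
 * </ul>
 */
public class ProcessEngineAuthenticationFilter implements Filter {
    /**
     * Paths served without authentication. They are applied with {@code Matcher.matches()},
     * i.e. as a full match, so only {@code /engine} and {@code /engine/} qualify. Widening a
     * pattern here widens the unauthenticated surface.
     */
    protected static final Pattern[] WHITE_LISTED_URL_PATTERNS = {Pattern.compile("^/engine/?")};
    /** Captures the engine name as the first path segment after {@code /engine/}. */
    protected static final Pattern ENGINE_REQUEST_URL_PATTERN = Pattern.compile("^/engine/(.*?)(/|$)");
    /** Engine name used when the path does not name an engine. */
    protected static final String DEFAULT_ENGINE_NAME = "default";
    /** Filter init-param holding the fully qualified class name of the authentication provider. */
    public static final String AUTHENTICATION_PROVIDER_PARAM = "authentication-provider";
    /** Optional filter init-param overriding the servlet path used to compute the engine-relative path. */
    public static final String SERVLET_PATH_PREFIX = "rest-url-pattern-prefix";
    protected AuthenticationProvider authenticationProvider;
    protected String servletPathPrefix;

    /**
     * Instantiates the authentication provider named by the {@code authentication-provider}
     * init-param and reads the optional {@code rest-url-pattern-prefix} init-param.
     *
     * <p>Implements {@code Filter#init}.
     *
     * @param filterConfig filter configuration supplying the init-params
     * @throws ServletException if the init-param is missing, or the named class cannot be
     *     found, instantiated, accessed, or does not implement {@link AuthenticationProvider}
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        String providerClassName = filterConfig.getInitParameter(AUTHENTICATION_PROVIDER_PARAM);
        if (providerClassName == null) {
            throw new ServletException("Cannot instantiate authentication filter: no authentication provider set. init-param authentication-provider missing");
        }
        try {
            // The class name is loaded reflectively from filter configuration; whoever can edit
            // that configuration decides which code authenticates every request.
            this.authenticationProvider = (AuthenticationProvider) Class.forName(providerClassName).newInstance();
            this.servletPathPrefix = filterConfig.getInitParameter(SERVLET_PATH_PREFIX);
        } catch (ClassCastException e) {
            throw new ServletException("Cannot instantiate authentication filter: authentication provider does not implement interface " + AuthenticationProvider.class.getName(), e);
        } catch (ClassNotFoundException e) {
            throw new ServletException("Cannot instantiate authentication filter: authentication provider not found", e);
        } catch (IllegalAccessException e) {
            throw new ServletException("Cannot instantiate authentication filter: constructor not accessible", e);
        } catch (InstantiationException e) {
            throw new ServletException("Cannot instantiate authentication filter: cannot instantiate authentication provider", e);
        }
    }

    /**
     * Authenticates the request against the addressed engine before passing it down the chain.
     *
     * <p>Outcomes: allow-listed paths are forwarded unauthenticated; an unknown engine yields
     * 404 with a JSON error body; failed authentication yields 401 plus the provider's
     * challenge; otherwise the chain runs with the authentication set on the engine.
     *
     * <p>Implements {@code Filter#doFilter}.
     *
     * @param servletRequest the incoming request, cast to {@link HttpServletRequest}
     * @param servletResponse the outgoing response, cast to {@link HttpServletResponse}
     * @param filterChain the remaining filter chain
     * @throws IOException if writing the response or the downstream chain fails
     * @throws ServletException if the downstream chain fails
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        String pathPrefix = this.servletPathPrefix;
        if (pathPrefix == null) {
            pathPrefix = request.getServletPath();
        }
        // NOTE(review): the slice is purely offset-based on the raw request URI. It assumes the
        // URI starts with contextPath + pathPrefix and is not verified here; a URI shorter than
        // that offset makes substring() throw. Confirm the container/deployment guarantees this.
        String enginePath = request.getRequestURI().substring(request.getContextPath().length() + pathPrefix.length());

        if (!requiresEngineAuthentication(enginePath)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        String engineName = extractEngineName(enginePath);
        ProcessEngine engine = getAddressedEngine(engineName);
        if (engine == null) {
            response.setStatus(Response.Status.NOT_FOUND.getStatusCode());
            ExceptionDto errorDto = new ExceptionDto();
            errorDto.setType(InvalidRequestException.class.getSimpleName());
            // The engine name comes from the request path; it reaches the client only through
            // the JSON serializer below, never through manual string-built markup.
            errorDto.setMessage("Process engine " + engineName + " not available");
            ObjectMapper objectMapper = new ObjectMapper();
            response.setContentType("application/json");
            objectMapper.writer().writeValue(response.getWriter(), errorDto);
            response.getWriter().flush();
            return;
        }

        AuthenticationResult authResult = this.authenticationProvider.extractAuthenticatedUser(request, engine);
        if (!authResult.isAuthenticated()) {
            response.setStatus(Response.Status.UNAUTHORIZED.getStatusCode());
            this.authenticationProvider.augmentResponseByAuthenticationChallenge(response, engine);
            return;
        }

        try {
            setAuthenticatedUser(engine, authResult.getAuthenticatedUser(), authResult.getGroups(), authResult.getTenants());
            filterChain.doFilter(servletRequest, servletResponse);
        } finally {
            // Always drop the authentication, including on failure, so it cannot outlive this
            // request. Runs exactly once on every exit path.
            clearAuthentication(engine);
        }
    }

    /** No resources to release. Implements {@code Filter#destroy}. */
    public void destroy() {
    }

    /**
     * Sets the authentication on the engine's identity service, looking up group and tenant
     * memberships from the engine when the provider did not supply them.
     *
     * @param processEngine engine the request is addressed to
     * @param userId id of the authenticated user
     * @param groupIds group ids from the provider, or {@code null} to query the engine
     * @param tenantIds tenant ids from the provider, or {@code null} to query the engine
     */
    protected void setAuthenticatedUser(ProcessEngine processEngine, String userId, List<String> groupIds, List<String> tenantIds) {
        List<String> effectiveGroupIds = groupIds != null ? groupIds : getGroupsOfUser(processEngine, userId);
        List<String> effectiveTenantIds = tenantIds != null ? tenantIds : getTenantsOfUser(processEngine, userId);
        processEngine.getIdentityService().setAuthentication(userId, effectiveGroupIds, effectiveTenantIds);
    }

    /**
     * Returns the ids of all groups the user is a member of, as reported by the engine's
     * group query.
     *
     * @param processEngine engine whose identity service is queried
     * @param userId id of the user
     * @return a new mutable list of group ids, empty if the user has no groups
     */
    protected List<String> getGroupsOfUser(ProcessEngine processEngine, String userId) {
        List<Group> groups = processEngine.getIdentityService().createGroupQuery().groupMember(userId).list();
        List<String> groupIds = new ArrayList<>();
        for (Group group : groups) {
            groupIds.add(group.getId());
        }
        return groupIds;
    }

    /**
     * Returns the ids of all tenants the user belongs to, directly or through one of the
     * user's groups, as reported by the engine's tenant query.
     *
     * @param processEngine engine whose identity service is queried
     * @param userId id of the user
     * @return a new mutable list of tenant ids, empty if the user has no tenants
     */
    protected List<String> getTenantsOfUser(ProcessEngine processEngine, String userId) {
        List<Tenant> tenants = processEngine.getIdentityService().createTenantQuery().userMember(userId).includingGroupsOfUser(true).list();
        List<String> tenantIds = new ArrayList<>();
        for (Tenant tenant : tenants) {
            tenantIds.add(tenant.getId());
        }
        return tenantIds;
    }

    /**
     * Removes the authentication previously set on the engine's identity service.
     *
     * @param processEngine engine whose authentication is cleared
     */
    protected void clearAuthentication(ProcessEngine processEngine) {
        processEngine.getIdentityService().clearAuthentication();
    }

    /**
     * Decides whether a request path must be authenticated.
     *
     * @param requestUrl engine-relative request path
     * @return {@code false} only if the whole path matches an allow-list pattern,
     *     {@code true} otherwise
     */
    protected boolean requiresEngineAuthentication(String requestUrl) {
        for (Pattern allowedPattern : WHITE_LISTED_URL_PATTERNS) {
            // matches() is a full match: a path that merely starts with an allowed prefix
            // still requires authentication.
            if (allowedPattern.matcher(requestUrl).matches()) {
                return false;
            }
        }
        return true;
    }

    /**
     * Extracts the engine name from an engine-relative request path.
     *
     * @param requestUrl engine-relative request path
     * @return the segment following {@code /engine/}, or {@link #DEFAULT_ENGINE_NAME} if the
     *     path does not start with {@code /engine/}
     */
    protected String extractEngineName(String requestUrl) {
        Matcher matcher = ENGINE_REQUEST_URL_PATTERN.matcher(requestUrl);
        if (matcher.find()) {
            return matcher.group(1);
        }
        return DEFAULT_ENGINE_NAME;
    }

    /**
     * Looks up the process engine with the given name.
     *
     * @param engineName name taken from the request path
     * @return the engine; {@code doFilter} treats {@code null} as "engine not available"
     */
    protected ProcessEngine getAddressedEngine(String engineName) {
        return EngineUtil.lookupProcessEngine(engineName);
    }
}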
