package org.craftercms.studio.impl.v1.web.security.access;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.configuration2.HierarchicalConfiguration;
import org.apache.commons.configuration2.tree.ImmutableNode;
import org.apache.commons.lang3.StringUtils;
import org.craftercms.studio.api.v1.service.security.SecurityService;
import org.craftercms.studio.api.v2.utils.StudioConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:org/craftercms/studio/impl/v1/web/security/access/StudioUrlRestrictionFilter.class */
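/**
 * Servlet filter that denies access to configured URLs unless the caller holds one of the
 * required roles.
 *
 * <p>Rules are loaded once from {@link #STUDIO_SECURITY_RESTRICTION_URLS}. Each rule names a
 * context-relative {@code url}, an optional {@code path} and a comma-separated {@code roles} list.
 * A request is checked against every rule whose {@code url} equals the request URI
 * (case-insensitive) and whose {@code path} is absent, or equals the request's {@code path}
 * parameter. For such a rule the current user must hold at least one of the rule's roles in the
 * site named by the request ({@code site_id} / {@code site} parameter, falling back to the
 * {@code crafterSite} cookie); otherwise the response is a 403. System administrators bypass the
 * filter entirely (see {@link #shouldNotFilter}).
 *
 * <p>Failure handling is fail-closed: an error while resolving the current user keeps the filter
 * active, and a missing role set is treated as "no roles".
 */
public class StudioUrlRestrictionFilter extends OncePerRequestFilter {
    private static final Logger logger = LoggerFactory.getLogger(StudioUrlRestrictionFilter.class);
    public static final String STUDIO_SECURITY_RESTRICTION_URLS = "studio.security.restrictedUrls";
    public static final String STUDIO_SECURITY_RESTRICTION_CONFIG_KEY_URL = "url";
    public static final String STUDIO_SECURITY_RESTRICTION_CONFIG_KEY_PATH = "path";
    public static final String STUDIO_SECURITY_RESTRICTION_CONFIG_KEY_ROLES = "roles";

    /** Request parameter / cookie names the filter reads. */
    private static final String PARAM_SITE_ID = "site_id";
    private static final String PARAM_SITE = "site";
    private static final String PARAM_PATH = "path";
    private static final String COOKIE_SITE = "crafterSite";

    private final SecurityService securityService;
    /** Rules loaded at construction time; an empty list means nothing is ever restricted. */
    private final List<StudioRestrictionRule> restrictionList;

    /**
     * One configured restriction: the URL it guards, an optional path constraint and the roles
     * that grant access. Instances are created only by the enclosing filter.
     */
    public static class StudioRestrictionRule {
        protected String url;
        protected String path;
        protected List<String> roles;

        private StudioRestrictionRule() {
        }

        public void setUrl(String str) {
            this.url = str;
        }

        public void setPath(String str) {
            this.path = str;
        }

        public void setRoles(List<String> list) {
            this.roles = list;
        }

        /**
         * @param requestUri context-relative request URI (never {@code null} for a real request)
         * @return whether this rule targets the given URI; a rule without a {@code url} never matches
         *         instead of throwing, so a misconfigured rule cannot break every request
         */
        boolean matchesUrl(String requestUri) {
            return requestUri != null && requestUri.equalsIgnoreCase(this.url);
        }

        /**
         * @param pathParam normalised {@code path} request parameter, or {@code null} when absent
         * @return {@code true} when the rule has no path constraint, the request carries no path,
         *         or the two paths are equal ignoring case
         */
        boolean appliesToPath(String pathParam) {
            return this.path == null || pathParam == null || this.path.equalsIgnoreCase(pathParam);
        }
    }

    /**
     * @param studioConfiguration source of the restriction rules
     * @param securityService used to resolve the current user, admin status and site roles
     */
    public StudioUrlRestrictionFilter(StudioConfiguration studioConfiguration, SecurityService securityService) {
        this.securityService = securityService;
        this.restrictionList = getRestrictionRule(studioConfiguration);
    }

    /**
     * Skips the filter for system administrators and for URIs that no rule targets.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} when no restriction check is needed
     */
    @Override
    protected boolean shouldNotFilter(HttpServletRequest httpServletRequest) {
        if (isCurrentUserSystemAdmin()) {
            return true;
        }
        String requestUri = getRequestUri(httpServletRequest);
        return this.restrictionList.stream().noneMatch(rule -> rule.matchesUrl(requestUri));
    }

    /**
     * Applies every rule that targets the request URI and path; the first rule the caller does not
     * satisfy ends the request with a 403, otherwise the chain continues.
     *
     * @throws ServletException propagated from the chain
     * @throws IOException propagated from the chain or from writing the error response
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        String requestUri = getRequestUri(httpServletRequest);
        String siteParam = getSiteParam(httpServletRequest);
        String pathParam = getPathParam(httpServletRequest);
        String currentUser = this.securityService.getCurrentUser();
        // No user, or no site to look roles up in, counts as unauthenticated for role-guarded rules.
        boolean unauthenticated = currentUser == null || StringUtils.isEmpty(siteParam);
        for (StudioRestrictionRule rule : rulesForUrl(requestUri)) {
            if (!rule.appliesToPath(pathParam)) {
                continue;
            }
            if (unauthenticated && !rule.roles.isEmpty()) {
                logger.info("Restricted url '{}' for non authenticated user", requestUri);
                httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Unauthorized");
                return;
            }
            if (!hasAnyRole(rule, siteParam, currentUser)) {
                logger.info("Restricted url '{}', path '{}' for user '{}'", requestUri, pathParam, currentUser);
                httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Unauthorized");
                return;
            }
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /** Current user is a system admin; any error during the lookup is logged and treated as "no". */
    private boolean isCurrentUserSystemAdmin() {
        try {
            String currentUser = this.securityService.getCurrentUser();
            return currentUser != null && this.securityService.isSystemAdmin(currentUser);
        } catch (Exception e) {
            // Fail closed: the request stays subject to the restriction rules.
            logger.warn("Error while checking logging user permissions.", e);
            return false;
        }
    }

    /** Rules whose url targets the given context-relative URI, in configuration order. */
    private List<StudioRestrictionRule> rulesForUrl(String requestUri) {
        return this.restrictionList.stream()
                .filter(rule -> rule.matchesUrl(requestUri))
                .collect(Collectors.toList());
    }

    /**
     * Whether the user holds at least one of the rule's roles in the given site.
     * A {@code null} role set from the service is treated as no roles (deny) rather than a crash.
     */
    private boolean hasAnyRole(StudioRestrictionRule rule, String site, String user) {
        Set<String> userRoles = this.securityService.getUserRoles(site, user);
        return userRoles != null && rule.roles.stream().anyMatch(userRoles::contains);
    }

    /**
     * Reads the restriction rules from configuration.
     *
     * @param studioConfiguration configuration holding {@link #STUDIO_SECURITY_RESTRICTION_URLS}
     * @return the rules in configuration order; rules without a {@code url} are logged and skipped
     *         because they can never match a request
     */
    protected List<StudioRestrictionRule> getRestrictionRule(StudioConfiguration studioConfiguration) {
        List<StudioRestrictionRule> rules = new ArrayList<>();
        List<HierarchicalConfiguration<ImmutableNode>> subConfigs =
                studioConfiguration.getSubConfigs(STUDIO_SECURITY_RESTRICTION_URLS);
        if (CollectionUtils.isNotEmpty(subConfigs)) {
            for (HierarchicalConfiguration<ImmutableNode> config : subConfigs) {
                StudioRestrictionRule rule = new StudioRestrictionRule();
                rule.setUrl(config.getString(STUDIO_SECURITY_RESTRICTION_CONFIG_KEY_URL, (String) null));
                rule.setPath(config.getString(STUDIO_SECURITY_RESTRICTION_CONFIG_KEY_PATH, (String) null));
                // An absent or blank "roles" entry yields a single empty-string role, which no user
                // holds, so such a rule denies everyone except system admins.
                rule.setRoles(Arrays.asList(
                        config.getString(STUDIO_SECURITY_RESTRICTION_CONFIG_KEY_ROLES, "").trim().split("\\s*,\\s*")));
                if (rule.url == null) {
                    logger.warn("Ignoring restriction rule without '{}' under '{}'",
                            STUDIO_SECURITY_RESTRICTION_CONFIG_KEY_URL, STUDIO_SECURITY_RESTRICTION_URLS);
                    continue;
                }
                rules.add(rule);
            }
        }
        return rules;
    }

    /**
     * Request URI with the servlet context path stripped from the front.
     *
     * <p>Only a leading context path is removed; a plain {@code replace()} would also delete later
     * occurrences of the same text and change which rule the request matches.
     * NOTE(review): this is the undecoded URI and rules are compared verbatim (case aside);
     * canonicalisation of repeated slashes, dot-segments or percent-encoding is left to the
     * container — confirm that matches the deployment.
     */
    protected String getRequestUri(HttpServletRequest httpServletRequest) {
        String uri = httpServletRequest.getRequestURI();
        String contextPath = httpServletRequest.getContextPath();
        if (contextPath != null && !contextPath.isEmpty() && uri.startsWith(contextPath)) {
            return uri.substring(contextPath.length());
        }
        return uri;
    }

    /**
     * The {@code path} request parameter with runs of slashes collapsed and a leading slash
     * forced, so {@code "a//b"} and {@code "/a/b"} compare equal against a rule.
     *
     * @return the normalised path, or {@code null} when the parameter is absent
     */
    protected String getPathParam(HttpServletRequest httpServletRequest) {
        String path = httpServletRequest.getParameter(PARAM_PATH);
        if (path == null) {
            return null;
        }
        String normalised = path.replaceAll("/+", "/");
        return normalised.startsWith("/") ? normalised : "/" + normalised;
    }

    /**
     * Site identifier taken from {@code site_id}, then {@code site}, then the {@code crafterSite}
     * cookie. The value is client-supplied and is the site the role lookup is performed in.
     * NOTE(review): confirm that resolving roles against a client-chosen site is the intended
     * trust model for these rules.
     *
     * @return the site, or the (empty or {@code null}) parameter value when nothing supplied one
     */
    protected String getSiteParam(HttpServletRequest httpServletRequest) {
        String site = httpServletRequest.getParameter(PARAM_SITE_ID);
        if (StringUtils.isEmpty(site)) {
            site = httpServletRequest.getParameter(PARAM_SITE);
        }
        if (StringUtils.isEmpty(site)) {
            Cookie[] cookies = httpServletRequest.getCookies();
            if (cookies != null) {
                for (Cookie cookie : cookies) {
                    if (COOKIE_SITE.equals(cookie.getName())) {
                        site = cookie.getValue();
                        break;
                    }
                }
            }
        }
        return site;
    }
}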
