package org.opencms.security;

import com.google.common.base.Joiner;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.codec.binary.Base64;
import org.opencms.crypto.CmsEncryptionException;
import org.opencms.file.CmsGroup;
import org.opencms.file.CmsObject;
import org.opencms.file.CmsUser;
import org.opencms.i18n.CmsEncoder;
import org.opencms.main.A_CmsAuthorizationHandler;
import org.opencms.main.CmsException;
import org.opencms.main.CmsHttpAuthenticationSettings;
import org.opencms.main.OpenCms;
import org.opencms.search.CmsSearchManager;
import org.opencms.security.I_CmsAuthorizationHandler;
import org.opencms.ui.login.CmsLoginHelper;
import org.opencms.util.CmsMacroResolver;
import org.opencms.util.CmsRequestUtil;
import org.opencms.util.CmsStringUtil;
import org.opencms.workplace.CmsWorkplaceManager;

/* loaded from: input_file:org/opencms/security/CmsDefaultAuthorizationHandler.class */
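/**
 * Default authorization handler.
 *
 * <p>Authenticates a request from an HTTP Basic {@code Authorization} header (if browser based
 * authentication is enabled), registers the resulting {@link CmsObject} in the servlet session,
 * builds the login form URL including the (plain and encrypted) requested resource, and answers
 * unauthenticated requests either with a {@code 401 / WWW-Authenticate} challenge or with a
 * redirect to the form based login URI.</p>
 *
 * <p>Review notes on the decoding of Basic credentials: the Base64 payload is decoded as UTF-8
 * (the charset modern browsers send), a header without the {@code :} separator is rejected as
 * malformed instead of being passed on to {@code loginUser}, and the scheme prefix is matched
 * without depending on the default locale (an upper-casing of "basic" in a Turkish locale would
 * otherwise never match).</p>
 */
public class CmsDefaultAuthorizationHandler extends A_CmsAuthorizationHandler {

    /**
     * Handler parameter: comma separated list of request URI prefixes (macros are resolved) for
     * which a successful HTTP Basic login also initializes the workplace start settings.
     */
    public static final String PARAM_HTTP_BASICAUTH_USESTARTSETTINGS_PATHS = "http.basicauth.usestartsettings.paths";

    /**
     * Handler parameter: comma separated list of principals ({@code USER.}, {@code GROUP.} or
     * {@code ROLE.} prefixed, or {@code *} for everybody) for which the start settings are
     * initialized after an HTTP Basic login.
     */
    public static final String PARAM_HTTP_BASICAUTH_USESTARTSETTINGS_USERS = "http.basicauth.usestartsettings.users";

    /** Scheme prefix of an HTTP Basic {@code Authorization} header value, matched case-insensitively. */
    public static final String AUTHORIZATION_BASIC_PREFIX = "BASIC ";

    /** Name of the HTTP {@code Authorization} request header. */
    public static final String HEADER_AUTHORIZATION = "Authorization";

    /** Login form parameter that carries the encrypted requested resource. */
    public static final String PARAM_ENCRYPTED_REQUESTED_RESOURCE = "encryptedRequestedResource";

    /** Separator between user name and password in the decoded Basic credentials. */
    public static final String SEPARATOR_CREDENTIALS = ":";

    /**
     * Checks whether the given request path matches one of the configured path prefixes.
     *
     * @param path the request URI to check
     * @param pathSpec comma separated list of path prefixes, may contain macros; {@code null} or
     *     blank means "no path matches"
     * @return {@code true} if at least one configured prefix is a path prefix of {@code path}
     */
    protected static boolean checkPath(String path, String pathSpec) {
        if (CmsStringUtil.isEmptyOrWhitespaceOnly(pathSpec)) {
            return false;
        }
        String resolved = new CmsMacroResolver().resolveMacros(pathSpec);
        for (String entry : resolved.split(",")) {
            String prefix = entry.trim();
            if (prefix.isEmpty()) {
                // an empty entry (e.g. from "a,,b") carries no information and must never match
                continue;
            }
            if (CmsStringUtil.isPrefixPath(prefix, path)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks whether the current user of the given context matches one of the configured principals.
     *
     * <p>Entries are trimmed; {@code *} matches everybody, {@code USER.} entries are compared with
     * the current user name, {@code ROLE.} entries are checked via the role manager (a role name
     * without {@code /} is checked for the root organizational unit), {@code GROUP.} entries are
     * checked against the user's direct groups. Entries with an unknown prefix are ignored.</p>
     *
     * @param cms the context whose current user is checked
     * @param userSpec comma separated principal list; {@code null} or blank means "nobody"
     * @return {@code true} if the current user matches at least one entry
     */
    protected static boolean checkUser(CmsObject cms, String userSpec) {
        if (CmsStringUtil.isEmptyOrWhitespaceOnly(userSpec)) {
            return false;
        }
        String currentUser = cms.getRequestContext().getCurrentUser().getName();
        Set<String> groupNames = null; // loaded lazily on the first GROUP. entry
        for (String entry : userSpec.split(",")) {
            String principal = entry.trim();
            if ("*".equals(principal)) {
                return true;
            }
            if (principal.startsWith(I_CmsPrincipal.PRINCIPAL_USER)) {
                if (currentUser.equals(CmsUser.removePrefix(principal))) {
                    return true;
                }
            } else if (principal.startsWith(CmsRole.PRINCIPAL_ROLE)) {
                String roleName = CmsRole.removePrefix(principal);
                CmsRole role = CmsRole.valueOfRoleName(roleName);
                if (role == null) {
                    // unknown role name in the configuration grants nothing (defensive; the lookup
                    // may also throw for unknown names - confirm against CmsRole)
                    continue;
                }
                if (!roleName.contains("/")) {
                    role = role.forOrgUnit(null);
                }
                if (OpenCms.getRoleManager().hasRole(cms, role)) {
                    return true;
                }
            } else if (principal.startsWith(I_CmsPrincipal.PRINCIPAL_GROUP)) {
                if (groupNames == null) {
                    groupNames = readGroupNames(cms, currentUser);
                }
                if (groupNames.contains(CmsGroup.removePrefix(principal))) {
                    return true;
                }
            }
            // any other prefix is not a known principal type and is skipped
        }
        return false;
    }

    /**
     * Reads the names of the direct groups of the given user.
     *
     * @param cms the context used for reading
     * @param userName the user whose groups are read
     * @return the group names, or an empty set if reading fails (the failure is logged); never
     *     {@code null}, so a lookup failure denies instead of throwing a NullPointerException
     */
    private static Set<String> readGroupNames(CmsObject cms, String userName) {
        try {
            return cms.getGroupsOfUser(userName, false).stream()
                .map(CmsGroup::getName)
                .collect(Collectors.toSet());
        } catch (Exception e) {
            LOG.error(e.getLocalizedMessage(), e);
            return Collections.emptySet();
        }
    }

    /**
     * Builds the login form URL.
     *
     * <p>The result is {@code loginFormURL}, followed (when a callback URL is given) by
     * {@code ?requestedResource=<callbackURL>}, followed by the given extra parameters and, when a
     * callback URL is given and can be encrypted, by {@code encryptedRequestedResource=<encrypted>}.
     * No query delimiter is appended when there is nothing to append.</p>
     *
     * <p>NOTE(review): {@code callbackURL} is appended as given (it is URL-decoded before
     * encryption, so callers are expected to pass it URL-encoded); the encrypted value is appended
     * without further encoding - confirm that the encryption output is URL-safe.</p>
     *
     * @param loginFormURL the base URL of the login form, {@code null} yields {@code null}
     * @param params additional query parameters, {@code &}-separated, may be {@code null}
     * @param callbackURL the (URL-encoded) resource to return to after login, may be {@code null}
     * @return the login form URL, or {@code null} if no base URL was given
     */
    @Override // org.opencms.security.I_CmsAuthorizationHandler
    public String getLoginFormURL(String loginFormURL, String params, String callbackURL) {
        if (loginFormURL == null) {
            return null;
        }
        StringBuilder url = new StringBuilder(loginFormURL);
        if (callbackURL != null) {
            url.append(CmsRequestUtil.URL_DELIMITER)
                .append(CmsWorkplaceManager.PARAM_LOGIN_REQUESTED_RESOURCE)
                .append(CmsRequestUtil.PARAMETER_ASSIGNMENT)
                .append(callbackURL);
        }
        List<String> query = new ArrayList<>();
        if (params != null) {
            query.addAll(Arrays.asList(params.split(CmsRequestUtil.PARAMETER_DELIMITER)));
        }
        if (callbackURL != null) {
            try {
                String encrypted = OpenCms.getDefaultTextEncryption().encrypt(CmsEncoder.decode(callbackURL));
                query.add(PARAM_ENCRYPTED_REQUESTED_RESOURCE + CmsRequestUtil.PARAMETER_ASSIGNMENT + encrypted);
            } catch (CmsEncryptionException e) {
                // the plain requestedResource parameter is still present; only the encrypted copy is missing
                LOG.error(e.getLocalizedMessage(), e);
            }
        }
        if (!query.isEmpty()) {
            // the callback (if any) already opened the query string, so continue with "&"
            url.append(callbackURL != null ? CmsRequestUtil.PARAMETER_DELIMITER : CmsRequestUtil.URL_DELIMITER);
            url.append(String.join(CmsRequestUtil.PARAMETER_DELIMITER, query));
        }
        return url.toString();
    }

    /**
     * Initializes a {@link CmsObject} from the HTTP Basic credentials of the request and registers it
     * in the session.
     *
     * @param request the current request
     * @return the registered context (guest if no credentials were sent), or {@code null} if the
     *     credentials were rejected or the session registration failed
     */
    @Override // org.opencms.security.I_CmsAuthorizationHandler
    public CmsObject initCmsObject(HttpServletRequest request) {
        CmsObject cms = checkBasicAuthorization(request);
        if (cms == null) {
            return null;
        }
        try {
            return registerSession(request, cms);
        } catch (CmsException e) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(e.getLocalizedMessage(), e);
            }
            return null;
        }
    }

    /**
     * Same as {@link #initCmsObject(HttpServletRequest)}; this default handler does not use the
     * privileged login action.
     *
     * @param request the current request
     * @param privilegedLoginAction ignored by this implementation
     * @return see {@link #initCmsObject(HttpServletRequest)}
     */
    @Override // org.opencms.security.I_CmsAuthorizationHandler
    public CmsObject initCmsObject(
        HttpServletRequest request,
        I_CmsAuthorizationHandler.I_PrivilegedLoginAction privilegedLoginAction) {

        return initCmsObject(request);
    }

    /**
     * Returns the context already registered in the session, or logs in with the given credentials
     * and registers the new context in the session.
     *
     * @param request the current request
     * @param userName the user name to log in with (used only if no session context exists)
     * @param password the password to log in with
     * @return the session context, or the freshly logged in and registered context
     * @throws CmsException if the login or the session registration fails
     */
    @Override // org.opencms.security.I_CmsAuthorizationHandler
    public CmsObject initCmsObject(HttpServletRequest request, String userName, String password) throws CmsException {
        CmsObject sessionCms = initCmsObjectFromSession(request);
        if (sessionCms != null) {
            return sessionCms;
        }
        CmsObject cms = OpenCms.initCmsObject(OpenCms.getDefaultUsers().getUserGuest());
        cms.loginUser(userName, password);
        return registerSession(request, cms);
    }

    /**
     * Asks the client to authenticate.
     *
     * <p>With a {@code null} login form URL: sends a {@code 401} with a Basic challenge if browser
     * based authentication is configured, otherwise redirects to the configured form based login URI
     * (a {@code 500} is sent if neither is configured). With a given URL: redirects to it.</p>
     *
     * <p>NOTE(review): a caller-supplied {@code loginFormURL} is redirected to as is; callers must
     * not build it from untrusted request data.</p>
     *
     * @param request the current request
     * @param response the response to write the challenge or redirect to
     * @param loginFormURL the login form to redirect to, or {@code null} to use the configured mechanism
     * @throws IOException if sending the redirect fails
     */
    @Override // org.opencms.security.I_CmsAuthorizationHandler
    public void requestAuthorization(HttpServletRequest request, HttpServletResponse response, String loginFormURL)
    throws IOException {

        CmsHttpAuthenticationSettings settings = OpenCms.getSystemInfo().getHttpAuthenticationSettings();
        String target = loginFormURL;
        if (target == null) {
            if (settings.useBrowserBasedHttpAuthentication()) {
                response.setHeader(
                    CmsRequestUtil.HEADER_WWW_AUTHENTICATE,
                    "BASIC realm=\"" + OpenCms.getSystemInfo().getServerName() + "\"");
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            target = settings.getFormBasedHttpAuthenticationUri();
            if (target == null) {
                // neither browser based nor form based authentication is usable: configuration error
                LOG.error(
                    Messages.get().getBundle().key(
                        Messages.ERR_UNSUPPORTED_AUTHENTICATION_MECHANISM_1,
                        settings.getBrowserBasedAuthenticationMechanism()));
                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                return;
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(Messages.get().getBundle().key(Messages.LOG_AUTHENTICATE_PROPERTY_2, target, request.getRequestURI()));
        }
        response.sendRedirect(target);
    }

    /**
     * Creates a context from the HTTP Basic credentials of the request.
     *
     * <p>Returns a guest context if browser based authentication is disabled or the request carries
     * no Basic credentials. On a successful login the session is created and, for workplace requests
     * by element authors or for paths/users matching the handler parameters, the workplace start
     * settings are initialized in it.</p>
     *
     * @param request the current request
     * @return the (guest or logged in) context, or {@code null} if credentials were sent but are
     *     malformed or rejected
     */
    protected CmsObject checkBasicAuthorization(HttpServletRequest request) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking for basic authorization.");
        }
        try {
            CmsObject cms = OpenCms.initCmsObject(OpenCms.getDefaultUsers().getUserGuest());
            if (OpenCms.getSystemInfo().getHttpAuthenticationSettings().getBrowserBasedAuthenticationMechanism() == null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Browser based authorization not enabled.");
                }
                return cms;
            }
            String header = request.getHeader(HEADER_AUTHORIZATION);
            int prefixLength = AUTHORIZATION_BASIC_PREFIX.length();
            // case-insensitive, locale-independent match of the "BASIC " scheme prefix
            if ((header == null) || !header.regionMatches(true, 0, AUTHORIZATION_BASIC_PREFIX, 0, prefixLength)) {
                return cms;
            }
            // Base64 text is ASCII; the decoded "user:password" is interpreted as UTF-8
            byte[] decoded = Base64.decodeBase64(header.substring(prefixLength).getBytes(StandardCharsets.US_ASCII));
            String token = new String(decoded, StandardCharsets.UTF_8);
            int separator = token.indexOf(SEPARATOR_CREDENTIALS);
            if (separator == -1) {
                // malformed credentials: reject like a failed login, do not pass nulls to loginUser()
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Basic authorization header without credential separator rejected.");
                }
                return null;
            }
            String userName = token.substring(0, separator);
            String password = token.substring(separator + 1);
            cms.loginUser(userName, password);

            HttpSession session = request.getSession(true);
            String requestURI = request.getRequestURI();
            // NOTE(review): plain prefix test on the raw (non-normalized) request URI; it only
            // decides whether start settings are initialized, not what the user may access
            boolean isWorkplace = (requestURI.startsWith(OpenCms.getSystemInfo().getWorkplaceContext())
                || requestURI.startsWith(
                    CmsStringUtil.joinPaths(OpenCms.getSystemInfo().getOpenCmsContext(), "/system/workplace")))
                && OpenCms.getRoleManager().hasRole(cms, CmsRole.ELEMENT_AUTHOR);
            boolean initStartSettings = isWorkplace || shouldUseStartSettingsForHttpBasicAuth(cms, request);
            if (LOG.isDebugEnabled()) {
                LOG.debug("isWorkplace = " + isWorkplace);
                LOG.debug("initStartSettings = " + initStartSettings);
            }
            if (initStartSettings) {
                session.setAttribute(CmsWorkplaceManager.SESSION_WORKPLACE_SETTINGS, CmsLoginHelper.initSiteAndProject(cms));
            }
            return cms;
        } catch (CmsException e) {
            // failed login (or guest context creation): report "not authenticated"; never log the password
            if (LOG.isDebugEnabled()) {
                LOG.debug(e.getLocalizedMessage(), e);
            }
            return null;
        }
    }

    /**
     * Decides from the handler parameters whether the workplace start settings are initialized
     * after an HTTP Basic login.
     *
     * @param cms the logged in context
     * @param request the current request
     * @return {@code true} if both the request URI matches {@link #PARAM_HTTP_BASICAUTH_USESTARTSETTINGS_PATHS}
     *     and the current user matches {@link #PARAM_HTTP_BASICAUTH_USESTARTSETTINGS_USERS}
     */
    protected boolean shouldUseStartSettingsForHttpBasicAuth(CmsObject cms, HttpServletRequest request) {
        String userSpec = this.m_parameters.get(PARAM_HTTP_BASICAUTH_USESTARTSETTINGS_USERS);
        String pathSpec = this.m_parameters.get(PARAM_HTTP_BASICAUTH_USESTARTSETTINGS_PATHS);
        String requestURI = request.getRequestURI();
        if (!checkPath(requestURI, pathSpec)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("checkPath returned false for " + requestURI + ", pathSpec=" + pathSpec);
            }
            return false;
        }
        if (checkUser(cms, userSpec)) {
            return true;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(
                "checkUser returned false for "
                    + cms.getRequestContext().getCurrentUser().getName()
                    + ", userSpec = "
                    + userSpec);
        }
        return false;
    }
}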
