package org.artifactory.webapp.servlet.authentication;

import java.io.IOException;
import java.util.Objects;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.artifactory.api.security.UserInfoBuilder;
import org.artifactory.security.SimpleUser;
import org.artifactory.security.signature.SignedUrlAuthenticationToken;
import org.artifactory.signature.SignedUrlService;
import org.artifactory.webapp.servlet.RequestUtils;
import org.jfrog.client.util.PathUtils;
import org.jfrog.storage.binstore.exceptions.SignedUrlException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;

/* loaded from: input_file:org/artifactory/webapp/servlet/authentication/ArtifactorySignedUrlAuthenticationFilter.class */
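/**
 * Servlet filter that authenticates download requests carrying a signed-URL
 * signature in the {@code sig} query parameter.
 *
 * <p>The signature is verified through {@link SignedUrlService}; on success a
 * {@link SignedUrlAuthenticationToken} for a transient user is placed in the
 * Spring Security context and the request continues down the chain. On failure
 * the request is rejected with HTTP 403.
 *
 * <p>The signature value acts as a credential for the signed path, so it is
 * never written to the logs by this class.
 */
public class ArtifactorySignedUrlAuthenticationFilter implements ArtifactoryAuthenticationFilter {
    private static final Logger log = LoggerFactory.getLogger(ArtifactorySignedUrlAuthenticationFilter.class);

    /** Name of the query parameter that carries the URL signature. */
    private static final String SIGNATURE_PARAM = "sig";

    private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();

    @Autowired
    SignedUrlService signedUrlService;

    /** No initialisation is needed. */
    public void init(FilterConfig filterConfig) {
    }

    /**
     * Always reports that re-authentication is required, so an existing
     * {@link Authentication} is never treated as sufficient for a signed URL.
     */
    @Override // org.artifactory.webapp.servlet.authentication.ArtifactoryAuthenticationFilter
    public boolean requiresReAuthentication(ServletRequest servletRequest, Authentication authentication) {
        return true;
    }

    /**
     * Accepts a request when it is a download request (see
     * {@link #isDownloadRequest}) and has a non-blank {@code sig} parameter.
     */
    @Override // org.artifactory.webapp.servlet.authentication.ArtifactoryAuthenticationFilter
    public boolean acceptFilter(ServletRequest servletRequest) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        return isDownloadRequest(httpServletRequest)
                && StringUtils.isNotBlank(httpServletRequest.getParameter(SIGNATURE_PARAM));
    }

    /**
     * A request counts as a download when its servlet path is not {@code /api}
     * and it is not a UI request.
     */
    private boolean isDownloadRequest(HttpServletRequest httpServletRequest) {
        return !(httpServletRequest.getServletPath().equals("/api") || RequestUtils.isUiRequest(httpServletRequest));
    }

    /** Returns {@code null}: this filter supplies no cache key. */
    @Override // org.artifactory.webapp.servlet.authentication.ArtifactoryAuthenticationFilter
    public String getCacheKey(ServletRequest servletRequest) {
        return null;
    }

    /** Returns {@code null}: this filter supplies no login identifier. */
    @Override // org.artifactory.webapp.servlet.authentication.ArtifactoryAuthenticationFilter
    public String getLoginIdentifier(ServletRequest servletRequest) {
        return null;
    }

    /**
     * Verifies the signature against the requested path and, on success,
     * continues the chain as the transient user built from the verification
     * result.
     *
     * <p>Only the verification step is guarded by the 403 handling. Failures
     * raised further down the chain propagate to the caller instead of being
     * reported to the client as an authentication failure.
     *
     * @throws IOException if sending the error response or the downstream chain fails
     * @throws ServletException if the downstream chain fails
     * @throws NullPointerException if the trimmed servlet path is {@code null}
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        String repoPath = (String) Objects.requireNonNull(PathUtils.trimLeadingSlashes(httpRequest.getServletPath()), "Servlet path should not be null");
        String signature = servletRequest.getParameter(SIGNATURE_PARAM);

        SignedUrlAuthenticationToken token;
        try {
            // Log the path only: the signature itself grants access and must not end up in log files.
            log.trace("Trying to authenticate signed URL for repo path {}", repoPath);
            token = new SignedUrlAuthenticationToken(
                    new SimpleUser(
                            new UserInfoBuilder(this.signedUrlService.verifySignedToken(repoPath, signature))
                                    .transientUser()
                                    .build()),
                    signature);
            token.setDetails(this.authenticationDetailsSource.buildDetails(httpRequest));
        } catch (SignedUrlException e) {
            // NOTE(review): the verification message is returned to the client as before;
            // confirm it does not reveal more about the failed check than intended.
            sendForbiddenError(servletResponse, "Authentication of signed URL failed: " + e.getMessage());
            return;
        } catch (Exception e) {
            // Unexpected failure: keep the detail in the server log and give the client a generic reason.
            log.debug("Unable to authenticate signed URL for repo path {}", repoPath, e);
            sendForbiddenError(servletResponse, "Authentication of signed URL failed for repo path " + repoPath);
            return;
        }

        SecurityContextHolder.getContext().setAuthentication(token);
        log.trace("Authentication of signed URL for repo path {} succeeded", repoPath);
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Logs the reason at debug level and answers the request with HTTP 403.
     *
     * @throws IOException if the error response cannot be sent
     */
    private void sendForbiddenError(ServletResponse servletResponse, String str) throws IOException {
        log.debug(str);
        ((HttpServletResponse) servletResponse).sendError(HttpServletResponse.SC_FORBIDDEN, str);
    }

    /** Nothing to release. */
    public void destroy() {
    }
}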
