package com.sap.cloud.yaas.servicesdk.security.basicauthorization;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.sap.cloud.yaas.servicesdk.logging.audit.ServletAuditLogger;
import com.sap.cloud.yaas.servicesdk.patternsupport.common.ErrorResponses;
import com.sap.cloud.yaas.servicesdk.patternsupport.schemas.ErrorMessage;
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.Charset;
import java.util.Base64;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sap/cloud/yaas/servicesdk/security/basicauthorization/EnforceBasicAuthenticationFilter.class */
public class EnforceBasicAuthenticationFilter implements Filter {
    private static final String HTTP_AUTHORIZATION_HEADER = "Authorization";
    private static final String HTTP_AUTHENTICATE_HEADER = "WWW-Authenticate";
    private static final String BASIC_AUTH_SCHEME_PREFIX = "Basic ";
    private static final String BASIC_AUTHENTICATION_CREDENTIALS = "basicAuthenticationCredentials";
    private static final String HTTP_AUTHENTICATION_REALM = "httpAuthenticationRealm";
    private String quotedRealm;
    private Set<String> userLookupTable;
    private static final Logger LOG = LoggerFactory.getLogger(EnforceBasicAuthenticationFilter.class);
    private static final Charset UTF8 = Charset.forName("UTF-8");
    private static final Base64.Encoder BASE64_ENCODER = Base64.getEncoder();
    private static final ObjectMapper JSON_MAPPER = new ObjectMapper();
    private static final Pattern BASIC_AUTH_CREDENTIALS_PATTERN = Pattern.compile("^\\s*basic\\s+([a-z0-9+/]+={0,2})\\s*$", 2);
    private static final Pattern HTTP_QUOTED_PAIR_CHARACTERS_PATTERN = Pattern.compile("\\p{Cntrl}|\"");
    private static final Pattern REALM_PATTERN = Pattern.compile("^\\p{ASCII}*$");
    private static final Pattern USER_PATTERN = Pattern.compile("^[[\\u0020-\\u007E]&&[^:]]*$");
    private static final Pattern PASSWORD_PATTERN = Pattern.compile("^[\\u0020-\\u007E]*$");
    private static final Pattern USERID_AND_PASSWORD_CONFIG_PATTERN = Pattern.compile("^([^:]*):(.*)$");
    private static final Pattern USERID_AND_PASSWORD_CONFIG_DELIMITER = Pattern.compile("[\\s]+");

    public EnforceBasicAuthenticationFilter() {
        this.quotedRealm = "\"\"";
        this.userLookupTable = Collections.emptySet();
    }

    public EnforceBasicAuthenticationFilter(String str, Map<String, String> map) {
        this.quotedRealm = "\"\"";
        this.userLookupTable = Collections.emptySet();
        this.quotedRealm = prepareRealmQuotedString(str);
        this.userLookupTable = prepareUserLookupTable(map);
    }

    public EnforceBasicAuthenticationFilter(String str, String str2) {
        this.quotedRealm = "\"\"";
        this.userLookupTable = Collections.emptySet();
        this.quotedRealm = prepareRealmQuotedString(str);
        this.userLookupTable = prepareUserLookupTable(parseUsersAndPasswords(str2));
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        this.quotedRealm = prepareRealmQuotedString(filterConfig.getInitParameter(HTTP_AUTHENTICATION_REALM));
        this.userLookupTable = prepareUserLookupTable(parseUsersAndPasswords(filterConfig.getInitParameter(BASIC_AUTHENTICATION_CREDENTIALS)));
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (this.userLookupTable.isEmpty()) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (!(servletRequest instanceof HttpServletRequest)) {
            LOG.error("This Filter can only handle requests of type HttpServletRequest.");
            throw new ServletException("This Filter can only handle requests of type HttpServletRequest.");
        }
        if (servletResponse instanceof HttpServletResponse) {
            doHttpFilter((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse, filterChain);
        } else {
            LOG.error("This Filter can only handle responses of type HttpServletResponse.");
            throw new ServletException("This Filter can only handle responses of type HttpServletResponse.");
        }
    }

    private void doHttpFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (!httpServletRequest.isSecure()) {
            sendSslRequiredError(httpServletRequest, httpServletResponse);
        } else if (hasAuthorizedUser(httpServletRequest)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } else {
            sendChallenge(httpServletRequest, httpServletResponse);
        }
    }

    private boolean hasAuthorizedUser(HttpServletRequest httpServletRequest) {
        Iterator it = Collections.list(httpServletRequest.getHeaders(HTTP_AUTHORIZATION_HEADER)).iterator();
        while (it.hasNext()) {
            Matcher matcher = BASIC_AUTH_CREDENTIALS_PATTERN.matcher((String) it.next());
            if (matcher.matches()) {
                if (this.userLookupTable.contains(matcher.group(1))) {
                    return true;
                }
            }
        }
        return false;
    }

    private void sendChallenge(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        ServletAuditLogger.newInstance(LOG, new String[]{"BasicAuth"}).addRequest(httpServletRequest).warn("YaaS Basic Authentication for trusted clients failed due to missing or unauthorized credentials. Ignoring request and responding with HTTP Status 401 instead.", new Object[0]);
        ErrorMessage errorMessage = new ErrorMessage();
        errorMessage.setStatus(401);
        errorMessage.setMessage("YaaS Basic Authentication for trusted clients failed. Retry with authorized credentials, or, consider using the YaaS API Proxy and OAuth2 instead.");
        errorMessage.setType("insufficient_credentials");
        errorMessage.setMoreInfo(ErrorResponses.DOCUMENTATION_LINK);
        errorMessage.setDetails(Collections.emptyList());
        httpServletResponse.setStatus(401);
        httpServletResponse.setContentType("application/json");
        httpServletResponse.addHeader(HTTP_AUTHENTICATE_HEADER, "Basic realm=" + this.quotedRealm);
        PrintWriter writer = httpServletResponse.getWriter();
        Throwable th = null;
        try {
            try {
                writer.append((CharSequence) toJson(errorMessage));
                if (writer != null) {
                    if (0 == 0) {
                        writer.close();
                        return;
                    }
                    try {
                        writer.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (writer != null) {
                if (th != null) {
                    try {
                        writer.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    writer.close();
                }
            }
            throw th4;
        }
    }

    private void sendSslRequiredError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        ServletAuditLogger.newInstance(LOG, new String[]{"BasicAuth"}).addRequest(httpServletRequest).warn("YaaS Basic Authentication for trusted clients failed due to insecure (i.e. non-SSL) connection. Ignoring request and responding with HTTP Status 403 instead.", new Object[0]);
        ErrorMessage errorMessage = new ErrorMessage();
        errorMessage.setStatus(403);
        errorMessage.setMessage("This request requires YaaS Basic Authentication and thus required the use of SSL. Please try again using the https protocol, and never send Basic Authentication credentials over non-https connections.");
        errorMessage.setType("insufficient_permissions");
        errorMessage.setMoreInfo(ErrorResponses.DOCUMENTATION_LINK);
        errorMessage.setDetails(Collections.emptyList());
        httpServletResponse.setStatus(403);
        httpServletResponse.setContentType("application/json");
        PrintWriter writer = httpServletResponse.getWriter();
        Throwable th = null;
        try {
            try {
                writer.append((CharSequence) toJson(errorMessage));
                if (writer != null) {
                    if (0 == 0) {
                        writer.close();
                        return;
                    }
                    try {
                        writer.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (writer != null) {
                if (th != null) {
                    try {
                        writer.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    writer.close();
                }
            }
            throw th4;
        }
    }

    private static String prepareRealmQuotedString(String str) {
        if (str == null) {
            LOG.error("Realm may not be null.");
            throw new IllegalArgumentException("Realm may not be null.");
        }
        if (!REALM_PATTERN.matcher(str).matches()) {
            String str2 = "Given realm '" + str + "', which does not match the pattern " + REALM_PATTERN + ". Only ASCII characters are allowed.";
            LOG.error(str2);
            throw new IllegalArgumentException(str2);
        }
        StringBuffer stringBuffer = new StringBuffer();
        stringBuffer.append('\"');
        stringBuffer.append(HTTP_QUOTED_PAIR_CHARACTERS_PATTERN.matcher(str).replaceAll("\\\\$0"));
        stringBuffer.append('\"');
        return stringBuffer.toString();
    }

    private static Set<String> prepareUserLookupTable(Map<String, String> map) {
        if (map == null || map.isEmpty()) {
            ServletAuditLogger.newInstance(LOG, new String[]{"Configuration"}).warn("Filter has been configured without any authorized userids and passwords. Thus it has been rendered inactive, and will NOT enforce HTTP Basic Authentication.\n This is a configuration flaw that most likely renders your service vulnerable to unauthorized access.\n (Inactive mode is intended for development and testing purposes only; please configure at least one pair of user and password in any other situation!)", new Object[0]);
            return Collections.emptySet();
        }
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        for (Map.Entry<String, String> entry : map.entrySet()) {
            String key = entry.getKey();
            String value = entry.getValue();
            if (!USER_PATTERN.matcher(key).matches()) {
                String str = "Given userids and passwords contains userid '" + key + "', which does not match the pattern " + USER_PATTERN + ". Only ASCII characters are allowed, excluding control-characters and the colon (:).";
                LOG.error(str);
                throw new IllegalArgumentException(str);
            }
            if (!PASSWORD_PATTERN.matcher(value).matches()) {
                String str2 = "Given userids and passwords contains a password that does not match the pattern " + PASSWORD_PATTERN + ". Only ASCII characters are allowed, excluding control-characters.";
                LOG.error(str2);
                throw new IllegalArgumentException(str2);
            }
            linkedHashSet.add(new String(BASE64_ENCODER.encode((key + ":" + value).getBytes(UTF8)), UTF8));
        }
        ServletAuditLogger.newInstance(LOG, new String[]{"Configuration"}).info("Filter has been configured to enforce HTTP Basic Authentication. The following userids are authorized, when using their respective passwords:{}", new Object[]{map.keySet().stream().collect(Collectors.joining("\n", "\n", ""))});
        return Collections.unmodifiableSet(linkedHashSet);
    }

    public static Map<String, String> parseUsersAndPasswords(String str) {
        if (str == null) {
            LOG.error("The uses and passwords list may not be null.");
            throw new IllegalArgumentException("The uses and passwords list may not be null.");
        }
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        for (String str2 : USERID_AND_PASSWORD_CONFIG_DELIMITER.split(str)) {
            if (str2 != null && !str2.isEmpty()) {
                Matcher matcher = USERID_AND_PASSWORD_CONFIG_PATTERN.matcher(str2);
                if (matcher.matches()) {
                    linkedHashMap.put(matcher.group(1), matcher.group(2));
                } else {
                    LOG.warn("Ignoring malformed entry of authorized users and passwords configuration. Expected a pair of the form <username>:<password>, consisting of non-control, non-white-space, ASCII characters. (Other white-space delimited entries are being processed normally, unless reported separately.)");
                }
            }
        }
        return linkedHashMap;
    }

    private static String toJson(Object obj) throws IllegalArgumentException {
        try {
            return JSON_MAPPER.writeValueAsString(obj);
        } catch (JsonProcessingException e) {
            throw new IllegalArgumentException("Failed to serialize value " + obj + " to JSON.", e);
        }
    }
}
