package org.neo4j.server.rest.security;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.neo4j.server.configuration.Configurator;

/* loaded from: input_file:org/neo4j/server/rest/security/SecurityFilter.class */
public class SecurityFilter implements Filter {
    private final HashMap<UriPathWildcardMatcher, HashSet<ForbiddingSecurityRule>> rules;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/neo4j/server/rest/security/SecurityFilter$ForbiddenRuleDecorator.class */
    public static class ForbiddenRuleDecorator implements ForbiddingSecurityRule {
        private final SecurityRule innerRule;

        public ForbiddenRuleDecorator(SecurityRule securityRule) {
            this.innerRule = securityRule;
        }

        @Override // org.neo4j.server.rest.security.ForbiddingSecurityRule
        public boolean isForbidden(HttpServletRequest httpServletRequest) {
            return false;
        }

        @Override // org.neo4j.server.rest.security.SecurityRule
        public boolean isAuthorized(HttpServletRequest httpServletRequest) {
            return this.innerRule.isAuthorized(httpServletRequest);
        }

        @Override // org.neo4j.server.rest.security.SecurityRule
        public String forUriPath() {
            return this.innerRule.forUriPath();
        }

        @Override // org.neo4j.server.rest.security.SecurityRule
        public String wwwAuthenticateHeader() {
            return this.innerRule.wwwAuthenticateHeader();
        }
    }

    public SecurityFilter(SecurityRule securityRule, SecurityRule... securityRuleArr) {
        this(merge(securityRule, securityRuleArr));
    }

    public SecurityFilter(Iterable<SecurityRule> iterable) {
        this.rules = new HashMap<>();
        for (SecurityRule securityRule : iterable) {
            String forUriPath = securityRule.forUriPath();
            UriPathWildcardMatcher uriPathWildcardMatcher = new UriPathWildcardMatcher(forUriPath.endsWith("*") ? forUriPath : forUriPath + "*");
            HashSet<ForbiddingSecurityRule> hashSet = this.rules.get(uriPathWildcardMatcher);
            if (hashSet == null) {
                hashSet = new HashSet<>();
                this.rules.put(uriPathWildcardMatcher, hashSet);
            }
            hashSet.add(fromSecurityRule(securityRule));
        }
    }

    private static ForbiddingSecurityRule fromSecurityRule(SecurityRule securityRule) {
        return securityRule instanceof ForbiddingSecurityRule ? (ForbiddingSecurityRule) securityRule : new ForbiddenRuleDecorator(securityRule);
    }

    private static Iterable<SecurityRule> merge(SecurityRule securityRule, SecurityRule[] securityRuleArr) {
        ArrayList arrayList = new ArrayList();
        arrayList.add(securityRule);
        Collections.addAll(arrayList, securityRuleArr);
        return arrayList;
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        validateRequestType(servletRequest);
        validateResponseType(servletResponse);
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        String str = httpServletRequest.getContextPath() + (httpServletRequest.getPathInfo() == null ? Configurator.DEFAULT_WEBSERVER_KEYSTORE_PATH : httpServletRequest.getPathInfo());
        boolean z = false;
        for (UriPathWildcardMatcher uriPathWildcardMatcher : this.rules.keySet()) {
            if (uriPathWildcardMatcher.matches(str)) {
                Iterator<ForbiddingSecurityRule> it = this.rules.get(uriPathWildcardMatcher).iterator();
                while (it.hasNext()) {
                    ForbiddingSecurityRule next = it.next();
                    if (!next.isAuthorized(httpServletRequest)) {
                        createUnauthorizedChallenge(servletResponse, next);
                        return;
                    }
                    z |= next.isForbidden(httpServletRequest);
                }
            }
        }
        if (z) {
            createForbiddenResponse(servletResponse);
        } else {
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    private void validateRequestType(ServletRequest servletRequest) throws ServletException {
        if (!(servletRequest instanceof HttpServletRequest)) {
            throw new ServletException(String.format("Expected HttpServletRequest, received [%s]", servletRequest.getClass().getCanonicalName()));
        }
    }

    private void validateResponseType(ServletResponse servletResponse) throws ServletException {
        if (!(servletResponse instanceof HttpServletResponse)) {
            throw new ServletException(String.format("Expected HttpServletResponse, received [%s]", servletResponse.getClass().getCanonicalName()));
        }
    }

    private void createUnauthorizedChallenge(ServletResponse servletResponse, SecurityRule securityRule) {
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        httpServletResponse.setStatus(401);
        httpServletResponse.addHeader("WWW-Authenticate", securityRule.wwwAuthenticateHeader());
    }

    private void createForbiddenResponse(ServletResponse servletResponse) {
        ((HttpServletResponse) servletResponse).setStatus(403);
    }

    public synchronized void destroy() {
        this.rules.clear();
    }

    public static String basicAuthenticationResponse(String str) {
        return "Basic realm=\"" + str + "\"";
    }
}
