package org.apache.sling.cms.core.internal.filters;

import java.io.IOException;
import java.security.Principal;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.cms.CMSUtils;
import org.apache.sling.cms.PublishableResource;
import org.apache.sling.cms.publication.PUBLICATION_MODE;
import org.apache.sling.cms.publication.PublicationManagerFactory;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

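/**
 * Request-scoped servlet filter that enforces the registered {@link CMSSecurityConfigInstance}
 * rules.
 *
 * <p>The filter only acts when the publication mode is {@link PUBLICATION_MODE#STANDALONE}; in
 * any other mode every request is passed down the chain untouched. For each config that applies
 * to the request, the request is let through if the URI matches the config's allow patterns, the
 * publishable resource resolved for the request is published, or the user is authenticated
 * (and, when the config names a group, is a member of that group). Otherwise the filter answers
 * {@link HttpServletResponse#SC_UNAUTHORIZED} and does not invoke the rest of the chain.
 *
 * <p>Every failure to resolve the user, its session or its groups is treated as "not allowed"
 * (fail closed) rather than as an error that escapes the filter.
 */
@Component(service = {Filter.class}, property = {"sling.filter.scope=request"}, immediate = true)
public class CMSSecurityFilter implements Filter {

    private static final Logger log = LoggerFactory.getLogger(CMSSecurityFilter.class);

    /** User ID the Sling resource resolver reports for unauthenticated requests. */
    private static final String ANONYMOUS_USER_ID = "anonymous";

    @Reference(cardinality = ReferenceCardinality.MULTIPLE, policyOption = ReferencePolicyOption.GREEDY)
    private List<CMSSecurityConfigInstance> securityConfigInstances;

    @Reference
    private PublicationManagerFactory pubMgrFactory;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // nothing to initialise: all configuration arrives through the OSGi references above
    }

    /**
     * Applies the security configs to the request and either rejects it with 401 or continues
     * the filter chain.
     *
     * @param servletRequest the request; expected to be a {@link SlingHttpServletRequest} because
     *     the filter is registered with request scope
     * @param servletResponse the response the 401 is written to when the request is rejected
     * @param filterChain the remaining chain, invoked only when the request is allowed
     * @throws IOException if the chain or {@code sendError} fails
     * @throws ServletException if the chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        PUBLICATION_MODE mode = this.pubMgrFactory.getPublicationMode();
        if (mode != PUBLICATION_MODE.STANDALONE) {
            log.trace("Publication mode {} is not standalone", mode);
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        SlingHttpServletRequest request = (SlingHttpServletRequest) servletRequest;
        for (CMSSecurityConfigInstance config : this.securityConfigInstances) {
            log.trace("Checking to see if security config {} applies to request", config);
            if (config.applies(request) && !checkAllowed(config, request)) {
                log.trace("Request to {} not allowed for user {}", request.getRequestURI(),
                        request.getResourceResolver().getUserID());
                // 401 (not 403) is kept deliberately so the container's authentication
                // handling gets a chance to prompt for credentials
                ((HttpServletResponse) servletResponse).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Decides whether a request that {@code config} applies to may proceed.
     *
     * @param config the security config whose rules are evaluated
     * @param request the current request
     * @return {@code true} if the URI is on the allow list, the resolved publishable resource is
     *     published, or the user passes the authentication / group requirement
     */
    private boolean checkAllowed(CMSSecurityConfigInstance config, SlingHttpServletRequest request) {
        log.trace("Filtering requests to host {}", request.getServerName());
        String requestURI = request.getRequestURI();

        if (config.isUriAllowed(requestURI)) {
            log.trace("Allowing request to uri {} based on allow patterns", requestURI);
            return true;
        }
        if (isPublished(request)) {
            log.trace("Resource is published, request to {} allowed", requestURI);
            return true;
        }

        log.trace("Request to {} not public, checking user permissions", requestURI);
        if (StringUtils.isNotBlank(config.getGroupName())) {
            return checkGroupMembership(config, request);
        }
        // no group configured: any authenticated (non-anonymous) user may proceed
        return !ANONYMOUS_USER_ID.equals(request.getResourceResolver().getUserID());
    }

    /**
     * Whether the publishable resource {@link CMSUtils#findPublishableParent} resolves for the
     * request's resource exists, adapts to {@link PublishableResource} and is published.
     */
    private static boolean isPublished(SlingHttpServletRequest request) {
        PublishableResource publishable = Optional
                .ofNullable(CMSUtils.findPublishableParent(request.getResource()))
                .map(resource -> resource.adaptTo(PublishableResource.class))
                .orElse(null);
        return publishable != null && publishable.isPublished();
    }

    /**
     * Checks that the requesting user is a member of the group named by {@code config}.
     *
     * <p>Fails closed: a missing Jackrabbit session, a request without a principal, a principal
     * that does not resolve to a {@link User}, or a {@link RepositoryException} all yield
     * {@code false}. Membership is tested via {@link User#memberOf()}, i.e. including inherited
     * group memberships.
     *
     * @param config the config carrying the required group name (assumed non-blank by the caller)
     * @param request the current request, used to obtain the session and the user principal
     * @return {@code true} only if the user was resolved and belongs to the group
     */
    private boolean checkGroupMembership(CMSSecurityConfigInstance config, SlingHttpServletRequest request) {
        String groupName = config.getGroupName();
        try {
            Session session = request.getResourceResolver().adaptTo(Session.class);
            UserManager userManager = null;
            if (session instanceof JackrabbitSession) {
                userManager = ((JackrabbitSession) session).getUserManager();
            }
            if (userManager == null) {
                log.warn("Unable to retrieve user manager");
                return false;
            }
            log.trace("Retrieved user manager {} with session {}", userManager, session);

            // an unauthenticated request carries no principal; treat it as "not a member" instead
            // of letting a null lookup escape as an unhandled exception
            Principal principal = request.getUserPrincipal();
            if (principal == null) {
                log.trace("No user principal on request to {}", request.getRequestURI());
                return false;
            }

            Authorizable authorizable = userManager.getAuthorizable(principal);
            if (!(authorizable instanceof User)) {
                log.warn("Unable to retrieve user from principal {}", principal);
                return false;
            }
            User user = (User) authorizable;
            log.trace("Checking to see if user {} is in required group {}", user.getID(), groupName);

            Iterator<Group> groups = user.memberOf();
            while (groups.hasNext()) {
                if (groupName.equals(groups.next().getID())) {
                    return true;
                }
            }
            return false;
        } catch (RepositoryException e) {
            log.error("Unexpected exception checking group membership", e);
            return false;
        }
    }

    @Override
    public void destroy() {
        // no resources to release
    }
}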
