package org.neo4j.server.rest.dbms;

import java.io.IOException;
import java.util.Arrays;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.neo4j.helpers.collection.MapUtil;
import org.neo4j.kernel.api.exceptions.Status;
import org.neo4j.kernel.impl.util.Charsets;
import org.neo4j.server.rest.domain.JsonHelper;
import org.neo4j.server.rest.security.UriPathWildcardMatcher;
import org.neo4j.server.security.auth.SecurityCentral;

/* loaded from: input_file:org/neo4j/server/rest/dbms/AuthorizationFilter.class */
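/**
 * Servlet filter that gates the REST API behind an authorization token.
 *
 * <p>A request is let through when either holds: the {@code Authorization}
 * header carries a token that {@link SecurityCentral} maps to a user whose
 * privileges grant {@code APIAccess}, or the request path matches one of the
 * {@link #whitelist} patterns. Every other request is answered with one of the
 * JSON error replies in {@link ErrorType} and never reaches the filter chain.
 *
 * <p>The whitelisted paths (the authentication endpoint, the browser/webadmin
 * UI, the per-user password and authorization-token endpoints, and the root)
 * are reachable without a token; any endpoint on that list that changes user
 * state has to perform its own credential check, because this filter does not.
 *
 * <p>Holds no mutable state beyond the injected {@code SecurityCentral}, so a
 * single instance can serve concurrent requests as long as that dependency can.
 */
public class AuthorizationFilter implements Filter {
    /** Paths that may be requested without a valid token. */
    private final UriPathWildcardMatcher[] whitelist = {
            new UriPathWildcardMatcher(AuthenticationService.AUTHENTICATION_PATH),
            new UriPathWildcardMatcher("/browser*"),
            new UriPathWildcardMatcher("/webadmin*"),
            new UriPathWildcardMatcher("/user/*/authorization_token"),
            new UriPathWildcardMatcher("/user/*/password"),
            new UriPathWildcardMatcher("/")
    };
    private final SecurityCentral security;

    /**
     * The rejection replies this filter can send.
     *
     * <p>Each constant fixes the HTTP status, whether the reply is an
     * authentication challenge (adds a {@code WWW-Authenticate} header and an
     * {@code authentication} URI to the body), the Neo4j status code, and the
     * human-readable message. The JSON body is assembled from those in
     * {@link #body(String)} instead of being hand-built per constant.
     */
    public enum ErrorType {
        /** No {@code Authorization} header was present. */
        NO_HEADER(401, true, Status.Security.AuthorizationFailed, "No authorization token supplied."),
        /** A token was supplied but did not grant API access. */
        INVALID_TOKEN(401, true, Status.Security.AuthorizationFailed, "Invalid authorization token supplied."),
        /** The header was present but no token could be extracted from it. */
        BAD_HEADER(400, false, Status.Request.InvalidFormat, "Invalid Authorization header.");

        private final int statusCode;
        private final boolean challenge;
        private final Status status;
        private final String message;

        /**
         * @param statusCode HTTP status sent with the reply
         * @param challenge  {@code true} to add the {@code WWW-Authenticate} header
         *                   and the {@code authentication} URI to the body
         * @param status     Neo4j status whose serialized code goes into the body
         * @param message    message placed next to the code in the body
         */
        ErrorType(int statusCode, boolean challenge, Status status, String message) {
            this.statusCode = statusCode;
            this.challenge = challenge;
            this.status = status;
            this.message = message;
        }

        /**
         * Writes this error as a JSON response.
         *
         * <p>The {@code authentication} URI in the body is built from the request
         * scheme and the client-supplied {@code Host} header, i.e. it echoes
         * attacker-controlled input back to the caller. The body is therefore
         * labelled as JSON so a browser has no reason to sniff its type.
         *
         * <p>Touches only final fields and the per-request objects it is handed,
         * so no synchronization is needed; the lock the original held on the
         * enum constant would have serialized every reply of this type across
         * the whole server.
         *
         * @param response response to populate; status, headers and body are set
         * @param request  request being rejected; supplies scheme and Host
         * @throws IOException if writing the body fails
         */
        void reply(HttpServletResponse response, HttpServletRequest request) throws IOException {
            response.setStatus(statusCode);
            if (challenge) {
                response.addHeader("WWW-Authenticate", "None");
            }
            response.setContentType("application/json; charset=UTF-8");
            String authenticationUri = request.getScheme() + "://" + request.getHeader("Host")
                    + AuthenticationService.AUTHENTICATION_PATH;
            byte[] payload = JsonHelper.createJsonFrom(body(authenticationUri)).getBytes(Charsets.UTF_8);
            response.getOutputStream().write(payload);
        }

        /**
         * Builds the JSON-serializable body for this error.
         *
         * @param authenticationUri absolute URI of the authentication endpoint;
         *                          only included when this error is a challenge
         * @return a map with an {@code errors} list holding one {@code code}/{@code message}
         *         entry, plus {@code authentication} for challenge errors
         */
        Object body(String authenticationUri) {
            Object error = MapUtil.map("code", status.code().serialize(), "message", message);
            if (challenge) {
                return MapUtil.map("errors", Arrays.asList(error), "authentication", authenticationUri);
            }
            return MapUtil.map("errors", Arrays.asList(error));
        }
    }

    /**
     * @param securityCentral resolves tokens to users; consulted on every request
     *                        that carries an {@code Authorization} header
     */
    public AuthorizationFilter(SecurityCentral securityCentral) {
        this.security = securityCentral;
    }

    /** Nothing to initialise; all dependencies arrive through the constructor. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Passes the request down the chain if it is authorized or whitelisted,
     * otherwise answers with the matching {@link ErrorType} and stops.
     *
     * <p>The token is checked before the whitelist, so a presented token is
     * always validated by {@link SecurityCentral} even on whitelisted paths;
     * the order is kept so any side effects of that lookup are unchanged.
     *
     * @throws ServletException if the request or response is not HTTP
     * @throws IOException      if writing an error reply fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        validateRequestType(servletRequest);
        validateResponseType(servletResponse);
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (authorized(request) || whitelisted(request)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        errorType(request).reply(response, request);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Whether the request path matches one of the {@link #whitelist} patterns.
     *
     * <p>The matched string is {@code contextPath + pathInfo} (servlet path is
     * not included), which presumes the filter is mapped so that {@code pathInfo}
     * carries the full path under the context — confirm against the deployment.
     * A {@code null} pathInfo is treated as the empty string, so a bare context
     * root can still match the {@code "/"} entry.
     */
    private boolean whitelisted(HttpServletRequest request) {
        String pathInfo = request.getPathInfo();
        String path = request.getContextPath() + (pathInfo == null ? "" : pathInfo);
        for (UriPathWildcardMatcher matcher : whitelist) {
            if (matcher.matches(path)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether the request carries a token that resolves to a user with API access.
     *
     * <p>Any non-null token, including an empty one from a malformed header, is
     * handed to {@link SecurityCentral#userForToken}. NOTE(review): this assumes
     * {@code userForToken} never returns {@code null} for unknown tokens — verify,
     * otherwise an unknown token would surface as an NPE rather than a 401.
     */
    private boolean authorized(HttpServletRequest request) {
        String token = extractToken(request);
        return token != null && security.userForToken(token).privileges().APIAccess();
    }

    /**
     * Chooses the error for a rejected request from what {@link #extractToken}
     * yields: no header gives {@link ErrorType#NO_HEADER}, a header with no
     * extractable token gives {@link ErrorType#BAD_HEADER}, anything else is
     * {@link ErrorType#INVALID_TOKEN}.
     */
    private ErrorType errorType(HttpServletRequest request) {
        String token = extractToken(request);
        if (token == null) {
            return ErrorType.NO_HEADER;
        }
        if (token.isEmpty()) {
            return ErrorType.BAD_HEADER;
        }
        return ErrorType.INVALID_TOKEN;
    }

    /**
     * Pulls the token out of the {@code Authorization} header.
     *
     * @return {@code null} when the header is absent; otherwise whatever
     *         {@code AuthenticateHeaders.extractToken} returns — judging by
     *         {@link #errorType}, an empty string when the header is malformed
     */
    private String extractToken(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header == null) {
            return null;
        }
        return AuthenticateHeaders.extractToken(header);
    }

    /** @throws ServletException if the container handed us a non-HTTP request */
    private void validateRequestType(ServletRequest servletRequest) throws ServletException {
        if (!(servletRequest instanceof HttpServletRequest)) {
            throw new ServletException(String.format("Expected HttpServletRequest, received [%s]",
                    servletRequest.getClass().getCanonicalName()));
        }
    }

    /** @throws ServletException if the container handed us a non-HTTP response */
    private void validateResponseType(ServletResponse servletResponse) throws ServletException {
        if (!(servletResponse instanceof HttpServletResponse)) {
            throw new ServletException(String.format("Expected HttpServletResponse, received [%s]",
                    servletResponse.getClass().getCanonicalName()));
        }
    }
}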
