package org.neo4j.server.rest.dbms;

import java.io.IOException;
import java.util.Arrays;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.UriBuilder;
import org.neo4j.helpers.collection.MapUtil;
import org.neo4j.kernel.api.exceptions.Status;
import org.neo4j.kernel.impl.util.Charsets;
import org.neo4j.kernel.logging.ConsoleLogger;
import org.neo4j.server.rest.domain.JsonHelper;
import org.neo4j.server.rest.security.UriPathWildcardMatcher;
import org.neo4j.server.rrd.RrdFactory;
import org.neo4j.server.security.auth.AuthManager;
import org.neo4j.server.security.auth.AuthenticationResult;
import org.neo4j.server.web.XForwardUtil;

/* loaded from: input_file:org/neo4j/server/rest/dbms/AuthorizationFilter.class */
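/**
 * Servlet filter that enforces HTTP Basic authentication in front of the REST endpoints.
 *
 * <p>Request handling, as implemented in {@link #doFilter}:
 * <ol>
 *   <li>{@code OPTIONS} requests and paths matching {@link #whitelist} are forwarded without any
 *       credential check.</li>
 *   <li>A missing {@code Authorization} header yields 401, an undecodable one yields 400.</li>
 *   <li>The decoded username/password pair is handed to {@link AuthManager#authenticate}; the
 *       result decides between forwarding, 403 (password change required), 429 (rate limited)
 *       and 401 (anything else).</li>
 * </ol>
 *
 * <p>Review notes for operators and maintainers:
 * <ul>
 *   <li>The whitelist decision is made on {@code contextPath + pathInfo}. How
 *       {@code UriPathWildcardMatcher} treats encoded or dot-segment paths is not visible here;
 *       confirm that the container normalises the path before this filter sees it.</li>
 *   <li>Every {@code OPTIONS} request bypasses authentication, so nothing behind this filter
 *       should perform work or disclose data in its {@code OPTIONS} handler.</li>
 * </ul>
 */
public class AuthorizationFilter implements Filter {
    /** Paths served without authentication (the static UI bundles and the root resource). */
    private final UriPathWildcardMatcher[] whitelist = {new UriPathWildcardMatcher("/browser*"), new UriPathWildcardMatcher("/webadmin*"), new UriPathWildcardMatcher("/")};

    /** The only paths an account flagged PASSWORD_CHANGE_REQUIRED may reach. */
    private final UriPathWildcardMatcher passwordChangeWhitelist = new UriPathWildcardMatcher("/user/*");

    private final AuthManager authManager;
    private final ConsoleLogger log;

    /** 401 sent when the request carries no {@code Authorization} header at all. */
    private static final ErrorResponse NO_HEADER = new ErrorResponse(401) {
        @Override
        void addHeaders(HttpServletResponse httpServletResponse) {
            // NOTE(review): "None" is not a registered auth scheme; presumably chosen so browsers
            // do not raise their native Basic-auth dialog. Confirm before changing.
            httpServletResponse.addHeader("WWW-Authenticate", "None");
        }

        @Override
        Object body() {
            return MapUtil.map("errors", singleError(Status.Security.AuthorizationFailed.code().serialize(), "No authorization header supplied."));
        }
    };

    /** 400 sent when the {@code Authorization} header cannot be decoded into credentials. */
    private static final ErrorResponse BAD_HEADER = new ErrorResponse(400) {
        @Override
        Object body() {
            return MapUtil.map("errors", singleError(Status.Request.InvalidFormat.code().serialize(), "Invalid Authorization header."));
        }
    };

    /**
     * 401 sent when authentication fails. The message is deliberately the same for an unknown
     * user and a wrong password, so the response does not reveal which accounts exist.
     */
    private static final ErrorResponse INVALID_CREDENTIAL = new ErrorResponse(401) {
        @Override
        void addHeaders(HttpServletResponse httpServletResponse) {
            httpServletResponse.addHeader("WWW-Authenticate", "None");
        }

        @Override
        Object body() {
            return MapUtil.map("errors", singleError(Status.Security.AuthorizationFailed.code().serialize(), "Invalid username or password."));
        }
    };

    /** 429 sent when the auth manager reports that the caller is being rate limited. */
    private static final ErrorResponse TOO_MANY_ATTEMPTS = new ErrorResponse(429) {
        @Override
        Object body() {
            return MapUtil.map("errors", singleError(Status.Security.AuthenticationRateLimit.code().serialize(), "Too many failed authentication requests. Please wait 5 seconds and try again."));
        }
    };

    /**
     * A canned JSON error reply: a fixed status code, optional extra headers and a body that is
     * serialised with {@link JsonHelper}.
     */
    public static abstract class ErrorResponse {
        private final int statusCode;

        private ErrorResponse(int i) {
            this.statusCode = i;
        }

        /** Hook for subclasses that need extra response headers; adds nothing by default. */
        void addHeaders(HttpServletResponse httpServletResponse) {
        }

        /** @return the object graph that is rendered as the JSON response body */
        abstract Object body();

        /**
         * Writes status, headers and the UTF-8 encoded JSON body to the response.
         *
         * @param httpServletResponse response to populate
         * @throws IOException if the output stream cannot be written
         */
        void writeResponse(HttpServletResponse httpServletResponse) throws IOException {
            httpServletResponse.setStatus(this.statusCode);
            httpServletResponse.addHeader("Content-Type", "application/json; charset=UTF-8");
            addHeaders(httpServletResponse);
            httpServletResponse.getOutputStream().write(JsonHelper.createJsonFrom(body()).getBytes(Charsets.UTF_8));
        }
    }

    /**
     * @param authManager   verifies username/password pairs
     * @param consoleLogger receives a warning for every failed authentication attempt
     */
    public AuthorizationFilter(AuthManager authManager, ConsoleLogger consoleLogger) {
        this.authManager = authManager;
        this.log = consoleLogger;
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Authenticates the request and either forwards it down the chain or answers with one of the
     * canned error responses.
     *
     * @throws ServletException if the request or response is not an HTTP request/response
     * @throws IOException      if an error response cannot be written
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        validateRequestType(servletRequest);
        validateResponseType(servletResponse);
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;

        final String pathInfo = request.getPathInfo();
        final String path = request.getContextPath() + (pathInfo == null ? "" : pathInfo);

        // Unauthenticated pass-through: every OPTIONS request, plus the whitelisted paths.
        if ("OPTIONS".equals(request.getMethod()) || whitelisted(path)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        final String header = request.getHeader("Authorization");
        if (header == null) {
            noHeader().writeResponse(response);
            return;
        }

        final String[] credential = extractCredential(header);
        // AuthorizationHeaders.decode is not visible here; a short array is treated like an
        // undecodable header so a malformed value ends in 400 rather than an index error.
        if (credential == null || credential.length < 2) {
            badHeader().writeResponse(response);
            return;
        }

        final String username = credential[0];
        // Switch on the enum itself: any result that is not explicitly accepted below, including
        // values added to AuthenticationResult later, falls through to the rejecting default.
        switch (this.authManager.authenticate(username, credential[1])) {
            case PASSWORD_CHANGE_REQUIRED:
                // Such an account may only reach the /user/* endpoints until the password changes.
                if (!this.passwordChangeWhitelist.matches(path)) {
                    passwordChangeRequired(username, baseURL(request)).writeResponse(response);
                    return;
                }
                break;
            case SUCCESS:
                break;
            case TOO_MANY_ATTEMPTS:
                tooManyAttempts().writeResponse(response);
                return;
            default:
                // The username comes straight from the Authorization header, so control
                // characters are neutralised before it reaches the log (log forging).
                // NOTE(review): behind a reverse proxy getRemoteAddr() is likely the proxy's
                // address, which weakens this line as an audit record; confirm the deployment.
                this.log.warn("Failed authentication attempt for '%s' from %s", new Object[] {sanitizeForLog(username), request.getRemoteAddr()});
                invalidCredential().writeResponse(response);
                return;
        }
        filterChain.doFilter(new AuthorizedRequestWrapper("BASIC", username, request), servletResponse);
    }

    private static ErrorResponse noHeader() {
        return NO_HEADER;
    }

    private static ErrorResponse badHeader() {
        return BAD_HEADER;
    }

    private static ErrorResponse invalidCredential() {
        return INVALID_CREDENTIAL;
    }

    private static ErrorResponse tooManyAttempts() {
        return TOO_MANY_ATTEMPTS;
    }

    /**
     * Builds the 403 reply for an account that must change its password, including a
     * {@code password_change} link to the endpoint that performs the change.
     *
     * @param str  authenticated username
     * @param str2 externally visible base URL of the server
     */
    private static ErrorResponse passwordChangeRequired(final String str, final String str2) {
        return new ErrorResponse(403) {
            @Override
            Object body() {
                // NOTE(review): the username is formatted into the path before UriBuilder sees
                // it, so '/', '{' or '}' in a name would change the path or be read as a URI
                // template. Whether account names may contain them is decided elsewhere; verify.
                final String passwordChangeUri = UriBuilder.fromUri(str2).path(String.format("/user/%s/password", str)).build().toString();
                return MapUtil.map(
                        "errors", singleError(Status.Security.AuthorizationFailed.code().serialize(), "User is required to change their password."),
                        "password_change", passwordChangeUri);
            }
        };
    }

    /**
     * Derives the externally visible base URL from the request URL and the forwarding headers.
     *
     * <p>NOTE(review): the forwarded host/proto headers are supplied by the caller unless a
     * trusted proxy overwrites them, and the result is echoed in the {@code password_change}
     * link. Confirm that the fronting proxy strips or replaces these headers.
     */
    private String baseURL(HttpServletRequest httpServletRequest) {
        final StringBuffer requestUrl = httpServletRequest.getRequestURL();
        // Strip the request URI from the full URL, leaving scheme://host[:port], then re-add "/".
        final String origin = requestUrl.substring(0, requestUrl.length() - httpServletRequest.getRequestURI().length()) + "/";
        return XForwardUtil.externalUri(origin, httpServletRequest.getHeader(XForwardUtil.X_FORWARD_HOST_HEADER_KEY), httpServletRequest.getHeader(XForwardUtil.X_FORWARD_PROTO_HEADER_KEY));
    }

    @Override
    public void destroy() {
    }

    /** @return {@code true} if the path matches any entry of {@link #whitelist} */
    private boolean whitelisted(String str) {
        for (UriPathWildcardMatcher matcher : this.whitelist) {
            if (matcher.matches(str)) {
                return true;
            }
        }
        return false;
    }

    /** @return the decoded credentials, or {@code null} if there is no header or it is invalid */
    private String[] extractCredential(String str) {
        if (str == null) {
            return null;
        }
        return AuthorizationHeaders.decode(str);
    }

    private void validateRequestType(ServletRequest servletRequest) throws ServletException {
        if (!(servletRequest instanceof HttpServletRequest)) {
            throw new ServletException(String.format("Expected HttpServletRequest, received [%s]", servletRequest.getClass().getCanonicalName()));
        }
    }

    private void validateResponseType(ServletResponse servletResponse) throws ServletException {
        if (!(servletResponse instanceof HttpServletResponse)) {
            throw new ServletException(String.format("Expected HttpServletResponse, received [%s]", servletResponse.getClass().getCanonicalName()));
        }
    }

    /** Wraps one code/message pair in the single-element list used under the "errors" key. */
    private static Object singleError(Object code, String message) {
        return Arrays.asList(MapUtil.map("code", code, "message", message));
    }

    /**
     * Replaces control characters and Unicode line/paragraph separators with {@code '_'} so a
     * request-supplied value cannot start a new line in the log output.
     */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return null;
        }
        final StringBuilder cleaned = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            final char c = value.charAt(i);
            final boolean breaksLine = Character.isISOControl(c) || c == 0x2028 || c == 0x2029;
            cleaned.append(breaksLine ? '_' : c);
        }
        return cleaned.toString();
    }
}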
