package io.antmedia.console.rest;

import com.auth0.jwk.JwkException;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import io.antmedia.console.datastore.AbstractConsoleDataStore;
import io.antmedia.console.datastore.ConsoleDataStoreFactory;
import io.antmedia.datastore.db.IDataStoreFactory;
import io.antmedia.datastore.db.types.User;
import io.antmedia.filter.AbstractFilter;
import io.antmedia.rest.model.UserType;
import io.antmedia.settings.ServerSettings;
import java.io.IOException;
import java.security.PublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.springframework.web.context.ConfigurableWebApplicationContext;

/* loaded from: input_file:io/antmedia/console/rest/AuthenticationFilter.class */
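/**
 * Guards the management-console REST API.
 *
 * <p>Requests are admitted in this order:
 * <ol>
 *   <li>When server-to-server JWT control is enabled and a
 *       {@value #PROXY_AUTHORIZATION_HEADER_JWT_TOKEN} header is present, the token alone decides
 *       (valid: pass through, otherwise 403).</li>
 *   <li>A fixed set of endpoints (login, initial-user bootstrap, liveness, first-login and
 *       blocked-status lookups) needs no session.</li>
 *   <li>Everything else requires an authenticated session whose e-mail resolves to a user in the
 *       console data store.</li>
 *   <li>The user's scope ({@code null} or the system scope means "all applications", otherwise an
 *       application name) is matched against the {@value #DISPATCH_PATH_URL} parameter and the
 *       request URI. GET requests, a few global read-only endpoints, the password and support
 *       endpoints, admins inside their own application, and plain users writing to broadcasts/VoDs
 *       have their own rules below.</li>
 * </ol>
 *
 * <p>Scope matching is done on whole path segments: scope {@code app} covers {@code /app/...} but
 * not {@code /app2/...}.
 */
public class AuthenticationFilter extends AbstractFilter {
    /** Request parameter carrying the proxied target path that is checked against the user's scope. */
    public static final String DISPATCH_PATH_URL = "_path";
    /** Header carrying the server-to-server JWT. */
    public static final String PROXY_AUTHORIZATION_HEADER_JWT_TOKEN = "ProxyAuthorization";
    public static final String FORBIDDEN_ERROR = "Not allowed to access this resource. Contact system admin";

    /** URI prefix of the per-application settings endpoint; the application name follows it. */
    private static final String SETTINGS_PATH_PREFIX = "/rest/v2/applications/settings/";

    /**
     * Returns the console data store when the web application context is running, the data-store
     * factory bean is a {@link ConsoleDataStoreFactory} and its store reports itself available;
     * otherwise {@code null}.
     *
     * @return the available console data store, or {@code null} when none can be used right now
     */
    public AbstractConsoleDataStore getAbstractConsoleDataStore() {
        ConfigurableWebApplicationContext context = getWebApplicationContext();
        if (context == null || !context.isRunning()) {
            return null;
        }
        Object bean = context.getBean(IDataStoreFactory.BEAN_NAME);
        if (!(bean instanceof ConsoleDataStoreFactory)) {
            return null;
        }
        AbstractConsoleDataStore dataStore = ((ConsoleDataStoreFactory) bean).getDataStore();
        if (dataStore == null || !dataStore.isAvailable()) {
            logger.warn("DataStore is not available. It may be closed or not initialized");
            return null;
        }
        return dataStore;
    }

    /**
     * Applies the admission rules described on the class, either passing the request down the
     * chain or answering with an error status (403 for authentication/authorization failures,
     * 500 when the data store is unavailable).
     *
     * @param servletRequest  the incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse the response; must be an {@link HttpServletResponse}
     * @param filterChain     the remaining filter chain
     * @throws IOException      if writing the error response fails
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String requestURI = request.getRequestURI();

        // 1. Server-to-server calls: when JWT control is on and the header is present, the token alone decides.
        ServerSettings serverSettings = getServerSettings();
        String proxyToken = request.getHeader(PROXY_AUTHORIZATION_HEADER_JWT_TOKEN);
        if (serverSettings != null && serverSettings.isJwtServerControlEnabled() && !StringUtils.isBlank(proxyToken)) {
            if (checkJWT(proxyToken)) {
                filterChain.doFilter(servletRequest, servletResponse);
            } else {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid Server JWT Token");
            }
            return;
        }

        // 2. Endpoints reachable without a session.
        if (isPublicEndpoint(requestURI)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // 3. Everything else needs an authenticated session backed by a user record.
        HttpSession session = request.getSession();
        if (!CommonRestService.isAuthenticated(session)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Not authenticated user");
            return;
        }
        AbstractConsoleDataStore dataStore = getAbstractConsoleDataStore();
        if (dataStore == null) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Database is not available. Please try again");
            return;
        }
        String userEmail = (String) session.getAttribute(CommonRestService.USER_EMAIL);
        User user = dataStore.getUser(userEmail);
        if (user == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "No user in this session");
            return;
        }

        // 4. Authorization by scope and user type.
        String scope = user.getScope();
        String dispatchPath = request.getParameter(DISPATCH_PATH_URL);
        boolean scopeAccessGranted = scopeAccessGranted(scope, dispatchPath);
        boolean isAdmin = UserType.ADMIN.equals(user.getUserType());

        if ("GET".equals(request.getMethod())) {
            // Reads: the dispatch path inside the user's scope, the own application's settings,
            // or one of the global read-only endpoints.
            if (scopeAccessGranted || requestURI.equals(SETTINGS_PATH_PREFIX + scope) || isGlobalReadOnlyEndpoint(requestURI)) {
                filterChain.doFilter(servletRequest, servletResponse);
            } else {
                sendForbidden(response);
            }
            return;
        }
        // Any signed-in user may change their own password or file a support request.
        if (requestURI.equals("/rest/v2/users/password") || requestURI.startsWith("/rest/v2/support/request")) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (!scopeAccessGranted) {
            // Outside the dispatch scope only an admin may write, and only to their own application
            // or its settings; the segment-boundary match stops scope "app" from reaching "app2".
            if (isAdmin && (hasPathPrefix(requestURI, SETTINGS_PATH_PREFIX + scope) || isInScope(requestURI, scope))) {
                filterChain.doFilter(servletRequest, servletResponse);
            } else {
                sendForbidden(response);
            }
            return;
        }
        // NOTE(review): a null user type is treated like ADMIN here — presumably accounts that
        // predate user types; confirm this fail-open default is intended.
        if (isAdmin || user.getUserType() == null) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // Plain users may only write to broadcast and VoD resources inside their scope.
        if (UserType.USER.equals(user.getUserType()) && dispatchPath != null
                && (dispatchPath.contains("/rest/v2/broadcasts") || dispatchPath.contains("/rest/v2/vods"))) {
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            sendForbidden(response);
        }
    }

    /** Answers 403 with the generic {@link #FORBIDDEN_ERROR} message. */
    private static void sendForbidden(HttpServletResponse response) throws IOException {
        response.sendError(HttpServletResponse.SC_FORBIDDEN, FORBIDDEN_ERROR);
    }

    /** Endpoints that must work before any session exists (login, bootstrap, liveness, status lookups). */
    private static boolean isPublicEndpoint(String requestURI) {
        switch (requestURI) {
            case "/rest/isAuthenticated":
            case "/rest/authenticateUser":
            case "/rest/addInitialUser":
            case "/rest/isFirstLogin":
            case "/rest/v2/authentication-status":
            case "/rest/v2/users/initial":
            case "/rest/v2/first-login-status":
            case "/rest/v2/users/authenticate":
            case "/rest/v2/liveness":
                return true;
            default:
                // The per-user blocked-status lookup is reachable without a session as well.
                return requestURI.startsWith("/rest/v2/users/") && requestURI.endsWith("/blocked");
        }
    }

    /** Read-only endpoints every signed-in user may GET regardless of scope. */
    private static boolean isGlobalReadOnlyEndpoint(String requestURI) {
        return requestURI.equals("/rest/v2/version")
                || requestURI.equals("/rest/v2/enterprise-edition")
                || requestURI.equals("/rest/v2/admin-status");
    }

    /**
     * Decides whether the user's scope covers the dispatch path.
     *
     * @param scope        the user's scope; {@code null} or {@link CommonRestService#SCOPE_SYSTEM}
     *                     grants everything
     * @param dispatchPath the {@value #DISPATCH_PATH_URL} parameter, may be {@code null}
     * @return {@code true} when the scope is unrestricted or the path lies inside the scope
     */
    private boolean scopeAccessGranted(String scope, String dispatchPath) {
        if (scope == null || scope.equals(CommonRestService.SCOPE_SYSTEM)) {
            return true;
        }
        return isInScope(dispatchPath, scope);
    }

    /**
     * Returns whether {@code path} starts with {@code scope} either at the very beginning or
     * directly after a leading slash, ending on a path-segment boundary.
     *
     * @param path  the path to test, may be {@code null}
     * @param scope the application name (or path prefix) to look for, may be {@code null}
     * @return {@code true} when the path is inside the scope
     */
    static boolean isInScope(String path, String scope) {
        if (path == null || scope == null) {
            return false;
        }
        if (matchesAt(path, scope, 0)) {
            return true;
        }
        return path.charAt(0) == '/' && matchesAt(path, scope, 1);
    }

    /** Returns whether {@code path} starts with {@code prefix} and the match ends on a segment boundary. */
    static boolean hasPathPrefix(String path, String prefix) {
        return path != null && prefix != null && matchesAt(path, prefix, 0);
    }

    /**
     * Prefix match at {@code offset} that additionally requires the match to end at the end of the
     * path, before a {@code /} or before a {@code ?} (or anywhere when the prefix itself ends with
     * {@code /}). This is what keeps scope {@code app} from matching {@code /app2/...}.
     */
    private static boolean matchesAt(String path, String prefix, int offset) {
        if (!path.startsWith(prefix, offset)) {
            return false;
        }
        int end = offset + prefix.length();
        if (prefix.endsWith("/") || end == path.length()) {
            return true;
        }
        char next = path.charAt(end);
        return next == '/' || next == '?';
    }

    /**
     * Verifies a server-to-server JWT against the configured secret or JWKS.
     *
     * <p>Both branches go through {@link JWT#require(Algorithm)}, so the signature, the {@code alg}
     * header and the registered time claims (such as {@code exp}) are all checked. With a JWKS
     * URL, the unverified {@code kid} header only selects which key to fetch from that trusted
     * URL; it grants nothing by itself.
     *
     * @param token the raw JWT from the {@value #PROXY_AUTHORIZATION_HEADER_JWT_TOKEN} header
     * @return {@code true} only when the token verifies; any failure is logged and yields {@code false}
     */
    private boolean checkJWT(String token) {
        ServerSettings settings = getServerSettings();
        if (settings == null) {
            logger.error("Server settings are not available, rejecting server JWT token");
            return false;
        }
        try {
            String jwksURL = settings.getJwksURL();
            Algorithm algorithm;
            if (jwksURL == null || jwksURL.isEmpty()) {
                algorithm = Algorithm.HMAC256(settings.getJwtServerSecretKey());
            } else {
                DecodedJWT decoded = JWT.decode(token);
                PublicKey key = new UrlJwkProvider(jwksURL).get(decoded.getKeyId()).getPublicKey();
                if (!(key instanceof RSAPublicKey)) {
                    logger.error("JWK with key id " + decoded.getKeyId() + " is not an RSA key");
                    return false;
                }
                algorithm = Algorithm.RSA256((RSAPublicKey) key, (RSAPrivateKey) null);
            }
            JWT.require(algorithm).build().verify(token);
            return true;
        } catch (JWTVerificationException | JwkException e) {
            logger.error(e.toString());
            return false;
        } catch (IllegalArgumentException e) {
            // Misconfiguration (e.g. no secret configured, malformed JWKS URL): fail closed instead of
            // letting the exception escape the filter.
            logger.error(e.toString());
            return false;
        }
    }
}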
