package org.neo4j.server.rest.dbms;

import java.io.IOException;
import java.util.Collections;
import java.util.function.Supplier;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.UriBuilder;
import org.neo4j.function.ThrowingConsumer;
import org.neo4j.graphdb.security.AuthProviderFailedException;
import org.neo4j.graphdb.security.AuthProviderTimeoutException;
import org.neo4j.graphdb.security.AuthorizationViolationException;
import org.neo4j.helpers.collection.MapUtil;
import org.neo4j.internal.kernel.api.security.AuthenticationResult;
import org.neo4j.internal.kernel.api.security.LoginContext;
import org.neo4j.kernel.api.exceptions.Status;
import org.neo4j.kernel.api.security.AuthManager;
import org.neo4j.kernel.api.security.AuthToken;
import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
import org.neo4j.logging.Log;
import org.neo4j.logging.LogProvider;
import org.neo4j.server.web.XForwardUtil;

/* loaded from: input_file:org/neo4j/server/rest/dbms/AuthorizationEnabledFilter.class */
public class AuthorizationEnabledFilter extends AuthorizationFilter {
    private final Supplier<AuthManager> authManagerSupplier;
    private final Log log;
    private final Pattern[] uriWhitelist;
    private static final Pattern PASSWORD_CHANGE_WHITELIST = Pattern.compile("/user/.*");
    private static final ThrowingConsumer<HttpServletResponse, IOException> noHeader = error(401, MapUtil.map(new Object[]{"errors", Collections.singletonList(MapUtil.map(new Object[]{"code", Status.Security.Unauthorized.code().serialize(), "message", "No authentication header supplied."}))}));
    private static final ThrowingConsumer<HttpServletResponse, IOException> badHeader = error(400, MapUtil.map(new Object[]{"errors", Collections.singletonList(MapUtil.map(new Object[]{"code", Status.Request.InvalidFormat.code().serialize(), "message", "Invalid authentication header."}))}));
    private static final ThrowingConsumer<HttpServletResponse, IOException> invalidCredential = error(401, MapUtil.map(new Object[]{"errors", Collections.singletonList(MapUtil.map(new Object[]{"code", Status.Security.Unauthorized.code().serialize(), "message", "Invalid username or password."}))}));
    private static final ThrowingConsumer<HttpServletResponse, IOException> tooManyAttempts = error(429, MapUtil.map(new Object[]{"errors", Collections.singletonList(MapUtil.map(new Object[]{"code", Status.Security.AuthenticationRateLimit.code().serialize(), "message", "Too many failed authentication requests. Please wait 5 seconds and try again."}))}));
    private static final ThrowingConsumer<HttpServletResponse, IOException> authProviderFailed = error(502, MapUtil.map(new Object[]{"errors", Collections.singletonList(MapUtil.map(new Object[]{"code", Status.Security.AuthProviderFailed.code().serialize(), "message", "An auth provider request failed."}))}));
    private static final ThrowingConsumer<HttpServletResponse, IOException> authProviderTimeout = error(504, MapUtil.map(new Object[]{"errors", Collections.singletonList(MapUtil.map(new Object[]{"code", Status.Security.AuthProviderTimeout.code().serialize(), "message", "An auth provider request timed out."}))}));

    /* renamed from: org.neo4j.server.rest.dbms.AuthorizationEnabledFilter$1, reason: invalid class name */
    /* loaded from: input_file:org/neo4j/server/rest/dbms/AuthorizationEnabledFilter$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$neo4j$internal$kernel$api$security$AuthenticationResult = new int[AuthenticationResult.values().length];

        static {
            try {
                $SwitchMap$org$neo4j$internal$kernel$api$security$AuthenticationResult[AuthenticationResult.PASSWORD_CHANGE_REQUIRED.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$neo4j$internal$kernel$api$security$AuthenticationResult[AuthenticationResult.SUCCESS.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$neo4j$internal$kernel$api$security$AuthenticationResult[AuthenticationResult.TOO_MANY_ATTEMPTS.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    public AuthorizationEnabledFilter(Supplier<AuthManager> supplier, LogProvider logProvider, Pattern... patternArr) {
        this.authManagerSupplier = supplier;
        this.log = logProvider.getLog(getClass());
        this.uriWhitelist = patternArr;
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        validateRequestType(servletRequest);
        validateResponseType(servletResponse);
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        String str = httpServletRequest.getContextPath() + (httpServletRequest.getPathInfo() == null ? "" : httpServletRequest.getPathInfo());
        if (httpServletRequest.getMethod().equals("OPTIONS") || whitelisted(str)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null) {
            requestAuthentication(httpServletRequest, noHeader).accept(httpServletResponse);
            return;
        }
        String[] extractCredential = extractCredential(header);
        if (extractCredential == null) {
            badHeader.accept(httpServletResponse);
            return;
        }
        String str2 = extractCredential[0];
        try {
            LoginContext authenticate = authenticate(str2, extractCredential[1]);
            switch (AnonymousClass1.$SwitchMap$org$neo4j$internal$kernel$api$security$AuthenticationResult[authenticate.subject().getAuthenticationResult().ordinal()]) {
                case 1:
                    if (!PASSWORD_CHANGE_WHITELIST.matcher(str).matches()) {
                        passwordChangeRequired(str2, baseURL(httpServletRequest)).accept(httpServletResponse);
                        return;
                    }
                    break;
                case 2:
                    break;
                case 3:
                    tooManyAttempts.accept(httpServletResponse);
                    return;
                default:
                    this.log.warn("Failed authentication attempt for '%s' from %s", new Object[]{str2, httpServletRequest.getRemoteAddr()});
                    requestAuthentication(httpServletRequest, invalidCredential).accept(httpServletResponse);
                    return;
            }
            try {
                filterChain.doFilter(new AuthorizedRequestWrapper("BASIC", str2, httpServletRequest, authenticate), servletResponse);
            } catch (AuthorizationViolationException e) {
                unauthorizedAccess(e.getMessage()).accept(httpServletResponse);
            }
        } catch (AuthProviderTimeoutException e2) {
            authProviderTimeout.accept(httpServletResponse);
        } catch (AuthProviderFailedException e3) {
            authProviderFailed.accept(httpServletResponse);
        } catch (InvalidAuthTokenException e4) {
            requestAuthentication(httpServletRequest, invalidAuthToken(e4.getMessage())).accept(httpServletResponse);
        }
    }

    private LoginContext authenticate(String str, String str2) throws InvalidAuthTokenException {
        return this.authManagerSupplier.get().login(AuthToken.newBasicAuthToken(str, str2));
    }

    private static ThrowingConsumer<HttpServletResponse, IOException> invalidAuthToken(String str) {
        return error(401, MapUtil.map(new Object[]{"errors", Collections.singletonList(MapUtil.map(new Object[]{"code", Status.Security.Unauthorized.code().serialize(), "message", str}))}));
    }

    private static ThrowingConsumer<HttpServletResponse, IOException> passwordChangeRequired(String str, String str2) {
        return error(403, MapUtil.map(new Object[]{"errors", Collections.singletonList(MapUtil.map(new Object[]{"code", Status.Security.Forbidden.code().serialize(), "message", "User is required to change their password."})), "password_change", UriBuilder.fromUri(str2).path(String.format("/user/%s/password", str)).build(new Object[0]).toString()}));
    }

    private static ThrowingConsumer<HttpServletResponse, IOException> requestAuthentication(HttpServletRequest httpServletRequest, ThrowingConsumer<HttpServletResponse, IOException> throwingConsumer) {
        return "true".equals(httpServletRequest.getHeader("X-Ajax-Browser-Auth")) ? httpServletResponse -> {
            throwingConsumer.accept(httpServletResponse);
            httpServletResponse.addHeader("WWW-Authenticate", "None");
        } : httpServletResponse2 -> {
            throwingConsumer.accept(httpServletResponse2);
            httpServletResponse2.addHeader("WWW-Authenticate", "Basic realm=\"Neo4j\"");
        };
    }

    private String baseURL(HttpServletRequest httpServletRequest) {
        StringBuffer requestURL = httpServletRequest.getRequestURL();
        return XForwardUtil.externalUri(requestURL.substring(0, requestURL.length() - httpServletRequest.getRequestURI().length()) + "/", httpServletRequest.getHeader(XForwardUtil.X_FORWARD_HOST_HEADER_KEY), httpServletRequest.getHeader(XForwardUtil.X_FORWARD_PROTO_HEADER_KEY));
    }

    private boolean whitelisted(String str) {
        for (Pattern pattern : this.uriWhitelist) {
            if (pattern.matcher(str).matches()) {
                return true;
            }
        }
        return false;
    }

    private String[] extractCredential(String str) {
        if (str == null) {
            return null;
        }
        return AuthorizationHeaders.decode(str);
    }
}
