package org.opends.server.protocols.http;

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.Charset;
import java.text.ParseException;
import java.util.SortedSet;
import javax.servlet.AsyncContext;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.json.resource.ResourceException;
import org.forgerock.opendj.adapter.server3x.Adapters;
import org.forgerock.opendj.ldap.AddressMask;
import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.requests.Requests;
import org.forgerock.opendj.ldap.requests.SearchRequest;
import org.forgerock.opendj.ldap.requests.SimpleBindRequest;
import org.forgerock.opendj.ldap.responses.BindResult;
import org.forgerock.opendj.ldap.responses.SearchResultEntry;
import org.forgerock.opendj.rest2ldap.Rest2LDAP;
import org.forgerock.util.AsyncFunction;
import org.forgerock.util.promise.ExceptionHandler;
import org.forgerock.util.promise.Promise;
import org.forgerock.util.promise.Promises;
import org.forgerock.util.promise.ResultHandler;
import org.opends.messages.ProtocolMessages;
import org.opends.server.admin.std.server.HTTPConnectionHandlerCfg;
import org.opends.server.extensions.ExtensionsConstants;
import org.opends.server.loggers.AccessLogger;
import org.opends.server.schema.SchemaConstants;
import org.opends.server.types.DisconnectReason;
import org.opends.server.util.Base64;
import org.opends.server.util.StaticUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/opends/server/protocols/http/CollectClientConnectionsFilter.class */
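/**
 * Servlet filter that registers each incoming HTTP request as a client connection with the
 * {@link HTTPConnectionHandler}, applies the handler's allowed/denied client address masks,
 * extracts credentials from the request headers and, when credentials are present, resolves
 * the user entry and performs an LDAP simple bind before passing the request down the chain.
 *
 * <p>Requests without credentials are only forwarded when the connection handler accepts
 * unauthenticated requests; otherwise a 401 response is sent.
 *
 * <p>NOTE(review): both supported mechanisms (custom headers and HTTP Basic) carry the password
 * in a request header in recoverable form; confirm the handler is only exposed over TLS.
 */
public final class CollectClientConnectionsFilter implements Filter {
    /** Name of the request header that carries HTTP Basic credentials. */
    static final String HTTP_BASIC_AUTH_HEADER = "Authorization";
    private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();
    /** Charset used to decode Basic credentials and to encode the bind password, kept identical on purpose. */
    private static final Charset UTF_8 = Charset.forName("UTF-8");
    /** Basic authentication scheme token including the separating space. */
    private static final String BASIC_SCHEME_PREFIX = "Basic ";
    private final HTTPConnectionHandler connectionHandler;
    private final HTTPAuthenticationConfig authConfig;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/opends/server/protocols/http/CollectClientConnectionsFilter$HTTPRequestContext.class */
    /**
     * Per-request state shared between the synchronous part of the filter and the asynchronous
     * search/bind callbacks.
     */
    public static final class HTTPRequestContext {
        // Set only when the request is switched to asynchronous processing (credentials present).
        private AsyncContext asyncContext;
        private HttpServletRequest request;
        // Wrapper around the servlet response that records every status code on the client connection.
        private HttpServletResponse response;
        private FilterChain chain;
        private HTTPClientConnection clientConnection;
        // SDK connection handed to the rest of the chain and used for the bind.
        private Connection connection;
        private boolean prettyPrint;
        private String userName;
        // Clear-text password; nulled as soon as the bind request is built or authentication is abandoned.
        private String password;

        private HTTPRequestContext() {
        }
    }

    /**
     * Creates the filter.
     *
     * @param hTTPConnectionHandler the connection handler that owns the client connections
     * @param hTTPAuthenticationConfig the authentication settings (supported mechanisms, header
     *     names, search base/scope/filter template)
     */
    public CollectClientConnectionsFilter(HTTPConnectionHandler hTTPConnectionHandler, HTTPAuthenticationConfig hTTPAuthenticationConfig) {
        this.connectionHandler = hTTPConnectionHandler;
        this.authConfig = hTTPAuthenticationConfig;
    }

    /** No initialization is required. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Registers the request as a client connection, enforces the address masks and either
     * authenticates the caller or forwards / rejects the request as unauthenticated.
     *
     * <p>Any exception raised on the way is turned into an error response by
     * {@link #onException(Exception, HTTPRequestContext)}.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        final HTTPRequestContext hTTPRequestContext = new HTTPRequestContext();
        hTTPRequestContext.request = httpServletRequest;
        // Every status code written to the response is also recorded on the client connection.
        hTTPRequestContext.response = new HttpServletResponseWrapper((HttpServletResponse) servletResponse) { // from class: org.opends.server.protocols.http.CollectClientConnectionsFilter.1
            @Override
            public void setStatus(int i) {
                hTTPRequestContext.clientConnection.log(i);
                super.setStatus(i);
            }

            @Override
            public void setStatus(int i, String str) {
                hTTPRequestContext.clientConnection.log(i);
                super.setStatus(i, str);
            }
        };
        hTTPRequestContext.chain = filterChain;
        hTTPRequestContext.prettyPrint = Boolean.parseBoolean(httpServletRequest.getParameter("_prettyPrint"));
        HTTPClientConnection hTTPClientConnection = new HTTPClientConnection(this.connectionHandler, httpServletRequest);
        this.connectionHandler.addClientConnection(hTTPClientConnection);
        hTTPRequestContext.clientConnection = hTTPClientConnection;
        if (this.connectionHandler.keepStats()) {
            this.connectionHandler.getStatTracker().addRequest(hTTPRequestContext.clientConnection.getMethod());
        }
        try {
            if (canProcessRequest(httpServletRequest, hTTPClientConnection)) {
                AccessLogger.logConnect(hTTPClientConnection);
                hTTPRequestContext.connection = new SdkConnectionAdapter(hTTPClientConnection);
                String[] extractUsernamePassword = extractUsernamePassword(httpServletRequest);
                if (extractUsernamePassword != null && extractUsernamePassword.length == 2) {
                    hTTPRequestContext.userName = extractUsernamePassword[0];
                    hTTPRequestContext.password = extractUsernamePassword[1];
                    // NOTE(review): the custom-header path does not reject an empty password; whether a
                    // simple bind with a DN and an empty password is refused depends on server
                    // configuration not visible here - confirm.
                    hTTPRequestContext.asyncContext = getAsyncContext(httpServletRequest);
                    // Step 1: look the user entry up with a root connection. Step 2: bind as that entry
                    // on the client's own connection. Step 3: forward the request only if the bind succeeded.
                    Adapters.newRootConnection().searchSingleEntryAsync(buildSearchRequest(hTTPRequestContext.userName)).thenAsync(new AsyncFunction<SearchResultEntry, BindResult, LdapException>() { // from class: org.opends.server.protocols.http.CollectClientConnectionsFilter.4
                        // The decompiler had renamed this method (bridge-method merge); it must be called
                        // apply for the anonymous class to implement AsyncFunction.
                        @Override
                        public Promise<BindResult, LdapException> apply(SearchResultEntry searchResultEntry) throws LdapException {
                            DN name = searchResultEntry.getName();
                            if (name == null) {
                                // Do not keep the clear-text password around once authentication is abandoned.
                                hTTPRequestContext.password = null;
                                CollectClientConnectionsFilter.this.sendAuthenticationFailure(hTTPRequestContext);
                                // NOTE(review): this exception promise also reaches handleException below, which
                                // routes CANCELLED to onException and so writes a second response and completes
                                // the async context again - confirm that is intended.
                                return Promises.newExceptionPromise(LdapException.newLdapException(ResultCode.CANCELLED));
                            }
                            SimpleBindRequest newSimpleBindRequest = Requests.newSimpleBindRequest(name.toString(), hTTPRequestContext.password.getBytes(UTF_8));
                            hTTPRequestContext.password = null;
                            return hTTPRequestContext.connection.bindAsync(newSimpleBindRequest);
                        }
                    }).thenOnResult(new ResultHandler<BindResult>() { // from class: org.opends.server.protocols.http.CollectClientConnectionsFilter.3
                        @Override
                        public void handleResult(BindResult bindResult) {
                            hTTPRequestContext.clientConnection.setAuthUser(hTTPRequestContext.userName);
                            try {
                                CollectClientConnectionsFilter.this.doFilter(hTTPRequestContext);
                            } catch (Exception e) {
                                CollectClientConnectionsFilter.this.onException(e, hTTPRequestContext);
                            }
                        }
                    }).thenOnException(new ExceptionHandler<LdapException>() { // from class: org.opends.server.protocols.http.CollectClientConnectionsFilter.2
                        @Override
                        public void handleException(LdapException ldapException) {
                            // The search may have failed before the bind step cleared the password.
                            hTTPRequestContext.password = null;
                            ResultCode resultCode = ldapException.getResult().getResultCode();
                            // Zero or several matching entries means the user name did not identify one account.
                            // NOTE(review): every other failure, including a rejected bind, goes through
                            // onException, so its status and message come from Rest2LDAP.asResourceException;
                            // check that unknown-user and wrong-password responses are not distinguishable.
                            if (ResultCode.CLIENT_SIDE_NO_RESULTS_RETURNED.equals(resultCode) || ResultCode.CLIENT_SIDE_UNEXPECTED_RESULTS_RETURNED.equals(resultCode)) {
                                CollectClientConnectionsFilter.this.sendAuthenticationFailure(hTTPRequestContext);
                            } else {
                                CollectClientConnectionsFilter.this.onException(ldapException, hTTPRequestContext);
                            }
                        }
                    });
                } else if (this.connectionHandler.acceptUnauthenticatedRequests()) {
                    doFilter(hTTPRequestContext);
                } else {
                    sendAuthenticationFailure(hTTPRequestContext);
                }
            }
        } catch (Exception e) {
            onException(e, hTTPRequestContext);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Publishes the request's connection as a request attribute and invokes the rest of the chain.
     *
     * @param hTTPRequestContext the state of the request being processed
     * @throws Exception whatever the downstream chain throws
     */
    public void doFilter(HTTPRequestContext hTTPRequestContext) throws Exception {
        hTTPRequestContext.request.setAttribute("org.forgerock.opendj.rest2ldap.authn-connection", hTTPRequestContext.connection);
        hTTPRequestContext.chain.doFilter(hTTPRequestContext.request, hTTPRequestContext.response);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Sends a 401 "Invalid Credentials" response and disconnects the client connection.
     *
     * @param hTTPRequestContext the state of the request being rejected
     */
    public void sendAuthenticationFailure(HTTPRequestContext hTTPRequestContext) {
        try {
            sendErrorReponse(hTTPRequestContext.response, hTTPRequestContext.prettyPrint, ResourceException.getException(401, "Invalid Credentials"));
            hTTPRequestContext.clientConnection.disconnect(DisconnectReason.INVALID_CREDENTIALS, false, null);
        } finally {
            // Always record the outcome and release the async context, even if writing the response failed.
            hTTPRequestContext.clientConnection.log(401);
            if (hTTPRequestContext.asyncContext != null) {
                hTTPRequestContext.asyncContext.complete();
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Converts an exception into an error response, logs it and disconnects the client connection.
     *
     * @param exc the failure to report
     * @param hTTPRequestContext the state of the request that failed
     */
    public void onException(Exception exc, HTTPRequestContext hTTPRequestContext) {
        ResourceException asResourceException = Rest2LDAP.asResourceException(exc);
        try {
            logger.traceException(exc);
            sendErrorReponse(hTTPRequestContext.response, hTTPRequestContext.prettyPrint, asResourceException);
            LocalizableMessage localizableMessage = ProtocolMessages.INFO_CONNHANDLER_UNABLE_TO_REGISTER_CLIENT.get(hTTPRequestContext.clientConnection.getClientHostPort(), hTTPRequestContext.clientConnection.getServerHostPort(), StaticUtils.getExceptionMessage(exc));
            logger.debug(localizableMessage);
            hTTPRequestContext.clientConnection.disconnect(DisconnectReason.SERVER_ERROR, false, localizableMessage);
        } finally {
            // Always record the outcome and release the async context, even if reporting failed.
            hTTPRequestContext.clientConnection.log(asResourceException.getCode());
            if (hTTPRequestContext.asyncContext != null) {
                hTTPRequestContext.asyncContext.complete();
            }
        }
    }

    /**
     * Decides whether the request may be processed, disconnecting the client connection when not.
     *
     * <p>The request is refused when the connection has a negative connection ID, when the remote
     * address matches a denied mask, or when allowed masks are configured and none matches. Denied
     * masks are evaluated before allowed masks.
     *
     * <p>NOTE(review): the check uses {@code getRemoteAddr()}; behind a reverse proxy that is
     * presumably the proxy's address rather than the end client's - verify the deployment.
     *
     * @return {@code true} if the request may proceed
     * @throws UnknownHostException if the remote address cannot be converted to an {@link InetAddress}
     */
    private boolean canProcessRequest(HttpServletRequest httpServletRequest, HTTPClientConnection hTTPClientConnection) throws UnknownHostException {
        InetAddress byName = InetAddress.getByName(httpServletRequest.getRemoteAddr());
        if (hTTPClientConnection.getConnectionID() < 0) {
            hTTPClientConnection.disconnect(DisconnectReason.ADMIN_LIMIT_EXCEEDED, true, ProtocolMessages.ERR_CONNHANDLER_REJECTED_BY_SERVER.get());
            return false;
        }
        HTTPConnectionHandlerCfg currentConfig = this.connectionHandler.getCurrentConfig();
        SortedSet<AddressMask> allowedClient = currentConfig.getAllowedClient();
        SortedSet<AddressMask> deniedClient = currentConfig.getDeniedClient();
        if (!deniedClient.isEmpty() && AddressMask.matchesAny(deniedClient, byName)) {
            hTTPClientConnection.disconnect(DisconnectReason.CONNECTION_REJECTED, false, ProtocolMessages.ERR_CONNHANDLER_DENIED_CLIENT.get(hTTPClientConnection.getClientHostPort(), hTTPClientConnection.getServerHostPort()));
            return false;
        }
        if (allowedClient.isEmpty() || AddressMask.matchesAny(allowedClient, byName)) {
            return true;
        }
        hTTPClientConnection.disconnect(DisconnectReason.CONNECTION_REJECTED, false, ProtocolMessages.ERR_CONNHANDLER_DISALLOWED_CLIENT.get(hTTPClientConnection.getClientHostPort(), hTTPClientConnection.getServerHostPort()));
        return false;
    }

    /**
     * Extracts the user name and password from the request, trying the configured custom headers
     * first and HTTP Basic second, each only when enabled in the authentication configuration.
     *
     * @return a two-element array {@code {userName, password}}, or {@code null} when the request
     *     carries no usable credentials
     * @throws ResourceException if the Basic credentials cannot be Base64-decoded
     */
    String[] extractUsernamePassword(HttpServletRequest httpServletRequest) throws ResourceException {
        if (this.authConfig.isCustomHeadersAuthenticationSupported()) {
            String customUser = httpServletRequest.getHeader(this.authConfig.getCustomHeaderUsername());
            String customPassword = httpServletRequest.getHeader(this.authConfig.getCustomHeaderPassword());
            if (customUser != null && customPassword != null) {
                return new String[]{customUser, customPassword};
            }
        }
        if (!this.authConfig.isBasicAuthenticationSupported()) {
            return null;
        }
        String basicHeader = httpServletRequest.getHeader(HTTP_BASIC_AUTH_HEADER);
        if (basicHeader == null) {
            return null;
        }
        return parseUsernamePassword(basicHeader);
    }

    /**
     * Writes the exception as a JSON error body with the matching status code, adding a
     * {@code WWW-Authenticate} challenge on 401 when Basic authentication is supported.
     *
     * @param httpServletResponse the response to write to
     * @param z whether the JSON body is pretty-printed
     * @param resourceException the error to report
     */
    void sendErrorReponse(HttpServletResponse httpServletResponse, boolean z, ResourceException resourceException) {
        httpServletResponse.setStatus(resourceException.getCode());
        if (resourceException.getCode() == 401 && this.authConfig.isBasicAuthenticationSupported()) {
            httpServletResponse.setHeader("WWW-Authenticate", "Basic realm=\"org.forgerock.opendj\"");
        }
        try {
            httpServletResponse.setHeader("Content-Type", "application/json");
            httpServletResponse.getOutputStream().println(toJSON(z, resourceException));
        } catch (IOException e) {
            // Best effort: the client may already be gone, so the failure is only traced.
            logger.traceException(e);
        }
    }

    /**
     * Renders the exception's code, message and reason as a JSON object.
     *
     * <p>The message and reason are escaped: they can embed text derived from the request (for
     * example a decoding error), and unescaped quotes or control characters would let that text
     * break out of the string value or produce an unparseable body.
     */
    private String toJSON(boolean z, ResourceException resourceException) {
        StringBuilder sb = new StringBuilder();
        // Presumably "{" and "}": the decompiler appears to have substituted unrelated constants that
        // share the literal value - confirm against ExtensionsConstants.
        sb.append(ExtensionsConstants.STORAGE_SCHEME_PREFIX);
        if (z) {
            sb.append("\n    ");
        }
        sb.append("\"code\": ").append(resourceException.getCode()).append(",");
        if (z) {
            sb.append("\n    ");
        }
        sb.append("\"message\": \"").append(escapeJson(resourceException.getMessage())).append("\",");
        if (z) {
            sb.append("\n    ");
        }
        sb.append("\"reason\": \"").append(escapeJson(resourceException.getReason())).append("\"");
        if (z) {
            sb.append("\n");
        }
        sb.append(ExtensionsConstants.STORAGE_SCHEME_SUFFIX);
        return sb.toString();
    }

    /**
     * Escapes a value for use inside a JSON string literal. A {@code null} value is rendered as
     * the text {@code null}, as {@link StringBuilder#append(String)} would.
     */
    private static String escapeJson(String value) {
        String text = String.valueOf(value);
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '"':
                    out.append("\\\"");
                    break;
                case '\\':
                    out.append("\\\\");
                    break;
                case '\n':
                    out.append("\\n");
                    break;
                case '\r':
                    out.append("\\r");
                    break;
                case '\t':
                    out.append("\\t");
                    break;
                default:
                    // Non-ASCII is escaped too so the body stays valid whatever encoding the servlet
                    // output stream applies to it.
                    if (c < 0x20 || c > 0x7e) {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
                    break;
            }
        }
        return out.toString();
    }

    /**
     * Parses the value of an HTTP Basic {@code Authorization} header.
     *
     * <p>The scheme name is matched case-insensitively and must be followed by a space. The
     * decoded credentials are split at the first colon only, so passwords containing a colon are
     * accepted. An empty password is rejected so that it can never be forwarded to a simple bind.
     *
     * @param str the header value, may be {@code null}
     * @return a two-element array {@code {userName, password}}, or {@code null} when the header is
     *     absent, uses another scheme, or does not hold a {@code user:password} pair
     * @throws ResourceException if the credentials are not valid Base64
     */
    String[] parseUsernamePassword(String str) throws ResourceException {
        if (str == null) {
            return null;
        }
        int prefixLength = BASIC_SCHEME_PREFIX.length();
        // A bare scheme name without a token used to raise StringIndexOutOfBoundsException here.
        if (str.length() <= prefixLength || !str.regionMatches(true, 0, BASIC_SCHEME_PREFIX, 0, prefixLength)) {
            return null;
        }
        try {
            // Decode with the same charset that is later used to encode the bind password.
            String decoded = new String(Base64.decode(str.substring(prefixLength).trim()), UTF_8);
            int colon = decoded.indexOf(':');
            if (colon < 0 || colon == decoded.length() - 1) {
                return null;
            }
            return new String[]{decoded.substring(0, colon), decoded.substring(colon + 1)};
        } catch (ParseException e) {
            throw Rest2LDAP.asResourceException(e);
        }
    }

    /** Returns the request's async context, starting asynchronous processing if not yet started. */
    private AsyncContext getAsyncContext(ServletRequest servletRequest) {
        return servletRequest.isAsyncStarted() ? servletRequest.getAsyncContext() : servletRequest.startAsync();
    }

    /**
     * Builds the search that resolves a user name to its entry, using the configured base DN,
     * scope and filter template and requesting no attributes.
     *
     * <p>The user name is passed to {@code Filter.format} as a template argument rather than
     * concatenated into the filter string; keep it that way so that filter metacharacters in the
     * user name cannot change the structure of the search filter.
     */
    private SearchRequest buildSearchRequest(String str) {
        return Requests.newSearchRequest(this.authConfig.getSearchBaseDN(), this.authConfig.getSearchScope(), org.forgerock.opendj.ldap.Filter.format(this.authConfig.getSearchFilterTemplate(), new Object[]{str}), new String[]{SchemaConstants.NO_ATTRIBUTES});
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }
}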
