package org.dataone.solr.servlet;

import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.Charset;
import java.text.DateFormat;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.dataone.client.auth.CertificateManager;
import org.dataone.cn.servlet.http.ProxyServletRequestWrapper;
import org.dataone.configuration.Settings;
import org.dataone.service.cn.impl.v1.CNIdentityLDAPImpl;
import org.dataone.service.cn.impl.v1.NodeRegistryService;
import org.dataone.service.exceptions.InvalidToken;
import org.dataone.service.exceptions.NotAuthorized;
import org.dataone.service.exceptions.NotFound;
import org.dataone.service.exceptions.NotImplemented;
import org.dataone.service.exceptions.ServiceFailure;
import org.dataone.service.types.v1.Group;
import org.dataone.service.types.v1.Node;
import org.dataone.service.types.v1.NodeState;
import org.dataone.service.types.v1.NodeType;
import org.dataone.service.types.v1.Person;
import org.dataone.service.types.v1.Session;
import org.dataone.service.types.v1.Subject;
import org.dataone.service.types.v1.SubjectInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dataone/solr/servlet/SessionAuthorizationFilter.class */
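/**
 * Servlet filter that turns the client certificate on an incoming request into
 * authorization parameters for the downstream handler.
 *
 * <p>For every request it first strips any client-supplied {@code authorizedSubjects}
 * or {@code isCnAdministrator} parameters (a caller must never be able to assert its
 * own authorization by adding a query parameter). It then derives a {@link Session}
 * from the certificate via {@link CertificateManager}:
 * <ul>
 *   <li>no session: the request is passed through unchanged (public access);</li>
 *   <li>the certificate subject is listed on an UP CN node in the node registry:
 *       {@code isCnAdministrator} is set to the configured admin token;</li>
 *   <li>otherwise {@code authorizedSubjects} is set to {@code public},
 *       {@code authenticatedUser}, and the subject's own DN / group DNs / person DNs
 *       (plus {@code verifiedUser} for verified persons) as returned by the identity
 *       service, falling back to the certificate's own SubjectInfo when the identity
 *       service reports NotFound.</li>
 * </ul>
 * DataONE service exceptions raised while resolving the subject are serialized into
 * the response with an HTTP status and the request is not forwarded (fail closed).
 *
 * <p>The administrative-subject cache is a snapshot that is replaced atomically rather
 * than cleared and refilled in place, so concurrent requests never observe an empty
 * or half-built list, and a failed refresh keeps the previous snapshot.
 */
public class SessionAuthorizationFilter implements Filter {
    private static final String PARAM_AUTHORIZED_SUBJECTS = "authorizedSubjects";
    private static final String PARAM_IS_CN_ADMIN = "isCnAdministrator";
    private static final Charset UTF8 = Charset.forName("UTF-8");

    Logger logger = LoggerFactory.getLogger(SessionAuthorizationFilter.class);
    NodeRegistryService nodeRegistryService = new NodeRegistryService();
    CNIdentityLDAPImpl identityService = new CNIdentityLDAPImpl();
    /** Epoch millis of the last cache refresh; updated with CAS so only one request per interval triggers a reload. */
    private final AtomicLong lastRefreshTimeMS = new AtomicLong(0);
    /** Refresh interval in milliseconds (300000 ms = 5 min); the value is compared against epoch millis. */
    private long nodelistRefreshIntervalMS = 300000;
    /** DateFormat is not thread-safe; only ever used under {@code synchronized (df)}. */
    private static DateFormat df = DateFormat.getDateTimeInstance();
    /** Immutable snapshot of CN node subjects; replaced wholesale, never mutated in place. */
    private static volatile List<Subject> administrativeSubjects = Collections.emptyList();
    /** Value injected as {@code isCnAdministrator} for administrative subjects; read once from configuration. */
    static String adminToken = Settings.getConfiguration().getString("cn.solrAdministrator.token");

    /**
     * Loads the initial administrative-subject snapshot. A failure here is logged and
     * leaves the snapshot empty (no one is an administrator) until the next refresh.
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        this.logger.info("init SessionAuthorizationFilter");
        if (adminToken == null || adminToken.trim().length() == 0) {
            // Without a token the isCnAdministrator marker set below carries a null/blank value;
            // whatever downstream does with that, it is almost certainly a misconfiguration.
            this.logger.warn("cn.solrAdministrator.token is not configured; administrative subjects will be marked with an empty token");
        }
        try {
            cacheAdministrativeSubjectList();
        } catch (ServiceFailure e) {
            this.logger.error(e.serialize(0));
        } catch (NotImplemented e2) {
            this.logger.error(e2.serialize(0));
        }
        this.lastRefreshTimeMS.set(new Date().getTime());
    }

    /**
     * Resolves the caller's authorization from its certificate and forwards the request
     * with the derived parameters, or writes a serialized DataONE exception and stops.
     *
     * @throws IOException      if the response cannot be written
     * @throws ServletException propagated from the downstream chain
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        try {
            this.logger.debug("Authorization certificate filter");
            ProxyServletRequestWrapper wrapped = new ProxyServletRequestWrapper(httpRequest);
            // Always strip first, before any branch that might forward the request untouched.
            stripClientSuppliedAuthorization(wrapped);

            Session session = CertificateManager.getInstance().getSession(httpRequest);
            if (session == null) {
                this.logger.info("session is null: default to public");
                filterChain.doFilter(wrapped, servletResponse);
                return;
            }
            Subject subject = session.getSubject();
            if (subject == null) {
                // A session without a subject cannot be matched against anything; treat it exactly
                // like an anonymous request rather than failing later on a null DN.
                this.logger.warn("session has no subject: default to public");
                filterChain.doFilter(wrapped, servletResponse);
                return;
            }

            if (isTimeForRefresh()) {
                cacheAdministrativeSubjectList();
            }
            // Relies on Subject.equals() comparing by value; the snapshot is immutable so this read is race-free.
            if (administrativeSubjects.contains(subject)) {
                this.logger.info("found administrative subject");
                wrapped.setParameterValues(PARAM_IS_CN_ADMIN, new String[]{adminToken});
            } else {
                List<String> authorized = resolveAuthorizedSubjects(session, subject);
                if (!authorized.isEmpty()) {
                    wrapped.setParameterValues(PARAM_AUTHORIZED_SUBJECTS, authorized.toArray(new String[0]));
                }
            }
            filterChain.doFilter(wrapped, servletResponse);
        } catch (ServiceFailure e) {
            e.setDetail_code("1490");
            writeError(httpResponse, 500, e.serialize(0));
        } catch (NotImplemented e2) {
            e2.setDetail_code("1461");
            writeError(httpResponse, 400, e2.serialize(0));
        } catch (InvalidToken e3) {
            e3.setDetail_code("1470");
            writeError(httpResponse, 401, e3.serialize(0));
        } catch (NotAuthorized e4) {
            e4.setDetail_code("1460");
            writeError(httpResponse, 401, e4.serialize(0));
        }
    }

    /**
     * Blanks any client-supplied value for the two parameters this filter owns, so a
     * caller cannot pre-populate its own subject list or administrator marker.
     * NOTE(review): the match is an exact, case-sensitive key lookup; confirm downstream
     * reads these parameter names the same way.
     */
    private void stripClientSuppliedAuthorization(ProxyServletRequestWrapper wrapped) {
        Map<?, ?> parameterMap = wrapped.getParameterMap();
        String[] empty = new String[0];
        if (parameterMap.containsKey(PARAM_AUTHORIZED_SUBJECTS)) {
            this.logger.warn("removing attempt at supplying authorized user by client");
            wrapped.setParameterValues(PARAM_AUTHORIZED_SUBJECTS, empty);
        }
        if (parameterMap.containsKey(PARAM_IS_CN_ADMIN)) {
            this.logger.warn("removing attempt at supplying authorized administrative user by client");
            wrapped.setParameterValues(PARAM_IS_CN_ADMIN, empty);
        }
    }

    /**
     * Builds the {@code authorizedSubjects} list for a non-administrative caller:
     * {@code public}, {@code authenticatedUser}, then the DNs of the groups and persons
     * the identity service associates with the subject (or the bare subject DN when no
     * SubjectInfo is available at all).
     *
     * @throws ServiceFailure, NotAuthorized, NotImplemented, InvalidToken as raised by the identity service
     */
    private List<String> resolveAuthorizedSubjects(Session session, Subject subject)
            throws ServiceFailure, NotAuthorized, NotImplemented, InvalidToken {
        List<String> authorized = new ArrayList<String>();
        authorized.add("public");
        authorized.add("authenticatedUser");

        SubjectInfo subjectInfo;
        try {
            subjectInfo = this.identityService.getSubjectInfo(session, subject);
        } catch (NotFound e) {
            // Not registered with the identity service: fall back to what the certificate itself carried.
            subjectInfo = session.getSubjectInfo();
        }

        if (subjectInfo == null) {
            // No IllegalArgumentException handling here (unlike group/person DNs): the session subject
            // is expected to already be a well-formed DN produced by CertificateManager.
            authorized.add(CertificateManager.getInstance().standardizeDN(subject.getValue()));
            return authorized;
        }
        addGroupSubjects(subjectInfo, authorized);
        addPersonSubjects(subjectInfo, authorized);
        return authorized;
    }

    /** Appends the standardized DN of every group in {@code subjectInfo}; a malformed group DN is kept verbatim. */
    private void addGroupSubjects(SubjectInfo subjectInfo, List<String> authorized) {
        if (subjectInfo.sizeGroupList() <= 0) {
            return;
        }
        for (Group group : subjectInfo.getGroupList()) {
            String rawDn = group.getSubject().getValue();
            try {
                authorized.add(CertificateManager.getInstance().standardizeDN(rawDn));
                this.logger.info("found group subject");
            } catch (IllegalArgumentException e) {
                this.logger.warn("Found improperly formatted group subject: " + rawDn + "\n" + e.getMessage());
                authorized.add(rawDn);
            }
        }
    }

    /**
     * Appends {@code verifiedUser} for each verified person and the standardized DN of
     * every person in {@code subjectInfo}; a malformed person DN is dropped (logged only).
     */
    private void addPersonSubjects(SubjectInfo subjectInfo, List<String> authorized) {
        if (subjectInfo.sizePersonList() <= 0) {
            return;
        }
        for (Person person : subjectInfo.getPersonList()) {
            if (person.getVerified() != null && person.getVerified().booleanValue()) {
                authorized.add("verifiedUser");
            }
            String rawDn = person.getSubject().getValue();
            try {
                authorized.add(CertificateManager.getInstance().standardizeDN(rawDn));
            } catch (IllegalArgumentException e) {
                this.logger.error("Found improperly formatted person subject: " + rawDn + "\n" + e.getMessage());
            }
        }
    }

    /**
     * Writes a serialized exception body with the given status and closes the stream.
     * The body is encoded as UTF-8 explicitly rather than with the platform default,
     * since subject DNs in the message may contain non-ASCII characters.
     */
    private void writeError(HttpServletResponse response, int status, String body) throws IOException {
        response.setStatus(status);
        OutputStream out = response.getOutputStream();
        try {
            out.write(body.getBytes(UTF8));
            out.flush();
        } finally {
            out.close();
        }
    }

    /**
     * Rebuilds the administrative-subject snapshot from every CN node in the registry
     * whose state is UP. The new list is published atomically; if the registry lookup
     * throws, the previous snapshot stays in effect.
     *
     * @throws NotImplemented, ServiceFailure from the node registry
     */
    public void cacheAdministrativeSubjectList() throws NotImplemented, ServiceFailure {
        List<Subject> fresh = new ArrayList<Subject>();
        for (Node node : this.nodeRegistryService.listNodes().getNodeList()) {
            // Constant-first equals: a node with a null type or state is skipped instead of aborting the refresh.
            if (NodeType.CN.equals(node.getType()) && NodeState.UP.equals(node.getState())) {
                fresh.addAll(node.getSubjectList());
            }
        }
        administrativeSubjects = Collections.unmodifiableList(fresh);
    }

    /**
     * Returns true for exactly one caller once the refresh interval has elapsed; that
     * caller also advances the timestamp, so concurrent requests keep the current snapshot.
     */
    private boolean isTimeForRefresh() {
        Date now = new Date();
        long nowMS = now.getTime();
        long last = this.lastRefreshTimeMS.get();
        if (nowMS - last <= this.nodelistRefreshIntervalMS) {
            return false;
        }
        if (!this.lastRefreshTimeMS.compareAndSet(last, nowMS)) {
            return false;
        }
        String stamp;
        synchronized (df) {
            stamp = df.format(now);
        }
        this.logger.info("nodelist refresh: new cached time: " + stamp);
        return true;
    }

    public void destroy() {
        this.logger.info("destroy SessionAuthorizationFilter");
    }
}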
