package org.jivesoftware.openfire.plugin.rest;

import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.HttpMethod;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.jivesoftware.openfire.XMPPServer;
import org.jivesoftware.openfire.admin.AdminManager;
import org.jivesoftware.openfire.auth.AuthFactory;
import org.jivesoftware.openfire.auth.ConnectionException;
import org.jivesoftware.openfire.auth.InternalUnauthenticatedException;
import org.jivesoftware.openfire.auth.UnauthorizedException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/restAPI-1.4.1-SNAPSHOT.jar:org/jivesoftware/openfire/plugin/rest/AuthFilter.class */
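/**
 * Jersey request filter that gates every REST API call behind the plugin's enabled flag,
 * an optional source-address allow list, and either HTTP Basic authentication (admin
 * accounts only) or a shared secret, selected by {@code RESTServicePlugin#getHttpAuth()}.
 *
 * <p>OPTIONS requests and the deprecated {@code restapi/v1/userservice} path are passed
 * through by this filter without any credential check.
 */
public class AuthFilter implements ContainerRequestFilter {
    private static final Logger LOG = LoggerFactory.getLogger(AuthFilter.class);

    /** Value of {@code getHttpAuth()} that selects HTTP Basic; any other value means shared-secret mode. */
    private static final String HTTP_AUTH_BASIC = "basic";

    /** Legacy endpoint that this filter lets through without authentication. */
    private static final String DEPRECATED_USERSERVICE_PATH = "restapi/v1/userservice";

    /** Header spellings consulted, in order, before falling back to the socket's remote address. */
    private static final String[] FORWARDED_FOR_HEADERS = {"x-forwarded-for", "X_FORWARDED_FOR", "X-Forward-For"};

    @Context
    private HttpServletRequest httpRequest;

    // Resolved once per filter instance. If the "restapi" plugin is not loaded this stays null
    // and filter() fails with an unhandled NullPointerException on its first line.
    private RESTServicePlugin plugin = (RESTServicePlugin) XMPPServer.getInstance().getPluginManager().getPlugin("restapi");

    /**
     * Checks whether the request may reach the REST resources.
     *
     * @param containerRequest the incoming request
     * @return the same request, unchanged, when it may proceed
     * @throws WebApplicationException {@code 403 FORBIDDEN} when the plugin is disabled;
     *         {@code 401 UNAUTHORIZED} when the source address is not allowed, the
     *         {@code authorization} header is missing, or the credentials do not verify
     */
    @Override // com.sun.jersey.spi.container.ContainerRequestFilter
    public ContainerRequest filter(ContainerRequest containerRequest) throws WebApplicationException {
        if (!this.plugin.isEnabled()) {
            LOG.debug("REST API Plugin is not enabled");
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        if (HttpMethod.OPTIONS.equals(containerRequest.getMethod())) {
            LOG.debug("Authentication was bypassed because of OPTIONS request");
            return containerRequest;
        }
        if (DEPRECATED_USERSERVICE_PATH.equals(containerRequest.getPath())) {
            // NOTE(review): this path skips the allow-list and credential checks below;
            // presumably the legacy servlet enforces its own secret -- confirm before relying on it.
            LOG.info("Deprecated 'userservice' endpoint was used. Please switch to the new endpoints");
            return containerRequest;
        }
        enforceAllowedIps();

        String headerValue = containerRequest.getHeaderValue("authorization");
        if (headerValue == null) {
            throw unauthorized();
        }
        if (HTTP_AUTH_BASIC.equals(this.plugin.getHttpAuth())) {
            authenticateBasic(headerValue);
        } else {
            authenticateSecret(headerValue);
        }
        return containerRequest;
    }

    /**
     * Rejects the request unless its resolved client address is on the plugin's allow list.
     * A no-op when the allow list is empty.
     *
     * @throws WebApplicationException {@code 401 UNAUTHORIZED} when the address is not listed
     */
    private void enforceAllowedIps() throws WebApplicationException {
        if (this.plugin.getAllowedIPs().isEmpty()) {
            return;
        }
        String clientAddress = resolveClientAddress();
        if (!this.plugin.getAllowedIPs().contains(clientAddress)) {
            LOG.warn("REST API rejected service for IP address: {}", clientAddress);
            throw unauthorized();
        }
    }

    /**
     * Returns the first present forwarded-for header, or the socket's remote address when none is set.
     *
     * <p>The forwarded headers are supplied by the client, so they only identify the caller when a
     * trusted reverse proxy in front of Openfire overwrites them; deployed without such a proxy, the
     * allow list is compared against a value the caller chose. The header is also compared as one
     * string, so a comma-separated proxy chain will not match a single listed address.
     */
    private String resolveClientAddress() {
        for (String headerName : FORWARDED_FOR_HEADERS) {
            String value = this.httpRequest.getHeader(headerName);
            if (value != null) {
                return value;
            }
        }
        return this.httpRequest.getRemoteAddr();
    }

    /**
     * Verifies an HTTP Basic credential pair against Openfire's admin list and auth provider.
     *
     * @param headerValue the raw {@code authorization} header
     * @throws WebApplicationException {@code 401 UNAUTHORIZED} when the header does not decode to
     *         a username/password pair, the user is not an admin, or authentication fails
     */
    private void authenticateBasic(String headerValue) throws WebApplicationException {
        String[] credentials = BasicAuth.decode(headerValue);
        if (credentials == null || credentials.length != 2) {
            LOG.warn("Username or password is not set");
            throw unauthorized();
        }
        // Admin membership is checked first so a non-admin account is never sent to the auth backend.
        if (!AdminManager.getInstance().isUserAdmin(credentials[0], true)) {
            LOG.warn("Provided User is not an admin");
            throw unauthorized();
        }
        try {
            AuthFactory.authenticate(credentials[0], credentials[1]);
        } catch (InternalUnauthenticatedException e) {
            LOG.error("Authentication went wrong", e);
            throw unauthorized();
        } catch (ConnectionException e) {
            LOG.error("Authentication went wrong", e);
            throw unauthorized();
        } catch (UnauthorizedException e) {
            LOG.warn("Wrong HTTP Basic Auth authorization", e);
            throw unauthorized();
        }
    }

    /**
     * Compares the {@code authorization} header with the configured shared secret.
     *
     * @param headerValue the raw {@code authorization} header, never null
     * @throws WebApplicationException {@code 401 UNAUTHORIZED} when no secret is configured or it does not match
     */
    private void authenticateSecret(String headerValue) throws WebApplicationException {
        String secret = this.plugin.getSecret();
        // MessageDigest.isEqual does not stop at the first differing byte the way String.equals does,
        // so response latency does not reveal how much of the secret a caller got right.
        boolean matches = secret != null
                && MessageDigest.isEqual(
                        headerValue.getBytes(StandardCharsets.UTF_8),
                        secret.getBytes(StandardCharsets.UTF_8));
        if (!matches) {
            // The supplied value is deliberately not logged: a near-miss would write the secret to the log.
            LOG.warn("Wrong secret key authorization");
            throw unauthorized();
        }
    }

    /** Builds the {@code 401 UNAUTHORIZED} response every rejection path throws. */
    private static WebApplicationException unauthorized() {
        return new WebApplicationException(Response.Status.UNAUTHORIZED);
    }
}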
