package org.apache.sling.cms.core.internal.filters;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import javax.jcr.Session;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.jcr.base.util.AccessControlUtil;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.metatype.annotations.Designate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

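/**
 * Request-scoped Sling filter that restricts access to a set of configured host domains.
 *
 * <p>When the incoming request's server name is one of {@code hostDomains()}, the request is
 * let through only if one of the following holds (evaluated in this order):
 * <ol>
 *   <li>the raw request URI fully matches one of the compiled {@code allowedPatterns()};</li>
 *   <li>a {@code group()} is configured and the requesting user is a member of that group
 *       (directly or through nested membership, whatever {@code memberOf()} reports);</li>
 *   <li>no group is configured and the resource resolver's user id is not {@code "anonymous"}.</li>
 * </ol>
 * Otherwise the response is completed with a {@code 401} status and the chain is not invoked.
 * Requests to hosts outside {@code hostDomains()}, or when no host domains are configured, are
 * never filtered.
 *
 * <p>Security caveats for deployers:
 * <ul>
 *   <li>The host decision is keyed on {@link ServletRequest#getServerName()}, which is normally
 *       derived from the client-supplied {@code Host} header. This filter therefore only protects
 *       content if the container or a front-end proxy rejects requests for hosts that are not
 *       expected to be served — a client that can pick an arbitrary {@code Host} value would
 *       otherwise skip the filter entirely.</li>
 *   <li>Allow patterns are matched against the unnormalized request URI (no percent-decoding or
 *       {@code ..} resolution is done here). Write patterns so that selectors, extensions and
 *       suffixes cannot turn a protected path into an allowed one.</li>
 *   <li>Any failure while resolving group membership is logged and treated as "not a member",
 *       i.e. the filter fails closed.</li>
 * </ul>
 *
 * <p>Thread-safety: {@code activate} may run (via {@code @Modified}) while requests are being
 * filtered. The configuration and the compiled pattern list are published as volatile,
 * immutable snapshots so a request never observes a half-built list.
 */
@Designate(ocd = CMSSecurityFilterConfig.class)
@Component(service = {Filter.class}, property = {"sling.filter.scope=request"})
public class CMSSecurityFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(CMSSecurityFilter.class);

    /** Active configuration, or {@code null} when the filter is disabled. */
    private volatile CMSSecurityFilterConfig config;

    /** Compiled allow patterns for the active configuration; never {@code null}, never mutated. */
    private volatile List<Pattern> patterns = Collections.emptyList();

    /**
     * Activates or re-activates the filter from its OSGi configuration.
     *
     * <p>Fixes a defect in the earlier implementation, which appended to the same pattern list on
     * every {@code @Modified} call: allow patterns removed from the configuration kept being
     * honoured (and a concurrent request could hit a {@code ConcurrentModificationException}).
     * The list is now rebuilt from scratch and swapped in atomically.
     *
     * @param cMSSecurityFilterConfig the (possibly updated) configuration
     * @throws java.util.regex.PatternSyntaxException if an allow pattern does not compile; in that
     *         case the filter stays enabled for the configured hosts with no allow patterns
     *         (fail closed) rather than silently disabling itself
     */
    @Activate
    @Modified
    public void activate(CMSSecurityFilterConfig cMSSecurityFilterConfig) {
        String[] hostDomains = cMSSecurityFilterConfig.hostDomains();
        if (hostDomains == null || hostDomains.length == 0) {
            this.config = null;
            this.patterns = Collections.emptyList();
            log.info("No host domains supplied, CMS Security Filter not enabled");
            return;
        }
        log.info("Applying CMS Security Filter for domains {}", Arrays.toString(hostDomains));

        // Publish the new config with an empty allow-list first: if pattern compilation below
        // throws, the hosts are still protected (only authenticated / group users get through).
        this.patterns = Collections.emptyList();
        this.config = cMSSecurityFilterConfig;

        List<Pattern> compiled = new ArrayList<>();
        String[] allowed = cMSSecurityFilterConfig.allowedPatterns();
        if (allowed != null) {
            for (String expression : allowed) {
                compiled.add(Pattern.compile(expression));
            }
        }
        this.patterns = Collections.unmodifiableList(compiled);
    }

    /** No servlet-container initialisation is needed; configuration comes from OSGi. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Applies the host/pattern/group/authentication checks described on the class and either
     * continues the chain or sends a {@code 401}.
     *
     * @param servletRequest  the request; must be a {@link SlingHttpServletRequest}, which the
     *                        {@code sling.filter.scope=request} registration guarantees
     * @param servletResponse the response, used only to send the error status
     * @param filterChain     the remaining chain, invoked only for allowed requests
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        SlingHttpServletRequest request = (SlingHttpServletRequest) servletRequest;
        // Snapshot the config once so a concurrent @Modified cannot change it mid-request.
        CMSSecurityFilterConfig activeConfig = this.config;
        String host = servletRequest.getServerName();

        if (activeConfig == null || !ArrayUtils.contains(activeConfig.hostDomains(), host)) {
            log.trace("Not filtering request to host {}", host);
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        log.trace("Filtering requests to host {}", host);

        boolean allowed = matchesAllowedPattern(request.getRequestURI());
        if (!allowed) {
            String requiredGroup = activeConfig.group();
            // With a group configured, membership is the only remaining way in; being merely
            // authenticated is not enough.
            allowed = StringUtils.isNotBlank(requiredGroup)
                    ? isMemberOfGroup(request, requiredGroup)
                    : isAuthenticated(request);
        }

        if (!allowed) {
            log.trace("Request to {} not allowed for user {}", request.getRequestURI(), request.getResourceResolver().getUserID());
            // 401 is sent without a WWW-Authenticate header; in a Sling deployment the
            // authentication layer is expected to turn this into a login challenge.
            ((HttpServletResponse) servletResponse).sendError(401);
            return;
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Returns {@code true} if the whole request URI matches one of the compiled allow patterns.
     * Uses {@code matches()} (full match), so a pattern cannot accidentally allow a URI that
     * merely contains an allowed prefix.
     */
    private boolean matchesAllowedPattern(String requestUri) {
        for (Pattern pattern : this.patterns) {
            if (pattern.matcher(requestUri).matches()) {
                log.trace("Allowing request matching pattern {}", pattern);
                return true;
            }
        }
        return false;
    }

    /**
     * Resolves the request's user principal through the JCR user manager and reports whether it
     * belongs to {@code groupId}. Any exception (no session, unresolvable principal, repository
     * error, principal that is not a {@link User}) is logged and treated as not-a-member.
     */
    private boolean isMemberOfGroup(SlingHttpServletRequest request, String groupId) {
        try {
            Session session = request.getResourceResolver().adaptTo(Session.class);
            UserManager userManager = AccessControlUtil.getUserManager(session);
            log.trace("Retrieved user manager {} with session {}", userManager, session);
            User user = (User) userManager.getAuthorizable(request.getUserPrincipal());
            if (user == null) {
                return false;
            }
            log.trace("Checking to see if user {} is in required group {}", user.getID(), groupId);
            Iterator<Group> groups = user.memberOf();
            while (groups.hasNext()) {
                if (groupId.equals(groups.next().getID())) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            // Fail closed: a membership lookup that blows up must not grant access.
            log.error("Exception determing group membership", e);
            return false;
        }
    }

    /** Authenticated means "resolver user id is anything other than the literal {@code anonymous}". */
    private boolean isAuthenticated(SlingHttpServletRequest request) {
        return !"anonymous".equals(request.getResourceResolver().getUserID());
    }
}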
