package io.confluent.security.authentication.http;

import io.confluent.security.authentication.credential.HttpCredential;
import io.confluent.shaded.org.slf4j.Logger;
import io.confluent.shaded.org.slf4j.LoggerFactory;
import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.function.Supplier;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

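/**
 * Pre-matching JAX-RS request filter that authenticates each request before resource matching.
 *
 * <p>The credential is read from the {@code Authorization} header, falling back to the
 * {@code auth_token} cookie, and handed to the configured {@link HttpAuthenticator}. Requests
 * that end up without an authenticated principal are only let through when their path starts
 * with one of the whitelisted prefixes; everything else is answered with {@code 401}.
 *
 * <p>Any failure while authenticating is treated as "not authenticated" (fail closed).
 */
@Priority(1000)
@PreMatching
public final class HttpServerAuthFilter implements ContainerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) HttpServerAuthFilter.class);

    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String CHALLENGE_HEADER = "WWW-Authenticate";
    private static final String AUTH_COOKIE = "auth_token";
    private static final String BEARER_PREFIX = "Bearer ";

    private final HttpAuthenticator<?> authenticator;
    // Supplies the path prefixes that may be reached without authentication. It is queried on
    // every unauthenticated request, so the list may change at runtime.
    private final Supplier<Collection<String>> whitelist;

    /**
     * Creates a filter with an empty whitelist, so no path is reachable anonymously.
     *
     * @param httpAuthenticator authenticator used to validate credentials and build challenges
     */
    public HttpServerAuthFilter(HttpAuthenticator<?> httpAuthenticator) {
        this(httpAuthenticator, Collections::emptyList);
    }

    /**
     * Creates a filter with a caller-supplied whitelist.
     *
     * @param httpAuthenticator authenticator used to validate credentials and build challenges
     * @param supplier supplies the path prefixes that do not require authentication
     */
    public HttpServerAuthFilter(HttpAuthenticator<?> httpAuthenticator, Supplier<Collection<String>> supplier) {
        this.authenticator = httpAuthenticator;
        this.whitelist = supplier;
    }

    /**
     * Authenticates the request and installs a {@link ConfluentSecurityContext} for it.
     *
     * <p>The request is aborted with {@code 401 Unauthorized} when the authenticator yields no
     * principal for a credential that carries a scheme, when an unauthenticated request targets
     * a path outside the whitelist, or when anything throws during authentication.
     *
     * @param containerRequestContext the request being filtered
     * @throws IOException declared by the interface; this implementation catches every
     *     {@link Throwable} and aborts the request instead
     */
    @Override // javax.ws.rs.container.ContainerRequestFilter
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        try {
            HttpCredential credential =
                    HttpCredential.read(containerRequestContext.getHeaders().getFirst(AUTHORIZATION_HEADER));
            if (credential.credential() == null) {
                // NOTE(review): a token accepted from a cookie is attached by the browser to
                // cross-site requests as well; confirm CSRF protection (SameSite cookie
                // attribute, anti-CSRF token or origin check) is enforced elsewhere.
                Cookie cookie = containerRequestContext.getCookies().get(AUTH_COOKIE);
                if (cookie != null) {
                    String value = cookie.getValue();
                    credential = HttpCredential.read(value.startsWith(BEARER_PREFIX) ? value : BEARER_PREFIX + value);
                }
            }

            // The decompiler could not infer this local's type and reported
            // java.security.Principal for it; confirm against HttpAuthenticator's signature.
            java.security.Principal principal = this.authenticator.authenticate(credential);
            if (principal == null && !credential.scheme().equals(HttpCredential.Scheme.NONE)) {
                log.debug("Incompatible authentication scheme {}", credential.scheme());
                containerRequestContext.abortWith(
                        Response.status(Response.Status.UNAUTHORIZED)
                                .header(CHALLENGE_HEADER, this.authenticator.challenge())
                                .build());
                // Stop here: the request is already rejected. Continuing would install a
                // security context for an aborted request, and a later failure would replace
                // this response with one that lacks the WWW-Authenticate challenge.
                return;
            }

            // NOTE(review): the flag is derived from the request URI as seen by this server.
            // Behind a TLS-terminating proxy the URI may read "http" for a request that reached
            // the proxy over TLS; confirm how the third constructor argument is used.
            boolean httpsUri = containerRequestContext.getUriInfo().getRequestUri().toString().startsWith("https");
            containerRequestContext.setSecurityContext(
                    new ConfluentSecurityContext(credential.scheme(), principal, httpsUri));
            filterWhitelist(containerRequestContext);
        } catch (Throwable th) {
            // Fail closed on any error. Only the exception type is logged, because exception
            // messages raised while parsing a credential may echo parts of that credential.
            log.debug("Unable to authenticate request: {}", th.getClass().getName());
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }

    /**
     * Rejects unauthenticated requests whose path is not covered by the whitelist.
     *
     * <p>A request counts as unauthenticated when it has no security context or its principal
     * equals {@link ConfluentSecurityContext#ANONYMOUS}. If the security context returns a
     * {@code null} principal, the resulting {@link NullPointerException} propagates to
     * {@link #filter}, which answers with {@code 401}.
     *
     * @param containerRequestContext the request being filtered
     */
    private void filterWhitelist(ContainerRequestContext containerRequestContext) {
        SecurityContext securityContext = containerRequestContext.getSecurityContext();
        boolean anonymous = securityContext == null
                || securityContext.getUserPrincipal().equals(ConfluentSecurityContext.ANONYMOUS);
        if (!anonymous) {
            return;
        }
        // The match is a plain string prefix on the decoded path, not a path-segment match: an
        // entry "status" also admits "status-admin", and an empty entry admits every path.
        // Entries should therefore end on a segment boundary. Whether dot segments are
        // normalised before this filter runs is not visible here; verify in the container.
        boolean whitelisted = this.whitelist.get().stream()
                .anyMatch(prefix -> containerRequestContext.getUriInfo().getPath(true).startsWith(prefix));
        if (!whitelisted) {
            log.debug("Authentication required to access secured path");
            containerRequestContext.abortWith(
                    Response.status(Response.Status.UNAUTHORIZED)
                            .header(CHALLENGE_HEADER, this.authenticator.challenge())
                            .build());
        }
    }
}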
