package org.geoserver.rest.security;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.thoughtworks.xstream.XStream;
import java.io.IOException;
import java.lang.reflect.Type;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import org.geoserver.config.util.XStreamPersister;
import org.geoserver.rest.RestBaseController;
import org.geoserver.rest.converters.XStreamMessageConverter;
import org.geoserver.rest.security.xml.AuthFilterChain;
import org.geoserver.rest.wrapper.RestWrapper;
import org.geoserver.security.GeoServerSecurityFilterChain;
import org.geoserver.security.GeoServerSecurityManager;
import org.geoserver.security.RequestFilterChain;
import org.geoserver.security.config.SecurityManagerConfig;
import org.springframework.core.MethodParameter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.util.UriComponentsBuilder;

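/**
 * REST endpoints under {@code /rest/security/filterChains} for listing, viewing, creating,
 * updating and deleting the request filter chains held in the security configuration.
 *
 * <p>Every handler calls {@link #checkAuthorisation()} before touching the configuration, so a
 * caller for whom {@code checkAuthenticationForAdminRole()} is false gets 403 and no data.
 * Changes are written with {@code saveSecurityConfig} and followed by {@code reload()}, so a
 * successful write takes effect immediately. A chain's position is part of the stored
 * configuration: it is the chain's index in the list returned by {@code getRequestChains()}.
 */
@RequestMapping(path = {"/rest/security/filterChains"})
@ControllerAdvice(assignableTypes = {AuthenticationFilterChainRestController.class})
@RestController("authenticationFilterChainRestController")
public class AuthenticationFilterChainRestController extends RestBaseController {
    private static final String MANAGER_NOT_INITIALIZED = "GeoServerSecurityManager not initialized";
    private static final String CHAIN_NAME_REQUIRED = "chainName is required";

    private final GeoServerSecurityManager securityManager;

    /** Client error: the request failed validation. Mapped to 400. */
    public static class BadRequest extends RuntimeException {
        public BadRequest(String str) {
            super(str);
        }
    }

    /** A filter chain could not be instantiated from the submitted class name. Mapped to 500. */
    public static class CannotMakeChain extends RuntimeException {
        public CannotMakeChain(String str, Exception exc) {
            super("Cannot make class " + str, exc);
        }
    }

    /** The security configuration could not be loaded. Mapped to 500. */
    public static class CannotReadConfig extends RuntimeException {
        public CannotReadConfig(Exception exc) {
            super("Cannot read the Security configuration ", exc);
        }
    }

    /** The security configuration could not be saved or reloaded. Mapped to 500. */
    public static class CannotSaveConfig extends RuntimeException {
        public CannotSaveConfig(Exception exc) {
            super("Cannot save the Security configuration ", exc);
        }
    }

    /** The security configuration could not be loaded for a delete. Mapped to 500. */
    public static class CannotUpdateConfig extends RuntimeException {
        public CannotUpdateConfig(Exception exc) {
            super("Cannot update the Security configuration ", exc);
        }
    }

    /** A chain with the submitted name already exists. Mapped to 400. */
    public static class DuplicateChainName extends RuntimeException {
        public DuplicateChainName(String str) {
            super("Cannot create the filter chain " + str + " because one with that name already exists.");
        }
    }

    /** Body returned by the exception handlers: the HTTP status code and a message. */
    public static class ErrorResponse {
        private int status;
        private String message;

        public ErrorResponse(int i, String str) {
            this.status = i;
            this.message = str;
        }

        public int getStatus() {
            return this.status;
        }

        public void setStatus(int i) {
            this.status = i;
        }

        public String getMessage() {
            return this.message;
        }

        public void setMessage(String str) {
            this.message = str;
        }
    }

    /** No chain with the requested name exists. Mapped to 404. */
    public static class FilterChainNotFound extends RuntimeException {
        public FilterChainNotFound(String str) {
            super("Cannot find the filter chain " + str + " in the Security configuration.");
        }
    }

    /** The caller failed the admin-role check. Mapped to 403. */
    public static class NotAuthorised extends RuntimeException {
        public NotAuthorised() {
            super("Admin role required to access this resource");
        }
    }

    /** The chain named in a delete request does not exist. Mapped to 410. */
    public static class NothingToDelete extends RuntimeException {
        public NothingToDelete(String str) {
            super("Cannot delete " + str + " as no filter exists");
        }
    }

    /**
     * @param geoServerSecurityManager manager used for the admin-role check and for loading,
     *     saving and reloading the security configuration
     */
    public AuthenticationFilterChainRestController(GeoServerSecurityManager geoServerSecurityManager) {
        this.securityManager = geoServerSecurityManager;
    }

    /** Lists every configured filter chain together with its position. */
    @GetMapping(produces = {MediaType.APPLICATION_JSON_VALUE, MediaType.APPLICATION_XML_VALUE})
    public RestWrapper<AuthFilterChain> list() {
        checkAuthorisation();
        return wrapList(listFilterChains(), AuthFilterChain.class);
    }

    /**
     * Returns one filter chain by name.
     *
     * @throws FilterChainNotFound if no chain has that name
     */
    @GetMapping(
            value = {"/{chainName}"},
            produces = {MediaType.APPLICATION_JSON_VALUE, MediaType.APPLICATION_XML_VALUE})
    public RestWrapper<AuthFilterChain> view(@PathVariable("chainName") String str) {
        checkAuthorisation();
        return wrapObject(viewFilterChain(str), AuthFilterChain.class);
    }

    /**
     * Creates a filter chain at the requested position and answers 201 with a {@code Location}
     * header and the chain name as a plain-text body.
     *
     * @throws BadRequest if the chain has no name or the position is outside {@code 0..size}
     * @throws DuplicateChainName if a chain with that name already exists
     */
    @PostMapping(consumes = {MediaType.APPLICATION_JSON_VALUE, MediaType.APPLICATION_XML_VALUE})
    public ResponseEntity<String> create(@RequestBody AuthFilterChain authFilterChain, UriComponentsBuilder uriComponentsBuilder) {
        checkAuthorisation();
        AuthFilterChain saved = saveFilterChain(authFilterChain.toRequestFilterChain(), authFilterChain.getPosition());
        HttpHeaders headers = new HttpHeaders();
        headers.setLocation(uriComponentsBuilder
                .path("/security/filterChains/{chainName}")
                .buildAndExpand(saved.getName())
                .toUri());
        headers.setContentType(MediaType.TEXT_PLAIN);
        return new ResponseEntity<>(authFilterChain.getName(), headers, HttpStatus.CREATED);
    }

    /**
     * Replaces the named filter chain and moves it to the requested position.
     *
     * @throws FilterChainNotFound if no chain has that name
     * @throws BadRequest if the body name differs from the path name or the position is invalid
     */
    @PutMapping(
            value = {"/{chainName}"},
            consumes = {MediaType.APPLICATION_JSON_VALUE, MediaType.APPLICATION_XML_VALUE})
    @ResponseStatus(HttpStatus.OK)
    public void update(@PathVariable("chainName") String str, @RequestBody AuthFilterChain authFilterChain) {
        checkAuthorisation();
        updateFilterChain(str, authFilterChain.toRequestFilterChain(), authFilterChain.getPosition());
    }

    /**
     * Deletes the named filter chain.
     *
     * @throws NothingToDelete if no chain has that name
     * @throws BadRequest if the chain reports that it cannot be removed
     */
    @DeleteMapping(
            value = {"/{chainName}"},
            produces = {MediaType.APPLICATION_JSON_VALUE, MediaType.APPLICATION_XML_VALUE})
    @ResponseStatus(HttpStatus.OK)
    public void delete(@PathVariable("chainName") String str) {
        checkAuthorisation();
        deleteFilterChain(str);
    }

    // The handlers below return only the exception's own message. For the Cannot* types that
    // message is a fixed string (plus, for CannotMakeChain, the requested class name); the
    // wrapped cause is never written to the response.

    @ExceptionHandler({CannotMakeChain.class})
    public ResponseEntity<ErrorResponse> handleRestException(CannotMakeChain cannotMakeChain) {
        return errorResponse(HttpStatus.INTERNAL_SERVER_ERROR, cannotMakeChain);
    }

    @ExceptionHandler({CannotSaveConfig.class})
    public ResponseEntity<ErrorResponse> handleRestException(CannotSaveConfig cannotSaveConfig) {
        return errorResponse(HttpStatus.INTERNAL_SERVER_ERROR, cannotSaveConfig);
    }

    @ExceptionHandler({CannotUpdateConfig.class})
    public ResponseEntity<ErrorResponse> handleRestException(CannotUpdateConfig cannotUpdateConfig) {
        return errorResponse(HttpStatus.INTERNAL_SERVER_ERROR, cannotUpdateConfig);
    }

    @ExceptionHandler({CannotReadConfig.class})
    public ResponseEntity<ErrorResponse> handleRestException(CannotReadConfig cannotReadConfig) {
        return errorResponse(HttpStatus.INTERNAL_SERVER_ERROR, cannotReadConfig);
    }

    @ExceptionHandler({BadRequest.class})
    public ResponseEntity<ErrorResponse> handleRestException(BadRequest badRequest) {
        return errorResponse(HttpStatus.BAD_REQUEST, badRequest);
    }

    @ExceptionHandler({NothingToDelete.class})
    public ResponseEntity<ErrorResponse> handleRestException(NothingToDelete nothingToDelete) {
        return errorResponse(HttpStatus.GONE, nothingToDelete);
    }

    @ExceptionHandler({DuplicateChainName.class})
    public ResponseEntity<ErrorResponse> handleRestException(DuplicateChainName duplicateChainName) {
        return errorResponse(HttpStatus.BAD_REQUEST, duplicateChainName);
    }

    @ExceptionHandler({FilterChainNotFound.class})
    public ResponseEntity<ErrorResponse> handleRestException(FilterChainNotFound filterChainNotFound) {
        return errorResponse(HttpStatus.NOT_FOUND, filterChainNotFound);
    }

    @ExceptionHandler({NotAuthorised.class})
    public ResponseEntity<ErrorResponse> handleRestException(NotAuthorised notAuthorised) {
        return errorResponse(HttpStatus.FORBIDDEN, notAuthorised);
    }

    /**
     * Reports whether the parameter being bound is an {@link AuthFilterChain}. The admin-role
     * check runs first, so an unauthorised caller is rejected before the body is converted.
     * NOTE(review): presumably the request-body advice hook inherited through
     * RestBaseController; confirm against the superclass.
     */
    public boolean supports(MethodParameter methodParameter, Type type, Class<? extends HttpMessageConverter<?>> cls) {
        checkAuthorisation();
        return AuthFilterChain.class.isAssignableFrom(methodParameter.getParameterType());
    }

    /**
     * Registers the {@link AuthFilterChain} annotations with XStream and restricts the extra
     * deserialisable types to the {@code org.geoserver.rest.security.xml} package. Keep this
     * allow-list narrow: it decides which classes a request body may instantiate.
     */
    public void configurePersister(XStreamPersister xStreamPersister, XStreamMessageConverter xStreamMessageConverter) {
        XStream xStream = xStreamPersister.getXStream();
        xStream.allowTypesByWildcard(new String[] {"org.geoserver.rest.security.xml.*"});
        xStream.processAnnotations(new Class[] {AuthFilterChain.class});
    }

    /** Builds the error body and response for an exception mapped to {@code status}. */
    private static ResponseEntity<ErrorResponse> errorResponse(HttpStatus status, RuntimeException cause) {
        return new ResponseEntity<>(new ErrorResponse(status.value(), cause.getMessage()), status);
    }

    /**
     * Returns the index of the first non-null chain whose name equals {@code name}, or -1.
     * Null entries and null names are skipped instead of raising a NullPointerException.
     */
    private static int indexOfChainNamed(List<RequestFilterChain> chains, String name) {
        for (int idx = 0; idx < chains.size(); idx++) {
            RequestFilterChain candidate = chains.get(idx);
            if (candidate != null && Objects.equals(candidate.getName(), name)) {
                return idx;
            }
        }
        return -1;
    }

    /** Loads all chains and converts each non-null one to its REST form with its position. */
    private List<AuthFilterChain> listFilterChains() {
        try {
            Preconditions.checkState(this.securityManager != null, MANAGER_NOT_INITIALIZED);
            List<RequestFilterChain> requestChains =
                    this.securityManager.loadSecurityConfig().getFilterChain().getRequestChains();
            return requestChains.stream()
                    .filter(Objects::nonNull)
                    .map(chain -> {
                        AuthFilterChain dto = new AuthFilterChain(chain);
                        int idx = indexOfChainNamed(requestChains, dto.getName());
                        // Position 0 is reported when the name cannot be found again.
                        dto.setPosition(idx >= 0 ? idx : 0);
                        return dto;
                    })
                    .collect(Collectors.toList());
        } catch (IOException e) {
            throw new CannotReadConfig(e);
        } catch (IllegalArgumentException e2) {
            throw new BadRequest(e2.getMessage());
        }
    }

    /** Loads the chain called {@code str} and returns it with its position. */
    private AuthFilterChain viewFilterChain(String str) {
        try {
            Preconditions.checkState(this.securityManager != null, MANAGER_NOT_INITIALIZED);
            Preconditions.checkArgument(!Strings.isNullOrEmpty(str), CHAIN_NAME_REQUIRED);
            SecurityManagerConfig config = this.securityManager.loadSecurityConfig();
            RequestFilterChain found = config.getFilterChain().getRequestChainByName(str);
            if (found == null) {
                throw new FilterChainNotFound(str);
            }
            AuthFilterChain dto = new AuthFilterChain(found);
            dto.setPosition(config.getFilterChain().getRequestChains().indexOf(found));
            return dto;
        } catch (IOException e) {
            throw new CannotReadConfig(e);
        } catch (IllegalArgumentException e2) {
            throw new BadRequest(e2.getMessage());
        }
    }

    /** Removes the chain called {@code str}, provided it reports {@code canBeRemoved()}. */
    private void deleteFilterChain(String str) {
        try {
            Preconditions.checkState(this.securityManager != null, MANAGER_NOT_INITIALIZED);
            Preconditions.checkArgument(!Strings.isNullOrEmpty(str), CHAIN_NAME_REQUIRED);
            SecurityManagerConfig config = this.securityManager.loadSecurityConfig();
            List<RequestFilterChain> chains = config.getFilterChain().getRequestChains();
            int idx = indexOfChainNamed(chains, str);
            if (idx < 0) {
                throw new NothingToDelete(str);
            }
            RequestFilterChain doomed = chains.get(idx);
            Preconditions.checkArgument(doomed.canBeRemoved(), "Filter chain " + str + " cannot be removed.");
            // Remove by index so exactly the chain that passed the canBeRemoved() check goes.
            chains.remove(idx);
            saveAndReturnAuthFilterChain(doomed, config, chains);
        } catch (IOException e) {
            throw new CannotUpdateConfig(e);
        } catch (IllegalArgumentException e2) {
            throw new BadRequest(e2.getMessage());
        }
    }

    /**
     * Replaces the chain called {@code str} with {@code requestFilterChain} and moves it to
     * index {@code i}.
     *
     * <p>An unknown name is rejected with {@link FilterChainNotFound}. Without that check the
     * replacement would simply be inserted at {@code i}, i.e. an update would create a chain
     * while skipping the duplicate-name validation that creation applies.
     */
    private void updateFilterChain(String str, RequestFilterChain requestFilterChain, int i) throws CannotSaveConfig {
        try {
            Preconditions.checkState(this.securityManager != null, MANAGER_NOT_INITIALIZED);
            Preconditions.checkArgument(!Strings.isNullOrEmpty(str), CHAIN_NAME_REQUIRED);
            Preconditions.checkArgument(Objects.nonNull(requestFilterChain), "filterChain is required");
            Preconditions.checkArgument(
                    Objects.equals(requestFilterChain.getName(), str),
                    "chainName must be the same as the name of the filter chain to be updated");
            Preconditions.checkArgument(i >= 0, "position must be greater than or equal to 0");
            SecurityManagerConfig config = this.securityManager.loadSecurityConfig();
            List<RequestFilterChain> current = config.getFilterChain().getRequestChains();
            Preconditions.checkArgument(i < current.size(), "position must be less than the number of filter chains");
            if (indexOfChainNamed(current, str) < 0) {
                throw new FilterChainNotFound(str);
            }
            List<RequestFilterChain> updated = current.stream()
                    .map(chain -> chain != null && str.equals(chain.getName()) ? requestFilterChain : chain)
                    .collect(Collectors.toList());
            if (i != updated.indexOf(requestFilterChain)) {
                updated.remove(requestFilterChain);
                updated.add(i, requestFilterChain);
            }
            saveAndReturnAuthFilterChain(requestFilterChain, config, updated);
        } catch (IOException | IllegalStateException e) {
            throw new CannotSaveConfig(e);
        } catch (IllegalArgumentException e2) {
            throw new BadRequest(e2.getMessage());
        }
    }

    /**
     * Inserts {@code requestFilterChain} at index {@code i} and persists the configuration.
     *
     * <p>The position is checked against {@code 0..size} so an out-of-range value is a 400
     * instead of an unhandled IndexOutOfBoundsException. Duplicates are detected by name as
     * well as by {@code equals}, because a chain that reuses an existing name with different
     * settings would otherwise be stored next to the original.
     */
    private AuthFilterChain saveFilterChain(RequestFilterChain requestFilterChain, int i) {
        try {
            Preconditions.checkState(this.securityManager != null, MANAGER_NOT_INITIALIZED);
            Preconditions.checkArgument(Objects.nonNull(requestFilterChain), "filterChain is required");
            // The other endpoints address a chain by name, so a nameless chain could never be
            // viewed, updated or deleted through this API.
            Preconditions.checkArgument(
                    !Strings.isNullOrEmpty(requestFilterChain.getName()), "filter chain name is required");
            Preconditions.checkArgument(i >= 0, "position must be greater than or equal to 0");
            SecurityManagerConfig config = this.securityManager.loadSecurityConfig();
            List<RequestFilterChain> requestChains = config.getFilterChain().getRequestChains();
            Preconditions.checkArgument(
                    i <= requestChains.size(), "position must be less than or equal to the number of filter chains");
            if (requestChains.contains(requestFilterChain)
                    || indexOfChainNamed(requestChains, requestFilterChain.getName()) >= 0) {
                throw new DuplicateChainName(requestFilterChain.getName());
            }
            requestChains.add(i, requestFilterChain);
            return saveAndReturnAuthFilterChain(requestFilterChain, config, requestChains);
        } catch (IOException | IllegalStateException e) {
            throw new CannotSaveConfig(e);
        } catch (IllegalArgumentException e2) {
            throw new BadRequest(e2.getMessage());
        }
    }

    /**
     * Stores {@code list} as the new filter chain set, saves and reloads the security
     * configuration, and returns {@code requestFilterChain} with its index in {@code list}.
     * Any failure while saving or reloading is reported as {@link CannotSaveConfig}.
     */
    private AuthFilterChain saveAndReturnAuthFilterChain(RequestFilterChain requestFilterChain, SecurityManagerConfig securityManagerConfig, List<RequestFilterChain> list) {
        securityManagerConfig.setFilterChain(new GeoServerSecurityFilterChain(list));
        try {
            this.securityManager.saveSecurityConfig(securityManagerConfig);
            this.securityManager.reload();
            AuthFilterChain dto = new AuthFilterChain(requestFilterChain);
            dto.setPosition(list.indexOf(requestFilterChain));
            return dto;
        } catch (Exception e) {
            throw new CannotSaveConfig(e);
        }
    }

    /**
     * Rejects the request with {@link NotAuthorised} unless the security manager confirms the
     * admin role for the current authentication. Must stay the first call in every handler.
     */
    private void checkAuthorisation() {
        if (!this.securityManager.checkAuthenticationForAdminRole()) {
            throw new NotAuthorised();
        }
    }
}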
