package com.composum.sling.core.service.impl;

import com.composum.sling.core.service.ServiceRestrictions;
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

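/**
 * Sling request filter that rejects POST requests to configured repository paths when the
 * {@link ServiceRestrictions} service does not grant write permission for the mapped service key.
 *
 * <p>Decompiled from composum-nodes-commons-4.2.2.jar.
 *
 * <p>Points to keep in mind when relying on this filter as a control:
 * <ul>
 *   <li>Only the POST method is inspected; every other HTTP method passes straight through, so
 *       other write-capable methods have to be restricted elsewhere.</li>
 *   <li>Patterns are applied with {@link java.util.regex.Matcher#matches()} to the path of the
 *       request's resource, so a pattern must cover the whole path to take effect.</li>
 *   <li>If the filter is disabled or no valid rule is configured, all requests pass.</li>
 * </ul>
 *
 * <p>Thread-safety: the rule table is rebuilt on every (re)configuration and published with a
 * single volatile write, so requests in flight see either the old or the new rule set, never an
 * empty or half-filled one.
 */
@Designate(ocd = PostServletRestrictionsFilter.Config.class)
@Component(service = {Filter.class}, property = {"service.description=Composum Service Restrictions POST Filter", "sling.filter.scope=REQUEST"}, configurationPolicy = ConfigurationPolicy.REQUIRE, immediate = true)
public class PostServletRestrictionsFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(PostServletRestrictionsFilter.class);

    @Reference
    private ServiceRestrictions restrictions;

    // Both fields are written by activate() and read by request threads, hence volatile.
    private volatile Config config;

    // Insertion-ordered so rules are evaluated in configuration order. Never mutated after
    // publication; activate() replaces the whole map.
    private volatile Map<Pattern, ServiceRestrictions.Key> restrictedPaths = new LinkedHashMap<>();

    @ObjectClassDefinition(name = "Composum Service Restrictions POST Filter Configuration")
    @interface Config {
        @AttributeDefinition(name = "Enabled", description = "the on/off switch for the Restrictions Filter (default: true)")
        boolean enabled() default true;

        // The misspelling ("resticted") is part of the configuration property name; renaming it
        // would silently drop the rules of every existing configuration.
        @AttributeDefinition(name = "Path Restrictions", description = "the mapping of repository path patterns to service keys (e.g. '^/content(/.*)?$=pages/content/edit')")
        String[] restictedPaths() default {};

        @AttributeDefinition(name = "Service Ranking", description = "the ranking of the service to place the servlet filter at the right place in the filter chain")
        int service_ranking() default 2600;
    }

    /**
     * Parses the configured {@code <pattern>=<service key>} entries into a fresh rule table and
     * publishes it atomically.
     *
     * <p>Entries that are malformed or carry an invalid regular expression are logged and skipped,
     * so one bad entry cannot take the remaining restrictions out of force. A skipped entry still
     * means that path is NOT restricted, which is why it is logged rather than dropped silently.
     *
     * @param config the component configuration
     */
    @Activate
    @Modified
    public final void activate(Config config) {
        final Map<Pattern, ServiceRestrictions.Key> rules = new LinkedHashMap<>();
        for (String entry : config.restictedPaths()) {
            final String[] parts = StringUtils.split(entry, "=", 2);
            if (parts == null || parts.length != 2 || StringUtils.isBlank(parts[0]) || StringUtils.isBlank(parts[1])) {
                LOG.warn("ignoring path restriction '{}': expected '<pattern>=<service key>'", entry);
                continue;
            }
            final Pattern pattern;
            try {
                pattern = Pattern.compile(parts[0]);
            } catch (IllegalArgumentException ex) {
                // PatternSyntaxException is an IllegalArgumentException
                LOG.error("ignoring path restriction '{}': invalid path pattern", entry, ex);
                continue;
            }
            rules.put(pattern, new ServiceRestrictions.Key(parts[1]));
        }
        // Publish only the completed table; request threads never observe a partial one.
        this.restrictedPaths = rules;
        this.config = config;
    }

    /**
     * Denies a POST with status 405 if its resource path matches a configured pattern and the
     * restrictions service does not permit writing for the mapped key; otherwise continues the
     * filter chain.
     *
     * @throws IOException      from sending the error or from the downstream chain
     * @throws ServletException from the downstream chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        // Take one snapshot so a concurrent reconfiguration cannot change the rules mid-request.
        final Map<Pattern, ServiceRestrictions.Key> rules = this.restrictedPaths;
        if (this.config.enabled() && !rules.isEmpty() && (servletRequest instanceof SlingHttpServletRequest)) {
            final SlingHttpServletRequest request = (SlingHttpServletRequest) servletRequest;
            // Only POST is subject to these rules; see the class comment.
            if ("POST".equals(request.getMethod())) {
                final String path = request.getResource().getPath();
                for (Map.Entry<Pattern, ServiceRestrictions.Key> rule : rules.entrySet()) {
                    if (rule.getKey().matcher(path).matches() && !this.restrictions.isPermissible(request, rule.getValue(), ServiceRestrictions.Permission.write)) {
                        // NOTE(review): the path may be influenced by the requester; confirm the
                        // log layout neutralises line breaks.
                        LOG.warn("POST request to {} denied due to restrictions for service {}", path, rule.getValue());
                        ((SlingHttpServletResponse) servletResponse).sendError(SlingHttpServletResponse.SC_METHOD_NOT_ALLOWED);
                        return;
                    }
                }
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /** No initialisation needed; configuration arrives through {@link #activate(Config)}. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }
}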
