package com.alibaba.nacos.core.auth;

import com.alibaba.nacos.auth.HttpProtocolAuthService;
import com.alibaba.nacos.auth.annotation.Secured;
import com.alibaba.nacos.auth.config.AuthConfigs;
import com.alibaba.nacos.auth.serveridentity.ServerIdentityResult;
import com.alibaba.nacos.common.utils.ExceptionUtil;
import com.alibaba.nacos.core.code.ControllerMethodsCache;
import com.alibaba.nacos.core.context.RequestContext;
import com.alibaba.nacos.core.context.RequestContextHolder;
import com.alibaba.nacos.core.utils.Loggers;
import com.alibaba.nacos.plugin.auth.api.IdentityContext;
import com.alibaba.nacos.plugin.auth.api.Permission;
import com.alibaba.nacos.plugin.auth.api.Resource;
import com.alibaba.nacos.plugin.auth.exception.AccessException;
import java.io.IOException;
import java.lang.reflect.Method;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:com/alibaba/nacos/core/auth/AuthFilter.class */
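/**
 * Servlet filter that enforces authentication and authorization on HTTP requests whose
 * resolved controller method is annotated with {@link Secured}.
 *
 * <p>Requests pass through without any identity or authority check when:
 * <ul>
 *   <li>authentication is disabled in {@link AuthConfigs};</li>
 *   <li>{@link ControllerMethodsCache} resolves no method for the request;</li>
 *   <li>the resolved method carries no {@link Secured} annotation;</li>
 *   <li>the server-identity check reports {@code MATCHED};</li>
 *   <li>{@code enableAuth} reports auth as not enabled for the annotation.</li>
 * </ul>
 * Each of these is an authorization bypass by design, so the inputs that drive them
 * (configuration, route cache, server-identity settings) are part of the trust boundary.
 */
public class AuthFilter implements Filter {
    private final AuthConfigs authConfigs;
    private final ControllerMethodsCache methodsCache;
    private final HttpProtocolAuthService protocolAuthService;

    /**
     * Creates the filter and initializes the HTTP protocol auth service it delegates to.
     *
     * @param authConfigs auth configuration, consulted on every request
     * @param controllerMethodsCache cache used to resolve the controller method for a request
     */
    public AuthFilter(AuthConfigs authConfigs, ControllerMethodsCache controllerMethodsCache) {
        this.authConfigs = authConfigs;
        this.methodsCache = controllerMethodsCache;
        this.protocolAuthService = new HttpProtocolAuthService(authConfigs);
        this.protocolAuthService.initialize();
    }

    /**
     * Applies server-identity, identity and authority checks to {@link Secured} endpoints
     * before handing the request to the rest of the chain.
     *
     * <p>Failures are reported with {@code sendError}: 403 for a failed server-identity check
     * or an {@link AccessException}, 400 for an {@link IllegalArgumentException}, and 500 for
     * any other exception. The downstream {@code filterChain.doFilter} call sits inside the
     * same try block, so exceptions thrown further down the chain are mapped the same way.
     *
     * @param servletRequest incoming request; cast to {@link HttpServletRequest} once auth is enabled
     * @param servletResponse outgoing response; cast to {@link HttpServletResponse} once auth is enabled
     * @param filterChain remaining filter chain
     * @throws IOException if writing the error response fails
     * @throws ServletException declared by the {@link Filter} contract
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        if (!this.authConfigs.isAuthEnabled()) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        try {
            Method method = this.methodsCache.getMethod(httpServletRequest);
            if (method == null) {
                // NOTE(review): a request the cache cannot resolve is forwarded unchecked;
                // confirm every sensitive route is registered in ControllerMethodsCache.
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
            if (method.isAnnotationPresent(Secured.class)) {
                if (Loggers.AUTH.isDebugEnabled()) {
                    Loggers.AUTH.debug("auth start, request: {} {}", httpServletRequest.getMethod(),
                            httpServletRequest.getRequestURI());
                }
                Secured annotation = method.getAnnotation(Secured.class);
                ServerIdentityResult checkServerIdentity =
                        this.protocolAuthService.checkServerIdentity(httpServletRequest, annotation);
                // Switch on the enum directly instead of through a synthetic ordinal lookup table.
                switch (checkServerIdentity.getStatus()) {
                    case FAIL:
                        httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN,
                                checkServerIdentity.getMessage());
                        return;
                    case MATCHED:
                        // A matched server identity skips identity and authority validation
                        // entirely. NOTE(review): the check itself lives in
                        // HttpProtocolAuthService; whatever it compares against should be
                        // deployment-specific and kept secret.
                        filterChain.doFilter(servletRequest, servletResponse);
                        return;
                    default:
                        break;
                }
                if (!this.protocolAuthService.enableAuth(annotation)) {
                    filterChain.doFilter(servletRequest, servletResponse);
                    return;
                }
                Resource parseResource = this.protocolAuthService.parseResource(httpServletRequest, annotation);
                IdentityContext parseIdentity = this.protocolAuthService.parseIdentity(httpServletRequest);
                boolean validateIdentity = this.protocolAuthService.validateIdentity(parseIdentity, parseResource);
                // Publish identity and resource to the request context before rejecting, so the
                // context is populated for failed attempts as well.
                RequestContext context = RequestContextHolder.getContext();
                context.getAuthContext().setIdentityContext(parseIdentity);
                context.getAuthContext().setResource(parseResource);
                // An auth result that is already present is left untouched.
                if (null == context.getAuthContext().getAuthResult()) {
                    context.getAuthContext().setAuthResult(Boolean.valueOf(validateIdentity));
                }
                if (!validateIdentity) {
                    throw new AccessException("Validate Identity failed.");
                }
                Permission permission = new Permission(parseResource, annotation.action().toString());
                if (!this.protocolAuthService.validateAuthority(parseIdentity, permission)) {
                    throw new AccessException("Validate Authority failed.");
                }
            }
            filterChain.doFilter(servletRequest, servletResponse);
        } catch (AccessException e) {
            // Specific handlers come before the general one: with catch (Exception) first,
            // the 403 and 400 mappings are unreachable and the class does not compile.
            if (Loggers.AUTH.isDebugEnabled()) {
                Loggers.AUTH.debug("access denied, request: {} {}, reason: {}",
                        new Object[]{httpServletRequest.getMethod(), httpServletRequest.getRequestURI(),
                                e.getErrMsg()});
            }
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, e.getErrMsg());
        } catch (IllegalArgumentException e) {
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, ExceptionUtil.getAllExceptionMsg(e));
        } catch (Exception e) {
            Loggers.AUTH.warn("[AUTH-FILTER] Server failed: ", e);
            // NOTE(review): the raw exception message is returned to the client and may disclose
            // internal detail; a generic body with the detail kept in the log would be safer.
            httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "Server failed, " + e.getMessage());
        }
    }
}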
