package org.apache.camel.component.netty4.http.handlers;

import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.base64.Base64;
import io.netty.handler.codec.http.DefaultHttpResponse;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;
import java.net.URI;
import java.nio.channels.ClosedChannelException;
import java.nio.charset.Charset;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import org.apache.camel.Exchange;
import org.apache.camel.LoggingLevel;
import org.apache.camel.component.netty4.NettyConverter;
import org.apache.camel.component.netty4.NettyHelper;
import org.apache.camel.component.netty4.handlers.ServerChannelHandler;
import org.apache.camel.component.netty4.http.HttpPrincipal;
import org.apache.camel.component.netty4.http.NettyHttpConsumer;
import org.apache.camel.component.netty4.http.NettyHttpSecurityConfiguration;
import org.apache.camel.component.netty4.http.SecurityAuthenticator;
import org.apache.camel.util.CamelLogger;
import org.apache.camel.util.ObjectHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/camel/component/netty4/http/handlers/HttpServerChannelHandler.class */
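/**
 * Inbound handler of the netty4-http consumer.
 *
 * <p>Before a request is handed to the parent {@link ServerChannelHandler} it is checked, in this
 * order, against: consumer suspension (503), the OPTIONS shortcut (200 with an {@code Allow}
 * header), the endpoint's HTTP method restriction (405), the TRACE switch (405), the presence of a
 * {@code Host} header (400) and, when the endpoint's security configuration asks for the
 * {@code Basic} constraint, HTTP Basic authentication plus a role check (401).
 *
 * <p>Every rejection is an empty {@code text/plain} response; all of them except the OPTIONS reply
 * also close the channel.
 */
public class HttpServerChannelHandler extends ServerChannelHandler {
    // Logs under the consumer's logger name, not under this handler's own class name.
    private static final Logger LOG = LoggerFactory.getLogger(NettyHttpConsumer.class);
    private final NettyHttpConsumer consumer;
    // Last request read by this handler instance.
    // NOTE(review): mutable per-instance state; assumes one handler instance per channel - confirm.
    private HttpRequest request;

    /**
     * Creates the handler for the given consumer.
     *
     * @param nettyHttpConsumer consumer whose endpoint and configuration drive every check
     */
    public HttpServerChannelHandler(NettyHttpConsumer nettyHttpConsumer) {
        super(nettyHttpConsumer);
        this.consumer = nettyHttpConsumer;
    }

    /**
     * Returns the consumer this handler serves.
     *
     * @return the consumer passed to the constructor
     */
    public NettyHttpConsumer getConsumer() {
        return this.consumer;
    }

    /**
     * Validates and, if required, authenticates an incoming request before delegating it to the
     * parent handler.
     *
     * @param channelHandlerContext channel context used to write rejection responses
     * @param obj the inbound message; cast to {@link HttpRequest} without a type check
     * @throws Exception if the request URI cannot be parsed, or anything thrown by the parent
     */
    protected void channelRead0(ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
        this.request = (HttpRequest) obj;
        // NOTE(review): the whole request object is logged. If its toString() renders headers, the
        // Authorization value ends up in debug logs - confirm, or log method and URI only.
        LOG.debug("Message received: {}", this.request);

        if (this.consumer.isSuspended()) {
            LOG.debug("Consumer suspended, cannot service request {}", this.request);
            sendEmptyResponse(channelHandlerContext,
                    new DefaultHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.SERVICE_UNAVAILABLE), true);
            return;
        }

        String methodName = this.request.getMethod().name();
        String methodRestrict = this.consumer.m11getEndpoint().getHttpMethodRestrict();

        if ("OPTIONS".equals(methodName)) {
            // Answered before authentication, and the channel is deliberately left open.
            String allow = methodRestrict != null
                    ? "OPTIONS," + methodRestrict
                    : "GET,HEAD,POST,PUT,DELETE,TRACE,OPTIONS,CONNECT,PATCH";
            DefaultHttpResponse optionsResponse = new DefaultHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK);
            optionsResponse.headers().set("Allow", allow);
            sendEmptyResponse(channelHandlerContext, optionsResponse, false);
            return;
        }

        // NOTE(review): this is a substring test on the configured list, so a method name that is a
        // fragment of an allowed one also passes here. Left as is because the list format is not
        // visible in this file; an exact token comparison would be stricter.
        if (methodRestrict != null && !methodRestrict.contains(methodName)) {
            sendEmptyResponse(channelHandlerContext,
                    new DefaultHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.METHOD_NOT_ALLOWED), true);
            return;
        }

        if ("TRACE".equals(methodName) && !this.consumer.m11getEndpoint().isTraceEnabled()) {
            sendEmptyResponse(channelHandlerContext,
                    new DefaultHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.METHOD_NOT_ALLOWED), true);
            return;
        }

        // Header names are case-insensitive: ask the header collection itself instead of comparing
        // exact strings against names(), which would reject a request that sends "host:".
        if (!this.request.headers().contains("Host")) {
            sendEmptyResponse(channelHandlerContext,
                    new DefaultHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.BAD_REQUEST), true);
            return;
        }

        NettyHttpSecurityConfiguration security = this.consumer.m11getEndpoint().getSecurityConfiguration();
        if (security != null && security.isAuthenticate() && "Basic".equalsIgnoreCase(security.getConstraint())) {
            // Query-less URI, used for logging only.
            String resource = this.request.getUri();
            if (resource.contains("?")) {
                resource = ObjectHelper.before(resource, "?");
            }

            // Path handed to the security constraint, relative to the configured context path.
            // NOTE(review): the path is used as URI.getPath() returns it (no normalize() call, and
            // the context path is removed by plain prefix match). Confirm that the constraint and
            // the code that later routes the request agree on the same path form.
            String path = new URI(this.request.getUri()).getPath();
            String contextPath = this.consumer.m9getConfiguration().getPath();
            if (contextPath != null && path.startsWith(contextPath)) {
                path = path.substring(contextPath.length());
            }

            // Without a constraint every path is restricted and any role ("*") is accepted.
            String restricted = security.getSecurityConstraint() != null
                    ? security.getSecurityConstraint().restricted(path)
                    : "*";
            if (restricted != null) {
                HttpPrincipal principal = extractBasicAuthSubject(this.request);
                Subject subject = null;
                boolean inRole = true;
                if (principal != null) {
                    subject = authenticate(security.getSecurityAuthenticator(),
                            security.getLoginDeniedLoggingLevel(), principal);
                    if (subject != null) {
                        inRole = matchesRoles(restricted, security.getSecurityAuthenticator().getUserRoles(subject));
                    }
                }

                if (principal == null || subject == null || !inRole) {
                    if (principal == null) {
                        LOG.debug("Http Basic Auth required for resource: {}", resource);
                    } else if (subject == null) {
                        LOG.debug("Http Basic Auth not authorized for username: {}", principal.getUsername());
                    } else {
                        LOG.debug("Http Basic Auth not in role for username: {}", principal.getUsername());
                    }
                    DefaultHttpResponse unauthorized =
                            new DefaultHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED);
                    unauthorized.headers().set("WWW-Authenticate", "Basic realm=\"" + security.getRealm() + "\"");
                    sendEmptyResponse(channelHandlerContext, unauthorized, true);
                    return;
                }
                LOG.debug("Http Basic Auth authorized for username: {}", principal.getUsername());
            }
        }

        super.channelRead0(channelHandlerContext, obj);
    }

    /**
     * Completes an empty {@code text/plain} response, writes it and optionally closes the channel.
     *
     * @param ctx channel context to write to
     * @param response response that already carries its status and any extra headers
     * @param closeChannel whether the channel is closed after the write is issued
     */
    private static void sendEmptyResponse(ChannelHandlerContext ctx, DefaultHttpResponse response, boolean closeChannel) {
        response.headers().set("Content-Type", "text/plain");
        response.headers().set("Content-Length", 0);
        ctx.writeAndFlush(response);
        if (closeChannel) {
            ctx.channel().close();
        }
    }

    /**
     * Decides whether a user holds at least one of the roles a resource requires.
     *
     * <p>Roles are compared as whole, trimmed tokens. A substring test on the raw list would let a
     * user role that is merely a fragment of a required role name (or an empty token) pass.
     *
     * @param str roles required for the resource, or {@code "*"} to accept any authenticated user;
     *            tokenized with {@code ObjectHelper.createIterator}, the same way as the user roles
     * @param str2 roles held by the authenticated user
     * @return {@code true} if access is granted
     */
    protected boolean matchesRoles(String str, String str2) {
        if (str.equals("*")) {
            return true;
        }
        Iterator<?> userRoles = ObjectHelper.createIterator(str2);
        while (userRoles.hasNext()) {
            String userRole = userRoles.next().toString().trim();
            if (userRole.isEmpty()) {
                // An empty token must never grant access.
                continue;
            }
            Iterator<?> requiredRoles = ObjectHelper.createIterator(str);
            while (requiredRoles.hasNext()) {
                if (userRole.equals(requiredRoles.next().toString().trim())) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Reads the credentials of an HTTP Basic {@code Authorization} header.
     *
     * <p>Malformed Base64 is not handled here; whatever the decoder throws propagates to the caller.
     *
     * @param httpRequest request whose headers are inspected
     * @return the principal, or {@code null} when the header is absent, uses another scheme, or the
     *         decoded value has no {@code ':'} separating user name and password
     */
    protected static HttpPrincipal extractBasicAuthSubject(HttpRequest httpRequest) {
        String header = httpRequest.headers().get("Authorization");
        if (header == null) {
            return null;
        }
        String scheme = ObjectHelper.before(header, " ");
        if (scheme == null || !"Basic".equalsIgnoreCase(scheme.trim())) {
            return null;
        }

        // NOTE(review): both conversions use the platform default charset, so how non-ASCII
        // credentials decode depends on the JVM configuration.
        ByteBuf decoded = Base64.decode(NettyConverter.toByteBuffer(ObjectHelper.after(header, " ").getBytes()));
        String credentials;
        try {
            credentials = decoded.toString(Charset.defaultCharset());
        } finally {
            // Base64.decode hands back a newly allocated, reference-counted buffer owned by the
            // caller; releasing it keeps unauthenticated requests from accumulating buffers.
            decoded.release();
        }

        if (credentials.indexOf(':') < 0) {
            // Not "user:password": treat as missing credentials rather than building a principal
            // with a null user name and password.
            return null;
        }
        HttpPrincipal principal =
                new HttpPrincipal(ObjectHelper.before(credentials, ":"), ObjectHelper.after(credentials, ":"));
        // NOTE(review): confirm HttpPrincipal.toString() does not render the password.
        LOG.debug("Extracted Basic Auth principal from HTTP header: {}", principal);
        return principal;
    }

    /**
     * Logs the principal in through the configured authenticator.
     *
     * @param securityAuthenticator authenticator to call
     * @param loggingLevel level at which a denied login is logged
     * @param httpPrincipal credentials taken from the request
     * @return the authenticated subject, or {@code null} when the login is rejected
     */
    protected Subject authenticate(SecurityAuthenticator securityAuthenticator, LoggingLevel loggingLevel, HttpPrincipal httpPrincipal) {
        try {
            return securityAuthenticator.login(httpPrincipal);
        } catch (LoginException e) {
            // The principal name comes straight from the request and is written to the log as is.
            CamelLogger deniedLogger = new CamelLogger(LOG, loggingLevel);
            deniedLogger.log("Cannot login " + httpPrincipal.getName() + " due " + e.getMessage(), e);
            return null;
        }
    }

    /**
     * Marks the exchange so gzip and www-form-urlencoded handling are skipped when the consumer is
     * configured as a bridge endpoint.
     *
     * @param exchange exchange about to be processed
     * @param channelHandlerContext unused here
     * @param obj unused here
     */
    protected void beforeProcess(Exchange exchange, ChannelHandlerContext channelHandlerContext, Object obj) {
        if (!this.consumer.m9getConfiguration().isBridgeEndpoint()) {
            return;
        }
        exchange.setProperty("CamelSkipGzipEncoding", Boolean.TRUE);
        exchange.setProperty("CamelSkipWwwFormUrlEncoding", Boolean.TRUE);
    }

    /**
     * Closes the channel on an unexpected error while the consumer is allowed to run.
     *
     * @param channelHandlerContext context of the failing channel
     * @param th the error; a {@link ClosedChannelException} is only logged at debug level
     * @throws Exception declared by the handler contract; not thrown by this body itself
     */
    public void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th) throws Exception {
        if (!this.consumer.isRunAllowed()) {
            return;
        }
        if (th instanceof ClosedChannelException) {
            LOG.debug("Channel already closed. Ignoring this exception.");
            return;
        }
        LOG.warn("Closing channel as an exception was thrown from Netty", th);
        NettyHelper.close(channelHandlerContext.channel());
    }

    /**
     * Converts the exchange result into a Netty response through the endpoint's HTTP binding.
     *
     * @param exchange processed exchange; its OUT message is used when present, otherwise IN
     * @return whatever the binding's {@code toNettyResponse} returns
     * @throws Exception if the binding fails
     */
    protected Object getResponseBody(Exchange exchange) throws Exception {
        return this.consumer.m11getEndpoint().getNettyHttpBinding().toNettyResponse(
                exchange.hasOut() ? exchange.getOut() : exchange.getIn(),
                this.consumer.m9getConfiguration());
    }
}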
