package com.gitblit;

import com.gitblit.AuthenticationFilter;
import com.gitblit.Constants;
import com.gitblit.Keys;
import com.gitblit.models.UserModel;
import java.io.IOException;
import java.text.MessageFormat;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:WEB-INF/lib/gitblit-1.2.0.wso2v1.jar:com/gitblit/RpcFilter.class */
public class RpcFilter extends AuthenticationFilter {
    /**
     * Gates every RPC request before it reaches the servlet behind this filter.
     *
     * <p>Decision order, as implemented below:
     * <ol>
     *   <li>An unrecognised {@code req} parameter is answered with 501.</li>
     *   <li>{@code web.enableRpcServlet} (default true) must be on, otherwise 403.</li>
     *   <li>Requests that exceed {@code LIST_SETTINGS} also need
     *       {@code web.enableRpcManagement} (default false), otherwise 403.</li>
     *   <li>Whether credentials are required is taken from
     *       {@code web.authenticateAdminPages} (default true) for those requests and
     *       from {@code web.authenticateViewPages} (default false) for all others.</li>
     *   <li>When credentials are required: no user means a 401 Basic challenge, a user
     *       without permission means 403, and a permitted user gets a new session and is
     *       passed down the chain.</li>
     * </ol>
     *
     * <p>Security notes for operators and reviewers:
     * <ul>
     *   <li>With {@code web.enableRpcManagement=true} and
     *       {@code web.authenticateAdminPages=false}, requests that exceed
     *       {@code LIST_SETTINGS} are forwarded without any credential check in this
     *       filter. NOTE(review): confirm whether the downstream servlet enforces its
     *       own authorization before relying on that combination.</li>
     *   <li>The challenge uses HTTP Basic, so credentials are only base64-encoded on the
     *       wire; this endpoint should be reachable over TLS only.</li>
     * </ul>
     *
     * @param servletRequest  the incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse the outgoing response; cast to {@link HttpServletResponse}
     * @param filterChain     the remaining chain, invoked only when the request is allowed
     * @throws IOException      propagated from the response or the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;
        final HttpServletResponse response = (HttpServletResponse) servletResponse;
        final String requestUrl = getFullUrl(request);

        // Map the "req" parameter onto a known RPC request type; anything else is rejected.
        final Constants.RpcRequest rpcType = Constants.RpcRequest.fromName(request.getParameter("req"));
        if (rpcType == null) {
            response.sendError(HttpServletResponse.SC_NOT_IMPLEMENTED);
            return;
        }

        // exceeds() is defined in Constants.RpcRequest (not shown here); the log message
        // further down indicates these are the management/administration requests.
        final boolean managementRequest = rpcType.exceeds(Constants.RpcRequest.LIST_SETTINGS);

        // Global kill switch for the whole RPC interface.
        if (!GitBlit.getBoolean(Keys.web.enableRpcServlet, true)) {
            logger.warn("web.enableRpcServlet must be set TRUE for rpc requests.");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        final boolean authenticateView = GitBlit.getBoolean(Keys.web.authenticateViewPages, false);
        final boolean authenticateAdmin = GitBlit.getBoolean(Keys.web.authenticateAdminPages, true);

        // Wrap the request so a resolved user travels with it down the chain.
        final AuthenticationFilter.AuthenticatedRequest wrappedRequest = new AuthenticationFilter.AuthenticatedRequest(request);
        final UserModel user = getUser(request);
        if (user != null) {
            wrappedRequest.setUser(user);
        }

        // Management requests are refused outright unless explicitly enabled.
        if (managementRequest && !GitBlit.getBoolean(Keys.web.enableRpcManagement, false)) {
            logger.warn(MessageFormat.format("{0} must be set TRUE for {1} rpc requests.", Keys.web.enableRpcManagement, rpcType.toString()));
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Pick the setting that governs this class of request.
        final boolean credentialsRequired = managementRequest ? authenticateAdmin : authenticateView;

        if (!credentialsRequired) {
            // No credential check configured for this request class: forward as-is.
            if (GitBlit.isDebugMode()) {
                logger.info(MessageFormat.format("RPC: {0} ({1}) unauthenticated", requestUrl, HttpServletResponse.SC_CONTINUE));
            }
            filterChain.doFilter(wrappedRequest, response);
            return;
        }

        if (user == null) {
            // No user resolved from the request: ask the client for Basic credentials.
            if (GitBlit.isDebugMode()) {
                logger.info(MessageFormat.format("RPC: CHALLENGE {0}", requestUrl));
            }
            response.setHeader("WWW-Authenticate", "Basic realm=\"Gitblit\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        final boolean permitted = user.canAdmin() || canAccess(user, rpcType);
        if (!permitted) {
            // Known user, insufficient rights for this request type.
            if (GitBlit.isDebugMode()) {
                logger.info(MessageFormat.format("RPC: {0} forbidden to access {1}", user.username, requestUrl));
            }
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Authenticated and permitted: start a session and hand over to the servlet.
        newSession(wrappedRequest, response);
        logger.info(MessageFormat.format("RPC: {0} ({1}) authenticated", requestUrl, HttpServletResponse.SC_CONTINUE));
        filterChain.doFilter(wrappedRequest, response);
    }

    /**
     * Decides whether an authenticated user may issue the given RPC request.
     *
     * <p>{@code GET_PROTOCOL} and {@code LIST_REPOSITORIES} are open to every
     * authenticated user; every other request type requires {@code canAdmin()}.
     * Keeping the admin check as the {@code default} branch means a request type
     * that is not listed here stays admin-only.
     *
     * @param userModel  the authenticated user
     * @param rpcRequest the request type being asked for
     * @return {@code true} when the user may proceed
     */
    private boolean canAccess(UserModel userModel, Constants.RpcRequest rpcRequest) {
        switch (rpcRequest) {
            case GET_PROTOCOL:
            case LIST_REPOSITORIES:
                return true;
            default:
                return userModel.canAdmin();
        }
    }
}
