package fi.evolver.basics.spring.auth.alb;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import fi.evolver.basics.spring.auth.alb.verify.AlbAccessTokenVerifier;
import fi.evolver.basics.spring.auth.alb.verify.AlbClaimsTokenVerifier;
import fi.evolver.utils.collection.BoundedLinkedHashMap;
import fi.evolver.utils.string.StringUtils;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.util.Base64;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

/* loaded from: input_file:fi/evolver/basics/spring/auth/alb/LoadBalancerAuthenticationProcessingFilter.class */
public class LoadBalancerAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter {
    protected static final Logger LOG = LoggerFactory.getLogger(LoadBalancerAuthenticationProcessingFilter.class);
    public static final String HEADER_ACCESS_TOKEN = "x-amzn-oidc-accesstoken";
    public static final String HEADER_USER_INFO = "x-amzn-oidc-identity";
    public static final String HEADER_DATA_TOKEN = "x-amzn-oidc-data";
    public final AlbAccessTokenVerifier accessTokenVerifier;
    public final AlbClaimsTokenVerifier claimsTokenVerifier;
    protected final Base64.Decoder decoder;
    protected final ObjectMapper mapper;
    private final Map<String, Instant> tokenCache;

    public LoadBalancerAuthenticationProcessingFilter(String str, String str2, String str3) throws NoSuchAlgorithmException {
        super("/**");
        this.decoder = Base64.getUrlDecoder();
        this.mapper = JsonMapper.builder().findAndAddModules().build();
        this.tokenCache = new BoundedLinkedHashMap(512);
        this.accessTokenVerifier = StringUtils.hasText(str) ? new AlbAccessTokenVerifier(str) : null;
        if (StringUtils.hasText(str2) && StringUtils.hasText(str3)) {
            this.claimsTokenVerifier = new AlbClaimsTokenVerifier(str2, str3);
        } else {
            this.claimsTokenVerifier = null;
        }
    }

    public void destroy() {
        this.accessTokenVerifier.destroy();
        this.claimsTokenVerifier.destroy();
        super.destroy();
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        String header = httpServletRequest.getHeader(HEADER_ACCESS_TOKEN);
        String header2 = httpServletRequest.getHeader(HEADER_USER_INFO);
        String header3 = httpServletRequest.getHeader(HEADER_DATA_TOKEN);
        if (!StringUtils.isNullOrEmpty(header) && !StringUtils.isNullOrEmpty(header2) && !StringUtils.isNullOrEmpty(header3)) {
            super.doFilter(httpServletRequest, servletResponse, filterChain);
        } else {
            LOG.trace("Skipping LoadBalancerAuthenticationProcessingFilter");
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    protected void successfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, Authentication authentication) throws IOException, ServletException {
        SecurityContext createEmptyContext = SecurityContextHolder.createEmptyContext();
        createEmptyContext.setAuthentication(authentication);
        SecurityContextHolder.setContext(createEmptyContext);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        String header = httpServletRequest.getHeader(HEADER_ACCESS_TOKEN);
        String header2 = httpServletRequest.getHeader(HEADER_USER_INFO);
        String header3 = httpServletRequest.getHeader(HEADER_DATA_TOKEN);
        if (StringUtils.isNullOrEmpty(header) || StringUtils.isNullOrEmpty(header2) || StringUtils.isNullOrEmpty(header3)) {
            LOG.warn("Missing some x-amzn headers");
            throw new BadCredentialsException("Missing some x-amzn headers");
        }
        String str = header + header2 + header3;
        Instant instant = this.tokenCache.get(str);
        if (instant == null || !instant.isAfter(Instant.now())) {
            DecodedJWT decode = JWT.decode(header);
            DecodedJWT decode2 = JWT.decode(header3);
            validateTokens(decode, decode2);
            if (decode.getExpiresAtAsInstant().isBefore(decode2.getExpiresAtAsInstant())) {
                this.tokenCache.put(str, decode.getExpiresAtAsInstant());
            } else {
                this.tokenCache.put(str, decode2.getExpiresAtAsInstant());
            }
        }
        try {
            return createToken(header, header2, header3);
        } catch (Exception e) {
            throw new InternalAuthenticationServiceException("Error in handling x-amzn headers", e);
        }
    }

    protected LoadBalancerAuthenticationToken<?, ?> createToken(String str, String str2, String str3) throws JsonProcessingException {
        AlbHeaderToken albHeaderToken = (AlbHeaderToken) this.mapper.readValue(getJwtBody(str), AlbHeaderToken.class);
        AlbHeaderToken albHeaderToken2 = (AlbHeaderToken) this.mapper.readValue(getJwtBody(str3), AlbHeaderToken.class);
        if (str2.equals(albHeaderToken.getUserId()) && str2.equals(albHeaderToken2.getUserId())) {
            return LoadBalancerAuthenticationToken.createToken(albHeaderToken, str2, albHeaderToken2, createAuthorities(albHeaderToken, str2, albHeaderToken2));
        }
        LOG.warn("Identity does not match between headers");
        throw new BadCredentialsException("Identity does not match between headers");
    }

    protected Collection<? extends GrantedAuthority> createAuthorities(AlbHeaderToken albHeaderToken, String str, AlbHeaderToken albHeaderToken2) {
        return List.of();
    }

    protected void validateTokens(DecodedJWT decodedJWT, DecodedJWT decodedJWT2) {
        CompletableFuture<DecodedJWT> completedFuture;
        CompletableFuture<DecodedJWT> completedFuture2;
        if (this.accessTokenVerifier != null) {
            completedFuture = this.accessTokenVerifier.verifyAsync(decodedJWT);
        } else {
            LOG.warn("Not verifying Access token because of missing configuration");
            completedFuture = CompletableFuture.completedFuture(null);
        }
        if (this.claimsTokenVerifier != null) {
            completedFuture2 = this.claimsTokenVerifier.verifyAsync(decodedJWT2);
        } else {
            LOG.warn("Not verifying ALB token because of missing configuration");
            completedFuture2 = CompletableFuture.completedFuture(null);
        }
        try {
            CompletableFuture.allOf(completedFuture, completedFuture2).get();
        } catch (InterruptedException e) {
            throw new InternalAuthenticationServiceException("Token validation interrupted", e);
        } catch (ExecutionException e2) {
            BadCredentialsException cause = e2.getCause();
            if (cause instanceof BadCredentialsException) {
                throw cause;
            }
            InternalAuthenticationServiceException cause2 = e2.getCause();
            if (!(cause2 instanceof InternalAuthenticationServiceException)) {
                throw new InternalAuthenticationServiceException("Token validation failed", e2);
            }
            throw cause2;
        }
    }

    protected String getJwtBody(String str) {
        return new String(this.decoder.decode(str.split("\\.")[1]), StandardCharsets.UTF_8);
    }
}
