package org.imixs.microservice.security.auth;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.SecretKey;
import javax.enterprise.context.RequestScoped;
import javax.enterprise.event.Observes;
import javax.inject.Inject;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.imixs.jwt.HMAC;
import org.imixs.jwt.JWSAlgorithm;
import org.imixs.jwt.JWTBuilder;
import org.imixs.jwt.JWTException;
import org.imixs.melman.AbstractClient;
import org.imixs.melman.BasicAuthenticator;
import org.imixs.melman.FormAuthenticator;
import org.imixs.melman.JWTAuthenticator;

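/**
 * Observes {@link AuthEvent}s and registers a client request filter that
 * authenticates outgoing calls made through the event's {@link AbstractClient}.
 *
 * <p>Behaviour is driven by configuration:
 * <ul>
 *   <li>{@code imixs.auth.method} selects the technical-account mechanism
 *       ({@code JWT}, {@code BASIC} or {@code FORM}); {@code CUSTOM} or an
 *       empty value disables this module.</li>
 *   <li>{@code imixs.auth.propagation} makes the module forward the caller's
 *       own credentials when the inbound request carries any.</li>
 * </ul>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Propagated credentials are forwarded as received. Nothing in this
 *       class verifies a signature, an expiry or even the authorization
 *       scheme, so the receiving service must validate them.</li>
 *   <li>If propagation is enabled but the inbound request carries no
 *       credentials (or resolving them throws), the module falls back to the
 *       configured technical account. With method {@code JWT} that account is
 *       issued the group {@code IMIXS-WORKFLOW-Manager}.
 *       NOTE(review): this presumably relies on the inbound request having
 *       been authenticated upstream; confirm before exposing the endpoint.</li>
 * </ul>
 */
@RequestScoped
/* loaded from: input_file:WEB-INF/lib/imixs-microservice-security-2.0.5.jar:org/imixs/microservice/security/auth/DefaultAuthenticator.class */
public class DefaultAuthenticator {
    /** Name of both the request header and the query parameter that may carry a token. */
    private static final String QUERY_PARAM_SESSION = "jwt";

    // Shared secret: password for BASIC/FORM, HMAC key material for JWT.
    @Inject
    @ConfigProperty(name = "imixs.auth.secret", defaultValue = "")
    String authSecret;

    // Passed to FormAuthenticator as its first argument.
    @Inject
    @ConfigProperty(name = "imixs.auth.service", defaultValue = "")
    String authService;

    // Technical user id used by all three technical-account mechanisms.
    @Inject
    @ConfigProperty(name = "imixs.auth.userid", defaultValue = "")
    String authUserID;

    // CUSTOM (default) disables this module; otherwise JWT, BASIC or FORM.
    @Inject
    @ConfigProperty(name = "imixs.auth.method", defaultValue = "CUSTOM")
    String authMethod;

    // When true, caller credentials found on the inbound request are forwarded.
    @Inject
    @ConfigProperty(name = "imixs.auth.propagation", defaultValue = "false")
    boolean propagateAuthentication;

    private static final Logger logger = Logger.getLogger(DefaultAuthenticator.class.getName());

    /**
     * Registers the authentication filter for the client carried by the event.
     *
     * <p>Order of precedence: (1) module disabled, nothing is registered;
     * (2) propagation enabled and caller credentials present, so they are
     * forwarded; (3) otherwise the configured technical account is used.
     *
     * @param authEvent event providing the inbound request (may be absent) and the client
     * @throws AuthException if the technical JWT cannot be built
     */
    public void registerRequestFilter(@Observes AuthEvent authEvent) throws AuthException {
        if ("CUSTOM".equalsIgnoreCase(this.authMethod) || this.authMethod.isEmpty()) {
            logger.finest("......Default Auth Module disabled!");
            return;
        }

        try {
            if (this.propagateAuthentication && authEvent.getRequest() != null) {
                String authorization = resolvePropagatedAuthorization(authEvent);
                if (authorization != null) {
                    registerPropagationAuthenticator(authEvent.getClient(), authorization);
                    return;
                }
            }
        } catch (Exception e) {
            // Deliberate best effort (kept from the original): a failure while
            // reading the inbound request falls through to the technical account
            // instead of aborting the call. See the class-level security notes.
            logger.warning("Unable to resolve http request header - " + e.getMessage());
        }

        if (this.authSecret.isEmpty()) {
            // NOTE(review): only a warning. With method JWT an empty secret
            // becomes the HMAC key material, so consider failing closed here.
            logger.warning("Default Auth Module: secret not set - check your configuration!");
        }
        if (this.authUserID.isEmpty()) {
            // Fixed: this branch used to repeat the "secret not set" message,
            // which pointed operators at the wrong property.
            logger.warning("Default Auth Module: userid not set - check your configuration!");
        }

        if ("JWT".equalsIgnoreCase(this.authMethod)) {
            registerJWTAuthenticator(authEvent.getClient());
        } else if ("BASIC".equalsIgnoreCase(this.authMethod)) {
            registerBasicAuthenticator(authEvent.getClient());
        } else if ("FORM".equalsIgnoreCase(this.authMethod)) {
            registerFormAuthenticator(authEvent.getClient());
        } else {
            // Previously an unknown method silently sent the request unauthenticated.
            logger.warning("Default Auth Module: unsupported auth method '" + this.authMethod
                    + "' - no authenticator registered!");
        }
    }

    /**
     * Looks for caller credentials on the inbound request: first the
     * {@code Authorization} header, then a {@code jwt} header, then a
     * {@code jwt} query parameter.
     *
     * @return the value to forward as {@code Authorization}, or {@code null} if none was found
     */
    private String resolvePropagatedAuthorization(AuthEvent authEvent) {
        // Forwarded verbatim, whatever scheme it carries (Bearer, Basic, ...).
        String authorization = authEvent.getRequest().getHeader("Authorization");
        if (authorization != null && !authorization.isEmpty()) {
            return authorization;
        }

        String tokenHeader = authEvent.getRequest().getHeader(QUERY_PARAM_SESSION);
        if (tokenHeader != null && !tokenHeader.isEmpty()) {
            return "Bearer " + tokenHeader;
        }

        // NOTE(review): a token passed in the URL is typically recorded in access
        // logs and proxies; prefer the header variants where clients allow it.
        String rawToken = extractQueryToken(authEvent.getRequest().getQueryString());
        if (rawToken == null || rawToken.isEmpty()) {
            // An empty "jwt=" used to be propagated as a bare "Bearer " header.
            return null;
        }
        if (logger.isLoggable(Level.FINE)) {
            logger.fine("parsing query param jwt....");
        }
        String token = getURLDecodedToken(rawToken);
        if (token == null || token.isEmpty()) {
            // A decoding failure used to be propagated as the literal "Bearer null".
            return null;
        }
        return "Bearer " + token;
    }

    /**
     * Returns the still URL-encoded value of the query parameter named exactly
     * {@code jwt}, or {@code null} if it is absent.
     *
     * <p>The previous substring search for {@code "jwt="} also matched inside
     * other parameter names or values (for example {@code xjwt=...}); matching
     * per parameter removes that ambiguity.
     */
    private static String extractQueryToken(String queryString) {
        if (queryString == null || queryString.isEmpty()) {
            return null;
        }
        String prefix = QUERY_PARAM_SESSION + "=";
        for (String pair : queryString.split("&")) {
            if (pair.startsWith(prefix)) {
                return pair.substring(prefix.length());
            }
        }
        return null;
    }

    /** Registers HTTP Basic authentication with the configured user id and secret. */
    private void registerBasicAuthenticator(AbstractClient abstractClient) {
        abstractClient.registerClientRequestFilter(new BasicAuthenticator(this.authUserID, this.authSecret));
    }

    /** Registers form-based authentication against the configured auth service. */
    private void registerFormAuthenticator(AbstractClient abstractClient) {
        abstractClient.registerClientRequestFilter(new FormAuthenticator(this.authService, this.authUserID, this.authSecret));
    }

    /**
     * Builds an HS256-signed token for the technical user and registers it.
     *
     * <p>The payload carries {@code sub}, {@code displayname} and the fixed group
     * {@code IMIXS-WORKFLOW-Manager}. No expiry claim is set here.
     *
     * @throws AuthException with code {@code JWT_ERROR} if the token cannot be built
     */
    private void registerJWTAuthenticator(AbstractClient abstractClient) throws AuthException {
        // Explicit charset: the platform default would derive a different key from a
        // non-ASCII secret on differently configured hosts.
        // NOTE(review): confirm that the verifying side also derives its key from UTF-8 bytes.
        SecretKey signingKey = HMAC.createKey(JWSAlgorithm.JDK_HS256, this.authSecret.getBytes(StandardCharsets.UTF_8));

        // Escape the configured id so a quote or backslash cannot break or alter the JSON claims.
        String userId = escapeJson(this.authUserID);
        String payload = "{\"sub\":\"" + userId + "\",\"displayname\":\"" + userId
                + "\",\"groups\":[\"IMIXS-WORKFLOW-Manager\"]}";
        if (logger.isLoggable(Level.FINE)) {
            logger.finest("......Payload=" + payload);
        }
        try {
            String token = new JWTBuilder().setKey(signingKey).setPayload(payload).getToken();
            abstractClient.registerClientRequestFilter(new JWTAuthenticator(token));
        } catch (JWTException e) {
            // The cause travels with the AuthException; printStackTrace() bypassed the logger.
            throw new AuthException("JWT_ERROR", e.getMessage(), e);
        }
    }

    /** Registers a filter that forwards the given {@code Authorization} value unchanged. */
    private void registerPropagationAuthenticator(AbstractClient abstractClient, String str) {
        abstractClient.registerClientRequestFilter(new PropagationAuthenticator(str));
    }

    /**
     * URL-decodes a token taken from the query string.
     *
     * <p>Spaces in the decoded value are turned back into {@code '+'}:
     * {@link URLDecoder} maps {@code '+'} to a space, which presumably would
     * corrupt tokens that legitimately contain {@code '+'}.
     *
     * @param str raw (encoded) token, must not be {@code null}
     * @return the decoded token, or {@code null} if UTF-8 is unsupported
     */
    String getURLDecodedToken(String str) {
        try {
            return URLDecoder.decode(str, "UTF-8").replace(' ', '+');
        } catch (UnsupportedEncodingException e) {
            logger.severe("URL decoding of token failed " + e.getMessage());
            return null;
        }
    }

    /** Escapes quotes, backslashes and control characters for use inside a JSON string literal. */
    private static String escapeJson(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '"') {
                out.append("\\\"");
            } else if (c == '\\') {
                out.append("\\\\");
            } else if (c < 0x20) {
                out.append(String.format("\\u%04x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }
}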
