package org.interledger.connector.server.spring.auth.ilpoverhttp;

import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.spring.security.api.authentication.PreAuthenticatedAuthenticationJsonWebToken;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.hash.HashCode;
import io.prometheus.client.cache.caffeine.CacheMetricsCollector;
import java.nio.charset.StandardCharsets;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import org.interledger.connector.accounts.AccountId;
import org.interledger.connector.accounts.AccountNotFoundProblem;
import org.interledger.connector.accounts.AccountSettings;
import org.interledger.connector.links.LinkSettingsFactory;
import org.interledger.connector.persistence.repositories.AccountSettingsRepository;
import org.interledger.connector.settings.ConnectorSettings;
import org.interledger.crypto.Decryptor;
import org.interledger.crypto.EncryptedSecret;
import org.interledger.link.http.SharedSecretTokenSettings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:org/interledger/connector/server/spring/auth/ilpoverhttp/IlpOverHttpAuthenticationProvider.class */
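/**
 * Spring Security {@link AuthenticationProvider} that authenticates ILP-over-HTTP bearer tokens.
 *
 * <p>A bearer token is handled either as a "simple" credential of the form
 * {@code <accountId>:<sharedSecret>} or as a JWT whose principal names the account. In both cases
 * the account's incoming shared secret is loaded from the account settings and only ever used
 * through the {@link Decryptor}. The resulting {@link AuthenticationDecision} is cached, keyed by
 * {@code BearerAuthentication.hmacSha256()} rather than by the raw token bytes.
 *
 * <p>NOTE(review): {@code mo0getPrincipal()} / {@code mo1getPrincipal()} look like
 * decompiler-renamed {@code getPrincipal()} accessors; confirm against the original sources.
 */
public class IlpOverHttpAuthenticationProvider implements AuthenticationProvider {
    private static final String AUTH_DECISIONS_CACHE_NAME = "ilpOverHttpAuthenticationDecisionsCache";
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final Decryptor decryptor;
    // Decisions returned by the loaders below, keyed by the HMAC-SHA256 of the presented token.
    private final Cache<HashCode, AuthenticationDecision> authenticationDecisions;
    private AccountSettingsRepository accountSettingsRepository;
    private LinkSettingsFactory linkSettingsFactory;

    /**
     * Creates the provider and registers its decision cache with the metrics collector.
     *
     * @param supplier supplier of the connector settings; must not be null (not otherwise used here)
     * @param decryptor used to compare against, or temporarily expose, an account's encrypted secret
     * @param accountSettingsRepository source of account settings for the claimed principal
     * @param linkSettingsFactory converts account settings into typed link settings
     * @param cacheMetricsCollector collector the decision cache is registered with
     * @throws NullPointerException if {@code supplier}, {@code decryptor} or
     *     {@code cacheMetricsCollector} is null
     */
    public IlpOverHttpAuthenticationProvider(Supplier<ConnectorSettings> supplier, Decryptor decryptor, AccountSettingsRepository accountSettingsRepository, LinkSettingsFactory linkSettingsFactory, CacheMetricsCollector cacheMetricsCollector) {
        this.accountSettingsRepository = accountSettingsRepository;
        this.linkSettingsFactory = linkSettingsFactory;
        Objects.requireNonNull(supplier);
        this.decryptor = Objects.requireNonNull(decryptor);
        // NOTE(review): expireAfterAccess restarts the 30-minute window on every hit, so a decision
        // for a token that stays in use is never re-evaluated. A cached positive decision can then
        // outlive JWT expiry or a rotated shared secret. Consider expireAfterWrite, or invalidating
        // entries when account settings change.
        this.authenticationDecisions = Caffeine.newBuilder()
            .recordStats()
            .maximumSize(5000L)
            .expireAfterAccess(30L, TimeUnit.MINUTES)
            .removalListener((hashCode, authenticationDecision, removalCause) -> {
                this.logger.debug("Removing IlpOverHttp AuthenticationDecision from Cache for Principal: {}", authenticationDecision.mo0getPrincipal());
            })
            .build();
        Objects.requireNonNull(cacheMetricsCollector).addCache(AUTH_DECISIONS_CACHE_NAME, this.authenticationDecisions);
    }

    /**
     * Authenticates a {@link BearerAuthentication}.
     *
     * @param authentication the authentication request
     * @return the authenticated decision, or {@code null} when the request is not a
     *     {@link BearerAuthentication}
     * @throws AuthenticationException a {@link BadCredentialsException} when the credentials are
     *     rejected or when validation fails for any other reason
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            if (!(authentication instanceof BearerAuthentication)) {
                this.logger.debug("Unsupported authentication type: {}", authentication.getClass());
                return null;
            }
            AuthenticationDecision decision = authenticateBearer((BearerAuthentication) authentication);
            if (decision.isAuthenticated()) {
                return decision;
            }
            throw new BadCredentialsException("Authentication failed for principal: " + decision.mo0getPrincipal());
        } catch (BadCredentialsException e) {
            // Must precede the generic handler: a catch placed after catch (Exception) is
            // unreachable, and the rejection above would be re-wrapped as a "system error".
            throw e;
        } catch (Exception e) {
            // A wrapper around a credential failure is passed through unchanged; anything else is
            // reported as a credential failure so callers see a single exception type.
            if (e.getCause() instanceof BadCredentialsException) {
                throw e;
            }
            throw new BadCredentialsException("Unable to validate token due to system error", e);
        }
    }

    /**
     * Builds an unauthenticated decision with no principal and a 32-byte all-zero placeholder as
     * its credential HMAC.
     */
    private static AuthenticationDecision notAuthenticated() {
        return AuthenticationDecision.builder().credentialHmac(HashCode.fromBytes(new byte[32])).isAuthenticated(false).build();
    }

    /**
     * Returns the cached decision for this token, computing and storing it on a miss. Tokens with
     * a ':' after the first character are treated as simple credentials, all others as JWTs.
     */
    private AuthenticationDecision authenticateBearer(BearerAuthentication bearerAuthentication) {
        return this.authenticationDecisions.get(bearerAuthentication.hmacSha256(), hashCode -> {
            return isSimple(bearerAuthentication.getBearerToken()) ? authenticateAsSimple(bearerAuthentication) : authenticateAsJwt(bearerAuthentication);
        });
    }

    /**
     * Reports whether this provider handles the given authentication class.
     *
     * @param cls the authentication class
     * @return true when {@code cls} is {@link BearerAuthentication} or a subtype of it
     */
    @Override
    public boolean supports(Class<?> cls) {
        return BearerAuthentication.class.isAssignableFrom(cls);
    }

    /**
     * Extracts the encrypted incoming shared secret from the given link settings.
     *
     * @param accountId account the settings belong to; used only in the error message
     * @param sharedSecretTokenSettings incoming link settings holding the encoded encrypted secret
     * @return the encrypted shared secret
     * @throws NullPointerException if either argument is null
     * @throws BadCredentialsException if the settings carry no encrypted shared secret
     */
    @VisibleForTesting
    protected final EncryptedSecret getIncomingSecret(AccountId accountId, SharedSecretTokenSettings sharedSecretTokenSettings) {
        Objects.requireNonNull(accountId);
        Objects.requireNonNull(sharedSecretTokenSettings);
        return Optional.of(sharedSecretTokenSettings)
            .map(settings -> settings.encryptedTokenSharedSecret())
            .map(EncryptedSecret::fromEncodedValue)
            .orElseThrow(() -> new BadCredentialsException(String.format("No account found for `%s`", accountId)));
    }

    /**
     * Validates the token as a JWT signed with the account's shared secret. An undecodable token
     * or an unknown account yields {@link #notAuthenticated()}.
     */
    private AuthenticationDecision authenticateAsJwt(BearerAuthentication bearerAuthentication) {
        try {
            // Decode with a fixed charset so the result does not depend on the JVM default.
            String encodedJwt = new String(bearerAuthentication.getBearerToken(), StandardCharsets.UTF_8);
            PreAuthenticatedAuthenticationJsonWebToken usingToken = PreAuthenticatedAuthenticationJsonWebToken.usingToken(encodedJwt);
            if (usingToken == null) {
                // The token value is deliberately kept out of the message: the message is logged
                // below, and a bearer token must never reach the logs.
                throw new JWTDecodeException("jwt decoded to null");
            }
            AccountId accountId = AccountId.of(usingToken.getPrincipal().toString());
            return (AuthenticationDecision) this.decryptor.withDecrypted(getIncomingSecret(accountId), secretBytes -> {
                Authentication verified = new JwtHs256AuthenticationProvider(secretBytes).authenticate(usingToken);
                this.logger.debug("authenticationProvider returned with an AuthResult: {}", Boolean.valueOf(verified.isAuthenticated()));
                return AuthenticationDecision.builder().principal(accountId).isAuthenticated(verified.isAuthenticated()).credentialHmac(bearerAuthentication.hmacSha256()).build();
            });
        } catch (AccountNotFoundProblem | JWTDecodeException e) {
            // Parameterized so that text derived from the request is never used as the log format.
            this.logger.debug("JWT authentication rejected: {}", e.getMessage(), e);
            return notAuthenticated();
        }
    }

    /**
     * Validates the token as {@code <accountId>:<sharedSecret>}. The secret comparison is delegated
     * to {@link Decryptor#isEqualDecrypted}; an unknown account yields {@link #notAuthenticated()}.
     */
    private AuthenticationDecision authenticateAsSimple(BearerAuthentication bearerAuthentication) {
        try {
            SimpleCredentials credentials = getSimpleCredentials(bearerAuthentication.getBearerToken())
                .orElseThrow(() -> new BadCredentialsException("invalid simple auth credentials"));
            boolean secretMatches = this.decryptor.isEqualDecrypted(getIncomingSecret(credentials.mo1getPrincipal()), credentials.getAuthToken());
            return AuthenticationDecision.builder().principal(credentials.mo1getPrincipal()).credentialHmac(bearerAuthentication.hmacSha256()).isAuthenticated(secretMatches).build();
        } catch (AccountNotFoundProblem e) {
            // Parameterized so that text derived from the request is never used as the log format.
            this.logger.debug("Simple authentication rejected: {}", e.getMessage(), e);
            return notAuthenticated();
        }
    }

    /**
     * Loads the account's settings and returns its encrypted incoming shared secret.
     *
     * @throws AccountNotFoundProblem if no account exists for {@code accountId}
     */
    private EncryptedSecret getIncomingSecret(AccountId accountId) {
        AccountSettings accountSettings = (AccountSettings) this.accountSettingsRepository
            .findByAccountIdWithConversion(accountId)
            .orElseThrow(() -> new AccountNotFoundProblem(accountId));
        return getIncomingSecret(accountId, Objects.requireNonNull(this.linkSettingsFactory).constructTyped(accountSettings).incomingHttpLinkSettings());
    }

    /**
     * Splits {@code <accountId>:<token>} at the first ':' and trims both parts. Returns empty when
     * there is no ':' or when it is the first character.
     */
    private static Optional<SimpleCredentials> getSimpleCredentials(byte[] bArr) {
        // Fixed charset in both directions so the bytes compared with the stored secret do not
        // depend on the JVM default charset.
        String decoded = new String(bArr, StandardCharsets.UTF_8);
        int separator = decoded.indexOf(':');
        if (separator <= 0) {
            return Optional.empty();
        }
        AccountId principal = AccountId.of(decoded.substring(0, separator).trim());
        byte[] authToken = decoded.substring(separator + 1).trim().getBytes(StandardCharsets.UTF_8);
        return Optional.of(SimpleCredentials.builder().principal(principal).authToken(authToken).build());
    }

    /** Returns true when the token contains a ':' at any position after the first character. */
    private static boolean isSimple(byte[] bArr) {
        return new String(bArr, StandardCharsets.UTF_8).indexOf(':') > 0;
    }
}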
