package io.bdeploy.jersey;

import com.sun.jna.platform.win32.WinError;
import io.bdeploy.common.security.ApiAccessToken;
import io.bdeploy.common.security.SecurityHelper;
import jakarta.ws.rs.NameBinding;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.container.ContainerResponseContext;
import jakarta.ws.rs.container.ContainerResponseFilter;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.Provider;
import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.annotation.Priority;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

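/**
 * Jersey request/response filter pair that authenticates requests with a signed {@link ApiAccessToken}.
 * <p>
 * The token is taken from the {@value #BDEPLOY_ALT_AUTH_HEADER} header (checked first) or the standard
 * {@code Authorization} header, must use the {@value #AUTHENTICATION_SCHEME} scheme, and is handed to
 * {@link #validateToken(String, KeyStore)}. Any request that cannot be authenticated is aborted with
 * {@code 401 Unauthorized} and a {@code WWW-Authenticate} challenge. Two marker filters bound to the
 * {@link Unsecured} and {@link WeakTokenAllowed} name-binding annotations run ahead of this filter and
 * set request properties that relax the checks for the annotated resources.
 * <p>
 * As a side effect the request filter renames the current thread to the request path for the duration
 * of the request; the response filter restores the original thread name.
 */
@Provider
@Priority(1000)
public class JerseyAuthenticationProvider implements ContainerRequestFilter, ContainerResponseFilter {

    /** Alternative token header, consulted before the standard {@code Authorization} header. */
    private static final String BDEPLOY_ALT_AUTH_HEADER = "X-BDeploy-Authorization";

    /** Request property holding the thread name to restore in the response filter. */
    private static final String THREAD_ORIG_NAME = "THREAD_ORIG_NAME";

    private static final Logger log = LoggerFactory.getLogger(JerseyAuthenticationProvider.class);

    /** Authentication scheme expected in the header; matched case-insensitively. */
    public static final String AUTHENTICATION_SCHEME = "Bearer";

    /** Realm advertised in the {@code WWW-Authenticate} challenge. */
    private static final String REALM = "BDeploy";

    /** Request property set by {@link JerseyAuthenticationUnprovider}; its presence skips authentication. */
    private static final String NO_AUTH = "unsecured";

    /** Request property set by {@link JerseyAuthenticationWeakenerProvider}; its presence permits weak tokens. */
    private static final String WEAK_AUTH = "weak";

    /**
     * Priorities of the marker filters. Request filters run in ascending priority order, so both must be
     * below this filter's priority of 1000 for the properties they set to be visible here. (The
     * decompiled source expressed these values through unrelated {@code WinError} constants; the literal
     * values 999 and 998 are what they resolve to.)
     */
    private static final int UNSECURED_MARKER_PRIORITY = 999;
    private static final int WEAK_MARKER_PRIORITY = 998;

    /** Key store used to verify token signatures; passed through to {@link #validateToken(String, KeyStore)}. */
    private final KeyStore store;

    /** Optional check that the token's subject is still an acceptable user; {@code null} disables it. */
    private final UserValidator userValidator;

    /**
     * Marker filter for {@link Unsecured} resources: flags the request so that
     * {@link JerseyAuthenticationProvider#filter(ContainerRequestContext)} skips authentication.
     */
    @Unsecured
    @Provider
    @Priority(UNSECURED_MARKER_PRIORITY)
    public static class JerseyAuthenticationUnprovider implements ContainerRequestFilter {

        @Override
        public void filter(ContainerRequestContext containerRequestContext) throws IOException {
            containerRequestContext.setProperty(NO_AUTH, NO_AUTH);
        }
    }

    /**
     * Marker filter for {@link WeakTokenAllowed} resources: flags the request so that a token reporting
     * {@code isWeak()} is accepted instead of rejected.
     */
    @WeakTokenAllowed
    @Provider
    @Priority(WEAK_MARKER_PRIORITY)
    public static class JerseyAuthenticationWeakenerProvider implements ContainerRequestFilter {

        @Override
        public void filter(ContainerRequestContext containerRequestContext) throws IOException {
            containerRequestContext.setProperty(WEAK_AUTH, WEAK_AUTH);
        }
    }

    /** Name-binding annotation: the annotated resource class or method requires no authentication. */
    @Target({ElementType.TYPE, ElementType.METHOD})
    @NameBinding
    @Retention(RetentionPolicy.RUNTIME)
    public @interface Unsecured {
    }

    /** Callback deciding whether the user a token was issued to is still allowed to authenticate. */
    @FunctionalInterface
    public interface UserValidator {

        /**
         * @param str the value of {@code ApiAccessToken.getIssuedTo()} for the presented token
         * @return {@code true} if the user may authenticate, {@code false} to reject the request
         */
        boolean isValid(String str);
    }

    /** Name-binding annotation: the annotated resource class or method also accepts weak tokens. */
    @Target({ElementType.TYPE, ElementType.METHOD})
    @NameBinding
    @Retention(RetentionPolicy.RUNTIME)
    public @interface WeakTokenAllowed {
    }

    /**
     * @param keyStore key store used to verify presented tokens
     * @param userValidator additional per-user check for non-system tokens, or {@code null} for none
     */
    public JerseyAuthenticationProvider(KeyStore keyStore, UserValidator userValidator) {
        this.store = keyStore;
        this.userValidator = userValidator;
    }

    /**
     * Request filter: authenticates the request or aborts it with {@code 401}.
     * <p>
     * Every rejection path returns immediately after aborting, so a security context is only ever
     * installed for a request that passed all checks.
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        String path = containerRequestContext.getUriInfo().getPath();

        // Tag the worker thread with the request path for the lifetime of the request;
        // the response filter puts the original name back.
        containerRequestContext.setProperty(THREAD_ORIG_NAME, Thread.currentThread().getName());
        Thread.currentThread().setName(path);

        // Set by JerseyAuthenticationUnprovider for @Unsecured resources.
        if (containerRequestContext.getProperty(NO_AUTH) != null) {
            return;
        }
        if (log.isTraceEnabled()) {
            log.trace("Authenticating {}", path);
        }

        String headerString = containerRequestContext.getHeaderString(BDEPLOY_ALT_AUTH_HEADER);
        if (headerString == null) {
            headerString = containerRequestContext.getHeaderString("Authorization");
        }
        if (!isTokenBasedAuthentication(headerString)) {
            abortWithUnauthorized(containerRequestContext);
            return;
        }

        try {
            // The scheme prefix is guaranteed present by isTokenBasedAuthentication.
            ApiAccessToken token = validateToken(headerString.substring(AUTHENTICATION_SCHEME.length()).trim(), this.store);

            // Weak tokens are accepted only where a resource opted in via @WeakTokenAllowed.
            if (token.isWeak() && containerRequestContext.getProperty(WEAK_AUTH) == null) {
                abortWithUnauthorized(containerRequestContext);
                return;
            }
            // System tokens bypass the user validator; all others must still name an acceptable user.
            if (!token.isSystem() && this.userValidator != null && !this.userValidator.isValid(token.getIssuedTo())) {
                abortWithUnauthorized(containerRequestContext);
                return;
            }
            containerRequestContext.setSecurityContext(new JerseySecurityContext(token,
                    containerRequestContext.getHeaderString(JerseyOnBehalfOfFilter.ON_BEHALF_OF_HEADER)));
        } catch (Exception e) {
            // Only the exception summary is logged, not a stack trace per rejected request.
            log.error("Exception while parsing authorization: {}", e.toString());
            abortWithUnauthorized(containerRequestContext);
        }
    }

    /** Response filter: restores the thread name saved by the request filter, if any. */
    @Override
    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext)
            throws IOException {
        String originalName = (String) containerRequestContext.getProperty(THREAD_ORIG_NAME);
        if (originalName != null) {
            Thread.currentThread().setName(originalName);
        }
    }

    /**
     * Whether the header value is non-null and starts with "{@value #AUTHENTICATION_SCHEME} ",
     * ignoring case. The comparison is locale-independent (no default-locale {@code toLowerCase()}).
     */
    private boolean isTokenBasedAuthentication(String str) {
        String prefix = AUTHENTICATION_SCHEME + " ";
        return str != null && str.regionMatches(true, 0, prefix, 0, prefix.length());
    }

    /** Aborts the request with {@code 401 Unauthorized} and a Bearer challenge for the {@link #REALM}. */
    private void abortWithUnauthorized(ContainerRequestContext containerRequestContext) {
        containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header("WWW-Authenticate", AUTHENTICATION_SCHEME + " realm=\"" + REALM + "\"")
                .build());
    }

    /**
     * Turns a raw token string into a verified {@link ApiAccessToken}.
     * <p>
     * The token is passed to {@code SecurityHelper.getVerifiedPayload} together with the key store; the
     * resulting payload must be non-null and report {@code isValid()}.
     *
     * @param str the raw token, i.e. the header value with the scheme already stripped
     * @param keyStore the key store used by {@code SecurityHelper} for verification
     * @return the verified, still-valid token
     * @throws IllegalStateException if verification fails, the payload is {@code null},
     *         or the token reports itself as no longer valid
     */
    public static ApiAccessToken validateToken(String str, KeyStore keyStore) {
        try {
            ApiAccessToken token = (ApiAccessToken) SecurityHelper.getInstance().getVerifiedPayload(str, ApiAccessToken.class, keyStore);
            if (token == null || !token.isValid()) {
                throw new IllegalStateException("Access token is null or no longer valid");
            }
            return token;
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("Cannot verify access token.", e);
        }
    }
}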
