package org.trellisldp.oauth;

import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.security.SecurityException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Priority;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import org.eclipse.microprofile.config.Config;
import org.eclipse.microprofile.config.ConfigProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

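@Provider
@Priority(1000) // same value as javax.ws.rs.Priorities.AUTHENTICATION: runs before authorization filters
/**
 * JAX-RS request filter that authenticates requests carrying a {@code Bearer} JWT
 * in the {@code Authorization} header.
 *
 * <p>Behaviour per request:
 * <ul>
 *   <li>no {@code Bearer} credential present: the request is left untouched (no security
 *       context is installed, so another mechanism or an anonymous policy may still apply);</li>
 *   <li>credential present and accepted by the {@link Authenticator}: an
 *       {@link OAuthSecurityContext} holding the resulting principal is installed;</li>
 *   <li>credential present but rejected (bad signature, malformed/expired token, or a
 *       {@code null} principal): the request is refused with 401 and the configured
 *       {@code WWW-Authenticate} challenge.</li>
 * </ul>
 *
 * <p>The admin role is granted only to principals whose name appears in the configured
 * {@code trellis.auth.admin-users} list (comma separated, entries trimmed, blanks ignored).
 */
public class OAuthFilter implements ContainerRequestFilter {
    /** Comma-separated list of principal names that are granted {@link #ADMIN_ROLE}. */
    public static final String CONFIG_AUTH_ADMIN_USERS = "trellis.auth.admin-users";
    /** Realm advertised in the {@code WWW-Authenticate} challenge; defaults to {@code trellis}. */
    public static final String CONFIG_AUTH_REALM = "trellis.auth.realm";
    /** Path of the keystore consulted by the truststore-backed authenticator. */
    public static final String CONFIG_AUTH_OAUTH_KEYSTORE_PATH = "trellis.oauth.keystore-path";
    /** Password for that keystore; defaults to the empty string. */
    public static final String CONFIG_AUTH_OAUTH_KEYSTORE_CREDENTIALS = "trellis.oauth.keystore-credentials";
    /** Comma-separated key ids looked up in the keystore. */
    public static final String CONFIG_AUTH_OAUTH_KEYSTORE_IDS = "trellis.oauth.keystore-ids";
    /** HMAC shared secret for the symmetric-key authenticator (lowest-priority option). */
    public static final String CONFIG_AUTH_OAUTH_SHARED_SECRET = "trellis.oauth.shared-secret";
    /** JWK set URL for the key-set-backed authenticator (highest-priority option). */
    public static final String CONFIG_AUTH_OAUTH_JWK_URL = "trellis.oauth.jwk";
    /** Authentication scheme accepted in the {@code Authorization} header (matched case-insensitively). */
    public static final String SCHEME = "Bearer";
    /** The only role this filter knows how to answer {@code isUserInRole} for. */
    public static final String ADMIN_ROLE = "admin";
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuthFilter.class);
    private static final String DEFAULT_REALM = "trellis";
    private static final String AUTHORIZATION_HEADER = "Authorization";

    private Authenticator authenticator;
    private String challenge;
    private Set<String> admins;

    /**
     * Security context installed for a successfully authenticated request.
     *
     * <p>{@link #isSecure()} is carried over from the security context the container
     * had already attached to the request (i.e. whether the request arrived over TLS);
     * this filter does not compute it itself.
     */
    static final class OAuthSecurityContext implements SecurityContext {
        private final boolean secure;
        private final Principal principal;
        private final Set<String> admins;

        /**
         * @param principal the authenticated principal; must not be {@code null}
         * @param admins names that map to {@link OAuthFilter#ADMIN_ROLE}
         * @param secure whether the underlying request was already flagged secure
         */
        private OAuthSecurityContext(final Principal principal, final Set<String> admins, final boolean secure) {
            this.principal = principal;
            this.admins = admins;
            this.secure = secure;
        }

        @Override
        public Principal getUserPrincipal() {
            return principal;
        }

        /**
         * Only {@link OAuthFilter#ADMIN_ROLE} is recognised; every other role name yields {@code false}.
         */
        @Override
        public boolean isUserInRole(final String role) {
            return ADMIN_ROLE.equals(role) && admins.contains(principal.getName());
        }

        @Override
        public boolean isSecure() {
            return secure;
        }

        @Override
        public String getAuthenticationScheme() {
            return SCHEME;
        }
    }

    /**
     * Builds a filter from MicroProfile configuration: the authenticator chain, the
     * challenge string and the admin set are all resolved once, here.
     */
    public OAuthFilter() {
        final Config config = ConfigProvider.getConfig();
        this.authenticator = buildAuthenticator(config);
        final String realm = config.getOptionalValue(CONFIG_AUTH_REALM, String.class).orElse(DEFAULT_REALM);
        this.challenge = SCHEME + " realm=\"" + realm + "\"";
        this.admins = Collections.unmodifiableSet(getConfiguredAdmins(config));
    }

    /**
     * Replaces the authenticator (used by tests and by containers that wire it explicitly).
     *
     * @param authenticator the authenticator; must not be {@code null}
     * @throws NullPointerException if {@code authenticator} is {@code null}
     */
    public void setAuthenticator(final Authenticator authenticator) {
        // Fail at wiring time rather than on the first request.
        this.authenticator = Objects.requireNonNull(authenticator, "Authenticator may not be null!");
    }

    /**
     * Replaces the {@code WWW-Authenticate} challenge sent with 401 responses.
     *
     * @param challenge the challenge string
     */
    public void setChallenge(final String challenge) {
        this.challenge = challenge;
    }

    /**
     * Replaces the set of admin principal names.
     *
     * @param admins the admin names; must not be {@code null}
     * @throws NullPointerException if {@code admins} is {@code null}
     */
    public void setAdmins(final Set<String> admins) {
        this.admins = Objects.requireNonNull(admins, "Admin set may not be null!");
    }

    /**
     * Authenticates the request if, and only if, it carries a {@code Bearer} credential.
     *
     * @param ctx the request context
     * @throws NotAuthorizedException (401) when a {@code Bearer} credential is present but
     *         the token is rejected
     */
    @Override
    public void filter(final ContainerRequestContext ctx) {
        final String token = getOAuthToken(ctx);
        if (token == null) {
            // No Bearer credential: not this filter's business; leave the request untouched.
            return;
        }
        final Principal principal = authenticate(token);
        if (principal == null) {
            throw new NotAuthorizedException(challenge);
        }
        // Preserve the container's TLS determination; do not recompute it here.
        final SecurityContext existing = ctx.getSecurityContext();
        final boolean secure = existing != null && existing.isSecure();
        ctx.setSecurityContext(new OAuthSecurityContext(principal, admins, secure));
    }

    /**
     * Runs the token through the configured authenticator.
     *
     * @param token the raw JWT
     * @return the principal, or {@code null} when the token is rejected for any reason
     */
    private Principal authenticate(final String token) {
        try {
            return authenticator.authenticate(token);
        } catch (final SecurityException ex) {
            // Signature failures are expected noise (rotated keys, foreign tokens): log at debug.
            // Caught before JwtException because it is a JwtException subtype in this library.
            LOGGER.debug("Invalid signature, ignoring JWT token: {}", ex.getMessage());
            return null;
        } catch (final JwtException ex) {
            // Malformed, expired or otherwise unparsable tokens.
            LOGGER.warn("Problem reading JWT value: {}", ex.getMessage());
            return null;
        }
    }

    /**
     * Extracts the credential from an {@code Authorization: Bearer <token>} header.
     *
     * @param ctx the request context
     * @return the token, or {@code null} if the header is absent or uses another scheme
     */
    private static String getOAuthToken(final ContainerRequestContext ctx) {
        final String header = ctx.getHeaderString(AUTHORIZATION_HEADER);
        if (header == null) {
            return null;
        }
        // Split at the first blank only: the credential itself contains no spaces, but keep
        // the rest of the header intact rather than silently truncating it.
        final String[] parts = header.split(" ", 2);
        if (parts.length != 2 || !SCHEME.equalsIgnoreCase(parts[0])) {
            return null;
        }
        return parts[1];
    }

    /**
     * Resolves the authenticator from the default MicroProfile configuration.
     *
     * @return the first configured authenticator, or a {@link NullAuthenticator}
     */
    static Authenticator buildAuthenticator() {
        return buildAuthenticator(ConfigProvider.getConfig());
    }

    /**
     * Resolves the authenticator from the given configuration, trying in order: JWK set URL,
     * keystore/truststore, shared secret. The first non-{@code null} result wins; when none
     * is configured a {@link NullAuthenticator} is returned.
     *
     * @param config the configuration
     * @return the authenticator, never {@code null}
     */
    static Authenticator buildAuthenticator(final Config config) {
        final Authenticator jwk = OAuthUtils.buildAuthenticatorWithJwk(
                config.getOptionalValue(CONFIG_AUTH_OAUTH_JWK_URL, String.class).orElse(null));
        if (jwk != null) {
            return jwk;
        }

        final String keystorePath = config.getOptionalValue(CONFIG_AUTH_OAUTH_KEYSTORE_PATH, String.class)
                .orElse(null);
        final char[] keystorePassword = config.getOptionalValue(CONFIG_AUTH_OAUTH_KEYSTORE_CREDENTIALS, String.class)
                .orElse("").toCharArray();
        // Ids are passed through unsplit/untrimmed on purpose: the keystore alias lookup lives in
        // OAuthUtils and its handling of blank or padded aliases is not visible here.
        final List<String> keyIds = Arrays.asList(
                config.getOptionalValue(CONFIG_AUTH_OAUTH_KEYSTORE_IDS, String.class).orElse("").split(","));
        final Authenticator truststore = OAuthUtils.buildAuthenticatorWithTruststore(keystorePath, keystorePassword,
                keyIds);
        if (truststore != null) {
            return truststore;
        }

        final Authenticator sharedSecret = OAuthUtils.buildAuthenticatorWithSharedSecret(
                config.getOptionalValue(CONFIG_AUTH_OAUTH_SHARED_SECRET, String.class).orElse(null));
        return sharedSecret != null ? sharedSecret : new NullAuthenticator();
    }

    /**
     * Reads the admin list from configuration.
     *
     * <p>Entries are trimmed and blank entries are dropped, so an unset or empty property
     * yields an empty set. Previously the empty string itself ended up in the set, which
     * would have granted the admin role to any principal whose name is {@code ""}.
     *
     * @param config the configuration
     * @return the (mutable) set of admin principal names, possibly empty
     */
    static Set<String> getConfiguredAdmins(final Config config) {
        final String raw = config.getOptionalValue(CONFIG_AUTH_ADMIN_USERS, String.class).orElse("");
        return Arrays.stream(raw.split(","))
                .map(String::trim)
                .filter(name -> !name.isEmpty())
                .collect(Collectors.toSet());
    }
}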
