package tv.hd3g.authkit.mod;

import java.io.IOException;
import java.lang.reflect.Method;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.resource.ResourceHttpRequestHandler;
import tv.hd3g.authkit.mod.component.AuthKitEndpointsListener;
import tv.hd3g.authkit.mod.dto.LoggedUserTagsTokenDto;
import tv.hd3g.authkit.mod.exception.BadRequestException;
import tv.hd3g.authkit.mod.exception.ForbiddenRequestException;
import tv.hd3g.authkit.mod.exception.NotAcceptableSecuredTokenException;
import tv.hd3g.authkit.mod.exception.UnauthorizedRequestException;
import tv.hd3g.authkit.mod.service.AuditReportService;
import tv.hd3g.authkit.mod.service.AuditReportServiceImpl;
import tv.hd3g.authkit.mod.service.AuthenticationService;
import tv.hd3g.authkit.mod.service.CookieService;
import tv.hd3g.authkit.mod.service.SecuredTokenService;
import tv.hd3g.authkit.utility.AnnotatedControllerClass;
import tv.hd3g.authkit.utility.ControllerType;
import tv.hd3g.authkit.utility.LogSanitizer;
import tv.hd3g.commons.authkit.AuditAfter;
import tv.hd3g.commons.authkit.CheckBefore;

/* loaded from: input_file:tv/hd3g/authkit/mod/ControllerInterceptor.class */
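/**
 * Spring MVC interceptor guarding annotated controller methods.
 * <p>
 * Before a controller method runs it reads the caller's token from the
 * {@code Authorization: Bearer …} header or from the logon cookie, validates it
 * (signature via {@link SecuredTokenService}, optional host pinning), enforces the
 * {@link CheckBefore} / valid-auth / reinforced-check rules collected by
 * {@link AuthKitEndpointsListener}, and exposes the outcome as request attributes.
 * After completion it forwards {@link AuditAfter} events to {@link AuditReportService}.
 * <p>
 * Every rejection is signalled by throwing (unauthorized, forbidden, bad request);
 * a request that is let through always returns {@code true} from {@link #preHandle}.
 */
public class ControllerInterceptor implements HandlerInterceptor {
    private static final Logger log = LogManager.getLogger();
    private static final String PACKAGE_NAME = ControllerInterceptor.class.getPackageName();
    /** Request attribute: authenticated user UUID as a {@link String}, or {@code null} for an anonymous request. */
    public static final String USER_UUID_ATTRIBUTE_NAME = PACKAGE_NAME + ".userUUID";
    /** Request attribute: the decoded {@link LoggedUserTagsTokenDto}; only set when a token was presented. */
    public static final String USER_TOKEN_ATTRIBUTE_NAME = PACKAGE_NAME + ".LoggedUserTagsToken";
    /** Request attribute: the {@link ControllerType} of the targeted controller. */
    public static final String CONTROLLER_TYPE_ATTRIBUTE_NAME = PACKAGE_NAME + ".controllerType";
    /** Request attribute: redirect target taken from the "redirect after login" cookie, when present. */
    public static final String REDIRECT_AFTER_LOGIN_ATTRIBUTE_NAME = PACKAGE_NAME + ".redirectAfterLogin";

    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String BEARER_SCHEME = "bearer";

    private final AuditReportService auditService;
    private final SecuredTokenService securedTokenService;
    private final AuthKitEndpointsListener authKitEndpointsListener;
    private final AuthenticationService authenticationService;
    private final CookieService cookieService;

    /**
     * @param auditReportService receives the audit events dispatched in {@link #afterCompletion}
     * @param securedTokenService decodes and verifies the presented token
     * @param authKitEndpointsListener supplies the per-controller annotation summary
     * @param authenticationService re-checks user status and rights for reinforced endpoints
     * @param cookieService reads the logon and redirect-after-login cookies
     * @throws NullPointerException if any collaborator is {@code null}
     */
    public ControllerInterceptor(AuditReportService auditReportService, SecuredTokenService securedTokenService, AuthKitEndpointsListener authKitEndpointsListener, AuthenticationService authenticationService, CookieService cookieService) {
        this.auditService = Objects.requireNonNull(auditReportService, "auditReportService");
        this.securedTokenService = Objects.requireNonNull(securedTokenService, "securedTokenService");
        this.authKitEndpointsListener = Objects.requireNonNull(authKitEndpointsListener, "authKitEndpointsListener");
        this.authenticationService = Objects.requireNonNull(authenticationService, "authenticationService");
        this.cookieService = Objects.requireNonNull(cookieService, "cookieService");
    }

    /**
     * Decides whether the handler is a controller method this interceptor must check.
     * Static resource handlers and unknown handler types are let through without any auth check.
     *
     * @return {@code true} only for a {@link HandlerMethod}
     */
    private boolean isRequestIsHandle(HttpServletRequest httpServletRequest, Object handler) {
        if (handler instanceof ResourceHttpRequestHandler resourceHandler) {
            // Static resource: only trace the resolved lookup path.
            Optional.ofNullable(resourceHandler.getUrlPathHelper())
                    .map(pathHelper -> pathHelper.getLookupPathForRequest(httpServletRequest))
                    .ifPresent(lookupPath -> log.trace("HandlerH: {}", lookupPath));
            return false;
        }
        if (handler instanceof HandlerMethod) {
            return true;
        }
        log.info("Unknown handler: {}", handler.getClass());
        return false;
    }

    /**
     * Reads the caller's token and validates it.
     * <p>
     * The bearer header wins over the logon cookie; the cookie is only consulted when no
     * bearer token is present. The scheme match is case-insensitive and does not require
     * a separating space after {@code bearer}.
     *
     * @return the decoded token, or empty when the request carries no token at all
     * @throws UnauthorizedRequestException when the token does not verify, or is pinned to a
     *         host that does not match the request's original remote address
     */
    private Optional<LoggedUserTagsTokenDto> extractAndCheckAuthToken(HttpServletRequest httpServletRequest) {
        Optional<String> rawToken = Optional.ofNullable(httpServletRequest.getHeader(AUTHORIZATION_HEADER))
                .filter(header -> header.toLowerCase(Locale.ROOT).startsWith(BEARER_SCHEME))
                .map(header -> header.substring(BEARER_SCHEME.length()).trim());
        boolean fromCookie = false;
        if (rawToken.isEmpty()) {
            rawToken = Optional.ofNullable(cookieService.getLogonCookiePayload(httpServletRequest));
            fromCookie = true;
        }
        if (rawToken.isEmpty()) {
            return Optional.empty();
        }

        LoggedUserTagsTokenDto token;
        try {
            token = Objects.requireNonNull(securedTokenService.loggedUserRightsExtractToken(rawToken.get(), fromCookie));
        } catch (NotAcceptableSecuredTokenException e) {
            throw new UnauthorizedRequestException("Invalid JWT in auth request");
        }

        String onlyForHost = token.getOnlyForHost();
        if (onlyForHost != null && !isRequestFromHost(httpServletRequest, onlyForHost)) {
            throw new UnauthorizedRequestException("Reject request for from " + onlyForHost + " because the actual token contain a IP restriction on {} only", token.getUserUUID());
        }
        return Optional.of(token);
    }

    /**
     * Compares the request's original remote address with the host the token is pinned to.
     * Any resolution failure or unknown origin counts as a mismatch (fail closed).
     */
    private static boolean isRequestFromHost(HttpServletRequest httpServletRequest, String onlyForHost) {
        String remoteAddr = AuditReportServiceImpl.getOriginalRemoteAddr(httpServletRequest);
        if (remoteAddr == null || remoteAddr.isEmpty()) {
            // InetAddress.getByName(null / "") resolves to the loopback address, which would let a
            // token pinned to localhost match a request whose origin is unknown.
            return false;
        }
        try {
            // Note: getByName performs a name lookup when the value is not an IP literal.
            InetAddress pinnedHost = InetAddress.getByName(onlyForHost);
            InetAddress requestHost = InetAddress.getByName(remoteAddr);
            return pinnedHost.equals(requestHost);
        } catch (UnknownHostException e) {
            return false;
        }
    }

    /**
     * Enforces the endpoint's authentication and rights requirements against the presented token.
     * <p>
     * Endpoints with neither a {@link CheckBefore} list nor a valid-auth requirement are public.
     * Cookie-based auth is refused for REST controllers and for methods other than GET/POST.
     * The user passes when at least one {@link CheckBefore} entry has all of its rights among the token tags.
     *
     * @throws UnauthorizedRequestException no user in the token, or cookie auth on a REST controller
     * @throws BadRequestException cookie auth with an HTTP method other than GET/POST
     * @throws ForbiddenRequestException the token's tags satisfy none of the required right sets
     */
    private void compareUserRightsAndRequestMandatories(HttpServletRequest httpServletRequest, LoggedUserTagsTokenDto token, Method method, AnnotatedControllerClass annotatedControllerClass) {
        List<CheckBefore> requireAuthList = annotatedControllerClass.getRequireAuthList(method);
        if (requireAuthList.isEmpty() && !annotatedControllerClass.isRequireValidAuth(method)) {
            return;
        }
        if (token.isFromCookie()) {
            if (annotatedControllerClass.getControllerType().equals(ControllerType.REST)) {
                throw new UnauthorizedRequestException("An auth cookie can't authorized a REST request");
            }
            String httpMethod = httpServletRequest.getMethod();
            if (!httpMethod.equalsIgnoreCase("GET") && !httpMethod.equalsIgnoreCase("POST")) {
                throw new BadRequestException("Unacceptable method " + httpMethod);
            }
        }
        String userUUID = token.getUserUUID();
        if (userUUID == null) {
            throw new UnauthorizedRequestException("Unauthorized");
        }
        // NOTE(review): with an empty requireAuthList this is vacuously false and the user is
        // rejected even though only valid auth is required — confirm that isRequireValidAuth
        // never holds without at least one CheckBefore entry.
        Set<String> tags = token.getTags();
        boolean satisfiesARightSet = requireAuthList.stream()
                .anyMatch(checkBefore -> Arrays.stream(checkBefore.value()).allMatch(tags::contains));
        if (!satisfiesARightSet) {
            throw new ForbiddenRequestException("Forbidden user", userUUID);
        }
    }

    /**
     * For endpoints flagged "reinforce check before", re-validates the user against the live
     * account state instead of trusting the token alone: the account must still be enabled and
     * unblocked, and every tag carried by the token must still be granted.
     *
     * @throws UnauthorizedRequestException no user in the token, or the account is now disabled/blocked
     * @throws ForbiddenRequestException a tag present in the token is no longer granted
     */
    private void checkRenforcedRightsChecks(HttpServletRequest httpServletRequest, AnnotatedControllerClass annotatedControllerClass, Method method, LoggedUserTagsTokenDto token) {
        if (!annotatedControllerClass.isRequireRenforceCheckBefore(method)) {
            return;
        }
        String userUUID = token.getUserUUID();
        if (userUUID == null) {
            // A live re-check needs an identified user; an anonymous token cannot pass it.
            throw new UnauthorizedRequestException("Unauthorized");
        }
        if (!authenticationService.isUserEnabledAndNonBlocked(userUUID)) {
            throw new UnauthorizedRequestException("User {} is now disabled/blocked before last login", userUUID);
        }
        Set<String> currentRights = authenticationService
                .getRightsForUser(userUUID, AuditReportServiceImpl.getOriginalRemoteAddr(httpServletRequest))
                .stream()
                .collect(Collectors.toUnmodifiableSet());
        for (String tag : token.getTags()) {
            if (!currentRights.contains(tag)) {
                throw new ForbiddenRequestException("User has lost some rights (like " + tag + ") before last login", userUUID);
            }
        }
    }

    /**
     * Authenticates and authorizes the request before the controller method runs.
     * Sets the controller-type, token, user-UUID and redirect-after-login request attributes.
     *
     * @return always {@code true}; rejections are thrown, never signalled by {@code false}
     */
    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object handler) throws IOException {
        if (!isRequestIsHandle(httpServletRequest, handler)) {
            return true;
        }
        HandlerMethod handlerMethod = (HandlerMethod) handler;
        Class<?> beanType = handlerMethod.getBeanType();
        Method method = handlerMethod.getMethod();
        AnnotatedControllerClass annotatedClass = authKitEndpointsListener.getAnnotatedClass(beanType);
        httpServletRequest.setAttribute(CONTROLLER_TYPE_ATTRIBUTE_NAME, annotatedClass.getControllerType());

        Optional<LoggedUserTagsTokenDto> presentedToken = extractAndCheckAuthToken(httpServletRequest);
        presentedToken.ifPresent(token -> httpServletRequest.setAttribute(USER_TOKEN_ATTRIBUTE_NAME, token));
        // Anonymous placeholder (no user, no tags, not from cookie) so the checks below
        // fail closed on protected endpoints; presumably (userUUID, tags, onlyForHost, fromCookie).
        LoggedUserTagsTokenDto token = presentedToken.orElseGet(() -> new LoggedUserTagsTokenDto(null, Set.of(), null, false));

        checkRenforcedRightsChecks(httpServletRequest, annotatedClass, method, token);
        compareUserRightsAndRequestMandatories(httpServletRequest, token, method, annotatedClass);

        String userUUID = token.getUserUUID();
        httpServletRequest.setAttribute(USER_UUID_ATTRIBUTE_NAME, userUUID);
        Optional.ofNullable(cookieService.getRedirectAfterLoginCookiePayload(httpServletRequest))
                .ifPresent(target -> httpServletRequest.setAttribute(REDIRECT_AFTER_LOGIN_ATTRIBUTE_NAME, target));

        if (userUUID == null) {
            log.info("Request {} {}:{}()", beanType.getSimpleName(), httpServletRequest.getMethod(), method.getName());
        } else {
            log.info("Request {} {}:{}() {}", beanType.getSimpleName(), httpServletRequest.getMethod(), method.getName(), userUUID);
        }
        return true;
    }

    /**
     * @return the authenticated user UUID stored by {@link #preHandle}, sanitized for logging,
     *         or empty for an anonymous or unintercepted request
     */
    public static final Optional<String> getRequestUserUUID(HttpServletRequest httpServletRequest) {
        return Optional.ofNullable(httpServletRequest.getAttribute(USER_UUID_ATTRIBUTE_NAME))
                .map(value -> LogSanitizer.sanitize((String) value));
    }

    /**
     * @return the decoded token stored by {@link #preHandle}, or empty when no token was presented
     */
    public static final Optional<LoggedUserTagsTokenDto> getUserTokenFromRequestAttribute(HttpServletRequest httpServletRequest) {
        return Optional.ofNullable(httpServletRequest.getAttribute(USER_TOKEN_ATTRIBUTE_NAME))
                .map(LoggedUserTagsTokenDto.class::cast);
    }

    /**
     * @return the redirect-after-login target stored by {@link #preHandle}, sanitized, or empty
     */
    public static final Optional<String> getPathToRedirectToAfterLogin(HttpServletRequest httpServletRequest) {
        return Optional.ofNullable(httpServletRequest.getAttribute(REDIRECT_AFTER_LOGIN_ATTRIBUTE_NAME))
                .map(value -> LogSanitizer.sanitize((String) value));
    }

    /**
     * Dispatches the controller method's {@link AuditAfter} events to the audit service:
     * error audits (only when the request failed with {@code exc}), security-change audits,
     * security-use audits, and the remaining ones as simple events.
     * <p>
     * Spring invokes this only for interceptors whose {@link #preHandle} completed normally, so
     * a request rejected by the checks above is not audited here.
     */
    @Override
    public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object handler, Exception exc) throws Exception {
        if (!(handler instanceof HandlerMethod handlerMethod)) {
            return;
        }
        List<AuditAfter> audits = authKitEndpointsListener
                .getAnnotatedClass(handlerMethod.getBeanType())
                .getAudits(handlerMethod.getMethod());
        if (audits.isEmpty()) {
            return;
        }
        if (exc != null) {
            List<String> errorAudits = auditNames(audits, AuditAfter::cantDoErrors);
            if (!errorAudits.isEmpty()) {
                auditService.onImportantError(httpServletRequest, errorAudits, exc);
            }
        }
        List<String> securityChanges = auditNames(audits, AuditAfter::changeSecurity);
        if (!securityChanges.isEmpty()) {
            auditService.onChangeSecurity(httpServletRequest, securityChanges);
        }
        List<String> securityUses = auditNames(audits, AuditAfter::useSecurity);
        if (!securityUses.isEmpty()) {
            auditService.onUseSecurity(httpServletRequest, securityUses);
        }
        List<String> simpleEvents = auditNames(audits,
                audit -> !audit.cantDoErrors() && !audit.changeSecurity() && !audit.useSecurity());
        if (!simpleEvents.isEmpty()) {
            auditService.onSimpleEvent(httpServletRequest, simpleEvents);
        }
    }

    /** Collects the {@code value()} of every audit annotation accepted by {@code selector}, in declaration order. */
    private static List<String> auditNames(List<AuditAfter> audits, Predicate<AuditAfter> selector) {
        return audits.stream().filter(selector).map(AuditAfter::value).toList();
    }
}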
