package com.atomgraph.linkeddatahub.server.filter.request.auth;

import com.atomgraph.linkeddatahub.apps.model.AdminApplication;
import com.atomgraph.linkeddatahub.apps.model.Application;
import com.atomgraph.linkeddatahub.apps.model.EndUserApplication;
import com.atomgraph.linkeddatahub.model.auth.Agent;
import com.atomgraph.linkeddatahub.resource.admin.oauth2.Login;
import com.atomgraph.linkeddatahub.server.filter.request.AuthenticationFilter;
import com.atomgraph.linkeddatahub.server.security.IDTokenSecurityContext;
import com.atomgraph.linkeddatahub.vocabulary.FOAF;
import com.atomgraph.linkeddatahub.vocabulary.Google;
import com.atomgraph.linkeddatahub.vocabulary.LACL;
import com.atomgraph.processor.vocabulary.SIOC;
import com.auth0.jwt.JWT;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.io.IOException;
import java.net.URI;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import javax.annotation.PostConstruct;
import javax.annotation.Priority;
import javax.json.JsonObject;
import javax.ws.rs.InternalServerErrorException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.client.Entity;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.jena.query.ParameterizedSparqlString;
import org.apache.jena.query.QuerySolutionMap;
import org.apache.jena.rdf.model.Literal;
import org.apache.jena.rdf.model.Model;
import org.apache.jena.rdf.model.Resource;
import org.apache.jena.rdf.model.ResourceFactory;
import org.apache.jena.vocabulary.RDF;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

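/**
 * Authenticates requests with a Google OpenID Connect ID token carried in the
 * {@value #COOKIE_NAME} cookie.
 * <p>
 * The cookie value is parsed, refreshed through the stored refresh token when it has
 * expired, and then validated against Google's {@code tokeninfo} endpoint. Only after
 * that validation is the matching {@code sioc:UserAccount} looked up (through a
 * per-issuer/subject model cache) and its agent exposed as the request principal.
 * <p>
 * The filter applies to end-user and admin applications only; the OAuth2 login and
 * authorize endpoints are exempt so the login round-trip itself can complete.
 */
@Priority(5010)
@PreMatching
public class IDTokenFilter extends AuthenticationFilter {

    private static final Logger log = LoggerFactory.getLogger(IDTokenFilter.class);

    /** Authentication scheme name reported by the resulting {@link SecurityContext}. */
    public static final String AUTH_SCHEME = "JWT";
    /** Name of the cookie that carries the raw ID token. */
    public static final String COOKIE_NAME = "LinkedDataHub.id_token";
    /** Google endpoint that validates an ID token and returns its claims. */
    private static final String TOKENINFO_ENDPOINT = "https://oauth2.googleapis.com/tokeninfo";

    private String clientID;
    private String clientSecret;
    private ParameterizedSparqlString userAccountQuery;

    /**
     * Loads the user-account lookup query and the Google OAuth2 client credentials
     * from the system configuration.
     */
    @PostConstruct
    public void init() {
        userAccountQuery = new ParameterizedSparqlString(getSystem().getUserAccountQuery().toString());
        clientID = (String) getSystem().getProperty(Google.clientID.getURI());
        clientSecret = (String) getSystem().getProperty(Google.clientSecret.getURI());
    }

    @Override // com.atomgraph.linkeddatahub.server.filter.request.AuthenticationFilter
    public String getScheme() {
        return AUTH_SCHEME;
    }

    /**
     * Runs ID-token authentication unless the request is already authenticated,
     * the current application is neither an end-user nor an admin application,
     * or the request targets one of the OAuth2 login endpoints.
     */
    @Override // com.atomgraph.linkeddatahub.server.filter.request.AuthenticationFilter
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        // another filter (e.g. client-certificate auth) has already established a principal
        if (containerRequestContext.getSecurityContext().getUserPrincipal() != null) return;

        Application app = getApplication();
        boolean applicable = app.canAs(EndUserApplication.class) || app.canAs(AdminApplication.class);
        if (!applicable) return;

        // the login flow must stay reachable without a (valid) token
        URI requested = containerRequestContext.getUriInfo().getAbsolutePath();
        if (requested.equals(getLoginURL()) || requested.equals(getAuthorizeGoogleURL())) return;

        super.filter(containerRequestContext);
    }

    /**
     * Authenticates the request from the ID token cookie.
     *
     * @param containerRequestContext the current request
     * @return a security context for the agent owning the matching user account, or
     *         {@code null} when no cookie is present, the token does not validate, or no
     *         user account is registered for the token's issuer and subject
     * @throws TokenExpiredException if the token has expired and no refresh token is stored for its subject
     * @throws IllegalStateException if the user account has no {@code sioc:account_of} agent
     */
    @Override // com.atomgraph.linkeddatahub.server.filter.request.AuthenticationFilter
    public SecurityContext authenticate(ContainerRequestContext containerRequestContext) {
        String jwtToken = getJWTToken(containerRequestContext);
        if (jwtToken == null) return null;

        // JWT.decode() only parses the token; no claim is trustworthy until verify() succeeds below
        DecodedJWT idToken = JWT.decode(jwtToken);
        Date expiresAt = idToken.getExpiresAt();
        // Google ID tokens always carry 'exp'; a token without it cannot be validated, so it is not accepted
        if (expiresAt == null) return null;

        if (expiresAt.before(new Date())) {
            // NOTE(review): the 'sub' used to select a stored refresh token comes from a token whose
            // signature has not been checked at this point. A client that can set the cookie to an
            // expired token with a chosen 'sub' makes this server refresh, verify and then log in as
            // that subject. The presented token's signature should be verified (e.g. against Google's
            // JWKS) before any of its claims are used here.
            String refreshToken = getSystem().getRefreshToken(idToken.getSubject());
            if (refreshToken == null) {
                if (log.isDebugEnabled()) {
                    log.debug("ID token for subject '{}' has expired at {}, refresh token not found", idToken.getSubject(), expiresAt);
                }
                throw new TokenExpiredException("ID token for subject '" + idToken.getSubject() + "' has expired at " + expiresAt);
            }
            if (log.isDebugEnabled()) {
                log.debug("ID token for subject '{}' has expired at {}, refreshing it", idToken.getSubject(), expiresAt);
            }
            idToken = refreshIDToken(refreshToken);
        }

        // the (possibly refreshed) token is only trusted once Google confirms it
        if (!verify(idToken)) return null;

        Literal subject = ResourceFactory.createStringLiteral(idToken.getSubject());
        String cacheKey = idToken.getIssuer() + idToken.getSubject();
        Model accountModel;
        if (getSystem().getOIDCModelCache().containsKey(cacheKey)) {
            accountModel = (Model) getSystem().getOIDCModelCache().get(cacheKey);
        } else {
            QuerySolutionMap bindings = new QuerySolutionMap();
            bindings.add(SIOC.ID.getLocalName(), subject);
            bindings.add(LACL.issuer.getLocalName(), ResourceFactory.createStringLiteral(idToken.getIssuer()));
            accountModel = loadModel(getUserAccountQuery(), bindings, getAgentService());
        }

        Resource account = getResourceByPropertyValue(accountModel, SIOC.ID, subject);
        if (account == null) return null;

        // getPropertyResourceValue() yields null when the property is absent, so the check below is reachable
        Resource agent = account.getPropertyResourceValue(SIOC.ACCOUNT_OF);
        if (agent == null) {
            throw new IllegalStateException("UserAccount is not attached to an agent (sioc:account_of property is missing)");
        }

        // cache the account model only for as long as the verified token itself is valid
        Date verifiedExpiry = idToken.getExpiresAt();
        if (verifiedExpiry != null) {
            long ttlSeconds = ChronoUnit.SECONDS.between(Instant.now(), verifiedExpiry.toInstant());
            getSystem().getOIDCModelCache().put(cacheKey, accountModel, ttlSeconds, TimeUnit.SECONDS);
        }

        // carry the currently valid token (the refreshed one if a refresh happened), not the stale cookie value
        Agent principal = agent.addProperty(RDF.type, FOAF.Agent).as(Agent.class);
        return new IDTokenSecurityContext(getScheme(), principal, idToken.getToken());
    }

    /**
     * Reads the raw ID token from the {@value #COOKIE_NAME} cookie.
     *
     * @return the cookie value, or {@code null} when the cookie is absent
     * @throws IllegalArgumentException if the request context is {@code null}
     */
    protected String getJWTToken(ContainerRequestContext containerRequestContext) {
        if (containerRequestContext == null) {
            throw new IllegalArgumentException("ContainerRequest cannot be null");
        }
        Cookie cookie = (Cookie) containerRequestContext.getCookies().get(COOKIE_NAME);
        return cookie == null ? null : cookie.getValue();
    }

    /**
     * Validates an ID token against Google's {@code tokeninfo} endpoint and checks that
     * the endpoint's view of the token (issuer, subject, key ID) matches the locally
     * decoded claims and that its audience is this deployment's client ID.
     *
     * @param decodedJWT the decoded token to validate
     * @return {@code true} only when Google accepts the token, the claims agree and the
     *         audience matches the configured client ID
     */
    protected boolean verify(DecodedJWT decodedJWT) {
        Response response = getSystem().getNoCertClient().target(TOKENINFO_ENDPOINT)
                .queryParam("id_token", decodedJWT.getToken())
                .request(MediaType.APPLICATION_JSON_TYPE)
                .get();
        try {
            if (!Response.Status.Family.SUCCESSFUL.equals(response.getStatusInfo().getFamily())) {
                if (log.isDebugEnabled()) {
                    log.debug("Could not verify JWT token for subject '{}'", decodedJWT.getSubject());
                }
                return false;
            }
            JsonObject tokenInfo = response.readEntity(JsonObject.class);
            boolean claimsMatch = claimMatches(decodedJWT.getIssuer(), tokenInfo.getString("iss", null))
                    && claimMatches(decodedJWT.getSubject(), tokenInfo.getString("sub", null))
                    && claimMatches(decodedJWT.getKeyId(), tokenInfo.getString("kid", null));
            // a token that is genuine but minted for another OAuth2 client must not log anyone in here
            boolean audienceMatches = claimMatches(getClientID(), tokenInfo.getString("aud", null));
            if (!audienceMatches && log.isDebugEnabled()) {
                log.debug("ID token for subject '{}' has audience '{}' which does not match the configured client ID",
                        decodedJWT.getSubject(), tokenInfo.getString("aud", null));
            }
            return claimsMatch && audienceMatches;
        } finally {
            response.close();
        }
    }

    /**
     * Null-safe claim comparison: a missing expected value never matches.
     */
    private static boolean claimMatches(String expected, String actual) {
        return expected != null && expected.equals(actual);
    }

    /**
     * Starts the login flow by redirecting to the Google authorize endpoint.
     */
    @Override // com.atomgraph.linkeddatahub.server.filter.request.AuthenticationFilter
    public void login(Application application, ContainerRequestContext containerRequestContext) {
        throw new WebApplicationException(Response.seeOther(getAuthorizeGoogleURL()).build());
    }

    /**
     * Logs out by expiring the ID token cookie (secure, HttpOnly, scoped to the
     * application base path) and redirecting back to the requested URL.
     */
    @Override // com.atomgraph.linkeddatahub.server.filter.request.AuthenticationFilter
    public void logout(Application application, ContainerRequestContext containerRequestContext) {
        Cookie cookie = (Cookie) containerRequestContext.getCookies().get(COOKIE_NAME);
        if (cookie == null) return;

        NewCookie expired = new NewCookie(cookie.getName(), (String) null, application.getBase().getURI(), (String) null,
                1, (String) null, -1, new Date(0L), true, true);
        Response redirect = Response.seeOther(containerRequestContext.getUriInfo().getAbsolutePath())
                .cookie(expired)
                .build();
        throw new NotAuthorizedException(redirect);
    }

    /**
     * Exchanges a refresh token for a new ID token at the Google token endpoint.
     * The returned token is decoded but not validated; callers must pass it through
     * {@link #verify(DecodedJWT)} before trusting it.
     *
     * @param refreshToken the stored OAuth2 refresh token
     * @return the decoded new ID token
     * @throws InternalServerErrorException if the token endpoint reports an error or returns no {@code id_token}
     */
    public DecodedJWT refreshIDToken(String refreshToken) {
        Form form = new Form()
                .param("grant_type", "refresh_token")
                .param("client_id", getClientID())
                .param("client_secret", getClientSecret())
                .param("refresh_token", refreshToken);
        Response response = getSystem().getClient().target(Login.TOKEN_ENDPOINT).request().post(Entity.form(form));
        try {
            JsonObject body = response.readEntity(JsonObject.class);
            if (body.containsKey("error")) {
                if (log.isErrorEnabled()) {
                    log.error("OAuth error: '{}'", body.getString("error"));
                }
                throw new InternalServerErrorException(body.getString("error"));
            }
            String idToken = body.getString("id_token", null);
            if (idToken == null) {
                throw new InternalServerErrorException("Token endpoint response does not contain an id_token");
            }
            return JWT.decode(idToken);
        } finally {
            response.close();
        }
    }

    /** @return the admin application's OAuth2 login endpoint, exempt from this filter */
    public URI getLoginURL() {
        return getAdminApplication().getBaseURI().resolve("oauth2/login");
    }

    /** @return the admin application's Google authorize endpoint, exempt from this filter */
    public URI getAuthorizeGoogleURL() {
        return getAdminApplication().getBaseURI().resolve("oauth2/authorize/google");
    }

    /**
     * @return the admin application: the current one if it is an admin application,
     *         otherwise the admin application of the current end-user application
     */
    public AdminApplication getAdminApplication() {
        Application app = getApplication();
        if (app.canAs(EndUserApplication.class)) {
            return app.as(EndUserApplication.class).getAdminApplication();
        }
        return app.as(AdminApplication.class);
    }

    /** @return a fresh copy of the user-account lookup query, safe to bind parameters on */
    public ParameterizedSparqlString getUserAccountQuery() {
        return userAccountQuery.copy();
    }

    private String getClientID() {
        return clientID;
    }

    private String getClientSecret() {
        return clientSecret;
    }
}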
