package com.atomgraph.linkeddatahub.server.filter.request.auth;

import com.atomgraph.core.MediaTypes;
import com.atomgraph.linkeddatahub.apps.model.Application;
import com.atomgraph.linkeddatahub.model.auth.Agent;
import com.atomgraph.linkeddatahub.server.exception.auth.webid.InvalidWebIDPublicKeyException;
import com.atomgraph.linkeddatahub.server.exception.auth.webid.WebIDDelegationException;
import com.atomgraph.linkeddatahub.server.exception.auth.webid.WebIDLoadingException;
import com.atomgraph.linkeddatahub.server.filter.request.AuthenticationFilter;
import com.atomgraph.linkeddatahub.server.security.WebIDSecurityContext;
import com.atomgraph.linkeddatahub.vocabulary.ACL;
import com.atomgraph.linkeddatahub.vocabulary.Cert;
import com.atomgraph.linkeddatahub.vocabulary.FOAF;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.annotation.PostConstruct;
import javax.annotation.Priority;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.ProcessingException;
import javax.ws.rs.client.Client;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.jena.datatypes.xsd.XSDDatatype;
import org.apache.jena.query.ParameterizedSparqlString;
import org.apache.jena.query.QueryExecution;
import org.apache.jena.query.ResultSet;
import org.apache.jena.rdf.model.Model;
import org.apache.jena.rdf.model.ModelFactory;
import org.apache.jena.rdf.model.Resource;
import org.apache.jena.rdf.model.ResourceFactory;
import org.apache.jena.vocabulary.RDF;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

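/**
 * WebID-TLS authentication filter.
 * <p>
 * The client's TLS certificate is expected to carry its WebID as a {@code uniformResourceIdentifier}
 * Subject Alternative Name. The filter dereferences that WebID and authenticates the request as that
 * agent only when the loaded profile data lists the certificate's RSA public key: the key's exponent
 * and modulus are bound into the system's WebID SPARQL query, and the query has to return the very
 * WebID found in the certificate. An {@code On-Behalf-Of} header additionally lets the authenticated
 * agent act as another agent, provided that agent's own profile document contains an
 * {@code acl:delegates} statement for it.
 * <p>
 * Outcomes of {@link #authenticate(ContainerRequestContext)}: {@code null} (the request stays
 * unauthenticated) when no WebID certificate is presented, the certificate is outside its validity
 * period, or a profile cannot be loaded; {@link InvalidWebIDPublicKeyException} when the key does not
 * match; {@link WebIDDelegationException} when the requested delegation is not declared.
 * <p>
 * The WebID (and the {@code On-Behalf-Of} value) is client-supplied, and the filter dereferences it
 * with the server-side HTTP client; see {@link #loadWebIDFromURI(URI)}.
 */
@Priority(5000)
@PreMatching
public class WebIDFilter extends AuthenticationFilter {
    private static final Logger log = LoggerFactory.getLogger(WebIDFilter.class);

    /**
     * {@code GeneralName} tag of a {@code uniformResourceIdentifier} entry in the list returned by
     * {@link X509Certificate#getSubjectAlternativeNames()}.
     */
    public static final int SAN_URI_NAME = 6;

    /** Servlet request attribute under which the container exposes the client certificate chain. */
    private static final String X509_CERTIFICATE_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    private final MediaTypes mediaTypes = new MediaTypes();
    /** Media types this filter will accept when dereferencing WebID documents (every readable RDF type). */
    private final MediaType[] acceptedTypes;

    @Context
    HttpServletRequest httpServletRequest;
    /** Template of the WebID verification query; see {@link #getWebIDQuery()} for the per-request copy. */
    private ParameterizedSparqlString webIDQuery;

    /**
     * Collects the media types a {@link Model} can be read from; they become the {@code Accept}
     * values used when loading WebID documents.
     */
    public WebIDFilter() {
        List<MediaType> readable = new ArrayList<>();
        readable.addAll(this.mediaTypes.getReadable(Model.class));
        this.acceptedTypes = readable.toArray(new MediaType[0]);
    }

    /**
     * Parses the system-wide WebID query once the filter has been injected; it is kept as a
     * parameterized template that {@link #getWebIDQuery()} copies for every request.
     */
    @PostConstruct
    public void init() {
        this.webIDQuery = new ParameterizedSparqlString(getSystem().getWebIDQuery().toString());
    }

    /**
     * @return the authentication scheme name reported in the {@link SecurityContext}
     */
    @Override
    public String getScheme() {
        return "CLIENT_CERT";
    }

    /**
     * Authenticates the request from the client certificate's WebID.
     *
     * @param containerRequestContext current request
     * @return security context for the authenticated agent (or the agent it acts on behalf of),
     * or {@code null} if the request cannot be authenticated with WebID-TLS
     * @throws InvalidWebIDPublicKeyException if the certificate key is not listed in the WebID profile
     * @throws WebIDDelegationException if {@code On-Behalf-Of} names an agent that has not delegated to this one
     */
    @Override
    public SecurityContext authenticate(ContainerRequestContext containerRequestContext) {
        try {
            X509Certificate webIDCertificate = getWebIDCertificate(containerRequestContext);
            if (log.isTraceEnabled()) log.trace("Client WebID certificate: {}", webIDCertificate);
            // no certificate with a WebID: leave the request to other filters / anonymous handling
            if (webIDCertificate == null) return null;

            // validity period only; no revocation check happens here (a CertificateException is mapped to null below)
            webIDCertificate.checkValidity();
            // safe cast: getWebIDCertificate() only returns a certificate whose key getWebIDURI() verified to be RSA
            RSAPublicKey publicKey = (RSAPublicKey) webIDCertificate.getPublicKey();
            URI webIDURI = getWebIDURI(webIDCertificate);
            if (webIDURI == null) {
                if (log.isTraceEnabled()) log.trace("WebID not found in the client certificate, skipping WebID filter");
                return null;
            }
            if (log.isTraceEnabled()) log.trace("Client WebID: {}", webIDURI);

            Model webIDModel = loadWebID(webIDURI);
            if (webIDModel == null) {
                if (log.isErrorEnabled()) log.error("Could not load WebID URI: {}", webIDURI);
                return null;
            }
            Resource agent = authenticate(webIDModel, webIDURI, publicKey);
            if (agent == null) {
                if (log.isErrorEnabled()) log.error("Client certificate public key did not match WebID public key: {}", webIDURI);
                throw new InvalidWebIDPublicKeyException(publicKey, webIDURI.toString());
            }
            getSystem().getWebIDModelCache().put(webIDURI, agent.getModel());

            String onBehalfOf = containerRequestContext.getHeaderString(AuthenticationFilter.ON_BEHALF_OF);
            if (onBehalfOf != null) {
                URI delegateURI = new URI(onBehalfOf);
                Model delegateModel = loadWebID(delegateURI);
                if (delegateModel == null) {
                    if (log.isErrorEnabled()) log.error("Could not load WebID URI: {}", delegateURI);
                    return null;
                }
                Resource delegate = delegateModel.createResource(onBehalfOf);
                // acting as oneself is always allowed; otherwise the delegate's own profile document
                // (not the authenticated agent's) must state <agent> acl:delegates <delegate>
                if (!agent.equals(delegate) && !delegate.getModel().contains(agent, ACL.delegates, delegate))
                    throw new WebIDDelegationException(agent, delegate);
                agent = delegate;
                getSystem().getWebIDModelCache().put(delegateURI, delegate.getModel());
            }
            return new WebIDSecurityContext(getScheme(), agent.addProperty(RDF.type, FOAF.Agent).as(Agent.class));
        } catch (URISyntaxException e) {
            if (log.isErrorEnabled()) log.error("Could not parse WebID URI: {}", e.getInput(), e);
            return null;
        } catch (CertificateException e) {
            // also covers CertificateParsingException from the SAN extraction
            if (log.isErrorEnabled()) log.error("WebID certificate error (could not parse, expired or not yet valid)", e);
            return null;
        } catch (ProcessingException e) {
            if (log.isErrorEnabled()) log.error("Could not load WebID URI", e);
            return null;
        }
    }

    /**
     * Returns the client's end-entity certificate if it carries a WebID.
     * <p>
     * Only the first certificate of the chain is considered: it is the client's own certificate
     * (the Servlet attribute is ordered leaf first), and it is the only key the TLS handshake proved
     * the client to possess. Issuer certificates further up the chain are not the client's identity.
     *
     * @param containerRequestContext current request (unused; the chain comes from the servlet request)
     * @return the end-entity certificate, or {@code null} if no chain was presented or it carries no WebID
     * @throws URISyntaxException if the SAN URI cannot be parsed
     * @throws CertificateException if the SAN extension cannot be parsed
     */
    public X509Certificate getWebIDCertificate(ContainerRequestContext containerRequestContext) throws URISyntaxException, CertificateException, CertificateParsingException {
        X509Certificate[] chain = (X509Certificate[]) getHttpServletRequest().getAttribute(X509_CERTIFICATE_ATTRIBUTE);
        // attribute is absent when the client presented no certificate (or TLS was terminated upstream)
        if (chain == null || chain.length == 0) return null;
        X509Certificate endEntity = chain[0];
        return getWebIDURI(endEntity) != null ? endEntity : null;
    }

    /**
     * Extracts the WebID from a certificate's Subject Alternative Names.
     *
     * @param x509Certificate certificate to inspect
     * @return the first {@code uniformResourceIdentifier} SAN as a URI, or {@code null} if the certificate
     * has no SAN extension, no URI entry, or a non-RSA public key (only RSA keys can be matched against a profile here)
     * @throws URISyntaxException if the SAN value is not a valid URI
     * @throws CertificateParsingException if the SAN extension cannot be decoded
     */
    public static URI getWebIDURI(X509Certificate x509Certificate) throws URISyntaxException, CertificateParsingException {
        Collection<List<?>> sans = x509Certificate.getSubjectAlternativeNames();
        if (sans == null || sans.isEmpty()) return null;
        if (!(x509Certificate.getPublicKey() instanceof RSAPublicKey)) return null;
        for (List<?> san : sans) {
            // each entry is [Integer nameType, value]; URI names are returned as strings
            if (Integer.parseInt(san.get(0).toString()) == SAN_URI_NAME)
                return new URI(san.get(1).toString());
        }
        return null;
    }

    /**
     * Checks that the profile data lists the given RSA key for the given WebID.
     * <p>
     * A fresh copy of the WebID query is parameterized with the key's exponent and hex modulus and
     * run over {@code model}. The first result row must bind {@code ?webid} to a URI resource equal
     * to {@code uri}; a profile that merely lists the key for some other agent does not authenticate.
     *
     * @param model profile data (typically from {@link #loadWebID(URI)})
     * @param uri WebID claimed by the certificate
     * @param rSAPublicKey public key of the client certificate
     * @return the WebID resource from {@code model}, or {@code null} if the key is not listed for {@code uri}
     */
    public Resource authenticate(Model model, URI uri, RSAPublicKey rSAPublicKey) {
        ParameterizedSparqlString query = getWebIDQuery();
        query.setLiteral("exp", ResourceFactory.createTypedLiteral(rSAPublicKey.getPublicExponent()));
        // NOTE(review): BigInteger.toString(16) yields lowercase hex without leading zeros; whether the
        // query compares this case-insensitively to cert:modulus values in the profile cannot be seen here — confirm
        query.setLiteral("mod", ResourceFactory.createTypedLiteral(rSAPublicKey.getModulus().toString(16), XSDDatatype.XSDhexBinary));
        try (QueryExecution qex = QueryExecution.create(query.asQuery(), model)) {
            ResultSet results = qex.execSelect();
            if (!results.hasNext()) return null;
            Resource webid = results.next().getResource("webid");
            if (webid == null || !webid.isURIResource()) return null;
            return webid.getURI().equals(uri.toString()) ? webid : null;
        }
    }

    /**
     * Returns the profile data for a WebID, from the system cache when present.
     * The cache is keyed by the full WebID (fragment included) even though fetching strips the fragment.
     *
     * @param uri WebID
     * @return profile model, or {@code null} if it could not be loaded (see {@link #loadWebIDFromURI(URI)})
     */
    public Model loadWebID(URI uri) {
        if (getSystem().getWebIDModelCache().containsKey(uri))
            return (Model) getSystem().getWebIDModelCache().get(uri);
        return loadWebIDFromURI(uri);
    }

    /**
     * Dereferences a WebID and returns its profile data.
     * <p>
     * The WebID document (the URI without its fragment, normalized) is fetched with the no-cert client.
     * If the resulting data gives the WebID a {@code cert:key} that is a URI resource, that key's document
     * is fetched and merged as well, so keys described in a separate document are found.
     * The {@code X-Request-URI} header is set on each response before the entity is read.
     * <p>
     * NOTE(review): {@code uri} is client-controlled (certificate SAN or {@code On-Behalf-Of} header) and is
     * dereferenced by the server; any restriction on acceptable schemes or destinations would have to be
     * enforced by the configured client or upstream — none is visible here.
     *
     * @param uri WebID
     * @return merged profile model, or {@code null} if the document URI could not be derived from {@code uri}
     * @throws WebIDLoadingException if a fetch does not return a successful status
     * @throws ProcessingException if the HTTP request itself fails
     */
    public Model loadWebIDFromURI(URI uri) {
        try {
            Model model = ModelFactory.createDefaultModel();
            URI documentURI = new URI(uri.getScheme(), uri.getSchemeSpecificPart(), null).normalize();
            try (Response response = getClient().target(documentURI).request(getAcceptableMediaTypes()).get()) {
                if (!response.getStatusInfo().getFamily().equals(Response.Status.Family.SUCCESSFUL)) {
                    if (log.isErrorEnabled()) log.error("Could not load WebID Agent: {}", uri.toString());
                    throw new WebIDLoadingException(uri, response);
                }
                response.getHeaders().putSingle("X-Request-URI", documentURI.toString());
                model.add((Model) response.readEntity(Model.class));
            }

            Resource key = model.createResource(uri.toString()).getPropertyResourceValue(Cert.key);
            if (key != null && key.isURIResource()) {
                URI keyURI = URI.create(key.getURI());
                URI keyDocumentURI = new URI(keyURI.getScheme(), keyURI.getSchemeSpecificPart(), null).normalize();
                try (Response keyResponse = getClient().target(keyDocumentURI).request(getAcceptableMediaTypes()).get()) {
                    if (!keyResponse.getStatusInfo().getFamily().equals(Response.Status.Family.SUCCESSFUL)) {
                        if (log.isErrorEnabled()) log.error("Could not load WebID Key: {}", keyURI.toString());
                        throw new WebIDLoadingException(uri, keyResponse);
                    }
                    keyResponse.getHeaders().putSingle("X-Request-URI", keyURI.toString());
                    model.add((Model) keyResponse.readEntity(Model.class));
                }
            }
            return model;
        } catch (URISyntaxException e) {
            // rebuilding the document URI from an already-parsed URI failed; callers treat null as "not loaded"
            if (log.isErrorEnabled()) log.error("Could not derive WebID document URI: {}", e.getInput(), e);
            return null;
        }
    }

    /**
     * @return the injected servlet request (source of the client certificate chain)
     */
    public HttpServletRequest getHttpServletRequest() {
        return this.httpServletRequest;
    }

    /**
     * @return a private copy of the WebID query template, so per-request parameter binding never
     * touches the shared template
     */
    public ParameterizedSparqlString getWebIDQuery() {
        return this.webIDQuery.copy();
    }

    /**
     * @return the system's client that does not present a client certificate, used to dereference WebIDs
     */
    public Client getClient() {
        return getSystem().getNoCertClient();
    }

    /**
     * @return a copy of the media types accepted for WebID documents
     */
    public MediaType[] getAcceptableMediaTypes() {
        return this.acceptedTypes.clone();
    }

    /**
     * Not applicable to WebID-TLS: the credential is the TLS client certificate, not a session.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public void login(Application application, ContainerRequestContext containerRequestContext) {
        throw new UnsupportedOperationException("Not supported yet.");
    }

    /**
     * Not applicable to WebID-TLS: the credential is the TLS client certificate, not a session.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public void logout(Application application, ContainerRequestContext containerRequestContext) {
        throw new UnsupportedOperationException("Not supported yet.");
    }
}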
