package info.unterrainer.commons.httpserver.accessmanager;

import com.fasterxml.jackson.databind.ObjectMapper;
import info.unterrainer.commons.httpserver.HttpServer;
import info.unterrainer.commons.httpserver.enums.Attribute;
import info.unterrainer.commons.httpserver.exceptions.ForbiddenException;
import info.unterrainer.commons.httpserver.exceptions.GatewayTimeoutException;
import info.unterrainer.commons.httpserver.exceptions.UnauthorizedException;
import info.unterrainer.commons.httpserver.jsons.UserDataJson;
import io.javalin.core.security.AccessManager;
import io.javalin.core.security.Role;
import io.javalin.http.Context;
import io.javalin.http.Handler;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.PublicKey;
import java.util.HashSet;
import java.util.Set;
import org.eclipse.jetty.http.HttpHeader;
import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.PublishedRealmRepresentation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:info/unterrainer/commons/httpserver/accessmanager/HttpAccessManager.class */
public class HttpAccessManager implements AccessManager {
    private static final Logger log = LoggerFactory.getLogger(HttpAccessManager.class);
    private String host;
    private String realm;
    private String authUrl;
    private PublicKey publicKey = null;

    public HttpAccessManager(String str, String str2) {
        this.host = str;
        this.realm = str2;
        try {
            initPublicKey();
        } catch (Exception e) {
        }
    }

    public void manage(Handler handler, Context context, Set<Role> set) throws Exception {
        checkAccess(context, set);
        handler.handle(context);
    }

    private void initPublicKey() {
        if (this.publicKey != null) {
            return;
        }
        if (!this.host.endsWith("/")) {
            this.host += "/";
        }
        if (!this.realm.startsWith("/")) {
            this.realm = "/" + this.realm;
        }
        this.authUrl = this.host + "auth/realms" + this.realm;
        try {
            log.info("Getting public key from: [{}]", this.authUrl);
            HttpClient newHttpClient = HttpClient.newHttpClient();
            HttpRequest build = HttpRequest.newBuilder().uri(new URI(this.authUrl)).build();
            ObjectMapper objectMapper = new ObjectMapper();
            newHttpClient.sendAsync(build, HttpResponse.BodyHandlers.ofString()).thenApply(httpResponse -> {
                if (httpResponse.statusCode() < 300) {
                    return (String) httpResponse.body();
                }
                log.error("HTTP status [{}] getting public key from keycloak instance [{}].", Integer.valueOf(httpResponse.statusCode()), this.authUrl);
                throw new GatewayTimeoutException(String.format("The keycloak instance returned an error (status: %d).", Integer.valueOf(httpResponse.statusCode())));
            }).thenAccept(str -> {
                if (str == null) {
                    log.warn("Received empty body.");
                    return;
                }
                try {
                    this.publicKey = ((PublishedRealmRepresentation) objectMapper.readValue(str, PublishedRealmRepresentation.class)).getPublicKey();
                    log.info("Public key received.");
                } catch (IOException e) {
                    log.error("Error parsing answer from keycloak.");
                    throw new UncheckedIOException(e);
                }
            }).join();
        } catch (URISyntaxException e) {
            log.error("The keycloak URL was illegal [{}].", this.authUrl);
            throw new IllegalStateException(e);
        }
    }

    private void checkAccess(Context context, Set<Role> set) {
        try {
            TokenVerifier<AccessToken> persistUserInfoInContext = persistUserInfoInContext(context);
            if (set.isEmpty()) {
                return;
            }
            if (set.contains(DefaultRole.OPEN) && set.size() == 1) {
                return;
            }
            if (persistUserInfoInContext == null) {
                throw new UnauthorizedException();
            }
            initPublicKey();
            persistUserInfoInContext.publicKey(this.publicKey);
            try {
                persistUserInfoInContext.verifySignature();
                try {
                    persistUserInfoInContext.verify();
                    if ((set.contains(DefaultRole.AUTHENTICATED) && set.size() == 1) || hasPermittedRole(context, set)) {
                    } else {
                        throw new ForbiddenException();
                    }
                } catch (VerificationException e) {
                    throw new ForbiddenException();
                }
            } catch (VerificationException e2) {
                throw new UnauthorizedException("Error verifying token from user with publicKey obtained from keycloak.", e2);
            }
        } catch (Exception e3) {
            log.error("Error checking token.", e3);
            throw e3;
        }
    }

    private boolean hasPermittedRole(Context context, Set<Role> set) {
        Set set2 = (Set) context.attribute(Attribute.USER_CLIENT_ROLES);
        for (Role role : set) {
            if ((role instanceof NamedRole) && set2.contains(((NamedRole) role).name)) {
                return true;
            }
        }
        return false;
    }

    /* JADX WARN: Type inference failed for: r3v3, types: [info.unterrainer.commons.httpserver.jsons.UserDataJson$UserDataJsonBuilder] */
    private TokenVerifier<AccessToken> persistUserInfoInContext(Context context) {
        String header = context.header(HttpHeader.AUTHORIZATION.asString());
        if (header == null || header.isBlank()) {
            return null;
        }
        if (header.toLowerCase().startsWith("bearer ")) {
            header = header.substring(7);
        }
        try {
            TokenVerifier<AccessToken> create = TokenVerifier.create(header, AccessToken.class);
            AccessToken token = create.getToken();
            String preferredUsername = token.getPreferredUsername();
            if (preferredUsername == null) {
                preferredUsername = "unknown";
            }
            context.attribute(Attribute.USER_NAME, preferredUsername);
            context.attribute(Attribute.USER_GIVEN_NAME, token.getGivenName());
            context.attribute(Attribute.USER_FAMILY_NAME, token.getFamilyName());
            context.attribute(Attribute.USER_CLIENT, token.getIssuedFor());
            context.attribute(Attribute.USER_EMAIL, token.getEmail());
            context.attribute(Attribute.USER_EMAIL_VERIFIED, token.getEmailVerified());
            context.attribute(Attribute.USER_REALM_ROLES, token.getRealmAccess().getRoles());
            String str = (String) token.getOtherClaims().get("tenants_read");
            context.attribute(Attribute.USER_CLIENT_ATTRIBUTE_TENANTS_READ, str);
            context.attribute(Attribute.USER_TENANTS_READ_SET, createTenantSetFrom(str));
            String str2 = (String) token.getOtherClaims().get("tenants_write");
            context.attribute(Attribute.USER_CLIENT_ATTRIBUTE_TENANTS_WRITE, str2);
            context.attribute(Attribute.USER_TENANTS_WRITE_SET, createTenantSetFrom(str2));
            Set<String> of = Set.of();
            String issuedFor = token.getIssuedFor();
            if (token.getResourceAccess().containsKey(issuedFor)) {
                of = ((AccessToken.Access) token.getResourceAccess().get(issuedFor)).getRoles();
            }
            context.attribute(Attribute.USER_CLIENT_ROLES, of);
            UserAccessInterceptor userAccessInterceptor = ((HttpServer) context.attribute(Attribute.JAVALIN_SERVER)).getUserAccessInterceptor();
            if (userAccessInterceptor != null) {
                userAccessInterceptor.accept(context, token, UserDataJson.builder().userName(preferredUsername).givenName(token.getGivenName()).client(token.getIssuedFor()).familyName(token.getFamilyName()).email(token.getEmail()).emailVerified(token.getEmailVerified().booleanValue()).realmRoles(token.getRealmAccess().getRoles()).readTenants(str).writeTenants(str2).clientRoles(of).isActive(token.isActive()).isBearer(token.getType().equalsIgnoreCase("bearer")).build());
            }
            if (!token.isActive()) {
                setTokenRejectionReason(context, "Token is inactive.");
                return null;
            }
            if (token.getType().equalsIgnoreCase("bearer")) {
                return create;
            }
            setTokenRejectionReason(context, "Token is no bearer-token.");
            return null;
        } catch (VerificationException e) {
            setTokenRejectionReason(context, "Token was checked and deemed invalid.");
            return null;
        }
    }

    private Object createTenantSetFrom(String str) {
        HashSet hashSet = new HashSet();
        if (str == null || str.isBlank()) {
            return hashSet;
        }
        for (String str2 : str.split(",")) {
            if (!str2.isBlank()) {
                try {
                    hashSet.add(Long.valueOf(Long.parseLong(str2.trim())));
                } catch (NumberFormatException e) {
                }
            }
        }
        return hashSet;
    }

    private void setTokenRejectionReason(Context context, String str) {
        context.attribute(Attribute.KEYCLOAK_TOKEN_REJECTION_REASON, str);
    }
}
