package tv.hd3g.authkit.mod;

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Method;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.resource.ResourceHttpRequestHandler;
import tv.hd3g.authkit.mod.component.AuthKitEndpointsListener;
import tv.hd3g.authkit.mod.dto.LoggedUserTagsTokenDto;
import tv.hd3g.authkit.mod.exception.NotAcceptableSecuredTokenException;
import tv.hd3g.authkit.mod.service.AuditReportService;
import tv.hd3g.authkit.mod.service.AuditReportServiceImpl;
import tv.hd3g.authkit.mod.service.AuthenticationService;
import tv.hd3g.authkit.mod.service.SecuredTokenService;
import tv.hd3g.commons.authkit.AuditAfter;
import tv.hd3g.commons.authkit.CheckBefore;

/* loaded from: input_file:tv/hd3g/authkit/mod/ControllerInterceptor.class */
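/**
 * Spring MVC interceptor that checks the bearer token and the rights attached to
 * it before a controller method runs, and pushes audit events after it completes.
 *
 * <p>Only {@link HandlerMethod} handlers are checked. Any other handler type
 * (static resources, unknown handlers) makes {@link #preHandle} return
 * {@code true} without any token or rights check, so endpoints served by such
 * handlers must not rely on this interceptor for access control.
 *
 * <p>This listing comes from decompiled bytecode; the generic types and the
 * method reference in the rights comparison were restored by hand.
 */
public class ControllerInterceptor implements HandlerInterceptor {
    private static final Logger log = LogManager.getLogger();
    /** Request attribute under which the authenticated user UUID (possibly {@code null}) is stored. */
    public static final String USER_UUID_ATTRIBUTE_NAME = ControllerInterceptor.class.getPackageName() + ".userUUID";
    /** Authorization scheme expected in front of the token, compared case-insensitively. */
    private static final String BEARER = "bearer";

    private final AuditReportService auditService;
    private final SecuredTokenService securedTokenService;
    private final AuthKitEndpointsListener authKitEndpointsListener;
    private final AuthenticationService authenticationService;

    /**
     * Internal signal used to abort {@link #preHandle}: carries the HTTP status to
     * send, plus a log message and its parameters.
     */
    private abstract class BaseInternalException extends Exception {
        private final int statusCode;
        private final String logMessage;
        private final Object[] logContent;

        protected BaseInternalException(int statusCode, String logMessage, Object[] logContent) {
            this.statusCode = statusCode;
            this.logMessage = logMessage;
            this.logContent = logContent;
        }

        /** Reports the rejected request to the audit service. */
        protected abstract void pushAudit(HttpServletRequest httpServletRequest);

        // The two serialization hooks below are empty in this listing, so the fields
        // declared here are neither written nor restored by Java serialization.
        // NOTE(review): confirm against the original source that empty bodies are intended.
        private void writeObject(ObjectOutputStream objectOutputStream) throws IOException {
        }

        private void readObject(ObjectInputStream objectInputStream) throws IOException, ClassNotFoundException {
        }
    }

    /**
     * Rejection answered with HTTP 403. The decompiler reports that this class was
     * originally {@code private}; it is kept as emitted.
     */
    public class Forbidden extends BaseInternalException {
        protected Forbidden(String logMessage, Object... logContent) {
            super(403, logMessage, logContent);
        }

        @Override
        protected void pushAudit(HttpServletRequest httpServletRequest) {
            ControllerInterceptor.this.auditService.interceptForbiddenRequest(httpServletRequest);
        }
    }

    /**
     * Rejection answered with HTTP 401. The decompiler reports that this class was
     * originally {@code private}; it is kept as emitted.
     */
    public class Unauthorized extends BaseInternalException {
        protected Unauthorized(String logMessage, Object... logContent) {
            super(401, logMessage, logContent);
        }

        @Override
        protected void pushAudit(HttpServletRequest httpServletRequest) {
            ControllerInterceptor.this.auditService.interceptUnauthorizedRequest(httpServletRequest);
        }
    }

    public ControllerInterceptor(AuditReportService auditReportService, SecuredTokenService securedTokenService, AuthKitEndpointsListener authKitEndpointsListener, AuthenticationService authenticationService) {
        this.auditService = auditReportService;
        this.securedTokenService = securedTokenService;
        this.authKitEndpointsListener = authKitEndpointsListener;
        this.authenticationService = authenticationService;
    }

    /**
     * Tells whether the handler is one this interceptor checks.
     *
     * @return {@code true} only for a {@link HandlerMethod}; {@code false} for
     *         resource handlers and for any unknown handler type
     */
    private boolean isRequestIsHandle(HttpServletRequest httpServletRequest, Object obj) {
        if (obj instanceof HandlerMethod) {
            return true;
        }
        if (obj instanceof ResourceHttpRequestHandler) {
            Optional.ofNullable(((ResourceHttpRequestHandler) obj).getUrlPathHelper())
                    .map(urlPathHelper -> urlPathHelper.getLookupPathForRequest(httpServletRequest))
                    .ifPresent(lookupPath -> log.trace("HandlerH: {}", lookupPath));
            return false;
        }
        // Fail-open: the caller lets the request through when this returns false.
        log.info("Unknown handler: {}", obj.getClass());
        return false;
    }

    /**
     * Reads the bearer token from the {@code Authorization} header and validates it.
     *
     * @return the token payload, or empty when the header is absent or does not
     *         start with the bearer scheme
     * @throws Unauthorized when the token is rejected by the token service, or when
     *         it is restricted to a host that does not match the request origin
     */
    private Optional<LoggedUserTagsTokenDto> extractAndCheckAuthToken(HttpServletRequest httpServletRequest) throws Unauthorized {
        // regionMatches(ignoreCase) checks the scheme without lower-casing the whole,
        // client-controlled, header value and without depending on the default locale.
        final Optional<String> bearerToken = Optional.ofNullable(httpServletRequest.getHeader("Authorization"))
                .filter(header -> header.regionMatches(true, 0, BEARER, 0, BEARER.length()))
                .map(header -> header.substring(BEARER.length()).trim());
        if (bearerToken.isEmpty()) {
            return Optional.empty();
        }
        try {
            final LoggedUserTagsTokenDto tokenPayload = this.securedTokenService.loggedUserRightsExtractToken(bearerToken.get());
            Objects.requireNonNull(tokenPayload);
            final String onlyForHost = tokenPayload.getOnlyForHost();
            if (onlyForHost != null) {
                // NOTE(review): this restriction is only as trustworthy as the value returned by
                // getOriginalRemoteAddr; if it is derived from a client-supplied forwarding
                // header, confirm that a trusted proxy always sets or overwrites that header.
                InetAddress allowedAddr;
                InetAddress clientAddr;
                try {
                    // getByName may perform a name lookup when given a host name.
                    allowedAddr = InetAddress.getByName(onlyForHost);
                    clientAddr = InetAddress.getByName(AuditReportServiceImpl.getOriginalRemoteAddr(httpServletRequest));
                } catch (UnknownHostException unresolved) {
                    // Fail closed: an unresolvable address on either side rejects the request below.
                    allowedAddr = null;
                    clientAddr = null;
                }
                if (allowedAddr == null || !allowedAddr.equals(clientAddr)) {
                    throw new Unauthorized("Reject request for {} from {} because the actual token contain a IP restriction on {} only", tokenPayload.getUserUUID(), AuditReportServiceImpl.getOriginalRemoteAddr(httpServletRequest), onlyForHost);
                }
            }
            return Optional.of(tokenPayload);
        } catch (NotAcceptableSecuredTokenException rejected) {
            // The rejection detail is not propagated: the client only gets a 401.
            throw new Unauthorized("Invalid JWT in auth request from {}", AuditReportServiceImpl.getOriginalRemoteAddr(httpServletRequest));
        }
    }

    /**
     * Compares the tags carried by the token with the {@link CheckBefore}
     * requirements of the controller method.
     *
     * <p>Access is granted when at least one {@link CheckBefore} has all of its
     * values present in the token tags. A {@link CheckBefore} with no value is
     * therefore satisfied by any token that carries a user UUID.
     *
     * @throws Unauthorized when requirements exist and the token has no user UUID
     * @throws Forbidden when no requirement is fully satisfied
     */
    private void compareUserRightsAndRequestMandatories(HttpServletRequest httpServletRequest, LoggedUserTagsTokenDto loggedUserTagsTokenDto, Method method, AuthKitEndpointsListener.AnnotatedClass annotatedClass) throws BaseInternalException {
        final List<CheckBefore> requireAuthList = annotatedClass.requireAuthList(method);
        if (requireAuthList.isEmpty()) {
            return;
        }
        final String userUUID = loggedUserTagsTokenDto.getUserUUID();
        if (userUUID == null) {
            throw new Unauthorized("Unauthorized user from {}", AuditReportServiceImpl.getOriginalRemoteAddr(httpServletRequest));
        }
        // The decompiled listing referenced an undefined variable here; the tag set
        // is the receiver of contains().
        final Set<String> tags = loggedUserTagsTokenDto.getTags();
        Objects.requireNonNull(tags);
        final boolean noRequirementSatisfied = requireAuthList.stream()
                .noneMatch(checkBefore -> Arrays.stream(checkBefore.value()).allMatch(tags::contains));
        if (noRequirementSatisfied) {
            throw new Forbidden("Forbidden user {} from {} to go to {}", userUUID, AuditReportServiceImpl.getOriginalRemoteAddr(httpServletRequest), httpServletRequest.getRequestURI());
        }
    }

    /**
     * For methods flagged as requiring a reinforced check, verifies against the
     * authentication service that the user is still enabled and still holds every
     * tag present in the token.
     *
     * @throws Unauthorized when the user is no longer enabled or is blocked
     * @throws Forbidden when a tag of the token is no longer among the user rights
     */
    private void checkRenforcedRightsChecks(HttpServletRequest httpServletRequest, AuthKitEndpointsListener.AnnotatedClass annotatedClass, Method method, LoggedUserTagsTokenDto loggedUserTagsTokenDto) throws BaseInternalException {
        if (!annotatedClass.isRequireRenforceCheckBefore(method)) {
            return;
        }
        // NOTE(review): preHandle calls this before the user UUID null check, so a request
        // without a token presumably reaches the service with a null UUID; confirm that
        // isUserEnabledAndNonBlocked(null) fails closed.
        final String userUUID = loggedUserTagsTokenDto.getUserUUID();
        if (!this.authenticationService.isUserEnabledAndNonBlocked(userUUID)) {
            throw new Unauthorized("User {} is now disabled/blocked before last login", userUUID);
        }
        final Set<String> currentRights = this.authenticationService
                .getRightsForUser(userUUID, AuditReportServiceImpl.getOriginalRemoteAddr(httpServletRequest))
                .stream()
                .distinct()
                .collect(Collectors.toUnmodifiableSet());
        for (final String tokenTag : loggedUserTagsTokenDto.getTags()) {
            if (!currentRights.contains(tokenTag)) {
                throw new Forbidden("User {} has lost some rights (like {}) before last login from {}", userUUID, tokenTag, AuditReportServiceImpl.getOriginalRemoteAddr(httpServletRequest));
            }
        }
    }

    /**
     * Authenticates and authorizes the request before the controller method runs.
     *
     * @return {@code true} to let the request continue (including for handlers
     *         this interceptor does not check); {@code false} after a 401/403
     *         error has been sent
     * @throws IOException if sending the error response fails
     */
    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj) throws IOException {
        if (!isRequestIsHandle(httpServletRequest, obj)) {
            return true;
        }
        try {
            // No bearer token: continue with a payload that has no user and no tags, so
            // only endpoints without requirements remain reachable.
            final LoggedUserTagsTokenDto tokenPayload = extractAndCheckAuthToken(httpServletRequest).orElse(new LoggedUserTagsTokenDto(null, Set.of(), null));
            final String userUUID = tokenPayload.getUserUUID();
            httpServletRequest.setAttribute(USER_UUID_ATTRIBUTE_NAME, userUUID);
            final HandlerMethod handlerMethod = (HandlerMethod) obj;
            final Class<?> beanType = handlerMethod.getBeanType();
            final AuthKitEndpointsListener.AnnotatedClass annotatedClass = this.authKitEndpointsListener.getAnnotatedClass(beanType);
            final Method method = handlerMethod.getMethod();
            checkRenforcedRightsChecks(httpServletRequest, annotatedClass, method, tokenPayload);
            compareUserRightsAndRequestMandatories(httpServletRequest, tokenPayload, method, annotatedClass);
            if (userUUID == null) {
                log.info("Request {} {}:{}()", beanType.getSimpleName(), httpServletRequest.getMethod(), handlerMethod.getMethod().getName());
            } else {
                log.info("Request {} {}:{}() {}", beanType.getSimpleName(), httpServletRequest.getMethod(), handlerMethod.getMethod().getName(), userUUID);
            }
            return true;
        } catch (BaseInternalException e) {
            e.pushAudit(httpServletRequest);
            httpServletResponse.reset();
            httpServletResponse.sendError(e.statusCode);
            // logContent can hold request-derived values (remote address, request URI).
            // NOTE(review): confirm the log layout neutralises line breaks, or sanitize
            // these values the way getRequestUserUUID does.
            log.error(e.logMessage, e.logContent);
            return false;
        }
    }

    /**
     * Returns the user UUID stored on the request by {@link #preHandle}, passed
     * through {@code LogSanitizer.sanitize}.
     *
     * @return the sanitized UUID, or empty when the attribute is absent or {@code null}
     */
    public static final Optional<String> getRequestUserUUID(HttpServletRequest httpServletRequest) {
        return Optional.ofNullable(httpServletRequest.getAttribute(USER_UUID_ATTRIBUTE_NAME))
                .map(uuid -> LogSanitizer.sanitize((String) uuid));
    }

    /**
     * Dispatches the {@link AuditAfter} annotations of the controller method to the
     * audit service, grouped by kind: important errors (only when the request ended
     * with an exception), security changes, security usage, and simple events for
     * annotations that set none of the three flags.
     */
    @Override
    public void afterCompletion(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj, Exception exc) throws Exception {
        if (!(obj instanceof HandlerMethod)) {
            return;
        }
        final HandlerMethod handlerMethod = (HandlerMethod) obj;
        final List<AuditAfter> audits = this.authKitEndpointsListener.getAnnotatedClass(handlerMethod.getBeanType()).getAudits(handlerMethod.getMethod());
        if (audits.isEmpty()) {
            return;
        }
        if (exc != null) {
            final List<String> errorNames = audits.stream()
                    .filter(AuditAfter::cantDoErrors)
                    .map(AuditAfter::value)
                    .collect(Collectors.toUnmodifiableList());
            if (!errorNames.isEmpty()) {
                this.auditService.onImportantError(httpServletRequest, errorNames, exc);
            }
        }
        final List<String> changeSecurityNames = audits.stream()
                .filter(AuditAfter::changeSecurity)
                .map(AuditAfter::value)
                .collect(Collectors.toUnmodifiableList());
        if (!changeSecurityNames.isEmpty()) {
            this.auditService.onChangeSecurity(httpServletRequest, changeSecurityNames);
        }
        final List<String> useSecurityNames = audits.stream()
                .filter(AuditAfter::useSecurity)
                .map(AuditAfter::value)
                .collect(Collectors.toUnmodifiableList());
        if (!useSecurityNames.isEmpty()) {
            this.auditService.onUseSecurity(httpServletRequest, useSecurityNames);
        }
        final List<String> simpleEventNames = audits.stream()
                .filter(audit -> !audit.cantDoErrors() && !audit.changeSecurity() && !audit.useSecurity())
                .map(AuditAfter::value)
                .collect(Collectors.toUnmodifiableList());
        if (!simpleEventNames.isEmpty()) {
            this.auditService.onSimpleEvent(httpServletRequest, simpleEventNames);
        }
    }
}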
