package com.aeontronix.kryptotek.rest;

import com.aeontronix.commons.BackendAccessException;
import com.aeontronix.commons.InvalidBackendDataException;
import com.aeontronix.commons.StringUtils;
import com.aeontronix.commons.TimeUtils;
import com.aeontronix.commons.io.BoundedOutputStream;
import com.aeontronix.commons.io.IOUtils;
import com.aeontronix.kryptotek.CryptoEngine;
import com.aeontronix.kryptotek.CryptoUtils;
import com.aeontronix.kryptotek.DigestAlgorithm;
import com.aeontronix.kryptotek.key.SignatureVerificationKey;
import com.aeontronix.kryptotek.key.SigningKey;
import com.aeontronix.kryptotek.rest.AuthenticationFailedException;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.SignatureException;
import java.text.ParseException;
import java.util.Date;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/aeontronix/kryptotek/rest/AuthenticationFilterHelper.class */
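/**
 * Base class for REST authentication filters that verify signed requests and sign responses.
 *
 * <p>Subclasses supply principal lookup and key lookup ({@link #findUserPrincipal},
 * {@link #findVerificationKey}, {@link #findSigningKey}) and a way to hand the buffered request
 * body back to the framework ({@link #replaceDataStream}). This class does the header checks,
 * the timestamp window check, the nonce replay check and the signature verification.
 *
 * @param <P> principal type returned by {@link #findUserPrincipal}
 * @param <Q> framework request type passed through to exceptions and {@link #replaceDataStream}
 */
public abstract class AuthenticationFilterHelper<P, Q> {
    private static final Logger logger = LoggerFactory.getLogger(AuthenticationFilterHelper.class);
    /** Default width, in milliseconds, of the accepted clock window around the server time (5 minutes). */
    public static final long DEFAULT_EXPIRY = 300000;
    /** Maximum request body size in bytes; {@code null} means the body is read without a bound. */
    protected Long contentMaxSize;
    /** Digest used by the engine for both signature verification and response signing. */
    protected DigestAlgorithm digestAlgorithm;
    /** Accepted clock skew in milliseconds: request timestamps outside now ± expiry are rejected. */
    protected long expiry;
    /** Nonce replay detector; the no-op implementation is used unless one is supplied. */
    protected ReplayAttackValidator replayAttackValidator;
    /** Engine performing the cryptographic operations. */
    protected CryptoEngine cryptoEngine;

    /** Uses the default engine, no replay detection, no body size limit, SHA-256 and {@link #DEFAULT_EXPIRY}. */
    public AuthenticationFilterHelper() {
        this(CryptoUtils.getEngine());
    }

    /**
     * Uses the given engine with no replay detection, no body size limit, SHA-256 and {@link #DEFAULT_EXPIRY}.
     *
     * @param cryptoEngine engine performing the cryptographic operations
     */
    public AuthenticationFilterHelper(CryptoEngine cryptoEngine) {
        this(cryptoEngine, new ReplayAttackValidatorNoOpImpl());
    }

    /**
     * Uses the given engine and replay validator with no body size limit, SHA-256 and {@link #DEFAULT_EXPIRY}.
     *
     * @param cryptoEngine          engine performing the cryptographic operations
     * @param replayAttackValidator nonce replay detector
     */
    public AuthenticationFilterHelper(CryptoEngine cryptoEngine, ReplayAttackValidator replayAttackValidator) {
        this(cryptoEngine, null, DigestAlgorithm.SHA256, DEFAULT_EXPIRY, replayAttackValidator);
    }

    /**
     * Fully parameterized constructor.
     *
     * @param cryptoEngine          engine performing the cryptographic operations
     * @param contentMaxSize        maximum request body size in bytes, or {@code null} for no bound
     * @param digestAlgorithm       digest used for signing and verification
     * @param expiry                accepted clock skew in milliseconds
     * @param replayAttackValidator nonce replay detector
     */
    public AuthenticationFilterHelper(CryptoEngine cryptoEngine, Long contentMaxSize, DigestAlgorithm digestAlgorithm,
                                      long expiry, ReplayAttackValidator replayAttackValidator) {
        this.cryptoEngine = cryptoEngine;
        this.contentMaxSize = contentMaxSize;
        this.digestAlgorithm = digestAlgorithm;
        this.expiry = expiry;
        this.replayAttackValidator = replayAttackValidator;
    }

    /**
     * Authenticates a signed REST request and returns the principal it was signed by.
     *
     * <p>Checks, in order: required headers present, timestamp parseable and within the
     * {@link #expiry} window on either side of the server clock, nonce not replayed, principal
     * exists, signature valid. The request body is buffered (bounded by {@link #contentMaxSize}
     * when set) so it can be included in the signed data, and the buffered copy is handed back via
     * {@link #replaceDataStream} so the framework can still read it.
     *
     * @param inputStream request body
     * @param nonce       value of the X-KT-NONCE header
     * @param identity    value of the X-KT-IDENTITY header, used to look up the principal
     * @param timestamp   value of the X-KT-TIMESTAMP header, an ISO-8601 UTC date-time
     * @param signature   base64-encoded request signature
     * @param method      request method, passed to {@link RESTRequestSigner} (presumably the HTTP verb — confirm against RESTRequestSigner)
     * @param path        request path; combined with {@code queryString} as {@code path?queryString}
     * @param queryString raw query string, or {@code null} when the request has none
     * @param request     framework request object, passed through to exceptions and {@link #replaceDataStream}
     * @return the authenticated principal, never {@code null}
     * @throws InvalidRequestException       if a required header is missing, the timestamp is unparseable or outside the window, or the nonce was already seen
     * @throws AuthenticationFailedException if the principal is unknown or the signature does not verify
     * @throws IOException                   if the body cannot be read (or, when bounded, exceeds {@link #contentMaxSize})
     * @throws InvalidBackendDataException   if the principal's key is unusable
     */
    public P authenticateRequest(InputStream inputStream, String nonce, String identity, String timestamp, String signature,
                                 String method, String path, String queryString, Q request)
            throws AuthenticationFailedException, IOException, InvalidRequestException, InvalidBackendDataException {
        if (nonce == null) {
            throw new InvalidRequestException("header X-KT-NONCE missing", request);
        }
        if (identity == null) {
            throw new InvalidRequestException("header X-KT-IDENTITY missing", request);
        }
        if (timestamp == null) {
            throw new InvalidRequestException("header X-KT-TIMESTAMP missing", request);
        }
        if (signature == null) {
            // The header carrying the signature is not named in this class; the message only says what is missing.
            throw new InvalidRequestException("signature header missing", request);
        }
        if (path == null) {
            // A null path would otherwise surface as a NullPointerException from StringBuilder.
            throw new InvalidRequestException("request path missing", request);
        }
        // Cheap header checks first, before any body is buffered.
        checkTimestampWindow(timestamp, request);
        if (this.replayAttackValidator.checkNonceReplay(nonce)) {
            throw new InvalidRequestException("Unauthorized request (duplicated nonce): " + nonce, request);
        }
        StringBuilder uri = new StringBuilder(path);
        if (queryString != null) {
            uri.append('?').append(queryString);
        }
        RESTRequestSigner signer = new RESTRequestSigner(method, uri.toString(), nonce, timestamp, identity);
        byte[] body = readBody(inputStream);
        signer.setContent(body);
        replaceDataStream(request, new ByteArrayInputStream(body));
        P principal = findUserPrincipal(identity);
        if (principal == null) {
            throw new AuthenticationFailedException("Unauthorized request (principal not found): " + identity,
                    AuthenticationFailedException.Reason.USER_NOT_FOUND, request);
        }
        if (!verifySignature(identity, principal, signer.getDataToSign(), signature)) {
            throw new AuthenticationFailedException("Unauthorized request (invalid signature): " + signer.toString(),
                    AuthenticationFailedException.Reason.INVALID_SIGNATURE, request);
        }
        return principal;
    }

    /**
     * Rejects timestamps that are unparseable or further than {@link #expiry} milliseconds from the server clock,
     * in either direction. Rejecting stale timestamps (not only future ones) is what bounds the replay window
     * when the replay validator is the no-op implementation.
     */
    private void checkTimestampWindow(String timestamp, Q request) throws InvalidRequestException {
        Date requestTime;
        try {
            requestTime = TimeUtils.parseISOUTCDateTime(timestamp);
        } catch (ParseException e) {
            throw new InvalidRequestException("Invalid timestamp: " + timestamp, e);
        }
        long skew = requestTime.getTime() - System.currentTimeMillis();
        if (skew > this.expiry || skew < -this.expiry) {
            throw new InvalidRequestException("Unauthorized request (expired timestamp): " + timestamp, request);
        }
    }

    /**
     * Buffers the whole request body in memory. When {@link #contentMaxSize} is set the copy goes through a
     * {@link BoundedOutputStream}, which is expected to stop the copy once the limit is exceeded (its third
     * argument is passed as {@code true}; confirm its exact semantics in BoundedOutputStream).
     */
    private byte[] readBody(InputStream inputStream) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        if (this.contentMaxSize != null) {
            IOUtils.copy(inputStream, new BoundedOutputStream(buffer, this.contentMaxSize.longValue(), true));
        } else {
            IOUtils.copy(inputStream, buffer);
        }
        return buffer.toByteArray();
    }

    /**
     * Hands the buffered request body back to the framework so downstream code can still read it.
     *
     * @param request     framework request object
     * @param inputStream buffered copy of the body
     */
    protected abstract void replaceDataStream(Q request, InputStream inputStream);

    /**
     * Verifies {@code encodedSignature} over {@code data} with the principal's verification key.
     *
     * @return {@code true} if the signature verifies; {@code false} if the principal has no verification key
     *         or the signature does not match
     * @throws InvalidBackendDataException if the stored key is rejected by the engine
     */
    private boolean verifySignature(String identity, P principal, byte[] data, String encodedSignature)
            throws BackendAccessException, InvalidBackendDataException {
        // NOTE(review): base64Decode's behaviour on malformed input is not visible here; a malformed
        // signature header may surface as an unchecked exception rather than an authentication failure.
        byte[] rawSignature = StringUtils.base64Decode(encodedSignature);
        if (logger.isDebugEnabled()) {
            // Fingerprints only, so neither the signed data nor the signature itself lands in the log.
            logger.debug("Verifying REST request - principal: " + principal + " data: " + CryptoUtils.fingerprint(data)
                    + " signature: " + CryptoUtils.fingerprint(rawSignature));
        }
        SignatureVerificationKey key = findVerificationKey(principal);
        if (key == null) {
            return false;
        }
        try {
            this.cryptoEngine.verifySignature(key, this.digestAlgorithm, data, rawSignature);
            return true;
        } catch (InvalidKeyException e) {
            throw new InvalidBackendDataException("Invalid key for principal " + identity
                    + " found while verifying signature: " + e.getMessage(), e);
        } catch (SignatureException e) {
            // A mismatching signature is an authentication failure, not a backend error.
            logger.debug("Signature verification failed for principal {}", identity, e);
            return false;
        }
    }

    /**
     * Signs a response body with the principal's signing key.
     *
     * @param principal principal whose signing key is used
     * @param data      response body to sign
     * @return the base64-encoded signature
     * @throws InvalidBackendDataException if the principal has no signing key or the key is rejected by the engine
     */
    public String signResponse(P principal, byte[] data) throws BackendAccessException, InvalidBackendDataException {
        SigningKey signingKey = findSigningKey(principal);
        if (signingKey == null) {
            logger.error("Unable to find key for response signing: ");
            throw new InvalidBackendDataException("Unable to find key for response signing: ");
        }
        try {
            return StringUtils.base64Encode(this.cryptoEngine.sign(signingKey, this.digestAlgorithm, data));
        } catch (InvalidKeyException e) {
            throw new InvalidBackendDataException("Invalid key: " + e.getMessage(), e);
        }
    }

    /**
     * Looks up the principal named by the X-KT-IDENTITY header.
     *
     * @return the principal, or {@code null} if none exists for {@code identity}
     */
    protected abstract P findUserPrincipal(String identity) throws BackendAccessException;

    /**
     * Looks up the key used to verify request signatures from {@code principal}.
     *
     * @return the verification key, or {@code null} if the principal has none
     */
    protected abstract SignatureVerificationKey findVerificationKey(P principal) throws BackendAccessException;

    /**
     * Looks up the key used to sign responses to {@code principal}.
     *
     * @return the signing key, or {@code null} if the principal has none
     */
    protected abstract SigningKey findSigningKey(P principal) throws BackendAccessException;
}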
