package org.mycore.restapi;

import com.auth0.jwt.JWT;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.io.IOException;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import javax.annotation.Priority;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.InternalServerErrorException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.CacheControl;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import org.apache.commons.io.output.ProxyOutputStream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.mycore.common.MCRSession;
import org.mycore.common.MCRSessionMgr;
import org.mycore.common.MCRSystemUserInformation;
import org.mycore.common.MCRUserInformation;
import org.mycore.frontend.MCRFrontendUtil;
import org.mycore.frontend.jersey.MCRJWTUtil;
import org.mycore.frontend.jersey.resources.MCRJWTResource;
import org.mycore.restapi.v1.MCRRestAPIAuthentication;
import org.mycore.restapi.v1.utils.MCRRestAPIUtil;
import org.mycore.user2.MCRUser;
import org.mycore.user2.MCRUserManager;

@Provider
@Priority(1000)
/* loaded from: input_file:org/mycore/restapi/MCRSessionFilter.class */
public class MCRSessionFilter implements ContainerRequestFilter, ContainerResponseFilter {
    public static final Logger LOGGER = LogManager.getLogger();
    private static final String PROP_RENEW_JWT = "mcr:renewJWT";

    @Context
    HttpServletRequest httpServletRequest;

    @Context
    Application app;

    /* loaded from: input_file:org/mycore/restapi/MCRSessionFilter$MCRJWTUserInformation.class */
    private static class MCRJWTUserInformation implements MCRUserInformation {
        private final DecodedJWT jwt;

        MCRJWTUserInformation(DecodedJWT decodedJWT) {
            this.jwt = decodedJWT;
        }

        public String getUserID() {
            return this.jwt.getSubject();
        }

        public boolean isUserInRole(String str) {
            Stream of = Stream.of(this.jwt.getClaim("mcr:roles").asArray(String.class));
            Objects.requireNonNull(str);
            return of.anyMatch((v1) -> {
                return r1.equals(v1);
            });
        }

        public String getUserAttribute(String str) {
            if ("realName".equals(str)) {
                return this.jwt.getClaim("name").asString();
            }
            if ("eMail".equals(str)) {
                return this.jwt.getClaim("email").asString();
            }
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/mycore/restapi/MCRSessionFilter$MCRRestSecurityContext.class */
    public static class MCRRestSecurityContext implements SecurityContext {
        private final MCRUserInformation ui;
        private final boolean isSecure;
        private final Principal principal;

        MCRRestSecurityContext(MCRUserInformation mCRUserInformation, boolean z) {
            Objects.requireNonNull(mCRUserInformation);
            this.principal = mCRUserInformation::getUserID;
            this.ui = mCRUserInformation;
            this.isSecure = z;
        }

        public Principal getUserPrincipal() {
            return this.principal;
        }

        public boolean isUserInRole(String str) {
            return this.ui.isUserInRole(str);
        }

        public boolean isSecure() {
            return this.isSecure;
        }

        public String getAuthenticationScheme() {
            if (this.ui.getUserID().equals(MCRSystemUserInformation.getGuestInstance().getUserID())) {
                return null;
            }
            if (this.ui instanceof MCRUser) {
                return "BASIC";
            }
            if (this.ui instanceof MCRJWTUserInformation) {
                return "BEARER";
            }
            return null;
        }
    }

    private static void addJWTToResponse(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) {
        MCRSession currentSession = MCRSessionMgr.getCurrentSession();
        Optional ofNullable = Optional.ofNullable(containerRequestContext.getProperty(PROP_RENEW_JWT));
        Class<Boolean> cls = Boolean.class;
        Objects.requireNonNull(Boolean.class);
        boolean booleanValue = ((Boolean) ofNullable.map(cls::cast).orElse(Boolean.FALSE)).booleanValue();
        Optional.ofNullable(containerRequestContext.getHeaderString("Authorization")).filter(str -> {
            return str.startsWith("Bearer ");
        }).filter(str2 -> {
            return !containerResponseContext.getStatusInfo().getFamily().equals(Response.Status.Family.CLIENT_ERROR);
        }).filter(str3 -> {
            return containerResponseContext.getHeaderString("Authorization") == null;
        }).map(str4 -> {
            return booleanValue ? "Bearer " + MCRRestAPIAuthentication.getToken(currentSession.getUserInformation(), currentSession.getCurrentIP()).orElseThrow(() -> {
                return new InternalServerErrorException("Could not get JSON Web Token");
            }) : str4;
        }).ifPresent(str5 -> {
            containerResponseContext.getHeaders().putSingle("Authorization", str5);
            Optional.ofNullable(containerRequestContext.getHeaderString("Cache-Control")).map(CacheControl::valueOf).filter(cacheControl -> {
                return !cacheControl.isPrivate();
            }).ifPresent(cacheControl2 -> {
                cacheControl2.setPrivate(true);
                containerResponseContext.getHeaders().putSingle("Cache-Control", cacheControl2);
            });
        });
    }

    public void filter(ContainerRequestContext containerRequestContext) {
        LOGGER.debug("Filter start.");
        boolean isSecure = containerRequestContext.getSecurityContext().isSecure();
        if (MCRSessionMgr.hasCurrentSession()) {
            throw new InternalServerErrorException("Session is already attached.");
        }
        MCRSessionMgr.unlock();
        MCRSession currentSession = MCRSessionMgr.getCurrentSession();
        currentSession.setCurrentIP(MCRFrontendUtil.getRemoteAddr(this.httpServletRequest));
        currentSession.beginTransaction();
        Optional empty = Optional.empty();
        String headerString = containerRequestContext.getHeaderString("Authorization");
        if (headerString == null) {
            LOGGER.debug("No 'Authorization' header");
            return;
        }
        if (headerString.startsWith("Basic ")) {
            LOGGER.debug("Using 'Basic' authentication.");
            String str = new String(Base64.getDecoder().decode(headerString.substring("Basic ".length()).trim().getBytes(StandardCharsets.ISO_8859_1)), StandardCharsets.ISO_8859_1);
            if (str != null && str.contains(":")) {
                String[] split = str.split(":");
                Optional ofNullable = Optional.ofNullable(MCRUserManager.checkPassword(split[0], split[1]));
                Class<MCRUserInformation> cls = MCRUserInformation.class;
                Objects.requireNonNull(MCRUserInformation.class);
                empty = (Optional) ofNullable.map((v1) -> {
                    return r1.cast(v1);
                }).map((v0) -> {
                    return Optional.of(v0);
                }).orElseThrow(() -> {
                    LinkedHashMap linkedHashMap = new LinkedHashMap();
                    linkedHashMap.put("error", "invalid_login");
                    linkedHashMap.put("error_description", "Wrong login or password.");
                    return new NotAuthorizedException(Response.status(Response.Status.UNAUTHORIZED).header("WWW-Authenticate", MCRRestAPIUtil.getWWWAuthenticateHeader(null, linkedHashMap, this.app)).build());
                });
            }
        }
        if (headerString.startsWith("Bearer ")) {
            LOGGER.debug("Using 'JSON Web Token' authentication.");
            String trim = headerString.substring("Bearer ".length()).trim();
            try {
                DecodedJWT verify = JWT.require(MCRJWTUtil.getJWTAlgorithm()).build().verify(trim);
                checkIPClaim(verify.getClaim("mcr:ip"), MCRFrontendUtil.getRemoteAddr(this.httpServletRequest));
                Optional findAny = verify.getAudience().stream().filter(str2 -> {
                    return "mcr:session".equals(str2) || MCRRestAPIAuthentication.AUDIENCE.equals(str2);
                }).findAny();
                if (findAny.isPresent()) {
                    String str3 = (String) findAny.get();
                    boolean z = -1;
                    switch (str3.hashCode()) {
                        case -1135682653:
                            if (str3.equals(MCRRestAPIAuthentication.AUDIENCE)) {
                                z = true;
                                break;
                            }
                            break;
                        case -476776776:
                            if (str3.equals("mcr:session")) {
                                z = false;
                                break;
                            }
                            break;
                    }
                    switch (z) {
                        case false:
                            MCRJWTResource.validate(trim);
                            break;
                        case true:
                            containerRequestContext.setProperty(PROP_RENEW_JWT, true);
                            MCRRestAPIAuthentication.validate(trim);
                            break;
                        default:
                            LOGGER.warn("Cannot validate JWT for '{}' audience.", findAny.get());
                            break;
                    }
                }
                empty = Optional.of(new MCRJWTUserInformation(verify));
            } catch (JWTVerificationException e) {
                LOGGER.error(e.getMessage());
                LinkedHashMap linkedHashMap = new LinkedHashMap();
                linkedHashMap.put("error", "invalid_token");
                linkedHashMap.put("error_description", e.getMessage());
                throw new NotAuthorizedException(e.getMessage(), e, MCRRestAPIUtil.getWWWAuthenticateHeader("Bearer", linkedHashMap, this.app), new Object[0]);
            }
        }
        if (!empty.isPresent()) {
            LOGGER.warn(() -> {
                return "Unsupported Authorization header: " + headerString;
            });
        }
        empty.ifPresent(mCRUserInformation -> {
            currentSession.setUserInformation(mCRUserInformation);
            containerRequestContext.setSecurityContext(new MCRRestSecurityContext(mCRUserInformation, isSecure));
        });
        LOGGER.info("user detected: " + currentSession.getUserInformation().getUserID());
    }

    private static void checkIPClaim(Claim claim, String str) {
        try {
            if (claim.isNull() || !MCRFrontendUtil.isIPAddrAllowed(claim.asString(), str)) {
                throw new JWTVerificationException("The Claim 'mcr:ip' value doesn't match the required one.");
            }
        } catch (UnknownHostException e) {
            throw new JWTVerificationException("The Claim 'mcr:ip' value doesn't match the required one.", e);
        }
    }

    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) {
        LOGGER.debug("ResponseFilter start");
        try {
            MCRSessionMgr.unlock();
            MCRSession currentSession = MCRSessionMgr.getCurrentSession();
            if (containerResponseContext.getStatus() == Response.Status.FORBIDDEN.getStatusCode() && currentSession.getUserInformation().getUserID().equals(MCRSystemUserInformation.getGuestInstance().getUserID())) {
                LOGGER.debug("Guest detected, change response from FORBIDDEN to UNAUTHORIZED.");
                containerResponseContext.setStatus(Response.Status.UNAUTHORIZED.getStatusCode());
                containerResponseContext.getHeaders().putSingle("WWW-Authenticate", MCRRestAPIUtil.getWWWAuthenticateHeader("Basic", null, this.app));
            }
            if (containerResponseContext.getStatus() == Response.Status.UNAUTHORIZED.getStatusCode() && doNotWWWAuthenticate(containerRequestContext)) {
                LOGGER.debug("Remove {} header.", "WWW-Authenticate");
                containerResponseContext.getHeaders().remove("WWW-Authenticate");
            }
            addJWTToResponse(containerRequestContext, containerResponseContext);
            if (containerResponseContext.hasEntity()) {
                containerResponseContext.setEntityStream(new ProxyOutputStream(containerResponseContext.getEntityStream()) { // from class: org.mycore.restapi.MCRSessionFilter.1
                    public void close() throws IOException {
                        MCRSessionFilter.LOGGER.debug("Closing EntityStream");
                        try {
                            super.close();
                            MCRSessionFilter.closeSessionIfNeeded();
                            MCRSessionFilter.LOGGER.debug("Closing EntityStream done");
                        } catch (Throwable th) {
                            MCRSessionFilter.closeSessionIfNeeded();
                            MCRSessionFilter.LOGGER.debug("Closing EntityStream done");
                            throw th;
                        }
                    }
                });
            } else {
                LOGGER.debug("No Entity in response, closing MCRSession");
                closeSessionIfNeeded();
            }
            LOGGER.debug("ResponseFilter stop");
        } catch (Throwable th) {
            LOGGER.debug("ResponseFilter stop");
            throw th;
        }
    }

    private static boolean doNotWWWAuthenticate(ContainerRequestContext containerRequestContext) {
        return "XMLHttpRequest".equals(containerRequestContext.getHeaderString("X-Requested-With")) || containerRequestContext.getAcceptableMediaTypes().stream().findFirst().filter(mediaType -> {
            return "image".equals(mediaType.getType());
        }).isPresent();
    }

    private static void closeSessionIfNeeded() {
        if (MCRSessionMgr.hasCurrentSession()) {
            MCRSession currentSession = MCRSessionMgr.getCurrentSession();
            try {
                if (currentSession.isTransactionActive()) {
                    LOGGER.debug("Active MCRSession and JPA-Transaction found. Clearing up");
                    if (currentSession.transactionRequiresRollback()) {
                        currentSession.rollbackTransaction();
                    } else {
                        currentSession.commitTransaction();
                    }
                } else {
                    LOGGER.debug("Active MCRSession found. Clearing up");
                }
                MCRSessionMgr.releaseCurrentSession();
                currentSession.close();
                LOGGER.debug("Session closed.");
            } catch (Throwable th) {
                MCRSessionMgr.releaseCurrentSession();
                currentSession.close();
                LOGGER.debug("Session closed.");
                throw th;
            }
        }
    }
}
