package de.adorsys.opba.api.security.internal.filter;

import com.google.common.io.CharStreams;
import de.adorsys.opba.api.security.external.domain.FilterValidationHeaderValues;
import de.adorsys.opba.api.security.external.domain.HttpHeaders;
import de.adorsys.opba.api.security.generator.api.DataToSignProvider;
import de.adorsys.opba.api.security.generator.api.RequestToSign;
import de.adorsys.opba.api.security.internal.service.RequestVerifyingService;
import de.adorsys.opba.api.security.requestsigner.OpenBankingDataToSignProvider;
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.time.temporal.TemporalAmount;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/opba-api-security-0.20.0.2-RC1.jar:de/adorsys/opba/api/security/internal/filter/RequestSignatureValidationFilter.class */
public class RequestSignatureValidationFilter implements Filter {

    @Generated
    private static final Logger log = LoggerFactory.getLogger((Class<?>) RequestSignatureValidationFilter.class);
    private final RequestVerifyingService requestVerifyingService;
    private final Duration requestTimeLimit;
    private final ConcurrentMap<String, String> consumerKeysMap;

    public RequestSignatureValidationFilter(RequestVerifyingService requestVerifyingService, Duration duration, ConcurrentMap<String, String> concurrentMap) {
        this.requestVerifyingService = requestVerifyingService;
        this.requestTimeLimit = duration;
        this.consumerKeysMap = concurrentMap;
    }

    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        FilterValidationHeaderValues buildRequestValidationData = buildRequestValidationData(httpServletRequest);
        if (isUnparsableRequestTimeStamp(buildRequestValidationData.getRequestTimeStamp(), httpServletResponse) || isMissingFintechId(buildRequestValidationData.getFintechId(), httpServletResponse) || isUnparsableXRequestId(buildRequestValidationData.getXRequestId(), httpServletResponse)) {
            return;
        }
        Instant parse = Instant.parse(buildRequestValidationData.getRequestTimeStamp());
        String str = this.consumerKeysMap.get(buildRequestValidationData.getFintechId());
        if (!isMissingFintechApiKey(str, buildRequestValidationData.getFintechId(), httpServletResponse) && validateVerificationResult(verifyRequestSignature(httpServletRequest, str), httpServletResponse) && validateExpirationDate(parse, httpServletResponse)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        }
    }

    private boolean isMissingFintechApiKey(String str, String str2, HttpServletResponse httpServletResponse) throws IOException {
        if (str != null) {
            return false;
        }
        log.error("Api key for fintech ID {} has not found ", str2);
        httpServletResponse.sendError(404, "Wrong Fintech ID");
        return true;
    }

    private boolean isUnparsableRequestTimeStamp(String str, HttpServletResponse httpServletResponse) throws IOException {
        if (str == null) {
            log.error("Required 'X-Timestamp-UTC' header is missing");
            httpServletResponse.sendError(404, "X-Timestamp-UTC is missing");
            return true;
        }
        try {
            Instant.parse(str);
            return false;
        } catch (DateTimeParseException e) {
            log.error("'X-Timestamp-UTC' header is not a valid ISO8601 date");
            httpServletResponse.sendError(404, "Wrong X-Timestamp-UTC");
            return true;
        }
    }

    private boolean isUnparsableXRequestId(String str, HttpServletResponse httpServletResponse) throws IOException {
        if (str == null) {
            log.error("Required 'X-Request-ID' header is missing");
            httpServletResponse.sendError(404, "X-Request-ID is missing");
            return true;
        }
        try {
            UUID.fromString(str);
            return false;
        } catch (IllegalArgumentException e) {
            log.error("''X-Request-ID' header is not a valid UUID");
            httpServletResponse.sendError(404, "Wrong X-Request-ID");
            return true;
        }
    }

    private boolean isMissingFintechId(String str, HttpServletResponse httpServletResponse) throws IOException {
        if (str != null) {
            return false;
        }
        log.error("'Fintech-ID' header is missing");
        httpServletResponse.sendError(404, "Fintech ID is missing");
        return true;
    }

    private boolean validateVerificationResult(boolean z, HttpServletResponse httpServletResponse) throws IOException {
        if (z) {
            return true;
        }
        log.error("Signature verification error ");
        httpServletResponse.sendError(404, "Signature verification error");
        return false;
    }

    private boolean validateExpirationDate(Instant instant, HttpServletResponse httpServletResponse) throws IOException {
        if (!isRequestExpired(instant)) {
            return true;
        }
        log.error("Timestamp validation failed");
        httpServletResponse.sendError(404, "Timestamp validation failed");
        return false;
    }

    private boolean verifyRequestSignature(HttpServletRequest httpServletRequest, String str) {
        OpenBankingDataToSignProvider openBankingDataToSignProvider = new OpenBankingDataToSignProvider();
        RequestToSign build = RequestToSign.builder().method(DataToSignProvider.HttpMethod.valueOf(httpServletRequest.getMethod())).path(httpServletRequest.getRequestURI()).headers(extractHeaders(httpServletRequest)).queryParams(extractQueryParams(httpServletRequest)).body(httpServletRequest.getContentLengthLong() >= 0 ? CharStreams.toString(httpServletRequest.getReader()) : null).build();
        return this.requestVerifyingService.verify(httpServletRequest.getHeader(HttpHeaders.X_REQUEST_SIGNATURE), str, openBankingDataToSignProvider.normalizerFor(build).canonicalStringToSign(build));
    }

    private Map<String, String> extractHeaders(HttpServletRequest httpServletRequest) {
        HashMap hashMap = new HashMap();
        Enumeration<String> headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String nextElement = headerNames.nextElement();
            if (!HttpHeaders.X_REQUEST_SIGNATURE.toLowerCase().equals(nextElement.toLowerCase())) {
                hashMap.put(nextElement, httpServletRequest.getHeader(nextElement));
            }
        }
        return hashMap;
    }

    private Map<String, String> extractQueryParams(HttpServletRequest httpServletRequest) {
        HashMap hashMap = new HashMap();
        Enumeration<String> parameterNames = httpServletRequest.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String nextElement = parameterNames.nextElement();
            hashMap.put(nextElement, httpServletRequest.getParameter(nextElement));
        }
        return hashMap;
    }

    private boolean isRequestExpired(Instant instant) {
        Instant now = Instant.now();
        return now.plus((TemporalAmount) this.requestTimeLimit).isBefore(instant) || now.minus((TemporalAmount) this.requestTimeLimit).isAfter(instant);
    }

    private FilterValidationHeaderValues buildRequestValidationData(HttpServletRequest httpServletRequest) {
        return FilterValidationHeaderValues.builder().fintechId(httpServletRequest.getHeader(HttpHeaders.FINTECH_ID)).xRequestId(httpServletRequest.getHeader("X-Request-ID")).requestTimeStamp(httpServletRequest.getHeader(HttpHeaders.X_TIMESTAMP_UTC)).build();
    }
}
