package edu.utexas.tacc.tapis.sharedapi.jaxrs.filters;

import edu.utexas.tacc.tapis.shared.exceptions.TapisSecurityException;
import edu.utexas.tacc.tapis.shared.i18n.MsgUtils;
import edu.utexas.tacc.tapis.shared.parameters.TapisEnv;
import edu.utexas.tacc.tapis.shared.threadlocal.TapisThreadContext;
import edu.utexas.tacc.tapis.shared.threadlocal.TapisThreadLocal;
import edu.utexas.tacc.tapis.shared.utils.TapisUtils;
import edu.utexas.tacc.tapis.sharedapi.keys.KeyManager;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.Jwts;
import java.security.KeyStoreException;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

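/**
 * JAX-RS request filter that authenticates a request with a tenant-scoped JWT.
 *
 * <p>The token travels in a request header named {@code x-jwt-assertion-<tenant>}: the tenant id is
 * taken from the header name (after {@link TapisUtils#transformRawTenantId}), the compact JWT from
 * the header value. Unless a development-only override is set, the token's signature is verified
 * against the public key of the {@value #DEFAULT_KEY_ALIAS} certificate held in the key store managed
 * by {@link KeyManager}. On success the tenant id, end user and roles are stored in the
 * {@link TapisThreadContext}; on failure the request is aborted with HTTP 401.
 *
 * <p>Two environment-only switches relax the checks and must never be set outside development:
 * {@code TAPIS_ENVONLY_JWT_OPTIONAL} lets requests without a JWT through unauthenticated, and
 * {@code TAPIS_ENVONLY_SKIP_JWT_VERIFY} accepts the token's claims without signature verification.
 *
 * <p>Note that the tenant id comes from the header name only; no JWT claim is compared against it
 * here.
 *
 * <p>Thread-safety: the verification key is cached in a volatile static field published under
 * double-checked locking; everything else is per-request state.
 */
@Provider
@Priority(1000)
public class JWTValidateRequestFilter implements ContainerRequestFilter {
    /** Header-name prefix; the remainder of the name is the raw tenant id. */
    private static final String JWT_PREFIX = "x-jwt-assertion-";
    /** Alias of the key-store certificate whose public key verifies JWT signatures. */
    public static final String DEFAULT_KEY_ALIAS = "wso2";
    private static final Logger _log = LoggerFactory.getLogger(JWTValidateRequestFilter.class);
    // Path prefixes that bypass authentication. Matching is by prefix, so an entry such as "/foo"
    // would also exempt "/foobar"; any entry added here should be an exact path or a terminated
    // prefix. Currently empty: every request is authenticated.
    private static final String[] _noAuthRequests = new String[0];
    // Cached verification key. volatile is required by the double-checked locking in
    // getJwtPublicKey(): without it an unsynchronized reader may observe a partially published object.
    private static volatile PublicKey _jwtPublicKey;

    /**
     * Authenticates the request or aborts it with 401.
     *
     * <p>Tenant id and token are read from the same {@code x-jwt-assertion-*} header entry, so a
     * second such header with an empty value cannot re-label the token's tenant. If several headers
     * carry a token, the last one in the header map's iteration order wins.
     *
     * @param requestContext the JAX-RS request; aborted with 401 on any authentication failure
     */
    @Override
    public void filter(ContainerRequestContext requestContext) {
        if (_log.isTraceEnabled()) {
            _log.trace("Executing JAX-RX request filter: " + getClass().getSimpleName() + ".");
        }
        if (isNoAuthRequest(requestContext)) {
            return;
        }

        // NOTE(review): the prefix comparison is case-sensitive; whether the JAX-RS header map
        // presents names in the sender's casing depends on the container — confirm.
        String tenantId = null;
        String encodedJwt = null;
        for (Map.Entry<String, List<String>> header : requestContext.getHeaders().entrySet()) {
            String name = header.getKey();
            if (name == null || !name.startsWith(JWT_PREFIX)) {
                continue;
            }
            List<String> values = header.getValue();
            if (values == null || values.isEmpty() || StringUtils.isBlank(values.get(0))) {
                continue;
            }
            tenantId = TapisUtils.transformRawTenantId(name.substring(JWT_PREFIX.length()));
            encodedJwt = values.get(0);
        }

        if (StringUtils.isBlank(encodedJwt) || StringUtils.isBlank(tenantId)) {
            // Development-only override: unauthenticated requests pass with an empty thread context.
            if (TapisEnv.getBoolean(TapisEnv.EnvVar.TAPIS_ENVONLY_JWT_OPTIONAL)) {
                return;
            }
            String msg = MsgUtils.getMsg("TAPIS_SECURITY_MISSING_JWT_INFO",
                                         new Object[]{requestContext.getMethod()});
            abortUnauthorized(requestContext, msg, null);
            return;
        }

        try {
            // Development-only override: with TAPIS_ENVONLY_SKIP_JWT_VERIFY the claims are accepted
            // without a signature check, so any caller can assert any identity and roles.
            Jwt<?, ?> jwt = TapisEnv.getBoolean(TapisEnv.EnvVar.TAPIS_ENVONLY_SKIP_JWT_VERIFY)
                ? decodeJwt(encodedJwt)
                : decodeAndVerifyJwt(encodedJwt);
            if (jwt == null) {
                String msg = MsgUtils.getMsg("TAPIS_SECURITY_JWT_DECODE_ERROR",
                    new Object[]{encodedJwt, "Null JWT encountered in " + getClass().getSimpleName() + "."});
                abortUnauthorized(requestContext, msg, null);
                return;
            }

            // A token whose body is not a claims set (e.g. a plaintext JWT) fails this cast with a
            // ClassCastException, which the catch below turns into a 401.
            Claims claims = (Claims) jwt.getBody();
            String user = null;
            String roles = null;
            if (claims != null) {
                user = getUser(claims);
                roles = getRoles(claims);
            }

            TapisThreadContext threadContext =
                (TapisThreadContext) TapisThreadLocal.tapisThreadContext.get();
            threadContext.setTenantId(tenantId); // non-blank: checked above
            if (!StringUtils.isBlank(user)) {
                threadContext.setUser(user);
            }
            if (!StringUtils.isBlank(roles)) {
                threadContext.setRoles(roles);
            }
        } catch (Exception e) {
            // Boundary catch: every parse, verification or claim-extraction failure becomes a 401.
            // The message includes the raw token, which therefore appears in the log line and in the
            // response body sent back to the caller that supplied it.
            String msg = MsgUtils.getMsg("TAPIS_SECURITY_JWT_DECODE_ERROR",
                                         new Object[]{encodedJwt, e.getMessage()});
            abortUnauthorized(requestContext, msg, e);
        }
    }

    /**
     * Logs {@code msg} at error level (with {@code cause} when non-null) and aborts the request
     * with HTTP 401 carrying {@code msg} as the entity.
     */
    private static void abortUnauthorized(ContainerRequestContext requestContext, String msg,
                                          Throwable cause) {
        if (cause == null) {
            _log.error(msg);
        } else {
            _log.error(msg, cause);
        }
        requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg).build());
    }

    /**
     * Parses a JWT <em>without</em> verifying its signature. The third segment of the compact
     * serialization (the signature) is dropped so the parser treats the token as unsigned. Only used
     * under {@code TAPIS_ENVONLY_SKIP_JWT_VERIFY}; the returned claims are unauthenticated.
     *
     * @param encodedJwt compact JWT, may be null
     * @return the parsed token, or null when {@code encodedJwt} is null
     * @throws TapisSecurityException if the token cannot be parsed
     */
    private Jwt<?, ?> decodeJwt(String encodedJwt) throws TapisSecurityException {
        if (encodedJwt == null) {
            return null;
        }
        // Keep everything up to and including the last '.'. A token without any '.' collapses to
        // the empty string and fails to parse below; a token already ending in '.' is left as is.
        String unsigned = encodedJwt;
        int lastDot = encodedJwt.lastIndexOf('.');
        if (lastDot + 1 < encodedJwt.length()) {
            unsigned = encodedJwt.substring(0, lastDot + 1);
        }
        try {
            return Jwts.parser().parse(unsigned);
        } catch (Exception e) {
            String msg = MsgUtils.getMsg("TAPIS_SECURITY_JWT_PARSE_ERROR", new Object[]{e.getMessage()});
            _log.error(msg, e);
            throw new TapisSecurityException(msg, e);
        }
    }

    /**
     * Parses a JWT and verifies its signature with the cached public key (see
     * {@link #getJwtPublicKey()}). Signature mismatch, malformed input and any other parser
     * rejection surface as a {@link TapisSecurityException}.
     *
     * @param encodedJwt compact JWT, may be null
     * @return the parsed, signature-verified token, or null when {@code encodedJwt} is null
     * @throws TapisSecurityException if the key cannot be loaded or the token is rejected
     */
    private Jwt<?, ?> decodeAndVerifyJwt(String encodedJwt) throws TapisSecurityException {
        if (encodedJwt == null) {
            return null;
        }
        try {
            return Jwts.parser().setSigningKey(getJwtPublicKey()).parse(encodedJwt);
        } catch (Exception e) {
            String msg = MsgUtils.getMsg("TAPIS_SECURITY_JWT_PARSE_ERROR", new Object[]{e.getMessage()});
            _log.error(msg, e);
            throw new TapisSecurityException(msg, e);
        }
    }

    /**
     * Returns the JWT verification key, loading it from the key store on first use.
     *
     * <p>Double-checked locking on the volatile {@link #_jwtPublicKey}: the fast path is a single
     * volatile read; the slow path loads the key once under the class lock.
     *
     * @return the cached public key, never null
     * @throws TapisSecurityException if the key store or certificate cannot be loaded or verified
     */
    private PublicKey getJwtPublicKey() throws TapisSecurityException {
        PublicKey key = _jwtPublicKey;
        if (key != null) {
            return key;
        }
        synchronized (JWTValidateRequestFilter.class) {
            if (_jwtPublicKey == null) {
                _jwtPublicKey = loadJwtPublicKey();
            }
            return _jwtPublicKey;
        }
    }

    /**
     * Loads the {@value #DEFAULT_KEY_ALIAS} certificate from the key store and returns its public
     * key. Each step is wrapped separately so the thrown message names the step that failed
     * (key-store access, missing password, load, certificate lookup, certificate verification)
     * instead of being re-wrapped by enclosing handlers.
     *
     * @throws TapisSecurityException describing the failed step
     */
    private static PublicKey loadJwtPublicKey() throws TapisSecurityException {
        KeyManager keyManager;
        try {
            keyManager = new KeyManager();
        } catch (Exception e) {
            String msg = MsgUtils.getMsg("TAPIS_SECURITY_NO_KEYSTORE", new Object[]{e.getMessage()});
            _log.error(msg, e);
            throw new TapisSecurityException(msg, e);
        }

        String password = TapisEnv.get(TapisEnv.EnvVar.TAPIS_ENVONLY_KEYSTORE_PASSWORD);
        if (StringUtils.isBlank(password)) {
            String msg = MsgUtils.getMsg("TAPIS_SECURITY_NO_KEYSTORE_PASSWORD", new Object[0]);
            _log.error(msg);
            throw new TapisSecurityException(msg);
        }

        try {
            keyManager.load(password);
        } catch (Exception e) {
            String msg = MsgUtils.getMsg("TAPIS_SECURITY_KEYSTORE_LOAD_ERROR", new Object[]{e.getMessage()});
            _log.error(msg, e);
            throw new TapisSecurityException(msg, e);
        }

        Certificate certificate;
        try {
            certificate = keyManager.getCertificate(DEFAULT_KEY_ALIAS);
        } catch (Exception e) {
            String msg = MsgUtils.getMsg("TAPIS_SECURITY_GET_CERTIFICATE",
                                         new Object[]{DEFAULT_KEY_ALIAS, e.getMessage()});
            _log.error(msg, e);
            throw new TapisSecurityException(msg, e);
        }
        if (certificate == null) {
            String msg = MsgUtils.getMsg("TAPIS_SECURITY_CERTIFICATE_NOT_FOUND",
                                         new Object[]{DEFAULT_KEY_ALIAS, keyManager.getStorePath()});
            _log.error(msg);
            throw new TapisSecurityException(msg);
        }

        PublicKey publicKey = certificate.getPublicKey();
        try {
            // Verifies the certificate's signature with its own public key, which only passes for a
            // self-signed certificate. This is an integrity check, not chain/trust validation.
            certificate.verify(publicKey);
        } catch (Exception e) {
            String msg = MsgUtils.getMsg("TAPIS_SECURITY_CERTIFICATE_VERIFY",
                                         new Object[]{DEFAULT_KEY_ALIAS, e.getMessage()});
            _log.error(msg, e);
            throw new TapisSecurityException(msg, e);
        }
        return publicKey;
    }

    /**
     * Extracts the user name from the WSO2 end-user claim.
     *
     * <p>The claim value is reduced to a bare user name: the part before the first {@code @} if one
     * is present, otherwise the part after the first {@code /} if one is present, otherwise the
     * value itself. (Presumably the full form is {@code <store>/<user>@<tenant>} — verify against
     * the issuer.)
     *
     * @return the user name, or null when the claim is absent or blank
     */
    private String getUser(Claims claims) {
        String endUser = (String) claims.get("http://wso2.org/claims/enduser");
        if (StringUtils.isBlank(endUser)) {
            return null;
        }
        if (endUser.contains("@")) {
            return StringUtils.substringBefore(endUser, "@");
        }
        if (endUser.contains("/")) {
            return StringUtils.substringAfter(endUser, "/");
        }
        return endUser;
    }

    /**
     * Returns the WSO2 role claim as-is, or null when it is absent or blank. The value is passed
     * unchanged to {@link TapisThreadContext#setRoles}; its format is not interpreted here.
     */
    private String getRoles(Claims claims) {
        String roles = (String) claims.get("http://wso2.org/claims/role");
        return StringUtils.isBlank(roles) ? null : roles;
    }

    /**
     * Reports whether the request path starts with one of the {@link #_noAuthRequests} prefixes,
     * logging the exempted URL at info level when it does.
     */
    private boolean isNoAuthRequest(ContainerRequestContext requestContext) {
        if (_noAuthRequests.length == 0) {
            return false;
        }
        String path = requestContext.getUriInfo().getPath();
        if (path == null) {
            return false;
        }
        for (String prefix : _noAuthRequests) {
            if (path.startsWith(prefix)) {
                if (_log.isInfoEnabled()) {
                    _log.info(MsgUtils.getMsg("TAPIS_SECURITY_NO_AUTH_REQUEST",
                                              new Object[]{requestContext.getUriInfo().getAbsolutePath()}));
                }
                return true;
            }
        }
        return false;
    }
}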
