package edu.utexas.tacc.tapis.sharedapi.jaxrs.filters;

import edu.utexas.tacc.tapis.shared.exceptions.TapisSecurityException;
import edu.utexas.tacc.tapis.shared.i18n.MsgUtils;
import edu.utexas.tacc.tapis.shared.parameters.TapisEnv;
import edu.utexas.tacc.tapis.shared.security.ITenantManager;
import edu.utexas.tacc.tapis.shared.security.TenantManager;
import edu.utexas.tacc.tapis.shared.threadlocal.TapisThreadContext;
import edu.utexas.tacc.tapis.shared.threadlocal.TapisThreadLocal;
import edu.utexas.tacc.tapis.sharedapi.security.AuthenticatedUser;
import edu.utexas.tacc.tapis.sharedapi.security.TapisSecurityContext;
import edu.utexas.tacc.tapis.sharedapi.utils.TapisRestUtils;
import edu.utexas.tacc.tapis.tenants.client.gen.model.Site;
import edu.utexas.tacc.tapis.tenants.client.gen.model.Tenant;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.Jwts;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import javax.annotation.Priority;
import javax.annotation.security.PermitAll;
import javax.validation.constraints.NotNull;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Provider
@Priority(1000)
/* loaded from: input_file:edu/utexas/tacc/tapis/sharedapi/jaxrs/filters/JWTValidateRequestFilter.class */
public class JWTValidateRequestFilter implements ContainerRequestFilter {
    private static final String TAPIS_JWT_HEADER = "X-Tapis-Token";
    private static final String TAPIS_USER_HEADER = "X-Tapis-User";
    private static final String TAPIS_HASH_HEADER = "X-Tapis-User-Token-Hash";
    private static final String CLAIM_TENANT = "tapis/tenant_id";
    private static final String TAPIS_TENANT_HEADER = "X-Tapis-Tenant";
    private static final String CLAIM_USERNAME = "tapis/username";
    private static final String CLAIM_TOKEN_TYPE = "tapis/token_type";
    private static final String CLAIM_ACCOUNT_TYPE = "tapis/account_type";
    private static final String CLAIM_DELEGATION = "tapis/delegation";
    private static final String CLAIM_DELEGATION_SUB = "tapis/delegation_sub";
    private static final String CLAIM_SITE = "tapis/target_site";
    private static final String OPENAPI_JSON = "/openapi.json";
    private static final String OPENAPI_YAML = "/openapi.yaml";
    private static final String TOKEN_ACCESS = "access";

    @Context
    private ResourceInfo resourceInfo;
    private static String _siteId;
    private static String _service;
    private static Site _localSite;
    private static Boolean _localOnlyService;
    private ITenantManager _tenantManager;
    private static final Logger _log = LoggerFactory.getLogger(JWTValidateRequestFilter.class);
    private static final HashMap<String, PublicKey> _keyCache = new HashMap<>();

    public JWTValidateRequestFilter() {
    }

    public JWTValidateRequestFilter(@NotNull ITenantManager iTenantManager) {
        this._tenantManager = iTenantManager;
    }

    public void filter(ContainerRequestContext containerRequestContext) {
        if (_log.isTraceEnabled()) {
            _log.trace("Executing JAX-RX request filter: " + getClass().getSimpleName() + ".");
        }
        if (!initialized()) {
            String msg = MsgUtils.getMsg("TAPIS_SECURITY_UNINITIALIZED_FILTER", new Object[]{containerRequestContext.getMethod(), "siteId, service"});
            _log.error(msg);
            containerRequestContext.abortWith(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(msg).build());
            return;
        }
        if (containerRequestContext.getMethod().equals("OPTIONS") || this.resourceInfo.getResourceMethod().isAnnotationPresent(PermitAll.class) || isNoAuthRequest(containerRequestContext)) {
            return;
        }
        if (this._tenantManager == null) {
            this._tenantManager = TenantManager.getInstance();
        }
        if (getLocalSite() == null) {
            String msg2 = MsgUtils.getMsg("TAPIS_SECURITY_UNINITIALIZED_FILTER", new Object[]{containerRequestContext.getMethod(), "localSite"});
            _log.error(msg2);
            containerRequestContext.abortWith(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(msg2).build());
            return;
        }
        MultivaluedMap headers = containerRequestContext.getHeaders();
        String str = (String) headers.getFirst(TAPIS_JWT_HEADER);
        if (StringUtils.isBlank(str)) {
            if (TapisEnv.getBoolean(TapisEnv.EnvVar.TAPIS_ENVONLY_JWT_OPTIONAL)) {
                return;
            }
            String msg3 = MsgUtils.getMsg("TAPIS_SECURITY_MISSING_JWT_INFO", new Object[]{containerRequestContext.getMethod()});
            _log.error(msg3);
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg3).build());
            return;
        }
        try {
            Jwt decodeJwt = decodeJwt(str);
            try {
                Claims claims = (Claims) decodeJwt.getBody();
                if (claims == null) {
                    String msg4 = MsgUtils.getMsg("TAPIS_SECURITY_JWT_NO_CLAIMS", new Object[]{decodeJwt});
                    _log.error(msg4);
                    containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg4).build());
                    return;
                }
                String str2 = (String) claims.get(CLAIM_TENANT);
                if (StringUtils.isBlank(str2)) {
                    String msg5 = MsgUtils.getMsg("TAPIS_SECURITY_JWT_CLAIM_NOT_FOUND", new Object[]{decodeJwt, CLAIM_TENANT});
                    _log.error(msg5);
                    containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg5).build());
                    return;
                }
                if (!TapisEnv.getBoolean(TapisEnv.EnvVar.TAPIS_ENVONLY_SKIP_JWT_VERIFY)) {
                    try {
                        verifyJwt(str, str2);
                    } catch (Exception e) {
                        Response.Status status = Response.Status.UNAUTHORIZED;
                        if (e.getMessage().startsWith("TAPIS_SECURITY_JWT_KEY_ERROR")) {
                            status = Response.Status.INTERNAL_SERVER_ERROR;
                        }
                        _log.error(e.getMessage(), e);
                        containerRequestContext.abortWith(Response.status(status).entity(e.getMessage()).build());
                        return;
                    }
                }
                String str3 = (String) claims.get(CLAIM_TOKEN_TYPE);
                if (StringUtils.isBlank(str3) || !TOKEN_ACCESS.contentEquals(str3)) {
                    String msg6 = MsgUtils.getMsg("TAPIS_SECURITY_JWT_INVALID_CLAIM", new Object[]{CLAIM_TOKEN_TYPE, str3});
                    _log.error(msg6);
                    containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg6).build());
                    return;
                }
                String str4 = (String) claims.get(CLAIM_ACCOUNT_TYPE);
                if (StringUtils.isBlank(str4)) {
                    String msg7 = MsgUtils.getMsg("TAPIS_SECURITY_JWT_INVALID_CLAIM", new Object[]{CLAIM_ACCOUNT_TYPE, str4});
                    _log.error(msg7);
                    containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg7).build());
                    return;
                }
                try {
                    TapisThreadContext.AccountType valueOf = TapisThreadContext.AccountType.valueOf(str4);
                    String str5 = (String) claims.get(CLAIM_USERNAME);
                    if (StringUtils.isBlank(str5)) {
                        String msg8 = MsgUtils.getMsg("TAPIS_SECURITY_JWT_INVALID_CLAIM", new Object[]{CLAIM_USERNAME, str5});
                        _log.error(msg8);
                        containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg8).build());
                        return;
                    }
                    String str6 = null;
                    Boolean bool = (Boolean) claims.get(CLAIM_DELEGATION);
                    if (bool != null && bool.booleanValue()) {
                        str6 = (String) claims.get(CLAIM_DELEGATION_SUB);
                        if (!TapisRestUtils.checkJWTSubjectFormat(str6)) {
                            String msg9 = MsgUtils.getMsg("TAPIS_SECURITY_JWT_INVALID_CLAIM", new Object[]{CLAIM_DELEGATION_SUB, str6});
                            _log.error(msg9);
                            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg9).build());
                            return;
                        } else if (!allowTenant(containerRequestContext, str5, str2, str6.substring(str6.indexOf(64) + 1))) {
                            return;
                        }
                    }
                    String str7 = (String) headers.getFirst(TAPIS_HASH_HEADER);
                    String str8 = (String) headers.getFirst(TAPIS_TENANT_HEADER);
                    String str9 = (String) headers.getFirst(TAPIS_USER_HEADER);
                    if (valueOf == TapisThreadContext.AccountType.service) {
                        if (StringUtils.isBlank(str9)) {
                            String msg10 = MsgUtils.getMsg("TAPIS_SECURITY_MISSING_HEADER", new Object[]{str5, str2, valueOf.name(), TAPIS_USER_HEADER});
                            _log.error(msg10);
                            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg10).build());
                            return;
                        } else if (StringUtils.isBlank(str8)) {
                            String msg11 = MsgUtils.getMsg("TAPIS_SECURITY_MISSING_HEADER", new Object[]{str5, str2, valueOf.name(), TAPIS_TENANT_HEADER});
                            _log.error(msg11);
                            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg11).build());
                            return;
                        } else if (!allowTenant(containerRequestContext, str5, str2, str8) || !validateSite(containerRequestContext, str2, str5, (String) claims.get(CLAIM_SITE))) {
                            return;
                        }
                    } else if (StringUtils.isNotBlank(str9)) {
                        String msg12 = MsgUtils.getMsg("TAPIS_SECURITY_UNEXPECTED_HEADER", new Object[]{str5, str2, valueOf.name(), TAPIS_USER_HEADER});
                        _log.error(msg12);
                        containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg12).build());
                        return;
                    } else {
                        if (StringUtils.isNotBlank(str8)) {
                            String msg13 = MsgUtils.getMsg("TAPIS_SECURITY_UNEXPECTED_HEADER", new Object[]{str5, str2, valueOf.name(), TAPIS_TENANT_HEADER});
                            _log.error(msg13);
                            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg13).build());
                            return;
                        }
                        str8 = str2;
                        str9 = str5;
                    }
                    TapisThreadContext tapisThreadContext = (TapisThreadContext) TapisThreadLocal.tapisThreadContext.get();
                    tapisThreadContext.setJwtTenantId(str2);
                    tapisThreadContext.setJwtUser(str5);
                    tapisThreadContext.setOboTenantId(str8);
                    tapisThreadContext.setOboUser(str9);
                    tapisThreadContext.setAccountType(valueOf);
                    tapisThreadContext.setDelegatorSubject(str6);
                    tapisThreadContext.setUserJwtHash(str7);
                    tapisThreadContext.setSiteId(_siteId);
                    containerRequestContext.setSecurityContext(new TapisSecurityContext(new AuthenticatedUser(str5, str2, str4, str6, str9, str8, str7, _siteId, str)));
                } catch (Exception e2) {
                    String msg14 = MsgUtils.getMsg("TAPIS_SECURITY_JWT_INVALID_CLAIM", new Object[]{CLAIM_ACCOUNT_TYPE, str4});
                    _log.error(msg14, e2);
                    containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg14).build());
                }
            } catch (Exception e3) {
                String msg15 = MsgUtils.getMsg("TAPIS_SECURITY_JWT_GET_CLAIMS", new Object[]{decodeJwt});
                _log.error(msg15, e3);
                containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg15).build());
            }
        } catch (Exception e4) {
            String message = e4.getMessage();
            _log.error(message);
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(message).build());
        }
    }

    public static void setSiteId(String str) {
        if (_siteId == null) {
            _siteId = str;
        }
    }

    public static void setService(String str) {
        if (_service == null) {
            _service = str;
        }
    }

    private Jwt decodeJwt(String str) throws TapisSecurityException {
        if (str == null) {
            return null;
        }
        String str2 = str;
        int lastIndexOf = str.lastIndexOf(".");
        if (lastIndexOf + 1 < str.length()) {
            str2 = str.substring(0, lastIndexOf + 1);
        }
        try {
            return Jwts.parser().parse(str2);
        } catch (Exception e) {
            String message = e.getMessage();
            String msg = (message == null || !message.startsWith("JWT expired at")) ? MsgUtils.getMsg("TAPIS_SECURITY_JWT_PARSE_ERROR", new Object[]{message}) : MsgUtils.getMsg("TAPIS_SECURITY_JWT_EXPIRED", new Object[]{message});
            _log.error(msg, e);
            throw new TapisSecurityException(msg, e);
        }
    }

    private void verifyJwt(String str, String str2) throws TapisSecurityException {
        try {
            Jwts.parser().setSigningKey(getJwtPublicKey(str2)).parse(str);
        } catch (Exception e) {
            String msg = MsgUtils.getMsg("TAPIS_SECURITY_JWT_PARSE_ERROR", new Object[]{e.getMessage()});
            _log.error(msg, e);
            throw new TapisSecurityException(msg, e);
        }
    }

    private PublicKey getJwtPublicKey(String str) throws TapisSecurityException {
        Instant lastUpdateTime = this._tenantManager.getLastUpdateTime();
        synchronized (_keyCache) {
            if (lastUpdateTime != null) {
                if (Instant.now().isBefore(lastUpdateTime)) {
                    _keyCache.clear();
                } else {
                    PublicKey publicKey = _keyCache.get(str);
                    if (publicKey != null) {
                        return publicKey;
                    }
                }
            }
            try {
                try {
                    try {
                        PublicKey generatePublic = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(trimPublicKey(this._tenantManager.getTenant(str).getPublicKey()))));
                        _keyCache.put(str, generatePublic);
                        return generatePublic;
                    } catch (Exception e) {
                        String msg = MsgUtils.getMsg("TAPIS_SECURITY_JWT_KEY_ERROR", new Object[]{e.getMessage()});
                        _log.error(msg, e);
                        throw new TapisSecurityException(msg, e);
                    }
                } catch (Exception e2) {
                    String msg2 = MsgUtils.getMsg("TAPIS_SECURITY_JWT_KEY_ERROR", new Object[]{e2.getMessage()});
                    _log.error(msg2, e2);
                    throw new TapisSecurityException(msg2, e2);
                }
            } catch (Exception e3) {
                String msg3 = MsgUtils.getMsg("TAPIS_SECURITY_JWT_KEY_ERROR", new Object[]{e3.getMessage()});
                _log.error(msg3, e3);
                throw new TapisSecurityException(msg3, e3);
            }
        }
    }

    private String trimPublicKey(String str) {
        if (str == null) {
            return "";
        }
        int indexOf = str.indexOf("-\n");
        if (indexOf > 0) {
            str = str.substring(indexOf + 2);
        }
        int lastIndexOf = str.lastIndexOf("\n-");
        if (lastIndexOf > 0) {
            str = str.substring(0, lastIndexOf);
        }
        return str;
    }

    private boolean isNoAuthRequest(ContainerRequestContext containerRequestContext) {
        String path = containerRequestContext.getUriInfo().getRequestUri().getPath();
        return path.endsWith(OPENAPI_JSON) || path.endsWith(OPENAPI_YAML);
    }

    private boolean allowTenant(ContainerRequestContext containerRequestContext, String str, String str2, String str3) {
        try {
            if (TapisRestUtils.isAllowedTenant(str2, str3)) {
                return true;
            }
            String msg = MsgUtils.getMsg("TAPIS_SECURITY_TENANT_NOT_ALLOWED", new Object[]{str, str2, str3});
            _log.error(msg);
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg).build());
            return false;
        } catch (Exception e) {
            String msg2 = MsgUtils.getMsg("TAPIS_SECURITY_ALLOWABLE_TENANT_ERROR", new Object[]{str, str2, str3});
            _log.error(msg2, e);
            containerRequestContext.abortWith(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(msg2).build());
            return false;
        }
    }

    private boolean validateSite(ContainerRequestContext containerRequestContext, String str, String str2, String str3) {
        if (StringUtils.isBlank(str3)) {
            String msg = MsgUtils.getMsg("TAPIS_SECURITY_JWT_INVALID_CLAIM", new Object[]{CLAIM_SITE, str3});
            _log.error(msg);
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg).build());
            return false;
        }
        if (!str3.equals(_siteId)) {
            String msg2 = MsgUtils.getMsg("TAPIS_SECURITY_JWT_WRONG_SITE", new Object[]{str2, str, str3, _siteId});
            _log.error(msg2);
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg2).build());
            return false;
        }
        String siteId = getSiteId(str);
        if (StringUtils.isBlank(siteId)) {
            String msg3 = MsgUtils.getMsg("TAPIS_SECURITY_JWT_MISSING_SITE", new Object[]{str});
            _log.error(msg3);
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg3).build());
            return false;
        }
        String primarySiteId = this._tenantManager.getPrimarySiteId();
        if (!siteId.equals(_siteId)) {
            if (isLocalOnlyService()) {
                String msg4 = MsgUtils.getMsg("TAPIS_SECURITY_INVALID_CROSS_SITE_SERVICE", new Object[]{str2, str, _siteId, _service});
                _log.error(msg4);
                containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg4).build());
                return false;
            }
            if (!_siteId.equals(primarySiteId) && !siteId.equals(primarySiteId)) {
                String msg5 = MsgUtils.getMsg("TAPIS_SECURITY_INTERSITE_COMM", new Object[]{str2, str, _siteId, siteId});
                _log.error(msg5);
                containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg5).build());
                return false;
            }
        }
        if (!getLocalSite().getServices().contains(_service)) {
            String msg6 = MsgUtils.getMsg("TAPIS_SECURITY_NO_LOCAL_SERVICE", new Object[]{str2, str, _siteId, _service});
            _log.error(msg6);
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg6).build());
            return false;
        }
        if (!getLocalSite().getPrimary().booleanValue() || _siteId.equals(siteId)) {
            return true;
        }
        Site site = this._tenantManager.getSite(siteId);
        if (site == null) {
            String msg7 = MsgUtils.getMsg("TAPIS_SECURITY_UNKNOWN_SITE", new Object[]{str2, str, siteId});
            _log.error(msg7);
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg7).build());
            return false;
        }
        if (!site.getServices().contains(_service)) {
            return true;
        }
        String msg8 = MsgUtils.getMsg("TAPIS_SECURITY_SOURCE_SITE_SERVICE", new Object[]{str2, str, siteId, _service});
        _log.error(msg8);
        containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(msg8).build());
        return false;
    }

    private String getSiteId(String str) {
        try {
            Tenant tenant = this._tenantManager.getTenant(str);
            if (tenant == null) {
                return null;
            }
            return tenant.getSiteId();
        } catch (Exception e) {
            return null;
        }
    }

    private Site getLocalSite() {
        if (_localSite == null) {
            _localSite = this._tenantManager.getSite(_siteId);
        }
        return _localSite;
    }

    private boolean isLocalOnlyService() {
        if (_localOnlyService == null) {
            if (_service.equals("security") || _service.equals("tokens")) {
                _localOnlyService = Boolean.TRUE;
            } else {
                _localOnlyService = Boolean.FALSE;
            }
        }
        return _localOnlyService.booleanValue();
    }

    private static boolean initialized() {
        return (_siteId == null || _service == null) ? false : true;
    }
}
