package io.hyperfoil.tools.horreum.server;

import com.fasterxml.jackson.databind.JsonNode;
import io.hyperfoil.tools.horreum.svc.Util;
import jakarta.inject.Singleton;
import jakarta.ws.rs.core.Response;
import java.util.Base64;
import java.util.Locale;
import java.util.Optional;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.jboss.resteasy.reactive.server.ServerRequestFilter;
import org.jboss.resteasy.reactive.server.spi.ResteasyReactiveContainerRequestContext;

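@Singleton
/* loaded from: input_file:io/hyperfoil/tools/horreum/server/HorreumAuthorizationFilter.class */
/**
 * Request filter that pre-screens the {@code Authorization} header before the rest of the
 * request pipeline runs.
 *
 * <p>Two kinds of bearer credentials are recognised:
 * <ul>
 *   <li>a value that is not shaped like a JWT (fewer than two {@code '.'} separators) is treated as a
 *       Horreum API key: it is removed from the underlying Vert.x request and re-added under
 *       {@link TokenInterceptor#TOKEN_HEADER};</li>
 *   <li>a JWT-shaped value has its payload segment decoded and its {@code iss} claim compared with the
 *       configured issuer ({@code quarkus.oidc.token.issuer}) or, failing that, the auth server URL
 *       ({@code quarkus.oidc.auth-server-url}); a mismatch is answered with {@code 403}.</li>
 * </ul>
 *
 * <p>Security note: this filter never verifies the token signature or expiry; it only reads the
 * <em>unverified</em> {@code iss} claim so that a token obtained from the wrong login URL yields an
 * actionable error instead of an opaque authentication failure. Real authentication must be performed
 * by a later stage (presumably the Quarkus OIDC extension — confirm in the deployment); nothing here
 * may be relied on as an access-control decision.
 */
public class HorreumAuthorizationFilter {
    /** Request header carrying the credential. */
    private static final String AUTHORIZATION = "Authorization";
    /** Scheme prefix, matched case-insensitively; its length is the offset of the credential itself. */
    private static final String BEARER_PREFIX = "bearer ";
    /** Configured issuer value that disables the issuer comparison for all tokens. */
    private static final String ANY_ISSUER = "any";

    private final Optional<String> authServerUrl;
    private final Optional<String> issuer;

    /**
     * @param optional  value of {@code quarkus.oidc.auth-server-url}, used as the expected issuer when no
     *                  explicit issuer is configured
     * @param optional2 value of {@code quarkus.oidc.token.issuer}; {@code "any"} accepts every issuer
     */
    public HorreumAuthorizationFilter(@ConfigProperty(name = "quarkus.oidc.auth-server-url") Optional<String> optional, @ConfigProperty(name = "quarkus.oidc.token.issuer") Optional<String> optional2) {
        this.authServerUrl = optional;
        this.issuer = optional2;
    }

    /**
     * Screens the bearer credential of the incoming request.
     *
     * @param ctx the request being filtered
     * @return {@code null} to let the request continue, or a {@code 403} response that aborts it
     */
    @ServerRequestFilter(priority = 999)
    public Response filter(ResteasyReactiveContainerRequestContext ctx) {
        String header = ctx.getHeaderString(AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            // No bearer credential at all: nothing for this filter to decide.
            return null;
        }
        String credential = header.substring(BEARER_PREFIX.length());
        int firstDot = credential.indexOf('.');
        int secondDot = firstDot < 0 ? -1 : credential.indexOf('.', firstDot + 1);
        if (firstDot < 0 || secondDot < 0) {
            // Not three dot-separated segments, so not a JWT: treat it as a Horreum API key. The header is
            // dropped from the Vert.x request so later stages do not try to parse the key as a JWT, and the
            // key is handed over under the dedicated API-key header instead.
            ctx.getServerRequestContext().vertxServerRequest().headers().remove(AUTHORIZATION);
            ctx.getHeaders().addFirst(TokenInterceptor.TOKEN_HEADER, credential);
            return null;
        }
        JsonNode payload = decodePayload(credential.substring(firstDot + 1, secondDot));
        if (payload == null) {
            return forbidden("Invalid authorization token");
        }
        // path() yields a missing node (asText() == "") rather than null when the claim is absent.
        String tokenIssuer = payload.path("iss").asText();
        if (tokenIssuer == null || tokenIssuer.isBlank()) {
            return forbidden("Authorization token does not contain issuer ('iss') claim.");
        }
        return checkIssuer(tokenIssuer);
    }

    /**
     * Decodes the JWT payload segment into JSON.
     *
     * <p>JWT segments are base64url-encoded (RFC 7515), so the URL-safe decoder is used; a segment that is
     * not valid base64url yields {@code null} instead of an unhandled {@link IllegalArgumentException},
     * so that a malformed token is answered with {@code 403} rather than a server error.
     *
     * @param segment the raw text between the first and second {@code '.'} of the credential
     * @return the parsed payload, or {@code null} if it cannot be decoded or parsed
     */
    private static JsonNode decodePayload(String segment) {
        byte[] raw;
        try {
            raw = Base64.getUrlDecoder().decode(segment);
        } catch (IllegalArgumentException e) {
            return null;
        }
        return Util.toJsonNode(raw);
    }

    /**
     * Compares the (unverified) token issuer with the configured expectation.
     *
     * @param tokenIssuer the non-blank {@code iss} claim of the presented token
     * @return {@code null} when the issuer is acceptable, otherwise a {@code 403} response
     */
    private Response checkIssuer(String tokenIssuer) {
        if (this.issuer.isPresent()) {
            String expected = this.issuer.get();
            if (ANY_ISSUER.equals(expected) || expected.equals(tokenIssuer)) {
                return null;
            }
            return replyWrongIss(tokenIssuer, expected);
        }
        if (this.authServerUrl.isEmpty()) {
            return forbidden("Missing URL to validate authorization token. Set OIDC authentication server URL (or OIDC token issuer) in Horreum config.");
        }
        String expected = this.authServerUrl.get();
        if (expected.equals(tokenIssuer)) {
            return null;
        }
        return replyWrongIss(tokenIssuer, expected);
    }

    /** Builds a {@code 403} response carrying {@code message} as its entity. */
    private static Response forbidden(String message) {
        return Response.status(Response.Status.FORBIDDEN).entity(message).build();
    }

    /**
     * Builds the issuer-mismatch response. The message echoes the token's own, unverified {@code iss}
     * value back to the caller; it is emitted as a plain string entity here, so keep it that way and do
     * not render it into HTML elsewhere.
     *
     * @param actual   issuer found in the token
     * @param expected issuer this Horreum instance expects
     */
    private Response replyWrongIss(String actual, String expected) {
        return forbidden("Authorization token has issuer '" + actual + "' but this is not the expected issuer '" + expected + "'; you have probably received the token from a wrong URL. Please login into Horreum Web UI and check the login URL used.");
    }
}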
