package io.unitycatalog.server.service;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.linecorp.armeria.common.HttpHeaderNames;
import com.linecorp.armeria.common.HttpRequest;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.server.DecoratingHttpServiceFunction;
import com.linecorp.armeria.server.HttpService;
import com.linecorp.armeria.server.ServiceRequestContext;
import io.netty.util.AsciiString;
import io.netty.util.AttributeKey;
import io.unitycatalog.control.model.User;
import io.unitycatalog.server.exception.AuthorizationException;
import io.unitycatalog.server.exception.ErrorCode;
import io.unitycatalog.server.persist.UserRepository;
import io.unitycatalog.server.security.JwtClaim;
import io.unitycatalog.server.security.SecurityContext;
import io.unitycatalog.server.service.AuthService;
import io.unitycatalog.server.utils.JwksOperations;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/unitycatalog/server/service/AuthDecorator.class */
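/**
 * Armeria decorator that authenticates every request with a bearer JWT before
 * the wrapped service runs.
 *
 * <p>Order of checks: an {@code Authorization: Bearer <token>} header must be
 * present; the token's {@code iss} claim must equal the internal issuer; the
 * signature is then verified with the key selected by the token's {@code kid}
 * header; finally the {@code sub} claim must resolve to an ENABLED user. The
 * verified token is attached to the request context under
 * {@link #DECODED_JWT_ATTR} for downstream handlers.
 *
 * <p>Security note: the issuer and key-id are read from the UNVERIFIED token
 * and only act as an allow-list gate and key selector; nothing from the token
 * is trusted until {@code verify} succeeds. Which claims the verifier enforces
 * beyond the signature (expiry, audience, algorithm) is decided by
 * {@link JwksOperations} and is not visible in this class — confirm there.
 */
public class AuthDecorator implements DecoratingHttpServiceFunction {
    private static final Logger LOGGER = LoggerFactory.getLogger(AuthDecorator.class);
    private static final UserRepository USER_REPOSITORY = UserRepository.getInstance();
    /** Context attribute carrying the signature-verified token for downstream services. */
    public static final AttributeKey<DecodedJWT> DECODED_JWT_ATTR = AttributeKey.valueOf(DecodedJWT.class, "DECODED_JWT_ATTR");

    /**
     * Authenticates the request and, on success, delegates to {@code httpService}.
     *
     * @param httpService the decorated service
     * @param serviceRequestContext request context; receives {@link #DECODED_JWT_ATTR}
     * @param httpRequest the incoming request
     * @return the delegate's response
     * @throws AuthorizationException with UNAUTHENTICATED when no bearer token is
     *         present or the token lacks the claims needed to verify it, and with
     *         PERMISSION_DENIED when the issuer is not the internal one or the
     *         subject is unknown or not ENABLED
     * @throws Exception anything thrown by the delegate or by token decoding /
     *         signature verification (auth0 exceptions propagate unchanged)
     */
    @Override
    public HttpResponse serve(HttpService httpService, ServiceRequestContext serviceRequestContext, HttpRequest httpRequest) throws Exception {
        LOGGER.debug("AuthDecorator checking {}", httpRequest.path());
        String rawToken = extractBearerToken(httpRequest);
        DecodedJWT verified = verifyInternalToken(rawToken);

        String subject = verified.getClaim(JwtClaim.SUBJECT.key()).asString();
        User user = lookupUser(subject);
        // A missing or disabled user is denied even though the token itself verified.
        if (user == null || user.getState() != User.StateEnum.ENABLED) {
            throw new AuthorizationException(ErrorCode.PERMISSION_DENIED, "User not allowed.");
        }
        LOGGER.debug("Access allowed for subject: {}", subject);
        serviceRequestContext.setAttr(DECODED_JWT_ATTR, verified);
        return httpService.serve(serviceRequestContext, httpRequest);
    }

    /**
     * Pulls the raw token out of the first {@code Authorization} header.
     * The scheme must be exactly "Bearer" (case-sensitive, as before) followed
     * by a single space and the token.
     *
     * @throws AuthorizationException UNAUTHENTICATED when the header is absent or malformed
     */
    private static String extractBearerToken(HttpRequest httpRequest) {
        // Armeria returns the first value for a repeated header, or null if absent.
        String authorization = httpRequest.headers().get(HttpHeaderNames.AUTHORIZATION);
        if (authorization == null) {
            throw new AuthorizationException(ErrorCode.UNAUTHENTICATED, "No authorization found.");
        }
        String[] parts = authorization.split(" ");
        if (parts.length != 2 || !parts[0].equals(AuthService.AuthTypes.BEARER)) {
            throw new AuthorizationException(ErrorCode.UNAUTHENTICATED, "No Bearer found.");
        }
        return parts[1];
    }

    /**
     * Decodes the token, gates it on the internal issuer, and verifies its
     * signature with the key named by its {@code kid} header.
     *
     * <p>A token with no {@code iss} or {@code kid} previously blew up with a
     * NullPointerException (surfacing as a server error); it is now rejected as
     * an invalid access token like any other wrong-issuer token.
     *
     * @throws AuthorizationException PERMISSION_DENIED when the issuer is missing,
     *         not the internal issuer, or the key id is missing
     */
    private static DecodedJWT verifyInternalToken(String rawToken) {
        DecodedJWT unverified = JWT.decode(rawToken);
        // Both values come from the unverified token: use them only to select the
        // verifier, never as an authenticated fact.
        String issuer = unverified.getClaim(JwtClaim.ISSUER.key()).asString();
        String keyId = unverified.getHeaderClaim(JwtClaim.KEY_ID.key()).asString();
        LOGGER.debug("Validating access-token for issuer: {}", issuer);
        if (issuer == null || keyId == null || !issuer.equals(SecurityContext.Issuers.INTERNAL)) {
            throw new AuthorizationException(ErrorCode.PERMISSION_DENIED, "Invalid access token.");
        }
        // NOTE(review): a new JwksOperations is built per request, as in the original;
        // whether that re-fetches key material each time is not visible here.
        JwksOperations jwksOperations = new JwksOperations();
        return jwksOperations.verifierForIssuerAndKey(issuer, keyId).verify(unverified);
    }

    /**
     * Resolves the token subject to a user record, treating any lookup failure
     * (including a null subject) as "no user" so the caller denies access.
     * The failure is logged at debug level so a misconfigured repository is
     * diagnosable rather than silently indistinguishable from an unknown user.
     */
    private static User lookupUser(String subject) {
        try {
            return USER_REPOSITORY.getUserByEmail(subject);
        } catch (Exception e) {
            LOGGER.debug("User lookup failed for subject: {}", subject, e);
            return null;
        }
    }
}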
