package io.unitycatalog.server.service;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.PropertyNamingStrategies;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
import com.fasterxml.jackson.databind.annotation.JsonNaming;
import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.annotation.Nullable;
import com.linecorp.armeria.server.annotation.ExceptionHandler;
import com.linecorp.armeria.server.annotation.Param;
import com.linecorp.armeria.server.annotation.Post;
import io.unitycatalog.control.model.User;
import io.unitycatalog.server.exception.ErrorCode;
import io.unitycatalog.server.exception.GlobalExceptionHandler;
import io.unitycatalog.server.exception.OAuthInvalidRequestException;
import io.unitycatalog.server.persist.UserRepository;
import io.unitycatalog.server.persist.utils.ServerPropertiesUtils;
import io.unitycatalog.server.security.JwtClaim;
import io.unitycatalog.server.security.SecurityContext;
import io.unitycatalog.server.utils.JwksOperations;
import lombok.NonNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ExceptionHandler(GlobalExceptionHandler.class)
/* loaded from: input_file:io/unitycatalog/server/service/AuthService.class */
public class AuthService {
    private static final Logger LOGGER = LoggerFactory.getLogger(AuthService.class);
    private static final UserRepository USER_REPOSITORY = UserRepository.getInstance();
    private final SecurityContext securityContext;
    private final JwksOperations jwksOperations = new JwksOperations();

    /* loaded from: input_file:io/unitycatalog/server/service/AuthService$AuthTypes.class */
    interface AuthTypes {
        public static final String BEARER = "Bearer";
    }

    /* loaded from: input_file:io/unitycatalog/server/service/AuthService$Fields.class */
    interface Fields {
        public static final String GRANT_TYPE = "grant_type";
        public static final String CLIENT_ID = "client_id";
        public static final String CLIENT_SECRET = "client_secret";
        public static final String SUBJECT_TOKEN = "subject_token";
        public static final String SUBJECT_TOKEN_TYPE = "subject_token_type";
        public static final String ACTOR_TOKEN = "actor_token";
        public static final String ACTOR_TOKEN_TYPE = "actor_token_type";
        public static final String REQUESTED_TOKEN_TYPE = "requested_token_type";
    }

    /* loaded from: input_file:io/unitycatalog/server/service/AuthService$GrantTypes.class */
    interface GrantTypes {
        public static final String TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange";
    }

    /* loaded from: input_file:io/unitycatalog/server/service/AuthService$OAuthTokenExchangeRequest.class */
    static class OAuthTokenExchangeRequest {

        @Param(Fields.GRANT_TYPE)
        private String grantType;

        @Param(Fields.REQUESTED_TOKEN_TYPE)
        private String requestedTokenType;

        @Param(Fields.SUBJECT_TOKEN_TYPE)
        private String subjectTokenType;

        @Param(Fields.SUBJECT_TOKEN)
        private String subjectToken;

        @Nullable
        @Param(Fields.ACTOR_TOKEN_TYPE)
        private String actorTokenType;

        @Nullable
        @Param(Fields.ACTOR_TOKEN)
        private String actorToken;

        OAuthTokenExchangeRequest() {
        }

        public String toString() {
            return "AuthService.OAuthTokenExchangeRequest(grantType=" + getGrantType() + ", requestedTokenType=" + getRequestedTokenType() + ", subjectTokenType=" + getSubjectTokenType() + ", subjectToken=" + getSubjectToken() + ", actorTokenType=" + getActorTokenType() + ", actorToken=" + getActorToken() + ")";
        }

        public String getGrantType() {
            return this.grantType;
        }

        public String getRequestedTokenType() {
            return this.requestedTokenType;
        }

        public String getSubjectTokenType() {
            return this.subjectTokenType;
        }

        public String getSubjectToken() {
            return this.subjectToken;
        }

        public String getActorTokenType() {
            return this.actorTokenType;
        }

        public String getActorToken() {
            return this.actorToken;
        }
    }

    @JsonInclude(JsonInclude.Include.NON_NULL)
    @JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
    @JsonDeserialize(builder = OAuthTokenExchangeResponseBuilder.class)
    /* loaded from: input_file:io/unitycatalog/server/service/AuthService$OAuthTokenExchangeResponse.class */
    public static class OAuthTokenExchangeResponse {

        @NonNull
        private String accessToken;

        @NonNull
        private String issuedTokenType;

        @NonNull
        private String tokenType;
        private Long expiresIn;
        private String scope;
        private String refreshToken;

        @JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
        @JsonPOJOBuilder(withPrefix = "", buildMethodName = "build")
        /* loaded from: input_file:io/unitycatalog/server/service/AuthService$OAuthTokenExchangeResponse$OAuthTokenExchangeResponseBuilder.class */
        public static class OAuthTokenExchangeResponseBuilder {
            private String accessToken;
            private String issuedTokenType;
            private String tokenType;
            private Long expiresIn;
            private String scope;
            private String refreshToken;

            OAuthTokenExchangeResponseBuilder() {
            }

            public OAuthTokenExchangeResponseBuilder accessToken(@NonNull String str) {
                if (str == null) {
                    throw new NullPointerException("accessToken is marked non-null but is null");
                }
                this.accessToken = str;
                return this;
            }

            public OAuthTokenExchangeResponseBuilder issuedTokenType(@NonNull String str) {
                if (str == null) {
                    throw new NullPointerException("issuedTokenType is marked non-null but is null");
                }
                this.issuedTokenType = str;
                return this;
            }

            public OAuthTokenExchangeResponseBuilder tokenType(@NonNull String str) {
                if (str == null) {
                    throw new NullPointerException("tokenType is marked non-null but is null");
                }
                this.tokenType = str;
                return this;
            }

            public OAuthTokenExchangeResponseBuilder expiresIn(Long l) {
                this.expiresIn = l;
                return this;
            }

            public OAuthTokenExchangeResponseBuilder scope(String str) {
                this.scope = str;
                return this;
            }

            public OAuthTokenExchangeResponseBuilder refreshToken(String str) {
                this.refreshToken = str;
                return this;
            }

            public OAuthTokenExchangeResponse build() {
                return new OAuthTokenExchangeResponse(this.accessToken, this.issuedTokenType, this.tokenType, this.expiresIn, this.scope, this.refreshToken);
            }

            public String toString() {
                return "AuthService.OAuthTokenExchangeResponse.OAuthTokenExchangeResponseBuilder(accessToken=" + this.accessToken + ", issuedTokenType=" + this.issuedTokenType + ", tokenType=" + this.tokenType + ", expiresIn=" + this.expiresIn + ", scope=" + this.scope + ", refreshToken=" + this.refreshToken + ")";
            }
        }

        OAuthTokenExchangeResponse(@NonNull String str, @NonNull String str2, @NonNull String str3, Long l, String str4, String str5) {
            if (str == null) {
                throw new NullPointerException("accessToken is marked non-null but is null");
            }
            if (str2 == null) {
                throw new NullPointerException("issuedTokenType is marked non-null but is null");
            }
            if (str3 == null) {
                throw new NullPointerException("tokenType is marked non-null but is null");
            }
            this.accessToken = str;
            this.issuedTokenType = str2;
            this.tokenType = str3;
            this.expiresIn = l;
            this.scope = str4;
            this.refreshToken = str5;
        }

        public static OAuthTokenExchangeResponseBuilder builder() {
            return new OAuthTokenExchangeResponseBuilder();
        }

        @NonNull
        public String getAccessToken() {
            return this.accessToken;
        }

        @NonNull
        public String getIssuedTokenType() {
            return this.issuedTokenType;
        }

        @NonNull
        public String getTokenType() {
            return this.tokenType;
        }

        public Long getExpiresIn() {
            return this.expiresIn;
        }

        public String getScope() {
            return this.scope;
        }

        public String getRefreshToken() {
            return this.refreshToken;
        }
    }

    /* loaded from: input_file:io/unitycatalog/server/service/AuthService$TokenTypes.class */
    interface TokenTypes {
        public static final String ACCESS = "urn:ietf:params:oauth:token-type:access_token";
        public static final String ID = "urn:ietf:params:oauth:token-type:id_token";
        public static final String JWT = "urn:ietf:params:oauth:token-type:jwt";
    }

    public AuthService(SecurityContext securityContext) {
        this.securityContext = securityContext;
    }

    @Post("/tokens")
    public HttpResponse grantToken(OAuthTokenExchangeRequest oAuthTokenExchangeRequest) {
        LOGGER.debug("Got token: {}", oAuthTokenExchangeRequest);
        if (oAuthTokenExchangeRequest.getGrantType() == null || !GrantTypes.TOKEN_EXCHANGE.equals(oAuthTokenExchangeRequest.getGrantType())) {
            throw new OAuthInvalidRequestException(ErrorCode.INVALID_ARGUMENT, "Unsupported grant type: " + oAuthTokenExchangeRequest.getGrantType());
        }
        if (oAuthTokenExchangeRequest.getRequestedTokenType() == null || !TokenTypes.ACCESS.equals(oAuthTokenExchangeRequest.getRequestedTokenType())) {
            throw new OAuthInvalidRequestException(ErrorCode.INVALID_ARGUMENT, "Unsupported requested token type: " + oAuthTokenExchangeRequest.getRequestedTokenType());
        }
        if (oAuthTokenExchangeRequest.getSubjectTokenType() == null) {
            throw new OAuthInvalidRequestException(ErrorCode.INVALID_ARGUMENT, "Subject token type is required but was not specified");
        }
        if (oAuthTokenExchangeRequest.getActorTokenType() != null) {
            throw new OAuthInvalidRequestException(ErrorCode.INVALID_ARGUMENT, "Actor tokens not currently supported");
        }
        if (!ServerPropertiesUtils.getInstance().getProperty("server.authorization", "disable").equals("enable")) {
            throw new OAuthInvalidRequestException(ErrorCode.INVALID_ARGUMENT, "Authorization is disabled");
        }
        DecodedJWT decode = JWT.decode(oAuthTokenExchangeRequest.getSubjectToken());
        String asString = decode.getClaim("iss").asString();
        String asString2 = decode.getHeaderClaim("kid").asString();
        LOGGER.debug("Validating token for issuer: {}", asString);
        DecodedJWT verify = this.jwksOperations.verifierForIssuerAndKey(asString, asString2).verify(decode);
        verifyPrincipal(verify);
        LOGGER.debug("Validated. Creating access token.");
        return HttpResponse.ofJson(OAuthTokenExchangeResponse.builder().accessToken(this.securityContext.createAccessToken(verify)).issuedTokenType(TokenTypes.ACCESS).tokenType(AuthTypes.BEARER).build());
    }

    private static void verifyPrincipal(DecodedJWT decodedJWT) {
        String asString = decodedJWT.getClaim(JwtClaim.EMAIL.key()).isMissing() ? decodedJWT.getClaim(JwtClaim.SUBJECT.key()).asString() : decodedJWT.getClaim(JwtClaim.EMAIL.key()).asString();
        if (asString.equals("admin")) {
            return;
        }
        try {
            User userByEmail = USER_REPOSITORY.getUserByEmail(asString);
            if (userByEmail != null) {
                if (userByEmail.getState() == User.StateEnum.ENABLED) {
                    return;
                }
            }
        } catch (Exception e) {
        }
        throw new OAuthInvalidRequestException(ErrorCode.INVALID_ARGUMENT, "User not allowed: " + asString);
    }
}
