package com.predic8.membrane.core.interceptor.jwt;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.predic8.membrane.annot.MCAttribute;
import com.predic8.membrane.annot.MCChildElement;
import com.predic8.membrane.annot.MCElement;
import com.predic8.membrane.core.Router;
import com.predic8.membrane.core.exchange.Exchange;
import com.predic8.membrane.core.http.Response;
import com.predic8.membrane.core.interceptor.AbstractInterceptor;
import com.predic8.membrane.core.interceptor.Interceptor;
import com.predic8.membrane.core.interceptor.Outcome;
import com.predic8.membrane.core.security.JWTSecurityScheme;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringEscapeUtils;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@MCElement(name = "jwtAuth")
/* loaded from: input_file:WEB-INF/lib/service-proxy-core-5.7.1.jar:com/predic8/membrane/core/interceptor/jwt/JwtAuthInterceptor.class */
public class JwtAuthInterceptor extends AbstractInterceptor {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) JwtAuthInterceptor.class);
    public static final String ERROR_JWT_NOT_FOUND = "Could not retrieve JWT";
    public static final String ERROR_DECODED_HEADER_NOT_JSON = "JWT header is not valid JSON";
    public static final String ERROR_UNKNOWN_KEY = "JWT signed by unknown key";
    public static final String ERROR_VALIDATION_FAILED = "JWT validation failed";
    ObjectMapper mapper = new ObjectMapper();
    JwtRetriever jwtRetriever;
    Jwks jwks;
    String expectedAud;
    volatile HashMap<String, RsaJsonWebKey> kidToKey;

    public JwtAuthInterceptor() {
        this.name = "JWT Checker.";
        setFlow(EnumSet.of(Interceptor.Flow.REQUEST));
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public void init(Router router) throws Exception {
        super.init(router);
        if (this.jwtRetriever == null) {
            this.jwtRetriever = new HeaderJwtRetriever("Authorization", "Bearer");
        }
        this.jwks.init(router.getResolverMap(), router.getBaseLocation());
        this.kidToKey = (HashMap) this.jwks.getJwks().stream().map(jwk -> {
            try {
                return new RsaJsonWebKey((Map<String, Object>) this.mapper.readValue(jwk.getJwk(router.getResolverMap(), router.getBaseLocation(), this.mapper), Map.class));
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }).collect(HashMap::new, (hashMap, rsaJsonWebKey) -> {
            hashMap.put(rsaJsonWebKey.getKeyId(), rsaJsonWebKey);
        }, (v0, v1) -> {
            v0.putAll(v1);
        });
        if (this.kidToKey.isEmpty()) {
            throw new RuntimeException("No JWKs given or none resolvable - please specify at least one resolvable JWK");
        }
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public Outcome handleRequest(Exchange exchange) {
        try {
            return handleJwt(exchange, this.jwtRetriever.get(exchange));
        } catch (JsonProcessingException e) {
            return setJsonErrorAndReturn(e, exchange, 400, "JWT header is not valid JSON");
        } catch (JWTException e2) {
            return setJsonErrorAndReturn(e2, exchange, 400, e2.getMessage());
        } catch (InvalidJwtException e3) {
            return setJsonErrorAndReturn(e3, exchange, 400, ERROR_VALIDATION_FAILED);
        } catch (Exception e4) {
            return setJsonErrorAndReturn(e4, exchange, 400, ERROR_JWT_NOT_FOUND);
        }
    }

    public Outcome handleJwt(Exchange exchange, String str) throws JWTException, JsonProcessingException, InvalidJwtException {
        if (str == null) {
            throw new JWTException(ERROR_JWT_NOT_FOUND);
        }
        String kid = new JsonWebToken(str).getHeader().kid();
        if (!this.kidToKey.containsKey(kid)) {
            throw new JWTException(ERROR_UNKNOWN_KEY);
        }
        Map<String, Object> claimsMap = createValidator(this.kidToKey.get(kid)).processToClaims(str).getClaimsMap();
        exchange.getProperties().put("jwt", claimsMap);
        new JWTSecurityScheme(claimsMap).add(exchange);
        return Outcome.CONTINUE;
    }

    private JwtConsumer createValidator(RsaJsonWebKey rsaJsonWebKey) {
        JwtConsumerBuilder verificationKey = new JwtConsumerBuilder().setRequireExpirationTime().setAllowedClockSkewInSeconds(30).setRequireSubject().setVerificationKey(rsaJsonWebKey.getRsaPublicKey());
        if (acceptAnyAud()) {
            verificationKey.setSkipDefaultAudienceValidation();
        } else if (this.expectedAud != null && !this.expectedAud.isEmpty()) {
            verificationKey.setExpectedAudience(this.expectedAud);
        }
        return verificationKey.build();
    }

    private boolean acceptAnyAud() {
        return this.expectedAud != null && this.expectedAud.equals("any!!");
    }

    private Outcome setJsonErrorAndReturn(Exception exc, Exchange exchange, int i, String str) {
        if (exc != null) {
            if (exc instanceof InvalidJwtException) {
                LOG.error(exc.getMessage());
            } else {
                LOG.error("", (Throwable) exc);
            }
        }
        try {
            exchange.setResponse(Response.ResponseBuilder.newInstance().status(i, "Bad Request").body(this.mapper.writeValueAsString(Map.of("code", Integer.valueOf(i), "description", str))).build());
            return Outcome.RETURN;
        } catch (JsonProcessingException e) {
            throw new RuntimeException(e);
        }
    }

    public JwtRetriever getJwtRetriever() {
        return this.jwtRetriever;
    }

    @MCChildElement
    public void setJwtRetriever(JwtRetriever jwtRetriever) {
        this.jwtRetriever = jwtRetriever;
    }

    public Jwks getJwks() {
        return this.jwks;
    }

    @MCChildElement(order = 1)
    public void setJwks(Jwks jwks) {
        this.jwks = jwks;
    }

    public String getExpectedAud() {
        return this.expectedAud;
    }

    @MCAttribute
    public JwtAuthInterceptor setExpectedAud(String str) {
        this.expectedAud = str;
        return this;
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public String getShortDescription() {
        return "Checks for a valid JWT.";
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public String getLongDescription() {
        return "Checks for a valid JWT.<br/>" + (acceptAnyAud() ? "Accepts any value for the <font style=\"font-family: monospace\">aud</font> field. <b>THIS IS STRONGLY DISCOURAGED!</b><br/>" : "Accepts <font style=\"font-family: monospace\">" + StringEscapeUtils.escapeHtml4(this.expectedAud) + "</font> as valid value for the <font style=\"font-family: monospace\">aud</font> payload entry.<br/>") + (this.jwks != null ? "Validates the JWT signature against " + this.jwks.getLongDescription() + " ." : "");
    }
}
