package org.trellisldp.auth.oauth;

import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.security.SecurityException;
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Objects;
import java.util.Optional;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.SecurityContext;
import org.apache.tamaya.Configuration;
import org.apache.tamaya.ConfigurationProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

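/**
 * JAX-RS request filter that authenticates OAuth 2.0 Bearer tokens carried in the
 * {@code Authorization} header.
 *
 * <p>Behaviour, as implemented below:
 * <ul>
 *   <li>No {@code Authorization} header, or one with a scheme other than {@code Bearer}:
 *       the request passes through untouched — no {@link SecurityContext} is installed — so any
 *       decision about anonymous access has to be made downstream of this filter.</li>
 *   <li>A {@code Bearer} token that the {@link Authenticator} rejects: the request is refused
 *       with a {@link NotAuthorizedException} carrying the {@code Bearer realm="..."}
 *       challenge.</li>
 *   <li>A token the {@link Authenticator} accepts: an {@link OAuthSecurityContext} holding the
 *       resulting {@link Principal} replaces the request's security context.</li>
 * </ul>
 *
 * <p>The {@link Authenticator} is chosen once, at construction, from the Tamaya configuration;
 * see {@link #buildAuthenticator()} for the precedence. The priority value 1000 is the JAX-RS
 * {@code Priorities.AUTHENTICATION} slot.
 *
 * <p>Note that {@link OAuthSecurityContext#isUserInRole(String)} always answers {@code true};
 * role-based checks cannot rely on this filter to deny access.
 */
@Priority(1000)
public class OAuthFilter implements ContainerRequestFilter {
    /** Realm advertised in the challenge on rejection; defaults to {@code trellis}. */
    public static final String CONFIG_AUTH_REALM = "trellis.auth.realm";
    /** Path of a truststore holding the keys used to verify token signatures. */
    public static final String CONFIG_AUTH_OAUTH_KEYSTORE_PATH = "trellis.auth.oauth.keystore.path";
    /** Credentials for the truststore; defaults to the empty string. */
    public static final String CONFIG_AUTH_OAUTH_KEYSTORE_CREDENTIALS = "trellis.auth.oauth.keystore.credentials";
    /** Comma-separated list of key ids to load from the truststore. */
    public static final String CONFIG_AUTH_OAUTH_KEYSTORE_IDS = "trellis.auth.oauth.keystore.ids";
    /** Shared (symmetric) secret used to verify token signatures. */
    public static final String CONFIG_AUTH_OAUTH_SHARED_SECRET = "trellis.auth.oauth.sharedsecret";
    /** URL of a JWK set used to verify token signatures. */
    public static final String CONFIG_AUTH_OAUTH_JWK_URL = "trellis.auth.oauth.jwk";
    /** The only {@code Authorization} scheme this filter handles. */
    public static final String SCHEME = "Bearer";
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuthFilter.class);
    private final Authenticator authenticator;
    /** Pre-built {@code Bearer realm="..."} challenge returned on rejection. */
    private final String challenge;

    /**
     * {@link SecurityContext} installed for a successfully authenticated Bearer token.
     *
     * <p>The decompiler reports that this class was {@code private} in the original source; it is
     * only ever created from {@link OAuthFilter#filter(ContainerRequestContext)}.
     */
    public static final class OAuthSecurityContext implements SecurityContext {
        private final boolean secure;
        private final Principal principal;

        /**
         * @param secure whether the request arrived over a secure channel (copied from the
         *        context this one replaces)
         * @param principal the authenticated principal
         */
        private OAuthSecurityContext(final boolean secure, final Principal principal) {
            this.secure = secure;
            this.principal = principal;
        }

        public Principal getUserPrincipal() {
            return principal;
        }

        /**
         * Always {@code true}: this context carries no role information, so role membership is
         * never denied here. Any role enforcement has to happen elsewhere.
         */
        public boolean isUserInRole(final String role) {
            return true;
        }

        public boolean isSecure() {
            return secure;
        }

        public String getAuthenticationScheme() {
            return SCHEME;
        }
    }

    /** CDI constructor: builds the {@link Authenticator} from configuration. */
    @Inject
    public OAuthFilter() {
        this(buildAuthenticator());
    }

    /**
     * @param authenticator the token authenticator to use; the realm comes from
     *        {@value #CONFIG_AUTH_REALM} (default {@code trellis})
     */
    public OAuthFilter(final Authenticator authenticator) {
        this(authenticator, ConfigurationProvider.getConfiguration().getOrDefault(CONFIG_AUTH_REALM, "trellis"));
    }

    /**
     * @param authenticator the token authenticator to use
     * @param realm the realm placed in the {@code WWW-Authenticate} challenge on rejection; it is
     *        interpolated verbatim, so it must not contain double quotes
     */
    public OAuthFilter(final Authenticator authenticator, final String realm) {
        this.authenticator = authenticator;
        this.challenge = "Bearer realm=\"" + realm + "\"";
    }

    /**
     * Installs an {@link OAuthSecurityContext} when the request carries a valid Bearer token.
     *
     * <p>Requests without a Bearer token are left untouched.
     *
     * @param containerRequestContext the request being filtered
     * @throws NotAuthorizedException if a Bearer token is present but cannot be authenticated;
     *         the response carries the configured {@code Bearer realm="..."} challenge
     * @throws IOException declared by {@link ContainerRequestFilter#filter}; not thrown here
     */
    public void filter(final ContainerRequestContext containerRequestContext) throws IOException {
        // Preserve the transport-security flag of the context we may be about to replace.
        final boolean secure = Optional.ofNullable(containerRequestContext.getSecurityContext())
                .filter(SecurityContext::isSecure)
                .isPresent();
        getOAuthToken(containerRequestContext)
                .map(token -> authenticate(token)
                        .orElseThrow(() -> new NotAuthorizedException(challenge, new Object[0])))
                .ifPresent(principal -> containerRequestContext
                        .setSecurityContext(new OAuthSecurityContext(secure, principal)));
    }

    /**
     * Runs the configured {@link Authenticator} and maps token failures to an empty result.
     *
     * <p>Catch order matters: {@code io.jsonwebtoken.security.SecurityException} is a subtype of
     * {@link JwtException}, so it has to be handled first. The decompiled listing had the two
     * clauses reversed, which javac rejects and which would leave the signature-failure branch
     * unreachable. Only the exception message is logged, never the token itself.
     *
     * @param token the raw Bearer credential
     * @return the authenticated principal, or empty when the token is rejected
     */
    private Optional<Principal> authenticate(final String token) {
        try {
            return authenticator.authenticate(token);
        } catch (final SecurityException ex) {
            // Bad signature or key mismatch: routine for a misdirected token, so log at debug.
            LOGGER.debug("Invalid signature, ignoring JWT token: {}", ex.getMessage());
            return Optional.empty();
        } catch (final JwtException ex) {
            // Any other JWT problem, e.g. a malformed or expired token.
            LOGGER.warn("Problem reading JWT value: {}", ex.getMessage());
            return Optional.empty();
        }
    }

    /**
     * Extracts the credential from an {@code Authorization: Bearer <token>} header.
     *
     * <p>The scheme is matched case-insensitively (HTTP authentication schemes are) and the
     * header is split on the first space only, so a credential containing spaces is passed
     * through whole. Empty when the header is absent, uses another scheme, or is the bare
     * scheme with nothing after it; a trailing space yields an empty-string credential that is
     * handed to the authenticator unchanged.
     *
     * @param ctx the request being filtered
     * @return the Bearer credential, if any
     */
    private Optional<String> getOAuthToken(final ContainerRequestContext ctx) {
        return Optional.ofNullable(ctx.getHeaderString("Authorization"))
                .map(header -> header.split(" ", 2))
                .filter(parts -> parts[0].equalsIgnoreCase(SCHEME))
                .filter(parts -> parts.length == 2)
                .map(parts -> parts[1]);
    }

    /**
     * Picks the {@link Authenticator} from configuration, in this order:
     * <ol>
     *   <li>JWK set URL ({@value #CONFIG_AUTH_OAUTH_JWK_URL})</li>
     *   <li>truststore ({@value #CONFIG_AUTH_OAUTH_KEYSTORE_PATH}, with
     *       {@value #CONFIG_AUTH_OAUTH_KEYSTORE_CREDENTIALS} and the comma-separated
     *       {@value #CONFIG_AUTH_OAUTH_KEYSTORE_IDS})</li>
     *   <li>shared secret ({@value #CONFIG_AUTH_OAUTH_SHARED_SECRET})</li>
     * </ol>
     * Each {@code OAuthUtils} builder appears to return {@code null} when its key is unset (that
     * is what the null checks below rely on). When nothing is configured a
     * {@code NullAuthenticator} is used; what it accepts is defined elsewhere — presumably it
     * rejects every token, but an unconfigured deployment should be checked against it.
     *
     * @return the authenticator to use for this deployment
     */
    private static Authenticator buildAuthenticator() {
        final Configuration config = ConfigurationProvider.getConfiguration();

        final Authenticator jwk = OAuthUtils.buildAuthenticatorWithJwk(config.get(CONFIG_AUTH_OAUTH_JWK_URL));
        if (jwk != null) {
            return jwk;
        }

        // Credentials are passed as char[] as the keystore API expects; an unset id list becomes
        // a single empty-string id.
        final Authenticator truststore = OAuthUtils.buildAuthenticatorWithTruststore(
                config.get(CONFIG_AUTH_OAUTH_KEYSTORE_PATH),
                config.getOrDefault(CONFIG_AUTH_OAUTH_KEYSTORE_CREDENTIALS, "").toCharArray(),
                Arrays.asList(config.getOrDefault(CONFIG_AUTH_OAUTH_KEYSTORE_IDS, "").split(",")));
        if (truststore != null) {
            return truststore;
        }

        final Authenticator sharedSecret = OAuthUtils.buildAuthenticatorWithSharedSecret(
                config.get(CONFIG_AUTH_OAUTH_SHARED_SECRET));
        return sharedSecret != null ? sharedSecret : new NullAuthenticator();
    }
}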
