package org.fenixedu.bennu.oauth.jaxrs;

import com.google.common.base.Strings;
import com.google.gson.JsonObject;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.function.Function;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.fenixedu.bennu.core.domain.User;
import org.fenixedu.bennu.core.security.Authenticate;
import org.fenixedu.bennu.oauth.annotation.OAuthEndpoint;
import org.fenixedu.bennu.oauth.domain.ApplicationUserSession;
import org.fenixedu.bennu.oauth.domain.ExternalApplication;
import org.fenixedu.bennu.oauth.domain.ExternalApplicationScope;
import org.fenixedu.bennu.oauth.domain.ServiceApplication;
import org.fenixedu.bennu.oauth.util.OAuthUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/fenixedu/bennu/oauth/jaxrs/BennuOAuthAuthorizationFilter.class */
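/**
 * JAX-RS request filter that enforces OAuth access-token checks on resource methods
 * annotated with {@link OAuthEndpoint}.
 *
 * <p>The presented token is decoded as {@code base64(<id>:<secret>)} and its first
 * component is resolved to one of two caller kinds:
 * <ul>
 *   <li>a {@link ServiceApplication} (service-to-service access): it must not be deleted
 *       or banned, must report a service authorization for the token, may be restricted by
 *       caller IP address, and must own the endpoint's scope when the endpoint declares
 *       one; or</li>
 *   <li>an {@link ApplicationUserSession} (user-delegated access): its application must
 *       not be deleted or banned and must own the endpoint's scope, the token must match
 *       the session and still be valid, and on success the session's user is authenticated
 *       for the request via {@link Authenticate#mock}.</li>
 * </ul>
 * A request whose token does not resolve to a service application and that is already
 * logged in ({@link Authenticate#isLogged()}) passes through without further checks.
 *
 * <p>Failures are reported either as a bare {@code 404}/{@code 403} (endpoint hidden or
 * IP rejected) or as a {@code 401} carrying a JSON {@code error}/{@code error_description}
 * body, see {@link #sendError}.
 */
class BennuOAuthAuthorizationFilter implements ContainerRequestFilter {
    private static final Logger logger = LoggerFactory.getLogger(BennuOAuthAuthorizationFilter.class);

    private static final String ERROR_TOKEN_NOT_RECOGNIZED = "accessTokenInvalidFormat";
    private static final String MSG_TOKEN_NOT_RECOGNIZED = "Access Token not recognized.";
    private static final String ERROR_INVALID_SCOPE = "invalidScope";
    private static final String MSG_INVALID_SCOPE = "Application doesn't have permissions to this endpoint.";
    private static final String ERROR_APP_BANNED = "appBanned";
    private static final String MSG_APP_BANNED = "The application has been banned.";

    // Injected per request; used only to read the @OAuthEndpoint annotation of the matched method.
    @Context
    ResourceInfo requestInfo;

    // Injected per request; may be absent (null) outside a servlet container, see getIpAddress().
    @Context
    private HttpServletRequest httpRequest;

    BennuOAuthAuthorizationFilter() {
    }

    /**
     * Applies the OAuth checks described on the class to the incoming request, aborting it
     * with an error response when they fail.
     *
     * @param containerRequestContext the request being filtered
     * @throws IOException declared by {@link ContainerRequestFilter#filter}; not thrown here
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        String ipAddress = getIpAddress();
        String accessToken = getAccessToken(containerRequestContext);
        // NOTE(review): assumes this filter is only bound to methods carrying @OAuthEndpoint;
        // an unannotated method would fail here with a NullPointerException — confirm against
        // the feature that registers the filter.
        OAuthEndpoint oAuthEndpoint = this.requestInfo.getResourceMethod().getAnnotation(OAuthEndpoint.class);
        Optional<ServiceApplication> serviceApplication = extractServiceApplication(accessToken);

        if (oAuthEndpoint.serviceOnly() && !serviceApplication.isPresent()) {
            // Service-only endpoints are hidden (404) from non-service callers rather than
            // reported as unauthorized.
            abortNotFound(containerRequestContext);
            return;
        }
        if (serviceApplication.isPresent()) {
            authorizeServiceApplication(containerRequestContext, serviceApplication.get(), accessToken, ipAddress,
                    oAuthEndpoint);
            return;
        }
        if (Authenticate.isLogged()) {
            logger.trace("Already logged in, proceeding...");
            return;
        }
        authorizeUserSession(containerRequestContext, accessToken, oAuthEndpoint);
    }

    /**
     * Runs the service-application checks; aborts the request on the first failure and
     * otherwise lets it proceed.
     *
     * @param ctx the request being filtered
     * @param application the service application the token resolved to
     * @param accessToken the token as presented by the caller
     * @param ipAddress the caller address from {@link #getIpAddress()}, possibly null/empty
     * @param oAuthEndpoint the endpoint annotation declaring the required scope
     */
    private void authorizeServiceApplication(ContainerRequestContext ctx, ServiceApplication application,
            String accessToken, String ipAddress, OAuthEndpoint oAuthEndpoint) {
        if (application.isDeleted()) {
            sendError(ctx, ERROR_TOKEN_NOT_RECOGNIZED, MSG_TOKEN_NOT_RECOGNIZED);
            return;
        }
        if (application.isBanned()) {
            sendError(ctx, ERROR_APP_BANNED, MSG_APP_BANNED);
            return;
        }
        if (!application.hasServiceAuthorization(accessToken)) {
            abortNotFound(ctx);
            return;
        }
        // The IP restriction is only enforced when a caller address could be determined.
        if (!Strings.isNullOrEmpty(ipAddress) && !application.matchesIpAddress(ipAddress)) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            return;
        }
        Optional<ExternalApplicationScope> scope = ExternalApplicationScope.forKey(oAuthEndpoint.value());
        if (scope.isPresent()) {
            if (!application.getScopesSet().contains(scope.get())) {
                sendError(ctx, ERROR_INVALID_SCOPE, MSG_INVALID_SCOPE);
            }
        } else if (oAuthEndpoint.value().length > 0) {
            // A scope key is declared but unknown: nothing can legitimately hold it.
            sendError(ctx, ERROR_INVALID_SCOPE, MSG_INVALID_SCOPE);
        }
        // No scope declared at all: any authorized service application may call the endpoint.
    }

    /**
     * Runs the user-session checks; aborts the request on the first failure and otherwise
     * authenticates the session's user for this request.
     *
     * @param ctx the request being filtered
     * @param accessToken the token as presented by the caller, possibly null/empty
     * @param oAuthEndpoint the endpoint annotation declaring the required scope
     */
    private void authorizeUserSession(ContainerRequestContext ctx, String accessToken, OAuthEndpoint oAuthEndpoint) {
        Optional<ExternalApplicationScope> scope = ExternalApplicationScope.forKey(oAuthEndpoint.value());
        if (!scope.isPresent()) {
            logger.debug("Scope '{}' is not defined!", oAuthEndpoint.value());
            abortNotFound(ctx);
            return;
        }
        Optional<ApplicationUserSession> userSession = extractUserSession(accessToken);
        if (!userSession.isPresent()) {
            sendError(ctx, ERROR_TOKEN_NOT_RECOGNIZED, MSG_TOKEN_NOT_RECOGNIZED);
            return;
        }
        ApplicationUserSession session = userSession.get();
        ExternalApplication application = session.getApplicationUserAuthorization().getApplication();
        if (application.isDeleted()) {
            sendError(ctx, ERROR_TOKEN_NOT_RECOGNIZED, MSG_TOKEN_NOT_RECOGNIZED);
            return;
        }
        if (application.isBanned()) {
            sendError(ctx, ERROR_APP_BANNED, MSG_APP_BANNED);
            return;
        }
        if (!application.getScopesSet().contains(scope.get())) {
            sendError(ctx, ERROR_INVALID_SCOPE, MSG_INVALID_SCOPE);
            return;
        }
        if (!session.matchesAccessToken(accessToken)) {
            sendError(ctx, "accessTokenInvalid", "Access Token doesn't match.");
            return;
        }
        if (!session.isAccessTokenValid()) {
            sendError(ctx, "accessTokenExpired",
                    "The access has expired. Please use the refresh token endpoint to generate a new one.");
            return;
        }
        User user = session.getApplicationUserAuthorization().getUser();
        if (user.isLoginExpired()) {
            sendError(ctx, ERROR_TOKEN_NOT_RECOGNIZED, MSG_TOKEN_NOT_RECOGNIZED);
            return;
        }
        Authenticate.mock(user, "OAuth Access Token");
    }

    /** Aborts the request with an empty {@code 404 Not Found}. */
    private static void abortNotFound(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.NOT_FOUND).build());
    }

    /**
     * Returns the caller's address: the {@code x-forwarded-for} header when present and
     * non-empty, else the servlet remote address; null when no servlet request is injected.
     *
     * <p>NOTE(review): {@code x-forwarded-for} is client-supplied, so the IP restriction in
     * {@link #authorizeServiceApplication} is only as strong as the proxy in front of this
     * application — confirm the proxy overwrites the header. The header may also hold a
     * comma-separated chain; the whole value is passed through unchanged here.
     */
    private String getIpAddress() {
        if (this.httpRequest == null) {
            return null;
        }
        String forwardedFor = this.httpRequest.getHeader("x-forwarded-for");
        return Strings.isNullOrEmpty(forwardedFor) ? this.httpRequest.getRemoteAddr() : forwardedFor;
    }

    /**
     * Aborts the request with {@code 401 Unauthorized} and a JSON body of the form
     * {@code {"error": ..., "error_description": ...}}.
     *
     * @param containerRequestContext the request being filtered
     * @param error machine-readable error code
     * @param description human-readable explanation
     */
    private void sendError(ContainerRequestContext containerRequestContext, String error, String description) {
        JsonObject jsonObject = new JsonObject();
        jsonObject.addProperty("error", error);
        jsonObject.addProperty("error_description", description);
        containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(jsonObject.toString())
                .type("application/json").build());
    }

    /**
     * Decodes a token of the form {@code base64(<id>:<secret>)} and hands its first component
     * to {@code resolver}.
     *
     * @param token the raw token, possibly null/empty
     * @param resolver maps the decoded id to a domain object
     * @return the resolver's result, or empty when the token is missing, is not valid Base64,
     *         does not split into exactly two {@code :}-separated parts, or the resolver
     *         throws {@link IllegalArgumentException}
     */
    private static <T> Optional<T> extractFromToken(String token, Function<String, Optional<T>> resolver) {
        if (Strings.isNullOrEmpty(token)) {
            return Optional.empty();
        }
        try {
            String[] parts = new String(Base64.getDecoder().decode(token), StandardCharsets.UTF_8).split(":");
            return parts.length == 2 ? resolver.apply(parts[0]) : Optional.empty();
        } catch (IllegalArgumentException e) {
            // Malformed token: treated as "no token" so the caller answers with a 401/404
            // instead of a server error.
            return Optional.empty();
        }
    }

    /** Resolves {@code accessToken} to a service application, see {@link #extractFromToken}. */
    private Optional<ServiceApplication> extractServiceApplication(String accessToken) {
        return extractFromToken(accessToken, id -> OAuthUtils.getDomainObject(id, ServiceApplication.class));
    }

    /** Resolves {@code accessToken} to a user session, see {@link #extractFromToken}. */
    private Optional<ApplicationUserSession> extractUserSession(String accessToken) {
        return extractFromToken(accessToken, id -> OAuthUtils.getDomainObject(id, ApplicationUserSession.class));
    }

    /** Returns the access token presented with the request, or null when none was found. */
    private String getAccessToken(ContainerRequestContext containerRequestContext) {
        return getHeaderOrQueryParam(containerRequestContext, OAuthUtils.ACCESS_TOKEN);
    }

    /**
     * Returns the token carried by an {@code Authorization} header that starts with
     * {@link OAuthUtils#TOKEN_TYPE_HEADER_ACCESS_TOKEN} (prefix removed, whitespace trimmed),
     * or null when the header is absent or uses another scheme.
     */
    private String getAuthorizationHeader(ContainerRequestContext containerRequestContext) {
        String authorization = containerRequestContext.getHeaderString("Authorization");
        if (authorization == null || !authorization.startsWith(OAuthUtils.TOKEN_TYPE_HEADER_ACCESS_TOKEN)) {
            return null;
        }
        return authorization.substring(OAuthUtils.TOKEN_TYPE_HEADER_ACCESS_TOKEN.length()).trim();
    }

    /**
     * Looks the token up in order: the {@code Authorization} header, then a header named
     * {@code name}, then a query parameter named {@code name}.
     *
     * <p>NOTE(review): accepting the token as a query parameter means it can end up in
     * access logs and browser history; presumably kept for backward compatibility — confirm.
     *
     * @return the first non-empty value found, else the (possibly null) query parameter
     */
    private String getHeaderOrQueryParam(ContainerRequestContext containerRequestContext, String name) {
        String authorizationHeader = getAuthorizationHeader(containerRequestContext);
        if (!Strings.isNullOrEmpty(authorizationHeader)) {
            return authorizationHeader;
        }
        String value = containerRequestContext.getHeaderString(name);
        if (Strings.isNullOrEmpty(value)) {
            value = containerRequestContext.getUriInfo().getQueryParameters().getFirst(name);
        }
        return value;
    }
}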
