package net.trajano.ms.vertx.jaxrs;

import java.net.URI;
import java.util.Arrays;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.annotation.PostConstruct;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import net.trajano.ms.core.ErrorCodes;
import net.trajano.ms.core.ErrorResponse;
import net.trajano.ms.vertx.beans.DefaultAssertionRequiredPredicate;
import net.trajano.ms.vertx.beans.JwksProvider;
import net.trajano.ms.vertx.beans.JwtAssertionRequiredPredicate;
import net.trajano.ms.vertx.beans.JwtClaimsProcessor;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;

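/**
 * JAX-RS request filter that authenticates a request from the JWT carried in the
 * {@value #X_JWT_ASSERTION} header.
 * <p>
 * The filter only acts when the configured {@link JwtAssertionRequiredPredicate} says the
 * matched resource requires an assertion. It then verifies the JWT with the consumer built by
 * {@link JwksProvider}, installs a {@link JwtSecurityContext} for the request and, when one is
 * wired, runs a {@link JwtClaimsProcessor} over the claims. Failures abort the request:
 * 401 for a missing or invalid assertion (and for a missing audience header), 403 when the
 * claims processor rejects the claims.
 * <p>
 * NOTE(review): the key-set location ({@value #X_JWKS_URI}) and the expected audience
 * ({@value #X_JWT_AUDIENCE}) are taken from request headers. That is only sound when these
 * headers are set by a trusted upstream component and cannot be supplied by the end client;
 * confirm the deployment strips them from inbound traffic.
 */
@Provider
@Priority(2000)
@Component
public class JwtAssertionInterceptor implements ContainerRequestFilter {

    private static final Logger LOG = LoggerFactory.getLogger(JwtAssertionInterceptor.class);

    /** Header naming the JWKS endpoint used to verify the assertion's signature. */
    public static final String X_JWKS_URI = "X-JWKS-URI";

    /** Header carrying the JWT to authenticate; also echoed as the {@code WWW-Authenticate} scheme. */
    public static final String X_JWT_ASSERTION = "X-JWT-Assertion";

    /** Header carrying the expected audience(s), separated by {@code ", "}. */
    public static final String X_JWT_AUDIENCE = "X-JWT-Audience";

    /** Header whose value is echoed in error responses so clients can correlate failures. */
    private static final String X_REQUEST_ID = "X-Request-ID";

    /** Separator between multiple audiences in the {@value #X_JWT_AUDIENCE} header. */
    private static final String AUDIENCE_SEPARATOR = ", ";

    private JwtAssertionRequiredPredicate assertionRequiredPredicate;

    private JwtClaimsProcessor claimsProcessor;

    /**
     * Expected issuer. Only used here to warn when absent; the issuer check itself is
     * presumably performed by the consumer the {@link JwksProvider} builds — confirm.
     */
    @Autowired(required = false)
    @Qualifier("authz.issuer")
    private URI issuer;

    /** Per-location cache of key-set clients so the JWKS document is not re-fetched on every request. */
    private final ConcurrentMap<String, HttpsJwks> jwks = new ConcurrentHashMap<>();

    private JwksProvider jwksProvider;

    @Context
    private ResourceInfo resourceInfo;

    /**
     * Authenticates the request when the matched resource requires an assertion.
     *
     * @param requestContext the request being filtered; aborted with 401/403 on failure
     */
    @Override
    public void filter(final ContainerRequestContext requestContext) {
        if (!assertionRequiredPredicate.test(resourceInfo)) {
            return;
        }
        final String assertion = requestContext.getHeaderString(X_JWT_ASSERTION);
        if (assertion == null) {
            LOG.warn("Missing assertion on request for {}", requestContext.getUriInfo());
            abortUnauthorized(requestContext, "Missing assertion");
            return;
        }
        // Only record that an assertion is present: the raw JWT is a bearer credential and
        // must not be written to log files.
        LOG.debug("assertion present, length={}", assertion.length());

        final String audienceHeader = requestContext.getHeaderString(X_JWT_AUDIENCE);
        if (audienceHeader == null) {
            // Without an expected audience the token cannot be bound to this service. Fail closed
            // with a 401 rather than the NullPointerException (HTTP 500) split() would raise.
            LOG.warn("Missing audience on request for {}", requestContext.getUriInfo());
            abortUnauthorized(requestContext, "Missing audience");
            return;
        }
        try {
            final JwtClaims claims = jwksProvider
                .buildConsumer(resolveJwks(requestContext.getHeaderString(X_JWKS_URI)),
                    Arrays.asList(audienceHeader.split(AUDIENCE_SEPARATOR)))
                .processToClaims(assertion);
            requestContext.setSecurityContext(new JwtSecurityContext(claims, requestContext.getUriInfo()));
            if (claimsProcessor != null) {
                final Boolean accepted = claimsProcessor.apply(claims);
                LOG.debug("{}.validateClaims result={}", claimsProcessor, accepted);
                // A null result counts as rejection so a misbehaving processor fails closed.
                if (!Boolean.TRUE.equals(accepted)) {
                    LOG.warn("Validation of claims failed on request for {}", requestContext.getUriInfo());
                    requestContext.abortWith(Response.status(Response.Status.FORBIDDEN)
                        .entity(new ErrorResponse(ErrorCodes.FORBIDDEN, "Claims validation failed",
                            requestContext.getHeaderString(X_REQUEST_ID)))
                        .build());
                }
            }
        } catch (final InvalidJwtException e) {
            // Full detail only at DEBUG; the exception text from the JWT library may carry claim
            // contents, so the ERROR line stays deliberately terse.
            if (LOG.isDebugEnabled()) {
                LOG.debug("JWT invalid", e);
            } else {
                LOG.error("JWT Invalid");
            }
            abortUnauthorized(requestContext, "JWT was not valid");
        }
    }

    /**
     * Returns the key-set client for the given location, creating and caching it on first use.
     *
     * @param jwksUri value of the {@value #X_JWKS_URI} header, may be {@code null}
     * @return the cached client, or {@code null} when no URI was supplied (the provider is then
     *         handed {@code null} and decides how to verify)
     */
    private HttpsJwks resolveJwks(final String jwksUri) {
        if (jwksUri == null) {
            return null;
        }
        // Store the instance so later requests for the same URI reuse the fetched key set.
        // NOTE(review): the cache is unbounded and keyed by a header value; acceptable only if the
        // header comes from a trusted upstream and takes a small, fixed set of values.
        return jwks.computeIfAbsent(jwksUri, HttpsJwks::new);
    }

    /**
     * Aborts the request with 401 Unauthorized, naming the assertion header in
     * {@code WWW-Authenticate} and echoing the request id.
     *
     * @param requestContext request to abort
     * @param message        human-readable reason placed in the error body
     */
    private static void abortUnauthorized(final ContainerRequestContext requestContext, final String message) {
        requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)
            .header("WWW-Authenticate", X_JWT_ASSERTION)
            .entity(new ErrorResponse(ErrorCodes.UNAUTHORIZED_CLIENT, message,
                requestContext.getHeaderString(X_REQUEST_ID)))
            .build());
    }

    /**
     * Logs the effective configuration and installs the annotation-based default predicate when
     * no {@link JwtAssertionRequiredPredicate} bean was wired.
     */
    @PostConstruct
    public void init() {
        if (issuer == null) {
            LOG.warn("`authz.issuer` was not specified, will accept any issuer");
        }
        if (claimsProcessor == null) {
            LOG.warn("JwtClaimsProcessor was not defined, will not peform any claims validation");
        }
        if (assertionRequiredPredicate == null) {
            LOG.debug("assertionRequiredPredicate was not defined, default annotation based predicate will be used");
            assertionRequiredPredicate = new DefaultAssertionRequiredPredicate();
        }
    }

    /**
     * Optionally overrides the predicate deciding which resources require an assertion.
     *
     * @param jwtAssertionRequiredPredicate predicate bean, or {@code null} to keep the default
     */
    @Autowired(required = false)
    public void setAssertionRequiredFunction(final JwtAssertionRequiredPredicate jwtAssertionRequiredPredicate) {
        assertionRequiredPredicate = jwtAssertionRequiredPredicate;
    }

    /**
     * Optionally installs a processor that accepts or rejects the verified claims.
     *
     * @param jwtClaimsProcessor processor bean, or {@code null} to skip claims validation
     */
    @Autowired(required = false)
    public void setClaimsProcessor(final JwtClaimsProcessor jwtClaimsProcessor) {
        claimsProcessor = jwtClaimsProcessor;
    }

    /**
     * Installs the provider that builds the JWT consumer used for signature and audience checks.
     *
     * @param jwksProvider required provider bean
     */
    @Autowired
    public void setJwksProvider(final JwksProvider jwksProvider) {
        this.jwksProvider = jwksProvider;
    }
}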
