package fi.metatavu.acgbridge.server.rest;

import fi.metatavu.acgbridge.server.persistence.model.Client;
import fi.metatavu.acgbridge.server.security.AuthenticationWhitelistController;
import fi.metatavu.acgbridge.server.security.ClientController;
import fi.metatavu.acgbridge.server.security.HmacSignatureBuilder;
import fi.metatavu.acgbridge.server.security.HmacSignatureException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Provider;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.CharEncoding;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.message.ParameterizedMessage;

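@Provider
/**
 * JAX-RS request filter that authenticates API clients with an HMAC signature.
 *
 * <p>The {@code Authorization} header is expected to hold base64 of
 * {@code clientId:signature}. The client's secret key is looked up via
 * {@link ClientController}, the expected signature is rebuilt over the absolute
 * request URI (plus the request body for POST) with {@link HmacSignatureBuilder},
 * and the request is aborted with 403 unless the two signatures match. Paths
 * accepted by {@link AuthenticationWhitelistController} bypass the check.
 *
 * <p>NOTE(review): only POST bodies are included in the signed material; the
 * bodies of other methods (PUT/PATCH/...) are not integrity-protected by this
 * filter. Extending that would require every client to sign them too, so it is
 * left as-is here.
 */
public class SecurityFilter implements ContainerRequestFilter {
    private static final String AUTHORIZATION_HEADER = "Authorization";

    /**
     * Separator between the client id and the signature inside the decoded
     * Authorization value. (The compiled class referenced log4j's
     * {@code ParameterizedMessage.ERROR_MSG_SEPARATOR}, whose value is ":"; a
     * credential delimiter should not depend on a logging library constant.)
     */
    private static final String CREDENTIAL_SEPARATOR = ":";

    @Inject
    private Logger logger;

    @Inject
    private AuthenticationWhitelistController authenticationWhitelistController;

    @Inject
    private ClientController clientController;

    @Inject
    private ClientContainer clientContainer;

    @Context
    private HttpServletRequest request;

    /**
     * Authenticates the incoming request, storing the resolved {@link Client} in
     * {@link ClientContainer} on success and aborting the request with 403 on any
     * failure. Every rejection path is logged with the remote host and user agent.
     *
     * @param containerRequestContext the JAX-RS request being filtered
     */
    public void filter(ContainerRequestContext containerRequestContext) {
        UriInfo uriInfo = containerRequestContext.getUriInfo();
        if (this.authenticationWhitelistController.isWhitelisted(uriInfo.getPath())) {
            return;
        }

        String headerString = containerRequestContext.getHeaderString(AUTHORIZATION_HEADER);
        if (StringUtils.isBlank(headerString)) {
            handleUnauthorized(containerRequestContext, "Missing authorization header");
            return;
        }

        String decodedAuthorization = decodeAuthorization(headerString);
        if (StringUtils.isBlank(decodedAuthorization)) {
            handleUnauthorized(containerRequestContext, "Invalid credentials");
            return;
        }

        // Limit 2 so a signature that itself contains the separator stays intact.
        String[] credentials = StringUtils.split(decodedAuthorization, CREDENTIAL_SEPARATOR, 2);
        if (credentials.length != 2) {
            handleUnauthorized(containerRequestContext, "Missing credentials");
            return;
        }

        String clientId = credentials[0];
        String providedSignature = credentials[1];

        // NOTE(review): the distinct "Invalid clientId" / signature-mismatch response
        // bodies let an unauthenticated caller tell valid client ids from invalid
        // ones. Returning one generic body to the client (keeping the detail in the
        // log only) would close that oracle; kept for compatibility with callers.
        Client client = this.clientController.findClientByClientId(clientId);
        if (client == null) {
            handleUnauthorized(containerRequestContext, "Invalid clientId");
            return;
        }

        HmacSignatureBuilder hmacSignatureBuilder = new HmacSignatureBuilder(client.getSecretKey());
        hmacSignatureBuilder.append(uriInfo.getAbsolutePath().toString());

        if ("POST".equals(StringUtils.upperCase(containerRequestContext.getMethod()))) {
            try {
                // Buffer the body so it can be both signed here and re-read downstream.
                byte[] body = IOUtils.toByteArray(containerRequestContext.getEntityStream());
                hmacSignatureBuilder.append(new String(body, StandardCharsets.UTF_8));
                containerRequestContext.setEntityStream(new ByteArrayInputStream(body));
            } catch (IOException e) {
                // Fail closed: without the body the signature cannot be verified, and the
                // entity stream may already be partially consumed.
                this.logger.log(Level.WARNING, "Failed to read entity stream", e);
                handleUnauthorized(containerRequestContext, "Failed to read request body");
                return;
            }
        }

        try {
            String expectedSignature = hmacSignatureBuilder.build();
            if (signaturesMatch(providedSignature, expectedSignature)) {
                this.clientContainer.setClient(client);
            } else {
                handleUnauthorized(containerRequestContext, "Signature does not match");
            }
        } catch (HmacSignatureException e) {
            this.logger.log(Level.WARNING, "Malformed HMAC signature", e);
            handleUnauthorized(containerRequestContext, "Malformed signature");
        }
    }

    /**
     * Compares a client-supplied signature with the expected one in constant time.
     * A plain {@code String.equals} short-circuits on the first differing byte,
     * which leaks how many leading characters of the signature were correct.
     *
     * @param provided the signature taken from the Authorization header
     * @param expected the signature rebuilt from the client's secret key
     * @return {@code true} only when both are non-null and byte-for-byte equal
     */
    private static boolean signaturesMatch(String provided, String expected) {
        if (provided == null || expected == null) {
            return false;
        }
        return MessageDigest.isEqual(
            provided.getBytes(StandardCharsets.UTF_8),
            expected.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Base64-decodes the raw Authorization header value as UTF-8.
     *
     * @param header the raw header value (no scheme prefix is expected or stripped)
     * @return the decoded text, or {@code null} when the value is not valid base64
     */
    private String decodeAuthorization(String header) {
        try {
            return new String(Base64.getDecoder().decode(header), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            // Base64.Decoder rejects malformed input with IllegalArgumentException;
            // without this catch a garbage header surfaces as a server error rather
            // than a 403.
            this.logger.log(Level.WARNING, "Invalid credential encoding", e);
            return null;
        }
    }

    /**
     * Logs the rejection reason with request details and aborts the request with
     * HTTP 403 whose body is the reason text.
     *
     * @param containerRequestContext the request to abort
     * @param reason short human-readable reason, returned to the caller
     */
    private void handleUnauthorized(ContainerRequestContext containerRequestContext, String reason) {
        this.logger.log(Level.WARNING,
            () -> String.format("%s from %s", reason, getRequestDetails(containerRequestContext)));
        containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).entity(reason).build());
    }

    /**
     * Formats the remote host and User-Agent of the request for log messages.
     * The User-Agent is attacker-controlled and is logged verbatim, so rely on a
     * log formatter that neutralises control characters. The remote host may be
     * a proxy address if the app sits behind one.
     *
     * @param containerRequestContext the current request
     * @return {@code "<remote host> (<user agent>)"}
     */
    private String getRequestDetails(ContainerRequestContext containerRequestContext) {
        return String.format("%s (%s)", this.request.getRemoteHost(), containerRequestContext.getHeaderString("User-Agent"));
    }
}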
