package nl.vpro.media.odi.security;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchEvent;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Scanner;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import lombok.Generated;
import nl.vpro.domain.media.Location;
import nl.vpro.domain.media.MediaObject;
import nl.vpro.util.ThreadPools;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Aspect
/* loaded from: input_file:nl/vpro/media/odi/security/OdiAuthentication.class */
public class OdiAuthentication {
    public static final String X_NPO_DATE = "x-npo-date";
    public static final String X_NPO_MID = "x-npo-mid";
    public static final String X_NPO_URL = "x-npo-url";
    public static final String X_ORIGIN = "x-origin";
    public static final String AUTHORIZATION = "authorization";
    private static final String CONFIG_FILE = "odi.clients";
    private String configFolder;
    private long expiresInMinutes = 10;
    private Set<OdiClient> clients = null;
    private final ExecutorService executorService = Executors.newSingleThreadExecutor(ThreadPools.createThreadFactory("OdiConfigMonitor", true, 5));
    private boolean running = true;

    @Generated
    private static final Logger log = LoggerFactory.getLogger(OdiAuthentication.class);
    private static final Pattern CONFIG_PATTERN = Pattern.compile("^(\\w+):([^:]+):(false|true):(.+)$");
    private static final Pattern HEADER_PATTERN = Pattern.compile("\\s*NPO\\s+(\\w+):(.+)\\s*$");

    /* loaded from: input_file:nl/vpro/media/odi/security/OdiAuthentication$NoAccessException.class */
    public static class NoAccessException extends RuntimeException {
        private final String reason;

        NoAccessException(String str) {
            super("No access");
            this.reason = str;
        }

        public String getReason() {
            return this.reason;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:nl/vpro/media/odi/security/OdiAuthentication$WrappedIE89HttpServletRequest.class */
    public static class WrappedIE89HttpServletRequest extends HttpServletRequestWrapper {
        private static final ObjectMapper mapper = new ObjectMapper();
        private final JsonNode param;

        public WrappedIE89HttpServletRequest(String str, HttpServletRequest httpServletRequest) {
            super(httpServletRequest);
            try {
                this.param = mapper.readTree(Base64.decodeBase64(str));
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        }

        public String getHeader(String str) {
            boolean z = -1;
            switch (str.hashCode()) {
                case -1385570183:
                    if (str.equals(OdiAuthentication.AUTHORIZATION)) {
                        z = 3;
                        break;
                    }
                    break;
                case 436386883:
                    if (str.equals(OdiAuthentication.X_NPO_DATE)) {
                        z = false;
                        break;
                    }
                    break;
                case 1122464531:
                    if (str.equals(OdiAuthentication.X_NPO_MID)) {
                        z = true;
                        break;
                    }
                    break;
                case 1122472506:
                    if (str.equals(OdiAuthentication.X_NPO_URL)) {
                        z = 2;
                        break;
                    }
                    break;
            }
            switch (z) {
                case false:
                    return fromJson(OdiAuthentication.X_NPO_DATE);
                case true:
                    return fromJson(OdiAuthentication.X_NPO_MID);
                case true:
                    return fromJson(OdiAuthentication.X_NPO_URL);
                case true:
                    return fromJson(OdiAuthentication.AUTHORIZATION);
                default:
                    return super.getHeader(str);
            }
        }

        private String fromJson(String str) {
            JsonNode jsonNode = this.param.get(str);
            if (jsonNode != null) {
                return jsonNode.asText();
            }
            return null;
        }
    }

    @PostConstruct
    public void init() {
        loadAuthorizedClients();
        appendConfigWatcher();
    }

    @PreDestroy
    public void shutdown() {
        this.running = false;
        this.executorService.shutdownNow();
    }

    @Before("target(nl.vpro.media.odi.OdiService) && execution(* *(..)) && args(media, request, ..)")
    public void handleMedia(MediaObject mediaObject, HttpServletRequest httpServletRequest) {
        HttpServletRequest patchIE89 = patchIE89(httpServletRequest);
        hasRecentDateHeader(patchIE89);
        hasMatchingMid(mediaObject, patchIE89);
        isAuthorized(patchIE89);
    }

    @Before("target(nl.vpro.media.odi.OdiService) && execution(* *(..)) && args(location, request, ..)")
    public void handleLocation(Location location, HttpServletRequest httpServletRequest) {
        HttpServletRequest patchIE89 = patchIE89(httpServletRequest);
        hasRecentDateHeader(patchIE89);
        hasMatchingLocation(location, patchIE89);
        isAuthorized(patchIE89);
    }

    @Before("target(nl.vpro.media.odi.OdiService) && execution(* *(..)) && args(url, request, ..)")
    public void handleUrl(String str, HttpServletRequest httpServletRequest) {
        HttpServletRequest patchIE89 = patchIE89(httpServletRequest);
        hasRecentDateHeader(patchIE89);
        hasMatchingUrl(str, patchIE89);
        isAuthorized(patchIE89);
    }

    public void setExpiresInMinutes(int i) {
        this.expiresInMinutes = i;
    }

    public void setConfigFolder(String str) {
        this.configFolder = str;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void loadAuthorizedClients() {
        Scanner scanner;
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        if (StringUtils.isEmpty(this.configFolder)) {
            log.warn("No odi.clients folder configured, taking default odi.clients configuration");
            scanner = new Scanner(getClass().getResourceAsStream("/odi.clients"));
        } else {
            File file = new File(this.configFolder, CONFIG_FILE);
            log.info("Loading odi clients from {}", file);
            try {
                scanner = new Scanner(file);
            } catch (FileNotFoundException e) {
                throw new RuntimeException("Missing ODI config " + file, e);
            }
        }
        while (scanner.hasNextLine()) {
            try {
                String nextLine = scanner.nextLine();
                if (!nextLine.startsWith("#") && !nextLine.isEmpty()) {
                    linkedHashSet.add(extractClientConfig(nextLine));
                }
            } catch (Throwable th) {
                scanner.close();
                throw th;
            }
        }
        this.clients = Collections.unmodifiableSet(linkedHashSet);
        log.info("Loaded {} odi clients", Integer.valueOf(this.clients.size()));
        scanner.close();
    }

    private void appendConfigWatcher() {
        this.executorService.execute(new Runnable() { // from class: nl.vpro.media.odi.security.OdiAuthentication.1
            @Override // java.lang.Runnable
            public void run() {
                WatchKey take;
                Path path = Paths.get(OdiAuthentication.this.configFolder, new String[0]);
                try {
                    WatchService newWatchService = path.getFileSystem().newWatchService();
                    path.register(newWatchService, StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_MODIFY, StandardWatchEventKinds.ENTRY_MODIFY);
                    while (OdiAuthentication.this.running) {
                        try {
                            take = newWatchService.take();
                            OdiAuthentication.log.info("Reloading odi clients from {}", OdiAuthentication.this.configFolder);
                            Iterator<WatchEvent<?>> it = take.pollEvents().iterator();
                            while (true) {
                                if (!it.hasNext()) {
                                    break;
                                } else if (((Path) it.next().context()).endsWith(OdiAuthentication.CONFIG_FILE)) {
                                    OdiAuthentication.this.loadAuthorizedClients();
                                    break;
                                }
                            }
                        } catch (Exception e) {
                            OdiAuthentication.log.error("Error reloading odi config from {}. ODI clients might not function properly. Retry after file update", OdiAuthentication.CONFIG_FILE, e);
                        }
                        if (!take.reset()) {
                            OdiAuthentication.log.info("Stopped watching as key " + take + " not valid");
                            return;
                        }
                        continue;
                    }
                } catch (IOException e2) {
                    OdiAuthentication.log.error("Error starting the odi config watcher on {}", OdiAuthentication.CONFIG_FILE, e2);
                    throw new RuntimeException(e2);
                }
            }
        });
    }

    protected OdiClient extractClientConfig(String str) {
        Matcher matcher = CONFIG_PATTERN.matcher(str);
        if (!matcher.find()) {
            throw new RuntimeException("Can't parse \"" + str + "\"");
        }
        String group = matcher.group(1);
        String group2 = matcher.group(4);
        ArrayList arrayList = new ArrayList();
        for (String str2 : group2.split(",")) {
            if (!StringUtils.isEmpty(str2)) {
                arrayList.add(str2.trim());
            }
        }
        return new OdiClient(group, arrayList, matcher.group(2), matcher.group(3) != null && "true".equals(matcher.group(3)));
    }

    private void hasRecentDateHeader(HttpServletRequest httpServletRequest) {
        try {
            Date rfc822 = Util.rfc822(httpServletRequest.getHeader(X_NPO_DATE.toLowerCase()));
            if (Math.abs(rfc822.getTime() - System.currentTimeMillis()) > (this.expiresInMinutes * 60) * 1000) {
                log.debug("Expired authentication client: {} server: {}", Long.valueOf(rfc822.getTime()), Long.valueOf(System.currentTimeMillis()));
                throw new NoAccessException("not recent");
            }
        } catch (Exception e) {
        }
    }

    private void hasMatchingMid(MediaObject mediaObject, HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(X_NPO_MID.toLowerCase());
        if (header == null) {
            throw new NoAccessException("no mid header");
        }
        if (mediaObject == null) {
            throw new NoAccessException("no media");
        }
        if (!mediaObject.getMid().equals(header)) {
            throw new NoAccessException("mid");
        }
    }

    private void hasMatchingLocation(Location location, HttpServletRequest httpServletRequest) {
        throw new NoAccessException("not implemented");
    }

    private void hasMatchingUrl(String str, HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(X_NPO_URL.toLowerCase());
        if (str != null && !str.equals(header)) {
            throw new NoAccessException("url");
        }
    }

    private void isAuthorized(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(AUTHORIZATION);
        if (header == null) {
            log.debug("Missing authorization");
            throw new NoAccessException("missing");
        }
        Matcher matcher = HEADER_PATTERN.matcher(header);
        if (!matcher.find()) {
            log.debug("Invalid authorization");
            throw new NoAccessException("invalid");
        }
        String group = matcher.group(1);
        boolean z = false;
        String header2 = httpServletRequest.getHeader("origin");
        if (header2 == null) {
            header2 = httpServletRequest.getHeader("X-Origin");
            z = true;
        }
        if (header2 == null || header2.length() == 0) {
            log.debug("Missing origin");
            throw new NoAccessException("origin");
        }
        OdiClient findMatchingClient = findMatchingClient(group, header2);
        if (findMatchingClient == null) {
            log.debug("Unauthorised client");
            throw new NoAccessException("client");
        }
        if (z && !findMatchingClient.isAllowXOrigin()) {
            log.debug("X-Origin not allowed for {}", findMatchingClient);
            throw new NoAccessException("xorigin");
        }
        String group2 = matcher.group(2);
        String concatSecurityHeaders = Util.concatSecurityHeaders(httpServletRequest);
        if (Util.hmacSHA256(findMatchingClient.getSecret(), concatSecurityHeaders).equals(group2)) {
            return;
        }
        log.debug("Invalid signature " + concatSecurityHeaders);
        throw new NoAccessException("signature");
    }

    private OdiClient findMatchingClient(String str, String str2) {
        for (OdiClient odiClient : this.clients) {
            if (odiClient.getPublicKey().equals(str) && odiClient.matchesOrigin(str2)) {
                return odiClient;
            }
        }
        return null;
    }

    private HttpServletRequest patchIE89(HttpServletRequest httpServletRequest) {
        String parameter;
        if (isIE89(httpServletRequest) && (parameter = httpServletRequest.getParameter("iecomp")) != null) {
            return new WrappedIE89HttpServletRequest(parameter, httpServletRequest);
        }
        return httpServletRequest;
    }

    private boolean isIE89(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("user-agent");
        return header != null && (header.contains("MSIE 9.0") || header.contains("MSIE 8.0") || header.contains("MSIE 7.0"));
    }
}
