package nl.vpro.io.prepr.rs;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.ServerErrorException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.ext.Provider;
import lombok.Generated;
import nl.vpro.jmx.MBeans;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.io.IOUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;

@PreprEndPoint
@Provider
/* loaded from: input_file:nl/vpro/io/prepr/rs/SignatureValidatorInterceptor.class */
public class SignatureValidatorInterceptor implements SignatureValidatorInterceptorMXBean, ContainerRequestFilter {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(SignatureValidatorInterceptor.class);
    private static final String[] SIGNATURES = {"Mediaconnect-Signature", "Prepr-Signature"};
    static final Map<String, List<UUID>> WEBHOOK_IDS = new ConcurrentHashMap();
    private static Instant ready = null;
    private InvalidSignatureAction invalidSignatureAction = InvalidSignatureAction.UNAUTHORIZED;

    public static boolean put(String str, UUID uuid) {
        List<UUID> computeIfAbsent = WEBHOOK_IDS.computeIfAbsent(str, str2 -> {
            return Collections.synchronizedList(new ArrayList());
        });
        if (computeIfAbsent.contains(uuid)) {
            log.debug("webhook for {} was registered already {}", str, uuid);
            return false;
        }
        computeIfAbsent.add(uuid);
        log.info("Registered webhook {} -> {}", str, uuid);
        return true;
    }

    public static void readyForRequests() {
        ready = Instant.now();
    }

    public static boolean isReadyForRequests() {
        return ready != null;
    }

    public void registerBean() {
        MBeans.registerBean(MBeans.getObjectNameWithName(this, "signatureinterceptor"), this);
    }

    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (ready == null) {
            log.info("Received webhook while we are not yet ready and can't validate it yet");
            throw new ServerErrorException("Received webhook while we are not yet ready and can't validate it yet", 503);
        }
        try {
            String headerString = containerRequestContext.getHeaderString("User-Agent");
            if (headerString != null) {
                MDC.put(Constants.USER_AGENT, headerString);
            }
            String str = null;
            String[] strArr = SIGNATURES;
            int length = strArr.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                String str2 = strArr[i];
                str = containerRequestContext.getHeaderString(str2);
                if (str != null) {
                    log.debug("Found signature at {}", str2);
                    break;
                }
                i++;
            }
            String[] split = containerRequestContext.getUriInfo().getPath().split("/");
            String str3 = split[split.length - 1];
            if (str == null) {
                log.warn("No signature found {} in ({})", SIGNATURES, containerRequestContext.getHeaders().keySet());
                throw new NoSignatureException(this.invalidSignatureAction, str3, "No signature found", null);
            }
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            IOUtils.copy(containerRequestContext.getEntityStream(), byteArrayOutputStream);
            containerRequestContext.setEntityStream(new ByteArrayInputStream(byteArrayOutputStream.toByteArray()));
            try {
                validate(str, byteArrayOutputStream.toByteArray(), str3);
            } catch (InvalidKeyException | NoSuchAlgorithmException e) {
                log.error(e.getMessage());
            }
        } catch (SignatureException e2) {
            throw e2;
        } catch (Exception e3) {
            log.error(e3.getMessage(), e3);
            throw e3;
        }
    }

    protected void validate(String str, byte[] bArr, String str2) throws NoSuchAlgorithmException, InvalidKeyException, SignatureMatchException {
        List<UUID> list = WEBHOOK_IDS.get(str2);
        if (list == null || list.isEmpty()) {
            log.warn("No webhookId found for {} (Only known for {})", str2, WEBHOOK_IDS.keySet());
            throw new NotRegisteredSignatureException(this.invalidSignatureAction, str2, "Webhook id currently not registered for " + str2, bArr);
        }
        UUID uuid = null;
        ArrayList arrayList = new ArrayList();
        Iterator<UUID> it = list.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            UUID next = it.next();
            String sign = sign(next, bArr);
            if (Objects.equals(sign, str)) {
                log.debug("Validated {}", str);
                uuid = next;
                break;
            }
            arrayList.add(() -> {
                log.warn("Incoming signature {} didn't match {} (payload (signed with webhookid: {}):\n{}", new Object[]{str, sign, next, new String(bArr, StandardCharsets.UTF_8)});
            });
        }
        if (uuid == null) {
            arrayList.forEach((v0) -> {
                v0.run();
            });
            if (!this.invalidSignatureAction.test(((Instant) Optional.ofNullable(ready).orElse(Instant.now())).plus((TemporalAmount) Duration.ofMinutes(5L)))) {
                if (list.size() != 1) {
                    throw new SignatureMatchException(this.invalidSignatureAction, str2, list.get(0), "No signing webhook ids matched. For channel " + str2 + "  we see the following webhook ids:  " + String.valueOf(list), bArr);
                }
                throw new SignatureMatchException(this.invalidSignatureAction, str2, list.get(0), "Validation for failed for " + str2 + " webhook id: " + String.valueOf(list), bArr);
            }
            log.info("Not matched call for channel {} but accepting anyways because {}", str2, this.invalidSignatureAction);
        }
        MDC.put("userName", "webhook:" + String.valueOf(uuid));
        if (list.size() > 1) {
            Iterator<UUID> it2 = list.iterator();
            while (it2.hasNext() && !it2.next().equals(uuid)) {
            }
        }
    }

    String sign(UUID uuid, byte[] bArr) throws NoSuchAlgorithmException, InvalidKeyException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(uuid.toString().getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return new String(Hex.encodeHex(mac.doFinal(bArr)));
    }

    public static Optional<UUID> getWebhookIdForChannel(String str) {
        return Optional.ofNullable(WEBHOOK_IDS.get(str)).map(list -> {
            return (UUID) list.get(0);
        });
    }

    public static PreprWebhookAnswer createAnswer(String str, String str2) {
        return new PreprWebhookAnswer(str2, getWebhookIdForChannel(str).orElse(null), str);
    }

    @Override // nl.vpro.io.prepr.rs.SignatureValidatorInterceptorMXBean
    @Generated
    public InvalidSignatureAction getInvalidSignatureAction() {
        return this.invalidSignatureAction;
    }

    @Override // nl.vpro.io.prepr.rs.SignatureValidatorInterceptorMXBean
    @Generated
    public void setInvalidSignatureAction(InvalidSignatureAction invalidSignatureAction) {
        this.invalidSignatureAction = invalidSignatureAction;
    }
}
