package eu.unicore.services.rest.security;

import de.fzj.unicore.wsrflite.Kernel;
import de.fzj.unicore.wsrflite.security.IContainerSecurityConfiguration;
import de.fzj.unicore.wsrflite.security.util.AuthZAttributeStore;
import de.fzj.unicore.wsrflite.security.util.PubkeyCache;
import eu.unicore.security.AuthorisationException;
import eu.unicore.security.Client;
import eu.unicore.security.SecurityException;
import eu.unicore.security.SecurityTokens;
import eu.unicore.security.wsutil.CXFUtils;
import eu.unicore.security.wsutil.SecuritySession;
import eu.unicore.security.wsutil.SecuritySessionStore;
import eu.unicore.services.rest.impl.PostInvokeHandler;
import eu.unicore.services.rest.jwt.JWTHelper;
import eu.unicore.services.rest.jwt.JWTServerProperties;
import eu.unicore.services.rest.security.jwt.JWTUtils;
import eu.unicore.util.Log;
import java.io.IOException;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Map;
import java.util.UUID;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.log4j.Logger;
import org.json.JSONObject;

/* loaded from: input_file:eu/unicore/services/rest/security/AuthNHandler.class */
public class AuthNHandler implements ContainerRequestFilter {
    private static final Logger logger = Log.getLogger("unicore.security", AuthNHandler.class);
    private final Kernel kernel;
    public static final String CONSIGNOR_IP_HEADER = "X-UNICORE-Consignor-IP";
    public static final String GW_EXTERNAL_URL = "X-UNICORE-Gateway";
    public static final String USER_PREFERENCES_HEADER = "X-UNICORE-User-Preferences";
    private final SecuritySessionStore sessionStore;
    private final boolean useSessions;
    private final JWTHelper jwt;

    public AuthNHandler(Kernel kernel, SecuritySessionStore securitySessionStore) {
        this.kernel = kernel;
        this.useSessions = kernel.getContainerSecurityConfiguration().isSessionsEnabled();
        this.sessionStore = securitySessionStore;
        JWTServerProperties jWTServerProperties = new JWTServerProperties(kernel.getContainerProperties().getRawProperties());
        PubkeyCache pubkeyCache = PubkeyCache.get(kernel);
        IContainerSecurityConfiguration containerSecurityConfiguration = kernel.getContainerSecurityConfiguration();
        try {
            pubkeyCache.update(containerSecurityConfiguration.getCredential().getSubjectName(), containerSecurityConfiguration.getCredential().getCertificate().getPublicKey());
        } catch (Exception e) {
        }
        this.jwt = new JWTHelper(jWTServerProperties, kernel.getContainerSecurityConfiguration(), pubkeyCache);
    }

    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        Message currentMessage = PhaseInterceptorChain.getCurrentMessage();
        Response handleRequest = handleRequest(currentMessage);
        if (handleRequest != null) {
            currentMessage.getExchange().put(Response.class, handleRequest);
        }
    }

    public Response handleRequest(Message message) {
        try {
            return doHandle(message);
        } catch (SecurityException e) {
            Log.logException("User authentication/authorisation failed", e, logger);
            throw new WebApplicationException(e, 403);
        }
    }

    protected Response doHandle(Message message) {
        SecurityTokens tokens;
        Response response = null;
        SecuritySession securitySession = null;
        String securitySessionID = getSecuritySessionID(message);
        if (securitySessionID == null) {
            tokens = new SecurityTokens();
            response = process(message, tokens);
            if (this.useSessions) {
                securitySession = createSession(tokens);
            }
        } else {
            securitySession = getSession(message, securitySessionID);
            tokens = securitySession.getTokens();
            tokens.getContext().put("reused-unicore-security-session", Boolean.TRUE);
            if (logger.isDebugEnabled()) {
                logger.debug("Re-using session " + securitySessionID + " for <" + securitySession.getUserKey() + ">");
            }
        }
        if (response == null) {
            handleUserPreferences(message, tokens);
            Client createClient = createClient(tokens);
            if (logger.isDebugEnabled()) {
                logger.debug("Authenticated client: " + createClient);
            }
            AuthZAttributeStore.setClient(createClient);
            PostInvokeHandler.setSession(securitySession);
        }
        return response;
    }

    private Response process(Message message, SecurityTokens securityTokens) {
        securityTokens.setClientIP(establishClientIP(message));
        processDelegation(message, securityTokens);
        if (securityTokens.isTrustDelegationValidated()) {
            return null;
        }
        return processNoDelegation(message, securityTokens);
    }

    protected void processDelegation(Message message, SecurityTokens securityTokens) {
        String bearerToken = CXFUtils.getBearerToken(message);
        if (bearerToken != null) {
            try {
                validateJWT(bearerToken, securityTokens);
            } catch (Exception e) {
                Log.logException("JWT trust delegation not accepted", e, logger);
                throw new WebApplicationException(e, 403);
            }
        }
    }

    protected void validateJWT(String str, SecurityTokens securityTokens) throws Exception {
        try {
            JSONObject payload = JWTUtils.getPayload(str);
            String optString = payload.optString("sub", null);
            String optString2 = payload.optString("iss", null);
            if ((!Boolean.parseBoolean(payload.optString("etd", null)) || optString == null || optString2 == null || optString == optString2) ? false : true) {
                this.jwt.verifyJWTToken(str);
                securityTokens.setUserName(optString);
                securityTokens.setConsignorTrusted(true);
                securityTokens.setConsignorName(optString2);
                if (logger.isDebugEnabled()) {
                    logger.debug("Trust delegated authentication as <" + optString + "> via JWT issued by <" + optString2 + ">");
                }
            }
        } catch (Exception e) {
        }
    }

    protected Response processNoDelegation(Message message, SecurityTokens securityTokens) {
        IAuthenticator authenticator = ((RESTSecurityProperties) this.kernel.getAttribute(RESTSecurityProperties.class)).getAuthenticator();
        if (authenticator.authenticate(message, securityTokens) || !((RESTSecurityProperties) this.kernel.getAttribute(RESTSecurityProperties.class)).forbidNoCreds() || !this.kernel.getContainerSecurityConfiguration().isAccessControlEnabled()) {
            return null;
        }
        String containerURL = this.kernel.getContainerProperties().getContainerURL();
        Response.ResponseBuilder status = Response.status(401);
        Iterator<String> it = authenticator.getAuthSchemes().iterator();
        while (it.hasNext()) {
            status.header("WWW-Authenticate", String.valueOf(it.next()) + " realm=" + containerURL);
        }
        return status.build();
    }

    protected String establishClientIP(Message message) {
        String header = CXFUtils.getServletRequest(message).getHeader(CONSIGNOR_IP_HEADER);
        if (header == null) {
            header = CXFUtils.getClientIP(message);
        }
        return header;
    }

    public Client createClient(SecurityTokens securityTokens) {
        if (logger.isDebugEnabled()) {
            logger.debug("Authenticated user: " + securityTokens.getEffectiveUserName());
        }
        Client createClientWithAttributes = this.kernel.getSecurityManager().createClientWithAttributes(securityTokens);
        if (createClientWithAttributes != null && createClientWithAttributes.getSecurityTokens() != null) {
            this.kernel.getSecurityManager().collectDynamicAttributes(createClientWithAttributes);
        }
        return createClientWithAttributes;
    }

    protected void handleUserPreferences(Message message, SecurityTokens securityTokens) {
        Enumeration headers = CXFUtils.getServletRequest(message).getHeaders(USER_PREFERENCES_HEADER);
        Map<String, String[]> userPreferences = securityTokens.getUserPreferences();
        while (headers.hasMoreElements()) {
            String str = (String) headers.nextElement();
            for (String str2 : str.split(",")) {
                String[] split = str2.split(":");
                if (split.length != 2) {
                    throw new AuthorisationException("Invalid format for user preference: " + str);
                }
                handlePreference(split[0], split[1], userPreferences);
            }
        }
    }

    private void handlePreference(String str, String str2, Map<String, String[]> map) {
        if ("xlogin".equalsIgnoreCase(str) || "uid".equalsIgnoreCase(str)) {
            map.put("xlogin", new String[]{str2});
            return;
        }
        if ("role".equalsIgnoreCase(str)) {
            map.put("role", new String[]{str2});
            return;
        }
        if ("group".equalsIgnoreCase(str) || "pgid".equalsIgnoreCase(str)) {
            map.put("group", new String[]{str2});
            return;
        }
        if ("supplementaryGroups".equalsIgnoreCase(str) || "supgids".equalsIgnoreCase(str)) {
            map.put("supplementaryGroups", str2.split("+"));
        } else if ("selectedVirtualOrganisation".equalsIgnoreCase(str) || "vo".equalsIgnoreCase(str)) {
            map.put("selectedVirtualOrganisation", new String[]{str2});
        }
    }

    private String getSecuritySessionID(Message message) {
        if (this.useSessions) {
            return CXFUtils.getServletRequest(message).getHeader("X-UNICORE-SecuritySession");
        }
        return null;
    }

    private SecuritySession getSession(Message message, String str) {
        SecuritySession session = this.sessionStore.getSession(str);
        if (session == null || session.isExpired()) {
            throw new WebApplicationException(432);
        }
        return session;
    }

    private SecuritySession createSession(SecurityTokens securityTokens) {
        long sessionLifetime = this.kernel.getContainerSecurityConfiguration().getSessionLifetime() * 1000;
        String uuid = UUID.randomUUID().toString();
        securityTokens.getContext().put("unicore-security-session-id", uuid);
        SecuritySession securitySession = new SecuritySession(uuid, securityTokens, sessionLifetime);
        this.sessionStore.storeSession(securitySession, securityTokens);
        return securitySession;
    }
}
