package com.spotify.styx.api;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.googleapis.util.Utils;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.spotify.apollo.Request;
import com.spotify.apollo.RequestContext;
import com.spotify.apollo.Response;
import com.spotify.apollo.Status;
import com.spotify.apollo.route.AsyncHandler;
import com.spotify.apollo.route.Middleware;
import com.spotify.apollo.route.SyncHandler;
import com.spotify.styx.serialization.Json;
import io.norberg.automatter.AutoMatter;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionException;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import okio.ByteString;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/spotify/styx/api/Middlewares.class */
public final class Middlewares {
    public static final String BEARER_PREFIX = "Bearer ";
    private static final GoogleIdTokenVerifier GOOGLE_ID_TOKEN_VERIFIER;
    private static final Logger LOG = LoggerFactory.getLogger(Middlewares.class);
    private static final Set<String> BLACKLISTED_HEADERS = ImmutableSet.of("Authorization");

    @AutoMatter
    /* loaded from: input_file:com/spotify/styx/api/Middlewares$AuthContext.class */
    public interface AuthContext {
        Optional<GoogleIdToken> user();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/spotify/styx/api/Middlewares$Authenticated.class */
    public interface Authenticated<T> extends Function<AuthContext, T> {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/spotify/styx/api/Middlewares$Requested.class */
    public interface Requested<T> extends Function<RequestContext, T> {
    }

    private Middlewares() {
    }

    public static Middleware<SyncHandler<? extends Response<?>>, AsyncHandler<Response<ByteString>>> json() {
        return syncHandler -> {
            return (AsyncHandler) jsonAsync().apply(Middleware.syncToAsync(syncHandler));
        };
    }

    public static Middleware<AsyncHandler<? extends Response<?>>, AsyncHandler<Response<ByteString>>> jsonAsync() {
        return asyncHandler -> {
            return asyncHandler.map(response -> {
                if (!response.payload().isPresent()) {
                    return response;
                }
                try {
                    return response.withPayload(ByteString.of(Json.OBJECT_MAPPER.writeValueAsBytes(response.payload().get()))).withHeader("Content-Type", "application/json");
                } catch (JsonProcessingException e) {
                    return Response.forStatus(Status.INTERNAL_SERVER_ERROR.withReasonPhrase("Failed to serialize response " + e.getMessage()));
                }
            });
        };
    }

    public static <T> Middleware<AsyncHandler<Response<T>>, AsyncHandler<Response<T>>> clientValidator(Supplier<Optional<List<String>>> supplier) {
        return asyncHandler -> {
            return requestContext -> {
                return ((Boolean) requestContext.request().header("User-Agent").map(str -> {
                    return Boolean.valueOf(((List) ((Optional) supplier.get()).orElse(ImmutableList.of())).contains(str));
                }).orElse(false)).booleanValue() ? CompletableFuture.completedFuture(Response.forStatus(Status.NOT_ACCEPTABLE.withReasonPhrase("blacklisted client version, please upgrade"))) : asyncHandler.invoke(requestContext);
            };
        };
    }

    public static <T> Middleware<AsyncHandler<Response<T>>, AsyncHandler<Response<T>>> exceptionHandler() {
        return asyncHandler -> {
            return requestContext -> {
                try {
                    return asyncHandler.invoke(requestContext).handle((response, th) -> {
                        if (th == null) {
                            return response;
                        }
                        if (th instanceof ResponseException) {
                            return ((ResponseException) th).getResponse();
                        }
                        throw new CompletionException(th);
                    });
                } catch (ResponseException e) {
                    return CompletableFuture.completedFuture(e.getResponse());
                }
            };
        };
    }

    private static GoogleIdToken verifyIdToken(String str) {
        try {
            return GOOGLE_ID_TOKEN_VERIFIER.verify(str);
        } catch (IOException e) {
            throw new RuntimeException(e);
        } catch (GeneralSecurityException e2) {
            return null;
        }
    }

    public static <T> Middleware<AsyncHandler<Response<T>>, AsyncHandler<Response<T>>> auditLogger() {
        return asyncHandler -> {
            return requestContext -> {
                Request request = requestContext.request();
                if (!"GET".equals(request.method())) {
                    LOG.info("[AUDIT] {} {} by {} with headers {} parameters {} and payload {}", new Object[]{request.method(), request.uri(), auth(requestContext).user().map(googleIdToken -> {
                        return googleIdToken.getPayload().getEmail();
                    }).orElse("anonymous"), filterHeaders(request.headers()), request.parameters(), ((String) request.payload().map((v0) -> {
                        return v0.utf8();
                    }).orElse("")).replaceAll("\n", " ")});
                }
                return asyncHandler.invoke(requestContext);
            };
        };
    }

    private static AuthContext auth(RequestContext requestContext) {
        Request request = requestContext.request();
        if (!request.header("Authorization").isPresent()) {
            return Optional::empty;
        }
        String str = (String) request.header("Authorization").get();
        if (!str.startsWith(BEARER_PREFIX)) {
            throw new ResponseException(Response.forStatus(Status.BAD_REQUEST.withReasonPhrase("Authorization token must be of type Bearer")));
        }
        try {
            GoogleIdToken verifyIdToken = verifyIdToken(str.substring(BEARER_PREFIX.length()));
            if (verifyIdToken == null) {
                throw new ResponseException(Response.forStatus(Status.UNAUTHORIZED.withReasonPhrase("Authorization token is invalid")));
            }
            return () -> {
                return Optional.of(verifyIdToken);
            };
        } catch (IllegalArgumentException e) {
            throw new ResponseException(Response.forStatus(Status.BAD_REQUEST.withReasonPhrase("Failed to parse Authorization token")), e);
        }
    }

    private static Map<String, String> filterHeaders(Map<String, String> map) {
        return (Map) map.entrySet().stream().filter(entry -> {
            return !BLACKLISTED_HEADERS.contains(entry.getKey());
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }));
    }

    private static <T> Middleware<Requested<Authenticated<T>>, AsyncHandler<Response<ByteString>>> authed() {
        return requested -> {
            return (AsyncHandler) jsonAsync().apply(requestContext -> {
                return CompletableFuture.completedFuture(Response.forPayload(((Authenticated) requested.apply(requestContext)).apply(auth(requestContext))));
            });
        };
    }

    public static <T> Middleware<AsyncHandler<Response<T>>, AsyncHandler<Response<T>>> authValidator() {
        return asyncHandler -> {
            return requestContext -> {
                return ("GET".equals(requestContext.request().method()) || auth(requestContext).user().isPresent()) ? asyncHandler.invoke(requestContext) : CompletableFuture.completedFuture(Response.forStatus(Status.UNAUTHORIZED.withReasonPhrase("Unauthorized access")));
            };
        };
    }

    static {
        try {
            GOOGLE_ID_TOKEN_VERIFIER = new GoogleIdTokenVerifier.Builder(GoogleNetHttpTransport.newTrustedTransport(), Utils.getDefaultJsonFactory()).build();
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }
}
