package ee.datel.dogis6.content.oauth;

import com.fasterxml.jackson.annotation.JsonProperty;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils;
import org.owasp.encoder.Encode;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.core.Ordered;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.scheduling.TaskScheduler;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.filter.OncePerRequestFilter;

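/**
 * Servlet filter that requires an OAuth bearer token on every non-GET request and validates it
 * against the configured token-introspection endpoint.
 *
 * <p>The bean is only created when {@code application.oauth.introspect.url} is non-empty, and it
 * runs before all other ordered filters (see {@link #getOrder()}).
 *
 * <p>Two in-memory caches limit calls to the introspection endpoint:
 * <ul>
 *   <li>{@link #cache} holds the single most recently accepted {@code Authorization} header for
 *       about ten seconds. A token revoked at the authorization server can therefore still be
 *       accepted here for up to that long.</li>
 *   <li>{@link #invalidTokens} remembers rejected headers for sixty seconds after their last
 *       use.</li>
 * </ul>
 */
@Component
@ConditionalOnExpression("'${application.oauth.introspect.url:}'!=''")
public class OAuthAuthorizeFilter extends OncePerRequestFilter implements Ordered {
    private static final String BEARER_PREFIX = "Bearer ";
    private static final long VALID_TOKEN_CACHE_SECONDS = 10L;
    private static final long INVALID_TOKEN_TTL_MILLIS = 60000L;

    // Upper bound for the negative cache. Its keys are attacker-controlled header values sent by
    // unauthenticated clients, so an unbounded map could be grown until memory is exhausted.
    private static final int MAX_INVALID_TOKENS = 10_000;

    protected final RestTemplate restTemplate;
    protected final URI uri;
    protected final TaskScheduler taskScheduler;
    // Last accepted Authorization header, or "" when nothing is cached.
    protected final AtomicReference<String> cache = new AtomicReference<>("");
    // Rejected Authorization header -> epoch millis after which the entry may be evicted.
    protected final Map<String, Long> invalidTokens = new ConcurrentHashMap<>();

    /** Subset of the introspection response that this filter evaluates. */
    protected static class OAuthResponse {

        @JsonProperty
        private Boolean active;

        protected OAuthResponse() {
        }

        /** Returns {@code true} only when the response carried {@code "active": true}. */
        public boolean isActive() {
            return Objects.equals(Boolean.TRUE, this.active);
        }
    }

    /**
     * Creates the filter.
     *
     * @param restTemplate client used for introspection calls; a default instance is created when
     *     no bean is available
     * @param introspectUrl value of {@code application.oauth.introspect.url}
     * @param taskScheduler scheduler used to expire the accepted-token cache
     */
    protected OAuthAuthorizeFilter(@Autowired(required = false) RestTemplate restTemplate, @Value("${application.oauth.introspect.url}") String introspectUrl, TaskScheduler taskScheduler) {
        this.restTemplate = restTemplate == null ? new RestTemplate() : restTemplate;
        this.taskScheduler = taskScheduler;
        // NOTE(review): the scheme is not checked here. Tokens are posted to this URL, so it
        // should be an https endpoint; confirm in deployment configuration.
        this.uri = URI.create(introspectUrl).normalize();
        this.logger.info("Authorization initiated");
    }

    /** Runs this filter ahead of every other ordered filter. */
    @Override
    public int getOrder() {
        return Ordered.HIGHEST_PRECEDENCE;
    }

    /**
     * Authorizes the request or ends it with an error status.
     *
     * <ul>
     *   <li>401 when the {@code Authorization} header is missing, is not a {@code Bearer} header,
     *       or the introspection endpoint does not report the token as active;</li>
     *   <li>403 when the header is in the negative cache or its token part is not valid Base64;</li>
     *   <li>500 when the introspection call fails. The request is never passed on in that case.</li>
     * </ul>
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        String header = httpServletRequest.getHeader("Authorization");
        if (StringUtils.isBlank(header) || !header.startsWith(BEARER_PREFIX)) {
            this.logger.info("Not authenticated");
            httpServletResponse.setHeader("WWW-Authenticate", "Bearer realm=\"dogis6-proxy\"");
            httpServletResponse.setStatus(401);
            return;
        }
        if (Objects.equals(this.cache.get(), header)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        if (this.invalidTokens.containsKey(header)) {
            // Re-adding pushes the expiry out again, so a client that keeps retrying stays blocked.
            addInvalidToken(header);
            httpServletResponse.setStatus(403);
            return;
        }

        String token = decodeBearerToken(header);
        if (StringUtils.isBlank(token)) {
            addInvalidToken(header);
            // The header value is deliberately not logged: it is a credential, and a token in a
            // format other than plain Base64 would otherwise be written to the log in full.
            this.logger.info("Invalid header value");
            httpServletResponse.setStatus(403);
            return;
        }

        boolean active;
        try {
            active = isTokenActive(token);
        } catch (RestClientException e) {
            // Fail closed: an unreachable or misbehaving introspection endpoint never grants access.
            this.logger.error(e.getMessage());
            httpServletResponse.setStatus(500);
            return;
        } catch (Exception e) {
            this.logger.error(e.getMessage(), e);
            httpServletResponse.setStatus(500);
            return;
        }

        if (!active) {
            addInvalidToken(header);
            this.logger.info("Invalid token");
            httpServletResponse.setHeader("WWW-Authenticate", "Bearer realm=\"dogis6-proxy\", error=\"invalid_token\"");
            httpServletResponse.setStatus(401);
            return;
        }

        rememberValidHeader(header);
        // Invoked outside the try blocks above so that failures of downstream filters propagate
        // to the container, as they already do on the cache-hit path, instead of being logged
        // here as an authorization error.
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Skips this filter for GET requests.
     *
     * <p>NOTE(review): every GET request reaches the application without a token check, while
     * HEAD and OPTIONS are still filtered. Presumably GET endpoints are meant to be public;
     * confirm that none of them returns protected data or changes state.
     */
    @Override
    protected boolean shouldNotFilter(HttpServletRequest httpServletRequest) throws ServletException {
        return "GET".equals(httpServletRequest.getMethod());
    }

    /**
     * Records a rejected header in the negative cache for sixty seconds from now.
     *
     * <p>Once the cache is full, unknown headers are no longer recorded; they are simply checked
     * against the introspection endpoint again on their next use.
     */
    protected void addInvalidToken(String str) {
        if (this.invalidTokens.size() >= MAX_INVALID_TOKENS && !this.invalidTokens.containsKey(str)) {
            return;
        }
        this.invalidTokens.put(str, System.currentTimeMillis() + INVALID_TOKEN_TTL_MILLIS);
    }

    /** Evicts negative-cache entries whose expiry time has passed. */
    @Scheduled(fixedDelay = 10000, initialDelay = 60000)
    protected void invalidTokensCleaner() {
        long now = System.currentTimeMillis();
        this.invalidTokens.values().removeIf(expiry -> expiry < now);
    }

    /**
     * Base64-decodes the part of the header after {@code "Bearer "}.
     *
     * @return the decoded token, or {@code null} when the value is not valid Base64
     */
    private String decodeBearerToken(String header) {
        byte[] encoded = header.substring(BEARER_PREFIX.length()).getBytes(StandardCharsets.US_ASCII);
        try {
            return new String(Base64.getDecoder().decode(encoded), StandardCharsets.US_ASCII);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    /**
     * Posts the token to the introspection endpoint as a form parameter.
     *
     * <p>NOTE(review): no client credentials are attached here; if the endpoint requires them
     * they have to come from the injected {@link RestTemplate}. Confirm.
     *
     * @return {@code true} when the endpoint answered 200 with {@code active} set to true
     * @throws RestClientException when the call fails or the status is not 200
     */
    private boolean isTokenActive(String token) {
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.add("Content-Type", "application/x-www-form-urlencoded");
        HttpEntity<String> form = new HttpEntity<>("token=" + URLEncoder.encode(token, StandardCharsets.UTF_8), httpHeaders);
        ResponseEntity<OAuthResponse> exchange = this.restTemplate.exchange(this.uri, HttpMethod.POST, form, OAuthResponse.class);
        // Compare numeric codes rather than object identity.
        if (exchange.getStatusCode().value() != HttpStatus.OK.value()) {
            throw new RestClientException(String.format("OAuth response status %d", exchange.getStatusCode().value()));
        }
        OAuthResponse oAuthResponse = exchange.getBody();
        return oAuthResponse != null && oAuthResponse.isActive();
    }

    /**
     * Caches an accepted header for {@value #VALID_TOKEN_CACHE_SECONDS} seconds.
     *
     * <p>If the eviction task cannot be scheduled the header is not cached at all, so an accepted
     * token can never stay cached without a pending eviction.
     */
    private void rememberValidHeader(String header) {
        try {
            // compareAndSet clears the slot only if it still holds this header object, so the
            // task does not wipe a different token that was cached in the meantime.
            this.taskScheduler.schedule(() -> this.cache.compareAndSet(header, ""), Instant.now().plusSeconds(VALID_TOKEN_CACHE_SECONDS));
            this.cache.set(header);
        } catch (RuntimeException e) {
            this.logger.error(e.getMessage(), e);
        }
    }
}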
