package jp.openstandia.midpoint.grpc;

import com.evolveum.midpoint.prism.PrismObject;
import com.evolveum.midpoint.security.api.ConnectionEnvironment;
import com.evolveum.midpoint.task.api.Task;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.web.security.MidPointApplication;
import com.evolveum.midpoint.xml.ns._public.common.common_3.NodeType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.prism.xml.ns._public.types_3.PolyStringType;
import io.grpc.Metadata;
import io.grpc.Status;
import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.security.oauth2.resource.IssuerUriCondition;
import org.springframework.context.annotation.Conditional;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidationException;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;
import org.springframework.stereotype.Component;

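/**
 * gRPC authentication interceptor for {@code Authorization: Bearer <JWT>} credentials.
 *
 * <p>The token is decoded (and signature/expiry-checked) by the injected {@link JwtDecoder}.
 * The {@code iss} claim must then match {@code spring.security.oauth2.resourceserver.validIssuer}
 * and at least one {@code aud} entry must equal
 * {@code spring.security.oauth2.resourceserver.validAudience}. Every token-related failure is
 * reported as {@link Status#UNAUTHENTICATED} with the generic {@code invalid_token} description;
 * only unexpected failures become {@link Status#INTERNAL}. The bean is registered only when an
 * OAuth2 issuer URI is configured ({@link IssuerUriCondition}).
 */
@Conditional({IssuerUriCondition.class})
@Component
public class JWTAuthenticationInterceptor extends AbstractGrpcAuthenticationInterceptor {
    // Attributed to this class; the previous MidPointApplication.class misfiled log lines.
    private static final Trace LOGGER = TraceManager.getTrace(JWTAuthenticationInterceptor.class);
    // Authorization scheme handled by this interceptor.
    private static final String TYPE = "Bearer";
    // Optional claim naming a machine client; "sub" is used when it is absent.
    private static final String CLIENT_ID_CLAIM = "clientId";
    // Single description for every rejection so a caller cannot probe which check failed.
    private static final String INVALID_TOKEN = BearerTokenErrorCodes.INVALID_TOKEN;

    @Autowired
    JwtDecoder jwtDecoder;

    @Value("${spring.security.oauth2.resourceserver.validIssuer}")
    String validIssuer;

    @Value("${spring.security.oauth2.resourceserver.validAudience}")
    String validAudience;

    /** @return the authorization scheme this interceptor handles ({@code Bearer}). */
    @Override
    public String getType() {
        return TYPE;
    }

    /**
     * Validates the bearer token carried in {@code str} and records a successful login audit.
     *
     * @param connectionEnvironment environment passed through to the login audit
     * @param task                  current task (unused here)
     * @param str                   raw Authorization header value
     * @return a {@link BearerTokenAuthenticationToken} wrapping the validated raw token
     * @throws io.grpc.StatusRuntimeException {@code UNAUTHENTICATED} when the token is malformed,
     *         fails decoder validation, lacks or mismatches {@code iss}, or lacks the expected
     *         {@code aud}; {@code INTERNAL} for any other runtime failure
     */
    @Override
    public Authentication authenticate(ConnectionEnvironment connectionEnvironment, Task task, String str) {
        String token = extractHeader(str, TYPE);

        Jwt jwt;
        try {
            jwt = this.jwtDecoder.decode(token);
        } catch (JwtException e) {
            // JwtException also covers malformed tokens (BadJwtException), which the former
            // JwtValidationException-only catch let fall through to INTERNAL.
            throw Status.UNAUTHENTICATED.withDescription(INVALID_TOKEN).withCause(e).asRuntimeException();
        } catch (RuntimeException e) {
            throw Status.INTERNAL.withDescription("internal_error").withCause(e).asRuntimeException();
        }

        // Claim checks live outside the try/catch: a StatusRuntimeException raised inside it
        // was previously swallowed by the RuntimeException handler and re-labelled INTERNAL.
        if (!isIssuerValid(jwt)) {
            LOGGER.debug("Rejected JWT: issuer {} does not match the configured validIssuer", jwt.getIssuer());
            throw invalidToken();
        }
        if (!isAudienceValid(jwt)) {
            LOGGER.debug("Rejected JWT: audience {} does not contain the configured validAudience", jwt.getAudience());
            throw invalidToken();
        }

        try {
            NodeType nodeType = new NodeType();
            nodeType.setName(PolyStringType.fromOrig(principalName(jwt)));
            this.securityHelper.auditLoginSuccess(nodeType, connectionEnvironment);
            return new BearerTokenAuthenticationToken(token);
        } catch (RuntimeException e) {
            // Same mapping as before for failures in auditing / token construction.
            throw Status.INTERNAL.withDescription("internal_error").withCause(e).asRuntimeException();
        }
    }

    /**
     * @return {@code true} when {@code iss} is present and equals the configured issuer
     *         (case-insensitively, as in the original comparison)
     */
    private boolean isIssuerValid(Jwt jwt) {
        // getIssuer() is null when the claim is absent; without this guard the comparison NPE'd
        // and the token was answered with INTERNAL instead of UNAUTHENTICATED.
        return jwt.getIssuer() != null && jwt.getIssuer().toString().equalsIgnoreCase(this.validIssuer);
    }

    /**
     * @return {@code true} when the configured audience is set and appears in the token's
     *         {@code aud} claim; an absent claim or unset configuration rejects the token
     */
    private boolean isAudienceValid(Jwt jwt) {
        return this.validAudience != null
                && jwt.getAudience() != null
                && jwt.getAudience().stream().anyMatch(this.validAudience::equals);
    }

    /** @return the name recorded in the login audit: {@code clientId} when present, else {@code sub} */
    private static String principalName(Jwt jwt) {
        if (jwt.getClaims().containsKey(CLIENT_ID_CLAIM)) {
            return jwt.getClaimAsString(CLIENT_ID_CLAIM);
        }
        return jwt.getSubject();
    }

    /** @return the uniform UNAUTHENTICATED / invalid_token rejection */
    private static RuntimeException invalidToken() {
        return Status.UNAUTHENTICATED.withDescription(INVALID_TOKEN).asRuntimeException();
    }

    /**
     * No client-level authorization is applied to JWT callers: the issuer/audience checks in
     * {@link #authenticate} are the only gate before {@link #switchToUser} runs.
     * NOTE(review): confirm whether a scope/role check on the token is intended here, since an
     * empty body lets any token from the trusted issuer and audience request a principal switch
     * unless the base class restricts it elsewhere.
     */
    @Override
    protected void authorizeClient(Authentication authentication, ConnectionEnvironment connectionEnvironment, Task task) {
        // Empty, as in the original; see the Javadoc above.
    }

    /**
     * Resolves the midPoint user the call should run as, from the switch-to metadata headers.
     *
     * @param authentication        the authenticated client (unused here)
     * @param metadata              gRPC metadata carrying the switch-to OID or user name
     * @param connectionEnvironment environment passed through to {@code authenticateUser}
     * @param task                  task used for the repository lookup
     * @return the authentication for the resolved user
     * @throws io.grpc.StatusRuntimeException {@code UNAUTHENTICATED} / {@code invalid_request}
     *         when neither header carries a non-blank value
     */
    @Override
    protected Authentication switchToUser(Authentication authentication, Metadata metadata, ConnectionEnvironment connectionEnvironment, Task task) {
        String oid = (String) metadata.get(Constant.SwitchToPrincipalMetadataKey);
        String username = (String) metadata.get(Constant.SwitchToPrincipalByNameMetadataKey);

        PrismObject<UserType> user;
        if (StringUtils.isNotBlank(oid)) {
            // The OID header wins when both are present.
            user = findByOid(oid, task);
        } else if (StringUtils.isNotBlank(username)) {
            user = findByUsername(username, task);
        } else {
            throw Status.UNAUTHENTICATED.withDescription("invalid_request").asRuntimeException();
        }
        return authenticateUser(user, connectionEnvironment, task);
    }
}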
