package org.entur.jwt.spring.grpc;

import io.grpc.Context;
import io.grpc.Contexts;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import org.entur.jwt.jwk.JwksClientException;
import org.entur.jwt.jwk.JwksException;
import org.entur.jwt.spring.filter.JwtAuthenticationToken;
import org.entur.jwt.spring.filter.JwtAuthorityMapper;
import org.entur.jwt.spring.filter.JwtDetailsMapper;
import org.entur.jwt.spring.filter.JwtPrincipalMapper;
import org.entur.jwt.spring.filter.log.JwtMappedDiagnosticContextMapper;
import org.entur.jwt.verifier.JwtClaimExtractor;
import org.entur.jwt.verifier.JwtClientException;
import org.entur.jwt.verifier.JwtException;
import org.entur.jwt.verifier.JwtVerifier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/* loaded from: input_file:org/entur/jwt/spring/grpc/JwtAuthenticationInterceptor.class */
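/**
 * gRPC {@link ServerInterceptor} that authenticates incoming calls from a JWT carried in the
 * {@code Authorization} metadata entry.
 *
 * <p>Decision order, as implemented below:
 * <ol>
 *   <li>An {@code Authorization} value starting with {@code "Bearer "} (case-sensitive match) is
 *       handed to the {@link JwtVerifier}; on success a {@link JwtAuthenticationToken} is placed
 *       in the gRPC {@link Context} under {@code GrpcAuthorization.SECURITY_CONTEXT_AUTHENTICATION}.</li>
 *   <li>Any other {@code Authorization} value closes the call with {@code UNAUTHENTICATED}.
 *       This happens even for methods matched by the anonymous filter.</li>
 *   <li>With no {@code Authorization} value, the call proceeds as {@code anonymousUser} with
 *       {@code ROLE_ANONYMOUS} only if the anonymous method filter matches; otherwise it is
 *       closed with {@code UNAUTHENTICATED}.</li>
 * </ol>
 *
 * <p>Rejected calls are closed immediately and given a no-op listener, so the downstream
 * {@link ServerCallHandler} is never invoked for them.
 *
 * @param <T> the verified-token type produced by the {@link JwtVerifier}
 */
public class JwtAuthenticationInterceptor<T> implements ServerInterceptor {
    private static final Logger log = LoggerFactory.getLogger(JwtAuthenticationInterceptor.class);

    public static final String AUTHORIZATION = "Authorization";
    public static final String BEARER = "Bearer ";

    /** Built once instead of on every call. */
    private static final Metadata.Key<String> AUTHORIZATION_KEY = Metadata.Key.of(AUTHORIZATION, Metadata.ASCII_STRING_MARSHALLER);

    /** Per-instance random key passed to every {@link AnonymousAuthenticationToken} this interceptor creates. */
    private final String key = UUID.randomUUID().toString();

    private final JwtVerifier<T> verifier;
    private final JwtAuthorityMapper<T> authorityMapper;
    private final JwtMappedDiagnosticContextMapper<T> mdcMapper;
    private final JwtClaimExtractor<T> extractor;
    private final GrpcServiceMethodFilter anonymousMethodFilter;
    private final JwtDetailsMapper detailsMapper;
    private final JwtPrincipalMapper principalMapper;

    /**
     * Creates the interceptor.
     *
     * @param jwtVerifier verifies the raw bearer token
     * @param grpcServiceMethodFilter selects the methods that may be called without a token;
     *     {@code null} means no method allows anonymous access
     * @param jwtAuthorityMapper maps a verified token to granted authorities
     * @param jwtMappedDiagnosticContextMapper optional; when {@code null} no MDC value is added to the context
     * @param jwtClaimExtractor extracts the claims from a verified token
     * @param jwtPrincipalMapper maps claims to the authentication principal
     * @param jwtDetailsMapper maps the call and claims to the authentication details
     */
    public JwtAuthenticationInterceptor(JwtVerifier<T> jwtVerifier, GrpcServiceMethodFilter grpcServiceMethodFilter, JwtAuthorityMapper<T> jwtAuthorityMapper, JwtMappedDiagnosticContextMapper<T> jwtMappedDiagnosticContextMapper, JwtClaimExtractor<T> jwtClaimExtractor, JwtPrincipalMapper jwtPrincipalMapper, JwtDetailsMapper jwtDetailsMapper) {
        this.verifier = jwtVerifier;
        this.anonymousMethodFilter = grpcServiceMethodFilter;
        this.authorityMapper = jwtAuthorityMapper;
        this.mdcMapper = jwtMappedDiagnosticContextMapper;
        this.extractor = jwtClaimExtractor;
        this.principalMapper = jwtPrincipalMapper;
        this.detailsMapper = jwtDetailsMapper;
    }

    /**
     * Authenticates the call, or closes it with {@code UNAUTHENTICATED} when no acceptable
     * credential is present and the method does not allow anonymous access.
     *
     * @return the downstream listener running inside the authenticated context, or a no-op
     *     listener when the call was rejected
     */
    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler) {
        String header = metadata.get(AUTHORIZATION_KEY);
        if (header != null) {
            if (header.startsWith(BEARER)) {
                return interceptBearerTokenCall(serverCall, metadata, serverCallHandler, header);
            }
            // A credential of another scheme is rejected outright; it never falls back to anonymous access.
            log.debug("Invalid authorization header type");
            return reject(serverCall, Status.UNAUTHENTICATED.withDescription("Invalid authorization header type"));
        }

        if (this.anonymousMethodFilter != null && this.anonymousMethodFilter.matches(serverCall)) {
            AnonymousAuthenticationToken anonymous = new AnonymousAuthenticationToken(this.key, "anonymousUser", Collections.singletonList(new SimpleGrantedAuthority("ROLE_ANONYMOUS")));
            Context context = Context.current().withValue(GrpcAuthorization.SECURITY_CONTEXT_AUTHENTICATION, anonymous);
            return Contexts.interceptCall(context, serverCall, metadata, serverCallHandler);
        }

        log.debug("Authentication is required, however there was no bearer token");
        return reject(serverCall, Status.UNAUTHENTICATED.withDescription("Authorization header is missing"));
    }

    /**
     * Verifies the bearer token and, on success, continues the call inside a context that
     * carries the resulting {@link JwtAuthenticationToken} (and the MDC value, when an MDC
     * mapper is configured).
     *
     * @param str the full {@code Authorization} value, including the {@code "Bearer "} prefix
     * @return the downstream listener, or a no-op listener when the call was closed with
     *     {@code UNAUTHENTICATED} (token rejected) or {@code UNAVAILABLE} (verification could
     *     not be carried out)
     */
    protected <ReqT, RespT> ServerCall.Listener<ReqT> interceptBearerTokenCall(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler, String str) {
        String bearerToken = str.substring(BEARER.length());
        try {
            T token = this.verifier.verify(bearerToken);
            if (token == null) {
                log.debug("Unable to verify token");
                return reject(serverCall, Status.UNAUTHENTICATED.withDescription("Invalid authorization header"));
            }

            // Raw types kept as-is: the element/key types of these mapper results are not visible in this file.
            List grantedAuthorities = this.authorityMapper.getGrantedAuthorities(token);
            Map claims = this.extractor.getClaims(token);

            Context context = Context.current().withValue(GrpcAuthorization.SECURITY_CONTEXT_AUTHENTICATION, new JwtAuthenticationToken(claims, bearerToken, grantedAuthorities, this.principalMapper.getPrincipal(claims), this.detailsMapper.getDetails(serverCall, claims)));
            if (this.mdcMapper != null) {
                context = context.withValue(GrpcAuthorization.SECURITY_CONTEXT_MDC, this.mdcMapper.getContext(token));
            }
            return Contexts.interceptCall(context, serverCall, metadata, serverCallHandler);
        } catch (JwtClientException | JwksClientException e) {
            // Handled first: if these types extend JwtException / JwksException (their declarations are
            // not visible here), the broader catch below would otherwise take them.
            // NOTE(review): the exception message is returned to the caller as the status description;
            // confirm these messages never carry more than the reason the caller's own token was refused.
            log.debug("JWT verification failed due to {}", e.getMessage());
            return reject(serverCall, Status.UNAUTHENTICATED.withDescription(e.getMessage()).withCause(e));
        } catch (JwksException | JwtException e) {
            // The full detail stays in the server log. The description is sent to a caller that has not
            // been authenticated, so it is a fixed string rather than the exception message.
            // The cause is kept on the Status for local use; gRPC does not transmit it to the client.
            log.warn("Unable to process token", e);
            return reject(serverCall, Status.UNAVAILABLE.withDescription("Unable to process token").withCause(e));
        }
    }

    /** Closes the call with the given status and returns a listener that ignores all events. */
    private static <ReqT, RespT> ServerCall.Listener<ReqT> reject(ServerCall<ReqT, RespT> serverCall, Status status) {
        serverCall.close(status, new Metadata());
        return new ServerCall.Listener<ReqT>() {
        };
    }
}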
