package org.finos.tracdap.common.auth;

import io.grpc.Context;
import io.grpc.Contexts;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import org.finos.tracdap.common.config.ConfigKeys;
import org.finos.tracdap.common.config.ConfigManager;
import org.finos.tracdap.common.exception.EStartup;
import org.finos.tracdap.config.AuthenticationConfig;
import org.finos.tracdap.config.PlatformInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/finos/tracdap/common/auth/AuthInterceptor.class */
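/**
 * gRPC server interceptor that authenticates each call from a token carried in
 * the request metadata and publishes the resulting token and {@link UserInfo}
 * into the gRPC {@link Context} for downstream handlers.
 *
 * <p>Three modes are selected by {@link AuthenticationConfig}:
 * <ul>
 *   <li>normal: the token is checked by a {@link JwtValidator} configured with the
 *       public key stored under {@code ConfigKeys.TRAC_AUTH_PUBLIC_KEY};</li>
 *   <li>signing disabled: the validator is configured without a key, so user
 *       details taken from the token should be treated as unverified;</li>
 *   <li>auth disabled: no token is read and every call runs as a fixed
 *       placeholder user.</li>
 * </ul>
 * {@link #setupAuth} refuses to start with either relaxed mode when the platform
 * is flagged as production.
 */
public class AuthInterceptor implements ServerInterceptor {
    // Compared case-insensitively; the trailing space is part of the prefix.
    private static final String BEARER_AUTH_PREFIX = "bearer ";
    // Identity attached to every call when authentication is disabled.
    private static final String AUTH_DISABLED_USER_ID = "no_auth";
    private static final String AUTH_DISABLED_USER_NAME = "Authentication Disabled";
    private static final Logger log = LoggerFactory.getLogger(AuthInterceptor.class);
    private final AuthenticationConfig authConfig;
    // Null only when authentication is disabled (see setupAuth).
    private final JwtValidator jwt;

    /**
     * Creates the interceptor for the configured authentication mode.
     *
     * <p>The production check runs first so that a relaxed configuration can never
     * produce a working interceptor in a production environment.
     *
     * @param authenticationConfig authentication settings (disable flags are read here)
     * @param platformInfo platform descriptor; supplies the production flag and environment name
     * @param configManager source of the root public key used to verify tokens
     * @return an interceptor for the selected mode
     * @throws EStartup if auth or signing is disabled in production, or if signing is
     *         enabled but no public key secret is available
     */
    public static AuthInterceptor setupAuth(AuthenticationConfig authenticationConfig, PlatformInfo platformInfo, ConfigManager configManager) {
        boolean authDisabled = authenticationConfig.getDisableAuth();
        boolean signingDisabled = authenticationConfig.getDisableSigning();

        if (platformInfo.getProduction() && (authDisabled || signingDisabled)) {
            String message = String.format("Authentication and token signing must be enabled in production environment [%s]", platformInfo.getEnvironment());
            log.error(message);
            throw new EStartup(message);
        }

        if (authDisabled) {
            log.warn("!!!!! AUTHENTICATION IS DISABLED (do not use this setting in production)");
            // No validator is needed: interceptCall never touches the token in this mode.
            return new AuthInterceptor(authenticationConfig, null);
        }

        if (signingDisabled) {
            log.warn("!!!!! SIGNATURE VALIDATION IS DISABLED (do not use this setting in production)");
            // The validator is configured with a null key for this mode.
            JwtValidator unsignedValidator = JwtValidator.configure(authenticationConfig, platformInfo, null);
            return new AuthInterceptor(authenticationConfig, unsignedValidator);
        }

        if (!configManager.hasSecret(ConfigKeys.TRAC_AUTH_PUBLIC_KEY)) {
            // Fail closed: without the root public key tokens cannot be verified.
            log.error("Root authentication keys are not available, the service will not start");
            throw new EStartup("Root authentication keys are not available, the service will not start");
        }

        JwtValidator validator = JwtValidator.configure(authenticationConfig, platformInfo, configManager.loadPublicKey(ConfigKeys.TRAC_AUTH_PUBLIC_KEY));
        return new AuthInterceptor(authenticationConfig, validator);
    }

    /**
     * Package-private constructor; production code should go through {@link #setupAuth}.
     *
     * @param authenticationConfig authentication settings consulted on every call
     * @param jwtValidator token validator; {@code setupAuth} passes {@code null} only
     *        when authentication is disabled, in which case it is never dereferenced
     */
    AuthInterceptor(AuthenticationConfig authenticationConfig, JwtValidator jwtValidator) {
        this.authConfig = authenticationConfig;
        this.jwt = jwtValidator;
    }

    /**
     * Authenticates one incoming call.
     *
     * <p>On success the (prefix-stripped) token and the decoded {@link UserInfo} are
     * stored in the call context. On failure the call is closed with
     * {@code UNAUTHENTICATED} and the handler is never invoked.
     *
     * @param serverCall the call being intercepted
     * @param metadata request headers; the token is read from {@code AuthConstants.AUTH_METADATA_KEY}
     * @param serverCallHandler next handler in the chain
     * @return the listener from the next handler, or an empty listener for a rejected call
     */
    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler) {
        String methodName = serverCall.getMethodDescriptor().getFullMethodName();

        if (this.authConfig.getDisableAuth()) {
            // Logged at WARN on every call so that this mode stays visible in the logs.
            log.warn("AUTHENTICATE: DISABLED {}", methodName);
            UserInfo placeholderUser = new UserInfo();
            placeholderUser.setUserId(AUTH_DISABLED_USER_ID);
            placeholderUser.setDisplayName(AUTH_DISABLED_USER_NAME);
            Context disabledContext = Context.current()
                    .withValue(AuthConstants.AUTH_TOKEN_KEY, "")
                    .withValue(AuthConstants.USER_INFO_KEY, placeholderUser);
            return Contexts.interceptCall(disabledContext, serverCall, metadata, serverCallHandler);
        }

        String token = (String) metadata.get(AuthConstants.AUTH_METADATA_KEY);
        if (token == null) {
            return rejectCall(serverCall, methodName, "No authentication provided");
        }

        // The "bearer " prefix is optional: a bare token is passed to the validator as-is.
        // regionMatches returns false when the value is shorter than the prefix.
        if (token.regionMatches(true, 0, BEARER_AUTH_PREFIX, 0, BEARER_AUTH_PREFIX.length())) {
            token = token.substring(BEARER_AUTH_PREFIX.length());
        }

        SessionInfo session = this.jwt.decodeAndValidate(token);
        if (!session.isValid()) {
            // NOTE(review): the validator's error text is returned to the unauthenticated
            // caller in the status description; confirm JwtValidator messages carry no
            // internal detail.
            return rejectCall(serverCall, methodName, session.getErrorMessage());
        }

        UserInfo userInfo = session.getUserInfo();
        // NOTE(review): display name and user id come from the token; with signing
        // disabled they are unverified, so confirm the log layout neutralises line breaks.
        if (this.authConfig.getDisableSigning()) {
            log.warn("AUTHENTICATE: SUCCEEDED WITHOUT VALIDATION {} [{} <{}>]", methodName, userInfo.getDisplayName(), userInfo.getUserId());
        } else {
            log.info("AUTHENTICATE: SUCCEEDED {} [{} <{}>]", methodName, userInfo.getDisplayName(), userInfo.getUserId());
        }

        // The raw token travels in the context under AUTH_TOKEN_KEY; it is a
        // credential and should not be logged by downstream code.
        Context authContext = Context.current()
                .withValue(AuthConstants.AUTH_TOKEN_KEY, token)
                .withValue(AuthConstants.USER_INFO_KEY, userInfo);
        return Contexts.interceptCall(authContext, serverCall, metadata, serverCallHandler);
    }

    /**
     * Logs an authentication failure, closes the call with {@code UNAUTHENTICATED}
     * and returns a no-op listener so that no request messages are processed.
     */
    private static <ReqT, RespT> ServerCall.Listener<ReqT> rejectCall(ServerCall<ReqT, RespT> serverCall, String methodName, String reason) {
        log.error("AUTHENTICATE: FAILED {} [{}]", methodName, reason);
        serverCall.close(Status.UNAUTHENTICATED.withDescription(reason), new Metadata());
        return new ServerCall.Listener<ReqT>() {
        };
    }
}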
