package org.finos.tracdap.common.auth.internal;

import io.grpc.Context;
import io.grpc.Contexts;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import org.finos.tracdap.common.exception.EStartup;
import org.finos.tracdap.config.AuthenticationConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/finos/tracdap/common/auth/internal/InternalAuthValidator.class */
public class InternalAuthValidator implements ServerInterceptor {
    private static final String AUTH_DISABLED_USER_ID = "no_auth";
    private static final String AUTH_DISABLED_USER_NAME = "Authentication Disabled";
    private static final Logger log = LoggerFactory.getLogger(InternalAuthValidator.class);
    private final AuthenticationConfig authConfig;
    private final JwtValidator jwt;

    public InternalAuthValidator(AuthenticationConfig authenticationConfig, JwtValidator jwtValidator) {
        if (jwtValidator == null && !authenticationConfig.getDisableAuth()) {
            throw new EStartup("Token validator is not available");
        }
        this.authConfig = authenticationConfig;
        this.jwt = jwtValidator;
    }

    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler) {
        if (this.authConfig.getDisableAuth()) {
            log.warn("AUTHENTICATE: {}() AUTHENTICATION DISABLED", serverCall.getMethodDescriptor().getBareMethodName());
            UserInfo userInfo = new UserInfo();
            userInfo.setUserId(AUTH_DISABLED_USER_ID);
            userInfo.setDisplayName(AUTH_DISABLED_USER_NAME);
            return Contexts.interceptCall(Context.current().withValue(AuthConstants.TRAC_AUTH_USER_KEY, userInfo), serverCall, metadata, serverCallHandler);
        }
        String str = (String) metadata.get(AuthConstants.TRAC_AUTH_TOKEN_KEY);
        if (str == null) {
            log.error("AUTHENTICATE: {}() [{}] FAILED ", serverCall.getMethodDescriptor().getBareMethodName(), "No authentication provided");
            serverCall.close(Status.UNAUTHENTICATED.withDescription("No authentication provided"), new Metadata());
            return new ServerCall.Listener<ReqT>() { // from class: org.finos.tracdap.common.auth.internal.InternalAuthValidator.1
            };
        }
        SessionInfo decodeAndValidate = this.jwt.decodeAndValidate(str);
        if (!decodeAndValidate.isValid()) {
            log.error("AUTHENTICATE: {}() [{}] FAILED", serverCall.getMethodDescriptor().getBareMethodName(), decodeAndValidate.getErrorMessage());
            serverCall.close(Status.UNAUTHENTICATED.withDescription(decodeAndValidate.getErrorMessage()), new Metadata());
            return new ServerCall.Listener<ReqT>() { // from class: org.finos.tracdap.common.auth.internal.InternalAuthValidator.2
            };
        }
        UserInfo userInfo2 = decodeAndValidate.getUserInfo();
        UserInfo delegate = decodeAndValidate.getDelegate();
        if (this.authConfig.getDisableSigning()) {
            log.warn("AUTHENTICATE: {}() [{}] SUCCEEDED WITHOUT VALIDATION", serverCall.getMethodDescriptor().getBareMethodName(), AuthHelpers.printCurrentUser(userInfo2, delegate));
        } else {
            log.info("AUTHENTICATE: {}() [{}] SUCCEEDED", serverCall.getMethodDescriptor().getBareMethodName(), AuthHelpers.printCurrentUser(userInfo2, delegate));
        }
        return Contexts.interceptCall(Context.current().withValue(AuthConstants.TRAC_AUTH_USER_KEY, userInfo2).withValue(AuthConstants.TRAC_DELEGATE_KEY, delegate), serverCall, metadata, serverCallHandler);
    }
}
