package org.sdase.commons.server.auth;

import io.dropwizard.Configuration;
import io.dropwizard.ConfiguredBundle;
import io.dropwizard.auth.AuthDynamicFeature;
import io.dropwizard.client.JerseyClientBuilder;
import io.dropwizard.setup.Bootstrap;
import io.dropwizard.setup.Environment;
import io.opentracing.Tracer;
import io.opentracing.util.GlobalTracer;
import java.net.ProxySelector;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.stream.Stream;
import javax.ws.rs.client.Client;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.impl.conn.SystemDefaultRoutePlanner;
import org.sdase.commons.server.auth.config.AuthConfig;
import org.sdase.commons.server.auth.config.AuthConfigProvider;
import org.sdase.commons.server.auth.config.KeyLocation;
import org.sdase.commons.server.auth.error.ForbiddenExceptionMapper;
import org.sdase.commons.server.auth.error.JwtAuthExceptionMapper;
import org.sdase.commons.server.auth.filter.JwtAuthFilter;
import org.sdase.commons.server.auth.key.JwksKeySource;
import org.sdase.commons.server.auth.key.KeyLoaderScheduler;
import org.sdase.commons.server.auth.key.KeySource;
import org.sdase.commons.server.auth.key.OpenIdProviderDiscoveryKeySource;
import org.sdase.commons.server.auth.key.PemKeySource;
import org.sdase.commons.server.auth.key.PublicKeyLoader;
import org.sdase.commons.server.auth.service.AuthService;
import org.sdase.commons.server.auth.service.JwtAuthenticator;
import org.sdase.commons.server.opentracing.client.ClientTracingUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/sdase/commons/server/auth/AuthBundle.class */
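/**
 * Dropwizard bundle that wires JWT authentication into a service.
 *
 * <p>On {@link #run(Configuration, Environment)} the bundle reads an {@link AuthConfig} from the
 * application configuration, builds one {@link KeySource} per configured {@link KeyLocation},
 * schedules periodic key reloading, and registers a {@link JwtAuthFilter} together with the
 * exception mappers for authentication and authorization failures.
 *
 * <p>Two authorization modes are supported (see {@link AuthorizationBuilder}):
 *
 * <ul>
 *   <li>annotated authorization: the filter is registered through an {@link AuthDynamicFeature},
 *       so only annotated resources are protected and anonymous requests are rejected there;
 *   <li>external authorization: the filter is registered globally and accepts anonymous
 *       requests, leaving the access decision to another component.
 * </ul>
 *
 * @param <T> the application's configuration type
 */
public class AuthBundle<T extends Configuration> implements ConfiguredBundle<T> {
    private static final Logger LOG = LoggerFactory.getLogger(AuthBundle.class);

    /** Extracts the {@link AuthConfig} from the application configuration. */
    private final AuthConfigProvider<T> configProvider;

    /** {@code true} for annotated authorization, {@code false} for external authorization. */
    private final boolean useAnnotatedAuthorization;

    /** Explicitly configured tracer; {@code null} means fall back to {@link GlobalTracer#get()}. */
    private final Tracer tracer;

    /** Final builder step: optional tracer, then {@link #build()}. */
    public interface AuthBuilder<C extends Configuration> {
        /**
         * Sets the tracer used for the key loader client and the auth filter.
         *
         * @param tracer the tracer; if never set, {@link GlobalTracer#get()} is used at runtime
         * @return this builder
         */
        AuthBuilder<C> withTracer(Tracer tracer);

        /** @return the configured bundle */
        AuthBundle<C> build();
    }

    /** Builder step that selects how authorization decisions are made. */
    public interface AuthorizationBuilder<C extends Configuration> {
        /**
         * Protects only annotated resources via {@link AuthDynamicFeature}; anonymous requests to
         * those resources are rejected.
         *
         * @return the next builder step
         */
        AuthBuilder<C> withAnnotatedAuthorization();

        /**
         * Registers the auth filter globally and accepts anonymous requests; the authorization
         * decision is expected to be made elsewhere.
         *
         * @return the next builder step
         */
        AuthBuilder<C> withExternalAuthorization();
    }

    /** First builder step: the bundle needs to know where to find its {@link AuthConfig}. */
    public interface ProviderBuilder {
        /**
         * @param authConfigProvider function extracting the {@link AuthConfig} from the
         *     application configuration
         * @param <C> the application's configuration type
         * @return the next builder step
         */
        <C extends Configuration> AuthorizationBuilder<C> withAuthConfigProvider(
            AuthConfigProvider<C> authConfigProvider);
    }

    /**
     * Fluent builder implementing all builder steps. Instances are created through
     * {@link AuthBundle#builder()} only.
     *
     * @param <C> the application's configuration type
     */
    public static class Builder<C extends Configuration>
        implements ProviderBuilder, AuthorizationBuilder<C>, AuthBuilder<C> {
        private AuthConfigProvider<C> authConfigProvider;
        // Annotated authorization is the default unless withExternalAuthorization() is called.
        private boolean useAnnotatedAuthorization = true;
        private Tracer tracer;

        private Builder() {
        }

        private Builder(AuthConfigProvider<C> authConfigProvider) {
            this.authConfigProvider = authConfigProvider;
        }

        @Override
        public <T extends Configuration> AuthorizationBuilder<T> withAuthConfigProvider(
            AuthConfigProvider<T> authConfigProvider) {
            // A fresh builder is returned because the configuration type parameter changes here.
            return new Builder<>(authConfigProvider);
        }

        @Override
        public AuthBuilder<C> withAnnotatedAuthorization() {
            this.useAnnotatedAuthorization = true;
            return this;
        }

        @Override
        public AuthBuilder<C> withExternalAuthorization() {
            this.useAnnotatedAuthorization = false;
            return this;
        }

        @Override
        public AuthBuilder<C> withTracer(Tracer tracer) {
            this.tracer = tracer;
            return this;
        }

        @Override
        public AuthBundle<C> build() {
            return new AuthBundle<>(this.authConfigProvider, this.useAnnotatedAuthorization, this.tracer);
        }
    }

    /** @return the first step of the fluent builder */
    public static ProviderBuilder builder() {
        return new Builder<>();
    }

    private AuthBundle(
        AuthConfigProvider<T> authConfigProvider, boolean useAnnotatedAuthorization, Tracer tracer) {
        this.configProvider = authConfigProvider;
        this.useAnnotatedAuthorization = useAnnotatedAuthorization;
        this.tracer = tracer;
    }

    /** Nothing to do at bootstrap time; all wiring happens in {@link #run}. */
    @Override
    public void initialize(Bootstrap<?> bootstrap) {
        // intentionally empty
    }

    /**
     * Wires key loading, the JWT auth filter and the exception mappers into the environment.
     *
     * @param configuration the application configuration the {@link AuthConfig} is read from
     * @param environment the Dropwizard environment to register components in
     */
    @Override
    public void run(T configuration, Environment environment) {
        AuthConfig authConfig = this.configProvider.apply(configuration);
        if (authConfig.isDisableAuth()) {
            // The flag is passed on to the JwtAuthenticator below; it is logged loudly because a
            // deployment running with it exposes every protected resource.
            LOG.warn("Authentication is disabled. This setting should NEVER be used in production.");
        }

        Tracer effectiveTracer = this.tracer == null ? GlobalTracer.get() : this.tracer;
        Client keyLoaderClient = createKeyLoaderClient(environment, authConfig, effectiveTracer);

        PublicKeyLoader publicKeyLoader = new PublicKeyLoader();
        authConfig.getKeys().stream()
            .map(keyLocation -> createKeySource(keyLocation, keyLoaderClient))
            .forEach(publicKeyLoader::addKeySource);

        // Keys are refreshed on a managed scheduled executor so rotations at the issuer are picked
        // up without a restart (reload interval is owned by KeyLoaderScheduler).
        KeyLoaderScheduler.create(
                publicKeyLoader,
                environment.lifecycle().scheduledExecutorService("reloadKeysExecutorService").build())
            .start();

        AuthService authService = new AuthService(publicKeyLoader, authConfig.getLeeway());
        JwtAuthenticator authenticator = new JwtAuthenticator(authService, authConfig.isDisableAuth());
        // With external authorization the filter must let requests without a token pass, as the
        // access decision is made downstream; with annotated authorization it rejects them.
        JwtAuthFilter jwtAuthFilter =
            (JwtAuthFilter)
                new JwtAuthFilter.Builder()
                    .withTracer(effectiveTracer)
                    .setAcceptAnonymous(!this.useAnnotatedAuthorization)
                    .setAuthenticator(authenticator)
                    .buildAuthFilter();

        if (this.useAnnotatedAuthorization) {
            environment.jersey().register(new AuthDynamicFeature(jwtAuthFilter));
        } else {
            environment.jersey().register(jwtAuthFilter);
        }
        environment.jersey().register(JwtAuthExceptionMapper.class);
        environment.jersey().register(ForbiddenExceptionMapper.class);
    }

    /**
     * Builds the HTTP client used to fetch keys from JWKS or OpenID discovery endpoints.
     *
     * <p>When no explicit proxy is configured for the key loader client, the JVM's default
     * {@link ProxySelector} is used so that system proxy settings apply.
     *
     * @param environment the Dropwizard environment the client is bound to
     * @param authConfig the auth configuration holding the optional client configuration
     * @param tracer the tracer registered on the client
     * @return the client, named {@code keyLoader} in the environment
     */
    private Client createKeyLoaderClient(Environment environment, AuthConfig authConfig, Tracer tracer) {
        JerseyClientBuilder clientBuilder = new JerseyClientBuilder(environment);
        boolean hasClientConfig = authConfig.getKeyLoaderClient() != null;
        boolean hasProxyConfig =
            hasClientConfig && authConfig.getKeyLoaderClient().getProxyConfiguration() != null;
        if (!hasProxyConfig) {
            clientBuilder.using(new SystemDefaultRoutePlanner(ProxySelector.getDefault()));
        }
        if (hasClientConfig) {
            clientBuilder.using(authConfig.getKeyLoaderClient());
        }
        Client client = clientBuilder.build("keyLoader");
        ClientTracingUtil.registerTracing(client, tracer);
        return client;
    }

    /**
     * Creates the {@link KeySource} matching the type of the given key location.
     *
     * @param keyLocation the configured key location
     * @param client the client used by remote key sources (JWKS, OpenID discovery)
     * @return the key source
     * @throws IllegalArgumentException if the location type is unknown or the required issuer of a
     *     remote location is not a valid URI
     */
    private KeySource createKeySource(KeyLocation keyLocation, Client client) {
        switch (keyLocation.getType()) {
            case PEM:
                return new PemKeySource(
                    keyLocation.getPemKeyId(),
                    keyLocation.getPemSignAlg(),
                    keyLocation.getLocation(),
                    keyLocation.getRequiredIssuer());
            case OPEN_ID_DISCOVERY:
                validateKeyLocation(keyLocation.getLocation(), keyLocation.getRequiredIssuer());
                return new OpenIdProviderDiscoveryKeySource(
                    keyLocation.getLocation().toASCIIString(), client, keyLocation.getRequiredIssuer());
            case JWKS:
                validateKeyLocation(keyLocation.getLocation(), keyLocation.getRequiredIssuer());
                return new JwksKeySource(
                    keyLocation.getLocation().toASCIIString(), client, keyLocation.getRequiredIssuer());
            default:
                throw new IllegalArgumentException("KeyLocation has no valid type: " + keyLocation.getType());
        }
    }

    /**
     * Sanity-checks a remote key location against its required issuer.
     *
     * <p>If the required issuer looks like a URI (it contains a {@code ':'}), its host is compared
     * case-insensitively with the host of the key source URI. A mismatch is only logged, not
     * rejected: keys and tokens may legitimately be served from different hosts, but a mismatch is
     * often a misconfiguration worth noticing.
     *
     * @param keySourceUri the URI the keys are loaded from
     * @param requiredIssuer the issuer tokens must carry; may be blank or a plain string
     * @throws IllegalArgumentException if the required issuer contains a {@code ':'} but is not a
     *     valid URI
     */
    private void validateKeyLocation(URI keySourceUri, String requiredIssuer) {
        // Per JWT, "iss" is a StringOrURI: a value containing ':' must be a URI.
        if (!StringUtils.isNotBlank(requiredIssuer) || !StringUtils.contains(requiredIssuer, ':')) {
            return;
        }
        try {
            URI issuerUri = new URI(requiredIssuer);
            if (!StringUtils.equalsIgnoreCase(keySourceUri.getHost(), issuerUri.getHost())) {
                LOG.warn(
                    "The required issuer host name <{}> for the key <{}> does not match to the key source uri host name <{}>.",
                    issuerUri.getHost(),
                    keySourceUri,
                    keySourceUri.getHost());
            }
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException(
                "The requiredIssuer <" + requiredIssuer + "> is no valid stringOrURI", e);
        }
    }
}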
