package org.sdase.commons.server.opa.filter;

import com.auth0.jwt.interfaces.Claim;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import io.opentelemetry.api.trace.Span;
import io.opentelemetry.api.trace.Tracer;
import io.opentelemetry.context.Scope;
import jakarta.annotation.Priority;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.ProcessingException;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.client.Entity;
import jakarta.ws.rs.client.WebTarget;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.SecurityContext;
import jakarta.ws.rs.core.UriInfo;
import jakarta.ws.rs.ext.Provider;
import java.security.Principal;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.commons.lang3.NotImplementedException;
import org.sdase.commons.server.auth.JwtPrincipal;
import org.sdase.commons.server.opa.OpaJwtPrincipal;
import org.sdase.commons.server.opa.config.OpaConfig;
import org.sdase.commons.server.opa.extension.OpaInputExtension;
import org.sdase.commons.server.opa.filter.model.OpaInput;
import org.sdase.commons.server.opa.filter.model.OpaRequest;
import org.sdase.commons.server.opa.filter.model.OpaResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Provider
@Priority(2000)
/* loaded from: input_file:org/sdase/commons/server/opa/filter/OpaAuthFilter.class */
public class OpaAuthFilter implements ContainerRequestFilter {
    private static final Logger LOG = LoggerFactory.getLogger(OpaAuthFilter.class);
    private static final String OPA_ALLOW_ATTRIBUTE = "opa.allow";
    private final WebTarget webTarget;
    private final boolean isDisabled;
    private final List<Pattern> excludePatterns;
    private final ObjectMapper om;
    private final Map<String, OpaInputExtension<?>> inputExtensions;
    private final Tracer tracer;

    public OpaAuthFilter(WebTarget webTarget, OpaConfig opaConfig, List<String> list, ObjectMapper objectMapper, Map<String, OpaInputExtension<?>> map, Tracer tracer) {
        this.webTarget = webTarget;
        this.isDisabled = opaConfig.isDisableOpa();
        this.excludePatterns = list == null ? Collections.emptyList() : list.stream().map(Pattern::compile).toList();
        this.om = objectMapper;
        this.inputExtensions = map;
        this.tracer = tracer;
    }

    public void filter(ContainerRequestContext containerRequestContext) {
        JwtPrincipal jwtPrincipal;
        Span startSpan = this.tracer.spanBuilder("authorizeUsingOpa").setAttribute(OPA_ALLOW_ATTRIBUTE, false).startSpan();
        try {
            Scope makeCurrent = startSpan.makeCurrent();
            try {
                UriInfo uriInfo = containerRequestContext.getUriInfo();
                String method = containerRequestContext.getMethod();
                String headerString = containerRequestContext.getHeaderString("Trace-Token");
                String str = null;
                SecurityContext securityContext = containerRequestContext.getSecurityContext();
                Map<String, Claim> map = null;
                if (null != securityContext && (jwtPrincipal = getJwtPrincipal(containerRequestContext.getSecurityContext())) != null) {
                    str = jwtPrincipal.getJwt();
                    map = jwtPrincipal.getClaims();
                }
                JsonNode jsonNode = null;
                if (!this.isDisabled && !isExcluded(uriInfo)) {
                    ObjectNode objectNode = (ObjectNode) this.om.convertValue(new OpaInput(str, (String[]) uriInfo.getPathSegments().stream().map((v0) -> {
                        return v0.getPath();
                    }).toArray(i -> {
                        return new String[i];
                    }), method, headerString), ObjectNode.class);
                    this.inputExtensions.forEach((str2, opaInputExtension) -> {
                        objectNode.set(str2, this.om.valueToTree(opaInputExtension.createAdditionalInputContent(containerRequestContext)));
                    });
                    jsonNode = authorizeWithOpa(OpaRequest.request(objectNode), startSpan);
                }
                replaceSecurityContext(containerRequestContext, securityContext, OpaJwtPrincipal.create(str, map, jsonNode, this.om));
                if (makeCurrent != null) {
                    makeCurrent.close();
                }
            } finally {
            }
        } finally {
            startSpan.end();
        }
    }

    private boolean isExcluded(UriInfo uriInfo) {
        return this.excludePatterns.stream().anyMatch(pattern -> {
            return pattern.matcher(uriInfo.getPath()).matches();
        });
    }

    private void replaceSecurityContext(ContainerRequestContext containerRequestContext, SecurityContext securityContext, final OpaJwtPrincipal opaJwtPrincipal) {
        final boolean z = securityContext != null && securityContext.isSecure();
        final String authenticationScheme = securityContext != null ? securityContext.getAuthenticationScheme() : "unknown";
        containerRequestContext.setSecurityContext(new SecurityContext() { // from class: org.sdase.commons.server.opa.filter.OpaAuthFilter.1
            public Principal getUserPrincipal() {
                return opaJwtPrincipal;
            }

            public boolean isUserInRole(String str) {
                throw new NotImplementedException("The isUserInRole methods is not supported for OpaJwtPrincipal");
            }

            public boolean isSecure() {
                return z;
            }

            public String getAuthenticationScheme() {
                return authenticationScheme;
            }
        });
    }

    private JsonNode authorizeWithOpa(OpaRequest opaRequest, Span span) {
        OpaResponse opaResponse = null;
        try {
            opaResponse = (OpaResponse) this.webTarget.request(new MediaType[]{MediaType.APPLICATION_JSON_TYPE}).post(Entity.json(opaRequest), OpaResponse.class);
        } catch (WebApplicationException e) {
            try {
                e.getResponse().close();
            } catch (ProcessingException e2) {
                LOG.warn("Error while closing response", e2);
            }
            LOG.warn("Exception when querying OPA. Maybe policy is broken", e);
        } catch (ProcessingException e3) {
            LOG.warn("Exception during processing of OPA request.", e3);
        }
        if (null == opaResponse || opaResponse.getResult() == null) {
            LOG.warn("Invalid response from OPA. Maybe the policy path or the response format is not correct");
            throw new ForbiddenException("Not authorized");
        }
        span.setAttribute(OPA_ALLOW_ATTRIBUTE, opaResponse.isAllow());
        if (!opaResponse.isAllow()) {
            throw new ForbiddenException("Not authorized");
        }
        if (null == opaResponse.getResult()) {
            return null;
        }
        return opaResponse.getResult();
    }

    private JwtPrincipal getJwtPrincipal(SecurityContext securityContext) {
        Principal userPrincipal = securityContext.getUserPrincipal();
        if (userPrincipal instanceof JwtPrincipal) {
            return (JwtPrincipal) userPrincipal;
        }
        return null;
    }
}
