package org.yamcs.web;

import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.cookie.Cookie;
import io.netty.handler.codec.http.cookie.ServerCookieDecoder;
import java.util.Base64;
import java.util.Iterator;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutionException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.yamcs.YamcsServer;
import org.yamcs.security.AuthenticationException;
import org.yamcs.security.SecurityStore;
import org.yamcs.security.User;
import org.yamcs.security.UsernamePasswordToken;
import org.yamcs.web.JwtHelper;

/* loaded from: input_file:org/yamcs/web/HttpAuthorizationChecker.class */
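/**
 * Authenticates incoming HTTP requests and resolves them to a {@link User}.
 *
 * <p>Three credential carriers are accepted, checked in this order:
 * <ol>
 *   <li>{@code Authorization: Basic ...}: username/password, checked against the {@link SecurityStore};</li>
 *   <li>{@code Authorization: Bearer ...}: a JWT access token;</li>
 *   <li>an {@code access_token} cookie carrying the same JWT (only consulted when no
 *       {@code Authorization} header is present).</li>
 * </ol>
 *
 * <p>A JWT is accepted only if it decodes, is not expired, <em>and</em> is present in the
 * in-memory {@link #jwtTokens} map populated through {@link #storeTokenToUserMapping}. The map is
 * therefore an allow-list of issued tokens: a well-formed token that this instance never stored is
 * rejected.
 *
 * <p>NOTE(review): Basic credentials and bearer tokens are reusable secrets; this class does not
 * check that the request arrived over TLS, so confirm that is enforced elsewhere.
 */
public class HttpAuthorizationChecker {
    private static final String AUTH_TYPE_BASIC = "Basic ";
    private static final String AUTH_TYPE_BEARER = "Bearer ";
    /** Number of {@link #verifyAuth} calls between two sweeps of the token cache. */
    private static final int CLEANUP_INTERVAL = 1000;
    private static final Logger log = LoggerFactory.getLogger(HttpAuthorizationChecker.class);
    /** Issued access tokens (raw JWT string) mapped to the user they were issued to. */
    private final ConcurrentHashMap<String, User> jwtTokens = new ConcurrentHashMap<>();
    // Plain int on purpose: it only paces the cache sweep, so a lost update is harmless.
    private int cleaningCounter = 0;

    /**
     * Authenticates a request from its {@code Authorization} header or, failing that, its
     * {@code Cookie} header.
     *
     * @param channelHandlerContext the Netty channel context of the request
     * @param httpRequest the request whose headers carry the credentials
     * @return the authenticated user
     * @throws HttpException an {@code UnauthorizedException} when credentials are missing or
     *     rejected, a {@code BadRequestException} when they are malformed or use an unsupported
     *     scheme, an {@code InternalServerErrorException} when the login itself fails unexpectedly
     */
    public User verifyAuth(ChannelHandlerContext channelHandlerContext, HttpRequest httpRequest) throws HttpException {
        // '>=' rather than '==': the counter is not synchronized, so concurrent increments may
        // step over the exact threshold; with '==' the sweep would then be skipped until the int
        // wrapped around and the cache of expired tokens would keep growing.
        if (++this.cleaningCounter >= CLEANUP_INTERVAL) {
            this.cleaningCounter = 0;
            cleanupCache();
        }

        if (!httpRequest.headers().contains(HttpHeaderNames.AUTHORIZATION)) {
            if (httpRequest.headers().contains(HttpHeaderNames.COOKIE)) {
                return handleCookie(channelHandlerContext, httpRequest);
            }
            throw new UnauthorizedException("Missing 'Authorization' or 'Cookie' header");
        }

        String authorization = httpRequest.headers().get(HttpHeaderNames.AUTHORIZATION);
        if (authorization.startsWith(AUTH_TYPE_BASIC)) {
            return handleBasicAuth(channelHandlerContext, httpRequest);
        }
        if (authorization.startsWith(AUTH_TYPE_BEARER)) {
            return handleBearerAuth(channelHandlerContext, httpRequest);
        }

        // Report only the scheme. The rest of the header is the credential itself (for example a
        // Base64 user:password pair sent with a differently-cased scheme name) and must not be
        // reflected into an error message that may end up in responses or logs.
        int schemeEnd = authorization.indexOf(' ');
        String scheme = schemeEnd > 0 ? authorization.substring(0, schemeEnd) : "(unparseable)";
        throw new BadRequestException("Unsupported Authorization scheme '" + scheme + "'");
    }

    /**
     * Registers an issued access token so that later requests presenting it are accepted.
     *
     * @param str the raw JWT string, exactly as the client will present it
     * @param user the user the token was issued to
     */
    public void storeTokenToUserMapping(String str, User user) {
        this.jwtTokens.put(str, user);
    }

    /**
     * Handles {@code Authorization: Basic <base64(user:password)>}.
     *
     * @return the user returned by the {@link SecurityStore} login
     * @throws HttpException {@code BadRequestException} for undecodable or colon-less credentials,
     *     {@code UnauthorizedException} when the login is refused,
     *     {@code InternalServerErrorException} for any other login failure or an interrupted wait
     */
    private User handleBasicAuth(ChannelHandlerContext channelHandlerContext, HttpRequest httpRequest) throws HttpException {
        String encoded = httpRequest.headers().get(HttpHeaderNames.AUTHORIZATION).substring(AUTH_TYPE_BASIC.length());
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(encoded);
        } catch (IllegalArgumentException e) {
            throw new BadRequestException("Could not decode Base64-encoded credentials");
        }

        // NOTE(review): decoded with the platform default charset, so non-ASCII usernames or
        // passwords are interpreted differently depending on the host; consider pinning a charset.
        // Limit of 2 keeps any further ':' inside the password.
        String[] credentials = new String(decoded).split(":", 2);
        if (credentials.length < 2) {
            throw new BadRequestException("Malformed username/password (Not separated by colon?)");
        }

        try {
            return SecurityStore.getInstance()
                    .login(new UsernamePasswordToken(credentials[0], credentials[1].toCharArray()))
                    .get();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            // Fail closed: handing back a null User would leave it to every caller to notice that
            // no authentication took place.
            throw new InternalServerErrorException(e);
        } catch (ExecutionException e) {
            if (e.getCause() instanceof AuthenticationException) {
                throw new UnauthorizedException(e.getCause().getMessage());
            }
            throw new InternalServerErrorException(e.getCause());
        }
    }

    /** Handles {@code Authorization: Bearer <jwt>} by validating the token that follows the scheme. */
    private User handleBearerAuth(ChannelHandlerContext channelHandlerContext, HttpRequest httpRequest) throws UnauthorizedException {
        String token = httpRequest.headers().get(HttpHeaderNames.AUTHORIZATION).substring(AUTH_TYPE_BEARER.length());
        return handleAccessToken(channelHandlerContext, httpRequest, token);
    }

    /**
     * Authenticates from the first cookie named {@code access_token} (name compared
     * case-insensitively) in the {@code Cookie} header.
     *
     * <p>NOTE(review): browsers attach cookies automatically, so requests authenticated this way
     * need cross-site request forgery protection (for instance a SameSite attribute on the cookie
     * where it is issued); that is not visible in this class, confirm it exists.
     *
     * @throws UnauthorizedException when no such cookie is present or its token is rejected
     */
    private User handleCookie(ChannelHandlerContext channelHandlerContext, HttpRequest httpRequest) throws UnauthorizedException {
        String cookieHeader = httpRequest.headers().get(HttpHeaderNames.COOKIE);
        for (Cookie cookie : ServerCookieDecoder.STRICT.decode(cookieHeader)) {
            if ("access_token".equalsIgnoreCase(cookie.name())) {
                return handleAccessToken(channelHandlerContext, httpRequest, cookie.value());
            }
        }
        throw new UnauthorizedException("Missing 'Authorization' or 'Cookie' header");
    }

    /**
     * Validates a presented JWT and resolves it to the user it was issued to.
     *
     * <p>The token must decode with the server secret (presumably this also validates the
     * signature; confirm in {@code JwtToken}), must not be expired, must be present in the
     * issued-token map, and its user must still pass {@link SecurityStore#verifyValidity}.
     * Expired tokens and tokens whose user no longer verifies are evicted from the map.
     *
     * @param token the raw JWT string taken from the header or cookie
     * @throws UnauthorizedException when any of the checks above fails
     */
    private User handleAccessToken(ChannelHandlerContext channelHandlerContext, HttpRequest httpRequest, String token) throws UnauthorizedException {
        try {
            if (new JwtToken(token, YamcsServer.getSecretKey()).isExpired()) {
                this.jwtTokens.remove(token);
                throw new UnauthorizedException("Token expired");
            }
        } catch (JwtHelper.JwtDecodeException e) {
            throw new UnauthorizedException("Failed to decode JWT: " + e.getMessage());
        }

        User user = this.jwtTokens.get(token);
        if (user == null) {
            // The token value is deliberately not logged.
            log.warn("Got an invalid JWT token");
            throw new UnauthorizedException("Invalid JWT token");
        }
        if (!SecurityStore.getInstance().verifyValidity(user)) {
            this.jwtTokens.remove(token);
            throw new UnauthorizedException("Could not verify token");
        }
        return user;
    }

    /** Evicts every cached token that is expired or can no longer be decoded. */
    private void cleanupCache() {
        this.jwtTokens.keySet().removeIf(this::isExpiredOrUndecodable);
    }

    /** Returns {@code true} when the token is expired or decoding it fails. */
    private boolean isExpiredOrUndecodable(String token) {
        try {
            return new JwtToken(token, YamcsServer.getSecretKey()).isExpired();
        } catch (JwtHelper.JwtDecodeException e) {
            return true;
        }
    }
}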
