package org.openmetadata.service.security;

import com.auth0.jwk.JwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.fasterxml.jackson.databind.node.TextNode;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableList;
import java.net.URL;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.TimeZone;
import java.util.TreeMap;
import java.util.stream.Stream;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Provider;
import org.openmetadata.common.utils.CommonUtil;
import org.openmetadata.schema.api.security.AuthenticationConfiguration;
import org.openmetadata.schema.api.security.AuthorizerConfiguration;
import org.openmetadata.schema.auth.ServiceTokenType;
import org.openmetadata.schema.services.connections.metadata.AuthProvider;
import org.openmetadata.service.security.auth.BotTokenCache;
import org.openmetadata.service.security.auth.CatalogSecurityContext;
import org.openmetadata.service.security.auth.UserTokenCache;
import org.openmetadata.service.security.jwt.JWTTokenGenerator;
import org.openmetadata.service.security.saml.JwtTokenCacheManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Provider
/* loaded from: input_file:org/openmetadata/service/security/JwtFilter.class */
public class JwtFilter implements ContainerRequestFilter {
    public static final String AUTHORIZATION_HEADER = "Authorization";
    public static final String TOKEN_PREFIX = "Bearer";
    public static final String BOT_CLAIM = "isBot";
    private List<String> jwtPrincipalClaims;
    private JwkProvider jwkProvider;
    private String principalDomain;
    private boolean enforcePrincipalDomain;
    private AuthProvider providerType;
    private static final Logger LOG = LoggerFactory.getLogger(JwtFilter.class);
    private static final List<String> DEFAULT_PUBLIC_KEY_URLS = Arrays.asList("http://localhost:8585/api/v1/system/config/jwks", "http://host.docker.internal:8585/api/v1/system/config/jwks");
    public static final List<String> EXCLUDED_ENDPOINTS = List.of((Object[]) new String[]{"v1/system/config/jwks", "v1/system/config/authorizer", "v1/system/config/customLogoConfiguration", "v1/system/config/auth", "v1/users/signup", "v1/system/version", "v1/users/registrationConfirmation", "v1/users/resendRegistrationToken", "v1/users/generatePasswordResetLink", "v1/users/password/reset", "v1/users/checkEmailInUse", "v1/users/login", "v1/users/refresh"});

    private JwtFilter() {
    }

    public JwtFilter(AuthenticationConfiguration authenticationConfiguration, AuthorizerConfiguration authorizerConfiguration) {
        this.providerType = authenticationConfiguration.getProvider();
        this.jwtPrincipalClaims = authenticationConfiguration.getJwtPrincipalClaims();
        ImmutableList.Builder builder = ImmutableList.builder();
        Iterator it = authenticationConfiguration.getPublicKeyUrls().iterator();
        while (it.hasNext()) {
            builder.add(new URL((String) it.next()));
        }
        for (String str : DEFAULT_PUBLIC_KEY_URLS) {
            if (!authenticationConfiguration.getPublicKeyUrls().contains(str)) {
                builder.add(new URL(str));
            }
        }
        this.jwkProvider = new MultiUrlJwkProvider(builder.build());
        this.principalDomain = authorizerConfiguration.getPrincipalDomain();
        this.enforcePrincipalDomain = authorizerConfiguration.getEnforcePrincipalDomain().booleanValue();
    }

    @VisibleForTesting
    JwtFilter(JwkProvider jwkProvider, List<String> list, String str, boolean z) {
        this.jwkProvider = jwkProvider;
        this.jwtPrincipalClaims = list;
        this.principalDomain = str;
        this.enforcePrincipalDomain = z;
    }

    public void filter(ContainerRequestContext containerRequestContext) {
        UriInfo uriInfo = containerRequestContext.getUriInfo();
        if (EXCLUDED_ENDPOINTS.stream().anyMatch(str -> {
            return uriInfo.getPath().equalsIgnoreCase(str);
        })) {
            return;
        }
        String extractToken = extractToken((MultivaluedMap<String, String>) containerRequestContext.getHeaders());
        LOG.debug("Token from header:{}", extractToken);
        if (AuthProvider.BASIC.equals(this.providerType) || AuthProvider.SAML.equals(this.providerType)) {
            validateTokenIsNotUsedAfterLogout(extractToken);
        }
        DecodedJWT validateAndReturnDecodedJwtToken = validateAndReturnDecodedJwtToken(extractToken);
        TreeMap treeMap = new TreeMap(String.CASE_INSENSITIVE_ORDER);
        treeMap.putAll(validateAndReturnDecodedJwtToken.getClaims());
        String validateAndReturnUsername = validateAndReturnUsername(treeMap);
        if (treeMap.containsKey(BOT_CLAIM) && Boolean.TRUE.equals(treeMap.get(BOT_CLAIM).asBoolean())) {
            validateBotToken(extractToken, validateAndReturnUsername);
        }
        if (treeMap.containsKey(JWTTokenGenerator.TOKEN_TYPE) && ServiceTokenType.PERSONAL_ACCESS.equals(ServiceTokenType.fromValue(treeMap.get(JWTTokenGenerator.TOKEN_TYPE).asString()))) {
            validatePersonalAccessToken(extractToken, validateAndReturnUsername);
        }
        CatalogSecurityContext catalogSecurityContext = new CatalogSecurityContext(new CatalogPrincipal(validateAndReturnUsername), containerRequestContext.getUriInfo().getRequestUri().getScheme(), "DIGEST");
        LOG.debug("SecurityContext {}", catalogSecurityContext);
        containerRequestContext.setSecurityContext(catalogSecurityContext);
    }

    public DecodedJWT validateAndReturnDecodedJwtToken(String str) {
        try {
            DecodedJWT decode = JWT.decode(str);
            if (decode.getExpiresAt() != null && decode.getExpiresAt().before(Calendar.getInstance(TimeZone.getTimeZone("UTC")).getTime())) {
                throw new AuthenticationException("Expired token!");
            }
            try {
                Algorithm.RSA256((RSAPublicKey) this.jwkProvider.get(decode.getKeyId()).getPublicKey(), (RSAPrivateKey) null).verify(decode);
                return decode;
            } catch (RuntimeException e) {
                throw new AuthenticationException("Invalid token", e);
            }
        } catch (JWTDecodeException e2) {
            throw new AuthenticationException("Invalid token", e2);
        }
    }

    public String validateAndReturnUsername(Map<String, Claim> map) {
        String str;
        String str2;
        Stream<String> stream = this.jwtPrincipalClaims.stream();
        Objects.requireNonNull(map);
        Optional<String> findFirst = stream.filter((v1) -> {
            return r1.containsKey(v1);
        }).findFirst();
        Objects.requireNonNull(map);
        String str3 = (String) findFirst.map((v1) -> {
            return r1.get(v1);
        }).map(claim -> {
            return ((TextNode) claim.as(TextNode.class)).asText();
        }).orElseThrow(() -> {
            return new AuthenticationException("Invalid JWT token, none of the following claims are present " + this.jwtPrincipalClaims);
        });
        if (str3.contains("@")) {
            str = str3.split("@")[0];
            str2 = str3.split("@")[1];
        } else {
            str = str3;
            str2 = BotTokenCache.EMPTY_STRING;
        }
        if ((map.containsKey(BOT_CLAIM) && Boolean.TRUE.equals(map.get(BOT_CLAIM).asBoolean())) || !this.enforcePrincipalDomain || str2.equals(this.principalDomain)) {
            return str;
        }
        throw new AuthenticationException(String.format("Not Authorized! Email does not match the principal domain %s", this.principalDomain));
    }

    protected static String extractToken(MultivaluedMap<String, String> multivaluedMap) {
        LOG.debug("Request Headers:{}", multivaluedMap);
        String str = (String) multivaluedMap.getFirst(AUTHORIZATION_HEADER);
        if (CommonUtil.nullOrEmpty(str)) {
            throw AuthenticationException.getTokenNotPresentException();
        }
        if (str.startsWith(TOKEN_PREFIX)) {
            return str.substring(TOKEN_PREFIX.length() + 1);
        }
        throw AuthenticationException.getTokenNotPresentException();
    }

    public static String extractToken(String str) {
        LOG.debug("Request Token:{}", str);
        if (CommonUtil.nullOrEmpty(str)) {
            throw AuthenticationException.getTokenNotPresentException();
        }
        if (str.startsWith(TOKEN_PREFIX)) {
            return str.substring(TOKEN_PREFIX.length() + 1);
        }
        throw AuthenticationException.getTokenNotPresentException();
    }

    private void validateBotToken(String str, String str2) {
        if (!str.equals(BotTokenCache.getToken(str2))) {
            throw AuthenticationException.getInvalidTokenException();
        }
    }

    private void validatePersonalAccessToken(String str, String str2) {
        if (!UserTokenCache.getToken(str2).contains(str)) {
            throw AuthenticationException.getInvalidTokenException();
        }
    }

    private void validateTokenIsNotUsedAfterLogout(String str) {
        if (JwtTokenCacheManager.getInstance().getLogoutEventForToken(str) != null) {
            throw new AuthenticationException("Expired token!");
        }
    }
}
