package io.cellery.observability.api.interceptor;

import io.cellery.observability.api.Constants;
import io.cellery.observability.api.internal.ServiceHolder;
import io.cellery.observability.auth.Permission;
import io.cellery.observability.auth.exception.AuthProviderException;
import java.util.Collections;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.ws.rs.core.Cookie;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Logger;
import org.wso2.msf4j.Request;
import org.wso2.msf4j.Response;
import org.wso2.msf4j.interceptor.RequestInterceptor;

/* loaded from: input_file:io/cellery/observability/api/interceptor/AuthInterceptor.class */
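public class AuthInterceptor implements RequestInterceptor {
    private static final Logger logger = Logger.getLogger(AuthInterceptor.class);
    public static final Pattern API_URI_PATTERN = Pattern.compile("^/api/runtimes/([^/:?]+)(?:/namespaces/([^/:?]+))?");

    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String OPEN_API_URI_PREFIX = "/api/auth";
    private static final int HTTP_UNAUTHORIZED = 401;

    /**
     * Authenticates an incoming API request before it reaches the resource method.
     *
     * <p>Decision order:
     * <ol>
     *   <li>{@code OPTIONS} requests (CORS pre-flight) are always allowed.</li>
     *   <li>Requests carrying no usable credentials are allowed only for open APIs
     *       (see {@link #isOpenApi(Request)}); everything else is rejected with 401.</li>
     *   <li>Requests with credentials store the reassembled access token in the request
     *       property {@code Constants.REQUEST_PROPERTY_ACCESS_TOKEN}; open APIs are then allowed
     *       without validation, all other URIs are validated against the auth provider with the
     *       permission derived from the URI.</li>
     * </ol>
     * Any failure of the auth provider is treated as "not authenticated" (fail closed).
     *
     * @param request  the inbound request
     * @param response the response, on which status 401 is set when the request is blocked
     * @return {@code true} to let the request proceed, {@code false} when it has been blocked
     */
    public boolean interceptRequest(Request request, Response response) {
        if ("OPTIONS".equalsIgnoreCase(request.getHttpMethod())) {
            // Pre-flight requests carry no credentials by design; let them through untouched.
            if (logger.isDebugEnabled()) {
                logger.debug("Allowing OPTIONS " + request.getUri());
            }
            return true;
        }

        String accessToken = extractAccessToken(request);
        boolean openApi = isOpenApi(request);
        if (accessToken == null) {
            if (openApi) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Allowing Open API Call " + request.getHttpMethod() + " " + request.getUri()
                            + " without access token");
                }
                return true;
            }
            if (logger.isDebugEnabled()) {
                logger.debug("Blocking API Call " + request.getHttpMethod() + " " + request.getUri()
                        + " without access token");
            }
            response.setStatus(HTTP_UNAUTHORIZED);
            return false;
        }

        // Downstream handlers read the token from this property; it is never written to the log.
        request.setProperty(Constants.REQUEST_PROPERTY_ACCESS_TOKEN, accessToken);
        if (openApi) {
            if (logger.isDebugEnabled()) {
                logger.debug("Allowing Open API Call " + request.getHttpMethod() + " " + request.getUri());
            }
            return true;
        }

        try {
            if (ServiceHolder.getAuthProvider().isTokenValid(accessToken, getRequiredPermission(request))) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Allowing API Call " + request.getHttpMethod() + " " + request.getUri()
                            + " with valid access token");
                }
                return true;
            }
            if (logger.isDebugEnabled()) {
                logger.debug("Blocking API Call " + request.getHttpMethod() + " " + request.getUri()
                        + " with invalid access token");
            }
            response.setStatus(HTTP_UNAUTHORIZED);
            return false;
        } catch (AuthProviderException e) {
            // Fail closed: a provider outage must not let a request through. Logged at WARN (the
            // original logged at DEBUG) so that validation outages are visible in operation.
            logger.warn("Error occurred while authenticating the access token", e);
            response.setStatus(HTTP_UNAUTHORIZED);
            return false;
        }
    }

    /**
     * Reassembles the access token from the {@code Authorization} header and the HttpOnly session
     * cookie. The two halves are concatenated: the second whitespace-separated part of the header
     * (the part after the scheme) followed by the cookie value.
     *
     * <p>NOTE(review): splitting the token between a script-readable header and an HttpOnly cookie
     * looks intentional (neither half alone is a usable token) — confirm against the login handler.
     *
     * @param request the inbound request
     * @return the reassembled token, or {@code null} when either half is missing or the header does
     *         not have the {@code "<scheme> <value>"} shape (previously that case threw an
     *         {@link ArrayIndexOutOfBoundsException} instead of producing a 401)
     */
    private static String extractAccessToken(Request request) {
        String header = request.getHeader(AUTHORIZATION_HEADER);
        Cookie cookie = (Cookie) request.getHeaders().getCookies().get(Constants.HTTP_ONLY_SESSION_COOKIE);
        if (StringUtils.isEmpty(header) || cookie == null || StringUtils.isEmpty(cookie.getValue())) {
            return null;
        }
        String[] headerParts = header.split(" ");
        if (headerParts.length < 2) {
            // Malformed header (no scheme/value separation): treat as absent credentials.
            return null;
        }
        return headerParts[1] + cookie.getValue();
    }

    /**
     * Returns whether the request targets an API that requires no authentication.
     *
     * <p>NOTE(review): this is a plain prefix match on {@code /api/auth}, so any URI beginning with
     * that string (not only the exact path segment) is treated as open — confirm this is intended.
     *
     * @param request the inbound request
     * @return {@code true} when the request URI is non-empty and starts with {@code /api/auth}
     */
    private boolean isOpenApi(Request request) {
        String uri = request.getUri();
        return StringUtils.isNotEmpty(uri) && uri.startsWith(OPEN_API_URI_PREFIX);
    }

    /**
     * Derives the permission that the caller must hold for the requested URI.
     *
     * <p>{@link #API_URI_PATTERN} yields the runtime (group 1, mandatory) and the namespace
     * (group 2, optional). When the URI does not match, both are {@code ""}; when only the
     * namespace segment is absent, the namespace is {@code null} (the optional group did not
     * participate) — this matches the previous behaviour and is left unchanged because the
     * {@code Permission} semantics for {@code null} vs {@code ""} are not visible here.
     *
     * @param request the inbound request
     * @return a read ({@code API_GET}) permission scoped to the runtime and namespace in the URI
     */
    private Permission getRequiredPermission(Request request) {
        String runtime = "";
        String namespace = "";
        String uri = request.getUri();
        if (uri != null) {
            Matcher matcher = API_URI_PATTERN.matcher(uri);
            if (matcher.find()) {
                runtime = matcher.group(1);
                namespace = matcher.group(2);
            }
        }
        return new Permission(runtime, namespace, Collections.singletonList(Permission.Action.API_GET));
    }
}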
