package au.csiro.pathling.security.ga4gh;

import au.csiro.pathling.config.ServerConfiguration;
import ca.uhn.fhir.rest.server.exceptions.UnclassifiedServerFailureException;
import com.google.gson.GsonBuilder;
import jakarta.annotation.Nonnull;
import jakarta.annotation.Nullable;
import java.io.IOException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import org.hl7.fhir.r4.model.Enumerations;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Profile;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.ClaimAccessor;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.stereotype.Component;

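/**
 * Converts a GA4GH passport (a JWT carrying a {@code ga4gh_passport_v1} claim) into a Spring
 * Security authentication, by installing a {@link PassportAuthoritiesConverter} as the granted
 * authorities converter. Only active when both the {@code server} and {@code ga4gh} profiles are
 * enabled.
 */
@Profile({"server & ga4gh"})
@Component
public class PassportAuthenticationConverter extends JwtAuthenticationConverter {
    private static final Logger log = LoggerFactory.getLogger(PassportAuthenticationConverter.class);

    /**
     * Derives granted authorities from the visas embedded in a passport token. Each visa is
     * decoded, its dataset ID is read, a manifest for that dataset is fetched from the visa
     * issuer, and the manifest is folded into the shared {@link PassportScope}.
     */
    private static class PassportAuthoritiesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
        private static final String PASSPORT_CLAIM_NAME = "ga4gh_passport_v1";
        private static final String VISAS_CLAIM_NAME = "ga4gh_visa_v1";
        // Granted to every passport that passes conversion, including one whose visa list is empty.
        private static final Collection<GrantedAuthority> IMPLIED_AUTHORITIES = Arrays.asList(new SimpleGrantedAuthority("pathling:aggregate"), new SimpleGrantedAuthority("pathling:search"), new SimpleGrantedAuthority("pathling:extract"));
        private static final String VISA_TYPE_CLAIM = "type";
        private static final String VISA_DATASET_ID_CLAIM = "value";
        // Used only when the manifest response does not declare a charset of its own.
        private static final String MANIFEST_DEFAULT_CHARSET = "UTF-8";

        // Decoder applied to each embedded visa token; whatever signature and issuer validation
        // the visas receive happens inside this decoder, not in this class.
        @Nonnull
        private final JwtDecoder jwtDecoder;

        @Nonnull
        private final ManifestConverter manifestConverter;

        // NOTE(review): this instance is injected once and mutated on every conversion.
        // Presumably it is a request-scoped bean - confirm, because with a wider scope the
        // filters resolved for one caller would carry over to the next.
        @Nonnull
        private final PassportScope passportScope;

        private PassportAuthoritiesConverter(@Nonnull JwtDecoder jwtDecoder, @Nonnull ManifestConverter manifestConverter, @Nonnull PassportScope passportScope) {
            this.jwtDecoder = jwtDecoder;
            this.manifestConverter = manifestConverter;
            this.passportScope = passportScope;
        }

        /**
         * Resolves the authorities for a passport token.
         *
         * @param jwt the passport token; must not be null
         * @return the implied authorities plus one {@code pathling:read:<type>} authority for each
         *     resource type that has a non-empty entry in the passport scope
         * @throws UnclassifiedServerFailureException (502) if the passport claim is absent, a visa
         *     is malformed or has no issuer, or the manifest cannot be retrieved
         */
        @Override
        @Nonnull
        public Collection<GrantedAuthority> convert(@Nullable Jwt jwt) {
            Objects.requireNonNull(jwt);
            final List<String> visaTokens = jwt.getClaimAsStringList(PASSPORT_CLAIM_NAME);
            checkToken(() -> {
                Objects.requireNonNull(visaTokens);
            }, "No ga4gh_passport_v1 claim");

            for (final String visaToken : visaTokens) {
                final Jwt visa = this.jwtDecoder.decode(visaToken);
                final String datasetId = getControlledAccessDatasetId(visa);
                // The manifest is fetched from the issuer named in the visa, so a visa without
                // one cannot be resolved; reject it instead of building a URL from "null".
                final URL issuer = visa.getIssuer();
                checkToken(() -> {
                    Objects.requireNonNull(issuer);
                }, "Visa has no issuer");
                try {
                    final VisaManifest manifest = getManifest(issuer, datasetId);
                    log.debug("Manifest for dataset {}: {}", datasetId, manifest);
                    this.manifestConverter.populateScope(this.passportScope, manifest);
                } catch (IOException e) {
                    // Same status as every other token and manifest failure, with the cause kept.
                    final UnclassifiedServerFailureException failure = new UnclassifiedServerFailureException(502, "Problem retrieving manifest for visa");
                    failure.initCause(e);
                    throw failure;
                }
            }
            log.debug("Resolved passport filters: {}", this.passportScope);

            final List<GrantedAuthority> authorities = new ArrayList<>(IMPLIED_AUTHORITIES);
            for (Enumerations.ResourceType resourceType : this.passportScope.keySet()) {
                // Read access is granted only for resource types that a manifest populated.
                if (!this.passportScope.get(resourceType).isEmpty()) {
                    authorities.add(new SimpleGrantedAuthority("pathling:read:" + resourceType.toCode()));
                }
            }
            log.debug("Resolved passport authorities: {}", authorities);
            return authorities;
        }

        /**
         * Extracts the dataset ID (the {@code value} field) from a visa's {@code ga4gh_visa_v1}
         * claim.
         *
         * @param claimAccessor the decoded visa
         * @return the dataset ID as a non-empty string
         * @throws UnclassifiedServerFailureException (502) if the claim is absent, is not a JSON
         *     object, or lacks a {@code type} or a usable {@code value}
         */
        @Nonnull
        private String getControlledAccessDatasetId(@Nonnull ClaimAccessor claimAccessor) {
            final Object rawClaim = claimAccessor.getClaim(VISAS_CLAIM_NAME);
            // Covers both a missing claim and a claim of an unexpected shape, which would
            // otherwise surface as a ClassCastException.
            if (!(rawClaim instanceof JSONObject)) {
                throw new UnclassifiedServerFailureException(502, "Visa is wrong type");
            }
            final JSONObject visaClaim = (JSONObject) rawClaim;
            // JSONObject.get() throws on an absent key, so a null check on its result can never
            // fire; isNull() covers both an absent key and an explicit JSON null.
            if (visaClaim.isNull(VISA_TYPE_CLAIM) || visaClaim.isNull(VISA_DATASET_ID_CLAIM)) {
                throw new UnclassifiedServerFailureException(502, "Visa is wrong type, or is missing dataset ID");
            }
            // NOTE(review): the visa type is required to be present but its value is never
            // compared against an expected type, so any visa type is accepted here. Confirm
            // whether the decoder or the manifest service restricts it.
            final String datasetId = visaClaim.get(VISA_DATASET_ID_CLAIM).toString();
            if (datasetId.isEmpty()) {
                throw new UnclassifiedServerFailureException(502, "Visa is wrong type, or is missing dataset ID");
            }
            return datasetId;
        }

        /**
         * Fetches the manifest for a dataset from {@code <issuer>/api/manifest/<datasetId>}.
         *
         * @param url the visa issuer, used as the base URL
         * @param str the dataset ID taken from the visa
         * @return the parsed manifest
         * @throws IOException if closing the HTTP client fails
         * @throws UnclassifiedServerFailureException (502) if the request cannot be built or the
         *     retrieval fails
         */
        @Nonnull
        private VisaManifest getManifest(@Nonnull URL url, @Nonnull String str) throws IOException {
            // NOTE(review): both parts of this URL come from the visa. The host is the visa's
            // issuer, so the server makes an outbound request to an address named by the token;
            // that is only safe if the visa decoder restricts issuers to a trusted set - confirm.
            // The dataset ID is appended without encoding, so reserved characters in it would
            // change the path or query that is requested; consider encoding it as a single path
            // segment once the format the manifest service expects is known.
            final String manifestUrl = url + "/api/manifest/" + str;
            // NOTE(review): the default client is built without explicit timeouts; consider
            // bounding connect and read time so a slow manifest endpoint cannot stall
            // authentication.
            try (CloseableHttpClient httpClient = HttpClients.createDefault()) {
                try {
                    log.debug("Retrieving manifest from {}", url);
                    return httpClient.execute(new HttpGet(manifestUrl), this::manifestResponseHandler);
                } catch (IOException | IllegalArgumentException e) {
                    // IllegalArgumentException is what HttpGet raises for a URI it cannot parse.
                    // Keep the cause so operators can tell a network fault from a bad response.
                    final UnclassifiedServerFailureException failure = new UnclassifiedServerFailureException(502, "Problem retrieving manifest for visa");
                    failure.initCause(e);
                    throw failure;
                }
            }
        }

        /**
         * Turns the manifest HTTP response into a {@link VisaManifest}.
         *
         * @param httpResponse the response from the manifest endpoint
         * @return the manifest parsed from the JSON body
         * @throws IOException if the status is not 200, the body is absent or empty, or the body
         *     cannot be read
         */
        @Nonnull
        private VisaManifest manifestResponseHandler(@Nonnull HttpResponse httpResponse) throws IOException {
            final int statusCode = httpResponse.getStatusLine().getStatusCode();
            if (statusCode != 200) {
                throw new ClientProtocolException("VisaManifest retrieval - unexpected response status: " + statusCode);
            }
            final HttpEntity entity = httpResponse.getEntity();
            if (entity == null) {
                throw new ClientProtocolException("VisaManifest retrieval - no content");
            }
            // Without a declared charset the library default is ISO-8859-1, which would garble
            // non-ASCII JSON; fall back to UTF-8 instead.
            final String body = EntityUtils.toString(entity, MANIFEST_DEFAULT_CHARSET);
            final VisaManifest manifest = new GsonBuilder().create().fromJson(body, VisaManifest.class);
            // Gson yields null for an empty document, which would break the @Nonnull contract.
            if (manifest == null) {
                throw new ClientProtocolException("VisaManifest retrieval - no content");
            }
            return manifest;
        }

        /**
         * Runs a validation step and reports any failure as a 502 with the given message, keeping
         * the original exception as the cause.
         *
         * @param runnable the check to run
         * @param str the message for the resulting exception
         */
        private void checkToken(@Nonnull Runnable runnable, @Nonnull String str) {
            try {
                runnable.run();
            } catch (Exception e) {
                final UnclassifiedServerFailureException failure = new UnclassifiedServerFailureException(502, str);
                failure.initCause(e);
                throw failure;
            }
        }
    }

    /**
     * Wires the passport authorities converter into this authentication converter.
     *
     * @param visaDecoderFactory creates the decoder used for the visas embedded in a passport
     * @param serverConfiguration configuration passed to the decoder factory
     * @param manifestConverter folds retrieved manifests into the passport scope
     * @param passportScope the scope populated while a passport is converted
     */
    public PassportAuthenticationConverter(@Nonnull VisaDecoderFactory visaDecoderFactory, @Nonnull ServerConfiguration serverConfiguration, @Nonnull ManifestConverter manifestConverter, @Nonnull PassportScope passportScope) {
        log.debug("Instantiating passport authentication converter");
        setJwtGrantedAuthoritiesConverter(new PassportAuthoritiesConverter(visaDecoderFactory.createDecoder(serverConfiguration), manifestConverter, passportScope));
    }
}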
