package io.camunda.connector.inbound;

import io.camunda.connector.api.annotation.InboundConnector;
import io.camunda.connector.api.inbound.Activity;
import io.camunda.connector.api.inbound.Health;
import io.camunda.connector.api.inbound.InboundConnectorContext;
import io.camunda.connector.api.inbound.Severity;
import io.camunda.connector.api.inbound.webhook.MappedHttpRequest;
import io.camunda.connector.api.inbound.webhook.WebhookConnectorException;
import io.camunda.connector.api.inbound.webhook.WebhookConnectorExecutable;
import io.camunda.connector.api.inbound.webhook.WebhookHttpResponse;
import io.camunda.connector.api.inbound.webhook.WebhookProcessingPayload;
import io.camunda.connector.api.inbound.webhook.WebhookResult;
import io.camunda.connector.api.inbound.webhook.WebhookResultContext;
import io.camunda.connector.generator.dsl.BpmnType;
import io.camunda.connector.generator.java.annotation.ElementTemplate;
import io.camunda.connector.inbound.authorization.AuthorizationResult;
import io.camunda.connector.inbound.authorization.WebhookAuthorizationHandler;
import io.camunda.connector.inbound.model.WebhookConnectorProperties;
import io.camunda.connector.inbound.model.WebhookProcessingResultImpl;
import io.camunda.connector.inbound.signature.HMACAlgoCustomerChoice;
import io.camunda.connector.inbound.signature.HMACSignatureValidator;
import io.camunda.connector.inbound.signature.HMACSwitchCustomerChoice;
import io.camunda.connector.inbound.signature.strategy.HMACEncodingStrategyFactory;
import io.camunda.connector.inbound.utils.HttpMethods;
import io.camunda.connector.inbound.utils.HttpWebhookUtil;
import io.netty.handler.codec.http.HttpResponseStatus;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InboundConnector(name = "Webhook", type = "io.camunda:webhook:1")
@ElementTemplate(id = "io.camunda.connectors.webhook", name = "Webhook Connector", icon = "icon.svg", version = 11, inputDataClass = WebhookConnectorProperties.WebhookConnectorPropertiesWrapper.class, description = "Configure webhook to receive callbacks", documentationRef = "https://docs.camunda.io/docs/components/connectors/out-of-the-box-connectors/http-webhook/", propertyGroups = {@ElementTemplate.PropertyGroup(id = "endpoint", label = "Webhook configuration"), @ElementTemplate.PropertyGroup(id = "authentication", label = "Authentication"), @ElementTemplate.PropertyGroup(id = "authorization", label = "Authorization"), @ElementTemplate.PropertyGroup(id = "webhookResponse", label = "Webhook response")}, elementTypes = {@ElementTemplate.ConnectorElementType(appliesTo = {BpmnType.START_EVENT}, elementType = BpmnType.START_EVENT, templateIdOverride = "io.camunda.connectors.webhook.WebhookConnector.v1", templateNameOverride = "Webhook Start Event Connector"), @ElementTemplate.ConnectorElementType(appliesTo = {BpmnType.START_EVENT}, elementType = BpmnType.MESSAGE_START_EVENT, templateIdOverride = "io.camunda.connectors.webhook.WebhookConnectorStartMessage.v1", templateNameOverride = "Webhook Message Start Event Connector"), @ElementTemplate.ConnectorElementType(appliesTo = {BpmnType.INTERMEDIATE_THROW_EVENT, BpmnType.INTERMEDIATE_CATCH_EVENT}, elementType = BpmnType.INTERMEDIATE_CATCH_EVENT, templateIdOverride = "io.camunda.connectors.webhook.WebhookConnectorIntermediate.v1", templateNameOverride = "Webhook Intermediate Event Connector"), @ElementTemplate.ConnectorElementType(appliesTo = {BpmnType.BOUNDARY_EVENT}, elementType = BpmnType.BOUNDARY_EVENT, templateIdOverride = "io.camunda.connectors.webhook.WebhookConnectorBoundary.v1", templateNameOverride = "Webhook Boundary Event Connector")})
/* loaded from: input_file:io/camunda/connector/inbound/HttpWebhookExecutable.class */
public class HttpWebhookExecutable implements WebhookConnectorExecutable {
    private static final Logger LOGGER = LoggerFactory.getLogger(HttpWebhookExecutable.class);
    private WebhookConnectorProperties props;
    private WebhookAuthorizationHandler<?> authChecker;
    private InboundConnectorContext context;
    private Function<WebhookResultContext, WebhookHttpResponse> responseExpression;

    public void activate(InboundConnectorContext inboundConnectorContext) {
        this.context = inboundConnectorContext;
        this.props = new WebhookConnectorProperties((WebhookConnectorProperties.WebhookConnectorPropertiesWrapper) inboundConnectorContext.bindProperties(WebhookConnectorProperties.WebhookConnectorPropertiesWrapper.class));
        this.authChecker = WebhookAuthorizationHandler.getHandlerForAuth(this.props.auth());
        this.responseExpression = mapResponseExpression();
        inboundConnectorContext.reportHealth(Health.up());
    }

    public WebhookResult triggerWebhook(WebhookProcessingPayload webhookProcessingPayload) {
        LOGGER.trace("Triggered webhook with context {} and payload {}", this.props.context(), webhookProcessingPayload);
        this.context.log(Activity.level(Severity.INFO).tag(webhookProcessingPayload.method()).message("Url: " + webhookProcessingPayload.requestURL()));
        validateHttpMethod(webhookProcessingPayload);
        verifySignature(webhookProcessingPayload);
        AuthorizationResult checkAuthorization = this.authChecker.checkAuthorization(webhookProcessingPayload);
        if (checkAuthorization instanceof AuthorizationResult.Failure) {
            throw ((AuthorizationResult.Failure) checkAuthorization).toException();
        }
        return new WebhookProcessingResultImpl(mapRequest(webhookProcessingPayload), this.responseExpression, null);
    }

    private void validateHttpMethod(WebhookProcessingPayload webhookProcessingPayload) {
        if (!HttpMethods.any.name().equalsIgnoreCase(this.props.method()) && !webhookProcessingPayload.method().equalsIgnoreCase(this.props.method())) {
            throw new WebhookConnectorException(HttpResponseStatus.METHOD_NOT_ALLOWED.code(), "Method " + webhookProcessingPayload.method() + " not supported");
        }
    }

    private static MappedHttpRequest mapRequest(WebhookProcessingPayload webhookProcessingPayload) {
        return new MappedHttpRequest(HttpWebhookUtil.transformRawBodyToObject(webhookProcessingPayload.rawBody(), HttpWebhookUtil.extractContentType(webhookProcessingPayload.headers())), webhookProcessingPayload.headers(), webhookProcessingPayload.params());
    }

    @Nullable
    private Function<WebhookResultContext, WebhookHttpResponse> mapResponseExpression() {
        Function<WebhookResultContext, WebhookHttpResponse> function = null;
        if (this.props.responseExpression() != null) {
            function = this.props.responseExpression();
        } else if (this.props.responseBodyExpression() != null) {
            function = webhookResultContext -> {
                return WebhookHttpResponse.ok(this.props.responseBodyExpression().apply(webhookResultContext));
            };
        }
        return function;
    }

    private void verifySignature(WebhookProcessingPayload webhookProcessingPayload) {
        if (!webhookSignatureIsValid(webhookProcessingPayload)) {
            throw new WebhookConnectorException.WebhookSecurityException(HttpResponseStatus.UNAUTHORIZED.code(), WebhookConnectorException.WebhookSecurityException.Reason.INVALID_SIGNATURE, "HMAC signature check didn't pass");
        }
    }

    private boolean webhookSignatureIsValid(WebhookProcessingPayload webhookProcessingPayload) {
        try {
            if (shouldValidateHmac()) {
                return validateHmacSignature(HMACEncodingStrategyFactory.getStrategy(this.props.hmacScopes(), webhookProcessingPayload.method()).getBytesToSign(webhookProcessingPayload), webhookProcessingPayload);
            }
            return true;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    private boolean shouldValidateHmac() {
        return HMACSwitchCustomerChoice.enabled.name().equals((String) Optional.ofNullable(this.props.shouldValidateHmac()).orElse(HMACSwitchCustomerChoice.disabled.name()));
    }

    private boolean validateHmacSignature(byte[] bArr, WebhookProcessingPayload webhookProcessingPayload) throws NoSuchAlgorithmException, InvalidKeyException, IOException {
        return new HMACSignatureValidator(bArr, webhookProcessingPayload.headers(), this.props.hmacHeader(), this.props.hmacSecret(), HMACAlgoCustomerChoice.valueOf(this.props.hmacAlgorithm())).isRequestValid();
    }

    public WebhookHttpResponse verify(WebhookProcessingPayload webhookProcessingPayload) {
        WebhookHttpResponse webhookHttpResponse = null;
        if (this.props.verificationExpression() != null) {
            webhookHttpResponse = this.props.verificationExpression().apply(Map.of("request", Map.of("body", HttpWebhookUtil.transformRawBodyToObject(webhookProcessingPayload.rawBody(), HttpWebhookUtil.extractContentType(webhookProcessingPayload.headers())), "headers", webhookProcessingPayload.headers(), "params", webhookProcessingPayload.params())));
        }
        return webhookHttpResponse;
    }

    public void deactivate() {
        LOGGER.debug("Deactivating webhook connector");
        this.context.reportHealth(Health.down());
    }
}
