package net.solarnetwork.web.security;

import jakarta.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import net.solarnetwork.security.Snws2AuthorizationBuilder;
import net.solarnetwork.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;

/* loaded from: input_file:net/solarnetwork/web/security/AuthenticationDataV2.class */
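/**
 * Authentication data for the {@link AuthenticationScheme#V2} scheme, parsed from an
 * authorization token string of the form
 * {@code Credential=ID,SignedHeaders=name1;name2,Signature=HEX}.
 *
 * <p>
 * The constructor rejects the request with a {@link BadCredentialsException} when a
 * component is missing or malformed, or when a header that must be covered by the
 * signature is present on the request but not listed in {@code SignedHeaders}. The
 * expected signature is then derived with a {@link Snws2AuthorizationBuilder}
 * configured from the request.
 * </p>
 */
public class AuthenticationDataV2 extends AuthenticationData {

    private static final String HOST_HEADER = "host";
    private static final Logger log = LoggerFactory.getLogger(AuthenticationDataV2.class);

    /** Required length of the {@code Signature} component, in characters. */
    private static final int SIGNATURE_HEX_LENGTH = 64;

    /**
     * Number of consecutive days, counting back from the request date, for which a
     * signing key is derived when looking for a matching signature.
     */
    private static final int SIGNING_KEY_DAY_WINDOW = 7;

    public static final String TOKEN_COMPONENT_KEY_CREDENTIAL = "Credential";
    public static final String TOKEN_COMPONENT_KEY_SIGNED_HEADERS = "SignedHeaders";
    public static final String TOKEN_COMPONENT_KEY_SIGNATURE = "Signature";

    private final String explicitHost;
    private final String authTokenId;
    private final String signatureDigest;
    private final Set<String> signedHeaderNames;
    private final String[] sortedSignedHeaderNames;
    private final Snws2AuthorizationBuilder builder;

    /**
     * Creates authentication data with no explicit host override.
     *
     * @param securityHttpServletRequestWrapper the request being authenticated
     * @param str the token component string from the authorization header
     * @throws IOException if reading the request fails
     * @throws BadCredentialsException if the token string or signed headers are invalid
     */
    public AuthenticationDataV2(SecurityHttpServletRequestWrapper securityHttpServletRequestWrapper, String str) throws IOException {
        this(securityHttpServletRequestWrapper, str, null);
    }

    /**
     * Creates authentication data, optionally replacing the request's {@code Host}
     * header value in the canonical request.
     *
     * @param securityHttpServletRequestWrapper the request being authenticated
     * @param str the token component string from the authorization header
     * @param str2 a host value to sign with instead of the request's own, or
     *        {@code null} to derive it from the request
     * @throws IOException if reading the request fails
     * @throws BadCredentialsException if the token string or signed headers are invalid
     */
    public AuthenticationDataV2(SecurityHttpServletRequestWrapper securityHttpServletRequestWrapper, String str, String str2) throws IOException {
        super(AuthenticationScheme.V2, securityHttpServletRequestWrapper, str);
        this.explicitHost = str2;

        // An empty token string yields an empty map, so it is rejected below as bad
        // credentials rather than failing with a NullPointerException.
        final Map<String, String> components = tokenStringToMap(str);

        this.authTokenId = components.get(TOKEN_COMPONENT_KEY_CREDENTIAL);
        if (this.authTokenId == null) {
            throw new BadCredentialsException("Invalid Credential value");
        }

        // Only the length is checked here; a value of the right length that is not a
        // valid digest simply never matches a computed signature.
        this.signatureDigest = components.get(TOKEN_COMPONENT_KEY_SIGNATURE);
        if (this.signatureDigest == null || this.signatureDigest.length() != SIGNATURE_HEX_LENGTH) {
            throw new BadCredentialsException("Invalid Signature value");
        }

        this.signedHeaderNames = StringUtils.delimitedStringToSet(components.get(TOKEN_COMPONENT_KEY_SIGNED_HEADERS), ";");
        if (this.signedHeaderNames == null || this.signedHeaderNames.size() < 2) {
            throw new BadCredentialsException("Invalid SignedHeaders value");
        }

        // Lower-case with Locale.ROOT: a default-locale conversion can map 'I' to a
        // dotless 'i' and make a header name compare unequal to its canonical form.
        this.sortedSignedHeaderNames = this.signedHeaderNames.toArray(new String[0]);
        for (int i = 0; i < this.sortedSignedHeaderNames.length; i++) {
            this.sortedSignedHeaderNames[i] = this.sortedSignedHeaderNames[i].toLowerCase(Locale.ROOT);
        }
        Arrays.sort(this.sortedSignedHeaderNames);

        validateSignedHeaderNames(securityHttpServletRequestWrapper);
        validateContentDigest(securityHttpServletRequestWrapper);
        this.builder = new Snws2AuthorizationBuilder(this.authTokenId).date(getDate());
        setupBuilder(securityHttpServletRequestWrapper);
    }

    /**
     * Splits a comma-delimited list of {@code key=value} components into an
     * insertion-ordered map. Components without a key before the first {@code '='}
     * are skipped.
     *
     * @param str the token component string, possibly {@code null} or empty
     * @return the parsed components; empty (never {@code null}) when there is nothing
     *         to parse
     */
    private static Map<String, String> tokenStringToMap(String str) {
        final Map<String, String> components = new LinkedHashMap<>();
        if (str == null || str.isEmpty()) {
            return components;
        }
        // A trailing delimiter lets the loop treat the last component like the others.
        final String delimited = str + ",";
        int start = 0;
        for (int end = delimited.indexOf(','); end >= 0; end = delimited.indexOf(',', start)) {
            final String component = delimited.substring(start, end);
            final int eq = component.indexOf('=');
            if (eq > 0) {
                components.put(component.substring(0, eq), component.substring(eq + 1));
            }
            start = end + 1;
        }
        return components;
    }

    /**
     * Computes the expected signature using the request date.
     *
     * @param str the secret passed to the builder's signing-key derivation
     *        (presumably the token secret; confirm against the caller)
     * @return the computed signature
     */
    @Override
    public String computeSignatureDigest(String str) {
        return computeSignatureDigest(str, getDate());
    }

    /**
     * Computes the expected signature, trying a signing key for the given date and
     * for each of the preceding days within the signing-key window.
     *
     * @param str the secret passed to the builder's signing-key derivation
     *        (presumably the token secret; confirm against the caller)
     * @param instant the most recent signing date to try
     * @return the signature that matches the one presented by the client, or, when
     *         none matches, the signature computed for {@code instant} itself
     */
    public String computeSignatureDigest(String str, Instant instant) {
        final byte[] presented = this.signatureDigest.getBytes(StandardCharsets.UTF_8);
        String firstCandidate = null;
        Instant signDate = instant;
        for (int day = 0; day < SIGNING_KEY_DAY_WINDOW; day++) {
            final String candidate = this.builder.signingKey(this.builder.computeSigningKey(signDate, str)).buildSignature();
            // Compare in constant time: String.equals stops at the first differing
            // character, which makes the comparison time depend on how much of the
            // presented signature is correct.
            if (MessageDigest.isEqual(candidate.getBytes(StandardCharsets.UTF_8), presented)) {
                return candidate;
            }
            if (firstCandidate == null) {
                firstCandidate = candidate;
            }
            signDate = signDate.minus(1L, ChronoUnit.DAYS);
        }
        // NOTE(review): callers that compare this result with getSignatureDigest()
        // should also use a constant-time comparison; they are outside this class.
        return firstCandidate;
    }

    /**
     * Configures the signature builder from the request: method, path, parameters,
     * signed headers and the content SHA-256.
     *
     * @param securityHttpServletRequestWrapper the request being authenticated
     * @throws IOException if reading the request content fails
     */
    private void setupBuilder(SecurityHttpServletRequestWrapper securityHttpServletRequestWrapper) throws IOException {
        this.builder.method(securityHttpServletRequestWrapper.getMethod());
        this.builder.path(securityHttpServletRequestWrapper.getRequestURI());
        this.builder.parameterMap(securityHttpServletRequestWrapper.getParameterMap());
        setupBuilderHeaders(securityHttpServletRequestWrapper);
        this.builder.signedHttpHeaders(this.signedHeaderNames);
        this.builder.contentSha256(securityHttpServletRequestWrapper.getContentSHA256());
        if (log.isDebugEnabled()) {
            // The canonical request is built from the method, path, parameters and
            // signed header values set above, so debug logging records them.
            log.debug("Canonical req data:\n{}", this.builder.computeCanonicalRequestMessage());
            log.debug("Signature data:\n{}", getSignatureData());
        }
    }

    /**
     * Adds the value of every signed header to the builder, resolving the value to
     * use for {@code host}.
     *
     * <p>
     * For {@code host} without an explicit override: an empty header falls back to
     * the server name (plus the server port unless it is 80); a header without a
     * port gets one appended from {@code X-Forwarded-Port}, or 443 when
     * {@code X-Forwarded-Proto} is {@code https}, unless that port is 80.
     * </p>
     *
     * @param httpServletRequest the request to read header values from
     */
    private void setupBuilderHeaders(HttpServletRequest httpServletRequest) {
        for (String name : this.sortedSignedHeaderNames) {
            String value = nullSafeHeaderValue(httpServletRequest, name).trim();
            final boolean isHost = HOST_HEADER.equals(name);
            if (isHost && this.explicitHost != null) {
                log.trace("Replacing host header [{}] with explicit value {}", value, this.explicitHost);
                value = this.explicitHost;
            }
            log.trace("Signed req header: {}: {}", name, value);
            if (isHost && this.explicitHost == null) {
                if (value.isEmpty()) {
                    value = httpServletRequest.getServerName();
                    if (value != null) {
                        final int serverPort = httpServletRequest.getServerPort();
                        if (serverPort != 80) {
                            value = value + ":" + serverPort;
                        }
                    }
                } else if (value.indexOf(":") < 0) {
                    // NOTE(review): the X-Forwarded-* headers are read here whether or
                    // not they are signed, so their values come from the client unless
                    // a fronting proxy overwrites them. Confirm that deployments strip
                    // or set these headers at the proxy.
                    String forwardedPort = nullSafeHeaderValue(httpServletRequest, "X-Forwarded-Port").trim();
                    log.trace("X-Forwarded-Port header: {}", forwardedPort);
                    if (forwardedPort.isEmpty()) {
                        final String forwardedProto = nullSafeHeaderValue(httpServletRequest, "X-Forwarded-Proto").trim().toLowerCase(Locale.ROOT);
                        log.trace("X-Forwarded-Proto header: {}", forwardedProto);
                        if ("https".equals(forwardedProto)) {
                            forwardedPort = "443";
                        }
                    }
                    if (!forwardedPort.isEmpty() && !"80".equals(forwardedPort)) {
                        value = value + ":" + forwardedPort;
                    }
                }
            }
            this.builder.header(name, new String[] { value });
        }
    }

    /**
     * Verifies that {@code SignedHeaders} covers every header that must be signed.
     *
     * <p>
     * {@code host} and one of the date headers are always required. In addition,
     * every request header that starts with {@link WebConstants#HEADER_PREFIX} or is
     * one of {@code content-type}, {@code content-md5} or {@code digest} must be
     * listed. Names in {@code SignedHeaders} are matched as given, against
     * lower-case names, so they must be supplied in lower case.
     * </p>
     *
     * @param securityHttpServletRequestWrapper the request being authenticated
     * @throws BadCredentialsException if a required header is not listed
     */
    private void validateSignedHeaderNames(SecurityHttpServletRequestWrapper securityHttpServletRequestWrapper) {
        if (!this.signedHeaderNames.contains(HOST_HEADER)) {
            throw new BadCredentialsException("The 'Host' HTTP header must be included in SignedHeaders");
        }
        final boolean hasCustomDate = this.signedHeaderNames.contains(WebConstants.HEADER_DATE.toLowerCase(Locale.ROOT));
        if (!hasCustomDate && !this.signedHeaderNames.contains("date")) {
            throw new BadCredentialsException("One of the 'Date' or 'X-SN-Date' HTTP headers must be included in SignedHeaders");
        }
        final String prefix = WebConstants.HEADER_PREFIX.toLowerCase(Locale.ROOT);
        final Enumeration<String> headerNames = securityHttpServletRequestWrapper.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            // Locale.ROOT keeps the lower-casing stable, so a header such as "DIGEST"
            // always normalises to "digest" and cannot slip past this check under a
            // locale with different case rules.
            final String name = headerNames.nextElement().toLowerCase(Locale.ROOT);
            final boolean mustBeSigned = name.startsWith(prefix) || name.equals("content-type")
                    || name.equals("content-md5") || name.equals("digest");
            if (mustBeSigned && !this.signedHeaderNames.contains(name)) {
                throw new BadCredentialsException("The '" + name + "' HTTP header must be included in SignedHeaders");
            }
        }
    }

    /**
     * Returns the token identifier from the {@code Credential} component.
     *
     * @return the token identifier, never {@code null}
     */
    @Override
    public String getAuthTokenId() {
        return this.authTokenId;
    }

    /**
     * Returns the signature presented by the client in the {@code Signature}
     * component.
     *
     * @return the presented signature, never {@code null}
     */
    @Override
    public String getSignatureDigest() {
        return this.signatureDigest;
    }

    /**
     * Returns the data that is signed, computed by the builder from the request date
     * and the canonical request message.
     *
     * @return the signature data
     */
    @Override
    public String getSignatureData() {
        return this.builder.computeSignatureData(getDate(), this.builder.computeCanonicalRequestMessage());
    }

    /**
     * Returns the header names from the {@code SignedHeaders} component, as supplied
     * by the client.
     *
     * @return the signed header names
     */
    public Set<String> getSignedHeaderNames() {
        return this.signedHeaderNames;
    }
}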
