package org.apache.tomee.microprofile.jwt;

import jakarta.enterprise.inject.Instance;
import jakarta.enterprise.inject.spi.DeploymentException;
import jakarta.inject.Inject;
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.ExceptionMapper;
import jakarta.ws.rs.ext.Provider;
import java.io.IOException;
import java.security.Key;
import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.Callable;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.security.auth.Subject;
import org.apache.catalina.connector.Request;
import org.apache.openejb.loader.SystemInstance;
import org.apache.openejb.spi.SecurityService;
import org.apache.openejb.util.Logger;
import org.apache.tomee.catalina.OpenEJBSecurityListener;
import org.apache.tomee.catalina.TomcatSecurityService;
import org.apache.tomee.microprofile.jwt.bval.ValidationInterceptor;
import org.apache.tomee.microprofile.jwt.config.JWTAuthConfiguration;
import org.apache.tomee.microprofile.jwt.config.JWTAuthConfigurationProperties;
import org.apache.tomee.microprofile.jwt.principal.JWTCallerPrincipal;
import org.eclipse.microprofile.jwt.Claims;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.keys.resolvers.JwksDecryptionKeyResolver;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.lang.JoseException;

/* loaded from: input_file:lib/mp-jwt-9.0.0.RC1.jar:org/apache/tomee/microprofile/jwt/MPJWTFilter.class */
public class MPJWTFilter implements Filter {
    private static final Logger VALIDATION = Logger.getInstance(JWTLogCategories.VALIDATION, MPJWTFilter.class);

    @Inject
    private Instance<JWTAuthConfiguration> authContextInfo;

    @Inject
    private JWTAuthConfigurationProperties jwtAuthConfigurationProperties;

    /* loaded from: input_file:lib/mp-jwt-9.0.0.RC1.jar:org/apache/tomee/microprofile/jwt/MPJWTFilter$BadAuthorizationPrefixException.class */
    private static class BadAuthorizationPrefixException extends MPJWTException {
        private final String authorizationHeader;

        public BadAuthorizationPrefixException(String str) {
            this.authorizationHeader = str;
        }

        @Override // org.apache.tomee.microprofile.jwt.MPJWTFilter.MPJWTException
        public int getStatus() {
            return 401;
        }

        @Override // org.apache.tomee.microprofile.jwt.MPJWTFilter.MPJWTException, java.lang.Throwable
        public String getMessage() {
            return "Authorization header does not use the Bearer prefix. Can't validate header " + this.authorizationHeader;
        }
    }

    /* loaded from: input_file:lib/mp-jwt-9.0.0.RC1.jar:org/apache/tomee/microprofile/jwt/MPJWTFilter$InvalidTokenException.class */
    private static class InvalidTokenException extends MPJWTException {
        private final String token;

        public InvalidTokenException(String str, Throwable th) {
            super(th);
            this.token = str;
        }

        @Override // org.apache.tomee.microprofile.jwt.MPJWTFilter.MPJWTException
        public int getStatus() {
            return 401;
        }

        @Override // org.apache.tomee.microprofile.jwt.MPJWTFilter.MPJWTException, java.lang.Throwable
        public String getMessage() {
            return "Invalid or not parsable JWT " + this.token;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/mp-jwt-9.0.0.RC1.jar:org/apache/tomee/microprofile/jwt/MPJWTFilter$MPJWTException.class */
    public static abstract class MPJWTException extends RuntimeException {
        public MPJWTException() {
        }

        public MPJWTException(Throwable th) {
            super(th);
        }

        public abstract int getStatus();

        @Override // java.lang.Throwable
        public abstract String getMessage();
    }

    @Provider
    /* loaded from: input_file:lib/mp-jwt-9.0.0.RC1.jar:org/apache/tomee/microprofile/jwt/MPJWTFilter$MPJWTExceptionMapper.class */
    public static class MPJWTExceptionMapper implements ExceptionMapper<MPJWTException> {
        @Override // jakarta.ws.rs.ext.ExceptionMapper
        public Response toResponse(MPJWTException mPJWTException) {
            return Response.status(mPJWTException.getStatus()).entity(mPJWTException.getMessage()).build();
        }
    }

    /* loaded from: input_file:lib/mp-jwt-9.0.0.RC1.jar:org/apache/tomee/microprofile/jwt/MPJWTFilter$MPJWTServletRequestWrapper.class */
    public static class MPJWTServletRequestWrapper extends HttpServletRequestWrapper {
        private final Function<HttpServletRequest, JsonWebToken> tokenFunction;
        private final HttpServletRequest request;

        public MPJWTServletRequestWrapper(final HttpServletRequest httpServletRequest, JWTAuthConfiguration jWTAuthConfiguration) {
            super(httpServletRequest);
            this.request = httpServletRequest;
            this.tokenFunction = MPJWTFilter.token(httpServletRequest, jWTAuthConfiguration);
            Supplier supplier = () -> {
                return this.tokenFunction.apply(httpServletRequest);
            };
            httpServletRequest.setAttribute(JsonWebToken.class.getName(), this.tokenFunction);
            httpServletRequest.setAttribute(ValidationInterceptor.JWT_SUPPLIER, supplier);
            httpServletRequest.setAttribute("javax.security.auth.subject.callable", new Callable<Subject>() { // from class: org.apache.tomee.microprofile.jwt.MPJWTFilter.MPJWTServletRequestWrapper.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.util.concurrent.Callable
                public Subject call() throws Exception {
                    LinkedHashSet linkedHashSet = new LinkedHashSet();
                    JsonWebToken apply = MPJWTServletRequestWrapper.this.tokenFunction.apply(httpServletRequest);
                    linkedHashSet.add(apply);
                    linkedHashSet.addAll((Collection) apply.getGroups().stream().map(str -> {
                        return () -> {
                            return str;
                        };
                    }).collect(Collectors.toList()));
                    return new Subject(true, linkedHashSet, Collections.emptySet(), Collections.emptySet());
                }
            });
        }

        @Override // jakarta.servlet.http.HttpServletRequestWrapper, jakarta.servlet.http.HttpServletRequest
        public Principal getUserPrincipal() {
            return this.tokenFunction.apply(this.request);
        }

        @Override // jakarta.servlet.http.HttpServletRequestWrapper, jakarta.servlet.http.HttpServletRequest
        public boolean isUserInRole(String str) {
            return this.tokenFunction.apply(this.request).getGroups().contains(str);
        }

        @Override // jakarta.servlet.http.HttpServletRequestWrapper, jakarta.servlet.http.HttpServletRequest
        public String getAuthType() {
            return "MP-JWT";
        }
    }

    /* loaded from: input_file:lib/mp-jwt-9.0.0.RC1.jar:org/apache/tomee/microprofile/jwt/MPJWTFilter$MissingAuthorizationHeaderException.class */
    private static class MissingAuthorizationHeaderException extends MPJWTException {
        private MissingAuthorizationHeaderException() {
        }

        @Override // org.apache.tomee.microprofile.jwt.MPJWTFilter.MPJWTException
        public int getStatus() {
            return 401;
        }

        @Override // org.apache.tomee.microprofile.jwt.MPJWTFilter.MPJWTException, java.lang.Throwable
        public String getMessage() {
            return "No authorization header provided. Can't validate the JWT.";
        }
    }

    /* loaded from: input_file:lib/mp-jwt-9.0.0.RC1.jar:org/apache/tomee/microprofile/jwt/MPJWTFilter$MissingTokenCookieException.class */
    private static class MissingTokenCookieException extends MPJWTException {
        private final String cookieName;

        public MissingTokenCookieException(String str) {
            this.cookieName = str;
        }

        @Override // org.apache.tomee.microprofile.jwt.MPJWTFilter.MPJWTException
        public int getStatus() {
            return 401;
        }

        @Override // org.apache.tomee.microprofile.jwt.MPJWTFilter.MPJWTException, java.lang.Throwable
        public String getMessage() {
            return String.format("Cookie of name '%s' holding a JWT was not found.", this.cookieName);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/mp-jwt-9.0.0.RC1.jar:org/apache/tomee/microprofile/jwt/MPJWTFilter$NoPrivateKeysException.class */
    public static class NoPrivateKeysException extends MPJWTException {
        public NoPrivateKeysException(Throwable th) {
            super(th);
        }

        @Override // org.apache.tomee.microprofile.jwt.MPJWTFilter.MPJWTException
        public int getStatus() {
            return 401;
        }

        @Override // org.apache.tomee.microprofile.jwt.MPJWTFilter.MPJWTException, java.lang.Throwable
        public String getMessage() {
            return "No private keys available. Cannot validate JWT. " + getCause().getMessage();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/mp-jwt-9.0.0.RC1.jar:org/apache/tomee/microprofile/jwt/MPJWTFilter$NoPublicKeysException.class */
    public static class NoPublicKeysException extends MPJWTException {
        public NoPublicKeysException(Throwable th) {
            super(th);
        }

        @Override // org.apache.tomee.microprofile.jwt.MPJWTFilter.MPJWTException
        public int getStatus() {
            return 401;
        }

        @Override // org.apache.tomee.microprofile.jwt.MPJWTFilter.MPJWTException, java.lang.Throwable
        public String getMessage() {
            return "No public keys available. Cannot validate JWT. " + getCause().getMessage();
        }
    }

    /* loaded from: input_file:lib/mp-jwt-9.0.0.RC1.jar:org/apache/tomee/microprofile/jwt/MPJWTFilter$ValidateJSonWebToken.class */
    public static class ValidateJSonWebToken {
        private final HttpServletRequest httpServletRequest;
        private final JWTAuthConfiguration jwtAuthConfiguration;
        private JsonWebToken jsonWebToken;

        public ValidateJSonWebToken(HttpServletRequest httpServletRequest, JWTAuthConfiguration jWTAuthConfiguration) {
            this.httpServletRequest = httpServletRequest;
            this.jwtAuthConfiguration = jWTAuthConfiguration;
        }

        public JsonWebToken validate(HttpServletRequest httpServletRequest) {
            String substring;
            if (this.jsonWebToken != null) {
                return this.jsonWebToken;
            }
            String headerName = this.jwtAuthConfiguration.getHeaderName();
            if ("cookie".equals(headerName)) {
                String cookieName = this.jwtAuthConfiguration.getCookieName();
                if (this.httpServletRequest.getCookies() == null) {
                    throw new MissingTokenCookieException(cookieName);
                }
                Cookie cookie = (Cookie) Stream.of((Object[]) this.httpServletRequest.getCookies()).filter(cookie2 -> {
                    return cookieName.equals(cookie2.getName().toLowerCase());
                }).findFirst().orElse(null);
                if (cookie == null) {
                    throw new MissingTokenCookieException(cookieName);
                }
                substring = cookie.getValue();
            } else {
                String header = this.httpServletRequest.getHeader(headerName);
                if (header == null || header.isEmpty()) {
                    throw new MissingAuthorizationHeaderException();
                }
                String lowerCase = (this.jwtAuthConfiguration.getHeaderScheme() + " ").toLowerCase(Locale.ENGLISH);
                if (lowerCase.trim().length() > 0 && !header.toLowerCase(Locale.ENGLISH).startsWith(lowerCase)) {
                    throw new BadAuthorizationPrefixException(header);
                }
                substring = header.substring(lowerCase.length());
            }
            try {
                this.jsonWebToken = parse(substring, this.jwtAuthConfiguration);
                SecurityService securityService = (SecurityService) SystemInstance.get().getComponent(SecurityService.class);
                if (TomcatSecurityService.class.isInstance(securityService)) {
                    TomcatSecurityService tomcatSecurityService = (TomcatSecurityService) TomcatSecurityService.class.cast(securityService);
                    Request request = OpenEJBSecurityListener.requests.get();
                    httpServletRequest.setAttribute("MP_JWT_PRE_LOGIN_STATE", tomcatSecurityService.enterWebApp(request.getWrapper().getRealm(), this.jsonWebToken, request.getWrapper().getRunAs()));
                }
                return this.jsonWebToken;
            } catch (ParseException e) {
                throw new InvalidTokenException(substring, e);
            }
        }

        public static JWTCallerPrincipal parse(String str, JWTAuthConfiguration jWTAuthConfiguration) throws ParseException {
            try {
                JwtConsumerBuilder requireSubject = new JwtConsumerBuilder().setRelaxVerificationKeyValidation().setRelaxDecryptionKeyValidation().setRequireSubject();
                if (jWTAuthConfiguration.getSignatureAlgorithm() != null) {
                    requireSubject.setJwsAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, jWTAuthConfiguration.getSignatureAlgorithm()));
                } else {
                    requireSubject.setJwsAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"));
                }
                if (jWTAuthConfiguration.getDecryptAlgorithm() != null) {
                    requireSubject.setJweAlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, jWTAuthConfiguration.getDecryptAlgorithm());
                } else {
                    requireSubject.setJweAlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, "RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW");
                }
                if (jWTAuthConfiguration.getAudiences().length > 0) {
                    requireSubject.setExpectedAudience(true, jWTAuthConfiguration.getAudiences());
                } else {
                    requireSubject.setSkipDefaultAudienceValidation();
                }
                if (!jWTAuthConfiguration.isAllowNoExpiryClaim()) {
                    requireSubject.setRequireExpirationTime();
                }
                if (jWTAuthConfiguration.getIssuer() != null) {
                    requireSubject.setExpectedIssuer(jWTAuthConfiguration.getIssuer());
                }
                if (jWTAuthConfiguration.getExpGracePeriodSecs() > 0) {
                    requireSubject.setAllowedClockSkewInSeconds(jWTAuthConfiguration.getExpGracePeriodSecs());
                } else {
                    requireSubject.setEvaluationTime(NumericDate.fromSeconds(0L));
                }
                try {
                    Map<String, Key> publicKeys = jWTAuthConfiguration.getPublicKeys();
                    if (publicKeys.size() == 1) {
                        requireSubject.setVerificationKey(publicKeys.values().iterator().next());
                    } else if (publicKeys.size() > 1) {
                        requireSubject.setVerificationKeyResolver(new JwksVerificationKeyResolver(asJwks(publicKeys)));
                    }
                    try {
                        Map<String, Key> decryptKeys = jWTAuthConfiguration.getDecryptKeys();
                        if (decryptKeys.size() == 1) {
                            requireSubject.setDecryptionKey(decryptKeys.values().iterator().next());
                            requireSubject.setEnableRequireEncryption();
                        } else if (decryptKeys.size() > 1) {
                            requireSubject.setDecryptionKeyResolver(new JwksDecryptionKeyResolver(asJwks(decryptKeys)));
                            requireSubject.setEnableRequireEncryption();
                        }
                        JwtConsumer build = requireSubject.build();
                        JwtContext process = build.process(str);
                        String header = process.getJoseObjects().get(0).getHeader("typ");
                        build.processContext(process);
                        JwtClaims jwtClaims = process.getJwtClaims();
                        String str2 = (String) jwtClaims.getClaimValue("upn", String.class);
                        if (str2 == null) {
                            str2 = (String) jwtClaims.getClaimValue("preferred_username", String.class);
                            if (str2 == null) {
                                str2 = jwtClaims.getSubject();
                            }
                        }
                        jwtClaims.setClaim(Claims.raw_token.name(), str);
                        return new JWTCallerPrincipal(str, header, jwtClaims, str2);
                    } catch (Exception e) {
                        throw new NoPrivateKeysException(e);
                    }
                } catch (Exception e2) {
                    throw new NoPublicKeysException(e2);
                }
            } catch (NoPrivateKeysException e3) {
                MPJWTFilter.VALIDATION.error(e3.getMessage());
                throw e3;
            } catch (NoPublicKeysException e4) {
                MPJWTFilter.VALIDATION.error(e4.getMessage());
                throw e4;
            } catch (MalformedClaimException e5) {
                MPJWTFilter.VALIDATION.warning(e5.getMessage());
                throw new ParseException("Failed to verify token claims", e5);
            } catch (InvalidJwtException e6) {
                MPJWTFilter.VALIDATION.warning(e6.getMessage());
                throw new ParseException("Failed to verify token", e6);
            }
        }

        public static List<JsonWebKey> asJwks(Map<String, Key> map) {
            return (List) map.entrySet().stream().map(entry -> {
                try {
                    JsonWebKey newJwk = JsonWebKey.Factory.newJwk((Key) entry.getValue());
                    newJwk.setKeyId((String) entry.getKey());
                    return newJwk;
                } catch (JoseException e) {
                    throw new DeploymentException(e);
                }
            }).collect(Collectors.toList());
        }
    }

    @Override // jakarta.servlet.Filter
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override // jakarta.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        Optional<JWTAuthConfiguration> authContextInfo = getAuthContextInfo();
        if (!authContextInfo.isPresent()) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        try {
            filterChain.doFilter(new MPJWTServletRequestWrapper((HttpServletRequest) servletRequest, authContextInfo.get()), servletResponse);
            Object attribute = servletRequest.getAttribute("MP_JWT_PRE_LOGIN_STATE");
            SecurityService securityService = (SecurityService) SystemInstance.get().getComponent(SecurityService.class);
            if (TomcatSecurityService.class.isInstance(securityService) && attribute != null) {
                ((TomcatSecurityService) TomcatSecurityService.class.cast(securityService)).exitWebApp(attribute);
            }
        } catch (Exception e) {
            if (MPJWTException.class.isInstance(e)) {
                MPJWTException mPJWTException = (MPJWTException) MPJWTException.class.cast(e);
                ((HttpServletResponse) HttpServletResponse.class.cast(servletResponse)).sendError(mPJWTException.getStatus(), mPJWTException.getMessage());
            } else {
                if (!MPJWTException.class.isInstance(e.getCause())) {
                    throw e;
                }
                MPJWTException mPJWTException2 = (MPJWTException) MPJWTException.class.cast(e.getCause());
                ((HttpServletResponse) HttpServletResponse.class.cast(servletResponse)).sendError(mPJWTException2.getStatus(), mPJWTException2.getMessage());
            }
        }
    }

    @Override // jakarta.servlet.Filter
    public void destroy() {
    }

    private Optional<JWTAuthConfiguration> getAuthContextInfo() {
        return !this.authContextInfo.isUnsatisfied() ? Optional.of(this.authContextInfo.get()) : this.jwtAuthConfigurationProperties.getJWTAuthConfiguration();
    }

    private static Function<HttpServletRequest, JsonWebToken> token(HttpServletRequest httpServletRequest, JWTAuthConfiguration jWTAuthConfiguration) {
        ValidateJSonWebToken validateJSonWebToken = new ValidateJSonWebToken(httpServletRequest, jWTAuthConfiguration);
        return validateJSonWebToken::validate;
    }
}
