package eu.europeana.api.commons.service.authorization;

import eu.europeana.api.commons.definitions.exception.ApiWriteLockException;
import eu.europeana.api.commons.definitions.vocabulary.Role;
import eu.europeana.api.commons.exception.ApiKeyExtractionException;
import eu.europeana.api.commons.exception.AuthorizationExtractionException;
import eu.europeana.api.commons.nosql.service.ApiWriteLockService;
import eu.europeana.api.commons.oauth2.utils.OAuthUtils;
import eu.europeana.api.commons.web.exception.ApplicationAuthenticationException;
import eu.europeana.api.commons.web.model.vocabulary.Operations;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.jwt.crypto.sign.RsaVerifier;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;

/* loaded from: input_file:eu/europeana/api/commons/service/authorization/BaseAuthorizationService.class */
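/**
 * Template for the per-API authorization services.
 *
 * <p>Read access is granted either by API key (no {@code Bearer} header) or by a JWT token;
 * write access always requires a JWT whose resource-access claims are checked against the
 * permissions of the {@link Role}s the subclass resolves via {@link #getRoleByName(String)}.
 * A global write lock, consulted through {@link #getApiWriteLockService()}, can block all
 * write operations except the maintenance ones listed by {@link #getMaintenanceOperations()}.
 *
 * <p>Subclasses supply the API name, the JWT signature key, the client-details (API key)
 * service, the write-lock service and the role lookup.
 */
public abstract class BaseAuthorizationService implements AuthorizationService {

    /** Name of the global write lock consulted by {@link #checkWriteLockInEffect(String)}. */
    private static final String WRITE_LOCK_NAME = "lockWriteOperations";

    /** Built lazily from {@link #getSignatureKey()}; see {@link #getSignatureVerifier()}. */
    RsaVerifier signatureVerifier;

    private final Logger log = LogManager.getLogger(getClass());

    /** @return the logger of the concrete service class */
    public Logger getLog() {
        return this.log;
    }

    /**
     * Returns the RSA verifier used to check JWT signatures, creating it on first use from
     * {@link #getSignatureKey()}.
     *
     * <p>Not synchronized: concurrent first calls may each build a verifier and the last one
     * written wins. This is harmless as long as the signature key does not change at runtime.
     *
     * @return the verifier, never {@code null} once the constructor has succeeded
     */
    protected RsaVerifier getSignatureVerifier() {
        if (this.signatureVerifier == null) {
            this.signatureVerifier = new RsaVerifier(getSignatureKey());
        }
        return this.signatureVerifier;
    }

    /**
     * Authorizes a read request: a {@code Bearer} {@code Authorization} header selects JWT
     * authorization, anything else falls back to API-key authorization.
     *
     * <p>The header check is case-sensitive and only looks at the {@code Bearer} prefix.
     *
     * @param httpServletRequest the incoming request
     * @return the resulting authentication; may be {@code null} for a JWT without a
     *     {@code sub} claim (see {@link #authorizeReadByJwtToken(HttpServletRequest)})
     * @throws ApplicationAuthenticationException if the credentials are missing or invalid
     */
    @Override
    public Authentication authorizeReadAccess(HttpServletRequest httpServletRequest)
            throws ApplicationAuthenticationException {
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer")) {
            return authorizeReadByApiKey(httpServletRequest);
        }
        return authorizeReadByJwtToken(httpServletRequest);
    }

    /**
     * Authorizes a read request by API key: the key must be present and known to the client
     * details service.
     *
     * @param httpServletRequest the incoming request
     * @return a read-only authentication token for the key
     * @throws ApplicationAuthenticationException if the key is empty, cannot be extracted, or
     *     is rejected by the client details service
     */
    private Authentication authorizeReadByApiKey(HttpServletRequest httpServletRequest)
            throws ApplicationAuthenticationException {
        try {
            String apiKey = OAuthUtils.extractApiKey(httpServletRequest);
            if (StringUtils.isEmpty(apiKey)) {
                throw new ApplicationAuthenticationException("error.empty_apikey", "error.empty_apikey", null);
            }
            try {
                getClientDetailsService().loadClientByClientId(apiKey);
            } catch (ClientRegistrationException e) {
                throw new ApplicationAuthenticationException("error.invalid_apikey", "error.invalid_apikey", new String[]{apiKey}, HttpStatus.UNAUTHORIZED, e);
            } catch (OAuth2Exception e2) {
                // Deliberate fail-open: an outage of the API key service must not take the read
                // API down, so the key is accepted without validation.
                // NOTE(review): this log line writes the caller's API key (a credential) to the
                // log at INFO level; consider logging a masked form instead.
                getLog().info("Invocation of API Key Service failed. Silently approve apikey: " + apiKey, e2);
            }
            return OAuthUtils.buildReadOnlyAuthenticationToken(getApiName(), apiKey);
        } catch (ApiKeyExtractionException | AuthorizationExtractionException e3) {
            throw new ApplicationAuthenticationException("error.invalid_apikey", "error.invalid_apikey", new String[]{e3.getMessage()}, HttpStatus.UNAUTHORIZED, e3);
        }
    }

    /**
     * Authorizes a read request by JWT: the token signature is verified, the API key claim must
     * be present, and if a {@code sub} claim exists the resource-access claims are turned into
     * an authentication (falling back to a read-only token when none apply).
     *
     * @param httpServletRequest the incoming request
     * @return the first authentication derived from the token's resource-access claims, a
     *     read-only token if there are none, or {@code null} when the token has no {@code sub}
     *     claim at all — callers should be prepared for the {@code null}
     * @throws ApplicationAuthenticationException if the token is invalid or lacks an API key
     */
    private Authentication authorizeReadByJwtToken(HttpServletRequest httpServletRequest)
            throws ApplicationAuthenticationException {
        Authentication authentication = null;
        try {
            // Raw Map kept: the OAuthUtils signature is not visible from this file.
            Map customData = OAuthUtils.extractCustomData(httpServletRequest, getSignatureVerifier(), getApiName());
            String apiKey = OAuthUtils.extractApiKey(customData);
            if (apiKey == null) {
                throw new ApplicationAuthenticationException("error.missing_apikey", "error.missing_apikey", null, HttpStatus.UNAUTHORIZED, null);
            }
            if (customData.containsKey("sub")) {
                List<Authentication> authentications = new ArrayList<>();
                // false: read access does not require a matching resource-access claim
                OAuthUtils.processResourceAccessClaims(getApiName(), customData, authentications, false);
                if (authentications.isEmpty()) {
                    authentication = OAuthUtils.buildReadOnlyAuthenticationToken(getApiName(), customData, apiKey);
                } else {
                    authentication = authentications.get(0);
                }
            }
            return authentication;
        } catch (ApiKeyExtractionException | AuthorizationExtractionException e) {
            throw new ApplicationAuthenticationException("error.invalid_jwttoken", "error.invalid_jwttoken", new String[]{e.getMessage()}, HttpStatus.UNAUTHORIZED, e);
        }
    }

    /**
     * Authorizes a write request for the given operation; see
     * {@link #authorizeOperation(HttpServletRequest, String)}.
     *
     * @param httpServletRequest the incoming request
     * @param str the operation name
     * @return the authentication that grants the operation
     * @throws ApplicationAuthenticationException if the operation is not authorized
     */
    @Override
    public Authentication authorizeWriteAccess(HttpServletRequest httpServletRequest, String str)
            throws ApplicationAuthenticationException {
        return authorizeOperation(httpServletRequest, str);
    }

    /**
     * Verifies the request's JWT and, when resource-access verification is required for the
     * operation, checks that one of the token's authentications grants it.
     *
     * @param httpServletRequest the incoming request
     * @param str the operation name
     * @return the authentication granting the operation (the token's first authentication when
     *     no resource-access verification is required)
     * @throws ApplicationAuthenticationException with status 500 if no signature key is
     *     configured, 401 if the token or API key cannot be extracted, 403 if the token grants
     *     no access
     */
    private Authentication authorizeOperation(HttpServletRequest httpServletRequest, String str)
            throws ApplicationAuthenticationException {
        // Check the configured key itself: getSignatureVerifier() builds a verifier on demand,
        // so with a missing key the verifier-null check alone never fires and the RsaVerifier
        // constructor would be attempted with a null key instead of raising the intended 500.
        if (StringUtils.isEmpty(getSignatureKey()) || getSignatureVerifier() == null) {
            throw new ApplicationAuthenticationException("error.operation_not_authorized", "error.operation_not_authorized", new String[]{"No signature key configured for verification of JWT Token"}, HttpStatus.INTERNAL_SERVER_ERROR);
        }
        boolean verificationRequired = isResourceAccessVerificationRequired(str);
        try {
            List<? extends Authentication> authentications = OAuthUtils.processJwtToken(httpServletRequest, getSignatureVerifier(), getApiName(), verificationRequired);
            if (authentications == null || authentications.isEmpty()) {
                throw new ApplicationAuthenticationException("error.operation_not_authorized", "error.operation_not_authorized", new String[]{"Invalid token or ApiKey, resource access not granted!"}, HttpStatus.FORBIDDEN);
            }
            if (verificationRequired) {
                return checkPermissions(authentications, getApiName(), str);
            }
            return authentications.get(0);
        } catch (ApiKeyExtractionException | AuthorizationExtractionException e) {
            throw new ApplicationAuthenticationException("error.operation_not_authorized", "error.operation_not_authorized", new String[]{"Invalid token or ApiKey"}, HttpStatus.UNAUTHORIZED, e);
        }
    }

    /**
     * Finds the first authentication that belongs to the given API and whose authorities grant
     * the operation.
     *
     * @param list the candidate authentications; may be {@code null} or empty
     * @param str the API name an authentication's details must equal
     * @param str2 the operation name
     * @return the granting authentication, or {@code null} if the list is empty and the
     *     operation needs no resource-access verification
     * @throws ApplicationAuthenticationException with status 403 if no candidate grants the
     *     operation (or none were supplied while verification is required)
     */
    protected Authentication checkPermissions(List<? extends Authentication> list, String str, String str2)
            throws ApplicationAuthenticationException {
        if (list == null || list.isEmpty()) {
            if (isResourceAccessVerificationRequired(str2)) {
                throw new ApplicationAuthenticationException("error.operation_not_authorized", "error.operation_not_authorized", new String[]{"No or invalid authorization provided"}, HttpStatus.FORBIDDEN);
            }
            return null;
        }
        for (Authentication authentication : list) {
            // getAuthorities() is only guaranteed to be a Collection, not a List, so it is
            // consumed as a Collection instead of being cast.
            Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
            if (str.equals(authentication.getDetails()) && isOperationAuthorized(str2, authorities)) {
                return authentication;
            }
        }
        throw new ApplicationAuthenticationException("error.operation_not_authorized", "error.operation_not_authorized", new String[]{"Operation not permitted or not GrantedAuthority found for operation:" + str2}, HttpStatus.FORBIDDEN);
    }

    /**
     * Checks that a single authentication grants the operation for this API.
     *
     * @param authentication the authentication to check; must not be {@code null}
     * @param str the operation name
     * @return the authentication if it grants the operation
     * @throws ApplicationAuthenticationException with status 403 if it does not
     * @throws NullPointerException if {@code authentication} is {@code null}
     */
    public Authentication checkPermissions(Authentication authentication, String str)
            throws ApplicationAuthenticationException {
        return checkPermissions(List.of(authentication), getApiName(), str);
    }

    /**
     * Tells whether any of the authorities maps to a {@link Role} whose permissions include the
     * operation. Operations that need no resource-access verification are always authorized.
     *
     * @param str the operation name
     * @param authorities the granted authorities to inspect
     * @return {@code true} if the operation is authorized
     */
    private boolean isOperationAuthorized(String str, Collection<? extends GrantedAuthority> authorities) {
        if (!isResourceAccessVerificationRequired(str)) {
            return true;
        }
        for (GrantedAuthority authority : authorities) {
            Role role = getRoleByName(authority.getAuthority());
            // Unknown roles and roles without a permission list grant nothing.
            if (role != null && role.getPermissions() != null
                    && Arrays.asList(role.getPermissions()).contains(str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Whether the operation requires the token to carry a matching resource-access claim.
     * Defaults to {@code true} for every operation; subclasses may relax this.
     *
     * @param str the operation name
     * @return {@code true} by default
     */
    protected boolean isResourceAccessVerificationRequired(String str) {
        return true;
    }

    /**
     * Rejects the operation while the global write lock is active, unless it is a maintenance
     * operation.
     *
     * @param str the operation name
     * @throws ApplicationAuthenticationException with status 423 if the lock is active, or if
     *     the lock state cannot be read (the lock is then assumed to be in effect)
     */
    @Override
    public void checkWriteLockInEffect(String str) throws ApplicationAuthenticationException {
        try {
            boolean locked = getApiWriteLockService().getLastActiveLock(WRITE_LOCK_NAME) != null;
            if (locked && !isMaintenanceOperation(str)) {
                throw new ApplicationAuthenticationException("error.userset_lock_maintenance", "error.userset_lock_maintenance", null, HttpStatus.LOCKED, null);
            }
        } catch (ApiWriteLockException e) {
            // Fail closed: an unreadable lock state is treated as locked.
            throw new ApplicationAuthenticationException("error.userset_lock_maintenance", "error.userset_lock_maintenance", null, HttpStatus.LOCKED, e);
        }
    }

    /**
     * @param str the operation name
     * @return {@code true} if the operation is allowed while the write lock is active
     */
    protected boolean isMaintenanceOperation(String str) {
        return getMaintenanceOperations().contains(str);
    }

    /** @return the operations exempt from the write lock; by default only the unlock itself */
    protected Set<String> getMaintenanceOperations() {
        return Set.of(Operations.WRITE_UNLOCK);
    }

    /** @return the service holding the global write lock */
    protected abstract ApiWriteLockService getApiWriteLockService();

    /**
     * @param str the authority name as carried by a {@link GrantedAuthority}
     * @return the matching role, or {@code null} if the name is unknown
     */
    protected abstract Role getRoleByName(String str);

    /** @return the key used to verify JWT signatures; {@code null} or empty if not configured */
    protected abstract String getSignatureKey();

    /** @return the service used to validate API keys */
    protected abstract ClientDetailsService getClientDetailsService();

    /** @return the name of this API, as expected in token claims and authentication details */
    protected abstract String getApiName();
}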
