package io.apicurio.hub.api.security;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.mashape.unirest.http.HttpResponse;
import com.mashape.unirest.http.Unirest;
import io.apicurio.studio.shared.beans.User;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.inject.Inject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.HttpStatus;
import org.eclipse.egit.github.core.client.IGitHubConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/apicurio-studio-be-hub-api-0.2.15.Final.jar:io/apicurio/hub/api/security/GitHubAuthenticationFilter.class */
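/**
 * Servlet filter that authenticates a request from the access token in its
 * {@code Authorization} header.
 *
 * <p>The token is validated by calling the GitHub {@code /user} endpoint with it. A token that
 * GitHub accepts is cached together with the returned {@link User}, so that later requests
 * carrying the same token skip the remote call. Requests without a usable token, or with a
 * token GitHub does not accept, are answered with {@code 401} and a {@code WWW-Authenticate}
 * challenge.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The cache is shared by all request threads, so it is a concurrent map.</li>
 *   <li>Cache entries expire after {@link #CACHE_TTL_NANOS}. Without expiry, a token revoked on
 *       GitHub would keep being accepted here until the application restarts.</li>
 *   <li>Any failure while talking to GitHub fails closed: the request is rejected.</li>
 *   <li>NOTE(review): the cache is keyed by the raw token, so live tokens sit in the heap for
 *       the lifetime of the entry. Expired entries are only evicted when the same token is
 *       presented again.</li>
 * </ul>
 */
public class GitHubAuthenticationFilter implements Filter {
    private static final Logger logger = LoggerFactory.getLogger(GitHubAuthenticationFilter.class);

    /** Challenge sent with every 401 response. */
    private static final String CHALLENGE = "Bearer realm=\"apicurio-studio\"";

    /** Authorization schemes accepted by this filter, each including its trailing space. */
    private static final String[] ACCEPTED_SCHEMES = {"bearer ", "token "};

    /**
     * How long a validated token is trusted before it is re-checked against GitHub.
     * Five minutes is a reviewer-chosen default; tune it to the deployment's revocation needs.
     */
    private static final long CACHE_TTL_NANOS = 5L * 60L * 1_000_000_000L;

    /** Validated tokens and the user each one resolved to; accessed from all request threads. */
    private static final Map<String, CachedUser> authCache = new ConcurrentHashMap<>();

    private static final ObjectMapper mapper = new ObjectMapper();

    static {
        mapper.setSerializationInclusion(JsonInclude.Include.NON_NULL);
    }

    @Inject
    private ISecurityContext security;

    /** A cached authentication result and the monotonic time at which it was stored. */
    private static final class CachedUser {
        private final User user;
        private final long cachedAtNanos;

        CachedUser(User user, long cachedAtNanos) {
            this.user = user;
            this.cachedAtNanos = cachedAtNanos;
        }

        /** Subtraction form is required for {@link System#nanoTime()} values, which may wrap. */
        boolean isExpired(long nowNanos) {
            return nowNanos - cachedAtNanos >= CACHE_TTL_NANOS;
        }
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Authenticates the request and, on success, stores the user in the security context before
     * passing the request down the chain.
     *
     * @throws IOException if writing the error response or the downstream chain fails
     * @throws ServletException if the downstream chain fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        String token = getAuthenticationToken((HttpServletRequest) servletRequest);
        if (token == null || token.isEmpty()) {
            rejectUnauthenticated(httpResponse);
            return;
        }

        User user = getCachedUser(token);
        if (user == null) {
            user = authenticateUser(token);
            if (user != null) {
                cacheAuthenticatedUser(token, user);
            }
        }
        if (user == null) {
            rejectUnauthenticated(httpResponse);
            return;
        }

        ((SecurityContext) this.security).setUser(user);
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /** Sends the 401 response together with the Bearer challenge. */
    private void rejectUnauthenticated(HttpServletResponse httpResponse) throws IOException {
        httpResponse.setHeader("WWW-Authenticate", CHALLENGE);
        httpResponse.sendError(HttpStatus.SC_UNAUTHORIZED);
    }

    /**
     * Extracts the token from an {@code Authorization: Bearer <token>} or
     * {@code Authorization: Token <token>} header.
     *
     * <p>The scheme is matched case-insensitively with {@code regionMatches}, which does not
     * depend on the JVM's default locale. The token is trimmed so that the emptiness check, the
     * cache key and the value forwarded to GitHub are all the same string.
     *
     * @return the trimmed token (possibly empty), or {@code null} if the header is missing or
     *     uses another scheme
     */
    private String getAuthenticationToken(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null) {
            return null;
        }
        for (String scheme : ACCEPTED_SCHEMES) {
            if (header.regionMatches(true, 0, scheme, 0, scheme.length())) {
                return header.substring(scheme.length()).trim();
            }
        }
        return null;
    }

    /**
     * Looks up a previously validated token.
     *
     * @return the cached user, or {@code null} if the token is unknown or its entry has expired
     */
    private User getCachedUser(String str) {
        CachedUser entry = authCache.get(str);
        if (entry == null) {
            return null;
        }
        if (entry.isExpired(System.nanoTime())) {
            // Two-argument remove: do not discard a fresh entry another thread just stored.
            authCache.remove(str, entry);
            return null;
        }
        return entry.user;
    }

    /**
     * Validates the token by requesting the GitHub user it belongs to.
     *
     * @return the user GitHub returned, or {@code null} if the status was not 200 or the call
     *     or the response parsing failed
     */
    private User authenticateUser(String str) {
        try {
            HttpResponse<String> response = Unirest.get("https://api.github.com/user")
                    .header("Accept", IGitHubConstants.CONTENT_TYPE_JSON)
                    .header("Authorization", "Bearer " + str)
                    .asString();
            if (response.getStatus() != 200) {
                return null;
            }
            return (User) mapper.readerFor(User.class).readValue(response.getBody());
        } catch (Exception e) {
            // Fail closed on any transport or parsing error; the token itself is never logged.
            logger.error("Failed to authenticate with the GitHub API", e);
            return null;
        }
    }

    /** Stores a validated token with the current monotonic time so the entry can expire. */
    private void cacheAuthenticatedUser(String str, User user) {
        authCache.put(str, new CachedUser(user, System.nanoTime()));
    }

    @Override
    public void destroy() {
    }
}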
