package org.mycore.restapi.v1;

import com.auth0.jwt.JWT;
import com.auth0.jwt.exceptions.JWTVerificationException;
import java.io.IOException;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.Date;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.mycore.common.MCRSessionMgr;
import org.mycore.common.MCRUserInformation;
import org.mycore.frontend.MCRFrontendUtil;
import org.mycore.frontend.jersey.MCRCacheControl;
import org.mycore.frontend.jersey.MCRJWTUtil;
import org.mycore.frontend.jersey.access.MCRRequireLogin;
import org.mycore.frontend.jersey.filter.access.MCRRestrictedAccess;
import org.mycore.restapi.v1.utils.MCRRestAPIUtil;

/**
 * REST resource mounted at {@code /auth} that issues, renews and validates the JSON Web Tokens
 * used by the v1 REST API.
 *
 * <p>Every token produced here carries the audience {@link #AUDIENCE}, a {@code mcr:ip} claim
 * holding the caller's remote address, an expiry {@value #EXPIRATION_TIME_MINUTES} minutes in the
 * future and a not-before time the same number of minutes in the past.
 *
 * <p>NOTE(review): this class never inspects the credentials inside the {@code Authorization}
 * header; it only looks at the scheme prefix and then reads the user of the current session.
 * Presumably an upstream filter has already authenticated the request and populated the session.
 * Confirm that, and confirm that an unauthenticated (guest) session cannot obtain a token.
 */
@Path("/auth")
public class MCRRestAPIAuthentication {
    /** Token lifetime in minutes; also used as the not-before back-dating window. */
    private static final int EXPIRATION_TIME_MINUTES = 10;

    /** Audience value written into issued tokens and required by {@link #validate(String)}. */
    public static final String AUDIENCE = "mcr:rest-auth";

    // Injected by the JAX-RS runtime for the request being served.
    @Context
    HttpServletRequest req;

    // Injected by the JAX-RS runtime; passed on when building the WWW-Authenticate challenge.
    @Context
    Application app;

    /**
     * Issues a token for the user of the current session when the request carries an HTTP Basic
     * {@code Authorization} header.
     *
     * <p>The response is marked no-store / no-cache / private so that intermediaries do not keep
     * the token. Basic credentials are only base64-encoded, so this endpoint should be reachable
     * over TLS only.
     *
     * @param str raw value of the {@code Authorization} header, or the empty string when absent
     * @return the login-success response built by {@code MCRJWTUtil} around the new token
     * @throws NotAuthorizedException with a {@code Basic} challenge when the header does not start
     *         with {@code "Basic "} or no token could be created
     * @throws IOException declared for the response-building call
     */
    @GET
    @Path("/login")
    @MCRCacheControl(noTransform = true, noStore = true, private_ = @MCRCacheControl.FieldArgument(active = true), noCache = @MCRCacheControl.FieldArgument(active = true))
    @Produces({"application/json;charset=utf-8"})
    public Response authorize(@HeaderParam("Authorization") @DefaultValue("") String str) throws IOException {
        Optional<String> issued = Optional.empty();
        if (str.startsWith("Basic ")) {
            // Only the scheme is checked here; the user comes from the session (see class note).
            issued = issueTokenForCurrentSession();
        }
        if (!issued.isPresent()) {
            throw new NotAuthorizedException("Login failed. Please provide proper user name and password via HTTP Basic Authentication.", MCRRestAPIUtil.getWWWAuthenticateHeader("Basic", null, this.app));
        }
        return MCRJWTUtil.getJWTLoginSuccessResponse(issued.get());
    }

    /**
     * Builds and signs a token for the given user, bound to the given remote address.
     *
     * <p>The validity window runs from {@value #EXPIRATION_TIME_MINUTES} minutes before now to
     * {@value #EXPIRATION_TIME_MINUTES} minutes after now (UTC). The back-dated not-before value
     * presumably tolerates clock skew between nodes.
     *
     * <p>NOTE(review): the {@code mcr:ip} claim is only useful if the verifier compares it with
     * the caller's address; {@link #validate(String)} does not. Also confirm how the address
     * passed in is derived when the application runs behind a proxy, so that a client-supplied
     * forwarding header cannot choose the value that ends up in the claim.
     *
     * @param mCRUserInformation user the token is issued for; may be {@code null}
     * @param str remote address stored in the {@code mcr:ip} claim
     * @return the signed token, or an empty {@code Optional} when no user information was given
     *         (or when the builder lookup yields {@code null})
     */
    public static Optional<String> getToken(MCRUserInformation mCRUserInformation, String str) {
        final ZonedDateTime issuedAt = ZonedDateTime.now(ZoneOffset.UTC);
        final Date expiresAt = Date.from(issuedAt.plusMinutes(EXPIRATION_TIME_MINUTES).toInstant());
        final Date notBefore = Date.from(issuedAt.minusMinutes(EXPIRATION_TIME_MINUTES).toInstant());
        final String clientAddress = str;
        return Optional.ofNullable(mCRUserInformation)
            .map(MCRJWTUtil::getJWTBuilder)
            .map(jwt -> jwt.withAudience(AUDIENCE)
                .withClaim("mcr:ip", clientAddress)
                .withExpiresAt(expiresAt)
                .withNotBefore(notBefore)
                .sign(MCRJWTUtil.getJWTAlgorithm()));
    }

    /**
     * Issues a fresh token for the user of the current session when the request carries a
     * {@code Bearer} {@code Authorization} header.
     *
     * <p>Access is additionally gated by {@code @MCRRestrictedAccess(MCRRequireLogin.class)}.
     *
     * <p>NOTE(review): each call returns a token with a full new lifetime and nothing visible here
     * caps the number of renewals or invalidates the previous token, so a leaked token can be kept
     * alive for as long as it is renewed before expiry. Confirm whether a maximum session age or
     * revocation is enforced elsewhere.
     *
     * <p>NOTE(review): the failure challenge advertises {@code Basic} although a Bearer token is
     * expected; kept unchanged.
     *
     * @param str raw value of the {@code Authorization} header, or the empty string when absent
     * @return the renew-success response built by {@code MCRJWTUtil} around the new token
     * @throws NotAuthorizedException when the header does not start with {@code "Bearer "} or no
     *         token could be created
     * @throws IOException declared for the response-building call
     */
    @GET
    @MCRRestrictedAccess(MCRRequireLogin.class)
    @Path("/renew")
    @MCRCacheControl(noTransform = true, noStore = true, private_ = @MCRCacheControl.FieldArgument(active = true), noCache = @MCRCacheControl.FieldArgument(active = true))
    public Response renew(@HeaderParam("Authorization") @DefaultValue("") String str) throws IOException {
        Optional<String> renewed = Optional.empty();
        if (str.startsWith("Bearer ")) {
            // The presented token itself is not parsed here; the session user is re-used.
            renewed = issueTokenForCurrentSession();
        }
        if (!renewed.isPresent()) {
            throw new NotAuthorizedException("Login failed. Please provide a valid JSON Web Token for authentication.", MCRRestAPIUtil.getWWWAuthenticateHeader("Basic", null, this.app));
        }
        return MCRJWTUtil.getJWTRenewSuccessResponse(renewed.get());
    }

    /**
     * Verifies a token against the algorithm supplied by {@code MCRJWTUtil} and the required
     * audience {@link #AUDIENCE}, with a leeway of zero seconds.
     *
     * <p>This method does not compare the {@code mcr:ip} claim with the caller's address and does
     * not look at the subject; callers that rely on those properties must check them separately.
     *
     * @param str the serialized token to verify
     * @throws JWTVerificationException when verification fails
     */
    public static void validate(String str) throws JWTVerificationException {
        JWT.require(MCRJWTUtil.getJWTAlgorithm())
            .withAudience(AUDIENCE)
            .acceptLeeway(0L)
            .build()
            .verify(str);
    }

    /** Creates a token for the current session's user, bound to this request's remote address. */
    private Optional<String> issueTokenForCurrentSession() {
        MCRUserInformation sessionUser = MCRSessionMgr.getCurrentSession().getUserInformation();
        String remoteAddress = MCRFrontendUtil.getRemoteAddr(this.req);
        return getToken(sessionUser, remoteAddress);
    }
}
