package org.gcube.smartgears.handlers.application.request;

import javax.xml.bind.DatatypeConverter;
import javax.xml.bind.annotation.XmlRootElement;
import org.gcube.common.authorization.client.exceptions.ObjectNotFound;
import org.gcube.common.authorization.client.proxy.AuthorizationProxy;
import org.gcube.common.authorization.library.AuthorizationEntry;
import org.gcube.common.authorization.library.BannedService;
import org.gcube.common.authorization.library.provider.AuthorizationProvider;
import org.gcube.common.authorization.library.provider.SecurityTokenProvider;
import org.gcube.common.authorization.library.provider.UserInfo;
import org.gcube.common.resources.gcore.GCoreEndpoint;
import org.gcube.common.scope.api.ScopeProvider;
import org.gcube.smartgears.Constants;
import org.gcube.smartgears.context.application.ApplicationContext;
import org.gcube.smartgears.extensions.resource.FrontPageResource;
import org.gcube.smartgears.handlers.application.RequestEvent;
import org.gcube.smartgears.handlers.application.RequestHandler;
import org.gcube.smartgears.handlers.application.ResponseEvent;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

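/**
 * Request handler that checks the application lifecycle and the caller's
 * authorization before a call is allowed to proceed.
 *
 * <p>A call is accepted through one of three paths, tried in this order:
 * <ol>
 *   <li>a token supplied as a request parameter or header named
 *       {@link Constants#token_header};</li>
 *   <li>an HTTP Basic {@code Authorization} header whose password part is a
 *       token and whose user part must match the token's owner (only when
 *       neither a token nor a scope header is present);</li>
 *   <li>a bare scope header, validated only against the scopes of the
 *       endpoint profile.</li>
 * </ol>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Tokens are credentials. They are never written to the log or echoed
 *       in error messages by this class.</li>
 *   <li>NOTE(review): path 3 authorizes a call on the scope header alone, with
 *       no token lookup. Confirm this legacy path is still intended.</li>
 *   <li>NOTE(review): accepting the token as a request parameter means it can
 *       end up in URLs, and therefore in access logs and proxies. The header
 *       form is preferable for callers.</li>
 *   <li>Every rejection goes through {@code RequestError.fire(...)}, which is
 *       expected to abort the request by throwing; its definition is not in
 *       this file. New rejection paths added here fail closed explicitly.</li>
 *   <li>NOTE(review): {@code context} is an instance field written on every
 *       request; this assumes all requests seen by one handler instance share
 *       the same application context. Confirm against the container.</li>
 * </ul>
 */
@XmlRootElement(name = Constants.request_validation)
public class RequestValidator extends RequestHandler {
    private static final Logger log = LoggerFactory.getLogger(RequestValidator.class);

    /** Authentication scheme expected in the authorization header. */
    private static final String BASIC_SCHEME = "Basic";

    private ApplicationContext context;

    /**
     * Validates the lifecycle state, then the token; falls back to validating
     * the scope header when no token-based path accepted the call.
     *
     * @param requestEvent the incoming request and its application context
     */
    @Override
    public void handleRequest(RequestEvent requestEvent) {
        this.context = requestEvent.context();
        validateAgainstLifecycle(requestEvent);
        if (validateToken(requestEvent)) {
            return;
        }
        // No token was supplied: the call is accepted on the scope header alone.
        String scope = requestEvent.request().getHeader(Constants.scope_header);
        validateScope(scope);
        log.info("received call to {} in scope {}", requestEvent.uri(), scope);
    }

    /**
     * Clears the token, authorization and scope providers so that state set
     * while handling this request is not carried over to the next one.
     *
     * @param responseEvent the outgoing response (unused)
     */
    @Override
    public void handleResponse(ResponseEvent responseEvent) {
        SecurityTokenProvider.instance.reset();
        AuthorizationProvider.instance.reset();
        ScopeProvider.instance.reset();
    }

    /**
     * Rejects the call when the application is stopped or failed.
     *
     * @param requestEvent the incoming request (unused; the state is read from the stored context)
     */
    private void validateAgainstLifecycle(RequestEvent requestEvent) {
        switch (this.context.lifecycle().state()) {
            case stopped:
                RequestError.application_unavailable_error.fire();
                return;
            case failed:
                RequestError.application_failed_error.fire();
                return;
            default:
                return;
        }
    }

    /**
     * Rejects a missing scope or one that is not among the scopes of the
     * endpoint profile, then publishes the scope through {@link ScopeProvider}.
     *
     * @param str the scope to validate, possibly {@code null}
     */
    private void validateScope(String str) {
        if (str == null) {
            log.info("rejecting unscoped call to {}", this.context.name());
            RequestError.invalid_request_error.fire("call is unscoped");
        }
        if (!((GCoreEndpoint) this.context.profile(GCoreEndpoint.class)).scopes().contains(str)) {
            log.info("rejecting call to {} in invalid scope {}", this.context.name(), str);
            RequestError.invalid_request_error.fire(this.context.name() + " cannot be called in scope " + str);
        }
        ScopeProvider.instance.set(str);
    }

    /**
     * Authorizes the call from a token or from Basic credentials.
     *
     * <p>The request parameter takes precedence over the header of the same
     * name. Basic credentials are considered only when neither a token nor a
     * scope header is present.
     *
     * @param requestEvent the incoming request
     * @return {@code true} if a token-based path handled the call, {@code false}
     *         if no token was supplied and the caller must validate the scope header
     */
    private boolean validateToken(RequestEvent requestEvent) {
        String tokenParameter = requestEvent.request().getParameter(Constants.token_header);
        String token = tokenParameter == null
                ? requestEvent.request().getHeader(Constants.token_header)
                : tokenParameter;
        if (token == null && requestEvent.request().getHeader(Constants.scope_header) == null) {
            String authorization = requestEvent.request().getHeader(Constants.authorization_header);
            if (authorization != null) {
                String[] credentials = parseBasicCredentials(authorization);
                if (credentials == null) {
                    // Wrong scheme, undecodable payload or no "user:token" separator:
                    // reject instead of failing with an index or format exception.
                    log.info("rejecting call to {}, malformed basic authorization header", this.context.name());
                    RequestError.request_not_authorized_error.fire(this.context.name() + ": malformed authorization header");
                    // Fail closed should fire() ever return normally.
                    throw new IllegalStateException("request rejection did not abort processing");
                }
                String username = sanitizeForLog(credentials[0]);
                UserInfo owner = retreiveAndSetInfo(credentials[1], requestEvent);
                // Compare from the known non-null side so a token without a user name is a mismatch.
                if (!credentials[0].equals(owner.getUserName())) {
                    // The providers were already populated for the token owner above;
                    // this branch relies on fire() aborting the request.
                    log.info("rejecting call to {}, username {} not valid for the supplied token", this.context.name(), username);
                    RequestError.request_not_authorized_error.fire(this.context.name() + ": username " + username + " not valid for the supplied token");
                }
                return true;
            }
            log.info("rejecting call to {}, authorization required", this.context.name());
            RequestError.request_not_authorized_error.fire(this.context.name() + ": authorization required");
        }
        // Record only whether a token arrived, never its value.
        log.trace("token present: {}", token != null);
        if (token != null) {
            retreiveAndSetInfo(token, requestEvent);
            return true;
        }
        log.info("invalid token, returning false");
        return false;
    }

    /**
     * Extracts {@code user} and {@code token} from a Basic authorization header.
     *
     * @param headerValue the raw header value, not {@code null}
     * @return a two-element array {@code {user, token}}, or {@code null} when the
     *         scheme is not Basic, the payload cannot be decoded, or it has no
     *         {@code ':'} separator
     */
    private static String[] parseBasicCredentials(String headerValue) {
        if (!headerValue.regionMatches(true, 0, BASIC_SCHEME, 0, BASIC_SCHEME.length())) {
            return null;
        }
        String decoded;
        try {
            byte[] raw = DatatypeConverter.parseBase64Binary(headerValue.substring(BASIC_SCHEME.length()).trim());
            // Explicit charset: the platform default would make credential matching host-dependent.
            decoded = new String(raw, java.nio.charset.StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
        String[] parts = decoded.split(":", 2);
        return parts.length == 2 ? parts : null;
    }

    /**
     * Replaces line breaks in caller-supplied text so it cannot start a forged
     * log record or message line.
     *
     * @param value the text to neutralize, possibly {@code null}
     * @return the text with CR and LF replaced by {@code '_'}, or {@code null}
     */
    private static String sanitizeForLog(String value) {
        return value == null ? null : value.replace('\r', '_').replace('\n', '_');
    }

    @Override
    public String toString() {
        return Constants.request_validation;
    }

    /**
     * Resolves the token with the authorization service, rejects it when this
     * service is banned for the token, and publishes user, scope and token
     * through the corresponding providers.
     *
     * @param token the caller's token; treated as a secret and never logged
     * @param requestEvent the incoming request
     * @return the user information attached to the token
     * @throws IllegalStateException if the lookup was rejected but processing continued
     */
    private UserInfo retreiveAndSetInfo(String token, RequestEvent requestEvent) {
        // The lookup is performed in the infrastructure-level scope.
        ScopeProvider.instance.set(FrontPageResource.mapping + requestEvent.context().container().configuration().infrastructure());
        AuthorizationEntry authorizationEntry = null;
        try {
            authorizationEntry = ((AuthorizationProxy) org.gcube.common.authorization.client.Constants.authorizationService().build()).get(token);
        } catch (ObjectNotFound e) {
            log.warn("rejecting call to {}, invalid token", this.context.name());
            RequestError.invalid_request_error.fire(this.context.name() + ": invalid token");
        } catch (Exception e2) {
            log.error("error contacting authorization service", e2);
            RequestError.internal_server_error.fire("error contacting authorization service");
        }
        if (authorizationEntry == null) {
            // Fail closed with a clear cause instead of a NullPointerException below.
            throw new IllegalStateException("authorization entry was not resolved");
        }
        BannedService thisService = new BannedService(requestEvent.context().configuration().serviceClass(), requestEvent.context().configuration().name());
        if (authorizationEntry.getBannedServices().contains(thisService)) {
            log.error("rejecting call to {}: service is banned for the supplied token", this.context.name());
            RequestError.invalid_request_error.fire("rejecting call to " + this.context.name() + ": service is banned for the supplied token");
        }
        UserInfo userInfo = new UserInfo(authorizationEntry.getUserName(), authorizationEntry.getRoles(), authorizationEntry.getBannedServices());
        AuthorizationProvider.instance.set(userInfo);
        validateScope(authorizationEntry.getScope());
        log.info("retrieved request authorization info {} in scope {}", AuthorizationProvider.instance.get(), ScopeProvider.instance.get());
        SecurityTokenProvider.instance.set(token);
        return userInfo;
    }
}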
