package org.gcube.smartgears.handlers.application.request;

import java.io.IOException;
import java.util.Iterator;
import javax.xml.bind.DatatypeConverter;
import javax.xml.bind.annotation.XmlAttribute;
import javax.xml.bind.annotation.XmlRootElement;
import org.gcube.common.authorization.client.exceptions.ObjectNotFound;
import org.gcube.common.authorization.library.AuthorizationEntry;
import org.gcube.common.authorization.library.PolicyUtils;
import org.gcube.common.authorization.library.policies.Policy;
import org.gcube.common.authorization.library.provider.AuthorizationProvider;
import org.gcube.common.authorization.library.provider.ClientInfo;
import org.gcube.common.authorization.library.provider.SecurityTokenProvider;
import org.gcube.common.authorization.library.provider.ServiceIdentifier;
import org.gcube.common.authorization.library.provider.UserInfo;
import org.gcube.common.authorization.library.utils.Caller;
import org.gcube.common.scope.api.ScopeProvider;
import org.gcube.common.scope.impl.ScopeBean;
import org.gcube.smartgears.Constants;
import org.gcube.smartgears.configuration.container.ContainerConfiguration;
import org.gcube.smartgears.context.application.ApplicationContext;
import org.gcube.smartgears.handlers.application.RequestEvent;
import org.gcube.smartgears.handlers.application.RequestHandler;
import org.gcube.smartgears.handlers.application.ResponseEvent;
import org.gcube.smartgears.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@XmlRootElement(name = Constants.request_validation)
/* loaded from: input_file:org/gcube/smartgears/handlers/application/request/RequestValidator.class */
public class RequestValidator extends RequestHandler {

    @XmlAttribute(required = false, name = "oauth")
    boolean oauthCompatibility = false;
    private static Logger log = LoggerFactory.getLogger(RequestValidator.class);
    private ApplicationContext context;

    @Override // org.gcube.smartgears.handlers.application.RequestHandler
    public String getName() {
        return Constants.request_validation;
    }

    @Override // org.gcube.smartgears.handlers.application.RequestHandler
    public void handleRequest(RequestEvent requestEvent) {
        log.trace("executing request validator ON REQUEST");
        this.context = requestEvent.context();
        validateAgainstLifecycle(requestEvent);
        if (validateToken(requestEvent)) {
            return;
        }
        String header = requestEvent.request().getParameter(Constants.scope_header) == null ? requestEvent.request().getHeader(Constants.scope_header) : requestEvent.request().getParameter(Constants.scope_header);
        validateScope(header);
        log.info("received call to {} in context {}", requestEvent.uri(), header);
    }

    @Override // org.gcube.smartgears.handlers.application.RequestHandler
    public void handleResponse(ResponseEvent responseEvent) {
        SecurityTokenProvider.instance.reset();
        AuthorizationProvider.instance.reset();
        ScopeProvider.instance.reset();
        log.debug("resetting all the Thread local for this call.");
    }

    private void validateAgainstLifecycle(RequestEvent requestEvent) {
        switch (this.context.lifecycle().state()) {
            case stopped:
                RequestError.application_unavailable_error.fire();
                return;
            case failed:
                RequestError.application_failed_error.fire();
                return;
            default:
                return;
        }
    }

    private void validateScope(String str) {
        if (str == null) {
            log.warn("rejecting unscoped call to {}", this.context.name());
            RequestError.invalid_request_error.fire("call is unscoped");
        }
        ScopeBean scopeBean = new ScopeBean(str);
        ContainerConfiguration configuration = this.context.container().configuration();
        if (!configuration.allowedContexts().contains(str) && (!configuration.authorizeChildrenContext() || !scopeBean.is(ScopeBean.Type.VRE) || !configuration.allowedContexts().contains(scopeBean.enclosingScope().toString()))) {
            log.warn("rejecting call to {} in invalid context {}, allowed context are {}", new Object[]{this.context.name(), str, this.context.container().configuration().allowedContexts()});
            RequestError.invalid_request_error.fire(this.context.name() + " cannot be called in scope " + str);
        }
        ScopeProvider.instance.set(str);
    }

    private boolean validateToken(RequestEvent requestEvent) {
        String header = requestEvent.request().getParameter(Constants.token_header) == null ? requestEvent.request().getHeader(Constants.token_header) : requestEvent.request().getParameter(Constants.token_header);
        String header2 = requestEvent.request().getParameter(Constants.scope_header) == null ? requestEvent.request().getHeader(Constants.scope_header) : requestEvent.request().getParameter(Constants.scope_header);
        if (header == null && header2 == null && this.oauthCompatibility) {
            header = requestEvent.request().getParameter(Constants.oauth_secret);
        }
        if (header == null && header2 == null) {
            log.warn("rejecting call to {}, authorization required", this.context.name(), header);
            if (requestEvent.context().container().configuration().authenticationEnpoint() != null) {
                log.info("authorization enpoint found on configuration, redirecting the call");
                try {
                    requestEvent.response().sendRedirect(this.context.container().configuration().authenticationEnpoint() + "?Recall-Location=" + String.format("http://%s:%d%s", requestEvent.context().container().configuration().hostname(), Integer.valueOf(requestEvent.context().container().configuration().port()), requestEvent.uri()));
                    return false;
                } catch (IOException e) {
                    log.error("errror redirecting call", e);
                    return false;
                }
            }
            if (requestEvent.request().getHeader(Constants.authorization_header) != null) {
                String[] split = new String(DatatypeConverter.parseBase64Binary(requestEvent.request().getHeader(Constants.authorization_header).substring("Basic".length()).trim())).split(":", 2);
                String str = split[1];
                ClientInfo retreiveAndSetInfo = retreiveAndSetInfo(str, requestEvent);
                if ((retreiveAndSetInfo instanceof UserInfo) && retreiveAndSetInfo.getId().equals(split[0])) {
                    return true;
                }
                log.warn("rejecting call to {}, username {} not valid for token {}", new Object[]{this.context.name(), split[0], str});
                RequestError.request_not_authorized_error.fire(this.context.name() + ": username " + split[0] + " not valid for token " + str);
                return true;
            }
            log.warn("rejecting call to {}, authorization required", this.context.name(), header);
            RequestError.request_not_authorized_error.fire(this.context.name() + ": authorization required");
        }
        log.trace("token is " + header);
        if (header != null) {
            retreiveAndSetInfo(header, requestEvent);
            return true;
        }
        log.info("invalid token, checking the context");
        return false;
    }

    @Override // org.gcube.smartgears.handlers.AbstractHandler
    public String toString() {
        return getName();
    }

    private ClientInfo retreiveAndSetInfo(String str, RequestEvent requestEvent) {
        log.info("accessing  validator with token {} ", str);
        AuthorizationEntry authorizationEntry = null;
        try {
            authorizationEntry = org.gcube.common.authorization.client.Constants.authorizationService().get(str);
        } catch (ObjectNotFound e) {
            log.warn("rejecting call to {}, invalid token {}", this.context.name(), str);
            RequestError.invalid_request_error.fire(this.context.name() + " invalid token : " + str);
        } catch (Exception e2) {
            log.error("error contacting authorization service", e2);
            RequestError.internal_server_error.fire("error contacting authorization service");
        }
        ServiceIdentifier serviceIdentifier = Utils.getServiceInfo(requestEvent.context()).getServiceIdentifier();
        Iterator it = authorizationEntry.getPolicies().iterator();
        while (it.hasNext()) {
            if (PolicyUtils.isPolicyValidForClient(((Policy) it.next()).getServiceAccess(), serviceIdentifier)) {
                log.error("rejecting call to {} : {} is not allowed to contact the service ", this.context.name(), authorizationEntry.getClientInfo().getId());
                RequestError.invalid_request_error.fire("rejecting call to " + this.context.name() + ": " + authorizationEntry.getClientInfo().getId() + " is not allowed to contact the service");
            }
        }
        AuthorizationProvider.instance.set(new Caller(authorizationEntry.getClientInfo(), authorizationEntry.getQualifier()));
        validateScope(authorizationEntry.getContext());
        log.info("retrieved request authorization info {} in scope {} ", AuthorizationProvider.instance.get(), authorizationEntry.getContext());
        SecurityTokenProvider.instance.set(str);
        return authorizationEntry.getClientInfo();
    }
}
