package io.hops.hopsworks.jwt.filter;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.Verification;
import io.hops.hopsworks.jwt.Constants;
import io.hops.hopsworks.jwt.exception.SigningKeyNotFoundException;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;

/* loaded from: input_file:io/hops/hopsworks/jwt/filter/JWTFilter.class */
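/**
 * JAX-RS request filter that authenticates a request from a JWT carried in the
 * {@code Authorization} header and then applies role and audience checks.
 *
 * <p>Order of checks in {@link #jwtFilter(ContainerRequestContext)}:
 * header present, expected scheme prefix, token decodes, signature / issuer /
 * expiry verification, {@link #isTokenValid(DecodedJWT)}, roles, audience.
 * Authentication failures answer 401 with a {@code WWW-Authenticate} header;
 * role and audience failures answer 403.
 *
 * <p>Security-relevant behaviour that subclasses decide:
 * <ul>
 *   <li>{@link #getIssuer()} returning {@code null} or an empty string makes the
 *       filter use the issuer found in the token itself, so the issuer check can
 *       no longer reject anything; only the signature binds the token.</li>
 *   <li>{@link #allowedRoles()} or {@link #acceptedTokens()} returning
 *       {@code null} or an empty set disables the respective check.</li>
 *   <li>{@link #getAlgorithm(DecodedJWT)} is handed the token before it has been
 *       verified.</li>
 * </ul>
 */
public abstract class JWTFilter implements ContainerRequestFilter {
    private static final Logger LOGGER = Logger.getLogger(JWTFilter.class.getName());

    /** Expiry leeway, in seconds, applied when the token's expiry-leeway claim is 0. */
    private static final long DEFAULT_EXPIRY_LEEWAY_SECONDS = 60L;

    /**
     * Runs {@link #preJWTFilter(ContainerRequestContext)} and, only when it
     * returns {@code true}, the JWT checks in {@link #jwtFilter(ContainerRequestContext)}.
     *
     * @param containerRequestContext the request being filtered
     * @throws IOException if the pre-filter or the JWT filter throws it
     */
    @Override
    public final void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (preJWTFilter(containerRequestContext)) {
            jwtFilter(containerRequestContext);
        }
    }

    /**
     * Authenticates and authorizes the request from its bearer token, aborting
     * the request with 401 or 403 when a check fails and calling
     * {@link #postJWTFilter(ContainerRequestContext, DecodedJWT)} when all pass.
     *
     * @param containerRequestContext the request being filtered
     * @throws IOException declared for subclasses; exceptions raised while the
     *     token is processed are caught here and turned into a 401 response
     */
    public void jwtFilter(ContainerRequestContext containerRequestContext) throws IOException {
        String authorizationHeader = containerRequestContext.getHeaderString("Authorization");
        if (authorizationHeader == null) {
            LOGGER.log(Level.FINEST, "Authorization header not set.");
            abortUnauthorized(containerRequestContext, "Authorization header not set.");
            return;
        }
        if (!authorizationHeader.startsWith(Constants.BEARER)) {
            // The header value is deliberately not logged: a header using another
            // scheme may carry a password or API key that must not reach the logs.
            LOGGER.log(Level.FINEST, "Invalid token. Authorization header does not use the expected scheme.");
            abortUnauthorized(containerRequestContext, "Invalidated token.");
            return;
        }
        String token = authorizationHeader.substring(Constants.BEARER.length()).trim();
        String configuredIssuer = getIssuer();
        try {
            // Decoding happens inside the try so that a malformed token is answered
            // with 401 instead of escaping the filter as an unhandled exception.
            DecodedJWT unverified = JWT.decode(token);

            // The leeway is read before verification, but it is part of the signed
            // payload, so a forged value does not survive verify() below.
            Integer leewayClaim = unverified.getClaim(Constants.EXPIRY_LEEWAY).asInt();
            if (leewayClaim == null) {
                // Fail closed: a token without a usable leeway claim was never
                // accepted, it previously ended in a NullPointerException.
                LOGGER.log(Level.FINEST, "JWT Verification Exception: Expiry leeway claim missing.");
                abortUnauthorized(containerRequestContext, "Invalidated token.");
                return;
            }
            int leewaySeconds = leewayClaim;
            long acceptedLeeway = leewaySeconds == 0 ? DEFAULT_EXPIRY_LEEWAY_SECONDS : leewaySeconds;

            // NOTE(review): with no configured issuer the expected issuer is taken
            // from the token under test, which makes the issuer check a no-op.
            String expectedIssuer = (configuredIssuer == null || configuredIssuer.isEmpty())
                ? unverified.getIssuer()
                : configuredIssuer;

            Verification verification = JWT.require(getAlgorithm(unverified));
            DecodedJWT verified = verification
                .withIssuer(expectedIssuer)
                .acceptExpiresAt(acceptedLeeway)
                .build()
                .verify(token);

            if (!isTokenValid(verified)) {
                LOGGER.log(Level.FINEST, "JWT Verification Exception: Invalidated token.");
                abortUnauthorized(containerRequestContext, "Invalidated token.");
                return;
            }

            Claim rolesClaim = verified.getClaim(Constants.ROLES);
            String[] tokenRoles = rolesClaim == null ? null : rolesClaim.asArray(String.class);
            if (tokenRoles == null) {
                // A missing or non-array roles claim means "no roles": the request is
                // then refused with 403 below rather than failing on a null array.
                tokenRoles = new String[0];
            }
            Set<String> allowedRoles = allowedRoles();
            if (allowedRoles != null && !allowedRoles.isEmpty()
                && !intersect(allowedRoles, Arrays.asList(tokenRoles))) {
                LOGGER.log(Level.FINE, "JWT Access Exception: Client not authorized for this invocation.");
                abortForbidden(containerRequestContext, "Client not authorized for this invocation.");
                return;
            }

            List<String> audience = verified.getAudience();
            Set<String> acceptedTokens = acceptedTokens();
            if (acceptedTokens == null || acceptedTokens.isEmpty() || intersect(acceptedTokens, audience)) {
                postJWTFilter(containerRequestContext, verified);
            } else {
                LOGGER.log(Level.FINE, "JWT Access Exception: Token not issued for this recipient.");
                abortForbidden(containerRequestContext, "Token not issued for this recipient.");
            }
        } catch (Exception e) {
            // Broad catch at the authentication boundary: any failure, including one
            // thrown by postJWTFilter, denies the request.
            // NOTE(review): the exception message is sent back to the client; confirm
            // that no implementation puts key or configuration details into it.
            LOGGER.log(Level.FINE, "JWT Verification Exception: {0}", e.getMessage());
            abortUnauthorized(containerRequestContext, e.getMessage());
        }
    }

    /** Aborts the request with 401 and the {@code WWW-Authenticate} challenge header. */
    private void abortUnauthorized(ContainerRequestContext containerRequestContext, String message) {
        containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)
            .header("WWW-Authenticate", Constants.WWW_AUTHENTICATE_VALUE)
            .entity(responseEntity(Response.Status.UNAUTHORIZED, message))
            .build());
    }

    /** Aborts the request with 403; used once the token itself has been accepted. */
    private void abortForbidden(ContainerRequestContext containerRequestContext, String message) {
        containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN)
            .entity(responseEntity(Response.Status.FORBIDDEN, message))
            .build());
    }

    /**
     * Tells whether two collections share at least one element.
     *
     * @return {@code false} when either collection is {@code null} or empty
     */
    private boolean intersect(Collection<String> first, Collection<String> second) {
        if (first == null || first.isEmpty() || second == null || second.isEmpty()) {
            return false;
        }
        Set<String> common = new HashSet<>(first);
        common.retainAll(new HashSet<>(second));
        return !common.isEmpty();
    }

    /**
     * Supplies the algorithm (and key) used to verify the token's signature.
     *
     * <p>The argument is the decoded but not yet verified token. Implementations
     * should pick the algorithm and key from server-side configuration and use
     * the token only as a lookup hint; the algorithm named in the token header
     * is attacker-controlled at this point.
     *
     * @param decodedJWT the unverified token
     * @return the algorithm to verify with
     * @throws SigningKeyNotFoundException declared for implementations; the filter
     *     answers it with 401
     */
    public abstract Algorithm getAlgorithm(DecodedJWT decodedJWT) throws SigningKeyNotFoundException;

    /**
     * Roles of which the token must carry at least one.
     *
     * @return the allowed roles; {@code null} or empty disables the role check
     */
    public abstract Set<String> allowedRoles();

    /**
     * Audience values of which the token must carry at least one.
     *
     * @return the accepted audiences; {@code null} or empty disables the audience check
     */
    public abstract Set<String> acceptedTokens();

    /**
     * Extra validity check applied after signature, issuer and expiry have been verified.
     *
     * @param decodedJWT the verified token
     * @return {@code false} to reject the token with 401
     */
    public abstract boolean isTokenValid(DecodedJWT decodedJWT);

    /**
     * Hook run before any JWT processing.
     *
     * @param containerRequestContext the request being filtered
     * @return {@code true} to continue with the JWT checks; {@code false} skips
     *     them entirely, so the implementation is then responsible for the request
     * @throws IOException declared for implementations
     */
    public abstract boolean preJWTFilter(ContainerRequestContext containerRequestContext) throws IOException;

    /**
     * Hook run once the token has passed every check.
     *
     * @param containerRequestContext the request being filtered
     * @param decodedJWT the verified token
     * @throws IOException declared for implementations; when thrown it is caught by
     *     {@link #jwtFilter(ContainerRequestContext)} and answered with 401
     */
    public abstract void postJWTFilter(ContainerRequestContext containerRequestContext, DecodedJWT decodedJWT) throws IOException;

    /**
     * Issuer the token is required to have.
     *
     * @return the expected issuer; {@code null} or empty makes the filter accept
     *     whatever issuer the token names
     */
    public abstract String getIssuer();

    /**
     * Builds the response body for a refused request.
     *
     * @param status the HTTP status being returned (401 or 403 in this class)
     * @param str the message to include
     * @return the entity placed in the response
     */
    public abstract Object responseEntity(Response.Status status, String str);
}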
