package io.hops.hopsworks.api.auth.key;

import io.hops.hopsworks.api.auth.HopsworksSecurityContext;
import io.hops.hopsworks.api.auth.Subject;
import io.hops.hopsworks.exceptions.ApiKeyException;
import io.hops.hopsworks.exceptions.UserException;
import io.hops.hopsworks.jwt.Constants;
import io.hops.hopsworks.jwt.annotation.JWTRequired;
import io.hops.hopsworks.persistence.entity.user.Users;
import io.hops.hopsworks.persistence.entity.user.security.apiKey.ApiKey;
import io.hops.hopsworks.persistence.entity.user.security.apiKey.ApiScope;
import io.hops.hopsworks.restutils.JsonResponse;
import io.hops.hopsworks.restutils.RESTApiJsonResponse;
import io.hops.hopsworks.restutils.RESTCodes;
import io.hops.hopsworks.restutils.RESTLogLevel;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;

/* loaded from: input_file:WEB-INF/lib/hopsworks-api-auth-3.8.0-SNAPSHOT.jar:io/hops/hopsworks/api/auth/key/ApiKeyFilter.class */
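/**
 * JAX-RS request filter that authenticates requests carrying an
 * {@code Authorization: ApiKey <key>} header.
 *
 * <p>Decision flow, in order:
 * <ol>
 *   <li>No {@code Authorization} header: abort with 401.</li>
 *   <li>Header uses the {@link Constants#BEARER} scheme: the request is left for the JWT
 *       filter; it is aborted with 401 only when the resource carries no
 *       {@link JWTRequired} annotation (on the method or, failing that, the class).</li>
 *   <li>Header uses any other scheme than {@link #API_KEY}: abort with 401.</li>
 *   <li>Otherwise the key is resolved through {@link #getApiKey(String)}, the owning user is
 *       checked through {@link #validateUserStatus(Users)}, and the user's roles and the key's
 *       scopes are intersected with the {@link ApiKeyRequired} annotation of the resource.
 *       Any failure is reported with the status carried by the thrown exception.</li>
 * </ol>
 *
 * <p>Role and scope checks are fail-closed: a resource without an {@link ApiKeyRequired}
 * annotation, a user with no roles, or a key with no scopes is always rejected.
 *
 * <p>The header value is never written to the log, since under any scheme it is a credential.
 * Verification of the key's secret itself is delegated to {@link #getApiKey(String)} and is not
 * visible in this class.
 */
public abstract class ApiKeyFilter implements ContainerRequestFilter {
    private static final Logger LOGGER = Logger.getLogger(ApiKeyFilter.class.getName());
    /** Authorization scheme prefix recognised by this filter, including the separating space. */
    public static final String API_KEY = "ApiKey ";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";

    /**
     * Authenticates the request from its {@code Authorization} header, installing a
     * {@link HopsworksSecurityContext} on success and aborting the request otherwise.
     *
     * @param containerRequestContext the request being filtered
     */
    @Override // javax.ws.rs.container.ContainerRequestFilter
    public void filter(ContainerRequestContext containerRequestContext) {
        String authorization = containerRequestContext.getHeaderString(AUTHORIZATION_HEADER);
        JsonResponse errorBody = new RESTApiJsonResponse();

        if (authorization == null) {
            LOGGER.log(Level.FINEST, "Authorization header not set.");
            abortUnauthorized(containerRequestContext, errorBody, "Authorization header not set.");
            return;
        }

        if (authorization.startsWith(Constants.BEARER)) {
            // Bearer tokens are not validated here; the request is only rejected when the
            // resource does not accept JWT authentication at all.
            LOGGER.log(Level.FINEST, "{0} token found, leaving Api key interceptor", Constants.BEARER);
            if (getJWTAnnotation() == null) {
                abortUnauthorized(containerRequestContext, errorBody, "Authorization method not supported.");
            }
            return;
        }

        if (!authorization.startsWith(API_KEY)) {
            // Log only the fact, never the header value: it is a credential whatever scheme it uses.
            LOGGER.log(Level.FINEST, "Invalid Api key. Authorization header does not use the {0} scheme.",
                API_KEY.trim());
            abortUnauthorized(containerRequestContext, errorBody, "Invalidated Api key.");
            return;
        }

        try {
            ApiKey apiKey = getApiKey(authorization.substring(API_KEY.length()).trim());
            Users user = apiKey.getUser();
            validateUserStatus(user);
            List<String> userRoles = getUserRoles(user);
            Set<ApiScope> apiScopes = getApiScopes(apiKey);
            checkRole(userRoles);
            checkScope(apiScopes);
            String scheme = containerRequestContext.getUriInfo().getRequestUri().getScheme();
            containerRequestContext.setSecurityContext(
                new HopsworksSecurityContext(new Subject(user.getUsername(), userRoles), scheme));
        } catch (ApiKeyException | UserException e) {
            // Only the exception message is logged; the key itself never reaches the log.
            LOGGER.log(Level.FINEST, "Api key Verification Exception: {0}", e.getMessage());
            e.buildJsonResponse(errorBody, getRestLogLevel());
            abort(containerRequestContext, e.getErrorCode().getRespStatus().getStatusCode(), errorBody);
        }
    }

    /**
     * Verifies that the key's owner may authenticate at all.
     *
     * @param users owner of the presented key
     * @throws UserException if the user must not be authenticated; its error code decides the
     *         HTTP status of the aborted response
     */
    protected abstract void validateUserStatus(Users users) throws UserException;

    /**
     * Resolves the presented key to its entity. The argument is the header value after the
     * {@link #API_KEY} prefix, trimmed; it may be empty.
     *
     * @param str the key as presented by the client
     * @return the matching key entity (never {@code null}; {@code getUser()} is called on it)
     * @throws ApiKeyException if the key is unknown or otherwise rejected; its error code decides
     *         the HTTP status of the aborted response
     */
    protected abstract ApiKey getApiKey(String str) throws ApiKeyException;

    /**
     * Returns the scopes granted to the key.
     *
     * @param apiKey the resolved key
     * @return the key's scopes; {@code null} or empty is treated as "no scope" and rejected
     */
    protected abstract Set<ApiScope> getApiScopes(ApiKey apiKey);

    /**
     * Returns the roles held by the key's owner.
     *
     * @param users owner of the presented key
     * @return the user's roles; {@code null} or empty is treated as "no role" and rejected
     */
    protected abstract List<String> getUserRoles(Users users);

    /** Returns the log level passed to the exception when it builds its JSON response. */
    protected abstract RESTLogLevel getRestLogLevel();

    /** Returns the resource class of the matched endpoint, inspected for annotations. */
    protected abstract Class<?> getResourceClass();

    /** Returns the resource method of the matched endpoint, inspected for annotations. */
    protected abstract Method getResourceMethod();

    /**
     * Sets the standard "access denied" error body and aborts with 401.
     *
     * @param containerRequestContext request to abort
     * @param errorBody body to populate and return
     * @param message client-facing error message
     */
    private static void abortUnauthorized(ContainerRequestContext containerRequestContext,
                                          JsonResponse errorBody, String message) {
        errorBody.setErrorCode(RESTCodes.SecurityErrorCode.EJB_ACCESS_LOCAL.getCode());
        errorBody.setErrorMsg(message);
        abort(containerRequestContext, Response.Status.UNAUTHORIZED.getStatusCode(), errorBody);
    }

    /**
     * Aborts the request with the given status, the {@code WWW-Authenticate} challenge and the
     * given body.
     *
     * @param containerRequestContext request to abort
     * @param statusCode HTTP status code of the response
     * @param errorBody already-populated response body
     */
    private static void abort(ContainerRequestContext containerRequestContext, int statusCode,
                              JsonResponse errorBody) {
        containerRequestContext.abortWith(Response.status(statusCode)
            .header(WWW_AUTHENTICATE_HEADER, Constants.WWW_AUTHENTICATE_VALUE)
            .entity(errorBody)
            .build());
    }

    /**
     * Rejects the request unless at least one of the user's roles is allowed by the resource.
     *
     * @param userRoles roles of the key's owner; {@code null} is rejected
     * @throws ApiKeyException if no role is shared with the resource's allowed roles
     */
    private void checkRole(List<String> userRoles) throws ApiKeyException {
        if (!intersects(getAllowedRoles(), userRoles)) {
            throw new ApiKeyException(RESTCodes.ApiKeyErrorCode.KEY_ROLE_CONTROL_EXCEPTION, Level.FINE);
        }
    }

    /**
     * Rejects the request unless at least one of the key's scopes is accepted by the resource.
     *
     * @param keyScopes scopes of the presented key; {@code null} is rejected
     * @throws ApiKeyException if no scope is shared with the resource's accepted scopes
     */
    private void checkScope(Set<ApiScope> keyScopes) throws ApiKeyException {
        if (!intersects(getAllowedScopes(), keyScopes)) {
            throw new ApiKeyException(RESTCodes.ApiKeyErrorCode.KEY_SCOPE_CONTROL_EXCEPTION, Level.FINE);
        }
    }

    /**
     * Fail-closed intersection test: true only when both sides are non-empty and share an element.
     *
     * @param allowed values permitted by the resource annotation
     * @param granted values held by the caller; may be {@code null}
     * @return whether the caller holds at least one permitted value
     */
    private static boolean intersects(Set<?> allowed, Collection<?> granted) {
        return !allowed.isEmpty()
            && granted != null
            && !granted.isEmpty()
            && !Collections.disjoint(allowed, granted);
    }

    /** Roles allowed by the resource's {@link ApiKeyRequired} annotation, or empty when absent. */
    private Set<String> getAllowedRoles() {
        ApiKeyRequired annotation = getAnnotation();
        return annotation == null
            ? Collections.emptySet()
            : new HashSet<>(Arrays.asList(annotation.allowedUserRoles()));
    }

    /** Scopes accepted by the resource's {@link ApiKeyRequired} annotation, or empty when absent. */
    private Set<ApiScope> getAllowedScopes() {
        ApiKeyRequired annotation = getAnnotation();
        return annotation == null
            ? Collections.emptySet()
            : new HashSet<>(Arrays.asList(annotation.acceptedScopes()));
    }

    /** The resource's {@link ApiKeyRequired} annotation: method-level first, then class-level. */
    private ApiKeyRequired getAnnotation() {
        return findAnnotation(ApiKeyRequired.class);
    }

    /** The resource's {@link JWTRequired} annotation: method-level first, then class-level. */
    private JWTRequired getJWTAnnotation() {
        return findAnnotation(JWTRequired.class);
    }

    /**
     * Looks an annotation up on the resource method and, when it is absent there, on the
     * resource class.
     *
     * @param annotationType annotation to look for
     * @param <A> annotation type
     * @return the annotation found, or {@code null} when neither carries it
     */
    private <A extends Annotation> A findAnnotation(Class<A> annotationType) {
        Class<?> resourceClass = getResourceClass();
        A onMethod = getResourceMethod().getAnnotation(annotationType);
        return onMethod != null ? onMethod : resourceClass.getAnnotation(annotationType);
    }
}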
