package com.e2eq.framework.rest.filters;

import com.e2eq.framework.model.persistent.base.DataDomain;
import com.e2eq.framework.model.persistent.morphia.CredentialRepo;
import com.e2eq.framework.model.persistent.morphia.RealmRepo;
import com.e2eq.framework.model.persistent.security.CredentialUserIdPassword;
import com.e2eq.framework.model.persistent.security.Realm;
import com.e2eq.framework.model.securityrules.PrincipalContext;
import com.e2eq.framework.model.securityrules.ResourceContext;
import com.e2eq.framework.model.securityrules.RuleContext;
import com.e2eq.framework.model.securityrules.SecurityContext;
import com.e2eq.framework.util.SecurityUtils;
import com.e2eq.framework.util.ValidateUtils;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.quarkus.logging.Log;
import io.quarkus.security.identity.SecurityIdentity;
import jakarta.inject.Inject;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.Provider;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.StringTokenizer;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.jboss.logging.Logger;

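@Provider
/* loaded from: input_file:com/e2eq/framework/rest/filters/SecurityFilter.class */
/**
 * Request filter that derives the {@link ResourceContext} from the request path
 * ({@code /area/functionalDomain/action}) and the {@link PrincipalContext} from the
 * {@code realm} query parameter, the {@code Authorization} header and the injected
 * JWT claims, then publishes both through {@link SecurityContext}.
 *
 * <p>The principal is resolved in this order: anonymous context (optionally with a
 * caller-supplied realm), then a credential record looked up by the JWT
 * {@code username}/{@code sub} claim, then a realm matched by the e-mail domain of
 * that claim. The last two steps both yield an {@code AUTHENTICATED} scope.
 */
public class SecurityFilter implements ContainerRequestFilter {
    private static final String AUTHENTICATION_SCHEME = "Bearer";

    /** Injected configuration/collaborators; {@code authProvider}, {@code ruleContext} and {@code mapper} are not referenced in this class. */
    @ConfigProperty(name = "auth.provider")
    String authProvider;

    @Inject
    JsonWebToken jwt;

    @Inject
    SecurityIdentity securityIdentity;

    @Inject
    RuleContext ruleContext;

    @Inject
    RealmRepo realmRepo;

    @Inject
    CredentialRepo credentialRepo;

    @Inject
    ObjectMapper mapper;

    @Inject
    SecurityUtils securityUtils;

    /**
     * Resolves the resource and principal contexts for this request and stores them in
     * {@link SecurityContext}.
     *
     * @param containerRequestContext the incoming request
     * @throws IllegalStateException if no principal context could be determined
     * @throws IOException never thrown here; declared by the filter contract
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        // Resource context first: determineResourceContext() also records it in SecurityContext.
        ResourceContext resourceContext = determineResourceContext(containerRequestContext);
        PrincipalContext principalContext = determinePrincipalContext(containerRequestContext);
        if (principalContext == null) {
            throw new IllegalStateException("Principal context came back null and should not be null");
        }
        SecurityContext.setPrincipalContext(principalContext);
        SecurityContext.setResourceContext(resourceContext);
    }

    /**
     * Builds the resource context from the request path, reusing one already present in
     * {@link SecurityContext}.
     *
     * <p>Three or more path segments are read as {@code area/functionalDomain/action}
     * (deeper segments are ignored); exactly two are read as {@code area/action} with the
     * functional domain set equal to the area; anything else yields
     * {@link ResourceContext#DEFAULT_ANONYMOUS_CONTEXT}.
     *
     * @param containerRequestContext the incoming request
     * @return the resolved resource context, never {@code null}
     */
    protected ResourceContext determineResourceContext(ContainerRequestContext containerRequestContext) {
        if (SecurityContext.getResourceContext().isPresent()) {
            return SecurityContext.getResourceContext().get();
        }
        String path = containerRequestContext.getUriInfo().getPath();
        StringTokenizer tokens = new StringTokenizer(path, "/");
        int tokenCount = tokens.countTokens();
        ResourceContext resourceContext;
        if (tokenCount > 2) {
            if (Log.isEnabled(Logger.Level.WARN)) {
                Log.warn("Path: " + path + " three or more levels");
            }
            String area = tokens.nextToken();
            String functionalDomain = tokens.nextToken();
            String action = tokens.nextToken();
            if (Log.isDebugEnabled()) {
                Log.debug("Based upon request convention assumed that the area is:" + area + " functional domain is:" + functionalDomain + " and action is:" + action);
            }
            resourceContext = new ResourceContext.Builder()
                    .withAction(action)
                    .withArea(area)
                    .withFunctionalDomain(functionalDomain)
                    .build();
            SecurityContext.setResourceContext(resourceContext);
            if (Log.isDebugEnabled()) {
                Log.debug("Resource Context set");
            }
        } else if (tokenCount == 2) {
            String area = tokens.nextToken();
            String action = tokens.nextToken();
            // Two segments: the area doubles as the functional domain.
            resourceContext = new ResourceContext.Builder()
                    .withAction(action)
                    .withArea(area)
                    .withFunctionalDomain(area)
                    .build();
            SecurityContext.setResourceContext(resourceContext);
            if (Log.isEnabled(Logger.Level.WARN)) {
                Log.warnf("%s:Odd request convention, not following /area/fd/fa .. so assuming the fd and area are equal: %s only two tokens for resource, assuming area as fd, fd=%s action=%s", path, area, area, action);
            }
            if (Log.isDebugEnabled()) {
                Log.debug("Resource Context set");
            }
        } else {
            Log.warn("Non conformant url:" + path + " could not set resource context as a result, expecting /area/functionalDomain/action: TokenCount:" + tokenCount);
            resourceContext = ResourceContext.DEFAULT_ANONYMOUS_CONTEXT;
        }
        return resourceContext;
    }

    /**
     * Resolves the principal for this request.
     *
     * @param containerRequestContext the incoming request
     * @return an anonymous context when there is no {@code Authorization} header, no JWT
     *         or no usable claim; otherwise an {@code AUTHENTICATED} context
     * @throws WebApplicationException (401) when the claimed username is neither a known
     *         credential nor an e-mail address whose domain maps to a realm
     */
    protected PrincipalContext determinePrincipalContext(ContainerRequestContext containerRequestContext) {
        if (Log.isDebugEnabled()) {
            Log.debug("---Determining principal context--");
            Log.debugf("Security Identity:%s", this.securityIdentity.toString());
            Log.debugf("Security Identity Principal Name:%s ", this.securityIdentity.getPrincipal().getName());
        }
        MultivaluedMap<String, String> queryParameters = containerRequestContext.getUriInfo().getQueryParameters();
        String requestedRealm = queryParameters.getFirst("realm");
        if (requestedRealm != null) {
            Log.debug("!!!! Determining realm from query parameters: " + requestedRealm);
        }
        // NOTE(review): the anonymous principal's default realm is taken verbatim from an
        // unauthenticated query parameter; confirm that downstream rules treat it as
        // untrusted and that it cannot be used to select another tenant's data.
        String anonymousRealm = requestedRealm == null ? this.securityUtils.getSystemRealm() : requestedRealm;
        PrincipalContext principalContext = anonymousContext(anonymousRealm);

        String authHeader = containerRequestContext.getHeaderString("Authorization");
        if (authHeader == null || this.jwt == null) {
            return principalContext;
        }
        // The header value itself is not parsed here (the original substring call was a
        // no-op that threw on values shorter than "Bearer"); the scheme is only a gate.
        // Presumably token verification happened in the JWT extension before this filter — confirm.
        String username = this.jwt.getClaim("username");
        if (username == null) {
            Log.warn("JWT did not contain a username claim, using sub claim instead");
            username = this.jwt.getClaim("sub");
        }
        if (username == null) {
            return principalContext;
        }
        Optional<CredentialUserIdPassword> credential = this.credentialRepo.findByUsername(username);
        if (credential.isPresent()) {
            return authenticatedContextFromCredential(username, credential.get());
        }
        return authenticatedContextFromEmailDomain(username);
    }

    /** Anonymous principal in the given realm, system data domain, {@code systemGenerated} scope. */
    private PrincipalContext anonymousContext(String realm) {
        return new PrincipalContext.Builder()
                .withDefaultRealm(realm)
                .withDataDomain(this.securityUtils.getSystemDataDomain())
                .withUserId(this.securityUtils.getAnonymousUserId())
                .withRoles(new String[]{"ANONYMOUS"})
                .withScope("systemGenerated")
                .build();
    }

    /** Authenticated principal built from a stored credential; roles fall back to the SecurityIdentity when the record has none. */
    private PrincipalContext authenticatedContextFromCredential(String username, CredentialUserIdPassword credential) {
        if (Log.isDebugEnabled()) {
            Log.debugf("Found user with username %s userId:%s in the database, adding roles %s", username, credential.getUserId(), Arrays.toString(credential.getRoles()));
        }
        String[] roles = credential.getRoles();
        if (roles == null || roles.length == 0) {
            roles = rolesOrAnonymous(this.securityIdentity.getRoles());
        }
        PrincipalContext context = new PrincipalContext.Builder()
                .withDefaultRealm(credential.getDomainContext().getDefaultRealm())
                .withDataDomain(credential.getDomainContext().toDataDomain(credential.getUserId()))
                .withUserId(credential.getUserId())
                .withRoles(roles)
                .withScope("AUTHENTICATED")
                .build();
        if (Log.isDebugEnabled()) {
            Log.debugf("Principal Context updated with roles: %s", Arrays.toString(roles));
            Log.debugf("Principal Context: %s", context.toString());
        }
        return context;
    }

    /**
     * Authenticated principal for a username with no credential record, resolved through
     * the realm registered for the e-mail domain of the username.
     *
     * @throws WebApplicationException (401) if the username is not an e-mail address or no
     *         realm is registered for its domain
     */
    private PrincipalContext authenticatedContextFromEmailDomain(String username) {
        Log.warnf("Could not find user with username: %s", username);
        Log.warn("Attempting to see if the realm is defined via the user/subject being an email address");
        if (!ValidateUtils.isValidEmailAddress(username)) {
            String message = String.format("Could not find the user with username:%s in the database:%s and could not parse the id into an email address to look up the realm.", username, this.credentialRepo.getDatabaseName());
            // Log.warn, not warnf: the text is already formatted and contains caller-supplied
            // data that must not be re-interpreted as a format string.
            Log.warn(message);
            throw new WebApplicationException(message, Response.Status.UNAUTHORIZED);
        }
        String emailDomain = username.substring(username.indexOf('@') + 1);
        Log.infof("UserId appears to be an email address with domain %s searching realms for domain Context", emailDomain);
        Optional<Realm> realm = this.realmRepo.findByEmailDomain(emailDomain, true);
        if (!realm.isPresent()) {
            String message = String.format("Could not find the username:%s in the database:%s and could not find a realm based on the email domain:%s", username, this.credentialRepo.getDatabaseName(), emailDomain);
            Log.warn(message);
            throw new WebApplicationException(message, Response.Status.UNAUTHORIZED);
        }
        Realm matchedRealm = realm.get();
        DataDomain dataDomain = matchedRealm.getDomainContext().toDataDomain(username);
        // NOTE(review): this grants AUTHENTICATED scope to a subject that has no credential
        // record, with roles taken from the SecurityIdentity; confirm that is the intended
        // trust model for domain-matched realms.
        return new PrincipalContext.Builder()
                .withDefaultRealm(matchedRealm.getDomainContext().getDefaultRealm())
                .withDataDomain(dataDomain)
                .withUserId(username)
                .withRoles(rolesOrAnonymous(this.securityIdentity.getRoles()))
                .withScope("AUTHENTICATED")
                .build();
    }

    /** Copies the identity's roles to a fresh array, or returns a fresh {@code {"ANONYMOUS"}} when there are none. */
    private static String[] rolesOrAnonymous(Set<String> identityRoles) {
        if (identityRoles == null || identityRoles.isEmpty()) {
            return new String[]{"ANONYMOUS"};
        }
        return identityRoles.toArray(new String[0]);
    }
}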
