package com.uid2.shared.middleware;

import com.uid2.shared.Const;
import com.uid2.shared.Utils;
import com.uid2.shared.attest.IAttestationTokenService;
import com.uid2.shared.attest.JwtService;
import com.uid2.shared.attest.JwtValidationResponse;
import com.uid2.shared.attest.RoleBasedJwtClaimValidator;
import com.uid2.shared.audit.Audit;
import com.uid2.shared.auth.IAuthorizable;
import com.uid2.shared.auth.OperatorKey;
import com.uid2.shared.auth.Role;
import io.vertx.core.Handler;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
import org.apache.commons.collections4.CollectionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/uid2/shared/middleware/AttestationMiddleware.class */
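/**
 * Vert.x middleware that gates operator endpoints behind attestation.
 *
 * <p>For a request whose auth client (as resolved by {@link AuthMiddleware}) is an
 * {@link OperatorKey}, two checks run in order:
 * <ol>
 *   <li>the attestation token header is validated against the operator's auth token through
 *       {@link IAttestationTokenService#validateToken}; operators whose protocol is
 *       {@code "trusted"} skip this step;</li>
 *   <li>the attestation JWT header, when present, is validated by {@link JwtService} against the
 *       configured audience and issuer, then checked for the roles required by the route and for a
 *       subject bound to the operator's key hash.</li>
 * </ol>
 * When {@code enforceJwt} is {@code false}, a missing or failing JWT is logged but the request is
 * still forwarded once the attestation token check passes. Any other failure (no operator key,
 * attestation token invalid, JWT failure under enforcement) ends the request with HTTP 401.
 */
public class AttestationMiddleware {
    private final IAttestationTokenService tokenService;
    private final JwtService jwtService;
    private final String jwtAudience;
    private final String jwtIssuer;
    private final boolean enforceJwt;

    /** Per-route handler holding the role set required for that route. */
    private static class AttestationHandler {
        private static final Logger LOGGER = LoggerFactory.getLogger(AttestationHandler.class);
        private final Handler<RoutingContext> next;
        private final IAttestationTokenService attestor;
        private final JwtService jwtService;
        private final String jwtAudience;
        private final String jwtIssuer;
        private final boolean enforceJwt;
        private final RoleBasedJwtClaimValidator roleBasedJwtClaimValidator;

        AttestationHandler(Handler<RoutingContext> next, IAttestationTokenService attestor, JwtService jwtService,
                           String jwtAudience, String jwtIssuer, boolean enforceJwt,
                           RoleBasedJwtClaimValidator roleBasedJwtClaimValidator) {
            this.next = next;
            this.attestor = attestor;
            this.jwtService = jwtService;
            this.jwtAudience = jwtAudience;
            this.jwtIssuer = jwtIssuer;
            this.enforceJwt = enforceJwt;
            this.roleBasedJwtClaimValidator = roleBasedJwtClaimValidator;
        }

        /**
         * Runs the attestation checks for the request and either forwards it to {@code next} or
         * fails it with 401.
         *
         * @param routingContext the current request context
         */
        public void handle(RoutingContext routingContext) {
            boolean attested = false;
            boolean jwtValid = false;

            IAuthorizable authClient = AuthMiddleware.getAuthClient(routingContext);
            if (authClient instanceof OperatorKey) {
                OperatorKey operatorKey = (OperatorKey) authClient;
                attested = isAttested(operatorKey, routingContext);
                // The JWT is only examined once the attestation token itself has passed.
                if (attested) {
                    jwtValid = isJwtValid(operatorKey, routingContext);
                }
            }

            if (attested && !jwtValid) {
                if (this.enforceJwt) {
                    LOGGER.info("JWT validation has failed.");
                    attested = false;
                } else {
                    LOGGER.info("JWT validation has failed, but JWTs are not being enforced.");
                }
            }

            if (attested) {
                this.next.handle(routingContext);
            } else {
                onFailedAttestation(routingContext);
            }
        }

        /**
         * Attestation-token step. Operators on the {@code "trusted"} protocol are accepted without a
         * token; everyone else must present both an auth token and an attestation token that the
         * attestation service accepts.
         */
        private boolean isAttested(OperatorKey operatorKey, RoutingContext routingContext) {
            if ("trusted".equals(operatorKey.getProtocol())) {
                return true;
            }
            String authToken = AuthMiddleware.getAuthToken(routingContext);
            String attestationToken = getAttestationToken(routingContext);
            if (attestationToken == null || authToken == null) {
                return false;
            }
            return this.attestor.validateToken(authToken, attestationToken);
        }

        /**
         * Attestation-JWT step. Returns {@code false} when the header is absent, the JWT does not
         * validate, or its claims fail the role/subject checks. A missing header is only logged
         * when JWTs are enforced, matching the enforcement decision made by the caller.
         */
        private boolean isJwtValid(OperatorKey operatorKey, RoutingContext routingContext) {
            String attestationJWT = getAttestationJWT(routingContext);
            if (attestationJWT == null || attestationJWT.isBlank()) {
                if (this.enforceJwt) {
                    LOGGER.info("JWT is required, but was not received. Attestation validation failed. SiteId: {}, Name: {}, Contact: {}",
                            operatorKey.getSiteId(), operatorKey.getName(), operatorKey.getContact());
                }
                return false;
            }
            try {
                JwtValidationResponse response = this.jwtService.validateJwt(attestationJWT, this.jwtAudience, this.jwtIssuer);
                if (!response.getIsValid()) {
                    return false;
                }
                return validateClaims(operatorKey, response, routingContext);
            } catch (JwtService.ValidationException e) {
                LOGGER.info("Error validating JWT. Attestation validation failed. SiteId: {}, Name: {}, Contact: {}. Error: {}",
                        operatorKey.getSiteId(), operatorKey.getName(), operatorKey.getContact(), e.toString());
                return false;
            }
        }

        /**
         * Checks the claims of an already signature-validated JWT: required roles and a subject that
         * matches the operator key. Both checks always run (so both failures get logged), and the
         * presented roles and expected subject are recorded in the audit user details either way.
         */
        private boolean validateClaims(OperatorKey operatorKey, JwtValidationResponse response, RoutingContext routingContext) {
            boolean valid = true;

            if (!this.roleBasedJwtClaimValidator.hasRequiredRoles(response)) {
                valid = false;
                LOGGER.info("JWT missing required role. Required roles: {}, JWT Presented Roles: {}, SiteId: {}, Name: {}, Contact: {}",
                        this.roleBasedJwtClaimValidator.getRequiredRoles(), response.getRoles(),
                        operatorKey.getSiteId(), operatorKey.getName(), operatorKey.getContact());
            }

            JsonObject userDetails = (JsonObject) routingContext.get(Audit.USER_DETAILS, new JsonObject());
            if (CollectionUtils.isNotEmpty(response.getRoles())) {
                userDetails.put("jwt_roles", new ArrayList<>(response.getRoles()));
            }

            String expectedSubject = calculateSubject(operatorKey);
            userDetails.put("jwt_subject", expectedSubject);
            if (!validateSubject(response, expectedSubject)) {
                valid = false;
                LOGGER.info("JWT failed validation of Subject. JWT Presented Roles: {}, SiteId: {}, Name: {}, Contact: {}, JWT Subject: {}, Operator Subject: {}",
                        response.getRoles(), operatorKey.getSiteId(), operatorKey.getName(), operatorKey.getContact(),
                        response.getSubject(), expectedSubject);
            }

            routingContext.put(Audit.USER_DETAILS, userDetails);
            return valid;
        }

        /** Ends the request with HTTP 401; no body is written here. */
        private void onFailedAttestation(RoutingContext routingContext) {
            routingContext.fail(401);
        }

        private String getAttestationToken(RoutingContext routingContext) {
            return routingContext.request().getHeader(Const.Attestation.AttestationTokenHeader);
        }

        private String getAttestationJWT(RoutingContext routingContext) {
            return routingContext.request().getHeader(Const.Attestation.AttestationJWTHeader);
        }

        /**
         * Derives the JWT subject expected for an operator: base64(SHA-512(keyHash)), or the empty
         * string when the key has no hash (which can never match a non-blank JWT subject).
         *
         * <p>The key hash is encoded as UTF-8 explicitly: the subject must be computed identically by
         * the JWT issuer, so the digest input must not depend on the JVM's platform charset.
         */
        private static String calculateSubject(OperatorKey operatorKey) {
            String keyHash = operatorKey.getKeyHash();
            if (keyHash == null || keyHash.isBlank()) {
                return "";
            }
            byte[] digest = Utils.createMessageDigestSHA512().digest(keyHash.getBytes(StandardCharsets.UTF_8));
            return Utils.toBase64String(digest);
        }

        /**
         * A JWT subject is accepted only when it is present, non-blank and exactly equal to the
         * subject derived from the operator key.
         */
        private static boolean validateSubject(JwtValidationResponse response, String expectedSubject) {
            String presented = response.getSubject();
            if (presented == null || presented.isBlank()) {
                return false;
            }
            return expectedSubject.equals(presented);
        }
    }

    /**
     * @param tokenService validates attestation tokens against operator auth tokens
     * @param jwtService   validates attestation JWTs
     * @param jwtAudience  audience the JWT must carry
     * @param jwtIssuer    issuer the JWT must carry
     * @param enforceJwt   whether a missing or invalid JWT rejects the request
     */
    public AttestationMiddleware(IAttestationTokenService tokenService, JwtService jwtService, String jwtAudience,
                                 String jwtIssuer, boolean enforceJwt) {
        this.tokenService = tokenService;
        this.jwtService = jwtService;
        this.jwtAudience = jwtAudience;
        this.jwtIssuer = jwtIssuer;
        this.enforceJwt = enforceJwt;
    }

    /**
     * Wraps {@code handler} so it only runs for requests that pass attestation and whose JWT
     * carries the given roles.
     *
     * @param handler the downstream handler to invoke on success (must not be null)
     * @param roleArr roles the attestation JWT must present for this route; duplicates are collapsed
     * @return the guarding handler to register on the route
     */
    public Handler<RoutingContext> handle(Handler<RoutingContext> handler, Role... roleArr) {
        Objects.requireNonNull(handler, "handler");
        Set<Role> requiredRoles = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(roleArr)));
        AttestationHandler attestationHandler = new AttestationHandler(handler, this.tokenService, this.jwtService,
                this.jwtAudience, this.jwtIssuer, this.enforceJwt, new RoleBasedJwtClaimValidator(requiredRoles));
        return attestationHandler::handle;
    }
}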
