package org.gbif.ws.security;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableMap;
import com.google.inject.Singleton;
import com.sun.jersey.api.client.ClientRequest;
import com.sun.jersey.core.util.Base64;
import com.sun.jersey.spi.container.ContainerRequest;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.core.MultivaluedMap;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.protocol.HTTP;
import org.apache.tika.metadata.Metadata;
import org.codehaus.jackson.map.ObjectMapper;
import org.gbif.ws.json.JacksonJsonContextResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
/* loaded from: input_file:WEB-INF/lib/gbif-common-ws-0.41.jar:org/gbif/ws/security/GbifAuthService.class */
public class GbifAuthService {
    private static final String ALGORITHM = "HmacSHA1";
    private static final String CHAR_ENCODING = "UTF8";
    public static final String HEADER_AUTHORIZATION = "Authorization";
    public static final String HEADER_CONTENT_TYPE = "Content-Type";
    public static final String HEADER_CONTENT_MD5 = "Content-MD5";
    public static final String GBIF_SCHEME = "GBIF";
    public static final String HEADER_GBIF_USER = "x-gbif-user";
    public static final String HEADER_ORIGINAL_REQUEST_URL = "x-url";
    private static final char NEWLINE = '\n';
    private final ImmutableMap<String, String> keyStore;
    private final String appKey;
    private final ObjectMapper mapper = new JacksonJsonContextResolver().getContext((Class<?>) null);
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) GbifAuthService.class);
    private static final Pattern COLON_PATTERN = Pattern.compile(Metadata.NAMESPACE_PREFIX_DELIMITER);

    private GbifAuthService(Map<String, String> map, String str) {
        this.keyStore = ImmutableMap.copyOf((Map) map);
        this.appKey = str;
        LOG.info("Initialised appkey store with {} keys", Integer.valueOf(this.keyStore.size()));
    }

    public static GbifAuthService multiKeyAuthService(Map<String, String> map) {
        return new GbifAuthService(map, null);
    }

    public static GbifAuthService singleKeyAuthService(String str, String str2) {
        LOG.info("Initialising auth service with key {}", str);
        return new GbifAuthService(ImmutableMap.of(str, str2), str);
    }

    private static String buildStringToSign(ContainerRequest containerRequest) {
        StringBuilder sb = new StringBuilder();
        sb.append(containerRequest.getMethod());
        sb.append('\n');
        if (containerRequest.getRequestHeaders().containsKey(HEADER_ORIGINAL_REQUEST_URL)) {
            sb.append(containerRequest.getRequestHeaders().getFirst(HEADER_ORIGINAL_REQUEST_URL));
        } else {
            sb.append(getCanonicalizedPath(containerRequest.getRequestUri()));
        }
        appendHeader(sb, containerRequest.getRequestHeaders(), "Content-Type", false);
        appendHeader(sb, containerRequest.getRequestHeaders(), "Content-MD5", true);
        appendHeader(sb, containerRequest.getRequestHeaders(), HEADER_GBIF_USER, true);
        return sb.toString();
    }

    private static String buildStringToSign(ClientRequest clientRequest) {
        StringBuilder sb = new StringBuilder();
        sb.append(clientRequest.getMethod());
        sb.append('\n');
        sb.append(getCanonicalizedPath(clientRequest.getURI()));
        appendHeader(sb, clientRequest.getHeaders(), "Content-Type", false);
        appendHeader(sb, clientRequest.getHeaders(), "Content-MD5", true);
        appendHeader(sb, clientRequest.getHeaders(), HEADER_GBIF_USER, true);
        return sb.toString();
    }

    private static void appendHeader(StringBuilder sb, MultivaluedMap<String, ?> multivaluedMap, String str, boolean z) {
        if (multivaluedMap.containsKey(str)) {
            sb.append('\n');
            if (z) {
                sb.append(multivaluedMap.getFirst(str));
            } else {
                sb.append(multivaluedMap.getFirst(str).toString().toLowerCase());
            }
        }
    }

    private static String getCanonicalizedPath(URI uri) {
        return uri.normalize().getPath();
    }

    private static String buildAuthHeader(String str, String str2) {
        return "GBIF " + str + ':' + str2;
    }

    private String buildSignature(String str, String str2) {
        try {
            Mac mac = Mac.getInstance(ALGORITHM);
            mac.init(new SecretKeySpec(str2.getBytes(Charset.forName("UTF8")), ALGORITHM));
            return new String(Base64.encode(mac.doFinal(str.getBytes())), HTTP.ASCII);
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException("Unsupported character encoding UTF8", e);
        } catch (InvalidKeyException e2) {
            throw new RuntimeException("Invalid secret key " + str2, e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new RuntimeException("Cant find HmacSHA1 message digester", e3);
        }
    }

    public void signRequest(String str, ClientRequest clientRequest) {
        Preconditions.checkNotNull(this.appKey, "To sign request a single application key is required");
        clientRequest.getHeaders().putSingle(HEADER_GBIF_USER, str);
        clientRequest.getHeaders().putSingle(HEADER_ORIGINAL_REQUEST_URL, getCanonicalizedPath(clientRequest.getURI()));
        if (clientRequest.getEntity() != null) {
            clientRequest.getHeaders().putSingle("Content-MD5", buildContentMD5(clientRequest.getEntity()));
        }
        String buildStringToSign = buildStringToSign(clientRequest);
        String privateKey = getPrivateKey(this.appKey);
        if (privateKey == null) {
            LOG.warn("Skip signing request with unknown application key: {}", this.appKey);
            return;
        }
        String buildAuthHeader = buildAuthHeader(this.appKey, buildSignature(buildStringToSign, privateKey));
        LOG.debug("Adding authentication header to request {} for proxied user {} : {}", clientRequest.getURI(), str, buildAuthHeader);
        clientRequest.getHeaders().putSingle("Authorization", buildAuthHeader);
    }

    private String buildContentMD5(Object obj) {
        try {
            return new String(Base64.encode(DigestUtils.md5(this.mapper.writeValueAsBytes(obj))), HTTP.ASCII);
        } catch (IOException e) {
            LOG.error("Failed to serialize http entity [{}]", obj);
            throw Throwables.propagate(e);
        }
    }

    public static String getAppKeyFromRequest(RequestHeaderAccessor requestHeaderAccessor) {
        if (!StringUtils.startsWith(requestHeaderAccessor.getHeader("Authorization"), "GBIF ")) {
            return null;
        }
        String[] split = COLON_PATTERN.split(requestHeaderAccessor.getHeader("Authorization").substring(5), 2);
        if (split.length == 2) {
            return split[0];
        }
        return null;
    }

    public boolean isValidRequest(ContainerRequest containerRequest) {
        String headerValue = containerRequest.getHeaderValue("Authorization");
        if (Strings.isNullOrEmpty(headerValue) || !headerValue.startsWith("GBIF ")) {
            LOG.info("Authorization header is no GBIF scheme");
            return false;
        }
        String[] split = COLON_PATTERN.split(headerValue.substring(5), 2);
        if (split.length < 2) {
            LOG.warn("Invalid syntax for application key and signature: {}", headerValue);
            return false;
        }
        String str = split[0];
        String str2 = split[1];
        if (str == null || str2 == null) {
            LOG.warn("Authentication header missing applicationKey or signature: {}", headerValue);
            return false;
        }
        String privateKey = getPrivateKey(str);
        if (privateKey == null) {
            LOG.warn("Unknown application key: {}", str);
            return false;
        }
        String buildStringToSign = buildStringToSign(containerRequest);
        if (str2.equals(buildSignature(buildStringToSign, privateKey))) {
            LOG.debug("Trusted application with matching signatures");
            return true;
        }
        LOG.info("Invalid signature: {}", headerValue);
        LOG.debug("StringToSign: {}", buildStringToSign);
        return false;
    }

    private String getPrivateKey(String str) {
        return this.keyStore.get(str);
    }
}
