package com.kolich.havalo.filters;

import com.google.common.net.HttpHeaders;
import com.kolich.curacao.annotations.Injectable;
import com.kolich.curacao.handlers.requests.CuracaoContext;
import com.kolich.curacao.handlers.requests.filters.CuracaoRequestFilter;
import com.kolich.havalo.components.RepositoryManagerComponent;
import com.kolich.havalo.entities.types.KeyPair;
import com.kolich.havalo.exceptions.authentication.AuthenticationException;
import com.kolich.havalo.exceptions.authentication.BadCredentialsException;
import java.security.MessageDigest;
import java.util.Locale;
import java.util.UUID;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.StringUtils;
import org.apache.commons.io.IOUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/havalo-kvs-2.1.jar:com/kolich/havalo/filters/HavaloAuthenticationFilter.class */
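/**
 * Curacao request filter that authenticates a request from its
 * {@code Authorization: Havalo <access-key-uuid>:<base64-signature>} header.
 *
 * <p>The filter looks up the {@link KeyPair} for the access key, recomputes an
 * HMAC-SHA256 signature over a canonical string built from the request
 * (see {@link #getStringToSign(HttpServletRequest)}), and compares it with the
 * signature the client sent. On success the key pair is stored on the request
 * under {@link #HAVALO_AUTHENTICATION_ATTRIBUTE}; on any failure an
 * {@link AuthenticationException} with a single generic message is thrown.
 */
public final class HavaloAuthenticationFilter implements CuracaoRequestFilter {
    private static final Logger logger__ = LoggerFactory.getLogger(HavaloAuthenticationFilter.class);

    /** Request attribute under which the authenticated {@link KeyPair} is stored. */
    public static final String HAVALO_AUTHENTICATION_ATTRIBUTE = "havalo.authentication";

    /** Scheme prefix expected at the start of the {@code Authorization} header value. */
    private static final String HAVALO_AUTHORIZATION_PREFIX = "Havalo ";

    /** Separates the access key from the signature inside the header value. */
    private static final String HAVALO_AUTHORIZATION_SEPARATOR = ":";

    private final HavaloUserService userService_;

    /* loaded from: input_file:WEB-INF/lib/havalo-kvs-2.1.jar:com/kolich/havalo/filters/HavaloAuthenticationFilter$HMACSHA256Signer.class */
    /** Computes Base64-encoded HMAC-SHA256 signatures keyed by a {@link KeyPair} secret. */
    private static final class HMACSHA256Signer {
        private static final String HMAC_SHA256_ALGORITHM_NAME = "HmacSHA256";

        private HMACSHA256Signer() {
        }

        /**
         * Signs {@code str} with the secret of {@code keyPair}.
         *
         * @param keyPair key pair whose secret (UTF-8 encoded) is the HMAC key
         * @param str the string to sign (UTF-8 encoded)
         * @return the Base64 encoding of the HMAC-SHA256 of {@code str}
         * @throws AuthenticationException if the MAC cannot be created, keyed or computed
         */
        public static final String sign(KeyPair keyPair, String str) {
            try {
                Mac mac = Mac.getInstance(HMAC_SHA256_ALGORITHM_NAME);
                mac.init(new SecretKeySpec(StringUtils.getBytesUtf8(keyPair.getSecret()), HMAC_SHA256_ALGORITHM_NAME));
                return StringUtils.newStringUtf8(Base64.encodeBase64(mac.doFinal(StringUtils.getBytesUtf8(str))));
            } catch (Exception e) {
                // Broad catch is deliberate: a null secret surfaces as an unchecked
                // exception from SecretKeySpec and must still fail authentication.
                throw new AuthenticationException("Failed to SHA-256 sign input string: " + str, e);
            }
        }
    }

    /**
     * Creates the filter on top of the repository manager supplied by the container.
     *
     * @param repositoryManagerComponent component providing the repository manager
     *     that backs the user (key pair) lookup
     */
    @Injectable
    public HavaloAuthenticationFilter(RepositoryManagerComponent repositoryManagerComponent) {
        this.userService_ = new HavaloUserService(repositoryManagerComponent.getRepositoryManager());
    }

    /**
     * Authenticates the request carried by {@code curacaoContext}.
     *
     * @param curacaoContext context holding the incoming servlet request
     * @throws AuthenticationException if the header is missing or malformed, the
     *     access key is unknown, or the signature does not match; the message is
     *     the same for every cause and the underlying exception is attached as the cause
     */
    @Override // com.kolich.curacao.handlers.requests.filters.CuracaoRequestFilter
    public final void filter(CuracaoContext curacaoContext) throws Exception {
        try {
            final HttpServletRequest request = curacaoContext.request_;
            final String authorization = request.getHeader(HttpHeaders.AUTHORIZATION);
            if (authorization == null || !authorization.startsWith(HAVALO_AUTHORIZATION_PREFIX)) {
                throw new AuthenticationException("Request did not contain a valid 'Authorization' header.");
            }
            // Limit of 2: everything after the first separator is the signature.
            final String[] tokens = authorization.substring(HAVALO_AUTHORIZATION_PREFIX.length())
                    .split(HAVALO_AUTHORIZATION_SEPARATOR, 2);
            if (tokens.length != 2) {
                throw new AuthenticationException("Failed to extract correct number of tokens from 'Authorization' header.");
            }
            // A malformed UUID throws IllegalArgumentException, handled by the catch below.
            final UUID accessKey = UUID.fromString(tokens[0]);
            final String presentedSignature = tokens[1];
            final KeyPair keyPair = this.userService_.loadKeyPairById(accessKey);
            if (keyPair == null) {
                throw new AuthenticationException("User service returned null, which is an interface contract violation.");
            }
            final String expectedSignature = HMACSHA256Signer.sign(keyPair, getStringToSign(request));
            // Constant-time comparison: String.equals returns at the first differing
            // character, so response timing would reveal how much of a guess is right.
            if (!MessageDigest.isEqual(
                    StringUtils.getBytesUtf8(expectedSignature),
                    StringUtils.getBytesUtf8(presentedSignature))) {
                // The expected signature is a valid credential for this exact request
                // and must never reach a log line or an exception message.
                throw new BadCredentialsException("Signatures did not match for access key " + accessKey);
            }
            request.setAttribute(HAVALO_AUTHENTICATION_ATTRIBUTE, keyPair);
        } catch (Exception e) {
            logger__.debug("Authentication failure; service failed to authenticate request.", e);
            // One generic message for every failure so the caller cannot tell which
            // step rejected the request.
            // NOTE(review): the cause is still attached; confirm the error handler
            // never renders the cause chain to the client.
            throw new AuthenticationException("Authentication failed; either the provided signature did not match, or you do not have permission to access the requested resource.", e);
        }
    }

    /**
     * Builds the canonical string the client is expected to have signed:
     * upper-cased method, {@code Date} header, {@code Content-Type} header
     * (empty when absent) and request URI, joined by {@code \n}.
     *
     * <p>NOTE(review): the {@code Date} value is only required to be present; it
     * is not parsed or checked against the server clock here, so this method does
     * not bound how long a captured request stays replayable. The query string
     * and the request body are also outside the signed data
     * ({@code getRequestURI()} excludes the query string). Confirm that neither
     * is security-relevant for the endpoints behind this filter, or that a
     * freshness check exists elsewhere.
     *
     * @param httpServletRequest the request being authenticated
     * @return the string to sign
     * @throws BadCredentialsException if the request has no {@code Date} header
     */
    private static final String getStringToSign(HttpServletRequest httpServletRequest) {
        final StringBuilder canonical = new StringBuilder();
        // Locale.ROOT keeps the result independent of the JVM default locale
        // (e.g. Turkish casing of 'i'), so it always matches what the client signed.
        canonical.append(httpServletRequest.getMethod().toUpperCase(Locale.ROOT))
                .append(IOUtils.LINE_SEPARATOR_UNIX);
        final String date = httpServletRequest.getHeader(HttpHeaders.DATE);
        if (date == null) {
            throw new BadCredentialsException("Incoming request missing required 'Date' request header.");
        }
        canonical.append(date).append(IOUtils.LINE_SEPARATOR_UNIX);
        final String contentType = httpServletRequest.getHeader(HttpHeaders.CONTENT_TYPE);
        if (contentType != null) {
            canonical.append(contentType);
        }
        // The separator is emitted even when Content-Type is absent.
        canonical.append(IOUtils.LINE_SEPARATOR_UNIX);
        canonical.append(httpServletRequest.getRequestURI());
        return canonical.toString();
    }
}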
