package org.jboss.resteasy.skeleton.key.jaxrs;

import java.io.IOException;
import java.security.Principal;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.jboss.resteasy.logging.Logger;
import org.jboss.resteasy.skeleton.key.RSATokenVerifier;
import org.jboss.resteasy.skeleton.key.ResourceMetadata;
import org.jboss.resteasy.skeleton.key.SkeletonKeyPrincipal;
import org.jboss.resteasy.skeleton.key.SkeletonKeySession;
import org.jboss.resteasy.skeleton.key.VerificationException;
import org.jboss.resteasy.skeleton.key.representations.SkeletonKeyToken;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.jgroups.Event;

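/**
 * JAX-RS request filter that authenticates a request from an OAuth bearer token carried in the
 * {@code Authorization} header.
 *
 * <p>A request with a missing or malformed header, a non-Bearer scheme, or a token that fails
 * {@link RSATokenVerifier#verifyToken} is aborted with a 401 and a {@code WWW-Authenticate: Bearer}
 * challenge. On success the filter pushes a {@link SkeletonKeySession} into the RESTEasy context and
 * replaces the request's {@link SecurityContext} with one backed by the verified token.
 */
// NOTE(review): the priority constant comes from org.jgroups.Event, which looks like a decompiler
// constant-resolution artifact; confirm the intended value is the JAX-RS authentication priority.
@Priority(Event.USER_DEFINED)
/* loaded from: input_file:WEB-INF/lib/skeleton-key-core-3.0-rc-1.jar:org/jboss/resteasy/skeleton/key/jaxrs/JaxrsBearerTokenFilter.class */
public class JaxrsBearerTokenFilter implements ContainerRequestFilter {
    protected ResourceMetadata resourceMetadata;
    private static Logger log = Logger.getLogger(JaxrsBearerTokenFilter.class);

    // Injected by the JAX-RS runtime; filter() dereferences it without a null check.
    @Context
    protected SecurityContext securityContext;

    /**
     * @param resourceMetadata realm / resource description used for the challenge header and for
     *     token verification
     */
    public JaxrsBearerTokenFilter(ResourceMetadata resourceMetadata) {
        this.resourceMetadata = resourceMetadata;
    }

    /**
     * Restricts a value to the characters permitted inside the quoted {@code error} and
     * {@code error_description} attributes of a Bearer challenge: printable ASCII without
     * {@code "} and {@code \}. A double quote becomes a single quote; anything else outside the
     * set (including CR/LF) becomes a space, so the value cannot close the quoted string or start
     * a new header line.
     */
    private static String sanitizeAuthParam(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '"') {
                out.append('\'');
            } else if (c >= 0x20 && c <= 0x7E && c != '\\') {
                out.append(c);
            } else {
                out.append(' ');
            }
        }
        return out.toString();
    }

    /**
     * Aborts the request with HTTP 401 and a {@code WWW-Authenticate: Bearer} challenge.
     *
     * <p>This method only records the abort response on the request context; it does not throw,
     * so the caller must stop processing (return) after calling it.
     *
     * @param containerRequestContext request to abort
     * @param str value for the {@code error} attribute, or {@code null} to omit it
     * @param str2 value for the {@code error_description} attribute, or {@code null} to omit it
     */
    protected void challengeResponse(ContainerRequestContext containerRequestContext, String str, String str2) {
        // The realm is written as supplied by ResourceMetadata (deployment configuration).
        StringBuilder sb = new StringBuilder("Bearer realm=\"");
        sb.append(this.resourceMetadata.getRealm()).append("\"");
        if (str != null) {
            sb.append(", error=\"").append(sanitizeAuthParam(str)).append("\"");
        }
        if (str2 != null) {
            // The description may be an exception message; sanitize it before it reaches a header.
            sb.append(", error_description=\"").append(sanitizeAuthParam(str2)).append("\"");
        }
        containerRequestContext.abortWith(Response.status(401).header("WWW-Authenticate", sb.toString()).build());
    }

    /**
     * Authenticates the request from its {@code Authorization: Bearer <token>} header.
     *
     * @param containerRequestContext the incoming request
     * @throws IOException declared by {@link ContainerRequestFilter#filter}
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        String headerString = containerRequestContext.getHeaderString("Authorization");
        if (headerString == null) {
            challengeResponse(containerRequestContext, null, null);
            return;
        }
        String[] split = headerString.trim().split("\\s+");
        // Stop here on a malformed header or a non-Bearer scheme. Without the return, processing
        // would fall through after the abort: split[1] can be out of bounds, and a credential sent
        // under another scheme would still be verified and pushed as a session.
        if (split.length != 2 || !split[0].equalsIgnoreCase("Bearer")) {
            challengeResponse(containerRequestContext, null, null);
            return;
        }
        String str = split[1];
        try {
            SkeletonKeyToken verifyToken = RSATokenVerifier.verifyToken(str, this.resourceMetadata);
            ResteasyProviderFactory.pushContext(SkeletonKeySession.class, new SkeletonKeySession(str, this.resourceMetadata));
            // Second constructor argument is the name of the principal already on the injected
            // security context, or null when there is none.
            final SkeletonKeyPrincipal skeletonKeyPrincipal = new SkeletonKeyPrincipal(verifyToken.getPrincipal(), this.securityContext.getUserPrincipal() != null ? this.securityContext.getUserPrincipal().getName() : null);
            final boolean isSecure = this.securityContext.isSecure();
            // Roles come from the named resource's access entry when a resource name is configured,
            // otherwise from the realm-level access entry.
            final SkeletonKeyToken.Access resourceAccess = this.resourceMetadata.getResourceName() != null ? verifyToken.getResourceAccess(this.resourceMetadata.getResourceName()) : verifyToken.getRealmAccess();
            containerRequestContext.setSecurityContext(new SecurityContext() { // from class: org.jboss.resteasy.skeleton.key.jaxrs.JaxrsBearerTokenFilter.1
                @Override
                public Principal getUserPrincipal() {
                    return skeletonKeyPrincipal;
                }

                @Override
                public boolean isUserInRole(String str2) {
                    // Fail closed: no access entry or no role set means no role is granted.
                    // NOTE(review): whether the token accessors can return null is not visible here.
                    if (resourceAccess == null || resourceAccess.getRoles() == null) {
                        return false;
                    }
                    return resourceAccess.getRoles().contains(str2);
                }

                @Override
                public boolean isSecure() {
                    return isSecure;
                }

                @Override
                public String getAuthenticationScheme() {
                    return "OAUTH_BEARER";
                }
            });
        } catch (VerificationException e) {
            log.error("Failed to verify token", e);
            // NOTE(review): the verifier's message is echoed to the client as error_description;
            // confirm it never carries detail that should stay server-side.
            challengeResponse(containerRequestContext, "invalid_token", e.getMessage());
        }
    }
}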
