package io.gravitee.policy.httpsignature;

import io.gravitee.gateway.api.ExecutionContext;
import io.gravitee.gateway.api.Request;
import io.gravitee.gateway.api.Response;
import io.gravitee.gateway.api.http.HttpHeaders;
import io.gravitee.policy.api.PolicyChain;
import io.gravitee.policy.api.PolicyResult;
import io.gravitee.policy.api.annotations.OnRequest;
import io.gravitee.policy.httpsignature.configuration.HttpSignaturePolicyConfiguration;
import io.gravitee.policy.httpsignature.configuration.HttpSignatureScheme;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.List;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import javax.crypto.spec.SecretKeySpec;
import org.tomitribe.auth.signatures.Signature;
import org.tomitribe.auth.signatures.Signer;

/* loaded from: input_file:io/gravitee/policy/httpsignature/HttpSignaturePolicy.class */
public class HttpSignaturePolicy {
    private static final String HTTP_SIGNATURE_INVALID_SIGNATURE = "HTTP_SIGNATURE_INVALID_SIGNATURE";
    static final String HTTP_HEADER_SIGNATURE = "Signature";
    private final HttpSignaturePolicyConfiguration configuration;
    private static final Pattern RFC_2617_PARAM_NON_STRICT = Pattern.compile("(?<key>\\w+)=((?<stringValue>.*?)($|,))");

    public HttpSignaturePolicy(HttpSignaturePolicyConfiguration httpSignaturePolicyConfiguration) {
        this.configuration = httpSignaturePolicyConfiguration;
    }

    @OnRequest
    public void onRequest(Request request, Response response, ExecutionContext executionContext, PolicyChain policyChain) {
        Signature extractSignature = extractSignature(request);
        if (extractSignature != null && enforceAlgorithm(extractSignature) && enforceHeaders(extractSignature) && validateHeaders(extractSignature, request) && verifySignatureValidityDates(extractSignature) && verifySignature(extractSignature, executionContext, request)) {
            policyChain.doNext(request, response);
        } else {
            policyChain.failWith(PolicyResult.failure(HTTP_SIGNATURE_INVALID_SIGNATURE, 401, "Invalid HTTP Signature"));
        }
    }

    private boolean verifySignature(Signature signature, ExecutionContext executionContext, Request request) {
        try {
            Long l = null;
            if (signature.getSignatureCreationTimeMilliseconds() != null && signature.getSignatureExpirationTimeMilliseconds() != null) {
                l = Long.valueOf(signature.getSignatureExpirationTimeMilliseconds().longValue() - signature.getSignatureCreationTimeMilliseconds().longValue());
            }
            Signature signature2 = new Signature(signature.getKeyId(), signature.getSigningAlgorithm(), signature.getAlgorithm(), signature.getParameterSpec(), null, signature.getHeaders(), l, signature.getSignatureCreationTimeMilliseconds(), signature.getSignatureExpirationTimeMilliseconds());
            executionContext.getTemplateEngine().getTemplateContext().setVariable("keyId", signature.getKeyId());
            Signature sign = new Signer(new SecretKeySpec(((String) executionContext.getTemplateEngine().getValue(this.configuration.getSecret(), String.class)).getBytes(), signature.getAlgorithm().getJvmName()), signature2).sign(request.method().name().toLowerCase(), request.path(), request.headers().toSingleValueMap(), signature.getSignatureCreationTimeMilliseconds(), signature.getSignatureExpirationTimeMilliseconds());
            String signature3 = signature.getSignature();
            if (this.configuration.isDecodeSignature()) {
                signature3 = URLDecoder.decode(signature3, StandardCharsets.UTF_8.name());
            }
            return sign.getSignature().equals(signature3);
        } catch (Exception e) {
            return false;
        }
    }

    private boolean verifySignatureValidityDates(Signature signature) {
        if (this.configuration.getClockSkew() <= 0) {
            return true;
        }
        if (signature.getSignatureCreationTimeMilliseconds() == null || signature.getSignatureCreationTimeMilliseconds().longValue() <= System.currentTimeMillis() + (this.configuration.getClockSkew() * 1000)) {
            return signature.getSignatureExpirationTimeMilliseconds() == null || signature.getSignatureExpirationTimeMilliseconds().longValue() >= System.currentTimeMillis();
        }
        return false;
    }

    private boolean enforceHeaders(Signature signature) {
        List<String> headers = signature.getHeaders();
        if (this.configuration.getEnforceHeaders() == null || this.configuration.getEnforceHeaders().isEmpty()) {
            return true;
        }
        if (this.configuration.getEnforceHeaders().size() > headers.size()) {
            return false;
        }
        Stream filter = this.configuration.getEnforceHeaders().stream().map((v0) -> {
            return v0.toLowerCase();
        }).filter(str -> {
            return (str.startsWith("(") || str.endsWith(")")) ? false : true;
        });
        Objects.requireNonNull(headers);
        return filter.allMatch((v1) -> {
            return r1.contains(v1);
        });
    }

    private boolean validateHeaders(Signature signature, Request request) {
        Stream<String> filter = signature.getHeaders().stream().filter(str -> {
            return (str.startsWith("(") || str.endsWith(")")) ? false : true;
        });
        HttpHeaders headers = request.headers();
        Objects.requireNonNull(headers);
        return filter.allMatch((v1) -> {
            return r1.containsKey(v1);
        });
    }

    private boolean enforceAlgorithm(Signature signature) {
        if (this.configuration.getAlgorithms() == null || this.configuration.getAlgorithms().isEmpty()) {
            return true;
        }
        return this.configuration.getAlgorithms().stream().anyMatch(algorithm -> {
            return algorithm.getAlg() == signature.getAlgorithm();
        });
    }

    private Signature extractSignature(Request request) {
        String str = null;
        if (this.configuration.getScheme() == HttpSignatureScheme.AUTHORIZATION) {
            str = request.headers().get("Authorization");
        } else if (this.configuration.getScheme() == HttpSignatureScheme.SIGNATURE) {
            str = request.headers().getFirst(HTTP_HEADER_SIGNATURE);
        }
        if (str == null) {
            return null;
        }
        try {
            if (!this.configuration.isStrictMode() && !str.contains("\"")) {
                str = convertToStrictSignature(str);
            }
            return Signature.fromString(str);
        } catch (Exception e) {
            request.metrics().setMessage(e.getMessage());
            return null;
        }
    }

    private String convertToStrictSignature(String str) {
        Matcher matcher = RFC_2617_PARAM_NON_STRICT.matcher(str);
        HashMap hashMap = new HashMap();
        while (matcher.find()) {
            String lowerCase = matcher.group("key").toLowerCase();
            String group = matcher.group("stringValue");
            try {
                Long.parseLong(group);
                hashMap.put(lowerCase, group);
            } catch (NumberFormatException e) {
                hashMap.put(lowerCase, "\"" + group + "\"");
            }
        }
        return "Signature " + ((String) hashMap.entrySet().stream().map(entry -> {
            return ((String) entry.getKey()) + "=" + ((String) entry.getValue());
        }).reduce((str2, str3) -> {
            return str2 + "," + str3;
        }).get());
    }
}
