package ch.usp.core.waap.spec.v1.render.auth;

import ch.usp.core.waap.spec.EnvoyPrototypes;
import ch.usp.core.waap.spec.v1.render.EnvoyConfigData;
import ch.usp.core.waap.spec.v1.render.WaapRenderUtil;
import ch.usp.core.waap.spec.v1.render.WaapToEnvoyContext;
import ch.usp.core.waap.spec.v1.render.protocol.WaapToEnvoyProtocol;
import ch.usp.core.waap.spec.v1.render.traffic.WaapToEnvoyTrafficProcessing;
import ch.usp.core.waap.spec.v1.spec.WaapSpec;
import ch.usp.core.waap.spec.v1.spec.auth.WaapAuth;
import ch.usp.core.waap.spec.v1.spec.auth.WaapAuthCredentials;
import ch.usp.core.waap.spec.v1.spec.auth.WaapAuthJwtClaimToHeader;
import ch.usp.core.waap.spec.v1.spec.crs.WaapCrsRuleException;
import ch.usp.core.waap.spec.v1.spec.route.WaapRouteBackendProtocol;
import com.google.protobuf.Any;
import com.google.protobuf.BoolValue;
import com.google.protobuf.Duration;
import io.envoyproxy.envoy.config.cluster.v3.Cluster;
import io.envoyproxy.envoy.config.core.v3.ConfigSource;
import io.envoyproxy.envoy.config.core.v3.HttpUri;
import io.envoyproxy.envoy.config.core.v3.PathConfigSource;
import io.envoyproxy.envoy.config.endpoint.v3.ClusterLoadAssignment;
import io.envoyproxy.envoy.config.endpoint.v3.Endpoint;
import io.envoyproxy.envoy.config.endpoint.v3.LbEndpoint;
import io.envoyproxy.envoy.config.endpoint.v3.LocalityLbEndpoints;
import io.envoyproxy.envoy.config.route.v3.DirectResponseAction;
import io.envoyproxy.envoy.config.route.v3.Route;
import io.envoyproxy.envoy.config.route.v3.RouteMatch;
import io.envoyproxy.envoy.config.route.v3.VirtualHost;
import io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication;
import io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3.JwtClaimToHeader;
import io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3.JwtProvider;
import io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3.JwtRequirement;
import io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3.RemoteJwks;
import io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3.RequirementRule;
import io.envoyproxy.envoy.extensions.filters.http.oauth2.v3.OAuth2;
import io.envoyproxy.envoy.extensions.filters.http.oauth2.v3.OAuth2Config;
import io.envoyproxy.envoy.extensions.filters.http.oauth2.v3.OAuth2Credentials;
import io.envoyproxy.envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SdsSecretConfig;
import io.envoyproxy.envoy.type.matcher.v3.PathMatcher;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import javax.annotation.Nullable;

/* loaded from: input_file:ch/usp/core/waap/spec/v1/render/auth/WaapToEnvoyAuth.class */
public final class WaapToEnvoyAuth {
    private static final String JWT_PROVIDER_NAME_PREFIX = "provider-";

    private WaapToEnvoyAuth() {
    }

    public static List<Cluster> getClustersForAuthentication(WaapToEnvoyContext waapToEnvoyContext) {
        WaapSpec waapSpec = waapToEnvoyContext.getWaapSpec();
        LinkedList linkedList = new LinkedList();
        for (WaapAuth waapAuth : waapSpec.getAuthentications()) {
            String authClusterName = getAuthClusterName(waapAuth);
            String opEndpointAddress = getOpEndpointAddress(waapAuth);
            int opEndpointPort = getOpEndpointPort(waapAuth);
            boolean isOpEndpointHttps = isOpEndpointHttps(waapAuth);
            Cluster.Builder loadAssignment = Cluster.newBuilder(EnvoyPrototypes.CLUSTER_PROTOTYPE).setName(authClusterName).setLoadAssignment(ClusterLoadAssignment.newBuilder().setClusterName(authClusterName).addEndpoints(LocalityLbEndpoints.newBuilder().addLbEndpoints(LbEndpoint.newBuilder().setEndpoint(Endpoint.newBuilder().setAddress(EnvoyPrototypes.newAddressFromSocketAddressAndPort(opEndpointAddress, opEndpointPort)).build()).build())).build());
            WaapRouteBackendProtocol.Selection selection = WaapRouteBackendProtocol.Selection.h1;
            if (isOpEndpointHttps) {
                WaapToEnvoyProtocol.addClusterTlsSettings(loadAssignment, authClusterName, opEndpointAddress, true, selection);
            }
            linkedList.add(loadAssignment.build());
        }
        return linkedList;
    }

    public static void addAuthRelatedFilters(WaapToEnvoyContext waapToEnvoyContext, List<HttpFilter> list) {
        for (WaapAuth waapAuth : waapToEnvoyContext.getWaapSpec().getAuthentications()) {
            if (waapAuth.isWithOAuth()) {
                list.add(getOAuth2HttpFilter(waapToEnvoyContext, waapAuth));
            }
            list.add(getJwtHttpFilter(waapAuth));
        }
    }

    public static void disableAuthFiltersIfNotConfigured(WaapSpec waapSpec, @Nullable String str, Route.Builder builder) {
        for (WaapAuth waapAuth : waapSpec.getAuthentications()) {
            boolean z = false;
            boolean z2 = false;
            if (waapAuth.getName().equals(str)) {
                z = true;
                z2 = waapAuth.isWithOAuth();
            }
            if (!z) {
                WaapRenderUtil.disableFilterInRoute(getJwtFilterName(waapAuth), builder);
            }
            if (!z2) {
                WaapRenderUtil.disableFilterInRoute(getOAuth2FilterName(waapAuth), builder);
            }
        }
    }

    public static void addTechnicalLocationsRoutes(WaapSpec waapSpec, VirtualHost.Builder builder) {
        for (WaapAuth waapAuth : waapSpec.getAuthentications()) {
            if (waapAuth.isWithOAuth()) {
                Route.Builder directResponse = Route.newBuilder().setMatch(RouteMatch.newBuilder().setPrefix(getAuthTechLocationsPrefix(waapAuth)).build()).setDirectResponse(DirectResponseAction.newBuilder().setStatus(404).build());
                disableAuthFiltersIfNotConfigured(waapSpec, waapAuth.getName(), directResponse);
                WaapToEnvoyTrafficProcessing.disableTrafficProcessingFiltersIfNotConfigured(waapSpec, List.of(), directResponse);
                builder.addRoutes(directResponse.build());
            }
        }
    }

    private static HttpFilter getOAuth2HttpFilter(WaapToEnvoyContext waapToEnvoyContext, WaapAuth waapAuth) {
        WaapAuthCredentials credentials = waapAuth.getCredentials();
        OAuth2Credentials.Builder clientId = OAuth2Credentials.newBuilder().setClientId(credentials.getClientId());
        if (credentials.getClientSecret() != null) {
            String str = "oauth-" + waapAuth.getName() + "-clientSecret";
            waapToEnvoyContext.getStaticSecrets().put(str, credentials.getClientSecret());
            clientId.setTokenSecret(SdsSecretConfig.newBuilder().setName(str).build());
        } else {
            clientId.setTokenSecret(getOauthDynamicSecretConfig(waapToEnvoyContext, waapAuth, credentials.getClientSecretRef(), "clientSecret"));
        }
        if (credentials.getHmacSecret() != null) {
            String str2 = "oauth-" + waapAuth.getName() + "-hmacSecret";
            waapToEnvoyContext.getStaticSecrets().put(str2, credentials.getHmacSecret());
            clientId.setHmacSecret(SdsSecretConfig.newBuilder().setName(str2).build());
        } else {
            clientId.setHmacSecret(getOauthDynamicSecretConfig(waapToEnvoyContext, waapAuth, credentials.getHmacSecretRef(), "hmacSecret"));
        }
        OAuth2Config.Builder credentials2 = OAuth2Config.newBuilder().setTokenEndpoint(HttpUri.newBuilder().setCluster(getAuthClusterName(waapAuth)).setUri(waapAuth.getTokenEndpoint()).setTimeout(Duration.newBuilder().setSeconds(5L).build()).build()).setAuthorizationEndpoint(waapAuth.getAuthorizationEndpoint()).setAuthType(toEnvoyAuthType(waapAuth.getTokenEndpointAuthType())).setUseRefreshToken(BoolValue.of(waapAuth.isUseRefreshToken())).setRedirectUri("%REQ(x-forwarded-proto)%://%REQ(:authority)%" + getAuthCallbackLocation(waapAuth)).setForwardBearerToken(true).setRedirectPathMatcher(PathMatcher.newBuilder().setPath(StringMatcher.newBuilder().setExact(getAuthCallbackLocation(waapAuth)).build()).build()).setSignoutPath(PathMatcher.newBuilder().setPath(StringMatcher.newBuilder().setExact(getAuthSignoutLocation(waapAuth)).build()).build()).setCredentials(clientId.build());
        List<String> scopes = waapAuth.getScopes();
        Objects.requireNonNull(credentials2);
        scopes.forEach(credentials2::addAuthScopes);
        return HttpFilter.newBuilder().setName(getOAuth2FilterName(waapAuth)).setTypedConfig(Any.pack(OAuth2.newBuilder().setConfig(credentials2.build()).build())).build();
    }

    private static OAuth2Config.AuthType toEnvoyAuthType(WaapAuth.TokenEndpointAuthType tokenEndpointAuthType) {
        return tokenEndpointAuthType == WaapAuth.TokenEndpointAuthType.BASIC ? OAuth2Config.AuthType.BASIC_AUTH : OAuth2Config.AuthType.URL_ENCODED_BODY;
    }

    private static SdsSecretConfig getOauthDynamicSecretConfig(WaapToEnvoyContext waapToEnvoyContext, WaapAuth waapAuth, String str, String str2) {
        String str3 = "/etc/envoy/secrets/oauth/" + waapAuth.getName() + "/" + str2;
        String str4 = str3 + "/" + (str2 + ".yaml");
        waapToEnvoyContext.getSecretFileMounts().put(str3, EnvoyConfigData.SecretFileMount.builder().mount(str3).name(str).build());
        return SdsSecretConfig.newBuilder().setName(str).setSdsConfig(ConfigSource.newBuilder().setPathConfigSource(PathConfigSource.newBuilder().setPath(str4).build()).build()).build();
    }

    private static HttpFilter getJwtHttpFilter(WaapAuth waapAuth) {
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        JwtProvider.Builder newBuilder = JwtProvider.newBuilder();
        if (waapAuth.getIssuer() != null) {
            newBuilder.setIssuer(waapAuth.getIssuer());
        }
        List<WaapAuthJwtClaimToHeader> jwtClaimToHeader = waapAuth.getBackend().getJwtClaimToHeader();
        if (jwtClaimToHeader != null) {
            jwtClaimToHeader.forEach(waapAuthJwtClaimToHeader -> {
                newBuilder.addClaimToHeaders(JwtClaimToHeader.newBuilder().setHeaderName(waapAuthJwtClaimToHeader.getHeaderName()).setClaimName(waapAuthJwtClaimToHeader.getClaim()).build());
            });
        }
        newBuilder.addAllAudiences(waapAuth.getAudiences()).setRemoteJwks(RemoteJwks.newBuilder().setHttpUri(HttpUri.newBuilder().setUri(waapAuth.getJwksEndpoint()).setCluster(getAuthClusterName(waapAuth)).setTimeout(Duration.newBuilder().setSeconds(5L).build()).build()).build()).setForward(waapAuth.getBackend().isForwardJwt());
        if (waapAuth.isWithOAuth()) {
            newBuilder.addFromCookies("IdToken");
        }
        String name = waapAuth.getName();
        linkedHashMap.put("provider-" + name, newBuilder.build());
        return HttpFilter.newBuilder().setName(getJwtFilterName(waapAuth)).setTypedConfig(Any.pack(JwtAuthentication.newBuilder().putAllProviders(linkedHashMap).addRules(RequirementRule.newBuilder().setMatch(RouteMatch.newBuilder().setPrefix(WaapCrsRuleException.ROOT_LOCATION).build()).setRequires(JwtRequirement.newBuilder().setProviderName("provider-" + name).build()).build()).build())).build();
    }

    private static String getAuthClusterName(WaapAuth waapAuth) {
        return "core.waap.cluster.auth-" + waapAuth.getName();
    }

    private static String getAuthTechLocationsPrefix(WaapAuth waapAuth) {
        return "/core-waap/oauth/" + waapAuth.getName() + "/";
    }

    private static String getAuthCallbackLocation(WaapAuth waapAuth) {
        return getAuthTechLocationsPrefix(waapAuth) + "callback";
    }

    private static String getAuthSignoutLocation(WaapAuth waapAuth) {
        return getAuthTechLocationsPrefix(waapAuth) + "signout";
    }

    private static String getOAuth2FilterName(WaapAuth waapAuth) {
        return "core.waap.listener.filters.http.httpFilter.oauth2.auth-" + waapAuth.getName();
    }

    private static String getJwtFilterName(WaapAuth waapAuth) {
        return "core.waap.listener.filters.http.httpFilter.jwt.auth-" + waapAuth.getName();
    }

    private static String getOpEndpointAddress(WaapAuth waapAuth) {
        return waapAuth.getOpEndpointUri().getHost();
    }

    private static int getOpEndpointPort(WaapAuth waapAuth) {
        int port = waapAuth.getOpEndpointUri().getPort();
        return port >= 0 ? port : isOpEndpointHttps(waapAuth) ? 443 : 80;
    }

    private static boolean isOpEndpointHttps(WaapAuth waapAuth) {
        return waapAuth.getOpEndpointUri().getScheme().equals("https");
    }
}
