package com.atlassian.asap.core.server.interceptor;

import com.atlassian.asap.api.Jwt;
import com.atlassian.asap.api.exception.AuthorizationFailedException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.lang.annotation.Annotation;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Optional;
import java.util.function.Supplier;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;

/* loaded from: input_file:com/atlassian/asap/core/server/interceptor/AuthorizationInterceptor.class */
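/**
 * Spring MVC interceptor that enforces the authorization rules declared by an {@link Asap}
 * annotation on the handler method, its declaring class, or that class's package.
 *
 * <p>Security-relevant behaviour of this class, as implemented below:
 * <ul>
 *   <li>The policy is default-allow: a handler with no {@link Asap} annotation on any of the
 *       three levels is let through without any token check.</li>
 *   <li>Handlers that are not {@link HandlerMethod} instances are let through unchecked.</li>
 *   <li>When {@code mandatory()} is {@code false} the request is let through without calling the
 *       validator, even if a token is present; the handler must then make its own decision
 *       based on the request attributes.</li>
 *   <li>The token is read from the {@code asap.authentic.jwt} request attribute. This class does
 *       not verify the token itself. NOTE(review): presumably an upstream authentication
 *       filter sets that attribute only after signature verification; confirm that the filter
 *       is registered for every path this interceptor covers.</li>
 * </ul>
 */
public class AuthorizationInterceptor implements HandlerInterceptor {
    private static final Logger LOG = LoggerFactory.getLogger(AuthorizationInterceptor.class);

    /** Request attribute from which the already-authenticated token is read. */
    private static final String AUTHENTIC_JWT_ATTRIBUTE = "asap.authentic.jwt";

    /** Request attribute under which the effective annotation is published. */
    private static final String ASAP_ANNOTATION_ATTRIBUTE = "asap.annotation";

    private final AsapValidator asapValidator;

    /**
     * Creates the interceptor.
     *
     * @param asapValidator validator that decides whether a token satisfies an {@link Asap}
     *     annotation
     */
    public AuthorizationInterceptor(AsapValidator asapValidator) {
        this.asapValidator = asapValidator;
    }

    /**
     * Decides whether the request may proceed to the handler.
     *
     * @param httpServletRequest current request; the effective annotation is stored on it under
     *     {@code asap.annotation} when one is found
     * @param httpServletResponse current response; receives a 401 when a mandatory token is
     *     absent and a 403 when the validator rejects the token
     * @param obj the chosen handler
     * @return {@code true} to continue the handler chain, {@code false} when an error response
     *     has been sent
     * @throws Exception if sending the error response fails
     */
    @Override
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj) throws Exception {
        if (!(obj instanceof HandlerMethod)) {
            // Only annotated controller methods carry a policy; everything else passes through.
            return true;
        }
        HandlerMethod handlerMethod = (HandlerMethod) obj;
        Method method = handlerMethod.getMethod();
        Jwt jwt = (Jwt) httpServletRequest.getAttribute(AUTHENTIC_JWT_ATTRIBUTE);

        Optional<Asap> annotation = findAsapAnnotation(method);
        if (!annotation.isPresent()) {
            // Default-allow: the absence of an annotation means no check at all.
            LOG.debug("method {} of class {} is unsecured, allowing request", method.getName(), method.getDeclaringClass().getSimpleName());
            return true;
        }

        Asap asap = annotation.get();
        httpServletRequest.setAttribute(ASAP_ANNOTATION_ATTRIBUTE, asap);
        if (!asap.mandatory()) {
            // Optional authentication: the validator is NOT consulted on this path, so any
            // constraints carried by the annotation are not enforced here.
            return true;
        }

        if (jwt == null) {
            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authorization header is missing.");
            LOG.debug("Authorization header is missing");
            return false;
        }
        if (isAuthorized(jwt, asap)) {
            return true;
        }
        LOG.debug("Request is not authorized.");
        httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Request is not authorized.");
        return false;
    }

    /**
     * Looks up the effective {@link Asap} annotation; the most specific level wins: method,
     * then declaring class, then the declaring class's package.
     */
    private Optional<Asap> findAsapAnnotation(Method method) {
        return findFirstNonNullAnnotation(
                Asap.class,
                () -> method,
                method::getDeclaringClass,
                () -> method.getDeclaringClass().getPackage());
    }

    /**
     * Returns the annotation of type {@code cls} from the first supplied element that carries
     * it. Suppliers are evaluated lazily and in order, so later levels are not resolved once a
     * match is found.
     */
    @SafeVarargs
    private static <A extends Annotation> Optional<A> findFirstNonNullAnnotation(Class<A> cls, Supplier<? extends AnnotatedElement>... supplierArr) {
        return Stream.of(supplierArr)
                .<AnnotatedElement>map(Supplier::get)
                // A supplier may yield null (Class.getPackage() is documented to return null
                // in some cases); treat that level as "not annotated" instead of failing.
                .filter(element -> element != null && element.isAnnotationPresent(cls))
                .map(element -> element.getAnnotation(cls))
                .findFirst();
    }

    /**
     * Runs the validator and maps its outcome to a boolean. Only
     * {@link AuthorizationFailedException} is treated as a denial; any other exception
     * propagates to the caller.
     */
    private boolean isAuthorized(Jwt jwt, Asap asap) {
        try {
            this.asapValidator.validate(asap, jwt);
            LOG.trace("Accepting authorized token with identifier '{}'", jwt.getClaims().getJwtId());
            return true;
        } catch (AuthorizationFailedException e) {
            LOG.debug("Authorization failed", e);
            return false;
        }
    }
}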
