package org.eclipse.basyx.vab.protocol.http.server;

import de.iip_ecosphere.platform.transport.TransportAas;
import java.io.File;
import java.util.ArrayList;
import java.util.Collection;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.Map;
import java.util.UUID;
import javax.servlet.http.HttpServlet;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.LifecycleState;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.catalina.valves.HealthCheckValve;
import org.apache.coyote.http11.Constants;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.lang.Nullable;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.ExceptionTranslationFilter;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;

/* JADX WARN: Classes with same name are omitted:
  input_file:BOOT-INF/classes/support.aas.basyx1_0-0.7.1-SNAPSHOT.zip:target/jars/org.eclipse.basyx.basyx.sdk-1.0.1.jar:org/eclipse/basyx/vab/protocol/http/server/BaSyxHTTPServer.class
 */
/* loaded from: input_file:BOOT-INF/lib/basyx.sdk-1.3.0.jar:org/eclipse/basyx/vab/protocol/http/server/BaSyxHTTPServer.class */
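/**
 * Embedded Tomcat wrapper that publishes the servlets registered in a {@link BaSyxContext}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>TLS is configured only when {@code isSecuredConnectionEnabled()} is true; otherwise the
 *       default connector serves plain HTTP on the configured port.</li>
 *   <li>The Spring Security filter chain is installed only when the context carries a JWT bearer
 *       token configuration. Without it, no authentication filter is registered here and every
 *       mapped servlet is reachable without credentials.</li>
 *   <li>URL-encoded slashes are accepted both by the Spring firewall and, through a JVM-wide
 *       system property, by Tomcat's URL decoder.</li>
 * </ul>
 */
public class BaSyxHTTPServer {
    private static final Logger logger = LoggerFactory.getLogger(BaSyxHTTPServer.class);
    private final Tomcat tomcat = new Tomcat();

    /**
     * Builds the Tomcat instance: connector (TLS or plain), host, health valve, optional security
     * filters, and one servlet mapping per context entry.
     *
     * @param baSyxContext server configuration and the path-to-servlet mappings to publish
     */
    public BaSyxHTTPServer(BaSyxContext baSyxContext) {
        // A random engine name keeps several embedded servers in one JVM from sharing a name.
        this.tomcat.getEngine().setName(UUID.randomUUID().toString());
        if (baSyxContext.isSecuredConnectionEnabled()) {
            configureSslConnector(baSyxContext, this.tomcat.getConnector());
        } else {
            this.tomcat.setPort(baSyxContext.port);
        }
        this.tomcat.setHostname(baSyxContext.hostname);
        this.tomcat.getHost().setAppBase(".");
        configureHealthEndpoint();
        Context context = this.tomcat.addContext(baSyxContext.contextPath, new File(baSyxContext.docBasePath).getAbsolutePath());
        // Authentication is opt-in: with no JWT configuration the context gets no security filter.
        baSyxContext.getJwtBearerTokenAuthenticationConfiguration()
                .ifPresent(jwtConfiguration -> addSecurityFiltersToContext(context, jwtConfiguration));
        for (Map.Entry<String, HttpServlet> servletEntry : baSyxContext.entrySet()) {
            addNewServletAndMappingToTomcatEnvironment(baSyxContext, context, servletEntry);
        }
    }

    /**
     * Adds Tomcat's {@link HealthCheckValve} to the host pipeline.
     *
     * <p>NOTE(review): the valve sits on the host, while the JWT filter chain is registered on the
     * context. Host valves presumably run before context filters, so the health endpoint is likely
     * answered without a bearer token. Confirm that this is intended.
     */
    private void configureHealthEndpoint() {
        this.tomcat.getHost().getPipeline().addValve(new HealthCheckValve());
    }

    /**
     * Registers one servlet under the URL pattern given by the entry key.
     *
     * <p>The servlet name is derived from {@code hashCode()}.
     * NOTE(review): two servlets with equal hash codes would get the same name. Verify that the
     * servlets in use cannot collide.
     */
    private void addNewServletAndMappingToTomcatEnvironment(BaSyxContext baSyxContext, Context context, Map.Entry<String, HttpServlet> entry) {
        String urlPattern = entry.getKey();
        HttpServlet servlet = entry.getValue();
        configureCorsOrigin(baSyxContext, servlet);
        String servletName = Integer.toString(servlet.hashCode());
        Tomcat.addServlet(context, servletName, servlet);
        context.addServletMappingDecoded(urlPattern, servletName);
    }

    /**
     * Passes the configured Access-Control-Allow-Origin value to servlets that support it.
     *
     * <p>The value is handed over verbatim. No validation of the configured origin is visible
     * here, so a wildcard or overly broad origin in the configuration reaches the servlet
     * unchanged. Servlets that are not a {@link BasysHTTPServlet} are skipped with a log entry;
     * the type is checked up front so that unrelated runtime failures are not swallowed.
     */
    private void configureCorsOrigin(BaSyxContext baSyxContext, HttpServlet httpServlet) {
        if (!isCorsOriginDefined(baSyxContext)) {
            return;
        }
        if (httpServlet instanceof BasysHTTPServlet) {
            ((BasysHTTPServlet) httpServlet).setCorsOrigin(baSyxContext.getAccessControlAllowOrigin());
        } else {
            logger.info("Servlet {} is not a BasysHTTPServlet; CORS origin not applied",
                    httpServlet == null ? "null" : httpServlet.getClass().getName());
        }
    }

    /** Returns true when the context defines an Access-Control-Allow-Origin value. */
    private boolean isCorsOriginDefined(BaSyxContext baSyxContext) {
        return baSyxContext.getAccessControlAllowOrigin() != null;
    }

    /** Builds the Spring Security filter chain proxy and registers it on the context. */
    private void addSecurityFiltersToContext(Context context, JwtBearerTokenAuthenticationConfiguration jwtBearerTokenAuthenticationConfiguration) {
        addFilterChainProxyFilterToContext(context, createFilterChainProxy(jwtBearerTokenAuthenticationConfiguration));
    }

    /** Registers the proxy as a servlet filter together with its URL mapping. */
    private void addFilterChainProxyFilterToContext(Context context, FilterChainProxy filterChainProxy) {
        context.addFilterDef(createFilterChainProxyFilterDefinition(filterChainProxy));
        context.addFilterMap(createFilterChainProxyFilterMap());
    }

    /** Maps the security filter to every URL of the context ({@code /*}). */
    private FilterMap createFilterChainProxyFilterMap() {
        FilterMap filterMap = new FilterMap();
        filterMap.setFilterName(FilterChainProxy.class.getSimpleName());
        filterMap.addURLPattern("/*");
        return filterMap;
    }

    /** Wraps the given proxy instance in a Tomcat filter definition. */
    private FilterDef createFilterChainProxyFilterDefinition(FilterChainProxy filterChainProxy) {
        FilterDef filterDef = new FilterDef();
        filterDef.setFilterName(FilterChainProxy.class.getSimpleName());
        filterDef.setFilterClass(FilterChainProxy.class.getName());
        filterDef.setFilter(filterChainProxy);
        return filterDef;
    }

    /** Creates the filter chain proxy and attaches the relaxed firewall to it. */
    private FilterChainProxy createFilterChainProxy(JwtBearerTokenAuthenticationConfiguration jwtBearerTokenAuthenticationConfiguration) {
        FilterChainProxy filterChainProxy = new FilterChainProxy(createSecurityFilterChain(jwtBearerTokenAuthenticationConfiguration));
        filterChainProxy.setFirewall(createHttpFirewall());
        return filterChainProxy;
    }

    /**
     * Creates a {@link StrictHttpFirewall} that accepts URL-encoded slashes.
     *
     * <p>This loosens one of the firewall's checks (presumably because identifiers carried in
     * request paths can contain encoded slashes; confirm). Servlets behind it must therefore not
     * derive file paths or access decisions from the decoded path without normalising it again.
     */
    private HttpFirewall createHttpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowUrlEncodedSlash(true);
        return firewall;
    }

    /**
     * Builds the chain applied to every request: bearer token authentication followed by
     * exception translation.
     *
     * <p>NOTE(review): the chain holds no authorization filter, and
     * {@code BearerTokenAuthenticationFilter} presumably lets requests that carry no bearer token
     * continue down the chain. Verify that the servlets themselves reject unauthenticated callers.
     */
    private SecurityFilterChain createSecurityFilterChain(JwtBearerTokenAuthenticationConfiguration jwtBearerTokenAuthenticationConfiguration) {
        return new DefaultSecurityFilterChain(
                AnyRequestMatcher.INSTANCE,
                createBearerTokenAuthenticationFilter(jwtBearerTokenAuthenticationConfiguration),
                createExceptionTranslationFilter());
    }

    /** Translates security exceptions into a bearer token challenge via the entry point. */
    private ExceptionTranslationFilter createExceptionTranslationFilter() {
        return new ExceptionTranslationFilter(new BearerTokenAuthenticationEntryPoint());
    }

    /** Creates the filter that authenticates bearer tokens with a JWT decoder built from the configuration. */
    private BearerTokenAuthenticationFilter createBearerTokenAuthenticationFilter(JwtBearerTokenAuthenticationConfiguration jwtBearerTokenAuthenticationConfiguration) {
        JwtDecoder jwtDecoder = createJwtDecoder(
                jwtBearerTokenAuthenticationConfiguration.getIssuerUri(),
                jwtBearerTokenAuthenticationConfiguration.getJwkSetUri(),
                jwtBearerTokenAuthenticationConfiguration.getRequiredAud().orElse(null));
        return new BearerTokenAuthenticationFilter(new ProviderManager(new JwtAuthenticationProvider(jwtDecoder)));
    }

    /**
     * Creates a decoder that takes its verification keys from the JWK set URI and accepts only
     * RS256-signed tokens.
     *
     * <p>The key material is trusted as served by {@code jwkSetUri}; no scheme check is visible
     * here, so the configuration should point at an HTTPS endpoint of the identity provider.
     *
     * @param issuerUri expected issuer of the token
     * @param jwkSetUri location of the issuer's JWK set
     * @param requiredAud audience that must be present, or {@code null} to skip the audience check
     */
    private JwtDecoder createJwtDecoder(String issuerUri, String jwkSetUri, @Nullable String requiredAud) {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
                .jwsAlgorithm(SignatureAlgorithm.from("RS256"))
                .build();
        decoder.setJwtValidator(createOAuth2TokenValidator(issuerUri, requiredAud));
        return decoder;
    }

    /**
     * Combines the default validators for the issuer with an optional audience check.
     *
     * <p>When {@code requiredAud} is {@code null} the {@code aud} claim is not checked here, so a
     * token the same issuer minted for a different service passes validation. Configure a required
     * audience wherever the issuer serves more than one resource server.
     */
    private OAuth2TokenValidator<Jwt> createOAuth2TokenValidator(String issuerUri, @Nullable String requiredAud) {
        Collection<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
        validators.add(JwtValidators.createDefaultWithIssuer(issuerUri));
        if (requiredAud != null) {
            validators.add(createJwtClaimValidatorForRequiredAudience(requiredAud));
        }
        return new DelegatingOAuth2TokenValidator<>(validators);
    }

    /** Accepts a token only if its {@code aud} claim is present and contains the required audience. */
    private JwtClaimValidator<Collection<String>> createJwtClaimValidatorForRequiredAudience(String requiredAud) {
        return new JwtClaimValidator<>("aud", audiences -> audiences != null && audiences.contains(requiredAud));
    }

    /**
     * Configures the connector for HTTPS using the keystore named in the context.
     *
     * <p>Points a reviewer should know:
     * <ul>
     *   <li>{@code clientAuth} is {@code "false"}: the server does not request client certificates.</li>
     *   <li>{@code sslProtocol} is the generic {@code "TLS"}; no minimum protocol version or cipher
     *       list is set here, so both are left to defaults outside this class.</li>
     *   <li>The key alias is fixed to {@code "tomcat"}; the keystore password comes from the
     *       context and must not be logged.</li>
     *   <li>NOTE(review): {@code TransportAas.NAME_VAR_CONNECTOR} is written twice with different
     *       values, and the constant looks like a decompiler substitution for a string literal.
     *       Presumably only the second value takes effect; confirm against the original source.</li>
     * </ul>
     */
    private void configureSslConnector(BaSyxContext baSyxContext, Connector connector) {
        connector.setPort(baSyxContext.port);
        connector.setSecure(true);
        connector.setScheme("https");
        connector.setAttribute("keystoreFile", baSyxContext.getCertificatePath());
        connector.setAttribute("clientAuth", "false");
        connector.setAttribute("sslProtocol", "TLS");
        connector.setAttribute("SSLEnabled", true);
        connector.setAttribute(TransportAas.NAME_VAR_CONNECTOR, Constants.HTTP_11);
        connector.setAttribute("keystorePass", baSyxContext.getKeyPassword());
        connector.setAttribute("keyAlias", "tomcat");
        connector.setAttribute("maxThreads", "200");
        connector.setAttribute(TransportAas.NAME_VAR_CONNECTOR, "org.apache.coyote.http11.Http11AprProtocol");
    }

    /**
     * Starts Tomcat on a background thread and blocks until the server reports
     * {@code STARTED} or {@code FAILED}.
     *
     * <p>If the calling thread is interrupted while waiting, the server is shut down, the
     * interrupt flag is restored and the method returns. Returning matters because the state
     * after a shutdown is neither {@code STARTED} nor {@code FAILED}: waiting again could block
     * the caller with nothing left to wake it.
     */
    public void start() {
        logger.trace("Starting Tomcat.....");
        new Thread(() -> {
            try {
                stopTomcatServerIfRunningAlready();
                // Wake the waiting caller once the server has reached STARTED.
                this.tomcat.getServer().addLifecycleListener(lifecycleEvent -> {
                    if (lifecycleEvent.getLifecycle().getState() == LifecycleState.STARTED) {
                        synchronized (this.tomcat) {
                            this.tomcat.notifyAll();
                        }
                    }
                });
                // Presumably called for its side effect of creating the default connector; confirm.
                this.tomcat.getConnector();
                this.tomcat.start();
                this.tomcat.getServer().await();
            } catch (LifecycleException e) {
                logger.error("Failed to start HTTP server.", e);
                // NOTE(review): the waiter re-checks the state after this wake-up and only
                // leaves its loop if the server state is FAILED (or STARTED).
                synchronized (this.tomcat) {
                    this.tomcat.notifyAll();
                }
            }
        }).start();
        EnumSet<LifecycleState> returnStates = EnumSet.of(LifecycleState.STARTED, LifecycleState.FAILED);
        synchronized (this.tomcat) {
            try {
                while (!returnStates.contains(this.tomcat.getServer().getState())) {
                    this.tomcat.wait();
                }
            } catch (InterruptedException e) {
                logger.error("Interrupted while waiting for tomcat to start. Stopping tomcat.", e);
                shutdown();
                Thread.currentThread().interrupt();
            }
        }
    }

    /** Stops the server first if it is already in state {@code STARTED}. */
    private void stopTomcatServerIfRunningAlready() throws LifecycleException {
        if (isTomcatServerRunning()) {
            this.tomcat.stop();
        }
    }

    /** Returns true when the server state is {@code STARTED}. */
    private boolean isTomcatServerRunning() {
        return this.tomcat.getServer().getState() == LifecycleState.STARTED;
    }

    /** Stops and destroys the Tomcat instance; lifecycle failures are logged, not rethrown. */
    public void shutdown() {
        logger.trace("Shutting down BaSyx HTTP Server...");
        try {
            this.tomcat.stop();
            this.tomcat.destroy();
        } catch (LifecycleException e) {
            logger.error("Exception in shutdown", e);
        }
    }

    /** Returns true whenever the server is in any state other than {@code STARTED}. */
    public boolean hasEnded() {
        return this.tomcat.getServer().getState() != LifecycleState.STARTED;
    }

    static {
        // JVM-wide setting: it affects every Tomcat instance in this process, not only this
        // server. It makes Tomcat's URL decoder accept encoded slashes, matching the relaxed
        // Spring firewall above.
        System.setProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH", "true");
        // Only sets the property when the operator has not already chosen a value for it.
        if (System.getProperty("org.apache.catalina.startup.EXIT_ON_INIT_FAILURE") == null) {
            System.setProperty("org.apache.catalina.startup.EXIT_ON_INIT_FAILURE", "true");
        }
    }
}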
