package org.lognet.springboot.grpc.security;

import io.grpc.Context;
import io.grpc.Contexts;
import io.grpc.ForwardingServerCallListener;
import io.grpc.Metadata;
import io.grpc.MethodDescriptor;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.Status;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Optional;
import org.lognet.springboot.grpc.FailureHandlingServerInterceptor;
import org.lognet.springboot.grpc.GRpcErrorHandler;
import org.lognet.springboot.grpc.autoconfigure.GRpcServerProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.Ordered;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:org/lognet/springboot/grpc/security/SecurityInterceptor.class */
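/**
 * gRPC server interceptor that builds an {@link Authentication} from the call's
 * authorization metadata and runs the {@link AbstractSecurityInterceptor} checks against the
 * call's {@link MethodDescriptor} before the call reaches the next handler.
 *
 * <p>Security failures are converted to a gRPC status through {@link #fail}: an
 * {@link AccessDeniedException} becomes {@code PERMISSION_DENIED}, any other exception raised
 * while authenticating or authorizing becomes {@code UNAUTHENTICATED}.
 *
 * <p>{@link #setConfig} and {@link #setErrorHandler} must have been called before the first
 * call is intercepted; {@code authCfg} and {@code errorHandler} are dereferenced without a
 * null check.
 */
public class SecurityInterceptor extends AbstractSecurityInterceptor implements FailureHandlingServerInterceptor, Ordered {
    private static final Logger log = LoggerFactory.getLogger(SecurityInterceptor.class);

    // Binary variant of the authorization header; when present it wins over the ASCII one.
    private static final Metadata.Key<byte[]> AUTHORIZATION_BIN_KEY = Metadata.Key.of("Authorization-bin", Metadata.BINARY_BYTE_MARSHALLER);
    private static final Metadata.Key<String> AUTHORIZATION_KEY = Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER);

    private final GrpcSecurityMetadataSource securedMethods;
    private final AuthenticationSchemeSelector schemeSelector;
    private GRpcServerProperties.SecurityProperties.Auth authCfg;
    private GRpcErrorHandler errorHandler;

    /**
     * @param grpcSecurityMetadataSource source of the security attributes of the gRPC methods
     * @param authenticationSchemeSelector turns the raw authorization header into an
     *     {@link Authentication}
     */
    public SecurityInterceptor(GrpcSecurityMetadataSource grpcSecurityMetadataSource, AuthenticationSchemeSelector authenticationSchemeSelector) {
        this.securedMethods = grpcSecurityMetadataSource;
        this.schemeSelector = authenticationSchemeSelector;
    }

    /**
     * Sets the error handler used when a call is rejected.
     *
     * @param optional the configured handler; when empty, an anonymous {@link GRpcErrorHandler}
     *     with no overrides is used
     */
    @Autowired
    public void setErrorHandler(Optional<GRpcErrorHandler> optional) {
        this.errorHandler = optional.orElseGet(() -> new GRpcErrorHandler() {
        });
    }

    /**
     * Sets the authentication configuration.
     *
     * @param auth the configuration; {@code null} is replaced by a default-constructed instance
     */
    public void setConfig(GRpcServerProperties.SecurityProperties.Auth auth) {
        this.authCfg = Optional.ofNullable(auth).orElseGet(GRpcServerProperties.SecurityProperties.Auth::new);
    }

    /**
     * @return the configured interceptor order, or {@link Integer#MIN_VALUE} when none is
     *     configured
     */
    public int getOrder() {
        return Optional.ofNullable(this.authCfg.getInterceptorOrder()).orElse(Integer.MIN_VALUE);
    }

    /** @return {@link MethodDescriptor}, the type of object the security checks are run against */
    public Class<?> getSecureObjectClass() {
        return MethodDescriptor.class;
    }

    /* renamed from: obtainSecurityMetadataSource, reason: merged with bridge method [inline-methods] */
    // The m8 prefix comes from the decompiler (see the note above); the name is kept so that
    // other decompiled sources referring to it still resolve.
    public GrpcSecurityMetadataSource m8obtainSecurityMetadataSource() {
        return this.securedMethods;
    }

    /**
     * Authenticates and authorizes the call, then forwards it with the resulting
     * {@link Authentication} attached to the gRPC {@link Context}.
     *
     * <p>A call without any authorization header is checked with a {@code null}
     * {@link Authentication}; whether it is accepted is decided by {@code beforeInvocation}.
     *
     * @param serverCall the call being intercepted
     * @param metadata the request headers
     * @param serverCallHandler the next handler in the chain
     * @return the listener of the next handler, or the rejecting listener produced by
     *     {@link #fail}
     */
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler) {
        try {
            // Header parsing and scheme resolution run inside the try so that an unrecognised
            // authorization header is reported as UNAUTHENTICATED through fail() instead of
            // escaping the interceptor as a raw RuntimeException.
            CharSequence authorization = readAuthorization(metadata);
            Authentication authentication = null;
            if (authorization != null) {
                // The message deliberately does not echo the header value.
                authentication = this.schemeSelector.getAuthScheme(authorization).orElseThrow(() -> new RuntimeException("Can't get authentication from authorization header"));
            }

            SecurityContext securityContext = SecurityContextHolder.createEmptyContext();
            securityContext.setAuthentication(authentication);
            SecurityContextHolder.setContext(securityContext);
            beforeInvocation(serverCall.getMethodDescriptor());

            // Read the authentication back from the holder rather than reusing the local, so
            // that whatever beforeInvocation left there is what gets propagated.
            Context grpcContext = Context.current().withValue(GrpcSecurity.AUTHENTICATION_CONTEXT_KEY, SecurityContextHolder.getContext().getAuthentication());
            return Contexts.interceptCall(grpcContext, serverCall, metadata, serverCallHandler);
        } catch (AccessDeniedException e) {
            return fail(serverCallHandler, serverCall, metadata, Status.PERMISSION_DENIED, e);
        } catch (Exception e) {
            // NOTE(review): this also catches exceptions thrown by the downstream handler inside
            // Contexts.interceptCall and reports them as UNAUTHENTICATED; confirm that is intended.
            return fail(serverCallHandler, serverCall, metadata, Status.UNAUTHENTICATED, e);
        } finally {
            // Runs on every exit path: the authentication must not stay bound to the thread
            // after this method returns.
            SecurityContextHolder.getContext().setAuthentication(null);
        }
    }

    /**
     * Reads the raw authorization value from the request headers.
     *
     * @return the UTF-8 decoded {@code Authorization-bin} value when that header is present,
     *     otherwise the {@code Authorization} value, or {@code null} when neither is set
     */
    private static CharSequence readAuthorization(Metadata metadata) {
        byte[] binaryValue = metadata.get(AUTHORIZATION_BIN_KEY);
        if (binaryValue != null) {
            return StandardCharsets.UTF_8.decode(ByteBuffer.wrap(binaryValue));
        }
        return metadata.get(AUTHORIZATION_KEY);
    }

    /**
     * Rejects a call that failed the security check.
     *
     * <p>With fail-fast enabled the exception built by {@code closeCall} is thrown immediately.
     * Otherwise the downstream call is started and the exception is thrown when the first
     * request message arrives, so that the message can be passed to {@code closeCall}.
     *
     * @param serverCallHandler the next handler in the chain
     * @param serverCall the call being rejected
     * @param metadata the request headers
     * @param status the gRPC status to report
     * @param exc the security exception that caused the rejection
     * @return a listener that rejects the call on its first message (non-fail-fast mode only)
     */
    private <RespT, ReqT> ServerCall.Listener<ReqT> fail(ServerCallHandler<ReqT, RespT> serverCallHandler, final ServerCall<ReqT, RespT> serverCall, final Metadata metadata, final Status status, final Exception exc) {
        if (this.authCfg.isFailFast()) {
            throw closeCall(null, this.errorHandler, serverCall, metadata, status, exc);
        }
        // NOTE(review): in this branch the downstream handler is started for a call that has
        // already failed the security check, and the call is rejected only once a request
        // message arrives. Confirm for the handler types in use that no service code runs, and
        // that the call cannot complete on half-close without a message, before relying on
        // failFast=false.
        return new ForwardingServerCallListener.SimpleForwardingServerCallListener<ReqT>(serverCallHandler.startCall(serverCall, metadata)) { // from class: org.lognet.springboot.grpc.security.SecurityInterceptor.2
            public void onMessage(ReqT reqt) {
                throw SecurityInterceptor.this.closeCall(reqt, SecurityInterceptor.this.errorHandler, serverCall, metadata, status, exc);
            }
        };
    }
}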
