package org.activiti.cloud.services.notifications.qraphql.ws.security;

import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.annotation.Order;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.simp.SimpMessageHeaderAccessor;
import org.springframework.messaging.simp.config.ChannelRegistration;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.MessageHeaderAccessor;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

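/**
 * Registers a {@link ChannelInterceptor} on the WebSocket client inbound channel that
 * re-verifies the Keycloak access token of the session principal for selected GraphQL
 * message types.
 *
 * <p>Only messages whose configured header (default {@code graphQLMessageType}) carries one
 * of the configured values (default {@code connection_init} and {@code start}) are checked.
 * Every other message is passed through untouched.
 *
 * <p>NOTE(review): the check is applied only when the session principal is a
 * {@link KeycloakAuthenticationToken}. A matching message with no principal, or with a
 * principal of another type, is forwarded without token verification. Presumably an
 * upstream handshake or security layer rejects unauthenticated sessions; confirm before
 * relying on this class as the only gate.
 */
// Equals Integer.MIN_VALUE + 99 (the decompiled literal was -2147483549).
@Order(Integer.MIN_VALUE + 99)
/* loaded from: input_file:BOOT-INF/lib/activiti-cloud-services-notifications-graphql-security-7.1.414.jar:org/activiti/cloud/services/notifications/qraphql/ws/security/KeycloakSecurityContextInerceptorConfigurer.class */
public class KeycloakSecurityContextInerceptorConfigurer implements WebSocketMessageBrokerConfigurer {
    private static final Logger logger = LoggerFactory.getLogger(KeycloakSecurityContextInerceptorConfigurer.class);
    private static final String GRAPHQL_MESSAGE_TYPE = "graphQLMessageType";
    private final KeycloakAccessTokenVerifier tokenVerifier;
    // Header values that trigger token verification.
    private List<String> headerValues = Arrays.asList("connection_init", "start");
    // Name of the message header that is compared against headerValues.
    private String headerName = GRAPHQL_MESSAGE_TYPE;

    /**
     * @param keycloakAccessTokenVerifier verifier that receives the raw token string of the
     *     session principal
     */
    public KeycloakSecurityContextInerceptorConfigurer(KeycloakAccessTokenVerifier keycloakAccessTokenVerifier) {
        this.tokenVerifier = keycloakAccessTokenVerifier;
    }

    /**
     * Adds the token-verifying interceptor to the client inbound channel.
     *
     * @param channelRegistration registration of the inbound channel to intercept
     */
    @Override
    public void configureClientInboundChannel(ChannelRegistration channelRegistration) {
        channelRegistration.interceptors(new ChannelInterceptor() {
            /**
             * Verifies the principal's access token for the configured message types.
             *
             * @return the unchanged message
             * @throws BadCredentialsException if the verifier throws for the token
             */
            @Override
            public Message<?> preSend(Message<?> message, MessageChannel messageChannel) {
                SimpMessageHeaderAccessor accessor =
                        MessageHeaderAccessor.getAccessor(message, SimpMessageHeaderAccessor.class);
                if (accessor == null) {
                    return message;
                }

                Object messageType = accessor.getHeader(headerName);
                if (!headerValues.contains(messageType)) {
                    return message;
                }

                // The decompiled source referenced an undefined variable (r1) and raw Optional
                // types here; typed method references restore a compilable pipeline.
                Optional.ofNullable(accessor.getUser())
                        .filter(KeycloakAuthenticationToken.class::isInstance)
                        .map(KeycloakAuthenticationToken.class::cast)
                        .map(KeycloakAuthenticationToken::getCredentials)
                        .map(KeycloakSecurityContext.class::cast)
                        .ifPresent(securityContext -> {
                            try {
                                // Log the value read from the configured header, so the entry
                                // stays accurate after setHeaderName() has been called. The
                                // token string itself is never logged.
                                logger.info("Verifying Access Token for {}", messageType);
                                tokenVerifier.verifyToken(securityContext.getTokenString());
                            } catch (Exception e) {
                                // The cause is preserved; callers see one generic message.
                                throw new BadCredentialsException("Invalid token", e);
                            }
                        });
                return message;
            }
        });
    }

    /**
     * Replaces the header values that trigger token verification.
     *
     * @param list values to match; an empty list means no message is ever verified
     * @throws NullPointerException if {@code list} is null
     */
    public void setHeaderValues(List<String> list) {
        // Fail at configuration time instead of on the first inbound message.
        this.headerValues = Objects.requireNonNull(list, "headerValues");
    }

    /**
     * Replaces the name of the header compared against the configured values.
     *
     * @param str header name
     * @throws NullPointerException if {@code str} is null
     */
    public void setHeaderName(String str) {
        // Reject null so a configuration mistake cannot leave the header lookup without a name.
        this.headerName = Objects.requireNonNull(str, "headerName");
    }
}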
