package org.wso2.choreo.connect.enforcer.security.oauth;

import com.google.gson.Gson;
import io.opentelemetry.context.Scope;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import org.apache.commons.io.IOUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.apache.logging.log4j.ThreadContext;
import org.wso2.choreo.connect.enforcer.commons.model.AuthenticationContext;
import org.wso2.choreo.connect.enforcer.commons.model.RequestContext;
import org.wso2.choreo.connect.enforcer.constants.APIConstants;
import org.wso2.choreo.connect.enforcer.constants.APISecurityConstants;
import org.wso2.choreo.connect.enforcer.exception.APISecurityException;
import org.wso2.choreo.connect.enforcer.security.AccessTokenInfo;
import org.wso2.choreo.connect.enforcer.security.Authenticator;
import org.wso2.choreo.connect.enforcer.security.jwt.validator.JWTConstants;
import org.wso2.choreo.connect.enforcer.security.jwt.validator.JWTValidator;
import org.wso2.choreo.connect.enforcer.tracing.TracingConstants;
import org.wso2.choreo.connect.enforcer.tracing.TracingSpan;
import org.wso2.choreo.connect.enforcer.tracing.Utils;
import org.wso2.choreo.connect.enforcer.util.FilterUtils;

/* loaded from: input_file:org/wso2/choreo/connect/enforcer/security/oauth/OAuthAuthenticator.class */
public class OAuthAuthenticator implements Authenticator {
    private static final Log log = LogFactory.getLog(OAuthAuthenticator.class);
    private List<String> keyManagerList;
    protected JWTValidator jwtValidator;
    private String kmEndpoint;
    private String securityHeader;
    private String defaultAPIHeader;
    private String consumerKeyHeaderSegment;
    private String oauthHeaderSplitter;
    private String consumerKeySegmentDelimiter;
    private String securityContextHeader;
    private boolean removeOAuthHeadersFromOutMessage;
    private boolean removeDefaultAPIHeaderFromOutMessage;
    private String clientDomainHeader;
    private String requestOrigin;
    private String remainingAuthHeader;
    private boolean isMandatory;

    public OAuthAuthenticator() {
        this.kmEndpoint = "https://localhost:9443/oauth2";
        this.securityHeader = "Authorization";
        this.defaultAPIHeader = "WSO2_AM_API_DEFAULT_VERSION";
        this.consumerKeyHeaderSegment = "Bearer";
        this.oauthHeaderSplitter = ",";
        this.consumerKeySegmentDelimiter = " ";
        this.removeOAuthHeadersFromOutMessage = true;
        this.removeDefaultAPIHeaderFromOutMessage = true;
        this.clientDomainHeader = "referer";
    }

    public OAuthAuthenticator(String str, boolean z, boolean z2, List<String> list) {
        this.kmEndpoint = "https://localhost:9443/oauth2";
        this.securityHeader = "Authorization";
        this.defaultAPIHeader = "WSO2_AM_API_DEFAULT_VERSION";
        this.consumerKeyHeaderSegment = "Bearer";
        this.oauthHeaderSplitter = ",";
        this.consumerKeySegmentDelimiter = " ";
        this.removeOAuthHeadersFromOutMessage = true;
        this.removeDefaultAPIHeaderFromOutMessage = true;
        this.clientDomainHeader = "referer";
        this.securityHeader = str;
        this.removeOAuthHeadersFromOutMessage = z2;
        this.isMandatory = z;
        this.keyManagerList = list;
    }

    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public boolean canAuthenticate(RequestContext requestContext) {
        return !requestContext.getHeaders().get(JWTConstants.AUTHORIZATION).contains("\\.");
    }

    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public AuthenticationContext authenticate(RequestContext requestContext) throws APISecurityException {
        TracingSpan tracingSpan = null;
        Scope scope = null;
        try {
            if (Utils.tracingEnabled()) {
                tracingSpan = Utils.startSpan(TracingConstants.OAUTH_AUTHENTICATOR_SPAN, Utils.getGlobalTracer());
                scope = tracingSpan.getSpan().makeCurrent();
                Utils.setTag(tracingSpan, "traceId", ThreadContext.get("traceId"));
            }
            String str = requestContext.getHeaders().get(JWTConstants.AUTHORIZATION);
            AccessTokenInfo accessTokenInfo = new AccessTokenInfo();
            if (str == null || !str.toLowerCase().contains(JWTConstants.BEARER)) {
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), APISecurityConstants.API_AUTH_MISSING_CREDENTIALS, APISecurityConstants.API_AUTH_MISSING_CREDENTIALS_MESSAGE);
            }
            String str2 = str.split("\\s")[1];
            try {
                IntrospectInfo validateToken = validateToken(str2);
                accessTokenInfo.setAccessToken(str2);
                accessTokenInfo.setConsumerKey(validateToken.getClientId());
                AuthenticationContext authenticationContext = new AuthenticationContext();
                authenticationContext.setRawToken(str2);
                if (Utils.tracingEnabled()) {
                    scope.close();
                    Utils.finishSpan(tracingSpan);
                }
                return authenticationContext;
            } catch (IOException e) {
                throw new SecurityException(e);
            }
        } catch (Throwable th) {
            if (Utils.tracingEnabled()) {
                scope.close();
                Utils.finishSpan(tracingSpan);
            }
            throw th;
        }
    }

    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public int getPriority() {
        return 0;
    }

    public String extractCustomerKeyFromAuthHeader(Map map) {
        String str = (String) map.get(this.securityHeader);
        if (str == null) {
            if (!log.isDebugEnabled()) {
                return null;
            }
            log.debug("OAuth2 Authentication: Expected authorization header with the name '".concat(this.securityHeader).concat("' was not found."));
            return null;
        }
        ArrayList arrayList = new ArrayList();
        String str2 = null;
        boolean z = false;
        String[] split = str.split(this.oauthHeaderSplitter);
        if (split != null) {
            for (int i = 0; i < split.length; i++) {
                String[] split2 = split[i].split(this.consumerKeySegmentDelimiter);
                if (split2 != null && split2.length > 1) {
                    int i2 = 0;
                    boolean z2 = false;
                    for (String str3 : split2) {
                        if (!"".equals(str3.trim())) {
                            if (this.consumerKeyHeaderSegment.equals(split2[i2].trim())) {
                                z2 = true;
                            } else if (z2) {
                                str2 = removeLeadingAndTrailing(split2[i2].trim());
                                z = true;
                            }
                        }
                        i2++;
                    }
                }
                if (z) {
                    z = false;
                } else {
                    arrayList.add(split[i]);
                }
            }
        }
        this.remainingAuthHeader = String.join(this.oauthHeaderSplitter, arrayList);
        return str2;
    }

    private String removeLeadingAndTrailing(String str) {
        String str2 = str;
        if (str.startsWith("\"") || str.endsWith("\"")) {
            str2 = str.replace("\"", "");
        }
        return str2.trim();
    }

    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public String getChallengeString() {
        return "Bearer realm=\"WSO2 API Manager\"";
    }

    @Override // org.wso2.choreo.connect.enforcer.security.Authenticator
    public String getName() {
        return "OAuth";
    }

    private IntrospectInfo validateToken(String str) throws IOException {
        CloseableHttpClient closeableHttpClient = (CloseableHttpClient) FilterUtils.getHttpClient(new URL(this.kmEndpoint + "/introspect").getProtocol());
        try {
            HttpPost httpPost = new HttpPost(this.kmEndpoint + "/introspect");
            ArrayList arrayList = new ArrayList();
            arrayList.add(new BasicNameValuePair("token", str));
            httpPost.setEntity(new UrlEncodedFormEntity((List<? extends NameValuePair>) arrayList));
            httpPost.setHeader("Content-type", "application/x-www-form-urlencoded");
            httpPost.setHeader("Authorization", "Basic " + Base64.getEncoder().encodeToString("admin:admin".getBytes()));
            CloseableHttpResponse execute = closeableHttpClient.execute((HttpUriRequest) httpPost);
            try {
                if (execute.getStatusLine().getStatusCode() != 200) {
                    if (execute != null) {
                        execute.close();
                    }
                    if (closeableHttpClient != null) {
                        closeableHttpClient.close();
                    }
                    return null;
                }
                InputStream content = execute.getEntity().getContent();
                try {
                    IntrospectInfo introspectInfo = (IntrospectInfo) new Gson().fromJson(IOUtils.toString(content), IntrospectInfo.class);
                    if (content != null) {
                        content.close();
                    }
                    if (execute != null) {
                        execute.close();
                    }
                    if (closeableHttpClient != null) {
                        closeableHttpClient.close();
                    }
                    return introspectInfo;
                } catch (Throwable th) {
                    if (content != null) {
                        try {
                            content.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Throwable th3) {
                if (execute != null) {
                    try {
                        execute.close();
                    } catch (Throwable th4) {
                        th3.addSuppressed(th4);
                    }
                }
                throw th3;
            }
        } catch (Throwable th5) {
            if (closeableHttpClient != null) {
                try {
                    closeableHttpClient.close();
                } catch (Throwable th6) {
                    th5.addSuppressed(th6);
                }
            }
            throw th5;
        }
    }
}
