package org.wso2.carbon.apimgt.keymgt.handlers;

import java.sql.Timestamp;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.api.model.AccessTokenInfo;
import org.wso2.carbon.apimgt.impl.dto.APIKeyValidationInfoDTO;
import org.wso2.carbon.apimgt.impl.factory.KeyManagerHolder;
import org.wso2.carbon.apimgt.impl.utils.APIUtil;
import org.wso2.carbon.apimgt.keymgt.APIKeyMgtException;
import org.wso2.carbon.apimgt.keymgt.service.TokenValidationContext;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator;

/* loaded from: input_file:org/wso2/carbon/apimgt/keymgt/handlers/DefaultKeyValidationHandler.class */
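/**
 * Key validation handler that checks an access token against the configured key manager
 * and then runs the configured OAuth2 scope validators for the requested resource.
 *
 * <p>Both entry points report the outcome twice: through the boolean return value and
 * through the {@link APIKeyValidationInfoDTO} stored on the {@link TokenValidationContext}.
 * Every failure path below keeps the two in agreement so that a caller reading only one of
 * them cannot treat a rejected request as authorized.
 */
public class DefaultKeyValidationHandler extends AbstractKeyValidationHandler {
    private static final Log log = LogFactory.getLog(DefaultKeyValidationHandler.class);

    // NOTE(review): these literals presumably mirror the product's shared key-validation
    // status constants; confirm and reference those instead of repeating the numbers here.
    private static final int STATUS_GENERAL_ERROR = 900900;
    private static final int STATUS_INVALID_CREDENTIALS = 900901;
    private static final int STATUS_INVALID_SCOPE = 900910;

    /** Prefix carried by the version string when the request targets the default API version. */
    private static final String DEFAULT_VERSION_PREFIX = "_default_";

    /** Number of trailing token characters kept in log output for correlation. */
    private static final int VISIBLE_TOKEN_CHARS = 4;

    public DefaultKeyValidationHandler() {
        log.info(getClass().getName() + " Initialised");
    }

    /**
     * Validates the access token held by the context.
     *
     * <p>On a cache hit only the expiry of the cached entry is re-checked. Otherwise the token
     * metadata is fetched from the key manager and copied into a fresh
     * {@link APIKeyValidationInfoDTO} that is stored on the context.
     *
     * @param tokenValidationContext context carrying the access token and, on a cache hit,
     *                               the cached validation info
     * @return {@code true} if the token is valid; {@code false} if it is expired, invalid, or
     *         the key manager returned no metadata (in that last case no validation info is
     *         set on the context)
     * @throws APIKeyMgtException if the key manager call fails
     */
    @Override
    public boolean validateToken(TokenValidationContext tokenValidationContext) throws APIKeyMgtException {
        if (tokenValidationContext.isCacheHit()) {
            APIKeyValidationInfoDTO cachedInfo = tokenValidationContext.getValidationInfoDTO();
            if (!APIUtil.isAccessTokenExpired(cachedInfo)) {
                return true;
            }
            cachedInfo.setAuthorized(false);
            cachedInfo.setValidationStatus(STATUS_INVALID_CREDENTIALS);
            if (log.isDebugEnabled()) {
                // Bearer tokens are credentials: only a masked form is written to the log.
                log.debug("Token " + maskToken(tokenValidationContext.getAccessToken()) + " expired.");
            }
            return false;
        }
        try {
            AccessTokenInfo tokenMetaData = KeyManagerHolder.getKeyManagerInstance()
                    .getTokenMetaData(tokenValidationContext.getAccessToken());
            if (tokenMetaData == null) {
                return false;
            }
            tokenValidationContext.setTokenInfo(tokenMetaData);
            APIKeyValidationInfoDTO validationInfo = new APIKeyValidationInfoDTO();
            tokenValidationContext.setValidationInfoDTO(validationInfo);
            if (!tokenMetaData.isTokenValid()) {
                validationInfo.setAuthorized(false);
                // Prefer the key manager's own error code; fall back to the general error.
                int errorCode = tokenMetaData.getErrorcode();
                validationInfo.setValidationStatus(errorCode > 0 ? errorCode : STATUS_GENERAL_ERROR);
                return false;
            }
            validationInfo.setAuthorized(true);
            validationInfo.setEndUserName(tokenMetaData.getEndUserName());
            validationInfo.setConsumerKey(tokenMetaData.getConsumerKey());
            validationInfo.setIssuedTime(tokenMetaData.getIssuedTime());
            validationInfo.setValidityPeriod(tokenMetaData.getValidityPeriod());
            if (tokenMetaData.getScopes() != null) {
                validationInfo.setScopes(new HashSet<String>(Arrays.asList(tokenMetaData.getScopes())));
            }
            return true;
        } catch (APIManagementException e) {
            log.error("Error while obtaining Token Metadata from Authorization Server", e);
            // Keep the cause so the failure can be traced from the rethrown exception too.
            throw new APIKeyMgtException("Error while obtaining Token Metadata from Authorization Server", e);
        }
    }

    /**
     * Runs every configured {@link OAuth2ScopeValidator} against the requested resource.
     *
     * <p>The resource is identified as {@code context/version + matchingResource:httpVerb}.
     * A cache hit is accepted without re-running the validators.
     *
     * @param tokenValidationContext context carrying the token, the validation info produced
     *                               by {@link #validateToken} and the requested resource
     * @return {@code true} only if at least one non-null validator ran and none rejected the
     *         request; {@code false} if a validator rejected it, a validator threw, or no
     *         validator was available (in that last case the validation info is left as is)
     * @throws APIKeyMgtException if no validation info is set on the context, or the version
     *                            consists of the default-version prefix with nothing after it
     */
    @Override
    public boolean validateScopes(TokenValidationContext tokenValidationContext) throws APIKeyMgtException {
        if (tokenValidationContext.isCacheHit()) {
            return true;
        }
        APIKeyValidationInfoDTO validationInfo = tokenValidationContext.getValidationInfoDTO();
        if (validationInfo == null) {
            throw new APIKeyMgtException("Key Validation information not set");
        }

        String[] scopeArray = null;
        Set<String> scopes = validationInfo.getScopes();
        if (scopes != null && !scopes.isEmpty()) {
            scopeArray = scopes.toArray(new String[scopes.size()]);
            if (log.isDebugEnabled()) {
                // NOTE(review): ResourceConstants is not imported in this listing; confirm
                // which class supplies the separator.
                StringBuilder joinedScopes = new StringBuilder();
                for (int i = 0; i < scopeArray.length; i++) {
                    if (i > 0) {
                        joinedScopes.append(ResourceConstants.ATTRIBUTE_VALUE_SEPERATER);
                    }
                    joinedScopes.append(scopeArray[i]);
                }
                // Bearer tokens are credentials: only a masked form is written to the log.
                log.debug("Scopes allowed for token : " + maskToken(tokenValidationContext.getAccessToken())
                        + " : " + joinedScopes);
            }
        }

        AuthenticatedUser authenticatedUser = new AuthenticatedUser();
        authenticatedUser.setUserName(validationInfo.getEndUserName());
        if ("FEDERATED".equalsIgnoreCase(IdentityUtil.extractDomainFromName(authenticatedUser.getUserName()))) {
            authenticatedUser.setFederatedUser(true);
        }

        // The validity period is passed for both period arguments, as the original code does.
        AccessTokenDO accessTokenDO = new AccessTokenDO(validationInfo.getConsumerKey(), authenticatedUser,
                scopeArray, (Timestamp) null, (Timestamp) null, validationInfo.getValidityPeriod(),
                validationInfo.getValidityPeriod(), validationInfo.getType());
        accessTokenDO.setAccessToken(tokenValidationContext.getAccessToken());

        String version = tokenValidationContext.getVersion();
        if (version != null && version.startsWith(DEFAULT_VERSION_PREFIX)) {
            String[] versionParts = version.split(DEFAULT_VERSION_PREFIX);
            if (versionParts.length < 2) {
                // A bare prefix used to surface as ArrayIndexOutOfBoundsException; reject it
                // with the handler's declared exception instead.
                throw new APIKeyMgtException("API version is missing after the default version prefix");
            }
            version = versionParts[1];
        }
        String resource = tokenValidationContext.getContext() + "/" + version
                + tokenValidationContext.getMatchingResource() + ":" + tokenValidationContext.getHttpVerb();

        boolean scopesValidated = false;
        try {
            for (OAuth2ScopeValidator validator : OAuthServerConfiguration.getInstance().getOAuth2ScopeValidators()) {
                if (validator == null) {
                    continue;
                }
                if (!validator.validateScope(accessTokenDO, resource)) {
                    if (log.isDebugEnabled()) {
                        log.debug("Scope validation failed from " + validator);
                    }
                    validationInfo.setAuthorized(false);
                    validationInfo.setValidationStatus(STATUS_INVALID_SCOPE);
                    return false;
                }
                scopesValidated = true;
            }
        } catch (IdentityOAuth2Exception e) {
            log.error("ERROR while validating token scope " + e.getMessage(), e);
            validationInfo.setAuthorized(false);
            validationInfo.setValidationStatus(STATUS_INVALID_SCOPE);
            // Fail closed: an earlier validator may already have passed, so returning the
            // running flag here could report success while the DTO says unauthorized.
            return false;
        }
        return scopesValidated;
    }

    /**
     * Returns a form of the token that is safe to log: a fixed mask followed by the last few
     * characters, or the mask alone when the token is too short to reveal any part of it.
     */
    private static String maskToken(String token) {
        if (token == null) {
            return "null";
        }
        if (token.length() <= VISIBLE_TOKEN_CHARS * 2) {
            return "****";
        }
        return "****" + token.substring(token.length() - VISIBLE_TOKEN_CHARS);
    }
}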
