package org.wso2.carbon.apimgt.rest.api.common.impl;

import com.google.gson.reflect.TypeToken;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.wso2.carbon.apimgt.core.exception.APIManagementException;
import org.wso2.carbon.apimgt.core.exception.ExceptionCodes;
import org.wso2.carbon.apimgt.core.exception.KeyManagementException;
import org.wso2.carbon.apimgt.core.factory.KeyManagerHolder;
import org.wso2.carbon.apimgt.core.impl.APIDefinitionFromSwagger20;
import org.wso2.carbon.apimgt.core.models.AccessTokenInfo;
import org.wso2.carbon.apimgt.rest.api.common.APIConstants;
import org.wso2.carbon.apimgt.rest.api.common.RestApiConstants;
import org.wso2.carbon.apimgt.rest.api.common.api.RESTAPIAuthenticator;
import org.wso2.carbon.apimgt.rest.api.common.exception.APIMgtSecurityException;
import org.wso2.carbon.apimgt.rest.api.common.util.RestApiUtil;
import org.wso2.carbon.messaging.Headers;
import org.wso2.msf4j.Request;
import org.wso2.msf4j.Response;
import org.wso2.msf4j.ServiceMethodInfo;
import org.wso2.msf4j.util.SystemVariableUtil;

/* loaded from: input_file:org/wso2/carbon/apimgt/rest/api/common/impl/OAuth2Authenticator.class */
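/**
 * OAuth2 bearer-token authenticator for the publisher, store and admin REST APIs.
 *
 * <p>Two ways of presenting the token are supported:
 * <ul>
 *   <li>plain {@code Authorization: Bearer <token>};</li>
 *   <li>a split token, where the first part is sent in the {@code Authorization} header and the
 *       remainder in the {@code AM_TOKEN_MSF4J} cookie. The two parts are concatenated before
 *       validation (see {@link #authenticate}).</li>
 * </ul>
 * The reassembled token is introspected through the AM login key manager and its scopes are then
 * checked against the scopes declared in the swagger definition of the REST API the request
 * targets (see {@link #validateScopes} for the exact — and rather coarse — matching rule).
 */
public class OAuth2Authenticator implements RESTAPIAuthenticator {
    private static final Logger log = LoggerFactory.getLogger(OAuth2Authenticator.class);

    /** Resolved once at class load; the static initializer below refuses to load without it. */
    private static String authServerURL = SystemVariableUtil.getValue(RestApiConstants.AUTH_SERVER_URL_KEY, RestApiConstants.AUTH_SERVER_URL);

    /** Not referenced anywhere in this class; retained only because it is part of the compiled artifact. */
    private static class ExtendedTypeToken<T> extends TypeToken {
        private ExtendedTypeToken() {
        }
    }

    /**
     * Authenticates the request and enforces scope-based authorization.
     *
     * @param request           the incoming request; headers and the {@code REQUEST_URL} /
     *                          {@code HTTP_METHOD} properties are read from it
     * @param response          unused
     * @param serviceMethodInfo unused
     * @return {@code true} when the token is valid and its scopes satisfy the target API;
     *         {@code false} only when the {@code Authorization} header is a bare {@code Bearer}
     *         with no token value (the key manager is not consulted in that case)
     * @throws APIMgtSecurityException when the {@code Authorization} header is missing or malformed,
     *                                 the token is invalid, scope validation fails, or the key
     *                                 manager / API definition cannot be consulted
     */
    @Override // org.wso2.carbon.apimgt.rest.api.common.api.RESTAPIAuthenticator
    public boolean authenticate(Request request, Response response, ServiceMethodInfo serviceMethodInfo) throws APIMgtSecurityException {
        Headers headers = request.getHeaders();
        boolean hasAuthorizationHeader = headers != null && headers.contains(RestApiConstants.AUTHORIZATION_HTTP_HEADER);
        boolean hasTokenCookie = headers != null && headers.contains(RestApiConstants.COOKIE_HEADER)
                && isCookieExists(headers, APIConstants.AccessTokenConstants.AM_TOKEN_MSF4J);

        if (hasTokenCookie) {
            // Split-token flow: header part + cookie part. The cookie alone is never a complete
            // credential, so a request that carries the cookie without the header is rejected
            // here rather than handing a null token to the key manager.
            if (!hasAuthorizationHeader) {
                throw new APIMgtSecurityException("Missing Authorization header in the request.", ExceptionCodes.INVALID_AUTHORIZATION_HEADER);
            }
            String cookiePart = extractPartialAccessTokenFromCookie(headers.get(RestApiConstants.COOKIE_HEADER));
            String headerPart = extractAccessToken(headers.get(RestApiConstants.AUTHORIZATION_HTTP_HEADER));
            // A bare "Bearer" header contributes nothing; the cookie then has to hold the whole token.
            String token = headerPart != null ? headerPart + cookiePart : cookiePart;
            return validateTokenAndScopes(request, serviceMethodInfo, token);
        }

        if (!hasAuthorizationHeader) {
            throw new APIMgtSecurityException("Missing Authorization header in the request.", ExceptionCodes.INVALID_AUTHORIZATION_HEADER);
        }
        String token = extractAccessToken(headers.get(RestApiConstants.AUTHORIZATION_HTTP_HEADER));
        if (token == null) {
            return false;
        }
        return validateTokenAndScopes(request, serviceMethodInfo, token);
    }

    /**
     * Introspects the token and then checks its scopes against the API definition matching the request URL.
     *
     * @throws APIMgtSecurityException if the token is invalid or scope validation fails
     */
    private boolean validateTokenAndScopes(Request request, ServiceMethodInfo serviceMethodInfo, String accessToken) throws APIMgtSecurityException {
        AccessTokenInfo tokenInfo = validateToken(accessToken);
        return validateScopes(request, serviceMethodInfo, tokenInfo.getScopes(), getRestAPIResource(request));
    }

    /**
     * Introspects the token via the key manager.
     *
     * @return the token metadata, guaranteed non-null and reported as valid by the key manager
     * @throws APIMgtSecurityException with {@code ACCESS_TOKEN_INACTIVE} when the key manager reports the
     *                                 token as invalid (or returns no metadata at all)
     */
    private AccessTokenInfo validateToken(String accessToken) throws APIMgtSecurityException {
        AccessTokenInfo tokenInfo = getValidatedTokenResponse(accessToken);
        if (tokenInfo == null || !tokenInfo.isTokenValid()) {
            throw new APIMgtSecurityException("Invalid Access token.", ExceptionCodes.ACCESS_TOKEN_INACTIVE);
        }
        return tokenInfo;
    }

    /**
     * Returns the value of the {@code AM_TOKEN_MSF4J} cookie from a raw {@code Cookie} header, or
     * {@code null} when the cookie is absent or has an empty value.
     */
    private String extractPartialAccessTokenFromCookie(String cookieHeader) {
        return findCookieValue(cookieHeader, APIConstants.AccessTokenConstants.AM_TOKEN_MSF4J);
    }

    /**
     * Whether the {@code Cookie} header carries a cookie with exactly this name and a non-empty value.
     */
    private boolean isCookieExists(Headers headers, String cookieName) {
        return findCookieValue(headers.get(RestApiConstants.COOKIE_HEADER), cookieName) != null;
    }

    /**
     * Looks up a cookie by exact name in a raw {@code Cookie} header ({@code name=value; name2=value2}).
     *
     * <p>The name is compared exactly rather than by substring, so an unrelated cookie whose name merely
     * contains {@code cookieName} cannot switch the authenticator into the split-token flow, and the
     * value is split on the first {@code '='} only so that values containing {@code '='} survive.
     *
     * @return the first matching non-empty value, or {@code null}
     */
    private String findCookieValue(String cookieHeader, String cookieName) {
        if (cookieHeader == null || cookieName == null) {
            return null;
        }
        for (String crumb : cookieHeader.split(";")) {
            String[] pair = crumb.trim().split("=", 2);
            if (pair.length == 2 && cookieName.equals(pair[0].trim()) && !pair[1].isEmpty()) {
                return pair[1];
            }
        }
        return null;
    }

    /**
     * Picks the swagger definition (publisher, store or admin) whose context appears in the request path.
     *
     * <p>Only the path portion of {@code REQUEST_URL} is inspected: a context string smuggled into the
     * query string must not select a different definition — and therefore a different scope set — for
     * the request. Contexts are still matched with {@code contains}, as before, because the exact shape
     * of {@code REQUEST_URL} (absolute vs. relative) is not visible here.
     *
     * @throws APIMgtSecurityException when the URL is unavailable, matches no known context, or the
     *                                 definition cannot be loaded
     */
    private String getRestAPIResource(Request request) throws APIMgtSecurityException {
        String requestUrl = (String) request.getProperty("REQUEST_URL");
        if (requestUrl == null) {
            throw new APIMgtSecurityException("Request URL is not available in the request context.", ExceptionCodes.AUTH_GENERAL_ERROR);
        }
        int queryStart = requestUrl.indexOf('?');
        String path = queryStart >= 0 ? requestUrl.substring(0, queryStart) : requestUrl;
        try {
            if (path.contains(RestApiConstants.REST_API_PUBLISHER_CONTEXT)) {
                return RestApiUtil.getPublisherRestAPIResource();
            }
            if (path.contains(RestApiConstants.REST_API_STORE_CONTEXT)) {
                return RestApiUtil.getStoreRestAPIResource();
            }
            if (path.contains(RestApiConstants.REST_API_ADMIN_CONTEXT)) {
                return RestApiUtil.getAdminRestAPIResource();
            }
            throw new APIMgtSecurityException("No matching Rest Api definition found for path:" + requestUrl);
        } catch (APIManagementException e) {
            throw new APIMgtSecurityException(e.getMessage(), ExceptionCodes.AUTH_GENERAL_ERROR);
        }
    }

    /**
     * Checks the token's scopes against the scopes declared in the given swagger definition.
     *
     * <p>Outcome, in order:
     * <ol>
     *   <li>a token with no scopes at all is accepted unconditionally (pre-existing behaviour,
     *       preserved here — NOTE(review): this means an unscoped token bypasses scope enforcement
     *       entirely; confirm that is intended before relying on scopes as an access-control boundary);</li>
     *   <li>no definition available → rejected;</li>
     *   <li>the definition declares no scopes → accepted (treated as anonymous);</li>
     *   <li>otherwise accepted if ANY token scope equals (case-insensitively) ANY scope key of the
     *       definition. Only the whole definition is passed to {@code getScopes}; path and verb are not,
     *       so as far as this code shows the match is against the definition-wide scope set rather than
     *       the scopes bound to the specific resource being called.</li>
     * </ol>
     *
     * @param tokenScopes     scopes reported by the key manager (may be null or empty)
     * @param restApiResource the swagger definition text, or null if none could be resolved
     * @throws APIMgtSecurityException with {@code ACCESS_TOKEN_INACTIVE} when no scope matches, or
     *                                 {@code AUTH_GENERAL_ERROR} when the definition cannot be parsed
     */
    @SuppressFBWarnings({"DLS_DEAD_LOCAL_STORE"})
    private boolean validateScopes(Request request, ServiceMethodInfo serviceMethodInfo, String[] tokenScopes, String restApiResource) throws APIMgtSecurityException {
        String requestUrl = (String) request.getProperty("REQUEST_URL");
        String verb = (String) request.getProperty("HTTP_METHOD");

        if (tokenScopes == null || tokenScopes.length == 0) {
            return true;
        }

        if (restApiResource == null) {
            if (log.isDebugEnabled()) {
                log.debug("Rest API resource could not be found for resource '{}'", requestUrl);
            }
            throw new APIMgtSecurityException("Scope validation fails for the scopes " + Arrays.toString(tokenScopes), ExceptionCodes.ACCESS_TOKEN_INACTIVE);
        }

        Map<String, ?> definedScopes;
        try {
            definedScopes = new APIDefinitionFromSwagger20().getScopes(restApiResource);
        } catch (APIManagementException e) {
            log.error("Error while validating scopes", e);
            throw new APIMgtSecurityException("Error while validating scopes", ExceptionCodes.AUTH_GENERAL_ERROR);
        }

        if (definedScopes.isEmpty()) {
            if (log.isDebugEnabled()) {
                log.debug("Scope not defined in swagger for matching resource {} and verb {} . Hence consider as anonymous permission and let request to continue.", requestUrl, verb);
            }
            return true;
        }

        List<String> granted = Arrays.asList(tokenScopes);
        for (String scopeKey : definedScopes.keySet()) {
            for (String tokenScope : granted) {
                if (scopeKey != null && scopeKey.equalsIgnoreCase(tokenScope)) {
                    return true;
                }
            }
        }
        throw new APIMgtSecurityException("Scope validation fails for the scopes " + Arrays.toString(tokenScopes), ExceptionCodes.ACCESS_TOKEN_INACTIVE);
    }

    /**
     * Extracts the token from an {@code Authorization: Bearer <token>} header.
     *
     * @return the token; {@code null} when the header is a bare {@code Bearer} with no value
     * @throws APIMgtSecurityException when the scheme is not Bearer or the header has extra
     *                                 space-separated parts. The header value is deliberately NOT
     *                                 echoed in the message: it may carry a credential and the message
     *                                 can end up in logs or in the error response.
     */
    private String extractAccessToken(String authorizationHeader) throws APIMgtSecurityException {
        String header = authorizationHeader == null ? "" : authorizationHeader.trim();
        if (header.toLowerCase(Locale.US).startsWith(RestApiConstants.BEARER_PREFIX)) {
            String[] parts = header.split(" ");
            if (parts.length == 2) {
                return parts[1];
            }
            if (parts.length < 2) {
                return null;
            }
        }
        throw new APIMgtSecurityException("Invalid Authorization header: expected 'Bearer <token>'.", ExceptionCodes.INVALID_AUTHORIZATION_HEADER);
    }

    /**
     * Introspects the token through the AM login key manager.
     *
     * @throws APIMgtSecurityException with {@code AUTH_GENERAL_ERROR} when the key manager call fails
     */
    private AccessTokenInfo getValidatedTokenResponse(String accessToken) throws APIMgtSecurityException {
        try {
            return KeyManagerHolder.getAMLoginKeyManagerInstance().getTokenMetaData(accessToken);
        } catch (KeyManagementException e) {
            log.error("Error while validating access token", e);
            throw new APIMgtSecurityException("Error while validating access token", ExceptionCodes.AUTH_GENERAL_ERROR);
        }
    }

    static {
        // Fail at class load rather than at first request if the auth server is not configured.
        if (authServerURL == null) {
            throw new RuntimeException("AUTH_SERVER_URL is not specified.");
        }
    }
}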
