package org.wso2.carbon.apimgt.rest.api.util.interceptors.auth;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.security.AuthenticationException;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.aspectj.lang.JoinPoint;
import org.aspectj.runtime.internal.AroundClosure;
import org.aspectj.runtime.internal.Conversions;
import org.aspectj.runtime.reflect.Factory;
import org.wso2.carbon.apimgt.api.model.Scope;
import org.wso2.carbon.apimgt.api.model.URITemplate;
import org.wso2.carbon.apimgt.impl.utils.APIUtil;
import org.wso2.carbon.apimgt.impl.utils.RealmUtil;
import org.wso2.carbon.apimgt.rest.api.common.RestApiCommonUtil;
import org.wso2.carbon.apimgt.rest.api.util.MethodStats;
import org.wso2.carbon.apimgt.rest.api.util.MethodTimeLogger;
import org.wso2.carbon.apimgt.rest.api.util.RestApiConstants;
import org.wso2.carbon.apimgt.rest.api.util.utils.RestApiUtil;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
import org.wso2.uri.template.URITemplateException;

/* loaded from: input_file:org/wso2/carbon/apimgt/rest/api/util/interceptors/auth/BasicAuthenticationInterceptor.class */
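/**
 * CXF interceptor, registered for the {@code "pre-invoke"} phase, that authenticates HTTP Basic
 * credentials against the tenant's user store and then authorises the request by comparing the
 * user's roles with the roles mapped to the REST API scopes of the matched resource.
 *
 * <p>This listing is decompiled from AspectJ-woven bytecode. Each original method appears twice:
 * a thin dispatcher that may route the call through {@link MethodTimeLogger}, and a static
 * {@code *_aroundBodyN} method that holds the real logic. The {@code ajc$tjp_N} fields and the
 * {@code AjcClosureN} classes are weaver-generated plumbing; some of it (for example the
 * {@code final} fields that are assigned later in {@code ajc$preClinit()}) is shown as the
 * decompiler printed it and is not valid source as-is.
 *
 * <p>Authorisation decisions that allow the request without a role check are marked
 * "fail-open" in the comments below so they are easy to find during review.
 */
public class BasicAuthenticationInterceptor extends AbstractPhaseInterceptor {
    private static final Log log;
    // Static join-point descriptors, populated by ajc$preClinit() from the static initialiser.
    private static final JoinPoint.StaticPart ajc$tjp_0 = null;
    private static final JoinPoint.StaticPart ajc$tjp_1 = null;
    private static final JoinPoint.StaticPart ajc$tjp_2 = null;
    private static final JoinPoint.StaticPart ajc$tjp_3 = null;
    private static final JoinPoint.StaticPart ajc$tjp_4 = null;

    // Weaver-generated closures: each unpacks the captured argument array and calls the matching
    // *_aroundBodyN method, so the timing aspect can wrap the original method body.

    /* loaded from: input_file:org/wso2/carbon/apimgt/rest/api/util/interceptors/auth/BasicAuthenticationInterceptor$AjcClosure1.class */
    public class AjcClosure1 extends AroundClosure {
        public AjcClosure1(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] objArr2 = ((AroundClosure) this).state;
            BasicAuthenticationInterceptor.handleMessage_aroundBody0((BasicAuthenticationInterceptor) objArr2[0], (Message) objArr2[1], (JoinPoint) objArr2[2]);
            return null;
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/rest/api/util/interceptors/auth/BasicAuthenticationInterceptor$AjcClosure3.class */
    public class AjcClosure3 extends AroundClosure {
        public AjcClosure3(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] objArr2 = ((AroundClosure) this).state;
            return Conversions.booleanObject(BasicAuthenticationInterceptor.authenticate_aroundBody2((BasicAuthenticationInterceptor) objArr2[0], (Message) objArr2[1], (String) objArr2[2], (String) objArr2[3], (JoinPoint) objArr2[4]));
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/rest/api/util/interceptors/auth/BasicAuthenticationInterceptor$AjcClosure5.class */
    public class AjcClosure5 extends AroundClosure {
        public AjcClosure5(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] objArr2 = ((AroundClosure) this).state;
            return Conversions.booleanObject(BasicAuthenticationInterceptor.validateRoles_aroundBody4((BasicAuthenticationInterceptor) objArr2[0], (Message) objArr2[1], (UserRealm) objArr2[2], (String) objArr2[3], (String) objArr2[4], (JoinPoint) objArr2[5]));
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/rest/api/util/interceptors/auth/BasicAuthenticationInterceptor$AjcClosure7.class */
    public class AjcClosure7 extends AroundClosure {
        public AjcClosure7(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] objArr2 = ((AroundClosure) this).state;
            return Conversions.booleanObject(BasicAuthenticationInterceptor.validateUserRolesWithRESTAPIScopes_aroundBody6((BasicAuthenticationInterceptor) objArr2[0], (List) objArr2[1], (Map) objArr2[2], (String[]) objArr2[3], (String) objArr2[4], (String) objArr2[5], (String) objArr2[6], (Message) objArr2[7], (JoinPoint) objArr2[8]));
        }
    }

    /* loaded from: input_file:org/wso2/carbon/apimgt/rest/api/util/interceptors/auth/BasicAuthenticationInterceptor$AjcClosure9.class */
    public class AjcClosure9 extends AroundClosure {
        public AjcClosure9(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            Object[] objArr2 = ((AroundClosure) this).state;
            BasicAuthenticationInterceptor.lambda$0_aroundBody8((List) objArr2[0], (Scope) objArr2[1], (JoinPoint) objArr2[2]);
            return null;
        }
    }

    static {
        ajc$preClinit();
        log = LogFactory.getLog(BasicAuthenticationInterceptor.class);
    }

    /** Registers the interceptor for the CXF {@code "pre-invoke"} phase. */
    public BasicAuthenticationInterceptor() {
        super("pre-invoke");
    }

    /**
     * Entry point called by CXF for each inbound message. Runs
     * {@link #handleMessage_aroundBody0} either directly or, when method timing is enabled,
     * through the {@link MethodTimeLogger} aspect.
     *
     * @param message the inbound CXF message
     */
    @MethodStats
    public void handleMessage(Message message) {
        JoinPoint makeJP = Factory.makeJP(ajc$tjp_0, this, this, message);
        if (MethodTimeLogger.isConfigEnabled() || ((MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll()) || (this != null && getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled()))) {
            MethodTimeLogger.aspectOf().log(new AjcClosure1(new Object[]{this, message, makeJP}).linkClosureAndJoinPoint(69648));
        } else {
            handleMessage_aroundBody0(this, message, makeJP);
        }
    }

    /**
     * Timing-aware dispatcher for {@link #authenticate_aroundBody2}.
     *
     * @param message the inbound CXF message
     * @param str     the username (named {@code username} in the woven signature)
     * @param str2    the password (named {@code password} in the woven signature)
     * @return {@code true} only if the credentials and the role check both pass
     */
    private boolean authenticate(Message message, String str, String str2) {
        JoinPoint makeJP = Factory.makeJP(ajc$tjp_1, this, this, new Object[]{message, str, str2});
        return ((MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll()) || (this != null && getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled())) ? Conversions.booleanValue(MethodTimeLogger.aspectOf().log(new AjcClosure3(new Object[]{this, message, str, str2, makeJP}).linkClosureAndJoinPoint(69648))) : authenticate_aroundBody2(this, message, str, str2, makeJP);
    }

    /**
     * Timing-aware dispatcher for {@link #validateRoles_aroundBody4}.
     *
     * @param message   the inbound CXF message
     * @param userRealm realm of the tenant the user authenticated against
     * @param str       the tenant domain (named {@code tenantDomain} in the woven signature)
     * @param str2      the username (named {@code username} in the woven signature)
     * @return {@code true} if the request may proceed
     */
    private boolean validateRoles(Message message, UserRealm userRealm, String str, String str2) {
        JoinPoint makeJP = Factory.makeJP(ajc$tjp_2, this, this, new Object[]{message, userRealm, str, str2});
        return ((MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll()) || (this != null && getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled())) ? Conversions.booleanValue(MethodTimeLogger.aspectOf().log(new AjcClosure5(new Object[]{this, message, userRealm, str, str2, makeJP}).linkClosureAndJoinPoint(69648))) : validateRoles_aroundBody4(this, message, userRealm, str, str2, makeJP);
    }

    /**
     * Timing-aware dispatcher for {@link #validateUserRolesWithRESTAPIScopes_aroundBody6}.
     *
     * @param list    scopes attached to the matched resource ({@code resourceScopeList})
     * @param map     scope key to comma-separated role list ({@code restAPIScopes})
     * @param strArr  roles held by the user ({@code userRoles})
     * @param str     the username
     * @param str2    the request path, used in log messages
     * @param str3    the HTTP verb, used in log messages
     * @param message the inbound CXF message
     * @return {@code true} if at least one scope was validated
     */
    private boolean validateUserRolesWithRESTAPIScopes(List<Scope> list, Map<String, String> map, String[] strArr, String str, String str2, String str3, Message message) {
        JoinPoint makeJP = Factory.makeJP(ajc$tjp_3, this, this, new Object[]{list, map, strArr, str, str2, str3, message});
        return ((MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll()) || (this != null && getClass().isAnnotationPresent(MethodStats.class) && MethodTimeLogger.isConfigEnabled())) ? Conversions.booleanValue(MethodTimeLogger.aspectOf().log(new AjcClosure7(new Object[]{this, list, map, strArr, str, str2, str3, message, makeJP}).linkClosureAndJoinPoint(69648))) : validateUserRolesWithRESTAPIScopes_aroundBody6(this, list, map, strArr, str, str2, str3, message, makeJP);
    }

    /**
     * Real body of {@code handleMessage}: authenticates the request when it carries Basic
     * credentials.
     *
     * <p>Two paths leave this method without any credential check: the request targets an API
     * that {@code RestApiUtil.checkIfAnonymousAPI} reports as anonymous, or the message has no
     * {@link AuthorizationPolicy}. NOTE(review): in the second case this interceptor neither
     * accepts nor rejects; presumably another interceptor handles other schemes. Confirm that
     * the chain as a whole rejects requests no interceptor authenticated.
     *
     * @param basicAuthenticationInterceptor the interceptor instance ({@code this} before weaving)
     * @param message                        the inbound CXF message
     * @param joinPoint                      AspectJ join point, unused here
     * @throws AuthenticationException if a credential is empty or authentication fails
     */
    static final void handleMessage_aroundBody0(BasicAuthenticationInterceptor basicAuthenticationInterceptor, Message message, JoinPoint joinPoint) {
        if (RestApiUtil.checkIfAnonymousAPI(message)) {
            return;
        }
        message.put(RestApiConstants.TENANT_DOMAIN, CarbonContext.getThreadLocalCarbonContext().getTenantDomain());
        AuthorizationPolicy authorizationPolicy = (AuthorizationPolicy) message.get(AuthorizationPolicy.class);
        if (authorizationPolicy != null) {
            message.put(RestApiConstants.REQUEST_AUTHENTICATION_SCHEME, RestApiConstants.BASIC_AUTHENTICATION);
            // Both credentials are trimmed before use, so a password that starts or ends with
            // whitespace can never be presented exactly as it was set.
            String username = StringUtils.trim(authorizationPolicy.getUserName());
            String password = StringUtils.trim(authorizationPolicy.getPassword());
            if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)) {
                // The log says which credential was missing; the exception message does not.
                log.error("Basic Authentication failed: " + (StringUtils.isEmpty(username) ? "username cannot be null/empty." : "password cannot be null/empty."));
                throw new AuthenticationException("Unauthenticated request");
            }
            // Bad credentials and insufficient roles both surface as the same exception message.
            if (!basicAuthenticationInterceptor.authenticate(message, username, password)) {
                throw new AuthenticationException("Unauthenticated request");
            }
            log.debug("User logged into web app using Basic Authentication");
        }
    }

    /**
     * Real body of {@code authenticate}: verifies the password in the tenant's user store, sets
     * the caller's identity on the Carbon context, then delegates to the role check.
     *
     * <p>The tenant is derived from the client-supplied username, so the client chooses which
     * tenant's user store is consulted. Every failure path returns {@code false}.
     *
     * @param basicAuthenticationInterceptor the interceptor instance
     * @param message                        the inbound CXF message
     * @param str                            the username, possibly tenant-qualified
     * @param str2                           the password
     * @param joinPoint                      AspectJ join point, unused here
     * @return {@code true} only if the password matches and the role check passes
     */
    static final boolean authenticate_aroundBody2(BasicAuthenticationInterceptor basicAuthenticationInterceptor, Message message, String str, String str2, JoinPoint joinPoint) {
        // Captured BEFORE startTenantFlow(); the setters further down act on this earlier object.
        // NOTE(review): presumably that is what keeps the authenticated identity visible after
        // the tenant flow ends -- confirm against PrivilegedCarbonContext.
        PrivilegedCarbonContext threadLocalCarbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
        String tenantDomain = MultitenantUtils.getTenantDomain(str);
        int tenantIdFromTenantDomain = APIUtil.getTenantIdFromTenantDomain(tenantDomain);
        try {
            PrivilegedCarbonContext.startTenantFlow();
            PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain);
            PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(tenantIdFromTenantDomain);
            UserRealm tenantUserRealm = RealmUtil.getTenantUserRealm(tenantIdFromTenantDomain);
            if (tenantUserRealm == null) {
                log.error("Authentication failed: invalid domain or unactivated tenant login");
                return false;
            }
            if (!tenantUserRealm.getUserStoreManager().authenticate(MultitenantUtils.getTenantAwareUsername(str), str2)) {
                return false;
            }
            String addDomainToName = UserCoreUtil.addDomainToName(str, UserCoreUtil.getDomainFromThreadLocal());
            RestApiCommonUtil.setThreadLocalRequestedTenant(MultitenantUtils.getTenantAwareUsername(str));
            threadLocalCarbonContext.setTenantDomain(tenantDomain);
            threadLocalCarbonContext.setTenantId(tenantIdFromTenantDomain);
            threadLocalCarbonContext.setUsername(addDomainToName);
            if (!tenantDomain.equals("carbon.super")) {
                APIUtil.loadTenantConfigBlockingMode(tenantDomain);
            }
            // The tenant flow is ended only by the finally block. The decompiled listing also
            // called endTenantFlow() here, which ended the flow twice for a single start.
            return basicAuthenticationInterceptor.validateRoles(message, tenantUserRealm, tenantDomain, str);
        } catch (UserStoreException e) {
            // NOTE(review): the username is client-supplied and is concatenated into the log
            // line; confirm the log layout neutralises CR/LF so entries cannot be forged.
            log.error("Error occurred while authenticating user: " + str, e);
            return false;
        } finally {
            PrivilegedCarbonContext.endTenantFlow();
        }
    }

    /**
     * Real body of {@code validateRoles}: finds the URI template that matches the request path
     * and verb, then checks the user's roles against that resource's scopes.
     *
     * <p>Fail-open cases, both returning {@code true} without looking at roles: no URI templates
     * are registered for base path + API version, or the matched resource declares no scopes.
     * A request that matches no template is denied.
     *
     * @param basicAuthenticationInterceptor the interceptor instance
     * @param message                        the inbound CXF message
     * @param userRealm                      realm used to look up the user's roles
     * @param str                            the tenant domain
     * @param str2                           the username
     * @param joinPoint                      AspectJ join point, unused here
     * @return {@code true} if the request may proceed
     */
    static final boolean validateRoles_aroundBody4(BasicAuthenticationInterceptor basicAuthenticationInterceptor, Message message, UserRealm userRealm, String str, String str2, JoinPoint joinPoint) {
        String basePath = (String) message.get(Message.BASE_PATH);
        String requestUri = (String) message.get("org.apache.cxf.request.uri");
        String httpMethod = (String) message.get("org.apache.cxf.request.method");
        // Drops the base path but keeps its last character (presumably the '/').
        // NOTE(review): throws if either property is absent or the URI is shorter than the base
        // path. Whether the URI has been decoded/normalised before this point is not visible
        // here; confirm, because this string drives the authorisation decision.
        String resourcePath = requestUri.substring(basePath.length() - 1);
        String apiVersion = (String) message.get(RestApiConstants.API_VERSION);
        Set<URITemplate> uRITemplatesForBasePath = RestApiUtil.getURITemplatesForBasePath(String.valueOf(basePath) + apiVersion);
        if (uRITemplatesForBasePath.isEmpty()) {
            // Fail-open: nothing registered for this base path, so no role check is done.
            if (log.isDebugEnabled()) {
                log.debug("No matching scopes found for request with path: " + basePath + apiVersion + ". Skipping role validation.");
            }
            return true;
        }
        for (URITemplate template : uRITemplatesForBasePath) {
            Map<String, String> pathVariables = new HashMap<>();
            String uriTemplate = template.getUriTemplate();
            try {
                if (new org.wso2.uri.template.URITemplate(uriTemplate).matches(resourcePath, pathVariables) && httpMethod != null && httpMethod.equalsIgnoreCase(template.getHTTPVerb())) {
                    List<Scope> retrieveAllScopes = template.retrieveAllScopes();
                    if (retrieveAllScopes.isEmpty()) {
                        // Fail-open: a resource without scopes is treated as open to any
                        // authenticated user.
                        if (log.isDebugEnabled()) {
                            log.debug("Scope not defined in swagger for matching resource " + resourcePath + " and verb " + httpMethod + ". So consider as anonymous permission and let request to continue.");
                        }
                        return true;
                    }
                    Map<String, String> rESTAPIScopesForTenant = APIUtil.getRESTAPIScopesForTenant(str);
                    if (rESTAPIScopesForTenant == null) {
                        // No scope-to-role mapping available for the tenant: deny.
                        return false;
                    }
                    String[] roleListOfUser = userRealm.getUserStoreManager().getRoleListOfUser(MultitenantUtils.getTenantAwareUsername(str2));
                    if (roleListOfUser != null) {
                        // The first template that matches path and verb decides the outcome.
                        return basicAuthenticationInterceptor.validateUserRolesWithRESTAPIScopes(retrieveAllScopes, rESTAPIScopesForTenant, roleListOfUser, str2, requestUri, httpMethod, message);
                    }
                    log.error("Error while validating roles. Invalid user roles found for user: " + str2);
                    return false;
                }
            } catch (URITemplateException e) {
                // A malformed template is logged and skipped; later templates are still tried.
                log.error("Error while creating URI Template object to validate request. Template pattern: " + uriTemplate, e);
            } catch (UserStoreException e2) {
                log.error("Error while getting role list of user: " + str2, e2);
            }
        }
        // Nothing matched (or every candidate failed with an exception): deny.
        log.error("Error while validating roles. No matching resource URI template found in swagger for resource " + resourcePath + " and verb " + httpMethod);
        return false;
    }

    /**
     * Real body of {@code validateUserRolesWithRESTAPIScopes}: decides which of the resource's
     * scopes the user holds and publishes their keys on the exchange.
     *
     * <p>A scope is validated when the user has at least one of the roles mapped to it. Role
     * names are compared with {@code List.contains}, i.e. exactly and case-sensitively.
     * Fail-open: a scope with no (or a blank) role mapping is validated for every user.
     *
     * @param basicAuthenticationInterceptor the interceptor instance
     * @param list                           scopes of the matched resource
     * @param map                            scope key to comma-separated role list
     * @param strArr                         roles held by the user
     * @param str                            the username, used in log messages
     * @param str2                           the request path, used in log messages
     * @param str3                           the HTTP verb, used in log messages
     * @param message                        the inbound CXF message
     * @param joinPoint                      AspectJ join point, unused here
     * @return {@code true} if at least one scope was validated
     */
    static final boolean validateUserRolesWithRESTAPIScopes_aroundBody6(BasicAuthenticationInterceptor basicAuthenticationInterceptor, List list, Map map, String[] strArr, String str, String str2, String str3, Message message, JoinPoint joinPoint) {
        List<Scope> validatedScopes = new ArrayList<>();
        Iterator it = list.iterator();
        while (it.hasNext()) {
            Scope scope = (Scope) it.next();
            String mappedRoles = (String) map.get(scope.getKey());
            if (StringUtils.isNotBlank(mappedRoles)) {
                List<String> allowedRoles = Arrays.asList(mappedRoles.split("\\s*,\\s*"));
                // Bounded scan that stops at the first matching role. The decompiled listing
                // showed this as while (true) with no exit, which would never terminate.
                for (String userRole : strArr) {
                    if (allowedRoles.contains(userRole)) {
                        validatedScopes.add(scope);
                        if (log.isDebugEnabled()) {
                            log.debug("Basic Authentication: role validation successful for user: " + str + " with scope: " + scope.getKey() + " for resource path: " + str2 + " and verb " + str3);
                            log.debug("Added scope: " + scope.getKey() + " to validated user scope list");
                        }
                        break;
                    }
                }
            } else {
                // Fail-open: no role mapping for this scope, so it is granted without a check.
                validatedScopes.add(scope);
                if (log.isDebugEnabled()) {
                    log.debug("Role validation skipped. No REST API scope to role mapping defined for resource scope: " + scope.getKey() + " Treated as anonymous scope.");
                }
            }
        }
        List<String> validatedScopeKeys = new ArrayList<>();
        validatedScopes.forEach(scope2 -> {
            JoinPoint makeJP = Factory.makeJP(ajc$tjp_4, (Object) null, (Object) null, validatedScopeKeys, scope2);
            if (MethodTimeLogger.isConfigEnabled() && MethodTimeLogger.pointCutAll()) {
                MethodTimeLogger.aspectOf().log(new AjcClosure9(new Object[]{validatedScopeKeys, scope2, makeJP}).linkClosureAndJoinPoint(65536));
            } else {
                lambda$0_aroundBody8(validatedScopeKeys, scope2, makeJP);
            }
        });
        // Stored before the emptiness check, so a denied request still gets an (empty) array.
        message.getExchange().put(RestApiConstants.USER_REST_API_SCOPES, validatedScopeKeys.toArray(new String[0]));
        if (validatedScopes.isEmpty()) {
            log.error("Insufficient privileges. Role validation failed for user: " + str + " to access resource path: " + str2 + " and verb " + str3);
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Successfully validated REST API Scopes for the user " + str);
        }
        return true;
    }

    /**
     * Real body of the scope-key lambda: appends the scope's key to the list.
     *
     * @param list      accumulator of validated scope keys
     * @param scope     a validated scope
     * @param joinPoint AspectJ join point, unused here
     */
    static final void lambda$0_aroundBody8(List list, Scope scope, JoinPoint joinPoint) {
        list.add(scope.getKey());
    }

    /**
     * Weaver-generated initialiser that builds the static join-point descriptors. The signature
     * strings also record the original parameter names that the decompiler replaced with
     * {@code str}, {@code str2} and so on.
     */
    private static void ajc$preClinit() {
        Factory factory = new Factory("BasicAuthenticationInterceptor.java", BasicAuthenticationInterceptor.class);
        ajc$tjp_0 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "handleMessage", "org.wso2.carbon.apimgt.rest.api.util.interceptors.auth.BasicAuthenticationInterceptor", "org.apache.cxf.message.Message", "inMessage", "", "void"), 76);
        ajc$tjp_1 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "authenticate", "org.wso2.carbon.apimgt.rest.api.util.interceptors.auth.BasicAuthenticationInterceptor", "org.apache.cxf.message.Message:java.lang.String:java.lang.String", "inMessage:username:password", "", "boolean"), 113);
        ajc$tjp_2 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "validateRoles", "org.wso2.carbon.apimgt.rest.api.util.interceptors.auth.BasicAuthenticationInterceptor", "org.apache.cxf.message.Message:org.wso2.carbon.user.api.UserRealm:java.lang.String:java.lang.String", "inMessage:userRealm:tenantDomain:username", "", "boolean"), 163);
        ajc$tjp_3 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "validateUserRolesWithRESTAPIScopes", "org.wso2.carbon.apimgt.rest.api.util.interceptors.auth.BasicAuthenticationInterceptor", "java.util.List:java.util.Map:[Ljava.lang.String;:java.lang.String:java.lang.String:java.lang.String:org.apache.cxf.message.Message", "resourceScopeList:restAPIScopes:userRoles:username:path:verb:inMessage", "", "boolean"), 251);
        ajc$tjp_4 = factory.makeSJP("method-execution", factory.makeMethodSig("100a", "lambda$0", "org.wso2.carbon.apimgt.rest.api.util.interceptors.auth.BasicAuthenticationInterceptor", "java.util.List:org.wso2.carbon.apimgt.api.model.Scope", "arg0:scope", "", "void"), 291);
    }
}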
