package org.wso2.carbon.mss.security.oauth2;

import com.google.common.base.Charsets;
import com.google.common.collect.ArrayListMultimap;
import com.google.common.io.ByteStreams;
import com.google.gson.Gson;
import com.google.gson.reflect.TypeToken;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.mss.HttpResponder;
import org.wso2.carbon.mss.Interceptor;
import org.wso2.carbon.mss.ServiceMethodInfo;
import org.wso2.carbon.mss.security.MSSSecurityException;
import org.wso2.carbon.mss.security.SecurityErrorCode;
import org.wso2.carbon.mss.util.SystemVariableUtil;

/* loaded from: input_file:org/wso2/carbon/mss/security/oauth2/OAuth2SecurityInterceptor.class */
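/**
 * Interceptor that authenticates each request by sending its bearer token to an
 * external authorization server and admitting the call only when the server reports
 * the token as {@code active}.
 *
 * <p>The authorization server endpoint is read once from the {@code AUTH_SERVER_URL}
 * system variable; class initialization fails when it is absent. When both
 * {@code TRUST_STORE} and {@code TRUST_STORE_PASSWORD} are set, they are copied into
 * the {@code javax.net.ssl.*} system properties.
 *
 * <p>Every failure path rejects the request (fail closed): {@link #preCall} returns
 * {@code false} after sending a 401, 403 or 500 status.
 */
public class OAuth2SecurityInterceptor implements Interceptor {
    private static final Log log = LogFactory.getLog(OAuth2SecurityInterceptor.class);
    private static final String AUTHORIZATION_HTTP_HEADER = "Authorization";
    private static final String AUTH_TYPE_OAUTH2 = "OAuth2";
    private static final String BEARER_PREFIX = "bearer";
    private static final String AUTH_SERVER_URL_KEY = "AUTH_SERVER_URL";
    // NOTE(review): nothing here requires an https:// URL. With a plain-http endpoint the
    // access token is sent to the authorization server unencrypted - confirm deployments
    // always configure a TLS endpoint.
    private static final String AUTH_SERVER_URL = SystemVariableUtil.getValue(AUTH_SERVER_URL_KEY, null);
    private static final String TRUST_STORE = "TRUST_STORE";
    private static final String TRUST_STORE_PASSWORD = "TRUST_STORE_PASSWORD";

    static {
        if (AUTH_SERVER_URL == null) {
            throw new RuntimeException("AUTH_SERVER_URL is not specified.");
        }
        String trustStorePath = SystemVariableUtil.getValue(TRUST_STORE, null);
        String trustStorePassword = SystemVariableUtil.getValue(TRUST_STORE_PASSWORD, null);
        // A `return` statement is not legal inside a static initializer, so the
        // "both values present" condition is expressed as a guard around the assignments.
        boolean trustStoreConfigured = trustStorePath != null && !trustStorePath.isEmpty()
                && trustStorePassword != null && !trustStorePassword.isEmpty();
        if (trustStoreConfigured) {
            // These are JVM-wide properties: they change the default trust store for every
            // TLS client in the process, not only for calls made by this interceptor.
            System.setProperty("javax.net.ssl.trustStore", trustStorePath);
            System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
        }
    }

    /**
     * Authenticates the request before the service method runs.
     *
     * @param httpRequest       incoming request; its {@code Authorization} header is inspected
     * @param httpResponder     used to send the error status when authentication fails
     * @param serviceMethodInfo not used by this interceptor
     * @return {@code true} when the token was reported active, {@code false} after an
     *         error status has been sent
     */
    @Override // org.wso2.carbon.mss.Interceptor
    public boolean preCall(HttpRequest httpRequest, HttpResponder httpResponder, ServiceMethodInfo serviceMethodInfo) {
        try {
            HttpHeaders headers = httpRequest.headers();
            if (headers == null || !headers.contains(AUTHORIZATION_HTTP_HEADER)) {
                throw new MSSSecurityException(SecurityErrorCode.AUTHENTICATION_FAILURE,
                        "Missing Authorization header in the request.");
            }
            return validateToken(headers.get(AUTHORIZATION_HTTP_HEADER));
        } catch (MSSSecurityException e) {
            SecurityErrorCode errorCode = e.getErrorCode();
            // The exception messages built in this class never contain the header value or
            // the token, so logging the message does not write credentials to the log.
            log.error(e.getMessage() + " Requested Path: " + httpRequest.getUri());
            handleSecurityError(errorCode, httpResponder);
            return false;
        }
    }

    /** No post-processing is performed. */
    @Override // org.wso2.carbon.mss.Interceptor
    public void postCall(HttpRequest httpRequest, HttpResponseStatus httpResponseStatus, ServiceMethodInfo serviceMethodInfo) {
    }

    /**
     * Validates the token carried by the given {@code Authorization} header value.
     *
     * @param authorizationHeader raw header value
     * @return {@code true} when the authorization server reports {@code "active": true}
     * @throws MSSSecurityException when the header is malformed, the server cannot be
     *         reached, its response cannot be parsed, or the token is not active
     */
    private boolean validateToken(String authorizationHeader) throws MSSSecurityException {
        String accessToken = extractAccessToken(authorizationHeader);
        String serverResponse = getValidatedTokenResponse(accessToken);

        Map<String, String> responseData;
        try {
            responseData = getResponseDataMap(serverResponse);
        } catch (RuntimeException e) {
            // Gson reports malformed or unexpectedly shaped JSON with unchecked exceptions.
            // Convert them so the request is rejected through the normal error path instead
            // of an exception escaping the interceptor.
            throw new MSSSecurityException(SecurityErrorCode.GENERIC_ERROR,
                    "Unparseable response from Authorization Server", e);
        }

        // Gson returns null for an empty body; treat that the same as an inactive token.
        if (responseData != null && Boolean.parseBoolean(responseData.get("active"))) {
            return true;
        }
        throw new MSSSecurityException(SecurityErrorCode.AUTHENTICATION_FAILURE, "Invalid Access token.");
    }

    /**
     * Extracts the token from a header of the form {@code Bearer <token>}; the scheme is
     * matched case-insensitively.
     *
     * @param authorizationHeader raw header value, may be {@code null}
     * @return the token part of the header
     * @throws MSSSecurityException when the header is not exactly a bearer scheme followed
     *         by one token
     */
    private String extractAccessToken(String authorizationHeader) throws MSSSecurityException {
        if (authorizationHeader != null) {
            String[] parts = authorizationHeader.trim().split(" ");
            // Compare the whole scheme word rather than a prefix, so a scheme that merely
            // starts with "bearer" is not accepted.
            if (parts.length == 2 && BEARER_PREFIX.equalsIgnoreCase(parts[0]) && !parts[1].isEmpty()) {
                return parts[1];
            }
        }
        // The header value is deliberately left out of the message: preCall logs it, and
        // the value may hold credentials (a token, or Basic-scheme username/password).
        throw new MSSSecurityException(SecurityErrorCode.INVALID_AUTHORIZATION_HEADER,
                "Invalid Authorization header.");
    }

    /**
     * Posts the token to the authorization server as a {@code token=<value>} form body
     * and returns the response body as text.
     *
     * @param accessToken token taken from the request
     * @return response body decoded as UTF-8
     * @throws MSSSecurityException with {@code GENERIC_ERROR} on any I/O failure
     */
    private String getValidatedTokenResponse(String accessToken) throws MSSSecurityException {
        try {
            HttpURLConnection connection = (HttpURLConnection) new URL(AUTH_SERVER_URL).openConnection();
            // NOTE(review): no connect/read timeout is set, so a stalled authorization
            // server blocks the calling thread indefinitely - consider configuring both.
            connection.setDoOutput(true);
            connection.setRequestMethod(HttpMethod.POST.name());

            // The token is caller-controlled. Encoding it keeps characters such as '&' and
            // '=' from adding extra form parameters to the validation request.
            byte[] body = ("token=" + URLEncoder.encode(accessToken, "UTF-8")).getBytes(Charsets.UTF_8);
            try (OutputStream out = connection.getOutputStream()) {
                out.write(body);
            }
            try (InputStream in = connection.getInputStream()) {
                return new String(ByteStreams.toByteArray(in), Charsets.UTF_8);
            }
        } catch (IOException e) {
            log.error("Error invoking Authorization Server", e);
            throw new MSSSecurityException(SecurityErrorCode.GENERIC_ERROR, "Error invoking Authorization Server", e);
        }
    }

    /**
     * Parses the authorization server response as a flat JSON object of string values.
     *
     * @param json response body
     * @return the parsed map, or {@code null} when Gson yields no object for the input
     */
    private Map<String, String> getResponseDataMap(String json) {
        return new Gson().fromJson(json, new TypeToken<Map<String, String>>() {
        }.getType());
    }

    /**
     * Sends the HTTP status matching the security error: 401 with a
     * {@code WWW-Authenticate} header for authentication and header errors, 403 for
     * authorization failures, 500 for anything else.
     */
    private void handleSecurityError(SecurityErrorCode securityErrorCode, HttpResponder httpResponder) {
        if (securityErrorCode == SecurityErrorCode.AUTHENTICATION_FAILURE
                || securityErrorCode == SecurityErrorCode.INVALID_AUTHORIZATION_HEADER) {
            // NOTE(review): RFC 6750 names the challenge scheme "Bearer"; "OAuth2" is kept
            // because existing clients may match on it - confirm before changing.
            ArrayListMultimap<String, String> challengeHeaders = ArrayListMultimap.create();
            challengeHeaders.put("WWW-Authenticate", AUTH_TYPE_OAUTH2);
            httpResponder.sendStatus(HttpResponseStatus.UNAUTHORIZED, challengeHeaders);
        } else if (securityErrorCode == SecurityErrorCode.AUTHORIZATION_FAILURE) {
            httpResponder.sendStatus(HttpResponseStatus.FORBIDDEN);
        } else {
            httpResponder.sendStatus(HttpResponseStatus.INTERNAL_SERVER_ERROR);
        }
    }
}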
