package org.wso2.ei.dashboard.core.commons.auth;

import com.google.gson.JsonElement;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.openid.connect.sdk.Nonce;
import io.asgardeo.java.oidc.sdk.exception.SSOAgentServerException;
import io.asgardeo.java.oidc.sdk.validators.IDTokenValidator;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.text.ParseException;
import java.util.Iterator;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.wso2.ei.dashboard.core.commons.Constants;
import org.wso2.ei.dashboard.core.commons.utils.HttpUtils;
import org.wso2.ei.dashboard.core.commons.utils.TokenUtils;
import org.wso2.ei.dashboard.core.exception.DashboardServerException;
import org.wso2.micro.integrator.dashboard.utils.SSOConfig;

/* loaded from: input_file:WEB-INF/classes/org/wso2/ei/dashboard/core/commons/auth/JWTSecurityHandler.class */
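public class JWTSecurityHandler implements SecurityHandler {
    private static final Logger logger = LogManager.getLogger(JWTSecurityHandler.class);

    /**
     * Checks that {@code str} is a JWT the configured OIDC provider would accept as an ID token.
     *
     * <p>The token is parsed and handed to {@link IDTokenValidator} together with the agent
     * config. If the config has no JWKS endpoint yet, it is resolved once from the provider's
     * well-known document and stored back on the shared config so later calls skip the
     * discovery round trip.
     *
     * @param sSOConfig SSO configuration holding the OIDC agent config and well-known endpoint
     * @param str       the serialized JWT to validate
     * @return {@code true} when parsing and validation succeed, {@code false} otherwise
     */
    @Override
    public boolean isAuthenticated(SSOConfig sSOConfig, String str) {
        try {
            JWT token = JWTParser.parse(str);
            if (sSOConfig.getOidcAgentConfig().getJwksEndpoint() == null) {
                sSOConfig.getOidcAgentConfig().setJwksEndpoint(
                        getJWKSEndpointFromWellKnownEndpoint(sSOConfig.getWellKnownEndpoint()));
            }
            // No nonce is bound to this flow, so nonce validation is deliberately skipped.
            new IDTokenValidator(sSOConfig.getOidcAgentConfig(), token).validate((Nonce) null);
            return true;
        } catch (ParseException | DashboardServerException | SSOAgentServerException e) {
            // Previously this error-level log was only emitted when debug logging was enabled,
            // so rejected tokens left no trace at the default level. Log unconditionally; the
            // raw token itself is intentionally not included in the message.
            logger.error("Error validating the access token", e);
            return false;
        }
    }

    /**
     * Decides whether the user carried by {@code str} belongs to one of the allowed admin groups.
     *
     * <p>The token is only parsed here, not signature-checked; presumably callers run
     * {@link #isAuthenticated} first — confirm against the call site.
     *
     * @param sSOConfig SSO configuration naming the group claim and the allowed admin groups
     * @param str       the serialized JWT whose claims are inspected
     * @return {@code true} if any group in the configured claim is an allowed admin group
     */
    @Override
    public boolean isAuthorized(SSOConfig sSOConfig, String str) {
        return isUserInAdminGroup(TokenUtils.getParsedToken(str), sSOConfig);
    }

    /**
     * Returns whether the parsed token's group claim contains an allowed admin group.
     *
     * <p>A missing, null or unexpectedly typed claim is treated as "not an admin" rather than
     * letting a {@code NullPointerException} / {@code IllegalStateException} escape. A claim
     * that is a single string value is accepted as a one-element group list.
     *
     * @param token     the parsed token claims, expected to be a JSON object
     * @param sSOConfig SSO configuration naming the group claim and the allowed admin groups
     * @return {@code true} if at least one claimed group is in the allowed admin groups
     */
    private boolean isUserInAdminGroup(JsonElement token, SSOConfig sSOConfig) {
        if (token == null || !token.isJsonObject()) {
            return false;
        }
        JsonElement groups = token.getAsJsonObject().get(sSOConfig.getAdminGroupAttribute());
        if (groups == null || groups.isJsonNull()) {
            return false;
        }
        if (groups.isJsonPrimitive()) {
            return sSOConfig.getAllowedAdminGroups().contains(groups.getAsString());
        }
        if (!groups.isJsonArray()) {
            return false;
        }
        for (JsonElement group : groups.getAsJsonArray()) {
            // Skip nested objects/arrays instead of failing on getAsString().
            if (group.isJsonPrimitive()
                    && sSOConfig.getAllowedAdminGroups().contains(group.getAsString())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Fetches the provider's well-known document and returns its {@code jwks_uri}.
     *
     * <p>The returned URI decides which keys are trusted to sign tokens, and it is taken verbatim
     * from the discovery document; that document therefore has to come from a trusted,
     * TLS-protected endpoint. The HTTP response is closed in all paths (the previous version
     * leaked it).
     *
     * @param wellKnownEndpoint URL of the OIDC discovery document
     * @return the JWKS endpoint advertised by the provider
     * @throws DashboardServerException on a non-200 response, a missing/non-string
     *                                  {@code jwks_uri}, an invalid URI, or an I/O error
     */
    private URI getJWKSEndpointFromWellKnownEndpoint(String wellKnownEndpoint) {
        try (CloseableHttpResponse response = HttpUtils.doGet(new HttpGet(wellKnownEndpoint))) {
            if (response.getStatusLine().getStatusCode() != 200) {
                throw new DashboardServerException("Cannot find jwks_uri in well known endpoint response. "
                        + response.getStatusLine().getReasonPhrase());
            }
            JsonElement jwksUri = HttpUtils.getJsonResponse(response).get(Constants.JWKS_URI);
            // Guard the lookup: a document without jwks_uri previously surfaced as an NPE.
            if (jwksUri == null || !jwksUri.isJsonPrimitive()) {
                throw new DashboardServerException("Cannot find jwks_uri in well known endpoint response.");
            }
            return new URI(jwksUri.getAsString());
        } catch (URISyntaxException e) {
            throw new DashboardServerException("Invalid url for jwks_uri", e);
        } catch (IOException e) {
            throw new DashboardServerException("Error reading well known endpoint response", e);
        }
    }
}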
