package com.sap.cloud.security.xsuaa.extractor;

import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.xsuaa.XsuaaServiceConfiguration;
import com.sap.cloud.security.xsuaa.client.ClientCredentials;
import com.sap.cloud.security.xsuaa.client.OAuth2TokenService;
import com.sap.cloud.security.xsuaa.client.XsuaaDefaultEndpoints;
import com.sap.cloud.security.xsuaa.client.XsuaaOAuth2TokenService;
import com.sap.cloud.security.xsuaa.jwt.DecodedJwt;
import com.sap.cloud.security.xsuaa.tokenflows.TokenFlowException;
import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import org.json.JSONException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;

/* loaded from: input_file:com/sap/cloud/security/xsuaa/extractor/IasXsuaaExchangeBroker.class */
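/**
 * {@link BearerTokenResolver} that reads the bearer token from the {@code Authorization} header
 * and, when {@code TokenUtil.isIasToXsuaaXchangeEnabled()} is true and
 * {@code TokenUtil.isXsuaaToken} does not recognise the token, exchanges it for an XSUAA access
 * token through the user token flow.
 *
 * <p>NOTE(review): nothing in this class verifies the signature of the incoming token before it is
 * decoded and handed to the token flow. Presumably the token endpoint and the downstream
 * resource-server validation do that; confirm before relying on any claim read here.
 */
public class IasXsuaaExchangeBroker implements BearerTokenResolver {
    private static final Logger logger = LoggerFactory.getLogger(IasXsuaaExchangeBroker.class);
    private static final String AUTH_HEADER = "Authorization";
    private static final String BEARER_SCHEME = "bearer";

    private final XsuaaTokenFlows xsuaaTokenFlows;

    /**
     * Creates a broker that uses the given token flows for the exchange.
     *
     * @param xsuaaTokenFlows token flows used by {@link #doIasXsuaaXchange(DecodedJwt)}
     */
    public IasXsuaaExchangeBroker(XsuaaTokenFlows xsuaaTokenFlows) {
        this.xsuaaTokenFlows = xsuaaTokenFlows;
    }

    /**
     * Creates a broker whose token flows are built from the service configuration: the UAA URL
     * selects the endpoints, and the client id and client secret form the client credentials.
     *
     * @param xsuaaServiceConfiguration source of the UAA URL, client id and client secret
     * @param oAuth2TokenService token service the flows send their requests through
     */
    public IasXsuaaExchangeBroker(XsuaaServiceConfiguration xsuaaServiceConfiguration, OAuth2TokenService oAuth2TokenService) {
        ClientCredentials clientCredentials = new ClientCredentials(
                xsuaaServiceConfiguration.getClientId(),
                xsuaaServiceConfiguration.getClientSecret());
        XsuaaDefaultEndpoints endpoints = new XsuaaDefaultEndpoints(xsuaaServiceConfiguration.getUaaUrl());
        this.xsuaaTokenFlows = new XsuaaTokenFlows(oAuth2TokenService, endpoints, clientCredentials);
    }

    /**
     * Creates a broker from the service configuration with a default {@link XsuaaOAuth2TokenService}.
     *
     * @param xsuaaServiceConfiguration source of the UAA URL, client id and client secret
     */
    public IasXsuaaExchangeBroker(XsuaaServiceConfiguration xsuaaServiceConfiguration) {
        this(xsuaaServiceConfiguration, new XsuaaOAuth2TokenService());
    }

    /**
     * Resolves the token to authenticate the request with.
     *
     * <p>Returns the header token unchanged when the exchange is disabled or the token is already
     * an XSUAA token; otherwise returns the result of {@link #doIasXsuaaXchange(DecodedJwt)}.
     *
     * <p>NOTE(review): a {@code null} result is returned both when decoding fails and when the
     * exchange fails. How the caller treats {@code null} is not visible here; Spring's bearer-token
     * filter typically reads it as "no token presented" and continues unauthenticated, so protected
     * routes must still require authentication. Confirm against the filter configuration.
     *
     * @param httpServletRequest the incoming request
     * @return the token to use, or {@code null} if it could not be decoded or exchanged
     * @throws InvalidBearerTokenException if the {@code Authorization} header is missing or is not a
     *         well-formed bearer header
     */
    @Nullable
    public String resolve(HttpServletRequest httpServletRequest) {
        try {
            String bearerToken = extractTokenFromRequest(httpServletRequest);
            if (!TokenUtil.isIasToXsuaaXchangeEnabled()) {
                return bearerToken;
            }
            DecodedJwt decodedJwt = TokenUtil.decodeJwt(bearerToken);
            if (TokenUtil.isXsuaaToken(decodedJwt)) {
                return bearerToken;
            }
            return doIasXsuaaXchange(decodedJwt);
        } catch (JSONException e) {
            // Only the exception message is logged; the token itself is never written to the log.
            logger.error("Couldn't decode the token: {}", e.getMessage());
            return null;
        }
    }

    /**
     * Exchanges the decoded token for an XSUAA access token via the user token flow.
     *
     * <p>The decompiler reports this method as package-private in the original class; it is kept
     * public here so existing callers of this listing keep compiling.
     *
     * @param decodedJwt the decoded incoming token
     * @return the XSUAA access token, or {@code null} if the token flow throws
     *         {@link TokenFlowException}
     */
    @Nullable
    public String doIasXsuaaXchange(DecodedJwt decodedJwt) {
        try {
            return this.xsuaaTokenFlows
                    .userTokenFlow()
                    .token(createToken(decodedJwt))
                    .execute()
                    .getAccessToken();
        } catch (TokenFlowException e) {
            logger.error("Xsuaa token request failed {}", e.getMessage());
            return null;
        }
    }

    /** Wraps the parsed JWT in an {@code IasToken} for the token flow. */
    private Token createToken(DecodedJwt decodedJwt) {
        return new IasToken(TokenUtil.parseJwt(decodedJwt));
    }

    /**
     * Extracts the bearer token from the {@code Authorization} header.
     *
     * <p>The scheme is matched case-insensitively without depending on the default locale, must be
     * followed by a space or tab (so {@code "BearerX"} is not taken for the bearer scheme), and the
     * token must be non-empty so that an empty string never reaches the JWT decoder.
     *
     * @throws InvalidBearerTokenException if the header is absent or not a well-formed bearer header
     */
    private String extractTokenFromRequest(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(AUTH_HEADER);
        int schemeLength = BEARER_SCHEME.length();
        if (header == null || !header.regionMatches(true, 0, BEARER_SCHEME, 0, schemeLength)) {
            throw new InvalidBearerTokenException("Invalid authorization header");
        }
        if (header.length() > schemeLength) {
            char delimiter = header.charAt(schemeLength);
            if (delimiter != ' ' && delimiter != '\t') {
                throw new InvalidBearerTokenException("Invalid authorization header");
            }
        }
        String token = header.substring(schemeLength).trim();
        if (token.isEmpty()) {
            throw new InvalidBearerTokenException("Invalid authorization header");
        }
        return token;
    }
}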
