package org.wso2.carbon.apimgt.rest.api.common.utils;

import java.text.ParseException;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Set;
import net.minidev.json.JSONObject;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.api.OAuthTokenInfo;
import org.wso2.carbon.apimgt.api.model.Scope;
import org.wso2.carbon.apimgt.impl.jwt.SignedJWTInfo;
import org.wso2.carbon.apimgt.impl.utils.APIUtil;
import org.wso2.carbon.apimgt.rest.api.common.RestApiConstants;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.CarbonUtils;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
import org.wso2.uri.template.URITemplate;
import org.wso2.uri.template.URITemplateException;

/* loaded from: input_file:org/wso2/carbon/apimgt/rest/api/common/utils/JWTUtil.class */
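public class JWTUtil {
    private static final Log log = LogFactory.getLog(JWTUtil.class);
    private static final String SUPER_TENANT_SUFFIX = "@carbon.super";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final String SCOPE_CLAIM = "scope";
    private static final String ORG_UUID_KEY = "uuid";
    private static final String ENABLE_EMAIL_USER_NAME_PROPERTY = "EnableEmailUserName";

    /**
     * Validates a signed JWT against the invoked REST API resource and, on success, binds the caller's
     * tenant and user name to the thread-local Carbon context.
     *
     * <p>The checks, in order: the token carries a {@code scope} claim; the request names an organisation
     * ({@link RestApiConstants#ORG_ID}); the token's organisation claim is present and equals the requested
     * one; and {@link #validateScopes(HashMap, OAuthTokenInfo)} accepts the token for the resource. Every
     * failed check is logged and yields {@code false}. A tenant that cannot be resolved through the
     * {@link RealmService} also yields {@code false}: without a tenant id the Carbon context cannot be set
     * and {@link RestApiConstants#AUTH_TOKEN_INFO} is never populated, so the request must not proceed.
     *
     * @param hashMap        per-request attribute map; read for {@link RestApiConstants#MASKED_TOKEN},
     *                       {@link RestApiConstants#ORG_ID} and the keys consumed by
     *                       {@link #validateScopes(HashMap, OAuthTokenInfo)}; written with
     *                       {@link RestApiConstants#USER_REST_API_SCOPES} and
     *                       {@link RestApiConstants#AUTH_TOKEN_INFO} on success
     * @param signedJWTInfo  the verified JWT whose claims are inspected
     * @param str            the raw access token, stored on the resulting {@link OAuthTokenInfo}
     * @return {@code true} if the token is authorised for the resource and the context has been populated
     * @throws APIManagementException propagated from tenant configuration loading
     * @throws ParseException         if the {@code scope} claim cannot be read as a string
     */
    public static boolean handleScopeValidation(HashMap<String, Object> hashMap, SignedJWTInfo signedJWTInfo,
                                                String str) throws APIManagementException, ParseException {
        // Only ever logged; String.valueOf avoids an NPE when the attribute is absent.
        String maskedToken = String.valueOf(hashMap.get(RestApiConstants.MASKED_TOKEN));
        OAuthTokenInfo tokenInfo = new OAuthTokenInfo();
        tokenInfo.setAccessToken(str);
        tokenInfo.setEndUserName(signedJWTInfo.getJwtClaimsSet().getSubject());

        String scopeClaim = signedJWTInfo.getJwtClaimsSet().getStringClaim(SCOPE_CLAIM);
        if (scopeClaim == null) {
            log.error("scopes validation failed for the token" + maskedToken);
            return false;
        }
        String requestedOrgId = (String) hashMap.get(RestApiConstants.ORG_ID);
        if (requestedOrgId == null) {
            log.error("Organization is not present in the request");
            return false;
        }
        // Scopes are space separated in the JWT claim.
        tokenInfo.setScopes(scopeClaim.split(" "));

        String orgIdFromJwt = getOrgIdFromJwt(signedJWTInfo);
        if (orgIdFromJwt == null) {
            log.error("Unable to get organization claim from the jwt");
            return false;
        }
        if (!requestedOrgId.equals(orgIdFromJwt)) {
            log.error(String.format("Requested OrgId (%s) and the token's organization uuid (%s) mismatch!",
                    requestedOrgId, orgIdFromJwt));
            return false;
        }
        if (!validateScopes(hashMap, tokenInfo)) {
            log.error("scopes validation failed for the token" + maskedToken);
            return false;
        }
        hashMap.put(RestApiConstants.USER_REST_API_SCOPES, tokenInfo.getScopes());

        String tenantDomain = MultitenantUtils.getTenantDomain(tokenInfo.getEndUserName());
        PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
        RealmService realmService = (RealmService) carbonContext.getOSGiService(RealmService.class, (Hashtable) null);
        String username = resolveContextUsername(tokenInfo.getEndUserName(), tenantDomain);
        if (log.isDebugEnabled()) {
            log.debug("username = " + username + "masked token " + maskedToken);
        }
        try {
            int tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
            carbonContext.setTenantDomain(tenantDomain);
            carbonContext.setTenantId(tenantId);
            carbonContext.setUsername(username);
            hashMap.put(RestApiConstants.AUTH_TOKEN_INFO, tokenInfo);
            if (!SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
                APIUtil.loadTenantConfigBlockingMode(tenantDomain);
            }
        } catch (UserStoreException e) {
            // Fail closed: the tenant context was not established and AUTH_TOKEN_INFO was not set, so a
            // downstream handler would run with an unset or stale tenant if the request were allowed through.
            log.error("Error while retrieving tenant id for tenant domain: " + tenantDomain, e);
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Scope validation success for the token " + maskedToken);
        }
        return true;
    }

    /**
     * Derives the user name to bind to the Carbon context. Super-tenant users are reduced to their
     * tenant-aware form when e-mail user names are enabled, or when the name ends with
     * {@value #SUPER_TENANT_SUFFIX} and contains at most one {@code @}; other tenants keep the name as is.
     *
     * @param endUserName  subject taken from the JWT
     * @param tenantDomain tenant domain derived from {@code endUserName}
     * @return the user name to set on the context
     */
    private static String resolveContextUsername(String endUserName, String tenantDomain) {
        if (!SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
            return endUserName;
        }
        long atSignCount = endUserName.chars().filter(ch -> ch == '@').count();
        boolean emailUserNameEnabled = Boolean.parseBoolean(
                CarbonUtils.getServerConfiguration().getFirstProperty(ENABLE_EMAIL_USER_NAME_PROPERTY));
        if (emailUserNameEnabled || (endUserName.endsWith(SUPER_TENANT_SUFFIX) && atSignCount <= 1)) {
            return MultitenantUtils.getTenantAwareUsername(endUserName);
        }
        return endUserName;
    }

    /**
     * Checks whether the token's scopes authorise the request described in {@code hashMap}.
     *
     * <p>The request path is the part of {@link RestApiConstants#REQUEST_URL} that follows the base path
     * (keeping its trailing separator). Each entry of {@link RestApiConstants#URI_TEMPLATES} whose template
     * matches that path and whose HTTP verb matches {@link RestApiConstants#REQUEST_METHOD} is checked: the
     * request is allowed if the token holds the template's single scope or one of its scope list, or if the
     * template declares no scope at all (treated as anonymous). An empty template set skips validation and
     * allows the request; a missing template set, base path or request URL denies it.
     *
     * @param hashMap        per-request attribute map
     * @param oAuthTokenInfo token whose {@link OAuthTokenInfo#getScopes()} are checked
     * @return {@code true} if the request is authorised
     */
    public static boolean validateScopes(HashMap<String, Object> hashMap, OAuthTokenInfo oAuthTokenInfo) {
        String basePath = (String) hashMap.get(RestApiConstants.BASE_PATH);
        String requestUrl = (String) hashMap.get(RestApiConstants.REQUEST_URL);
        String httpMethod = (String) hashMap.get(RestApiConstants.REQUEST_METHOD);
        if (basePath == null || basePath.isEmpty() || requestUrl == null
                || requestUrl.length() < basePath.length() - 1) {
            log.error("Unable to derive the resource path for scope validation from the request attributes");
            return false;
        }
        // Keeps the leading separator of the resource path, e.g. ".../v3/" + ".../v3/apis" -> "/apis".
        String resourcePath = requestUrl.substring(basePath.length() - 1);
        String[] tokenScopes = oAuthTokenInfo.getScopes();
        Set<?> uriTemplates = (Set<?>) hashMap.get(RestApiConstants.URI_TEMPLATES);
        if (uriTemplates == null) {
            log.error("URI templates are not available for scope validation of path: " + basePath);
            return false;
        }
        if (uriTemplates.isEmpty()) {
            if (log.isDebugEnabled()) {
                log.debug("No matching scopes found for request with path: " + basePath
                        + ". Skipping scope validation.");
            }
            return true;
        }
        // Without token scopes or a request method no template can be matched.
        if (tokenScopes == null || httpMethod == null) {
            return false;
        }
        for (Object element : uriTemplates) {
            org.wso2.carbon.apimgt.api.model.URITemplate resource =
                    (org.wso2.carbon.apimgt.api.model.URITemplate) element;
            if (!matchesRequest(resource, resourcePath, httpMethod)) {
                continue;
            }
            if (hasMatchingScope(resource, tokenScopes, resourcePath, requestUrl, httpMethod,
                    hashMap.get(RestApiConstants.MASKED_TOKEN))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether a resource definition applies to the request: its URI template matches the resource
     * path and its HTTP verb equals the request method (case-insensitive). A template that cannot be
     * compiled is logged and treated as not matching.
     */
    private static boolean matchesRequest(org.wso2.carbon.apimgt.api.model.URITemplate resource,
                                          String resourcePath, String httpMethod) {
        String pattern = resource.getUriTemplate();
        URITemplate template;
        try {
            template = new URITemplate(pattern);
        } catch (URITemplateException e) {
            log.error("Error while creating URI Template object to validate request. Template pattern: "
                    + pattern, e);
            return false;
        }
        return template.matches(resourcePath, new HashMap<>())
                && httpMethod.equalsIgnoreCase(resource.getHTTPVerb());
    }

    /**
     * Decides whether the token scopes satisfy a matched resource. Comparison of scope keys is
     * case-insensitive. A resource with neither a single scope nor a scope list is allowed as anonymous,
     * provided the token carries at least one scope (a token with no scopes never matches anything).
     */
    private static boolean hasMatchingScope(org.wso2.carbon.apimgt.api.model.URITemplate resource,
                                            String[] tokenScopes, String resourcePath, String requestUrl,
                                            String httpMethod, Object maskedToken) {
        if (tokenScopes.length == 0) {
            return false;
        }
        Scope singleScope = resource.getScope();
        if (singleScope != null) {
            for (String tokenScope : tokenScopes) {
                if (tokenScope.equalsIgnoreCase(singleScope.getKey())) {
                    logScopeMatch(maskedToken, singleScope.getKey(), requestUrl, httpMethod);
                    return true;
                }
            }
            return false;
        }
        if (resource.retrieveAllScopes().isEmpty()) {
            if (log.isDebugEnabled()) {
                log.debug("Scope not defined in swagger for matching resource " + resourcePath + " and verb "
                        + httpMethod + " . So consider as anonymous permission and let request to continue.");
            }
            return true;
        }
        for (String tokenScope : tokenScopes) {
            for (Scope resourceScope : resource.retrieveAllScopes()) {
                if (tokenScope.equalsIgnoreCase(resourceScope.getKey())) {
                    logScopeMatch(maskedToken, resourceScope.getKey(), requestUrl, httpMethod);
                    return true;
                }
            }
        }
        return false;
    }

    /** Emits the debug line recorded when a token scope satisfies a resource. */
    private static void logScopeMatch(Object maskedToken, String scopeKey, String requestUrl, String httpMethod) {
        if (log.isDebugEnabled()) {
            log.debug("Scope validation successful for access token: " + maskedToken + " with scope: "
                    + scopeKey + " for resource path: " + requestUrl + " and verb " + httpMethod);
        }
    }

    /**
     * Reads the organisation uuid from the JWT's {@link RestApiConstants#ORGANIZATION} claim.
     *
     * @param signedJWTInfo the JWT to inspect
     * @return the {@code uuid} entry of the organisation claim, or {@code null} if the claim is absent, has
     *         no {@code uuid}, or cannot be parsed
     */
    public static String getOrgIdFromJwt(SignedJWTInfo signedJWTInfo) {
        try {
            JSONObject orgClaim = signedJWTInfo.getJwtClaimsSet().getJSONObjectClaim(RestApiConstants.ORGANIZATION);
            if (log.isDebugEnabled()) {
                log.debug("Retrieved organization claim from jwt: " + orgClaim);
            }
            // Null-check the claim before dereferencing it: a token without the claim must yield null,
            // not an NPE.
            if (orgClaim == null || !orgClaim.containsKey(ORG_UUID_KEY)
                    || orgClaim.getAsString(ORG_UUID_KEY) == null) {
                log.debug("Unable to get organization claim from the jwt");
                return null;
            }
            return orgClaim.getAsString(ORG_UUID_KEY);
        } catch (ParseException e) {
            // Full stack trace only at debug level; otherwise just the message.
            if (log.isDebugEnabled()) {
                log.error("Failed to parse organization claim from JWT claims", e);
            } else {
                log.error("Failed to parse organization claim from JWT claims: " + e.getMessage());
            }
            return null;
        }
    }
}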
