package org.wso2.carbon.webapp.authenticator.framework;

import java.util.HashMap;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.owasp.encoder.Encode;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve;
import org.wso2.carbon.tomcat.ext.valves.CompositeValve;
import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
import org.wso2.carbon.webapp.authenticator.framework.authorizer.WebappTenantAuthorizer;

/* loaded from: input_file:org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.class */
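public class WebappAuthenticationValve extends CarbonTomcatValve {
    private static final Log log = LogFactory.getLog(WebappAuthenticationValve.class);

    /**
     * Request URIs (always stored with a trailing '/') that are served without authentication.
     * Filled lazily from each webapp's {@code nonSecuredEndPoints} context parameter.
     * Valves run on many request threads concurrently, so the set is backed by a
     * ConcurrentHashMap; the previous static HashMap was mutated without any synchronization.
     */
    private static final Set<String> nonSecuredEndpoints = ConcurrentHashMap.newKeySet();

    /**
     * Context paths whose {@code nonSecuredEndPoints} parameter has already been parsed.
     * Kept apart from the endpoint set so a context path can never be mistaken for an
     * allow-listed URI (the original code stored both in the same map).
     */
    private static final Set<String> loadedContexts = ConcurrentHashMap.newKeySet();

    /**
     * Authenticates the request (and authorizes it against the tenant for managed APIs) before
     * handing it to the next valve. Requests for the carbon console / admin services, for webapps
     * that did not opt in via {@code doAuthentication}, and for configured non-secured endpoints
     * are forwarded untouched.
     *
     * @param request        the incoming Tomcat request
     * @param response       the response; receives a 401 when authentication cannot proceed
     * @param compositeValve the valve chain to continue with
     */
    @Override
    public void invoke(Request request, Response response, CompositeValve compositeValve) {
        if (isContextSkipped(request) || skipAuthentication(request)) {
            getNext().invoke(request, response, compositeValve);
            return;
        }
        WebappAuthenticator authenticator = WebappAuthenticatorFactory.getAuthenticator(request);
        if (authenticator == null) {
            AuthenticationFrameworkUtil.handleResponse(request, response, 401,
                    "Failed to load an appropriate authenticator to authenticate the request");
            return;
        }
        AuthenticationInfo authenticationInfo = authenticator.authenticate(request, response);
        if (authenticationInfo == null) {
            // Fail closed: an authenticator that yields no result must not let the request through
            // (previously this dereference would have thrown and surfaced as a server error).
            AuthenticationFrameworkUtil.handleResponse(request, response, 401,
                    "Failed to authenticate the request");
            return;
        }
        WebappAuthenticator.Status status = authenticationInfo.getStatus();
        if (isManagedAPI(request)
                && (status == WebappAuthenticator.Status.CONTINUE || status == WebappAuthenticator.Status.SUCCESS)) {
            // Tenant authorization can downgrade a successful authentication to FAILURE.
            authenticationInfo.setStatus(WebappTenantAuthorizer.authorize(request, authenticationInfo));
        }
        if (authenticationInfo.getTenantId() == -1) {
            // No tenant resolved: process without entering a tenant flow.
            processRequest(request, response, compositeValve, authenticationInfo);
            return;
        }
        try {
            PrivilegedCarbonContext.startTenantFlow();
            PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
            carbonContext.setTenantId(authenticationInfo.getTenantId());
            carbonContext.setTenantDomain(authenticationInfo.getTenantDomain());
            carbonContext.setUsername(authenticationInfo.getUsername());
            processRequest(request, response, compositeValve, authenticationInfo);
        } finally {
            // Always unwind the tenant flow, even if the downstream valve throws.
            PrivilegedCarbonContext.endTenantFlow();
        }
    }

    /**
     * Returns true when this valve should not authenticate the request: the webapp did not set
     * its {@code doAuthentication} context parameter to {@code true}, or the request targets a
     * configured non-secured endpoint. Note the default is to skip -- a webapp that omits the
     * parameter is not authenticated by this valve.
     *
     * @param request the incoming request
     * @return true if authentication is to be skipped
     */
    private boolean skipAuthentication(Request request) {
        // Boolean.parseBoolean(null) is false, so an absent parameter means "skip".
        String doAuthentication = request.getContext().findParameter("doAuthentication");
        return !Boolean.parseBoolean(doAuthentication) || isNonSecuredEndPoint(request);
    }

    /**
     * Returns true when the webapp declares {@code managed-api-enabled=true}, in which case a
     * successful authentication is additionally checked by the tenant authorizer.
     *
     * @param request the incoming request
     * @return true if tenant authorization applies
     */
    private boolean isManagedAPI(Request request) {
        return Boolean.parseBoolean(request.getContext().findParameter("managed-api-enabled"));
    }

    /**
     * Returns true for requests that belong to the carbon console or the admin services
     * context, which are secured elsewhere. The context path is taken from the mapped context,
     * then from the request, and finally from the first segment of the request URI.
     *
     * @param request the incoming request
     * @return true if the request targets the {@code carbon} or {@code services} context
     */
    private boolean isContextSkipped(Request request) {
        String path = request.getContext().getPath();
        if (path == null || path.isEmpty()) {
            path = request.getContextPath();
            if (path == null || path.isEmpty()) {
                String requestURI = request.getRequestURI();
                if ("/".equals(requestURI)) {
                    return true;
                }
                StringTokenizer segments = new StringTokenizer(requestURI, "/");
                if (!segments.hasMoreTokens()) {
                    return false;
                }
                path = segments.nextToken();
            }
        }
        return "carbon".equalsIgnoreCase(path) || "services".equalsIgnoreCase(path);
    }

    /**
     * Returns true when the request URI is listed in the webapp's {@code nonSecuredEndPoints}
     * context parameter (a comma-separated list). The list is parsed once per context path and
     * cached in {@link #nonSecuredEndpoints}; the check is an exact string match on the raw
     * request URI, with a trailing '/' normalised on both sides.
     *
     * @param request the incoming request
     * @return true if the request may be served without authentication
     */
    private boolean isNonSecuredEndPoint(Request request) {
        String requestURI = withTrailingSlash(request.getRequestURI());
        String contextPath = request.getContextPath();
        if (!loadedContexts.contains(contextPath)) {
            String configured = request.getContext().findParameter("nonSecuredEndPoints");
            if (configured != null && !configured.isEmpty()) {
                StringTokenizer tokenizer = new StringTokenizer(configured, ",");
                while (tokenizer.hasMoreTokens()) {
                    String endpoint = tokenizer.nextToken().replace("\n", "").replace("\r", "").trim();
                    if (endpoint.isEmpty()) {
                        // A stray comma must not allow-list "/" by accident.
                        continue;
                    }
                    nonSecuredEndpoints.add(withTrailingSlash(endpoint));
                }
                // Mark the context only after its endpoints are visible: a concurrent request
                // either re-parses (idempotent) or sees the complete list, never a partial one.
                loadedContexts.add(contextPath);
            }
        }
        return nonSecuredEndpoints.contains(requestURI);
    }

    /**
     * Appends a '/' unless the value already ends with one, so configured endpoints and request
     * URIs compare in a single canonical form.
     *
     * @param value a non-null URI path
     * @return the value with a trailing slash
     */
    private static String withTrailingSlash(String value) {
        return value.endsWith("/") ? value : value + "/";
    }

    /**
     * Acts on the authentication outcome: SUCCESS and CONTINUE pass the request down the chain,
     * FAILURE answers with 401 (echoing the authenticator's message in {@code WWW-Authenticate}
     * when one is given), and any other status is silently dropped.
     *
     * @param request            the incoming request
     * @param response           the response to write a 401 to on failure
     * @param compositeValve     the valve chain to continue with
     * @param authenticationInfo the authenticator's result, never null
     */
    private void processRequest(Request request, Response response, CompositeValve compositeValve,
                                AuthenticationInfo authenticationInfo) {
        switch (authenticationInfo.getStatus()) {
            case SUCCESS:
            case CONTINUE:
                getNext().invoke(request, response, compositeValve);
                return;
            case FAILURE:
                String message = "Failed to authorize incoming request";
                if (authenticationInfo.getMessage() != null && !authenticationInfo.getMessage().isEmpty()) {
                    message = authenticationInfo.getMessage();
                    // The header value comes from the authenticator, not from the client.
                    response.setHeader("WWW-Authenticate", message);
                }
                if (log.isDebugEnabled()) {
                    // Encode the URI so a crafted request cannot inject into the log line.
                    log.debug(message + " , API : " + Encode.forUriComponent(request.getRequestURI()));
                }
                AuthenticationFrameworkUtil.handleResponse(request, response, 401, message);
                return;
            default:
                // Any other status: no response is written and the chain is not continued.
                return;
        }
    }
}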
