package org.wso2.carbon.apimgt.gateway.handlers.security.oauth;

import java.util.Map;
import java.util.TreeMap;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.MessageContext;
import org.apache.synapse.core.SynapseEnvironment;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.wso2.carbon.apimgt.gateway.APIMgtGatewayConstants;
import org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityConstants;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityUtils;
import org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext;
import org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator;
import org.wso2.carbon.apimgt.gateway.internal.ServiceReferenceHolder;
import org.wso2.carbon.apimgt.impl.APIManagerConfiguration;
import org.wso2.carbon.apimgt.impl.dto.APIKeyValidationInfoDTO;
import org.wso2.carbon.metrics.manager.Level;
import org.wso2.carbon.metrics.manager.MetricManager;
import org.wso2.carbon.metrics.manager.Timer;

/* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/oauth/OAuthAuthenticator.class */
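/**
 * OAuth2 bearer-token authenticator for the API gateway.
 *
 * <p>Reads the token from the configured security header (by default the
 * {@code Authorization} header), asks the {@link APIKeyValidator} for the resource's
 * authentication scheme and, for protected resources, for the key-validation result, and
 * publishes the resulting {@link AuthenticationContext} on the message context. The
 * security header and the default-version header are stripped from the transport headers
 * before the message leaves the gateway (unless disabled via the setters), so the token is
 * not forwarded to the backend.
 *
 * <p>Thread-safety: the init/destroy lifecycle suggests one instance is shared across
 * requests, yet {@link #authenticate} stores the per-request {@code Origin} value in the
 * {@code requestOrigin} field. Concurrent requests can therefore overwrite each other's
 * value as observed through {@link #getRequestOrigin()}; NOTE(review): treat that getter
 * as best-effort until the value is carried on the message context instead.
 */
public class OAuthAuthenticator implements Authenticator {
    private static final Log log = LogFactory.getLog(OAuthAuthenticator.class);

    /** Validator consulted for the resource auth scheme and key validation; set in {@link #init}. */
    protected APIKeyValidator keyValidator;
    /** Header name under which the authentication context (JWT) is published, if configured. */
    private String securityContextHeader;
    /** Value of the {@code Origin} header of the most recent request (see class doc on races). */
    private String requestOrigin;
    /** Transport header carrying the bearer token. */
    private String securityHeader = APIMgtGatewayConstants.AUTHORIZATION;
    /** Transport header whose presence marks a default-version API invocation. */
    private String defaultAPIHeader = "WSO2_AM_API_DEFAULT_VERSION";
    /** Scheme word that must precede the token inside the security header. */
    private String consumerKeyHeaderSegment = "Bearer";
    /** Regex used to split the security header into comma-separated segments. */
    private String oauthHeaderSplitter = ",";
    /** Regex used to split a segment into scheme and token. */
    private String consumerKeySegmentDelimiter = " ";
    /** Whether the security header is removed before the message is forwarded. */
    private boolean removeOAuthHeadersFromOutMessage = true;
    /** Whether the default-version header is removed before the message is forwarded. */
    private boolean removeDefaultAPIHeaderFromOutMessage = true;
    /** Transport header whose value is reported as the client domain. */
    private String clientDomainHeader = "referer";

    /**
     * Creates the key validator against the Synapse axis configuration and loads the
     * OAuth-related settings from the API manager configuration.
     *
     * @param synapseEnvironment environment of the gateway this authenticator runs in
     */
    @Override
    public void init(SynapseEnvironment synapseEnvironment) {
        this.keyValidator = new APIKeyValidator(
                synapseEnvironment.getSynapseConfiguration().getAxisConfiguration());
        initOAuthParams();
    }

    /** Releases the key validator; safe to call even if {@link #init} never ran. */
    @Override
    public void destroy() {
        if (this.keyValidator != null) {
            this.keyValidator.cleanup();
        }
    }

    /**
     * Authenticates the incoming request.
     *
     * <p>Resources whose authentication scheme is {@code "None"} are admitted with an
     * anonymous context keyed on the client address. Every other resource requires a bearer
     * token, the API context and the API version; the key validator then decides whether the
     * token is authorized for the elected resource.
     *
     * @param messageContext the Synapse message under authentication
     * @return {@code true} when the request is authenticated (the method never returns
     *         {@code false}; failures are reported by exception)
     * @throws APISecurityException with {@code API_AUTH_MISSING_CREDENTIALS} when the token,
     *         API context or API version is absent, or with the validator's status when the
     *         token is not authorized for the resource
     */
    @Override
    public boolean authenticate(MessageContext messageContext) throws APISecurityException {
        org.apache.axis2.context.MessageContext axis2Ctx =
                ((Axis2MessageContext) messageContext).getAxis2MessageContext();
        Map<?, ?> headers = (Map<?, ?>) axis2Ctx.getProperty("TRANSPORT_HEADERS");

        String apiKey = null;
        boolean defaultVersionInvoked = false;
        if (headers != null) {
            this.requestOrigin = (String) headers.get("Origin");
            apiKey = extractCustomerKeyFromAuthHeader(headers);
            if (log.isDebugEnabled()) {
                // NOTE(review): this writes the raw bearer token to the log at DEBUG level;
                // gateway debug logs must be handled as sensitive material.
                log.debug(apiKey != null
                        ? "Received Token ".concat(apiKey)
                        : "No valid Authorization header found");
            }
            defaultVersionInvoked = headers.containsKey(this.defaultAPIHeader);
        }
        // Only report a default-version invocation when the marker header was actually seen.
        if (defaultVersionInvoked && log.isDebugEnabled()) {
            log.debug("Default Version API invoked");
        }
        // Strip the credential-bearing headers before anything downstream can see them.
        stripGatewayHeaders(headers);

        String apiContext = (String) messageContext.getProperty("REST_API_CONTEXT");
        String apiVersion = (String) messageContext.getProperty("SYNAPSE_REST_API_VERSION");
        String httpMethod = (String) axis2Ctx.getProperty("HTTP_METHOD");
        String clientDomain = getClientDomain(messageContext);
        if (clientDomain != null && log.isDebugEnabled()) {
            log.debug("Received Client Domain ".concat(clientDomain));
        }

        String authScheme;
        Timer.Context schemeTimer = MetricManager.timer(Level.INFO,
                MetricManager.name("org.wso2.am",
                        new String[]{getClass().getSimpleName(), "GET_RESOURCE_AUTH"})).start();
        try {
            authScheme = this.keyValidator.getResourceAuthenticationScheme(messageContext);
        } finally {
            // Stop the timer on the exception path too, so the metric is not left dangling.
            schemeTimer.stop();
        }

        if ("None".equals(authScheme)) {
            if (log.isDebugEnabled()) {
                log.debug("Found Authentication Scheme: ".concat(authScheme));
            }
            String clientAddress = resolveClientAddress(headers, axis2Ctx);
            APISecurityUtils.setAuthenticationContext(messageContext,
                    buildAnonymousContext(clientAddress), this.securityContextHeader);
            return true;
        }

        APIKeyValidationInfoDTO info;
        if ("noMatchedAuthScheme".equals(authScheme)) {
            info = new APIKeyValidationInfoDTO();
            info.setAuthorized(false);
            info.setValidationStatus(APISecurityConstants.API_AUTH_INCORRECT_API_RESOURCE);
        } else {
            if (apiKey == null || apiContext == null || apiVersion == null) {
                if (log.isDebugEnabled()) {
                    if (apiKey == null) {
                        log.debug("OAuth headers not found");
                    } else if (apiContext == null) {
                        log.debug("Couldn't find API Context");
                    } else {
                        log.debug("Could not find api version");
                    }
                }
                throw new APISecurityException(APISecurityConstants.API_AUTH_MISSING_CREDENTIALS,
                        "Required OAuth credentials not provided");
            }
            String matchingResource = (String) messageContext.getProperty("API_ELECTED_RESOURCE");
            if (log.isDebugEnabled()) {
                // String concatenation tolerates a null resource where concat() would throw.
                log.debug("Matching resource is: " + matchingResource);
            }
            org.apache.axis2.context.MessageContext.setCurrentMessageContext(axis2Ctx);
            Timer.Context validationTimer = MetricManager.timer(Level.INFO,
                    MetricManager.name("org.wso2.am",
                            new String[]{getClass().getSimpleName(), "GET_KEY_VALIDATION_INFO"})).start();
            try {
                info = this.keyValidator.getKeyValidationInfo(apiContext, apiKey, apiVersion,
                        authScheme, clientDomain, matchingResource, httpMethod, defaultVersionInvoked);
            } finally {
                validationTimer.stop();
            }
            messageContext.setProperty(APIMgtGatewayConstants.APPLICATION_NAME, info.getApplicationName());
            messageContext.setProperty(APIMgtGatewayConstants.END_USER_NAME, info.getEndUserName());
            messageContext.setProperty(APIMgtGatewayConstants.SCOPES,
                    info.getScopes() == null ? null : info.getScopes().toString());
        }

        if (!info.isAuthorized()) {
            if (log.isDebugEnabled()) {
                log.debug("User is NOT authorized to access the Resource");
            }
            // The message names the API and version but never the token itself.
            throw new APISecurityException(info.getValidationStatus(),
                    "Access failure for API: " + apiContext + ", version: " + apiVersion
                            + " status: (" + info.getValidationStatus() + ") - "
                            + APISecurityConstants.getAuthenticationFailureMessage(info.getValidationStatus()));
        }

        APISecurityUtils.setAuthenticationContext(messageContext,
                buildAuthenticatedContext(apiKey, info), this.securityContextHeader);
        messageContext.setProperty(APIMgtGatewayConstants.API_PUBLISHER, info.getApiPublisher());
        messageContext.setProperty("API_NAME", info.getApiName());
        if (log.isDebugEnabled()) {
            log.debug("User is authorized to access the Resource");
        }
        return true;
    }

    /**
     * Removes the security header and the default-version header from the transport headers
     * according to the {@code remove*FromOutMessage} flags. A missing header map is a no-op
     * (previously it was dereferenced unconditionally and failed with a NullPointerException).
     */
    private void stripGatewayHeaders(Map<?, ?> headers) {
        if (headers == null) {
            return;
        }
        if (this.removeOAuthHeadersFromOutMessage) {
            headers.remove(this.securityHeader);
            if (log.isDebugEnabled()) {
                log.debug("Removing Authorization header from headers");
            }
        }
        if (this.removeDefaultAPIHeaderFromOutMessage) {
            headers.remove(this.defaultAPIHeader);
        }
    }

    /**
     * Resolves the client address used to key anonymous (scheme {@code "None"}) requests.
     *
     * <p>The first entry of the {@code X-Forwarded-For} header wins, falling back to the
     * transport's {@code REMOTE_ADDR}. Because that header is supplied by whoever sends the
     * request unless a trusted proxy in front of the gateway overwrites it, the resulting
     * throttling key is caller-controlled in deployments without such a proxy; the
     * mitigation is to have the edge proxy set the header authoritatively.
     */
    private static String resolveClientAddress(Map<?, ?> headers,
                                               org.apache.axis2.context.MessageContext axis2Ctx) {
        String address = null;
        if (headers != null) {
            address = (String) headers.get(APIMgtGatewayConstants.X_FORWARDED_FOR);
        }
        if (address == null || address.isEmpty()) {
            return (String) axis2Ctx.getProperty("REMOTE_ADDR");
        }
        // Keep only the first (originating) address of a comma-separated chain.
        int comma = address.indexOf(',');
        return comma > 0 ? address.substring(0, comma) : address;
    }

    /** Builds the context for a resource that requires no authentication, keyed on the client address. */
    private static AuthenticationContext buildAnonymousContext(String clientAddress) {
        AuthenticationContext ctx = new AuthenticationContext();
        ctx.setAuthenticated(true);
        ctx.setTier("Unauthenticated");
        ctx.setStopOnQuotaReach(true);
        ctx.setApiKey(clientAddress);
        ctx.setKeyType("PRODUCTION");
        ctx.setUsername("anonymous");
        ctx.setCallerToken(null);
        ctx.setApplicationName(null);
        // The client address doubles as the application id so throttling has something to key on.
        ctx.setApplicationId(clientAddress);
        ctx.setConsumerKey(null);
        return ctx;
    }

    /** Copies an authorized validation result into the context published for downstream handlers. */
    private static AuthenticationContext buildAuthenticatedContext(String apiKey,
                                                                   APIKeyValidationInfoDTO info) {
        AuthenticationContext ctx = new AuthenticationContext();
        ctx.setAuthenticated(true);
        ctx.setTier(info.getTier());
        ctx.setApiKey(apiKey);
        ctx.setKeyType(info.getType());
        ctx.setUsername(info.getEndUserName() != null ? info.getEndUserName() : "anonymous");
        ctx.setCallerToken(info.getEndUserToken());
        ctx.setApplicationId(info.getApplicationId());
        ctx.setApplicationName(info.getApplicationName());
        ctx.setApplicationTier(info.getApplicationTier());
        ctx.setSubscriber(info.getSubscriber());
        ctx.setConsumerKey(info.getConsumerKey());
        ctx.setApiTier(info.getApiTier());
        ctx.setThrottlingDataList(info.getThrottlingDataList());
        ctx.setSubscriberTenantDomain(info.getSubscriberTenantDomain());
        ctx.setSpikeArrestLimit(info.getSpikeArrestLimit());
        ctx.setSpikeArrestUnit(info.getSpikeArrestUnit());
        ctx.setStopOnQuotaReach(info.isStopOnQuotaReach());
        ctx.setIsContentAware(info.isContentAware());
        return ctx;
    }

    /**
     * Extracts the bearer token from the transport headers.
     *
     * <p>The security header is split on {@link #getOauthHeaderSplitter()}; each segment is
     * split on {@link #getConsumerKeySegmentDelimiter()} and the first non-blank part following
     * the {@link #getConsumerKeyHeaderSegment()} scheme word is returned with surrounding
     * quotes removed.
     *
     * @param map transport headers (raw map of header name to value); may be {@code null}
     * @return the token, or {@code null} when the header is absent or holds no
     *         {@code <scheme> <token>} pair
     */
    public String extractCustomerKeyFromAuthHeader(Map map) {
        if (map == null) {
            return null;
        }
        String header = (String) map.get(this.securityHeader);
        if (header == null) {
            return null;
        }
        if (header.startsWith("OAuth ") || header.startsWith("oauth ")) {
            // Kept from the original: the header is cut at the first lowercase 'o'. For an
            // "OAuth ..." value with no lowercase 'o' the old code threw
            // StringIndexOutOfBoundsException; such a header is now left unchanged.
            // NOTE(review): the intent was presumably to drop the "OAuth " prefix — confirm.
            int cut = header.indexOf('o');
            if (cut >= 0) {
                header = header.substring(cut);
            }
        }
        for (String segment : header.split(this.oauthHeaderSplitter)) {
            String[] parts = segment.split(this.consumerKeySegmentDelimiter);
            if (parts.length <= 1) {
                continue;
            }
            boolean schemeSeen = false;
            for (String part : parts) {
                String token = part.trim();
                if (token.isEmpty()) {
                    continue;
                }
                if (this.consumerKeyHeaderSegment.equals(token)) {
                    schemeSeen = true;
                } else if (schemeSeen) {
                    return removeLeadingAndTrailing(token);
                }
            }
        }
        return null;
    }

    /** Strips every double quote when the value starts or ends with one, then trims it. */
    private String removeLeadingAndTrailing(String str) {
        String unquoted = str;
        if (str.startsWith("\"") || str.endsWith("\"")) {
            unquoted = str.replace("\"", "");
        }
        return unquoted.trim();
    }

    /**
     * Loads {@code OAuthConfigurations.RemoveOAuthHeadersFromOutMessage} and
     * {@code JWTConfiguration.JWTHeader} from the API manager configuration; absent
     * properties leave the defaults untouched.
     */
    protected void initOAuthParams() {
        APIManagerConfiguration config = ServiceReferenceHolder.getInstance().getAPIManagerConfiguration();
        String removeHeaders = config.getFirstProperty("OAuthConfigurations.RemoveOAuthHeadersFromOutMessage");
        if (removeHeaders != null) {
            this.removeOAuthHeadersFromOutMessage = Boolean.parseBoolean(removeHeaders);
        }
        String jwtHeader = config.getFirstProperty("JWTConfiguration.JWTHeader");
        if (jwtHeader != null) {
            setSecurityContextHeader(jwtHeader);
        }
    }

    /** @return the {@code WWW-Authenticate} challenge advertised on authentication failure */
    @Override
    public String getChallengeString() {
        return "OAuth2 realm=\"WSO2 API Manager\"";
    }

    /** @return the value of the client-domain header, or {@code null} when headers or the value are absent */
    private String getClientDomain(MessageContext messageContext) {
        Map<?, ?> headers = (Map<?, ?>) ((Axis2MessageContext) messageContext)
                .getAxis2MessageContext().getProperty("TRANSPORT_HEADERS");
        if (headers == null) {
            return null;
        }
        return (String) headers.get(this.clientDomainHeader);
    }

    /** @return the {@code Origin} header of the last request this instance handled (see class doc) */
    @Override
    public String getRequestOrigin() {
        return this.requestOrigin;
    }

    public String getSecurityHeader() {
        return this.securityHeader;
    }

    public void setSecurityHeader(String str) {
        this.securityHeader = str;
    }

    public String getDefaultAPIHeader() {
        return this.defaultAPIHeader;
    }

    public void setDefaultAPIHeader(String str) {
        this.defaultAPIHeader = str;
    }

    public String getConsumerKeyHeaderSegment() {
        return this.consumerKeyHeaderSegment;
    }

    public void setConsumerKeyHeaderSegment(String str) {
        this.consumerKeyHeaderSegment = str;
    }

    public String getOauthHeaderSplitter() {
        return this.oauthHeaderSplitter;
    }

    public void setOauthHeaderSplitter(String str) {
        this.oauthHeaderSplitter = str;
    }

    public String getConsumerKeySegmentDelimiter() {
        return this.consumerKeySegmentDelimiter;
    }

    public void setConsumerKeySegmentDelimiter(String str) {
        this.consumerKeySegmentDelimiter = str;
    }

    public String getSecurityContextHeader() {
        return this.securityContextHeader;
    }

    public void setSecurityContextHeader(String str) {
        this.securityContextHeader = str;
    }

    public boolean isRemoveOAuthHeadersFromOutMessage() {
        return this.removeOAuthHeadersFromOutMessage;
    }

    public void setRemoveOAuthHeadersFromOutMessage(boolean z) {
        this.removeOAuthHeadersFromOutMessage = z;
    }

    public String getClientDomainHeader() {
        return this.clientDomainHeader;
    }

    public void setClientDomainHeader(String str) {
        this.clientDomainHeader = str;
    }

    public boolean isRemoveDefaultAPIHeaderFromOutMessage() {
        return this.removeDefaultAPIHeaderFromOutMessage;
    }

    public void setRemoveDefaultAPIHeaderFromOutMessage(boolean z) {
        this.removeDefaultAPIHeaderFromOutMessage = z;
    }

    public void setRequestOrigin(String str) {
        this.requestOrigin = str;
    }
}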
