package org.wso2.carbon.apimgt.gateway.handlers.security.basicauth;

import io.swagger.v3.oas.models.OpenAPI;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.MessageContext;
import org.apache.synapse.core.SynapseEnvironment;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.util.Base64;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.gateway.APIMgtGatewayConstants;
import org.wso2.carbon.apimgt.gateway.MethodStats;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityConstants;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException;
import org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityUtils;
import org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationContext;
import org.wso2.carbon.apimgt.gateway.handlers.security.AuthenticationResponse;
import org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator;
import org.wso2.carbon.apimgt.gateway.handlers.streaming.websocket.WebSocketApiConstants;
import org.wso2.carbon.apimgt.gateway.internal.ServiceReferenceHolder;
import org.wso2.carbon.apimgt.gateway.threatprotection.utils.ThreatProtectorConstants;
import org.wso2.carbon.apimgt.gateway.utils.OpenAPIUtils;
import org.wso2.carbon.apimgt.impl.dto.BasicAuthValidationInfoDTO;
import org.wso2.carbon.apimgt.impl.dto.VerbInfoDTO;
import org.wso2.carbon.apimgt.impl.utils.APIUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/apimgt/gateway/handlers/security/basicauth/BasicAuthAuthenticator.class */
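/**
 * Gateway {@link Authenticator} that authenticates an inbound request from an HTTP Basic
 * credential carried in the configured authorization header.
 *
 * <p>Flow, per request:
 * <ol>
 *   <li>Locate the {@code Basic ...} segment of the authorization header (and optionally strip it
 *       from the header so the credential is not forwarded to the backend).</li>
 *   <li>Base64-decode it into {@code username:password}.</li>
 *   <li>Reject users whose tenant domain differs from the API publisher's tenant domain.</li>
 *   <li>Validate the credential and the resource scopes via {@link BasicAuthCredentialValidator}.</li>
 *   <li>Populate an {@link AuthenticationContext} (if none exists yet) so downstream handlers treat
 *       the caller as an authenticated, production-keyed user of a synthetic application.</li>
 * </ol>
 *
 * <p>Security notes a deployer should be aware of:
 * <ul>
 *   <li>The raw credential stays in the transport headers unless
 *       {@code OAuthConfigurations.RemoveOAuthHeadersFromOutMessage} is set to {@code true}; only then
 *       is the Basic segment removed before the message continues.</li>
 *   <li>Failure responses carry the {@code isMandatory} flag handed to the constructor; presumably the
 *       caller uses it to decide whether a failure here is fatal or whether another authenticator may
 *       still run (the meaning of that flag is owned by the caller, not this class).</li>
 * </ul>
 *
 * <p>Thread-safety: instances are expected to be shared across requests. Per-request state is kept in
 * locals; the only lazily-initialised field is {@link #basicAuthCredentialValidator}, where a benign
 * race could at worst construct the validator twice.
 */
public class BasicAuthAuthenticator implements Authenticator {
    private static final Log log = LogFactory.getLog(BasicAuthAuthenticator.class);
    /** Message-context property holding the tenant domain of the API publisher. */
    static final String PUBLISHER_TENANT_DOMAIN = "tenant.info.domain";
    /** Authentication scheme token that marks the relevant segment of the authorization header. */
    private static final String BASIC_AUTH_KEY_HEADER_SEGMENT = "Basic";
    private static final String GRAPHQL_API_TYPE = "GRAPHQL";

    private String securityHeader;
    private String requestOrigin;
    private BasicAuthCredentialValidator basicAuthCredentialValidator;
    private final String apiLevelPolicy;
    private final boolean isMandatory;

    /**
     * @param securityHeader name of the header carrying the credential; {@code null} defers to the
     *                       {@code AuthorizationHeader} APIM configuration (see {@link #getSecurityHeader()})
     * @param isMandatory    echoed into every {@link AuthenticationResponse} produced by this instance
     * @param apiLevelPolicy API-level throttling policy recorded on the authentication context
     */
    public BasicAuthAuthenticator(String securityHeader, boolean isMandatory, String apiLevelPolicy) {
        this.securityHeader = securityHeader;
        this.isMandatory = isMandatory;
        this.apiLevelPolicy = apiLevelPolicy;
    }

    /**
     * Injects the credential validator used by {@link #authenticate(MessageContext)}.
     * Previously this setter silently discarded its argument, so an injected validator (for example a
     * test double) was never used and a default one was created on first request instead.
     */
    public void setBasicAuthCredentialValidator(BasicAuthCredentialValidator basicAuthCredentialValidator) {
        this.basicAuthCredentialValidator = basicAuthCredentialValidator;
    }

    @Override
    public void init(SynapseEnvironment synapseEnvironment) {
        // Nothing to initialise; configuration is read lazily.
    }

    @Override
    public void destroy() {
        // No resources to release.
    }

    /**
     * Authenticates the request from its Basic credential.
     *
     * @param messageContext the Synapse message context of the inbound request
     * @return a successful response, or a failure response carrying the APIM security error code
     *         (missing OpenAPI definition, missing/invalid credentials, tenant mismatch, invalid scope)
     */
    @Override
    @MethodStats
    public AuthenticationResponse authenticate(MessageContext messageContext) {
        if (log.isDebugEnabled()) {
            log.debug("Basic Authentication initialized");
        }
        boolean isGraphQL = GRAPHQL_API_TYPE.equals(messageContext.getProperty("API_TYPE"));
        // Kept as a local rather than an instance field: the authenticator is shared across requests.
        OpenAPI openAPI = (OpenAPI) messageContext.getProperty(APIMgtGatewayConstants.OPEN_API_OBJECT);
        if (openAPI == null && !isGraphQL) {
            log.error("OpenAPI definition is missing in the gateway. Basic authentication cannot be performed.");
            return new AuthenticationResponse(false, this.isMandatory, true,
                    APISecurityConstants.API_AUTH_MISSING_OPEN_API_DEF, "Basic authentication cannot be performed.");
        }

        // Extract (and, if configured, strip) the Basic segment before anything else touches the headers.
        String basicAuthHeader = extractBasicAuthHeader(messageContext);
        List<VerbInfoDTO> verbInfoList = isGraphQL
                ? buildGraphQLVerbInfo(messageContext)
                : buildRestVerbInfo(messageContext, openAPI);

        try {
            String[] credentials = extractBasicAuthCredentials(basicAuthHeader);
            String endUserName = getEndUserName(credentials[0]);
            String password = credentials[1];

            // Cross-tenant use is refused outright: the user's tenant must be the API publisher's tenant.
            if (!MultitenantUtils.getTenantDomain(endUserName).equals(messageContext.getProperty(PUBLISHER_TENANT_DOMAIN))) {
                log.error("Basic Authentication failure: tenant domain mismatch for user :" + endUserName);
                return new AuthenticationResponse(false, this.isMandatory, true,
                        APISecurityConstants.API_AUTH_FORBIDDEN, APISecurityConstants.API_AUTH_FORBIDDEN_MESSAGE);
            }

            if (this.basicAuthCredentialValidator == null) {
                this.basicAuthCredentialValidator = new BasicAuthCredentialValidator();
            }
            BasicAuthValidationInfoDTO validationInfo = this.basicAuthCredentialValidator.validate(endUserName, password);
            if (!validationInfo.isAuthenticated()) {
                log.error("Basic Authentication failure: Username and Password mismatch");
                return new AuthenticationResponse(false, this.isMandatory, true,
                        APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
            }
            if (log.isDebugEnabled()) {
                log.debug("Basic Authentication: Username and Password authenticated");
            }

            boolean scopesValid = this.basicAuthCredentialValidator.validateScopes(endUserName, openAPI,
                    messageContext, validationInfo);
            if (!scopesValid) {
                return new AuthenticationResponse(false, this.isMandatory, true,
                        APISecurityConstants.INVALID_SCOPE, "Scope validation failed");
            }

            // Only the first authenticator to succeed installs the context and verb info.
            if (APISecurityUtils.getAuthenticationContext(messageContext) == null) {
                messageContext.setProperty("VERB_INFO", verbInfoList);
                AuthenticationContext authenticationContext =
                        buildAuthenticationContext(validationInfo.getDomainQualifiedUsername());
                APISecurityUtils.setAuthenticationContext(messageContext, authenticationContext, null);
            }
            log.debug("Basic Authentication: Scope validation passed");
            return new AuthenticationResponse(true, this.isMandatory, false, 0, null);
        } catch (APISecurityException e) {
            // Every APISecurityException from extraction, validation or scope checking maps the same way.
            return new AuthenticationResponse(false, this.isMandatory, true, e.getErrorCode(), e.getMessage());
        }
    }

    /**
     * Builds one {@link VerbInfoDTO} per elected GraphQL operation, using the per-operation
     * auth-scheme and throttling mappings the GraphQL handlers placed on the message context.
     * A missing mapping entry surfaces as a {@link NullPointerException} here rather than as a
     * silently permissive default.
     */
    private List<VerbInfoDTO> buildGraphQLVerbInfo(MessageContext messageContext) {
        @SuppressWarnings("unchecked")
        Map<String, Boolean> authSchemeMapping =
                (Map<String, Boolean>) messageContext.getProperty("WSO2OperationAuthSchemeMapping");
        @SuppressWarnings("unchecked")
        Map<String, String> throttlingMapping =
                (Map<String, String>) messageContext.getProperty("WSO2OperationThrottlingMapping");
        String apiContext = (String) messageContext.getProperty(ThreatProtectorConstants.API_CONTEXT);
        String apiVersion = (String) messageContext.getProperty("SYNAPSE_REST_API_VERSION");
        String httpMethod = (String) ((Axis2MessageContext) messageContext).getAxis2MessageContext()
                .getProperty(ThreatProtectorConstants.HTTP_METHOD);
        String electedResource = (String) messageContext.getProperty("API_ELECTED_RESOURCE");

        String[] operations = electedResource.split(APIMgtGatewayConstants.CUSTOM_ANALYTICS_PROPERTY_SEPARATOR);
        List<VerbInfoDTO> verbInfoList = new ArrayList<>(operations.length);
        for (String operation : operations) {
            boolean authRequired = authSchemeMapping.get(operation).booleanValue();
            VerbInfoDTO verbInfo = new VerbInfoDTO();
            verbInfo.setAuthType(authRequired ? "Any" : "None");
            verbInfo.setThrottling(throttlingMapping.get(operation));
            verbInfo.setRequestKey(apiContext + WebSocketApiConstants.URL_SEPARATOR + apiVersion + operation
                    + ":" + httpMethod);
            verbInfoList.add(verbInfo);
        }
        return verbInfoList;
    }

    /** Builds the single {@link VerbInfoDTO} for a REST resource from the API's OpenAPI definition. */
    private List<VerbInfoDTO> buildRestVerbInfo(MessageContext messageContext, OpenAPI openAPI) {
        String apiContext = (String) messageContext.getProperty(ThreatProtectorConstants.API_CONTEXT);
        String apiVersion = (String) messageContext.getProperty("SYNAPSE_REST_API_VERSION");
        String httpMethod = (String) ((Axis2MessageContext) messageContext).getAxis2MessageContext()
                .getProperty(ThreatProtectorConstants.HTTP_METHOD);
        String electedResource = (String) messageContext.getProperty("API_ELECTED_RESOURCE");

        VerbInfoDTO verbInfo = new VerbInfoDTO();
        verbInfo.setAuthType(OpenAPIUtils.getResourceAuthenticationScheme(openAPI, messageContext));
        verbInfo.setThrottling(OpenAPIUtils.getResourceThrottlingTier(openAPI, messageContext));
        verbInfo.setRequestKey(apiContext + WebSocketApiConstants.URL_SEPARATOR + apiVersion + electedResource
                + ":" + httpMethod);
        List<VerbInfoDTO> verbInfoList = new ArrayList<>(1);
        verbInfoList.add(verbInfo);
        return verbInfoList;
    }

    /**
     * Creates the authentication context for a successfully validated Basic-auth user. The user is
     * modelled as the sole member of a synthetic "BasicAuthApplication" keyed by the domain-qualified
     * username; the tier label is literally {@code "Unauthenticated"} as in the original gateway code.
     */
    private AuthenticationContext buildAuthenticationContext(String domainQualifiedUsername) {
        AuthenticationContext authenticationContext = new AuthenticationContext();
        authenticationContext.setAuthenticated(true);
        authenticationContext.setTier("Unauthenticated");
        authenticationContext.setStopOnQuotaReach(true);
        authenticationContext.setApiKey(domainQualifiedUsername);
        authenticationContext.setKeyType("PRODUCTION");
        authenticationContext.setUsername(domainQualifiedUsername);
        authenticationContext.setCallerToken(null);
        authenticationContext.setApplicationName("BasicAuthApplication");
        authenticationContext.setApplicationId(domainQualifiedUsername);
        authenticationContext.setApplicationUUID(domainQualifiedUsername);
        authenticationContext.setSubscriber("BasicAuthApplicationOwner");
        authenticationContext.setConsumerKey(null);
        authenticationContext.setApiTier(this.apiLevelPolicy);
        return authenticationContext;
    }

    /**
     * Decodes a {@code Basic <base64>} header segment into {@code {username, password}}.
     *
     * <p>The credential is split on the <em>first</em> colon only, so passwords containing colons are
     * preserved (the earlier {@code split(":")} truncated them and could yield a one-element array for
     * {@code "user:"}). Decoding uses UTF-8 explicitly instead of the platform default charset. A bare
     * {@code "Basic"} with no token is rejected as invalid rather than throwing
     * {@link StringIndexOutOfBoundsException}.
     *
     * @throws APISecurityException {@code API_AUTH_MISSING_CREDENTIALS} when no Basic segment is
     *                              present; {@code API_AUTH_INVALID_CREDENTIALS} when the token is empty,
     *                              not valid Base64, lacks a colon, or has an empty username
     */
    private String[] extractBasicAuthCredentials(String basicAuthHeader) throws APISecurityException {
        if (basicAuthHeader == null || !basicAuthHeader.startsWith(BASIC_AUTH_KEY_HEADER_SEGMENT)) {
            if (log.isDebugEnabled()) {
                log.debug("Basic Authentication: No Basic Auth Header found");
            }
            throw new APISecurityException(APISecurityConstants.API_AUTH_MISSING_CREDENTIALS,
                    APISecurityConstants.API_AUTH_MISSING_CREDENTIALS_MESSAGE);
        }
        String encodedCredentials = basicAuthHeader.substring(BASIC_AUTH_KEY_HEADER_SEGMENT.length()).trim();
        if (encodedCredentials.isEmpty()) {
            log.error("Basic Authentication: Invalid Basic Auth token");
            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
        }
        String decodedCredentials;
        try {
            decodedCredentials = new String(Base64.decode(encodedCredentials), StandardCharsets.UTF_8);
        } catch (WSSecurityException e) {
            // Do not log the token itself; it may be a (malformed) real credential.
            log.error("Error occured during Basic Authentication: Invalid Basic Auth token");
            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
        }
        int separator = decodedCredentials.indexOf(':');
        if (separator <= 0) {
            // No separator, or an empty username before it.
            log.error("Basic Authentication: Invalid Basic Auth token");
            throw new APISecurityException(APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid Credentials");
        }
        return new String[] {
                decodedCredentials.substring(0, separator),
                decodedCredentials.substring(separator + 1)
        };
    }

    /**
     * Returns the {@code Basic ...} segment of the configured authorization header, or {@code null}
     * when the transport headers, the header, or a Basic segment are absent.
     *
     * <p>The header value may carry several comma-separated segments (e.g. a Bearer token alongside the
     * Basic credential); the last segment whose first space-delimited token is {@code Basic} wins.
     * When {@code OAuthConfigurations.RemoveOAuthHeadersFromOutMessage} is {@code true} the Basic
     * segment is removed from the header map (the header is dropped entirely if nothing else remains),
     * so the credential is not propagated to the backend; otherwise the header is left untouched.
     */
    private String extractBasicAuthHeader(MessageContext messageContext) {
        @SuppressWarnings("unchecked")
        Map<String, Object> transportHeaders = (Map<String, Object>) ((Axis2MessageContext) messageContext)
                .getAxis2MessageContext().getProperty(APIMgtGatewayConstants.TRANSPORT_HEADERS);
        if (transportHeaders == null) {
            return null;
        }
        String headerName = getSecurityHeader();
        if (headerName == null) {
            // Configuration lookup failed (already logged); fail closed instead of probing with a null key.
            return null;
        }
        String headerValue = (String) transportHeaders.get(headerName);
        if (headerValue == null) {
            if (log.isDebugEnabled()) {
                log.debug("Basic Authentication: Expected authorization header with the name '"
                        .concat(headerName).concat("' was not found."));
            }
            return null;
        }
        if (!headerValue.contains(BASIC_AUTH_KEY_HEADER_SEGMENT)) {
            return null;
        }

        String[] segments = headerValue.split(APIMgtGatewayConstants.CUSTOM_ANALYTICS_PROPERTY_SEPARATOR);
        List<String> otherSegments = new ArrayList<>();
        String basicSegment = null;
        for (String segment : segments) {
            String trimmedSegment = segment.trim();
            if (BASIC_AUTH_KEY_HEADER_SEGMENT.equals(trimmedSegment.split(" ")[0])) {
                basicSegment = trimmedSegment;
            } else {
                otherSegments.add(trimmedSegment);
            }
        }

        boolean stripFromOutMessage = Boolean.parseBoolean(ServiceReferenceHolder.getInstance()
                .getAPIManagerConfiguration().getFirstProperty("OAuthConfigurations.RemoveOAuthHeadersFromOutMessage"));
        if (stripFromOutMessage) {
            String remainingHeader = String.join(APIMgtGatewayConstants.CUSTOM_ANALYTICS_PROPERTY_SEPARATOR, otherSegments);
            if (StringUtils.isNotBlank(remainingHeader)) {
                transportHeaders.put(headerName, remainingHeader);
            } else {
                transportHeaders.remove(headerName);
            }
        }
        return basicSegment;
    }

    /**
     * Challenge value advertised on authentication failure. Note that this literal is not the
     * {@code Basic realm="..."} form of RFC 7617; it is left as-is so callers comparing the exact string
     * are unaffected.
     */
    @Override
    public String getChallengeString() {
        return "Basic Auth realm=\"WSO2 API Manager\"";
    }

    @Override
    public String getRequestOrigin() {
        return this.requestOrigin;
    }

    public void setRequestOrigin(String requestOrigin) {
        this.requestOrigin = requestOrigin;
    }

    /**
     * Name of the header carrying the credential. Resolved lazily from the {@code AuthorizationHeader}
     * APIM configuration when none was supplied; returns {@code null} (after logging) if that lookup fails.
     */
    public String getSecurityHeader() {
        if (this.securityHeader == null) {
            try {
                this.securityHeader = APIUtil.getOAuthConfigurationFromAPIMConfig("AuthorizationHeader");
            } catch (APIManagementException e) {
                log.error("Error while reading authorization header from APIM configurations", e);
            }
        }
        return this.securityHeader;
    }

    public void setSecurityHeader(String securityHeader) {
        this.securityHeader = securityHeader;
    }

    /**
     * Normalises a username to {@code <tenant-aware-name>@<tenant-domain>} so the tenant comparison in
     * {@link #authenticate(MessageContext)} always sees an explicit domain suffix.
     */
    private String getEndUserName(String username) {
        return MultitenantUtils.getTenantAwareUsername(username) + "@" + MultitenantUtils.getTenantDomain(username);
    }

    @Override
    public int getPriority() {
        return 20;
    }
}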
