package org.wso2.carbon.apimgt.rest.api.authenticator;

import com.google.gson.Gson;
import com.google.gson.JsonObject;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.NewCookie;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.wso2.carbon.apimgt.core.api.IdentityProvider;
import org.wso2.carbon.apimgt.core.api.KeyManager;
import org.wso2.carbon.apimgt.core.configuration.APIMConfigurationService;
import org.wso2.carbon.apimgt.core.dao.SystemApplicationDao;
import org.wso2.carbon.apimgt.core.exception.APIManagementException;
import org.wso2.carbon.apimgt.core.exception.APIMgtDAOException;
import org.wso2.carbon.apimgt.core.exception.ExceptionCodes;
import org.wso2.carbon.apimgt.core.exception.IdentityProviderException;
import org.wso2.carbon.apimgt.core.exception.KeyManagementException;
import org.wso2.carbon.apimgt.core.impl.APIDefinitionFromSwagger20;
import org.wso2.carbon.apimgt.core.models.AccessTokenInfo;
import org.wso2.carbon.apimgt.core.models.AccessTokenRequest;
import org.wso2.carbon.apimgt.core.models.OAuthAppRequest;
import org.wso2.carbon.apimgt.core.models.OAuthApplicationInfo;
import org.wso2.carbon.apimgt.rest.api.authenticator.configuration.APIMAppConfigurationService;
import org.wso2.carbon.apimgt.rest.api.authenticator.configuration.models.APIMAppConfigurations;
import org.wso2.carbon.apimgt.rest.api.authenticator.constants.AuthenticatorConstants;
import org.wso2.carbon.apimgt.rest.api.authenticator.utils.AuthUtil;
import org.wso2.carbon.apimgt.rest.api.authenticator.utils.bean.AuthResponseBean;
import org.wso2.carbon.apimgt.rest.api.common.util.RestApiUtil;

/* loaded from: input_file:org/wso2/carbon/apimgt/rest/api/authenticator/AuthenticatorService.class */
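/**
 * Backs the portal login/logout REST endpoints: registers the per-portal OAuth client through
 * dynamic client registration (DCR), exchanges credentials, authorization codes or JWT
 * assertions for tokens via the {@link KeyManager}, and builds the cookie and redirect
 * material the single-page UI consumes.
 * <p>
 * Security-relevant design visible in this class: a token is never handed to the browser whole.
 * It is split in two halves; one half is placed in cookies built by
 * {@link AuthUtil#cookieBuilder} and the other half is returned to the JavaScript client
 * ({@link #setupAccessTokenParts}, {@link #setupRefreshTokenParts}). The consumer key/secret of
 * the system applications are cached in a process-wide map owned by {@link AuthUtil}
 * ({@link #getConsumerKeySecret}), so anything that can read that map can read the client
 * secrets. ID tokens are parsed here <b>without</b> signature verification
 * ({@link #getUsernameFromJWT}); they must only come from the key manager, never from the client.
 */
public class AuthenticatorService {
    // Log under this class, not AuthenticatorAPI, so log lines are attributed correctly.
    private static final Logger log = LoggerFactory.getLogger(AuthenticatorService.class);

    /** RFC 7523 grant type used for cross-environment logins (multi-environment overview). */
    private static final String JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    /**
     * Placeholder redirect URI used when an application is first registered from a flow that
     * only needs non-redirect grants (password / refresh / client_credentials). Because
     * {@link #createDCRApplication} returns the already-registered application when a consumer
     * key is stored, whichever flow registers first decides the callback that stays on record.
     */
    private static final String TEMPORARY_CALLBACK_URL = "http://temporary.callback/url";

    private final KeyManager keyManager;
    private final SystemApplicationDao systemApplicationDao;
    private final APIMConfigurationService apimConfigurationService;
    private final APIMAppConfigurationService apimAppConfigurationService;

    /**
     * Minimal view of a JWT payload, populated by Gson from the decoded payload segment.
     * Static so Gson does not need an enclosing instance to create it. Only {@code sub} is used
     * by this class; the other claims are kept for callers of the getters.
     */
    private static final class JWTTokenPayload {
        private String sub;
        private String iss;
        private String exp;
        private String iat;
        private String[] aud;

        private JWTTokenPayload() {
        }

        public String getSub() {
            return this.sub;
        }

        public String getIss() {
            return this.iss;
        }

        public String getExp() {
            return this.exp;
        }

        public String getIat() {
            return this.iat;
        }

        public String[] getAud() {
            return this.aud;
        }
    }

    /**
     * @param keyManager                 key manager used for DCR, token issuance and revocation
     * @param systemApplicationDao       persistence for app-name to consumer-key mappings
     * @param aPIMConfigurationService   environment configuration (multi-env flag, allowed hosts, label)
     * @param aPIMAppConfigurationService app configuration (base URL, authorization endpoint, SSO flag)
     */
    public AuthenticatorService(KeyManager keyManager, SystemApplicationDao systemApplicationDao, APIMConfigurationService aPIMConfigurationService, APIMAppConfigurationService aPIMAppConfigurationService) {
        this.keyManager = keyManager;
        this.systemApplicationDao = systemApplicationDao;
        this.apimConfigurationService = aPIMConfigurationService;
        this.apimAppConfigurationService = aPIMAppConfigurationService;
    }

    /**
     * Registers (or looks up) the OAuth client for the given portal application and returns the
     * public configuration the UI needs to start a login: client id, callback URL, scopes,
     * authorization endpoint and feature flags.
     *
     * @param appName portal application name (store / publisher / admin)
     * @return JSON with {@code client_id}, {@code callback_url}, {@code scopes},
     *         {@code authorizationEndpoint} and the SSO / multi-environment flags; empty if the
     *         key manager returned no application (the failure is logged)
     * @throws APIManagementException if scopes cannot be read or the DCR call fails
     */
    public JsonObject getAuthenticationConfigurations(String appName) throws APIManagementException {
        JsonObject config = new JsonObject();
        boolean multiEnvEnabled = this.apimConfigurationService.getEnvironmentConfigurations().getMultiEnvironmentOverview().isEnabled();
        List<String> grantTypes = new ArrayList<>();
        grantTypes.add(AuthenticatorConstants.PASSWORD_GRANT);
        grantTypes.add("authorization_code");
        grantTypes.add(AuthenticatorConstants.REFRESH_GRANT);
        grantTypes.add("client_credentials");
        if (multiEnvEnabled) {
            // Only offered when cross-environment logins are enabled.
            grantTypes.add(JWT_BEARER_GRANT);
        }
        APIMAppConfigurations appConfigurations = this.apimAppConfigurationService.getApimAppConfigurations();
        String callbackUrl = appConfigurations.getApimBaseUrl() + AuthenticatorConstants.AUTHORIZATION_CODE_CALLBACK_URL + appName;
        String applicationScopes = getApplicationScopes(appName);
        log.debug("Set scopes for {} application using swagger definition.", appName);
        try {
            OAuthApplicationInfo application = createDCRApplication(appName, callbackUrl, grantTypes);
            if (application != null) {
                log.debug("Created DCR Application successfully for {}.", appName);
                // Only public client data goes to the browser; the client secret is deliberately
                // not part of this response.
                config.addProperty("client_id", application.getClientId());
                config.addProperty("callback_url", application.getCallBackURL());
                config.addProperty("scopes", applicationScopes);
                config.addProperty("authorizationEndpoint", appConfigurations.getAuthorizationEndpoint());
                config.addProperty(AuthenticatorConstants.SSO_ENABLED, Boolean.valueOf(appConfigurations.isSsoEnabled()));
                config.addProperty(AuthenticatorConstants.MULTI_ENVIRONMENT_OVERVIEW_ENABLED, Boolean.valueOf(multiEnvEnabled));
            } else {
                log.error("No information available in OAuth application.", ExceptionCodes.OAUTH2_APP_CREATION_FAILED);
            }
            return config;
        } catch (APIManagementException e) {
            String message = "Error while creating the keys for OAuth application : " + appName;
            log.error(message, e, ExceptionCodes.OAUTH2_APP_CREATION_FAILED);
            throw new APIManagementException(message, e, ExceptionCodes.OAUTH2_APP_CREATION_FAILED);
        }
    }

    /**
     * Obtains tokens from the key manager for the requested grant type.
     * <p>
     * Grant dispatch is strict: only password, refresh, client_credentials, authorization_code
     * and (when multi-environment overview is enabled) the JWT bearer grant are accepted; any
     * other value fails with {@code ACCESS_TOKEN_GENERATION_FAILED} instead of silently
     * returning an empty token.
     *
     * @param appName           portal application whose client credentials are used
     * @param grantType         OAuth2 grant type requested by the client
     * @param userName          resource-owner user name (password grant)
     * @param password          resource-owner password (password grant)
     * @param refreshToken      refresh token (refresh grant); forwarded to
     *                          {@link AuthUtil#createAccessTokenRequest} — argument order follows that helper
     * @param validityPeriod    requested token validity
     * @param authorizationCode code from the authorization endpoint (authorization_code grant)
     * @param assertion         JWT assertion (JWT bearer grant)
     * @param identityProvider  used to confirm the asserted user exists in this environment
     * @param scopes            requested scopes
     * @return the issued tokens
     * @throws APIManagementException on unsupported grant, missing code, unknown user or key-manager failure
     */
    public AccessTokenInfo getTokens(String appName, String grantType, String userName, String password, String refreshToken, long validityPeriod, String authorizationCode, String assertion, IdentityProvider identityProvider, String scopes) throws APIManagementException {
        AccessTokenInfo accessTokenInfo;
        boolean multiEnvEnabled = this.apimConfigurationService.getEnvironmentConfigurations().getMultiEnvironmentOverview().isEnabled();
        log.debug("Set scopes for {} application using swagger definition.", appName);
        Map<String, String> consumerKeySecret = getConsumerKeySecret(appName);
        log.debug("Received consumer key & secret for {} application.", appName);
        String clientId = consumerKeySecret.get(AuthenticatorConstants.CONSUMER_KEY);
        String clientSecret = consumerKeySecret.get(AuthenticatorConstants.CONSUMER_SECRET);
        try {
            if (AuthenticatorConstants.PASSWORD_GRANT.equals(grantType) || AuthenticatorConstants.REFRESH_GRANT.equals(grantType) || "client_credentials".equals(grantType)) {
                accessTokenInfo = getKeyManager().getNewAccessToken(AuthUtil.createAccessTokenRequest(userName, password, grantType, refreshToken, null, validityPeriod, scopes, clientId, clientSecret));
            } else if ("authorization_code".equals(grantType)) {
                if (authorizationCode == null) {
                    log.error("No Authorization Code available.", ExceptionCodes.ACCESS_TOKEN_GENERATION_FAILED);
                    throw new APIManagementException("No Authorization Code available.", ExceptionCodes.ACCESS_TOKEN_GENERATION_FAILED);
                }
                // The redirect URI sent with the code exchange must match the one registered
                // for the app, so it is rebuilt from configuration rather than taken from the client.
                String callbackUrl = this.apimAppConfigurationService.getApimAppConfigurations().getApimBaseUrl() + AuthenticatorConstants.AUTHORIZATION_CODE_CALLBACK_URL + appName;
                AccessTokenRequest request = new AccessTokenRequest();
                request.setClientId(clientId);
                request.setClientSecret(clientSecret);
                request.setGrantType(grantType);
                request.setAuthorizationCode(authorizationCode);
                request.setScopes(scopes);
                request.setValidityPeriod(validityPeriod);
                request.setCallbackURI(callbackUrl);
                accessTokenInfo = getKeyManager().getNewAccessToken(request);
            } else if (multiEnvEnabled && JWT_BEARER_GRANT.equals(grantType)) {
                AccessTokenRequest request = new AccessTokenRequest();
                request.setClientId(clientId);
                request.setClientSecret(clientSecret);
                request.setAssertion(assertion);
                request.setGrantType(JWT_BEARER_GRANT);
                request.setScopes(scopes);
                request.setValidityPeriod(validityPeriod);
                accessTokenInfo = getKeyManager().getNewAccessToken(request);
                // The subject is read from the ID token the key manager just issued (trusted
                // channel), then checked against this environment's user store so a token minted
                // for another environment cannot log in a user that does not exist here.
                String usernameFromJWT = getUsernameFromJWT(accessTokenInfo.getIdToken());
                try {
                    identityProvider.getIdOfUser(usernameFromJWT);
                } catch (IdentityProviderException e) {
                    throw new APIManagementException("User " + usernameFromJWT + " does not exists in this environment.", e, ExceptionCodes.USER_NOT_AUTHENTICATED);
                }
            } else {
                // Previously any unrecognised grant fell through and returned an empty token
                // (or, with multi-env enabled, was silently treated as a JWT bearer request).
                String message = "Unsupported grant type for OAuth application : " + appName;
                log.error(message, ExceptionCodes.ACCESS_TOKEN_GENERATION_FAILED);
                throw new APIManagementException(message, ExceptionCodes.ACCESS_TOKEN_GENERATION_FAILED);
            }
            log.debug("Received access token for {} application.", appName);
            return accessTokenInfo;
        } catch (KeyManagementException e) {
            String message = "Error while receiving tokens for OAuth application : " + appName;
            log.error(message, e, ExceptionCodes.ACCESS_TOKEN_GENERATION_FAILED);
            throw new APIManagementException(message, e, ExceptionCodes.ACCESS_TOKEN_GENERATION_FAILED);
        }
    }

    /**
     * Revokes an access token at the key manager using the portal application's client credentials.
     *
     * @param appName     portal application that issued the token
     * @param accessToken the (reassembled) access token to revoke
     * @throws APIManagementException if the client credentials cannot be obtained or revocation fails
     */
    public void revokeAccessToken(String appName, String accessToken) throws APIManagementException {
        Map<String, String> consumerKeySecret = getConsumerKeySecret(appName);
        getKeyManager().revokeAccessToken(accessToken, consumerKeySecret.get(AuthenticatorConstants.CONSUMER_KEY), consumerKeySecret.get(AuthenticatorConstants.CONSUMER_SECRET));
    }

    /**
     * Converts a token response into the bean returned to the UI.
     * <p>
     * SECURITY NOTE (review): when the response carries no ID token the authenticated user is
     * reported as {@code "admin"}. The value only feeds the UI display and the AUTH_USER
     * cookie as far as this class shows, but it is a misleading default — a response without an
     * ID token should rather be treated as "user unknown". Kept for backward compatibility;
     * confirm with the callers before changing.
     *
     * @param accessTokenInfo token response from the key manager
     * @return bean with user name, scopes, validity period and ID token; the partial token is set
     *         later by {@link #setupAccessTokenParts}
     * @throws KeyManagementException if the ID token is present but cannot be parsed
     */
    public AuthResponseBean getResponseBeanFromTokenInfo(AccessTokenInfo accessTokenInfo) throws KeyManagementException {
        String authUser = null;
        if (accessTokenInfo.getIdToken() != null) {
            authUser = getUsernameFromJWT(accessTokenInfo.getIdToken());
        }
        if (authUser == null) {
            authUser = "admin";
        }
        AuthResponseBean responseBean = new AuthResponseBean();
        responseBean.setTokenValid(true);
        responseBean.setAuthUser(authUser);
        responseBean.setScopes(accessTokenInfo.getScopes());
        responseBean.setType(AuthenticatorConstants.BEARER_PREFIX);
        responseBean.setValidityPeriod(accessTokenInfo.getValidityPeriod());
        responseBean.setIdToken(accessTokenInfo.getIdToken());
        return responseBean;
    }

    /**
     * Splits the access token in two: the first half is returned in the response body
     * ({@code partialToken}) and the second half is stored in cookies scoped to the REST API
     * and logout contexts, so neither the script-visible part nor the cookie alone is a usable
     * bearer token. The boolean flags are passed to {@link AuthUtil#cookieBuilder} exactly as
     * elsewhere in this class (presumably secure / httpOnly — confirm in AuthUtil).
     *
     * @param cookies          output map, keyed by context, receiving the built cookies
     * @param authResponseBean bean whose {@code partialToken} is set to the first half
     * @param accessToken      full access token
     * @param contextPaths     cookie paths keyed by {@link AuthenticatorConstants.Context} constants
     * @param setAuthUserCookie whether to also emit the AUTH_USER cookie under the app context
     */
    public void setupAccessTokenParts(Map<String, NewCookie> cookies, AuthResponseBean authResponseBean, String accessToken, Map<String, String> contextPaths, boolean setAuthUserCookie) {
        int half = accessToken.length() / 2;
        String firstHalf = accessToken.substring(0, half);
        String secondHalf = accessToken.substring(half);
        authResponseBean.setPartialToken(firstHalf);
        String environmentLabel = this.apimConfigurationService.getEnvironmentConfigurations().getEnvironmentLabel();
        NewCookie restApiCookie = AuthUtil.cookieBuilder("WSO2_AM_TOKEN_MSF4J", secondHalf, contextPaths.get(AuthenticatorConstants.Context.REST_API_CONTEXT), true, true, "", environmentLabel);
        NewCookie logoutCookie = AuthUtil.cookieBuilder(AuthenticatorConstants.ACCESS_TOKEN_2, secondHalf, contextPaths.get(AuthenticatorConstants.Context.LOGOUT_CONTEXT), true, true, "", environmentLabel);
        cookies.put(AuthenticatorConstants.Context.REST_API_CONTEXT, restApiCookie);
        cookies.put(AuthenticatorConstants.Context.LOGOUT_CONTEXT, logoutCookie);
        if (setAuthUserCookie) {
            // Note the second flag differs from the token cookies: the user name is meant to be
            // readable by the UI, the token halves are not.
            cookies.put(AuthenticatorConstants.AUTH_USER, AuthUtil.cookieBuilder(AuthenticatorConstants.AUTH_USER, authResponseBean.getAuthUser(), contextPaths.get(AuthenticatorConstants.Context.APP_CONTEXT), true, false, "", environmentLabel));
        }
    }

    /**
     * Splits the refresh token in two cookies: the first half under the app context and the
     * second half under the login context (the latter with the same flags as the access-token
     * cookies), so the refresh flow has to present both.
     *
     * @param cookies      output map, keyed by context, receiving the built cookies
     * @param refreshToken full refresh token
     * @param contextPaths cookie paths keyed by {@link AuthenticatorConstants.Context} constants
     */
    public void setupRefreshTokenParts(Map<String, NewCookie> cookies, String refreshToken, Map<String, String> contextPaths) {
        int half = refreshToken.length() / 2;
        String firstHalf = refreshToken.substring(0, half);
        String secondHalf = refreshToken.substring(half);
        String environmentLabel = this.apimConfigurationService.getEnvironmentConfigurations().getEnvironmentLabel();
        NewCookie appCookie = AuthUtil.cookieBuilder(AuthenticatorConstants.REFRESH_TOKEN_1, firstHalf, contextPaths.get(AuthenticatorConstants.Context.APP_CONTEXT), true, false, "", environmentLabel);
        NewCookie loginCookie = AuthUtil.cookieBuilder(AuthenticatorConstants.REFRESH_TOKEN_2, secondHalf, contextPaths.get(AuthenticatorConstants.Context.LOGIN_CONTEXT), true, true, "", environmentLabel);
        cookies.put(AuthenticatorConstants.Context.APP_CONTEXT, appCookie);
        cookies.put(AuthenticatorConstants.Context.LOGIN_CONTEXT, loginCookie);
    }

    /**
     * Builds the URI the browser is redirected to after the authorization-code callback.
     * <p>
     * When an allowed host is configured the redirect is forced to {@code https://<host>/};
     * otherwise the configured base URL is used. If a response bean is given, the login data
     * is appended as a query string. Each value is percent-encoded individually, so a user name
     * or scope containing {@code &} or {@code =} can no longer corrupt the query (the previous
     * implementation encoded the whole string and then un-escaped those two characters).
     * <p>
     * SECURITY NOTE: {@code id_token} and {@code partial_token} travel in the URL and may end up
     * in browser history and referrer logs; that exposure is inherent to this design.
     *
     * @param relativePath     path below the UI base URL to return to
     * @param authResponseBean login result, or {@code null} for a bare redirect
     * @return the redirect URI
     * @throws URISyntaxException           if the assembled string is not a valid URI
     * @throws UnsupportedEncodingException never in practice (UTF-8 is always available)
     */
    public URI getUIServiceRedirectionURI(String relativePath, AuthResponseBean authResponseBean) throws URISyntaxException, UnsupportedEncodingException {
        List<?> allowedHosts = this.apimConfigurationService.getEnvironmentConfigurations().getAllowedHosts();
        // Guard the lookup: an empty allowed-hosts list used to throw IndexOutOfBoundsException.
        String allowedHost = (allowedHosts == null || allowedHosts.isEmpty()) ? null : (String) allowedHosts.get(0);
        String uiBaseUrl = StringUtils.isEmpty(allowedHost) ? this.apimAppConfigurationService.getApimAppConfigurations().getApimBaseUrl() : "https://" + allowedHost + AuthenticatorConstants.URL_PATH_SEPARATOR;
        log.debug("Read UI Service url from configurations. value: {}", uiBaseUrl);
        if (authResponseBean == null) {
            return new URI(uiBaseUrl + relativePath);
        }
        String query = "user_name=" + encodeQueryValue(authResponseBean.getAuthUser())
                + "&id_token=" + encodeQueryValue(authResponseBean.getIdToken())
                + "&partial_token=" + encodeQueryValue(authResponseBean.getPartialToken())
                + "&scopes=" + encodeQueryValue(authResponseBean.getScopes())
                + "&validity_period=" + encodeQueryValue(authResponseBean.getValidityPeriod());
        return new URI(uiBaseUrl + relativePath + "/login?" + query);
    }

    /**
     * Percent-encodes a single query-string value. {@link URLEncoder} emits form encoding
     * ({@code +} for space); the UI expects {@code %20}, as the previous implementation produced.
     * {@code null} becomes the literal text {@code "null"}, matching the old string concatenation.
     */
    private static String encodeQueryValue(Object value) throws UnsupportedEncodingException {
        return URLEncoder.encode(String.valueOf(value), "UTF-8").replace("+", "%20");
    }

    /**
     * Returns the consumer key/secret for a portal application, registering it via DCR on first
     * use. Results are cached in the static map owned by {@link AuthUtil}; that map holds client
     * secrets in memory for the lifetime of the process.
     *
     * @throws APIManagementException if DCR fails or returns no application
     */
    private Map<String, String> getConsumerKeySecret(String appName) throws APIManagementException {
        if (AuthUtil.getConsumerKeySecretMap().containsKey(appName)) {
            return AuthUtil.getConsumerKeySecretMap().get(appName);
        }
        List<String> grantTypes = new ArrayList<>();
        grantTypes.add(AuthenticatorConstants.PASSWORD_GRANT);
        grantTypes.add(AuthenticatorConstants.REFRESH_GRANT);
        grantTypes.add("client_credentials");
        OAuthApplicationInfo application = createDCRApplication(appName, TEMPORARY_CALLBACK_URL, grantTypes);
        if (application == null) {
            // Previously this dereferenced null; fail with the same error code the DCR path uses.
            String message = "Error while creating the keys for OAuth application : " + appName;
            log.error(message, ExceptionCodes.OAUTH2_APP_CREATION_FAILED);
            throw new APIManagementException(message, ExceptionCodes.OAUTH2_APP_CREATION_FAILED);
        }
        Map<String, String> keySecret = new HashMap<>();
        keySecret.put(AuthenticatorConstants.CONSUMER_KEY, application.getClientId());
        keySecret.put(AuthenticatorConstants.CONSUMER_SECRET, application.getClientSecret());
        AuthUtil.getConsumerKeySecretMap().put(appName, keySecret);
        return keySecret;
    }

    /**
     * Derives the scope list for a portal application from the security definition of its REST
     * API swagger, always appending {@code openid} so an ID token is issued.
     *
     * @param appName store, publisher or {@code admin}
     * @return space-separated scopes ending in {@code openid}
     * @throws APIManagementException for an unknown application name or unreadable swagger
     */
    public String getApplicationScopes(String appName) throws APIManagementException {
        String restApiResource = null;
        if (AuthenticatorConstants.STORE_APPLICATION.equals(appName)) {
            restApiResource = RestApiUtil.getStoreRestAPIResource();
        } else if (AuthenticatorConstants.PUBLISHER_APPLICATION.equals(appName)) {
            restApiResource = RestApiUtil.getPublisherRestAPIResource();
        } else if ("admin".equals(appName)) {
            restApiResource = RestApiUtil.getAdminRestAPIResource();
        }
        try {
            if (restApiResource != null) {
                String scopes = String.join(" ", new APIDefinitionFromSwagger20().getScopesFromSecurityDefinitionForWebApps(restApiResource).keySet());
                return StringUtils.isEmpty(scopes) ? "openid" : scopes + " openid";
            }
            log.error("Error while getting application rest API resource.", ExceptionCodes.INTERNAL_ERROR);
            throw new APIManagementException("Error while getting application rest API resource.", ExceptionCodes.INTERNAL_ERROR);
        } catch (APIManagementException e) {
            log.error("Error while reading scopes from swagger definition.", e, ExceptionCodes.INTERNAL_ERROR);
            throw new APIManagementException("Error while reading scopes from swagger definition.", e, ExceptionCodes.INTERNAL_ERROR);
        }
    }

    /**
     * Returns the OAuth application for {@code appName}: the stored one if a consumer key is
     * already recorded in {@link SystemApplicationDao}, otherwise a newly registered one whose
     * consumer key is then persisted. Note that for an existing application the requested
     * callback URL and grant types are ignored — the registration on record wins.
     *
     * @return the application, or {@code null} if the key manager returned none
     * @throws APIManagementException wrapping key-manager or DAO failures
     */
    private OAuthApplicationInfo createDCRApplication(String appName, String callbackUrl, List<String> grantTypes) throws APIManagementException {
        try {
            if (this.systemApplicationDao.isConsumerKeyExistForApplication(appName)) {
                return getKeyManager().retrieveApplication(this.systemApplicationDao.getConsumerKeyForApplication(appName));
            }
            OAuthAppRequest appRequest = new OAuthAppRequest(appName, callbackUrl, AuthenticatorConstants.APPLICATION_KEY_TYPE, grantTypes);
            OAuthApplicationInfo created = getKeyManager().createApplication(appRequest);
            if (created != null) {
                this.systemApplicationDao.addApplicationKey(appName, created.getClientId());
            }
            return created;
        } catch (KeyManagementException | APIMgtDAOException e) {
            String message = "Error while creating the keys for OAuth application : " + appName;
            log.error(message, e, ExceptionCodes.OAUTH2_APP_CREATION_FAILED);
            throw new APIManagementException(message, e, ExceptionCodes.OAUTH2_APP_CREATION_FAILED);
        }
    }

    /**
     * Extracts the user name from the {@code sub} claim of a JWT, stripping the super-tenant
     * suffix {@code @carbon.super}.
     * <p>
     * This does <b>not</b> verify the signature — the payload is simply decoded. It is only
     * safe for tokens obtained directly from the key manager (as the callers in this class do);
     * never feed it a token supplied by the client. The payload segment is base64url
     * (RFC 7515 §2), so the URL-safe decoder is used; the basic decoder previously used here
     * rejects payloads containing {@code -} or {@code _}.
     *
     * @param jwt compact-serialised JWT
     * @return the subject without tenant suffix
     * @throws KeyManagementException if the token is missing, malformed, or has no {@code sub}
     */
    private String getUsernameFromJWT(String jwt) throws KeyManagementException {
        // The token is a credential: never include it in log output.
        if (jwt == null) {
            log.error("JWT Parsing failed. No JWT present.");
            throw new KeyManagementException("JWT Parsing failed. Invalid JWT.", ExceptionCodes.JWT_PARSING_FAILED);
        }
        String[] segments = jwt.split("\\.");
        if (segments.length < 2 || segments[1].isEmpty()) {
            log.error("JWT Parsing failed. Token has no payload segment.");
            throw new KeyManagementException("JWT Parsing failed. Invalid JWT.", ExceptionCodes.JWT_PARSING_FAILED);
        }
        JWTTokenPayload payload;
        try {
            byte[] decoded = Base64.getUrlDecoder().decode(segments[1]);
            payload = new Gson().fromJson(new String(decoded, StandardCharsets.UTF_8), JWTTokenPayload.class);
        } catch (RuntimeException e) {
            // IllegalArgumentException from the decoder or Gson's JsonSyntaxException.
            log.error("JWT Parsing failed. Payload is not valid base64url/JSON.", e);
            throw new KeyManagementException("JWT Parsing failed. Invalid JWT.", ExceptionCodes.JWT_PARSING_FAILED);
        }
        if (payload == null || payload.getSub() == null) {
            log.error("JWT Parsing failed. Payload has no 'sub' claim.");
            throw new KeyManagementException("JWT Parsing failed. Invalid JWT.", ExceptionCodes.JWT_PARSING_FAILED);
        }
        return payload.getSub().replace("@carbon.super", "");
    }

    /** Exposed for subclasses/tests to substitute the key manager. */
    protected KeyManager getKeyManager() {
        return this.keyManager;
    }
}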
