package org.wso2.carbon.apimgt.rest.api.util.impl;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.cxf.message.Message;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.api.model.AccessTokenInfo;
import org.wso2.carbon.apimgt.api.model.Scope;
import org.wso2.carbon.apimgt.impl.factory.KeyManagerHolder;
import org.wso2.carbon.apimgt.impl.utils.APIUtil;
import org.wso2.carbon.apimgt.rest.api.util.RestApiConstants;
import org.wso2.carbon.apimgt.rest.api.util.authenticators.WebAppAuthenticator;
import org.wso2.carbon.apimgt.rest.api.util.utils.RestApiUtil;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
import org.wso2.uri.template.URITemplate;
import org.wso2.uri.template.URITemplateException;

/* loaded from: input_file:WEB-INF/lib/org.wso2.carbon.apimgt.rest.api.util-6.5.49.jar:org/wso2/carbon/apimgt/rest/api/util/impl/WebAppAuthenticatorImpl.class */
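public class WebAppAuthenticatorImpl implements WebAppAuthenticator {
    private static final Log log = LogFactory.getLog(WebAppAuthenticatorImpl.class);
    private static final String SUPER_TENANT_SUFFIX = "@carbon.super";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    /** CXF message key under which the HTTP request method is stored. */
    private static final String REQUEST_METHOD_KEY = "org.apache.cxf.request.method";

    /**
     * Authenticates a REST API request from the bearer access token in its Authorization header.
     *
     * <p>The token is resolved through the configured key manager, rejected when missing or
     * invalid, then checked against the scopes required by the requested resource. On success the
     * thread-local Carbon context is populated with the token owner's tenant domain, tenant id and
     * user name, and the tenant configuration is loaded for non-super tenants.
     *
     * @param message the inbound CXF message carrying the request
     * @return {@code true} when the token is valid, scope validation passes and the tenant context
     *         was set up; {@code false} otherwise (the reason is logged, never the token value)
     * @throws APIManagementException declared by the interface; failures while looking the token
     *         up are caught and reported as an authentication failure instead
     */
    @Override
    public boolean authenticate(Message message) throws APIManagementException {
        String accessToken = RestApiUtil.extractOAuthAccessTokenFromMessage(
                message, RestApiConstants.REGEX_BEARER_PATTERN, RestApiConstants.AUTH_HEADER_NAME);
        AccessTokenInfo accessTokenInfo = null;
        try {
            accessTokenInfo = KeyManagerHolder.getKeyManagerInstance().getTokenMetaData(accessToken);
        } catch (APIManagementException e) {
            // The token is a bearer credential: report the failure without echoing its value.
            log.error("Error while retrieving token information for the presented access token", e);
        }
        if (accessTokenInfo == null || !accessTokenInfo.isTokenValid()) {
            log.error("Authentication failed: access token is missing, invalid or expired");
            return false;
        }
        if (!validateScopes(message, accessTokenInfo)) {
            log.error("You cannot access API as scope validation failed");
            return false;
        }
        return setUpTenantContext(accessTokenInfo.getEndUserName());
    }

    /**
     * Populates the thread-local Carbon context (tenant domain, tenant id, user name) for the
     * authenticated end user and loads the tenant configuration for non-super tenants.
     *
     * @param endUserName end user name from the token metadata, possibly tenant-qualified
     * @return {@code false} when the realm service is unavailable or the tenant id cannot be
     *         resolved; {@code true} once the context has been set
     * @throws APIManagementException propagated from tenant configuration loading, if it throws
     */
    private boolean setUpTenantContext(String endUserName) throws APIManagementException {
        String tenantDomain = MultitenantUtils.getTenantDomain(endUserName);
        PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
        RealmService realmService =
                (RealmService) carbonContext.getOSGiService(RealmService.class, (Hashtable<?, ?>) null);
        if (realmService == null) {
            // Fail closed rather than dereference a missing OSGi service.
            log.error("RealmService is not available; cannot resolve tenant id for tenant domain: "
                    + tenantDomain);
            return false;
        }
        String username = endUserName;
        // Super-tenant users are stored without the "@carbon.super" qualifier.
        if (SUPER_TENANT_DOMAIN.equals(tenantDomain) && username.endsWith(SUPER_TENANT_SUFFIX)) {
            username = username.substring(0, username.length() - SUPER_TENANT_SUFFIX.length());
        }
        try {
            int tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
            carbonContext.setTenantDomain(tenantDomain);
            carbonContext.setTenantId(tenantId);
            carbonContext.setUsername(username);
            if (!SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
                // Only non-super tenants need their configuration loaded on first access.
                APIUtil.loadTenantConfigBlockingMode(tenantDomain);
            }
            return true;
        } catch (UserStoreException e) {
            log.error("Error while retrieving tenant id for tenant domain: " + tenantDomain, e);
            return false;
        }
    }

    /**
     * Checks whether the token's scopes permit the requested resource path and HTTP verb.
     *
     * <p>The resource-to-scope mapping is selected from the request base path (publisher, store or
     * admin app); each mapped URI template that matches the request path and verb is then compared
     * against the token's scopes.
     *
     * @param message the inbound CXF message (base path, path info and request method are read)
     * @param accessTokenInfo validated token metadata whose scopes are checked
     * @return {@code true} when a matching resource is granted by one of the token's scopes, or
     *         when the matching resource declares no scope at all; {@code false} otherwise
     */
    private boolean validateScopes(Message message, AccessTokenInfo accessTokenInfo) {
        String basePath = (String) message.get(Message.BASE_PATH);
        String pathInfo = (String) message.get(Message.PATH_INFO);
        String verb = (String) message.get(REQUEST_METHOD_KEY);
        if (basePath == null || pathInfo == null) {
            // Fail closed: without the request path there is nothing to match scopes against.
            log.error("Cannot validate scopes: request base path or path info is missing");
            return false;
        }
        // Resource path relative to the app context. Assumes the base path ends with '/' so the
        // resource keeps its leading '/' — TODO confirm against the CXF endpoint configuration.
        String resourcePath = pathInfo.substring(basePath.length() - 1);
        String[] tokenScopes = accessTokenInfo.getScopes();
        String endUser = accessTokenInfo.getEndUserName();

        for (org.wso2.carbon.apimgt.api.model.URITemplate resource : resolveResourceMapping(basePath)) {
            if (tokenScopes == null || !matchesRequest(resource, resourcePath, verb)) {
                continue;
            }
            // NOTE(review): the anonymous-permission branch is only reached when the token carries
            // at least one scope (this mirrors the original loop structure) — confirm whether a
            // scope-less token should also be allowed on an unscoped resource.
            if (tokenScopes.length > 0 && resource.getScope() == null
                    && resource.retrieveAllScopes().isEmpty()) {
                if (log.isDebugEnabled()) {
                    log.debug("Scope not defined in swagger for matching resource " + resourcePath
                            + " and verb " + verb
                            + " . So consider as anonymous permission and let request to continue.");
                }
                return true;
            }
            String grantingScope = findGrantingScopeKey(resource, tokenScopes);
            if (grantingScope != null) {
                if (log.isDebugEnabled()) {
                    // Log the user, not the token: the token is a credential.
                    log.debug("Scope validation successful for user: " + endUser + " with scope: "
                            + grantingScope + " for resource path: " + pathInfo + " and verb " + verb);
                }
                return true;
            }
        }
        return false;
    }

    /**
     * Selects the resource-to-scope mapping for the app addressed by the request base path.
     *
     * @param basePath the CXF base path of the request
     * @return the app's mapped URI templates, or an empty set (after logging) when no app matches
     */
    private static Set<org.wso2.carbon.apimgt.api.model.URITemplate> resolveResourceMapping(String basePath) {
        if (basePath.contains(RestApiConstants.REST_API_PUBLISHER_CONTEXT_FULL_0)) {
            return RestApiUtil.getPublisherAppResourceMapping("v0.14");
        }
        if (basePath.contains(RestApiConstants.REST_API_PUBLISHER_CONTEXT_FULL_1)) {
            return RestApiUtil.getPublisherAppResourceMapping("v1");
        }
        if (basePath.contains(RestApiConstants.REST_API_STORE_CONTEXT_FULL_0)) {
            return RestApiUtil.getStoreAppResourceMapping("v0.14");
        }
        if (basePath.contains(RestApiConstants.REST_API_STORE_CONTEXT_FULL_1)) {
            return RestApiUtil.getStoreAppResourceMapping("v1");
        }
        if (basePath.contains(RestApiConstants.REST_API_ADMIN_CONTEXT)) {
            return RestApiUtil.getAdminAPIAppResourceMapping();
        }
        log.error("No matching scope validation logic found for app request with path: " + basePath);
        return new HashSet<>();
    }

    /**
     * Tells whether a mapped resource's URI template and HTTP verb match the request.
     *
     * @param resource the mapped resource definition
     * @param resourcePath request path relative to the app context
     * @param verb the request HTTP method, may be {@code null}
     * @return {@code true} only when the template parses, matches the path and the verb matches
     *         case-insensitively
     */
    private static boolean matchesRequest(org.wso2.carbon.apimgt.api.model.URITemplate resource,
                                          String resourcePath, String verb) {
        String templateString = resource.getUriTemplate();
        URITemplate pattern;
        try {
            pattern = new URITemplate(templateString);
        } catch (URITemplateException e) {
            log.error("Error while creating URI Template object to validate request. Template pattern: "
                    + templateString, e);
            return false;
        }
        // matches() fills the map with path variables; they are not needed here.
        return pattern.matches(resourcePath, new HashMap<String, String>())
                && verb != null
                && verb.equalsIgnoreCase(resource.getHTTPVerb());
    }

    /**
     * Finds the key of the resource scope that one of the token's scopes satisfies.
     *
     * <p>When the resource declares a single scope, only that scope is considered; otherwise every
     * scope returned by {@code retrieveAllScopes()} is considered. Comparison is case-insensitive.
     *
     * @param resource the matched resource definition
     * @param tokenScopes the token's scopes (non-null)
     * @return the granting scope key, or {@code null} when none of the token's scopes grants access
     */
    private static String findGrantingScopeKey(org.wso2.carbon.apimgt.api.model.URITemplate resource,
                                               String[] tokenScopes) {
        Scope singleScope = resource.getScope();
        for (String tokenScope : tokenScopes) {
            if (singleScope != null) {
                if (tokenScope.equalsIgnoreCase(singleScope.getKey())) {
                    return singleScope.getKey();
                }
            } else {
                for (Scope candidate : resource.retrieveAllScopes()) {
                    if (tokenScope.equalsIgnoreCase(candidate.getKey())) {
                        return candidate.getKey();
                    }
                }
            }
        }
        return null;
    }
}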
