package org.wso2.carbon.identity.auth.service.handler.impl;

import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import org.apache.catalina.connector.Request;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.slf4j.MDC;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.model.ProvisioningServiceProviderType;
import org.wso2.carbon.identity.application.common.model.ThreadLocalProvisioningServiceProvider;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.auth.service.AuthenticationContext;
import org.wso2.carbon.identity.auth.service.AuthenticationRequest;
import org.wso2.carbon.identity.auth.service.AuthenticationResult;
import org.wso2.carbon.identity.auth.service.AuthenticationStatus;
import org.wso2.carbon.identity.auth.service.handler.AuthenticationHandler;
import org.wso2.carbon.identity.auth.service.util.AuthConfigurationUtil;
import org.wso2.carbon.identity.auth.service.util.Constants;
import org.wso2.carbon.identity.core.bean.context.MessageContext;
import org.wso2.carbon.identity.core.handler.InitConfig;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService;
import org.wso2.carbon.identity.oauth2.dto.OAuth2IntrospectionResponseDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationRequestDTO;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.token.bindings.TokenBinding;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;

/* loaded from: input_file:org/wso2/carbon/identity/auth/service/handler/impl/OAuth2AccessTokenHandler.class */
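/**
 * Authenticates REST requests that present an OAuth2 access token as
 * {@code Authorization: Bearer <token>}.
 *
 * <p>The token is validated through
 * {@link OAuth2TokenValidationService#buildIntrospectionResponse}. The result stays at
 * {@link AuthenticationStatus#FAILED} (fail closed) when the header is missing or malformed,
 * the token is inactive, the token-binding check fails, or the OAuth application behind the
 * token cannot be resolved. Only after every check passes does the handler publish the
 * authenticated user, consumer key, allowed scopes and service-provider details on the
 * {@link AuthenticationContext} and on per-thread state
 * ({@link IdentityUtil#threadLocalProperties}, {@link MDC}, the provisioning SP thread local).
 *
 * <p>NOTE(review): this listing is decompiled bytecode. The constant fields were inlined by the
 * decompiler; they are used by name here so every literal has a single definition. The
 * original forwarded a {@code null} token identifier to the validation service when the
 * header was not exactly "Bearer" + one space + token, and populated the token-id thread
 * local before the token-binding check ran; both are tightened below.
 */
public class OAuth2AccessTokenHandler extends AuthenticationHandler {

    private static final Log log = LogFactory.getLog(OAuth2AccessTokenHandler.class);

    /** Header carrying the credential. */
    private static final String AUTHORIZATION_HEADER = "Authorization";
    /** Accepted authorization scheme. Matched case-sensitively, as in the original. */
    private static final String OAUTH_HEADER = "Bearer";
    private static final String CONSUMER_KEY = "consumer-key";
    private static final String SERVICE_PROVIDER = "serviceProvider";
    private static final String SERVICE_PROVIDER_TENANT_DOMAIN = "serviceProviderTenantDomain";
    /** Request-URI suffix of the SCIM2 "me" endpoint; only it receives token/session ids via thread locals. */
    private static final String SCIM_ME_ENDPOINT_URI = "scim2/me";
    /** Token-binding type whose binding value is an SSO session identifier. */
    private static final String SSO_SESSION_BINDING_TYPE = "sso-session";
    /** Thread-local key under which the SCIM "me" endpoint finds the current token id. */
    private static final String CURRENT_TOKEN_IDENTIFIER = "currentTokenIdentifier";
    /** Placeholder context entry sent with every validation request (see {@link #introspect}). */
    private static final String DUMMY_CONTEXT_PARAM = "dummy";

    /**
     * Validates the bearer token on the request and, on success, populates the context.
     *
     * @param messageContext the {@link AuthenticationContext} of the current request
     * @return a result whose status is SUCCESS only if the token is active and its binding
     *         (when present and enforced for the app) matches the request; FAILED otherwise
     */
    @Override // org.wso2.carbon.identity.auth.service.handler.AuthenticationHandler
    protected AuthenticationResult doAuthenticate(MessageContext messageContext) {

        AuthenticationResult authenticationResult = new AuthenticationResult(AuthenticationStatus.FAILED);
        AuthenticationContext authenticationContext = (AuthenticationContext) messageContext;
        AuthenticationRequest authenticationRequest = authenticationContext.getAuthenticationRequest();
        if (authenticationRequest == null) {
            return authenticationResult;
        }

        String accessToken = extractBearerToken(authenticationRequest.getHeader(AUTHORIZATION_HEADER));
        if (accessToken == null) {
            // Missing or malformed credential: fail closed here instead of asking the validation
            // service about a null identifier.
            return authenticationResult;
        }

        OAuth2IntrospectionResponseDTO introspection = introspect(accessToken);
        if (introspection == null || !introspection.isActive()) {
            return authenticationResult;
        }

        String clientId = introspection.getClientId();
        TokenBinding tokenBinding =
                new TokenBinding(introspection.getBindingType(), introspection.getBindingReference());
        if (!isTokenBindingValid(messageContext, tokenBinding, clientId, accessToken)) {
            return authenticationResult;
        }

        // Every check passed: only now expose request-scoped identity state to downstream code.
        authenticationResult.setAuthenticationStatus(AuthenticationStatus.SUCCESS);
        if (isScimMeRequest(authenticationRequest.getRequest())) {
            setCurrentTokenIdThreadLocal(getTokenIdFromAccessToken(accessToken));
        }
        publishAuthenticatedUser(authenticationContext, introspection.getAuthorizedUser());

        authenticationContext.addParameter(CONSUMER_KEY, clientId);
        authenticationContext.addParameter(Constants.OAUTH2_ALLOWED_SCOPES,
                OAuth2Util.buildScopeArray(introspection.getScope()));
        authenticationContext.addParameter(Constants.OAUTH2_VALIDATE_SCOPE,
                Boolean.valueOf(AuthConfigurationUtil.getInstance().isScopeValidationEnabled()));
        publishServiceProvider(authenticationContext, clientId);

        return authenticationResult;
    }

    public void init(InitConfig initConfig) {
        // No configuration is read by this handler.
    }

    public String getName() {
        return "OAuthAuthentication";
    }

    public boolean isEnabled(MessageContext messageContext) {
        return true;
    }

    public int getPriority(MessageContext messageContext) {
        // 25 is the default priority; the two-argument overload lets configuration override it.
        return getPriority(messageContext, 25);
    }

    public boolean canHandle(MessageContext messageContext) {
        return AuthConfigurationUtil.isAuthHeaderMatch(messageContext, OAUTH_HEADER);
    }

    /**
     * Extracts the token from an Authorization header value.
     *
     * @param authorizationHeader raw header value, may be {@code null}
     * @return the token, or {@code null} unless the value is exactly {@code Bearer},
     *         a single space, and a non-blank token
     */
    private String extractBearerToken(String authorizationHeader) {

        if (StringUtils.isEmpty(authorizationHeader) || !authorizationHeader.startsWith(OAUTH_HEADER)) {
            return null;
        }
        String[] parts = authorizationHeader.split(" ");
        if (parts.length != 2 || !OAUTH_HEADER.equals(parts[0]) || StringUtils.isBlank(parts[1])) {
            return null;
        }
        return parts[1];
    }

    /**
     * Runs the token through the OAuth2 validation service and returns its introspection view.
     *
     * @param accessToken the bearer token string
     * @return the introspection response; callers must check {@code isActive()}
     */
    private OAuth2IntrospectionResponseDTO introspect(String accessToken) {

        OAuth2TokenValidationRequestDTO validationRequest = new OAuth2TokenValidationRequestDTO();
        OAuth2TokenValidationRequestDTO.OAuth2AccessToken token = validationRequest.new OAuth2AccessToken();
        token.setIdentifier(accessToken);
        token.setTokenType(OAUTH_HEADER);
        validationRequest.setAccessToken(token);

        // The original always attaches one placeholder context entry, presumably because the
        // service expects a non-empty context; kept as-is.
        OAuth2TokenValidationRequestDTO.TokenValidationContextParam contextParam =
                validationRequest.new TokenValidationContextParam();
        contextParam.setKey(DUMMY_CONTEXT_PARAM);
        contextParam.setValue(DUMMY_CONTEXT_PARAM);
        validationRequest.setContext(
                new OAuth2TokenValidationRequestDTO.TokenValidationContextParam[] {contextParam});

        return new OAuth2TokenValidationService().buildIntrospectionResponse(validationRequest);
    }

    /**
     * Whether the servlet request targets the SCIM2 "me" endpoint.
     *
     * @param request the servlet request, may be {@code null}
     * @return true if the request URI (case-insensitively, locale-independent) ends with scim2/me
     */
    private boolean isScimMeRequest(Request request) {

        return Optional.ofNullable(request)
                .map(Request::getRequestURI)
                .filter(uri -> uri.toLowerCase(Locale.ROOT).endsWith(SCIM_ME_ENDPOINT_URI))
                .isPresent();
    }

    /**
     * Records the authorized user on the context and flags federation details per thread.
     *
     * @param context the authentication context being populated
     * @param authorizedUser user from the introspection response, may be {@code null}
     */
    private void publishAuthenticatedUser(AuthenticationContext context, AuthenticatedUser authorizedUser) {

        if (authorizedUser == null) {
            return;
        }
        context.setUser(authorizedUser);
        // The original's "else" branch (wrapping in a new AuthenticatedUser) was unreachable: the
        // getter already returns an AuthenticatedUser.
        Map<String, Object> threadLocals = threadLocalProperties();
        threadLocals.put(Constants.IS_FEDERATED_USER, Boolean.valueOf(authorizedUser.isFederatedUser()));
        threadLocals.put(Constants.IDP_NAME, authorizedUser.getFederatedIdPName());
    }

    /**
     * Resolves the service provider behind the consumer key and exposes it on the context,
     * the logging MDC and the provisioning thread local. Lookup failures are logged and
     * tolerated: the token is already known to be active, so this is best-effort metadata.
     *
     * @param context the authentication context being populated
     * @param clientId consumer key from the introspection response
     */
    private void publishServiceProvider(AuthenticationContext context, String clientId) {

        String serviceProviderName = null;
        try {
            serviceProviderName = OAuth2Util.getServiceProvider(clientId).getApplicationName();
        } catch (IdentityOAuth2Exception e) {
            log.error("Error occurred while getting the Service Provider by Consumer key: " + clientId, e);
        }

        String serviceProviderTenantDomain = null;
        try {
            serviceProviderTenantDomain = OAuth2Util.getTenantDomainOfOauthApp(clientId);
        } catch (InvalidOAuthClientException | IdentityOAuth2Exception e) {
            log.error("Error occurred while getting the OAuth App tenantDomain by Consumer key: " + clientId, e);
        }

        if (serviceProviderName == null) {
            return;
        }
        context.addParameter(SERVICE_PROVIDER, serviceProviderName);
        if (serviceProviderTenantDomain != null) {
            context.addParameter(SERVICE_PROVIDER_TENANT_DOMAIN, serviceProviderTenantDomain);
        }
        // NOTE(review): nothing in this class removes the MDC entry; confirm a request filter
        // clears it so the value cannot leak into log lines of a later request on this thread.
        MDC.put(SERVICE_PROVIDER, serviceProviderName);
        setProvisioningServiceProviderThreadLocal(clientId, serviceProviderTenantDomain);
    }

    /**
     * Enforces the token binding of an active token against the current request.
     *
     * <p>Returns true when the token carries no binding reference, or when the OAuth app has
     * token-binding validation disabled. Otherwise delegates to
     * {@link OAuth2Util#isValidTokenBinding}. Fails closed (false) if the app cannot be
     * resolved. As a side effect, for SSO-session-bound tokens used against scim2/me the
     * session identifier is placed in a thread local.
     *
     * @param messageContext the current authentication context
     * @param tokenBinding binding type/reference reported by introspection
     * @param clientId consumer key of the OAuth app
     * @param accessToken the bearer token string
     * @return whether the request may proceed
     */
    private boolean isTokenBindingValid(MessageContext messageContext, TokenBinding tokenBinding,
                                        String clientId, String accessToken) {

        if (tokenBinding == null || StringUtils.isBlank(tokenBinding.getBindingReference())) {
            // An unbound token has nothing to check.
            if (log.isDebugEnabled()) {
                log.debug("TokenBinding or binding reference is empty.");
            }
            return true;
        }

        try {
            OAuthAppDO oAuthApp = OAuth2Util.getAppInformationByClientId(clientId);
            Request request = ((AuthenticationContext) messageContext).getAuthenticationRequest().getRequest();
            boolean exposeSessionId = isScimMeRequest(request)
                    && isSSOSessionBasedTokenBinding(tokenBinding.getBindingType());

            if (!oAuthApp.isTokenBindingValidationEnabled()) {
                if (log.isDebugEnabled()) {
                    log.debug("TokenBinding validation is not enabled for application: "
                            + oAuthApp.getApplicationName());
                }
                if (exposeSessionId) {
                    // Introspection only reported the binding *reference*; fetch the value.
                    setCurrentSessionIdThreadLocal(getTokenBindingValueFromAccessToken(accessToken));
                }
                return true;
            }

            if (!OAuth2Util.isValidTokenBinding(tokenBinding, request)) {
                if (log.isDebugEnabled()) {
                    log.debug("TokenBinding validation is failed.");
                }
                return false;
            }
            if (log.isDebugEnabled()) {
                log.debug("TokenBinding validation is successful. TokenBinding: " + tokenBinding.getBindingType());
            }
            if (exposeSessionId) {
                // NOTE(review): the TokenBinding was built from (type, reference) by the caller;
                // confirm getBindingValue() is populated here, otherwise nothing is stored.
                setCurrentSessionIdThreadLocal(tokenBinding.getBindingValue());
            }
            return true;
        } catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
            log.error("Failed to retrieve application information by client id: " + clientId, e);
            return false;
        }
    }

    /**
     * Looks up the stored token and returns its binding value, but only for an SSO-session binding.
     *
     * @param accessToken the bearer token string
     * @return the binding value, or {@code null} if the token is unknown, unbound, not
     *         SSO-session-bound, or the lookup fails (logged)
     */
    private String getTokenBindingValueFromAccessToken(String accessToken) {

        try {
            // Second argument is false as in the original; its meaning is not visible here.
            AccessTokenDO tokenDO = OAuth2Util.findAccessToken(accessToken, false);
            if (tokenDO == null || tokenDO.getTokenBinding() == null) {
                return null;
            }
            TokenBinding storedBinding = tokenDO.getTokenBinding();
            if (StringUtils.isNotBlank(storedBinding.getBindingValue())
                    && isSSOSessionBasedTokenBinding(storedBinding.getBindingType())) {
                return storedBinding.getBindingValue();
            }
        } catch (IdentityOAuth2Exception e) {
            log.error("Error occurred while getting the access token from the token identifier", e);
        }
        return null;
    }

    /**
     * Looks up the stored token and returns its internal token id.
     *
     * @param accessToken the bearer token string
     * @return the token id, or {@code null} if the token is unknown or the lookup fails (logged)
     */
    private String getTokenIdFromAccessToken(String accessToken) {

        try {
            AccessTokenDO tokenDO = OAuth2Util.findAccessToken(accessToken, false);
            return tokenDO == null ? null : tokenDO.getTokenId();
        } catch (IdentityOAuth2Exception e) {
            log.error("Error occurred while getting the access token id from the token", e);
            return null;
        }
    }

    /**
     * Stores the session identifier in the per-thread property map; blank values are ignored.
     *
     * @param sessionIdentifier binding value of an SSO-session-bound token
     */
    private void setCurrentSessionIdThreadLocal(String sessionIdentifier) {

        if (StringUtils.isNotBlank(sessionIdentifier)) {
            threadLocalProperties().put(Constants.CURRENT_SESSION_IDENTIFIER, sessionIdentifier);
            // NOTE(review): if this binding value is the raw browser session cookie rather than a
            // derived reference, it should not be written to logs even at debug level.
            if (log.isDebugEnabled()) {
                log.debug("Current session identifier: " + sessionIdentifier + " is added to thread local.");
            }
        }
    }

    /**
     * Stores the token id in the per-thread property map; blank values are ignored.
     *
     * @param tokenId internal id of the access token (not the token itself)
     */
    private void setCurrentTokenIdThreadLocal(String tokenId) {

        if (StringUtils.isNotBlank(tokenId)) {
            threadLocalProperties().put(CURRENT_TOKEN_IDENTIFIER, tokenId);
            if (log.isDebugEnabled()) {
                log.debug("Current token identifier is added to thread local. Token id: " + tokenId);
            }
        }
    }

    /**
     * @param bindingType token-binding type string, may be {@code null}
     * @return true if the type is the SSO-session binding
     */
    private boolean isSSOSessionBasedTokenBinding(String bindingType) {
        return SSO_SESSION_BINDING_TYPE.equals(bindingType);
    }

    /**
     * Publishes the calling OAuth app as the provisioning service provider for this thread.
     * Does nothing when the tenant domain is unknown.
     *
     * @param clientId consumer key; for the OAUTH provisioning type it is stored as the SP
     *                 name, as in the original (confirm that is what consumers expect)
     * @param tenantDomain tenant domain of the OAuth app, may be {@code null}
     */
    private void setProvisioningServiceProviderThreadLocal(String clientId, String tenantDomain) {

        if (tenantDomain == null) {
            return;
        }
        ThreadLocalProvisioningServiceProvider provisioningSp = new ThreadLocalProvisioningServiceProvider();
        provisioningSp.setServiceProviderName(clientId);
        provisioningSp.setServiceProviderType(ProvisioningServiceProviderType.OAUTH);
        provisioningSp.setTenantDomain(tenantDomain);
        IdentityApplicationManagementUtil.setThreadLocalProvisioningServiceProvider(provisioningSp);
    }

    /**
     * @return the per-thread identity property map; the cast replaces the raw {@code (Map)}
     *         casts scattered through the original
     */
    @SuppressWarnings("unchecked")
    private static Map<String, Object> threadLocalProperties() {
        return (Map<String, Object>) IdentityUtil.threadLocalProperties.get();
    }
}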
