package org.wso2.choreo.connect.enforcer.security;

import java.util.ArrayList;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.wso2.choreo.connect.enforcer.commons.Filter;
import org.wso2.choreo.connect.enforcer.commons.exception.APISecurityException;
import org.wso2.choreo.connect.enforcer.commons.logging.ErrorDetails;
import org.wso2.choreo.connect.enforcer.commons.logging.LoggingConstants;
import org.wso2.choreo.connect.enforcer.commons.model.APIConfig;
import org.wso2.choreo.connect.enforcer.commons.model.EndpointCluster;
import org.wso2.choreo.connect.enforcer.commons.model.RequestContext;
import org.wso2.choreo.connect.enforcer.commons.model.ResourceConfig;
import org.wso2.choreo.connect.enforcer.commons.model.RetryConfig;
import org.wso2.choreo.connect.enforcer.commons.model.SecuritySchemaConfig;
import org.wso2.choreo.connect.enforcer.config.ConfigHolder;
import org.wso2.choreo.connect.enforcer.constants.APIConstants;
import org.wso2.choreo.connect.enforcer.constants.AdapterConstants;
import org.wso2.choreo.connect.enforcer.constants.InterceptorConstants;
import org.wso2.choreo.connect.enforcer.security.jwt.APIKeyAuthenticator;
import org.wso2.choreo.connect.enforcer.security.jwt.InternalAPIKeyAuthenticator;
import org.wso2.choreo.connect.enforcer.security.jwt.JWTAuthenticator;
import org.wso2.choreo.connect.enforcer.security.jwt.UnsecuredAPIAuthenticator;
import org.wso2.choreo.connect.enforcer.util.EndpointSecurityUtils;
import org.wso2.choreo.connect.enforcer.util.FilterUtils;

/* loaded from: input_file:org/wso2/choreo/connect/enforcer/security/AuthFilter.class */
public class AuthFilter implements Filter {
    private List<Authenticator> authenticators = new ArrayList();
    private static final Logger log = LogManager.getLogger(AuthFilter.class);

    @Override // org.wso2.choreo.connect.enforcer.commons.Filter
    public void init(APIConfig aPIConfig, Map<String, String> map) {
        initializeAuthenticators(aPIConfig);
    }

    private void initializeAuthenticators(APIConfig aPIConfig) {
        boolean z = true;
        boolean z2 = false;
        if (aPIConfig.getSecuritySchemeDefinitions() == null) {
            z = true;
        } else {
            Iterator<Map.Entry<String, SecuritySchemaConfig>> it = aPIConfig.getSecuritySchemeDefinitions().entrySet().iterator();
            while (it.hasNext()) {
                String type = it.next().getValue().getType();
                if (type.trim().equalsIgnoreCase(APIConstants.API_SECURITY_OAUTH2)) {
                    z = true;
                } else if (!type.trim().equalsIgnoreCase(APIConstants.API_SECURITY_MUTUAL_SSL) && !type.trim().equalsIgnoreCase(APIConstants.API_SECURITY_BASIC_AUTH) && !type.trim().equalsIgnoreCase(APIConstants.API_SECURITY_MUTUAL_SSL_MANDATORY) && !type.trim().equalsIgnoreCase(APIConstants.API_SECURITY_OAUTH_BASIC_AUTH_API_KEY_MANDATORY) && type.trim().equalsIgnoreCase("apiKey")) {
                    z2 = true;
                }
            }
        }
        if (z) {
            this.authenticators.add(new JWTAuthenticator());
        }
        if (z2) {
            this.authenticators.add(new APIKeyAuthenticator());
        }
        this.authenticators.add(new InternalAPIKeyAuthenticator(ConfigHolder.getInstance().getConfig().getAuthHeader().getTestConsoleHeaderName().toLowerCase()));
        this.authenticators.add(new UnsecuredAPIAuthenticator());
        this.authenticators.sort(new Comparator<Authenticator>() { // from class: org.wso2.choreo.connect.enforcer.security.AuthFilter.1
            @Override // java.util.Comparator
            public int compare(Authenticator authenticator, Authenticator authenticator2) {
                return authenticator.getPriority() - authenticator2.getPriority();
            }
        });
    }

    @Override // org.wso2.choreo.connect.enforcer.commons.Filter
    public boolean handleRequest(RequestContext requestContext) {
        if (APIConstants.PROTOTYPED_LIFE_CYCLE_STATUS.equals(requestContext.getMatchedAPI().getApiLifeCycleState()) && !requestContext.getMatchedAPI().isMockedApi()) {
            requestContext.addOrModifyHeaders(AdapterConstants.CLUSTER_HEADER, requestContext.getProdClusterHeader());
            requestContext.getRemoveHeaders().remove(AdapterConstants.CLUSTER_HEADER);
            return true;
        }
        boolean z = false;
        for (Authenticator authenticator : this.authenticators) {
            if (authenticator.canAuthenticate(requestContext)) {
                z = true;
                AuthenticationResponse authenticate = authenticate(authenticator, requestContext);
                if (authenticate.isAuthenticated() && !authenticate.isContinueToNextAuthenticator()) {
                    setInterceptorAuthContextMetadata(authenticator, requestContext);
                    return true;
                }
            }
        }
        if (!z) {
            FilterUtils.setUnauthenticatedErrorToContext(requestContext);
        }
        log.error("None of the authenticators were able to authenticate the request: " + requestContext.getRequestPath(), ErrorDetails.errorLog(LoggingConstants.Severity.MINOR, 6600));
        requestContext.addOrModifyHeaders("WWW-Authenticate", getAuthenticatorsChallengeString() + ", error=\"invalid_token\", error_description=\"The provided token is invalid\"");
        return false;
    }

    private AuthenticationResponse authenticate(Authenticator authenticator, RequestContext requestContext) {
        try {
            org.wso2.choreo.connect.enforcer.commons.model.AuthenticationContext authenticate = authenticator.authenticate(requestContext);
            requestContext.setAuthenticationContext(authenticate);
            if (authenticate.isAuthenticated()) {
                if (!requestContext.getMatchedAPI().isMockedApi()) {
                    updateClusterHeaderAndCheckEnv(requestContext, authenticate);
                    EndpointSecurityUtils.addEndpointSecurity(requestContext);
                }
                return new AuthenticationResponse(true, false, false);
            }
        } catch (APISecurityException e) {
            FilterUtils.setErrorToContext(requestContext, e);
        }
        return new AuthenticationResponse(false, false, true);
    }

    private void updateClusterHeaderAndCheckEnv(RequestContext requestContext, org.wso2.choreo.connect.enforcer.commons.model.AuthenticationContext authenticationContext) throws APISecurityException {
        String keyType = authenticationContext.getKeyType();
        if (StringUtils.isEmpty(authenticationContext.getKeyType())) {
            keyType = APIConstants.API_KEY_TYPE_PRODUCTION;
        }
        if (keyType.equalsIgnoreCase(APIConstants.API_KEY_TYPE_PRODUCTION) && !StringUtils.isEmpty(requestContext.getProdClusterHeader())) {
            requestContext.addOrModifyHeaders(AdapterConstants.CLUSTER_HEADER, requestContext.getProdClusterHeader());
            requestContext.getRemoveHeaders().remove(AdapterConstants.CLUSTER_HEADER);
            addRouterHttpHeaders(requestContext, APIConstants.API_KEY_TYPE_PRODUCTION);
        } else if (keyType.equalsIgnoreCase(APIConstants.API_KEY_TYPE_SANDBOX) && !StringUtils.isEmpty(requestContext.getSandClusterHeader())) {
            requestContext.addOrModifyHeaders(AdapterConstants.CLUSTER_HEADER, requestContext.getSandClusterHeader());
            requestContext.getRemoveHeaders().remove(AdapterConstants.CLUSTER_HEADER);
            addRouterHttpHeaders(requestContext, APIConstants.API_KEY_TYPE_SANDBOX);
        } else {
            if (keyType.equalsIgnoreCase(APIConstants.API_KEY_TYPE_PRODUCTION)) {
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900901, "Production key offered to an API with no production endpoint");
            }
            if (!keyType.equalsIgnoreCase(APIConstants.API_KEY_TYPE_SANDBOX)) {
                throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900901, "Invalid key type.");
            }
            throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(), 900901, "Sandbox key offered to an API with no sandbox endpoint");
        }
    }

    private String getAuthenticatorsChallengeString() {
        StringBuilder sb = new StringBuilder();
        if (this.authenticators != null) {
            Iterator<Authenticator> it = this.authenticators.iterator();
            while (it.hasNext()) {
                sb.append(it.next().getChallengeString()).append(" ");
            }
        }
        return sb.toString().trim();
    }

    private void addRouterHttpHeaders(RequestContext requestContext, String str) {
        if (requestContext.getMatchedAPI().getEndpoints().containsKey(str)) {
            addAPILevelRetryConfigHeaders(requestContext, str);
            addAPILevelTimeoutHeaders(requestContext, str);
        }
        ResourceConfig matchedResourcePath = requestContext.getMatchedResourcePath();
        if (matchedResourcePath.getEndpoints() == null || !matchedResourcePath.getEndpoints().containsKey(str)) {
            return;
        }
        EndpointCluster endpointCluster = matchedResourcePath.getEndpoints().get(str);
        if (endpointCluster.getRetryConfig() != null) {
            addRetryConfigHeaders(requestContext, endpointCluster.getRetryConfig());
        }
        if (endpointCluster.getRouteTimeoutInMillis() != null) {
            addTimeoutHeaders(requestContext, endpointCluster.getRouteTimeoutInMillis());
        }
    }

    private void addAPILevelRetryConfigHeaders(RequestContext requestContext, String str) {
        RetryConfig retryConfig = requestContext.getMatchedAPI().getEndpoints().get(str).getRetryConfig();
        if (retryConfig != null) {
            addRetryConfigHeaders(requestContext, retryConfig);
        }
    }

    private void addAPILevelTimeoutHeaders(RequestContext requestContext, String str) {
        Integer routeTimeoutInMillis = requestContext.getMatchedAPI().getEndpoints().get(str).getRouteTimeoutInMillis();
        if (routeTimeoutInMillis != null) {
            addTimeoutHeaders(requestContext, routeTimeoutInMillis);
        }
    }

    private void addRetryConfigHeaders(RequestContext requestContext, RetryConfig retryConfig) {
        requestContext.addOrModifyHeaders(AdapterConstants.HttpRouterHeaders.RETRY_ON, AdapterConstants.HttpRouterHeaderValues.RETRIABLE_STATUS_CODES);
        requestContext.addOrModifyHeaders(AdapterConstants.HttpRouterHeaders.MAX_RETRIES, Integer.toString(retryConfig.getCount()));
        requestContext.addOrModifyHeaders(AdapterConstants.HttpRouterHeaders.RETRIABLE_STATUS_CODES, StringUtils.join(retryConfig.getStatusCodes(), ","));
    }

    private void addTimeoutHeaders(RequestContext requestContext, Integer num) {
        requestContext.addOrModifyHeaders(AdapterConstants.HttpRouterHeaders.UPSTREAM_REQ_TIMEOUT_MS, Integer.toString(num.intValue()));
    }

    private void setInterceptorAuthContextMetadata(Authenticator authenticator, RequestContext requestContext) {
        org.wso2.choreo.connect.enforcer.commons.model.AuthenticationContext authenticationContext = requestContext.getAuthenticationContext();
        String name = authenticator.getName();
        authenticationContext.setTokenType(name);
        requestContext.addMetadataToMap(InterceptorConstants.AuthContextFields.TOKEN_TYPE, Objects.toString(name, ""));
        requestContext.addMetadataToMap("token", Objects.toString(authenticationContext.getRawToken(), ""));
        requestContext.addMetadataToMap("keyType", Objects.toString(authenticationContext.getKeyType(), ""));
    }
}
