package org.apache.stratos.metadata.service.handlers;

import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.cxf.jaxrs.impl.HttpHeadersImpl;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;
import org.apache.stratos.metadata.service.context.AuthenticationContext;
import org.wso2.carbon.core.util.KeyStoreManager;

/* loaded from: input_file:WEB-INF/classes/org/apache/stratos/metadata/service/handlers/OAuthHandler.class */
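/**
 * Authenticates metadata-service requests that carry an OAuth bearer token
 * ({@code Authorization: Bearer <JWT>}).
 *
 * <p>The JWT signature is verified against the default public key obtained from
 * {@link KeyStoreManager}; the token's {@code appId} claim must then equal the
 * application id found in the request URI. Only when both hold is
 * {@link AuthenticationContext} marked authenticated; every other outcome is a
 * 403 response.
 *
 * <p>The configuration setters write to static fields, so the value set last by
 * any instance applies to all instances. {@code oauthValidationEndpoint},
 * {@code username} and {@code password} are stored but not read anywhere in
 * this class.
 */
public class OAuthHandler extends AbstractAuthenticationAuthorizationHandler {
    /** Authorization scheme prefix, including the trailing space. */
    public static final String BEARER = "Bearer ";
    /** URI path segment that immediately precedes the application id. */
    public static final String APPLICATION = "applications";
    private static final Log log = LogFactory.getLog(OAuthHandler.class);
    /** Authentication type this handler answers to in {@link #canHandle(String)}. */
    private static final String SUPPORTED_AUTHENTICATION_TYPE = "Bearer";
    private static String oauthValidationEndpoint;
    private static String username;
    private static String password;

    public void setOauthValidationEndpoint(String str) {
        oauthValidationEndpoint = str;
    }

    public void setUsername(String str) {
        username = str;
    }

    public void setPassword(String str) {
        password = str;
    }

    /**
     * @param str the authentication type presented by the caller
     * @return {@code true} only for the exact (case-sensitive) string {@code "Bearer"}
     */
    @Override // org.apache.stratos.metadata.service.handlers.AbstractAuthenticationAuthorizationHandler
    public boolean canHandle(String str) {
        return SUPPORTED_AUTHENTICATION_TYPE.equals(str);
    }

    /**
     * Validates the bearer token on the request and checks that it is scoped to
     * the application named in the URI.
     *
     * @param message           the CXF request message
     * @param classResourceInfo the target resource; not used by this handler
     * @return {@code null} when the request is authenticated (which, by the CXF
     *         handler convention this class appears to follow, lets the request
     *         proceed), otherwise a 403 response. Any exception raised while
     *         validating is logged and mapped to 403 as well.
     */
    @Override // org.apache.stratos.metadata.service.handlers.AbstractAuthenticationAuthorizationHandler
    public Response handle(Message message, ClassResourceInfo classResourceInfo) {
        try {
            String authorization = (String) new HttpHeadersImpl(message).getRequestHeaders().getFirst("Authorization");
            // A missing header previously surfaced as an NPE caught below; reject it explicitly.
            if (authorization == null || !authorization.startsWith(BEARER)) {
                return forbidden();
            }
            String tokenAppId = extractAppIdFromIdToken(authorization.substring(BEARER.length()).trim());
            String urlAppId = extractApplicationIdFromUrl(
                    (String) message.get("org.apache.cxf.request.uri"), (String) message.get(Message.BASE_PATH));
            if (StringUtils.isEmpty(tokenAppId) || StringUtils.isEmpty(urlAppId)) {
                return forbidden();
            }
            if (!tokenAppId.equals(urlAppId)) {
                log.error("The token presented is only valid for " + tokenAppId + " , but it tries to access metadata for " + urlAppId);
                return forbidden();
            }
            AuthenticationContext.setAuthenticated(true);
            return null;
        } catch (Exception e) {
            log.error("Error while validating access token", e);
            return forbidden();
        }
    }

    /** Builds the 403 response used on every rejection path. */
    private static Response forbidden() {
        return Response.status(Response.Status.FORBIDDEN).build();
    }

    /**
     * Returns the path segment that follows {@value #APPLICATION} in the request URI.
     *
     * @param requestUri the request URI (read from {@code org.apache.cxf.request.uri})
     * @param basePath   the CXF base path; currently unused, kept for the existing call signature
     * @return the application id segment, or {@code null} when the URI is null,
     *         contains no {@value #APPLICATION} segment, or that segment is the last one
     */
    private String extractApplicationIdFromUrl(String requestUri, String basePath) {
        if (requestUri == null) {
            return null;
        }
        String[] segments = requestUri.split("/");
        // Stop one short of the end so "applications" as the final segment cannot index past the array
        // (the original loop threw ArrayIndexOutOfBoundsException in that case).
        for (int i = 0; i < segments.length - 1; i++) {
            if (APPLICATION.equals(segments[i])) {
                return segments[i + 1];
            }
        }
        return null;
    }

    /**
     * Verifies the signed JWT and returns its {@code appId} claim.
     *
     * <p>The signature is checked with the default public key of the
     * {@link KeyStoreManager} for tenant id {@code -1234} (the value the original
     * code used; presumably the super tenant). Only RSA keys are supported because
     * an {@link RSASSAVerifier} is used, which also means unsigned or HMAC tokens
     * are rejected. A token whose {@code exp} claim has already passed is rejected
     * even when its signature is valid; no clock-skew tolerance is applied.
     *
     * @param token the compact-serialised JWT (header value without the scheme prefix)
     * @return the {@code appId} claim, or {@code null} when parsing, signature
     *         verification or the expiry check fails (failures are logged, not thrown)
     */
    private String extractAppIdFromIdToken(String token) {
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(-1234);
        try {
            // NOTE(review): result discarded in the original; presumably forces the primary
            // keystore to load before the key lookup below — confirm before removing.
            keyStoreManager.getDefaultPrimaryCertificate();
            RSASSAVerifier verifier = new RSASSAVerifier((RSAPublicKey) keyStoreManager.getDefaultPublicKey());
            SignedJWT jwt = SignedJWT.parse(token);
            if (!jwt.verify(verifier)) {
                log.error("Signature verification failed for the presented access token");
                return null;
            }
            // Signature validity alone is not enough: an expired token must not grant access.
            Date expiry = jwt.getJWTClaimsSet().getExpirationTime();
            if (expiry != null && !expiry.after(new Date())) {
                log.error("The presented access token has expired");
                return null;
            }
            return jwt.getJWTClaimsSet().getStringClaim("appId");
        } catch (Exception e) {
            log.error("Could not extract application id from id token", e);
            return null;
        }
    }
}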
