package org.wso2.carbon.apimgt.rest.api.util.interceptors.auth;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.security.AuthenticationException;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.wso2.carbon.CarbonException;
import org.wso2.carbon.apimgt.api.model.Scope;
import org.wso2.carbon.apimgt.api.model.URITemplate;
import org.wso2.carbon.apimgt.impl.utils.APIUtil;
import org.wso2.carbon.apimgt.rest.api.util.RestApiConstants;
import org.wso2.carbon.apimgt.rest.api.util.utils.RestApiUtil;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.core.util.AnonymousSessionUtil;
import org.wso2.carbon.registry.core.service.RegistryService;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.UserRealm;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
import org.wso2.uri.template.URITemplateException;

/* loaded from: input_file:org/wso2/carbon/apimgt/rest/api/util/interceptors/auth/BasicAuthenticationInterceptor.class */
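public class BasicAuthenticationInterceptor extends AbstractPhaseInterceptor<Message> {
    private static final Log log = LogFactory.getLog(BasicAuthenticationInterceptor.class);

    /** Runs in CXF's pre-invoke phase, i.e. after the transport has parsed the Basic credentials. */
    public BasicAuthenticationInterceptor() {
        super("pre-invoke");
    }

    /**
     * Authenticates the request with the HTTP Basic credentials that CXF has already parsed into an
     * {@link AuthorizationPolicy}, then checks that the user holds a role mapped to the scopes of the
     * requested resource.
     * <p>
     * Requests to anonymous resources, and requests carrying no Basic credentials at all, are passed
     * through untouched; other authentication interceptors are expected to handle them.
     *
     * @param message the inbound CXF message
     * @throws AuthenticationException when the credentials are missing or invalid, or when the
     *         authenticated user lacks a role required by the resource. The exception message is
     *         deliberately generic so the response does not reveal which check failed.
     */
    @Override
    public void handleMessage(Message message) {
        if (RestApiUtil.checkIfAnonymousAPI(message)) {
            return;
        }
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        if (policy == null) {
            return;
        }
        message.put(RestApiConstants.REQUEST_AUTHENTICATION_SCHEME, RestApiConstants.BASIC_AUTHENTICATION);
        String username = StringUtils.trim(policy.getUserName());
        // The password is trimmed as well (existing behaviour), so a password with leading or
        // trailing whitespace is altered before it is verified against the user store.
        String password = StringUtils.trim(policy.getPassword());
        if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)) {
            // Only the reason is logged, never the credential values.
            log.error("Basic Authentication failed: " + (StringUtils.isEmpty(username) ? "username cannot be null/empty." : "password cannot be null/empty."));
            throw new AuthenticationException("Unauthenticated request");
        }
        if (!authenticate(message, username, password)) {
            throw new AuthenticationException("Unauthenticated request");
        }
        log.debug("User logged into web app using Basic Authentication");
    }

    /**
     * Verifies the credentials against the user store of the user's tenant and, on success, binds the
     * tenant and username to the thread-local Carbon context before delegating to role validation.
     *
     * @param message  the inbound CXF message
     * @param username the (trimmed, possibly tenant-qualified) username supplied by the client
     * @param password the (trimmed) password supplied by the client
     * @return {@code true} only when the credentials are valid AND the user passes role validation
     */
    private boolean authenticate(Message message, String username, String password) {
        PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
        RealmService realmService = (RealmService) carbonContext.getOSGiService(RealmService.class, (Hashtable) null);
        RegistryService registryService = (RegistryService) carbonContext.getOSGiService(RegistryService.class, (Hashtable) null);
        String tenantDomain = MultitenantUtils.getTenantDomain(username);
        try {
            int tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
            UserRealm userRealm = AnonymousSessionUtil.getRealmByTenantDomain(registryService, realmService, tenantDomain);
            if (userRealm == null) {
                log.error("Authentication failed: invalid domain or unactivated tenant login");
                return false;
            }
            String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(username);
            if (!userRealm.getUserStoreManager().authenticate(tenantAwareUsername, password)) {
                log.error("Authentication failed: Invalid credentials");
                return false;
            }
            // The context is populated only after the credentials have been verified, so downstream
            // code never sees an unauthenticated principal here.
            carbonContext.setTenantDomain(tenantDomain);
            carbonContext.setTenantId(tenantId);
            carbonContext.setUsername(username);
            // "carbon.super" is the super-tenant domain; only other tenants need their config loaded.
            if (!tenantDomain.equals("carbon.super")) {
                APIUtil.loadTenantConfigBlockingMode(tenantDomain);
            }
            return validateRoles(message, userRealm, tenantDomain, username);
        } catch (UserStoreException | CarbonException e) {
            log.error("Error occurred while authenticating user: " + username, e);
            return false;
        }
    }

    /**
     * Finds the swagger URI template matching the requested resource and verb and checks the user's
     * roles against the scopes declared on it.
     * <p>
     * Two paths are deliberately fail-open: when no URI templates exist for the base path, and when
     * the matched resource declares no scopes, the request is allowed for any authenticated user.
     * Everything else fails closed: no matching template, an unreadable scope mapping, or a missing
     * role list all reject the request.
     *
     * @param message      the inbound CXF message
     * @param userRealm    realm of the user's tenant, used to read the user's roles
     * @param tenantDomain tenant the user belongs to
     * @param username     the authenticated user
     * @return {@code true} when the request may proceed
     */
    private boolean validateRoles(Message message, UserRealm userRealm, String tenantDomain, String username) {
        String basePath = (String) message.get(Message.BASE_PATH);
        String requestUri = (String) message.get(Message.REQUEST_URI);
        String httpMethod = (String) message.get(Message.HTTP_REQUEST_METHOD);
        // A malformed or missing path must not surface as an NPE/StringIndexOutOfBounds from the
        // interceptor; reject it instead.
        if (basePath == null || basePath.isEmpty() || requestUri == null || requestUri.length() < basePath.length() - 1) {
            log.error("Error while validating roles. Request URI does not belong to base path: " + basePath);
            return false;
        }
        // Resource path relative to the base path, presumably keeping the leading '/' because the
        // base path ends with one — TODO confirm against how RestApiUtil builds its templates.
        String resourcePath = requestUri.substring(basePath.length() - 1);
        String apiVersion = (String) message.get(RestApiConstants.API_VERSION);
        Set<URITemplate> uriTemplates = RestApiUtil.getURITemplatesForBasePath(basePath + apiVersion);
        if (uriTemplates.isEmpty()) {
            // Fail-open by design: no swagger definition for this base path means no scope checks.
            if (log.isDebugEnabled()) {
                log.debug("No matching scopes found for request with path: " + basePath + apiVersion + ". Skipping role validation.");
            }
            return true;
        }
        for (URITemplate template : uriTemplates) {
            String pattern = template.getUriTemplate();
            try {
                Map<String, String> pathParams = new HashMap<>();
                boolean resourceMatches = new org.wso2.uri.template.URITemplate(pattern).matches(resourcePath, pathParams)
                        && httpMethod != null
                        && httpMethod.equalsIgnoreCase(template.getHTTPVerb());
                if (!resourceMatches) {
                    continue;
                }
                List<Scope> resourceScopes = template.retrieveAllScopes();
                if (resourceScopes.isEmpty()) {
                    // Fail-open by design: a matched resource without scopes is anonymous.
                    if (log.isDebugEnabled()) {
                        log.debug("Scope not defined in swagger for matching resource " + resourcePath + " and verb " + httpMethod + ". So consider as anonymous permission and let request to continue.");
                    }
                    return true;
                }
                Map<String, String> scopeRoleMapping = APIUtil.getRESTAPIScopesForTenant(tenantDomain);
                if (scopeRoleMapping == null) {
                    log.error("Error while validating roles. No REST API scope to role mapping found for tenant: " + tenantDomain);
                    return false;
                }
                String[] userRoles = userRealm.getUserStoreManager().getRoleListOfUser(MultitenantUtils.getTenantAwareUsername(username));
                if (userRoles == null) {
                    log.error("Error while validating roles. Invalid user roles found for user: " + username);
                    return false;
                }
                return validateUserRolesWithRESTAPIScopes(resourceScopes, scopeRoleMapping, userRoles, username, requestUri, httpMethod, message);
            } catch (UserStoreException e) {
                // Keep scanning the remaining templates (existing behaviour); if none matches the
                // request is rejected below.
                log.error("Error while getting role list of user: " + username, e);
            } catch (URITemplateException e) {
                log.error("Error while creating URI Template object to validate request. Template pattern: " + pattern, e);
            }
        }
        log.error("Error while validating roles. No matching resource URI template found in swagger for resource " + resourcePath + " and verb " + httpMethod);
        return false;
    }

    /**
     * Grants each resource scope whose mapped role list intersects the user's roles, records the
     * granted scope keys on the exchange, and accepts the request if at least one scope was granted.
     * <p>
     * A scope with no role mapping is granted unconditionally (fail-open by design, logged at debug),
     * so a resource whose scopes are all unmapped is reachable by any authenticated user.
     *
     * @param resourceScopes   scopes declared on the matched resource
     * @param scopeRoleMapping tenant mapping of scope key to comma-separated role list
     * @param userRoles        roles of the authenticated user
     * @param username         the authenticated user (for logging)
     * @param requestUri       the requested URI (for logging)
     * @param httpMethod       the request verb (for logging)
     * @param message          the inbound CXF message; the granted scope keys are stored on its exchange
     * @return {@code true} when at least one scope was granted
     */
    private boolean validateUserRolesWithRESTAPIScopes(List<Scope> resourceScopes, Map<String, String> scopeRoleMapping, String[] userRoles, String username, String requestUri, String httpMethod, Message message) {
        List<Scope> validatedScopes = new ArrayList<>();
        for (Scope scope : resourceScopes) {
            String mappedRoles = scopeRoleMapping.get(scope.getKey());
            if (StringUtils.isNotBlank(mappedRoles)) {
                List<String> allowedRoles = Arrays.asList(mappedRoles.split("\\s*,\\s*"));
                // The original loop never advanced past a matching role, so a granted scope spun
                // forever; a single membership test is all that is needed.
                boolean granted = Arrays.stream(userRoles).anyMatch(allowedRoles::contains);
                if (granted) {
                    validatedScopes.add(scope);
                    if (log.isDebugEnabled()) {
                        log.debug("Basic Authentication: role validation successful for user: " + username + " with scope: " + scope.getKey() + " for resource path: " + requestUri + " and verb " + httpMethod);
                        log.debug("Added scope: " + scope.getKey() + " to validated user scope list");
                    }
                }
            } else {
                // Fail-open by design: an unmapped scope is treated as anonymous.
                validatedScopes.add(scope);
                if (log.isDebugEnabled()) {
                    log.debug("Role validation skipped. No REST API scope to role mapping defined for resource scope: " + scope.getKey() + " Treated as anonymous scope.");
                }
            }
        }
        String[] validatedScopeKeys = validatedScopes.stream().map(Scope::getKey).toArray(String[]::new);
        message.getExchange().put(RestApiConstants.USER_REST_API_SCOPES, validatedScopeKeys);
        if (validatedScopes.isEmpty()) {
            log.error("Insufficient privileges. Role validation failed for user: " + username + " to access resource path: " + requestUri + " and verb " + httpMethod);
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Successfully validated REST API Scopes for the user " + username);
        }
        return true;
    }
}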
