package org.wso2.carbon.appmgt.rest.api.util.interceptors.auth;

import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Method;
import java.util.Hashtable;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.json.simple.JSONObject;
import org.json.simple.parser.JSONParser;
import org.json.simple.parser.ParseException;
import org.wso2.carbon.appmgt.rest.api.util.RestApiConstants;
import org.wso2.carbon.appmgt.rest.api.util.dto.ErrorDTO;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationRequestDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationResponseDTO;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:WEB-INF/lib/org.wso2.carbon.appmgt.rest.api.util-1.4.16.jar:org/wso2/carbon/appmgt/rest/api/util/interceptors/auth/OAuthInterceptor.class */
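/**
 * CXF {@link Phase#PRE_INVOKE} interceptor that authenticates REST calls with an OAuth2 bearer
 * token and authorizes them against the {@code x-scope} declared for the matched operation in
 * the bundled API definition ({@code publisher-api.json}, {@code store-api.json} or
 * {@code storeadmin-api.json}, selected by the request base path).
 * <p>
 * On success the tenant domain, tenant id and user name of the token owner are written to the
 * thread-local {@link PrivilegedCarbonContext}. On failure a JAX-RS {@link Response} carrying an
 * {@link ErrorDTO} is put on the exchange under {@code Response.class}: 401 for a missing or
 * invalid token, 403 when the token lacks the operation's scope, 500 when the user context or the
 * resource scope cannot be resolved. Scope resolution fails closed: a missing definition, path or
 * operation entry is reported as 500 rather than letting the request through unscoped.
 * <p>
 * Authentication is skipped only when the message carries
 * {@link RestApiConstants#AUTHENTICATION_REQUIRED} with a value that parses to {@code false};
 * an absent flag means authentication is required.
 */
public class OAuthInterceptor extends AbstractPhaseInterceptor<Message> {
    public static final String HTTP_HEADER_AUTHORIZATION = "Authorization";
    private static final String SUPER_TENANT_SUFFIX = "@carbon.super";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final Log log = LogFactory.getLog(OAuthInterceptor.class);
    // Scheme prefix of a bearer Authorization header; it is only accepted at the start of the value.
    private static final String OAUTH_TOKEN_TYPE_NAME_PATTERN_STRING = "Bearer\\s";
    private static final Pattern OAUTH_TOKEN_TYPE_NAME_PATTERN = Pattern.compile(OAUTH_TOKEN_TYPE_NAME_PATTERN_STRING);
    // Keys used when walking the API definition JSON.
    private static final String API_DEFINITION_PATHS_KEY = "paths";
    private static final String API_DEFINITION_SCOPE_KEY = "x-scope";
    private static final String CXF_RESOURCE_METHOD_KEY = "org.apache.cxf.resource.method";

    public OAuthInterceptor() {
        super(Phase.PRE_INVOKE);
    }

    /**
     * Authenticates and authorizes the inbound request, or puts an error {@link Response} on the
     * exchange.
     *
     * @param message the inbound CXF message
     */
    @Override
    public void handleMessage(Message message) {
        if (!isAuthenticationRequired(message)) {
            return;
        }
        String accessToken = getAccessToken(message);
        if (accessToken == null) {
            sendErrorResponse(new ErrorDTO(401L, "Access token header is not available."), message);
            return;
        }
        OAuth2TokenValidationResponseDTO validation = validateToken(accessToken);
        if (validation == null || !validation.isValid()) {
            String reason = validation == null ? "Access token validation failed." : validation.getErrorMsg();
            sendErrorResponse(new ErrorDTO(401L, reason), message);
            return;
        }
        try {
            if (!hasValidScopes(message, validation)) {
                sendErrorResponse(new ErrorDTO(403L, "Not authorized to access the API resource."), message);
                return;
            }
            setUserDetails(validation.getAuthorizedUser());
        } catch (UserStoreException e) {
            log.error("Can't set user details after authentication.", e);
            sendErrorResponse(new ErrorDTO(500L, "Can't set user details after authentication."), message);
        } catch (IllegalStateException e) {
            // Raised by the scope lookup when the API definition or the matched operation is
            // missing; deny rather than fall through to the resource without a scope check.
            log.error("Can't resolve the scope of the requested API resource.", e);
            sendErrorResponse(new ErrorDTO(500L, "Can't resolve the scope of the requested API resource."), message);
        }
    }

    /**
     * Reads the {@link RestApiConstants#AUTHENTICATION_REQUIRED} flag from the message. The
     * previous implementation parsed the constant itself instead of the value stored on the
     * message, so the flag's value was never consulted.
     *
     * @return {@code true} unless the flag is present and parses to {@code false}
     */
    private static boolean isAuthenticationRequired(Message message) {
        Object flag = message.get(RestApiConstants.AUTHENTICATION_REQUIRED);
        // String.valueOf copes with either a Boolean or a String being stored on the message.
        return flag == null || Boolean.parseBoolean(String.valueOf(flag));
    }

    /**
     * Checks whether the token's scopes cover the scope declared for the matched operation.
     *
     * @return {@code true} when the operation declares no {@code x-scope}, or the token carries it
     * @throws IllegalStateException see {@link #getResourceScope(Message)}
     */
    private boolean hasValidScopes(Message message, OAuth2TokenValidationResponseDTO validation) {
        String resourceScope = getResourceScope(message);
        if (resourceScope == null) {
            // Operation declares no x-scope: any valid token may call it.
            return true;
        }
        // ArrayUtils.contains treats a null scope array as "not contained", so a token
        // without scopes is rejected for a scoped operation.
        return ArrayUtils.contains(validation.getScope(), resourceScope);
    }

    /**
     * Resolves the {@code x-scope} declared for the matched operation in the API definition.
     *
     * @return the scope name, or {@code null} when the operation declares no {@code x-scope}
     * @throws IllegalStateException when the API definition, its {@code paths} entry, the matched
     *         URI template or the operation for the HTTP method cannot be found
     */
    private String getResourceScope(Message message) {
        String basePath = (String) message.get(Message.BASE_PATH);
        String httpMethod = (String) message.get(Message.HTTP_REQUEST_METHOD);
        JSONObject definition = getAPIDefinition(basePath);
        if (definition == null) {
            throw new IllegalStateException("No API definition available for base path '" + basePath + "'");
        }
        if (httpMethod == null) {
            throw new IllegalStateException("HTTP request method is not set on the message");
        }
        String uriTemplate = getMatchedURITemplate(message);
        JSONObject paths = childObject(definition, API_DEFINITION_PATHS_KEY, "API definition");
        JSONObject pathItem = childObject(paths, uriTemplate, API_DEFINITION_PATHS_KEY);
        // The definition keys operations by lower-case HTTP method; Locale.ROOT keeps the
        // lookup independent of the JVM default locale (e.g. "OPTIONS" under a Turkish locale).
        JSONObject operation = childObject(pathItem, httpMethod.toLowerCase(Locale.ROOT), uriTemplate);
        return (String) operation.get(API_DEFINITION_SCOPE_KEY);
    }

    /**
     * Returns the JSON object stored under {@code key} in {@code parent}.
     *
     * @throws IllegalStateException when the entry is absent or is not a JSON object
     */
    private static JSONObject childObject(JSONObject parent, String key, String parentName) {
        Object child = parent.get(key);
        if (!(child instanceof JSONObject)) {
            throw new IllegalStateException("'" + key + "' is missing from '" + parentName + "' in the API definition");
        }
        return (JSONObject) child;
    }

    /**
     * Builds the URI template of the invoked resource method from its class-level and
     * method-level {@link Path} annotations, in the form the API definition uses as key.
     *
     * @throws IllegalStateException when the resource method is not set on the message
     */
    private String getMatchedURITemplate(Message message) {
        Method resourceMethod = (Method) message.get(CXF_RESOURCE_METHOD_KEY);
        if (resourceMethod == null) {
            throw new IllegalStateException("Resource method is not set on the message");
        }
        Path classPath = resourceMethod.getDeclaringClass().getAnnotation(Path.class);
        String template = classPath != null ? classPath.value() : "";
        Path methodPath = resourceMethod.getAnnotation(Path.class);
        if (methodPath != null) {
            // A bare "/" class path is dropped so the template does not start with "//".
            template = "/".equals(template) ? methodPath.value() : template + methodPath.value();
        }
        return template;
    }

    /**
     * Loads and parses the API definition that covers {@code basePath} from the classpath.
     * The file is read on every call; nothing is cached here.
     *
     * @return the parsed definition, or {@code null} when the base path belongs to no known API
     *         or the definition cannot be found, read or parsed (logged)
     */
    private JSONObject getAPIDefinition(String basePath) {
        String definitionFile = resolveDefinitionFile(basePath);
        if (definitionFile == null) {
            return null;
        }
        InputStream in = OAuthInterceptor.class.getResourceAsStream("/" + definitionFile);
        if (in == null) {
            log.error(String.format("Can't find the API definition '%s' on the classpath", definitionFile));
            return null;
        }
        try {
            String json = IOUtils.toString(in, "UTF-8");
            return (JSONObject) new JSONParser().parse(json);
        } catch (ParseException e) {
            log.error(String.format("Can't parse the API definition '%s'", definitionFile), e);
            return null;
        } catch (IOException e) {
            log.error(String.format("Can't read the API definition '%s'", definitionFile), e);
            return null;
        } finally {
            IOUtils.closeQuietly(in);
        }
    }

    /**
     * Maps a request base path to the bundled definition file.
     *
     * @return the definition file name, or {@code null} for a base path of no known API
     */
    private static String resolveDefinitionFile(String basePath) {
        if (basePath == null) {
            return null;
        }
        if (basePath.contains("/api/appm/publisher/")) {
            return "publisher-api.json";
        }
        if (basePath.contains("/api/appm/store/")) {
            return "store-api.json";
        }
        if (basePath.contains("/api/appm/storeadmin/")) {
            return "storeadmin-api.json";
        }
        return null;
    }

    /**
     * Publishes the authenticated user's tenant domain, tenant id and user name to the
     * thread-local carbon context.
     *
     * @param authorizedUser the user name returned by token validation, possibly tenant-qualified
     * @throws UserStoreException if the realm service is unavailable or the tenant id cannot be resolved
     */
    private void setUserDetails(String authorizedUser) throws UserStoreException {
        String tenantDomain = MultitenantUtils.getTenantDomain(authorizedUser);
        String username = authorizedUser;
        // Super-tenant users are stored in the context without the "@carbon.super" qualifier.
        if (SUPER_TENANT_DOMAIN.equals(tenantDomain) && username.endsWith(SUPER_TENANT_SUFFIX)) {
            username = username.substring(0, username.length() - SUPER_TENANT_SUFFIX.length());
        }
        PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
        RealmService realmService = (RealmService) carbonContext.getOSGiService(RealmService.class, (Hashtable) null);
        if (realmService == null) {
            throw new UserStoreException("RealmService is not available");
        }
        int tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
        carbonContext.setTenantDomain(tenantDomain);
        carbonContext.setTenantId(tenantId);
        carbonContext.setUsername(username);
    }

    /**
     * Validates a bearer token with the OAuth2 token validation service.
     *
     * @param accessToken the raw token taken from the Authorization header
     * @return the validation response (validity, error message, scopes, authorized user)
     */
    private OAuth2TokenValidationResponseDTO validateToken(String accessToken) {
        OAuth2TokenValidationRequestDTO request = new OAuth2TokenValidationRequestDTO();
        OAuth2TokenValidationRequestDTO.OAuth2AccessToken token = request.new OAuth2AccessToken();
        token.setIdentifier(accessToken);
        token.setTokenType("bearer");
        request.setAccessToken(token);
        // NOTE(review): a placeholder context entry is passed; presumably the service expects at
        // least one and does not use its value here — confirm against the service contract.
        OAuth2TokenValidationRequestDTO.TokenValidationContextParam contextParam =
                request.new TokenValidationContextParam();
        contextParam.setKey("dummy");
        contextParam.setValue("dummy");
        request.setContext(new OAuth2TokenValidationRequestDTO.TokenValidationContextParam[]{contextParam});
        return new OAuth2TokenValidationService().findOAuthConsumerIfTokenIsValid(request)
                .getAccessTokenValidationResponse();
    }

    /**
     * Extracts the bearer token from the first {@code Authorization} header value.
     *
     * @return the token following the {@code Bearer } scheme prefix, or {@code null} when the
     *         header is absent, empty, does not start with the bearer scheme or carries no token
     */
    private String getAccessToken(Message message) {
        Map<?, ?> headers = (Map<?, ?>) message.get(Message.PROTOCOL_HEADERS);
        if (headers == null) {
            return null;
        }
        List<?> values = (List<?>) headers.get(HTTP_HEADER_AUTHORIZATION);
        if (values == null || values.isEmpty()) {
            return null;
        }
        String header = (String) values.get(0);
        if (header == null) {
            return null;
        }
        Matcher matcher = OAUTH_TOKEN_TYPE_NAME_PATTERN.matcher(header);
        // lookingAt() anchors the scheme at the start of the value; a "Bearer " found somewhere
        // inside another credential is not accepted.
        if (!matcher.lookingAt()) {
            return null;
        }
        String token = header.substring(matcher.end());
        return token.isEmpty() ? null : token;
    }

    /**
     * Puts an error {@link Response} for {@code errorDTO} on the exchange.
     * {@code Response.status(int)} is used so that a code with no {@link Response.Status}
     * constant still produces a response instead of an exception.
     */
    private void sendErrorResponse(ErrorDTO errorDTO, Message message) {
        int statusCode = errorDTO.getCode().intValue();
        Response response = Response.status(statusCode).entity(errorDTO).build();
        message.getExchange().put(Response.class, response);
    }
}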
