package org.wso2.carbon.identity.authenticator.signedjwt;

import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.Charset;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import javax.servlet.http.HttpServletRequest;
import org.apache.axiom.util.base64.Base64Utils;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.osgi.framework.BundleContext;
import org.osgi.util.tracker.ServiceTracker;
import org.osgi.util.tracker.ServiceTrackerCustomizer;
import org.wso2.carbon.core.security.AuthenticatorsConfiguration;
import org.wso2.carbon.core.services.authentication.CarbonServerAuthenticator;
import org.wso2.carbon.core.services.util.CarbonAuthenticationUtil;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.authenticator.signedjwt.internal.SignedJWTAuthenticatorServiceComponent;
import org.wso2.carbon.utils.AuthenticationObserver;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/authenticator/signedjwt/SignedJWTAuthenticator.class */
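/**
 * Carbon server authenticator that accepts a signed JWT carried in the HTTP
 * {@code Authorization: Bearer <base64(jwt)>} header.
 *
 * <p>Trust model, as implemented here: the JWT is accepted when its signature
 * verifies against the super-tenant primary keystore's public key and the
 * user named by the {@value #SIGNED_JWT_AUTH_USERNAME} claim exists in the
 * resolved tenant's user store. There is no issuer or audience binding, so
 * any party holding the corresponding private key can mint a token for any
 * existing user. Expiry ({@code exp}) and not-before ({@code nbf}) claims are
 * enforced when present; a token without {@code exp} never expires
 * (NOTE(review): consider making {@code exp} mandatory once all token
 * producers set it).
 */
public class SignedJWTAuthenticator implements CarbonServerAuthenticator {
    /** JWT claim holding the user name, optionally tenant-qualified ({@code user@tenant}). */
    public static final String SIGNED_JWT_AUTH_USERNAME = "Username";
    private static final int DEFAULT_PRIORITY_LEVEL = 20;
    private static final String AUTHENTICATOR_NAME = "SignedJWTAuthenticator";
    private static final String AUTHORIZATION_HEADER_TYPE = "Bearer";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    /** Audit label passed to CarbonAuthenticationUtil on success and failure. */
    private static final String AUTHENTICATION_METHOD = "Signed JWT Authentication";
    /** Carbon super-tenant id; its primary keystore holds the JWT verification key. */
    private static final int SUPER_TENANT_ID = -1234;
    /** Value returned by the tenant manager for an unknown tenant domain. */
    private static final int INVALID_TENANT_ID = -1;
    private static final Log log = LogFactory.getLog(SignedJWTAuthenticator.class);

    /**
     * Returns the configured priority, or {@link #DEFAULT_PRIORITY_LEVEL} when
     * no configuration entry exists or its priority is not positive.
     */
    public int getPriority() {
        AuthenticatorsConfiguration.AuthenticatorConfig config =
                AuthenticatorsConfiguration.getInstance().getAuthenticatorConfig(AUTHENTICATOR_NAME);
        if (config == null || config.getPriority() <= 0) {
            return DEFAULT_PRIORITY_LEVEL;
        }
        return config.getPriority();
    }

    /** Returns true only when a configuration entry exists and marks this authenticator disabled. */
    public boolean isDisabled() {
        AuthenticatorsConfiguration.AuthenticatorConfig config =
                AuthenticatorsConfiguration.getInstance().getAuthenticatorConfig(AUTHENTICATOR_NAME);
        return config != null && config.isDisabled();
    }

    /** Remember-me is not supported for JWT bearer authentication. */
    public boolean authenticateWithRememberMe(MessageContext messageContext) {
        return false;
    }

    public String getAuthenticatorName() {
        return AUTHENTICATOR_NAME;
    }

    /**
     * Verifies the bearer JWT and, on success, establishes an admin login
     * session for the user named in the {@value #SIGNED_JWT_AUTH_USERNAME} claim.
     *
     * <p>Fail-closed: every error (unparsable header, bad signature, expired or
     * not-yet-valid token, missing claim, unknown tenant, unknown user, or any
     * exception from the key store / realm) results in {@code false}.
     *
     * @param messageContext Axis2 context carrying the servlet request
     * @return true when the token is valid and the user exists in the tenant
     */
    public boolean isAuthenticated(MessageContext messageContext) {
        HttpServletRequest request =
                (HttpServletRequest) messageContext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        try {
            String token = decodeAuthorizationHeader(request.getHeader(AUTHORIZATION_HEADER));
            if (token == null) {
                log.error("Authentication Request is rejected. Authorization header does not carry a decodable token");
                return false;
            }

            KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(SUPER_TENANT_ID);
            // NOTE(review): the result was always discarded; kept only in case it
            // primes the primary keystore before getDefaultPublicKey() — confirm and drop.
            keyStoreManager.getDefaultPrimaryCertificate();
            RSASSAVerifier verifier = new RSASSAVerifier((RSAPublicKey) keyStoreManager.getDefaultPublicKey());

            SignedJWT jwt = SignedJWT.parse(token);
            if (!jwt.verify(verifier)) {
                log.error("Authentication Request is rejected. JWT signature verification failed");
                return false;
            }

            // Signature alone does not bound the token's lifetime: honour exp/nbf when present.
            if (!isWithinValidityWindow(jwt.getJWTClaimsSet().getNotBeforeTime(),
                                        jwt.getJWTClaimsSet().getExpirationTime())) {
                log.error("Authentication Request is rejected. JWT is expired or not yet valid");
                return false;
            }

            String qualifiedUsername = jwt.getJWTClaimsSet().getStringClaim(SIGNED_JWT_AUTH_USERNAME);
            if (qualifiedUsername == null || qualifiedUsername.trim().isEmpty()) {
                log.error("Authentication Request is rejected. JWT does not carry the '"
                        + SIGNED_JWT_AUTH_USERNAME + "' claim");
                return false;
            }

            String tenantDomain = MultitenantUtils.getTenantDomain(qualifiedUsername);
            String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(qualifiedUsername);
            int tenantId = SignedJWTAuthenticatorServiceComponent.getRealmService()
                    .getTenantManager().getTenantId(tenantDomain);
            if (tenantId == INVALID_TENANT_ID) {
                log.error("tenantDomain is not valid. username : " + tenantAwareUsername
                        + ", tenantDomain : " + tenantDomain);
                return false;
            }

            handleAuthenticationStarted(tenantId);
            boolean userExists = SignedJWTAuthenticatorServiceComponent.getRealmService()
                    .getTenantUserRealm(tenantId).getUserStoreManager().isExistingUser(tenantAwareUsername);
            if (userExists) {
                CarbonAuthenticationUtil.onSuccessAdminLogin(request.getSession(), tenantAwareUsername,
                        tenantId, tenantDomain, AUTHENTICATION_METHOD);
                handleAuthenticationCompleted(tenantId, true);
                return true;
            }

            log.error("Authentication Request is rejected. User : " + tenantAwareUsername
                    + " does not exists in tenant : " + tenantDomain + " 's UserStore");
            CarbonAuthenticationUtil.onFailedAdminLogin(request.getSession(), tenantAwareUsername, tenantId,
                    AUTHENTICATION_METHOD, "User does not exists in UserStore");
            handleAuthenticationCompleted(tenantId, false);
            return false;
        } catch (Exception e) {
            // Broad catch is deliberate: any failure in parsing, key loading or realm access must deny.
            log.error("Error authenticating the user " + e.getMessage(), e);
        }
        return false;
    }

    /**
     * Checks the token's time window against the current clock.
     *
     * @param notBefore the {@code nbf} claim, or null when absent
     * @param expiry the {@code exp} claim, or null when absent
     * @return false when {@code exp} has passed or {@code nbf} lies in the future;
     *         true otherwise (absent claims impose no constraint)
     */
    private static boolean isWithinValidityWindow(Date notBefore, Date expiry) {
        long now = System.currentTimeMillis();
        if (expiry != null && expiry.getTime() <= now) {
            return false;
        }
        if (notBefore != null && notBefore.getTime() > now) {
            return false;
        }
        return true;
    }

    /**
     * Returns true when the request carries an {@code Authorization} header whose
     * scheme is {@code Bearer} (case-insensitive). This is only a routing decision;
     * the token is not validated here.
     */
    public boolean isHandle(MessageContext messageContext) {
        HttpServletRequest request =
                (HttpServletRequest) messageContext.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        String header = request.getHeader(AUTHORIZATION_HEADER);
        if (header == null) {
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Authorization header found in the request");
        }
        String authType = getAuthType(header);
        if (log.isDebugEnabled()) {
            log.debug("Authorization header type is : " + authType);
        }
        // equalsIgnoreCase(null) is false, which covers a header with no scheme token.
        boolean handles = AUTHORIZATION_HEADER_TYPE.equalsIgnoreCase(authType);
        if (handles && log.isDebugEnabled()) {
            log.debug("Request can be handled using this authenticator, so returning true");
        }
        return handles;
    }

    /**
     * Extracts the authentication scheme (first whitespace-separated token) from
     * an {@code Authorization} header value.
     *
     * @return the scheme, or null when the header is null or has no tokens
     */
    private String getAuthType(String header) {
        if (header != null) {
            String[] parts = header.trim().split(" ");
            if (parts.length != 0) {
                return parts[0].trim();
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Authorization Type is not defined. Hence returning null");
        }
        return null;
    }

    /**
     * Returns the base64-decoded credential that follows the scheme in an
     * {@code Authorization} header, or null when the header is null, has no
     * credential part, or does not decode. The credential is expected to be the
     * JWT compact serialization, which is ASCII, so UTF-8 is a safe decoding.
     */
    private String decodeAuthorizationHeader(String header) {
        String encoded = null;
        if (header != null) {
            String[] parts = header.trim().split(" ");
            // Guard the index: a bare "Bearer" header previously threw ArrayIndexOutOfBounds.
            if (parts.length > 1) {
                encoded = parts[1].trim();
            }
        }
        byte[] decoded = (encoded == null || encoded.isEmpty()) ? null : Base64Utils.decode(encoded);
        if (decoded == null) {
            if (log.isDebugEnabled()) {
                log.debug("Error decoding authorization header.");
            }
            return null;
        }
        return new String(decoded, Charset.forName("UTF-8"));
    }

    /** Notifies every registered AuthenticationObserver that authentication for the tenant began. */
    private void handleAuthenticationStarted(int tenantId) {
        BundleContext bundleContext = SignedJWTAuthenticatorServiceComponent.getBundleContext();
        if (bundleContext == null) {
            return;
        }
        ServiceTracker tracker = newObserverTracker(bundleContext);
        tracker.open();
        try {
            Object[] observers = tracker.getServices();
            if (observers != null) {
                for (Object observer : observers) {
                    ((AuthenticationObserver) observer).startedAuthentication(tenantId);
                }
            }
        } finally {
            // Always release the tracker even if an observer throws.
            tracker.close();
        }
    }

    /** Notifies every registered AuthenticationObserver of the outcome for the tenant. */
    private void handleAuthenticationCompleted(int tenantId, boolean succeeded) {
        BundleContext bundleContext = SignedJWTAuthenticatorServiceComponent.getBundleContext();
        if (bundleContext == null) {
            return;
        }
        ServiceTracker tracker = newObserverTracker(bundleContext);
        tracker.open();
        try {
            Object[] observers = tracker.getServices();
            if (observers != null) {
                for (Object observer : observers) {
                    ((AuthenticationObserver) observer).completedAuthentication(tenantId, succeeded);
                }
            }
        } finally {
            // Always release the tracker even if an observer throws.
            tracker.close();
        }
    }

    /** Creates an (unopened) tracker for AuthenticationObserver services in the given bundle context. */
    private static ServiceTracker newObserverTracker(BundleContext bundleContext) {
        return new ServiceTracker(bundleContext, AuthenticationObserver.class.getName(),
                (ServiceTrackerCustomizer) null);
    }
}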
