package com.stormpath.sdk.servlet.http.authc;

import com.stormpath.sdk.account.Account;
import com.stormpath.sdk.account.AccountStatus;
import com.stormpath.sdk.api.ApiKey;
import com.stormpath.sdk.authc.AuthenticationResultVisitor;
import com.stormpath.sdk.client.Client;
import com.stormpath.sdk.lang.Assert;
import com.stormpath.sdk.oauth.Authenticators;
import com.stormpath.sdk.oauth.OAuthAuthenticationResult;
import com.stormpath.sdk.oauth.OAuthBearerRequestAuthentication;
import com.stormpath.sdk.oauth.OAuthBearerRequestAuthenticator;
import com.stormpath.sdk.oauth.OAuthRequests;
import com.stormpath.sdk.resource.ResourceException;
import com.stormpath.sdk.servlet.authc.impl.TransientAuthenticationResult;
import com.stormpath.sdk.servlet.filter.account.JwtSigningKeyResolver;
import com.stormpath.sdk.servlet.filter.oauth.OAuthErrorCode;
import com.stormpath.sdk.servlet.filter.oauth.OAuthException;
import com.stormpath.sdk.servlet.http.impl.StormpathHttpServletRequest;
import com.stormpath.sdk.servlet.oauth.AccessTokenValidationStrategy;
import io.jsonwebtoken.ExpiredJwtException;
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/stormpath/sdk/servlet/http/authc/BearerAuthenticationScheme.class */
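/**
 * HTTP {@code Bearer} authentication scheme: takes the bearer value (a JWT access token) from an
 * {@link HttpAuthenticationAttempt}, hands it to the SDK's OAuth bearer-request authenticator and
 * turns the resulting {@link Account} into an {@link HttpAuthenticationResult}.
 * <p>
 * When the configured {@link AccessTokenValidationStrategy} is {@code LOCAL}, the authenticator is
 * switched to local validation via {@code withLocalValidation()} before the token is checked.
 * <p>
 * Every validation failure is normalised to an {@link OAuthException}; that exception is rendered
 * to the client as a JSON body with status {@code 401} and non-cacheable headers, and then rethrown
 * wrapped in an {@link HttpAuthenticationException}.
 */
public class BearerAuthenticationScheme extends AbstractAuthenticationScheme {

    private static final Logger log = LoggerFactory.getLogger(BearerAuthenticationScheme.class);

    /** Scheme name, compared case-insensitively against the credentials and stored as the auth type. */
    private static final String NAME = "Bearer";

    /** Exposed to subclasses via {@link #getJwtSigningKeyResolver()}; not used directly in this class. */
    private final JwtSigningKeyResolver jwtSigningKeyResolver;

    /** {@code true} when the bearer authenticator must be asked to validate the token locally. */
    private final boolean withLocalValidation;

    /**
     * Creates the scheme.
     *
     * @param jwtSigningKeyResolver         resolver made available to subclasses; must not be {@code null}
     * @param accessTokenValidationStrategy {@code LOCAL} enables local token validation; must not be {@code null}
     * @throws IllegalArgumentException if either argument is {@code null} (raised by {@code Assert.notNull})
     */
    public BearerAuthenticationScheme(JwtSigningKeyResolver jwtSigningKeyResolver, AccessTokenValidationStrategy accessTokenValidationStrategy) {
        Assert.notNull(jwtSigningKeyResolver, "JwtSigningKeyResolver cannot be null.");
        // Previously dereferenced unchecked, so a missing strategy surfaced as a bare NullPointerException.
        Assert.notNull(accessTokenValidationStrategy, "AccessTokenValidationStrategy cannot be null.");
        this.jwtSigningKeyResolver = jwtSigningKeyResolver;
        this.withLocalValidation = accessTokenValidationStrategy.equals(AccessTokenValidationStrategy.LOCAL);
    }

    /** @return the scheme name, {@code "Bearer"} */
    @Override // com.stormpath.sdk.servlet.http.authc.HttpAuthenticationScheme
    public String getName() {
        return NAME;
    }

    /** @return the resolver supplied at construction time */
    protected JwtSigningKeyResolver getJwtSigningKeyResolver() {
        return this.jwtSigningKeyResolver;
    }

    /**
     * Authenticates a bearer attempt.
     * <p>
     * On success the request attribute {@code StormpathHttpServletRequest.AUTH_TYPE_REQUEST_ATTRIBUTE_NAME}
     * is set to {@code "Bearer"}. On an {@link OAuthException} the error is written to the response as
     * JSON with a {@code 401} status before the failure is reported to the caller.
     *
     * @param httpAuthenticationAttempt the attempt; its request, response and credentials must all be non-null
     *                                  and the credentials' scheme name must be {@code Bearer} (case-insensitive)
     * @return the authentication result for the token's account
     * @throws HttpAuthenticationException if token validation fails, or if the error body could not be written
     * @throws IllegalArgumentException    if any precondition above is violated (raised by {@code Assert})
     */
    @Override // com.stormpath.sdk.servlet.http.authc.HttpAuthenticationScheme
    public HttpAuthenticationResult authenticate(HttpAuthenticationAttempt httpAuthenticationAttempt) throws HttpAuthenticationException {
        Assert.notNull(httpAuthenticationAttempt, "attempt cannot be null.");
        HttpServletRequest request = httpAuthenticationAttempt.getRequest();
        Assert.notNull(request, "attempt request property cannot be null.");
        HttpServletResponse response = httpAuthenticationAttempt.getResponse();
        Assert.notNull(response, "attempt response property cannot be null.");
        HttpCredentials credentials = httpAuthenticationAttempt.getCredentials();
        Assert.notNull(credentials, "credentials cannot be null.");
        Assert.isTrue(NAME.equalsIgnoreCase(credentials.getSchemeName()), "Unsupported scheme.");
        String schemeValue = credentials.getSchemeValue();
        Assert.hasText(schemeValue, "Cannot authenticate empty Bearer value.");
        try {
            HttpAuthenticationResult result = authenticate(request, response, schemeValue);
            request.setAttribute(StormpathHttpServletRequest.AUTH_TYPE_REQUEST_ATTRIBUTE_NAME, NAME);
            return result;
        } catch (OAuthException e) {
            renderOAuthError(response, e);
            throw new HttpAuthenticationException("OAuth request authentication failed: " + e.getMessage(), e);
        }
    }

    /**
     * Writes an OAuth error to the response: status 401, JSON content type, cache-defeating headers and
     * the exception's JSON representation as the body.
     *
     * @param response the response to write to
     * @param e        the error to render
     * @throws HttpAuthenticationException if the body cannot be written
     */
    private void renderOAuthError(HttpServletResponse response, OAuthException e) throws HttpAuthenticationException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json");
        // An error body for a failed token must never be served from a cache.
        response.setHeader("Cache-Control", "no-store, no-cache");
        response.setHeader("Pragma", "no-cache");
        try {
            java.io.PrintWriter writer = response.getWriter();
            writer.print(e.toJson());
            writer.flush();
        } catch (IOException ioe) {
            throw new HttpAuthenticationException("Unable to render OAuth error response body: " + ioe.getMessage(), ioe);
        }
    }

    /**
     * Validates the raw JWT with the SDK's bearer-request authenticator and builds the result.
     *
     * @param httpServletRequest  current request; used to look up the application
     * @param httpServletResponse current response; passed through to the result
     * @param str                 the raw bearer token (JWT) taken from the Authorization header
     * @return the result for the token's account
     * @throws OAuthException with {@code INVALID_CLIENT} if the token is expired ("access_token is expired.")
     *                        or fails validation for any other reason ("access_token is invalid.");
     *                        an {@code OAuthException} raised inside the try block is rethrown unchanged
     */
    protected HttpAuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        try {
            OAuthBearerRequestAuthentication authentication = OAuthRequests.OAUTH_BEARER_REQUEST.builder().setJwt(str).build();
            OAuthBearerRequestAuthenticator authenticator =
                Authenticators.OAUTH_BEARER_REQUEST_AUTHENTICATOR.forApplication(getApplication(httpServletRequest));
            if (this.withLocalValidation) {
                authenticator.withLocalValidation();
            }
            Account account = authenticator.authenticate(authentication).getAccount();
            return createAuthenticationResult(httpServletRequest, httpServletResponse, account);
        } catch (OAuthException e) {
            throw e;
        } catch (ExpiredJwtException e) {
            // Must be caught before the generic handler below: the decompiled listing had the order
            // reversed, which does not compile and would make the "expired" distinction unreachable.
            throw new OAuthException(OAuthErrorCode.INVALID_CLIENT, "access_token is expired.", e);
        } catch (Exception e) {
            // Full cause only at debug level; the client receives a generic message.
            log.debug("JWT verification failed.", e);
            throw new OAuthException(OAuthErrorCode.INVALID_CLIENT, "access_token is invalid.", e);
        }
    }

    /**
     * Converts the authenticated account into an {@link HttpAuthenticationResult}.
     * <p>
     * If the account href contains {@code "apiKeys"} the token subject is treated as an API key: the key
     * id is taken from the last path segment of the href and resolved via {@link #getTokenApiKey}.
     * Otherwise the account must be {@code ENABLED}.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse current response
     * @param account             the account returned by the bearer authenticator; must not be {@code null}
     * @return the wrapped result
     * @throws OAuthException with {@code INVALID_CLIENT} ("account is disabled.") if a non-API-key account is not
     *                        enabled, or if the API key lookup fails
     */
    protected HttpAuthenticationResult createAuthenticationResult(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Account account) throws OAuthException {
        Assert.notNull(account, "account cannot be null.");
        String href = account.getHref();
        OAuthAuthenticationResult authenticationResult;
        // NOTE(review): API-key detection relies on a substring match against the href; confirm this
        // cannot match an ordinary account href.
        if (href.contains("apiKeys")) {
            String apiKeyId = href.substring(href.lastIndexOf('/') + 1);
            // NOTE(review): only the API key is checked here (getTokenApiKey -> getEnabledApiKey); the
            // owning account's status is not re-checked on this branch - confirm that is intended.
            ApiKey tokenApiKey = getTokenApiKey(httpServletRequest, apiKeyId);
            authenticationResult = new ApiKeyAuthenticationResult(tokenApiKey);
        } else {
            if (account.getStatus() != AccountStatus.ENABLED) {
                throw new OAuthException(OAuthErrorCode.INVALID_CLIENT, "account is disabled.", null);
            }
            authenticationResult = new TransientAuthenticationResult(account);
        }
        return new DefaultHttpAuthenticationResult(httpServletRequest, httpServletResponse, authenticationResult);
    }

    /**
     * In-memory result for a token whose subject is an API key: no scopes, no href, and the account is the
     * key's owning account.
     */
    private static final class ApiKeyAuthenticationResult implements OAuthAuthenticationResult {

        private final ApiKey apiKey;

        ApiKeyAuthenticationResult(ApiKey apiKey) {
            this.apiKey = apiKey;
        }

        @Override
        public Set<String> getScope() {
            return Collections.emptySet();
        }

        @Override
        public ApiKey getApiKey() {
            return this.apiKey;
        }

        @Override
        public Account getAccount() {
            return this.apiKey.getAccount();
        }

        @Override
        public void accept(AuthenticationResultVisitor authenticationResultVisitor) {
            authenticationResultVisitor.visit(this);
        }

        /** Transient result with no backing resource, so there is no href. */
        @Override
        public String getHref() {
            return null;
        }
    }

    /**
     * @param httpServletRequest current request
     * @return the {@link Client} stored as a request attribute under {@code Client.class.getName()}, or
     *         {@code null} if none is set
     */
    protected Client getClient(HttpServletRequest httpServletRequest) {
        return (Client) httpServletRequest.getAttribute(Client.class.getName());
    }

    /**
     * Looks up the enabled API key with the given id, translating lookup failures into OAuth errors.
     *
     * @param httpServletRequest current request
     * @param str                the API key id
     * @return the enabled API key
     * @throws OAuthException with {@code INVALID_CLIENT} if the SDK lookup fails; the message is the
     *                        {@code ResourceException}'s developer message. NOTE(review): that message ends up in
     *                        the JSON error body rendered to the caller - confirm it is safe to expose.
     */
    protected ApiKey getTokenApiKey(HttpServletRequest httpServletRequest, String str) throws OAuthException {
        try {
            return getEnabledApiKey(httpServletRequest, str);
        } catch (ResourceException e) {
            throw new OAuthException(OAuthErrorCode.INVALID_CLIENT, e.getStormpathError().getDeveloperMessage(), e);
        }
    }
}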
