package org.apache.cxf.rs.security.oauth2.filters;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation;
import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.security.SecurityContext;

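/**
 * JAX-RS request handler that enforces the scopes carried by an OAuth2 access token.
 * <p>
 * The token is resolved through {@link AbstractAccessTokenValidator#getAccessTokenValidation()}.
 * Each {@link OAuthPermission} in the token's scope list is matched against the request path
 * and HTTP method; when the token carries scopes and none of them match, the request is
 * rejected with HTTP 403. A token that carries no scopes at all is not restricted by this
 * filter (see {@link #handleRequest}). On success a {@link SecurityContext} derived from the
 * token (or client) subject and an {@link OAuthContext} holding the matching permissions are
 * attached to the message for downstream code.
 */
@Provider
/* loaded from: input_file:plugins/cxf-bundle-2.6.1.wso2v1.jar:org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.class */
public class OAuthRequestFilter extends AbstractAccessTokenValidator implements RequestHandler {
    private static final Logger LOG = LogUtils.getL7dLogger(OAuthRequestFilter.class);

    // When true the SecurityContext principal and roles come from the token (resource owner)
    // subject; otherwise from the client subject. Defaults to false.
    private boolean useUserSubject;

    /**
     * Validates the access token of the current request and enforces its scopes.
     *
     * @param message the current CXF message; receives the {@link SecurityContext} and the
     *                {@link OAuthContext} when the request is admitted
     * @param classResourceInfo the matched resource class (not used by this handler)
     * @return {@code null} so that request processing continues to the resource
     * @throws WebApplicationException with status 403 when the token carries at least one
     *         scope but none of its permissions admit the request URI and HTTP verb
     */
    @Override // org.apache.cxf.jaxrs.ext.RequestHandler
    public Response handleRequest(Message message, ClassResourceInfo classResourceInfo) {
        AccessTokenValidation validation = getAccessTokenValidation();
        List<OAuthPermission> tokenScopes = validation.getTokenScopes();
        HttpServletRequest request = getMessageContext().getHttpServletRequest();

        // Keep only the permissions whose URI and verb restrictions admit this request.
        // Both checks are evaluated for every permission so that each one logs its own
        // diagnostic at FINE level.
        List<OAuthPermission> matchingPermissions = new ArrayList<OAuthPermission>();
        for (OAuthPermission permission : tokenScopes) {
            boolean uriAllowed = checkRequestURI(request, permission.getUris());
            boolean verbAllowed = checkHttpVerb(request, permission.getHttpVerbs());
            if (uriAllowed && verbAllowed) {
                matchingPermissions.add(permission);
            }
        }

        // NOTE(review): the scope check only applies when the token carries scopes; a token
        // with an empty scope list reaches the resource unconditionally. Confirm that is the
        // intended policy, since enforcement then depends on what the token issuer grants.
        if (!tokenScopes.isEmpty() && matchingPermissions.isEmpty()) {
            LOG.warning("Client has no valid permissions");
            throw new WebApplicationException(403);
        }

        message.put(SecurityContext.class, createSecurityContext(request, validation));
        message.setContent(OAuthContext.class,
            new OAuthContext(validation.getTokenSubject(), matchingPermissions, validation.getTokenGrantType()));
        return null;
    }

    /**
     * Checks whether the request's HTTP method is admitted by a permission's verb list.
     *
     * @param request the current request
     * @param httpVerbs the verbs the permission allows; an empty list allows any verb
     * @return {@code true} if {@code httpVerbs} is empty or contains the request method
     *         exactly (the comparison is case-sensitive, as HTTP method names are)
     */
    protected boolean checkHttpVerb(HttpServletRequest request, List<String> httpVerbs) {
        if (httpVerbs.isEmpty() || httpVerbs.contains(request.getMethod())) {
            return true;
        }
        LOG.fine("Invalid http verb");
        return false;
    }

    /**
     * Checks whether the request path is admitted by a permission's URI list.
     *
     * @param request the current request
     * @param uris the URI patterns the permission allows; an empty list allows any path
     * @return {@code true} if {@code uris} is empty or {@link OAuthUtils#checkRequestURI}
     *         accepts the request's path info for at least one entry
     */
    protected boolean checkRequestURI(HttpServletRequest request, List<String> uris) {
        if (uris.isEmpty()) {
            return true;
        }
        // getPathInfo() is null when the request carries no extra path information; whether
        // OAuthUtils.checkRequestURI tolerates a null path is not visible here — TODO confirm.
        String pathInfo = request.getPathInfo();
        for (String uri : uris) {
            if (OAuthUtils.checkRequestURI(pathInfo, uri)) {
                return true;
            }
        }
        LOG.fine("Invalid request URI");
        return false;
    }

    /**
     * Selects which subject backs the {@link SecurityContext} created for admitted requests.
     *
     * @param useUserSubject {@code true} to use the token (resource owner) subject,
     *                       {@code false} to use the client subject
     */
    public void setUseUserSubject(boolean useUserSubject) {
        this.useUserSubject = useUserSubject;
    }

    /**
     * Builds the {@link SecurityContext} exposed to the resource for this request.
     * <p>
     * The principal name is the subject's login and role checks are answered from the
     * subject's role list. When the selected subject is {@code null} the principal is
     * {@code null} and every role check fails.
     *
     * @param request the current request (not consulted by the default implementation)
     * @param validation the validated token from which the subject is taken
     * @return a security context backed by the token or client subject, per
     *         {@link #setUseUserSubject(boolean)}
     */
    protected SecurityContext createSecurityContext(HttpServletRequest request, AccessTokenValidation validation) {
        final UserSubject subject = this.useUserSubject ? validation.getTokenSubject() : validation.getClientSubject();
        return new SecurityContext() { // from class: org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter.1
            @Override // org.apache.cxf.security.SecurityContext
            public Principal getUserPrincipal() {
                return subject == null ? null : new SimplePrincipal(subject.getLogin());
            }

            @Override // org.apache.cxf.security.SecurityContext
            public boolean isUserInRole(String role) {
                // Fail closed: no subject means no roles.
                return subject != null && subject.getRoles().contains(role);
            }
        };
    }
}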
