package com.networknt.security;

import com.networknt.client.oauth.TokenInfo;
import com.networknt.handler.Handler;
import com.networknt.handler.MiddlewareHandler;
import com.networknt.httpstring.AttachmentConstants;
import com.networknt.httpstring.HttpStringConstants;
import com.networknt.monad.Result;
import com.networknt.status.Status;
import com.networknt.utility.Constants;
import com.networknt.utility.StringUtils;
import io.undertow.Handlers;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderMap;
import io.undertow.util.Headers;
import io.undertow.util.HttpString;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/security/AbstractSwtVerifyHandler.class */
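/**
 * Middleware handler that verifies the SWT presented on a request before handing the
 * exchange to the next handler in the chain.
 *
 * <p>The token is taken from the {@code Authorization} header (or, when that header does not
 * use the Bearer scheme, from the scope-token header), verified through {@link SwtVerifier},
 * and, when scope verification is enabled, checked against the scopes returned by
 * {@link #getSpecScopes(HttpServerExchange, Map)}.
 *
 * <p>{@link #swtVerifier} and {@link #config} are public mutable statics shared by every
 * instance; nothing in this class initialises them, so a subclass or bootstrap code has to
 * assign both before the first request is handled.
 */
public abstract class AbstractSwtVerifyHandler extends UndertowVerifyHandler implements MiddlewareHandler {
    static final Logger logger = LoggerFactory.getLogger(AbstractSwtVerifyHandler.class);
    static final String STATUS_INVALID_AUTH_TOKEN = "ERR10000";
    static final String STATUS_AUTH_TOKEN_EXPIRED = "ERR10001";
    static final String STATUS_MISSING_AUTH_TOKEN = "ERR10002";
    static final String STATUS_INVALID_SCOPE_TOKEN = "ERR10003";
    static final String STATUS_SCOPE_TOKEN_EXPIRED = "ERR10004";
    static final String STATUS_AUTH_TOKEN_SCOPE_MISMATCH = "ERR10005";
    static final String STATUS_SCOPE_TOKEN_SCOPE_MISMATCH = "ERR10006";
    static final String STATUS_INVALID_REQUEST_PATH = "ERR10007";
    static final String STATUS_METHOD_NOT_ALLOWED = "ERR10008";
    static final String STATUS_CLIENT_EXCEPTION = "ERR10082";

    /** Upper bound on how many leading characters of a token or header reach the trace log. */
    private static final int TRACE_PREFIX_LENGTH = 10;
    /** Authorization scheme that marks the header value as the primary token. */
    private static final String BEARER_SCHEME = "Bearer";

    public static SwtVerifier swtVerifier;
    public static SecurityConfig config;
    public volatile HttpHandler next;

    /**
     * Returns at most {@link #TRACE_PREFIX_LENGTH} leading characters of {@code value}, so that
     * trace logging never throws on a short token and never records more than the prefix.
     */
    private static String tracePrefix(String value) {
        return value.substring(0, Math.min(TRACE_PREFIX_LENGTH, value.length()));
    }

    /** Returns the handler that runs after this one. */
    @Override // com.networknt.handler.MiddlewareHandler
    public HttpHandler getNext() {
        return this.next;
    }

    /**
     * Sets the handler that runs after this one.
     *
     * @param httpHandler the next handler; validated by {@code Handlers.handlerNotNull}
     * @return this handler, for chaining
     */
    @Override // com.networknt.handler.MiddlewareHandler
    public MiddlewareHandler setNext(HttpHandler httpHandler) {
        Handlers.handlerNotNull(httpHandler);
        this.next = httpHandler;
        return this;
    }

    /** Reports whether SWT verification is switched on in the security configuration. */
    @Override // com.networknt.handler.MiddlewareHandler
    public boolean isEnabled() {
        return config.isEnableVerifySwt();
    }

    /**
     * Verifies the request's token and either forwards the exchange to the next handler or
     * ends it with the error status produced by {@link #handleSwt}.
     *
     * <p>Requests whose path starts with one of the configured skip prefixes bypass
     * verification entirely.
     *
     * @param httpServerExchange the exchange being processed
     * @throws Exception whatever {@link #handleSwt} or the next handler throws
     */
    @Override // io.undertow.server.HttpHandler
    public void handleRequest(HttpServerExchange httpServerExchange) throws Exception {
        if (logger.isDebugEnabled()) {
            logger.debug("SwtVerifyHandler.handleRequest starts.");
        }
        String requestPath = httpServerExchange.getRequestPath();
        Collection<String> skipPathPrefixes = config.getSkipPathPrefixes();
        // NOTE(review): this is a plain string-prefix test, so a configured prefix such as
        // "/health" also exempts "/healthcheck-admin". Prefixes that must not match sibling
        // paths should be configured with a trailing slash.
        if (skipPathPrefixes != null && skipPathPrefixes.stream().anyMatch(requestPath::startsWith)) {
            if (logger.isTraceEnabled()) {
                logger.trace("Skip request path base on skipPathPrefixes for " + requestPath);
            }
            Handler.next(httpServerExchange, this.next);
            if (logger.isDebugEnabled()) {
                logger.debug("SwtVerifyHandler.handleRequest ends.");
            }
            return;
        }
        Status failure = handleSwt(httpServerExchange, requestPath, null);
        if (failure != null) {
            // Verification failed: answer with the error and stop the chain here.
            setExchangeStatus(httpServerExchange, failure);
            httpServerExchange.endExchange();
            return;
        }
        if (logger.isDebugEnabled()) {
            logger.debug("SwtVerifyHandler.handleRequest ends.");
        }
        Handler.next(httpServerExchange, this.next);
    }

    /**
     * Runs the full verification sequence for one request: token extraction, token
     * verification, audit-info population, the h2c check, optional scope verification and
     * finally the pass-through of configured claims into request headers.
     *
     * @param httpServerExchange the exchange being processed
     * @param str                the request path, forwarded to {@code SwtVerifier.verifySwt}
     * @param list               forwarded unchanged to {@code SwtVerifier.verifySwt};
     *                           {@link #handleRequest} passes {@code null}
     * @return {@code null} when the request is accepted, otherwise the status describing why
     *         it was rejected
     * @throws Exception from {@link #getSpecScopes} or from the reflective claim lookup, e.g.
     *                   {@code NoSuchFieldException} when a configured pass-through claim does
     *                   not name a field of the token-info class
     */
    public Status handleSwt(HttpServerExchange httpServerExchange, String str, List<String> list) throws Exception {
        HeaderMap requestHeaders = httpServerExchange.getRequestHeaders();
        String authorization = requestHeaders.getFirst(Headers.AUTHORIZATION);
        if (logger.isTraceEnabled() && authorization != null && authorization.length() > TRACE_PREFIX_LENGTH) {
            logger.trace("Authorization header = " + authorization.substring(0, TRACE_PREFIX_LENGTH));
        }
        if (authorization == null) {
            Status missing = new Status(STATUS_MISSING_AUTH_TOKEN);
            if (logger.isTraceEnabled()) {
                logger.trace("SwtVerifyHandler.handleRequest ends with an error {}", missing);
            }
            return missing;
        }
        // Anything shorter than the scheme name cannot carry a token.
        if (authorization.trim().length() < BEARER_SCHEME.length()) {
            Status invalid = new Status(STATUS_INVALID_AUTH_TOKEN);
            if (logger.isTraceEnabled()) {
                logger.trace("SwtVerifyHandler.handleRequest ends with an error {}", invalid);
            }
            return invalid;
        }
        String swt = SwtVerifier.getTokenFromAuthorization(getScopeToken(authorization, requestHeaders));
        if (swt == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("SwtVerifyHandler.handleRequest ends with an error.");
            }
            return new Status(STATUS_MISSING_AUTH_TOKEN);
        }
        if (logger.isTraceEnabled()) {
            // Bounded prefix: an unbounded substring(0, 10) would throw on a short token, but
            // only when trace logging happens to be enabled.
            logger.trace("parsed swt from authorization = " + tracePrefix(swt));
        }
        String swtClientId = requestHeaders.getFirst(config.getSwtClientIdHeader());
        String swtClientSecret = requestHeaders.getFirst(config.getSwtClientSecretHeader());
        if (logger.isTraceEnabled()) {
            // NOTE(review): maskHalfString presumably leaves part of the client secret readable
            // in the trace log - confirm, and consider logging only whether the header is set.
            logger.trace("header swtClientId = " + swtClientId + ", header swtClientSecret = " + StringUtils.maskHalfString(swtClientSecret));
        }
        Result<TokenInfo> verification = swtVerifier.verifySwt(swt, str, list, swtClientId, swtClientSecret);
        if (verification.isFailure()) {
            if (logger.isTraceEnabled()) {
                logger.trace("SwtVerifyHandler.handleRequest ends with an error {}", verification.getError());
            }
            return verification.getError();
        }
        TokenInfo tokenInfo = verification.getResult();

        // Record the verified identity in the exchange's audit info, creating the map on first use.
        @SuppressWarnings("unchecked")
        Map<String, Object> auditInfo = (Map<String, Object>) httpServerExchange.getAttachment(AttachmentConstants.AUDIT_INFO);
        if (auditInfo == null) {
            auditInfo = new HashMap<>();
            httpServerExchange.putAttachment(AttachmentConstants.AUDIT_INFO, auditInfo);
        }
        auditInfo.put("client_id", tokenInfo.getClientId());
        auditInfo.put(Constants.ISSUER_CLAIMS, tokenInfo.getIss());

        if (!config.isEnableH2c() && checkForH2CRequest(requestHeaders)) {
            Status notAllowed = new Status(STATUS_METHOD_NOT_ALLOWED);
            if (logger.isTraceEnabled()) {
                logger.trace("SwtVerifyHandler.handleRequest ends with an error {}", notAllowed);
            }
            return notAllowed;
        }

        // The caller id is taken from a request header as-is; it is recorded, not verified.
        String callerId = requestHeaders.getFirst(HttpStringConstants.CALLER_ID);
        if (callerId != null) {
            auditInfo.put(Constants.CALLER_ID_STRING, callerId);
        }

        // config has already been dereferenced above, so no separate null check is made here.
        if (config.isEnableVerifyScope()) {
            if (logger.isTraceEnabled()) {
                logger.trace("verify scope from the primary token when enableVerifyScope is true");
            }
            String scopeHeader = requestHeaders.getFirst(HttpStringConstants.SCOPE_TOKEN);
            String scopeToken = SwtVerifier.getTokenFromAuthorization(scopeHeader);
            List<String> secondaryScopes = new ArrayList<>();
            Status secondaryFailure = hasValidSecondaryScopes(httpServerExchange, scopeToken, secondaryScopes, str, list, auditInfo);
            if (secondaryFailure != null) {
                return secondaryFailure;
            }
            Status scopeFailure = hasValidScope(httpServerExchange, scopeHeader, secondaryScopes, tokenInfo, getSpecScopes(httpServerExchange, auditInfo));
            if (scopeFailure != null) {
                return scopeFailure;
            }
        }

        Map<String, String> passThroughClaims = config.getPassThroughClaims();
        if (passThroughClaims != null && !passThroughClaims.isEmpty()) {
            for (Map.Entry<String, String> entry : passThroughClaims.entrySet()) {
                String claimName = entry.getKey();
                String headerName = entry.getValue();
                // The claim is read reflectively from the token-info object by field name.
                Field claimField = tokenInfo.getClass().getDeclaredField(claimName);
                claimField.setAccessible(true);
                Object claimValue = claimField.get(tokenInfo);
                if (logger.isTraceEnabled()) {
                    logger.trace("pass through header {} with value {}", headerName, claimValue);
                }
                HttpString header = new HttpString(headerName);
                if (claimValue == null) {
                    // The token carries no value for this claim. Drop any value the client
                    // sent under the same header name so that later handlers cannot mistake
                    // client-supplied data for a verified claim (calling toString() on the
                    // null value would also fail the request with a NullPointerException).
                    requestHeaders.remove(header);
                } else {
                    requestHeaders.put(header, claimValue.toString());
                }
            }
        }
        if (logger.isTraceEnabled()) {
            logger.trace("complete SWT verification for request path = " + httpServerExchange.getRequestURI());
        }
        if (logger.isDebugEnabled()) {
            logger.debug("SwtVerifyHandler.handleRequest ends.");
        }
        return null;
    }

    /**
     * Checks the scopes granted by the token(s) against the scopes the endpoint requires.
     *
     * <p>When a scope-token header was sent ({@code str} non-null) only the scopes collected
     * from that token ({@code list}) are considered; otherwise the space-separated scope
     * string of the primary token is used.
     *
     * @param httpServerExchange the exchange being processed (not used here)
     * @param str                the raw scope-token header value, or {@code null} if absent
     * @param list               scopes collected from the scope token
     * @param tokenInfo          verified primary token
     * @param list2              scopes required for the endpoint
     * @return {@code null} when the scopes match or scope verification is disabled, otherwise
     *         a scope-mismatch status
     */
    protected Status hasValidScope(HttpServerExchange httpServerExchange, String str, List<String> list, TokenInfo tokenInfo, List<String> list2) {
        if (!config.isEnableVerifyScope()) {
            return null;
        }
        if (str != null) {
            if (logger.isTraceEnabled()) {
                logger.trace("validate the scope with scope token");
            }
            boolean matched = list != null && matchedScopes(list, list2);
            return matched ? null : new Status(STATUS_SCOPE_TOKEN_SCOPE_MISMATCH, list, list2);
        }
        if (logger.isTraceEnabled()) {
            logger.trace("validate the scope with primary token");
        }
        String scope = tokenInfo.getScope();
        List<String> primaryScopes = scope == null ? null : Arrays.asList(scope.split(" "));
        if (matchedScopes(primaryScopes, list2)) {
            return null;
        }
        return new Status(STATUS_AUTH_TOKEN_SCOPE_MISMATCH, primaryScopes, list2);
    }

    /**
     * Tells whether the token scopes satisfy the required scopes.
     *
     * <p>One shared scope is enough. An endpoint with no required scopes ({@code collection}
     * null or empty) is treated as matched regardless of the token, so an endpoint whose
     * specification declares no scopes is open to any verified token.
     *
     * @param list       scopes granted by the token; may be {@code null}
     * @param collection scopes required by the endpoint; may be {@code null}
     * @return {@code true} if nothing is required or at least one required scope is granted
     */
    protected boolean matchedScopes(List<String> list, Collection<String> collection) {
        if (collection == null || collection.isEmpty()) {
            return true;
        }
        if (list == null || list.isEmpty()) {
            return false;
        }
        for (String requiredScope : collection) {
            if (list.contains(requiredScope)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Verifies the scope token, if one was supplied, and collects its scopes.
     *
     * @param httpServerExchange the exchange being processed
     * @param str                the scope token, or {@code null} when none was sent
     * @param list               receives the scopes of the verified scope token
     * @param str2               the request path, forwarded to {@code SwtVerifier.verifySwt}
     * @param list2              forwarded unchanged to {@code SwtVerifier.verifySwt}
     * @param map                audit info; receives the scope token's client id
     * @return {@code null} when there is no scope token or it verified, otherwise the failure
     *         status
     */
    protected Status hasValidSecondaryScopes(HttpServerExchange httpServerExchange, String str, List<String> list, String str2, List<String> list2, Map<String, Object> map) {
        if (str == null) {
            return null;
        }
        if (logger.isTraceEnabled()) {
            // Bounded prefix: a scope token shorter than ten characters must not make trace
            // logging throw before the token has even been verified.
            logger.trace("start verifying scope token = " + tracePrefix(str));
        }
        try {
            HeaderMap requestHeaders = httpServerExchange.getRequestHeaders();
            String swtClientId = requestHeaders.getFirst(config.getSwtClientIdHeader());
            String swtClientSecret = requestHeaders.getFirst(config.getSwtClientSecretHeader());
            if (logger.isTraceEnabled()) {
                // NOTE(review): maskHalfString presumably leaves part of the client secret
                // readable in the trace log - confirm.
                logger.trace("header swtClientId = " + swtClientId + ", header swtClientSecret = " + StringUtils.maskHalfString(swtClientSecret));
            }
            Result<TokenInfo> verification = swtVerifier.verifySwt(str, str2, list2, swtClientId, swtClientSecret);
            if (verification.isFailure()) {
                return verification.getError();
            }
            TokenInfo scopeTokenInfo = verification.getResult();
            String scope = scopeTokenInfo.getScope();
            if (scope != null) {
                list.addAll(Arrays.asList(scope.split(" ")));
                map.put(Constants.SCOPE_CLIENT_ID_STRING, scopeTokenInfo.getClientId());
            }
            return null;
        } catch (Exception e) {
            logger.error("Exception", e);
            // NOTE(review): the exception message becomes an argument of the returned status;
            // confirm it cannot expose internal detail to the caller.
            return new Status(STATUS_CLIENT_EXCEPTION, e.getMessage());
        }
    }

    /**
     * Supplies the scopes the current endpoint requires.
     *
     * @param httpServerExchange the exchange being processed
     * @param map                audit info for the exchange
     * @return the required scopes; {@link #matchedScopes} treats null or empty as "none required"
     * @throws Exception if the scopes cannot be determined
     */
    public abstract List<String> getSpecScopes(HttpServerExchange httpServerExchange, Map<String, Object> map) throws Exception;

    /**
     * Chooses the header value the primary token is parsed from.
     *
     * <p>A value that starts with the Bearer scheme (case-insensitive) is returned as is. Any
     * other non-null value, including one shorter than the scheme name, is replaced by the
     * scope-token header, so that token is then verified as the primary token.
     *
     * @param str       the {@code Authorization} header value; may be {@code null}
     * @param headerMap the request headers
     * @return {@code str} when it is null or a Bearer value, otherwise the scope-token header
     *         value, which may be {@code null}
     */
    protected String getScopeToken(String str, HeaderMap headerMap) {
        // regionMatches returns false for a value shorter than the scheme name, where
        // substring(0, 6) would throw StringIndexOutOfBoundsException.
        if (str == null || str.regionMatches(true, 0, BEARER_SCHEME, 0, BEARER_SCHEME.length())) {
            return str;
        }
        String scopeToken = headerMap.getFirst(HttpStringConstants.SCOPE_TOKEN);
        if (logger.isTraceEnabled() && scopeToken != null && scopeToken.length() > TRACE_PREFIX_LENGTH) {
            logger.trace("The replaced authorization from X-Scope-Token header = " + scopeToken.substring(0, TRACE_PREFIX_LENGTH));
        }
        return scopeToken;
    }
}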
