package com.networknt.openapi;

import com.networknt.client.oauth.TokenInfo;
import com.networknt.config.Config;
import com.networknt.exception.ClientException;
import com.networknt.handler.Handler;
import com.networknt.handler.MiddlewareHandler;
import com.networknt.handler.config.HandlerConfig;
import com.networknt.httpstring.AttachmentConstants;
import com.networknt.httpstring.HttpStringConstants;
import com.networknt.monad.Result;
import com.networknt.oas.model.Operation;
import com.networknt.oas.model.Path;
import com.networknt.oas.model.SecurityParameter;
import com.networknt.oas.model.SecurityRequirement;
import com.networknt.security.SecurityConfig;
import com.networknt.security.SwtVerifier;
import com.networknt.utility.Constants;
import com.networknt.utility.ModuleRegistry;
import com.networknt.utility.StringUtils;
import io.undertow.Handlers;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderMap;
import io.undertow.util.Headers;
import io.undertow.util.HttpString;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/openapi/SwtVerifyHandler.class */
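/**
 * Middleware that verifies a Simple Web Token (SWT) presented on the request.
 *
 * <p>The token is read from the {@code Authorization} header; when that header does
 * not start with {@code Bearer}, the {@code X-Scope-Token} header is used instead
 * (see {@link #getScopeToken}). On success the client id and issuer of the token are
 * stored in the {@link AttachmentConstants#AUDIT_INFO} attachment and, when
 * {@code enableVerifyScope} is set, the token scopes are checked against the OpenAPI
 * security requirements of the matched operation (any one required scope suffices,
 * see {@link #matchedScopes}). Requests whose path starts with one of the configured
 * {@code skipPathPrefixes} bypass verification entirely.
 *
 * <p>Configuration and the {@link SwtVerifier} are held in static fields that every
 * constructor call reassigns, so all instances share the most recently constructed
 * state; {@link #isEnabled()} dereferences {@code config} and must not be called before
 * an instance exists.
 *
 * <p>Trace-level logging writes the first {@value #TRACE_PREFIX_LENGTH} characters of
 * tokens and of the Authorization header, so trace logs carry partial credential
 * material and must be handled as such.
 */
public class SwtVerifyHandler implements MiddlewareHandler {
    static final Logger logger = LoggerFactory.getLogger(SwtVerifyHandler.class);
    static final String OPENAPI_SECURITY_CONFIG = "openapi-security";
    static final String HANDLER_CONFIG = "handler";
    // Status codes reported through setExchangeStatus (not defined in this class).
    static final String STATUS_INVALID_AUTH_TOKEN = "ERR10000";
    static final String STATUS_AUTH_TOKEN_EXPIRED = "ERR10001";
    static final String STATUS_MISSING_AUTH_TOKEN = "ERR10002";
    static final String STATUS_INVALID_SCOPE_TOKEN = "ERR10003";
    static final String STATUS_SCOPE_TOKEN_EXPIRED = "ERR10004";
    static final String STATUS_AUTH_TOKEN_SCOPE_MISMATCH = "ERR10005";
    static final String STATUS_SCOPE_TOKEN_SCOPE_MISMATCH = "ERR10006";
    static final String STATUS_INVALID_REQUEST_PATH = "ERR10007";
    static final String STATUS_METHOD_NOT_ALLOWED = "ERR10008";
    static final String STATUS_CLIENT_EXCEPTION = "ERR10082";
    /** Longest token / header prefix ever written to the trace log. */
    private static final int TRACE_PREFIX_LENGTH = 10;
    /** Authorization scheme that is accepted directly from the Authorization header. */
    private static final String BEARER = "Bearer";
    /** Shared verifier, replaced by every constructor call. */
    public static SwtVerifier swtVerifier;
    /** Shared security config, replaced by every constructor call and mutated by {@link #reload()}. */
    static SecurityConfig config;
    private volatile HttpHandler next;
    /** Base path from the handler config ("/" when no handler config is loaded). */
    String basePath;

    @Override
    public HttpHandler getNext() {
        return this.next;
    }

    @Override
    public MiddlewareHandler setNext(HttpHandler httpHandler) {
        Handlers.handlerNotNull(httpHandler);
        this.next = httpHandler;
        return this;
    }

    /** Reads {@code enableVerifySwt} from the shared config; requires a constructed instance. */
    @Override
    public boolean isEnabled() {
        return config.isEnableVerifySwt();
    }

    @Override
    public void register() {
        ModuleRegistry.registerModule(SwtVerifyHandler.class.getName(), Config.getInstance().getJsonMapConfigNoCache(OPENAPI_SECURITY_CONFIG), null);
    }

    /** Reloads the shared config in place and re-registers the module with the fresh values. */
    @Override
    public void reload() {
        config.reload(OPENAPI_SECURITY_CONFIG);
        ModuleRegistry.registerModule(SwtVerifyHandler.class.getName(), Config.getInstance().getJsonMapConfigNoCache(OPENAPI_SECURITY_CONFIG), null);
    }

    /**
     * Entry point of the middleware.
     *
     * <p>Paths matching a configured skip prefix are forwarded without any token check.
     * Otherwise {@link #handleSwt} runs and the chain continues only when it reports
     * success; on failure the status has already been set on the exchange.
     *
     * @param exchange the current request
     * @throws Exception propagated from {@link #handleSwt}
     */
    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        if (logger.isDebugEnabled()) {
            logger.debug("SwtVerifyHandler.handleRequest starts.");
        }
        String requestPath = exchange.getRequestPath();
        if (config.getSkipPathPrefixes() != null
                && config.getSkipPathPrefixes().stream().anyMatch(requestPath::startsWith)) {
            if (logger.isTraceEnabled()) {
                logger.trace("Skip request path base on skipPathPrefixes for " + requestPath);
            }
            Handler.next(exchange, this.next);
            if (logger.isDebugEnabled()) {
                logger.debug("SwtVerifyHandler.handleRequest ends.");
            }
            return;
        }
        if (handleSwt(exchange, requestPath, null)) {
            if (logger.isDebugEnabled()) {
                logger.debug("SwtVerifyHandler.handleRequest ends.");
            }
            Handler.next(exchange, this.next);
        }
    }

    /**
     * Verifies the request's SWT and populates the audit-info attachment.
     *
     * <p>Order of checks: Authorization header present and at least 6 characters after
     * trimming; token extractable (see {@link #getScopeToken}); token verified by
     * {@link SwtVerifier#verifySwt}; h2c upgrade rejected unless {@code enableH2c};
     * optional scope verification against the OpenAPI operation; optional copying of
     * token fields into request headers ({@code passThroughClaims}).
     *
     * @param exchange      the current request
     * @param reqPath       request path forwarded to the verifier
     * @param jwkServiceIds forwarded unchanged to the verifier; {@code null} when called
     *                      from {@link #handleRequest} (meaning presumed from the verifier
     *                      signature — confirm against {@link SwtVerifier#verifySwt})
     * @return {@code true} when the chain may continue; {@code false} when a status has
     *         been set on the exchange, or when this method already invoked the next
     *         handler itself (no spec and {@code skipVerifyScopeWithoutSpec})
     * @throws Exception reflective access failures from pass-through claims (for example
     *                   a configured claim that is not a {@link TokenInfo} field), and any
     *                   checked exception other than {@link ClientException} raised during
     *                   verification
     */
    public boolean handleSwt(HttpServerExchange exchange, String reqPath, List<String> jwkServiceIds) throws Exception {
        HeaderMap headers = exchange.getRequestHeaders();
        String authorization = headers.getFirst(Headers.AUTHORIZATION);
        tracePrefixed("Authorization header = ", authorization);
        if (authorization == null) {
            setExchangeStatus(exchange, STATUS_MISSING_AUTH_TOKEN);
            exchange.endExchange();
            return endsWithError();
        }
        if (authorization.trim().length() < 6) {
            setExchangeStatus(exchange, STATUS_INVALID_AUTH_TOKEN);
            exchange.endExchange();
            return endsWithError();
        }
        String swt = SwtVerifier.getTokenFromAuthorization(getScopeToken(authorization, headers));
        if (swt == null) {
            setExchangeStatus(exchange, STATUS_MISSING_AUTH_TOKEN);
            exchange.endExchange();
            return endsWithError();
        }
        // Bounded prefix: a token shorter than the prefix length no longer throws here.
        tracePrefixed("parsed swt from authorization = ", swt);
        try {
            String swtClientId = headers.getFirst(config.getSwtClientIdHeader());
            String swtClientSecret = headers.getFirst(config.getSwtClientSecretHeader());
            if (logger.isTraceEnabled()) {
                logger.trace("header swtClientId = " + swtClientId + ", header swtClientSecret = " + StringUtils.maskHalfString(swtClientSecret));
            }
            Result<TokenInfo> verified = swtVerifier.verifySwt(swt, reqPath, jwkServiceIds, swtClientId, swtClientSecret);
            if (verified.isFailure()) {
                setExchangeStatus(exchange, verified.getError());
                return endsWithError();
            }
            TokenInfo tokenInfo = verified.getResult();
            @SuppressWarnings("unchecked")
            Map<String, Object> auditInfo = (Map<String, Object>) exchange.getAttachment(AttachmentConstants.AUDIT_INFO);
            if (auditInfo == null) {
                auditInfo = new HashMap<>();
                exchange.putAttachment(AttachmentConstants.AUDIT_INFO, auditInfo);
            }
            auditInfo.put("client_id", tokenInfo.getClientId());
            auditInfo.put(Constants.ISSUER_CLAIMS, tokenInfo.getIss());
            // Cleartext HTTP/2 upgrade is refused unless explicitly enabled.
            if (!config.isEnableH2c() && swtVerifier.checkForH2CRequest(headers)) {
                setExchangeStatus(exchange, STATUS_METHOD_NOT_ALLOWED);
                return endsWithError();
            }
            String callerId = headers.getFirst(HttpStringConstants.CALLER_ID);
            if (callerId != null) {
                auditInfo.put(Constants.CALLER_ID_STRING, callerId);
            }
            if (config.isEnableVerifyScope()) {
                if (logger.isTraceEnabled()) {
                    logger.trace("verify scope from the primary token when enableVerifyScope is true");
                }
                Operation operation = getOperation(exchange, (OpenApiOperation) auditInfo.get(Constants.OPENAPI_OPERATION_STRING), auditInfo);
                if (operation == null) {
                    if (!config.isSkipVerifyScopeWithoutSpec()) {
                        // getOperation has already set the status for this case.
                        return false;
                    }
                    if (logger.isDebugEnabled()) {
                        logger.debug("SwtVerifyHandler.handleRequest ends without verifying scope due to spec.");
                    }
                    // The chain continues from here; returning false stops the caller
                    // from invoking the next handler a second time.
                    Handler.next(exchange, this.next);
                    return false;
                }
                String scopeHeader = headers.getFirst(HttpStringConstants.SCOPE_TOKEN);
                String scopeToken = SwtVerifier.getTokenFromAuthorization(scopeHeader);
                List<String> secondaryScopes = new ArrayList<>();
                if (!hasValidSecondaryScopes(exchange, scopeToken, secondaryScopes, reqPath, jwkServiceIds, auditInfo)
                        || !hasValidScope(exchange, scopeHeader, secondaryScopes, tokenInfo, operation)) {
                    return false;
                }
            }
            Map<String, String> passThroughClaims = config.getPassThroughClaims();
            if (passThroughClaims != null && !passThroughClaims.isEmpty()) {
                for (Map.Entry<String, String> entry : passThroughClaims.entrySet()) {
                    String claimName = entry.getKey();
                    String headerName = entry.getValue();
                    // The claim name comes from config, not from the request; an unknown
                    // name surfaces as NoSuchFieldException from this method.
                    Field field = tokenInfo.getClass().getDeclaredField(claimName);
                    field.setAccessible(true);
                    Object claimValue = field.get(tokenInfo);
                    if (logger.isTraceEnabled()) {
                        logger.trace("pass through header {} with value {}", headerName, claimValue);
                    }
                    // Absent claims are skipped instead of failing with a NullPointerException;
                    // put() replaces any existing value of that header.
                    if (claimValue != null) {
                        headers.put(new HttpString(headerName), claimValue.toString());
                    }
                }
            }
            if (logger.isTraceEnabled()) {
                logger.trace("complete SWT verification for request path = " + exchange.getRequestURI());
            }
            if (logger.isDebugEnabled()) {
                logger.debug("SwtVerifyHandler.handleRequest ends.");
            }
            return true;
        } catch (ClientException e) {
            logger.error("ClientException: ", e);
            setExchangeStatus(exchange, STATUS_CLIENT_EXCEPTION, e.getMessage());
            exchange.endExchange();
            return endsWithError();
        }
    }

    /**
     * Checks the token scopes against the scopes the OpenAPI operation requires.
     *
     * <p>The required scopes are taken from the first security requirement that names
     * one of the helper's {@code oauth2Names}. When a scope-token header is present the
     * secondary scopes are matched, otherwise the primary token's space-separated scope
     * claim is matched.
     *
     * @param exchange        the current request
     * @param scopeHeader     raw {@code X-Scope-Token} header value, or {@code null}
     * @param secondaryScopes scopes collected by {@link #hasValidSecondaryScopes}
     * @param tokenInfo       verified primary token
     * @param operation       matched OpenAPI operation
     * @return {@code true} when scopes match (or scope verification is disabled);
     *         {@code false} after setting a mismatch status and ending the exchange
     */
    protected boolean hasValidScope(HttpServerExchange exchange, String scopeHeader, List<String> secondaryScopes, TokenInfo tokenInfo, Operation operation) {
        if (!config.isEnableVerifyScope()) {
            return true;
        }
        List<String> specScopes = null;
        List<SecurityRequirement> requirements = operation.getSecurityRequirements();
        if (requirements != null) {
            OpenApiHelper helper = OpenApiHandler.getHelper(exchange.getRequestPath());
            for (SecurityRequirement requirement : requirements) {
                SecurityParameter parameter = null;
                for (String oauth2Name : helper.oauth2Names) {
                    parameter = requirement.getRequirement(oauth2Name);
                    if (parameter != null) {
                        break;
                    }
                }
                if (parameter != null) {
                    specScopes = parameter.getParameters();
                }
                if (specScopes != null) {
                    break;
                }
            }
        }
        if (scopeHeader != null) {
            if (logger.isTraceEnabled()) {
                logger.trace("validate the scope with scope token");
            }
            if (secondaryScopes != null && matchedScopes(secondaryScopes, specScopes)) {
                return true;
            }
            setExchangeStatus(exchange, STATUS_SCOPE_TOKEN_SCOPE_MISMATCH, secondaryScopes, specScopes);
            exchange.endExchange();
            return false;
        }
        if (logger.isTraceEnabled()) {
            logger.trace("validate the scope with primary token");
        }
        String scope = tokenInfo.getScope();
        List<String> primaryScopes = scope != null ? Arrays.asList(scope.split(" ")) : null;
        if (matchedScopes(primaryScopes, specScopes)) {
            return true;
        }
        setExchangeStatus(exchange, STATUS_AUTH_TOKEN_SCOPE_MISMATCH, primaryScopes, specScopes);
        exchange.endExchange();
        return false;
    }

    /**
     * Any-of match: succeeds when no scope is required, or when at least one required
     * scope is present in the token scopes.
     *
     * @param tokenScopes    scopes carried by the token (may be {@code null})
     * @param requiredScopes scopes demanded by the spec (may be {@code null})
     * @return {@code true} when nothing is required or one required scope is present
     */
    protected boolean matchedScopes(List<String> tokenScopes, Collection<String> requiredScopes) {
        if (requiredScopes == null || requiredScopes.isEmpty()) {
            return true;
        }
        if (tokenScopes == null || tokenScopes.isEmpty()) {
            return false;
        }
        return requiredScopes.stream().anyMatch(tokenScopes::contains);
    }

    /**
     * Verifies the optional scope token and collects its scopes.
     *
     * @param exchange        the current request
     * @param scopeToken      token extracted from {@code X-Scope-Token}; {@code null} means
     *                        there is nothing to verify and the method succeeds
     * @param secondaryScopes output list that receives the scope token's scopes
     * @param reqPath         request path forwarded to the verifier
     * @param jwkServiceIds   forwarded unchanged to the verifier
     * @param auditInfo       audit map that receives the scope token's client id
     * @return {@code true} on success; {@code false} after setting a status and ending
     *         the exchange (verification failure or any exception)
     */
    protected boolean hasValidSecondaryScopes(HttpServerExchange exchange, String scopeToken, List<String> secondaryScopes, String reqPath, List<String> jwkServiceIds, Map<String, Object> auditInfo) {
        if (scopeToken == null) {
            return true;
        }
        // Bounded prefix: a short scope token no longer throws here.
        tracePrefixed("start verifying scope token = ", scopeToken);
        try {
            HeaderMap headers = exchange.getRequestHeaders();
            String swtClientId = headers.getFirst(config.getSwtClientIdHeader());
            String swtClientSecret = headers.getFirst(config.getSwtClientSecretHeader());
            if (logger.isTraceEnabled()) {
                logger.trace("header swtClientId = " + swtClientId + ", header swtClientSecret = " + StringUtils.maskHalfString(swtClientSecret));
            }
            Result<TokenInfo> verified = swtVerifier.verifySwt(scopeToken, reqPath, jwkServiceIds, swtClientId, swtClientSecret);
            if (verified.isFailure()) {
                setExchangeStatus(exchange, verified.getError());
                exchange.endExchange();
                return false;
            }
            TokenInfo tokenInfo = verified.getResult();
            String scope = tokenInfo.getScope();
            if (scope != null) {
                secondaryScopes.addAll(Arrays.asList(scope.split(" ")));
                auditInfo.put(Constants.SCOPE_CLIENT_ID_STRING, tokenInfo.getClientId());
            }
            return true;
        } catch (Exception e) {
            logger.error("Exception", e);
            setExchangeStatus(exchange, STATUS_CLIENT_EXCEPTION, e.getMessage());
            exchange.endExchange();
            return false;
        }
    }

    /**
     * Resolves the OpenAPI operation for the request.
     *
     * <p>When an operation was already attached by an earlier handler it is returned
     * as is. Otherwise the request URI is matched against the spec; the result is
     * stored in {@code auditInfo} under {@link Constants#OPENAPI_OPERATION_STRING} and
     * {@code "endpoint"}.
     *
     * @param exchange         the current request
     * @param openApiOperation previously attached operation, or {@code null}
     * @param auditInfo        audit map that receives the resolved operation
     * @return the operation, or {@code null} when the path is unknown (status
     *         {@code ERR10007} unless {@code skipVerifyScopeWithoutSpec}) or the method
     *         is not defined for the path ({@code ERR10008}, exchange ended)
     */
    protected Operation getOperation(HttpServerExchange exchange, OpenApiOperation openApiOperation, Map<String, Object> auditInfo) {
        if (openApiOperation != null) {
            return openApiOperation.getOperation();
        }
        ApiNormalisedPath requestPath = new ApiNormalisedPath(exchange.getRequestURI(), this.basePath);
        OpenApiHelper helper = OpenApiHandler.getHelper(exchange.getRequestPath());
        Optional<NormalisedPath> matched = helper == null ? Optional.empty() : helper.findMatchingApiPath(requestPath);
        if (matched.isEmpty()) {
            if (!config.isSkipVerifyScopeWithoutSpec()) {
                setExchangeStatus(exchange, STATUS_INVALID_REQUEST_PATH);
            }
            return null;
        }
        NormalisedPath openApiPath = matched.get();
        Path path = helper.openApi3.getPath(openApiPath.original());
        String method = exchange.getRequestMethod().toString().toLowerCase();
        Operation operation = path.getOperation(method);
        if (operation == null) {
            setExchangeStatus(exchange, STATUS_METHOD_NOT_ALLOWED, method, openApiPath.normalised());
            exchange.endExchange();
            return null;
        }
        auditInfo.put(Constants.OPENAPI_OPERATION_STRING, new OpenApiOperation(openApiPath, path, method, operation));
        auditInfo.put("endpoint", openApiPath.normalised() + "@" + method);
        return operation;
    }

    /**
     * Chooses the header value the token is parsed from.
     *
     * <p>An Authorization value that starts with {@code Bearer} (case-insensitive) is
     * used directly; any other non-null value is replaced by the {@code X-Scope-Token}
     * header. A value shorter than the scheme name counts as "not Bearer".
     *
     * @param authorization raw Authorization header value, or {@code null}
     * @param headers       request headers used to read {@code X-Scope-Token}
     * @return the value to pass to {@link SwtVerifier#getTokenFromAuthorization}
     */
    protected String getScopeToken(String authorization, HeaderMap headers) {
        String token = authorization;
        if (token != null && !token.regionMatches(true, 0, BEARER, 0, BEARER.length())) {
            token = headers.getFirst(HttpStringConstants.SCOPE_TOKEN);
            tracePrefixed("The replaced authorization from X-Scope-Token header = ", token);
        }
        return token;
    }

    /**
     * Writes {@code message} followed by the first {@value #TRACE_PREFIX_LENGTH}
     * characters of {@code value} at trace level; nothing is logged when trace is
     * disabled, the value is {@code null}, or it is not longer than the prefix.
     */
    private static void tracePrefixed(String message, String value) {
        if (logger.isTraceEnabled() && value != null && value.length() > TRACE_PREFIX_LENGTH) {
            logger.trace(message + value.substring(0, TRACE_PREFIX_LENGTH));
        }
    }

    /** Logs the shared "ends with an error" debug line and returns {@code false}. */
    private static boolean endsWithError() {
        if (logger.isDebugEnabled()) {
            logger.debug("SwtVerifyHandler.handleRequest ends with an error.");
        }
        return false;
    }

    /**
     * Loads the security config, builds the shared verifier and reads the base path
     * from the handler config. Note that this replaces the static state for all
     * existing instances.
     */
    public SwtVerifyHandler() {
        config = SecurityConfig.load(OPENAPI_SECURITY_CONFIG);
        swtVerifier = new SwtVerifier(config);
        HandlerConfig handlerConfig = (HandlerConfig) Config.getInstance().getJsonObjectConfig(HANDLER_CONFIG, HandlerConfig.class);
        this.basePath = handlerConfig == null ? "/" : handlerConfig.getBasePath();
    }
}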
