package com.networknt.security;

import com.networknt.audit.AuditHandler;
import com.networknt.config.Config;
import com.networknt.exception.ExpiredTokenException;
import com.networknt.handler.Handler;
import com.networknt.handler.MiddlewareHandler;
import com.networknt.httpstring.HttpStringConstants;
import com.networknt.swagger.ApiNormalisedPath;
import com.networknt.swagger.NormalisedPath;
import com.networknt.swagger.SwaggerHelper;
import com.networknt.swagger.SwaggerOperation;
import com.networknt.utility.Constants;
import com.networknt.utility.ModuleRegistry;
import io.swagger.models.HttpMethod;
import io.swagger.models.Operation;
import io.swagger.models.Path;
import io.undertow.Handlers;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderMap;
import io.undertow.util.Headers;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/security/JwtVerifyHandler.class */
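/**
 * Middleware that authenticates a request by its bearer JWT and, when scope
 * verification is switched on, authorises it against the OAuth2 scopes the
 * Swagger specification lists for the matched operation.
 *
 * <p>Verified claims and the resolved operation are published in the audit
 * attachment ({@link AuditHandler#AUDIT_INFO}) for later handlers.
 *
 * <p>Scope verification runs only when a configuration was loaded, its
 * {@code enableVerifyScope} flag is true and a Swagger specification is
 * present. In every other case a request with a valid token is passed on
 * without any scope check.
 */
public class JwtVerifyHandler implements MiddlewareHandler {
    static final Logger logger = LoggerFactory.getLogger(JwtVerifyHandler.class);
    static final String SWAGGER_SECURITY_CONFIG = "swagger-security";
    static final String ENABLE_VERIFY_SCOPE = "enableVerifyScope";
    static final String STATUS_INVALID_AUTH_TOKEN = "ERR10000";
    static final String STATUS_AUTH_TOKEN_EXPIRED = "ERR10001";
    static final String STATUS_MISSING_AUTH_TOKEN = "ERR10002";
    static final String STATUS_INVALID_SCOPE_TOKEN = "ERR10003";
    static final String STATUS_SCOPE_TOKEN_EXPIRED = "ERR10004";
    static final String STATUS_AUTH_TOKEN_SCOPE_MISMATCH = "ERR10005";
    static final String STATUS_SCOPE_TOKEN_SCOPE_MISMATCH = "ERR10006";
    static final String STATUS_INVALID_REQUEST_PATH = "ERR10007";
    static final String STATUS_METHOD_NOT_ALLOWED = "ERR10008";

    // Loaded once by the static initializer at the bottom of the class; stays null
    // when neither configuration file is found.
    static Map<String, Object> config;

    private volatile HttpHandler next;

    /**
     * Verifies the bearer token of the request and, if enabled, its scopes, then
     * hands the exchange to the next handler.
     *
     * <p>Every rejection is reported through {@code setExchangeStatus} with one of
     * the {@code STATUS_*} codes and ends the chain for this request.
     *
     * @param exchange the current request/response exchange
     * @throws Exception anything thrown by the downstream handler chain that is
     *     not one of the token exceptions caught below
     */
    @Override
    @SuppressWarnings("unchecked")
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        HeaderMap headers = exchange.getRequestHeaders();
        String authToken = JwtHelper.getJwtFromAuthorization(headers.getFirst(Headers.AUTHORIZATION));
        if (authToken == null) {
            setExchangeStatus(exchange, STATUS_MISSING_AUTH_TOKEN, new Object[0]);
            return;
        }
        try {
            JwtClaims authClaims = JwtHelper.verifyJwt(authToken, false);

            Map<String, Object> auditInfo = (Map<String, Object>) exchange.getAttachment(AuditHandler.AUDIT_INFO);
            if (auditInfo == null) {
                auditInfo = new HashMap<>();
                exchange.putAttachment(AuditHandler.AUDIT_INFO, auditInfo);
            }
            auditInfo.put("client_id", authClaims.getStringClaimValue("client_id"));
            auditInfo.put(Constants.USER_ID_STRING, authClaims.getStringClaimValue(Constants.USER_ID_STRING));
            auditInfo.put(Constants.SUBJECT_CLAIMS, authClaims);

            // A missing enableVerifyScope key makes the unboxing below throw, so the
            // request fails instead of silently skipping the scope check. A null config
            // or an absent specification does skip it.
            if (config != null && ((Boolean) config.get(ENABLE_VERIFY_SCOPE)).booleanValue() && SwaggerHelper.swagger != null) {
                Operation operation;
                SwaggerOperation cachedOperation = (SwaggerOperation) auditInfo.get(Constants.SWAGGER_OPERATION_STRING);
                if (cachedOperation != null) {
                    operation = cachedOperation.getOperation();
                } else {
                    Optional<NormalisedPath> matchedPath =
                            SwaggerHelper.findMatchingApiPath(new ApiNormalisedPath(exchange.getRequestURI()));
                    if (!matchedPath.isPresent()) {
                        setExchangeStatus(exchange, STATUS_INVALID_REQUEST_PATH, new Object[0]);
                        return;
                    }
                    NormalisedPath requestPath = matchedPath.get();
                    Path swaggerPath = SwaggerHelper.swagger.getPath(requestPath.original());

                    // The method string comes from the client. Enum.valueOf throws for any
                    // name that is not an HttpMethod constant; report that as a disallowed
                    // method rather than letting the exception escape the handler.
                    HttpMethod httpMethod;
                    try {
                        httpMethod = HttpMethod.valueOf(exchange.getRequestMethod().toString());
                    } catch (IllegalArgumentException e) {
                        setExchangeStatus(exchange, STATUS_METHOD_NOT_ALLOWED, new Object[0]);
                        return;
                    }
                    operation = swaggerPath.getOperationMap().get(httpMethod);
                    if (operation == null) {
                        setExchangeStatus(exchange, STATUS_METHOD_NOT_ALLOWED, new Object[0]);
                        return;
                    }
                    auditInfo.put(Constants.SWAGGER_OPERATION_STRING,
                            new SwaggerOperation(requestPath, swaggerPath, httpMethod, operation));
                    auditInfo.put(Constants.ENDPOINT_STRING, requestPath.normalised() + "@" + httpMethod);
                }

                // Optional second token carried in the scope-token header. When that
                // header is present, its scopes are the ones checked, not the
                // authorization token's.
                String scopeHeader = headers.getFirst(HttpStringConstants.SCOPE_TOKEN);
                String scopeToken = JwtHelper.getJwtFromAuthorization(scopeHeader);
                List<String> scopeTokenScopes = null;
                if (scopeToken != null) {
                    try {
                        JwtClaims scopeClaims = JwtHelper.verifyJwt(scopeToken, false);
                        scopeTokenScopes = scopeClaims.getStringListClaimValue("scope");
                        auditInfo.put(Constants.SCOPE_CLIENT_ID_STRING, scopeClaims.getStringClaimValue("client_id"));
                        auditInfo.put(Constants.ACCESS_CLAIMS, scopeClaims);
                    } catch (ExpiredTokenException e) {
                        logger.error("ExpiredTokenException", e);
                        setExchangeStatus(exchange, STATUS_SCOPE_TOKEN_EXPIRED, new Object[0]);
                        return;
                    } catch (MalformedClaimException | InvalidJwtException e) {
                        logger.error("InvalidJwtException", e);
                        setExchangeStatus(exchange, STATUS_INVALID_SCOPE_TOKEN, new Object[0]);
                        return;
                    }
                }

                List<String> specScopes = requiredScopes(operation);

                if (scopeHeader == null) {
                    try {
                        List<String> authTokenScopes = authClaims.getStringListClaimValue("scope");
                        if (!matchedScopes(authTokenScopes, specScopes)) {
                            // NOTE(review): both scope lists are handed to the status as
                            // arguments; confirm whether they are echoed to the client.
                            setExchangeStatus(exchange, STATUS_AUTH_TOKEN_SCOPE_MISMATCH, authTokenScopes, specScopes);
                            return;
                        }
                    } catch (MalformedClaimException e) {
                        logger.error("MalformedClaimException", e);
                        setExchangeStatus(exchange, STATUS_INVALID_AUTH_TOKEN, new Object[0]);
                        return;
                    }
                } else if (scopeTokenScopes == null || !matchedScopes(scopeTokenScopes, specScopes)) {
                    // Also reached when the header is present but no token could be
                    // extracted from it: scopeTokenScopes is then still null.
                    setExchangeStatus(exchange, STATUS_SCOPE_TOKEN_SCOPE_MISMATCH, scopeTokenScopes, specScopes);
                    return;
                }
            }
            // The downstream chain runs inside this try, so token exceptions thrown
            // further down are mapped by the catch clauses below as well.
            Handler.next(exchange, this.next);
        } catch (ExpiredTokenException e) {
            logger.error("ExpiredTokenException", e);
            setExchangeStatus(exchange, STATUS_AUTH_TOKEN_EXPIRED, new Object[0]);
        } catch (MalformedClaimException | InvalidJwtException e) {
            // MalformedClaimException is not an InvalidJwtException. Without this
            // clause, a verified token whose client_id or user id claim is not a
            // string escaped as an unhandled exception instead of an invalid-token
            // response.
            logger.error("InvalidJwtException:", e);
            setExchangeStatus(exchange, STATUS_INVALID_AUTH_TOKEN, new Object[0]);
        }
    }

    /**
     * Returns the scopes of the first security requirement of the operation that
     * is keyed by {@code SwaggerHelper.oauth2Name}.
     *
     * @param operation the matched Swagger operation
     * @return the scope list, or {@code null} when the operation declares no such
     *     requirement
     */
    private static List<String> requiredScopes(Operation operation) {
        List<Map<String, List<String>>> requirements = operation.getSecurity();
        if (requirements == null) {
            return null;
        }
        for (Map<String, List<String>> requirement : requirements) {
            List<String> scopes = requirement.get(SwaggerHelper.oauth2Name);
            if (scopes != null) {
                return scopes;
            }
        }
        return null;
    }

    /**
     * Decides whether a token's scopes satisfy the scopes of an operation.
     *
     * <p>An operation with no scopes ({@code null} or empty list) accepts every
     * token. Otherwise the token passes as soon as it holds one of the listed
     * scopes.
     *
     * <p>NOTE(review): one overlapping scope is enough. Confirm that this any-of
     * rule is the intended policy for operations that list several scopes.
     *
     * @param jwtScopes scopes carried by the token, may be {@code null}
     * @param specScopes scopes listed for the operation, may be {@code null}
     * @return {@code true} when the request may proceed
     */
    protected boolean matchedScopes(List<String> jwtScopes, List<String> specScopes) {
        if (specScopes == null || specScopes.isEmpty()) {
            return true;
        }
        if (jwtScopes == null || jwtScopes.isEmpty()) {
            return false;
        }
        for (String required : specScopes) {
            if (jwtScopes.contains(required)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the handler that follows this one in the chain. */
    @Override
    public HttpHandler getNext() {
        return this.next;
    }

    /**
     * Sets the handler that follows this one.
     *
     * @param httpHandler the next handler, checked by {@code Handlers.handlerNotNull}
     * @return this handler
     */
    @Override
    public MiddlewareHandler setNext(HttpHandler httpHandler) {
        Handlers.handlerNotNull(httpHandler);
        this.next = httpHandler;
        return this;
    }

    /**
     * Reports whether JWT verification is switched on in the configuration.
     *
     * <p>A missing flag counts as disabled. A missing configuration is not
     * tolerated: {@code config} is dereferenced unguarded, so this throws rather
     * than reporting the handler as disabled.
     *
     * @return {@code true} when the {@code JwtHelper.ENABLE_VERIFY_JWT} flag is set to true
     */
    @Override
    public boolean isEnabled() {
        Object flag = config.get(JwtHelper.ENABLE_VERIFY_JWT);
        return flag != null && ((Boolean) flag).booleanValue();
    }

    /** Registers this module and its configuration with the module registry. */
    @Override
    public void register() {
        ModuleRegistry.registerModule(JwtVerifyHandler.class.getName(), config, null);
    }

    static {
        // Prefer the Swagger-specific security configuration and fall back to the
        // general one when it is absent.
        config = Config.getInstance().getJsonMapConfig(SWAGGER_SECURITY_CONFIG);
        if (config == null) {
            config = Config.getInstance().getJsonMapConfig(JwtHelper.SECURITY_CONFIG);
        }
    }
}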
