package com.networknt.openapi;

import com.networknt.config.Config;
import com.networknt.exception.ExpiredTokenException;
import com.networknt.handler.Handler;
import com.networknt.handler.MiddlewareHandler;
import com.networknt.handler.config.HandlerConfig;
import com.networknt.httpstring.AttachmentConstants;
import com.networknt.httpstring.HttpStringConstants;
import com.networknt.oas.model.Operation;
import com.networknt.oas.model.Path;
import com.networknt.oas.model.SecurityParameter;
import com.networknt.oas.model.SecurityRequirement;
import com.networknt.security.IJwtVerifyHandler;
import com.networknt.security.JwtVerifier;
import com.networknt.utility.Constants;
import com.networknt.utility.ModuleRegistry;
import io.undertow.Handlers;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderMap;
import io.undertow.util.Headers;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/openapi/JwtVerifyHandler.class */
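/**
 * Middleware handler that verifies the JWT carried in the {@code Authorization} header and,
 * when enabled by configuration, checks the caller's scopes against the OpenAPI security
 * requirements of the matched operation.
 *
 * <p>Verified claims are recorded in the exchange's {@link AttachmentConstants#AUDIT_INFO}
 * map: client id, user id, the subject claims, the optional caller id header and, when a
 * scope token is present, its client id and claims. Any failed check short-circuits the
 * chain by setting an error status ({@code ERR10000}..{@code ERR10008}) and returning
 * without calling the next handler.
 *
 * <p>Configuration is read from {@code openapi-security}, falling back to
 * {@link JwtVerifier#SECURITY_CONFIG}. Scope matching is permissive: a single scope shared
 * between the token and the operation's requirement is sufficient (see
 * {@link #matchedScopes(List, Collection)}).
 *
 * <p>Thread-safety: {@code config} and {@code jwtVerifier} are static and replaced on
 * {@link #reload()} / construction without synchronization; requests in flight may observe
 * either the old or the new instance.
 */
public class JwtVerifyHandler implements MiddlewareHandler, IJwtVerifyHandler {
    static final Logger logger = LoggerFactory.getLogger((Class<?>) JwtVerifyHandler.class);
    static final String OPENAPI_YML_CONFIG = "openapi.yml";
    static final String OPENAPI_YAML_CONFIG = "openapi.yaml";
    static final String OPENAPI_JSON_CONFIG = "openapi.json";
    static final String HANDLER_CONFIG = "handler";
    static final String OPENAPI_SECURITY_CONFIG = "openapi-security";
    static final String ENABLE_VERIFY_SCOPE = "enableVerifyScope";
    static final String ENABLE_VERIFY_JWT_SCOPE_TOKEN = "enableExtractScopeToken";
    static final String IGNORE_JWT_EXPIRY = "ignoreJwtExpiry";
    static final String STATUS_INVALID_AUTH_TOKEN = "ERR10000";
    static final String STATUS_AUTH_TOKEN_EXPIRED = "ERR10001";
    static final String STATUS_MISSING_AUTH_TOKEN = "ERR10002";
    static final String STATUS_INVALID_SCOPE_TOKEN = "ERR10003";
    static final String STATUS_SCOPE_TOKEN_EXPIRED = "ERR10004";
    static final String STATUS_AUTH_TOKEN_SCOPE_MISMATCH = "ERR10005";
    static final String STATUS_SCOPE_TOKEN_SCOPE_MISMATCH = "ERR10006";
    static final String STATUS_INVALID_REQUEST_PATH = "ERR10007";
    static final String STATUS_METHOD_NOT_ALLOWED = "ERR10008";
    // Security config map; loaded in the static initializer and replaced by reload().
    static Map<String, Object> config;
    // Base path from the handler config, used to normalise the request URI for spec lookup.
    String basePath;
    // Public and mutable: anything in the process can swap the verifier. Kept for compatibility
    // with existing callers; treat writes from outside this class as a configuration hazard.
    public static JwtVerifier jwtVerifier;
    private volatile HttpHandler next;

    static {
        config = loadConfig();
    }

    /**
     * Creates the handler, initialising the shared OpenAPI model from the first of
     * {@code openapi.yml}, {@code openapi.yaml}, {@code openapi.json} that can be read, and a
     * {@link JwtVerifier} from the current security config.
     */
    public JwtVerifyHandler() {
        if (OpenApiHelper.getInstance() == null) {
            String spec = Config.getInstance().getStringFromFile(OPENAPI_YML_CONFIG);
            if (spec == null) {
                spec = Config.getInstance().getStringFromFile(OPENAPI_YAML_CONFIG);
            }
            if (spec == null) {
                spec = Config.getInstance().getStringFromFile(OPENAPI_JSON_CONFIG);
            }
            OpenApiHelper.init(spec);
        }
        jwtVerifier = new JwtVerifier(config);
        HandlerConfig handlerConfig =
                (HandlerConfig) Config.getInstance().getJsonObjectConfig(HANDLER_CONFIG, HandlerConfig.class);
        this.basePath = handlerConfig == null ? null : handlerConfig.getBasePath();
    }

    /**
     * Verifies the bearer token, records audit information and, when scope verification is
     * enabled, enforces the matched operation's scopes before delegating to the next handler.
     *
     * @param exchange the current exchange
     * @throws Exception propagated from the next handler
     */
    @Override // io.undertow.server.HttpHandler
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        HeaderMap requestHeaders = exchange.getRequestHeaders();
        String jwt = JwtVerifier.getJwtFromAuthorization(requestHeaders.getFirst(Headers.AUTHORIZATION));
        // Absent key means expiry IS checked (the safe default).
        boolean ignoreExpiry = config.get(IGNORE_JWT_EXPIRY) != null && (Boolean) config.get(IGNORE_JWT_EXPIRY);
        if (jwt == null) {
            setExchangeStatus(exchange, STATUS_MISSING_AUTH_TOKEN);
            return;
        }
        try {
            JwtClaims claims = jwtVerifier.verifyJwt(jwt, ignoreExpiry, true);
            Map<String, Object> auditInfo = auditInfo(exchange);
            recordAuthClaims(auditInfo, claims, requestHeaders);
            if (requireBoolean(ENABLE_VERIFY_JWT_SCOPE_TOKEN) && OpenApiHelper.openApi3 != null) {
                Operation operation = resolveOperation(exchange, auditInfo);
                if (operation == null) {
                    return; // status already set
                }
                String scopeHeader = requestHeaders.getFirst(HttpStringConstants.SCOPE_TOKEN);
                String scopeJwt = JwtVerifier.getJwtFromAuthorization(scopeHeader);
                List<String> scopeTokenScopes = null;
                if (scopeJwt != null) {
                    try {
                        JwtClaims scopeClaims = jwtVerifier.verifyJwt(scopeJwt, ignoreExpiry, true);
                        scopeTokenScopes = extractScopes(scopeClaims);
                        auditInfo.put(Constants.SCOPE_CLIENT_ID_STRING, scopeClaims.getStringClaimValue("client_id"));
                        auditInfo.put(Constants.ACCESS_CLAIMS, scopeClaims);
                    } catch (ExpiredTokenException e) {
                        logger.error("ExpiredTokenException", e);
                        setExchangeStatus(exchange, STATUS_SCOPE_TOKEN_EXPIRED);
                        return;
                    } catch (MalformedClaimException | InvalidJwtException e) {
                        logger.error("InvalidJwtException", e);
                        setExchangeStatus(exchange, STATUS_INVALID_SCOPE_TOKEN);
                        return;
                    }
                }
                if (requireBoolean(ENABLE_VERIFY_SCOPE)) {
                    List<String> requiredScopes = requiredScopes(operation);
                    // The raw header decides which token is checked: a scope-token header that
                    // yields no JWT is a mismatch, not a fallback to the auth token.
                    if (scopeHeader == null) {
                        List<String> tokenScopes;
                        try {
                            tokenScopes = extractScopes(claims);
                        } catch (MalformedClaimException e) {
                            logger.error("MalformedClaimException", e);
                            setExchangeStatus(exchange, STATUS_INVALID_AUTH_TOKEN);
                            return;
                        }
                        if (!matchedScopes(tokenScopes, requiredScopes)) {
                            setExchangeStatus(exchange, STATUS_AUTH_TOKEN_SCOPE_MISMATCH, tokenScopes, requiredScopes);
                            return;
                        }
                    } else if (scopeTokenScopes == null || !matchedScopes(scopeTokenScopes, requiredScopes)) {
                        setExchangeStatus(exchange, STATUS_SCOPE_TOKEN_SCOPE_MISMATCH, scopeTokenScopes, requiredScopes);
                        return;
                    }
                }
            }
            Handler.next(exchange, this.next);
        } catch (ExpiredTokenException e) {
            logger.error("ExpiredTokenException", e);
            setExchangeStatus(exchange, STATUS_AUTH_TOKEN_EXPIRED);
        } catch (InvalidJwtException e) {
            logger.error("InvalidJwtException: ", e);
            setExchangeStatus(exchange, STATUS_INVALID_AUTH_TOKEN);
        } catch (MalformedClaimException e) {
            // A structurally valid token whose claims have the wrong type (e.g. a non-string
            // client_id) is an invalid token, not an internal error.
            logger.error("MalformedClaimException", e);
            setExchangeStatus(exchange, STATUS_INVALID_AUTH_TOKEN);
        }
    }

    /**
     * Reads a mandatory boolean from {@code config}.
     *
     * @throws IllegalStateException if the key is absent, so that a misconfigured security
     *     handler fails closed with a named key instead of an opaque NPE
     */
    private static boolean requireBoolean(String key) {
        Object value = config.get(key);
        if (value == null) {
            throw new IllegalStateException(
                    "Missing boolean '" + key + "' in " + OPENAPI_SECURITY_CONFIG + " config");
        }
        return (Boolean) value;
    }

    /** Returns the exchange's audit-info map, creating and attaching it if absent. */
    @SuppressWarnings("unchecked")
    private static Map<String, Object> auditInfo(HttpServerExchange exchange) {
        Map<String, Object> auditInfo = (Map<String, Object>) exchange.getAttachment(AttachmentConstants.AUDIT_INFO);
        if (auditInfo == null) {
            auditInfo = new HashMap<>();
            exchange.putAttachment(AttachmentConstants.AUDIT_INFO, auditInfo);
        }
        return auditInfo;
    }

    /**
     * Copies the identifying claims of the verified auth token into the audit map, falling back
     * from {@code client_id} to {@link Constants#CID_STRING} and from
     * {@link Constants#USER_ID_STRING} to {@link Constants#UID_STRING}.
     */
    private static void recordAuthClaims(Map<String, Object> auditInfo, JwtClaims claims, HeaderMap requestHeaders)
            throws MalformedClaimException {
        String clientId = claims.getStringClaimValue("client_id");
        if (clientId == null) {
            clientId = claims.getStringClaimValue(Constants.CID_STRING);
        }
        auditInfo.put("client_id", clientId);
        String userId = claims.getStringClaimValue(Constants.USER_ID_STRING);
        if (userId == null) {
            userId = claims.getStringClaimValue(Constants.UID_STRING);
        }
        auditInfo.put(Constants.USER_ID_STRING, userId);
        auditInfo.put(Constants.SUBJECT_CLAIMS, claims);
        String callerId = requestHeaders.getFirst(HttpStringConstants.CALLER_ID);
        if (callerId != null) {
            auditInfo.put(Constants.CALLER_ID_STRING, callerId);
        }
    }

    /**
     * Finds the OpenAPI operation for the request, reusing the one cached in the audit map if an
     * earlier handler already resolved it; otherwise caches it and the endpoint string.
     *
     * @return the operation, or {@code null} after an error status has been set
     */
    private Operation resolveOperation(HttpServerExchange exchange, Map<String, Object> auditInfo) {
        OpenApiOperation cached = (OpenApiOperation) auditInfo.get(Constants.OPENAPI_OPERATION_STRING);
        if (cached != null) {
            return cached.getOperation();
        }
        Optional<NormalisedPath> match = OpenApiHelper.getInstance()
                .findMatchingApiPath(new ApiNormalisedPath(exchange.getRequestURI(), this.basePath));
        if (!match.isPresent()) {
            setExchangeStatus(exchange, STATUS_INVALID_REQUEST_PATH);
            return null;
        }
        NormalisedPath requestPath = match.get();
        Path path = OpenApiHelper.openApi3.getPath(requestPath.original());
        // Locale.ROOT: under a Turkish default locale "OPTIONS" would not lower-case to "options".
        String method = exchange.getRequestMethod().toString().toLowerCase(Locale.ROOT);
        Operation operation = path.getOperation(method);
        if (operation == null) {
            setExchangeStatus(exchange, STATUS_METHOD_NOT_ALLOWED, method, requestPath.normalised());
            return null;
        }
        auditInfo.put(Constants.OPENAPI_OPERATION_STRING, new OpenApiOperation(requestPath, path, method, operation));
        auditInfo.put(Constants.ENDPOINT_STRING, requestPath.normalised() + "@" + method);
        return operation;
    }

    /**
     * Reads the token's scopes from the {@code scope} claim, falling back to
     * {@link Constants#SCP_STRING} when {@code scope} is absent or empty. A string claim is split
     * on single spaces; a list claim is used as is.
     *
     * @return the scopes, or {@code null} if neither claim is a string or list
     */
    private static List<String> extractScopes(JwtClaims claims) throws MalformedClaimException {
        List<String> scopes = scopeClaim(claims, "scope");
        if (scopes == null || scopes.isEmpty()) {
            scopes = scopeClaim(claims, Constants.SCP_STRING);
        }
        return scopes;
    }

    /** Reads one scope-bearing claim as a list; {@code null} when it is neither string nor list. */
    private static List<String> scopeClaim(JwtClaims claims, String name) throws MalformedClaimException {
        Object value = claims.getClaimValue(name);
        if (value instanceof String) {
            return Arrays.asList(claims.getStringClaimValue(name).split(" "));
        }
        if (value instanceof List) {
            return claims.getStringListClaimValue(name);
        }
        return null;
    }

    /**
     * Returns the scopes of the first OAuth2 security requirement of the operation that declares
     * any, or {@code null} when the operation has none.
     */
    private static List<String> requiredScopes(Operation operation) {
        List<SecurityRequirement> requirements = operation.getSecurityRequirements();
        if (requirements == null) {
            return null;
        }
        for (SecurityRequirement requirement : requirements) {
            for (String schemeName : OpenApiHelper.oauth2Names) {
                SecurityParameter parameter = requirement.getRequirement(schemeName);
                if (parameter != null) {
                    List<String> scopes = parameter.getParameters();
                    if (scopes != null) {
                        return scopes;
                    }
                    break; // only the first matching scheme of a requirement is consulted
                }
            }
        }
        return null;
    }

    /**
     * Decides whether the token's scopes satisfy the operation's required scopes.
     *
     * <p>Semantics are "any": an operation without required scopes always passes, and otherwise
     * one scope shared between the two lists is enough. Subclasses that need "all" semantics
     * must override this method.
     *
     * @param tokenScopes scopes carried by the token; {@code null} or empty never matches a
     *     non-empty requirement
     * @param requiredScopes scopes required by the operation; {@code null} or empty means no
     *     requirement
     * @return {@code true} if the request is authorised by scope
     */
    protected boolean matchedScopes(List<String> tokenScopes, Collection<String> requiredScopes) {
        if (requiredScopes == null || requiredScopes.isEmpty()) {
            return true;
        }
        if (tokenScopes == null || tokenScopes.isEmpty()) {
            return false;
        }
        return requiredScopes.stream().anyMatch(tokenScopes::contains);
    }

    @Override // com.networknt.handler.MiddlewareHandler
    public HttpHandler getNext() {
        return this.next;
    }

    @Override // com.networknt.handler.MiddlewareHandler
    public MiddlewareHandler setNext(HttpHandler httpHandler) {
        Handlers.handlerNotNull(httpHandler);
        this.next = httpHandler;
        return this;
    }

    /** Enabled when {@link JwtVerifier#ENABLE_VERIFY_JWT} is present and parses as {@code true}. */
    @Override // com.networknt.handler.MiddlewareHandler
    public boolean isEnabled() {
        Object enabled = config.get(JwtVerifier.ENABLE_VERIFY_JWT);
        return enabled != null && Boolean.parseBoolean(enabled.toString());
    }

    @Override // com.networknt.handler.MiddlewareHandler
    public void register() {
        ModuleRegistry.registerModule(JwtVerifyHandler.class.getName(), config, null);
        ModuleRegistry.registerModule(JwtVerifyHandler.class.getName(),
                Config.getInstance().getJsonMapConfigNoCache(OPENAPI_SECURITY_CONFIG), null);
    }

    /** Re-reads the security config; the static {@link #jwtVerifier} is not rebuilt here. */
    @Override // com.networknt.handler.MiddlewareHandler
    public void reload() {
        config = loadConfig();
    }

    @Override // com.networknt.security.IJwtVerifyHandler
    public JwtVerifier getJwtVerifier() {
        return jwtVerifier;
    }

    /** Loads {@code openapi-security}, falling back to {@link JwtVerifier#SECURITY_CONFIG}. */
    private static Map<String, Object> loadConfig() {
        Map<String, Object> loaded = Config.getInstance().getJsonMapConfig(OPENAPI_SECURITY_CONFIG);
        return loaded != null ? loaded : Config.getInstance().getJsonMapConfig(JwtVerifier.SECURITY_CONFIG);
    }
}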
