package com.networknt.auth;

import com.networknt.client.oauth.AuthorizationCodeRequest;
import com.networknt.client.oauth.OauthHelper;
import com.networknt.client.oauth.RefreshTokenRequest;
import com.networknt.client.oauth.TokenResponse;
import com.networknt.config.Config;
import com.networknt.config.JsonMapper;
import com.networknt.handler.Handler;
import com.networknt.handler.MiddlewareHandler;
import com.networknt.httpstring.HttpStringConstants;
import com.networknt.monad.Result;
import com.networknt.security.JwtVerifier;
import com.networknt.security.SecurityConfig;
import com.networknt.status.Status;
import com.networknt.utility.Constants;
import com.networknt.utility.ModuleRegistry;
import com.networknt.utility.Util;
import io.undertow.Handlers;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.Cookie;
import io.undertow.server.handlers.CookieImpl;
import io.undertow.server.handlers.CookieSameSiteMode;
import io.undertow.util.Headers;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Deque;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/auth/StatelessAuthHandler.class */
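/**
 * Middleware that lets a browser client authenticate against an OAuth 2.0 authorization server
 * without holding the JWT in JavaScript-accessible storage.
 *
 * <p>Three request paths are handled:
 * <ul>
 *   <li>{@code config.authPath}: the authorization-code callback. The {@code code} query parameter is
 *       exchanged for tokens and the result is written to cookies (see {@link #setCookies}).</li>
 *   <li>{@code config.logoutPath}: every cookie written by this handler is expired.</li>
 *   <li>anything else: the {@code accessToken} cookie is verified, its {@code csrf} claim is compared
 *       against the CSRF request header (double-submit pattern), the token is transparently renewed
 *       from the {@code refreshToken} cookie when it is about to expire, and the resulting JWT is
 *       placed in the {@code Authorization: Bearer} header for the downstream handlers.</li>
 * </ul>
 *
 * <p>Security notes a reviewer should be aware of:
 * <ul>
 *   <li>The CSRF header is only enforced when an {@code accessToken} cookie is present. When only a
 *       {@code refreshToken} cookie is sent, the request is renewed and forwarded without any CSRF
 *       check (see {@link #handleRequest}). NOTE(review): this looks like a gap in the double-submit
 *       defence for refresh-only requests — confirm whether that is intended.</li>
 *   <li>No OAuth 2.0 {@code state} parameter is validated on the callback; whether the client side
 *       does so cannot be determined from this file.</li>
 *   <li>All cookies are written with {@code SameSite=None}, which modern browsers only honour when
 *       {@code Secure} is also set, i.e. when {@code config.cookieSecure} is true.</li>
 * </ul>
 */
public class StatelessAuthHandler implements MiddlewareHandler {
    private static final String CODE = "code";
    private static final String AUTHORIZATION_CODE_MISSING = "ERR10035";
    private static final String JWT_NOT_FOUND_IN_COOKIES = "ERR10040";
    private static final String INVALID_AUTH_TOKEN = "ERR10000";
    private static final String CSRF_HEADER_MISSING = "ERR10036";
    private static final String CSRF_TOKEN_MISSING_IN_JWT = "ERR10038";
    private static final String HEADER_CSRF_JWT_CSRF_NOT_MATCH = "ERR10039";
    private static final String REFRESH_TOKEN_RESPONSE_EMPTY = "ERR10037";
    private static final String OPENAPI_SECURITY_CONFIG = "openapi-security";
    private static final String SWAGGER_SECURITY_CONFIG = "swagger-security";
    private static final String GRAPHQL_SECURITY_CONFIG = "graphql-security";
    private static final String HYBRID_SECURITY_CONFIG = "hybrid-security";
    private static final String ACCESS_TOKEN = "accessToken";
    private static final String REFRESH_TOKEN = "refreshToken";
    private static final String USER_TYPE = "userType";
    private static final String USER_ID = "userId";
    protected static final String SCOPES = "scopes";
    private static final String SCOPE = "scope";
    /** Name of both the CSRF cookie written on login and the CSRF claim expected inside the access token. */
    private static final String CSRF = "csrf";
    /** Renew the access token when fewer than this many milliseconds remain before its {@code exp}. */
    private static final long RENEW_BEFORE_EXPIRY_MILLIS = 90000L;
    /** Lifetime in seconds of the refresh-token cookie when the token response says remember != "N" (90 days). */
    private static final int REMEMBER_ME_MAX_AGE_SECONDS = 7776000;
    static SecurityConfig securityConfig;
    static JwtVerifier jwtVerifier;
    private volatile HttpHandler next;
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) StatelessAuthHandler.class);
    public static StatelessAuthConfig config = (StatelessAuthConfig) Config.getInstance().getJsonObjectConfig(StatelessAuthConfig.CONFIG_NAME, StatelessAuthConfig.class);

    public StatelessAuthHandler() {
        logger.info("StatelessAuthHandler is constructed.");
    }

    /**
     * Dispatches on the request path: auth callback, logout, or a normal request that must carry a
     * valid {@code accessToken} (or {@code refreshToken}) cookie.
     *
     * <p>On a normal request the verified (or freshly renewed) JWT is copied into the
     * {@code Authorization} header before the chain continues. If any step has already written a
     * response (CSRF failure, invalid token, failed refresh) the chain is not continued.
     *
     * @param exchange the current Undertow exchange
     * @throws Exception propagated from the token service client or from claim access
     */
    @Override // io.undertow.server.HttpHandler
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        String path = exchange.getRelativePath();
        if (logger.isDebugEnabled()) {
            logger.debug("exchange path = {} config path = {}", path, config.getAuthPath());
        }
        if (path.equals(config.getAuthPath())) {
            handleAuthCallback(exchange);
            return;
        }
        if (path.equals(config.getLogoutPath())) {
            removeCookies(exchange);
            exchange.endExchange();
            return;
        }

        String jwt;
        Cookie accessCookie = exchange.getRequestCookie(ACCESS_TOKEN);
        if (accessCookie != null) {
            jwt = accessCookie.getValue();
            JwtClaims claims;
            try {
                // Second argument presumably ignores expiry so that an expired-but-valid token can
                // still be renewed below; the expiry itself is checked by expiresSoon().
                claims = jwtVerifier.verifyJwt(jwt, true, true);
            } catch (InvalidJwtException e) {
                // Previously this escaped as an unchecked failure; answer with the same status
                // setCookies() uses for a bad token instead of a generic server error.
                logger.error("Access token cookie failed verification", e);
                setExchangeStatus(exchange, INVALID_AUTH_TOKEN);
                return;
            }
            if (!csrfMatches(exchange, claims)) {
                return; // csrfMatches already wrote the error response
            }
            if (expiresSoon(claims)) {
                jwt = renewToken(exchange, exchange.getRequestCookie(REFRESH_TOKEN));
            }
        } else {
            // NOTE(review): refresh-only requests skip the CSRF header check entirely — confirm intended.
            jwt = renewToken(exchange, exchange.getRequestCookie(REFRESH_TOKEN));
        }

        if (logger.isDebugEnabled()) {
            // Never log the token itself; it is a bearer credential.
            logger.debug("jwt resolved from cookies = {}", jwt != null);
        }
        if (jwt != null) {
            exchange.getRequestHeaders().put(Headers.AUTHORIZATION, "Bearer " + jwt);
        }
        if (exchange.isComplete()) {
            return; // a response (error or cookie removal) was already sent
        }
        Handler.next(exchange, this.next);
    }

    /**
     * Handles the authorization-code callback: exchanges the {@code code} query parameter for tokens,
     * writes them as cookies and either ends the exchange with 200 or returns a small JSON body with
     * the granted scopes and the configured redirect/deny URIs.
     *
     * @param exchange the current Undertow exchange
     * @throws Exception propagated from the token service client
     */
    private void handleAuthCallback(HttpServerExchange exchange) throws Exception {
        Deque<String> codeParams = exchange.getQueryParameters().get(CODE);
        // peekFirst() rather than getFirst(): an empty deque yields null instead of throwing.
        String code = codeParams == null ? null : codeParams.peekFirst();
        if (logger.isDebugEnabled()) {
            // The code is a one-time credential; log only whether it was supplied.
            logger.debug("authorization code present = {}", code != null);
        }
        if (code == null || code.trim().isEmpty()) {
            setExchangeStatus(exchange, AUTHORIZATION_CODE_MISSING);
            return;
        }
        // NOTE(review): no OAuth `state` parameter is checked here — confirm the client validates it.
        // Util.getUUID() is assumed to be unpredictable enough for a CSRF token — TODO confirm.
        String csrf = Util.getUUID();
        AuthorizationCodeRequest request = new AuthorizationCodeRequest();
        request.setAuthCode(code);
        request.setCsrf(csrf);
        Result<TokenResponse> tokenResult = OauthHelper.getTokenResult(request);
        if (tokenResult.isFailure()) {
            Status error = tokenResult.getError();
            exchange.setStatusCode(error.getStatusCode());
            exchange.getResponseSender().send(error.toString());
            logger.error(error.toString());
            return;
        }
        List<String> scopes = setCookies(exchange, tokenResult.getResult(), csrf);
        if (scopes == null) {
            return; // setCookies already answered with INVALID_AUTH_TOKEN
        }
        exchange.setStatusCode(200);
        String redirectUri = config.getRedirectUri();
        if (redirectUri == null || redirectUri.isEmpty()) {
            exchange.endExchange();
            return;
        }
        Map<String, Object> body = new HashMap<>();
        body.put(SCOPES, scopes);
        body.put("redirectUri", config.redirectUri);
        body.put("denyUri", config.denyUri != null ? config.denyUri : config.redirectUri);
        exchange.getResponseSender().send(JsonMapper.toJson(body));
    }

    /**
     * Double-submit CSRF check: the CSRF request header must equal the {@code csrf} claim carried by
     * the verified access token. Writes the appropriate error status and returns {@code false} when
     * the header is missing, the claim is missing, or the two differ.
     *
     * @param exchange the current Undertow exchange
     * @param claims   claims of the already-verified access token
     * @return {@code true} when the request may proceed
     * @throws Exception if the claim cannot be read as a string
     */
    private boolean csrfMatches(HttpServerExchange exchange, JwtClaims claims) throws Exception {
        String jwtCsrf = claims.getStringClaimValue(CSRF);
        String headerCsrf = exchange.getRequestHeaders().getFirst(HttpStringConstants.CSRF_TOKEN);
        if (headerCsrf == null || headerCsrf.trim().isEmpty()) {
            setExchangeStatus(exchange, CSRF_HEADER_MISSING);
            return false;
        }
        if (jwtCsrf == null || jwtCsrf.trim().isEmpty()) {
            setExchangeStatus(exchange, CSRF_TOKEN_MISSING_IN_JWT);
            return false;
        }
        if (!constantTimeEquals(headerCsrf, jwtCsrf)) {
            // Both values are passed through to the status message as the original did.
            // NOTE(review): this echoes the expected CSRF value back in the error body — consider dropping it.
            setExchangeStatus(exchange, HEADER_CSRF_JWT_CSRF_NOT_MATCH, headerCsrf, jwtCsrf);
            return false;
        }
        return true;
    }

    /** Compares two secrets without an early exit on the first differing byte. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * @return {@code true} when the token's {@code exp} is within {@link #RENEW_BEFORE_EXPIRY_MILLIS}
     *         of now, or when it has no {@code exp} at all (treated as stale rather than dereferenced).
     * @throws Exception if the claim is malformed
     */
    private static boolean expiresSoon(JwtClaims claims) throws Exception {
        if (claims.getExpirationTime() == null) {
            return true;
        }
        long remaining = claims.getExpirationTime().getValueInMillis() - System.currentTimeMillis();
        return remaining < RENEW_BEFORE_EXPIRY_MILLIS;
    }

    /**
     * Exchanges the refresh-token cookie for a new token pair and rewrites the cookies.
     *
     * @param exchange      the current Undertow exchange
     * @param refreshCookie the {@code refreshToken} cookie, may be {@code null}
     * @return the new access token, or {@code null} when there was no refresh token, the refresh
     *         failed (cookies are then cleared and the exchange ended) or the returned token did not
     *         verify (setCookies has then written the error)
     * @throws Exception propagated from the token service client
     */
    private String renewToken(HttpServerExchange exchange, Cookie refreshCookie) throws Exception {
        if (refreshCookie == null || refreshCookie.getValue() == null) {
            return null;
        }
        String csrf = Util.getUUID();
        RefreshTokenRequest request = new RefreshTokenRequest();
        request.setCsrf(csrf);
        request.setRefreshToken(refreshCookie.getValue());
        Result<TokenResponse> tokenResult = OauthHelper.getTokenResult(request);
        if (tokenResult.isFailure()) {
            if (logger.isDebugEnabled()) {
                logger.debug("Failed to get the access token from refresh token: {}", tokenResult.getError());
            }
            // A refresh token the server rejects is useless; drop the whole session.
            removeCookies(exchange);
            exchange.endExchange();
            return null;
        }
        TokenResponse response = tokenResult.getResult();
        if (setCookies(exchange, response, csrf) == null) {
            return null; // do not forward a token that failed verification
        }
        return response.getAccessToken();
    }

    /**
     * Expires every cookie this handler writes, using the same domain/path so the browser matches them.
     * The httpOnly flags mirror the original code (note the csrf cookie is cleared as httpOnly although
     * it is set readable in setCookies; browsers match cookies by name/domain/path, so this still works).
     */
    private void removeCookies(HttpServerExchange exchange) {
        expireCookie(exchange, ACCESS_TOKEN, true);
        expireCookie(exchange, REFRESH_TOKEN, true);
        expireCookie(exchange, CSRF, true);
        expireCookie(exchange, USER_ID, false);
        expireCookie(exchange, USER_TYPE, false);
        expireCookie(exchange, Constants.ROLES_STRING, false);
    }

    /** Sends back the named request cookie, if present, emptied and with Max-Age=0 so the browser drops it. */
    private static void expireCookie(HttpServerExchange exchange, String name, boolean httpOnly) {
        Cookie cookie = exchange.getRequestCookie(name);
        if (cookie == null) {
            return;
        }
        cookie.setMaxAge(0).setValue("").setDomain(config.cookieDomain).setPath(config.cookiePath).setHttpOnly(httpOnly).setSecure(config.cookieSecure);
        exchange.setResponseCookie(cookie);
    }

    /**
     * Verifies the access token from a token response and writes the session cookies:
     * {@code accessToken} and {@code refreshToken} (httpOnly), {@code userId}, {@code userType},
     * roles and {@code csrf} (readable by page script, so the client can echo the CSRF value in the
     * request header). All cookies use {@code SameSite=None} and {@code config.cookieSecure}.
     *
     * @param exchange      the current Undertow exchange
     * @param tokenResponse token service response holding the access/refresh tokens
     * @param csrf          the CSRF value that was sent with the token request and is expected to
     *                      appear as the {@code csrf} claim of the access token
     * @return the {@code scope} list claim of the access token, or {@code null} if the token failed
     *         verification (an INVALID_AUTH_TOKEN response has then been written)
     * @throws Exception if a claim cannot be read
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public List<String> setCookies(HttpServerExchange exchange, TokenResponse tokenResponse, String csrf) throws Exception {
        String accessToken = tokenResponse.getAccessToken();
        String refreshToken = tokenResponse.getRefreshToken();
        String remember = tokenResponse.getRemember();
        int expiresIn = (int) tokenResponse.getExpiresIn();
        try {
            JwtClaims claims = jwtVerifier.verifyJwt(accessToken, true, true);
            String roles = claims.getStringClaimValue(Constants.ROLES_STRING);
            String userType = claims.getStringClaimValue(Constants.USER_TYPE_STRING);
            String userId = claims.getStringClaimValue(Constants.USER_ID_STRING);
            List<String> scopes = claims.getStringListClaimValue(SCOPE);
            // Refresh cookie outlives the access token only when the user asked to be remembered.
            int refreshMaxAge = (remember == null || remember.equals("N")) ? expiresIn : REMEMBER_ME_MAX_AGE_SECONDS;
            exchange.setResponseCookie(buildCookie(ACCESS_TOKEN, accessToken, expiresIn, true));
            exchange.setResponseCookie(buildCookie(REFRESH_TOKEN, refreshToken, refreshMaxAge, true));
            exchange.setResponseCookie(buildCookie(USER_ID, userId, expiresIn, false));
            if (userType != null) {
                exchange.setResponseCookie(buildCookie(USER_TYPE, userType, expiresIn, false));
            }
            if (roles != null) {
                exchange.setResponseCookie(buildCookie(Constants.ROLES_STRING, roles, expiresIn, false));
            }
            exchange.setResponseCookie(buildCookie(CSRF, csrf, expiresIn, false));
            return scopes;
        } catch (InvalidJwtException e) {
            logger.error("Exception: ", (Throwable) e);
            setExchangeStatus(exchange, INVALID_AUTH_TOKEN);
            return null;
        }
    }

    /** Builds a cookie with the handler's common attributes (domain, path, SameSite=None, Secure per config). */
    private static Cookie buildCookie(String name, String value, int maxAge, boolean httpOnly) {
        return new CookieImpl(name, value)
                .setDomain(config.cookieDomain)
                .setPath(config.getCookiePath())
                .setMaxAge(Integer.valueOf(maxAge))
                .setHttpOnly(httpOnly)
                .setSameSiteMode(CookieSameSiteMode.NONE.toString())
                .setSecure(config.cookieSecure);
    }

    @Override // com.networknt.handler.MiddlewareHandler
    public HttpHandler getNext() {
        return this.next;
    }

    @Override // com.networknt.handler.MiddlewareHandler
    public MiddlewareHandler setNext(HttpHandler httpHandler) {
        Handlers.handlerNotNull(httpHandler);
        this.next = httpHandler;
        return this;
    }

    @Override // com.networknt.handler.MiddlewareHandler
    public boolean isEnabled() {
        return config.isEnabled();
    }

    @Override // com.networknt.handler.MiddlewareHandler
    public void register() {
        ModuleRegistry.registerModule(StatelessAuthConfig.CONFIG_NAME, StatelessAuthHandler.class.getName(), Config.getInstance().getJsonMapConfigNoCache(StatelessAuthConfig.CONFIG_NAME), null);
    }

    static {
        // Pick whichever security config is present, in this priority order; "security" is the fallback.
        securityConfig = SecurityConfig.load(OPENAPI_SECURITY_CONFIG);
        if (securityConfig.getMappedConfig() == null) {
            securityConfig = SecurityConfig.load(GRAPHQL_SECURITY_CONFIG);
        }
        if (securityConfig.getMappedConfig() == null) {
            securityConfig = SecurityConfig.load(HYBRID_SECURITY_CONFIG);
        }
        if (securityConfig.getMappedConfig() == null) {
            securityConfig = SecurityConfig.load("security");
        }
        jwtVerifier = new JwtVerifier(securityConfig);
    }
}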
