package com.networknt.auth;

import com.networknt.client.oauth.AuthorizationCodeRequest;
import com.networknt.client.oauth.OauthHelper;
import com.networknt.client.oauth.RefreshTokenRequest;
import com.networknt.client.oauth.TokenResponse;
import com.networknt.config.Config;
import com.networknt.exception.ExpiredTokenException;
import com.networknt.handler.Handler;
import com.networknt.handler.MiddlewareHandler;
import com.networknt.httpstring.AttachmentConstants;
import com.networknt.httpstring.HttpStringConstants;
import com.networknt.monad.Result;
import com.networknt.security.JwtVerifier;
import com.networknt.status.Status;
import com.networknt.utility.ModuleRegistry;
import com.networknt.utility.Util;
import io.undertow.Handlers;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.Cookie;
import io.undertow.server.handlers.CookieImpl;
import io.undertow.util.Headers;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Deque;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.jose4j.json.internal.json_simple.JSONObject;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/auth/StatelessAuthHandler.class */
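/**
 * Cookie-based ("stateless") authentication middleware.
 *
 * <p>Two request shapes are handled:
 * <ul>
 *   <li>A request whose relative path equals {@code config.getAuthPath()} is the OAuth
 *       authorization-code callback: the {@code code} query parameter is exchanged for tokens
 *       through {@link OauthHelper}, the tokens are written to cookies and the client is
 *       answered with 200 or redirected to {@code config.getRedirectUri()}.</li>
 *   <li>Every other request must carry the JWT in the {@code accessToken} cookie and the
 *       CSRF token in the {@link HttpStringConstants#CSRF_TOKEN} header. The header value must
 *       equal the {@code csrf} claim of the JWT (the compensating control against CSRF, since
 *       the browser attaches the cookie automatically). An expired JWT is tolerated once: the
 *       {@code refreshToken} cookie is used to obtain new tokens, the cookies are rewritten and
 *       the request continues with the fresh access token in the {@code Authorization} header.</li>
 * </ul>
 *
 * <p>Token values (authorization code, JWT, refresh token) are deliberately not written to the
 * log; only their presence is recorded at debug level.
 *
 * <p>NOTE(review): the callback branch does not validate an OAuth {@code state} parameter;
 * whether one is enforced upstream cannot be determined from this class.
 */
/* loaded from: input_file:com/networknt/auth/StatelessAuthHandler.class */
public class StatelessAuthHandler implements MiddlewareHandler {
    private static final String CODE = "code";
    private static final String ACCESS_TOKEN_COOKIE = "accessToken";
    private static final String REFRESH_TOKEN_COOKIE = "refreshToken";
    private static final String USER_INFO_COOKIE = "userInfo";
    private static final String CSRF_COOKIE = "csrf";
    private static final String CSRF_CLAIM = "csrf";
    private static final String AUTHORIZATION_CODE_MISSING = "ERR10035";
    private static final String JWT_NOT_FOUND_IN_COOKIES = "ERR10040";
    private static final String INVALID_AUTH_TOKEN = "ERR10000";
    private static final String CSRF_HEADER_MISSING = "ERR10036";
    private static final String CSRF_TOKEN_MISSING_IN_JWT = "ERR10038";
    private static final String HEADER_CSRF_JWT_CSRF_NOT_MATCH = "ERR10039";
    private static final String REFRESH_TOKEN_RESPONSE_EMPTY = "ERR10037";
    private static final String OPENAPI_SECURITY_CONFIG = "openapi-security";
    private static final String SWAGGER_SECURITY_CONFIG = "swagger-security";
    private static final String GRAPHQL_SECURITY_CONFIG = "graphql-security";
    private static final String HYBRID_SECURITY_CONFIG = "hybrid-security";
    private static final String DEFAULT_SECURITY_CONFIG = "security";
    /** Config files consulted for the JWT verifier, in priority order; the first one present wins. */
    private static final String[] SECURITY_CONFIG_NAMES = {
        OPENAPI_SECURITY_CONFIG, SWAGGER_SECURITY_CONFIG, GRAPHQL_SECURITY_CONFIG,
        HYBRID_SECURITY_CONFIG, DEFAULT_SECURITY_CONFIG
    };
    static Map<String, Object> securityConfig;
    static JwtVerifier jwtVerifier;
    private volatile HttpHandler next;
    private static final Logger logger = LoggerFactory.getLogger(StatelessAuthHandler.class);
    private static final String CONFIG_NAME = "statelessAuth";
    public static StatelessAuthConfig config = (StatelessAuthConfig) Config.getInstance().getJsonObjectConfig(CONFIG_NAME, StatelessAuthConfig.class);

    public StatelessAuthHandler() {
        logger.info("StatelessAuthHandler is constructed.");
    }

    /**
     * Dispatches between the authorization-code callback and ordinary authenticated requests.
     *
     * @param exchange the current request/response
     * @throws Exception propagated from token verification, claim access or the next handler
     */
    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        if (logger.isDebugEnabled()) {
            logger.debug("exchange path = {} config path = {}", exchange.getRelativePath(), config.getAuthPath());
        }
        if (exchange.getRelativePath().equals(config.getAuthPath())) {
            handleAuthorizationCallback(exchange);
            return;
        }
        authenticateRequest(exchange);
    }

    /**
     * Exchanges the {@code code} query parameter for tokens and stores them in cookies.
     * Ends the exchange in every case; nothing is forwarded to the next handler.
     *
     * @param exchange the callback request
     * @throws Exception propagated from {@link #setCookies}
     */
    private void handleAuthorizationCallback(HttpServerExchange exchange) throws Exception {
        Deque<String> codes = exchange.getQueryParameters().get(CODE);
        // peekFirst rather than getFirst: an empty deque must read as "no code", not throw
        String authCode = codes == null ? null : codes.peekFirst();
        // the code is a single-use secret; only its presence is logged
        logger.debug("authorization code present = {}", !isBlank(authCode));
        if (isBlank(authCode)) {
            setExchangeStatus(exchange, AUTHORIZATION_CODE_MISSING);
            return;
        }
        String csrf = Util.getUUID();
        AuthorizationCodeRequest request = new AuthorizationCodeRequest();
        request.setAuthCode(authCode);
        request.setCsrf(csrf);
        Result<TokenResponse> tokenResult = OauthHelper.getTokenResult(request);
        if (tokenResult.isFailure()) {
            sendError(exchange, tokenResult.getError());
            return;
        }
        // on failure setCookies has already written the error response; a 200/302 must not overwrite it
        if (!setCookies(exchange, tokenResult.getResult(), csrf)) {
            return;
        }
        String redirectUri = config.getRedirectUri();
        if (redirectUri == null || redirectUri.isEmpty()) {
            exchange.setStatusCode(200);
            exchange.endExchange();
        } else {
            redirect(exchange, redirectUri);
        }
    }

    /**
     * Verifies the JWT from the {@code accessToken} cookie, enforces the CSRF header/claim match,
     * refreshes an expired token, and forwards the request with a bearer {@code Authorization} header.
     *
     * @param exchange the request to authenticate
     * @throws Exception propagated from claim access, the token refresh or the next handler
     */
    private void authenticateRequest(HttpServerExchange exchange) throws Exception {
        Map<String, Cookie> requestCookies = exchange.getRequestCookies();
        String jwt = cookieValue(requestCookies, ACCESS_TOKEN_COOKIE);
        logger.debug("accessToken cookie present = {}", !isBlank(jwt));
        if (isBlank(jwt)) {
            redirect(exchange, config.getCookieTimeoutUri());
            return;
        }
        JwtClaims claims = null;
        boolean expired = false;
        try {
            claims = jwtVerifier.verifyJwt(jwt, false, true);
            recordAuditInfo(exchange, claims);
        } catch (InvalidJwtException e) {
            logger.error("Exception: ", e);
            setExchangeStatus(exchange, INVALID_AUTH_TOKEN);
            return;
        } catch (ExpiredTokenException e) {
            // expiry alone is not fatal: the CSRF claim is still checked and the token is refreshed below
            expired = true;
        }
        String jwtCsrf;
        if (expired) {
            try {
                // re-verify ignoring expiry so the csrf claim can be read from the signed token
                jwtCsrf = jwtVerifier.verifyJwt(jwt, true, true).getStringClaimValue(CSRF_CLAIM);
            } catch (InvalidJwtException e) {
                logger.error("Exception: ", e);
                setExchangeStatus(exchange, INVALID_AUTH_TOKEN);
                return;
            }
        } else {
            jwtCsrf = claims.getStringClaimValue(CSRF_CLAIM);
        }
        String headerCsrf = exchange.getRequestHeaders().getFirst(HttpStringConstants.CSRF_TOKEN);
        if (isBlank(headerCsrf)) {
            setExchangeStatus(exchange, CSRF_HEADER_MISSING);
            return;
        }
        if (isBlank(jwtCsrf)) {
            setExchangeStatus(exchange, CSRF_TOKEN_MISSING_IN_JWT);
            return;
        }
        if (!constantTimeEquals(headerCsrf, jwtCsrf)) {
            setExchangeStatus(exchange, HEADER_CSRF_JWT_CSRF_NOT_MATCH, headerCsrf, jwtCsrf);
            return;
        }
        if (expired) {
            jwt = refreshTokens(exchange, requestCookies);
            if (jwt == null) {
                return; // error response already written
            }
        }
        exchange.getRequestHeaders().put(Headers.AUTHORIZATION, "Bearer " + jwt);
        Handler.next(exchange, this.next);
    }

    /**
     * Obtains new tokens with the {@code refreshToken} cookie and rewrites the auth cookies.
     *
     * @param exchange       the current request
     * @param requestCookies the request's cookies (non-null: the caller already read a JWT from them)
     * @return the new access token, or {@code null} when an error response has been written
     * @throws Exception propagated from {@link #setCookies}
     */
    private String refreshTokens(HttpServerExchange exchange, Map<String, Cookie> requestCookies) throws Exception {
        String csrf = Util.getUUID();
        RefreshTokenRequest request = new RefreshTokenRequest();
        request.setCsrf(csrf);
        String refreshToken = cookieValue(requestCookies, REFRESH_TOKEN_COOKIE);
        logger.debug("refreshToken cookie present = {}", refreshToken != null);
        if (refreshToken != null) {
            request.setRefreshToken(refreshToken);
        }
        Result<TokenResponse> tokenResult = OauthHelper.getTokenResult(request);
        if (tokenResult.isFailure()) {
            sendError(exchange, tokenResult.getError());
            return null;
        }
        TokenResponse tokenResponse = tokenResult.getResult();
        // a token the verifier rejects must not be forwarded as a bearer token
        if (!setCookies(exchange, tokenResponse, csrf)) {
            return null;
        }
        return tokenResponse.getAccessToken();
    }

    /**
     * Copies identity claims into the exchange's audit-info attachment, creating it if absent.
     *
     * @param exchange the current request
     * @param claims   verified JWT claims
     * @throws Exception when a claim is not of the expected type
     */
    private static void recordAuditInfo(HttpServerExchange exchange, JwtClaims claims) throws Exception {
        Map<String, Object> auditInfo = exchange.getAttachment(AttachmentConstants.AUDIT_INFO);
        if (auditInfo == null) {
            auditInfo = new HashMap<>();
            exchange.putAttachment(AttachmentConstants.AUDIT_INFO, auditInfo);
        }
        auditInfo.put("client_id", claims.getStringClaimValue("client_id"));
        auditInfo.put("user_id", claims.getStringClaimValue("user_id"));
        auditInfo.put("subject_claims", claims);
    }

    /**
     * Writes the four auth cookies. {@code accessToken} and {@code refreshToken} are HttpOnly;
     * {@code userInfo} and {@code csrf} are readable by scripts, which is how the client learns
     * the value it must echo in the CSRF header.
     *
     * @param exchange      the current request
     * @param tokenResponse tokens just issued by the OAuth server
     * @param csrf          the CSRF value sent in the token request
     * @return {@code true} when the cookies were set; {@code false} when the access token failed
     *         verification and an error response has already been written
     * @throws Exception when a claim of the new token is not of the expected type
     */
    private boolean setCookies(HttpServerExchange exchange, TokenResponse tokenResponse, String csrf) throws Exception {
        String accessToken = tokenResponse.getAccessToken();
        String refreshToken = tokenResponse.getRefreshToken();
        long expiresIn = tokenResponse.getExpiresIn();
        JSONObject userInfo = new JSONObject();
        try {
            JwtClaims claims = jwtVerifier.verifyJwt(accessToken, true, true);
            userInfo.put("roles", claims.getStringListClaimValue("roles").toArray(new String[0]));
            userInfo.put("userType", claims.getStringClaimValue("user_type"));
            userInfo.put("userID", claims.getStringClaimValue("user_id"));
        } catch (InvalidJwtException e) {
            logger.error("Exception: ", e);
            setExchangeStatus(exchange, INVALID_AUTH_TOKEN);
            return false;
        }
        logger.debug("tokens issued: refreshToken present = {} expiresIn = {}", refreshToken != null, expiresIn);
        exchange.setResponseCookie(newCookie(ACCESS_TOKEN_COOKIE, accessToken, config.getCookiePath(), true));
        exchange.setResponseCookie(newCookie(REFRESH_TOKEN_COOKIE, refreshToken, config.getCookiePath(), true));
        exchange.setResponseCookie(newCookie(USER_INFO_COOKIE, userInfo.toString(), config.cookiePath, false));
        exchange.setResponseCookie(newCookie(CSRF_COOKIE, csrf, config.cookiePath, false));
        return true;
    }

    /** Builds a cookie with the domain, max-age and secure flag taken from {@link #config}. */
    private static Cookie newCookie(String name, String value, String path, boolean httpOnly) {
        return new CookieImpl(name, value)
                .setDomain(config.cookieDomain)
                .setPath(path)
                .setMaxAge(Integer.valueOf(config.cookieMaxAge))
                .setHttpOnly(httpOnly)
                .setSecure(config.cookieSecure);
    }

    /** Returns the value of the named cookie, or {@code null} when the map or the cookie is absent. */
    private static String cookieValue(Map<String, Cookie> cookies, String name) {
        if (cookies == null) {
            return null;
        }
        Cookie cookie = cookies.get(name);
        return cookie == null ? null : cookie.getValue();
    }

    /** Sends the status's own body and code as the response and logs it. */
    private static void sendError(HttpServerExchange exchange, Status error) {
        exchange.setStatusCode(error.getStatusCode());
        exchange.getResponseSender().send(error.toString());
        logger.error(error.toString());
    }

    /** Answers with a 302 to {@code location} and ends the exchange. */
    private static void redirect(HttpServerExchange exchange, String location) {
        exchange.setStatusCode(302);
        exchange.getResponseHeaders().put(Headers.LOCATION, location);
        exchange.endExchange();
    }

    /** Compares two token strings without an early exit on the first differing byte. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    /** {@code true} for {@code null} or a string that is empty after trimming. */
    private static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    @Override
    public HttpHandler getNext() {
        return this.next;
    }

    @Override
    public MiddlewareHandler setNext(HttpHandler httpHandler) {
        Handlers.handlerNotNull(httpHandler);
        this.next = httpHandler;
        return this;
    }

    @Override
    public boolean isEnabled() {
        return config.isEnabled();
    }

    @Override
    public void register() {
        ModuleRegistry.registerModule(StatelessAuthHandler.class.getName(), Config.getInstance().getJsonMapConfigNoCache(CONFIG_NAME), (List) null);
    }

    /** Returns the first security config present in {@link #SECURITY_CONFIG_NAMES}, or {@code null}. */
    private static Map<String, Object> loadSecurityConfig() {
        Map<String, Object> found = null;
        for (String name : SECURITY_CONFIG_NAMES) {
            found = Config.getInstance().getJsonMapConfig(name);
            if (found != null) {
                break;
            }
        }
        return found;
    }

    static {
        securityConfig = loadSecurityConfig();
        jwtVerifier = new JwtVerifier(securityConfig);
    }
}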
