package com.nimbusds.common.oauth2;

import com.nimbusds.jose.crypto.utils.ConstantTimeUtils;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.BearerTokenError;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import net.jcip.annotations.ThreadSafe;
import net.minidev.json.JSONObject;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.Logger;

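/**
 * Validates bearer access tokens presented to a web API against a fixed set of
 * expected tokens.
 *
 * <p>The expected token values themselves are not retained. At construction each
 * one is hashed with SHA-256 under a 32-byte salt drawn from {@link SecureRandom}
 * for this instance, and a presented token is hashed the same way and compared
 * against every stored hash with a constant-time comparison. The salt is private
 * to the instance, so a memory dump yields only unlinkable hashes.
 *
 * <p>If no non-null token was supplied at construction the validator treats the
 * web API as disabled and rejects every request with {@link #WEB_API_DISABLED}.
 *
 * <p>Thread-safety: all state except the optional logger is immutable after
 * construction; the logger is {@code volatile} so {@link #setLogger(Logger)} is
 * visible to concurrent validations.
 */
@ThreadSafe
/* loaded from: input_file:com/nimbusds/common/oauth2/BasicAccessTokenValidator.class */
public class BasicAccessTokenValidator {

    /** 401 response for a request that carries no (or an unparseable) bearer token. */
    public static final ErrorResponse MISSING_BEARER_TOKEN;

    /** 401 response for a well-formed bearer token that matches none of the expected ones. */
    public static final ErrorResponse INVALID_BEARER_TOKEN;

    /** 403 response used when the validator was constructed without any expected token. */
    public static final ErrorResponse WEB_API_DISABLED;

    /** Salted SHA-256 digests of the expected tokens; unmodifiable after construction. */
    private final List<byte[]> expectedTokenHashes;

    /** Per-instance random salt mixed into every digest; never exposed. */
    private final byte[] hashSalt;

    /** Optional trace logger; volatile because it may be set after construction. */
    private volatile Logger log;

    /**
     * An HTTP error response that can be delivered either as a JAX-RS exception or
     * written directly to a servlet response.
     */
    /* loaded from: input_file:com/nimbusds/common/oauth2/BasicAccessTokenValidator$ErrorResponse.class */
    public static class ErrorResponse {

        private final int statusCode;
        private final String wwwAuthHeader;
        private final String body;

        /**
         * Creates a new error response.
         *
         * @param statusCode    the HTTP status code to send.
         * @param wwwAuthHeader the {@code WWW-Authenticate} header value, or
         *                      {@code null} to omit the header.
         * @param body          the JSON body, or {@code null} for no body.
         */
        public ErrorResponse(int statusCode, String wwwAuthHeader, String body) {
            this.statusCode = statusCode;
            this.wwwAuthHeader = wwwAuthHeader;
            this.body = body;
        }

        /**
         * Wraps this response in a JAX-RS {@link WebApplicationException} with a
         * JSON content type.
         *
         * @return the exception to throw.
         */
        public WebApplicationException toWebAppException() {
            Response.ResponseBuilder builder = Response.status(this.statusCode);
            if (this.wwwAuthHeader != null) {
                builder.header("WWW-Authenticate", this.wwwAuthHeader);
            }
            return new WebApplicationException(builder.entity(this.body).type("application/json").build());
        }

        /**
         * Writes this response (status, optional header, optional JSON body) to a
         * servlet response.
         *
         * @param httpServletResponse the response to write to.
         * @throws IOException if the response writer cannot be obtained.
         */
        public void apply(HttpServletResponse httpServletResponse) throws IOException {
            httpServletResponse.setStatus(this.statusCode);
            if (this.wwwAuthHeader != null) {
                httpServletResponse.setHeader("WWW-Authenticate", this.wwwAuthHeader);
            }
            if (this.body != null) {
                // No explicit charset is set; the bodies built in this class are ASCII JSON.
                httpServletResponse.setContentType("application/json");
                httpServletResponse.getWriter().print(this.body);
            }
        }
    }

    /**
     * Creates a validator that accepts a single expected token.
     *
     * @param bearerAccessToken the expected token, or {@code null} to disable access.
     */
    public BasicAccessTokenValidator(BearerAccessToken bearerAccessToken) {
        // Must target the varargs constructor explicitly; this(bearerAccessToken)
        // would resolve to this constructor and be rejected as a recursive invocation.
        this(new BearerAccessToken[] { bearerAccessToken });
    }

    /**
     * Creates a validator that accepts any of the given expected tokens.
     *
     * <p>{@code null} entries are skipped; a {@code null} or empty array leaves
     * the validator with no expected tokens, i.e. access disabled.
     *
     * @param bearerAccessTokenArr the expected tokens.
     */
    public BasicAccessTokenValidator(BearerAccessToken... bearerAccessTokenArr) {
        this.hashSalt = generate32ByteSalt();
        List<byte[]> hashes = new ArrayList<>();
        if (bearerAccessTokenArr != null) {
            for (BearerAccessToken expected : bearerAccessTokenArr) {
                if (expected != null) {
                    hashes.add(computeSHA256(this.hashSalt, expected));
                }
            }
        }
        this.expectedTokenHashes = Collections.unmodifiableList(hashes);
    }

    /**
     * Returns whether the validator has no expected tokens and therefore rejects
     * every request with {@link #WEB_API_DISABLED}.
     *
     * @return {@code true} if access is disabled.
     */
    public boolean accessIsDisabled() {
        return this.expectedTokenHashes.isEmpty();
    }

    /**
     * Returns the trace logger.
     *
     * @return the logger, {@code null} if none is set.
     */
    public Logger getLogger() {
        return this.log;
    }

    /**
     * Sets the trace logger. Only an abbreviated prefix of a presented token is
     * ever logged, at trace level.
     *
     * @param logger the logger, {@code null} to disable tracing.
     */
    public void setLogger(Logger logger) {
        this.log = logger;
    }

    /**
     * Generates a fresh 32-byte salt from {@link SecureRandom}.
     *
     * @return the salt bytes.
     */
    private static byte[] generate32ByteSalt() {
        byte[] salt = new byte[32];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    /**
     * Computes {@code SHA-256(salt || UTF-8(token value))}.
     *
     * @param salt  the salt to prefix.
     * @param token the token whose value is digested.
     * @return the 32-byte digest.
     * @throws RuntimeException if SHA-256 is unavailable in this JVM (it is a
     *                          mandatory algorithm, so this is not expected).
     */
    private static byte[] computeSHA256(byte[] salt, BearerAccessToken token) {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            digest.update(salt);
            return digest.digest(token.getValue().getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("SHA-256 not available", e);
        }
    }

    /**
     * Hashes the presented token and compares it in constant time against each
     * expected hash.
     *
     * @param presented the token to check.
     * @return {@code true} if it matches one of the expected tokens.
     */
    private boolean matchesExpectedToken(BearerAccessToken presented) {
        Logger logger = this.log;
        if (logger != null) {
            // abbreviate(value, 8) yields at most the first few characters plus "...".
            logger.trace("[CM3000] Validating bearer access token: {}...", StringUtils.abbreviate(presented.getValue(), 8));
        }
        byte[] presentedHash = computeSHA256(this.hashSalt, presented);
        for (byte[] expectedHash : this.expectedTokenHashes) {
            if (ConstantTimeUtils.areEqual(presentedHash, expectedHash)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validates an {@code Authorization} header value such as
     * {@code "Bearer xyz"}, for JAX-RS resources.
     *
     * @param str the header value.
     * @throws WebApplicationException carrying {@link #WEB_API_DISABLED} if the
     *                                 validator has no expected tokens,
     *                                 {@link #MISSING_BEARER_TOKEN} if the value is
     *                                 blank or does not parse as a bearer token, or
     *                                 {@link #INVALID_BEARER_TOKEN} if the token
     *                                 matches none of the expected ones.
     */
    public void validateBearerAccessToken(String str) throws WebApplicationException {
        if (accessIsDisabled()) {
            throw WEB_API_DISABLED.toWebAppException();
        }
        if (StringUtils.isBlank(str)) {
            throw MISSING_BEARER_TOKEN.toWebAppException();
        }
        BearerAccessToken presented;
        try {
            presented = BearerAccessToken.parse(str);
        } catch (ParseException e) {
            // A malformed header is reported as missing, not invalid, so the
            // response does not distinguish "no token" from "not a bearer header".
            throw MISSING_BEARER_TOKEN.toWebAppException();
        }
        if (!matchesExpectedToken(presented)) {
            throw INVALID_BEARER_TOKEN.toWebAppException();
        }
    }

    /**
     * Validates the bearer token of a servlet request, writing the appropriate
     * error response when validation fails.
     *
     * <p>If an {@code Authorization} header is present it is used exclusively;
     * otherwise the {@code access_token} request parameter is consulted. A blank
     * or unparseable header, or a missing / blank parameter, produces
     * {@link #MISSING_BEARER_TOKEN}.
     *
     * @param httpServletRequest  the request.
     * @param httpServletResponse the response, written to only on failure.
     * @return {@code true} if the token is valid; {@code false} if an error
     *         response was written.
     * @throws IOException if the error response cannot be written.
     */
    public boolean validateBearerAccessToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (accessIsDisabled()) {
            WEB_API_DISABLED.apply(httpServletResponse);
            return false;
        }
        BearerAccessToken presented = extractToken(httpServletRequest);
        if (presented == null) {
            MISSING_BEARER_TOKEN.apply(httpServletResponse);
            return false;
        }
        if (matchesExpectedToken(presented)) {
            return true;
        }
        INVALID_BEARER_TOKEN.apply(httpServletResponse);
        return false;
    }

    /**
     * Extracts the bearer token from the {@code Authorization} header, or failing
     * that from the {@code access_token} parameter.
     *
     * @param request the request.
     * @return the token, or {@code null} if none is present or it is malformed.
     */
    private static BearerAccessToken extractToken(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header != null) {
            if (StringUtils.isBlank(header)) {
                return null;
            }
            try {
                return BearerAccessToken.parse(header);
            } catch (ParseException e) {
                return null;
            }
        }
        String parameter = request.getParameter("access_token");
        // isBlank(null) is true, so an absent parameter is covered as well.
        if (StringUtils.isBlank(parameter)) {
            return null;
        }
        return new BearerAccessToken(parameter);
    }

    /**
     * Builds the JSON body {@code {"error": code, "error_description": description}}.
     *
     * @param code        the error code.
     * @param description the human-readable description.
     * @return the serialised JSON object.
     */
    private static String jsonError(String code, String description) {
        JSONObject json = new JSONObject();
        json.put("error", code);
        json.put("error_description", description);
        return json.toJSONString();
    }

    static {
        MISSING_BEARER_TOKEN = new ErrorResponse(
                BearerTokenError.MISSING_TOKEN.getHTTPStatusCode(),
                BearerTokenError.MISSING_TOKEN.toWWWAuthenticateHeader(),
                jsonError("missing_token", "Unauthorized: Missing Bearer access token"));
        INVALID_BEARER_TOKEN = new ErrorResponse(
                BearerTokenError.INVALID_TOKEN.getHTTPStatusCode(),
                BearerTokenError.INVALID_TOKEN.toWWWAuthenticateHeader(),
                jsonError(BearerTokenError.INVALID_TOKEN.getCode(), "Unauthorized: Invalid Bearer access token"));
        // No WWW-Authenticate challenge: a disabled API is forbidden regardless of credentials.
        WEB_API_DISABLED = new ErrorResponse(403, null, jsonError("web_api_disabled", "Forbidden: Web API disabled"));
    }
}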
