package com.sdl.web.oauth.validator;

import com.sdl.delivery.configuration.Configuration;
import com.sdl.delivery.configuration.xml.XMLConfigurationReaderImpl;
import com.sdl.web.ambient.api.RequestValidator;
import com.sdl.web.oauth.common.DefaultOAuthToken;
import com.sdl.web.oauth.common.OAuthException;
import com.tridion.ambientdata.AmbientDataConfig;
import com.tridion.ambientdata.AmbientDataContext;
import com.tridion.ambientdata.claimstore.ClaimStore;
import com.tridion.ambientdata.claimstore.ClaimStoreUtil;
import com.tridion.ambientdata.claimstore.ClaimType;
import com.tridion.ambientdata.web.WebClaims;
import com.tridion.configuration.ConfigurationException;
import com.tridion.security.UnauthorizedException;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sdl/web/oauth/validator/OAuth2RequestValidator.class */
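/**
 * Ambient Data {@link RequestValidator} that authenticates incoming web-service requests
 * with an OAuth 2 bearer token signed with the shared secret of the Ambient Data framework.
 *
 * <p>On success the attributes carried by the token are copied into the claim store under
 * {@link #ATTRIBUTES_URI_PREFIX}. Requests aimed at the token service itself, and GET requests
 * for the capability and health endpoints, are let through without a token.
 *
 * <p>Instances are immutable after construction; the only state is the HMAC key and the
 * pre-built {@code WWW-Authenticate} value, so the class is safe to share between threads as
 * long as the surrounding framework objects are.
 */
public class OAuth2RequestValidator implements RequestValidator {
    private static final Logger LOG = LoggerFactory.getLogger(OAuth2RequestValidator.class);
    /** "Bearer <token>" — the RFC 6750 form. The whitespace after the scheme is optional here. */
    private static final Pattern ACCESS_TOKEN_PATTERN = Pattern.compile("Bearer(?:\\s*)(.+)");
    /** "OAuth <token>" — pre-RFC 6750 form, still accepted but logged as legacy. */
    private static final Pattern LEGACY_ACCESS_TOKEN_PATTERN = Pattern.compile("OAuth(?:\\s*)(.+)");
    private static final String ALGORITHM = "HmacSHA256";
    private static final String TOKEN_SERVICE_URI = "token.svc";
    private static final String TOKEN_SERVICE_CAPABILITY_URI = "TokenServiceCapability";
    private static final String TOKEN_SERVICE_CAPABILITIES_URI = "TokenServiceCapabilities";
    private static final String HEALTH_ENDPOINT = "health";
    private static final String STORAGE_CONFIG_FILE = "cd_storage_conf.xml";
    private static final String DEFAULT_REALM = "Content Delivery Web service";
    /** Claim URI prefix under which token attributes are published. */
    public static final String ATTRIBUTES_URI_PREFIX = "taf:claim:contentdelivery:webservice:client:";

    /** Realm part of every WWW-Authenticate challenge, built once from the storage configuration. */
    private final String wwwAuthenticateValue;
    /** HMAC key derived from the Ambient Data shared secret; used to verify token signatures. */
    private final SecretKey secretKey;

    /**
     * Builds the validator from the Ambient Data configuration that must already be initialised.
     *
     * @throws ConfigurationException when the Ambient Data framework has no configuration loaded,
     *         in which case no shared secret is available and no token could ever be verified
     */
    public OAuth2RequestValidator() throws ConfigurationException {
        AmbientDataConfig ambientDataConfig = AmbientDataContext.getAmbientDataConfig();
        if (ambientDataConfig == null) {
            throw new ConfigurationException("Ambient Data framework configuration was not properly initialized!");
        }
        // Pin the charset: the previous getBytes() used the platform default, so the HMAC key
        // could differ between JVMs. This assumes the token issuer also keys on the UTF-8 bytes
        // of the same secret — identical to the old behaviour on any UTF-8 platform; TODO confirm.
        this.secretKey = new SecretKeySpec(
                ambientDataConfig.getSharedSecret().getBytes(StandardCharsets.UTF_8), ALGORITHM);
        this.wwwAuthenticateValue = "Bearer realm='" + readRealm() + "'";
    }

    /**
     * Reads the service URI used as the challenge realm from {@code cd_storage_conf.xml}.
     *
     * @return the configured {@code ConfigRepository/ServiceUri}, or {@link #DEFAULT_REALM}
     *         when the file or the value is missing (a missing realm is not fatal)
     */
    private static String readRealm() {
        try {
            Configuration configuration = new XMLConfigurationReaderImpl()
                    .readConfiguration(STORAGE_CONFIG_FILE)
                    .getConfiguration("ConfigRepository");
            if (configuration != null && configuration.hasValue("ServiceUri")) {
                return configuration.getValue("ServiceUri").asString();
            }
        } catch (com.sdl.delivery.configuration.ConfigurationException e) {
            LOG.debug("Unable to get discovery service endpoint URI from '{}'", STORAGE_CONFIG_FILE, e);
        }
        return DEFAULT_REALM;
    }

    /**
     * Validates the access token of the request described by {@code claimStore} and publishes
     * the token attributes as read-only claims.
     *
     * @param claimStore the claim store of the current request
     * @throws UnauthorizedException when no token is present, or the token fails to parse or
     *         verify (the underlying {@link OAuthException} is kept as the cause)
     */
    public void validate(ClaimStore claimStore) {
        if (isTokenServiceOrCapabilityRequest(claimStore)) {
            return;
        }
        try {
            // DefaultOAuthToken verifies the signature against secretKey; an invalid or expired
            // token surfaces as an OAuthException.
            DefaultOAuthToken token = new DefaultOAuthToken(this.secretKey, retrieveAccessToken(claimStore), "");
            for (Map.Entry<String, ?> attribute : token.getAttributes().entrySet()) {
                claimStore.put(URI.create(ATTRIBUTES_URI_PREFIX + attribute.getKey()),
                        attribute.getValue(), ClaimType.READ_ONLY);
            }
        } catch (OAuthException e) {
            LOG.debug("Unauthorized: {}", e.getMessage());
            throw new UnauthorizedException(e);
        }
    }

    /**
     * Writes a 401 {@code invalid_grant} challenge.
     *
     * @param httpServletResponse the response to write the challenge to
     */
    public void handleUnauthorizedRequest(HttpServletResponse httpServletResponse) {
        writeOAuth2ErrorResponse(httpServletResponse, 401, "invalid_grant");
    }

    /**
     * Writes an {@code invalid_request} challenge with the given status code.
     *
     * @param httpServletResponse the response to write the challenge to
     * @param i the HTTP status code to send
     */
    public void handleBadRequestWithCode(HttpServletResponse httpServletResponse, int i) {
        writeOAuth2ErrorResponse(httpServletResponse, i, "invalid_request");
    }

    /**
     * Writes an RFC 6750 style error: a {@code WWW-Authenticate} challenge plus a minimal JSON body.
     *
     * @param httpServletResponse the response to write to
     * @param i the HTTP status code
     * @param str the OAuth error code; callers pass fixed literals only, which is why it is
     *        concatenated into the header and the JSON body without escaping — keep it that way
     */
    private void writeOAuth2ErrorResponse(HttpServletResponse httpServletResponse, int i, String str) {
        // RFC 6749 requires error responses not to be cached.
        httpServletResponse.setHeader("Cache-Control", "no-store");
        httpServletResponse.setHeader("WWW-Authenticate", this.wwwAuthenticateValue + ", error='" + str + "'");
        httpServletResponse.setContentType("application/json");
        httpServletResponse.setStatus(i);
        try {
            httpServletResponse.getWriter().print("{\"error\":\"" + str + "\"}");
        } catch (IOException e) {
            // Status and headers are already set; the body is best-effort.
            LOG.error("Error writing the error response body.", e);
        }
    }

    /**
     * Locates the raw access token: the Authorization header first, then the
     * {@code oauth_token} request parameter.
     *
     * @param claimStore the claim store of the current request
     * @return the URL-decoded token
     * @throws UnauthorizedException when neither source carries a token
     * @throws OAuthException when the token cannot be URL-decoded
     */
    private static String retrieveAccessToken(ClaimStore claimStore) {
        String rawToken = retrieveAccessTokenFromHeader(claimStore);
        if (rawToken == null) {
            rawToken = retrieveAccessTokenFromParameters(claimStore);
        }
        if (rawToken == null) {
            throw new UnauthorizedException("No access token found.");
        }
        try {
            return URLDecoder.decode(rawToken, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is always supported; kept only because the String-charset overload declares it.
            throw new OAuthException("Could not parse access token.", e);
        }
    }

    /**
     * Extracts the token from the first {@code authorization} header value.
     *
     * @param claimStore the claim store of the current request
     * @return the token, or {@code null} when the header is absent or has neither the
     *         {@code Bearer} nor the legacy {@code OAuth} form
     */
    private static String retrieveAccessTokenFromHeader(ClaimStore claimStore) {
        Map<?, ?> headers = (Map<?, ?>) claimStore.get(WebClaims.REQUEST_HEADERS, Map.class);
        // NOTE(review): header names are looked up lower-cased; presumably the web layer
        // normalises them that way — verify against the claim-store populator.
        String[] values = headers != null ? (String[]) headers.get("authorization") : null;
        if (values == null || values.length == 0) {
            return null;
        }
        String headerValue = values[0];
        Matcher matcher = ACCESS_TOKEN_PATTERN.matcher(headerValue);
        if (matcher.matches()) {
            return matcher.group(1);
        }
        return retrieveLegacyAccessTokenFromHeader(headerValue);
    }

    /**
     * Accepts the pre-RFC 6750 {@code OAuth <token>} header form and logs its use.
     *
     * @param str the full Authorization header value
     * @return the token, or {@code null} when the value is not in the legacy form
     * @deprecated clients should send {@code Bearer <token>}
     */
    @Deprecated
    private static String retrieveLegacyAccessTokenFromHeader(String str) {
        Matcher matcher = LEGACY_ACCESS_TOKEN_PATTERN.matcher(str);
        if (!matcher.matches()) {
            return null;
        }
        LOG.warn("Received token in legacy format");
        return matcher.group(1);
    }

    /**
     * Extracts the token from the first {@code oauth_token} request parameter.
     *
     * @param claimStore the claim store of the current request
     * @return the parameter value, or {@code null} when absent or empty
     */
    private static String retrieveAccessTokenFromParameters(ClaimStore claimStore) {
        Map<?, ?> parameters = (Map<?, ?>) claimStore.get(WebClaims.REQUEST_PARAMETERS, Map.class);
        if (parameters == null) {
            return null;
        }
        String[] values = (String[]) parameters.get("oauth_token");
        if (values == null || values.length == 0) {
            return null;
        }
        return values[0];
    }

    /**
     * Decides whether the request may pass without a token: anything addressed to the token
     * service, plus GET requests for the capability and health endpoints.
     *
     * @param claimStore the claim store of the current request
     * @return {@code true} when token validation must be skipped; {@code false} when the
     *         request URI claim is missing, so an unknown request is never let through
     */
    private boolean isTokenServiceOrCapabilityRequest(ClaimStore claimStore) {
        String requestUri = (String) claimStore.get(WebClaims.REQUEST_URI, String.class);
        if (requestUri == null) {
            // Fail closed instead of NPE-ing: without a URI we cannot prove the exemption.
            return false;
        }
        // NOTE(review): contains() matches "token.svc" anywhere in the URI, so the exemption is
        // wider than the token service path alone — confirm this is the intended layout and
        // consider anchoring on the path segment if it is not.
        if (requestUri.contains(TOKEN_SERVICE_URI)) {
            return true;
        }
        boolean exemptGetPath = requestUri.endsWith(TOKEN_SERVICE_CAPABILITY_URI)
                || requestUri.endsWith(TOKEN_SERVICE_CAPABILITIES_URI)
                || requestUri.endsWith(HEALTH_ENDPOINT);
        return exemptGetPath && ClaimStoreUtil.isGetRequest(claimStore);
    }
}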
