package org.apache.cxf.rs.security.oauth2.filters;

import com.fasterxml.jackson.core.util.MinimalPrettyPrinter;
import java.io.IOException;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.ClassHelper;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.utils.OAuthContextUtils;
import org.springframework.jmx.export.naming.IdentityNamingStrategy;

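@Priority(1001)
/* loaded from: input_file:BOOT-INF/lib/cxf-rt-rs-security-oauth2-3.1.8.jar:org/apache/cxf/rs/security/oauth2/filters/OAuthScopesFilter.class */
/**
 * JAX-RS request filter that enforces per-method OAuth requirements: the scopes a token must
 * carry and whether the calling client must be confidential.
 *
 * <p>Requirements are collected from {@link Scopes} and {@link ConfidentialClient} annotations by
 * {@link #setSecuredObject(Object)}, or supplied directly through the setters.
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>All lookups are keyed by the simple method name, so overloaded methods share one entry.</li>
 *   <li>A method with no entry in the scopes map is not restricted by {@link #checkScopes(Method)},
 *       and a method not listed as confidential is not restricted by
 *       {@link #checkClient(Method)}; the filter only denies what has been configured.</li>
 *   <li>The maps are plain, unsynchronized collections; presumably they are populated before the
 *       filter starts serving requests (confirm against the deployment).</li>
 * </ul>
 */
public class OAuthScopesFilter implements ContainerRequestFilter {
    private static final Logger LOG = LogUtils.getL7dLogger(OAuthScopesFilter.class);

    // java.lang.Object method names that are never treated as secured resource methods.
    // "hashCode" is spelled as a literal so the set does not depend on an unrelated library
    // constant that merely happens to hold the same value.
    private static final Set<String> SKIP_METHODS = new HashSet<>(
            Arrays.asList("wait", "notify", "notifyAll", "equals", "toString", "hashCode"));

    @Context
    private MessageContext mc;
    // method name -> scopes required to invoke it
    private Map<String, List<String>> scopesMap = new HashMap<>();
    // method name -> true when every required scope must be granted, false when any one suffices
    private Map<String, Boolean> scopesMatchAllMap = new HashMap<>();
    // names of methods that only confidential clients may invoke
    private Set<String> confidentialClientMethods = new HashSet<>();

    /**
     * Scans the real class of {@code obj} for {@link Scopes} and {@link ConfidentialClient}
     * annotations and records the resulting requirements.
     *
     * <p>Logs a warning when no scopes were found at all, since the filter then lets every
     * request pass the scope check.
     *
     * @param obj the resource instance to secure
     */
    public void setSecuredObject(Object obj) {
        checkSecureClass(ClassHelper.getRealClass(obj));
        if (this.scopesMap.isEmpty()) {
            LOG.warning("The scopes map is empty");
            return;
        }
        if (LOG.isLoggable(Level.FINE)) {
            for (Map.Entry<String, List<String>> entry : this.scopesMap.entrySet()) {
                LOG.fine("Method: " + entry.getKey() + ", scopes: " + entry.getValue());
            }
        }
    }

    /**
     * Records scope and confidential-client requirements for the public methods of {@code cls},
     * then repeats the scan for its superclass and interfaces.
     *
     * <p>A method-level {@link Scopes} annotation takes precedence over the class-level one.
     * Entries are written with {@code put} under the method name, so a type visited later in the
     * walk (superclass, then interfaces) replaces an entry recorded earlier for the same name.
     *
     * @param cls the class to scan; {@code null} and {@code Object.class} end the recursion
     */
    protected void checkSecureClass(Class<?> cls) {
        if (cls == null || cls == Object.class) {
            return;
        }
        Scopes classScopes = cls.getAnnotation(Scopes.class);
        boolean classIsConfidential = cls.getAnnotation(ConfidentialClient.class) != null;
        for (Method method : cls.getMethods()) {
            String methodName = method.getName();
            if (SKIP_METHODS.contains(methodName)) {
                continue;
            }
            Scopes methodScopes = method.getAnnotation(Scopes.class);
            Scopes effectiveScopes = methodScopes == null ? classScopes : methodScopes;
            if (effectiveScopes != null) {
                this.scopesMap.put(methodName, Arrays.asList(effectiveScopes.value()));
                this.scopesMatchAllMap.put(methodName, effectiveScopes.matchAll());
            }
            if (classIsConfidential || method.getAnnotation(ConfidentialClient.class) != null) {
                this.confidentialClientMethods.add(methodName);
            }
        }
        checkSecureClass(cls.getSuperclass());
        for (Class<?> iface : cls.getInterfaces()) {
            checkSecureClass(iface);
        }
    }

    /**
     * Resolves the target resource method and applies the client check followed by the scope
     * check. Either check rejects the request by throwing the forbidden exception.
     *
     * @param containerRequestContext the request context (not read by this filter)
     * @throws IOException declared by the interface; not thrown directly here
     */
    @Override // javax.ws.rs.container.ContainerRequestFilter
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        Method targetMethod = getTargetMethod();
        checkClient(targetMethod);
        checkScopes(targetMethod);
    }

    /**
     * Rejects the request when {@code method} is restricted to confidential clients and the
     * current OAuth context reports a non-confidential client.
     *
     * @param method the resource method about to be invoked
     */
    protected void checkClient(Method method) {
        if (!this.confidentialClientMethods.contains(method.getName())) {
            return;
        }
        OAuthContext context = OAuthContextUtils.getContext(this.mc);
        if (context.isClientConfidential()) {
            return;
        }
        LOG.warning("Non confidential client " + context.getClientId() + " has attempted to invoke " + method.getName());
        throw ExceptionUtils.toForbiddenException(null, null);
    }

    /**
     * Rejects the request when the permissions in the current OAuth context do not satisfy the
     * scopes configured for {@code method}.
     *
     * <p>In match-all mode every configured scope must appear among the granted permissions; in
     * match-any mode a single matching permission is enough. A method without a scopes entry is
     * let through unchanged.
     *
     * @param method the resource method about to be invoked
     */
    protected void checkScopes(Method method) {
        List<String> requiredScopes = this.scopesMap.get(method.getName());
        if (requiredScopes == null) {
            return;
        }
        // The scopes map can be filled through setScopesMap/setScopesStringMap without a matching
        // match-all entry. Unboxing the missing value used to raise a NullPointerException on the
        // request path; fail closed instead by requiring every configured scope.
        Boolean matchAllSetting = this.scopesMatchAllMap.get(method.getName());
        boolean matchAll = matchAllSetting == null || matchAllSetting;

        OAuthContext context = OAuthContextUtils.getContext(this.mc);
        List<String> grantedScopes = new LinkedList<>();
        for (OAuthPermission permission : context.getPermissions()) {
            if (matchAll) {
                grantedScopes.add(permission.getPermission());
            } else if (requiredScopes.contains(permission.getPermission())) {
                return;
            }
        }
        // In match-any mode grantedScopes stays empty, so this only passes when no scope is
        // required at all.
        if (grantedScopes.containsAll(requiredScopes)) {
            return;
        }
        LOG.warning("Scopes do not match");
        throw ExceptionUtils.toForbiddenException(null, null);
    }

    /**
     * Returns the resource method stored in the message context, rejecting the request when none
     * is present so that no check is ever skipped for lack of a target.
     *
     * @return the resource method for the current request
     */
    protected Method getTargetMethod() {
        Method method = (Method) this.mc.get("org.apache.cxf.resource.method");
        if (method == null) {
            throw ExceptionUtils.toForbiddenException(null, null);
        }
        return method;
    }

    /**
     * Replaces the scopes map.
     *
     * @param map method name to required scopes; stored by reference, not copied
     */
    public void setScopesMap(Map<String, List<String>> map) {
        this.scopesMap = map;
    }

    /**
     * Adds entries to the scopes map from space-separated scope strings.
     *
     * <p>The value is split on a single space character, so leading or repeated spaces yield
     * empty-string scopes in the resulting list.
     *
     * @param map method name to space-separated scopes
     */
    public void setScopesStringMap(Map<String, String> map) {
        for (Map.Entry<String, String> entry : map.entrySet()) {
            // Literal separator rather than an unrelated library constant holding the same value.
            this.scopesMap.put(entry.getKey(), Arrays.asList(entry.getValue().split(" ")));
        }
    }

    /**
     * Replaces the match-all map.
     *
     * @param map method name to match-all flag; stored by reference, not copied
     */
    public void setScopesMatchAllMap(Map<String, Boolean> map) {
        this.scopesMatchAllMap = map;
    }

    /**
     * Replaces the set of methods restricted to confidential clients.
     *
     * @param set method names; stored by reference, not copied
     */
    public void setConfidentialClientMethods(Set<String> set) {
        this.confidentialClientMethods = set;
    }
}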
