package io.gravitee.policy.jwt;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import io.gravitee.common.security.jwt.LazyJWT;
import io.gravitee.gateway.reactive.api.ExecutionFailure;
import io.gravitee.gateway.reactive.api.context.HttpExecutionContext;
import io.gravitee.gateway.reactive.api.context.HttpRequest;
import io.gravitee.gateway.reactive.api.policy.SecurityPolicy;
import io.gravitee.gateway.reactive.api.policy.SecurityToken;
import io.gravitee.policy.jwt.configuration.JWTPolicyConfiguration;
import io.gravitee.policy.jwt.jwk.provider.DefaultJWTProcessorProvider;
import io.gravitee.policy.jwt.jwk.provider.JWTProcessorProvider;
import io.gravitee.policy.jwt.utils.TokenExtractor;
import io.gravitee.policy.v3.jwt.JWTPolicyV3;
import io.gravitee.reporter.api.http.SecurityType;
import io.gravitee.reporter.api.v4.metric.Metrics;
import io.reactivex.rxjava3.core.Completable;
import io.reactivex.rxjava3.core.Maybe;
import io.reactivex.rxjava3.core.Single;
import io.vertx.rxjava3.core.http.HttpHeaders;
import java.text.ParseException;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;

/* loaded from: input_file:io/gravitee/policy/jwt/JWTPolicy.class */
public class JWTPolicy extends JWTPolicyV3 implements SecurityPolicy {
    public static final String CONTEXT_ATTRIBUTE_JWT = "jwt";
    private static final Logger log = LoggerFactory.getLogger(JWTPolicy.class);
    private final JWTProcessorProvider jwtProcessorResolver;

    public JWTPolicy(JWTPolicyConfiguration jWTPolicyConfiguration) {
        super(jWTPolicyConfiguration);
        this.jwtProcessorResolver = new DefaultJWTProcessorProvider(jWTPolicyConfiguration);
    }

    public String id() {
        return CONTEXT_ATTRIBUTE_JWT;
    }

    public int order() {
        return 0;
    }

    public Maybe<SecurityToken> extractSecurityToken(HttpExecutionContext httpExecutionContext) {
        LazyJWT lazyJWT = (LazyJWT) httpExecutionContext.getAttribute(CONTEXT_ATTRIBUTE_JWT);
        if (lazyJWT == null) {
            lazyJWT = (LazyJWT) TokenExtractor.extract(httpExecutionContext.request()).map(LazyJWT::new).orElse(null);
        }
        if (lazyJWT == null) {
            return Maybe.empty();
        }
        httpExecutionContext.setAttribute(CONTEXT_ATTRIBUTE_JWT, lazyJWT);
        String clientId = getClientId(lazyJWT);
        return clientId != null ? Maybe.just(SecurityToken.forClientId(clientId)) : Maybe.just(SecurityToken.invalid(SecurityToken.TokenType.CLIENT_ID));
    }

    public boolean requireSubscription() {
        return true;
    }

    public Completable onRequest(HttpExecutionContext httpExecutionContext) {
        return handleSecurity(httpExecutionContext);
    }

    private Completable handleSecurity(HttpExecutionContext httpExecutionContext) {
        return extractToken(httpExecutionContext).flatMapSingle(lazyJWT -> {
            return validateToken(httpExecutionContext, lazyJWT).doOnSuccess(jWTClaimsSet -> {
                setAuthContextInfos(httpExecutionContext, lazyJWT, jWTClaimsSet);
            });
        }).ignoreElement();
    }

    private void setAuthContextInfos(HttpExecutionContext httpExecutionContext, LazyJWT lazyJWT, JWTClaimsSet jWTClaimsSet) {
        HttpRequest request = httpExecutionContext.request();
        httpExecutionContext.setAttribute(JWTPolicyV3.CONTEXT_ATTRIBUTE_TOKEN, lazyJWT.getToken());
        String clientId = getClientId(jWTClaimsSet);
        httpExecutionContext.setAttribute(JWTPolicyV3.CONTEXT_ATTRIBUTE_OAUTH_CLIENT_ID, clientId);
        String subject = (this.configuration.getUserClaim() == null || this.configuration.getUserClaim().isEmpty()) ? jWTClaimsSet.getSubject() : (String) jWTClaimsSet.getClaim(this.configuration.getUserClaim());
        httpExecutionContext.setAttribute("gravitee.attribute.user", subject);
        Metrics metrics = httpExecutionContext.metrics();
        metrics.setUser(subject);
        metrics.setSecurityType(SecurityType.JWT);
        metrics.setSecurityToken(clientId);
        if (this.configuration.isExtractClaims()) {
            httpExecutionContext.setAttribute(JWTPolicyV3.CONTEXT_ATTRIBUTE_JWT_CLAIMS, jWTClaimsSet.getClaims());
        }
        if (this.configuration.isPropagateAuthHeader()) {
            return;
        }
        request.headers().remove(HttpHeaders.AUTHORIZATION);
    }

    private Maybe<LazyJWT> extractToken(HttpExecutionContext httpExecutionContext) {
        Optional<String> extract = TokenExtractor.extract(httpExecutionContext.request());
        return extract.isEmpty() ? interrupt401AsMaybe(httpExecutionContext, JWTPolicyV3.JWT_MISSING_TOKEN_KEY) : extract.get().isEmpty() ? interrupt401AsMaybe(httpExecutionContext, JWTPolicyV3.JWT_INVALID_TOKEN_KEY) : Maybe.just(new LazyJWT(extract.get()));
    }

    private Single<JWTClaimsSet> validateToken(HttpExecutionContext httpExecutionContext, LazyJWT lazyJWT) {
        return this.jwtProcessorResolver.provide(httpExecutionContext).flatMapSingle(jWTProcessor -> {
            try {
                return Single.just(jWTProcessor.process(lazyJWT.getDelegate(), (SecurityContext) null));
            } catch (Throwable th) {
                reportError(httpExecutionContext, th);
                return interrupt401AsSingle(httpExecutionContext, JWTPolicyV3.JWT_INVALID_TOKEN_KEY);
            }
        }).toSingle();
    }

    private <T> Maybe<T> interrupt401AsMaybe(HttpExecutionContext httpExecutionContext, String str) {
        return interrupt401(httpExecutionContext, str).toMaybe();
    }

    private <T> Single<T> interrupt401AsSingle(HttpExecutionContext httpExecutionContext, String str) {
        return interrupt401(httpExecutionContext, str).toMaybe().toSingle();
    }

    private Completable interrupt401(HttpExecutionContext httpExecutionContext, String str) {
        return httpExecutionContext.interruptWith(new ExecutionFailure(401).key(str).message(JWTPolicyV3.UNAUTHORIZED_MESSAGE));
    }

    private void reportError(HttpExecutionContext httpExecutionContext, Throwable th) {
        if (th != null) {
            HttpRequest request = httpExecutionContext.request();
            httpExecutionContext.metrics().setErrorMessage(th.getMessage());
            if (log.isDebugEnabled()) {
                try {
                    String str = (String) httpExecutionContext.getAttribute("gravitee.attribute.api");
                    MDC.put("api", str);
                    log.debug("[api-id:{}] [request-id:{}] [request-path:{}] {}", new Object[]{str, request.id(), request.path(), th.getMessage(), th});
                    MDC.remove("api");
                } catch (Throwable th2) {
                    MDC.remove("api");
                    throw th2;
                }
            }
        }
    }

    private String getClientId(LazyJWT lazyJWT) {
        try {
            JWT delegate = lazyJWT.getDelegate();
            if (delegate != null) {
                return getClientId(delegate.getJWTClaimsSet());
            }
            return null;
        } catch (ParseException e) {
            log.error("Failed to parse JWT claim set while looking for clientId", e);
            return null;
        }
    }
}
