package io.gravitee.policy.v3.jwt;

import com.nimbusds.jwt.JWTClaimsSet;
import io.gravitee.gateway.api.ExecutionContext;
import io.gravitee.gateway.api.Request;
import io.gravitee.gateway.api.Response;
import io.gravitee.node.api.configuration.Configuration;
import io.gravitee.policy.api.PolicyChain;
import io.gravitee.policy.api.PolicyResult;
import io.gravitee.policy.api.annotations.OnRequest;
import io.gravitee.policy.jwt.alg.Signature;
import io.gravitee.policy.jwt.configuration.JWTPolicyConfiguration;
import io.gravitee.policy.jwt.utils.TokenExtractor;
import io.gravitee.policy.v3.jwt.exceptions.InvalidTokenException;
import io.gravitee.policy.v3.jwt.jwks.URLJWKSourceResolver;
import io.gravitee.policy.v3.jwt.jwks.hmac.MACJWKSourceResolver;
import io.gravitee.policy.v3.jwt.jwks.retriever.VertxResourceRetriever;
import io.gravitee.policy.v3.jwt.jwks.rsa.RSAJWKSourceResolver;
import io.gravitee.policy.v3.jwt.processor.AbstractKeyProcessor;
import io.gravitee.policy.v3.jwt.processor.HMACKeyProcessor;
import io.gravitee.policy.v3.jwt.processor.JWKSKeyProcessor;
import io.gravitee.policy.v3.jwt.processor.NoAlgorithmRSAKeyProcessor;
import io.gravitee.policy.v3.jwt.processor.RSAKeyProcessor;
import io.gravitee.policy.v3.jwt.resolver.GatewaySignatureKeyResolver;
import io.gravitee.policy.v3.jwt.resolver.KeyResolver;
import io.gravitee.policy.v3.jwt.resolver.SignatureKeyResolver;
import io.gravitee.policy.v3.jwt.resolver.TemplatableSignatureKeyResolver;
import io.gravitee.policy.v3.jwt.resolver.UserDefinedSignatureKeyResolver;
import io.vertx.core.Vertx;
import java.util.List;
import java.util.concurrent.CompletableFuture;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;
import org.springframework.core.env.Environment;
import org.springframework.util.ObjectUtils;

/* loaded from: input_file:io/gravitee/policy/v3/jwt/JWTPolicyV3.class */
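/**
 * Request-phase JWT policy for the v3 gateway engine.
 *
 * <p>On each request it extracts a token with {@link TokenExtractor}, validates it with a key
 * processor chosen from {@link JWTPolicyConfiguration} (JWKS URL, user-supplied key or gateway
 * keys), then publishes the token, client id, user and (optionally) all claims as execution-context
 * attributes before handing the request on. Any extraction or validation failure ends the chain
 * with a 401 {@value #UNAUTHORIZED_MESSAGE}.
 *
 * <p>Instances hold only the immutable policy configuration; thread-safety otherwise depends on
 * the objects passed in per request.
 */
public class JWTPolicyV3 {

    private static final Logger LOGGER = LoggerFactory.getLogger(JWTPolicyV3.class);

    /** Prefix shared by the context attributes written by this policy. */
    public static final String CONTEXT_ATTRIBUTE_PREFIX = "jwt.";
    /** Context attribute holding the full claim map (only when {@code extractClaims} is enabled). */
    public static final String CONTEXT_ATTRIBUTE_JWT_CLAIMS = "jwt.claims";
    /** Context attribute holding the raw token string. */
    public static final String CONTEXT_ATTRIBUTE_TOKEN = "jwt.token";
    /** Claim consulted last when resolving the client id. */
    public static final String CONTEXT_ATTRIBUTE_CLIENT_ID = "client_id";
    /** Audience claim; consulted second when resolving the client id. */
    public static final String CONTEXT_ATTRIBUTE_AUDIENCE = "aud";
    /** Authorized-party claim; consulted first when resolving the client id. */
    public static final String CONTEXT_ATTRIBUTE_AUTHORIZED_PARTY = "azp";
    public static final String CONTEXT_ATTRIBUTE_OAUTH_PREFIX = "oauth.";
    /** Context attribute receiving the resolved client id. */
    public static final String CONTEXT_ATTRIBUTE_OAUTH_CLIENT_ID = "oauth.client_id";
    public static final String UNAUTHORIZED_MESSAGE = "Unauthorized";
    /** Failure key used when no token could be extracted or no key processor could be built. */
    public static final String JWT_MISSING_TOKEN_KEY = "JWT_MISSING_TOKEN";
    /** Failure key used when a token was found but did not validate. */
    public static final String JWT_INVALID_TOKEN_KEY = "JWT_INVALID_TOKEN";
    static final String errorMessageFormat = "[api-id:%s] [request-id:%s] [request-path:%s] %s";

    /** MDC key carrying the API id around the log statements of this policy. */
    private static final String MDC_API_KEY = "api";
    private static final String API_ATTRIBUTE = "gravitee.attribute.api";
    private static final String USER_ATTRIBUTE = "gravitee.attribute.user";
    private static final String AUTHORIZATION_HEADER = "Authorization";

    protected JWTPolicyConfiguration configuration;

    /**
     * Creates the policy.
     *
     * @param jWTPolicyConfiguration policy settings (key resolver, signature, claim names, flags)
     */
    public JWTPolicyV3(JWTPolicyConfiguration jWTPolicyConfiguration) {
        this.configuration = jWTPolicyConfiguration;
    }

    /**
     * Extracts and validates the request token, then either continues the chain with the
     * token-derived attributes set, or fails it with a 401.
     *
     * <p>Two distinct failure keys are used: {@link #JWT_MISSING_TOKEN_KEY} when the token cannot
     * be extracted or the key processor cannot be built (synchronous failure), and
     * {@link #JWT_INVALID_TOKEN_KEY} when validation completes exceptionally or attribute
     * population throws (asynchronous failure).
     *
     * @param request          incoming request; its {@code Authorization} header is removed unless
     *                         {@code propagateAuthHeader} is configured
     * @param response         response handed to {@link PolicyChain#doNext}
     * @param executionContext context receiving the {@code jwt.*}, {@code oauth.client_id} and
     *                         user attributes
     * @param policyChain      chain to continue or fail
     */
    @OnRequest
    public void onRequest(Request request, Response response, ExecutionContext executionContext, PolicyChain policyChain) {
        final String apiId = String.valueOf(executionContext.getAttribute(API_ATTRIBUTE));
        final String token;
        final CompletableFuture<JWTClaimsSet> validation;
        try {
            token = TokenExtractor.extract(request);
            validation = validate(executionContext, token);
        } catch (Exception e) {
            // Nothing was validated yet: reject as "missing token" rather than "invalid token".
            MDC.put(MDC_API_KEY, apiId);
            LOGGER.error(String.format(errorMessageFormat, apiId, request.id(), request.path(), e.getMessage()), e.getCause());
            MDC.remove(MDC_API_KEY);
            policyChain.failWith(PolicyResult.failure(JWT_MISSING_TOKEN_KEY, 401, UNAUTHORIZED_MESSAGE));
            return;
        }

        validation.whenComplete((claims, th) -> {
            // NOTE(review): the MDC "api" entry is only removed in this callback, never put;
            // confirm whether a put was intended so validation logs carry the API id.
            try {
                if (th != null) {
                    reportValidationFailure(request, apiId, th);
                    policyChain.failWith(PolicyResult.failure(JWT_INVALID_TOKEN_KEY, 401, UNAUTHORIZED_MESSAGE));
                    return;
                }
                executionContext.setAttribute(CONTEXT_ATTRIBUTE_TOKEN, token);
                executionContext.setAttribute(CONTEXT_ATTRIBUTE_OAUTH_CLIENT_ID, getClientId(claims));
                String user = resolveUser(claims);
                executionContext.setAttribute(USER_ATTRIBUTE, user);
                request.metrics().setUser(user);
                if (this.configuration.isExtractClaims()) {
                    executionContext.setAttribute(CONTEXT_ATTRIBUTE_JWT_CLAIMS, claims.getClaims());
                }
                if (!this.configuration.isPropagateAuthHeader()) {
                    // Default is to strip the header so the raw token does not travel further down the chain.
                    request.headers().remove(AUTHORIZATION_HEADER);
                }
                policyChain.doNext(request, response);
            } catch (Exception e) {
                // Also reached if doNext itself throws; whether PolicyChain tolerates failWith after
                // doNext is not visible here (kept as in the original).
                LOGGER.error(String.format(errorMessageFormat, apiId, request.id(), request.path(), e.getMessage()), e.getCause());
                policyChain.failWith(PolicyResult.failure(JWT_INVALID_TOKEN_KEY, 401, UNAUTHORIZED_MESSAGE));
            } finally {
                MDC.remove(MDC_API_KEY);
            }
        });
    }

    /**
     * Logs a failed validation and records a message on the request metrics.
     *
     * <p>An {@link InvalidTokenException} is the expected outcome for a bad token and is logged at
     * debug level only; anything else is logged as an error. Cause chains are walked defensively:
     * the original code dereferenced {@code th.getCause().getCause()} unconditionally and would
     * throw a {@link NullPointerException} when a cause was absent.
     *
     * @param request request whose metrics receive the message
     * @param apiId   API id for the log line
     * @param th      throwable the validation future completed with
     */
    private void reportValidationFailure(Request request, String apiId, Throwable th) {
        Throwable cause = th.getCause();
        String logMessage = String.format(errorMessageFormat, apiId, request.id(), request.path(), th.getMessage());
        if (cause instanceof InvalidTokenException) {
            LOGGER.debug(logMessage, cause);
            Throwable root = cause.getCause() != null ? cause.getCause() : cause;
            request.metrics().setMessage(root.getMessage());
        } else {
            LOGGER.error(logMessage, cause);
            request.metrics().setMessage(cause != null ? cause.getMessage() : th.getMessage());
        }
    }

    /**
     * Resolves the user to attach to the request: the configured user claim when one is set,
     * otherwise the token subject.
     *
     * @param claims validated claims
     * @return user identifier, possibly {@code null} when the claim is absent
     * @throws ClassCastException if the configured user claim is not a string
     */
    private String resolveUser(JWTClaimsSet claims) {
        String userClaim = this.configuration.getUserClaim();
        if (userClaim == null || userClaim.isEmpty()) {
            return claims.getSubject();
        }
        return (String) claims.getClaim(userClaim);
    }

    /**
     * Resolves the client id from the token.
     *
     * <p>When a client-id claim is configured it is used exclusively. Otherwise the claims are
     * tried in order: {@code azp} (if non-empty), then {@code aud} (first entry when it is a list),
     * then {@code client_id}.
     *
     * @param jWTClaimsSet validated claims
     * @return client id, or {@code null} if none of the claims is present
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public String getClientId(JWTClaimsSet jWTClaimsSet) {
        String configuredClaim = this.configuration.getClientIdClaim();
        if (!ObjectUtils.isEmpty(configuredClaim)) {
            return extractClientId(jWTClaimsSet.getClaim(configuredClaim));
        }
        String authorizedParty = (String) jWTClaimsSet.getClaim(CONTEXT_ATTRIBUTE_AUTHORIZED_PARTY);
        if (authorizedParty != null && !authorizedParty.isEmpty()) {
            return authorizedParty;
        }
        // NOTE(review): a multi-valued audience yields its first entry; confirm that is the intended choice.
        String audience = extractClientId(jWTClaimsSet.getClaim(CONTEXT_ATTRIBUTE_AUDIENCE));
        if (audience != null) {
            return audience;
        }
        return (String) jWTClaimsSet.getClaim(CONTEXT_ATTRIBUTE_CLIENT_ID);
    }

    /**
     * Normalises a claim value to a single client id string.
     *
     * @param obj claim value: {@code null}, a string, or a list whose first element is used
     * @return the client id, or {@code null} for a {@code null} or empty-list value
     * @throws ClassCastException if the value (or the list's first element) is not a string
     */
    protected String extractClientId(Object obj) {
        if (obj == null) {
            return null;
        }
        if (obj instanceof List) {
            List<?> values = (List<?>) obj;
            // An empty list previously raised IndexOutOfBoundsException; treat it as "no client id".
            return values.isEmpty() ? null : (String) values.get(0);
        }
        return (String) obj;
    }

    /**
     * Builds the key processor matching the configured public-key resolver and signature, and
     * starts validation of the token.
     *
     * @param executionContext provides the template engine and gateway components
     * @param token            raw token to validate
     * @return future completing with the validated claims, or exceptionally on failure
     * @throws Exception when the processor cannot be built (unknown resolver, unsupported
     *                   signature) or when {@code process} fails synchronously
     */
    private CompletableFuture<JWTClaimsSet> validate(ExecutionContext executionContext, String token) throws Exception {
        Signature signature = this.configuration.getSignature();
        AbstractKeyProcessor keyProcessor;
        if (this.configuration.getPublicKeyResolver() == KeyResolver.JWKS_URL) {
            keyProcessor = new JWKSKeyProcessor();
            keyProcessor.setJwkSourceResolver(new URLJWKSourceResolver(
                    executionContext.getTemplateEngine(),
                    this.configuration.getResolverParameter(),
                    new VertxResourceRetriever(
                            (Vertx) executionContext.getComponent(Vertx.class),
                            (Configuration) executionContext.getComponent(Configuration.class),
                            this.configuration.isUseSystemProxy())));
        } else {
            SignatureKeyResolver keyResolver = buildSignatureKeyResolver(executionContext, token);
            keyProcessor = buildLocalKeyProcessor(signature, keyResolver);
        }
        return keyProcessor.process(signature, token);
    }

    /**
     * Chooses the key resolver for the non-JWKS resolver modes.
     *
     * @param executionContext provides the template engine / environment component
     * @param token            raw token, handed to the gateway-keys resolver
     * @return resolver for {@code GIVEN_KEY} or {@code GATEWAY_KEYS}
     * @throws IllegalArgumentException for any other resolver value
     */
    private SignatureKeyResolver buildSignatureKeyResolver(ExecutionContext executionContext, String token) {
        switch (this.configuration.getPublicKeyResolver()) {
            case GIVEN_KEY:
                return new TemplatableSignatureKeyResolver(
                        executionContext.getTemplateEngine(),
                        new UserDefinedSignatureKeyResolver(this.configuration.getResolverParameter()));
            case GATEWAY_KEYS:
                return new GatewaySignatureKeyResolver((Environment) executionContext.getComponent(Environment.class), token);
            default:
                throw new IllegalArgumentException("Unexpected signature key resolver");
        }
    }

    /**
     * Builds the processor for a locally resolved key.
     *
     * <p>With no configured signature the {@link NoAlgorithmRSAKeyProcessor} is used (which
     * algorithms it then accepts is defined in that class, not here). Previously an unhandled
     * signature constant left the processor {@code null} and failed later with a
     * {@link NullPointerException}; it now fails immediately with a clear message.
     *
     * @param signature   configured signature, may be {@code null}
     * @param keyResolver resolver supplying the key material
     * @return configured RSA or HMAC processor
     * @throws IllegalArgumentException for a signature constant this policy does not handle
     */
    private static AbstractKeyProcessor buildLocalKeyProcessor(Signature signature, SignatureKeyResolver keyResolver) {
        AbstractKeyProcessor processor;
        if (signature == null) {
            processor = new NoAlgorithmRSAKeyProcessor();
            processor.setJwkSourceResolver(new RSAJWKSourceResolver(keyResolver));
            return processor;
        }
        switch (signature) {
            case RSA_RS256:
            case RSA_RS384:
            case RSA_RS512:
                processor = new RSAKeyProcessor();
                processor.setJwkSourceResolver(new RSAJWKSourceResolver(keyResolver));
                return processor;
            case HMAC_HS256:
            case HMAC_HS384:
            case HMAC_HS512:
                processor = new HMACKeyProcessor();
                processor.setJwkSourceResolver(new MACJWKSourceResolver(keyResolver));
                return processor;
            default:
                throw new IllegalArgumentException("Unsupported signature algorithm: " + signature);
        }
    }
}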
