package io.gravitee.policy.oauth2;

import io.gravitee.common.security.jwt.LazyJWT;
import io.gravitee.gateway.reactive.api.ExecutionFailure;
import io.gravitee.gateway.reactive.api.context.HttpExecutionContext;
import io.gravitee.gateway.reactive.api.policy.SecurityPolicy;
import io.gravitee.gateway.reactive.api.policy.SecurityToken;
import io.gravitee.policy.api.annotations.RequireResource;
import io.gravitee.policy.oauth2.configuration.OAuth2PolicyConfiguration;
import io.gravitee.policy.oauth2.introspection.TokenIntrospectionCache;
import io.gravitee.policy.oauth2.introspection.TokenIntrospectionResult;
import io.gravitee.policy.oauth2.resource.CacheElement;
import io.gravitee.policy.oauth2.utils.TokenExtractor;
import io.gravitee.policy.v3.oauth2.Oauth2PolicyV3;
import io.gravitee.resource.api.ResourceManager;
import io.gravitee.resource.cache.api.Cache;
import io.gravitee.resource.cache.api.CacheResource;
import io.gravitee.resource.cache.api.Element;
import io.gravitee.resource.oauth2.api.OAuth2Resource;
import io.reactivex.rxjava3.core.Completable;
import io.reactivex.rxjava3.core.Maybe;
import io.reactivex.rxjava3.core.Single;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RequireResource
/* loaded from: input_file:io/gravitee/policy/oauth2/Oauth2Policy.class */
public class Oauth2Policy extends Oauth2PolicyV3 implements SecurityPolicy {
    public static final String CONTEXT_ATTRIBUTE_JWT = "jwt";
    public static final String CONTEXT_ATTRIBUTE_TOKEN = "oauth.token";
    public static final String ATTR_INTERNAL_TOKEN_INTROSPECTIONS = "token-introspection-cache";
    private static final Logger log = LoggerFactory.getLogger(Oauth2Policy.class);

    public Oauth2Policy(OAuth2PolicyConfiguration oAuth2PolicyConfiguration) {
        super(oAuth2PolicyConfiguration);
    }

    public String id() {
        return "oauth2";
    }

    public int order() {
        return 100;
    }

    public boolean requireSubscription() {
        return true;
    }

    public Maybe<SecurityToken> extractSecurityToken(HttpExecutionContext httpExecutionContext) {
        OAuth2Resource<?> oauth2Resource = getOauth2Resource(httpExecutionContext);
        if (oauth2Resource != null) {
            return extractAccessToken(httpExecutionContext, true).flatMap(str -> {
                return introspectAccessToken(httpExecutionContext, str, oauth2Resource).toMaybe();
            }).flatMap(tokenIntrospectionResult -> {
                return tokenIntrospectionResult.hasClientId() ? Maybe.just(SecurityToken.forClientId(tokenIntrospectionResult.getClientId())) : Maybe.just(SecurityToken.invalid(SecurityToken.TokenType.CLIENT_ID));
            });
        }
        log.debug("Skipping security token extraction cause no oauth2 resource configured");
        return Maybe.empty();
    }

    public Completable onRequest(HttpExecutionContext httpExecutionContext) {
        return handleSecurity(httpExecutionContext);
    }

    private Completable handleSecurity(HttpExecutionContext httpExecutionContext) {
        return Completable.defer(() -> {
            log.debug("Read access_token from request {}", httpExecutionContext.request().id());
            OAuth2Resource<?> oauth2Resource = getOauth2Resource(httpExecutionContext);
            return oauth2Resource == null ? httpExecutionContext.interruptWith(new ExecutionFailure(401).key(Oauth2PolicyV3.OAUTH2_MISSING_SERVER_KEY).message(Oauth2PolicyV3.OAUTH2_UNAUTHORIZED_MESSAGE)) : extractAccessToken(httpExecutionContext, false).switchIfEmpty(Maybe.defer(() -> {
                return sendError(httpExecutionContext, Oauth2PolicyV3.OAUTH2_MISSING_HEADER_KEY).toMaybe();
            })).flatMapCompletable(str -> {
                if (str.isBlank()) {
                    return sendError(httpExecutionContext, Oauth2PolicyV3.OAUTH2_MISSING_ACCESS_TOKEN_KEY);
                }
                httpExecutionContext.setAttribute(Oauth2PolicyV3.CONTEXT_ATTRIBUTE_OAUTH_ACCESS_TOKEN, str);
                return introspectAndValidateAccessToken(httpExecutionContext, str, oauth2Resource);
            });
        }).doOnTerminate(() -> {
            if (this.oAuth2PolicyConfiguration.isPropagateAuthHeader()) {
                return;
            }
            httpExecutionContext.request().headers().remove("Authorization");
        });
    }

    private Maybe<String> extractAccessToken(HttpExecutionContext httpExecutionContext, boolean z) {
        return Maybe.defer(() -> {
            LazyJWT lazyJWT = z ? (LazyJWT) httpExecutionContext.getAttribute(CONTEXT_ATTRIBUTE_JWT) : null;
            if (lazyJWT == null) {
                Optional<String> extract = TokenExtractor.extract(httpExecutionContext.request());
                if (extract.isEmpty()) {
                    return Maybe.empty();
                }
                lazyJWT = new LazyJWT(extract.get());
                httpExecutionContext.setAttribute(CONTEXT_ATTRIBUTE_JWT, lazyJWT);
            }
            return Maybe.just(lazyJWT.getToken());
        }).doOnSuccess(str -> {
            httpExecutionContext.setAttribute(CONTEXT_ATTRIBUTE_TOKEN, str);
        });
    }

    private Completable validateOAuth2Payload(HttpExecutionContext httpExecutionContext, TokenIntrospectionResult tokenIntrospectionResult, OAuth2Resource<?> oAuth2Resource) {
        if (!tokenIntrospectionResult.hasValidPayload()) {
            return sendError(httpExecutionContext, Oauth2PolicyV3.OAUTH2_INVALID_SERVER_RESPONSE_KEY);
        }
        if (tokenIntrospectionResult.hasClientId()) {
            httpExecutionContext.setAttribute(Oauth2PolicyV3.CONTEXT_ATTRIBUTE_CLIENT_ID, tokenIntrospectionResult.getClientId());
        }
        String extractUser = tokenIntrospectionResult.extractUser(oAuth2Resource.getUserClaim());
        if (extractUser != null && !extractUser.trim().isEmpty()) {
            httpExecutionContext.setAttribute("gravitee.attribute.user", extractUser);
            httpExecutionContext.metrics().setUser(extractUser);
        }
        List<String> extractScopes = tokenIntrospectionResult.extractScopes(oAuth2Resource.getScopeSeparator());
        httpExecutionContext.setAttribute("gravitee.attribute.user.roles", extractScopes);
        if (this.oAuth2PolicyConfiguration.isCheckRequiredScopes() && !hasRequiredScopes(extractScopes, this.oAuth2PolicyConfiguration.getRequiredScopes(), this.oAuth2PolicyConfiguration.isModeStrict())) {
            return sendError(httpExecutionContext, Oauth2PolicyV3.OAUTH2_INSUFFICIENT_SCOPE_KEY);
        }
        if (this.oAuth2PolicyConfiguration.isExtractPayload()) {
            httpExecutionContext.setAttribute(Oauth2PolicyV3.CONTEXT_ATTRIBUTE_OAUTH_PAYLOAD, tokenIntrospectionResult.getOauth2ResponsePayload());
        }
        return Completable.complete();
    }

    protected Single<TokenIntrospectionResult> introspectAccessToken(HttpExecutionContext httpExecutionContext, String str, OAuth2Resource<?> oAuth2Resource) {
        Element element;
        TokenIntrospectionCache contextTokenIntrospectionCache = getContextTokenIntrospectionCache(httpExecutionContext);
        if (contextTokenIntrospectionCache.contains(str, oAuth2Resource)) {
            log.debug("Token as already been introspected by this Oauth resource on the current request. Re-using cached response.");
            return Single.just(contextTokenIntrospectionCache.get(str, oAuth2Resource).get());
        }
        Cache policyTokenIntrospectionCache = getPolicyTokenIntrospectionCache(httpExecutionContext);
        if (policyTokenIntrospectionCache == null || (element = policyTokenIntrospectionCache.get(str)) == null) {
            return Single.create(singleEmitter -> {
                Objects.requireNonNull(singleEmitter);
                oAuth2Resource.introspect(str, (v1) -> {
                    r2.onSuccess(v1);
                });
            }).map(TokenIntrospectionResult::new).doOnSuccess(tokenIntrospectionResult -> {
                fillTokenIntrospectionCache(str, oAuth2Resource, contextTokenIntrospectionCache, policyTokenIntrospectionCache, tokenIntrospectionResult);
            });
        }
        log.debug("Token as already been introspected in the policy level cache. Re-using cached response.");
        return Single.just(new TokenIntrospectionResult((String) element.value()));
    }

    private Completable introspectAndValidateAccessToken(HttpExecutionContext httpExecutionContext, String str, OAuth2Resource<?> oAuth2Resource) {
        return introspectAccessToken(httpExecutionContext, str, oAuth2Resource).flatMapCompletable(tokenIntrospectionResult -> {
            if (tokenIntrospectionResult.isSuccess()) {
                return validateOAuth2Payload(httpExecutionContext, tokenIntrospectionResult, oAuth2Resource);
            }
            httpExecutionContext.response().headers().add("WWW-Authenticate", "Bearer realm=gravitee.io ");
            return tokenIntrospectionResult.getOauth2ResponseThrowable() == null ? httpExecutionContext.interruptWith(new ExecutionFailure(401).key(Oauth2PolicyV3.OAUTH2_INVALID_ACCESS_TOKEN_KEY).message(Oauth2PolicyV3.OAUTH2_UNAUTHORIZED_MESSAGE)) : httpExecutionContext.interruptWith(new ExecutionFailure(503).key(Oauth2PolicyV3.OAUTH2_SERVER_UNAVAILABLE_KEY).message(Oauth2PolicyV3.OAUTH2_TEMPORARILY_UNAVAILABLE_MESSAGE));
        });
    }

    private Completable sendError(HttpExecutionContext httpExecutionContext, String str) {
        httpExecutionContext.response().headers().add("WWW-Authenticate", "Bearer realm=\"gravitee.io\"");
        return httpExecutionContext.interruptWith(new ExecutionFailure(401).key(str).message(Oauth2PolicyV3.OAUTH2_UNAUTHORIZED_MESSAGE));
    }

    private OAuth2Resource<?> getOauth2Resource(HttpExecutionContext httpExecutionContext) {
        if (this.oAuth2PolicyConfiguration.getOauthResource() == null) {
            return null;
        }
        return (OAuth2Resource) ((ResourceManager) httpExecutionContext.getComponent(ResourceManager.class)).getResource((String) httpExecutionContext.getTemplateEngine().getValue(this.oAuth2PolicyConfiguration.getOauthResource(), String.class), OAuth2Resource.class);
    }

    private Cache getPolicyTokenIntrospectionCache(HttpExecutionContext httpExecutionContext) {
        CacheResource cacheResource;
        if (this.oAuth2PolicyConfiguration.getOauthCacheResource() == null || (cacheResource = (CacheResource) ((ResourceManager) httpExecutionContext.getComponent(ResourceManager.class)).getResource(this.oAuth2PolicyConfiguration.getOauthCacheResource(), CacheResource.class)) == null) {
            return null;
        }
        return cacheResource.getCache(httpExecutionContext);
    }

    private TokenIntrospectionCache getContextTokenIntrospectionCache(HttpExecutionContext httpExecutionContext) {
        TokenIntrospectionCache tokenIntrospectionCache = (TokenIntrospectionCache) httpExecutionContext.getInternalAttribute(ATTR_INTERNAL_TOKEN_INTROSPECTIONS);
        if (tokenIntrospectionCache == null) {
            tokenIntrospectionCache = new TokenIntrospectionCache();
            httpExecutionContext.setInternalAttribute(ATTR_INTERNAL_TOKEN_INTROSPECTIONS, tokenIntrospectionCache);
        }
        return tokenIntrospectionCache;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void fillTokenIntrospectionCache(String str, OAuth2Resource<?> oAuth2Resource, TokenIntrospectionCache tokenIntrospectionCache, Cache cache, TokenIntrospectionResult tokenIntrospectionResult) {
        tokenIntrospectionCache.put(str, oAuth2Resource, tokenIntrospectionResult);
        if (cache != null && tokenIntrospectionResult.isSuccess() && tokenIntrospectionResult.hasValidPayload()) {
            CacheElement cacheElement = new CacheElement(str, tokenIntrospectionResult.getOauth2ResponsePayload());
            if (tokenIntrospectionResult.hasExpirationTime()) {
                cacheElement.setTimeToLive(Long.valueOf(tokenIntrospectionResult.getExpirationTime().longValue() - (System.currentTimeMillis() / 1000)).intValue());
            }
            cache.put(cacheElement);
        }
    }
}
