package io.gravitee.policy.v3.oauth2;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
import io.gravitee.gateway.api.ExecutionContext;
import io.gravitee.gateway.api.Request;
import io.gravitee.gateway.api.Response;
import io.gravitee.gateway.api.handler.Handler;
import io.gravitee.policy.api.PolicyChain;
import io.gravitee.policy.api.PolicyResult;
import io.gravitee.policy.api.annotations.OnRequest;
import io.gravitee.policy.api.annotations.RequireResource;
import io.gravitee.policy.oauth2.configuration.OAuth2PolicyConfiguration;
import io.gravitee.policy.oauth2.resource.CacheElement;
import io.gravitee.resource.api.ResourceManager;
import io.gravitee.resource.cache.api.CacheResource;
import io.gravitee.resource.cache.api.Element;
import io.gravitee.resource.oauth2.api.OAuth2Resource;
import io.gravitee.resource.oauth2.api.OAuth2Response;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;

@RequireResource
/* loaded from: input_file:io/gravitee/policy/v3/oauth2/Oauth2PolicyV3.class */
public class Oauth2PolicyV3 {
    private final Logger logger = LoggerFactory.getLogger(Oauth2PolicyV3.class);
    public static final String BEARER_AUTHORIZATION_TYPE = "Bearer";
    public static final String OAUTH_PAYLOAD_SCOPE_NODE = "scope";
    public static final String OAUTH_PAYLOAD_SCOPE_NODE_LEGACY = "scp";
    public static final String OAUTH_PAYLOAD_CLIENT_ID_NODE = "client_id";
    public static final String OAUTH_PAYLOAD_SUB_NODE = "sub";
    public static final String OAUTH_PAYLOAD_EXP = "exp";
    public static final String CONTEXT_ATTRIBUTE_PREFIX = "oauth.";
    public static final String CONTEXT_ATTRIBUTE_OAUTH_PAYLOAD = "oauth.payload";
    public static final String CONTEXT_ATTRIBUTE_OAUTH_ACCESS_TOKEN = "oauth.access_token";
    public static final String CONTEXT_ATTRIBUTE_CLIENT_ID = "oauth.client_id";
    public static final String OAUTH2_MISSING_SERVER_KEY = "OAUTH2_MISSING_SERVER";
    public static final String OAUTH2_MISSING_HEADER_KEY = "OAUTH2_MISSING_HEADER";
    public static final String OAUTH2_MISSING_ACCESS_TOKEN_KEY = "OAUTH2_MISSING_ACCESS_TOKEN";
    public static final String OAUTH2_INVALID_ACCESS_TOKEN_KEY = "OAUTH2_INVALID_ACCESS_TOKEN";
    public static final String OAUTH2_INVALID_SERVER_RESPONSE_KEY = "OAUTH2_INVALID_SERVER_RESPONSE";
    public static final String OAUTH2_INSUFFICIENT_SCOPE_KEY = "OAUTH2_INSUFFICIENT_SCOPE";
    public static final String OAUTH2_SERVER_UNAVAILABLE_KEY = "OAUTH2_SERVER_UNAVAILABLE";
    public static final String OAUTH2_UNAUTHORIZED_MESSAGE = "Unauthorized";
    public static final String OAUTH2_TEMPORARILY_UNAVAILABLE_MESSAGE = "temporarily_unavailable";
    static final ObjectMapper MAPPER = new ObjectMapper();
    protected final OAuth2PolicyConfiguration oAuth2PolicyConfiguration;

    public Oauth2PolicyV3(OAuth2PolicyConfiguration oAuth2PolicyConfiguration) {
        this.oAuth2PolicyConfiguration = oAuth2PolicyConfiguration;
    }

    @OnRequest
    public void onRequest(Request request, Response response, ExecutionContext executionContext, PolicyChain policyChain) {
        this.logger.debug("Read access_token from request {}", request.id());
        this.oAuth2PolicyConfiguration.setOauthResource((String) executionContext.getTemplateEngine().getValue(this.oAuth2PolicyConfiguration.getOauthResource(), String.class));
        OAuth2Resource oAuth2Resource = (OAuth2Resource) ((ResourceManager) executionContext.getComponent(ResourceManager.class)).getResource(this.oAuth2PolicyConfiguration.getOauthResource(), OAuth2Resource.class);
        if (oAuth2Resource == null) {
            policyChain.failWith(PolicyResult.failure(OAUTH2_MISSING_SERVER_KEY, 401, OAUTH2_UNAUTHORIZED_MESSAGE));
            return;
        }
        String str = request.headers().get("Authorization");
        if (str == null || str.isEmpty() || !StringUtils.startsWithIgnoreCase(str, BEARER_AUTHORIZATION_TYPE)) {
            sendError(OAUTH2_MISSING_HEADER_KEY, response, policyChain);
            return;
        }
        String trim = str.substring(BEARER_AUTHORIZATION_TYPE.length()).trim();
        if (trim.isEmpty()) {
            sendError(OAUTH2_MISSING_ACCESS_TOKEN_KEY, response, policyChain);
            return;
        }
        executionContext.setAttribute(CONTEXT_ATTRIBUTE_OAUTH_ACCESS_TOKEN, trim);
        CacheResource cacheResource = (CacheResource) ((ResourceManager) executionContext.getComponent(ResourceManager.class)).getResource(this.oAuth2PolicyConfiguration.getOauthCacheResource(), CacheResource.class);
        if (cacheResource != null) {
            Element element = cacheResource.getCache(executionContext).get(trim);
            if (element != null) {
                handleSuccess(policyChain, request, response, executionContext, (String) element.value(), null);
            } else {
                oAuth2Resource.introspect(trim, handleResponse(policyChain, request, response, executionContext, cacheResource));
            }
        } else {
            oAuth2Resource.introspect(trim, handleResponse(policyChain, request, response, executionContext, null));
        }
        if (this.oAuth2PolicyConfiguration.isPropagateAuthHeader()) {
            return;
        }
        request.headers().remove("Authorization");
    }

    Handler<OAuth2Response> handleResponse(PolicyChain policyChain, Request request, Response response, ExecutionContext executionContext, CacheResource cacheResource) {
        return oAuth2Response -> {
            if (oAuth2Response.isSuccess()) {
                handleSuccess(policyChain, request, response, executionContext, oAuth2Response.getPayload(), cacheResource);
                return;
            }
            response.headers().add("WWW-Authenticate", "Bearer realm=gravitee.io");
            if (oAuth2Response.getThrowable() == null) {
                policyChain.failWith(PolicyResult.failure(OAUTH2_INVALID_ACCESS_TOKEN_KEY, 401, OAUTH2_UNAUTHORIZED_MESSAGE));
            } else {
                policyChain.failWith(PolicyResult.failure(OAUTH2_SERVER_UNAVAILABLE_KEY, 503, OAUTH2_TEMPORARILY_UNAVAILABLE_MESSAGE));
            }
        };
    }

    private void handleSuccess(PolicyChain policyChain, Request request, Response response, ExecutionContext executionContext, String str, CacheResource cacheResource) {
        JsonNode readPayload = readPayload(str);
        if (readPayload == null) {
            sendError(OAUTH2_INVALID_SERVER_RESPONSE_KEY, response, policyChain);
            return;
        }
        String asText = readPayload.path("client_id").asText();
        if (asText != null && !asText.trim().isEmpty()) {
            executionContext.setAttribute(CONTEXT_ATTRIBUTE_CLIENT_ID, asText);
        }
        OAuth2Resource oAuth2Resource = (OAuth2Resource) ((ResourceManager) executionContext.getComponent(ResourceManager.class)).getResource(this.oAuth2PolicyConfiguration.getOauthResource(), OAuth2Resource.class);
        String asText2 = readPayload.path(oAuth2Resource.getUserClaim() == null ? "sub" : oAuth2Resource.getUserClaim()).asText();
        if (asText2 != null && !asText2.trim().isEmpty()) {
            executionContext.setAttribute("gravitee.attribute.user", asText2);
            request.metrics().setUser(asText2);
        }
        List<String> extractScopes = extractScopes(readPayload, oAuth2Resource.getScopeSeparator());
        executionContext.setAttribute("gravitee.attribute.user.roles", extractScopes);
        if (this.oAuth2PolicyConfiguration.isCheckRequiredScopes() && !hasRequiredScopes(extractScopes, this.oAuth2PolicyConfiguration.getRequiredScopes(), this.oAuth2PolicyConfiguration.isModeStrict())) {
            sendError(OAUTH2_INSUFFICIENT_SCOPE_KEY, response, policyChain);
            return;
        }
        if (this.oAuth2PolicyConfiguration.isExtractPayload()) {
            executionContext.setAttribute(CONTEXT_ATTRIBUTE_OAUTH_PAYLOAD, str);
        }
        if (cacheResource != null) {
            CacheElement cacheElement = new CacheElement((String) executionContext.getAttribute(CONTEXT_ATTRIBUTE_OAUTH_ACCESS_TOKEN), str);
            if (readPayload.has("exp")) {
                cacheElement.setTimeToLive(Long.valueOf(readPayload.get("exp").asLong() - (System.currentTimeMillis() / 1000)).intValue());
            }
            cacheResource.getCache(executionContext).put(cacheElement);
        }
        policyChain.doNext(request, response);
    }

    private void sendError(String str, Response response, PolicyChain policyChain) {
        response.headers().add("WWW-Authenticate", "Bearer realm=\"gravitee.io\"");
        policyChain.failWith(PolicyResult.failure(str, 401, OAUTH2_UNAUTHORIZED_MESSAGE));
    }

    protected JsonNode readPayload(String str) {
        try {
            return MAPPER.readTree(str);
        } catch (IOException e) {
            this.logger.error("Unable to check required scope from introspection endpoint payload: {}", str);
            return null;
        }
    }

    protected static List<String> extractScopes(JsonNode jsonNode, String str) {
        List<String> asList;
        JsonNode path = jsonNode.path("scope");
        if (path.isMissingNode()) {
            path = jsonNode.path("scp");
        }
        if (path instanceof ArrayNode) {
            Iterator elements = path.elements();
            asList = new ArrayList(path.size());
            elements.forEachRemaining(jsonNode2 -> {
                asList.add(jsonNode2.asText());
            });
        } else {
            asList = Arrays.asList(path.asText().split(str));
        }
        return asList;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static boolean hasRequiredScopes(Collection<String> collection, List<String> list, boolean z) {
        if (list == null || list.isEmpty()) {
            return true;
        }
        if (collection == null || collection.isEmpty()) {
            return false;
        }
        if (z) {
            return collection.containsAll(list);
        }
        Stream<String> stream = collection.stream();
        Objects.requireNonNull(list);
        return stream.anyMatch((v1) -> {
            return r1.contains(v1);
        });
    }
}
