package io.gravitee.policy.openid.userinfo;

import io.gravitee.gateway.api.ExecutionContext;
import io.gravitee.gateway.api.Request;
import io.gravitee.gateway.api.Response;
import io.gravitee.gateway.api.handler.Handler;
import io.gravitee.policy.api.PolicyChain;
import io.gravitee.policy.api.PolicyResult;
import io.gravitee.policy.api.annotations.OnRequest;
import io.gravitee.policy.openid.userinfo.configuration.UserInfoPolicyConfiguration;
import io.gravitee.resource.api.ResourceManager;
import io.gravitee.resource.oauth2.api.OAuth2Resource;
import io.gravitee.resource.oauth2.api.openid.UserInfoResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;

/* loaded from: input_file:io/gravitee/policy/openid/userinfo/UserInfoPolicy.class */
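/**
 * Gateway policy that reads an OAuth 2.0 bearer token from the {@code Authorization} request
 * header and submits it to the UserInfo endpoint of the configured {@link OAuth2Resource}.
 *
 * <p>On success the request continues down the policy chain. If the configuration enables payload
 * extraction, the UserInfo payload is stored in the execution context. On failure the chain is
 * stopped with a 401 (missing or rejected token) or a 503 (the UserInfo call itself failed).
 */
public class UserInfoPolicy {
    private static final Logger logger = LoggerFactory.getLogger(UserInfoPolicy.class);
    private static final String BEARER_TYPE = "Bearer";
    static final String CONTEXT_ATTRIBUTE_OAUTH_ACCESS_TOKEN = "oauth.access_token";
    static final String CONTEXT_ATTRIBUTE_OPENID_USERINFO_PAYLOAD = "openid.userinfo.payload";
    private final UserInfoPolicyConfiguration userInfoPolicyConfiguration;

    /**
     * Creates the policy.
     *
     * @param userInfoPolicyConfiguration names the OAuth2 resource to use and whether the UserInfo
     *     payload is copied into the execution context
     */
    public UserInfoPolicy(UserInfoPolicyConfiguration userInfoPolicyConfiguration) {
        this.userInfoPolicyConfiguration = userInfoPolicyConfiguration;
    }

    /**
     * Extracts the bearer token from the request and asks the OAuth2 resource for the user info.
     *
     * @param request incoming request; only its id and {@code Authorization} header are read
     * @param response response that receives a {@code WWW-Authenticate} header on rejection
     * @param executionContext source of the resource manager and template engine, and target of
     *     the {@code oauth.access_token} attribute
     * @param policyChain chain that is continued or failed depending on the outcome
     */
    @OnRequest
    public void onRequest(Request request, Response response, ExecutionContext executionContext, PolicyChain policyChain) {
        // Only the request id is logged; the token itself must never reach the logs.
        logger.debug("Read access_token from request {}", request.id());

        String resourceName = (String) executionContext.getTemplateEngine().getValue(this.userInfoPolicyConfiguration.getOauthResource(), String.class);
        ResourceManager resourceManager = (ResourceManager) executionContext.getComponent(ResourceManager.class);
        OAuth2Resource oAuth2Resource = (OAuth2Resource) resourceManager.getResource(resourceName, OAuth2Resource.class);
        if (oAuth2Resource == null) {
            // NOTE(review): a missing resource is a gateway misconfiguration, not a client error.
            // The 401 is kept for compatibility with existing callers.
            policyChain.failWith(PolicyResult.failure(401, "No OpenID Connect authorization server has been configured"));
            return;
        }

        // Check headers() for null before dereferencing it, so the guard can actually take effect.
        String authorization = request.headers() == null ? null : request.headers().get("Authorization");
        if (!hasBearerScheme(authorization)) {
            response.headers().add("WWW-Authenticate", "Bearer realm=gravitee.io - No OAuth authorization header was supplied");
            policyChain.failWith(PolicyResult.failure(401, "No OAuth authorization header was supplied"));
            return;
        }

        String accessToken = authorization.substring(BEARER_TYPE.length()).trim();
        if (accessToken.isEmpty()) {
            response.headers().add("WWW-Authenticate", "Bearer realm=gravitee.io - No OAuth access token was supplied");
            policyChain.failWith(PolicyResult.failure(401, "No OAuth access token was supplied"));
            return;
        }

        // The raw token becomes visible to every later policy through this attribute.
        executionContext.setAttribute(CONTEXT_ATTRIBUTE_OAUTH_ACCESS_TOKEN, accessToken);
        oAuth2Resource.userInfo(accessToken, handleResponse(policyChain, request, response, executionContext));
    }

    /**
     * Tells whether a header value uses the {@code Bearer} scheme, compared case-insensitively.
     *
     * <p>The scheme name must be the whole value or be followed by whitespace. A bare prefix match
     * would accept a value such as {@code "BearerXYZ"} and forward {@code "XYZ"} as a token.
     */
    private static boolean hasBearerScheme(String headerValue) {
        if (headerValue == null || !StringUtils.startsWithIgnoreCase(headerValue, BEARER_TYPE)) {
            return false;
        }
        return headerValue.length() == BEARER_TYPE.length()
                || Character.isWhitespace(headerValue.charAt(BEARER_TYPE.length()));
    }

    /**
     * Builds the callback that turns the UserInfo outcome into a chain decision.
     *
     * @return handler that continues the chain on success, fails with 401 and the UserInfo payload
     *     when the call completed without success, and fails with 503 when a throwable was reported
     */
    private Handler<UserInfoResponse> handleResponse(PolicyChain policyChain, Request request, Response response, ExecutionContext executionContext) {
        return userInfoResponse -> {
            if (userInfoResponse.isSuccess()) {
                if (this.userInfoPolicyConfiguration.isExtractPayload()) {
                    executionContext.setAttribute(CONTEXT_ATTRIBUTE_OPENID_USERINFO_PAYLOAD, userInfoResponse.getPayload());
                }
                policyChain.doNext(request, response);
                return;
            }

            Throwable failure = userInfoResponse.getThrowable();
            if (failure == null) {
                response.headers().add("WWW-Authenticate", String.format("%s realm=gravitee.io - Invalid OAuth access token was supplied", BEARER_TYPE));
                // NOTE(review): the UserInfo error payload is sent to the client as-is; confirm
                // it never carries details that should stay internal.
                policyChain.failWith(PolicyResult.failure(401, userInfoResponse.getPayload(), "application/json"));
                return;
            }

            // Keep the exception text server-side. Copying it into a response header would expose
            // internal details (hosts, stack hints) to the caller, and a message containing CR/LF
            // could corrupt the header block.
            logger.error("UserInfo call failed for request {}", request.id(), failure);
            response.headers().add("WWW-Authenticate", String.format("%s realm=gravitee.io - Error occurs during OAuth access token validation", BEARER_TYPE));
            policyChain.failWith(PolicyResult.failure(503, "Service Unavailable"));
        };
    }
}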
