package io.jans.as.server.authzen.ws.rs;

import io.jans.as.common.model.registration.Client;
import io.jans.as.model.common.FeatureFlagType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.server.model.common.AbstractToken;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.ExecutionContext;
import io.jans.as.server.service.ClientService;
import io.jans.as.server.service.ScopeService;
import io.jans.as.server.service.external.ExternalAccessEvaluationService;
import io.jans.as.server.service.token.TokenService;
import io.jans.model.authzen.AccessEvaluationRequest;
import io.jans.model.authzen.AccessEvaluationResponse;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.BooleanUtils;
import org.slf4j.Logger;

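/**
 * Service behind the access evaluation ({@code /evaluation}) endpoint.
 *
 * <p>It has two independent entry points: {@link #evaluation} runs the evaluation itself and
 * {@link #validateAuthorization} decides whether the caller may use the endpoint. Note that
 * {@link #evaluation} does not call {@link #validateAuthorization}; whoever exposes this service
 * is responsible for calling the authorization check first.
 */
@ApplicationScoped
public class AccessEvaluationService {
    /** Scope that the bearer token's grant, or the Basic-authenticated client, must hold. */
    public static final String ACCESS_EVALUATION_SCOPE = "access_evaluation";

    /** Single source for the text that is both logged and returned in the 401 response body. */
    private static final String INVALID_AUTHORIZATION_MESSAGE = "Authorization is not valid. Please provide valid authorization in 'Authorization' header.";

    @Inject
    private Logger log;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private ExternalAccessEvaluationService externalAccessEvaluationService;

    @Inject
    private AccessEvaluationValidator accessEvaluationValidator;

    @Inject
    private TokenService tokenService;

    @Inject
    private ClientService clientService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private ScopeService scopeService;

    /**
     * Runs an access evaluation request through the external evaluation service.
     *
     * <p>The {@code ACCESS_EVALUATION} feature flag and the request are checked first; both checks
     * are implemented outside this class and are presumably rejecting by throwing (confirm against
     * {@code ErrorResponseFactory} and {@code AccessEvaluationValidator}). No caller authorization
     * is performed here.
     *
     * @param accessEvaluationRequest request to evaluate
     * @param executionContext context handed through to the external evaluation service
     * @return the response produced by the external evaluation service
     */
    public AccessEvaluationResponse evaluation(AccessEvaluationRequest accessEvaluationRequest, ExecutionContext executionContext) {
        this.errorResponseFactory.validateFeatureEnabled(FeatureFlagType.ACCESS_EVALUATION);
        this.accessEvaluationValidator.validateAccessEvaluationRequest(accessEvaluationRequest);
        AccessEvaluationResponse externalEvaluate = this.externalAccessEvaluationService.externalEvaluate(accessEvaluationRequest, executionContext);
        // NOTE(review): the full response object is written to the debug log; confirm that its
        // string form carries nothing that should stay out of log files.
        this.log.debug("Access Evaluation response {}", externalEvaluate);
        return externalEvaluate;
    }

    /**
     * Authorizes a caller of the evaluation endpoint, or rejects the call with HTTP 401.
     *
     * <p>Two mechanisms are tried in order:
     * <ol>
     *   <li>Bearer token: a grant must be found, its access token must be valid and the grant's
     *       scopes must contain {@link #ACCESS_EVALUATION_SCOPE}.</li>
     *   <li>Basic client authentication, only when
     *       {@code accessEvaluationAllowBasicClientAuthorization} is {@code true} in the
     *       configuration: the client must authenticate and must itself hold
     *       {@link #ACCESS_EVALUATION_SCOPE}.</li>
     * </ol>
     * Every failure, including malformed Basic credentials, ends in the same 401 response so the
     * caller cannot tell which step failed.
     *
     * @param str authorization value as received from the caller (presumably the raw
     *     {@code Authorization} header; it is handed to {@code TokenService} unparsed)
     * @throws WebApplicationException with status 401 when neither mechanism authorizes the caller
     */
    public void validateAuthorization(String str) {
        if (isAuthorizedByBearerToken(str)) {
            return;
        }
        if (BooleanUtils.isTrue(this.appConfiguration.getAccessEvaluationAllowBasicClientAuthorization()) && this.tokenService.isBasicAuthToken(str)) {
            this.log.debug("Trying to perform basic client authorization ...");
            if (isAuthorizedByBasicClientCredentials(str)) {
                return;
            }
            this.log.debug("Unable to perform basic client authorization.");
        }
        this.log.error(INVALID_AUTHORIZATION_MESSAGE);
        throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).type(MediaType.APPLICATION_JSON_TYPE).entity(INVALID_AUTHORIZATION_MESSAGE).build());
    }

    /** Returns true when the bearer token resolves to a valid access token whose grant has the required scope. */
    private boolean isAuthorizedByBearerToken(String authorization) {
        AuthorizationGrant grant = this.tokenService.getBearerAuthorizationGrant(authorization);
        if (grant == null) {
            this.log.debug("Unable to find grant by bearer access token.");
            return false;
        }
        AbstractToken accessToken = grant.getAccessToken(this.tokenService.getBearerToken(authorization));
        if (accessToken == null || !accessToken.isValid()) {
            this.log.debug("Unable to find valid access token.");
            return false;
        }
        if (grant.getScopes() != null && grant.getScopes().contains(ACCESS_EVALUATION_SCOPE)) {
            this.log.debug("Authorized with bearer token.");
            return true;
        }
        this.log.error("access_token does not have {} scope.", ACCESS_EVALUATION_SCOPE);
        return false;
    }

    /** Returns true when the Basic credentials authenticate a client that holds the required scope. */
    private boolean isAuthorizedByBasicClientCredentials(String authorization) {
        byte[] decodedBytes = Base64.decodeBase64(this.tokenService.getBasicToken(authorization));
        if (decodedBytes == null) {
            // Defensive: a missing token must end in 401, not in a NullPointerException.
            return false;
        }
        String credentials = new String(decodedBytes, StandardCharsets.UTF_8);
        int delimiter = credentials.indexOf(":");
        if (delimiter == -1) {
            return false;
        }

        String clientId;
        String clientSecret;
        try {
            clientId = URLDecoder.decode(credentials.substring(0, delimiter), StandardCharsets.UTF_8);
            clientSecret = URLDecoder.decode(credentials.substring(delimiter + 1), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            // URLDecoder rejects malformed percent-escapes. The input is caller-controlled, so
            // treat it as a failed authentication instead of letting the exception escape.
            // The exception message quotes the offending input (possibly the secret): do not log it.
            this.log.debug("Basic credentials are not valid percent-encoded text.");
            return false;
        }

        if (!this.clientService.authenticate(clientId, clientSecret)) {
            return false;
        }
        this.log.debug("Authorized with basic client authentication successfully. client_id: {}", clientId);

        Client client = this.clientService.getClient(clientId);
        if (client == null) {
            // Fail closed if the client cannot be loaded after it authenticated.
            this.log.debug("Access denied to /evaluation endpoint. Client {} has no scope {}.", clientId, ACCESS_EVALUATION_SCOPE);
            return false;
        }
        // Authentication alone is not enough: the client itself must be assigned the scope.
        if (this.scopeService.getScopeIdsByDns(client.getScopes() != null ? Arrays.asList(client.getScopes()) : new ArrayList<>()).contains(ACCESS_EVALUATION_SCOPE)) {
            this.log.debug("Granted access to /evaluation endpoint. Client {} has scope {}.", clientId, ACCESS_EVALUATION_SCOPE);
            return true;
        }
        this.log.debug("Access denied to /evaluation endpoint. Client {} has no scope {}.", clientId, ACCESS_EVALUATION_SCOPE);
        return false;
    }
}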
