package io.jans.configapi.security.service;

import io.jans.as.model.common.IntrospectionResponse;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.configapi.core.util.Jackson;
import io.jans.configapi.core.util.ProtectionScopeType;
import io.jans.configapi.util.JwtUtil;
import jakarta.annotation.Priority;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Alternative;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.container.ResourceInfo;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.Response;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;

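/**
 * OAuth / OpenID based authorization for Config API requests.
 *
 * <p>Takes the {@code Authorization} header value of a request, strips the
 * {@code Bearer} scheme, and validates the token either as a JWT (via
 * {@link JwtUtil}) or, for opaque reference tokens, via introspection at the
 * OpenID provider ({@link OpenIdService}). The token's scopes are then
 * compared with the scopes the target resource requires; when only the
 * "auth-specific" scopes are missing, a fresh client-credentials token that
 * carries them is obtained and returned instead.
 *
 * <p>Scope lookup helpers ({@code getRequestedScopes}, {@code getAllScopeList},
 * {@code getAuthSpecificScopeRequired}, {@code isEqualCollection},
 * {@code containsAnyElement}, {@code findMissingElements},
 * {@code validateScope(List, List)}) and the {@code authUtil} /
 * {@code configurationFactory} fields are inherited from
 * {@link AuthorizationService} and are not shown here.
 *
 * <p>Every policy rejection is surfaced as a {@link WebApplicationException}
 * with {@code 401 Unauthorized}; only unexpected failures map to {@code 500}.
 * Tokens are written to the log at DEBUG/TRACE level for diagnostics, so DEBUG
 * logging for this class should stay disabled outside of troubleshooting.
 */
@ApplicationScoped
@Named("openIdAuthorizationService")
@Alternative
@Priority(1)
public class OpenIdAuthorizationService extends AuthorizationService implements Serializable {
    private static final long serialVersionUID = 1;
    /** RFC 6750 scheme prefix, including the separating space, as returned to callers. */
    private static final String AUTHENTICATION_SCHEME = "Bearer ";

    @Inject
    transient Logger logger;

    @Context
    transient HttpServletRequest request;

    @Context
    transient HttpServletResponse response;

    @Inject
    transient JwtUtil jwtUtil;

    @Inject
    OpenIdService openIdService;

    @Inject
    ExternalInterceptionService externalInterceptionService;

    /**
     * Validates the bearer token of a request and checks its scopes against the resource.
     *
     * @param str          the raw {@code Authorization} header value ({@code Bearer <token>})
     * @param str2         issuer from the request header; may be blank, in which case no
     *                     issuer check is performed (the issuer is then presumably resolved
     *                     from configuration downstream — confirm against {@code authUtil})
     * @param resourceInfo the JAX-RS resource being accessed, used to look up required scopes
     * @param str3         HTTP method, passed to the external authorization script
     * @param str4         request path, passed to the external authorization script
     * @return the {@code Bearer}-prefixed token the caller should proceed with; this is the
     *         original token, or a newly issued one when auth-specific scopes had to be added
     * @throws WebApplicationException with 401 when the token is blank, not a bearer token,
     *         issued by an invalid issuer, an invalid JWT, inactive, or lacks required scopes;
     *         with 500 on unexpected failures while checking scopes
     */
    @Override
    public String processAuthorization(String str, String str2, ResourceInfo resourceInfo, String str3, String str4) throws WebApplicationException, Exception {
        logger.debug("oAuth  Authorization parameters , token:{}, issuer:{}, resourceInfo:{}, method: {}, path: {} ", str, str2, resourceInfo, str3, str4);
        if (StringUtils.isBlank(str)) {
            logger.error("Token is blank !!!");
            throw unauthorized("Token is blank.");
        }

        logger.info("Validate issuer");
        if (StringUtils.isNotBlank(str2) && !authUtil.isValidIssuer(str2)) {
            throw unauthorized("Header Issuer is Invalid.");
        }

        // Reject anything that is not a Bearer credential before touching the token text;
        // a blind substring would otherwise accept any 6-character prefix (or throw on
        // shorter input and surface as a 500).
        String accessToken = stripScheme(str);

        logger.info("Verify if JWT");
        if (jwtUtil.isJwt(accessToken)) {
            try {
                logger.info("Since token is JWT Validate it");
                jwtUtil.parse(accessToken);
                List<String> tokenScopes = jwtUtil.validateToken(accessToken);
                logger.debug(" tokenScopes:{} ", tokenScopes);
                return validateScope(accessToken, tokenScopes, resourceInfo, str2);
            } catch (InvalidJwtException e) {
                logger.error("oAuth Invalid Jwt token:{}, exception:{} ", str, e);
                throw unauthorized("Jwt Token is Invalid.");
            }
        }

        logger.info("Token is NOT JWT hence introspecting it as Reference token ");
        IntrospectionResponse introspectionResponse = openIdService.getIntrospectionResponse(str, accessToken, str2);
        logger.trace("oAuth  Authorization introspectionResponse:{}", introspectionResponse);
        if (introspectionResponse == null || !introspectionResponse.isActive()) {
            logger.error("Token is Invalid.");
            throw unauthorized("Token is Invalid.");
        }

        String authorizedToken = validateScope(accessToken, introspectionResponse.getScope(), resourceInfo, str2);
        // NOTE(review): the external script's verdict is only logged here and does not gate
        // access, and it is not consulted at all on the JWT path above — confirm this is intended.
        boolean externallyAuthorized = externalAuthorization(str, str2, str3, str4);
        logger.debug("Custom authorization - isAuthorized:{}", externallyAuthorized);
        return authorizedToken;
    }

    /**
     * Removes the {@code Bearer} scheme from an {@code Authorization} header value.
     * The scheme is matched case-insensitively (RFC 6750 treats it as such) and any
     * whitespace around the token is trimmed.
     *
     * @param authorizationHeader non-blank header value
     * @return the bare token
     * @throws WebApplicationException with 401 when the header does not use the Bearer
     *         scheme or carries no token after it
     */
    private String stripScheme(String authorizationHeader) {
        String scheme = AUTHENTICATION_SCHEME.trim();
        if (!authorizationHeader.regionMatches(true, 0, scheme, 0, scheme.length())) {
            logger.error("Authorization header does not use the Bearer scheme");
            throw unauthorized("Token is Invalid.");
        }
        String token = authorizationHeader.substring(scheme.length()).trim();
        if (token.isEmpty()) {
            logger.error("Token is blank !!!");
            throw unauthorized("Token is blank.");
        }
        return token;
    }

    /**
     * Builds the 401 response used for every policy rejection in this class.
     *
     * @param message exception message (not sent in the response body)
     */
    private static WebApplicationException unauthorized(String message) {
        return new WebApplicationException(message, Response.status(Response.Status.UNAUTHORIZED).build());
    }

    /**
     * Checks that {@code tokenScopes} satisfy the scopes required by {@code resourceInfo}.
     *
     * <p>Required scopes are grouped by {@link ProtectionScopeType}; any SUPER or GROUP
     * scope present on the token satisfies the resource outright, otherwise every SCOPE
     * entry must be present. If the only missing scopes are exactly the resource's
     * auth-specific scopes, a new token carrying all resource scopes is requested with
     * the configured client credentials and returned in place of the caller's token.
     *
     * @param accessToken bare access token (scheme already stripped)
     * @param tokenScopes scopes carried by the token; may be {@code null}
     * @param resourceInfo resource whose required scopes are looked up
     * @param issuer issuer from the request, logged only
     * @return {@code Bearer }-prefixed token to proceed with
     * @throws WebApplicationException 401 when scopes are insufficient; 500 when scope
     *         lookup or the token request fails unexpectedly
     */
    private String validateScope(String accessToken, List<String> tokenScopes, ResourceInfo resourceInfo, String issuer) throws WebApplicationException {
        logger.debug("Validate scope, accessToken:{}, tokenScopes:{}, resourceInfo: {}, issuer: {}", accessToken, tokenScopes, resourceInfo, issuer);
        try {
            Map<ProtectionScopeType, List<String>> resourceScopesByType = getRequestedScopes(resourceInfo);
            List<String> resourceScopes = getAllScopeList(resourceScopesByType);
            logger.debug("Validate scope, resourceScopesByType: {}, resourceScopes: {}", resourceScopesByType, resourceScopes);

            List<String> missingScopes = findMissingScopes(resourceScopesByType, tokenScopes);
            logger.debug("missingScopes:{}", missingScopes);
            boolean hasMissingScopes = missingScopes != null && !missingScopes.isEmpty();

            List<String> authSpecificScopes = getAuthSpecificScopeRequired(resourceInfo);
            logger.debug(" resourceScopes:{}, authSpecificScope:{} ", resourceScopes, authSpecificScopes);

            if (authSpecificScopes == null || authSpecificScopes.isEmpty()) {
                logger.debug("Validating token scopes as no authSpecificScope required");
                if (!hasMissingScopes) {
                    return AUTHENTICATION_SCHEME + accessToken;
                }
                logger.error("Insufficient scopes! Required scope:{} -  however token scopes:{}", resourceScopes, tokenScopes);
                throw unauthorized("Insufficient scopes! , Required scope: " + resourceScopes + ", however token scopes: " + tokenScopes);
            }

            // Anything missing beyond the auth-specific scopes cannot be compensated for.
            if (hasMissingScopes && !isEqualCollection(missingScopes, authSpecificScopes)) {
                logger.error("Insufficient scopes!! Required scope:{}, , however token scopes:{} ", resourceScopes, tokenScopes);
                throw unauthorized("Insufficient scopes!! , Required scope: " + resourceScopes + ", however token scopes: " + tokenScopes);
            }

            // Only auth-specific scopes are outstanding: mint a token that carries them too.
            resourceScopes.addAll(authSpecificScopes);
            String newAccessToken = openIdService.requestAccessToken(authUtil.getClientId(), resourceScopes);
            logger.debug("Introspecting new accessToken:{}", newAccessToken);
            IntrospectionResponse newTokenIntrospection = openIdService.getIntrospectionResponse(
                    AUTHENTICATION_SCHEME + newAccessToken, newAccessToken, authUtil.getIssuer());
            List<String> newTokenScopes = newTokenIntrospection == null ? null : newTokenIntrospection.getScope();
            if (newTokenScopes != null && validateScope(newTokenScopes, resourceScopes)) {
                // Token value deliberately not written at INFO level; it is a live credential.
                logger.info("Token scopes Valid, returning newly issued accessToken");
                return AUTHENTICATION_SCHEME + newAccessToken;
            }
            logger.error("Insufficient scopes!!! for new token as well - Required scope:{}, token scopes:{}", resourceScopes, newTokenScopes);
            throw unauthorized("Insufficient scopes!!! Required scope: " + resourceScopes + ", token scopes: " + newTokenScopes);
        } catch (WebApplicationException e) {
            // The rejections above already carry the correct (401) status; re-wrapping them
            // below would turn an authorization failure into a 500.
            throw e;
        } catch (Exception e) {
            logger.error("oAuth authorization error:{} ", e.getMessage(), e);
            throw new WebApplicationException("oAuth authorization error " + e.getMessage(), e,
                    Response.status(Response.Status.INTERNAL_SERVER_ERROR).build());
        }
    }

    /**
     * Invokes the external (custom script) authorization interceptor.
     *
     * @param token raw {@code Authorization} header value
     * @param issuer issuer from the request header
     * @param method HTTP method
     * @param path request path
     * @return whatever the interception script decides; see
     *         {@link ExternalInterceptionService#authorization}
     */
    private boolean externalAuthorization(String token, String issuer, String method, String path) {
        logger.debug("External Authorization script params -  request:{}, response:{}, token:{}, issuer:{}, method:{}, path:{} ", request, response, token, issuer, method, path);
        Map<String, Object> requestParameters = new HashMap<>();
        requestParameters.put("ISSUER", issuer);
        requestParameters.put("TOKEN", token);
        requestParameters.put("METHOD", method);
        requestParameters.put("PATH", path);
        return externalInterceptionService.authorization(request, response, configurationFactory.getApiAppConfiguration(),
                requestParameters, Jackson.createJSONObject(requestParameters));
    }

    /**
     * Determines which required scopes the token lacks.
     *
     * <p>Evaluation order: if the token holds any SUPER scope, or any GROUP scope, nothing
     * is missing. Otherwise the missing entries of the SCOPE list are returned.
     *
     * @param scopeMap required scopes grouped by type; may be {@code null} or empty
     * @param tokenScopes scopes carried by the token
     * @return the missing scopes; empty when nothing is missing (never {@code null})
     */
    private List<String> findMissingScopes(Map<ProtectionScopeType, List<String>> scopeMap, List<String> tokenScopes) {
        logger.info("Check scopeMap:{}, tokenScopes:{}", scopeMap, tokenScopes);
        List<String> nothingMissing = new ArrayList<>();
        if (scopeMap == null || scopeMap.isEmpty()) {
            return nothingMissing;
        }

        List<String> superScopes = scopeMap.get(ProtectionScopeType.SUPER);
        logger.debug("SUPER Scopes:{}", superScopes);
        if (superScopes != null && !superScopes.isEmpty()) {
            boolean hasSuperScope = containsAnyElement(superScopes, tokenScopes);
            logger.debug("Token contains SUPER scopes?:{}", hasSuperScope);
            if (hasSuperScope) {
                return nothingMissing;
            }
        }

        List<String> groupScopes = scopeMap.get(ProtectionScopeType.GROUP);
        logger.debug("GROUP Scopes:{}", groupScopes);
        if (groupScopes != null && !groupScopes.isEmpty()) {
            boolean hasGroupScope = containsAnyElement(groupScopes, tokenScopes);
            logger.debug("Token contains GROUP scopes?:{}", hasGroupScope);
            if (hasGroupScope) {
                return nothingMissing;
            }
        }

        List<String> requiredScopes = scopeMap.get(ProtectionScopeType.SCOPE);
        logger.debug("SCOPE Scopes:{}", requiredScopes);
        if (requiredScopes == null || requiredScopes.isEmpty()) {
            return nothingMissing;
        }
        List<String> missing = findMissingElements(requiredScopes, tokenScopes);
        logger.debug("SCOPE Missing Scopes:{}", missing);
        return missing == null ? nothingMissing : missing;
    }
}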
