package io.jans.ca.rs.protect.resteasy;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import io.jans.as.model.uma.PermissionTicket;
import io.jans.as.model.uma.RptIntrospectionResponse;
import io.jans.as.model.uma.UmaPermission;
import io.jans.as.model.uma.UmaPermissionList;
import io.jans.ca.rs.protect.Jackson;
import io.jans.util.StringHelper;
import jakarta.ws.rs.ClientErrorException;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.jboss.resteasy.core.ServerResponse;
import org.jboss.resteasy.spi.Failure;
import org.jboss.resteasy.spi.HttpRequest;

/* loaded from: input_file:io/jans/ca/rs/protect/resteasy/RptPreProcessInterceptor.class */
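/**
 * RESTEasy pre-process interceptor that enforces UMA protection on registered resources.
 *
 * <p>Flow of {@link #preProcess(HttpRequest)}: a request whose path/method is not registered
 * with the {@link ResourceRegistrar} passes through untouched ({@code null} result). For a
 * registered resource the bearer token from the {@code Authorization} header is introspected at
 * the AS; if it is active and carries a matching permission the request passes, otherwise a
 * permission ticket is registered and a {@code 403} with a {@code WWW-Authenticate: UMA ...}
 * challenge is returned. Any failure while talking to the AS is answered with a {@code 500}
 * whose body is intentionally generic (internal error details are only logged).
 *
 * <p>Bearer tokens (RPT / GAT / PAT) are never written to the log.
 */
public class RptPreProcessInterceptor {
    private static final Logger LOG = Logger.getLogger(RptPreProcessInterceptor.class);

    /** Token prefix that marks a GAT; for a GAT the permission's resource id is not checked. */
    private static final String GAT_PREFIX = "gat_";
    /** Authorization scheme prefix expected on incoming requests and sent with the PAT to the AS. */
    private static final String BEARER_PREFIX = "Bearer ";
    /** Body of the 500 response; deliberately carries no exception text (no host names / stack details). */
    private static final String GENERIC_ERROR_ENTITY = "Internal server error";

    private final ResourceRegistrar resourceRegistrar;
    private final PatProvider patProvider;
    private final ServiceProvider serviceProvider;

    /**
     * Creates the interceptor around a fully configured registrar.
     *
     * @param resourceRegistrar registrar that knows the protected paths, their AS resource ids,
     *                          the PAT provider and the service provider
     * @throws NullPointerException if the registrar, its PAT provider or its service provider is null
     */
    public RptPreProcessInterceptor(ResourceRegistrar resourceRegistrar) {
        Preconditions.checkNotNull(resourceRegistrar, "Resource registrar is null.");
        Preconditions.checkNotNull(resourceRegistrar.getPatProvider(), "PAT Provider is null.");
        Preconditions.checkNotNull(resourceRegistrar.getServiceProvider(), "Service Provider is null.");
        this.resourceRegistrar = resourceRegistrar;
        this.patProvider = resourceRegistrar.getPatProvider();
        this.serviceProvider = resourceRegistrar.getServiceProvider();
    }

    /**
     * Decides whether the request may proceed.
     *
     * @param httpRequest incoming request
     * @return {@code null} when the request may continue (unprotected resource, or a valid RPT
     *         with sufficient permissions); otherwise a 403 carrying a permission ticket, or a
     *         500 when the AS interaction failed
     */
    public ServerResponse preProcess(HttpRequest httpRequest) throws Failure, WebApplicationException {
        String path = getPath(httpRequest);
        String httpMethod = httpRequest.getHttpMethod();
        Key key = this.resourceRegistrar.getKey(path, httpMethod);
        if (key == null) {
            LOG.debug("Resource is not protected with UMA, path:" + path + ", httpMethod: " + httpMethod);
            return null;
        }
        try {
            String rpt = getRpt(httpRequest.getHttpHeaders());
            if (!Strings.isNullOrEmpty(rpt)) {
                LOG.debug("RPT present in request");
                if (hasPermission(requestRptStatus(rpt), key, httpMethod, isGat(rpt))) {
                    LOG.debug("RPT has enough permissions, access GRANTED. Path: " + path + ", httpMethod:" + httpMethod);
                    return null;
                }
            }
            LOG.debug("Client does not present valid RPT. Registering permission ticket ...");
            // the key resolved above guarantees registerTicketResponse(path, httpMethod) finds the same key
            return new ServerResponse(registerTicketResponse(path, httpMethod));
        } catch (ClientErrorException e) {
            LOG.error(e.getMessage(), e);
            LOG.error("Entity: " + readEntitySafely(e));
            return internalErrorResponse();
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
            return internalErrorResponse();
        }
    }

    /** Builds the fail-closed 500 answer; details stay in the log, not in the body. */
    private static ServerResponse internalErrorResponse() {
        return new ServerResponse(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(GENERIC_ERROR_ENTITY).build());
    }

    /**
     * Reads the response entity of a client error for logging without letting a second failure
     * (entity already consumed, unreadable stream) mask the original exception.
     */
    private static String readEntitySafely(ClientErrorException e) {
        try {
            return e.getResponse().readEntity(String.class);
        } catch (RuntimeException readFailure) {
            // diagnostics only: report why the entity is unavailable instead of propagating
            return "<unreadable entity: " + readFailure.getMessage() + ">";
        }
    }

    /**
     * Tells whether a token is a GAT by its {@code gat_} prefix.
     *
     * @param str token value, may be null
     * @return true only for a non-null token starting with {@code gat_}
     */
    public static boolean isGat(String str) {
        return str != null && str.startsWith(GAT_PREFIX);
    }

    /**
     * Checks whether an introspected token grants access to the resource identified by {@code key}.
     *
     * @param rptIntrospectionResponse AS introspection result, may be null
     * @param key                      registered resource key (path + method)
     * @param str                      HTTP method of the request
     * @param z                        true when the token is a GAT; then any active permission whose
     *                                 scopes allow the access counts, regardless of its resource id
     * @return true when the token is active and at least one permission allows the access
     */
    public boolean hasPermission(RptIntrospectionResponse rptIntrospectionResponse, Key key, String str, boolean z) {
        if (rptIntrospectionResponse == null || !rptIntrospectionResponse.getActive()) {
            return false;
        }
        String resourceSetId = this.resourceRegistrar.getResourceSetId(key);
        if (Strings.isNullOrEmpty(resourceSetId)) {
            LOG.error("Resource has key but is not registered on AS. Key: " + key);
            return false;
        }
        List<UmaPermission> permissions = rptIntrospectionResponse.getPermissions();
        if (permissions == null) {
            return false;
        }
        for (UmaPermission permission : permissions) {
            // a plain RPT must name this exact resource; a GAT is matched on scopes alone
            boolean resourceMatches = z || resourceSetId.equals(permission.getResourceId());
            if (resourceMatches
                    && this.resourceRegistrar.getProtector().hasAccess(key.getPath(), str, permission.getScopes())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Extracts the absolute request path used for resource lookup.
     *
     * @param httpRequest incoming request
     * @return the URI path, or null when the request carries no usable URI
     */
    public String getPath(HttpRequest httpRequest) {
        if (httpRequest.getUri() == null || httpRequest.getUri().getAbsolutePath() == null) {
            return null;
        }
        return httpRequest.getUri().getAbsolutePath().getPath();
    }

    /**
     * Strips the {@code Bearer } scheme from an Authorization header value.
     *
     * @param str raw header value, may be null
     * @return the token that follows {@code Bearer }, or null for a null/non-bearer value
     */
    public static String getRptFromAuthorization(String str) {
        // the scheme is matched case-sensitively, exactly as before
        if (str != null && str.startsWith(BEARER_PREFIX)) {
            return str.substring(BEARER_PREFIX.length());
        }
        return null;
    }

    /**
     * Reads the bearer token from the first {@code Authorization} request header.
     *
     * @param httpHeaders request headers, may be null
     * @return the token, an empty string when there is no Authorization header, or null when
     *         the header uses a scheme other than Bearer
     */
    public static String getRpt(HttpHeaders httpHeaders) {
        if (httpHeaders == null) {
            return "";
        }
        List<String> authorization = httpHeaders.getRequestHeader("Authorization");
        if (authorization == null || authorization.isEmpty()) {
            return "";
        }
        // only the first Authorization header is considered
        return getRptFromAuthorization(authorization.get(0));
    }

    /**
     * Introspects an RPT at the AS using the current PAT.
     *
     * @param str the RPT, blank values are not sent
     * @return the introspection response, or null when blank or when the AS returned nothing
     */
    public RptIntrospectionResponse requestRptStatus(String str) {
        if (!StringUtils.isNotBlank(str)) {
            return null;
        }
        // the RPT is a bearer credential and is kept out of the log
        LOG.debug("Request RPT status...");
        // trailing "" argument is passed through unchanged; its meaning is not visible here
        RptIntrospectionResponse status = this.serviceProvider.getRptIntrospectionService()
                .requestRptStatus(BEARER_PREFIX + this.patProvider.getPatToken(), str, "");
        if (status == null) {
            LOG.debug("Unable to retrieve RPT status from AM.");
            return null;
        }
        LOG.debug("RPT status: " + Jackson.asJsonSilently(status));
        return status;
    }

    /**
     * Registers a permission ticket for the resource behind {@code str}/{@code str2}.
     *
     * @param str  request path
     * @param str2 HTTP method
     * @return the 403 challenge response, or null when the path/method is not registered
     */
    public Response registerTicketResponse(String str, String str2) {
        Key key = this.resourceRegistrar.getKey(str, str2);
        if (key == null) {
            LOG.error("Resource is not registered. Path: " + str + ", httpMethod: " + str2 + ". Please register it via uma-rs configuration.");
            LOG.error("Skip protection !!!");
            return null;
        }
        List<String> scopesForTicket = this.resourceRegistrar.getRsResource(key).getScopesForTicket(str2);
        LOG.trace("Ticket scopes: " + scopesForTicket);
        return registerTicketResponse(scopesForTicket, this.resourceRegistrar.getResourceSetId(key));
    }

    /**
     * Registers a permission ticket, retrying once after a PAT refresh on 400/401.
     *
     * @param list scopes to request
     * @param str  AS resource id
     * @return the 403 challenge response
     */
    public Response registerTicketResponse(List<String> list, String str) {
        return registerTicketResponse(list, str, true);
    }

    /**
     * Registers a permission ticket at the AS and builds the UMA challenge.
     *
     * @param list scopes to request, must be non-empty
     * @param str  AS resource id, must be set
     * @param z    when true, a 400/401 from the AS clears the PAT and the call is retried once
     * @return 403 with {@code WWW-Authenticate} and the ticket as entity; 403 with a
     *         {@code Warning} header when no ticket could be obtained
     * @throws IllegalStateException   when scopes or resource id are missing
     * @throws ClientErrorException    for AS client errors other than 400/401
     */
    public Response registerTicketResponse(List<String> list, String str, boolean z) {
        Preconditions.checkState(list != null && !list.isEmpty(), "Scopes must not be empty.");
        Preconditions.checkState(!Strings.isNullOrEmpty(str), "ResourceId must be set.");
        // initialised so the fall-through after a non-retried 400/401 is well defined
        PermissionTicket ticket = null;
        try {
            UmaPermission permission = new UmaPermission();
            permission.setResourceId(str);
            permission.setScopes(list);
            ticket = this.resourceRegistrar.getServiceProvider().getPermissionService().registerPermission(
                    BEARER_PREFIX + this.patProvider.getPatToken(),
                    UmaPermissionList.instance(new UmaPermission[]{permission}));
        } catch (ClientErrorException e) {
            int status = e.getResponse().getStatus();
            LOG.debug("Failed to register ticket. Entity: " + readEntitySafely(e) + ", status: " + status, e);
            if (status != 400 && status != 401) {
                throw e;
            }
            // 400/401 is treated as a stale PAT: drop it so the next call obtains a fresh one
            LOG.debug("Try maybe PAT is lost on AS, force refresh PAT and request ticket again ...");
            this.patProvider.clearPat();
            if (z) {
                LOG.debug("Re-try register the ticket.");
                return registerTicketResponse(list, str, false);
            }
        } catch (Exception e) {
            LOG.error("Failed to register permission ticket.", e);
        }
        if (ticket == null) {
            LOG.error("Failed to register permission ticket. Response is null.");
            // header name is "Warning" (no colon); the old "Warning:" produced a malformed header line
            return Response.status(Response.Status.FORBIDDEN).header("Warning", "UMA Authorization Server Unreachable").build();
        }
        String challenge = "UMA realm=\"rs\",as_uri=\"" + this.serviceProvider.getOpHost()
                + "\",error=\"insufficient_scope\",ticket=\"" + ticket.getTicket() + "\"";
        LOG.debug("Ticket registered, " + challenge);
        return Response.status(Response.Status.FORBIDDEN).header("WWW-Authenticate", challenge).entity(ticket).build();
    }
}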
