package com.google.api.server.spi.auth;

import com.google.api.server.spi.Constant;
import com.google.api.server.spi.config.ApiMethodConfig;
import com.google.api.server.spi.config.scope.AuthScopeExpression;
import com.google.api.server.spi.response.UnauthorizedException;
import com.google.appengine.api.oauth.OAuthRequestException;
import com.google.appengine.api.oauth.OAuthServiceFactory;
import com.google.appengine.api.users.User;
import com.google.appengine.api.utils.SystemProperty;
import com.google.appengine.repackaged.com.google.api.client.extensions.appengine.http.UrlFetchTransport;
import com.google.appengine.repackaged.com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.appengine.repackaged.com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.appengine.repackaged.com.google.api.client.http.GenericUrl;
import com.google.appengine.repackaged.com.google.api.client.http.HttpHeaders;
import com.google.appengine.repackaged.com.google.api.client.http.HttpRequest;
import com.google.appengine.repackaged.com.google.api.client.http.HttpRequestFactory;
import com.google.appengine.repackaged.com.google.api.client.http.HttpRequestInitializer;
import com.google.appengine.repackaged.com.google.api.client.http.HttpResponse;
import com.google.appengine.repackaged.com.google.api.client.http.HttpTransport;
import com.google.appengine.repackaged.com.google.api.client.http.javanet.NetHttpTransport;
import com.google.appengine.repackaged.com.google.api.client.json.JsonObjectParser;
import com.google.appengine.repackaged.com.google.api.client.json.jackson.JacksonFactory;
import com.google.appengine.repackaged.com.google.common.annotations.VisibleForTesting;
import com.google.appengine.repackaged.com.google.common.collect.ImmutableList;
import com.google.appengine.repackaged.com.google.common.collect.ImmutableSet;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;

/* loaded from: input_file:com/google/api/server/spi/auth/AppEngineAuthUtils.class */
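/**
 * Resolves the calling {@link User} for an Endpoints method from the request's credential.
 *
 * <p>The credential is read from the {@code Authorization} header (OAuth or Bearer scheme) or,
 * failing that, from the {@code access_token} / {@code bearer_token} query parameters. Two kinds
 * of credential are handled:
 * <ul>
 *   <li>Google ID tokens: verified with {@link GoogleIdTokenVerifier}; the token's client id
 *       ({@code cid} / {@code azp}) and audience ({@code aud}) must then pass the method's
 *       configured allow-lists.</li>
 *   <li>OAuth2 access tokens: checked through the App Engine {@code OAuthService} for authorized
 *       scopes, client id and current user.</li>
 * </ul>
 *
 * <p>When constructed with the client-id whitelist disabled, any client id is accepted; the
 * audience and scope checks still apply. Every rejection returns {@code null} and is logged. The
 * raw token value is never written to the log.
 */
class AppEngineAuthUtils {

    @VisibleForTesting
    protected static final String HEADER_AUTHORIZATION = "Authorization";
    /** ID-token payload claim holding the audience. */
    private static final String AUDIENCE_TAG = "aud";
    /** ID-token payload claim holding the user's email. */
    private static final String EMAIL_TAG = "email";
    private static final Logger logger = Logger.getLogger(AppEngineAuthUtils.class.getName());

    /** Authorization-header schemes from which a token is extracted. */
    @VisibleForTesting
    protected static final String[] ALLOWED_AUTH_SCHEMES = {UnauthorizedException.AUTH_SCHEME_OAUTH, "Bearer"};

    /** Prefixes that mark a token as an OAuth2 access token; anything else is tried as an ID token. */
    @VisibleForTesting
    protected static final String[] OAUTH2_TOKEN_PREFIXES = {"ya29.", "1/"};

    /** Configured client-id list meaning "do not check the client id" (access tokens only). */
    @VisibleForTesting
    protected static final List<String> SKIP_CLIENT_ID_CHECK_LIST = ImmutableList.of(Constant.SKIP_CLIENT_ID_CHECK);

    /** Query parameters consulted, in order, when the header carries no token. */
    @VisibleForTesting
    protected static final String[] BEARER_TOKEN_PARAMETER_NAMES = {"access_token", "bearer_token"};

    /** ID-token payload claims consulted, in order, for the client id. */
    private static final String[] CLIENT_TAGS = {"cid", "azp"};

    private final boolean clientIdWhitelistEnabled;
    // Built without an audience: audience and client id are enforced by this class, not the verifier.
    private final GoogleIdTokenVerifier verifier;
    private final HttpRequestFactory httpRequestFactory;

    /**
     * @param clientIdWhitelistEnabled whether the configured client-id lists are enforced; when
     *     {@code false}, every client id is accepted
     */
    public AppEngineAuthUtils(boolean clientIdWhitelistEnabled) {
        this.clientIdWhitelistEnabled = clientIdWhitelistEnabled;
        // One transport serves both the ID-token verifier and the dev-mode token-info lookup.
        HttpTransport transport = getTransport();
        this.verifier = new GoogleIdTokenVerifier.Builder(transport, new JacksonFactory()).build();
        this.httpRequestFactory = transport.createRequestFactory(new HttpRequestInitializer() {
            @Override
            public void initialize(HttpRequest httpRequest) {
                httpRequest.setParser(new JsonObjectParser(new JacksonFactory()));
            }
        });
    }

    /** URL Fetch in production, plain java.net everywhere else (dev server, tests). */
    private HttpTransport getTransport() {
        if (SystemProperty.environment.value() == SystemProperty.Environment.Value.Production) {
            return new UrlFetchTransport();
        }
        return new NetHttpTransport();
    }

    /**
     * Returns the entry of {@link #ALLOWED_AUTH_SCHEMES} that {@code headerValue} starts with.
     *
     * @param headerValue the raw {@code Authorization} header, may be {@code null}
     * @return the matched scheme, or {@code null} if none matches
     */
    @VisibleForTesting
    protected String matchAuthScheme(String headerValue) {
        if (headerValue == null) {
            return null;
        }
        for (String scheme : ALLOWED_AUTH_SCHEMES) {
            if (headerValue.startsWith(scheme)) {
                return scheme;
            }
        }
        return null;
    }

    /**
     * Resolves the caller for {@code request} against the method's scope, audience and client-id
     * configuration in the current runtime environment.
     *
     * @return the authenticated user, or {@code null} if no valid credential was presented
     */
    public User getCurrentUser(HttpServletRequest request, ApiMethodConfig methodConfig) {
        return getCurrentUser(
                getAuthToken(request),
                methodConfig.getScopeExpression(),
                methodConfig.getAudiences(),
                methodConfig.getClientIds(),
                SystemProperty.environment.value());
    }

    /** Test hook: resolves the caller as if running in production. */
    @VisibleForTesting
    User getCurrentUser(String token, AuthScopeExpression scopeExpression, List<String> allowedAudiences,
            List<String> allowedClientIds) {
        return getCurrentUser(token, scopeExpression, allowedAudiences, allowedClientIds,
                SystemProperty.Environment.Value.Production);
    }

    /**
     * Resolves the caller from a raw token.
     *
     * @param token the credential as extracted from the request; blank means anonymous
     * @param scopeExpression scopes an access token must be authorized for
     * @param allowedAudiences audiences an ID token may carry; empty or {@code null} means only the
     *     token's own client id is accepted as audience
     * @param allowedClientIds client ids accepted for either token kind
     * @param environment runtime environment; decides how an access token's client id is looked up
     * @return the authenticated user, or {@code null} if any check fails
     */
    @VisibleForTesting
    User getCurrentUser(String token, AuthScopeExpression scopeExpression, List<String> allowedAudiences,
            List<String> allowedClientIds, SystemProperty.Environment.Value environment) {
        // The token is a credential: record only whether one arrived, never its value.
        logger.log(Level.FINE, "token present={0}", !isEmptyOrWhitespace(token));
        logger.log(Level.FINE, "scopeExpression={0}", scopeExpression.toLoggingForm());
        logger.log(Level.FINE, "allowedAudiences={0}", allowedAudiences);
        logger.log(Level.FINE, "allowedClientIds={0}", allowedClientIds);
        if (isEmptyOrWhitespace(token)) {
            return null;
        }
        if (isIdToken(token)) {
            return authenticateIdToken(token, allowedAudiences, allowedClientIds);
        }
        return authenticateAccessToken(token, scopeExpression, allowedClientIds, environment);
    }

    /** Verifies a Google ID token and returns its user, or {@code null} when any check fails. */
    private User authenticateIdToken(String idToken, List<String> allowedAudiences,
            List<String> allowedClientIds) {
        String email = getIdTokenEmail(idToken, allowedAudiences, allowedClientIds);
        logger.log(Level.INFO, "getCurrentUser: IdToken; email={0}", email);
        if (email == null) {
            return null;
        }
        return new User(email, "");
    }

    /**
     * Validates an OAuth2 access token through the App Engine OAuthService: authorized scopes,
     * then client id, then the user. Each step returns {@code null} on failure.
     */
    private User authenticateAccessToken(String accessToken, AuthScopeExpression scopeExpression,
            List<String> allowedClientIds, SystemProperty.Environment.Value environment) {
        String[] requestedScopes = scopeExpression.getAllScopes();

        boolean scopeAuthorized;
        try {
            String[] authorizedScopes = getOAuth2AuthorizedScopes(requestedScopes);
            scopeAuthorized = authorizedScopes != null
                    && scopeExpression.isAuthorized(ImmutableSet.copyOf(authorizedScopes));
        } catch (OAuthRequestException e) {
            logger.log(Level.INFO, "getCurrentUser: AccessToken; Tried and failed to get client id for scope '" + scopeExpression + "'", e);
            return null;
        }
        if (!scopeAuthorized) {
            logger.info("getCurrentUser: AccessToken; scope not allowed");
            return null;
        }

        String clientId;
        try {
            // On the dev server the client id comes from the token-info endpoint, not OAuthService.
            if (environment == SystemProperty.Environment.Value.Development) {
                clientId = getOAuth2ClientIdDev(accessToken);
            } else {
                clientId = getOAuth2ClientId(requestedScopes);
            }
        } catch (OAuthRequestException e) {
            logger.log(Level.INFO, "getCurrentUser: AccessToken; Tried and failed to get client id for scope '" + scopeExpression + "'", e);
            return null;
        }
        // Access tokens may opt out of the client-id check via SKIP_CLIENT_ID_CHECK_LIST; ID tokens may not.
        if (!isClientIdAllowed(clientId, allowedClientIds, true)) {
            logger.log(Level.WARNING, "getCurrentUser: clientId {0} not allowed", clientId);
            return null;
        }

        try {
            User user = getOAuth2User(requestedScopes);
            logger.log(Level.INFO, "getCurrentUser: AccessToken; user={0}", user);
            return user;
        } catch (OAuthRequestException e) {
            logger.log(Level.INFO, "getCurrentUser: AccessToken; Tried and failed to get user for scope expression '" + scopeExpression.toLoggingForm() + "'", e);
            logger.info("getCurrentUser: AccessToken; scope not allowed");
            return null;
        }
    }

    /**
     * Extracts the credential from the request: the {@code Authorization} header first, then the
     * bearer-token query parameters.
     *
     * @return the token, or {@code null} if the request carries none
     */
    @VisibleForTesting
    String getAuthToken(HttpServletRequest request) {
        String token = getAuthTokenFromHeader(request.getHeader(HEADER_AUTHORIZATION));
        if (token != null) {
            return token;
        }
        return getAuthTokenFromQueryParameters(request);
    }

    /** First present parameter among {@link #BEARER_TOKEN_PARAMETER_NAMES}, or {@code null}. */
    private String getAuthTokenFromQueryParameters(HttpServletRequest request) {
        for (String parameterName : BEARER_TOKEN_PARAMETER_NAMES) {
            String value = request.getParameter(parameterName);
            if (value != null) {
                return value;
            }
        }
        return null;
    }

    /**
     * Returns the token part of a {@code "<scheme> <token>"} header value.
     *
     * @return the token, or {@code null} if the scheme is unknown or no token follows it
     */
    private String getAuthTokenFromHeader(String headerValue) {
        String scheme = matchAuthScheme(headerValue);
        if (scheme == null) {
            return null;
        }
        int separator = scheme.length();
        // A bare scheme ("Bearer") or a scheme glued to other text ("Bearerxyz") carries no token;
        // without this guard the former throws StringIndexOutOfBoundsException from substring.
        if (headerValue.length() <= separator || !Character.isWhitespace(headerValue.charAt(separator))) {
            return null;
        }
        return headerValue.substring(separator + 1);
    }

    /**
     * Heuristic token classification: tokens starting with a known access-token prefix (after
     * trimming and dropping one leading quote) are access tokens; everything else is treated as an
     * ID token and must then pass signature verification.
     */
    boolean isIdToken(String token) {
        String normalized = token.trim().replaceFirst("^['\"]", "");
        for (String prefix : OAUTH2_TOKEN_PREFIXES) {
            if (normalized.startsWith(prefix)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Verifies the ID token's signature and standard claims.
     *
     * @return the verified token, or {@code null} if verification failed or could not be performed
     */
    GoogleIdToken verifyTokenInternal(String idToken) {
        try {
            return this.verifier.verify(idToken);
        } catch (IOException e) {
            logger.log(Level.WARNING, "getCurrentUser: " + e.getMessage(), e);
            return null;
        } catch (IllegalArgumentException e) {
            logger.log(Level.WARNING, "getCurrentUser: " + e.getMessage(), e);
            return null;
        } catch (GeneralSecurityException e) {
            logger.log(Level.WARNING, "getCurrentUser: " + e.getMessage(), e);
            return null;
        }
    }

    /**
     * Verifies the ID token and checks its client id and audience.
     *
     * @return the token's email claim, or {@code null} if the token is invalid or not allowed
     */
    private String getIdTokenEmail(String idToken, List<String> allowedAudiences, List<String> allowedClientIds) {
        GoogleIdToken verified = verifyTokenInternal(idToken);
        if (verified == null) {
            logger.warning("getCurrentUser: idToken=null");
            return null;
        }
        // Client id is validated before the audience, so the aud == client-id fallback in
        // isAudienceAllowed can only match a client id that already passed the allow-list.
        if (isClientIdAllowed(allowedClientIds, verified) && isAudienceAllowed(allowedAudiences, verified)) {
            return extractUser(verified);
        }
        return null;
    }

    /**
     * Accepts the token if its {@code aud} is one of {@code allowedAudiences}, or equals the
     * token's own client id (a token minted for the calling client itself).
     */
    private boolean isAudienceAllowed(List<String> allowedAudiences, GoogleIdToken idToken) {
        String audience = extractAudience(idToken);
        if (isEmptyOrWhitespace(audience)) {
            logger.warning("Token contained no audience: " + idToken.getPayload());
            return false;
        }
        if (allowedAudiences != null && allowedAudiences.contains(audience)) {
            return true;
        }
        if (audience.equals(extractClientId(idToken))) {
            return true;
        }
        logger.warning("Audience in token was not allowed: " + audience);
        return false;
    }

    private String extractAudience(GoogleIdToken idToken) {
        return (String) idToken.getPayload().get(AUDIENCE_TAG);
    }

    /** First non-null {@link #CLIENT_TAGS} claim, or {@code null} if the token carries neither. */
    private String extractClientId(GoogleIdToken idToken) {
        for (String claim : CLIENT_TAGS) {
            String clientId = (String) idToken.getPayload().get(claim);
            if (clientId != null) {
                return clientId;
            }
        }
        return null;
    }

    private String extractUser(GoogleIdToken idToken) {
        return (String) idToken.getPayload().get(EMAIL_TAG);
    }

    /** ID-token variant of the client-id check; the skip-check sentinel is not honored here. */
    private boolean isClientIdAllowed(List<String> allowedClientIds, GoogleIdToken idToken) {
        String clientId = extractClientId(idToken);
        if (isEmptyOrWhitespace(clientId)) {
            logger.warning("Token contained no clientId: " + idToken.getPayload());
            return false;
        }
        if (isClientIdAllowed(clientId, allowedClientIds, false)) {
            return true;
        }
        logger.warning("ClientId in token was not allowed: " + clientId);
        return false;
    }

    /**
     * Checks {@code clientId} against the configured list.
     *
     * @param clientId client id taken from the credential, may be {@code null}
     * @param allowedClientIds configured allow-list; {@code null} or empty rejects everything
     * @param allowSkipCheck whether a list equal to {@link #SKIP_CLIENT_ID_CHECK_LIST} accepts any id
     * @return {@code true} if allowed, or unconditionally when the whitelist is disabled
     */
    private boolean isClientIdAllowed(String clientId, List<String> allowedClientIds, boolean allowSkipCheck) {
        if (!this.clientIdWhitelistEnabled) {
            logger.info("Client allowed because the whitelist is disabled");
            return true;
        }
        if (allowedClientIds == null || allowedClientIds.isEmpty()) {
            return false;
        }
        if (allowSkipCheck && allowedClientIds.equals(SKIP_CLIENT_ID_CHECK_LIST)) {
            return true;
        }
        for (String allowed : allowedClientIds) {
            // Blank entries in the configured list never match, even against a blank clientId.
            if (!isEmptyOrWhitespace(allowed) && allowed.equals(clientId)) {
                return true;
            }
        }
        return false;
    }

    private boolean isEmptyOrWhitespace(String value) {
        return value == null || value.trim().isEmpty();
    }

    /** OAuthService lookup of the user behind the current request's access token. */
    @VisibleForTesting
    User getOAuth2User(String[] scopes) throws OAuthRequestException {
        return OAuthServiceFactory.getOAuthService().getCurrentUser(scopes);
    }

    /** OAuthService lookup of the client id behind the current request's access token. */
    @VisibleForTesting
    String getOAuth2ClientId(String[] scopes) throws OAuthRequestException {
        return OAuthServiceFactory.getOAuthService().getClientId(scopes);
    }

    /** OAuthService lookup of which of {@code scopes} the current access token is authorized for. */
    @VisibleForTesting
    String[] getOAuth2AuthorizedScopes(String[] scopes) throws OAuthRequestException {
        return OAuthServiceFactory.getOAuthService().getAuthorizedScopes(scopes);
    }

    /**
     * Dev-server client-id lookup: asks the token-info endpoint and reads its {@code Target} field.
     *
     * @return the client id, or {@code null} if the lookup failed
     */
    @VisibleForTesting
    String getOAuth2ClientIdDev(String accessToken) {
        HttpResponse response = null;
        try {
            HttpHeaders headers = new HttpHeaders();
            headers.setAuthorization("Bearer " + accessToken);
            response = this.httpRequestFactory
                    .buildGetRequest(new GenericUrl("https://www.google.com/accounts/AuthSubTokenInfo"))
                    .setHeaders(headers)
                    .execute();
            Properties tokenInfo = new Properties();
            tokenInfo.load(response.getContent());
            return tokenInfo.getProperty("Target");
        } catch (IOException e) {
            logger.log(Level.WARNING, "Failed to retrieve clientId from access token", e);
            return null;
        } finally {
            // Release the connection; the original left the response stream open.
            if (response != null) {
                try {
                    response.disconnect();
                } catch (IOException ignored) {
                    // Best effort: the result (or the logged failure) has already been decided.
                }
            }
        }
    }
}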
