package com.networknt.graphql.security;

import com.networknt.exception.ExpiredTokenException;
import com.networknt.graphql.common.GraphqlUtil;
import com.networknt.handler.Handler;
import com.networknt.handler.MiddlewareHandler;
import com.networknt.httpstring.AttachmentConstants;
import com.networknt.httpstring.HttpStringConstants;
import com.networknt.security.IJwtVerifyHandler;
import com.networknt.security.JwtVerifier;
import com.networknt.security.SecurityConfig;
import com.networknt.utility.ModuleRegistry;
import io.undertow.Handlers;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderMap;
import io.undertow.util.Headers;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/graphql/security/JwtVerifyHandler.class */
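/**
 * Middleware handler that verifies the JWT on incoming GraphQL requests and records audit
 * information on the exchange before passing control to the next handler.
 *
 * <p>Processing order, as implemented in {@link #handleRequest(HttpServerExchange)}:
 * <ol>
 *   <li>The bearer token is taken from the {@code Authorization} header; a missing token is
 *       rejected with {@code STATUS_MISSING_AUTH_TOKEN}.</li>
 *   <li>The token is verified with the shared {@link JwtVerifier}; verification failures map to
 *       {@code STATUS_INVALID_AUTH_TOKEN} or {@code STATUS_AUTH_TOKEN_EXPIRED}.</li>
 *   <li>Client id, user id, the full claim set and the optional caller id header are stored in
 *       the {@code AUDIT_INFO} attachment.</li>
 *   <li>When scope verification is enabled, the optional scope token header is verified as
 *       well and its scopes are extracted.</li>
 * </ol>
 *
 * <p><b>Security note:</b> every call to {@link #matchedScopes(List, List)} in this class passes
 * {@code null} as the required-scope list, and that method returns {@code true} for a
 * {@code null} or empty requirement. Scope "verification" here therefore only enforces that a
 * supplied scope token is valid, unexpired and carries a {@code scope}/{@code scp} claim; it
 * does not restrict which scopes are accepted. Per-operation authorization has to be enforced
 * elsewhere.
 *
 * <p>{@code config} and {@code jwtVerifier} are shared static state for all instances.
 */
public class JwtVerifyHandler implements MiddlewareHandler, IJwtVerifyHandler {
    private static final String STATUS_INVALID_AUTH_TOKEN = "ERR10000";
    private static final String STATUS_AUTH_TOKEN_EXPIRED = "ERR10001";
    private static final String STATUS_MISSING_AUTH_TOKEN = "ERR10002";
    private static final String STATUS_INVALID_SCOPE_TOKEN = "ERR10003";
    private static final String STATUS_SCOPE_TOKEN_EXPIRED = "ERR10004";
    private static final String STATUS_AUTH_TOKEN_SCOPE_MISMATCH = "ERR10005";
    private static final String STATUS_SCOPE_TOKEN_SCOPE_MISMATCH = "ERR10006";
    private volatile HttpHandler next;
    private static final Logger logger = LoggerFactory.getLogger(JwtVerifyHandler.class);
    private static final String GRAPHQL_SECURITY_CONFIG = "graphql-security";
    static SecurityConfig config = SecurityConfig.load(GRAPHQL_SECURITY_CONFIG);
    static JwtVerifier jwtVerifier = new JwtVerifier(config);

    /**
     * Verifies the request's JWT (and, if enabled, its scope token), attaches audit information
     * and invokes the next handler. On any verification failure the matching error status is
     * set on the exchange and the chain is not continued.
     *
     * @param httpServerExchange the current exchange
     * @throws Exception if the next handler throws
     */
    public void handleRequest(HttpServerExchange httpServerExchange) throws Exception {
        HeaderMap requestHeaders = httpServerExchange.getRequestHeaders();
        String requestPath = httpServerExchange.getRequestPath();
        String authToken = JwtVerifier.getTokenFromAuthorization(requestHeaders.getFirst(Headers.AUTHORIZATION));
        if (authToken == null) {
            setExchangeStatus(httpServerExchange, STATUS_MISSING_AUTH_TOKEN, new Object[0]);
            return;
        }
        try {
            // NOTE(review): the boolean arguments are presumably ignoreExpiry=false, isToken=true;
            // confirm against the JwtVerifier version in use.
            JwtClaims authClaims = jwtVerifier.verifyJwt(authToken, false, true, (String) null, requestPath, (List) null);
            HashMap<String, Object> auditInfo = new HashMap<>();
            auditInfo.put("endpoint", GraphqlUtil.config.getPath());
            try {
                auditInfo.put("client_id", firstStringClaim(authClaims, "client_id", "cid"));
                auditInfo.put("user_id", firstStringClaim(authClaims, "user_id", "uid"));
            } catch (MalformedClaimException e) {
                // A verified token whose identity claims are not strings is rejected as an
                // invalid token instead of escaping as an unhandled exception.
                logger.error("MalformedClaimException", e);
                setExchangeStatus(httpServerExchange, STATUS_INVALID_AUTH_TOKEN, new Object[0]);
                return;
            }
            auditInfo.put("subject_claims", authClaims);
            String callerId = requestHeaders.getFirst(HttpStringConstants.CALLER_ID);
            if (callerId != null) {
                // The caller id comes from a request header and is recorded as supplied.
                auditInfo.put("caller_id", callerId);
            }
            httpServerExchange.putAttachment(AttachmentConstants.AUDIT_INFO, auditInfo);
            if (config != null && config.isEnableVerifyScope()) {
                String scopeHeader = requestHeaders.getFirst(HttpStringConstants.SCOPE_TOKEN);
                String scopeToken = JwtVerifier.getTokenFromAuthorization(scopeHeader);
                List<String> scopeTokenScopes = null;
                if (scopeToken != null) {
                    try {
                        JwtClaims scopeClaims = jwtVerifier.verifyJwt(scopeToken, false, true, (String) null, requestPath, (List) null);
                        scopeTokenScopes = extractScopes(scopeClaims);
                        // NOTE(review): unlike the primary token, no "cid" fallback is applied here.
                        auditInfo.put("scope_client_id", scopeClaims.getStringClaimValue("client_id"));
                        auditInfo.put("access_claims", scopeClaims);
                    } catch (InvalidJwtException | MalformedClaimException e) {
                        logger.error("InvalidJwtException", e);
                        setExchangeStatus(httpServerExchange, STATUS_INVALID_SCOPE_TOKEN, new Object[0]);
                        return;
                    } catch (ExpiredTokenException e) {
                        logger.error("ExpiredTokenException", e);
                        setExchangeStatus(httpServerExchange, STATUS_SCOPE_TOKEN_EXPIRED, new Object[0]);
                        return;
                    }
                }
                if (scopeHeader == null) {
                    // No scope token header: fall back to the scopes of the primary token.
                    List<String> authScopes;
                    try {
                        authScopes = extractScopes(authClaims);
                    } catch (MalformedClaimException e) {
                        logger.error("MalformedClaimException", e);
                        setExchangeStatus(httpServerExchange, STATUS_INVALID_AUTH_TOKEN, new Object[0]);
                        return;
                    }
                    // Required scopes are null, so this check always passes (see class note).
                    if (!matchedScopes(authScopes, null)) {
                        setExchangeStatus(httpServerExchange, STATUS_AUTH_TOKEN_SCOPE_MISMATCH, new Object[]{authScopes, null});
                        return;
                    }
                } else if (scopeTokenScopes == null || !matchedScopes(scopeTokenScopes, null)) {
                    // Reached when the header is present but yields no token, or the verified
                    // scope token carries no scope/scp claim of a supported type.
                    setExchangeStatus(httpServerExchange, STATUS_SCOPE_TOKEN_SCOPE_MISMATCH, new Object[]{scopeTokenScopes, null});
                    return;
                }
            }
            Handler.next(httpServerExchange, this.next);
        } catch (InvalidJwtException e) {
            logger.error("InvalidJwtException: ", e);
            setExchangeStatus(httpServerExchange, STATUS_INVALID_AUTH_TOKEN, new Object[0]);
        } catch (ExpiredTokenException e) {
            logger.error("ExpiredTokenException", e);
            setExchangeStatus(httpServerExchange, STATUS_AUTH_TOKEN_EXPIRED, new Object[0]);
        }
    }

    /** Returns the string claim {@code primary}, or the claim {@code fallback} when it is absent. */
    private static String firstStringClaim(JwtClaims claims, String primary, String fallback)
            throws MalformedClaimException {
        String value = claims.getStringClaimValue(primary);
        return value != null ? value : claims.getStringClaimValue(fallback);
    }

    /**
     * Reads the scopes from the {@code scope} claim, falling back to {@code scp} when the first
     * yields nothing. A string claim is split on single spaces; a list claim is used as is.
     * Returns {@code null} when neither claim is a string or a list.
     */
    private static List<String> extractScopes(JwtClaims claims) throws MalformedClaimException {
        List<String> scopes = null;
        for (String claimName : new String[] {"scope", "scp"}) {
            Object raw = claims.getClaimValue(claimName);
            if (raw instanceof String) {
                scopes = Arrays.asList(claims.getStringClaimValue(claimName).split(" "));
            } else if (raw instanceof List) {
                scopes = claims.getStringListClaimValue(claimName);
            }
            if (scopes != null && !scopes.isEmpty()) {
                break;
            }
        }
        return scopes;
    }

    /**
     * Checks whether the token scopes satisfy the required scopes.
     *
     * @param list  scopes carried by the token; may be {@code null}
     * @param list2 required scopes; {@code null} or empty means nothing is required
     * @return {@code true} if nothing is required or at least one required scope is present in
     *     the token scopes; {@code false} otherwise
     */
    protected boolean matchedScopes(List<String> list, List<String> list2) {
        if (list2 == null || list2.isEmpty()) {
            return true;
        }
        if (list == null || list.isEmpty()) {
            return false;
        }
        for (String required : list2) {
            if (list.contains(required)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the next handler in the chain. */
    public HttpHandler getNext() {
        return this.next;
    }

    /**
     * Sets the next handler in the chain after passing it to {@code Handlers.handlerNotNull}.
     *
     * @param httpHandler the handler to invoke after successful verification
     * @return this handler
     */
    public MiddlewareHandler setNext(HttpHandler httpHandler) {
        Handlers.handlerNotNull(httpHandler);
        this.next = httpHandler;
        return this;
    }

    /** Returns the {@code enableVerifyJwt} setting of the loaded security configuration. */
    public boolean isEnabled() {
        return config.isEnableVerifyJwt();
    }

    /** Registers this module and its mapped configuration with the module registry. */
    public void register() {
        ModuleRegistry.registerModule(GRAPHQL_SECURITY_CONFIG, JwtVerifyHandler.class.getName(), config.getMappedConfig(), (List) null);
    }

    /**
     * Reloads the security configuration and re-registers the module.
     *
     * <p>NOTE(review): {@code jwtVerifier} is not re-created here; whether it observes the
     * reloaded values depends on how {@code JwtVerifier} uses the {@code SecurityConfig}
     * instance it was constructed with. Confirm before relying on hot reload.
     */
    public void reload() {
        config.reload(GRAPHQL_SECURITY_CONFIG);
        ModuleRegistry.registerModule(GRAPHQL_SECURITY_CONFIG, JwtVerifyHandler.class.getName(), config.getMappedConfig(), (List) null);
    }

    /** Returns the shared verifier used by this handler. */
    public JwtVerifier getJwtVerifier() {
        return jwtVerifier;
    }
}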
