package com.networknt.openapi;

import com.networknt.config.Config;
import com.networknt.exception.ExpiredTokenException;
import com.networknt.handler.Handler;
import com.networknt.handler.MiddlewareHandler;
import com.networknt.handler.config.HandlerConfig;
import com.networknt.httpstring.AttachmentConstants;
import com.networknt.httpstring.HttpStringConstants;
import com.networknt.oas.model.Operation;
import com.networknt.oas.model.Path;
import com.networknt.oas.model.SecurityParameter;
import com.networknt.oas.model.SecurityRequirement;
import com.networknt.security.IJwtVerifyHandler;
import com.networknt.security.JwtVerifier;
import com.networknt.security.SecurityConfig;
import com.networknt.utility.Constants;
import com.networknt.utility.ModuleRegistry;
import io.undertow.Handlers;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderMap;
import io.undertow.util.Headers;
import io.undertow.util.HttpString;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/openapi/JwtVerifyHandler.class */
public class JwtVerifyHandler implements MiddlewareHandler, IJwtVerifyHandler {
    static final Logger logger = LoggerFactory.getLogger((Class<?>) JwtVerifyHandler.class);
    static final String HANDLER_CONFIG = "handler";
    static final String OPENAPI_SECURITY_CONFIG = "openapi-security";
    static final String STATUS_INVALID_AUTH_TOKEN = "ERR10000";
    static final String STATUS_AUTH_TOKEN_EXPIRED = "ERR10001";
    static final String STATUS_MISSING_AUTH_TOKEN = "ERR10002";
    static final String STATUS_INVALID_SCOPE_TOKEN = "ERR10003";
    static final String STATUS_SCOPE_TOKEN_EXPIRED = "ERR10004";
    static final String STATUS_AUTH_TOKEN_SCOPE_MISMATCH = "ERR10005";
    static final String STATUS_SCOPE_TOKEN_SCOPE_MISMATCH = "ERR10006";
    static final String STATUS_INVALID_REQUEST_PATH = "ERR10007";
    static final String STATUS_METHOD_NOT_ALLOWED = "ERR10008";
    static SecurityConfig config;
    public static JwtVerifier jwtVerifier;
    String basePath;
    private volatile HttpHandler next;

    public JwtVerifyHandler() {
        config = SecurityConfig.load(OPENAPI_SECURITY_CONFIG);
        jwtVerifier = new JwtVerifier(config);
        HandlerConfig handlerConfig = (HandlerConfig) Config.getInstance().getJsonObjectConfig("handler", HandlerConfig.class);
        this.basePath = handlerConfig == null ? "/" : handlerConfig.getBasePath();
    }

    @Override // io.undertow.server.HttpHandler
    public void handleRequest(HttpServerExchange httpServerExchange) throws Exception {
        if (logger.isDebugEnabled()) {
            logger.debug("JwtVerifyHandler.handleRequest starts.");
        }
        String requestPath = httpServerExchange.getRequestPath();
        if (config.getSkipPathPrefixes() != null) {
            Stream<String> stream = config.getSkipPathPrefixes().stream();
            Objects.requireNonNull(requestPath);
            if (stream.anyMatch(requestPath::startsWith)) {
                if (logger.isTraceEnabled()) {
                    logger.trace("Skip request path base on skipPathPrefixes for " + requestPath);
                }
                Handler.next(httpServerExchange, this.next);
                if (logger.isDebugEnabled()) {
                    logger.debug("JwtVerifyHandler.handleRequest ends.");
                    return;
                }
                return;
            }
        }
        if (handleJwt(httpServerExchange, null, requestPath, null)) {
            if (logger.isDebugEnabled()) {
                logger.debug("JwtVerifyHandler.handleRequest ends.");
            }
            Handler.next(httpServerExchange, this.next);
        }
    }

    public boolean handleJwt(HttpServerExchange httpServerExchange, String str, String str2, List<String> list) throws Exception {
        HeaderMap requestHeaders = httpServerExchange.getRequestHeaders();
        String first = requestHeaders.getFirst(Headers.AUTHORIZATION);
        if (logger.isTraceEnabled() && first != null && first.length() > 10) {
            logger.trace("Authorization header = " + first.substring(0, 10));
        }
        if (first == null) {
            setExchangeStatus(httpServerExchange, STATUS_MISSING_AUTH_TOKEN, new Object[0]);
            httpServerExchange.endExchange();
            if (!logger.isDebugEnabled()) {
                return false;
            }
            logger.debug("JwtVerifyHandler.handleRequest ends with an error.");
            return false;
        }
        if (first.trim().length() < 6) {
            setExchangeStatus(httpServerExchange, STATUS_INVALID_AUTH_TOKEN, new Object[0]);
            httpServerExchange.endExchange();
            if (!logger.isDebugEnabled()) {
                return false;
            }
            logger.debug("JwtVerifyHandler.handleRequest ends with an error.");
            return false;
        }
        String scopeToken = getScopeToken(first, requestHeaders);
        boolean isIgnoreJwtExpiry = config.isIgnoreJwtExpiry();
        String tokenFromAuthorization = JwtVerifier.getTokenFromAuthorization(scopeToken);
        if (tokenFromAuthorization == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("JwtVerifyHandler.handleRequest ends with an error.");
            }
            setExchangeStatus(httpServerExchange, STATUS_MISSING_AUTH_TOKEN, new Object[0]);
            httpServerExchange.endExchange();
            return true;
        }
        if (logger.isTraceEnabled()) {
            logger.trace("parsed jwt from authorization = " + tokenFromAuthorization.substring(0, 10));
        }
        try {
            JwtClaims verifyJwt = jwtVerifier.verifyJwt(tokenFromAuthorization, isIgnoreJwtExpiry, true, str, str2, list);
            if (logger.isTraceEnabled()) {
                logger.trace("claims = " + verifyJwt.toJson());
            }
            Map<String, Object> map = (Map) httpServerExchange.getAttachment(AttachmentConstants.AUDIT_INFO);
            if (map == null) {
                map = new HashMap();
                httpServerExchange.putAttachment(AttachmentConstants.AUDIT_INFO, map);
            }
            String stringClaimValue = verifyJwt.getStringClaimValue("client_id");
            String stringClaimValue2 = verifyJwt.getStringClaimValue(Constants.USER_ID_STRING);
            if (stringClaimValue == null) {
                stringClaimValue = verifyJwt.getStringClaimValue(Constants.CID_STRING);
            }
            if (stringClaimValue2 == null) {
                stringClaimValue2 = verifyJwt.getStringClaimValue(Constants.UID_STRING);
            }
            map.put(Constants.USER_ID_STRING, stringClaimValue2);
            map.put(Constants.SUBJECT_CLAIMS, verifyJwt);
            map.put("client_id", stringClaimValue);
            if (!config.isEnableH2c() && jwtVerifier.checkForH2CRequest(requestHeaders)) {
                setExchangeStatus(httpServerExchange, STATUS_METHOD_NOT_ALLOWED, new Object[0]);
                if (!logger.isDebugEnabled()) {
                    return false;
                }
                logger.debug("JwtVerifyHandler.handleRequest ends with an error.");
                return false;
            }
            String first2 = requestHeaders.getFirst(HttpStringConstants.CALLER_ID);
            if (first2 != null) {
                map.put(Constants.CALLER_ID_STRING, first2);
            }
            if (config != null && config.isEnableVerifyScope()) {
                if (logger.isTraceEnabled()) {
                    logger.trace("verify scope from the primary token when enableVerifyScope is true");
                }
                Operation operation = getOperation(httpServerExchange, (OpenApiOperation) map.get(Constants.OPENAPI_OPERATION_STRING), map);
                if (operation == null) {
                    if (!config.isSkipVerifyScopeWithoutSpec()) {
                        return false;
                    }
                    if (logger.isDebugEnabled()) {
                        logger.debug("JwtVerifyHandler.handleRequest ends without verifying scope due to spec.");
                    }
                    Handler.next(httpServerExchange, this.next);
                    return false;
                }
                String first3 = requestHeaders.getFirst(HttpStringConstants.SCOPE_TOKEN);
                String tokenFromAuthorization2 = JwtVerifier.getTokenFromAuthorization(first3);
                ArrayList arrayList = new ArrayList();
                if (!hasValidSecondaryScopes(httpServerExchange, tokenFromAuthorization2, arrayList, isIgnoreJwtExpiry, str, str2, list, map) || !hasValidScope(httpServerExchange, first3, arrayList, verifyJwt, operation)) {
                    return false;
                }
            }
            if (config.getPassThroughClaims() != null && config.getPassThroughClaims().size() > 0) {
                for (Map.Entry<String, String> entry : config.getPassThroughClaims().entrySet()) {
                    String key = entry.getKey();
                    String value = entry.getValue();
                    Object claimValue = verifyJwt.getClaimValue(key);
                    if (logger.isTraceEnabled()) {
                        logger.trace("pass through header {} with value {}", value, claimValue);
                    }
                    requestHeaders.put(new HttpString(value), claimValue.toString());
                }
            }
            if (logger.isTraceEnabled()) {
                logger.trace("complete JWT verification for request path = " + httpServerExchange.getRequestURI());
            }
            if (!logger.isDebugEnabled()) {
                return true;
            }
            logger.debug("JwtVerifyHandler.handleRequest ends.");
            return true;
        } catch (ExpiredTokenException e) {
            logger.error("ExpiredTokenException", (Throwable) e);
            if (logger.isDebugEnabled()) {
                logger.debug("JwtVerifyHandler.handleRequest ends with an error.");
            }
            setExchangeStatus(httpServerExchange, STATUS_AUTH_TOKEN_EXPIRED, new Object[0]);
            httpServerExchange.endExchange();
            return true;
        } catch (InvalidJwtException e2) {
            logger.error("InvalidJwtException: ", (Throwable) e2);
            if (logger.isDebugEnabled()) {
                logger.debug("JwtVerifyHandler.handleRequest ends with an error.");
            }
            setExchangeStatus(httpServerExchange, STATUS_INVALID_AUTH_TOKEN, new Object[0]);
            httpServerExchange.endExchange();
            return true;
        }
    }

    protected String getScopeToken(String str, HeaderMap headerMap) {
        String str2 = str;
        if (str2 != null && !str2.substring(0, 6).equalsIgnoreCase("Bearer")) {
            str2 = headerMap.getFirst(HttpStringConstants.SCOPE_TOKEN);
            if (logger.isTraceEnabled() && str2 != null && str2.length() > 10) {
                logger.trace("The replaced authorization from X-Scope-Token header = " + str2.substring(0, 10));
            }
        }
        return str2;
    }

    protected Operation getOperation(HttpServerExchange httpServerExchange, OpenApiOperation openApiOperation, Map<String, Object> map) {
        Operation operation;
        if (openApiOperation == null) {
            Optional<NormalisedPath> findMatchingApiPath = OpenApiHandler.getHelper(httpServerExchange.getRequestPath()).findMatchingApiPath(new ApiNormalisedPath(httpServerExchange.getRequestURI(), this.basePath));
            if (findMatchingApiPath.isEmpty()) {
                if (config.isSkipVerifyScopeWithoutSpec()) {
                    return null;
                }
                setExchangeStatus(httpServerExchange, STATUS_INVALID_REQUEST_PATH, new Object[0]);
                return null;
            }
            NormalisedPath normalisedPath = findMatchingApiPath.get();
            Path path = OpenApiHandler.getHelper(httpServerExchange.getRequestPath()).openApi3.getPath(normalisedPath.original());
            String lowerCase = httpServerExchange.getRequestMethod().toString().toLowerCase();
            operation = path.getOperation(lowerCase);
            if (operation == null) {
                setExchangeStatus(httpServerExchange, STATUS_METHOD_NOT_ALLOWED, lowerCase, normalisedPath.normalised());
                httpServerExchange.endExchange();
                return null;
            }
            map.put(Constants.OPENAPI_OPERATION_STRING, new OpenApiOperation(normalisedPath, path, lowerCase, operation));
            map.put("endpoint", normalisedPath.normalised() + "@" + lowerCase);
        } else {
            operation = openApiOperation.getOperation();
        }
        return operation;
    }

    protected boolean hasValidSecondaryScopes(HttpServerExchange httpServerExchange, String str, List<String> list, boolean z, String str2, String str3, List<String> list2, Map<String, Object> map) {
        if (str == null) {
            return true;
        }
        if (logger.isTraceEnabled()) {
            logger.trace("start verifying scope token = " + str.substring(0, 10));
        }
        try {
            JwtClaims verifyJwt = jwtVerifier.verifyJwt(str, z, true, str2, str3, list2);
            Object claimValue = verifyJwt.getClaimValue("scope");
            if (claimValue instanceof String) {
                list.addAll(Arrays.asList(verifyJwt.getStringClaimValue("scope").split(" ")));
            } else if (claimValue instanceof List) {
                list.addAll(verifyJwt.getStringListClaimValue("scope"));
            }
            if (list.isEmpty()) {
                Object claimValue2 = verifyJwt.getClaimValue(Constants.SCP_STRING);
                if (claimValue2 instanceof String) {
                    list.addAll(Arrays.asList(verifyJwt.getStringClaimValue(Constants.SCP_STRING).split(" ")));
                } else if (claimValue2 instanceof List) {
                    list.addAll(verifyJwt.getStringListClaimValue(Constants.SCP_STRING));
                }
            }
            map.put(Constants.SCOPE_CLIENT_ID_STRING, verifyJwt.getStringClaimValue("client_id"));
            map.put(Constants.ACCESS_CLAIMS, verifyJwt);
            return true;
        } catch (ExpiredTokenException e) {
            logger.error("ExpiredTokenException", (Throwable) e);
            setExchangeStatus(httpServerExchange, STATUS_SCOPE_TOKEN_EXPIRED, new Object[0]);
            httpServerExchange.endExchange();
            return false;
        } catch (MalformedClaimException e2) {
            logger.error("MalformedClaimException", (Throwable) e2);
            setExchangeStatus(httpServerExchange, STATUS_INVALID_AUTH_TOKEN, new Object[0]);
            httpServerExchange.endExchange();
            return false;
        } catch (InvalidJwtException e3) {
            logger.error("InvalidJwtException", (Throwable) e3);
            setExchangeStatus(httpServerExchange, STATUS_INVALID_SCOPE_TOKEN, new Object[0]);
            httpServerExchange.endExchange();
            return false;
        }
    }

    protected boolean hasValidScope(HttpServerExchange httpServerExchange, String str, List<String> list, JwtClaims jwtClaims, Operation operation) {
        if (!config.isEnableVerifyScope()) {
            return true;
        }
        List<String> list2 = null;
        List<SecurityRequirement> securityRequirements = operation.getSecurityRequirements();
        if (securityRequirements != null) {
            for (SecurityRequirement securityRequirement : securityRequirements) {
                SecurityParameter securityParameter = null;
                Iterator<String> it = OpenApiHandler.getHelper(httpServerExchange.getRequestPath()).oauth2Names.iterator();
                while (it.hasNext()) {
                    securityParameter = securityRequirement.getRequirement(it.next());
                    if (securityParameter != null) {
                        break;
                    }
                }
                if (securityParameter != null) {
                    list2 = securityParameter.getParameters();
                }
                if (list2 != null) {
                    break;
                }
            }
        }
        if (str != null) {
            if (logger.isTraceEnabled()) {
                logger.trace("validate the scope with scope token");
            }
            if (list != null && matchedScopes(list, list2)) {
                return true;
            }
            setExchangeStatus(httpServerExchange, STATUS_SCOPE_TOKEN_SCOPE_MISMATCH, list, list2);
            httpServerExchange.endExchange();
            return false;
        }
        if (logger.isTraceEnabled()) {
            logger.trace("validate the scope with primary token");
        }
        List<String> list3 = null;
        try {
            Object claimValue = jwtClaims.getClaimValue("scope");
            if (claimValue instanceof String) {
                list3 = Arrays.asList(jwtClaims.getStringClaimValue("scope").split(" "));
            } else if (claimValue instanceof List) {
                list3 = jwtClaims.getStringListClaimValue("scope");
            }
            if (list3 == null || list3.isEmpty()) {
                Object claimValue2 = jwtClaims.getClaimValue(Constants.SCP_STRING);
                if (claimValue2 instanceof String) {
                    list3 = Arrays.asList(jwtClaims.getStringClaimValue(Constants.SCP_STRING).split(" "));
                } else if (claimValue2 instanceof List) {
                    list3 = jwtClaims.getStringListClaimValue(Constants.SCP_STRING);
                }
            }
            if (matchedScopes(list3, list2)) {
                return true;
            }
            setExchangeStatus(httpServerExchange, STATUS_AUTH_TOKEN_SCOPE_MISMATCH, list3, list2);
            httpServerExchange.endExchange();
            return false;
        } catch (MalformedClaimException e) {
            logger.error("MalformedClaimException", (Throwable) e);
            setExchangeStatus(httpServerExchange, STATUS_INVALID_AUTH_TOKEN, new Object[0]);
            httpServerExchange.endExchange();
            return false;
        }
    }

    protected boolean matchedScopes(List<String> list, Collection<String> collection) {
        boolean z = false;
        if (collection == null || collection.size() <= 0) {
            z = true;
        } else if (list != null && list.size() > 0) {
            Iterator<String> it = collection.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                if (list.contains(it.next())) {
                    z = true;
                    break;
                }
            }
        }
        return z;
    }

    @Override // com.networknt.handler.MiddlewareHandler
    public HttpHandler getNext() {
        return this.next;
    }

    @Override // com.networknt.handler.MiddlewareHandler
    public MiddlewareHandler setNext(HttpHandler httpHandler) {
        Handlers.handlerNotNull(httpHandler);
        this.next = httpHandler;
        return this;
    }

    @Override // com.networknt.handler.MiddlewareHandler
    public boolean isEnabled() {
        return config.isEnableVerifyJwt();
    }

    @Override // com.networknt.handler.MiddlewareHandler
    public void register() {
        ModuleRegistry.registerModule(JwtVerifyHandler.class.getName(), Config.getInstance().getJsonMapConfigNoCache(OPENAPI_SECURITY_CONFIG), null);
    }

    @Override // com.networknt.handler.MiddlewareHandler
    public void reload() {
        config.reload(OPENAPI_SECURITY_CONFIG);
        jwtVerifier = new JwtVerifier(config);
        ModuleRegistry.registerModule(JwtVerifyHandler.class.getName(), Config.getInstance().getJsonMapConfigNoCache(OPENAPI_SECURITY_CONFIG), null);
    }

    @Override // com.networknt.security.IJwtVerifyHandler
    public JwtVerifier getJwtVerifier() {
        return jwtVerifier;
    }
}
