package org.apache.cxf.rs.security.oauth2.services;

import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MultivaluedMap;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.ext.MessageContextImpl;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
import org.apache.cxf.rs.security.jose.jwt.JwtException;
import org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.provider.AccessTokenValidator;
import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;

/* loaded from: input_file:lib/cxf-rt-rs-security-oauth2-3.4.3.jar:org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.class */
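/**
 * Base class for OAuth2 services that turn the credentials of an HTTP
 * {@code Authorization} header (scheme + scheme data) into an
 * {@link AccessTokenValidation}.
 *
 * <p>Resolution order used by {@link #getAccessTokenValidation}:
 * <ol>
 *   <li>the optional in-memory validation cache, keyed by the raw token string;</li>
 *   <li>the first registered {@link AccessTokenValidator} that supports the scheme;</li>
 *   <li>for the {@code Bearer} scheme only, the local {@link OAuthDataProvider}.</li>
 * </ol>
 *
 * <p>Security notes for integrators:
 * <ul>
 *   <li>A cache hit is returned without asking the validator or the data provider
 *       again. Only the expiry and not-before checks are repeated, so a token that
 *       was revoked upstream keeps validating from the cache until it expires or
 *       the cache is cleared.</li>
 *   <li>The cache key is the token string alone; the scheme presented with it is
 *       not part of the key.</li>
 * </ul>
 */
public abstract class AbstractAccessTokenValidator {
    private static final String DEFAULT_AUTH_SCHEME = "Bearer";
    // Realm passed to AuthorizationUtils.throwAuthorizationFailure on every rejection.
    protected String realm;
    private MessageContext mc;
    private OAuthDataProvider dataProvider;
    // 0 (the default) disables the validation cache; any value > 0 enables it.
    private int maxValidationDataCacheSize;
    private JoseJwtConsumer jwtTokenConsumer;
    // Union of the schemes reported by every validator ever registered (never shrinks).
    protected Set<String> supportedSchemes = new HashSet<>();
    private List<AccessTokenValidator> tokenHandlers = Collections.emptyList();
    // Raw token string -> last successful validation result.
    private ConcurrentHashMap<String, AccessTokenValidation> accessTokenValidations = new ConcurrentHashMap<>();
    private boolean persistJwtEncoding = true;

    /**
     * Registers a single token validator; shorthand for
     * {@link #setTokenValidators(List)} with a one-element list.
     *
     * @param accessTokenValidator the validator to register
     */
    public void setTokenValidator(AccessTokenValidator accessTokenValidator) {
        setTokenValidators(Collections.singletonList(accessTokenValidator));
    }

    /**
     * Replaces the list of token validators and adds their schemes to
     * {@link #supportedSchemes}.
     *
     * <p>Schemes are only ever added: calling this method again does not remove the
     * schemes contributed by validators from an earlier call.
     *
     * @param list the validators, consulted in list order
     */
    public void setTokenValidators(List<AccessTokenValidator> list) {
        this.tokenHandlers = list;
        for (AccessTokenValidator handler : list) {
            this.supportedSchemes.addAll(handler.getSupportedAuthorizationSchemes());
        }
    }

    /**
     * Sets the local data provider used as the {@code Bearer} fallback and for
     * revoking expired tokens.
     *
     * @param oAuthDataProvider the data provider
     */
    public void setDataProvider(OAuthDataProvider oAuthDataProvider) {
        this.dataProvider = oAuthDataProvider;
    }

    /**
     * Receives the JAX-RS message context.
     *
     * @param messageContext the context to use for subsequent validations
     */
    @Context
    public void setMessageContext(MessageContext messageContext) {
        this.mc = messageContext;
    }

    /**
     * Returns the message context set through {@link #setMessageContext}, or a new
     * {@link MessageContextImpl} wrapping the current message when none was set.
     *
     * @return the message context handed to token validators
     */
    public MessageContext getMessageContext() {
        if (this.mc != null) {
            return this.mc;
        }
        return new MessageContextImpl(PhaseInterceptorChain.getCurrentMessage());
    }

    /**
     * Finds the first registered validator that handles the given scheme.
     *
     * <p>A validator matches when its scheme list contains {@code str}, or when the
     * list is exactly the single wildcard entry {@code "*"}.
     *
     * @param str the authorization scheme taken from the request
     * @return the first matching validator, or {@code null} when none matches
     */
    protected AccessTokenValidator findTokenValidator(String str) {
        for (AccessTokenValidator handler : this.tokenHandlers) {
            List<String> schemes = handler.getSupportedAuthorizationSchemes();
            boolean wildcard = schemes.size() == 1 && "*".equals(schemes.get(0));
            if (wildcard || schemes.contains(str)) {
                return handler;
            }
        }
        return null;
    }

    /**
     * Validates an access token and returns its validation record.
     *
     * <p>Every rejection goes through
     * {@code AuthorizationUtils.throwAuthorizationFailure}; the code after each call
     * relies on that helper not returning normally. A missing configuration (no data
     * provider and no validators) is reported as an internal server error instead.
     *
     * <p>The method is {@code public} in this decompiled listing; the decompiler
     * notes that the access modifier was changed from {@code protected}.
     *
     * @param str the authorization scheme, e.g. {@code Bearer}
     * @param str2 the scheme data, i.e. the token as presented by the client
     * @param multivaluedMap extra request properties passed through to the validator
     * @return the validation record of a token that is known, not expired and
     *         already valid according to its not-before time
     */
    public AccessTokenValidation getAccessTokenValidation(String str, String str2, MultivaluedMap<String, String> multivaluedMap) {
        if (this.dataProvider == null && this.tokenHandlers.isEmpty()) {
            throw ExceptionUtils.toInternalServerErrorException(null, null);
        }
        final String authScheme = str;
        final String authSchemeData = str2;
        // Fail closed on absent credentials. ConcurrentHashMap rejects null keys, so
        // with the cache enabled a null token used to surface as a
        // NullPointerException rather than as an authorization failure.
        if (authScheme == null || authSchemeData == null) {
            AuthorizationUtils.throwAuthorizationFailure(this.supportedSchemes, this.realm);
        }
        final boolean cacheEnabled = this.maxValidationDataCacheSize > 0;

        // A cache hit skips the validator and the data provider entirely, so a
        // revocation made after the entry was stored is not seen here.
        AccessTokenValidation validation = cacheEnabled ? this.accessTokenValidations.get(authSchemeData) : null;
        ServerAccessToken localToken = null;
        if (validation == null) {
            AccessTokenValidator handler = findTokenValidator(authScheme);
            if (handler != null) {
                try {
                    validation = handler.validateAccessToken(getMessageContext(), authScheme, authSchemeData, multivaluedMap);
                } catch (RuntimeException e) {
                    // Any validator failure is reported as an authorization failure for
                    // this scheme. The cause is dropped here, so a validator that needs
                    // an audit trail has to log before throwing.
                    AuthorizationUtils.throwAuthorizationFailure(Collections.singleton(authScheme), this.realm);
                }
            }
            if (validation == null && this.dataProvider != null && DEFAULT_AUTH_SCHEME.equals(authScheme)) {
                try {
                    String tokenKey = authSchemeData;
                    if (!this.persistJwtEncoding) {
                        // The provider stores tokens under the JWT's token id rather
                        // than under the full encoded JWT.
                        // NOTE(review): whether getJwtToken verifies the signature depends
                        // on how the JoseJwtConsumer is configured - confirm for the
                        // default-constructed consumer used when none was injected.
                        JoseJwtConsumer consumer = this.jwtTokenConsumer == null ? new JoseJwtConsumer() : this.jwtTokenConsumer;
                        tokenKey = consumer.getJwtToken(authSchemeData).getClaims().getTokenId();
                    }
                    localToken = this.dataProvider.getAccessToken(tokenKey);
                } catch (JwtException | OAuthServiceException ignored) {
                    // Deliberately ignored: localToken stays null and the request is
                    // rejected just below.
                }
                if (localToken == null) {
                    AuthorizationUtils.throwAuthorizationFailure(Collections.singleton(authScheme), this.realm);
                }
                validation = new AccessTokenValidation(localToken);
            }
        }
        if (validation == null) {
            AuthorizationUtils.throwAuthorizationFailure(this.supportedSchemes, this.realm);
        }
        // The time checks run for cached entries too.
        if (OAuthUtils.isExpired(Long.valueOf(validation.getTokenIssuedAt()), Long.valueOf(validation.getTokenLifetime()))) {
            if (localToken != null) {
                removeAccessToken(localToken);
            } else if (cacheEnabled) {
                this.accessTokenValidations.remove(authSchemeData);
            }
            AuthorizationUtils.throwAuthorizationFailure(this.supportedSchemes, this.realm);
        }
        // The not-before value is compared with the current time in seconds.
        long notBefore = validation.getTokenNotBefore();
        if (notBefore > 0 && notBefore > System.currentTimeMillis() / 1000) {
            AuthorizationUtils.throwAuthorizationFailure(this.supportedSchemes, this.realm);
        }
        if (cacheEnabled) {
            // The only eviction besides expiry: drop everything once the limit is reached.
            if (this.accessTokenValidations.size() >= this.maxValidationDataCacheSize) {
                this.accessTokenValidations.clear();
            }
            this.accessTokenValidations.put(authSchemeData, validation);
        }
        return validation;
    }

    /**
     * Revokes an expired token through the data provider.
     *
     * @param serverAccessToken the token to revoke; its client and token key are
     *        passed to {@code revokeToken}
     */
    protected void removeAccessToken(ServerAccessToken serverAccessToken) {
        this.dataProvider.revokeToken(serverAccessToken.getClient(), serverAccessToken.getTokenKey(), OAuthConstants.ACCESS_TOKEN);
    }

    /**
     * Sets the realm reported with authorization failures.
     *
     * @param str the realm name
     */
    public void setRealm(String str) {
        this.realm = str;
    }

    /**
     * Enables the validation cache when the value is greater than zero.
     *
     * <p>Cached entries are served without re-validation, so enabling the cache
     * delays the effect of a token revocation until the entry expires or the cache
     * is cleared on reaching this size.
     *
     * @param i the entry count at which the cache is cleared; 0 or less disables it
     */
    public void setMaxValidationDataCacheSize(int i) {
        this.maxValidationDataCacheSize = i;
    }

    /**
     * Returns the JWT consumer used when JWT encodings are not persisted.
     *
     * @return the configured consumer, or {@code null} when none was set
     */
    public JoseJwtConsumer getJwtTokenConsumer() {
        return this.jwtTokenConsumer;
    }

    /**
     * Sets the JWT consumer used to read the token id when
     * {@link #isPersistJwtEncoding()} is {@code false}.
     *
     * @param joseJwtConsumer the consumer to use
     */
    public void setJwtTokenConsumer(JoseJwtConsumer joseJwtConsumer) {
        this.jwtTokenConsumer = joseJwtConsumer;
    }

    /**
     * Tells whether the data provider is queried with the full encoded token.
     *
     * @return {@code true} (the default) when the token string itself is the lookup
     *         key, {@code false} when the JWT's token id is used instead
     */
    public boolean isPersistJwtEncoding() {
        return this.persistJwtEncoding;
    }

    /**
     * Chooses the lookup key for the {@code Bearer} data-provider fallback.
     *
     * @param z {@code true} to look up by the full token string, {@code false} to
     *        look up by the JWT's token id
     */
    public void setPersistJwtEncoding(boolean z) {
        this.persistJwtEncoding = z;
    }
}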
