package org.apache.cxf.rs.security.oauth2.filters;

import jakarta.annotation.Priority;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.ws.rs.HttpMethod;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.container.PreMatching;
import jakarta.ws.rs.core.Form;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.ext.Provider;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.common.util.PropertyUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.provider.FormEncodingProvider;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.FormUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation;
import org.apache.cxf.rs.security.oauth2.common.AuthenticationMethod;
import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator;
import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.security.transport.TLSSessionInfo;

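/**
 * Pre-matching JAX-RS filter that validates the OAuth2 access token presented with an
 * incoming request and, on success, publishes a {@link SecurityContext} and an
 * {@link OAuthContext} on the current CXF {@link Message} for downstream code.
 *
 * <p>The checks run in this order (see {@link #validateRequest(Message)}): CORS preflight
 * bypass, token extraction, initial token validation, audience, issuer, scope/permission
 * matching against the request URI and verb, client-IP binding, confidential-client
 * requirement, resource-owner authentication method, and certificate-bound token
 * confirmation via the {@code x5t#S256} token property.
 *
 * <p>Every rejection is signalled with a JAX-RS error (401 or 403) produced by
 * {@link ExceptionUtils} or {@link AuthorizationUtils}; the filter never returns a
 * partially validated context.
 */
@PreMatching
@Provider
@Priority(1000)
public class OAuthRequestFilter extends AbstractAccessTokenValidator implements ContainerRequestFilter {
    private static final Logger LOG = LogUtils.getL7dLogger(OAuthRequestFilter.class);

    /** Token property carrying the SHA-256 thumbprint of the client certificate the token is bound to. */
    private static final String CERT_THUMBPRINT_PROPERTY = "x5t#S256";
    /** Message property marking a CORS preflight that is answered locally (presumably set by the CORS filter). */
    private static final String LOCAL_PREFLIGHT_PROPERTY = "local_preflight";

    /** When true the security principal is derived from the token (resource owner) subject, else from the client subject. */
    private boolean useUserSubject;
    /** Audience value the token must carry; null disables the explicit audience check. */
    private String audience;
    /** Issuer value the token must carry; null disables the issuer check. */
    private String issuer;
    /** When matching audiences against the request URL, require equality instead of a prefix match. */
    private boolean completeAudienceMatch;
    /** Read the token from a form-encoded body instead of the Authorization header. */
    private boolean checkFormData;
    /** Require every permission of the token to match the request, not just at least one. */
    private boolean allPermissionsMatch;
    /** Reject tokens that were issued to public (non-confidential) clients. */
    private boolean blockPublicClients;
    /** Authentication method the resource owner must have used when authorizing the token; null disables the check. */
    private AuthenticationMethod am;
    /** Treat the request URL as an implicit audience when no explicit audience is configured. */
    private boolean audienceIsEndpointAddress = true;
    /** Scopes the token must match; empty means any scope is acceptable. Never null. */
    private List<String> requiredScopes = Collections.emptyList();

    /**
     * Validates the current request; {@code containerRequestContext} is not consulted because
     * the CXF message is obtained from the thread-bound exchange.
     *
     * @param containerRequestContext the JAX-RS request context (unused)
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        validateRequest(JAXRSUtils.getCurrentMessage());
    }

    /**
     * Runs the full token validation chain for {@code message} and, if every check passes,
     * stores a {@link SecurityContext} and an {@link OAuthContext} on it.
     *
     * <p>Declared {@code public} in this build (the upstream declaration is {@code protected});
     * the wider visibility is kept so existing callers keep compiling.
     *
     * @param message the current CXF in-message
     * @throws jakarta.ws.rs.WebApplicationException (401 or 403 subclasses) when the request
     *         carries no usable token or any check below fails
     */
    public void validateRequest(Message message) {
        // A locally answered CORS preflight carries no token and is not a resource request.
        if (isCorsRequest(message)) {
            return;
        }
        String[] authorizationParts = getAuthorizationParts(message);
        if (authorizationParts.length < 2) {
            throw ExceptionUtils.toForbiddenException(null, null);
        }
        AccessTokenValidation validation =
            getAccessTokenValidation(authorizationParts[0], authorizationParts[1], null);
        if (!validation.isInitialValidationSuccessful()) {
            AuthorizationUtils.throwAuthorizationFailure(this.supportedSchemes, this.realm);
        }

        String matchedAudience = validateAudiences(validation.getAudiences());
        if (this.issuer != null && !this.issuer.equals(validation.getTokenIssuer())) {
            AuthorizationUtils.throwAuthorizationFailure(this.supportedSchemes, this.realm);
        }

        HttpServletRequest request = getMessageContext().getHttpServletRequest();
        List<OAuthPermission> tokenScopes = validation.getTokenScopes();
        List<OAuthPermission> matchingPermissions = selectMatchingPermissions(request, message, tokenScopes);
        if (!hasSufficientPermissions(tokenScopes, matchingPermissions)) {
            LOG.warning("Client has no valid permissions");
            throw ExceptionUtils.toForbiddenException(null, null);
        }

        checkClientIpAddress(validation);

        if (this.blockPublicClients && !validation.isClientConfidential()) {
            LOG.warning("Only Confidential Clients are supported");
            throw ExceptionUtils.toForbiddenException(null, null);
        }
        if (this.am != null && !this.am.equals(validation.getTokenSubject().getAuthenticationMethod())) {
            LOG.warning("The token has been authorized by the resource owner using an unsupported authentication method");
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }

        checkCertificateBinding(validation);

        message.put(SecurityContext.class, createSecurityContext(request, validation));
        OAuthContext oauthContext = new OAuthContext(validation.getTokenSubject(),
                                                    validation.getClientSubject(),
                                                    matchingPermissions,
                                                    validation.getTokenGrantType());
        oauthContext.setClientId(validation.getClientId());
        oauthContext.setClientConfidential(validation.isClientConfidential());
        oauthContext.setTokenKey(validation.getTokenKey());
        oauthContext.setTokenAudience(matchedAudience);
        oauthContext.setTokenIssuer(validation.getTokenIssuer());
        oauthContext.setTokenRequestParts(authorizationParts);
        oauthContext.setTokenExtraProperties(validation.getExtraProps());
        message.setContent(OAuthContext.class, oauthContext);
    }

    /**
     * Returns the subset of {@code tokenScopes} whose URI, HTTP verb and scope name all
     * match the current request. All three checks are evaluated for every permission so each
     * emits its own diagnostic.
     */
    private List<OAuthPermission> selectMatchingPermissions(HttpServletRequest request,
                                                            Message message,
                                                            List<OAuthPermission> tokenScopes) {
        List<OAuthPermission> matching = new ArrayList<>(tokenScopes.size());
        for (OAuthPermission permission : tokenScopes) {
            boolean uriMatches = checkRequestURI(request, permission.getUris(), message);
            boolean verbMatches = checkHttpVerb(request, permission.getHttpVerbs());
            boolean scopeMatches = checkScopeProperty(permission.getPermission());
            if (uriMatches && verbMatches && scopeMatches) {
                matching.add(permission);
            }
        }
        return matching;
    }

    /**
     * Applies the permission policy: a scoped token must match at least once, optionally every
     * permission must match, and when required scopes are configured the number of matches must
     * equal the number of required scopes.
     */
    private boolean hasSufficientPermissions(List<OAuthPermission> tokenScopes,
                                             List<OAuthPermission> matching) {
        if (!tokenScopes.isEmpty() && matching.isEmpty()) {
            return false;
        }
        if (this.allPermissionsMatch && matching.size() != tokenScopes.size()) {
            return false;
        }
        return this.requiredScopes.isEmpty() || this.requiredScopes.size() == matching.size();
    }

    /**
     * Rejects the request when the token is bound to a client IP address and the request did
     * not arrive from that address. Tokens without a bound address are not checked.
     *
     * <p>Note that {@code getRemoteAddr()} is the address of the immediate peer; behind a
     * reverse proxy that is the proxy, so this binding only holds when the server sees the
     * real client address.
     */
    private void checkClientIpAddress(AccessTokenValidation validation) {
        String boundAddress = validation.getClientIpAddress();
        if (boundAddress == null) {
            return;
        }
        String remoteAddress = getMessageContext().getHttpServletRequest().getRemoteAddr();
        // Fail closed when the peer address is unknown; otherwise require an exact match.
        // (The comparison was previously inverted and rejected exactly the matching address.)
        if (remoteAddress == null || !boundAddress.equals(remoteAddress)) {
            LOG.warning("Client IP Address is invalid");
            throw ExceptionUtils.toForbiddenException(null, null);
        }
    }

    /**
     * Enforces certificate-bound token confirmation: when the token carries an
     * {@code x5t#S256} thumbprint, the TLS client certificate of this connection must exist
     * and match it. Tokens without the property are not checked.
     */
    private void checkCertificateBinding(AccessTokenValidation validation) {
        String expectedThumbprint = validation.getExtraProps().get(CERT_THUMBPRINT_PROPERTY);
        if (expectedThumbprint == null) {
            return;
        }
        TLSSessionInfo tlsSessionInfo = getTlsSessionInfo();
        X509Certificate clientCertificate =
            tlsSessionInfo == null ? null : OAuthUtils.getRootTLSCertificate(tlsSessionInfo);
        // No TLS session, no client certificate, or a different certificate: the bound token is refused.
        if (clientCertificate == null
            || !OAuthUtils.compareCertificateThumbprints(clientCertificate, expectedThumbprint)) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }

    /**
     * Checks the request method against a permission's allowed verbs.
     *
     * @param request        the servlet request
     * @param permittedVerbs allowed HTTP methods; empty means any method
     * @return true when the method is allowed
     */
    protected boolean checkHttpVerb(HttpServletRequest request, List<String> permittedVerbs) {
        if (permittedVerbs.isEmpty() || permittedVerbs.contains(request.getMethod())) {
            return true;
        }
        LOG.fine("Invalid http verb");
        return false;
    }

    /**
     * Checks the request path against a permission's allowed URI patterns.
     *
     * @param request       the servlet request
     * @param permittedUris allowed URI patterns (interpreted by {@link OAuthUtils#checkRequestURI});
     *                      empty means any path
     * @param message       the CXF message, consulted for the path when the servlet path info is null
     * @return true when at least one pattern matches
     */
    protected boolean checkRequestURI(HttpServletRequest request, List<String> permittedUris, Message message) {
        if (permittedUris.isEmpty()) {
            return true;
        }
        String pathInfo = request.getPathInfo();
        if (pathInfo == null) {
            pathInfo = (String) message.get(Message.PATH_INFO);
        }
        for (String permittedUri : permittedUris) {
            if (OAuthUtils.checkRequestURI(pathInfo, permittedUri)) {
                return true;
            }
        }
        LOG.fine("Invalid request URI: " + request.getRequestURL().toString());
        return false;
    }

    /**
     * Checks a permission's scope name against the configured required scopes.
     *
     * @param scope the permission (scope) name
     * @return true when no scopes are required or {@code scope} is one of them
     */
    protected boolean checkScopeProperty(String scope) {
        if (this.requiredScopes.isEmpty()) {
            return true;
        }
        return this.requiredScopes.contains(scope);
    }

    /** Selects the token (resource owner) subject rather than the client subject as the security principal. */
    public void setUseUserSubject(boolean useUserSubject) {
        this.useUserSubject = useUserSubject;
    }

    /**
     * Builds the security context exposed to the resource: the principal login and roles come
     * from either the token subject or the client subject, depending on {@link #setUseUserSubject}.
     * A missing subject yields a null principal and no roles.
     *
     * @param request    the servlet request (unused, kept for subclasses)
     * @param validation the validated token
     * @return the security context for this request
     */
    protected SecurityContext createSecurityContext(HttpServletRequest request, AccessTokenValidation validation) {
        final UserSubject subject =
            this.useUserSubject ? validation.getTokenSubject() : validation.getClientSubject();
        return new SecurityContext() {
            @Override
            public Principal getUserPrincipal() {
                return subject == null ? null : new SimplePrincipal(subject.getLogin());
            }

            @Override
            public boolean isUserInRole(String role) {
                return subject != null && subject.getRoles().contains(role);
            }
        };
    }

    /**
     * Returns true for a CORS preflight that is answered locally and therefore needs no token.
     * The flag is a message property, not a request header.
     */
    protected boolean isCorsRequest(Message message) {
        return PropertyUtils.isTrue(message.get(LOCAL_PREFLIGHT_PROPERTY));
    }

    /**
     * Validates the token's audiences against the configuration.
     *
     * <p>With an explicit {@link #setAudience audience} the token must list it. Otherwise, when
     * {@link #setAudienceIsEndpointAddress} is enabled, one of the token audiences must equal (or,
     * unless {@link #setCompleteAudienceMatch} is set, be a prefix of) the request URL.
     *
     * @param audiences the audiences carried by the token; may be null or empty
     * @return the audience that was matched, or null when no audience check applies
     */
    protected String validateAudiences(List<String> audiences) {
        if (StringUtils.isEmpty(audiences) && this.audience == null) {
            return null;
        }
        if (this.audience != null) {
            if (audiences != null && audiences.contains(this.audience)) {
                return this.audience;
            }
            AuthorizationUtils.throwAuthorizationFailure(this.supportedSchemes, this.realm);
        }
        if (!this.audienceIsEndpointAddress) {
            return null;
        }
        String requestUrl = (String) PhaseInterceptorChain.getCurrentMessage().get(Message.REQUEST_URL);
        // An unknown request URL can match nothing and falls through to the failure below.
        if (requestUrl != null) {
            for (String candidate : audiences) {
                boolean matches = this.completeAudienceMatch
                    ? requestUrl.equals(candidate)
                    : requestUrl.startsWith(candidate);
                if (matches) {
                    return candidate;
                }
            }
        }
        AuthorizationUtils.throwAuthorizationFailure(this.supportedSchemes, this.realm);
        return null;
    }

    /** Reads the token from a form-encoded request body instead of the Authorization header. */
    public void setCheckFormData(boolean checkFormData) {
        this.checkFormData = checkFormData;
    }

    /**
     * Returns the scheme and token of the request, from the Authorization header or, when
     * {@link #setCheckFormData} is enabled, from the form body (reported as a Bearer token).
     *
     * <p>Declared {@code public} in this build (the upstream declaration is {@code protected}).
     *
     * @param message the current CXF in-message
     * @return a two-element array of scheme and token
     */
    public String[] getAuthorizationParts(Message message) {
        if (this.checkFormData) {
            return new String[] {"Bearer", getTokenFromFormData(message)};
        }
        return AuthorizationUtils.getAuthorizationParts(getMessageContext(), this.supportedSchemes);
    }

    /**
     * Extracts the access token from a form-encoded POST or PUT body (the form-parameter method
     * of RFC 6750). The consumed body is restored so the resource method can still read it.
     *
     * @param message the current CXF in-message
     * @return the token; an authorization failure is raised when no token can be read
     */
    protected String getTokenFromFormData(Message message) {
        String method = (String) message.get(Message.HTTP_REQUEST_METHOD);
        String contentType = (String) message.get("Content-Type");
        // The request's media type is compared against the constant, not the other way round,
        // so a "; charset=..." parameter does not defeat the check and a truncated prefix does not pass it.
        boolean formRequest = contentType != null
            && contentType.startsWith(MediaType.APPLICATION_FORM_URLENCODED)
            && method != null
            && (method.equals(HttpMethod.POST) || method.equals(HttpMethod.PUT));
        if (formRequest) {
            try {
                FormEncodingProvider formEncodingProvider = new FormEncodingProvider(true);
                Form form = FormUtils.readForm(formEncodingProvider, message);
                String token = form.asMap().getFirst(OAuthConstants.ACCESS_TOKEN);
                if (token != null) {
                    FormUtils.restoreForm(formEncodingProvider, form, message);
                    return token;
                }
            } catch (Exception ex) {
                // Best effort: an unreadable body means "no token" and is rejected below.
                LOG.fine("Failed to read the access token from the form body: " + ex.getMessage());
            }
        }
        AuthorizationUtils.throwAuthorizationFailure(this.supportedSchemes, this.realm);
        return null;
    }

    /**
     * Sets the scopes a token must match. A null value is treated as "no required scopes",
     * the same as the default.
     */
    public void setRequiredScopes(List<String> requiredScopes) {
        this.requiredScopes = requiredScopes == null ? Collections.<String>emptyList() : requiredScopes;
    }

    /** Requires every permission of the token, not only one, to match the request. */
    public void setAllPermissionsMatch(boolean allPermissionsMatch) {
        this.allPermissionsMatch = allPermissionsMatch;
    }

    /** Rejects tokens issued to public (non-confidential) clients. */
    public void setBlockPublicClients(boolean blockPublicClients) {
        this.blockPublicClients = blockPublicClients;
    }

    /** Requires the resource owner to have authorized the token with the given method. */
    public void setTokenSubjectAuthenticationMethod(AuthenticationMethod authenticationMethod) {
        this.am = authenticationMethod;
    }

    public String getAudience() {
        return this.audience;
    }

    /** Sets the audience the token must carry; null disables the explicit audience check. */
    public void setAudience(String audience) {
        this.audience = audience;
    }

    public boolean isCompleteAudienceMatch() {
        return this.completeAudienceMatch;
    }

    /** Requires an exact match (instead of a prefix match) between a token audience and the request URL. */
    public void setCompleteAudienceMatch(boolean completeAudienceMatch) {
        this.completeAudienceMatch = completeAudienceMatch;
    }

    /** Controls whether the request URL serves as the implicit audience when none is configured. */
    public void setAudienceIsEndpointAddress(boolean audienceIsEndpointAddress) {
        this.audienceIsEndpointAddress = audienceIsEndpointAddress;
    }

    /** Sets the issuer the token must carry; null disables the issuer check. */
    public void setIssuer(String issuer) {
        this.issuer = issuer;
    }

    /** Returns the TLS session of the current request, or null when the request did not arrive over TLS. */
    private TLSSessionInfo getTlsSessionInfo() {
        return (TLSSessionInfo) getMessageContext().get(TLSSessionInfo.class.getName());
    }
}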
