package io.gravitee.am.gateway.handler.common.vertx.web.auth.handler.impl;

import io.gravitee.am.common.exception.oauth2.InsufficientScopeException;
import io.gravitee.am.common.exception.oauth2.InvalidRequestException;
import io.gravitee.am.common.exception.oauth2.InvalidTokenException;
import io.gravitee.am.common.exception.oauth2.OAuth2Exception;
import io.gravitee.am.common.jwt.JWT;
import io.gravitee.am.gateway.handler.common.vertx.web.auth.handler.OAuth2AuthHandler;
import io.gravitee.am.gateway.handler.common.vertx.web.auth.handler.OAuth2AuthResponse;
import io.gravitee.am.gateway.handler.common.vertx.web.auth.provider.OAuth2AuthProvider;
import io.gravitee.am.model.oidc.Client;
import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.http.HttpHeaders;
import io.vertx.ext.web.handler.HttpException;
import io.vertx.rxjava3.core.http.HttpServerRequest;
import io.vertx.rxjava3.ext.web.RoutingContext;

/* loaded from: input_file:io/gravitee/am/gateway/handler/common/vertx/web/auth/handler/impl/OAuth2AuthHandlerImpl.class */
public class OAuth2AuthHandlerImpl implements OAuth2AuthHandler {
    private static final String BEARER = "Bearer";
    private static final String realm = "gravitee-io";
    private static final String ACCESS_TOKEN = "access_token";
    private OAuth2AuthProvider oAuth2AuthProvider;
    private String requiredScope;
    private boolean extractRawToken;
    private boolean extractToken;
    private boolean extractClient;
    private boolean forceEndUserToken;
    private boolean forceClientToken;
    private boolean selfResource;
    private boolean offlineVerification;
    private String resourceParameter;
    private String resourceRequiredScope;

    public OAuth2AuthHandlerImpl(OAuth2AuthProvider oAuth2AuthProvider) {
        this.oAuth2AuthProvider = oAuth2AuthProvider;
    }

    public OAuth2AuthHandlerImpl(OAuth2AuthProvider oAuth2AuthProvider, String str) {
        this(oAuth2AuthProvider);
        this.requiredScope = str;
    }

    public void handle(RoutingContext routingContext) {
        parseAuthorization(routingContext, asyncResult -> {
            if (asyncResult.failed()) {
                processException(routingContext, asyncResult.cause());
                return;
            }
            String str = (String) asyncResult.result();
            if (this.extractRawToken) {
                routingContext.put("raw_token", str);
            }
            this.oAuth2AuthProvider.decodeToken(str, this.offlineVerification, asyncResult -> {
                String param;
                if (asyncResult.failed()) {
                    processException(routingContext, asyncResult.cause());
                    return;
                }
                OAuth2AuthResponse oAuth2AuthResponse = (OAuth2AuthResponse) asyncResult.result();
                JWT token = oAuth2AuthResponse.getToken();
                Client client = oAuth2AuthResponse.getClient();
                if (this.extractToken) {
                    routingContext.put("token", token);
                }
                if (this.extractClient) {
                    routingContext.put("client", client);
                }
                if (this.selfResource && (param = routingContext.request().getParam(this.resourceParameter)) != null && param.equals(token.getSub()) && (this.resourceRequiredScope == null || token.hasScope(this.resourceRequiredScope))) {
                    routingContext.next();
                    return;
                }
                if (this.forceEndUserToken && token.getSub().equals(token.getAud())) {
                    processException(routingContext, new InvalidTokenException("The access token was not issued for an End-User"));
                    return;
                }
                if (this.forceClientToken && !token.getSub().equals(token.getAud())) {
                    processException(routingContext, new InvalidTokenException("The access token was not issued for a Client"));
                } else if (this.requiredScope == null || token.hasScope(this.requiredScope)) {
                    routingContext.next();
                } else {
                    processException(routingContext, new InsufficientScopeException("Invalid access token scopes. The access token should have at least '" + this.requiredScope + "' scope"));
                }
            });
        });
    }

    @Override // io.gravitee.am.gateway.handler.common.vertx.web.auth.handler.OAuth2AuthHandler
    public void extractRawToken(boolean z) {
        this.extractRawToken = z;
    }

    @Override // io.gravitee.am.gateway.handler.common.vertx.web.auth.handler.OAuth2AuthHandler
    public void extractToken(boolean z) {
        this.extractToken = z;
    }

    @Override // io.gravitee.am.gateway.handler.common.vertx.web.auth.handler.OAuth2AuthHandler
    public void extractClient(boolean z) {
        this.extractClient = z;
    }

    @Override // io.gravitee.am.gateway.handler.common.vertx.web.auth.handler.OAuth2AuthHandler
    public void forceEndUserToken(boolean z) {
        this.forceEndUserToken = z;
    }

    @Override // io.gravitee.am.gateway.handler.common.vertx.web.auth.handler.OAuth2AuthHandler
    public void forceClientToken(boolean z) {
        this.forceClientToken = z;
    }

    @Override // io.gravitee.am.gateway.handler.common.vertx.web.auth.handler.OAuth2AuthHandler
    public void selfResource(boolean z, String str) {
        this.selfResource = z;
        this.resourceParameter = str;
    }

    @Override // io.gravitee.am.gateway.handler.common.vertx.web.auth.handler.OAuth2AuthHandler
    public void selfResource(boolean z, String str, String str2) {
        selfResource(z, str);
        this.resourceRequiredScope = str2;
    }

    @Override // io.gravitee.am.gateway.handler.common.vertx.web.auth.handler.OAuth2AuthHandler
    public void offlineVerification(boolean z) {
        this.offlineVerification = z;
    }

    private void parseAuthorization(RoutingContext routingContext, Handler<AsyncResult<String>> handler) {
        String param;
        HttpServerRequest request = routingContext.request();
        String str = request.headers().get(HttpHeaders.AUTHORIZATION);
        try {
            if (str != null) {
                int indexOf = str.indexOf(32);
                if (indexOf <= 0) {
                    handler.handle(Future.failedFuture(new InvalidRequestException("The access token must be sent using the Authorization header field")));
                    return;
                } else {
                    if (!BEARER.equalsIgnoreCase(str.substring(0, indexOf))) {
                        handler.handle(Future.failedFuture(new HttpException(401)));
                        return;
                    }
                    param = str.substring(indexOf + 1);
                }
            } else {
                param = request.getParam(ACCESS_TOKEN);
            }
            if (param == null) {
                handler.handle(Future.failedFuture(new HttpException(401)));
            } else {
                handler.handle(Future.succeededFuture(param));
            }
        } catch (RuntimeException e) {
            handler.handle(Future.failedFuture(e));
        }
    }

    private void processException(RoutingContext routingContext, Throwable th) {
        int i = -1;
        if (th instanceof HttpException) {
            i = ((HttpException) th).getStatusCode();
        } else if (th instanceof OAuth2Exception) {
            i = ((OAuth2Exception) th).getHttpStatusCode();
        }
        if (i == 401) {
            routingContext.response().putHeader("WWW-Authenticate", authenticateHeader());
        }
        routingContext.fail(th);
    }

    private String authenticateHeader() {
        return "Bearer realm=\"gravitee-io\"";
    }
}
