package org.gluu.oxauthconfigapi.filters;

import io.quarkus.arc.AlternativePriority;
import java.io.Serializable;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.inject.Named;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
import org.gluu.config.oxtrust.AppConfiguration;
import org.gluu.oxauth.client.ClientInfoClient;
import org.gluu.oxauth.client.ClientInfoResponse;
import org.gluu.oxtrust.auth.uma.BaseUmaProtectionService;
import org.gluu.oxtrust.auth.uma.BindingUrls;
import org.gluu.oxtrust.service.OpenIdService;
import org.slf4j.Logger;

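/**
 * Protection service for the endpoints bound under {@code /api/v1}.
 *
 * <p>UMA client settings (client id, key store, resource id, scopes) are read from the injected
 * {@link AppConfiguration}. {@link #processAuthorization(HttpHeaders, ResourceInfo)} picks one of
 * three modes: test mode (bearer token checked against the client-info endpoint), UMA enabled, or
 * unprotected (request rejected).
 *
 * <p>Bearer tokens are credentials: this class never writes them to logs or echoes them in
 * response bodies.
 */
@AlternativePriority(1)
@BindingUrls({"/api/v1"})
@Named("apiUmaProtectionService")
@ApplicationScoped
/* loaded from: input_file:org/gluu/oxauthconfigapi/filters/ApiUmaProtectionService.class */
public class ApiUmaProtectionService extends BaseUmaProtectionService implements Serializable {
    private static final long serialVersionUID = -6553095758559902245L;

    @Inject
    private Logger logger;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private OpenIdService openIdService;

    /** Returns the UMA client id configured for the API. */
    protected String getClientId() {
        return this.appConfiguration.getApiUmaClientId();
    }

    /**
     * Returns the configured key store password for the UMA client.
     *
     * <p>The value is a secret; callers must not log it.
     */
    protected String getClientKeyStorePassword() {
        return this.appConfiguration.getApiUmaClientKeyStorePassword();
    }

    /** Returns the configured key store file for the UMA client. */
    protected String getClientKeyStoreFile() {
        return this.appConfiguration.getApiUmaClientKeyStoreFile();
    }

    /** Returns the configured key id for the UMA client. */
    protected String getClientKeyId() {
        return this.appConfiguration.getApiUmaClientKeyId();
    }

    /** Returns the configured UMA resource id for the API. */
    public String getUmaResourceId() {
        return this.appConfiguration.getApiUmaResourceId();
    }

    /**
     * Returns all configured UMA scopes joined by a single space.
     *
     * <p>Earlier behaviour read exactly the first two entries, which failed with an index error
     * when fewer than two scopes were configured and silently dropped any further ones. For a
     * two-scope configuration the result is unchanged.
     *
     * @return the space-separated scope string
     * @throws IllegalStateException if no scopes are configured
     */
    public String getUmaScope() {
        // assumes getApiUmaScopes() returns String[] (the elements were appended as text before)
        String[] scopes = this.appConfiguration.getApiUmaScopes();
        if (scopes == null || scopes.length == 0) {
            // Fail loudly: an empty scope string would hide a misconfigured protection service.
            throw new IllegalStateException("No API UMA scopes are configured");
        }
        return String.join(" ", scopes);
    }

    /** Returns whether UMA authentication is enabled, as reported by the base class. */
    public boolean isEnabled() {
        return isEnabledUmaAuthentication();
    }

    /**
     * Decides whether the request must be rejected.
     *
     * <p>Test mode is checked first and takes precedence over UMA. When neither test mode nor UMA
     * is active the request is rejected with 401.
     *
     * @param httpHeaders request headers; the {@code Authorization} header is read from them
     * @param resourceInfo the matched resource (not used by the visible code)
     * @return an error response, or {@code null} when this method raises no objection
     */
    public Response processAuthorization(HttpHeaders httpHeaders, ResourceInfo resourceInfo) {
        Response response = null;
        String headerString = httpHeaders.getHeaderString("Authorization");
        // Only the presence of the header is logged, never its value.
        this.logger.info("Authorization header {} found", StringUtils.isEmpty(headerString) ? "not" : "");
        try {
            if (this.appConfiguration.isOxTrustApiTestMode()) {
                this.logger.info("================OXAUTH-CONFIG-API Test Mode is ACTIVE");
                response = processTestModeAuthorization(headerString);
            } else if (isEnabled()) {
                // NOTE(review): this branch only logs and leaves the response null; no RPT or
                // permission check is visible here. Confirm that enforcement happens in the
                // caller or the base class, otherwise every request passes in UMA mode.
                this.logger.info("================OXAUTH-CONFIG-API is protected by UMA");
            } else {
                this.logger.info("Please activate UMA or test mode to protect your API endpoints. Read the Gluu API docs to learn more");
                response = getErrorResponse(Response.Status.UNAUTHORIZED, "API not protected");
            }
        } catch (Exception e) {
            // Full detail stays in the server log; the client gets a generic message so that
            // exception text (endpoints, internal state) is not disclosed.
            this.logger.error(e.getMessage(), e);
            response = getErrorResponse(Response.Status.INTERNAL_SERVER_ERROR, "Failed to process authorization");
        }
        return response;
    }

    /**
     * Validates the bearer token from the {@code Authorization} header against the client-info
     * endpoint published in the OpenID configuration.
     *
     * @param str raw {@code Authorization} header value, may be empty or {@code null}
     * @return a 401 response when the header is missing or the token is rejected, otherwise
     *     {@code null}
     * @throws Exception if the client-info call fails
     */
    private Response processTestModeAuthorization(String str) throws Exception {
        Response response = null;
        if (StringUtils.isNotEmpty(str)) {
            String replaceFirst = str.replaceFirst("Bearer\\s+", "");
            // The token value is deliberately kept out of the log.
            this.logger.debug("Validating access token against the client info endpoint");
            ClientInfoResponse execClientInfo = new ClientInfoClient(this.openIdService.getOpenIdConfiguration().getClientInfoEndpoint()).execClientInfo(replaceFirst);
            if (execClientInfo.getStatus() != Response.Status.OK.getStatusCode() || execClientInfo.getErrorType() != null) {
                // Do not echo the submitted credential back in the response body.
                response = getErrorResponse(Response.Status.UNAUTHORIZED, "Invalid token");
                this.logger.debug("Error validating access token: {}", execClientInfo.getErrorDescription());
            }
        } else {
            this.logger.info("Request is missing authorization header");
            // A missing credential is a client error (401), not a server fault (500).
            response = getErrorResponse(Response.Status.UNAUTHORIZED, "No authorization header found");
        }
        return response;
    }
}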
