package org.gluu.oxtrust.service.uma;

import java.io.Serializable;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.inject.Named;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
import org.gluu.config.oxtrust.AppConfiguration;
import org.gluu.oxauth.client.ClientInfoClient;
import org.gluu.oxauth.client.ClientInfoResponse;
import org.gluu.oxtrust.ldap.service.ConfigurationService;
import org.gluu.oxtrust.ldap.service.JsonConfigurationService;
import org.gluu.oxtrust.service.OpenIdService;
import org.slf4j.Logger;

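/**
 * Authorization gate for requests bound to the {@code /scim} URLs.
 *
 * <p>Each request is handled in one of three ways, checked in this order:
 * <ol>
 *   <li><b>Test mode</b>: the bearer token is checked only against the OpenID client info
 *       endpoint. No UMA scope or resource check is made on this path, and the test-mode flag
 *       takes precedence over UMA even when UMA is enabled.</li>
 *   <li><b>UMA</b>: delegated to {@code processUmaAuthorization}, which is not defined in this
 *       class (presumably inherited from {@link BaseUmaProtectionService}).</li>
 *   <li><b>Neither active</b>: the request is rejected with 401, so an unconfigured deployment
 *       fails closed.</li>
 * </ol>
 *
 * <p>Bearer tokens and the key store password are credentials. They must not be written to logs
 * or echoed in response bodies.
 */
@ApplicationScoped
@BindingUrls({"/scim"})
@Named("scimUmaProtectionService")
public class ScimUmaProtectionService extends BaseUmaProtectionService implements Serializable {
    private static final long serialVersionUID = -5447131971095468865L;

    @Inject
    private Logger log;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private ConfigurationService configurationService;

    @Inject
    private JsonConfigurationService jsonConfigurationService;

    @Inject
    private OpenIdService openIdService;

    /** Returns the SCIM UMA client id from the application configuration. */
    @Override
    protected String getClientId() {
        return appConfiguration.getScimUmaClientId();
    }

    /**
     * Returns the password of the SCIM UMA client key store from the application configuration.
     * The value is a secret: callers must not log it or include it in responses.
     */
    @Override
    protected String getClientKeyStorePassword() {
        return appConfiguration.getScimUmaClientKeyStorePassword();
    }

    /** Returns the configured location of the SCIM UMA client key store. */
    @Override
    protected String getClientKeyStoreFile() {
        return appConfiguration.getScimUmaClientKeyStoreFile();
    }

    /** Returns the configured key id of the SCIM UMA client. */
    @Override
    protected String getClientKeyId() {
        return appConfiguration.getScimUmaClientKeyId();
    }

    /** Returns the configured id of the UMA resource that represents the SCIM API. */
    @Override
    public String getUmaResourceId() {
        return appConfiguration.getScimUmaResourceId();
    }

    /** Returns the configured UMA scope for SCIM access. */
    @Override
    public String getUmaScope() {
        return appConfiguration.getScimUmaScope();
    }

    /**
     * Reports whether UMA protection applies to SCIM.
     *
     * @return {@code true} only when SCIM is enabled and UMA authentication is enabled
     */
    @Override
    public boolean isEnabled() {
        return isScimEnabled() && isEnabledUmaAuthentication();
    }

    /** Reads the SCIM on/off switch from the persisted configuration entry. */
    private boolean isScimEnabled() {
        return configurationService.getConfiguration().isScimEnabled();
    }

    /**
     * Decides whether an intercepted SCIM request may proceed.
     *
     * @param httpHeaders headers of the incoming request; only {@code Authorization} is read here
     * @param resourceInfo the matched resource, passed through to the UMA check
     * @return an error response when the request is rejected. The test-mode path yields
     *     {@code null} when the token is accepted; presumably the caller treats {@code null} as
     *     "proceed" (confirm against the invoking filter)
     */
    @Override
    public Response processAuthorization(HttpHeaders httpHeaders, ResourceInfo resourceInfo) {
        Response errorResponse;
        String authorization = httpHeaders.getHeaderString(HttpHeaders.AUTHORIZATION);
        log.info("==== SCIM Service call intercepted ====");
        // Only the presence of the header is logged, never its value.
        log.info("Authorization header {} found", StringUtils.isEmpty(authorization) ? "not" : "");
        try {
            if (jsonConfigurationService.getOxTrustappConfiguration().isScimTestMode()) {
                // Test mode wins over UMA: the UMA branch below is not evaluated when it is set.
                log.info("SCIM Test Mode is ACTIVE");
                errorResponse = processTestModeAuthorization(authorization);
            } else if (isEnabled()) {
                log.info("SCIM is protected by UMA");
                errorResponse = processUmaAuthorization(authorization, resourceInfo);
            } else {
                // Fail closed: with no protection mode configured, every request is refused.
                log.info("Please activate UMA or test mode to protect your SCIM endpoints. Read the Gluu SCIM docs to learn more");
                errorResponse = getErrorResponse(Response.Status.UNAUTHORIZED, "SCIM API not protected");
            }
        } catch (Exception e) {
            // Full detail stays in the server log. The response carries a generic message so that
            // exception text (endpoint URLs, internal class names) is not returned to the caller.
            log.error(e.getMessage(), e);
            errorResponse = getErrorResponse(Response.Status.INTERNAL_SERVER_ERROR, "Unexpected error while processing authorization");
        }
        return errorResponse;
    }

    /**
     * Test-mode check: asks the client info endpoint whether the presented token is valid.
     *
     * <p>This path verifies only that the endpoint accepts the token. It performs no scope or
     * resource check, so any token the authorization server recognises is let through.
     *
     * @param authorizationHeader raw {@code Authorization} header value, may be {@code null}
     * @return {@code null} when the token is accepted, otherwise a 401 response
     * @throws Exception if the client info endpoint cannot be resolved or called
     */
    private Response processTestModeAuthorization(String authorizationHeader) throws Exception {
        if (StringUtils.isEmpty(authorizationHeader)) {
            log.info("Request is missing authorization header");
            // Missing credentials are a client error. RFC 7644 section 3.12 lists 401 for an
            // invalid or missing authorization header; a 500 here would hide authentication
            // failures among server faults in monitoring.
            return getErrorResponse(Response.Status.UNAUTHORIZED, "No authorization header found");
        }

        // A value without the "Bearer" prefix is passed to the endpoint unchanged.
        String token = authorizationHeader.replaceFirst("Bearer\\s+", "");
        // The token is a credential, so it is kept out of the log.
        log.debug("Validating access token against the client info endpoint");
        String clientInfoEndpoint = openIdService.getOpenIdConfiguration().getClientInfoEndpoint();
        ClientInfoResponse clientInfo = new ClientInfoClient(clientInfoEndpoint).execClientInfo(token);

        boolean accepted = clientInfo.getStatus() == Response.Status.OK.getStatusCode()
                && clientInfo.getErrorType() == null;
        if (accepted) {
            return null;
        }

        log.debug("Error validating access token: {}", clientInfo.getErrorDescription());
        // The submitted token is not echoed back: it is caller-controlled input and a credential.
        return getErrorResponse(Response.Status.UNAUTHORIZED, "Invalid token");
    }
}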
