package org.gluu.oxtrust.auth.uma;

import java.io.Serializable;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;
import javax.enterprise.inject.Produces;
import javax.inject.Inject;
import javax.inject.Named;
import javax.ws.rs.core.Response;
import org.apache.http.HeaderElement;
import org.apache.http.HttpResponse;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.ConnectionKeepAliveStrategy;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.message.BasicHeaderElementIterator;
import org.apache.http.protocol.HttpContext;
import org.gluu.config.oxtrust.AppConfiguration;
import org.gluu.exception.OxIntializationException;
import org.gluu.oxauth.client.uma.UmaClientFactory;
import org.gluu.oxauth.client.uma.UmaRptIntrospectionService;
import org.gluu.oxauth.model.uma.PermissionTicket;
import org.gluu.oxauth.model.uma.RptIntrospectionResponse;
import org.gluu.oxauth.model.uma.UmaMetadata;
import org.gluu.oxauth.model.uma.UmaPermission;
import org.gluu.oxauth.model.uma.UmaPermissionList;
import org.gluu.oxauth.model.uma.wrapper.Token;
import org.gluu.service.cdi.event.ApplicationInitialized;
import org.gluu.service.cdi.event.ApplicationInitializedEvent;
import org.gluu.util.Pair;
import org.gluu.util.StringHelper;
import org.jboss.resteasy.client.jaxrs.ClientHttpEngine;
import org.jboss.resteasy.client.jaxrs.engines.factory.ApacheHttpClient4EngineFactory;
import org.slf4j.Logger;

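/**
 * Validates UMA 2.0 RPTs presented in an {@code Authorization: Bearer ...} header and,
 * when the RPT is missing, inactive or lacks the required scopes, registers a permission
 * with the oxAuth authorization server so the caller can answer with a
 * {@code 401 WWW-Authenticate: UMA ... ticket=...} challenge.
 *
 * <p>Results are reported as a {@link Pair} whose meaning callers must read carefully:
 * <ul>
 *   <li>{@code (true, null)}: the RPT is active and grants every requested scope.</li>
 *   <li>{@code (true, response)}: the RPT was NOT accepted; {@code response} is the 401
 *       challenge carrying a fresh permission ticket and must be returned to the client.</li>
 *   <li>{@code (false, null)}: the RPT was not accepted and no ticket could be obtained.</li>
 * </ul>
 * The left value alone therefore never means "authorized"; the right value must be checked too.
 *
 * <p>Bearer tokens are never written to the log by this class.
 */
@ApplicationScoped
@Named("umaPermissionService")
public class UmaPermissionService implements Serializable {
    private static final long serialVersionUID = -3347131971095468866L;

    /** Scheme prefix expected in the Authorization header; its length drives the token extraction. */
    private static final String BEARER_PREFIX = "Bearer ";

    /** Well-known path appended to the UMA issuer to locate the UMA 2.0 discovery document. */
    private static final String UMA2_CONFIGURATION_PATH = "/.well-known/uma2-configuration";

    /** Seconds-to-milliseconds factor used for every timeout taken from configuration or headers. */
    private static final long MILLIS_PER_SECOND = 1000L;

    @Inject
    private Logger log;

    @Inject
    private UmaMetadata umaMetadata;

    @Inject
    protected AppConfiguration appConfiguration;

    private org.gluu.oxauth.client.uma.UmaPermissionService permissionService;
    private UmaRptIntrospectionService rptStatusService;
    private ClientHttpEngine clientHttpEngine;

    // Shared immutable results; see the class Javadoc for what each pair means.
    private final Pair<Boolean, Response> authenticationFailure = new Pair<>(false, null);
    private final Pair<Boolean, Response> authenticationSuccess = new Pair<>(true, null);

    /**
     * Keep-alive policy for the pooled HTTP client: honours the server's
     * {@code Keep-Alive: timeout=N} header (seconds) and otherwise falls back to the
     * configured default. A malformed timeout value is ignored rather than propagated,
     * so one misbehaving server response cannot fail every request routed through the pool.
     */
    private final ConnectionKeepAliveStrategy connectionKeepAliveStrategy = new ConnectionKeepAliveStrategy() {
        @Override
        public long getKeepAliveDuration(HttpResponse httpResponse, HttpContext httpContext) {
            BasicHeaderElementIterator elements = new BasicHeaderElementIterator(httpResponse.headerIterator("Keep-Alive"));
            while (elements.hasNext()) {
                HeaderElement element = elements.nextElement();
                String value = element.getValue();
                if (value != null && "timeout".equalsIgnoreCase(element.getName())) {
                    try {
                        return Long.parseLong(value.trim()) * MILLIS_PER_SECOND;
                    } catch (NumberFormatException e) {
                        // Not a number: fall through to the configured default instead of failing the request.
                        log.debug("Ignoring malformed Keep-Alive timeout value '{}'", value);
                        break;
                    }
                }
            }
            return appConfiguration.getRptConnectionPoolCustomKeepAliveTimeout() * MILLIS_PER_SECOND;
        }
    };

    /**
     * Creates the UMA permission and RPT introspection clients once the application has started.
     * With connection pooling enabled a custom Apache HttpClient engine is built from the
     * {@code rptConnectionPool*} settings; otherwise the factory defaults are used.
     * Nothing is created when no UMA metadata is available. Any failure is logged and
     * swallowed so application startup is not aborted; the services are then created lazily
     * by {@link #registerResourcePermission(Token, String, List)}.
     *
     * @param applicationInitializedEvent CDI startup event; unused and may be {@code null}
     */
    public void init(@Observes @ApplicationInitialized(ApplicationScoped.class) ApplicationInitializedEvent applicationInitializedEvent) {
        try {
            if (this.umaMetadata == null) {
                return;
            }
            UmaClientFactory factory = UmaClientFactory.instance();
            if (this.appConfiguration.isRptConnectionPoolUseConnectionPooling()) {
                this.log.debug("##### Initializing custom ClientExecutor...");
                this.clientHttpEngine = ApacheHttpClient4EngineFactory.create(buildPooledHttpClient());
                this.log.info("##### Initializing custom ClientExecutor DONE");
                this.permissionService = factory.createPermissionService(this.umaMetadata, this.clientHttpEngine);
                this.rptStatusService = factory.createRptStatusService(this.umaMetadata, this.clientHttpEngine);
            } else {
                this.permissionService = factory.createPermissionService(this.umaMetadata);
                this.rptStatusService = factory.createRptStatusService(this.umaMetadata);
            }
        } catch (Exception e) {
            this.log.error("Failed to initialize UmaPermissionService", e);
        }
    }

    /** Builds the pooled Apache HttpClient configured from the {@code rptConnectionPool*} settings. */
    private org.apache.http.impl.client.CloseableHttpClient buildPooledHttpClient() {
        PoolingHttpClientConnectionManager connectionManager = new PoolingHttpClientConnectionManager();
        connectionManager.setMaxTotal(this.appConfiguration.getRptConnectionPoolMaxTotal());
        connectionManager.setDefaultMaxPerRoute(this.appConfiguration.getRptConnectionPoolDefaultMaxPerRoute());
        // Configured in seconds; the connection manager expects milliseconds.
        connectionManager.setValidateAfterInactivity(this.appConfiguration.getRptConnectionPoolValidateAfterInactivity() * 1000);
        RequestConfig requestConfig = RequestConfig.custom().setCookieSpec("standard").build();
        return HttpClients.custom()
                .setDefaultRequestConfig(requestConfig)
                .setKeepAliveStrategy(this.connectionKeepAliveStrategy)
                .setConnectionManager(connectionManager)
                .build();
    }

    /**
     * CDI producer for the UMA discovery metadata fetched from the configured issuer.
     *
     * @return the metadata, or {@code null} when no UMA issuer is configured
     * @throws OxIntializationException when the issuer answered but no metadata could be read
     */
    @ApplicationScoped
    @Produces
    @Named("umaMetadataConfiguration")
    public UmaMetadata initUmaMetadataConfiguration() throws OxIntializationException {
        String endpoint = getUmaConfigurationEndpoint();
        if (StringHelper.isEmpty(endpoint)) {
            // NOTE(review): a null product from a non-@Dependent producer is rejected by CDI
            // (IllegalProductException) — confirm the container in use tolerates this path.
            return null;
        }
        this.log.info("##### Getting UMA metadata ...");
        UmaClientFactory factory = UmaClientFactory.instance();
        // The custom engine only exists when init() ran with pooling enabled before this producer.
        UmaMetadata metadata = (this.clientHttpEngine == null
                ? factory.createMetadataService(endpoint)
                : factory.createMetadataService(endpoint, this.clientHttpEngine)).getMetadata();
        this.log.info("##### Getting UMA metadata ... DONE");
        if (metadata == null) {
            throw new OxIntializationException("UMA meta data configuration is invalid!");
        }
        return metadata;
    }

    /**
     * Resolves the UMA 2.0 discovery URL from the configured issuer.
     *
     * @return the issuer itself when it already ends with {@code uma2-configuration}, the issuer
     *         with {@code /.well-known/uma2-configuration} appended otherwise, or {@code null}
     *         when no issuer is configured
     */
    public String getUmaConfigurationEndpoint() {
        String umaIssuer = this.appConfiguration.getUmaIssuer();
        if (StringHelper.isEmpty(umaIssuer)) {
            this.log.trace("oxAuth UMA issuer isn't specified");
            return null;
        }
        if (umaIssuer.endsWith("uma2-configuration")) {
            return umaIssuer;
        }
        return umaIssuer + UMA2_CONFIGURATION_PATH;
    }

    /**
     * Single-scope convenience overload of {@link #validateRptToken(Token, String, String, List)}.
     *
     * @param token         protection API token used to talk to the authorization server
     * @param authorization raw {@code Authorization} header value from the incoming request
     * @param resourceId    UMA resource the request targets
     * @param scopeId       the one scope the request requires
     * @return see {@link #validateRptToken(Token, String, String, List)}
     */
    public Pair<Boolean, Response> validateRptToken(Token token, String authorization, String resourceId, String scopeId) {
        return validateRptToken(token, authorization, resourceId, Arrays.asList(scopeId));
    }

    /**
     * Validates the RPT carried in {@code authorization} against the required scopes and,
     * if it is not acceptable, registers a permission to obtain a ticket for the 401 challenge.
     *
     * <p>An RPT is accepted only when introspection reports it active and the union of the
     * scopes of all its permissions contains every requested scope.
     *
     * @param token         protection API token used to talk to the authorization server
     * @param authorization raw {@code Authorization} header value; anything not starting with
     *                      {@code "Bearer "} is treated as "no RPT"
     * @param resourceId    UMA resource the request targets
     * @param scopeIds      scopes the request requires; must not be {@code null}
     * @return {@code (true, null)} when authorized; {@code (true, 401 response)} when a permission
     *         ticket was obtained and the caller must return that response; {@code (false, null)}
     *         when no ticket could be obtained
     */
    public Pair<Boolean, Response> validateRptToken(Token token, String authorization, String resourceId, List<String> scopeIds) {
        // The header value is a credential; only its presence is logged.
        this.log.trace("Validating RPT, resourceId: {}, scopeIds: {}, authorization header present: {}",
                resourceId, scopeIds, StringHelper.isNotEmpty(authorization));
        if (StringHelper.isNotEmpty(authorization) && authorization.startsWith(BEARER_PREFIX)) {
            String rpt = authorization.substring(BEARER_PREFIX.length());
            RptIntrospectionResponse status = getStatusResponse(token, rpt);
            this.log.trace("RPT status response: {} ", status);
            if (status == null || !status.getActive()) {
                this.log.error("Status response for RPT is inactive or missing, resourceId: '{}'", resourceId);
            } else if (isRptHasPermissions(status)) {
                // NOTE(review): scopes are pooled across every permission in the RPT and the
                // permission's own resource id is not compared with resourceId — confirm this
                // is the intended policy rather than a per-resource check.
                Set<String> grantedScopes = new HashSet<>();
                for (UmaPermission permission : status.getPermissions()) {
                    if (permission.getScopes() != null) {
                        grantedScopes.addAll(permission.getScopes());
                    }
                }
                if (grantedScopes.containsAll(scopeIds)) {
                    return this.authenticationSuccess;
                }
                this.log.error("RPT does not grant the required scopes {} for resourceId: '{}'", scopeIds, resourceId);
            }
        }
        Response ticketResponse = prepareRegisterPermissionsResponse(token, resourceId, scopeIds);
        return ticketResponse == null ? this.authenticationFailure : new Pair<>(true, ticketResponse);
    }

    /** @return whether the introspection response lists at least one permission */
    private boolean isRptHasPermissions(RptIntrospectionResponse status) {
        List<UmaPermission> permissions = status.getPermissions();
        return permissions != null && !permissions.isEmpty();
    }

    /**
     * Introspects an RPT at the authorization server.
     *
     * @param token protection API token presented as the bearer credential for the introspection call
     * @param rpt   the RPT to introspect (never logged)
     * @return the introspection response when the RPT is active, {@code null} when it is inactive
     *         or the introspection call failed (the failure is logged)
     */
    private RptIntrospectionResponse getStatusResponse(Token token, String rpt) {
        RptIntrospectionResponse status = null;
        try {
            status = this.rptStatusService.requestRptStatus(BEARER_PREFIX + token.getAccessToken(), rpt, "");
        } catch (Exception e) {
            // Logged once with the stack trace; no printStackTrace() duplicate on stderr.
            this.log.error("Failed to determine RPT status", e);
        }
        if (status == null || !status.getActive()) {
            return null;
        }
        return status;
    }

    /**
     * Registers a permission for {@code resourceId} with the given scopes and returns the
     * resulting permission ticket. Initializes the UMA clients lazily if startup did not.
     *
     * @param token      protection API token used to authenticate the registration call
     * @param resourceId UMA resource the permission is for
     * @param scopeIds   scopes the permission should cover
     * @return the ticket string, or {@code null} when the server returned no ticket
     * @throws NullPointerException when the permission service could not be initialized
     *                              (for example because no UMA issuer is configured)
     */
    public String registerResourcePermission(Token token, String resourceId, List<String> scopeIds) {
        if (this.permissionService == null) {
            // The startup observer may not have run (or may have failed); retry on first use.
            init(null);
        }
        Objects.requireNonNull(this.permissionService,
                "UMA permission service is not initialized (is the UMA issuer configured?)");
        UmaPermission permission = new UmaPermission();
        permission.setResourceId(resourceId);
        permission.setScopes(scopeIds);
        PermissionTicket ticket = this.permissionService.registerPermission(
                BEARER_PREFIX + token.getAccessToken(), UmaPermissionList.instance(new UmaPermission[]{permission}));
        return ticket == null ? null : ticket.getTicket();
    }

    /**
     * Builds the {@code 401 Unauthorized} UMA challenge carrying a freshly registered ticket.
     *
     * @return the response, or {@code null} when no ticket was obtained or the configured IdP URL
     *         is malformed (logged)
     */
    private Response prepareRegisterPermissionsResponse(Token token, String resourceId, List<String> scopeIds) {
        String ticket = registerResourcePermission(token, resourceId, scopeIds);
        if (StringHelper.isEmpty(ticket)) {
            return null;
        }
        this.log.debug("Construct response: HTTP 401 (Unauthorized), ticket: '{}'", ticket);
        try {
            String challenge = String.format("UMA realm=\"Authorization required\", host_id=%s, as_uri=%s, ticket=%s",
                    getHost(this.appConfiguration.getIdpUrl()), getUmaConfigurationEndpoint(), ticket);
            return Response.status(Response.Status.UNAUTHORIZED).header("WWW-Authenticate", challenge).build();
        } catch (MalformedURLException e) {
            this.log.error("Failed to determine host by URI", e);
            return null;
        }
    }

    /**
     * @param url absolute URL to take the host from
     * @return the host component of {@code url}
     * @throws MalformedURLException when {@code url} is not a valid URL
     */
    private String getHost(String url) throws MalformedURLException {
        return new URL(url).getHost();
    }
}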
