package org.gluu.oxtrust.auth.uma;

import java.io.Serializable;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.locks.ReentrantLock;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.inject.Inject;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
import org.gluu.oxauth.client.uma.wrapper.UmaClient;
import org.gluu.oxauth.model.uma.UmaMetadata;
import org.gluu.oxauth.model.uma.wrapper.Token;
import org.gluu.oxtrust.auth.IProtectionService;
import org.gluu.oxtrust.exception.UmaProtectionException;
import org.gluu.oxtrust.service.EncryptionService;
import org.gluu.oxtrust.service.filter.ProtectedApi;
import org.gluu.util.Pair;
import org.gluu.util.StringHelper;
import org.gluu.util.security.StringEncrypter;
import org.slf4j.Logger;

/* loaded from: input_file:org/gluu/oxtrust/auth/uma/BaseUmaProtectionService.class */
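/**
 * Base class for UMA-protected REST endpoints.
 *
 * <p>What this class does:
 * <ul>
 *   <li>obtains and caches the Protection API Token (PAT), requested from the UMA
 *       token endpoint with the client keystore the subclass supplies;</li>
 *   <li>resolves the scopes a resource requires from {@link ProtectedApi}
 *       annotations on the resource class and on the resource method;</li>
 *   <li>delegates RPT validation to {@link UmaPermissionService} and maps the
 *       outcome to a JAX-RS {@link Response}.</li>
 * </ul>
 *
 * <p>Thread-safety: the cached PAT is refreshed under {@link #lock}. The two cache
 * fields are {@code volatile} so that the lock-free fast path in
 * {@link #getPatToken()} observes a fully published token and never a torn
 * {@code long} expiration value.
 */
public abstract class BaseUmaProtectionService implements IProtectionService, Serializable {
    private static final long serialVersionUID = -1147131971095468865L;

    /** Seconds subtracted from the server-reported lifetime when computing local PAT expiry. */
    private static final int PAT_EXPIRATION_SKEW_SECONDS = 10;

    @Inject
    private Logger log;

    @Inject
    private EncryptionService encryptionService;

    @Inject
    private UmaMetadata umaMetadata;

    @Inject
    protected UmaPermissionService umaPermissionService;

    // Cached PAT and its local expiration (epoch millis). Read without the lock in
    // getPatToken(), written only while holding it; volatile gives the happens-before
    // edge the unlocked read relies on (and atomic reads of the long on 32-bit JVMs).
    private volatile Token umaPat;
    private volatile long umaPatAccessTokenExpiration = 0;
    private final ReentrantLock lock = new ReentrantLock();

    /**
     * Returns the cached PAT, requesting a new one when none is cached or the
     * cached one has expired.
     *
     * <p>Double-checked: the first check avoids the lock on the hot path; the second
     * prevents concurrent callers from each requesting a token.
     *
     * @return the PAT, or {@code null} when no UMA metadata is configured
     * @throws UmaProtectionException if a token had to be requested and that failed
     */
    public Token getPatToken() throws UmaProtectionException {
        if (isValidPatToken(this.umaPat, this.umaPatAccessTokenExpiration)) {
            return this.umaPat;
        }
        this.lock.lock();
        try {
            if (isValidPatToken(this.umaPat, this.umaPatAccessTokenExpiration)) {
                return this.umaPat;
            }
            retrievePatToken();
            return this.umaPat;
        } finally {
            this.lock.unlock();
        }
    }

    /**
     * Whether UMA protection can be applied: metadata is configured and a PAT is
     * obtainable. Note that this may trigger a PAT request.
     */
    protected boolean isEnabledUmaAuthentication() {
        return this.umaMetadata != null && isExistPatToken();
    }

    /**
     * Whether a PAT is available; requests one if none is cached. Failures are
     * logged and reported as {@code false} rather than propagated.
     */
    public boolean isExistPatToken() {
        try {
            return getPatToken() != null;
        } catch (UmaProtectionException e) {
            this.log.error("Failed to check UMA PAT token status", e);
            return false;
        }
    }

    /** @return the issuer from the UMA metadata, or an empty string when no metadata is configured */
    public String getIssuer() {
        return this.umaMetadata == null ? "" : this.umaMetadata.getIssuer();
    }

    /**
     * Requests a fresh PAT from the UMA token endpoint and publishes it into the
     * cache fields.
     *
     * <p>Must be called with {@link #lock} held. The cache is cleared first, so a
     * failure leaves no stale token behind and the next caller retries.
     *
     * @throws UmaProtectionException if the keystore path or password is missing,
     *         the token request fails, or no access token came back
     */
    private void retrievePatToken() throws UmaProtectionException {
        clearPat();
        if (this.umaMetadata == null) {
            return;
        }
        String keyStoreFile = getClientKeyStoreFile();
        String keyStorePassword = getClientKeyStorePassword();
        if (StringHelper.isEmpty(keyStoreFile) || StringHelper.isEmpty(keyStorePassword)) {
            throw new UmaProtectionException("UMA JKS keystore path or password is empty");
        }
        try {
            keyStorePassword = this.encryptionService.decrypt(keyStorePassword);
        } catch (StringEncrypter.EncryptionException e) {
            // Deliberate best effort kept from the original: the configured value is
            // used as-is when it does not decrypt (presumably a plaintext password —
            // confirm against the configuration contract). The value itself is never logged.
            this.log.error("Failed to decrypt UmaClientKeyStorePassword password", e);
        }
        Token pat;
        try {
            pat = UmaClient.requestPat(this.umaMetadata.getTokenEndpoint(), keyStoreFile, keyStorePassword,
                    getClientId(), getClientKeyId());
        } catch (Exception e) {
            throw new UmaProtectionException("Failed to obtain valid UMA PAT token", e);
        }
        // Checked outside the try above so the exception is not caught and re-wrapped
        // by the same handler.
        if (pat == null || pat.getAccessToken() == null) {
            throw new UmaProtectionException("Failed to obtain valid UMA PAT token");
        }
        // Publish the expiration before the token: the unlocked fast path in
        // getPatToken() reads the token first, so a reader that sees the new token
        // is guaranteed to also see its expiration.
        this.umaPatAccessTokenExpiration = computeAccessTokenExpirationTime(pat.getExpiresIn());
        this.umaPat = pat;
    }

    /** Resets the PAT cache to "no token"; callers must hold {@link #lock}. */
    private void clearPat() {
        this.umaPat = null;
        this.umaPatAccessTokenExpiration = 0L;
    }

    /**
     * Computes the local expiration instant for a PAT.
     *
     * @param num the {@code expires_in} lifetime in seconds, or {@code null}
     * @return epoch millis at which the token is treated as expired; when
     *         {@code num} is {@code null} this is "now", i.e. the token is never
     *         considered valid by {@link #isValidPatToken(Token, long)}
     */
    protected long computeAccessTokenExpirationTime(Integer num) {
        Calendar calendar = Calendar.getInstance();
        if (num != null) {
            // Expire slightly early so a request in flight is not sent with a PAT
            // the server already considers expired.
            calendar.add(Calendar.SECOND, num.intValue() - PAT_EXPIRATION_SKEW_SECONDS);
        }
        return calendar.getTimeInMillis();
    }

    /**
     * A PAT is usable when it exists, carries an access token, and its local
     * expiration lies strictly in the future.
     */
    private boolean isValidPatToken(Token token, long expirationMillis) {
        return token != null
                && token.getAccessToken() != null
                && expirationMillis > System.currentTimeMillis();
    }

    /**
     * Validates the caller's RPT against the scopes the target resource requires.
     *
     * @param str          the raw {@code Authorization} header value (may be empty)
     * @param resourceInfo the matched JAX-RS resource, used to resolve required scopes
     * @return {@code null} when access is granted; a 401 response when the RPT is
     *         invalid; a 500 response when no PAT could be obtained; otherwise the
     *         response the permission service attached to a successful validation
     *         (its meaning is defined by {@link UmaPermissionService})
     * @throws Exception propagated from the permission service
     */
    Response processUmaAuthorization(String str, ResourceInfo resourceInfo) throws Exception {
        List<String> requestedScopes = getRequestedScopes(resourceInfo);
        try {
            Token patToken = getPatToken();
            // Annotation-declared scopes take precedence; the subclass-wide scope is
            // the fallback (different overload: a single String vs. a List).
            Pair<Boolean, Response> validation = requestedScopes.isEmpty()
                    ? this.umaPermissionService.validateRptToken(patToken, str, getUmaResourceId(), getUmaScope())
                    : this.umaPermissionService.validateRptToken(patToken, str, getUmaResourceId(), requestedScopes);
            // A null verdict is treated as "not valid" rather than unboxed into an NPE.
            if (!Boolean.TRUE.equals(validation.getFirst())) {
                return IProtectionService.simpleResponse(Response.Status.UNAUTHORIZED, "Invalid GAT/RPT token");
            }
            return validation.getSecond();
        } catch (UmaProtectionException e) {
            this.log.error("Failed to obtain PAT token for UMA authorization", e);
            return IProtectionService.simpleResponse(Response.Status.INTERNAL_SERVER_ERROR, "Failed to obtain PAT token");
        }
    }

    /**
     * Collects the scopes declared by {@link ProtectedApi} on the resource class
     * (if any) followed by those declared on the resource method (if any).
     *
     * @return a mutable list, empty when neither level is annotated
     */
    public List<String> getRequestedScopes(ResourceInfo resourceInfo) {
        List<String> scopes = new ArrayList<>();
        ProtectedApi classLevel = resourceInfo.getResourceClass().getAnnotation(ProtectedApi.class);
        if (classLevel != null) {
            Collections.addAll(scopes, classLevel.scopes());
        }
        addMethodScopes(resourceInfo, scopes);
        return scopes;
    }

    /** Appends the scopes of a {@link ProtectedApi} annotation on the resource method, if present. */
    private void addMethodScopes(ResourceInfo resourceInfo, List<String> list) {
        ProtectedApi methodLevel = resourceInfo.getResourceMethod().getAnnotation(ProtectedApi.class);
        if (methodLevel != null) {
            Collections.addAll(list, methodLevel.scopes());
        }
    }

    /** @return the OAuth client id used to request the PAT */
    protected abstract String getClientId();

    /** @return the (possibly encrypted) password of the client keystore */
    protected abstract String getClientKeyStorePassword();

    /** @return the path of the client JKS keystore */
    protected abstract String getClientKeyStoreFile();

    /** @return the key id within the client keystore used to sign the PAT request */
    protected abstract String getClientKeyId();

    /** @return the UMA resource id the RPT is validated against */
    public abstract String getUmaResourceId();

    /** @return the scope used when no {@link ProtectedApi} scopes are declared */
    public abstract String getUmaScope();

    /**
     * Entry point for the protection filter.
     *
     * <p>Returns {@code null} to let the request proceed, otherwise the response to
     * send. Unexpected failures are logged with their stack trace but reported to
     * the client with a generic message only — exception text is internal detail
     * and must not be echoed to an unauthenticated caller.
     */
    @Override
    public Response processAuthorization(HttpHeaders httpHeaders, ResourceInfo resourceInfo) {
        String authorization = httpHeaders.getHeaderString("Authorization");
        this.log.info("Authorization header {} found", StringUtils.isEmpty(authorization) ? "not" : "");
        if (!isEnabledUmaAuthentication()) {
            return IProtectionService.simpleResponse(Response.Status.INTERNAL_SERVER_ERROR, "Failed to setup UMA authentication");
        }
        try {
            return processUmaAuthorization(authorization, resourceInfo);
        } catch (Exception e) {
            this.log.error("UMA authorization failed", e);
            return IProtectionService.simpleResponse(Response.Status.INTERNAL_SERVER_ERROR, "Failed to process UMA authorization");
        }
    }
}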
