package org.xdi.oxd.rs.protect.resteasy;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import java.util.List;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.jboss.resteasy.client.ClientResponseFailure;
import org.jboss.resteasy.core.ResourceMethod;
import org.jboss.resteasy.core.ServerResponse;
import org.jboss.resteasy.spi.Failure;
import org.jboss.resteasy.spi.HttpRequest;
import org.jboss.resteasy.spi.interception.PreProcessInterceptor;
import org.xdi.oxauth.model.uma.PermissionTicket;
import org.xdi.oxauth.model.uma.RptIntrospectionResponse;
import org.xdi.oxauth.model.uma.UmaPermission;
import org.xdi.oxd.rs.protect.Jackson;
import org.xdi.util.StringHelper;

/* loaded from: input_file:org/xdi/oxd/rs/protect/resteasy/RptPreProcessInterceptor.class */
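/**
 * RESTEasy pre-process interceptor that enforces UMA protection on registered resources.
 *
 * <p>For every request the interceptor asks the {@link ResourceRegistrar} for a {@link Key}
 * matching the request path and HTTP method. Requests without a key are passed through.
 * Requests with a key must carry a bearer RPT whose introspection result is active and grants
 * access to the resource; otherwise a permission ticket is registered and returned with a
 * {@code 403} response.
 *
 * <p>Security-relevant behaviour of this class:
 * <ul>
 *   <li>Any failure while checking a protected resource ends in an error response, never in
 *       {@code null} (which would let the request through).</li>
 *   <li>Bearer tokens (RPT and PAT) are never written to the log.</li>
 *   <li>Exception messages are logged server-side only and are not echoed to the client.</li>
 * </ul>
 */
public class RptPreProcessInterceptor implements PreProcessInterceptor {
    private static final Logger LOG = Logger.getLogger(RptPreProcessInterceptor.class);

    private static final String BEARER_PREFIX = "Bearer ";
    private static final String GAT_PREFIX = "gat_";
    /** Generic body for 500 responses; internal exception text stays in the server log. */
    private static final String INTERNAL_ERROR_ENTITY = "Internal server error.";

    private final ResourceRegistrar resourceRegistrar;
    private final PatProvider patProvider;
    private final ServiceProvider serviceProvider;

    /**
     * Creates the interceptor.
     *
     * @param resourceRegistrar registrar holding the protected resources; it must also supply a
     *     non-null PAT provider and service provider
     * @throws NullPointerException if the registrar or one of its providers is {@code null}
     */
    public RptPreProcessInterceptor(ResourceRegistrar resourceRegistrar) {
        Preconditions.checkNotNull(resourceRegistrar, "Resource registrar is null.");
        Preconditions.checkNotNull(resourceRegistrar.getPatProvider(), "PAT Provider is null.");
        Preconditions.checkNotNull(resourceRegistrar.getServiceProvider(), "Service Provider is null.");
        this.resourceRegistrar = resourceRegistrar;
        this.patProvider = resourceRegistrar.getPatProvider();
        this.serviceProvider = resourceRegistrar.getServiceProvider();
    }

    /**
     * Decides whether the request may reach the resource method.
     *
     * @param httpRequest incoming request
     * @param resourceMethod target resource method (not inspected here)
     * @return {@code null} to let the request proceed (resource not protected, or RPT grants
     *     access); otherwise the response to send instead of invoking the resource
     */
    @Override
    public ServerResponse preProcess(HttpRequest httpRequest, ResourceMethod resourceMethod) throws Failure, WebApplicationException {
        String path = getPath(httpRequest);
        String httpMethod = httpRequest.getHttpMethod();
        Key key = this.resourceRegistrar.getKey(path, httpMethod);
        if (key == null) {
            LOG.debug("Resource is not protected with UMA, path:" + path + ", httpMethod: " + httpMethod);
            return null;
        }
        try {
            String rpt = getRpt(httpRequest.getHttpHeaders());
            if (!Strings.isNullOrEmpty(rpt)) {
                LOG.debug("RPT present in request");
                if (hasPermission(requestRptStatus(rpt), key, httpMethod, isGat(rpt))) {
                    LOG.debug("RPT has enough permissions, access GRANTED. Path: " + path + ", httpMethod:" + httpMethod);
                    return null;
                }
            }
            LOG.debug("Client does not present valid RPT. Registering permission ticket ...");
            Response ticketResponse = registerTicketResponse(path, httpMethod);
            if (ticketResponse == null) {
                // The resource was found protected above, so a missing ticket response must not
                // turn into null here: null would let the request through without a valid RPT.
                LOG.error("No ticket response for protected resource, access DENIED. Path: " + path + ", httpMethod: " + httpMethod);
                return internalError();
            }
            return ServerResponse.copyIfNotServerResponse(ticketResponse);
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
            if (e instanceof ClientResponseFailure) {
                logFailureEntity((ClientResponseFailure) e);
            }
            return internalError();
        }
    }

    /**
     * Tells whether the token carries the {@code gat_} prefix.
     *
     * @param token bearer token taken from the request, may be {@code null}
     * @return {@code true} if the token is non-empty and starts with {@code gat_}
     */
    public static boolean isGat(String token) {
        return !Strings.isNullOrEmpty(token) && token.startsWith(GAT_PREFIX);
    }

    /**
     * Checks whether an introspected RPT grants access to the resource identified by {@code key}.
     *
     * @param introspection result of the RPT status request, may be {@code null}
     * @param key key of the protected resource
     * @param httpMethod HTTP method of the request
     * @param gat whether the token was classified as a GAT by {@link #isGat(String)}
     * @return {@code true} only if the token is active and one of its permissions grants access
     */
    public boolean hasPermission(RptIntrospectionResponse introspection, Key key, String httpMethod, boolean gat) {
        if (introspection == null || !introspection.getActive()) {
            return false;
        }
        String resourceSetId = this.resourceRegistrar.getResourceSetId(key);
        if (Strings.isNullOrEmpty(resourceSetId)) {
            LOG.error("Resource has key but is not registered on AS. Key: " + key);
            return false;
        }
        if (introspection.getPermissions() == null) {
            return false;
        }
        for (UmaPermission permission : introspection.getPermissions()) {
            // For a GAT the resource set id of the permission is not compared; only the scopes
            // are checked. NOTE(review): the GAT flag is derived from the token's "gat_" prefix,
            // not from the introspection response - confirm the AS never issues an ordinary RPT
            // with that prefix.
            boolean resourceMatches = resourceSetId.equals(permission.getResourceSetId());
            if ((resourceMatches || gat)
                    && this.resourceRegistrar.getProtector().hasAccess(key.getPath(), httpMethod, permission.getScopes())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Extracts the path component of the request's absolute URI.
     *
     * @param httpRequest incoming request
     * @return the path, or {@code null} if the request exposes no URI information
     */
    public String getPath(HttpRequest httpRequest) {
        if (httpRequest.getUri() == null || httpRequest.getUri().getAbsolutePath() == null) {
            return null;
        }
        return httpRequest.getUri().getAbsolutePath().getPath();
    }

    /**
     * Extracts the token from an {@code Authorization} header value.
     *
     * <p>The {@code Bearer} scheme name is matched case-insensitively, as HTTP authentication
     * scheme names are case-insensitive.
     *
     * @param authorization raw header value, may be {@code null}
     * @return the text after {@code "Bearer "}, or {@code null} if the value is empty or uses
     *     another scheme
     */
    public static String getRptFromAuthorization(String authorization) {
        if (StringHelper.isNotEmpty(authorization)
                && authorization.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            return authorization.substring(BEARER_PREFIX.length());
        }
        return null;
    }

    /**
     * Reads the RPT from the request headers. Only the first {@code Authorization} header value
     * is examined.
     *
     * @param httpHeaders request headers, may be {@code null}
     * @return the token; {@code ""} if there is no {@code Authorization} header; {@code null} if
     *     the header does not use the bearer scheme
     */
    public static String getRpt(HttpHeaders httpHeaders) {
        if (httpHeaders == null) {
            return "";
        }
        List<String> values = httpHeaders.getRequestHeader(HttpHeaders.AUTHORIZATION);
        if (values == null || values.isEmpty()) {
            return "";
        }
        return getRptFromAuthorization(values.get(0));
    }

    /**
     * Asks the RPT status service for the introspection result of the given RPT, authenticating
     * with the PAT.
     *
     * @param rpt token presented by the client
     * @return the introspection response, or {@code null} if the token is blank or no response
     *     was obtained
     */
    public RptIntrospectionResponse requestRptStatus(String rpt) {
        if (!StringUtils.isNotBlank(rpt)) {
            return null;
        }
        // The RPT is a bearer credential: anyone who can read it from a log file can replay it,
        // so the token value itself is deliberately kept out of the log messages.
        LOG.debug("Request RPT status...");
        RptIntrospectionResponse status = this.serviceProvider.getRptStatusService().requestRptStatus(BEARER_PREFIX + this.patProvider.getPatToken(), rpt, "");
        if (status != null) {
            LOG.debug("RPT status: " + Jackson.asJsonSilently(status));
            return status;
        }
        LOG.debug("Unable to retrieve RPT status from AM.");
        return null;
    }

    /**
     * Registers a permission ticket for the resource at the given path and method.
     *
     * @param path request path
     * @param httpMethod HTTP method of the request
     * @return the {@code 403} ticket response, or {@code null} if no resource is registered for
     *     the path and method; callers must not treat that {@code null} as "access granted"
     */
    public Response registerTicketResponse(String path, String httpMethod) {
        Key key = this.resourceRegistrar.getKey(path, httpMethod);
        if (key != null) {
            return registerTicketResponse(this.resourceRegistrar.getRsResource(key).scopesForTicket(httpMethod), this.resourceRegistrar.getResourceSetId(key));
        }
        LOG.error("Resource is not registered. Path: " + path + ", httpMethod: " + httpMethod + ". Please register it via uma-rs configuration.");
        LOG.error("Skip protection !!!");
        return null;
    }

    /**
     * Registers a permission ticket for the given scopes and resource set, and builds the
     * {@code 403} response that carries it.
     *
     * @param scopes scopes to request, must not be empty
     * @param resourceSetId id of the resource set, must not be empty
     * @return a {@code 403} response with a {@code WWW-Authenticate} header and the ticket as
     *     entity, or a {@code 403} response with a {@code Warning} header if registration failed
     * @throws IllegalStateException if scopes or resource set id are missing
     */
    public Response registerTicketResponse(List<String> scopes, String resourceSetId) {
        Preconditions.checkState(scopes != null && !scopes.isEmpty(), "Scopes must not be empty.");
        Preconditions.checkState(!Strings.isNullOrEmpty(resourceSetId), "ResourceId must be set.");
        // Stays null when registration throws, so the failure branch below is taken.
        PermissionTicket ticket = null;
        try {
            UmaPermission permission = new UmaPermission();
            permission.setResourceSetId(resourceSetId);
            permission.setScopes(scopes);
            ticket = this.resourceRegistrar.getServiceProvider().getPermissionRegistrationService().registerResourceSetPermission(BEARER_PREFIX + this.patProvider.getPatToken(), this.serviceProvider.opHostWithoutProtocol(), permission);
        } catch (Exception e) {
            LOG.error("Failed to register permission ticket.", e);
        }
        if (ticket == null) {
            LOG.error("Failed to register permission ticket. Response is null.");
            // Header name without a trailing colon: a colon is not valid inside a header name.
            return Response.status(Response.Status.FORBIDDEN).header("Warning", "UMA Authorization Server Unreachable").build();
        }
        String challenge = "UMA realm=\"rs\",as_uri=\"" + this.serviceProvider.getOpHost() + "\",error=\"insufficient_scope\",ticket=\"" + ticket.getTicket() + "\"";
        LOG.debug("Ticket registered, " + challenge);
        return Response.status(Response.Status.FORBIDDEN).header(HttpHeaders.WWW_AUTHENTICATE, challenge).entity(ticket).build();
    }

    /** Builds the 500 response used when checking a protected resource fails. */
    private static ServerResponse internalError() {
        return ServerResponse.copyIfNotServerResponse(
                Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(INTERNAL_ERROR_ENTITY).build());
    }

    /** Logs the response body of a failed client call; a failure to read it is logged, not thrown. */
    private static void logFailureEntity(ClientResponseFailure failure) {
        try {
            LOG.error("Entity: " + failure.getResponse().getEntity(String.class));
        } catch (RuntimeException readFailure) {
            LOG.error("Unable to read entity of failed response.", readFailure);
        }
    }
}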
