package org.apache.cxf.rs.security.oauth.filters;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import net.oauth.OAuth;
import net.oauth.OAuthMessage;
import net.oauth.OAuthProblemException;
import net.oauth.OAuthValidator;
import net.oauth.server.OAuthServlet;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.rs.security.oauth.data.AccessToken;
import org.apache.cxf.rs.security.oauth.data.Client;
import org.apache.cxf.rs.security.oauth.data.OAuthContext;
import org.apache.cxf.rs.security.oauth.data.OAuthPermission;
import org.apache.cxf.rs.security.oauth.data.UserSubject;
import org.apache.cxf.rs.security.oauth.provider.DefaultOAuthValidator;
import org.apache.cxf.rs.security.oauth.provider.OAuthDataProvider;
import org.apache.cxf.rs.security.oauth.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth.utils.OAuthUtils;
import org.apache.cxf.security.SecurityContext;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.2.1.redhat-020.zip:modules/system/layers/fuse/org/apache/cxf/3.0/cxf-rt-rs-security-oauth-3.0.4.redhat-621020.jar:org/apache/cxf/rs/security/oauth/filters/AbstractAuthFilter.class */
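/**
 * Base class for the OAuth 1.0 request filters.
 * <p>
 * {@link #handleOAuthRequest} resolves the {@link AccessToken} an incoming request is made with
 * (either a token presented via {@code oauth_token}, or the client's pre-authorized token),
 * validates the OAuth message through the configured {@link OAuthValidator} and
 * {@link OAuthDataProvider}, and narrows the token's {@link OAuthPermission}s down to those
 * whose URIs and HTTP verbs match the request. The remaining methods turn the resulting
 * {@link OAuthInfo} into a CXF {@link SecurityContext} and an {@link OAuthContext}.
 * <p>
 * Note on this listing: it was recovered by a decompiler, which reports that
 * {@code handleOAuthRequest}, {@code createSecurityContext} and {@code createOAuthContext}
 * were {@code protected} in the original source. They are kept {@code public} here so that
 * callers of this listing keep compiling.
 */
public class AbstractAuthFilter {
    private static final Logger LOG = LogUtils.getL7dLogger(AbstractAuthFilter.class);

    /** Parameters a token-bearing request must carry; enforced via {@link OAuthMessage#requireParameters}. */
    private static final String[] REQUIRED_PARAMETERS = {
        OAuth.OAUTH_CONSUMER_KEY,
        OAuth.OAUTH_TOKEN,
        OAuth.OAUTH_SIGNATURE_METHOD,
        OAuth.OAUTH_SIGNATURE,
        OAuth.OAUTH_TIMESTAMP,
        OAuth.OAUTH_NONCE
    };

    /**
     * {@link #REQUIRED_PARAMETERS} plus {@code oauth_version} and the consumer secret.
     * Unless {@link #setSupportUnknownParameters} is enabled, any other request parameter is
     * hidden from the {@link OAuthMessage} by {@link CustomHttpServletWrapper}.
     */
    private static final Set<String> ALLOWED_OAUTH_PARAMETERS = new HashSet<>();

    static {
        ALLOWED_OAUTH_PARAMETERS.addAll(Arrays.asList(REQUIRED_PARAMETERS));
        ALLOWED_OAUTH_PARAMETERS.add(OAuth.OAUTH_VERSION);
        ALLOWED_OAUTH_PARAMETERS.add(OAuthConstants.OAUTH_CONSUMER_SECRET);
    }

    // When false (the default), non-OAuth request parameters are filtered out before the
    // OAuthMessage is built.
    private boolean supportUnknownParameters;
    // When true, the SecurityContext is derived from the token's UserSubject instead of the Client.
    private boolean useUserSubject;
    private OAuthDataProvider dataProvider;
    private OAuthValidator validator = new DefaultOAuthValidator();

    /**
     * Request wrapper that restricts {@link #getParameterMap()} to {@link #ALLOWED_OAUTH_PARAMETERS}
     * unless the enclosing filter accepts unknown parameters. It is passed to
     * {@link OAuthServlet#getMessage}, so the parameters the OAuth message sees, presumably
     * including those taking part in validation, are limited to the allowed set
     * (NOTE(review): confirm against OAuthServlet).
     * <p>
     * Deliberately a non-static inner class: it reads the enclosing filter's configuration.
     */
    private class CustomHttpServletWrapper extends HttpServletRequestWrapper {
        CustomHttpServletWrapper(HttpServletRequest request) {
            super(request);
        }

        /**
         * Returns the wrapped request's parameters, either unchanged (unknown parameters are
         * supported, or every parameter is already an allowed OAuth parameter) or reduced to the
         * allowed OAuth parameters. The filtered copy is a new map; the wrapped map is not modified.
         */
        @Override
        public Map<String, String[]> getParameterMap() {
            Map<String, String[]> all = super.getParameterMap();
            if (supportUnknownParameters || ALLOWED_OAUTH_PARAMETERS.containsAll(all.keySet())) {
                return all;
            }
            Map<String, String[]> filtered = new HashMap<>();
            for (Map.Entry<String, String[]> entry : all.entrySet()) {
                if (ALLOWED_OAUTH_PARAMETERS.contains(entry.getKey())) {
                    filtered.put(entry.getKey(), entry.getValue());
                }
            }
            return filtered;
        }
    }

    /** Sets the provider used to look up clients and access tokens. Required before {@link #handleOAuthRequest}. */
    public void setDataProvider(OAuthDataProvider provider) {
        this.dataProvider = provider;
    }

    /** Controls whether {@link #createSecurityContext} is based on the token's user subject or on the client. */
    public void setUseUserSubject(boolean useUserSubject) {
        this.useUserSubject = useUserSubject;
    }

    /** @return whether the security context is derived from the token's user subject */
    public boolean isUseUserSubject() {
        return this.useUserSubject;
    }

    /**
     * Authenticates an OAuth 1.0 request and determines the permissions it may exercise.
     * <p>
     * If the request carries {@code oauth_token}, the token is looked up and the signed message
     * is validated against it. Otherwise the client is identified from the {@code Authorization}
     * header (OAuth scheme: consumer key/secret parameters; Basic scheme: the
     * {@link AuthorizationPolicy} CXF attached to the current message), the message is validated
     * for that client, and the client's pre-authorized token is used.
     * <p>
     * Original source declared this method {@code protected} (decompiler note).
     *
     * @param request the incoming request
     * @return the resolved token together with the permissions matching this request's URI and verb
     * @throws OAuthProblemException with {@code TOKEN_REJECTED} when the presented token is unknown or the
     *         client has no pre-authorized token; with {@code CONSUMER_KEY_UNKNOWN} when the client is
     *         unknown or the supplied consumer secret does not match; and with a plain message when the
     *         token has scopes but none of them matches the request
     * @throws Exception propagated from the OAuth library and the validator
     */
    public OAuthInfo handleOAuthRequest(HttpServletRequest request) throws OAuthProblemException, Exception {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.log(Level.FINE, "OAuth security filter for url: {0}", request.getRequestURL());
        }
        OAuthMessage message = OAuthServlet.getMessage(new CustomHttpServletWrapper(request),
                                                       OAuthServlet.getRequestURL(request));

        AccessToken token = message.getParameter(OAuth.OAUTH_TOKEN) != null
            ? resolvePresentedToken(message)
            : resolvePreAuthorizedToken(message);

        List<OAuthPermission> scopes = token.getScopes();
        List<OAuthPermission> matched = matchPermissions(request, scopes);
        // A token without any scopes is accepted as-is; a scoped token must match at least once.
        if (!scopes.isEmpty() && matched.isEmpty()) {
            LOG.warning("Client has no valid permissions");
            throw new OAuthProblemException("Client has no valid permissions");
        }
        return new OAuthInfo(token, matched);
    }

    /** Token branch: {@code oauth_token} is present, so look it up and validate the message against it. */
    private AccessToken resolvePresentedToken(OAuthMessage message) throws Exception {
        message.requireParameters(REQUIRED_PARAMETERS);
        AccessToken token = dataProvider.getAccessToken(message.getToken());
        if (token == null) {
            LOG.warning("Access token is unavailable");
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
        OAuthUtils.validateMessage(message, token.getClient(), token, dataProvider, validator);
        return token;
    }

    /** Client branch: identify the client from the Authorization header and use its pre-authorized token. */
    private AccessToken resolvePreAuthorizedToken(OAuthMessage message) throws Exception {
        String consumerKey = null;
        String consumerSecret = null;
        String authHeader = message.getHeader("Authorization");
        if (authHeader != null) {
            if (authHeader.startsWith(OAuthMessage.AUTH_SCHEME)) {
                consumerKey = message.getParameter(OAuth.OAUTH_CONSUMER_KEY);
                consumerSecret = message.getParameter(OAuthConstants.OAUTH_CONSUMER_SECRET);
            } else if (authHeader.startsWith("Basic")) {
                // Basic credentials are not decoded here; CXF has already placed them on the
                // current message as an AuthorizationPolicy.
                AuthorizationPolicy policy = getAuthorizationPolicy(authHeader);
                if (policy != null) {
                    consumerKey = policy.getUserName();
                    consumerSecret = policy.getPassword();
                }
            }
        }

        Client client = consumerKey != null ? dataProvider.getClient(consumerKey) : null;
        if (client == null) {
            LOG.warning("Client is invalid");
            throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
        }
        // The secret is only checked here when one was supplied; the message signature is
        // validated by OAuthUtils.validateMessage below in either case.
        if (consumerSecret != null && !secretMatches(consumerSecret, client.getSecretKey())) {
            LOG.warning("Client secret is invalid");
            throw new OAuthProblemException(OAuth.Problems.CONSUMER_KEY_UNKNOWN);
        }
        OAuthUtils.validateMessage(message, client, null, dataProvider, validator);

        AccessToken token = client.getPreAuthorizedToken();
        if (token == null || !token.isPreAuthorized()) {
            LOG.warning("Preauthorized access token is unavailable");
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
        return token;
    }

    /**
     * Compares a presented secret with the stored one in constant time, so that the comparison's
     * duration does not reveal how many leading characters matched. A missing stored secret never
     * matches (same outcome as the former {@code presented.equals(null)}).
     */
    private static boolean secretMatches(String presented, String expected) {
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8),
                                     expected.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Keeps the permissions whose URIs and HTTP verbs both admit the request. Both checks run for
     * every permission so that each one's diagnostic logging is emitted.
     */
    private List<OAuthPermission> matchPermissions(HttpServletRequest request, List<OAuthPermission> scopes) {
        List<OAuthPermission> matched = new ArrayList<>();
        for (OAuthPermission permission : scopes) {
            boolean uriOk = checkRequestURI(request, permission.getUris());
            boolean verbOk = checkHttpVerb(request, permission.getHttpVerbs());
            if (uriOk && verbOk) {
                matched.add(permission);
            }
        }
        return matched;
    }

    /**
     * Returns the {@link AuthorizationPolicy} CXF attached to the current message, or {@code null}
     * when there is no current message or no policy on it.
     *
     * @param authHeader the Basic {@code Authorization} header; not used by this implementation,
     *        available for subclasses that parse the header themselves
     */
    protected AuthorizationPolicy getAuthorizationPolicy(String authHeader) {
        Message current = PhaseInterceptorChain.getCurrentMessage();
        return current == null ? null : (AuthorizationPolicy) current.get(AuthorizationPolicy.class);
    }

    /**
     * @param request the incoming request
     * @param verbs the HTTP methods a permission allows; an empty list allows any method
     * @return {@code true} when the request method is allowed
     */
    protected boolean checkHttpVerb(HttpServletRequest request, List<String> verbs) {
        if (verbs.isEmpty() || verbs.contains(request.getMethod())) {
            return true;
        }
        LOG.fine("Invalid http verb");
        return false;
    }

    /**
     * @param request the incoming request; its path info is matched against each URI pattern
     * @param uris the URI patterns a permission allows, each evaluated via
     *        {@link OAuthUtils#checkRequestURI}; an empty list allows any URI
     * @return {@code true} when at least one pattern matches
     */
    protected boolean checkRequestURI(HttpServletRequest request, List<String> uris) {
        if (uris.isEmpty()) {
            return true;
        }
        String pathInfo = request.getPathInfo();
        for (String uri : uris) {
            if (OAuthUtils.checkRequestURI(pathInfo, uri)) {
                return true;
            }
        }
        LOG.warning("Invalid request URI: " + request.getRequestURL().toString());
        return false;
    }

    /**
     * Builds the CXF security context for an authenticated request and stores the token's roles
     * on the request under the {@code oauth_authorities} attribute.
     * <p>
     * With {@link #setUseUserSubject} enabled the principal and roles come from the token's
     * {@link UserSubject} (the principal name is {@code null} if the token has no subject);
     * otherwise the principal is the client's login name and the roles are {@code info.getRoles()}.
     * <p>
     * Original source declared this method {@code protected} (decompiler note).
     *
     * @param request the authenticated request
     * @param info the result of {@link #handleOAuthRequest}; its token must be non-null
     */
    public SecurityContext createSecurityContext(HttpServletRequest request, final OAuthInfo info) {
        request.setAttribute("oauth_authorities", info.getRoles());
        final UserSubject subject = info.getToken().getSubject();
        return new SecurityContext() {
            @Override
            public Principal getUserPrincipal() {
                String name;
                if (useUserSubject) {
                    name = subject == null ? null : subject.getLogin();
                } else {
                    name = info.getToken().getClient().getLoginName();
                }
                return new SimplePrincipal(name);
            }

            @Override
            public boolean isUserInRole(String role) {
                List<String> roles = (useUserSubject && subject != null) ? subject.getRoles() : info.getRoles();
                return roles != null && roles.contains(role);
            }
        };
    }

    /**
     * Builds the {@link OAuthContext} exposed to the application: the token's user subject
     * ({@code null} if there is no token or no subject) plus the permissions matched for this request.
     * <p>
     * Original source declared this method {@code protected} (decompiler note).
     */
    public OAuthContext createOAuthContext(OAuthInfo info) {
        UserSubject subject = info.getToken() == null ? null : info.getToken().getSubject();
        return new OAuthContext(subject, info.getMatchedPermissions());
    }

    /** Replaces the default {@link DefaultOAuthValidator}. */
    public void setValidator(OAuthValidator oauthValidator) {
        this.validator = oauthValidator;
    }

    /** When enabled, request parameters outside {@link #ALLOWED_OAUTH_PARAMETERS} are passed through unfiltered. */
    public void setSupportUnknownParameters(boolean supportUnknownParameters) {
        this.supportUnknownParameters = supportUnknownParameters;
    }
}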
