package com.networknt.aws.lambda.handler.middleware.security;

import com.networknt.aws.lambda.LightLambdaExchange;
import com.networknt.aws.lambda.handler.MiddlewareHandler;
import com.networknt.aws.lambda.handler.middleware.audit.AuditMiddleware;
import com.networknt.aws.lambda.handler.middleware.specification.OpenApiMiddleware;
import com.networknt.client.oauth.TokenInfo;
import com.networknt.monad.Result;
import com.networknt.oas.model.Operation;
import com.networknt.oas.model.SecurityParameter;
import com.networknt.oas.model.SecurityRequirement;
import com.networknt.openapi.OpenApiOperation;
import com.networknt.security.SecurityConfig;
import com.networknt.security.SwtVerifier;
import com.networknt.status.Status;
import com.networknt.utility.Constants;
import com.networknt.utility.MapUtil;
import com.networknt.utility.StringUtils;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/aws/lambda/handler/middleware/security/SwtVerifyMiddleware.class */
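/**
 * Middleware that verifies the SWT carried in the {@code Authorization} header of an incoming
 * Lambda request and, when {@code enableVerifyScope} is set, checks the token scopes against the
 * scopes the matched OpenAPI operation requires. Verified client/issuer identifiers are copied into
 * the audit attachment, and configured token claims can be passed through as request headers.
 *
 * <p>Configuration and the verifier are held in static fields (assigned by the constructor) so that
 * every handler instance shares them; {@link #swtVerifier} stays public for existing callers.
 */
public class SwtVerifyMiddleware implements MiddlewareHandler {
    private static final Logger LOG = LoggerFactory.getLogger(SwtVerifyMiddleware.class);
    static final String OPENAPI_SECURITY_CONFIG = "openapi-security";
    static final String STATUS_INVALID_AUTH_TOKEN = "ERR10000";
    static final String STATUS_MISSING_AUTH_TOKEN = "ERR10002";
    static final String STATUS_AUTH_TOKEN_SCOPE_MISMATCH = "ERR10005";
    static final String STATUS_SCOPE_TOKEN_SCOPE_MISMATCH = "ERR10006";
    static final String STATUS_INVALID_REQUEST_PATH = "ERR10007";
    static final String STATUS_METHOD_NOT_ALLOWED = "ERR10008";
    static final String STATUS_CLIENT_EXCEPTION = "ERR10082";
    static final String STATUS_OPENAPI_OPERATION_MISSED = "ERR10085";

    /** Header that may carry a secondary (scope) token next to the primary one. */
    private static final String SCOPE_TOKEN_HEADER = "X-Scope-Token";
    /** Shortest Authorization value worth parsing ("Bearer" alone is six characters). */
    private static final int MIN_AUTH_HEADER_LENGTH = 6;
    /** Number of leading token characters that trace logging is allowed to show. */
    private static final int TRACE_PREFIX_LENGTH = 10;

    public static SwtVerifier swtVerifier;
    private static SecurityConfig CONFIG;

    /** Loads the {@code openapi-security} configuration and builds the shared verifier. */
    public SwtVerifyMiddleware() {
        CONFIG = SecurityConfig.load(OPENAPI_SECURITY_CONFIG);
        swtVerifier = new SwtVerifier(CONFIG);
        if (LOG.isInfoEnabled()) {
            LOG.info("SwtVerifyMiddleware is constructed");
        }
    }

    /**
     * Entry point of the middleware: skips verification for configured path prefixes, otherwise
     * delegates to {@link #handleSwt}.
     *
     * @param lightLambdaExchange the current exchange
     * @return a success status, or the error status produced by token/scope verification
     * @throws NullPointerException if the request carries no path
     */
    @Override
    public Status execute(LightLambdaExchange lightLambdaExchange) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("SwtVerifyMiddleware.execute starts.");
        }
        String path = Objects.requireNonNull(lightLambdaExchange.getRequest().getPath(), "request path");
        if (isSkippedPath(path)) {
            if (LOG.isTraceEnabled()) {
                LOG.trace("Skip request path base on skipPathPrefixes for " + path);
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("SwtVerifyMiddleware.execute ends.");
            }
            return successMiddlewareStatus();
        }
        return handleSwt(lightLambdaExchange, path, null);
    }

    /** True when {@code skipPathPrefixes} is configured and one of its entries prefixes the path. */
    private static boolean isSkippedPath(String path) {
        Collection<String> prefixes = CONFIG.getSkipPathPrefixes();
        return prefixes != null && prefixes.stream().anyMatch(path::startsWith);
    }

    /**
     * Verifies the primary token, records audit information, optionally verifies scopes and
     * passes configured claims through as headers.
     *
     * @param lightLambdaExchange the current exchange
     * @param reqPath             request path handed to the verifier
     * @param serviceIds          verifier service ids; may be {@code null} (handed through unchanged)
     * @return success, or an error status (missing/invalid token, verifier failure, scope mismatch,
     *         or {@code ERR10085} when no OpenAPI operation is attached and the config does not
     *         allow skipping scope verification without a spec)
     */
    public Status handleSwt(LightLambdaExchange lightLambdaExchange, String reqPath, List<String> serviceIds) {
        Map<String, String> headers = lightLambdaExchange.getRequest().getHeaders();
        String authHeader = header(headers, "Authorization");
        if (LOG.isTraceEnabled()) {
            LOG.trace("reqPath = {} and headerMap = {}", reqPath, headers.isEmpty() ? "empty" : headers.toString());
        }
        if (authHeader == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("SwtVerifyMiddleware.execute ends with an error. Authorization header value is NULL.");
            }
            return new Status(STATUS_MISSING_AUTH_TOKEN);
        }
        if (authHeader.trim().length() < MIN_AUTH_HEADER_LENGTH) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("SwtVerifyMiddleware.execute ends with an error.");
            }
            return new Status(STATUS_INVALID_AUTH_TOKEN);
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace("Authorization header = " + tracePrefix(authHeader));
        }
        String swt = SwtVerifier.getTokenFromAuthorization(getScopeToken(authHeader, headers));
        if (swt == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("SwtVerifyMiddleware.execute ends with an error.");
            }
            return new Status(STATUS_MISSING_AUTH_TOKEN);
        }
        if (LOG.isTraceEnabled()) {
            // bounded prefix: a short token must not turn trace logging into an exception
            LOG.trace("parsed swt from authorization = " + tracePrefix(swt));
        }
        String clientId = header(headers, CONFIG.getSwtClientIdHeader());
        String clientSecret = header(headers, CONFIG.getSwtClientSecretHeader());
        if (LOG.isTraceEnabled()) {
            LOG.trace("header swtClientId = " + clientId + ", header swtClientSecret = " + StringUtils.maskHalfString(clientSecret));
        }
        Result<TokenInfo> verified = swtVerifier.verifySwt(swt, reqPath, serviceIds, clientId, clientSecret);
        if (verified.isFailure()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("SwtVerifyMiddleware.execute ends with an error.");
            }
            return verified.getError();
        }
        TokenInfo tokenInfo = verified.getResult();

        Map<String, Object> auditInfo = auditInfo(lightLambdaExchange);
        auditInfo.put("client_id", tokenInfo.getClientId());
        auditInfo.put(Constants.ISSUER_CLAIMS, tokenInfo.getIss());
        String callerId = header(headers, Constants.CALLER_ID_STRING);
        if (callerId != null) {
            auditInfo.put(Constants.CALLER_ID_STRING, callerId);
        }
        lightLambdaExchange.addAttachment(AuditMiddleware.AUDIT_ATTACHMENT_KEY, auditInfo);

        if (CONFIG.isEnableVerifyScope()) {
            if (LOG.isTraceEnabled()) {
                LOG.trace("verify scope from the primary token when enableVerifyScope is true");
            }
            // The operation is attached by an earlier middleware; a missing attachment is treated
            // like a missing operation instead of dereferencing null.
            OpenApiOperation openApiOperation = (OpenApiOperation) auditInfo.get(Constants.OPENAPI_OPERATION_STRING);
            Operation operation = openApiOperation != null ? openApiOperation.getOperation() : null;
            if (operation == null) {
                if (CONFIG.isSkipVerifyScopeWithoutSpec()) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("SwtVerifyMiddleware.execute ends without verifying scope due to spec.");
                    }
                    return successMiddlewareStatus();
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("SwtVerifyMiddleware.execute ends with an error.");
                }
                return new Status(STATUS_OPENAPI_OPERATION_MISSED);
            }
            String scopeHeader = header(headers, SCOPE_TOKEN_HEADER);
            // Verify the parsed secondary token, not the raw header value (which may carry a
            // "Bearer " prefix); the header itself only signals which scope source applies.
            String scopeSwt = SwtVerifier.getTokenFromAuthorization(scopeHeader);
            List<String> secondaryScopes = new ArrayList<>();
            Status secondary = hasValidSecondaryScopes(lightLambdaExchange, scopeSwt, secondaryScopes, reqPath, serviceIds, auditInfo);
            if (secondary.getStatusCode() >= 400) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("SwtVerifyMiddleware.execute ends with an error.");
                }
                return secondary;
            }
            Status primary = hasValidScope(scopeHeader, secondaryScopes, tokenInfo, operation);
            if (primary.getStatusCode() >= 400) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("SwtVerifyMiddleware.execute ends with an error.");
                }
                return primary;
            }
        }

        Map<String, String> passThrough = CONFIG.getPassThroughClaims();
        if (passThrough != null && !passThrough.isEmpty()) {
            passThroughClaims(tokenInfo, passThrough, headers);
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace("complete SWT verification for request path = " + lightLambdaExchange.getRequest().getPath());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("SwtVerifyMiddleware.execute ends.");
        }
        return successMiddlewareStatus();
    }

    /** Returns the existing audit attachment, or a fresh map when none has been attached yet. */
    @SuppressWarnings("unchecked")
    private static Map<String, Object> auditInfo(LightLambdaExchange exchange) {
        Object existing = exchange.getAttachment(AuditMiddleware.AUDIT_ATTACHMENT_KEY);
        return existing != null ? (Map<String, Object>) existing : new HashMap<>();
    }

    /**
     * Copies configured token claims into request headers (claim field name -> header name).
     * Best-effort: a claim that cannot be read is logged and skipped, and a {@code null} claim
     * value sets no header instead of raising.
     */
    private static void passThroughClaims(TokenInfo tokenInfo, Map<String, String> claimToHeader, Map<String, String> headers) {
        for (Map.Entry<String, String> entry : claimToHeader.entrySet()) {
            String claim = entry.getKey();
            String headerName = entry.getValue();
            try {
                // Field names come from static configuration, not from the request.
                Field field = tokenInfo.getClass().getDeclaredField(claim);
                field.setAccessible(true);
                Object value = field.get(tokenInfo);
                if (value == null) {
                    if (LOG.isTraceEnabled()) {
                        LOG.trace("claim {} is absent; header {} not set", claim, headerName);
                    }
                    continue;
                }
                if (LOG.isTraceEnabled()) {
                    LOG.trace("pass through header {} with value {}", headerName, value);
                }
                headers.put(headerName, value.toString());
            } catch (Exception e) {
                LOG.error("Exception:", e);
            }
        }
    }

    /**
     * Checks the token scopes against the scopes required by the operation's oauth2 security
     * requirement. With a scope token present, the secondary scopes are checked; otherwise the
     * primary token's {@code scope} claim is.
     *
     * @param scopeHeader     raw {@code X-Scope-Token} header, {@code null} when absent
     * @param secondaryScopes scopes collected from the verified scope token
     * @param tokenInfo       verified primary token
     * @param operation       matched OpenAPI operation
     * @return success, or {@code ERR10006}/{@code ERR10005} on mismatch
     */
    protected Status hasValidScope(String scopeHeader, List<String> secondaryScopes, TokenInfo tokenInfo, Operation operation) {
        if (!CONFIG.isEnableVerifyScope()) {
            return successMiddlewareStatus();
        }
        List<String> specScopes = requiredScopes(operation);
        if (scopeHeader != null) {
            if (LOG.isTraceEnabled()) {
                LOG.trace("validate the scope with scope token");
            }
            if (secondaryScopes == null || !matchedScopes(secondaryScopes, specScopes)) {
                return new Status(STATUS_SCOPE_TOKEN_SCOPE_MISMATCH, secondaryScopes, specScopes);
            }
            return successMiddlewareStatus();
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace("validate the scope with primary token");
        }
        String scope = tokenInfo.getScope();
        List<String> primaryScopes = scope != null ? splitScopes(scope) : null;
        if (!matchedScopes(primaryScopes, specScopes)) {
            LOG.error("Authorization token scope is not matched.");
            return new Status(STATUS_AUTH_TOKEN_SCOPE_MISMATCH, primaryScopes, specScopes);
        }
        return successMiddlewareStatus();
    }

    /**
     * Scopes demanded by the first security requirement that names one of the known oauth2
     * schemes and lists parameters; {@code null} when the spec declares none.
     */
    private static List<String> requiredScopes(Operation operation) {
        List<SecurityRequirement> requirements = operation.getSecurityRequirements();
        if (requirements == null) {
            return null;
        }
        for (SecurityRequirement requirement : requirements) {
            for (String schemeName : OpenApiMiddleware.helper.oauth2Names) {
                SecurityParameter parameter = requirement.getRequirement(schemeName);
                if (parameter != null) {
                    List<String> scopes = parameter.getParameters();
                    if (scopes != null) {
                        return scopes;
                    }
                    break; // the first matching scheme decides for this requirement
                }
            }
        }
        return null;
    }

    /** Splits a space-separated {@code scope} claim into its entries. */
    private static List<String> splitScopes(String scope) {
        return Arrays.asList(scope.split(" "));
    }

    /**
     * True when the spec requires no scopes, or when at least one required scope is present in
     * the token scopes.
     *
     * @param tokenScopes    scopes from the token; {@code null}/empty never satisfies a requirement
     * @param requiredScopes scopes from the spec; {@code null}/empty means nothing is required
     */
    protected boolean matchedScopes(List<String> tokenScopes, Collection<String> requiredScopes) {
        if (requiredScopes == null || requiredScopes.isEmpty()) {
            return true;
        }
        if (tokenScopes == null || tokenScopes.isEmpty()) {
            return false;
        }
        return requiredScopes.stream().anyMatch(tokenScopes::contains);
    }

    /**
     * Verifies the secondary (scope) token and collects its scopes.
     *
     * @param lightLambdaExchange the current exchange (source of client id/secret headers)
     * @param scopeToken          parsed scope token; {@code null} means nothing to verify
     * @param secondaryScopes     receives the scope token's scopes
     * @param reqPath             request path handed to the verifier
     * @param serviceIds          verifier service ids, may be {@code null}
     * @param auditInfo           receives the scope token's client id
     * @return success, the verifier's error, or {@code ERR10082} when verification throws
     */
    protected Status hasValidSecondaryScopes(LightLambdaExchange lightLambdaExchange, String scopeToken, List<String> secondaryScopes, String reqPath, List<String> serviceIds, Map<String, Object> auditInfo) {
        if (scopeToken == null) {
            return successMiddlewareStatus();
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace("start verifying scope token = " + tracePrefix(scopeToken));
        }
        try {
            Map<String, String> headers = lightLambdaExchange.getRequest().getHeaders();
            String clientId = header(headers, CONFIG.getSwtClientIdHeader());
            String clientSecret = header(headers, CONFIG.getSwtClientSecretHeader());
            if (LOG.isTraceEnabled()) {
                LOG.trace("header swtClientId = " + clientId + ", header swtClientSecret = " + StringUtils.maskHalfString(clientSecret));
            }
            Result<TokenInfo> verified = swtVerifier.verifySwt(scopeToken, reqPath, serviceIds, clientId, clientSecret);
            if (verified.isFailure()) {
                return verified.getError();
            }
            TokenInfo scopeTokenInfo = verified.getResult();
            String scope = scopeTokenInfo.getScope();
            if (scope != null) {
                secondaryScopes.addAll(splitScopes(scope));
                auditInfo.put(Constants.SCOPE_CLIENT_ID_STRING, scopeTokenInfo.getClientId());
            }
        } catch (Exception e) {
            LOG.error("Exception", e);
            return new Status(STATUS_CLIENT_EXCEPTION, e.getMessage());
        }
        return successMiddlewareStatus();
    }

    /**
     * Picks the value to parse the primary token from: the Authorization header when it is a
     * Bearer credential, otherwise the {@code X-Scope-Token} header when present.
     *
     * @param authorization raw Authorization header, may be {@code null}
     * @param headers       request headers
     * @return the Authorization value, or the scope-token header that replaces it
     */
    protected String getScopeToken(String authorization, Map<String, String> headers) {
        // regionMatches is false (never throws) for values shorter than "Bearer"
        if (authorization == null || authorization.regionMatches(true, 0, "Bearer", 0, MIN_AUTH_HEADER_LENGTH)) {
            return authorization;
        }
        String scopeToken = header(headers, SCOPE_TOKEN_HEADER);
        if (scopeToken == null) {
            return authorization;
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace("The replaced authorization from X-Scope-Token header = " + tracePrefix(scopeToken));
        }
        return scopeToken;
    }

    /** Case-insensitive header lookup returning {@code null} when the header is absent. */
    private static String header(Map<String, String> headers, String name) {
        return (String) MapUtil.getValueIgnoreCase(headers, name).orElse(null);
    }

    /** At most {@link #TRACE_PREFIX_LENGTH} leading characters, safe for values of any length. */
    private static String tracePrefix(String value) {
        return value.substring(0, Math.min(TRACE_PREFIX_LENGTH, value.length()));
    }

    /** No cached configuration to refresh for this handler. */
    @Override
    public void getCachedConfigurations() {
    }

    /** Enabled when {@code enableVerifySwt} is set in the loaded configuration. */
    @Override
    public boolean isEnabled() {
        return CONFIG.isEnableVerifySwt();
    }

    /** Nothing to register. */
    @Override
    public void register() {
    }

    /** Nothing to reload; configuration is read once in the constructor. */
    @Override
    public void reload() {
    }

    /** A verification failure stops the chain. */
    @Override
    public boolean isContinueOnFailure() {
        return false;
    }

    @Override
    public boolean isAudited() {
        return false;
    }

    @Override
    public boolean isAsynchronous() {
        return false;
    }
}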
