package com.networknt.security;

import com.google.auth.http.AuthHttpConstants;
import com.networknt.exception.ExpiredTokenException;
import com.networknt.handler.Handler;
import com.networknt.handler.MiddlewareHandler;
import com.networknt.httpstring.AttachmentConstants;
import com.networknt.httpstring.HttpStringConstants;
import com.networknt.status.Status;
import com.networknt.utility.Constants;
import io.undertow.Handlers;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderMap;
import io.undertow.util.Headers;
import io.undertow.util.HttpString;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Stream;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/security/AbstractSimpleJwtVerifyHandler.class */
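/**
 * Undertow middleware that authenticates a request by verifying the JWT carried in the
 * {@code Authorization} header (or, for a non-Bearer scheme, in the scope-token header).
 *
 * <p>On success the verified claims are stored in the exchange's {@code AUDIT_INFO}
 * attachment and the request is passed to {@link #next}. On failure the exchange is ended
 * with the matching error {@link Status}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #config} and {@link #jwtVerifier} are public, mutable statics. Any code in the
 *       same JVM can replace them, so whoever assigns them effectively controls
 *       authentication for every instance of this handler.</li>
 *   <li>Requests matching a configured skip prefix are never authenticated.</li>
 *   <li>At TRACE level the full claim set is written to the log; treat such logs as
 *       sensitive.</li>
 * </ul>
 */
public abstract class AbstractSimpleJwtVerifyHandler extends UndertowVerifyHandler implements MiddlewareHandler, IJwtVerifyHandler {
    static final Logger logger = LoggerFactory.getLogger(AbstractSimpleJwtVerifyHandler.class);
    static final String STATUS_INVALID_AUTH_TOKEN = "ERR10000";
    static final String STATUS_AUTH_TOKEN_EXPIRED = "ERR10001";
    static final String TOKEN_VERIFICATION_EXCEPTION = "ERR10090";
    static final String STATUS_MISSING_AUTH_TOKEN = "ERR10002";
    static final String STATUS_METHOD_NOT_ALLOWED = "ERR10008";

    /** Number of leading characters of a credential that may appear in trace logs. */
    private static final int LOGGED_PREFIX_LENGTH = 10;

    /** Length of the prefix of the Authorization header compared with the Bearer scheme. */
    private static final int SCHEME_LENGTH = 6;

    // NOTE(review): public mutable statics; nothing in this class assigns them, so they are
    // presumably set by a subclass or by startup code. Confirm they are written once.
    public static SecurityConfig config;
    public static JwtVerifier jwtVerifier;
    public volatile HttpHandler next;

    /**
     * Entry point of the middleware: skips configured path prefixes, otherwise verifies the
     * token and either continues the chain or ends the exchange with an error status.
     *
     * @param httpServerExchange the current exchange
     * @throws Exception whatever {@link #handleJwt} or the next handler throws
     */
    @Override
    public void handleRequest(HttpServerExchange httpServerExchange) throws Exception {
        logger.debug("SimpleJwtVerifyHandler.handleRequest starts.");
        String requestPath = httpServerExchange.getRequestPath();
        // The skip list is a plain String.startsWith match and bypasses authentication
        // completely: a prefix such as "/health" also covers "/healthxyz". Configure prefixes
        // as narrowly as possible, ideally ending in a path separator.
        if (config.getSkipPathPrefixes() != null
                && config.getSkipPathPrefixes().stream().anyMatch(requestPath::startsWith)) {
            logger.trace("Skip request path base on skipPathPrefixes for {}", requestPath);
            Handler.next(httpServerExchange, this.next);
            logger.debug("SimpleJwtVerifyHandler.handleRequest ends.");
            return;
        }
        Status failure = handleJwt(httpServerExchange, null, requestPath, null);
        if (failure != null) {
            setExchangeStatus(httpServerExchange, failure);
            httpServerExchange.endExchange();
            return;
        }
        logger.debug("SimpleJwtVerifyHandler.handleRequest ends.");
        Handler.next(httpServerExchange, this.next);
    }

    /**
     * Verifies the token of the request and records the caller's identity in the audit info.
     *
     * @param httpServerExchange the current exchange
     * @param pathPrefix forwarded unchanged to {@code JwtVerifier.verifyJwt};
     *     {@link #handleRequest} passes {@code null} (presumably used for key selection, confirm
     *     against the verifier)
     * @param requestPath the request path, forwarded unchanged to the verifier
     * @param jwkServiceIds forwarded unchanged to the verifier; {@link #handleRequest} passes
     *     {@code null}
     * @return {@code null} when the token is accepted, otherwise the error status to send
     * @throws Exception any exception from the verifier or claim access that is not one of the
     *     three handled token exceptions
     */
    public Status handleJwt(HttpServerExchange httpServerExchange, String pathPrefix, String requestPath, List<String> jwkServiceIds) throws Exception {
        HeaderMap requestHeaders = httpServerExchange.getRequestHeaders();
        String authorization = requestHeaders.getFirst(Headers.AUTHORIZATION);
        // Only a short prefix of the credential is ever logged, never the whole header.
        if (logger.isTraceEnabled() && authorization != null && authorization.length() > LOGGED_PREFIX_LENGTH) {
            logger.trace("Authorization header = {}", authorization.substring(0, LOGGED_PREFIX_LENGTH));
        }
        if (authorization == null) {
            return rejectWith(STATUS_MISSING_AUTH_TOKEN);
        }
        if (authorization.trim().length() < SCHEME_LENGTH) {
            return rejectWith(STATUS_INVALID_AUTH_TOKEN);
        }
        String effectiveAuthorization = getScopeToken(authorization, requestHeaders);
        // When this flag is on, the flag is handed to the verifier and expired tokens may be
        // accepted; it should not be enabled outside of test environments.
        boolean ignoreExpiry = config.isIgnoreJwtExpiry();
        String jwt = JwtVerifier.getTokenFromAuthorization(effectiveAuthorization);
        if (jwt == null) {
            logger.debug("SimpleJwtVerifyHandler.handleRequest ends with an error.");
            return new Status(STATUS_MISSING_AUTH_TOKEN, new Object[0]);
        }
        if (logger.isTraceEnabled()) {
            // Bounded by the token length: the previous unconditional substring(0, 10) threw
            // StringIndexOutOfBoundsException for a token shorter than ten characters.
            logger.trace("parsed jwt from authorization = {}", jwt.substring(0, Math.min(LOGGED_PREFIX_LENGTH, jwt.length())));
        }
        try {
            JwtClaims claims = jwtVerifier.verifyJwt(jwt, ignoreExpiry, true, pathPrefix, requestPath, jwkServiceIds);
            if (logger.isTraceEnabled()) {
                // Full claim set (may contain personal data); keep TRACE off in production.
                logger.trace("claims = {}", claims.toJson());
            }
            @SuppressWarnings("unchecked") // the attachment is only ever populated with this map type here
            Map<String, Object> auditInfo = (Map<String, Object>) httpServerExchange.getAttachment(AttachmentConstants.AUDIT_INFO);
            if (auditInfo == null) {
                auditInfo = new HashMap<>();
                httpServerExchange.putAttachment(AttachmentConstants.AUDIT_INFO, auditInfo);
            }
            String clientId = claims.getStringClaimValue("client_id");
            String userId = claims.getStringClaimValue(Constants.USER_ID_STRING);
            String issuer = claims.getStringClaimValue("iss");
            // Fall back to the alternative claim names when the primary ones are absent.
            if (clientId == null) {
                clientId = claims.getStringClaimValue(Constants.CID);
            }
            if (userId == null) {
                userId = claims.getStringClaimValue(Constants.UID);
            }
            auditInfo.put(Constants.USER_ID_STRING, userId);
            auditInfo.put(Constants.SUBJECT_CLAIMS, claims);
            auditInfo.put("client_id", clientId);
            auditInfo.put(Constants.ISSUER_CLAIMS, issuer);
            if (!config.isEnableH2c() && checkForH2CRequest(requestHeaders)) {
                return rejectWith(STATUS_METHOD_NOT_ALLOWED);
            }
            // The caller id comes from a request header, not from the verified token: it is
            // client-supplied and must be treated as informational only.
            String callerId = requestHeaders.getFirst(HttpStringConstants.CALLER_ID);
            if (callerId != null) {
                auditInfo.put(Constants.CALLER_ID_STRING, callerId);
            }
            copyPassThroughClaims(claims, requestHeaders);
            logger.trace("complete SJWT verification for request path = {}", httpServerExchange.getRequestURI());
            logger.debug("SimpleJwtVerifyHandler.handleRequest ends.");
            return null;
        } catch (ExpiredTokenException e) {
            logger.error("ExpiredTokenException", e);
            return rejectWith(STATUS_AUTH_TOKEN_EXPIRED);
        } catch (VerificationException e) {
            logger.error("VerificationException", e);
            // NOTE(review): the verifier's message is passed into the status as an argument
            // and may reach the client; confirm it never carries key material or internal
            // detail.
            return rejectWith(TOKEN_VERIFICATION_EXCEPTION, e.getMessage());
        } catch (InvalidJwtException e) {
            logger.error("InvalidJwtException: ", e);
            return rejectWith(STATUS_INVALID_AUTH_TOKEN);
        }
    }

    /**
     * Builds an error status and records it in the trace log.
     *
     * @param code the status code
     * @param args arguments handed to the {@link Status} constructor
     * @return the new status
     */
    private static Status rejectWith(String code, Object... args) {
        Status status = new Status(code, args);
        logger.trace("SimpleJwtVerifyHandler.handleRequest ends with an error {}", status);
        return status;
    }

    /**
     * Copies the configured pass-through claims of a verified token into request headers.
     *
     * <p>When the token lacks a configured claim, the target header is removed instead of
     * being left as received: otherwise a value sent by the client would travel on under a
     * header name that is meant to carry token-derived data. (The previous code threw a
     * {@link NullPointerException} in that case.)
     *
     * @param claims the verified claims
     * @param requestHeaders the headers of the current request, modified in place
     */
    private static void copyPassThroughClaims(JwtClaims claims, HeaderMap requestHeaders) {
        Map<String, String> passThroughClaims = config.getPassThroughClaims();
        if (passThroughClaims == null || passThroughClaims.isEmpty()) {
            return;
        }
        for (Map.Entry<String, String> mapping : passThroughClaims.entrySet()) {
            String claimName = mapping.getKey();
            HttpString headerName = new HttpString(mapping.getValue());
            Object claimValue = claims.getClaimValue(claimName);
            if (claimValue == null) {
                logger.trace("pass through claim {} is absent, header {} removed", claimName, headerName);
                requestHeaders.remove(headerName);
                continue;
            }
            logger.trace("pass through header {} with value {}", headerName, claimValue);
            requestHeaders.put(headerName, claimValue.toString());
        }
    }

    /**
     * Chooses the header value the token is parsed from: the Authorization header when it
     * uses the Bearer scheme, otherwise the value of the scope-token header.
     *
     * @param str the Authorization header value, may be {@code null}
     * @param headerMap the request headers
     * @return {@code str} when it is {@code null} or starts with the Bearer scheme, otherwise
     *     the scope-token header value, which may be {@code null}
     */
    protected String getScopeToken(String str, HeaderMap headerMap) {
        if (str == null) {
            return null;
        }
        // The length check keeps substring() from throwing on a value shorter than the scheme
        // name; such a value is treated like any other non-Bearer header.
        boolean bearer = str.length() >= SCHEME_LENGTH
                && str.substring(0, SCHEME_LENGTH).equalsIgnoreCase(AuthHttpConstants.BEARER);
        if (bearer) {
            return str;
        }
        String scopeToken = headerMap.getFirst(HttpStringConstants.SCOPE_TOKEN);
        if (logger.isTraceEnabled() && scopeToken != null && scopeToken.length() > LOGGED_PREFIX_LENGTH) {
            logger.trace("The replaced authorization from X-Scope-Token header = {}", scopeToken.substring(0, LOGGED_PREFIX_LENGTH));
        }
        return scopeToken;
    }

    /**
     * Returns the handler that runs after this one.
     *
     * @return the next handler in the chain
     */
    public HttpHandler getNext() {
        return this.next;
    }

    /**
     * Sets the handler that runs after this one.
     *
     * @param httpHandler the next handler, checked with {@code Handlers.handlerNotNull}
     * @return this handler
     */
    public MiddlewareHandler setNext(HttpHandler httpHandler) {
        Handlers.handlerNotNull(httpHandler);
        this.next = httpHandler;
        return this;
    }

    /**
     * Reports whether JWT verification is switched on in the configuration.
     *
     * @return the value of {@code config.isEnableVerifyJwt()}
     */
    public boolean isEnabled() {
        return config.isEnableVerifyJwt();
    }

    /**
     * Returns the shared verifier used by this handler.
     *
     * @return the static {@link #jwtVerifier}
     */
    @Override
    public JwtVerifier getJwtVerifier() {
        return jwtVerifier;
    }
}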
