package com.networknt.oauth.handler;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.networknt.basicauth.BasicAuthConfig;
import com.networknt.body.BodyHandler;
import com.networknt.client.oauth.SignRequest;
import com.networknt.config.Config;
import com.networknt.config.JsonMapper;
import com.networknt.db.provider.DbProvider;
import com.networknt.exception.ApiException;
import com.networknt.handler.LightHttpHandler;
import com.networknt.monad.Result;
import com.networknt.oauth.common.ClientUtil;
import com.networknt.oauth.common.HttpAuth;
import com.networknt.security.JwtConfig;
import com.networknt.security.JwtIssuer;
import com.networknt.security.KeyUtil;
import com.networknt.service.SingletonServiceFactory;
import com.networknt.status.Status;
import com.networknt.utility.HashUtil;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.Headers;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.HashMap;
import java.util.Map;
import net.lightapi.portal.db.PortalDbProvider;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler;
import org.jose4j.jwt.JwtClaims;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/oauth/handler/ProviderIdSigningPostHandler.class */
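/**
 * Signs a caller-supplied payload into a JWT using the current key of the
 * provider named by the {@code JwtConfig.PROVIDER_ID} query parameter.
 *
 * <p>The caller authenticates with client credentials carried in the
 * Authorization header (parsed by {@link HttpAuth}); the stored client secret
 * is verified through {@link HashUtil#validatePassword}. On success the
 * response body is a JSON object with {@code access_token}, {@code token_type}
 * and {@code expires_in}.
 */
public class ProviderIdSigningPostHandler implements LightHttpHandler {
    private static final String MISSING_AUTHORIZATION_HEADER = "ERR12002";
    private static final String INVALID_AUTHORIZATION_HEADER = "ERR12003";
    private static final String INVALID_BASIC_CREDENTIALS = "ERR12004";
    private static final String CLIENT_NOT_FOUND = "ERR12014";
    private static final String UNAUTHORIZED_CLIENT = "ERR12007";
    private static final String RUNTIME_EXCEPTION = "ERR10010";
    private static final String GENERIC_EXCEPTION = "ERR10014";
    private static final Logger logger = LoggerFactory.getLogger(ProviderIdSigningPostHandler.class);
    static PortalDbProvider dbProvider = (PortalDbProvider) SingletonServiceFactory.getBean(DbProvider.class);

    /**
     * Authenticates the calling client, then issues a JWT built from the request body.
     *
     * @param httpServerExchange the current exchange; the parsed body is read from
     *                           the {@code BodyHandler.REQUEST_BODY} attachment
     * @throws Exception an {@link ApiException} when authentication fails, the request is
     *                   malformed, the provider key lookup fails, or signing fails
     */
    @Override // io.undertow.server.HttpHandler
    public void handleRequest(HttpServerExchange httpServerExchange) throws Exception {
        ObjectMapper mapper = Config.getInstance().getMapper();
        httpServerExchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "application/json");

        // Authenticate before touching any other request input.
        Map<String, Object> client = authenticateClient(httpServerExchange);
        if (client == null) {
            return;
        }

        // A missing query parameter yields a null Deque; fail with a Status instead of an NPE.
        java.util.Deque<String> providerIdValues = httpServerExchange.getQueryParameters().get(JwtConfig.PROVIDER_ID);
        String providerId = providerIdValues == null ? null : providerIdValues.peekFirst();
        if (providerId == null || providerId.trim().isEmpty()) {
            throw new ApiException(new Status(GENERIC_EXCEPTION, "missing query parameter " + JwtConfig.PROVIDER_ID));
        }

        // The body attachment is absent when no body was parsed and may be a list for array bodies.
        Object body = httpServerExchange.getAttachment(BodyHandler.REQUEST_BODY);
        if (!(body instanceof Map)) {
            throw new ApiException(new Status(GENERIC_EXCEPTION, "request body must be a JSON object"));
        }
        SignRequest signRequest = mapper.convertValue(body, SignRequest.class);
        // NOTE(review): expires comes straight from the request and no bound is applied here,
        // so the caller chooses the token lifetime — confirm a maximum is enforced elsewhere.
        int expires = signRequest.getExpires();

        Result<Map<String, Object>> providerKey = dbProvider.queryCurrentProviderKey(providerId);
        if (providerKey.isFailure()) {
            logger.error("failed to get the current host key: {}", providerKey.getError());
            throw new ApiException(providerKey.getError());
        }
        try {
            Map<String, Object> payload = signRequest.getPayload();
            Map<String, Object> keyRecord = providerKey.getResult();
            JwtClaims claims = mockCcClaims(
                    (String) client.get(OAuthBearerLoginCallbackHandler.CLIENT_ID_CONFIG),
                    Integer.valueOf(expires),
                    payload);
            String jwt = JwtIssuer.getJwt(
                    claims,
                    (String) keyRecord.get("kid"),
                    KeyUtil.deserializePrivateKey((String) keyRecord.get("privateKey"), "RSA"));
            Map<String, Object> response = new HashMap<>();
            response.put("access_token", jwt);
            response.put("token_type", BasicAuthConfig.BEARER);
            response.put("expires_in", Integer.valueOf(expires));
            httpServerExchange.getResponseSender().send(mapper.writeValueAsString(response));
        } catch (Exception e) {
            logger.error("Exception:", e);
            // NOTE(review): the raw exception message is handed to the Status and may reach the
            // caller; key-parsing failures could describe internals — consider a fixed message.
            throw new ApiException(new Status(GENERIC_EXCEPTION, e.getMessage()));
        }
    }

    /**
     * Extracts client credentials from the Authorization header and verifies them.
     *
     * @param httpServerExchange the current exchange
     * @return the client record as returned by {@link #validateClientSecret}
     * @throws ApiException when the header is missing, malformed, or the credentials are rejected
     */
    private Map<String, Object> authenticateClient(HttpServerExchange httpServerExchange) throws ApiException {
        HttpAuth httpAuth = new HttpAuth(httpServerExchange);
        if (!httpAuth.isHeaderAvailable()) {
            throw new ApiException(new Status(MISSING_AUTHORIZATION_HEADER, new Object[0]));
        }
        String clientId = httpAuth.getClientId();
        String clientSecret = httpAuth.getClientSecret();
        boolean hasClientId = clientId != null && !clientId.trim().isEmpty();
        boolean hasClientSecret = clientSecret != null && !clientSecret.trim().isEmpty();
        if (hasClientId && hasClientSecret) {
            return validateClientSecret(clientId, clientSecret);
        }
        // NOTE(review): both branches below pass the rejected credentials / Authorization value
        // as the Status argument. If the ERR12004 / ERR12003 templates echo their argument,
        // secret material lands in the response or logs — confirm and consider redacting.
        if (httpAuth.isInvalidCredentials()) {
            throw new ApiException(new Status(INVALID_BASIC_CREDENTIALS, httpAuth.getCredentials()));
        }
        throw new ApiException(new Status(INVALID_AUTHORIZATION_HEADER, httpAuth.getAuth()));
    }

    /**
     * Loads the client record and checks the presented secret against the stored value.
     *
     * @param str  the client id presented by the caller
     * @param str2 the client secret presented by the caller
     * @return the client record parsed into a map
     * @throws ApiException when the lookup fails, the client does not exist, the record holds no
     *                      usable secret, the secret does not match, or validation itself fails
     */
    private Map<String, Object> validateClientSecret(String str, String str2) throws ApiException {
        Result<String> clientById = ClientUtil.getClientById(str);
        if (clientById.isFailure()) {
            logger.error("failed to get the client: {}", clientById.getError());
            throw new ApiException(clientById.getError());
        }
        String clientJson = clientById.getResult();
        if (clientJson == null) {
            throw new ApiException(new Status(CLIENT_NOT_FOUND, str));
        }
        try {
            Map<String, Object> clientMap = JsonMapper.string2Map(clientJson);
            // Fail closed when the record carries no string secret instead of passing null on.
            Object storedSecret = clientMap == null ? null : clientMap.get(OAuthBearerLoginCallbackHandler.CLIENT_SECRET_CONFIG);
            if (!(storedSecret instanceof String)) {
                throw new ApiException(new Status(UNAUTHORIZED_CLIENT, new Object[0]));
            }
            if (HashUtil.validatePassword(str2.toCharArray(), (String) storedSecret)) {
                return clientMap;
            }
            throw new ApiException(new Status(UNAUTHORIZED_CLIENT, new Object[0]));
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            logger.error("Exception:", e);
            throw new ApiException(new Status(RUNTIME_EXCEPTION, new Object[0]));
        }
    }

    /**
     * Builds the claim set for the token: the caller's payload plus the authenticated client id.
     *
     * <p>The payload is applied first and {@code client_id} last, so a {@code client_id} key in
     * the payload cannot replace the identity that was actually authenticated.
     *
     * @param str the authenticated client id
     * @param num the requested lifetime passed to {@code JwtIssuer.getJwtClaimsWithExpiresIn}
     * @param map the caller-supplied claims; may be {@code null}
     * @return the populated claims
     */
    private JwtClaims mockCcClaims(String str, Integer num, Map<String, Object> map) {
        JwtClaims claims = JwtIssuer.getJwtClaimsWithExpiresIn(num.intValue());
        if (map != null) {
            // NOTE(review): payload keys are copied verbatim, so the caller can still set or
            // replace any other claim that getJwtClaimsWithExpiresIn populated — confirm
            // whether registered claims should be reserved as well.
            for (Map.Entry<String, Object> entry : map.entrySet()) {
                claims.setClaim(entry.getKey(), entry.getValue());
            }
        }
        claims.setClaim("client_id", str);
        return claims;
    }
}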
