package org.forgerock.http.oauth2;

import java.util.ArrayList;
import java.util.Set;
import org.forgerock.http.Filter;
import org.forgerock.http.Handler;
import org.forgerock.http.protocol.Header;
import org.forgerock.http.protocol.Headers;
import org.forgerock.http.protocol.Request;
import org.forgerock.http.protocol.Response;
import org.forgerock.http.protocol.ResponseException;
import org.forgerock.http.protocol.Status;
import org.forgerock.services.context.Context;
import org.forgerock.util.AsyncFunction;
import org.forgerock.util.promise.NeverThrowsException;
import org.forgerock.util.promise.Promise;
import org.forgerock.util.time.TimeService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/forgerock/http/oauth2/ResourceServerFilter.class */
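/**
 * OAuth 2.0 resource-server filter.
 *
 * <p>Expects a bearer access token in the request's {@code Authorization} header, resolves it
 * through the configured {@link AccessTokenResolver}, rejects expired tokens and tokens lacking the
 * scopes demanded by {@link ResourceAccess}, and only then hands the request to the next
 * {@link Handler} wrapped in an {@link OAuth2Context}. Every rejection is answered with a response
 * carrying a {@code WWW-Authenticate} challenge built by {@link OAuth2Error}.
 *
 * <p>The decompiled form of this class widened {@link #invalidToken}, {@link #insufficientScope}
 * and {@link #isExpired} from {@code private} to {@code public}; they are kept public here so any
 * caller that came to rely on that still compiles.
 */
public class ResourceServerFilter implements Filter {
    static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String DESC_INVALID_TOKEN = "The access token provided is expired, revoked, malformed, or invalid for other reasons.";
    private static final String DESC_INVALID_REQUEST = "The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed.";
    private static final String DESC_INSUFFICIENT_SCOPE = "The request requires higher privileges than provided by the access token.";
    private static final Logger logger = LoggerFactory.getLogger(ResourceServerFilter.class);

    // Turns the raw bearer token string into token metadata (scopes, expiry).
    private final AccessTokenResolver resolver;
    // Clock consulted by the expiry check.
    private final TimeService time;
    // Source of the scopes a given request requires.
    private final ResourceAccess resourceAccess;
    // Realm advertised in every WWW-Authenticate challenge this filter emits.
    private final String realm;

    /**
     * Builds the challenge for a request that carried no bearer token at all.
     *
     * @param realm the protection realm to advertise
     * @return a {@code 401 Unauthorized} response whose challenge has no error code or description
     */
    private static Response notAuthorized(String realm) {
        return newResourceServerErrorResponse(Status.UNAUTHORIZED, realm, null, null, null);
    }

    /**
     * Builds the {@code invalid_request} challenge used when the token could not even be extracted
     * from the request (here: more than one {@code Authorization} header).
     *
     * @param realm the protection realm to advertise
     * @param cause the extraction failure, attached to the response for diagnostics
     * @return a {@code 400 Bad Request} response with an {@code invalid_request} challenge
     */
    private static Response invalidRequest(String realm, AccessTokenException cause) {
        Response response = newResourceServerErrorResponse(
                Status.BAD_REQUEST, realm, null, OAuth2Error.E_INVALID_REQUEST, DESC_INVALID_REQUEST);
        response.setCause(cause);
        return response;
    }

    /**
     * Builds the {@code invalid_token} challenge used when a presented token is expired or cannot
     * be resolved.
     *
     * @param realm the protection realm to advertise
     * @return a {@code 401 Unauthorized} response with an {@code invalid_token} challenge
     */
    public static Response invalidToken(String realm) {
        return newResourceServerErrorResponse(
                Status.UNAUTHORIZED, realm, null, OAuth2Error.E_INVALID_TOKEN, DESC_INVALID_TOKEN);
    }

    /**
     * Builds the {@code insufficient_scope} challenge used when a valid token lacks scopes the
     * requested resource demands.
     *
     * @param realm          the protection realm to advertise
     * @param requiredScopes the scopes the resource requires; echoed in the challenge
     * @return a {@code 403 Forbidden} response with an {@code insufficient_scope} challenge
     */
    public static Response insufficientScope(String realm, Set<String> requiredScopes) {
        return newResourceServerErrorResponse(
                Status.FORBIDDEN, realm, requiredScopes, OAuth2Error.E_INSUFFICIENT_SCOPE, DESC_INSUFFICIENT_SCOPE);
    }

    /**
     * Common factory for every error response: a bare response of the given status with a single
     * {@code WWW-Authenticate} header rendered by {@link OAuth2Error#newResourceServerError}.
     *
     * @param status           HTTP status of the response
     * @param realm            protection realm placed in the challenge
     * @param scopes           scopes to advertise, or {@code null} to advertise none
     * @param error            OAuth 2.0 error code, or {@code null} for a code-less challenge
     * @param errorDescription human-readable description paired with {@code error}, or {@code null}
     * @return the populated response
     */
    private static Response newResourceServerErrorResponse(Status status, String realm, Set<String> scopes,
            String error, String errorDescription) {
        Response response = new Response(status);
        // The error builder takes a List, so the Set is copied; a null Set is passed through as null.
        // The (Object) cast selects the Headers.put(String, Object) overload, as in the original.
        response.getHeaders().put(WWW_AUTHENTICATE_HEADER, (Object) OAuth2Error.newResourceServerError(
                realm, scopes == null ? null : new ArrayList<>(scopes), error, errorDescription, null)
                .toWWWAuthenticateHeader());
        return response;
    }

    /**
     * Creates the filter.
     *
     * @param accessTokenResolver resolves bearer tokens into {@link AccessTokenInfo}
     * @param timeService         clock used to decide whether a token has expired
     * @param resourceAccess      supplies the scopes each request requires
     * @param realm               realm advertised in {@code WWW-Authenticate} challenges
     */
    public ResourceServerFilter(AccessTokenResolver accessTokenResolver, TimeService timeService,
            ResourceAccess resourceAccess, String realm) {
        this.resolver = accessTokenResolver;
        this.time = timeService;
        this.resourceAccess = resourceAccess;
        this.realm = realm;
    }

    /**
     * Extracts the bearer token, resolves it asynchronously and routes to the success or failure
     * continuation. A request without a token is answered {@code 401} immediately; a request with
     * several {@code Authorization} headers is answered {@code 400}.
     *
     * @param context the request context
     * @param request the incoming request
     * @param handler the downstream handler invoked only for authorised requests
     * @return a promise of the final response
     */
    @Override
    public Promise<Response, NeverThrowsException> filter(Context context, Request request, Handler handler) {
        try {
            String accessToken = getAccessToken(request);
            if (accessToken != null) {
                return this.resolver.resolve(context, accessToken)
                        .thenAsync(onResolverSuccess(context, request, handler), onResolverException());
            }
            logger.debug("Missing OAuth 2.0 Bearer Token in the Authorization header");
            return Response.newResponsePromise(notAuthorized(this.realm));
        } catch (AccessTokenException e) {
            logger.debug("Multiple 'Authorization' headers in the request", e);
            return Response.newResponsePromise(invalidRequest(this.realm, e));
        }
    }

    /**
     * Failure continuation for {@link AccessTokenResolver#resolve}: any resolution error is mapped
     * to an {@code invalid_token} challenge.
     *
     * <p>The raw bearer token is deliberately not written to the log: it is a credential, and debug
     * logs are routinely shipped to systems with a weaker trust level than the request path. The
     * resolver's exception is logged instead, which is what a troubleshooter needs.
     *
     * @return the continuation
     */
    private AsyncFunction<AccessTokenException, Response, NeverThrowsException> onResolverException() {
        return new AsyncFunction<AccessTokenException, Response, NeverThrowsException>() {
            @Override
            public Promise<? extends Response, ? extends NeverThrowsException> apply(AccessTokenException e) {
                logger.debug("Access Token cannot be resolved", e);
                return Response.newResponsePromise(invalidToken(realm));
            }
        };
    }

    /**
     * Success continuation for {@link AccessTokenResolver#resolve}: enforces expiry and scopes,
     * then delegates to {@code handler} inside an {@link OAuth2Context} carrying the token info.
     *
     * @param context the request context
     * @param request the incoming request
     * @param handler the downstream handler
     * @return the continuation
     */
    private AsyncFunction<AccessTokenInfo, Response, NeverThrowsException> onResolverSuccess(
            final Context context, final Request request, final Handler handler) {
        return new AsyncFunction<AccessTokenInfo, Response, NeverThrowsException>() {
            @Override
            public Promise<? extends Response, ? extends NeverThrowsException> apply(AccessTokenInfo tokenInfo) {
                // Expiry is checked before scopes so an expired token never reaches the scope lookup.
                if (isExpired(tokenInfo)) {
                    logger.debug("Access Token {} is expired", tokenInfo);
                    return Response.newResponsePromise(invalidToken(realm));
                }
                try {
                    Set<String> requiredScopes = resourceAccess.getRequiredScopes(context, request);
                    // Authorisation succeeds only when every required scope was granted to the token.
                    if (tokenInfo.getScopes().containsAll(requiredScopes)) {
                        return handler.handle(new OAuth2Context(context, tokenInfo), request);
                    }
                    logger.debug("Access Token {} is missing required scopes", tokenInfo);
                    return Response.newResponsePromise(insufficientScope(realm, requiredScopes));
                } catch (ResponseException e) {
                    // ResourceAccess may abort with a ready-made response; forward it unchanged.
                    return Response.newResponsePromise(e.getResponse());
                }
            }
        };
    }

    /**
     * Reports whether the token's expiry instant lies strictly in the past according to the
     * injected clock. A token whose {@code expiresAt} equals the current instant is still accepted.
     *
     * @param accessTokenInfo the resolved token
     * @return {@code true} if the token has expired
     */
    public boolean isExpired(AccessTokenInfo accessTokenInfo) {
        return this.time.now() > accessTokenInfo.getExpiresAt();
    }

    /**
     * Extracts the bearer token from the {@code Authorization} header.
     *
     * @param request the incoming request
     * @return the token, or {@code null} when no {@code Authorization} header is present (the
     *         result of {@link OAuth2#getBearerAccessToken} is returned as-is otherwise)
     * @throws AccessTokenException if the request carries more than one {@code Authorization}
     *         header value, since it is then ambiguous which token is meant
     */
    private String getAccessToken(Request request) throws AccessTokenException {
        Headers headers = request.getHeaders();
        // NOTE(review): `get2` appears to be a decompiler-renamed covariant override of Headers.get;
        // confirm against the Headers API before renaming.
        Header header = headers.get2(AUTHORIZATION_HEADER);
        if (header == null) {
            return null;
        }
        if (header.getValues().size() > 1) {
            throw new AccessTokenException("Can't use more than 1 'Authorization' Header to convey the OAuth2 AccessToken");
        }
        return OAuth2.getBearerAccessToken(headers.getFirst(AUTHORIZATION_HEADER));
    }
}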
