package io.curity.oauth;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.UnavailableException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* loaded from: input_file:io/curity/oauth/OAuthFilter.class */
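/**
 * Servlet filter that protects a resource with an OAuth 2.0 bearer token (RFC 6750).
 *
 * <p>Request flow in {@link #doFilter}:
 * <ol>
 *   <li>no {@code Authorization: Bearer} header -> 401 with a bare {@code WWW-Authenticate} challenge;</li>
 *   <li>token present but rejected by the {@link TokenValidator} -> 401 with {@code error="invalid_token"};</li>
 *   <li>token valid but missing a configured scope -> 403 with {@code error="insufficient_scope"};</li>
 *   <li>otherwise the {@link AuthenticatedUser} is published as the {@value #PRINCIPAL_ATTRIBUTE_NAME}
 *       request attribute and via {@link AuthenticatedUserRequestWrapper}, and the chain continues.</li>
 * </ol>
 *
 * <p>Init parameters: {@code oauthHost} (required, also used as the challenge realm) and {@code scope}
 * (optional, whitespace-separated list of scopes that a token must all carry).
 *
 * <p>Subclasses supply the concrete token validation strategy through {@link #createTokenValidator}
 * and {@link #getTokenValidator}.
 */
public abstract class OAuthFilter implements Filter {
    private static final String[] NO_SCOPES = new String[0];
    private static final Logger _logger = Logger.getLogger(OAuthFilter.class.getName());
    private static final String WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String AUTHORIZATION = "Authorization";
    /** Request attribute under which the authenticated principal is published to downstream code. */
    public static final String PRINCIPAL_ATTRIBUTE_NAME = "principal";

    /**
     * Bearer credential in an Authorization header. RFC 7235 auth-scheme names are case-insensitive, so
     * {@code bearer}/{@code BEARER} are accepted alongside {@code Bearer} (the previous prefix check was
     * case-sensitive while the split regex was not). Exactly one whitespace-free token is accepted: an
     * RFC 6750 b64token cannot contain whitespace, so anything else is a malformed header and is rejected
     * before it reaches the validator. The token alphabet itself is deliberately not enforced here
     * (some authorization servers issue opaque tokens outside b64token); the validator decides.
     */
    private static final Pattern BEARER_HEADER =
            Pattern.compile("^Bearer\\s+(\\S+)\\s*$", Pattern.CASE_INSENSITIVE);

    private Map<String, String> _filterConfig;
    private String _oauthHost = null;
    private String[] _scopes = null;

    /** Names of the filter init parameters read by {@link #init}. */
    private interface InitParams {
        public static final String OAUTH_HOST = "oauthHost";
        public static final String SCOPE = "scope";
    }

    /**
     * Reads the init parameters. {@code oauthHost} is required; {@code scope} is optional and is split
     * on whitespace into the set of scopes every token must carry.
     *
     * @throws ServletException if a required parameter is missing (propagated from {@link FilterHelper})
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this._filterConfig = FilterHelper.initParamsMapFrom(filterConfig);
        this._oauthHost = FilterHelper.getInitParamValue(InitParams.OAUTH_HOST, this._filterConfig);
        // Leading/trailing whitespace in the init-param would otherwise produce an empty "" scope
        // entry that no token can satisfy, turning every request into a 403.
        this._scopes = (String[]) FilterHelper.getOptionalInitParamValue(InitParams.SCOPE, this._filterConfig, str -> {
            return splitScopes(str);
        }).orElse(NO_SCOPES);
    }

    /** Splits a whitespace-separated scope list, dropping empty entries. */
    private static String[] splitScopes(String scopeParam) {
        return Arrays.stream(scopeParam.trim().split("\\s+"))
                .filter(s -> !s.isEmpty())
                .toArray(String[]::new);
    }

    /**
     * Authenticates and authorizes the request as described on the class, then either answers with a
     * bearer challenge or continues the chain with the principal attached.
     *
     * @throws UnavailableException if the filter has not been initialized (no {@code oauthHost})
     */
    @Override
    public final void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        // Resolved first so an uninitialized filter fails loudly instead of 401-ing every caller.
        String realm = getOAuthServerRealm();

        Optional<String> accessToken = extractAccessTokenFromHeader(servletRequest);
        if (!accessToken.isPresent()) {
            // RFC 6750 §3.1: a request carrying no credentials gets a challenge without an error code.
            sendChallenge(response, HttpServletResponse.SC_UNAUTHORIZED, realm, null, null);
            return;
        }

        Optional<AuthenticatedUser> user = authenticate(accessToken.get());
        if (!user.isPresent()) {
            // Token was presented but did not validate (expired, bad signature, unknown issuer, ...).
            sendChallenge(response, HttpServletResponse.SC_UNAUTHORIZED, realm, "invalid_token", null);
            return;
        }

        AuthenticatedUser authenticatedUser = user.get();
        if (!isAuthorized(authenticatedUser)) {
            // Authenticated but under-scoped; advertise the scopes this resource requires (RFC 6750 §3.1).
            sendChallenge(response, HttpServletResponse.SC_FORBIDDEN, realm, "insufficient_scope",
                    String.join(" ", this._scopes));
            return;
        }

        servletRequest.setAttribute(PRINCIPAL_ATTRIBUTE_NAME, authenticatedUser);
        if (filterChain != null) {
            filterChain.doFilter(new AuthenticatedUserRequestWrapper((HttpServletRequest) servletRequest, authenticatedUser), servletResponse);
        }
    }

    /**
     * Returns the init-parameter map captured in {@link #init}. This is the live map, not a copy.
     * (Decompiler note indicates this was {@code protected} upstream; kept {@code public} here so existing
     * callers are not broken.)
     */
    public Map<String, String> getFilterConfiguration() {
        return this._filterConfig;
    }

    /**
     * Writes a {@code WWW-Authenticate: Bearer} challenge and sends {@code status}.
     *
     * @param realm operator-configured realm (the {@code oauthHost} init-param). It is emitted as a
     *              quoted-string without escaping, exactly as before; it is not request-controlled.
     * @param error RFC 6750 error code, or {@code null} to omit the attribute
     * @param scope space-separated required scopes, or {@code null}/empty to omit the attribute
     */
    private static void sendChallenge(HttpServletResponse response, int status, String realm, String error, String scope) throws IOException {
        StringBuilder challenge = new StringBuilder("Bearer realm=\"").append(realm).append('"');
        if (error != null) {
            challenge.append(", error=\"").append(error).append('"');
        }
        if (scope != null && !scope.isEmpty()) {
            challenge.append(", scope=\"").append(scope).append('"');
        }
        response.setHeader(WWW_AUTHENTICATE, challenge.toString());
        response.sendError(status);
    }

    /**
     * Realm used in challenges: the configured {@code oauthHost}.
     *
     * @throws UnavailableException if {@link #init} has not run
     */
    protected String getOAuthServerRealm() throws UnavailableException {
        if (this._oauthHost == null) {
            throw new UnavailableException("Filter not initialized");
        }
        return this._oauthHost;
    }

    /** Builds the validator for this filter's configuration; called by subclasses during initialization. */
    protected abstract TokenValidator createTokenValidator(Map<String, ?> map) throws UnavailableException;

    /** The validator used for every request; {@code null} means the subclass has not initialized one. */
    protected abstract TokenValidator getTokenValidator();

    /**
     * Validates the presented access token.
     *
     * @return the authenticated user, or empty if the token does not validate for any reason
     * @throws UnavailableException if no {@link TokenValidator} is available — a misconfiguration,
     *         which is surfaced instead of being reported to every client as an invalid token
     */
    protected Optional<AuthenticatedUser> authenticate(String accessToken) throws ServletException {
        TokenValidator validator = getTokenValidator();
        if (validator == null) {
            throw new UnavailableException("Token validator not initialized");
        }
        try {
            return Optional.ofNullable(AuthenticatedUser.from(validator.validate(accessToken)));
        } catch (Exception e) {
            // Any validation failure maps to "not authenticated". Keep the cause (with stack trace) in
            // the FINE log for troubleshooting, but never log the token itself.
            _logger.log(Level.FINE, e, () -> String.format("Failed to validate incoming token due to: %s", e.getMessage()));
            return Optional.empty();
        }
    }

    /**
     * A user is authorized when the token carries every configured scope; with no configured scopes
     * every authenticated user is authorized.
     */
    protected boolean isAuthorized(AuthenticatedUser authenticatedUser) {
        List<String> required = Arrays.asList(this._scopes);
        return required.isEmpty() || authenticatedUser.getScopes().containsAll(required);
    }

    /** Releases the validator's resources (e.g. key fetch connections); failures are logged, not thrown. */
    @Override
    public void destroy() {
        _logger.info("Destroying OAuthFilter");
        TokenValidator validator = getTokenValidator();
        if (validator != null) {
            try {
                validator.close();
            } catch (IOException e) {
                _logger.log(Level.WARNING, "Problem closing token validator", e);
            }
        }
    }

    /**
     * Extracts the bearer token from the first {@code Authorization} header, if the header is a
     * well-formed {@code Bearer <token>} credential (scheme matched case-insensitively).
     */
    private Optional<String> extractAccessTokenFromHeader(ServletRequest servletRequest) {
        String header = ((HttpServletRequest) servletRequest).getHeader(AUTHORIZATION);
        if (header == null) {
            return Optional.empty();
        }
        Matcher matcher = BEARER_HEADER.matcher(header);
        if (!matcher.matches()) {
            _logger.fine("Incoming token in Authorization header is not a Bearer token");
            return Optional.empty();
        }
        return Optional.of(matcher.group(1));
    }
}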
