package io.jans.ca.server.security.service;

import io.jans.as.model.util.Util;
import io.jans.ca.common.ErrorResponseCode;
import io.jans.ca.server.HttpException;
import io.jans.ca.server.configuration.ApiAppConfiguration;
import io.jans.ca.server.configuration.model.Rp;
import io.jans.ca.server.persistence.service.MainPersistenceService;
import io.jans.ca.server.service.RpSyncService;
import io.jans.ca.server.service.ValidationService;
import jakarta.annotation.Priority;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Alternative;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.core.Context;
import java.io.Serializable;
import org.slf4j.Logger;

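/**
 * Authorization service that gates a client-api command on two request headers:
 * the {@code AuthorizationRpId} header (must name a registered RP and, when an
 * allow-list is configured, be on it) and the {@code Authorization} header
 * (must carry a bearer access token, unless token protection is switched off
 * in configuration).
 *
 * <p>Failures are reported by throwing {@link HttpException} with the matching
 * {@link ErrorResponseCode}; the exception is thrown from methods that declare
 * no checked exceptions, so it is unchecked.
 */
@ApplicationScoped
@Named("clientApiAuthorizationService")
@Alternative
@Priority(1)
/* loaded from: input_file:io/jans/ca/server/security/service/ClientApiAuthorizationService.class */
public class ClientApiAuthorizationService extends AuthorizationService implements Serializable {
    private static final long serialVersionUID = 1;

    /** Scheme prefix, including the separating space, expected at the start of the Authorization header. */
    private static final String AUTHENTICATION_SCHEME = "Bearer ";

    @Inject
    transient Logger LOG;

    @Context
    transient HttpServletRequest request;

    @Context
    transient HttpServletResponse response;

    @Inject
    ValidationService validationService;

    @Inject
    RpSyncService rpSyncService;

    @Inject
    MainPersistenceService jansConfigurationService;

    /**
     * Authorizes one request: first the RP id, then the access token.
     *
     * <p>Parameter roles are taken from the debug message labels and from how the
     * values are used below (the names themselves are decompiler output).
     *
     * @param str  request path (only logged here)
     * @param str2 HTTP method (only logged here)
     * @param str3 not read by this implementation
     * @param str4 raw value of the {@code Authorization} header
     * @param str5 raw value of the {@code AuthorizationRpId} header
     * @return the literal {@code "AUTHORIZATION SUCCESS"} when both checks pass
     * @throws HttpException if the RP id or the access token is rejected
     */
    @Override // io.jans.ca.server.security.service.AuthorizationService
    public String processAuthorization(String str, String str2, String str3, String str4, String str5) throws Exception {
        // The Authorization header carries the bearer token itself. Record only whether it
        // was supplied, so a debug log never holds a credential that could be replayed.
        this.LOG.debug("oAuth  Authorization parameters , path:{}, method:{}, authorization present: {}, authorizationRpId: {} ", str, str2, !Util.isNullOrEmpty(str4), str5);
        validateAuthorizationRpId(this.jansConfigurationService.find(), str5);
        validateAccessToken(str4, str5);
        return "AUTHORIZATION SUCCESS";
    }

    /**
     * Checks the {@code AuthorizationRpId} header value.
     *
     * <p>The value must be non-empty and resolve to a registered RP. If
     * {@code protect_commands_with_rp_id} is unset or empty, every registered RP id
     * is accepted; otherwise the value must be contained in that setting.
     *
     * @param apiAppConfiguration current server configuration
     * @param rpId                value of the {@code AuthorizationRpId} header
     * @throws HttpException if the header is missing, unregistered, or not allow-listed
     */
    private void validateAuthorizationRpId(ApiAppConfiguration apiAppConfiguration, String rpId) {
        if (Util.isNullOrEmpty(rpId)) {
            this.LOG.debug("`AuthorizationRpId` header is null or Empty");
            throw new HttpException(ErrorResponseCode.AUTHORIZATION_RP_ID_HEADER_NOT_FOUND);
        }
        Rp rp = this.rpSyncService.getRp(rpId);
        if (rp == null || Util.isNullOrEmpty(rp.getRpId())) {
            this.LOG.debug("`rp_id` in `AuthorizationRpId` header is not registered in jans_client_api.");
            throw new HttpException(ErrorResponseCode.AUTHORIZATION_RP_ID_NOT_FOUND);
        }
        // No allow-list configured means no restriction beyond "registered".
        if (apiAppConfiguration.getProtectCommandsWithRpId() == null || apiAppConfiguration.getProtectCommandsWithRpId().isEmpty() || apiAppConfiguration.getProtectCommandsWithRpId().contains(rpId)) {
            return;
        }
        this.LOG.debug("`rp_id` in `AuthorizationRpId` header is invalid. The `AuthorizationRpId` header should contain `rp_id` from `protect_commands_with_rp_id` field in client-api-server.yml.");
        throw new HttpException(ErrorResponseCode.INVALID_AUTHORIZATION_RP_ID);
    }

    /**
     * Extracts the bearer token from the {@code Authorization} header and hands it to
     * {@link ValidationService#validateAccessToken}.
     *
     * <p>When {@code protect_commands_with_access_token} is explicitly {@code false} the
     * token is not inspected at all, so the request is authorized by the RP id check alone.
     *
     * @param authorizationHeader raw value of the {@code Authorization} header
     * @param rpId                RP id the token is validated against
     * @throws HttpException with {@code BLANK_ACCESS_TOKEN} if the header is missing, does
     *                       not start with the Bearer scheme, or carries no token
     */
    private void validateAccessToken(String authorizationHeader, String rpId) {
        ApiAppConfiguration configuration = this.jansConfigurationService.find();
        // Only an explicit false disables protection; null keeps it on.
        if (Boolean.FALSE.equals(configuration.getProtectCommandsWithAccessToken())) {
            this.LOG.debug("Skip protection because protect_commands_with_access_token: false in configuration file.");
            return;
        }
        if (Util.isNullOrEmpty(authorizationHeader)) {
            this.LOG.debug("No access token provided in Authorization header. Forbidden.");
            throw new HttpException(ErrorResponseCode.BLANK_ACCESS_TOKEN);
        }
        // Verify the scheme before stripping it. Without this check a header shorter than the
        // prefix makes substring() throw StringIndexOutOfBoundsException (a server error instead
        // of an authorization error), and a header using another scheme has its first characters
        // cut off and the remainder treated as a token. The match ignores case because HTTP
        // authentication scheme names are case-insensitive.
        if (!authorizationHeader.regionMatches(true, 0, AUTHENTICATION_SCHEME, 0, AUTHENTICATION_SCHEME.length())) {
            this.LOG.debug("Authorization header does not use the Bearer scheme. Forbidden.");
            throw new HttpException(ErrorResponseCode.BLANK_ACCESS_TOKEN);
        }
        String accessToken = authorizationHeader.substring(AUTHENTICATION_SCHEME.length());
        if (Util.isNullOrEmpty(accessToken)) {
            this.LOG.debug("No access token provided in Authorization header. Forbidden.");
            throw new HttpException(ErrorResponseCode.BLANK_ACCESS_TOKEN);
        }
        this.validationService.validateAccessToken(accessToken, rpId);
    }
}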
