package com.liferay.oauth2.provider.jsonws.internal.security.auth.verifier;

import com.liferay.oauth2.provider.jsonws.internal.service.access.policy.scope.SAPEntryScope;
import com.liferay.oauth2.provider.jsonws.internal.service.access.policy.scope.SAPEntryScopeDescriptorFinderRegistrator;
import com.liferay.oauth2.provider.model.OAuth2Application;
import com.liferay.oauth2.provider.model.OAuth2Authorization;
import com.liferay.oauth2.provider.rest.spi.bearer.token.provider.BearerTokenProvider;
import com.liferay.oauth2.provider.rest.spi.bearer.token.provider.BearerTokenProviderAccessor;
import com.liferay.oauth2.provider.scope.liferay.ScopeLocator;
import com.liferay.oauth2.provider.scope.spi.scope.finder.ScopeFinder;
import com.liferay.oauth2.provider.service.OAuth2ApplicationLocalService;
import com.liferay.oauth2.provider.service.OAuth2ApplicationScopeAliasesLocalService;
import com.liferay.oauth2.provider.service.OAuth2AuthorizationLocalService;
import com.liferay.oauth2.provider.service.OAuth2ScopeGrantLocalService;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.security.auth.AccessControlContext;
import com.liferay.portal.kernel.security.auth.AuthException;
import com.liferay.portal.kernel.security.auth.verifier.AuthVerifier;
import com.liferay.portal.kernel.security.auth.verifier.AuthVerifierResult;
import com.liferay.portal.kernel.security.service.access.policy.ServiceAccessPolicy;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.kernel.util.Validator;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;

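/**
 * {@link AuthVerifier} that authenticates JSON web service calls using an
 * OAuth 2 bearer token taken from the {@code Authorization} request header.
 *
 * <p>
 * The component property below registers the verifier for
 * {@code /api/jsonws/*}. On success, the verifier publishes the access token
 * and the service access policy names derived from the granted scopes in the
 * result settings. On every other path it returns the freshly created
 * {@link AuthVerifierResult} untouched, so a failure never reports
 * {@code SUCCESS}.
 * </p>
 */
@Component(property = {"auth.verifier.OAuth2JSONWSAuthVerifier.urls.includes=/api/jsonws/*"}, service = {AuthVerifier.class})
/* loaded from: input_file:com/liferay/oauth2/provider/jsonws/internal/security/auth/verifier/OAuth2JSONWSAuthVerifier.class */
public class OAuth2JSONWSAuthVerifier implements AuthVerifier {
    private static final String _TOKEN_KEY = "Bearer";
    private static final Log _log = LogFactoryUtil.getLog(OAuth2JSONWSAuthVerifier.class);

    @Reference(policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    private volatile BearerTokenProviderAccessor _bearerTokenProviderAccessor;

    // Names of JAX-RS applications whose ScopeFinder is flagged
    // sap.scope.finder=true. Only grants that belong to one of these
    // applications are translated into service access policies.
    private final Set<String> _jaxRsApplicationNames = Collections.newSetFromMap(new ConcurrentHashMap<>());

    @Reference
    private OAuth2ApplicationLocalService _oAuth2ApplicationLocalService;

    @Reference
    private OAuth2ApplicationScopeAliasesLocalService _oAuth2ApplicationScopeAliasesLocalService;

    @Reference
    private OAuth2AuthorizationLocalService _oAuth2AuthorizationLocalService;

    @Reference
    private OAuth2ScopeGrantLocalService _oAuth2ScopeGrantLocalService;

    @Reference
    private SAPEntryScopeDescriptorFinderRegistrator _sapEntryScopeDescriptorFinderRegistrator;

    @Reference
    private ScopeLocator _scopeLocator;

    /**
     * Returns the authentication type reported by this verifier.
     *
     * @return the literal {@code "OAuth2"}
     */
    @Override
    public String getAuthType() {
        return "OAuth2";
    }

    /**
     * Verifies the bearer token carried by the current request.
     *
     * <p>
     * The result is marked {@code SUCCESS} only when an authorization matches
     * the presented token, a {@link BearerTokenProvider} exists for the
     * owning application, and that provider reports the token as valid. This
     * method performs no expiry comparison of its own; it relies on
     * {@link BearerTokenProvider#isValid} for that decision.
     * </p>
     *
     * @param  accessControlContext the context that holds the current request
     * @param  properties the verifier configuration (not read by this
     *         implementation)
     * @return the verification result; its state is {@code SUCCESS} only for
     *         a valid token
     * @throws AuthException declared by the interface; not thrown by the
     *         visible code
     */
    @Override
    public AuthVerifierResult verify(AccessControlContext accessControlContext, Properties properties) throws AuthException {
        AuthVerifierResult authVerifierResult = new AuthVerifierResult();
        OAuth2Authorization oAuth2Authorization = getOAuth2Authorization(accessControlContext);
        try {
            BearerTokenProvider.AccessToken accessToken = getAccessToken(oAuth2Authorization);
            if (accessToken == null) {
                return authVerifierResult;
            }

            OAuth2Application oAuth2Application = accessToken.getOAuth2Application();
            long companyId = oAuth2Application.getCompanyId();
            BearerTokenProvider bearerTokenProvider = _bearerTokenProviderAccessor.getBearerTokenProvider(companyId, oAuth2Application.getClientId());
            if (bearerTokenProvider == null || !bearerTokenProvider.isValid(accessToken)) {
                return authVerifierResult;
            }

            // Scopes granted to this authorization, restricted to the
            // JAX-RS applications registered with this verifier.
            Set<String> grantedScopes = _oAuth2ScopeGrantLocalService.getOAuth2AuthorizationOAuth2ScopeGrants(oAuth2Authorization.getOAuth2AuthorizationId()).stream().filter(
                oAuth2ScopeGrant -> _jaxRsApplicationNames.contains(oAuth2ScopeGrant.getApplicationName())
            ).map(
                oAuth2ScopeGrant -> oAuth2ScopeGrant.getScope()
            ).collect(Collectors.toSet());

            // Least privilege: only SAP entries whose scope was actually
            // granted are activated for the request.
            List<SAPEntryScope> registeredSAPEntryScopes = _sapEntryScopeDescriptorFinderRegistrator.getRegisteredSAPEntryScopes(companyId);
            List<String> serviceAccessPolicyNames = new ArrayList<>(registeredSAPEntryScopes.size());
            for (SAPEntryScope sapEntryScope : registeredSAPEntryScopes) {
                if (grantedScopes.contains(sapEntryScope.getScope())) {
                    serviceAccessPolicyNames.add(sapEntryScope.getSapEntryName());
                }
            }

            Map<String, Object> settings = authVerifierResult.getSettings();
            settings.put(BearerTokenProvider.AccessToken.class.getName(), accessToken);
            settings.put(ServiceAccessPolicy.SERVICE_ACCESS_POLICY_NAMES, serviceAccessPolicyNames);
            authVerifierResult.setState(AuthVerifierResult.State.SUCCESS);
            authVerifierResult.setUserId(accessToken.getUserId());
            return authVerifierResult;
        } catch (Exception e) {
            // Fail closed: any error leaves the result in its initial,
            // non-success state. The failure is visible at debug level only,
            // and the token itself is never written to the log.
            if (_log.isDebugEnabled()) {
                _log.debug("Unable to verify OAuth2 access token", e);
            }
            return authVerifierResult;
        }
    }

    /**
     * Records the {@code osgi.jaxrs.name} of a scope finder that matches the
     * reference target filter.
     *
     * @param serviceReference the reference to the matching scope finder
     */
    @Reference(cardinality = ReferenceCardinality.MULTIPLE, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY, target = "(&(osgi.jaxrs.name=*)(sap.scope.finder=true))")
    protected void addJaxRsApplicationName(ServiceReference<ScopeFinder> serviceReference) {
        _jaxRsApplicationNames.add(GetterUtil.getString(serviceReference.getProperty("osgi.jaxrs.name")));
    }

    /**
     * Builds the access token that corresponds to a stored authorization.
     *
     * @param  oAuth2Authorization the authorization matched by the presented
     *         token, or {@code null} when none matched
     * @return the access token, or {@code null} when there is no
     *         authorization or its stored content is the
     *         {@code "EXPIRED_TOKEN"} marker
     * @throws PortalException if the owning application or the scope aliases
     *         cannot be loaded
     */
    protected BearerTokenProvider.AccessToken getAccessToken(OAuth2Authorization oAuth2Authorization) throws PortalException {
        if (oAuth2Authorization == null) {
            return null;
        }
        String accessTokenContent = oAuth2Authorization.getAccessTokenContent();
        // NOTE(review): "EXPIRED_TOKEN" looks like a sentinel written over
        // tokens that are no longer usable. Confirm against the writer.
        if ("EXPIRED_TOKEN".equals(accessTokenContent)) {
            return null;
        }
        OAuth2Application oAuth2Application = _oAuth2ApplicationLocalService.getOAuth2Application(oAuth2Authorization.getOAuth2ApplicationId());
        Date accessTokenCreateDate = oAuth2Authorization.getAccessTokenCreateDate();
        // Lifetime and creation instant, both converted from milliseconds to
        // seconds. Presumably these are the constructor's expires-in and
        // issued-at arguments; confirm against the AccessToken constructor.
        long lifetimeSeconds = (oAuth2Authorization.getAccessTokenExpirationDate().getTime() - accessTokenCreateDate.getTime()) / 1000;
        long createdAtSeconds = accessTokenCreateDate.getTime() / 1000;
        List<String> scopeAliases = Collections.emptyList();
        long oAuth2ApplicationScopeAliasesId = oAuth2Authorization.getOAuth2ApplicationScopeAliasesId();
        if (oAuth2ApplicationScopeAliasesId > 0) {
            scopeAliases = _oAuth2ApplicationScopeAliasesLocalService.getOAuth2ApplicationScopeAliases(oAuth2ApplicationScopeAliasesId).getScopeAliasesList();
        }
        return new BearerTokenProvider.AccessToken(oAuth2Application, new ArrayList<>(), "", lifetimeSeconds, new HashMap<>(), "", "", createdAtSeconds, "", "", new HashMap<>(), "", "", scopeAliases, accessTokenContent, _TOKEN_KEY, oAuth2Authorization.getUserId(), oAuth2Authorization.getUserName());
    }

    /**
     * Looks up the authorization for the bearer token in the request's
     * {@code Authorization} header.
     *
     * <p>
     * The header value is controlled by the client. A value without a token
     * part (for example a bare {@code "Bearer"}) is treated like a missing
     * header instead of raising an
     * {@link ArrayIndexOutOfBoundsException}. This method is called by
     * {@link #verify} before its {@code try} block, so that exception would
     * escape the verifier.
     * </p>
     *
     * @param  accessControlContext the context that holds the current request
     * @return the matching authorization, or {@code null} when the header is
     *         absent, is not a bearer credential, carries no token, or the
     *         lookup finds nothing
     */
    protected OAuth2Authorization getOAuth2Authorization(AccessControlContext accessControlContext) {
        String header = accessControlContext.getRequest().getHeader("Authorization");
        if (Validator.isBlank(header)) {
            return null;
        }
        String[] parts = header.split("\\s");
        // Require both the scheme and the token before indexing.
        if (parts.length < 2 || !StringUtil.equalsIgnoreCase(parts[0], _TOKEN_KEY)) {
            return null;
        }
        // Two consecutive whitespace characters after the scheme yield an
        // empty element here, which is rejected as blank.
        String token = parts[1];
        if (Validator.isBlank(token)) {
            return null;
        }
        return _oAuth2AuthorizationLocalService.fetchOAuth2AuthorizationByAccessTokenContent(token);
    }

    /**
     * Forgets the {@code osgi.jaxrs.name} of a scope finder that is going
     * away.
     *
     * @param serviceReference the reference to the departing scope finder
     */
    protected void removeJaxRsApplicationName(ServiceReference<ScopeFinder> serviceReference) {
        _jaxRsApplicationNames.remove(GetterUtil.getString(serviceReference.getProperty("osgi.jaxrs.name")));
    }
}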
