package com.mulesoft.modules.oauth2.provider.internal.processor;

import com.mulesoft.modules.oauth2.provider.api.Constants;
import com.mulesoft.modules.oauth2.provider.api.ResourceOwnerAuthentication;
import com.mulesoft.modules.oauth2.provider.api.client.Client;
import com.mulesoft.modules.oauth2.provider.api.client.NoSuchClientException;
import com.mulesoft.modules.oauth2.provider.api.ratelimit.RateLimiter;
import com.mulesoft.modules.oauth2.provider.internal.Utils;
import com.mulesoft.modules.oauth2.provider.internal.config.OAuthConfiguration;
import com.mulesoft.modules.oauth2.provider.internal.processor.RequestProcessingException;
import com.mulesoft.modules.oauth2.provider.internal.ratelimit.RateLimitExceededException;
import com.mulesoft.modules.oauth2.provider.internal.token.InvalidGrantException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.mule.runtime.api.exception.MuleRuntimeException;
import org.mule.runtime.api.security.Authentication;
import org.mule.runtime.api.security.Credentials;
import org.mule.runtime.api.security.DefaultMuleAuthentication;
import org.mule.runtime.api.security.SecurityException;
import org.mule.runtime.api.util.Preconditions;
import org.mule.runtime.core.api.security.DefaultMuleCredentials;
import org.mule.runtime.core.api.util.ExceptionUtils;
import org.mule.runtime.http.api.HttpConstants;
import org.mule.runtime.http.api.HttpHeaders;
import org.mule.runtime.http.api.domain.entity.ByteArrayHttpEntity;
import org.mule.runtime.http.api.domain.entity.EmptyHttpEntity;
import org.mule.runtime.http.api.domain.message.response.HttpResponseBuilder;
import org.mule.runtime.http.api.domain.request.HttpRequestContext;
import org.mule.runtime.http.api.utils.HttpEncoderDecoderUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/mulesoft/modules/oauth2/provider/internal/processor/OAuth2ProviderRequestProcessor.class */
public class OAuth2ProviderRequestProcessor {
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth2ProviderRequestProcessor.class);
    protected OAuthConfiguration configuration;

    /* loaded from: input_file:com/mulesoft/modules/oauth2/provider/internal/processor/OAuth2ProviderRequestProcessor$ErrorResponseBuilder.class */
    public interface ErrorResponseBuilder {
        String buildResponsePayload(String str, String... strArr);
    }

    public OAuth2ProviderRequestProcessor(OAuthConfiguration oAuthConfiguration) {
        this.configuration = oAuthConfiguration;
    }

    public final void process(HttpRequestContext httpRequestContext, HttpResponseBuilder httpResponseBuilder, OAuth2ProviderProcessor oAuth2ProviderProcessor) {
        RequestData requestData = null;
        try {
            requestData = new RequestData(httpRequestContext);
            oAuth2ProviderProcessor.process(requestData, httpResponseBuilder);
        } catch (RequestProcessingException e) {
            handleException(e, this::buildResponsePayload, requestData, httpResponseBuilder);
        } catch (Exception e2) {
            handleException(convertToRequestProcessingException(e2), this::buildResponsePayload, requestData, httpResponseBuilder);
        }
    }

    private RequestProcessingException convertToRequestProcessingException(Exception exc) {
        if (exc instanceof InvalidGrantException) {
            return new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_GRANT, exc.getMessage());
        }
        if (exc instanceof NoSuchClientException) {
            return new RequestProcessingException(RequestProcessingException.ErrorType.UNAUTHORIZED_CLIENT, exc.getMessage());
        }
        if (exc instanceof RateLimitExceededException) {
            return new RequestProcessingException(RequestProcessingException.ErrorType.RATE_LIMIT_EXCEEDED);
        }
        Object obj = (Throwable) ExceptionUtils.extractCauseOfType(exc, RequestProcessingException.class).orElse(null);
        if (obj != null) {
            return (RequestProcessingException) obj;
        }
        Throwable th = (Throwable) ExceptionUtils.extractCauseOfType(exc, IllegalArgumentException.class).orElse(null);
        return th != null ? new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_REQUEST, th.getMessage()) : new RequestProcessingException(RequestProcessingException.ErrorType.SERVER_ERROR, exc);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Multi-variable type inference failed */
    public void handleException(RequestProcessingException requestProcessingException, ErrorResponseBuilder errorResponseBuilder, RequestData requestData, HttpResponseBuilder httpResponseBuilder) {
        if (requestProcessingException.getErrorType() == RequestProcessingException.ErrorType.SERVER_ERROR) {
            LOGGER.error("Unexpected exception", requestProcessingException);
            httpResponseBuilder.statusCode(Integer.valueOf(HttpConstants.HttpStatus.INTERNAL_SERVER_ERROR.getStatusCode()));
            httpResponseBuilder.reasonPhrase("SERVER ERROR");
            httpResponseBuilder.entity(new ByteArrayHttpEntity(errorResponseBuilder.buildResponsePayload(Utils.resolveMessageEncoding(requestData).name(), Constants.ERROR_PARAMETER, RequestProcessingException.ErrorType.SERVER_ERROR.getErrorCode()).getBytes()));
            return;
        }
        if (requestProcessingException.getErrorType() == RequestProcessingException.ErrorType.RATE_LIMIT_EXCEEDED) {
            httpResponseBuilder.statusCode(Integer.valueOf(HttpConstants.HttpStatus.TOO_MANY_REQUESTS.getStatusCode()));
            httpResponseBuilder.entity(new EmptyHttpEntity());
            return;
        }
        String[] strArr = {Constants.ERROR_PARAMETER, requestProcessingException.getErrorType().getErrorCode(), Constants.ERROR_DESCRIPTION_PARAMETER, requestProcessingException.getMessage()};
        String parameterFromBodyOrQuery = getParameterFromBodyOrQuery(requestData, Constants.REDIRECT_URI_PARAMETER);
        boolean z = false;
        if (isRedirectingForError(requestProcessingException.getErrorType(), parameterFromBodyOrQuery)) {
            try {
                try {
                    getSupportedResponseTypeOrFail(requestData);
                } catch (RequestProcessingException e) {
                }
            } catch (RequestProcessingException e2) {
            }
            setRedirectResponse(httpResponseBuilder, buildErrorResponseRedirectUri(parameterFromBodyOrQuery, requestData, strArr));
            z = true;
        }
        if (z) {
            return;
        }
        httpResponseBuilder.statusCode(Integer.valueOf(HttpConstants.HttpStatus.BAD_REQUEST.getStatusCode()));
        httpResponseBuilder.entity(new ByteArrayHttpEntity(errorResponseBuilder.buildResponsePayload(Utils.resolveMessageEncoding(requestData).name(), strArr).getBytes()));
    }

    protected boolean isRedirectingForError(RequestProcessingException.ErrorType errorType, String str) {
        return errorType.isDoRedirect() && StringUtils.isNotBlank(str);
    }

    private String buildResponsePayload(String str, String... strArr) {
        return buildEncodedParameters(str, strArr);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void setRedirectResponse(HttpResponseBuilder httpResponseBuilder, String str) {
        httpResponseBuilder.statusCode(Integer.valueOf(HttpConstants.HttpStatus.MOVED_TEMPORARILY.getStatusCode()));
        httpResponseBuilder.addHeader("Content-Type", HttpHeaders.Values.APPLICATION_X_WWW_FORM_URLENCODED.toRfcString());
        httpResponseBuilder.addHeader("Location", str);
    }

    protected String buildErrorResponseRedirectUri(String str, RequestData requestData, String... strArr) throws RequestProcessingException {
        try {
            return buildRedirectUri(str, requestData, strArr);
        } catch (RequestProcessingException e) {
            return buildRedirectUri(str, requestData, false, strArr);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public String buildRedirectUri(String str, RequestData requestData, String... strArr) throws RequestProcessingException {
        return buildRedirectUri(str, requestData, getSupportedResponseTypeOrFail(requestData) == Constants.ResponseType.TOKEN, strArr);
    }

    private String buildRedirectUri(String str, RequestData requestData, boolean z, String... strArr) throws RequestProcessingException {
        String optionalParameter = getOptionalParameter(requestData, Constants.STATE_PARAMETER);
        String name = Utils.resolveMessageEncoding(requestData).name();
        return StringUtils.isNotBlank(optionalParameter) ? buildRedirectUri(str, name, z, (String[]) ArrayUtils.addAll(strArr, new String[]{Constants.STATE_PARAMETER, optionalParameter})) : buildRedirectUri(str, name, z, strArr);
    }

    public String buildRedirectUri(String str, String str2, boolean z, String... strArr) throws RequestProcessingException {
        String buildEncodedParameters = buildEncodedParameters(str2, strArr);
        URI newURI = newURI(str);
        String stripFragment = stripFragment(newURI);
        if (StringUtils.isBlank(buildEncodedParameters)) {
            return stripFragment;
        }
        return stripFragment + (z ? "#" : hasQuery(newURI) ? "&" : "?") + buildEncodedParameters;
    }

    private boolean hasQuery(URI uri) {
        return StringUtils.isNotBlank(uri.getQuery());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Map<String, Object> keyValuePairsToMap(Object... objArr) {
        Preconditions.checkArgument(objArr.length % 2 == 0, "need an even number of (param name, param value) string pairs");
        HashMap hashMap = new HashMap();
        for (int i = 0; i < objArr.length; i += 2) {
            Object obj = objArr[i + 1];
            if (obj != null) {
                hashMap.put((String) objArr[i], obj);
            }
        }
        return hashMap;
    }

    private String buildEncodedParameters(String str, String... strArr) {
        Preconditions.checkArgument(strArr.length % 2 == 0, "need an even number of (param name, param value) string pairs");
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < strArr.length; i += 2) {
            String str2 = strArr[i];
            String str3 = strArr[i + 1];
            if (StringUtils.isNotBlank(str3)) {
                if (sb.length() > 0) {
                    sb.append('&');
                }
                sb.append(str2).append('=').append(urlEncode(str3, str));
            }
        }
        return sb.toString();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public String getMandatoryParameterOrFail(RequestData requestData, String str) throws RequestProcessingException {
        String optionalParameter = getOptionalParameter(requestData, str);
        if (!StringUtils.isBlank(optionalParameter)) {
            return optionalParameter;
        }
        RequestProcessingException.ErrorType findByParameterName = RequestProcessingException.ErrorType.findByParameterName(str);
        if (findByParameterName == null) {
            findByParameterName = RequestProcessingException.ErrorType.INVALID_REQUEST;
        }
        throw new RequestProcessingException(findByParameterName, "Missing mandatory parameter: " + str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public String getOptionalParameter(RequestData requestData, String str) {
        String parameterFromBodyOrQuery = getParameterFromBodyOrQuery(requestData, str);
        if (StringUtils.isBlank(parameterFromBodyOrQuery)) {
            return null;
        }
        return parameterFromBodyOrQuery;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Constants.ResponseType getSupportedResponseTypeOrFail(RequestData requestData) throws RequestProcessingException {
        String mandatoryParameterOrFail = getMandatoryParameterOrFail(requestData, Constants.RESPONSE_TYPE_PARAMETER);
        try {
            Constants.ResponseType valueOfIgnoreCase = Constants.ResponseType.valueOfIgnoreCase(mandatoryParameterOrFail);
            if (this.configuration.isAuthorizationResponseTypeSupported(valueOfIgnoreCase)) {
                return valueOfIgnoreCase;
            }
            throw new RequestProcessingException(RequestProcessingException.ErrorType.UNSUPPORTED_RESPONSE_TYPE, buildUnsupportedResponseTypeErrorMessage(mandatoryParameterOrFail));
        } catch (IllegalArgumentException e) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.UNSUPPORTED_RESPONSE_TYPE, buildUnsupportedResponseTypeErrorMessage(mandatoryParameterOrFail));
        }
    }

    private String buildUnsupportedResponseTypeErrorMessage(String str) {
        return "Response type '" + str + "' is not supported";
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Constants.RequestGrantType getSupportedRequestGrantTypeOrFail(RequestData requestData) throws RequestProcessingException {
        String mandatoryParameterOrFail = getMandatoryParameterOrFail(requestData, Constants.GRANT_TYPE_PARAMETER);
        try {
            Constants.RequestGrantType valueOfIgnoreCase = Constants.RequestGrantType.valueOfIgnoreCase(mandatoryParameterOrFail);
            if (this.configuration.isRequestGrantTypeSupported(valueOfIgnoreCase)) {
                return valueOfIgnoreCase;
            }
            throw new RequestProcessingException(RequestProcessingException.ErrorType.UNSUPPORTED_GRANT_TYPE, buildUnsupportedRequestGrantTypeErrorMessage(mandatoryParameterOrFail));
        } catch (IllegalArgumentException e) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.UNSUPPORTED_GRANT_TYPE, buildUnsupportedRequestGrantTypeErrorMessage(mandatoryParameterOrFail));
        }
    }

    private String buildUnsupportedRequestGrantTypeErrorMessage(String str) {
        return "Grant type '" + str + "' is not supported";
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Client getKnownClientOrFail(RequestData requestData) throws SecurityException {
        String username = extractClientCredentials(requestData).getUsername();
        if (StringUtils.isBlank(username)) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_CLIENT_ID);
        }
        return this.configuration.getClientManager().getClientById(username);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public String getValidRedirectionUriOrFail(Client client, RequestData requestData) throws RequestProcessingException {
        String mandatoryParameterOrFail = getMandatoryParameterOrFail(requestData, Constants.REDIRECT_URI_PARAMETER);
        if (client.isValidRedirectUri(mandatoryParameterOrFail)) {
            return mandatoryParameterOrFail;
        }
        throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_REDIRECTION_URI);
    }

    private String getParameterFromBodyOrQuery(RequestData requestData, String str) {
        String str2 = null;
        String headerValueIgnoreCase = requestData.getContext().getRequest().getHeaderValueIgnoreCase("Content-Type");
        if (headerValueIgnoreCase != null && headerValueIgnoreCase.contains(HttpHeaders.Values.APPLICATION_X_WWW_FORM_URLENCODED.withoutParameters().toRfcString())) {
            List list = (List) HttpEncoderDecoderUtils.decodeUrlEncodedBody(requestData.getContent(), Utils.resolveMessageEncoding(requestData)).entrySet().stream().filter(entry -> {
                return StringUtils.equalsIgnoreCase((CharSequence) entry.getKey(), str);
            }).map((v0) -> {
                return v0.getValue();
            }).collect(Collectors.toList());
            if (!list.isEmpty()) {
                str2 = getSingleParameterValue(list);
            }
        }
        if (StringUtils.isBlank(str2)) {
            str2 = getSingleParameterValue(requestData.getContext().getRequest().getQueryParams().getAll(str));
        }
        if (StringUtils.isBlank(str2)) {
            str2 = requestData.getContext().getRequest().getHeaderValueIgnoreCase(str);
        }
        return StringUtils.stripToNull(str2);
    }

    private String getSingleParameterValue(Object obj) {
        if (obj == null) {
            return null;
        }
        return obj instanceof String ? (String) obj : obj instanceof List ? StringUtils.join(new HashSet((List) obj), ' ') : obj.getClass().isArray() ? StringUtils.join(new HashSet(Arrays.asList((Object[]) obj)), ' ') : obj.toString();
    }

    private String urlEncode(String str, String str2) {
        try {
            return URLEncoder.encode(str, str2);
        } catch (UnsupportedEncodingException e) {
            throw new MuleRuntimeException(e);
        }
    }

    private String urlDecode(String str, String str2) {
        try {
            return URLDecoder.decode(str, str2);
        } catch (UnsupportedEncodingException e) {
            throw new MuleRuntimeException(e);
        }
    }

    private URI newURI(String str) throws RequestProcessingException {
        try {
            return new URI(str);
        } catch (URISyntaxException e) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_REDIRECTION_URI, e.getMessage());
        }
    }

    private String stripFragment(URI uri) {
        String fragment = uri.getFragment();
        return StringUtils.isNotBlank(fragment) ? StringUtils.substringBefore(uri.toString(), "#" + fragment) : uri.toString();
    }

    protected Credentials extractResourceOwnerCredentials(RequestData requestData) throws RequestProcessingException {
        return new DefaultMuleCredentials(getMandatoryParameterOrFail(requestData, Constants.USERNAME_PARAMETER), StringUtils.stripToEmpty(getOptionalParameter(requestData, Constants.PASSWORD_PARAMETER)).toCharArray());
    }

    protected Credentials extractClientCredentials(RequestData requestData) throws RequestProcessingException {
        String optionalParameter = getOptionalParameter(requestData, Constants.CLIENT_ID_PARAMETER);
        String stripToEmpty = StringUtils.stripToEmpty(getOptionalParameter(requestData, Constants.CLIENT_SECRET_PARAMETER));
        String optionalParameter2 = getOptionalParameter(requestData, "Authorization");
        if (StringUtils.isBlank(optionalParameter2)) {
            optionalParameter2 = requestData.getContext().getRequest().getHeaderValueIgnoreCase("Authorization");
        }
        if (StringUtils.isBlank(optionalParameter) && StringUtils.isBlank(optionalParameter2)) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_REQUEST, "No client identification nor authentication found");
        }
        if (StringUtils.isNotBlank(stripToEmpty) && StringUtils.isNotBlank(optionalParameter2)) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_REQUEST, "Multiple client authentications found");
        }
        if (StringUtils.isBlank(optionalParameter2)) {
            return new ClientSecretCredentials(optionalParameter, stripToEmpty.toCharArray());
        }
        Pair<String, String> basicAuthUsernamePassword = getBasicAuthUsernamePassword(requestData);
        String str = (String) basicAuthUsernamePassword.getLeft();
        String str2 = (String) basicAuthUsernamePassword.getRight();
        if (StringUtils.isBlank(str)) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_REQUEST, "Invalid 'Authorization' header");
        }
        return new DefaultMuleCredentials(str, str2.toCharArray());
    }

    private Pair<String, String> getBasicAuthUsernamePassword(RequestData requestData) {
        String extractCredentialsFromAuthorizationHeader = Utils.extractCredentialsFromAuthorizationHeader(requestData.getContext().getRequest().getHeaderValueIgnoreCase("Authorization"), Constants.HTTP_AUTHORIZATION_SCHEME_BASIC, Utils.resolveMessageEncoding(requestData).name());
        return Pair.of(Utils.urlDecode(StringUtils.substringBefore(extractCredentialsFromAuthorizationHeader, ":")), StringUtils.stripToEmpty(Utils.urlDecode(StringUtils.substringAfter(extractCredentialsFromAuthorizationHeader, ":"))));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Set<String> getEffectiveScopes(RequestData requestData, Client client) throws RequestProcessingException {
        Set<String> set = Utils.tokenize(getOptionalParameter(requestData, Constants.SCOPE_PARAMETER), " ");
        Set<String> scopes = client.getScopes();
        if (scopes.isEmpty() && !this.configuration.getDefaultScopes().isEmpty()) {
            scopes = this.configuration.getDefaultScopes();
        }
        return Utils.computeEffectiveScopeOrFail(set, scopes, this.configuration.getSupportedScopes());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Pair<Boolean, ResourceOwnerAuthentication> validateResourceOwnerCredentials(Client client, RequestData requestData) throws SecurityException {
        ResourceOwnerAuthentication resourceOwnerAuthentication = null;
        Credentials extractResourceOwnerCredentials = extractResourceOwnerCredentials(requestData);
        this.configuration.getRateLimiter().checkOperationAuthorized(RateLimiter.Operation.RESOURCE_OWNER_LOGIN, extractResourceOwnerCredentials.getUsername());
        try {
            resourceOwnerAuthentication = this.configuration.getResourceOwnerSecurityProvider().authenticate((Authentication) new DefaultMuleAuthentication(extractResourceOwnerCredentials));
        } catch (Exception e) {
            logValidationException(client, extractResourceOwnerCredentials, e);
        }
        boolean z = false;
        if (resourceOwnerAuthentication != null) {
            z = true;
        }
        this.configuration.getRateLimiter().recordOperationOutcome(RateLimiter.Operation.RESOURCE_OWNER_LOGIN, extractResourceOwnerCredentials.getUsername(), z ? RateLimiter.Outcome.SUCCESS : RateLimiter.Outcome.FAILURE);
        return Pair.of(Boolean.valueOf(z), resourceOwnerAuthentication);
    }

    private void logValidationException(Client client, Credentials credentials, Exception exc) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.warn(getValidationMessage(client, credentials), exc);
        } else {
            LOGGER.warn(getValidationMessage(client, credentials));
        }
    }

    private String getValidationMessage(Client client, Credentials credentials) {
        return String.format("Failed to validate client credentials for client ID: %s and principal: %s", client.getClientId(), credentials.getUsername());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean validateClientCredentials(Client client, RequestData requestData) throws RequestProcessingException {
        Credentials extractClientCredentials = extractClientCredentials(requestData);
        if (extractClientCredentials instanceof ClientSecretCredentials) {
            return client.isAuthenticatedBy((ClientSecretCredentials) extractClientCredentials);
        }
        if (this.configuration.getClientSecurityProvider() == null) {
            LOGGER.warn("Client ID: " + client.getClientId() + " failed to present a secret and no security provider is configured to validate its credentials");
            return false;
        }
        DefaultMuleCredentials defaultMuleCredentials = new DefaultMuleCredentials(StringUtils.isNotBlank(client.getPrincipal()) ? client.getPrincipal() : extractClientCredentials.getUsername(), extractClientCredentials.getPassword());
        try {
            this.configuration.getClientSecurityProvider().authenticate(new DefaultMuleAuthentication(defaultMuleCredentials));
            return true;
        } catch (Exception e) {
            logValidationException(client, defaultMuleCredentials, e);
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void failIfParameterPresentMultipleTimes(RequestData requestData, String... strArr) throws RequestProcessingException {
        for (String str : strArr) {
            if (HttpEncoderDecoderUtils.decodeUrlEncodedBody(requestData.getContent(), Utils.resolveMessageEncoding(requestData)).getAll(str).size() + requestData.getContext().getRequest().getHeaderValuesIgnoreCase(str).size() + requestData.getContext().getRequest().getQueryParams().getAll(str).size() > 1) {
                throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_REQUEST, String.format("Found multiple values for parameter: %s", str));
            }
        }
    }
}
