package com.ibm.mfp.java.token.validator;

import com.ibm.mfp.java.token.validator.utils.TokenValidationUtils;
import java.net.URI;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.codec.binary.Base64;
import org.apache.http.message.BasicNameValuePair;

/* loaded from: input_file:com/ibm/mfp/java/token/validator/TokenValidationManager.class */
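/**
 * Validates OAuth bearer tokens for a resource server by calling the authorization server's
 * {@code introspection} endpoint, caching results in a {@link TokenValidationCache}.
 *
 * <p>When a clientId/clientSecret pair is supplied, the manager first obtains its own confidential
 * access token (scope {@code authorization.introspect}) from the {@code token} endpoint and presents
 * it on every introspection call. That token is re-obtained when it expires or when the
 * introspection endpoint answers 401/403.
 *
 * <p>Security notes for integrators:
 * <ul>
 *   <li>The cache is keyed by the raw Authorization header value, and a cached result is reused
 *       without contacting the server again. NOTE(review): whether entries expire or honour
 *       revocation depends on {@code TokenValidationCache}, which is not visible here; confirm.</li>
 *   <li>Passing a {@code null} scope to {@link #validate(String, String)} skips the scope check
 *       entirely; only token activity is verified.</li>
 *   <li>The confidential token, its expiry and the retry counter are plain mutable fields with no
 *       synchronization. NOTE(review): confirm how instances are shared across request threads.</li>
 * </ul>
 */
public class TokenValidationManager {
    private static final String BEARER = "Bearer";
    private static final String INTROSPECTION_PATH = "introspection";
    private static final String TOKEN_PATH = "token";
    private static final long DEFAULT_CACHE_SIZE = 50000;
    private static final String INTROSPECTION_SCOPE_KEY = "authorization.introspect";
    public static final String INVALID_TOKEN_ERROR = "invalid_token";
    private static final Logger logger = Logger.getLogger(TokenValidationManager.class.getName());
    private static final String ACCESS_TOKEN_KEY = "access_token";
    private static final String EXPIRATION = "expires_in";
    /** Number of consecutive 401/403 introspection responses after which the manager gives up. */
    private static final int MAX_UNAUTHORIZED_ATTEMPTS = 4;
    private TokenValidationCache cache;
    private URI authorizationURI;
    // "Basic <base64(clientId:clientSecret)>", or null when no client credentials were supplied.
    private String basicAuthorization;
    // Consecutive 401/403 responses from the introspection endpoint since the last success.
    private int attempts;
    // Access token this resource server presents to the introspection endpoint; null when absent or expired.
    private String resourceConfidentialToken;
    // Epoch milliseconds at which resourceConfidentialToken stops being used.
    private long resourceConfidentialTokenExpiration;

    /**
     * Creates a manager with an explicit cache size.
     *
     * @param authorizationUri base URI of the authorization server; must not be {@code null}
     * @param clientId confidential client id, or {@code null} to send no client credentials
     * @param clientSecret confidential client secret, or {@code null} to send no client credentials
     * @param cacheSize value handed to the {@link TokenValidationCache} constructor
     * @throws TokenValidationException if {@code authorizationUri} is {@code null}
     */
    public TokenValidationManager(URI authorizationUri, String clientId, String clientSecret, long cacheSize) throws TokenValidationException {
        if (authorizationUri == null) {
            throw new TokenValidationException("Missing parameters");
        }
        this.authorizationURI = authorizationUri;
        this.cache = new TokenValidationCache(cacheSize);
        if (clientId == null || clientSecret == null) {
            logger.log(Level.FINE, "No clientId or clientSecret passed, if you are working in embedded-AZ mode, token validation will fail");
        } else {
            // Encode with an explicit charset: the no-argument getBytes() uses the platform default,
            // which yields a different (and rejected) credential on hosts whose default is not
            // ASCII-compatible.
            byte[] credentialBytes = (clientId + ":" + clientSecret).getBytes(java.nio.charset.StandardCharsets.UTF_8);
            this.basicAuthorization = "Basic " + Base64.encodeBase64String(credentialBytes);
        }
    }

    /**
     * Creates a manager with the default cache size (50000).
     *
     * @param authorizationUri base URI of the authorization server; must not be {@code null}
     * @param clientId confidential client id, or {@code null}
     * @param clientSecret confidential client secret, or {@code null}
     * @throws TokenValidationException if {@code authorizationUri} is {@code null}
     */
    public TokenValidationManager(URI authorizationUri, String clientId, String clientSecret) throws TokenValidationException {
        this(authorizationUri, clientId, clientSecret, DEFAULT_CACHE_SIZE);
    }

    /**
     * Validates an Authorization header value and, optionally, that the token covers a scope.
     *
     * @param authorizationHeader the raw Authorization header value sent by the client
     * @param expectedScope scope the token must cover, or {@code null} to skip the scope check
     * @return a result carrying either an {@link AuthenticationError} or the introspection data
     * @throws TokenValidationException if the authorization server cannot be queried
     */
    public TokenValidationResult validate(String authorizationHeader, String expectedScope) throws TokenValidationException {
        AuthenticationError headerError = preProcessAuthHeader(authorizationHeader);
        if (headerError != null) {
            return new TokenValidationResult(headerError, null);
        }
        return introspect(authorizationHeader, expectedScope);
    }

    /**
     * Validates an Authorization header value without checking any scope.
     *
     * @param authorizationHeader the raw Authorization header value sent by the client
     * @return a result carrying either an {@link AuthenticationError} or the introspection data
     * @throws TokenValidationException if the authorization server cannot be queried
     */
    public TokenValidationResult validate(String authorizationHeader) throws TokenValidationException {
        return validate(authorizationHeader, null);
    }

    /**
     * Requests an access token from the {@code token} endpoint using the client_credentials grant.
     *
     * @param scope value sent as the {@code scope} form parameter
     * @return the parsed token response; always contains a non-null {@code access_token} entry
     * @throws TokenValidationException if the request fails or the response has no {@code access_token}
     */
    public Map<String, Object> obtainAccessToken(String scope) throws TokenValidationException {
        String tokenUrl = TokenValidationUtils.buildPath(this.authorizationURI.toString(), TOKEN_PATH);
        // Raw collection types are kept because the parameter types of makePostRequest are not visible here.
        HashMap headers = new HashMap();
        if (hasBasicCredentials()) {
            headers.put("Authorization", this.basicAuthorization);
        }
        ArrayList formParams = new ArrayList();
        formParams.add(new BasicNameValuePair("grant_type", "client_credentials"));
        formParams.add(new BasicNameValuePair("scope", scope));
        try {
            String responseBody = TokenValidationUtils.makePostRequest(tokenUrl, headers, formParams);
            Map<String, Object> tokenResponse = TokenValidationUtils.toMap(responseBody);
            if (tokenResponse.get(ACCESS_TOKEN_KEY) == null) {
                // The body is echoed for diagnosis; in this branch it holds no access_token.
                throw new TokenValidationException("Failed to make token request, " + responseBody);
            }
            return tokenResponse;
        } catch (Exception e) {
            logger.severe("Unable to obtain access token, if working in external-AZ mode, verify you have set clientId/clientSecret to null");
            throw new TokenValidationException("Failed to make token request, reason: " + e.getMessage(), e);
        }
    }

    /**
     * Rejects headers that cannot carry a bearer token before any network call is made.
     *
     * @param authorizationHeader the raw Authorization header value
     * @return a 401 error for a missing header or a missing/blank bearer token, otherwise {@code null}
     */
    private AuthenticationError preProcessAuthHeader(String authorizationHeader) {
        if (authorizationHeader == null || authorizationHeader.isEmpty()) {
            // No credentials at all: challenge with the bare scheme and no error code.
            return new AuthenticationError(401, buildErrorMessage(null, null));
        }
        String tokenPart = authorizationHeader.startsWith(BEARER) ? authorizationHeader.substring(BEARER.length()) : "";
        // A whitespace-only remainder ("Bearer ") carries no token, so it is rejected here instead of
        // being sent to the introspection endpoint and cached.
        // NOTE(review): a header such as "BearerXYZ" (no separating space) still passes this check.
        if (tokenPart.trim().isEmpty()) {
            return new AuthenticationError(401, buildErrorMessage(INVALID_TOKEN_ERROR, null));
        }
        return null;
    }

    /**
     * Resolves introspection data for the header (cache first, then the server) and validates it.
     *
     * @param authorizationHeader the raw Authorization header value, also used as the cache key
     * @param expectedScope scope the token must cover, or {@code null}
     * @return the validation result; on any error the data is {@code TokenIntrospectionData.INACTIVE_TOKEN}
     * @throws TokenValidationException if the server call fails with anything other than a 409
     */
    private TokenValidationResult introspect(String authorizationHeader, String expectedScope) throws TokenValidationException {
        obtainToken();
        AuthenticationError error = null;
        TokenIntrospectionData data = this.cache.get(authorizationHeader);
        if (data == null) {
            try {
                data = makeIntrospectionRequest(authorizationHeader);
                this.cache.set(authorizationHeader, data);
            } catch (TokenValidationException e) {
                // Only a 409 is turned into an AuthenticationError; everything else is rethrown.
                error = handleConflictFailure(e);
            }
        }
        if (error == null) {
            error = validateIntrospectionDataResponse(data, expectedScope);
        }
        return new TokenValidationResult(error, error != null ? TokenIntrospectionData.INACTIVE_TOKEN : data);
    }

    /**
     * Maps introspection data to an error, if any.
     *
     * @param data introspection data, possibly {@code null}
     * @param expectedScope scope the token must cover, or {@code null} to skip the scope check
     * @return {@code null} when the token is active and covers the scope; a 403 for insufficient
     *     scope; a 401 when the data is missing or inactive
     */
    private AuthenticationError validateIntrospectionDataResponse(TokenIntrospectionData data, String expectedScope) {
        if (data == null || !data.isActive()) {
            return new AuthenticationError(401, buildErrorMessage(INVALID_TOKEN_ERROR, null));
        }
        if (expectedScope != null && !data.isScopeCovered(expectedScope)) {
            return new AuthenticationError(403, buildErrorMessage("insufficient_scope", expectedScope));
        }
        return null;
    }

    /**
     * Posts the token to the {@code introspection} endpoint and parses the answer.
     *
     * @param authorizationHeader the raw Authorization header value received from the client
     * @return the parsed introspection data
     * @throws TokenValidationException if the request fails; 401/403 answers are retried with a
     *     freshly obtained confidential token before giving up
     */
    protected TokenIntrospectionData makeIntrospectionRequest(String authorizationHeader) throws TokenValidationException {
        String introspectionUrl = TokenValidationUtils.buildPath(this.authorizationURI.toString(), INTROSPECTION_PATH);
        HashMap headers = new HashMap();
        // Read the token once: the getter clears it on expiry, so a second read could return null
        // after the null check has already passed.
        String confidentialToken = getResourceConfidentialToken();
        if (confidentialToken != null) {
            headers.put("Authorization", TokenValidationUtils.toggleAccessTokenAndAuthHeader(confidentialToken, false));
        }
        ArrayList formParams = new ArrayList();
        // NOTE(review): toggleAccessTokenAndAuthHeader presumably converts between a bare token and a
        // "Bearer ..." header value depending on the flag; confirm against TokenValidationUtils.
        formParams.add(new BasicNameValuePair(TOKEN_PATH, TokenValidationUtils.toggleAccessTokenAndAuthHeader(authorizationHeader, true)));
        formParams.add(new BasicNameValuePair("token_type_hint", ACCESS_TOKEN_KEY));
        try {
            TokenIntrospectionData data = TokenValidationUtils.toTokenIntrospectionData(TokenValidationUtils.makePostRequest(introspectionUrl, headers, formParams));
            // A successful call ends the current run of unauthorized responses. Without this reset the
            // counter only ever grows, and routine token refreshes eventually make every later
            // 401/403 fail permanently.
            this.attempts = 0;
            return data;
        } catch (Exception e) {
            if (e instanceof TokenValidationException) {
                return handleIntrospectionFailure(authorizationHeader, (TokenValidationException) e);
            }
            throw new TokenValidationException("Failed to make introspection request, reason: " + e.getMessage(), e);
        }
    }

    /**
     * Retries the introspection call for 401/403 failures and rethrows everything else.
     *
     * @param authorizationHeader the header being validated
     * @param failure the exception raised by the introspection call
     * @return introspection data from the retried call
     * @throws TokenValidationException {@code failure} itself for other statuses, or the retry's failure
     */
    private TokenIntrospectionData handleIntrospectionFailure(String authorizationHeader, TokenValidationException failure) throws TokenValidationException {
        int status = failure.getStatus();
        if (status == 401 || status == 403) {
            return handleUnauthorizedFailure(authorizationHeader);
        }
        throw failure;
    }

    /** Returns whether client credentials were supplied at construction time. */
    private boolean hasBasicCredentials() {
        return this.basicAuthorization != null;
    }

    /**
     * Discards the confidential token, obtains a new one and repeats the introspection call.
     *
     * @param authorizationHeader the header being validated
     * @return introspection data from the repeated call
     * @throws TokenValidationException after {@code MAX_UNAUTHORIZED_ATTEMPTS} consecutive
     *     unauthorized responses, or if obtaining the token or the repeated call fails
     */
    private TokenIntrospectionData handleUnauthorizedFailure(String authorizationHeader) throws TokenValidationException {
        this.attempts++;
        if (this.attempts >= MAX_UNAUTHORIZED_ATTEMPTS) {
            // Give the next validation a fresh retry budget instead of failing forever.
            this.attempts = 0;
            logger.severe("Introspection endpoint resulted in unauthorized response, if you are working in embedded AZ server, you must provide non-null clientId/clientSecret credentials");
            throw new TokenValidationException("Error obtaining a token for the Resource Server using the specified clientId/clientSecret credentials");
        }
        setResourceConfidentialToken(null);
        obtainToken();
        return makeIntrospectionRequest(authorizationHeader);
    }

    /**
     * Converts a 409 failure into an {@link AuthenticationError} and rethrows any other failure.
     *
     * @param failure the exception raised by the introspection call
     * @return a 409 error with no message
     * @throws TokenValidationException {@code failure} itself when its status is not 409
     */
    private AuthenticationError handleConflictFailure(TokenValidationException failure) throws TokenValidationException {
        if (failure.getStatus() == 409) {
            return new AuthenticationError(409, null);
        }
        throw failure;
    }

    /**
     * Obtains the confidential introspection token when credentials exist and no live token is held.
     *
     * @throws TokenValidationException if the token request fails
     */
    private void obtainToken() throws TokenValidationException {
        if (shouldObtainToken()) {
            setResourceConfidentialToken(obtainAccessToken(INTROSPECTION_SCOPE_KEY));
        }
    }

    /**
     * Builds the challenge string: {@code Bearer}, optionally followed by {@code error="..."} and
     * {@code , scope="..."}.
     *
     * <p>Values are inserted verbatim between double quotes; callers must not pass text containing
     * a double quote.
     *
     * @param error error code, or {@code null} to omit it
     * @param scope scope, or {@code null} to omit it
     * @return the assembled string
     */
    private String buildErrorMessage(String error, String scope) {
        StringBuilder message = new StringBuilder(BEARER);
        if (error != null) {
            message.append(" error=\"").append(error).append("\"");
        }
        if (scope != null) {
            message.append(", scope=\"").append(scope).append("\"");
        }
        return message.toString();
    }

    /** Returns whether credentials are configured and no unexpired confidential token is held. */
    private boolean shouldObtainToken() {
        return hasBasicCredentials() && getResourceConfidentialToken() == null;
    }

    /**
     * Returns the confidential token, clearing it first if its expiry time has been reached.
     *
     * @return the token, or {@code null} when none is held or it has expired
     */
    private String getResourceConfidentialToken() {
        if (System.currentTimeMillis() >= this.resourceConfidentialTokenExpiration) {
            setResourceConfidentialToken(null);
        }
        return this.resourceConfidentialToken;
    }

    /**
     * Stores the confidential token and its expiry from a token response, or clears both.
     *
     * @param tokenResponse parsed token response, or {@code null} to clear the stored token
     */
    private void setResourceConfidentialToken(Map<String, Object> tokenResponse) {
        if (tokenResponse == null) {
            this.resourceConfidentialToken = null;
            this.resourceConfidentialTokenExpiration = 0L;
            return;
        }
        this.resourceConfidentialToken = (String) tokenResponse.get(ACCESS_TOKEN_KEY);
        long now = System.currentTimeMillis();
        Object expiresIn = tokenResponse.get(EXPIRATION);
        if (!(expiresIn instanceof Number)) {
            // expires_in is missing or not numeric. Casting it unconditionally would throw an unchecked
            // exception out of validate(). Keep the token with no local expiry instead; it is
            // discarded and re-obtained as soon as the introspection endpoint answers 401/403.
            this.resourceConfidentialTokenExpiration = Long.MAX_VALUE;
            return;
        }
        long lifetimeSeconds = ((Number) expiresIn).longValue();
        if (lifetimeSeconds <= 0) {
            // Already expired: the next read clears it.
            this.resourceConfidentialTokenExpiration = now;
        } else if (lifetimeSeconds > (Long.MAX_VALUE - now) / 1000) {
            // Saturate rather than overflow into a timestamp in the past.
            this.resourceConfidentialTokenExpiration = Long.MAX_VALUE;
        } else {
            this.resourceConfidentialTokenExpiration = now + lifetimeSeconds * 1000;
        }
    }
}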
