package com.liferay.oauth2.provider.rest.internal.endpoint.access.token.authentication.handler;

import com.liferay.oauth2.provider.rest.internal.configuration.admin.service.OAuth2InAssertionManagedServiceFactory;
import com.liferay.oauth2.provider.rest.internal.endpoint.constants.OAuth2ProviderRESTEndpointConstants;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.util.ParamUtil;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.kernel.util.Validator;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.ext.Provider;
import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.grants.jwt.Constants;
import org.apache.cxf.rs.security.oauth2.grants.jwt.JwtBearerAuthHandler;
import org.apache.cxf.rs.security.oauth2.provider.ClientRegistrationProvider;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.security.SecurityContext;

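/**
 * Authenticates OAuth 2.0 clients at the token endpoint with a JWT client
 * assertion (RFC 7523 / OIDC Core {@code client_secret_jwt} and
 * {@code private_key_jwt}).
 *
 * <p>The assertion is read from the {@code client_assertion} request
 * parameter, its signature is verified with key material belonging to the
 * registered client named by the assertion's {@code sub} claim, and the
 * verified subject is published on the current CXF message as the
 * {@code client_id}. Claim validation (issuer, audience, expiry, ...) is
 * whatever the CXF superclass does inside {@link #getJwtToken(String)};
 * NOTE(review): nothing in this class checks {@code aud}, {@code exp} or
 * {@code iss}, so confirm the superclass configuration enforces them.
 */
@Provider
public class LiferayJWTBearerAuthenticationHandler extends JwtBearerAuthHandler {

    private static final Log _log = LogFactoryUtil.getLog(LiferayJWTBearerAuthenticationHandler.class);

    // Values of the client's registered token_endpoint_auth_method that are
    // handled by this filter.
    private static final String _CLIENT_SECRET_JWT = "client_secret_jwt";
    private static final String _PRIVATE_KEY_JWT = "private_key_jwt";

    private ClientRegistrationProvider _clientRegistrationProvider;

    // Injected for wiring purposes; not referenced by any method in this class.
    private OAuth2InAssertionManagedServiceFactory _oAuth2InAssertionManagedServiceFactory;

    /**
     * Performs JWT client authentication for requests to the token endpoint.
     *
     * <p>Requests outside the token endpoint, and token requests that do not
     * declare the JWT bearer assertion type, pass through untouched. For a JWT
     * assertion the signature is verified, the subject is required to agree
     * with an explicit {@code client_id} parameter when one is present, and the
     * subject is stored on the message as the authenticated {@code client_id}.
     *
     * @param containerRequestContext the JAX-RS request being filtered
     * @throws NotAuthorizedException if the assertion is missing, unverifiable,
     *         has no subject, or its subject disagrees with {@code client_id}
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        // NOTE(review): a prefix match also covers paths such as "tokenfoo";
        // confirm that is intended or tighten to an exact segment match.
        if (!StringUtil.startsWith(containerRequestContext.getUriInfo().getPath(), "token")) {
            return;
        }

        Message currentMessage = JAXRSUtils.getCurrentMessage();
        HttpServletRequest httpServletRequest = (HttpServletRequest) currentMessage.get("HTTP.REQUEST");

        // Other client authentication methods are handled elsewhere.
        if (!_isUsingJWTAssertionForClientAuthentication(httpServletRequest)) {
            return;
        }

        String assertion = ParamUtil.getString(httpServletRequest, Constants.CLIENT_AUTH_ASSERTION_PARAM);

        // Validator.isNull rejects both a null and an empty value; a bare
        // "== null" check is ineffective if ParamUtil substitutes an empty
        // string for an absent parameter, which would otherwise let an empty
        // assertion reach the signature code.
        if (Validator.isNull(assertion)) {
            throw new NotAuthorizedException("Missing JWT assertion");
        }

        // Verifies the signature via getInitializedSignatureVerifier and runs
        // the superclass claim validation; throws if either fails.
        JwtToken jwtToken = super.getJwtToken(assertion);

        String subject = (String) jwtToken.getClaim("sub");

        // A subject-less assertion must never become a null client_id on the
        // message.
        if (Validator.isNull(subject)) {
            throw new NotAuthorizedException("Missing JWT subject");
        }

        // RFC 7523 section 3: for client authentication the subject is the
        // client_id, so an explicit client_id parameter must agree with it.
        // NOTE(review): OIDC Core section 9 additionally requires
        // iss == client_id; only "sub" is compared here.
        String clientId = ParamUtil.getString(httpServletRequest, "client_id");

        if (Validator.isNotNull(clientId) && !clientId.equals(subject)) {
            throw new NotAuthorizedException("Client ID parameter does not match JWT subject");
        }

        currentMessage.put("client_id", subject);

        SecurityContext securityContext = configureSecurityContext(jwtToken);

        if (securityContext != null) {
            currentMessage.put(SecurityContext.class, securityContext);
        }
    }

    /**
     * Sets the provider used to look up registered clients by {@code sub}.
     *
     * @param clientRegistrationProvider the client registry
     */
    public void setClientRegistrationProvider(ClientRegistrationProvider clientRegistrationProvider) {
        this._clientRegistrationProvider = clientRegistrationProvider;
    }

    /**
     * Sets the in-assertion managed service factory. The visible code never
     * reads it; it is kept for compatibility with the component wiring.
     *
     * @param oAuth2InAssertionManagedServiceFactory the factory to retain
     */
    public void setOAuth2InAssertionManagedServiceFactory(OAuth2InAssertionManagedServiceFactory oAuth2InAssertionManagedServiceFactory) {
        this._oAuth2InAssertionManagedServiceFactory = oAuth2InAssertionManagedServiceFactory;
    }

    /**
     * Resolves the verifier for the assertion's signature from the registered
     * client named by the assertion's {@code sub} claim.
     *
     * <ul>
     * <li>{@code client_secret_jwt}: HMAC keyed with the client's secret.</li>
     * <li>{@code private_key_jwt}: the key from the client's configured JWKS
     *     whose {@code kid} matches the assertion's JOSE header.</li>
     * </ul>
     *
     * <p>An unknown client, a client registered for another authentication
     * method, a missing secret, a missing JWKS or {@code kid}, and a malformed
     * key set are all reported uniformly as {@code invalid_client}, so the
     * response does not reveal which step failed; the detail goes to the log.
     *
     * @param jwtToken the parsed, not yet verified assertion
     * @return the verifier to check the assertion's signature with
     * @throws NotAuthorizedException carrying the {@code invalid_client} challenge
     */
    @Override
    protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwtToken) {
        try {
            // The subject is attacker-controlled here (the signature has not
            // been verified yet) and is used purely as a registry lookup key.
            String subject = (String) jwtToken.getClaim("sub");

            Client client = _clientRegistrationProvider.getClient(subject);

            // The lookup lives inside the try so an unknown client maps to
            // invalid_client instead of surfacing as an unhandled
            // NullPointerException from the accessor calls below.
            if (client == null) {
                throw new IllegalArgumentException("Unknown client");
            }

            String tokenEndpointAuthMethod = client.getTokenEndpointAuthMethod();

            if (_CLIENT_SECRET_JWT.equals(tokenEndpointAuthMethod)) {
                return _getClientSecretVerifier(client);
            }

            if (_PRIVATE_KEY_JWT.equals(tokenEndpointAuthMethod)) {
                return _getPrivateKeyVerifier(client, jwtToken);
            }

            throw new IllegalArgumentException("Client is configured to not use JWT as a client authentication method");
        }
        catch (Exception e) {
            // The cause is retained in the log only; the client sees a generic
            // invalid_client challenge.
            if (_log.isWarnEnabled()) {
                _log.warn(e);
            }

            throw new NotAuthorizedException(OAuthConstants.INVALID_CLIENT);
        }
    }

    /**
     * Builds the HMAC verifier for a {@code client_secret_jwt} client.
     *
     * @param client the registered client
     * @return an HMAC verifier keyed with the client's secret
     * @throws IllegalArgumentException if the client has no secret
     */
    private JwsSignatureVerifier _getClientSecretVerifier(Client client) {
        String clientSecret = client.getClientSecret();

        // Refuse to key an HMAC with nothing rather than relying on the JCA to
        // reject an empty key somewhere deeper in the stack.
        if (Validator.isNull(clientSecret)) {
            throw new IllegalArgumentException("Client has no secret for client_secret_jwt");
        }

        // NOTE(review): the registered secret is passed to the String
        // constructor as-is; confirm whether CXF treats that argument as
        // base64url-encoded key bytes or as the literal UTF-8 octets that
        // RFC 7523 / OIDC Core prescribe for client_secret_jwt.
        return new HmacJwsSignatureVerifier(clientSecret);
    }

    /**
     * Builds the verifier for a {@code private_key_jwt} client from the key in
     * its configured JWKS that matches the assertion's {@code kid} header.
     *
     * @param client the registered client
     * @param jwtToken the parsed assertion, source of the {@code kid} header
     * @return a verifier for the selected key
     * @throws IllegalArgumentException if the client has no JWKS or the
     *         assertion carries no {@code kid}
     */
    private JwsSignatureVerifier _getPrivateKeyVerifier(Client client, JwtToken jwtToken) {
        String jwks = client.getProperties().get(OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_CLIENT_JWKS);

        if (Validator.isNull(jwks)) {
            throw new IllegalArgumentException("Client has no JWKS configured for private_key_jwt");
        }

        // kid comes from the unverified JOSE header, but it can only select a
        // key from this client's own key set, so it is a lookup key, not trust.
        String keyId = (String) jwtToken.getJwsHeader("kid");

        if (Validator.isNull(keyId)) {
            throw new IllegalArgumentException("JWT assertion has no kid header");
        }

        // An unknown kid yields a null key and fails inside the caller's
        // catch block. NOTE(review): the verifier's algorithm is derived from
        // the client's key, not from the assertion's alg header; confirm CXF
        // rejects a mismatch so no algorithm-confusion path exists.
        return JwsUtils.getSignatureVerifier(JwkUtils.readJwkSet(jwks).getKey(keyId));
    }

    /**
     * Reports whether the request declares the JWT bearer client assertion
     * type in its {@code client_assertion_type} parameter.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} if the parameter is present and, after URL decoding,
     *         equals the JWT bearer assertion type URN
     */
    private boolean _isUsingJWTAssertionForClientAuthentication(HttpServletRequest httpServletRequest) {
        String assertionType = ParamUtil.getString(httpServletRequest, Constants.CLIENT_AUTH_ASSERTION_TYPE);

        if (Validator.isNull(assertionType)) {
            return false;
        }

        // The URN contains no percent-escapes or pluses, so decoding an
        // already-decoded parameter value is harmless here.
        return Constants.CLIENT_AUTH_JWT_BEARER.equals(HttpUtils.urlDecode(assertionType));
    }

}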
