package org.mule.modules.oauth2.provider;

import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.inject.Inject;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.joda.time.Duration;
import org.mule.api.MuleContext;
import org.mule.api.MuleEvent;
import org.mule.api.MuleException;
import org.mule.api.annotations.param.InboundHeaders;
import org.mule.api.annotations.param.OutboundHeaders;
import org.mule.api.callback.SourceCallback;
import org.mule.api.security.Authentication;
import org.mule.api.security.SecurityProvider;
import org.mule.api.store.ListableObjectStore;
import org.mule.api.store.ObjectStoreException;
import org.mule.api.store.ObjectStoreManager;
import org.mule.api.transport.Connector;
import org.mule.module.http.api.listener.HttpListenerConfig;
import org.mule.modules.oauth2.provider.Constants;
import org.mule.modules.oauth2.provider.client.Client;
import org.mule.modules.oauth2.provider.client.ClientStore;
import org.mule.modules.oauth2.provider.client.ClientType;
import org.mule.modules.oauth2.provider.client.NoSuchClientException;
import org.mule.modules.oauth2.provider.client.ObjectStoreClientStore;
import org.mule.modules.oauth2.provider.code.AuthorizationCodeManager;
import org.mule.modules.oauth2.provider.code.AuthorizationCodeStore;
import org.mule.modules.oauth2.provider.code.ObjectStoreAuthorizationCode;
import org.mule.modules.oauth2.provider.config.Configuration;
import org.mule.modules.oauth2.provider.generator.AuthorizationFlowGenerator;
import org.mule.modules.oauth2.provider.generator.CreateAccessTokenFlowGenerator;
import org.mule.modules.oauth2.provider.generator.FlowGenerator;
import org.mule.modules.oauth2.provider.generator.StaticWebContentFlowGenerator;
import org.mule.modules.oauth2.provider.processor.ValidateClientCredentials;
import org.mule.modules.oauth2.provider.ratelimit.RateLimiter;
import org.mule.modules.oauth2.provider.ratelimit.SimpleInMemoryRateLimiter;
import org.mule.modules.oauth2.provider.token.AccessTokenStoreHolder;
import org.mule.modules.oauth2.provider.token.InvalidAccessTokenException;
import org.mule.modules.oauth2.provider.token.InvalidTokenException;
import org.mule.modules.oauth2.provider.token.ObjectStoreTokenStore;
import org.mule.modules.oauth2.provider.token.Token;
import org.mule.modules.oauth2.provider.token.TokenManager;
import org.mule.modules.oauth2.provider.token.TokenStore;
import org.mule.security.DefaultSecurityContext;
import org.mule.transport.NullPayload;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:mule/lib/mule/mule-module-security-oauth2-provider-1.5.0.jar:org/mule/modules/oauth2/provider/OAuth2ProviderModule.class */
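/**
 * Mule module that wires an OAuth2 authorization server into an application.
 *
 * <p>It assembles the provider {@link Configuration} from the bean-style properties set on this
 * object, runs the registered {@link FlowGenerator}s against the {@link MuleContext}, and exposes
 * the message processors used to protect resources: {@link #validateClient} (client credentials)
 * and {@link #validate} (bearer access tokens, scopes and resource-owner roles).
 *
 * <p>{@link #generateFlows()} must run before either validation processor is invoked, because it
 * creates the {@link ValidateClientCredentials} processor and the {@link TokenManager} they rely on.
 * The setters are intended for configuration time only; no synchronisation is provided.
 */
public class OAuth2ProviderModule {
    private static final Logger logger = LoggerFactory.getLogger(OAuth2ProviderModule.class);

    /** Generators run, in this order, by {@link #generateFlows()}. */
    private static final List<? extends FlowGenerator> FLOW_GENERATORS = Arrays.asList(new StaticWebContentFlowGenerator(), new AuthorizationFlowGenerator(), new CreateAccessTokenFlowGenerator());

    /**
     * Percentage of an entry's TTL used as the expiry-sweep interval of the default authorization
     * code and access token object stores.
     */
    private static final int EXPIRATION_INTERVAL_PERCENTAGE = 10;

    /** Outbound header carrying the HTTP status returned when a request is rejected. */
    private static final String HTTP_STATUS_HEADER = "http.status";

    /** Inbound property holding the parsed URI query parameters of an HTTP request. */
    private static final String QUERY_PARAMS_PROPERTY = "http.query.params";

    /** Name of the header and of the query parameter through which a bearer token may be sent. */
    private static final String ACCESS_TOKEN_PARAM = "access_token";

    @Inject
    private MuleContext muleContext;
    private String providerName;
    private String host;
    private int port;
    private ClientStore clientStore;
    private AuthorizationCodeStore authorizationCodeStore;
    private TokenStore tokenStore;
    private String loginPage;
    private String scopes;
    private String defaultScopes;
    private String authorizationEndpointPath;
    private String accessTokenEndpointPath;
    private int authorizationTtlSeconds;
    private int tokenTtlSeconds;
    private Connector connector;
    private HttpListenerConfig listenerConfig;
    private SecurityProvider resourceOwnerSecurityProvider;
    private SecurityProvider clientSecurityProvider;
    private boolean enableRefreshToken;
    private String supportedGrantTypes;
    private RateLimiter rateLimiter;
    private List<Client> clients;

    @Inject
    private ObjectStoreManager objectStoreManager;
    // Populated by generateFlows(); null until then.
    private TokenManager tokenManager;
    private Configuration configuration;
    private ValidateClientCredentials clientCredentialsValidator;

    /**
     * Builds the provider configuration, generates the OAuth2 flows and prepares the client
     * credentials validator used by {@link #validateClient}.
     *
     * @throws MuleException if a flow generator fails
     */
    public void generateFlows() throws MuleException {
        Configuration config = createConfiguration();
        for (FlowGenerator generator : FLOW_GENERATORS) {
            generator.generate(this.muleContext, config);
        }
        this.clientCredentialsValidator = new ValidateClientCredentials(config);
    }

    /**
     * Creates the {@link Configuration} from the configured properties, defaulting the stores and
     * the rate limiter when none were injected. Also initialises {@link #tokenManager}.
     */
    private Configuration createConfiguration() {
        configureStores();
        AuthorizationCodeManager authorizationCodeManager = new AuthorizationCodeManager(this.authorizationCodeStore, Duration.standardSeconds(this.authorizationTtlSeconds));
        this.tokenManager = new TokenManager(this.tokenStore, Duration.standardSeconds(this.tokenTtlSeconds));
        if (this.rateLimiter == null) {
            this.rateLimiter = new SimpleInMemoryRateLimiter();
        }
        this.configuration = new Configuration(this.providerName, this.connector, this.listenerConfig, this.host, this.port, this.resourceOwnerSecurityProvider, this.clientSecurityProvider, this.loginPage, this.authorizationEndpointPath, this.accessTokenEndpointPath, this.clientStore, authorizationCodeManager, this.tokenManager, this.scopes, this.defaultScopes, this.enableRefreshToken, Utils.parseProviderGrantTypes(this.supportedGrantTypes), this.rateLimiter);
        return this.configuration;
    }

    /** Initialises default stores where needed and registers the statically configured clients. */
    private void configureStores() {
        initializeDefaultStores();
        if (this.clients == null || this.clientStore == null) {
            return;
        }
        for (Client client : this.clients) {
            this.clientStore.addClient(client);
        }
    }

    /**
     * Creates object-store backed implementations for every store that was not injected.
     *
     * <p>The authorization code and access token stores expire their entries after the respective
     * TTL; refresh tokens are kept in a partition without an expiration policy.
     *
     * @throws RuntimeException if the persistent client store cannot be opened
     * @throws IllegalArgumentException if a TTL does not fit the int expiration the store manager accepts
     */
    private void initializeDefaultStores() {
        if (useDefaultClientStore()) {
            ObjectStoreClientStore defaultClientStore = new ObjectStoreClientStore();
            defaultClientStore.setObjectStore(this.objectStoreManager.getObjectStore(ObjectStoreClientStore.CLIENTS_PARTITION, true));
            try {
                ((ListableObjectStore) defaultClientStore.getClientObjectStore()).open();
            } catch (ObjectStoreException e) {
                // Keep the cause: the store's own message is the only diagnostic available.
                throw new RuntimeException("Error initializing persistent object store for Clients", e);
            }
            this.clientStore = defaultClientStore;
        }
        if (useDefaultAuthorizationCodeStore()) {
            int ttlMillis = ttlToMillis(this.authorizationTtlSeconds);
            ObjectStoreAuthorizationCode defaultCodeStore = new ObjectStoreAuthorizationCode();
            defaultCodeStore.setObjectStore(this.objectStoreManager.getObjectStore(ObjectStoreAuthorizationCode.AUTHORIZATION_CODE_PARTITION, false, -1, ttlMillis, expirationInterval(ttlMillis)));
            this.authorizationCodeStore = defaultCodeStore;
        }
        if (useDefaultTokenStore()) {
            int ttlMillis = ttlToMillis(this.tokenTtlSeconds);
            ObjectStoreTokenStore defaultTokenStore = new ObjectStoreTokenStore();
            defaultTokenStore.setRefreshTokenObjectStore(this.objectStoreManager.getObjectStore(ObjectStoreTokenStore.REFRESH_TOKENS_PARTITION));
            defaultTokenStore.setAccessTokenObjectStore(this.objectStoreManager.getObjectStore(ObjectStoreTokenStore.ACCESS_TOKENS_PARTITION, false, -1, ttlMillis, expirationInterval(ttlMillis)));
            this.tokenStore = defaultTokenStore;
        }
    }

    /**
     * Converts a TTL in seconds to milliseconds, failing loudly instead of silently wrapping when
     * the value does not fit the {@code int} the object store manager takes.
     *
     * @param seconds TTL in seconds
     * @return the TTL in milliseconds
     * @throws IllegalArgumentException if the millisecond value exceeds {@link Integer#MAX_VALUE}
     */
    private static int ttlToMillis(int seconds) {
        long millis = TimeUnit.SECONDS.toMillis(seconds);
        if (millis > Integer.MAX_VALUE) {
            throw new IllegalArgumentException("TTL of " + seconds + " seconds exceeds the maximum supported expiration interval");
        }
        return (int) millis;
    }

    /**
     * Expiry-sweep interval for a store whose entries live {@code ttlMillis}: a fixed percentage
     * of the TTL. Computed in {@code long} so the multiplication cannot overflow.
     */
    private static int expirationInterval(int ttlMillis) {
        return (int) ((long) ttlMillis * EXPIRATION_INTERVAL_PERCENTAGE / 100);
    }

    private boolean useDefaultClientStore() {
        return this.clientStore == null;
    }

    private boolean useDefaultTokenStore() {
        return this.tokenStore == null;
    }

    private boolean useDefaultAuthorizationCodeStore() {
        return this.authorizationCodeStore == null;
    }

    /**
     * Message processor that lets the event through only if it carries valid client credentials.
     *
     * @param outboundHeaders outbound headers of the message; receives the HTTP status on rejection
     * @param muleEvent the event under validation
     * @param sourceCallback continuation invoked with the event when the client is valid
     * @return the processed event, or the original event with a 403 status and an empty payload
     * @throws Exception propagated from the credentials validator or the continuation
     */
    @Inject
    public MuleEvent validateClient(@OutboundHeaders Map<String, Object> outboundHeaders, MuleEvent muleEvent, SourceCallback sourceCallback) throws Exception {
        if (isValidClient(muleEvent)) {
            return sourceCallback.processEvent(muleEvent);
        }
        return reject(outboundHeaders, muleEvent, 403);
    }

    /**
     * Runs the client credentials validator; a valid client is signalled by the presence of the
     * {@link Constants#CLIENT_FLOW_VAR} flow variable.
     */
    private boolean isValidClient(MuleEvent muleEvent) throws MuleException {
        this.clientCredentialsValidator.process(muleEvent);
        return muleEvent.getFlowVariableNames().contains(Constants.CLIENT_FLOW_VAR);
    }

    /**
     * Message processor that validates the bearer access token of a resource request.
     *
     * <p>The token is taken from the {@code access_token} header, else from the
     * {@code Authorization: Bearer} header, else from the {@code access_token} query parameter.
     * A request carrying both headers is rejected with 400 (RFC 6750 §2 forbids sending the
     * token by more than one method). A missing or invalid token, or one that does not cover the
     * required scopes / resource-owner roles, yields 403 or — when {@code throwOnInvalid} is set —
     * an {@link InvalidAccessTokenException}.
     *
     * @param accessTokenHeader value of the {@code access_token} header, or null
     * @param authorizationHeader value of the {@code Authorization} header, or null
     * @param outboundHeaders outbound headers of the message; receives the HTTP status on rejection
     * @param requiredScopes space-separated scopes the token must intersect; blank means no check
     * @param requiredRoles space-separated resource-owner roles the token's owner must intersect; blank means no check
     * @param throwOnInvalid whether to throw instead of returning a 403 response
     * @param muleEvent the event under validation
     * @param sourceCallback continuation invoked with the event when the token is accepted
     * @return the processed event, or the original event with an error status and an empty payload
     * @throws InvalidAccessTokenException if the token is rejected and {@code throwOnInvalid} is set
     * @throws Exception propagated from the continuation
     */
    @Inject
    public MuleEvent validate(@InboundHeaders("access_token?") String accessTokenHeader, @InboundHeaders("Authorization?") String authorizationHeader, @OutboundHeaders Map<String, Object> outboundHeaders, String requiredScopes, String requiredRoles, boolean throwOnInvalid, MuleEvent muleEvent, SourceCallback sourceCallback) throws Exception {
        if (StringUtils.isNotBlank(accessTokenHeader) && StringUtils.isNotBlank(authorizationHeader)) {
            return reject(outboundHeaders, muleEvent, 400);
        }
        String accessToken = extractAccessToken(accessTokenHeader, authorizationHeader, muleEvent);
        // A blank token can never be valid; do not hand it to the token manager.
        if (StringUtils.isNotBlank(accessToken) && isValidAccessToken(accessToken, requiredScopes, requiredRoles, muleEvent)) {
            return sourceCallback.processEvent(muleEvent);
        }
        if (throwOnInvalid) {
            // The token value is a credential; keep it out of the exception message so it is not
            // written to logs or error responses.
            throw new InvalidAccessTokenException("Invalid access token");
        }
        return reject(outboundHeaders, muleEvent, 403);
    }

    /**
     * Resolves the bearer token sent with the request: header, then {@code Authorization: Bearer},
     * then the {@code access_token} query parameter.
     *
     * @return the token, or null if the request carries none
     */
    private static String extractAccessToken(String accessTokenHeader, String authorizationHeader, MuleEvent muleEvent) {
        String token = StringUtils.isNotBlank(accessTokenHeader) ? accessTokenHeader : Utils.extractCredentialsFromAuthorizationHeader(authorizationHeader, Constants.HTTP_AUTHORIZATION_SCHEME_BEARER, "UTF-8");
        if (StringUtils.isNotBlank(token)) {
            return token;
        }
        // The query-parameter property may be absent on the inbound message; guard instead of NPE-ing.
        Map<?, ?> queryParams = (Map<?, ?>) muleEvent.getMessage().getInboundProperty(QUERY_PARAMS_PROPERTY);
        return queryParams == null ? null : (String) queryParams.get(ACCESS_TOKEN_PARAM);
    }

    /** Marks the event as rejected: sets the HTTP status header and clears the payload. */
    private static MuleEvent reject(Map<String, Object> outboundHeaders, MuleEvent muleEvent, int httpStatus) {
        outboundHeaders.put(HTTP_STATUS_HEADER, httpStatus);
        muleEvent.getMessage().setPayload(NullPayload.getInstance());
        return muleEvent;
    }

    /**
     * Registers a new client in the client store.
     *
     * @param clientId client identifier
     * @param secret client secret
     * @param clientType the client type
     * @param clientName human-readable client name
     * @param description client description
     * @param principal principal associated with the client
     * @param redirectUris allowed redirect URIs
     * @param authorizedGrantTypes grant types the client may use
     * @param scopes scopes the client may request
     */
    public void createClient(String clientId, String secret, ClientType clientType, String clientName, String description, String principal, List<String> redirectUris, List<Constants.RequestGrantType> authorizedGrantTypes, List<String> scopes) {
        Client client = new Client(clientId, secret, clientType, redirectUris, authorizedGrantTypes, scopes);
        client.setClientName(clientName);
        client.setDescription(description);
        client.setPrincipal(principal);
        this.clientStore.addClient(client);
    }

    /**
     * Removes a client from the client store.
     *
     * @param clientId identifier of the client to remove
     * @throws NoSuchClientException if no such client exists
     */
    public void deleteClient(String clientId) throws NoSuchClientException {
        this.clientStore.removeClient(clientId);
    }

    /**
     * Revokes a token. The value is first treated as an access token; when refresh tokens are
     * enabled it is then treated as a refresh token, in which case the access token it belongs
     * to is removed.
     *
     * @param token access token, or refresh token if {@link #isEnableRefreshToken()} is set
     * @throws InvalidTokenException if the value matches neither
     */
    public void revokeToken(String token) throws InvalidTokenException {
        if (this.tokenStore.retrieveByAccessToken(token) != null) {
            this.tokenStore.remove(token);
            return;
        }
        AccessTokenStoreHolder holder = this.enableRefreshToken ? this.tokenStore.retrieveByRefreshToken(token) : null;
        if (holder == null) {
            throw new InvalidTokenException("Token is invalid");
        }
        this.tokenStore.remove(holder.getAccessToken().getAccessToken());
    }

    /**
     * Checks that the token exists and has not expired, and that it covers the required scopes
     * and resource-owner roles. On success the resource owner's authentication (if any) is placed
     * in the session security context and the token holder is exposed as the
     * {@link Constants#ACCESS_TOKEN_STORE_HOLDER_FLOW_VAR} flow variable.
     */
    private boolean isValidAccessToken(String accessToken, String requiredScopes, String requiredRoles, MuleEvent muleEvent) {
        AccessTokenStoreHolder holder = this.tokenManager.getNonExpiredAccessTokenHolder(accessToken);
        if (holder == null) {
            return false;
        }
        boolean accepted = areScopesValid(holder.getAccessToken(), requiredScopes) && areResourceOwnerRolesValid(holder, requiredRoles);
        if (accepted) {
            Authentication resourceOwnerAuthentication = holder.getResourceOwnerAuthentication();
            if (resourceOwnerAuthentication != null) {
                muleEvent.getSession().setSecurityContext(new DefaultSecurityContext(resourceOwnerAuthentication));
            }
            muleEvent.setFlowVariable(Constants.ACCESS_TOKEN_STORE_HOLDER_FLOW_VAR, holder);
        }
        return accepted;
    }

    /**
     * True if no scopes are required, or if the token's scopes intersect the required ones.
     * Note that a single matching scope is enough; this is not a superset check.
     */
    private boolean areScopesValid(Token token, String requiredScopes) {
        if (StringUtils.isBlank(requiredScopes)) {
            return true;
        }
        return CollectionUtils.isNotEmpty(CollectionUtils.intersection(token.getScopes(), Utils.tokenize(requiredScopes)));
    }

    /**
     * True if no roles are required, or if the resource owner's roles intersect the required ones.
     * As with scopes, one matching role is enough.
     */
    private boolean areResourceOwnerRolesValid(AccessTokenStoreHolder holder, String requiredRoles) {
        if (StringUtils.isBlank(requiredRoles)) {
            return true;
        }
        return CollectionUtils.isNotEmpty(CollectionUtils.intersection(holder.getResourceOwnerRoles(), Utils.tokenize(requiredRoles)));
    }

    // ---- bean-style accessors used by the module configuration ----

    public MuleContext getMuleContext() {
        return this.muleContext;
    }

    public void setMuleContext(MuleContext muleContext) {
        this.muleContext = muleContext;
    }

    /** @return the configuration built by the last {@link #generateFlows()} call, or whatever was set */
    public Configuration getConfiguration() {
        return this.configuration;
    }

    public void setConfiguration(Configuration configuration) {
        this.configuration = configuration;
    }

    public String getProviderName() {
        return this.providerName;
    }

    public void setProviderName(String providerName) {
        this.providerName = providerName;
    }

    public String getHost() {
        return this.host;
    }

    public void setHost(String host) {
        this.host = host;
    }

    public int getPort() {
        return this.port;
    }

    public void setPort(int port) {
        this.port = port;
    }

    public ClientStore getClientStore() {
        return this.clientStore;
    }

    /** Sets a custom client store; when left null an object-store backed default is created. */
    public void setClientStore(ClientStore clientStore) {
        this.clientStore = clientStore;
    }

    public AuthorizationCodeStore getAuthorizationCodeStore() {
        return this.authorizationCodeStore;
    }

    /** Sets a custom authorization code store; when left null an expiring object-store default is created. */
    public void setAuthorizationCodeStore(AuthorizationCodeStore authorizationCodeStore) {
        this.authorizationCodeStore = authorizationCodeStore;
    }

    public TokenStore getTokenStore() {
        return this.tokenStore;
    }

    /** Sets a custom token store; when left null an object-store backed default is created. */
    public void setTokenStore(TokenStore tokenStore) {
        this.tokenStore = tokenStore;
    }

    public String getLoginPage() {
        return this.loginPage;
    }

    public void setLoginPage(String loginPage) {
        this.loginPage = loginPage;
    }

    public String getDefaultScopes() {
        return this.defaultScopes;
    }

    public void setDefaultScopes(String defaultScopes) {
        this.defaultScopes = defaultScopes;
    }

    public String getScopes() {
        return this.scopes;
    }

    public void setScopes(String scopes) {
        this.scopes = scopes;
    }

    public String getAuthorizationEndpointPath() {
        return this.authorizationEndpointPath;
    }

    public void setAuthorizationEndpointPath(String authorizationEndpointPath) {
        this.authorizationEndpointPath = authorizationEndpointPath;
    }

    public String getAccessTokenEndpointPath() {
        return this.accessTokenEndpointPath;
    }

    public void setAccessTokenEndpointPath(String accessTokenEndpointPath) {
        this.accessTokenEndpointPath = accessTokenEndpointPath;
    }

    public int getAuthorizationTtlSeconds() {
        return this.authorizationTtlSeconds;
    }

    /** Lifetime of issued authorization codes, in seconds. */
    public void setAuthorizationTtlSeconds(int authorizationTtlSeconds) {
        this.authorizationTtlSeconds = authorizationTtlSeconds;
    }

    public int getTokenTtlSeconds() {
        return this.tokenTtlSeconds;
    }

    /** Lifetime of issued access tokens, in seconds. */
    public void setTokenTtlSeconds(int tokenTtlSeconds) {
        this.tokenTtlSeconds = tokenTtlSeconds;
    }

    public Connector getConnector() {
        return this.connector;
    }

    public void setConnector(Connector connector) {
        this.connector = connector;
    }

    public HttpListenerConfig getListenerConfig() {
        return this.listenerConfig;
    }

    public void setListenerConfig(HttpListenerConfig listenerConfig) {
        this.listenerConfig = listenerConfig;
    }

    public SecurityProvider getResourceOwnerSecurityProvider() {
        return this.resourceOwnerSecurityProvider;
    }

    public void setResourceOwnerSecurityProvider(SecurityProvider resourceOwnerSecurityProvider) {
        this.resourceOwnerSecurityProvider = resourceOwnerSecurityProvider;
    }

    public SecurityProvider getClientSecurityProvider() {
        return this.clientSecurityProvider;
    }

    public void setClientSecurityProvider(SecurityProvider clientSecurityProvider) {
        this.clientSecurityProvider = clientSecurityProvider;
    }

    public boolean isEnableRefreshToken() {
        return this.enableRefreshToken;
    }

    /** Whether refresh tokens are issued and accepted by {@link #revokeToken(String)}. */
    public void setEnableRefreshToken(boolean enableRefreshToken) {
        this.enableRefreshToken = enableRefreshToken;
    }

    public String getSupportedGrantTypes() {
        return this.supportedGrantTypes;
    }

    /** Grant types the provider supports, in the textual form understood by {@code Utils.parseProviderGrantTypes}. */
    public void setSupportedGrantTypes(String supportedGrantTypes) {
        this.supportedGrantTypes = supportedGrantTypes;
    }

    public RateLimiter getRateLimiter() {
        return this.rateLimiter;
    }

    /** Sets a custom rate limiter; when left null a {@link SimpleInMemoryRateLimiter} is used. */
    public void setRateLimiter(RateLimiter rateLimiter) {
        this.rateLimiter = rateLimiter;
    }

    /** Statically configured clients, registered in the client store by {@link #generateFlows()}. */
    public void setClients(List<Client> clients) {
        this.clients = clients;
    }

    public List<Client> getClients() {
        return this.clients;
    }

    public void setObjectStoreManager(ObjectStoreManager objectStoreManager) {
        this.objectStoreManager = objectStoreManager;
    }

    public ObjectStoreManager getObjectStoreManager() {
        return this.objectStoreManager;
    }
}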
