package de.adorsys.aspsp.xs2a.connector.oauth;

import de.adorsys.psd2.aspsp.profile.service.AspspProfileService;
import de.adorsys.psd2.xs2a.core.domain.MessageCategory;
import de.adorsys.psd2.xs2a.core.error.MessageErrorCode;
import de.adorsys.psd2.xs2a.core.profile.ScaApproach;
import de.adorsys.psd2.xs2a.web.Xs2aEndpointChecker;
import de.adorsys.psd2.xs2a.web.error.TppErrorMessageWriter;
import de.adorsys.psd2.xs2a.web.filter.AbstractXs2aFilter;
import de.adorsys.psd2.xs2a.web.filter.TppErrorMessage;
import de.adorsys.psd2.xs2a.web.request.RequestPathResolver;
import java.io.IOException;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

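/**
 * Authenticates XS2A requests that are sent in OAuth mode.
 *
 * <p>The filter only acts on requests carrying the configured OAuth-mode header
 * (property {@code oauth.header-name}, default {@code X-OAUTH-PREFERRED}); every
 * other request is passed down the chain untouched. For OAuth-mode requests it
 * <ol>
 *   <li>maps the header value to an {@link OauthType} (400 {@code FORMAT_ERROR} if unknown),</li>
 *   <li>checks that the ASPSP profile supports the {@link ScaApproach#OAUTH} approach
 *       (400 {@code FORMAT_ERROR} otherwise),</li>
 *   <li>extracts the bearer token from the {@code Authorization} header,</li>
 *   <li>requires a token for pre-step OAuth (403 {@code UNAUTHORIZED_NO_TOKEN} if absent),</li>
 *   <li>validates the token with {@link TokenValidationService} whenever the OAuth type and
 *       request path require one (403 {@code TOKEN_INVALID} if rejected), and</li>
 *   <li>publishes the OAuth type and token through {@link OauthDataHolder} for downstream use.</li>
 * </ol>
 *
 * <p>Rejections are written as TPP error responses and short-circuit the chain. The token
 * value itself is never logged; only the (client-controlled) OAuth-mode header value appears
 * in diagnostics when it cannot be mapped.
 */
@Component
/* loaded from: input_file:BOOT-INF/lib/xs2a-connector-oauth-service-5.9.jar:de/adorsys/aspsp/xs2a/connector/oauth/TokenAuthenticationFilter.class */
public class TokenAuthenticationFilter extends AbstractXs2aFilter {
    private static final Logger log = LoggerFactory.getLogger(TokenAuthenticationFilter.class);
    /** Authorization scheme prefix. HTTP auth scheme names are case-insensitive, so it is matched ignoring case. */
    private static final String BEARER_TOKEN_PREFIX = "Bearer ";
    /** Path endings of the endpoints that do not require a token in integrated OAuth. */
    private static final String CONSENT_ENP_ENDING = "consents";
    private static final String FUNDS_CONF_ENP_ENDING = "funds-confirmations";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String PATH_SEPARATOR = "/";
    private final RequestPathResolver requestPathResolver;
    private final String oauthModeHeaderName;
    private final TokenValidationService tokenValidationService;
    private final AspspProfileService aspspProfileService;
    private final OauthDataHolder oauthDataHolder;
    private final TppErrorMessageWriter tppErrorMessageWriter;

    /**
     * Creates the filter.
     *
     * @param requestPathResolver    resolves the request path used to decide whether a token is required
     * @param str                    name of the request header that marks OAuth mode; injected from
     *                               {@code oauth.header-name} (default {@code X-OAUTH-PREFERRED})
     * @param xs2aEndpointChecker    passed to the base filter to restrict it to XS2A endpoints
     * @param tokenValidationService validates bearer tokens
     * @param aspspProfileService    provides SCA approaches and ASPSP settings
     * @param oauthDataHolder        receives the resolved OAuth type and token
     * @param tppErrorMessageWriter  writes TPP error responses
     */
    public TokenAuthenticationFilter(RequestPathResolver requestPathResolver, @Value("${oauth.header-name:X-OAUTH-PREFERRED}") String str, Xs2aEndpointChecker xs2aEndpointChecker, TokenValidationService tokenValidationService, AspspProfileService aspspProfileService, OauthDataHolder oauthDataHolder, TppErrorMessageWriter tppErrorMessageWriter) {
        super(tppErrorMessageWriter, xs2aEndpointChecker);
        this.requestPathResolver = requestPathResolver;
        this.oauthModeHeaderName = str;
        this.tokenValidationService = tokenValidationService;
        this.aspspProfileService = aspspProfileService;
        this.oauthDataHolder = oauthDataHolder;
        this.tppErrorMessageWriter = tppErrorMessageWriter;
    }

    /**
     * Applies the OAuth-mode checks described on the class and either continues the chain or
     * writes an error response.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response an error is written to on rejection
     * @param filterChain         the remaining chain, invoked only when the request is accepted
     * @throws IOException      if writing the response fails
     * @throws ServletException propagated from the chain
     */
    @Override // de.adorsys.psd2.xs2a.web.filter.GlobalAbstractExceptionFilter
    protected void doFilterInternalCustom(HttpServletRequest httpServletRequest, @NotNull HttpServletResponse httpServletResponse, @NotNull FilterChain filterChain) throws IOException, ServletException {
        String oauthModeHeader = httpServletRequest.getHeader(this.oauthModeHeaderName);
        if (StringUtils.isBlank(oauthModeHeader)) {
            // Not an OAuth-mode request: nothing to check here.
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        Optional<OauthType> oauthType = OauthType.getByValue(oauthModeHeader);
        if (!oauthType.isPresent()) {
            // The header value is client-controlled and is only logged for diagnostics.
            log.info("Token authentication error: unknown OAuth type {}", oauthModeHeader);
            writeTppError(httpServletResponse, HttpServletResponse.SC_BAD_REQUEST, MessageErrorCode.FORMAT_ERROR);
            return;
        }
        String bearerToken = resolveBearerToken(httpServletRequest);
        if (isInvalidOauthRequest(httpServletRequest, httpServletResponse, oauthType.get(), bearerToken)) {
            // The error response has already been written.
            return;
        }
        this.oauthDataHolder.setOauthTypeAndToken(oauthType.get(), bearerToken);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Runs the profile, presence and validity checks; on failure the error response is
     * written here and {@code true} is returned so the caller can stop.
     *
     * @param request     the incoming request
     * @param response    the response an error is written to
     * @param oauthType   the OAuth type resolved from the OAuth-mode header
     * @param bearerToken the bearer token from the {@code Authorization} header, or {@code null}
     * @return {@code true} if the request was rejected and an error has been written
     * @throws IOException if writing the response fails
     */
    private boolean isInvalidOauthRequest(HttpServletRequest request, @NotNull HttpServletResponse response, OauthType oauthType, String bearerToken) throws IOException {
        if (!this.aspspProfileService.getScaApproaches().contains(ScaApproach.OAUTH)) {
            log.info("Token authentication error: OAUTH SCA approach is not supported in the profile");
            writeTppError(response, HttpServletResponse.SC_BAD_REQUEST, MessageErrorCode.FORMAT_ERROR);
            return true;
        }
        if (oauthType == OauthType.PRE_STEP && StringUtils.isBlank(bearerToken)) {
            log.info("Token authentication error: token is absent in pre-step OAuth");
            // The OAuth configuration URL is handed back so the TPP knows where to obtain a token.
            writeTppError(response, HttpServletResponse.SC_FORBIDDEN, MessageErrorCode.UNAUTHORIZED_NO_TOKEN,
                          this.aspspProfileService.getAspspSettings().getCommon().getOauthConfigurationUrl());
            return true;
        }
        String requestPath = this.requestPathResolver.resolveRequestPath(request);
        if (isTokenRequired(oauthType, requestPath) && isTokenInvalid(bearerToken)) {
            log.info("Token authentication error: token is invalid");
            writeTppError(response, HttpServletResponse.SC_FORBIDDEN, MessageErrorCode.TOKEN_INVALID);
            return true;
        }
        return false;
    }

    /**
     * Decides whether the request must carry a valid token.
     *
     * <p>Pre-step OAuth always requires one. In integrated OAuth, consent creation,
     * funds-confirmation and payment-initiation requests (a path ending with one of the
     * payment products supported by the profile) may be sent without a token; everything
     * else requires one.
     *
     * @param oauthType   the OAuth type of the request
     * @param requestPath the resolved request path; a {@code null} path is treated as
     *                    requiring a token (fail closed)
     * @return {@code true} if a valid token is required
     */
    private boolean isTokenRequired(OauthType oauthType, String requestPath) {
        if (oauthType == OauthType.PRE_STEP) {
            return true;
        }
        String path = trimEndingSlash(StringUtils.defaultString(requestPath));
        if (path.endsWith(CONSENT_ENP_ENDING) || path.endsWith(FUNDS_CONF_ENP_ENDING)) {
            return false;
        }
        // No intermediate Set is needed: noneMatch over the flattened products gives the same answer.
        return this.aspspProfileService.getAspspSettings().getPis()
                   .getSupportedPaymentTypeAndProductMatrix().values().stream()
                   .flatMap(products -> products.stream())
                   .noneMatch(path::endsWith);
    }

    /**
     * @param bearerToken the token to validate, may be {@code null}
     * @return {@code true} if the validation service does not accept the token
     */
    private boolean isTokenInvalid(String bearerToken) {
        return this.tokenValidationService.validate(bearerToken) == null;
    }

    /**
     * Extracts the bearer token from the {@code Authorization} header.
     *
     * <p>The scheme prefix is compared case-insensitively, so the token is cut by prefix length
     * rather than with {@code substringAfter}, which is case-sensitive and would have turned a
     * {@code "bearer ..."} header into an empty token.
     *
     * @param request the incoming request
     * @return the token without the scheme prefix, or {@code null} if the header is absent,
     *         blank or does not use the Bearer scheme
     */
    private String resolveBearerToken(HttpServletRequest request) {
        return Optional.ofNullable(request.getHeader(AUTHORIZATION_HEADER))
                   .filter(StringUtils::isNotBlank)
                   .filter(header -> StringUtils.startsWithIgnoreCase(header, BEARER_TOKEN_PREFIX))
                   .map(header -> header.substring(BEARER_TOKEN_PREFIX.length()))
                   .orElse(null);
    }

    /**
     * Removes every trailing {@code /} from the path; {@code null} stays {@code null}.
     */
    private static String trimEndingSlash(String path) {
        return StringUtils.stripEnd(path, PATH_SEPARATOR);
    }

    /**
     * Writes a TPP error with the given HTTP status and message code.
     *
     * @param response         the response to write to
     * @param status           the HTTP status code
     * @param messageErrorCode the XS2A error code
     * @param args             message arguments for the error text
     * @throws IOException if writing the response fails
     */
    private void writeTppError(HttpServletResponse response, int status, MessageErrorCode messageErrorCode, Object... args) throws IOException {
        this.tppErrorMessageWriter.writeError(response, status, buildTppErrorMessage(messageErrorCode, args));
    }

    private TppErrorMessage buildTppErrorMessage(MessageErrorCode messageErrorCode, Object... objArr) {
        return new TppErrorMessage(MessageCategory.ERROR, messageErrorCode, objArr);
    }
}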
