package com.linecorp.armeria.server.auth.oauth2;

import com.linecorp.armeria.client.WebClient;
import com.linecorp.armeria.common.HttpStatus;
import com.linecorp.armeria.common.annotation.Nullable;
import com.linecorp.armeria.common.annotation.UnstableApi;
import com.linecorp.armeria.common.auth.OAuth2Token;
import com.linecorp.armeria.common.auth.oauth2.OAuth2TokenDescriptor;
import com.linecorp.armeria.common.util.UnmodifiableFuture;
import com.linecorp.armeria.internal.common.auth.oauth2.OAuth2Constants;
import com.linecorp.armeria.internal.server.auth.oauth2.TokenIntrospectionRequest;
import com.linecorp.armeria.internal.shaded.caffeine.cache.Cache;
import com.linecorp.armeria.server.ServiceRequestContext;
import com.linecorp.armeria.server.auth.AbstractAuthorizerWithHandlers;
import com.linecorp.armeria.server.auth.AuthFailureHandler;
import com.linecorp.armeria.server.auth.AuthorizationStatus;
import io.netty.util.AttributeKey;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.CompletionStage;

@UnstableApi
/* loaded from: input_file:com/linecorp/armeria/server/auth/oauth2/OAuth2TokenIntrospectionAuthorizer.class */
public final class OAuth2TokenIntrospectionAuthorizer extends AbstractAuthorizerWithHandlers<OAuth2Token> {
    static final String INVALID_TOKEN = "invalid_token";
    private final Cache<String, OAuth2TokenDescriptor> tokenCache;
    private final Set<String> permittedScope;

    @Nullable
    private final String accessTokenType;

    @Nullable
    private final String realm;
    private final TokenIntrospectionRequest tokenIntrospectionRequest;
    private final AuthFailureHandler authFailureHandler;
    private final AuthorizationStatus failureStatus;
    private final CompletionStage<AuthorizationStatus> failureStatusFuture;
    static final AttributeKey<Integer> ERROR_CODE = AttributeKey.valueOf("x-oauth2-error");
    static final AttributeKey<String> ERROR_TYPE = AttributeKey.valueOf("x-oauth2-error-type");
    private static final CompletionStage<AuthorizationStatus> SUCCESS_STATUS_FUTURE = UnmodifiableFuture.completedFuture(AuthorizationStatus.ofSuccess());

    public static OAuth2TokenIntrospectionAuthorizerBuilder builder(WebClient webClient, String str) {
        return new OAuth2TokenIntrospectionAuthorizerBuilder(webClient, str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public OAuth2TokenIntrospectionAuthorizer(Cache<String, OAuth2TokenDescriptor> cache, @Nullable String str, @Nullable String str2, Set<String> set, TokenIntrospectionRequest tokenIntrospectionRequest) {
        this.tokenCache = (Cache) Objects.requireNonNull(cache, "tokenCache");
        this.accessTokenType = str;
        this.realm = str2;
        this.permittedScope = (Set) Objects.requireNonNull(set, "permittedScope");
        this.tokenIntrospectionRequest = (TokenIntrospectionRequest) Objects.requireNonNull(tokenIntrospectionRequest, "tokenIntrospectionRequest");
        this.authFailureHandler = new OAuth2AuthorizationFailureHandler(str, str2, set.isEmpty() ? null : String.join(" ", set));
        this.failureStatus = AuthorizationStatus.ofFailure(this.authFailureHandler);
        this.failureStatusFuture = UnmodifiableFuture.completedFuture(this.failureStatus);
    }

    public Set<String> permittedScope() {
        return this.permittedScope;
    }

    @Nullable
    public String accessTokenType() {
        return this.accessTokenType;
    }

    @Nullable
    public String realm() {
        return this.realm;
    }

    public AuthFailureHandler failureHandler() {
        return this.authFailureHandler;
    }

    public CompletionStage<AuthorizationStatus> authorizeAndSupplyHandlers(ServiceRequestContext serviceRequestContext, @Nullable OAuth2Token oAuth2Token) {
        if (oAuth2Token == null) {
            return this.failureStatusFuture;
        }
        String accessToken = oAuth2Token.accessToken();
        OAuth2TokenDescriptor oAuth2TokenDescriptor = (OAuth2TokenDescriptor) this.tokenCache.getIfPresent(accessToken);
        return oAuth2TokenDescriptor != null ? validateDescriptor(serviceRequestContext, oAuth2TokenDescriptor) ? SUCCESS_STATUS_FUTURE : this.failureStatusFuture : this.tokenIntrospectionRequest.make(accessToken).thenApply(oAuth2TokenDescriptor2 -> {
            if (!authorizeNewDescriptor(serviceRequestContext, oAuth2TokenDescriptor2)) {
                return this.failureStatus;
            }
            this.tokenCache.put(accessToken, oAuth2TokenDescriptor2);
            return validateDescriptor(serviceRequestContext, oAuth2TokenDescriptor2) ? AuthorizationStatus.ofSuccess() : this.failureStatus;
        });
    }

    private boolean validateDescriptor(ServiceRequestContext serviceRequestContext, OAuth2TokenDescriptor oAuth2TokenDescriptor) {
        if (oAuth2TokenDescriptor.isValid()) {
            OAuth2TokenScopeValidator.setOauth2Context(serviceRequestContext, oAuth2TokenDescriptor, this.realm);
            return true;
        }
        serviceRequestContext.setAttr(ERROR_CODE, Integer.valueOf(HttpStatus.UNAUTHORIZED.code()));
        serviceRequestContext.setAttr(ERROR_TYPE, INVALID_TOKEN);
        return false;
    }

    private boolean authorizeNewDescriptor(ServiceRequestContext serviceRequestContext, OAuth2TokenDescriptor oAuth2TokenDescriptor) {
        if (!oAuth2TokenDescriptor.isActive()) {
            serviceRequestContext.setAttr(ERROR_CODE, Integer.valueOf(HttpStatus.UNAUTHORIZED.code()));
            serviceRequestContext.setAttr(ERROR_TYPE, INVALID_TOKEN);
            return false;
        }
        if (this.accessTokenType != null && !this.accessTokenType.equalsIgnoreCase(oAuth2TokenDescriptor.tokenType())) {
            serviceRequestContext.setAttr(ERROR_CODE, Integer.valueOf(HttpStatus.BAD_REQUEST.code()));
            serviceRequestContext.setAttr(ERROR_TYPE, OAuth2Constants.UNSUPPORTED_TOKEN_TYPE);
            return false;
        }
        if (!oAuth2TokenDescriptor.isNotBefore()) {
            serviceRequestContext.setAttr(ERROR_CODE, Integer.valueOf(HttpStatus.UNAUTHORIZED.code()));
            serviceRequestContext.setAttr(ERROR_TYPE, INVALID_TOKEN);
            return false;
        }
        boolean validateScope = OAuth2TokenScopeValidator.validateScope(oAuth2TokenDescriptor, this.permittedScope);
        if (!validateScope) {
            serviceRequestContext.setAttr(ERROR_CODE, Integer.valueOf(HttpStatus.FORBIDDEN.code()));
            serviceRequestContext.setAttr(ERROR_TYPE, "insufficient_scope");
        }
        return validateScope;
    }
}
