package com.networknt.aws.lambda;

import com.amazonaws.services.lambda.runtime.events.APIGatewayProxyRequestEvent;
import com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent;
import com.networknt.oas.model.Operation;
import com.networknt.oas.model.Path;
import com.networknt.oas.model.SecurityParameter;
import com.networknt.oas.model.SecurityRequirement;
import com.networknt.openapi.ApiNormalisedPath;
import com.networknt.openapi.NormalisedPath;
import com.networknt.openapi.OpenApiHelper;
import com.networknt.utility.StringUtils;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Scanner;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/aws/lambda/ScopeVerifier.class */
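/**
 * Checks the OAuth2 scopes supplied by the API Gateway authorizer against the scopes that the
 * bundled {@code openapi.yaml} specification declares for the requested endpoint.
 *
 * <p>{@link #verifyScope} returns an error response when the check fails and {@code null} when it
 * has no objection. How the caller treats {@code null} is not visible in this class; presumably
 * it continues processing the request (confirm against the caller).
 */
public class ScopeVerifier {
    static final Logger logger = LoggerFactory.getLogger(ScopeVerifier.class);
    static final String STATUS_AUTH_TOKEN_SCOPE_MISMATCH = "ERR10005";
    static final String STATUS_SCOPE_TOKEN_SCOPE_MISMATCH = "ERR10006";
    static final String STATUS_INVALID_REQUEST_PATH = "ERR10007";
    static final String STATUS_METHOD_NOT_ALLOWED = "ERR10008";
    static final String STATUS_MISSING_GATEWAY_AUTHORIZER = "ERR10061";
    static final String STATUS_MISSING_PRIMARY_SCOPES = "ERR10062";

    /** Classpath resource holding the OpenAPI specification used for scope lookup. */
    private static final String SPEC_RESOURCE = "openapi.yaml";

    /**
     * Verifies that the caller's token scopes satisfy the scopes required by the matched
     * OpenAPI operation.
     *
     * <p>As a side effect, on a successful path/method match the authorizer map is enriched with
     * an {@code endpoint} entry of the form {@code <normalised path>@<lowercase method>}.
     *
     * <p>When a {@code secondary_scopes} entry is present in the authorizer map it is the only
     * scope set that is checked; {@code primary_scopes} is then required to exist but is not
     * compared against the specification.
     *
     * @param aPIGatewayProxyRequestEvent the incoming API Gateway proxy request
     * @return {@code null} when verification passes or is skipped; otherwise a 401, 403, 404 or
     *     405 response carrying one of the {@code STATUS_*} codes
     * @throws IllegalStateException if the specification resource is missing or empty
     */
    public APIGatewayProxyResponseEvent verifyScope(APIGatewayProxyRequestEvent aPIGatewayProxyRequestEvent) {
        APIGatewayProxyRequestEvent.ProxyRequestContext requestContext = aPIGatewayProxyRequestEvent.getRequestContext();
        if (requestContext == null) {
            // NOTE(review): a request without a context skips verification entirely (fail-open).
            // Kept for compatibility; confirm callers never reach this with untrusted traffic.
            return null;
        }
        Map<String, Object> authorizer = requestContext.getAuthorizer();
        if (authorizer == null) {
            logger.error("Authorizer enriched context is missing");
            return createErrorResponse(401, STATUS_MISSING_GATEWAY_AUTHORIZER);
        }
        String primaryScopes = (String) authorizer.get("primary_scopes");
        if (primaryScopes == null) {
            logger.error("Scopes from the JWT token in Authorization header are missing");
            return createErrorResponse(401, STATUS_MISSING_PRIMARY_SCOPES);
        }
        String[] primaryScopeArray = StringUtils.split(primaryScopes, ' ');

        OpenApiHelper openApiHelper = new OpenApiHelper(loadSpecification());
        if (openApiHelper.openApi3 == null) {
            // NOTE(review): an unparsed specification also skips verification (fail-open).
            // Kept for compatibility; consider rejecting the request instead.
            return null;
        }

        String path = aPIGatewayProxyRequestEvent.getPath();
        Optional<NormalisedPath> matchingApiPath = openApiHelper.findMatchingApiPath(new ApiNormalisedPath(path, openApiHelper.basePath));
        if (!matchingApiPath.isPresent()) {
            // The path is attacker-controlled: neutralise line breaks before logging it.
            logger.error("Invalid request path {}", sanitizeForLog(path));
            return createErrorResponse(404, STATUS_INVALID_REQUEST_PATH);
        }
        NormalisedPath normalisedPath = matchingApiPath.get();
        Path specPath = openApiHelper.openApi3.getPath(normalisedPath.original());
        // Locale.ROOT keeps the lookup key stable regardless of the JVM default locale
        // (a Turkish default locale would otherwise lower-case 'I' to a dotless 'ı').
        String method = aPIGatewayProxyRequestEvent.getHttpMethod().toLowerCase(Locale.ROOT);
        Operation operation = specPath.getOperation(method);
        if (operation == null) {
            logger.error("Method {} is not allowed", sanitizeForLog(method));
            return createErrorResponse(405, STATUS_METHOD_NOT_ALLOWED);
        }
        authorizer.put("endpoint", normalisedPath.normalised() + "@" + method);

        List<String> specScopes = findSpecScopes(openApiHelper, operation);

        String secondaryScopes = (String) authorizer.get("secondary_scopes");
        if (secondaryScopes != null) {
            if (matchedScopes(StringUtils.split(secondaryScopes, ' '), specScopes)) {
                return null;
            }
            logger.error("Scopes {} in scope token and spec scopes {} are not matched", sanitizeForLog(secondaryScopes), specScopes);
            return createErrorResponse(403, STATUS_SCOPE_TOKEN_SCOPE_MISMATCH);
        }
        if (matchedScopes(primaryScopeArray, specScopes)) {
            return null;
        }
        logger.error("Scopes {} in authorization token and spec scopes {} are not matched", sanitizeForLog(primaryScopes), specScopes);
        return createErrorResponse(403, STATUS_AUTH_TOKEN_SCOPE_MISMATCH);
    }

    /**
     * Reads the whole specification resource as UTF-8 text and closes the underlying stream.
     *
     * @throws IllegalStateException if the resource is not on the classpath or has no content
     */
    private static String loadSpecification() {
        InputStream specStream = ScopeVerifier.class.getClassLoader().getResourceAsStream(SPEC_RESOURCE);
        if (specStream == null) {
            // Refuse to continue rather than fail later with an unexplained NullPointerException.
            throw new IllegalStateException("Specification resource " + SPEC_RESOURCE + " not found on the classpath");
        }
        // Closing the Scanner also closes the stream it wraps.
        try (Scanner scanner = new Scanner(specStream, StandardCharsets.UTF_8)) {
            scanner.useDelimiter("\\A");
            if (!scanner.hasNext()) {
                throw new IllegalStateException("Specification resource " + SPEC_RESOURCE + " is empty");
            }
            return scanner.next();
        }
    }

    /**
     * Returns the scopes of the first security requirement of {@code operation} that uses one of
     * the helper's OAuth2 scheme names, or {@code null} when none declares a scope list.
     */
    private static List<String> findSpecScopes(OpenApiHelper openApiHelper, Operation operation) {
        List<SecurityRequirement> securityRequirements = operation.getSecurityRequirements();
        if (securityRequirements == null) {
            return null;
        }
        for (SecurityRequirement securityRequirement : securityRequirements) {
            SecurityParameter securityParameter = null;
            for (String oauth2Name : openApiHelper.oauth2Names) {
                securityParameter = securityRequirement.getRequirement(oauth2Name);
                if (securityParameter != null) {
                    break;
                }
            }
            if (securityParameter != null) {
                List<String> scopes = securityParameter.getParameters();
                if (scopes != null) {
                    return scopes;
                }
            }
        }
        return null;
    }

    /** Replaces CR and LF so request-derived values cannot forge additional log lines. */
    private static String sanitizeForLog(String value) {
        return value == null ? null : value.replace('\r', '_').replace('\n', '_');
    }

    /**
     * Builds a JSON error response.
     *
     * @param i the HTTP status code, also echoed in the body
     * @param str the error code placed in the body; callers in this class pass only the
     *     {@code STATUS_*} constants, so it is concatenated without JSON escaping
     */
    private APIGatewayProxyResponseEvent createErrorResponse(int i, String str) {
        Map<String, String> headers = new HashMap<>();
        headers.put("Content-Type", "application/json");
        String body = "{\"statusCode\":" + i + ",\"code\":\"" + str + "\"}";
        return new APIGatewayProxyResponseEvent().withHeaders(headers).withStatusCode(Integer.valueOf(i)).withBody(body);
    }

    /**
     * Decides whether the token scopes satisfy the specification scopes.
     *
     * @param strArr scopes carried by the token; may be {@code null}
     * @param collection scopes declared by the specification; may be {@code null}
     * @return {@code true} when the specification declares no scopes, or when at least one
     *     declared scope is present in the token; {@code false} otherwise
     */
    private boolean matchedScopes(String[] strArr, Collection<String> collection) {
        if (collection == null || collection.isEmpty()) {
            // No scope declared for the operation: nothing to enforce.
            return true;
        }
        if (strArr == null || strArr.length == 0) {
            return false;
        }
        List<String> tokenScopes = Arrays.asList(strArr);
        for (String specScope : collection) {
            if (tokenScopes.contains(specScope)) {
                return true;
            }
        }
        return false;
    }
}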
