package de.adorsys.oauth.server;

import com.nimbusds.jose.util.Base64;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.PlainClientSecret;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

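/**
 * Servlet filter guarding the token and revocation endpoints.
 *
 * A request only reaches {@code /api/token} or {@code /api/revoke} if the OAuth
 * client authenticated with a client id and a <em>plain</em> client secret
 * (HTTP Basic, or {@code client_id}/{@code client_secret} form parameters) and the
 * configured JAAS security domain accepted that pair. Any other client
 * authentication method, a missing or malformed credential, or a rejected login
 * yields {@code 401} with a {@code WWW-Authenticate: Basic} challenge.
 *
 * Servlet context init parameters:
 * <ul>
 *   <li>{@code clientCredentialsSecurityDomain} - JAAS login configuration name,
 *       default {@code "client-auth"}.</li>
 *   <li>{@code checkClientCredentialsOnTokenRevoke} - the literal {@code "false"}
 *       disables the check for {@code /api/revoke} only; any other value or absence
 *       keeps it enabled (fail closed).</li>
 * </ul>
 */
@WebFilter(urlPatterns = {"/api/token", "/api/revoke"}, dispatcherTypes = {DispatcherType.REQUEST, DispatcherType.FORWARD})
/* loaded from: input_file:WEB-INF/lib/oauth-server-0.27.jar:de/adorsys/oauth/server/ClientCredentialsCheckFilter.class */
public class ClientCredentialsCheckFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(ClientCredentialsCheckFilter.class);
    private static final String DEFAULT_SECURITY_DOMAIN = "client-auth";
    private static final String REVOKE_PATH = "/api/revoke";
    private static final String BASIC_PREFIX = "Basic ";

    private String clientSecurityDomain = DEFAULT_SECURITY_DOMAIN;
    private boolean checkClientCredentialsOnTokenRevoke;

    /**
     * Reads the security domain name and the revoke-check switch from the servlet context.
     *
     * @param filterConfig container-supplied configuration
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String configuredDomain = filterConfig.getServletContext().getInitParameter("clientCredentialsSecurityDomain");
        this.clientSecurityDomain = configuredDomain != null ? configuredDomain : DEFAULT_SECURITY_DOMAIN;
        // Fail closed: only the exact string "false" turns the revoke check off.
        String revokeSwitch = filterConfig.getServletContext().getInitParameter("checkClientCredentialsOnTokenRevoke");
        this.checkClientCredentialsOnTokenRevoke = !"false".equals(revokeSwitch);
    }

    /**
     * Lets the request through when the client credentials verify, otherwise answers
     * 401 with a Basic challenge and a short plain-text body.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (verifyClientCredentials(request)) {
            filterChain.doFilter(request, response);
            return;
        }
        response.setStatus(HTTPResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "Basic realm=\"oauth\"");
        response.getWriter().write("client authentification failed");
    }

    @Override
    public void destroy() {
        // No resources are held between requests.
    }

    /**
     * Decides whether the request carries acceptable client credentials.
     *
     * @return {@code true} if the check is disabled for this path or the JAAS login
     *         succeeded; {@code false} for absent, malformed, unsupported or rejected credentials
     * @throws IOException if the servlet request body cannot be read
     */
    private boolean verifyClientCredentials(HttpServletRequest request) throws IOException {
        // Path-based bypass, only when explicitly configured via checkClientCredentialsOnTokenRevoke=false.
        if (!this.checkClientCredentialsOnTokenRevoke && request.getRequestURI().endsWith(REVOKE_PATH)) {
            return true;
        }
        ClientAuthentication clientAuth;
        try {
            clientAuth = ClientAuthentication.parse(FixedServletUtils.createHTTPRequest(request));
        } catch (ParseException e) {
            // A malformed Authorization header or body is a client error; answer 401
            // like any other bad credential instead of surfacing an IOException (500).
            LOG.debug("unparseable client authentication", e);
            return false;
        }
        // parse() yields null when no client authentication is present at all; only the
        // shared-secret methods (client_secret_basic / client_secret_post) are supported here.
        if (!(clientAuth instanceof PlainClientSecret)) {
            return false;
        }
        PlainClientSecret credentials = (PlainClientSecret) clientAuth;
        return loginToSecurityDomain(credentials.getClientID().getValue(), credentials.getClientSecret().getValue());
    }

    /**
     * Runs a JAAS login against the configured security domain with the given pair
     * and logs out again immediately; only the yes/no answer is used.
     *
     * @param clientId     client identifier, attacker-controlled, safe to log
     * @param clientSecret client secret, must never be logged
     */
    private boolean loginToSecurityDomain(final String clientId, final String clientSecret) {
        CallbackHandler callbackHandler = new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                // Unknown callback types are deliberately ignored rather than rejected.
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName(clientId);
                    } else if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword(clientSecret.toCharArray());
                    }
                }
            }
        };
        try {
            LoginContext loginContext = new LoginContext(this.clientSecurityDomain, new Subject(), callbackHandler);
            loginContext.login();
            loginContext.logout();
            return true;
        } catch (LoginException e) {
            // Failed logins are attacker-triggerable: keep them at WARN with the client id only
            // (no secret), and the full stack trace at DEBUG.
            LOG.warn("client authentication against security domain {} failed for client_id {}: {}",
                    this.clientSecurityDomain, clientId, e.getMessage());
            LOG.debug("security domain login failure", e);
            return false;
        }
    }

    /**
     * Extracts {@code {clientId, clientSecret}} from an HTTP Basic header or, failing
     * that, from {@code client_id}/{@code client_secret} form parameters.
     * Not called by the filter itself; kept for compatibility.
     *
     * @return the pair, a pair with an empty secret for a Basic value without ':',
     *         or {@code null} if neither source is present
     */
    private String[] getNamePassword(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith(BASIC_PREFIX)) {
            String decoded = new Base64(header.substring(BASIC_PREFIX.length())).decodeToString();
            // Split only at the first ':' so a secret containing ':' is preserved, and an
            // empty secret ("id:") still yields two elements.
            int separator = decoded.indexOf(':');
            if (separator < 0) {
                return new String[]{decoded, ""};
            }
            return new String[]{decoded.substring(0, separator), decoded.substring(separator + 1)};
        }
        // getContentType() is null when the request has no body.
        String contentType = request.getContentType();
        if (contentType == null || !contentType.contains("application/x-www-form-urlencoded")) {
            return null;
        }
        String clientId = request.getParameter("client_id");
        String clientSecret = request.getParameter("client_secret");
        if (clientId == null || clientSecret == null) {
            return null;
        }
        return new String[]{clientId, clientSecret};
    }
}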
