package org.forgerock.opendj.rest2ldap.authz;

import java.net.URI;
import java.util.HashMap;
import java.util.Set;
import org.forgerock.http.Filter;
import org.forgerock.http.Handler;
import org.forgerock.http.filter.Filters;
import org.forgerock.http.oauth2.AccessTokenInfo;
import org.forgerock.http.oauth2.AccessTokenResolver;
import org.forgerock.http.oauth2.OAuth2Context;
import org.forgerock.http.oauth2.ResourceAccess;
import org.forgerock.http.oauth2.ResourceServerFilter;
import org.forgerock.http.protocol.Headers;
import org.forgerock.http.protocol.Request;
import org.forgerock.http.protocol.Response;
import org.forgerock.http.protocol.ResponseException;
import org.forgerock.http.protocol.Status;
import org.forgerock.opendj.ldap.ConnectionFactory;
import org.forgerock.opendj.rest2ldap.authz.ConditionalFilters;
import org.forgerock.services.context.Context;
import org.forgerock.services.context.SecurityContext;
import org.forgerock.util.Function;
import org.forgerock.util.Pair;
import org.forgerock.util.Reject;
import org.forgerock.util.promise.NeverThrowsException;
import org.forgerock.util.promise.Promise;
import org.forgerock.util.promise.Promises;
import org.forgerock.util.time.TimeService;

/* loaded from: input_file:org/forgerock/opendj/rest2ldap/authz/Authorization.class */
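/**
 * Static factories for the HTTP filters and OAuth2 access token resolvers that Rest2Ldap uses to
 * authenticate and authorize incoming requests.
 *
 * <p>This listing is decompiler output: parameter names such as {@code str} and {@code str2} are
 * synthetic and are kept as they appear so that the signatures stay unchanged.
 */
public final class Authorization {
    /** Name of the HTTP header whose presence triggers the conditional OAuth2 filter. */
    private static final String OAUTH2_AUTHORIZATION_HEADER = "Authorization";

    /**
     * Creates the filter that wraps the given conditional filters.
     *
     * @param iterable the candidate conditional filters; how they are selected is decided by
     *     {@code AuthorizationFilter}, which is not visible here. NOTE(review): the order of this
     *     iterable presumably decides which filter handles a request - confirm.
     * @return a new {@code AuthorizationFilter}
     */
    public static Filter newAuthorizationFilter(Iterable<? extends ConditionalFilters.ConditionalFilter> iterable) {
        return new AuthorizationFilter(iterable);
    }

    /**
     * Creates an HTTP Basic authentication filter that applies only when credentials can be
     * extracted from the request headers.
     *
     * @param authenticationStrategy the strategy handed to {@code HttpBasicAuthenticationFilter}
     * @param function extracts a pair from the request headers (presumably user name and
     *     password - confirm); a {@code null} result means the filter does not apply
     * @return the conditional filter
     */
    public static ConditionalFilters.ConditionalFilter newConditionalHttpBasicAuthenticationFilter(AuthenticationStrategy authenticationStrategy, final Function<Headers, Pair<String, String>, NeverThrowsException> function) {
        final Filter basicAuthFilter = new HttpBasicAuthenticationFilter(authenticationStrategy, function);
        final ConditionalFilters.Condition hasCredentials = new ConditionalFilters.Condition() {
            @Override
            public boolean canApplyFilter(Context context, Request request) {
                return function.apply(request.getHeaders()) != null;
            }
        };
        return ConditionalFilters.newConditionalFilter(basicAuthFilter, hasCredentials);
    }

    /**
     * Wraps a {@code DirectConnectionFilter} built on the given connection factory as a
     * conditional filter.
     *
     * <p>NOTE(review): the condition comes from {@code ConditionalFilters.asConditionalFilter}
     * and is not visible here. If it always applies, this filter should be ordered after the
     * authenticating filters so that it cannot pre-empt them - confirm.
     *
     * @param connectionFactory the factory handed to {@code DirectConnectionFilter}
     * @return the conditional filter
     */
    public static ConditionalFilters.ConditionalFilter newConditionalDirectConnectionFilter(ConnectionFactory connectionFactory) {
        return ConditionalFilters.asConditionalFilter(new DirectConnectionFilter(connectionFactory));
    }

    /**
     * Creates a {@code ProxiedAuthV2Filter} backed by the given connection factory.
     *
     * @param connectionFactory the factory handed to {@code ProxiedAuthV2Filter}
     * @return the new filter
     */
    public static Filter newProxyAuthorizationFilter(ConnectionFactory connectionFactory) {
        return new ProxiedAuthV2Filter(connectionFactory);
    }

    /**
     * Creates an {@code Rfc7662AccessTokenResolver}.
     *
     * @param handler the HTTP handler handed to the resolver
     * @param uri the URI handed to the resolver (presumably the introspection endpoint - confirm)
     * @param str first string argument (presumably the client id - confirm)
     * @param str2 second string argument (presumably the client secret - confirm; if so it must
     *     not be logged)
     * @return the new resolver
     */
    public static AccessTokenResolver newRfc7662AccessTokenResolver(Handler handler, URI uri, String str, String str2) {
        return new Rfc7662AccessTokenResolver(handler, uri, str, str2);
    }

    /**
     * Creates a {@code CtsAccessTokenResolver}.
     *
     * @param connectionFactory the factory handed to the resolver
     * @param str string argument handed to the resolver (presumably a base DN - confirm)
     * @return the new resolver
     */
    public static AccessTokenResolver newCtsAccessTokenResolver(ConnectionFactory connectionFactory, String str) {
        return new CtsAccessTokenResolver(connectionFactory, str);
    }

    /**
     * Creates a {@code FileAccessTokenResolver}.
     *
     * @param str string argument handed to the resolver (presumably a token directory - confirm)
     * @return the new resolver
     */
    public static AccessTokenResolver newFileAccessTokenResolver(String str) {
        return new FileAccessTokenResolver(str);
    }

    /**
     * Creates an OAuth2 resource server filter; see
     * {@link #createResourceServerFilter(String, Set, AccessTokenResolver, String)} for the
     * argument checks.
     *
     * @param str the realm
     * @param set the scopes required on every request
     * @param accessTokenResolver resolves the presented access token
     * @param str2 the authorization id template
     * @return the filter chain
     */
    public static Filter newOAuth2ResourceServerFilter(String str, Set<String> set, AccessTokenResolver accessTokenResolver, String str2) {
        return createResourceServerFilter(str, set, accessTokenResolver, str2);
    }

    /**
     * Creates an OAuth2 resource server filter that applies only to requests carrying an
     * {@code Authorization} header.
     *
     * <p>The condition checks that the header is present, not which scheme it carries, so a
     * request using another scheme also matches. The arguments are validated when
     * {@code getFilter()} is called, not when this factory method returns.
     *
     * @param str the realm
     * @param set the scopes required on every request
     * @param accessTokenResolver resolves the presented access token
     * @param str2 the authorization id template
     * @return the conditional filter
     */
    public static ConditionalFilters.ConditionalFilter newConditionalOAuth2ResourceServerFilter(final String str, final Set<String> set, final AccessTokenResolver accessTokenResolver, final String str2) {
        return new ConditionalFilters.ConditionalFilter() {
            @Override
            public Filter getFilter() {
                return Authorization.createResourceServerFilter(str, set, accessTokenResolver, str2);
            }

            @Override
            public ConditionalFilters.Condition getCondition() {
                return new ConditionalFilters.Condition() {
                    @Override
                    public boolean canApplyFilter(Context context, Request request) {
                        // Presence check only: the scheme of the header is not inspected here.
                        return request.getHeaders().containsKey(OAUTH2_AUTHORIZATION_HEADER);
                    }
                };
            }
        };
    }

    /**
     * Builds the chain of a {@code ResourceServerFilter} followed by the filter that injects the
     * security context.
     *
     * <p>The decompiler reports that this method was private in the original class and widened
     * it for the anonymous class above; it does nothing that
     * {@link #newOAuth2ResourceServerFilter} does not already expose.
     *
     * @param str the realm; must not be null or empty
     * @param set the scopes required on every request; must not be null or empty
     * @param accessTokenResolver resolves the presented access token; must not be null
     * @param str2 the authorization id template; must not be null or empty
     * @return the filter chain
     */
    public static Filter createResourceServerFilter(String str, final Set<String> set, AccessTokenResolver accessTokenResolver, String str2) {
        Reject.ifTrue(str == null || str.isEmpty(), "realm must not be empty");
        Reject.ifNull(accessTokenResolver, "Access token resolver must not be null");
        Reject.ifTrue(set == null || set.isEmpty(), "scopes set can not be empty");
        Reject.ifTrue(str2 == null || str2.isEmpty(), "Authz id template must not be empty");
        // The same scope set is required for every request, whatever the context or request.
        final ResourceAccess requiredScopes = new ResourceAccess() {
            @Override
            public Set<String> getRequiredScopes(Context context, Request request) throws ResponseException {
                return set;
            }
        };
        final Filter resourceServerFilter =
                new ResourceServerFilter(accessTokenResolver, TimeService.SYSTEM, requiredScopes, str);
        return Filters.chainOf(resourceServerFilter, createSecurityContextInjectionFilter(str2));
    }

    /**
     * Creates the filter that turns the resolved access token into a {@code SecurityContext}
     * for the rest of the chain.
     *
     * @param str the authorization id template, parsed once when the filter is created
     * @return the injecting filter
     */
    private static Filter createSecurityContextInjectionFilter(String str) {
        final AuthzIdTemplate authzIdTemplate = new AuthzIdTemplate(str);
        return new Filter() {
            @Override
            public Promise<Response, NeverThrowsException> filter(Context context, Request request, Handler handler) {
                final AccessTokenInfo accessToken = context.asContext(OAuth2Context.class).getAccessToken();
                final HashMap<String, Object> authorization = new HashMap<>(1);
                try {
                    // The decompiler rendered the captured template as "AuthzIdTemplate.this",
                    // which is not valid in this anonymous class; the captured local is used.
                    authorization.put(authzIdTemplate.getSecurityContextID(),
                            authzIdTemplate.formatAsAuthzId(accessToken.asJsonValue()));
                    // The raw token string is passed as the second SecurityContext argument
                    // (presumably the authentication id - confirm), so downstream code must
                    // treat that value as a credential and keep it out of logs.
                    return handler.handle(
                            new SecurityContext(context, accessToken.getToken(), authorization), request);
                } catch (IllegalArgumentException e) {
                    // Fail closed: the request is answered with a 500 instead of continuing
                    // without an authorization id. The try also covers handler.handle(), so an
                    // IllegalArgumentException thrown synchronously downstream ends up here too.
                    return Promises.newResultPromise(new Response(Status.INTERNAL_SERVER_ERROR).setCause(e));
                }
            }
        };
    }

    /** Not instantiable: this class only holds static factories. */
    private Authorization() {
    }
}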
