package leap.oauth2.webapp.authc;

import leap.core.annotation.Inject;
import leap.core.security.token.TokenVerifyException;
import leap.core.web.RequestIgnore;
import leap.lang.intercepting.State;
import leap.lang.logging.Log;
import leap.lang.logging.LogFactory;
import leap.oauth2.webapp.OAuth2Config;
import leap.oauth2.webapp.OAuth2ErrorHandler;
import leap.oauth2.webapp.OAuth2ResponseException;
import leap.oauth2.webapp.Oauth2InvalidTokenException;
import leap.oauth2.webapp.token.Token;
import leap.oauth2.webapp.token.TokenExtractor;
import leap.web.App;
import leap.web.Request;
import leap.web.Response;
import leap.web.security.SecurityInterceptor;
import leap.web.security.authc.AuthenticationContext;
import leap.web.security.csrf.CSRF;

/* loaded from: input_file:leap/oauth2/webapp/authc/OAuth2AuthenticationInterceptor.class */
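/**
 * Security interceptor that resolves the request's authentication from an OAuth2 access token.
 *
 * <p>When a token is present and the authenticator accepts it, the resulting
 * {@link OAuth2Authentication} is stored on the {@link AuthenticationContext}. Requests without a
 * token, or matching one of the configured skip rules, pass through untouched so that later
 * stages can decide how to treat them.
 */
public class OAuth2AuthenticationInterceptor implements SecurityInterceptor {
    private static final Log log = LogFactory.get((Class<?>) OAuth2AuthenticationInterceptor.class);

    /** Number of leading token characters kept in log output for correlation. */
    private static final int LOGGED_TOKEN_PREFIX_LENGTH = 4;

    /** Tokens at or below this length are fully redacted, since a prefix would reveal too much. */
    private static final int MIN_TOKEN_LENGTH_FOR_PREFIX = 8;

    @Inject
    protected App app;

    @Inject
    protected OAuth2Config config;

    @Inject
    protected TokenExtractor tokenExtractor;

    @Inject
    protected OAuth2ErrorHandler errorHandler;

    @Inject
    protected OAuth2Authenticator authenticator;

    /**
     * Attempts token-based authentication before the regular authentication resolution runs.
     *
     * @param request the incoming request
     * @param response the response, written to only when an error is reported to the client
     * @param authenticationContext receives the authentication on success
     * @return {@link State#CONTINUE} when processing should go on (OAuth2 disabled, request
     *     skipped, no token, token rejected without an exception, or authentication stored);
     *     {@link State#INTERCEPTED} when an error response has been handed to the error handler
     * @throws Throwable declared by the interface; failures raised while authenticating are
     *     caught and reported through the error handler instead
     */
    @Override // leap.web.security.SecurityInterceptor
    public State preResolveAuthentication(Request request, Response response, AuthenticationContext authenticationContext) throws Throwable {
        if (!this.config.isEnabled()) {
            return State.CONTINUE;
        }

        // Application-level skip list: token authentication is bypassed for these paths.
        // NOTE(review): this is an exact string comparison; confirm request.getPath() is
        // normalised the same way the router resolves paths, so the skip list and the routing
        // cannot disagree about which handler a request reaches.
        Object attribute = this.app.getAttribute("oauth2.skipTokenAuthenticateUrl");
        if (attribute instanceof String[]) {
            for (String str : (String[]) attribute) {
                if (request.getPath().equals(str)) {
                    return State.CONTINUE;
                }
            }
        }

        // Configured ignore rules bypass token authentication as well.
        for (RequestIgnore requestIgnore : this.config.getIgnores()) {
            if (requestIgnore.matches(request)) {
                return State.CONTINUE;
            }
        }

        Token extractTokenFromRequest = this.tokenExtractor.extractTokenFromRequest(request);
        if (null == extractTokenFromRequest) {
            // No token: nothing is set on the context; access control is left to later stages.
            return State.CONTINUE;
        }

        try {
            OAuth2Authentication authenticate = this.authenticator.authenticate(extractTokenFromRequest);
            if (null == authenticate) {
                // Never write the raw bearer token to the log: a token rejected here may still be
                // valid elsewhere (another issuer, or a near-miss of a live token), and log files
                // are usually readable by far more people than the token store is.
                log.warn("Invalid access token '{}'", maskToken(extractTokenFromRequest.getToken()));
                return State.CONTINUE;
            }
            authenticationContext.setAuthentication(authenticate);
            // CSRF protection is switched off for token-authenticated requests.
            // NOTE(review): that is only sound if the token cannot arrive through a channel the
            // browser attaches automatically (e.g. a cookie) - confirm against TokenExtractor.
            CSRF.ignore(request.getServletRequest());
            return State.CONTINUE;
        } catch (TokenVerifyException e) {
            // NOTE(review): the exception message is passed to the error handler; confirm it
            // carries no verifier internals before it reaches the client.
            this.errorHandler.handleInvalidToken(request, response, e.getMessage());
            return State.INTERCEPTED;
        } catch (OAuth2ResponseException e2) {
            // An invalid token on a path that allows anonymous access is not an error: the
            // request proceeds without an authentication instead of being rejected.
            if ((e2 instanceof Oauth2InvalidTokenException) && null != authenticationContext.getSecuredPath() && authenticationContext.getSecuredPath().isAllowAnonymous()) {
                return State.CONTINUE;
            }
            this.errorHandler.responseError(request, response, e2.getStatus(), e2.getError(), e2.getMessage());
            return State.INTERCEPTED;
        } catch (Throwable th) {
            // Fail closed: any unexpected failure stops the request rather than letting it
            // continue unauthenticated.
            log.error("Error resolving authentication from access token : {}", th.getMessage(), th);
            this.errorHandler.handleServerError(request, response, th);
            return State.INTERCEPTED;
        }
    }

    /**
     * Produces a log-safe representation of an access token.
     *
     * <p>Only a short prefix and the length are kept, which is enough to correlate log lines
     * without making the log a source of usable credentials.
     *
     * @param token the raw token value, may be {@code null}
     * @return a redacted form that never contains the full token
     */
    private static String maskToken(String token) {
        if (token == null) {
            return "<null>";
        }
        int length = token.length();
        if (length <= MIN_TOKEN_LENGTH_FOR_PREFIX) {
            return "***(len=" + length + ")";
        }
        return token.substring(0, LOGGED_TOKEN_PREFIX_LENGTH) + "***(len=" + length + ")";
    }
}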
