package io.gravitee.gateway.security.oauth2.policy;

import io.gravitee.gateway.api.ExecutionContext;
import io.gravitee.gateway.api.Request;
import io.gravitee.gateway.api.Response;
import io.gravitee.gateway.policy.AbstractPolicy;
import io.gravitee.gateway.policy.PolicyException;
import io.gravitee.policy.api.PolicyChain;
import io.gravitee.policy.api.PolicyResult;
import io.gravitee.reporter.api.http.SecurityType;
import io.gravitee.repository.exceptions.TechnicalException;
import io.gravitee.repository.management.api.SubscriptionRepository;
import io.gravitee.repository.management.api.search.SubscriptionCriteria;
import io.gravitee.repository.management.model.Subscription;
import java.util.Collections;
import java.util.Date;
import java.util.List;

/* loaded from: input_file:io/gravitee/gateway/security/oauth2/policy/CheckSubscriptionPolicy.class */
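/**
 * Gateway policy that lets a request through only when the client id found in
 * the execution context has an {@code ACCEPTED}, non-expired subscription to
 * the API being called.
 *
 * <p>The client id is read from the {@value #CONTEXT_ATTRIBUTE_CLIENT_ID}
 * context attribute and is trusted as-is: this class performs no token
 * validation of its own. NOTE(review): presumably an earlier OAuth2 policy
 * validates the access token and sets that attribute; confirm that nothing
 * request-controlled can write it.
 *
 * <p>Every failure path answers 401 and stops the chain, so the policy fails
 * closed.
 */
public class CheckSubscriptionPolicy extends AbstractPolicy {
    static final String CONTEXT_ATTRIBUTE_CLIENT_ID = "oauth.client_id";
    static final String BEARER_AUTHORIZATION_TYPE = "Bearer";
    private static final String OAUTH2_ERROR_ACCESS_DENIED = "access_denied";
    private static final String OAUTH2_ERROR_SERVER_ERROR = "server_error";
    static final String GATEWAY_OAUTH2_ACCESS_DENIED_KEY = "GATEWAY_OAUTH2_ACCESS_DENIED";
    static final String GATEWAY_OAUTH2_SERVER_ERROR_KEY = "GATEWAY_OAUTH2_SERVER_ERROR";
    static final String GATEWAY_OAUTH2_INVALID_CLIENT_KEY = "GATEWAY_OAUTH2_INVALID_CLIENT";

    /**
     * Checks the caller's subscription and either continues the policy chain or
     * fails it with a 401.
     *
     * <p>On success the subscription's application, id and plan are published as
     * the {@code gravitee.attribute.application}, {@code gravitee.attribute.user-id}
     * and {@code gravitee.attribute.plan} context attributes.
     *
     * @param request          incoming request; its metrics receive the security type and client id
     * @param response         response used to carry the {@code WWW-Authenticate} header on a missing client id
     * @param policyChain      chain to continue ({@code doNext}) or abort ({@code failWith})
     * @param executionContext source of the repository component and of the client id / API attributes
     * @throws PolicyException declared by the overridden contract; not thrown directly by this body
     */
    protected void onRequest(Request request, Response response, PolicyChain policyChain, ExecutionContext executionContext) throws PolicyException {
        SubscriptionRepository subscriptionRepository = (SubscriptionRepository) executionContext.getComponent(SubscriptionRepository.class);
        String clientId = (String) executionContext.getAttribute(CONTEXT_ATTRIBUTE_CLIENT_ID);
        if (clientId == null || clientId.trim().isEmpty()) {
            sendError(GATEWAY_OAUTH2_INVALID_CLIENT_KEY, response, policyChain, "invalid_client", "No client_id was supplied");
            return;
        }

        // The client id (not the bearer token) is what gets recorded in the request metrics.
        request.metrics().setSecurityType(SecurityType.OAUTH2);
        request.metrics().setSecurityToken(clientId);

        try {
            String api = (String) executionContext.getAttribute("gravitee.attribute.api");
            SubscriptionCriteria criteria = new SubscriptionCriteria.Builder()
                .apis(Collections.singleton(api))
                .clientId(clientId)
                .status(Subscription.Status.ACCEPTED)
                .build();
            List<Subscription> subscriptions = subscriptionRepository.search(criteria);

            // NOTE(review): only the first result is examined. If the repository can return
            // several ACCEPTED subscriptions for the same API and client id, which one is
            // used (and therefore which plan is applied) depends on repository ordering;
            // confirm whether the criteria should also be narrowed by plan.
            Subscription subscription = (subscriptions == null || subscriptions.isEmpty()) ? null : subscriptions.get(0);

            // The repository already filtered on the client id; it is re-checked here as a
            // second line of defence. The comparison is made from the known non-null side so
            // that a record without a client id (or a null list element) is denied with a 401
            // instead of escaping as a NullPointerException.
            if (subscription != null
                    && clientId.equals(subscription.getClientId())
                    && isNotExpired(subscription, new Date(request.timestamp()))) {
                executionContext.setAttribute("gravitee.attribute.application", subscription.getApplication());
                // The "user-id" attribute is populated with the subscription id.
                executionContext.setAttribute("gravitee.attribute.user-id", subscription.getId());
                executionContext.setAttribute("gravitee.attribute.plan", subscription.getPlan());
                policyChain.doNext(request, response);
                return;
            }
            sendUnauthorized(GATEWAY_OAUTH2_ACCESS_DENIED_KEY, policyChain, OAUTH2_ERROR_ACCESS_DENIED);
        } catch (TechnicalException e) {
            // Repository failure: deny rather than let the request through.
            // NOTE(review): the exception is dropped without being logged, so a failing
            // subscription store is only visible as a stream of 401 "server_error"
            // responses. Consider logging it once a logger is available in this class.
            sendUnauthorized(GATEWAY_OAUTH2_SERVER_ERROR_KEY, policyChain, OAUTH2_ERROR_SERVER_ERROR);
        }
    }

    /**
     * Tells whether a subscription is still valid at the given instant: it has
     * no end date, or its end date is strictly after {@code at}.
     */
    private static boolean isNotExpired(Subscription subscription, Date at) {
        Date endingAt = subscription.getEndingAt();
        return endingAt == null || endingAt.after(at);
    }

    /**
     * Fails the chain with a 401 carrying the given response-template key and message.
     */
    private void sendUnauthorized(String key, PolicyChain policyChain, String message) {
        policyChain.failWith(PolicyResult.failure(key, 401, message));
    }

    /**
     * Adds a {@code WWW-Authenticate: Bearer ...} challenge to the response and
     * fails the chain with a 401 that has no message body.
     *
     * <p>{@code error} and {@code description} are concatenated into the header
     * value without escaping. The only caller in this class passes constants; do
     * not pass request-derived text here without first neutralising quotes and
     * CR/LF.
     */
    private void sendError(String key, Response response, PolicyChain policyChain, String error, String description) {
        response.headers().add("WWW-Authenticate", "Bearer realm=\"gravitee.io\", error=\"" + error + "\", error_description=\"" + description + "\"");
        policyChain.failWith(PolicyResult.failure(key, 401, (String) null));
    }

    /**
     * Returns the identifier of this policy, {@code "check-subscription"}.
     */
    public String id() {
        return "check-subscription";
    }
}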
