package org.gluu.oxauth.uma.service;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.gluu.oxauth.model.common.ExecutionContext;
import org.gluu.oxauth.model.configuration.AppConfiguration;
import org.gluu.oxauth.model.error.ErrorResponseFactory;
import org.gluu.oxauth.model.jwt.Jwt;
import org.gluu.oxauth.model.registration.Client;
import org.gluu.oxauth.model.uma.UmaErrorResponseType;
import org.gluu.oxauth.model.uma.UmaTokenResponse;
import org.gluu.oxauth.model.uma.persistence.UmaPermission;
import org.gluu.oxauth.security.Identity;
import org.gluu.oxauth.uma.authorization.Claims;
import org.gluu.oxauth.uma.authorization.UmaAuthorizationContext;
import org.gluu.oxauth.uma.authorization.UmaPCT;
import org.gluu.oxauth.uma.authorization.UmaRPT;
import org.gluu.oxauth.uma.authorization.UmaScriptByScope;
import org.gluu.oxauth.util.ServerUtil;
import org.oxauth.persistence.model.Scope;
import org.slf4j.Logger;

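/**
 * Service behind the UMA token endpoint.
 *
 * <p>A request is validated, the claims gathered so far are stored in the PCT, the protection
 * policies attached to the requested scopes are evaluated and, when access is granted, either a
 * new RPT is issued or the RPT supplied by the client is upgraded with the ticket's permissions.
 */
@Named
@Stateless
public class UmaTokenService {

    /** Value of {@code token_type} in every successful response. */
    private static final String TOKEN_TYPE_BEARER = "Bearer";

    /** Permission attribute under which the PCT code is stored. */
    private static final String PCT_ATTRIBUTE = "pct";

    @Inject
    private Logger log;

    @Inject
    private Identity identity;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private UmaRptService rptService;

    @Inject
    private UmaPctService pctService;

    @Inject
    private UmaPermissionService permissionService;

    @Inject
    private UmaValidationService umaValidationService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private UmaNeedsInfoService umaNeedsInfoService;

    @Inject
    private UmaExpressionService expressionService;

    /**
     * Handles an RPT request (UMA 2.0 grant).
     *
     * <p>Parameters are the raw request parameters; validation of each one is delegated to
     * {@link UmaValidationService}, which reports problems as {@link WebApplicationException}s.
     * The claim token, PCT and RPT are bearer credentials and are therefore never written to the
     * log; only their presence is traced.
     *
     * @param grantType        value of {@code grant_type}
     * @param ticket           permission ticket issued to the resource server
     * @param claimToken       optional claim token pushed by the client
     * @param claimTokenFormat format of {@code claimToken}
     * @param pct              optional persisted claims token from a previous interaction
     * @param rpt              optional existing RPT to be upgraded (presumably null when absent,
     *                         as {@code validateRPT} may return null)
     * @param scope            optional space-separated scopes requested by the client
     * @param httpRequest      current servlet request, passed to policy scripts and RPT creation
     * @param httpResponse     current servlet response, passed to RPT creation
     * @return 200 response whose body is the JSON form of {@link UmaTokenResponse}
     * @throws WebApplicationException 403 when no policy protects the requested scopes and
     *         {@code umaGrantAccessIfNoPolicies} is not {@code true}; the validation error raised by
     *         {@link UmaValidationService}; 500 for any other failure
     */
    public Response requestRpt(String grantType, String ticket, String claimToken, String claimTokenFormat,
                               String pct, String rpt, String scope,
                               HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
        try {
            // Credentials (claim token, PCT, RPT) are not logged, even at trace level.
            this.log.trace("requestRpt grant_type: {}, ticket: {}, claim_token present: {}, claim_token_format: {}, pct present: {}, rpt present: {}, scope: {}",
                    grantType, ticket, claimToken != null, claimTokenFormat, pct != null, rpt != null, scope);

            this.umaValidationService.validateGrantType(grantType);
            List<UmaPermission> permissions = this.umaValidationService.validateTicket(ticket);
            Jwt claimTokenJwt = this.umaValidationService.validateClaimToken(claimToken, claimTokenFormat);
            UmaPCT suppliedPct = this.umaValidationService.validatePct(pct);
            UmaRPT suppliedRpt = this.umaValidationService.validateRPT(rpt);
            Client client = this.umaValidationService.validate(this.identity.getSessionClient().getClient());
            Map<Scope, Boolean> scopes = this.umaValidationService.validateScopes(scope, permissions, client);

            // Claims from the claim token are merged into the PCT before any policy runs.
            UmaPCT updatedPct = this.pctService.updateClaims(suppliedPct, claimTokenJwt, client.getClientId(), permissions);
            Map<UmaScriptByScope, UmaAuthorizationContext> scriptsByScope = this.umaNeedsInfoService.checkNeedsInfo(
                    new Claims(claimTokenJwt, updatedPct, claimToken), scopes, permissions, updatedPct, httpRequest, client);

            enforcePolicies(scriptsByScope, scopes, permissions);
            this.log.trace("Access granted.");

            updatePermissionsWithClientRequestedScope(permissions, scopes);
            addPctToPermissions(permissions, updatedPct);

            // Without an RPT a new one is created; with one, the ticket's permissions are appended.
            boolean upgraded = false;
            String accessToken = rpt;
            if (suppliedRpt == null) {
                ExecutionContext executionContext = new ExecutionContext(httpRequest, httpResponse);
                executionContext.setClient(client);
                accessToken = this.rptService.createRPTAndPersist(executionContext, permissions).getNotHashedCode();
            } else if (this.rptService.addPermissionToRPT(suppliedRpt, permissions)) {
                upgraded = true;
            }

            UmaTokenResponse tokenResponse = new UmaTokenResponse();
            tokenResponse.setAccessToken(accessToken);
            tokenResponse.setUpgraded(Boolean.valueOf(upgraded));
            tokenResponse.setTokenType(TOKEN_TYPE_BEARER);
            tokenResponse.setPct(updatedPct.getCode());
            return Response.ok(ServerUtil.asJson(tokenResponse)).build();
        } catch (WebApplicationException e) {
            // Already carries the proper status and error body; propagate unchanged.
            this.log.error("Exception happened", e);
            throw e;
        } catch (Exception e) {
            this.log.error("Exception happened", e);
            this.log.error("Failed to handle request to UMA Token Endpoint.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.INTERNAL_SERVER_ERROR, UmaErrorResponseType.SERVER_ERROR, "Failed to handle request to UMA Token Endpoint.");
        }
    }

    /**
     * Evaluates the policies protecting the requested scopes.
     *
     * <p>When no policy is attached to any of the scopes, access is granted only if the
     * {@code umaGrantAccessIfNoPolicies} configuration property is {@code true}; otherwise a
     * 403 {@code forbidden_by_policy} error is raised. Both outcomes are logged at warn level
     * because an unprotected scope is usually a configuration mistake.
     *
     * @param scriptsByScope authorization scripts resolved per scope; empty when nothing protects the scopes
     * @param scopes         requested scopes, used only for the log message
     * @param permissions    permissions of the ticket, handed to the expression evaluation
     * @throws WebApplicationException 403 when access is denied for lack of policies; whatever
     *         {@link UmaExpressionService#evaluate} raises when a policy denies access
     */
    private void enforcePolicies(Map<UmaScriptByScope, UmaAuthorizationContext> scriptsByScope,
                                 Map<Scope, Boolean> scopes, List<UmaPermission> permissions) {
        if (!scriptsByScope.isEmpty()) {
            this.expressionService.evaluate(scriptsByScope, permissions);
            return;
        }

        Boolean grantIfNoPolicies = this.appConfiguration.getUmaGrantAccessIfNoPolicies();
        this.log.warn("There are no any policies that protects scopes. Scopes: {}. Configuration property umaGrantAccessIfNoPolicies: {}",
                UmaScopeService.asString(scopes.keySet()), grantIfNoPolicies);
        // A null property is treated as "deny", the safe default.
        if (!Boolean.TRUE.equals(grantIfNoPolicies)) {
            this.log.warn("Access denied because there are no any protection. Make sure it is intentional behavior.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.FORBIDDEN, UmaErrorResponseType.FORBIDDEN_BY_POLICY, "Access denied because there are no any protection. Make sure it is intentional behavior.");
        }
        this.log.warn("Access granted because there are no any protection. Make sure it is intentional behavior.");
    }

    /**
     * Records the PCT code on every permission and persists each permission.
     *
     * @param permissions permissions of the ticket
     * @param umaPCT      PCT whose code is stored under the {@code pct} attribute
     */
    private void addPctToPermissions(List<UmaPermission> permissions, UmaPCT umaPCT) {
        for (UmaPermission permission : permissions) {
            permission.getAttributes().put(PCT_ATTRIBUTE, umaPCT.getCode());
            this.permissionService.mergeSilently(permission);
        }
    }

    /**
     * Adds the DN of every scope in {@code scopes} to each permission's scope list.
     *
     * <p>Existing scope DNs are kept; a set is used so that scopes already present on the
     * permission are not duplicated. Note that the map value (whether the scope was requested
     * by the client) is only logged — every scope in the map is added regardless.
     *
     * @param permissions permissions of the ticket, updated in place (not persisted here)
     * @param scopes      scopes keyed by {@link Scope}, value flags a client-requested scope
     */
    private void updatePermissionsWithClientRequestedScope(List<UmaPermission> permissions, Map<Scope, Boolean> scopes) {
        this.log.trace("Updating permissions with requested scopes ...");
        for (UmaPermission permission : permissions) {
            Set<String> scopeDns = new HashSet<>(permission.getScopeDns());
            for (Map.Entry<Scope, Boolean> entry : scopes.entrySet()) {
                this.log.trace("Updating permissions with scope: {}, isRequestedScope: {}, permisson: {}",
                        entry.getKey().getId(), entry.getValue(), permission.getDn());
                scopeDns.add(entry.getKey().getDn());
            }
            permission.setScopeDns(new ArrayList<>(scopeDns));
        }
    }
}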
