package org.gluu.oxd.server.op;

import com.google.common.base.Strings;
import com.google.inject.Injector;
import java.util.Collections;
import java.util.List;
import javax.ws.rs.ClientErrorException;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.gluu.oxauth.model.uma.JsonLogicNodeParser;
import org.gluu.oxauth.model.uma.PermissionTicket;
import org.gluu.oxd.common.Command;
import org.gluu.oxd.common.CoreUtils;
import org.gluu.oxd.common.ErrorResponse;
import org.gluu.oxd.common.ErrorResponseCode;
import org.gluu.oxd.common.Jackson2;
import org.gluu.oxd.common.introspection.CorrectRptIntrospectionResponse;
import org.gluu.oxd.common.introspection.CorrectUmaPermission;
import org.gluu.oxd.common.params.RsCheckAccessParams;
import org.gluu.oxd.common.response.IOpResponse;
import org.gluu.oxd.common.response.RsCheckAccessResponse;
import org.gluu.oxd.rs.protect.resteasy.PatProvider;
import org.gluu.oxd.rs.protect.resteasy.ResourceRegistrar;
import org.gluu.oxd.rs.protect.resteasy.RptPreProcessInterceptor;
import org.gluu.oxd.rs.protect.resteasy.ServiceProvider;
import org.gluu.oxd.server.HttpException;
import org.gluu.oxd.server.model.UmaResource;
import org.gluu.oxd.server.service.Rp;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/gluu/oxd/server/op/RsCheckAccessOperation.class */
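/**
 * UMA resource-server access check.
 *
 * <p>Given a protected path, an HTTP method and an optional RPT, this operation either returns
 * {@code "granted"} when the introspected RPT carries a permission for the matching resource, or
 * registers a permission ticket with the authorization server and returns {@code "denied"}
 * together with that ticket and the {@code WWW-Authenticate} header value.
 *
 * <p>Every path that does not explicitly match a permission falls through to "denied", so
 * missing or malformed data fails closed.
 */
public class RsCheckAccessOperation extends BaseOperation<RsCheckAccessParams> {
    private static final Logger LOG = LoggerFactory.getLogger(RsCheckAccessOperation.class);

    /**
     * Creates the operation for a single command.
     *
     * <p>Decompiler note: the constructor was package-private in the original source.
     *
     * @param command the command being executed
     * @param injector injector handed to the base operation
     */
    public RsCheckAccessOperation(Command command, Injector injector) {
        super(command, injector, RsCheckAccessParams.class);
    }

    /**
     * Decides whether the presented RPT grants access to the requested resource.
     *
     * @param rsCheckAccessParams oxd id, path, HTTP method and (optionally) the RPT
     * @return a {@link RsCheckAccessResponse} with access {@code "granted"}, or {@code "denied"}
     *     with a freshly registered permission ticket
     * @throws WebApplicationException (400) when no protected resource matches path and method
     * @throws ClientErrorException when ticket registration fails with a status other than
     *     400/401, or fails again after the PAT refresh
     * @throws Exception anything propagated from the token, introspection or ticket services
     */
    @Override // org.gluu.oxd.server.op.IOperation
    public IOpResponse execute(final RsCheckAccessParams rsCheckAccessParams) throws Exception {
        validate(rsCheckAccessParams);
        Rp rp = getRp();
        UmaResource umaResource = rp.umaResource(rsCheckAccessParams.getPath(), rsCheckAccessParams.getHttpMethod());
        if (umaResource == null) {
            // NOTE(review): path and httpMethod come from the request parameters and are echoed
            // into both the error description and the log unmodified.
            ErrorResponse errorResponse = new ErrorResponse("invalid_request");
            errorResponse.setErrorDescription("Resource is not protected with path: " + rsCheckAccessParams.getPath() + " and httpMethod: " + rsCheckAccessParams.getHttpMethod() + ". Please protect your resource first with uma_rs_protect command. Check details on " + CoreUtils.DOC_URL);
            LOG.error(errorResponse.getErrorDescription());
            throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(Jackson2.asJson(errorResponse)).build());
        }

        PatProvider patProvider = new PatProvider() {
            @Override // org.gluu.oxd.rs.protect.resteasy.PatProvider
            public String getPatToken() {
                return RsCheckAccessOperation.this.getUmaTokenService().getPat(rsCheckAccessParams.getOxdId()).getToken();
            }

            @Override // org.gluu.oxd.rs.protect.resteasy.PatProvider
            public void clearPat() {
                // Intentionally empty: a stale PAT is replaced through obtainPat() in the retry
                // path of execute(), not through this callback.
            }
        };

        // NOTE(review): introspection is invoked even when no RPT was supplied; the empty-RPT
        // case is only filtered out by the condition below.
        CorrectRptIntrospectionResponse introspectRpt = getIntrospectionService().introspectRpt(rsCheckAccessParams.getOxdId(), rsCheckAccessParams.getRpt());
        // The RPT is a bearer credential, so only the introspection result is logged, never the
        // token value itself.
        LOG.trace("RPT introspection status: {}", introspectRpt);

        if (!Strings.isNullOrEmpty(rsCheckAccessParams.getRpt()) && introspectRpt != null && introspectRpt.getActive() && introspectRpt.getPermissions() != null) {
            // The required scopes depend only on the resource, so resolve them once.
            List<String> requiredScopes = resolveRequiredScopes(umaResource, rsCheckAccessParams.getOxdId());
            for (CorrectUmaPermission permission : introspectRpt.getPermissions()) {
                List<String> permissionScopes = permission.getScopes();
                // A permission without scopes cannot match; treating it as "no match" keeps the
                // decision fail-closed instead of failing with a NullPointerException.
                boolean containsAny = permissionScopes != null && !Collections.disjoint(requiredScopes, permissionScopes);
                LOG.trace("containsAny: {}, requiredScopes: {}, permissionScopes: {}", containsAny, requiredScopes, permissionScopes);
                // Both conditions are required: a scope overlap AND the permission being bound
                // to this exact resource id.
                if (containsAny && permission.getResourceId() != null && permission.getResourceId().equals(umaResource.getId())) {
                    LOG.debug("RPT has enough permissions, access GRANTED. Path: {}, httpMethod:{}, site: {}", rsCheckAccessParams.getPath(), rsCheckAccessParams.getHttpMethod(), rp);
                    return new RsCheckAccessResponse("granted");
                }
            }
        }

        // No matching permission: register a permission ticket and answer "denied".
        List<String> ticketScopes = umaResource.getTicketScopes();
        if (ticketScopes.isEmpty()) {
            ticketScopes = umaResource.getScopes();
        }
        RptPreProcessInterceptor interceptor = getOpClientFactory().createRptPreProcessInterceptor(new ResourceRegistrar(patProvider, new ServiceProvider(rp.getOpHost())));
        Response registerTicketResponse;
        try {
            LOG.trace("Try to register ticket, scopes: {}, resourceId: {}", ticketScopes, umaResource.getId());
            registerTicketResponse = interceptor.registerTicketResponse(ticketScopes, umaResource.getId());
        } catch (ClientErrorException e) {
            int status = e.getResponse().getStatus();
            LOG.debug("Failed to register ticket. Entity: {}, status: {}", e.getResponse().readEntity(String.class), status, e);
            if (status != Response.Status.BAD_REQUEST.getStatusCode() && status != Response.Status.UNAUTHORIZED.getStatusCode()) {
                throw e;
            }
            // 400/401 is treated as "the PAT is no longer known to the AS": refresh it once and
            // retry. A second failure propagates to the caller.
            LOG.debug("Try maybe PAT is lost on AS, force refresh PAT and request ticket again ...");
            getUmaTokenService().obtainPat(rsCheckAccessParams.getOxdId());
            registerTicketResponse = interceptor.registerTicketResponse(ticketScopes, umaResource.getId());
        }

        RsCheckAccessResponse rsCheckAccessResponse = new RsCheckAccessResponse("denied");
        rsCheckAccessResponse.setWwwAuthenticateHeader((String) registerTicketResponse.getMetadata().getFirst("WWW-Authenticate"));
        rsCheckAccessResponse.setTicket(((PermissionTicket) registerTicketResponse.getEntity()).getTicket());
        LOG.debug("Access denied for path: {} and httpMethod: {}. Ticket is registered: {}", rsCheckAccessParams.getPath(), rsCheckAccessParams.getHttpMethod(), rsCheckAccessResponse);
        return rsCheckAccessResponse;
    }

    /**
     * Returns the scopes a permission must overlap with for the given resource.
     *
     * <p>The resource's plain scope list is used when present. Otherwise the data list of the
     * first scope expression is used, provided that expression is a valid JsonLogic node.
     *
     * <p>NOTE(review): only the first scope expression is considered, and its data list is
     * matched as a flat "any of" set; the JsonLogic rule itself is not evaluated in this class.
     * Confirm that the authorization server enforces the expression when it issues the RPT.
     *
     * @param umaResource the protected resource
     * @param oxdId oxd id, used for tracing only
     * @return the required scopes, never {@code null}; empty when none can be determined
     */
    private static List<String> resolveRequiredScopes(UmaResource umaResource, String oxdId) {
        List<String> scopes = umaResource.getScopes();
        if (scopes == null || scopes.isEmpty()) {
            LOG.trace("Not scopes in resource:{}, oxdId: {}", umaResource, oxdId);
            if (!umaResource.getScopeExpressions().isEmpty() && JsonLogicNodeParser.isNodeValid(umaResource.getScopeExpressions().get(0))) {
                scopes = JsonLogicNodeParser.parseNode(umaResource.getScopeExpressions().get(0)).getData();
                LOG.trace("Set requiredScope from scope expression.");
            }
        }
        // An empty list never overlaps with anything, so an unresolved scope set denies access.
        return scopes != null ? scopes : Collections.<String>emptyList();
    }

    /**
     * Rejects requests that lack the HTTP method or the path.
     *
     * @param rsCheckAccessParams parameters to check
     * @throws HttpException with {@code NO_UMA_HTTP_METHOD} or {@code NO_UMA_PATH_PARAMETER}
     */
    private void validate(RsCheckAccessParams rsCheckAccessParams) {
        if (Strings.isNullOrEmpty(rsCheckAccessParams.getHttpMethod())) {
            throw new HttpException(ErrorResponseCode.NO_UMA_HTTP_METHOD);
        }
        if (Strings.isNullOrEmpty(rsCheckAccessParams.getPath())) {
            throw new HttpException(ErrorResponseCode.NO_UMA_PATH_PARAMETER);
        }
    }
}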
