package org.xdi.oxauth.token.ws.rs;

import java.security.SignatureException;
import java.util.ArrayList;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.CacheControl;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.codehaus.jettison.json.JSONException;
import org.codehaus.jettison.json.JSONObject;
import org.hibernate.annotations.common.util.StringHelper;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;
import org.xdi.oxauth.model.common.AccessToken;
import org.xdi.oxauth.model.common.AuthorizationCodeGrant;
import org.xdi.oxauth.model.common.AuthorizationGrant;
import org.xdi.oxauth.model.common.AuthorizationGrantList;
import org.xdi.oxauth.model.common.ClientCredentialsGrant;
import org.xdi.oxauth.model.common.GrantType;
import org.xdi.oxauth.model.common.IdToken;
import org.xdi.oxauth.model.common.Mode;
import org.xdi.oxauth.model.common.RefreshToken;
import org.xdi.oxauth.model.common.ResourceOwnerPasswordCredentialsGrant;
import org.xdi.oxauth.model.common.TokenType;
import org.xdi.oxauth.model.common.User;
import org.xdi.oxauth.model.config.ConfigurationFactory;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.exception.InvalidJweException;
import org.xdi.oxauth.model.exception.InvalidJwtException;
import org.xdi.oxauth.model.registration.Client;
import org.xdi.oxauth.model.session.OAuthCredentials;
import org.xdi.oxauth.model.session.SessionClient;
import org.xdi.oxauth.model.token.PersistentJwt;
import org.xdi.oxauth.model.token.TokenErrorResponseType;
import org.xdi.oxauth.model.token.TokenParamsValidator;
import org.xdi.oxauth.service.AuthenticationFilterService;
import org.xdi.oxauth.service.AuthenticationService;
import org.xdi.oxauth.service.ClientService;
import org.xdi.oxauth.service.FederationDataService;
import org.xdi.oxauth.service.GrantService;
import org.xdi.oxauth.service.UserService;
import org.xdi.oxauth.util.ServerUtil;
import org.xdi.util.security.StringEncrypter;

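/**
 * Seam component implementing the token endpoint declared by {@link TokenRestWebService}.
 *
 * <p>Issues access, refresh and ID tokens for the grant types handled in
 * {@link #requestAccessToken}. This source is decompiler output, so the parameter names
 * ({@code str}, {@code str2}, ...) are synthetic; the roles documented below are derived
 * from how each value is used in the method body.
 */
@Name("requestTokenRestWebService")
/* loaded from: input_file:org/xdi/oxauth/token/ws/rs/TokenRestWebServiceImpl.class */
public class TokenRestWebServiceImpl implements TokenRestWebService {

    @Logger
    private Log log;

    @In
    private OAuthCredentials credentials;

    @In
    private ErrorResponseFactory errorResponseFactory;

    @In
    private AuthorizationGrantList authorizationGrantList;

    @In
    private SessionClient sessionClient;

    @In
    private UserService userService;

    @In
    private ClientService clientService;

    @In
    private AuthenticationFilterService authenticationFilterService;

    @In
    private FederationDataService federationDataService;

    @In
    private AuthenticationService authenticationService;

    /**
     * Handles a token request and returns the JSON token response or an OAuth error.
     *
     * <p>Every response built here carries {@code Cache-Control: no-store} and
     * {@code Pragma: no-cache}. Credentials (authorization code, refresh token, password,
     * issued token values, raw request parameters) are deliberately kept out of the log.
     *
     * @param str grant type name, parsed with {@code GrantType.fromString}
     * @param str2 authorization code
     * @param str3 redirect URI
     * @param str4 resource owner username
     * @param str5 second argument to {@code AuthenticationService.authenticate};
     *     presumably the resource owner password
     * @param str6 URL-encoded requested scope
     * @param str7 only forwarded to {@code TokenParamsValidator.validateParams}; role not
     *     visible in this class
     * @param str8 refresh token
     * @param str9 access token presented for the {@code OXAUTH_EXCHANGE_TOKEN} grant
     * @param str10 client id, used to look the client up when the session holds none
     * @param str11 not read by this method
     * @param httpServletRequest current request; its parameter map feeds the
     *     authentication filters
     * @param securityContext only consulted for {@code isSecure()} when logging
     * @return 200 with the token JSON; 400/401/501 with an OAuth error body; 401
     *     {@code invalid_client} when no client can be resolved; 500 on an unexpected failure
     */
    @Override // org.xdi.oxauth.token.ws.rs.TokenRestWebService
    public Response requestAccessToken(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, String str9, String str10, String str11, HttpServletRequest httpServletRequest, SecurityContext securityContext) {
        // Only non-secret request attributes are logged. The authorization code, the refresh
        // token and the raw parameter map (which carries the password and client credentials)
        // must never reach a log file; parameter names alone are enough for diagnostics.
        this.log.debug("Attempting to request access token: grantType = {0}, redirectUri = {1}, username = {2}, clientId = {3}, parameterNames = {4}, isSecure = {5}", new Object[]{str, str3, str4, str10, httpServletRequest.getParameterMap().keySet(), Boolean.valueOf(securityContext.isSecure())});
        Mode modeEnum = ConfigurationFactory.getConfiguration().getModeEnum();
        String scope = ServerUtil.urlDecode(str6);
        Response.ResponseBuilder builder = Response.ok();
        try {
            if (TokenParamsValidator.validateParams(str, str2, str3, str4, str5, scope, str7, str8, str9)) {
                GrantType grantType = GrantType.fromString(str);
                Client client = this.sessionClient.getClient();
                if (client == null) {
                    // NOTE(review): this fallback resolves the client from the client_id
                    // parameter alone; confirm that client authentication is enforced before
                    // the request reaches this method.
                    client = this.clientService.getClient(str10);
                    this.sessionClient.setClient(client);
                }
                if (client == null) {
                    // Without this guard an unknown client fell into a NullPointerException
                    // below and surfaced as an opaque HTTP 500.
                    builder = error(401, TokenErrorResponseType.INVALID_CLIENT);
                } else if (ConfigurationFactory.getConfiguration().getFederationEnabled().booleanValue() && !this.federationDataService.hasAnyActiveTrust(client)) {
                    this.log.debug("Forbid token issuing. Client is not in any trust relationship however federation is enabled for server. Client id: {0}, redirectUris: {1}", new Object[]{client.getClientId(), client.getRedirectUris()});
                    builder = error(400, TokenErrorResponseType.UNAUTHORIZED_CLIENT);
                } else if (grantType == GrantType.AUTHORIZATION_CODE) {
                    GrantService grantService = GrantService.instance();
                    AuthorizationCodeGrant codeGrant = this.authorizationGrantList.getAuthorizationCodeGrant(client.getClientId(), str2);
                    if (codeGrant != null) {
                        AccessToken accessToken = codeGrant.createAccessToken();
                        // Log the fact of issuance, not the bearer token itself.
                        this.log.debug("Issuing access token for client: {0}", new Object[]{client.getClientId()});
                        RefreshToken refreshToken = codeGrant.createRefreshToken();
                        if (scope != null && !scope.isEmpty()) {
                            scope = codeGrant.checkScopesPolicy(scope);
                        }
                        IdToken idToken = null;
                        if (codeGrant.getScopes().contains("openid")) {
                            idToken = codeGrant.createIdToken(null, null, accessToken, null);
                        }
                        builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), Integer.valueOf(accessToken.getExpiresIn()), refreshToken, scope, idToken));
                        // The authorization code is single-use: mark it used (in-memory) or
                        // delete it (LDAP) once tokens have been issued.
                        switch (modeEnum) {
                            case IN_MEMORY:
                                codeGrant.getAuthorizationCode().setUsed(true);
                                break;
                            case LDAP:
                                grantService.removeByCode(codeGrant.getAuthorizationCode().getCode(), codeGrant.getClientId());
                                break;
                        }
                    } else {
                        if (modeEnum == Mode.LDAP) {
                            // Presumably drops every grant tied to this code so that a
                            // replayed code also invalidates what was issued from it; confirm
                            // against GrantService.
                            grantService.removeAllByAuthorizationCode(str2);
                        }
                        builder = error(400, TokenErrorResponseType.INVALID_GRANT);
                    }
                } else if (grantType == GrantType.REFRESH_TOKEN) {
                    AuthorizationGrant refreshGrant = this.authorizationGrantList.getAuthorizationGrantByRefreshToken(client.getClientId(), str8);
                    if (refreshGrant != null) {
                        AccessToken accessToken = refreshGrant.createAccessToken();
                        RefreshToken refreshToken = refreshGrant.createRefreshToken();
                        if (scope != null && !scope.isEmpty()) {
                            scope = refreshGrant.checkScopesPolicy(scope);
                        }
                        IdToken idToken = null;
                        if (refreshGrant.getScopes().contains("openid")) {
                            idToken = refreshGrant.createIdToken(null, null, null, null);
                        }
                        builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), Integer.valueOf(accessToken.getExpiresIn()), refreshToken, scope, idToken));
                    } else {
                        builder = error(401, TokenErrorResponseType.INVALID_GRANT);
                    }
                } else if (grantType == GrantType.CLIENT_CREDENTIALS) {
                    ClientCredentialsGrant clientGrant = this.authorizationGrantList.createClientCredentialsGrant(new User(), client);
                    AccessToken accessToken = clientGrant.createAccessToken();
                    if (scope != null && !scope.isEmpty()) {
                        scope = clientGrant.checkScopesPolicy(scope);
                    }
                    IdToken idToken = null;
                    if (clientGrant.getScopes().contains("openid")) {
                        idToken = clientGrant.createIdToken(null, null, null, null);
                    }
                    // No refresh token is issued for this grant.
                    builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), Integer.valueOf(accessToken.getExpiresIn()), null, scope, idToken));
                } else if (grantType == GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS) {
                    User user = null;
                    if (this.authenticationFilterService.isEnabled()) {
                        String userDn = this.authenticationFilterService.processAuthenticationFilters(httpServletRequest.getParameterMap());
                        if (StringHelper.isNotEmpty(userDn)) {
                            user = this.userService.getUserByDn(userDn);
                        }
                    }
                    // Fall back to username/password authentication when no filter matched.
                    if (user == null && this.authenticationService.authenticate(str4, str5)) {
                        user = this.credentials.getUser();
                    }
                    if (user != null) {
                        ResourceOwnerPasswordCredentialsGrant passwordGrant = this.authorizationGrantList.createResourceOwnerPasswordCredentialsGrant(user, client);
                        AccessToken accessToken = passwordGrant.createAccessToken();
                        RefreshToken refreshToken = passwordGrant.createRefreshToken();
                        if (scope != null && !scope.isEmpty()) {
                            scope = passwordGrant.checkScopesPolicy(scope);
                        }
                        IdToken idToken = null;
                        if (passwordGrant.getScopes().contains("openid")) {
                            idToken = passwordGrant.createIdToken(null, null, null, null);
                        }
                        builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), Integer.valueOf(accessToken.getExpiresIn()), refreshToken, scope, idToken));
                    } else {
                        // Failed resource-owner authentication is reported as invalid_client;
                        // kept as-is because existing clients may match on this code.
                        builder = error(401, TokenErrorResponseType.INVALID_CLIENT);
                    }
                } else if (grantType == GrantType.EXTENSION) {
                    builder = error(501, TokenErrorResponseType.INVALID_GRANT);
                } else if (grantType == GrantType.OXAUTH_EXCHANGE_TOKEN) {
                    // NOTE(review): unlike the code and refresh-token lookups above, this
                    // lookup is not scoped to the requesting client's id; confirm that the
                    // binding between the presented access token and the caller is enforced
                    // elsewhere before a long-lived token is minted from it.
                    AuthorizationGrant sourceGrant = this.authorizationGrantList.getAuthorizationGrantByAccessToken(str9);
                    if (sourceGrant != null) {
                        AccessToken longLivedToken = sourceGrant.createLongLivedAccessToken();
                        // Element type is not visible in the decompiled source, so the list
                        // stays untyped as in the original.
                        ArrayList scopes = new ArrayList();
                        if (sourceGrant.getScopes() != null) {
                            scopes.addAll(sourceGrant.getScopes());
                        }
                        PersistentJwt persistentJwt = new PersistentJwt();
                        persistentJwt.setUserId(sourceGrant.getUserId());
                        persistentJwt.setClientId(sourceGrant.getClient().getClientId());
                        persistentJwt.setAuthorizationGrantType(sourceGrant.getAuthorizationGrantType());
                        persistentJwt.setAuthenticationTime(sourceGrant.getAuthenticationTime());
                        persistentJwt.setScopes(scopes);
                        persistentJwt.setAccessTokens(sourceGrant.getAccessTokens());
                        persistentJwt.setRefreshTokens(sourceGrant.getRefreshTokens());
                        persistentJwt.setLongLivedAccessToken(sourceGrant.getLongLivedAccessToken());
                        persistentJwt.setIdToken(sourceGrant.getIdToken());
                        // The snapshot is persisted only in IN_MEMORY mode; in any other mode
                        // it is built and then discarded.
                        if (ConfigurationFactory.getConfiguration().getModeEnum() == Mode.IN_MEMORY) {
                            this.userService.saveLongLivedToken(sourceGrant.getUserId(), persistentJwt);
                        }
                        builder.entity(getJSonResponse(longLivedToken, longLivedToken.getTokenType(), Integer.valueOf(longLivedToken.getExpiresIn()), null, null, null));
                    } else {
                        builder = error(401, TokenErrorResponseType.INVALID_GRANT);
                    }
                }
                // NOTE(review): a grant type matching none of the branches above leaves the
                // default 200 response with no entity; confirm validateParams rules that out.
            } else {
                builder = error(400, TokenErrorResponseType.INVALID_REQUEST);
            }
        } catch (Exception e) {
            // Endpoint boundary: every failure becomes a body-less 500 so that no internal
            // detail leaks to the caller. The decompiled original listed further catch
            // clauses after this one; they were unreachable and had identical bodies.
            builder = Response.status(500);
            this.log.error(e.getMessage(), e, new Object[0]);
        }
        // Token responses must never be cached by the user agent or by intermediaries.
        CacheControl cacheControl = new CacheControl();
        cacheControl.setNoTransform(false);
        cacheControl.setNoStore(true);
        builder.cacheControl(cacheControl);
        builder.header("Pragma", "no-cache");
        return builder.build();
    }

    /**
     * Starts a response with the given HTTP status and the JSON body for the given error.
     *
     * @param i HTTP status code
     * @param tokenErrorResponseType OAuth token error to serialize
     * @return a builder the caller may still decorate before building
     */
    private Response.ResponseBuilder error(int i, TokenErrorResponseType tokenErrorResponseType) {
        return Response.status(i).entity(this.errorResponseFactory.getErrorAsJson(tokenErrorResponseType));
    }

    /**
     * Serializes a successful token response as a JSON object string.
     *
     * <p>{@code access_token} and {@code token_type} are always written; the remaining
     * members are written only when the matching argument is non-null. If the JSON library
     * rejects a value, the error is logged and whatever was written so far is returned.
     *
     * @param accessToken token whose code becomes {@code access_token}
     * @param tokenType value written as {@code token_type}
     * @param num {@code expires_in}, or {@code null} to omit it
     * @param refreshToken token whose code becomes {@code refresh_token}, or {@code null}
     * @param str {@code scope}, or {@code null} to omit it
     * @param idToken token whose code becomes {@code id_token}, or {@code null}
     * @return the JSON text
     */
    public String getJSonResponse(AccessToken accessToken, TokenType tokenType, Integer num, RefreshToken refreshToken, String str, IdToken idToken) {
        JSONObject json = new JSONObject();
        try {
            json.put("access_token", accessToken.getCode());
            json.put("token_type", tokenType.toString());
            if (num != null) {
                json.put("expires_in", num);
            }
            if (refreshToken != null) {
                json.put("refresh_token", refreshToken.getCode());
            }
            if (str != null) {
                json.put("scope", str);
            }
            if (idToken != null) {
                json.put("id_token", idToken.getCode());
            }
        } catch (JSONException e) {
            this.log.error(e.getMessage(), e, new Object[0]);
        }
        return json.toString();
    }
}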
