package org.xdi.oxauth.uma.ws.rs;

import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;
import org.xdi.oxauth.model.common.AuthorizationGrant;
import org.xdi.oxauth.model.common.uma.UmaRPT;
import org.xdi.oxauth.model.config.ConfigurationFactory;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.federation.FederationTrust;
import org.xdi.oxauth.model.federation.FederationTrustStatus;
import org.xdi.oxauth.model.uma.AuthorizationResponse;
import org.xdi.oxauth.model.uma.RptAuthorizationRequest;
import org.xdi.oxauth.model.uma.UmaErrorResponseType;
import org.xdi.oxauth.model.uma.persistence.ResourceSetPermission;
import org.xdi.oxauth.service.ClientService;
import org.xdi.oxauth.service.FederationDataService;
import org.xdi.oxauth.service.token.TokenService;
import org.xdi.oxauth.service.uma.RPTManager;
import org.xdi.oxauth.service.uma.ResourceSetPermissionManager;
import org.xdi.oxauth.service.uma.UmaValidationService;
import org.xdi.oxauth.service.uma.authorization.AuthorizationService;
import org.xdi.oxauth.util.ServerUtil;

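/**
 * UMA endpoint that asks the authorization manager to attach the permission identified by a
 * ticket to a requesting party token (RPT).
 *
 * <p>Validation and the policy decision are delegated to the injected services; this class only
 * orchestrates them and maps failures to JAX-RS responses. A {@link WebApplicationException}
 * raised by a collaborator is passed through unchanged (it already carries the UMA JSON error),
 * any other failure is logged and reported as a generic {@code server_error} so that internal
 * details are not echoed back to the caller.
 */
@Name("rptPermissionAuthorizationRestWebService")
public class RptPermissionAuthorizationRestWebServiceImpl implements RptPermissionAuthorizationRestWebService {

    @Logger
    private Log log;

    @In
    private TokenService tokenService;

    @In
    private ErrorResponseFactory errorResponseFactory;

    @In
    private RPTManager rptManager;

    @In
    private ResourceSetPermissionManager resourceSetPermissionManager;

    @In
    private UmaValidationService umaValidationService;

    @In
    private AuthorizationService umaAuthorizationService;

    @In
    private FederationDataService federationDataService;

    @In
    private ClientService clientService;

    /**
     * Handles an RPT permission authorization request.
     *
     * @param str                     caller credential; checked for the UMA authorization scope before
     *                                anything else is touched, then resolved to its authorization grant
     * @param str2                    AM host value supplied by the caller; passed through the validation
     *                                service before use
     * @param rptAuthorizationRequest request body carrying the RPT code and the permission ticket
     * @param httpServletRequest      underlying servlet request, forwarded to the authorization service
     * @return 200 with an {@link AuthorizationResponse} whose status is the OK reason phrase
     * @throws WebApplicationException the UMA error built by a validation or authorization failure, or a
     *                                 500 {@code server_error} for any unexpected failure
     */
    @Override // org.xdi.oxauth.uma.ws.rs.RptPermissionAuthorizationRestWebService
    public Response requestRptPermissionAuthorization(String str, String str2, RptAuthorizationRequest rptAuthorizationRequest, HttpServletRequest httpServletRequest) {
        try {
            // Fail fast: nothing below runs for a caller without the authorization scope.
            this.umaValidationService.validateAuthorizationWithAuthScope(str);
            AuthorizationGrant grant = this.tokenService.getAuthorizationGrant(str);
            String amHost = this.umaValidationService.validateAmHost(str2);
            authorizeRptPermission(grant, amHost, rptAuthorizationRequest, httpServletRequest);
            return Response.ok(ServerUtil.asJson(new AuthorizationResponse(Response.Status.OK.getReasonPhrase()))).build();
        } catch (WebApplicationException e) {
            // Already carries the intended UMA error response; rethrown with its type intact instead of
            // relying on an instanceof check plus an unchecked rethrow of the generic Exception.
            this.log.error("Exception happened", e);
            throw e;
        } catch (Exception e) {
            this.log.error("Exception happened", e);
            // Deliberately opaque to the caller: details stay in the server log.
            throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(this.errorResponseFactory.getUmaJsonErrorResponse(UmaErrorResponseType.SERVER_ERROR)).build());
        }
    }

    /**
     * Validates the RPT and ticket from the request and, when policy allows, attaches the permission
     * to the RPT.
     *
     * <p>Order of checks:
     * <ol>
     *   <li>the RPT referenced by the request and the permission referenced by its ticket must both
     *       pass the validation service (whatever it throws propagates unchanged);</li>
     *   <li>when federation is enabled, the RPT's client must belong to at least one ACTIVE trust
     *       (403 otherwise); a trust flagged {@code skipAuthorization} grants the permission
     *       immediately without consulting the authorization service;</li>
     *   <li>otherwise {@link AuthorizationService#allowToAddPermission} decides (403 when it refuses).</li>
     * </ol>
     *
     * @param authorizationGrant      grant of the caller, handed to the authorization service
     * @param amHost                  validated AM host; currently not consulted by this method
     * @param rptAuthorizationRequest request carrying the RPT code and the permission ticket
     * @param httpServletRequest      servlet request, handed to the authorization service
     * @return the permission that was attached to the RPT
     * @throws WebApplicationException 403 {@code not_authorized_permission} when the client is not in
     *                                 any active trust or the authorization service refuses
     */
    private ResourceSetPermission authorizeRptPermission(AuthorizationGrant authorizationGrant, String amHost, RptAuthorizationRequest rptAuthorizationRequest, HttpServletRequest httpServletRequest) {
        UmaRPT rpt = this.rptManager.getRPTByCode(rptAuthorizationRequest.getRpt());
        this.umaValidationService.validateRPT(rpt);
        ResourceSetPermission permission = this.resourceSetPermissionManager.getResourceSetPermissionByTicket(rptAuthorizationRequest.getTicket());
        this.umaValidationService.validateResourceSetPermission(permission);

        if (isFederationEnabled()) {
            // The trust lookup keys on the RPT's client, not on the caller's grant.
            List<FederationTrust> trusts = this.federationDataService.getTrustByClient(this.clientService.getClient(rpt.getClientId()), FederationTrustStatus.ACTIVE);
            if (trusts == null || trusts.isEmpty()) {
                this.log.trace("Forbid RPT authorization - client is not in any trust however federation is enabled on server.");
                throw notAuthorizedPermission();
            }
            if (anyTrustSkipsAuthorization(trusts)) {
                // NOTE(review): this branch bypasses umaAuthorizationService entirely and never relates
                // authorizationGrant to the RPT it modifies; the decision is only recorded at trace level.
                // Confirm that the caller/RPT binding is enforced upstream before relying on it.
                this.log.trace("grant access directly, client is in trust and skipAuthorization=true");
                this.rptManager.addPermissionToRPT(rpt, permission);
                return permission;
            }
        }

        if (!this.umaAuthorizationService.allowToAddPermission(authorizationGrant, rpt, permission, httpServletRequest, rptAuthorizationRequest)) {
            throw notAuthorizedPermission();
        }
        this.rptManager.addPermissionToRPT(rpt, permission);
        return permission;
    }

    /** Reads the server-wide federation switch; an absent value counts as disabled. */
    private static boolean isFederationEnabled() {
        Boolean enabled = ConfigurationFactory.getConfiguration().getFederationEnabled();
        return enabled != null && enabled.booleanValue();
    }

    /** True when at least one trust explicitly sets {@code skipAuthorization}; an absent flag counts as false. */
    private static boolean anyTrustSkipsAuthorization(List<FederationTrust> trusts) {
        for (FederationTrust trust : trusts) {
            Boolean skip = trust.getSkipAuthorization();
            if (skip != null && skip.booleanValue()) {
                return true;
            }
        }
        return false;
    }

    /** Builds the 403 {@code not_authorized_permission} response shared by every refusal in this class. */
    private WebApplicationException notAuthorizedPermission() {
        return new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(this.errorResponseFactory.getUmaJsonErrorResponse(UmaErrorResponseType.NOT_AUTHORIZED_PERMISSION)).build());
    }
}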
