package org.xdi.oxauth.uma.ws.rs;

import com.wordnik.swagger.annotations.Api;
import com.wordnik.swagger.annotations.ApiOperation;
import com.wordnik.swagger.annotations.ApiParam;
import com.wordnik.swagger.annotations.ApiResponse;
import com.wordnik.swagger.annotations.ApiResponses;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;
import org.xdi.oxauth.model.common.uma.UmaRPT;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.uma.GatIntrospectionResponse;
import org.xdi.oxauth.model.uma.RptIntrospectionResponse;
import org.xdi.oxauth.model.uma.UmaErrorResponseType;
import org.xdi.oxauth.model.uma.UmaPermission;
import org.xdi.oxauth.model.uma.persistence.ResourceSetPermission;
import org.xdi.oxauth.service.uma.AbstractRPTManager;
import org.xdi.oxauth.service.uma.RPTManager;
import org.xdi.oxauth.service.uma.ScopeService;
import org.xdi.oxauth.service.uma.UmaValidationService;
import org.xdi.oxauth.util.ServerUtil;

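/**
 * UMA RPT introspection endpoint ({@code POST /rpt/status}).
 *
 * <p>A resource server presents an RPT (or a GAT) and receives a JSON status
 * document saying whether the token is active and, if so, its issue/expiry
 * times and the permissions (or scopes, for a GAT) bound to it. The caller is
 * authorised via the {@code Authorization} header before any token lookup
 * happens, so unauthenticated parties cannot use the endpoint to probe tokens.
 * An inactive or unknown token yields HTTP 200 with {@code active=false} and no
 * further detail; unexpected failures are logged server-side and surfaced to
 * the client only as a generic UMA {@code server_error}.
 *
 * <p>Collaborators are injected by Seam ({@code @In}); the class holds no state
 * of its own beyond those references.
 */
@Path("/rpt/status")
@Api(value = "/rpt/status", description = "The endpoint at which the host requests the status of an RPT presented to it by a requester. The endpoint is RPT introspection profile implementation defined by UMA specification")
@Name("rptStatusRestWebService")
public class RptStatusWS {

    @Logger
    private Log log;

    @In
    private ErrorResponseFactory errorResponseFactory;

    @In
    private RPTManager rptManager;

    @In
    private UmaValidationService umaValidationService;

    @In
    private ScopeService umaScopeService;

    /**
     * Introspects an RPT/GAT and returns its status.
     *
     * @param authorization the {@code Authorization} header; must carry the UMA
     *                      protection scope, otherwise
     *                      {@link UmaValidationService#assertHasProtectionScope}
     *                      rejects the request before any lookup
     * @param token         the token string to introspect (form parameter {@code token})
     * @param tokenTypeHint optional {@code token_type_hint}; accepted for RFC 7009
     *                      compatibility but not consulted by this implementation
     * @return 200 with a {@link RptIntrospectionResponse} (or
     *         {@link GatIntrospectionResponse} for a GAT); {@code active=false}
     *         when the token is unknown, expired or otherwise invalid
     * @throws WebApplicationException propagated unchanged when thrown by the
     *         validation service; any other failure becomes a 500 carrying a
     *         generic UMA {@code server_error} body
     */
    @ApiOperation(value = "The resource server MUST determine a received RPT's status, including both whether it is active and, if so, its associated authorization data, before giving or refusing access to the client. An RPT is associated with a set of authorization data that governs whether the client is authorized for access. The token's nature and format are dictated by its profile; the profile might allow it to be self-contained, such that the resource server is able to determine its status locally, or might require or allow the resource server to make a run-time introspection request of the authorization server that issued the token.", produces = "application/json", notes = "The endpoint MAY allow other parameters to provide further context to\n   the query.  For instance, an authorization service may need to know\n   the IP address of the client accessing the protected resource in\n   order to determine the appropriateness of the token being presented.\n\n   To prevent unauthorized token scanning attacks, the endpoint MUST\n   also require some form of authorization to access this endpoint, such\n   as client authentication as described in OAuth 2.0 [RFC6749] or a\n   separate OAuth 2.0 access token such as the bearer token described in\n   OAuth 2.0 Bearer Token Usage [RFC6750].  The methods of managing and\n   validating these authentication credentials are out of scope of this\n   specification.\n")
    @ApiResponses({@ApiResponse(code = 401, message = "Unauthorized")})
    @POST
    @Produces({"application/json"})
    public Response requestRptStatus(
            @HeaderParam("Authorization") String authorization,
            @FormParam("token") @ApiParam(value = "The string value of the token.  For access tokens,\n      this is the \"access_token\" value returned from the token endpoint\n      defined in OAuth 2.0 [RFC6749] section 5.1.  For refresh tokens,\n      this is the \"refresh_token\" value returned from the token endpoint\n      as defined in OAuth 2.0 [RFC6749] section 5.1.  Other token types\n      are outside the scope of this specification.", required = true) String token,
            @FormParam("token_type_hint") @ApiParam(value = "A hint about the type of the token\n      submitted for introspection.  The protected resource re MAY pass\n      this parameter in order to help the authorization server to\n      optimize the token lookup.  If the server is unable to locate the\n      token using the given hint, it MUST extend its search across all\n      of its supported token types.  An authorization server MAY ignore\n      this parameter, particularly if it is able to detect the token\n      type automatically.  Values for this field are defined in OAuth\n      Token Revocation [RFC7009].", required = false) String tokenTypeHint) {
        try {
            // Authorise the caller first. This is the check the spec requires
            // against token-scanning: no token is looked up until it passes.
            umaValidationService.assertHasProtectionScope(authorization);

            UmaRPT rpt = rptManager.getRPTByCode(token);
            if (rpt != null && AbstractRPTManager.isGat(rpt.getCode())) {
                return gatResponse(rpt);
            }
            if (!isValid(rpt)) {
                return inactiveRptResponse();
            }
            return activeRptResponse(rpt);
        } catch (WebApplicationException e) {
            // Already a proper HTTP error (e.g. from the scope assertion): log and pass through.
            log.error("Exception happened", e);
            throw e;
        } catch (Exception e) {
            // Log the full cause server-side; the client only ever sees a generic server_error.
            log.error("Exception happened", e);
            throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR)
                    .entity(errorResponseFactory.getUmaJsonErrorResponse(UmaErrorResponseType.SERVER_ERROR))
                    .build());
        }
    }

    /**
     * Builds the {@code active=false} RPT response. Deliberately carries no
     * reason so that an unauthorised guess and an expired token look the same.
     */
    private Response inactiveRptResponse() {
        // NOTE(review): this path hands the object to the JAX-RS provider, while the
        // active path serialises via ServerUtil.asJson — confirm both yield the same JSON shape.
        return Response.status(Response.Status.OK)
                .entity(new RptIntrospectionResponse(false))
                // presumably disables caching of the introspection result — confirm in ServerUtil
                .cacheControl(ServerUtil.cacheControl(true))
                .build();
    }

    /**
     * Builds the {@code active=true} RPT response with issue/expiry times and the
     * currently valid permissions of {@code rpt}.
     *
     * @param rpt a non-null RPT that has already passed {@link #isValid(UmaRPT)}
     * @throws IOException if JSON serialisation fails
     */
    private Response activeRptResponse(UmaRPT rpt) throws IOException {
        List<UmaPermission> permissions = buildStatusResponsePermissions(rpt);
        RptIntrospectionResponse body = new RptIntrospectionResponse();
        body.setActive(true);
        body.setExpiresAt(rpt.getExpirationDate());
        body.setIssuedAt(rpt.getCreationDate());
        body.setPermissions(permissions);
        return Response.status(Response.Status.OK)
                .entity(ServerUtil.asJson(body))
                .cacheControl(ServerUtil.cacheControl(true))
                .build();
    }

    /**
     * Builds the introspection response for a GAT: {@code active=false} when the
     * token is invalid, otherwise its times and scopes.
     *
     * @param gat the token, already identified as a GAT by the caller
     * @throws IOException if JSON serialisation fails
     */
    private Response gatResponse(UmaRPT gat) throws IOException {
        if (!isValid(gat)) {
            return Response.status(Response.Status.OK)
                    .entity(new GatIntrospectionResponse(false))
                    .cacheControl(ServerUtil.cacheControl(true))
                    .build();
        }
        GatIntrospectionResponse body = new GatIntrospectionResponse();
        body.setActive(true);
        body.setExpiresAt(gat.getExpirationDate());
        body.setIssuedAt(gat.getCreationDate());
        body.setScopes(gat.getPermissions());
        return Response.status(Response.Status.OK)
                .entity(ServerUtil.asJson(body))
                .cacheControl(ServerUtil.cacheControl(true))
                .build();
    }

    /**
     * Null-safe validity check for an RPT; {@code checkExpired()} is run first
     * so that a token past its expiry reports invalid.
     */
    private boolean isValid(UmaRPT rpt) {
        if (rpt == null) {
            return false;
        }
        rpt.checkExpired();
        return rpt.isValid();
    }

    /**
     * Null-safe validity check for a resource-set permission; {@code checkExpired()}
     * is run first so that an expired permission reports invalid.
     */
    private boolean isValid(ResourceSetPermission permission) {
        if (permission == null) {
            return false;
        }
        permission.checkExpired();
        return permission.isValid();
    }

    /**
     * Collects the permissions to report for {@code rpt}: every permission the
     * manager associates with it that is still valid and converts successfully.
     * Invalid permissions are skipped (and logged at debug), never reported.
     *
     * @param rpt the RPT, may be {@code null}
     * @return a mutable, possibly empty list; never {@code null}
     */
    private List<UmaPermission> buildStatusResponsePermissions(UmaRPT rpt) {
        List<UmaPermission> result = new ArrayList<UmaPermission>();
        if (rpt == null) {
            return result;
        }
        List<ResourceSetPermission> rptPermissions = rptManager.getRptPermissions(rpt);
        if (rptPermissions == null || rptPermissions.isEmpty()) {
            return result;
        }
        for (ResourceSetPermission permission : rptPermissions) {
            if (!isValid(permission)) {
                log.debug("Ignore permission, skip it in response because permission is not valid. Permission dn: {0}, rpt dn: {1}", permission.getDn(), rpt.getDn());
                continue;
            }
            UmaPermission converted = ServerUtil.convert(permission, umaScopeService);
            if (converted != null) {
                result.add(converted);
            }
        }
        return result;
    }

    /**
     * Rejects GET introspection with 405 so token values never travel in a URL
     * (query strings end up in logs and referrers); only POST is supported.
     */
    @GET
    @Consumes({"application/json"})
    @ApiOperation("Not allowed")
    @ApiResponses({@ApiResponse(code = 405, message = "Introspection of RPT is not allowed by GET HTTP method.")})
    @Produces({"application/json"})
    public Response requestRptStatusGet(@HeaderParam("Authorization") String authorization, @FormParam("token") String token, @FormParam("token_type_hint") String tokenTypeHint) {
        throw new WebApplicationException(Response.status(405).entity("Introspection of RPT is not allowed by GET HTTP method.").build());
    }
}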
