package org.xdi.oxauth.uma.ws.rs;

import com.wordnik.swagger.annotations.Api;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.gluu.site.ldap.persistence.LdapEntryManager;
import org.slf4j.Logger;
import org.xdi.oxauth.model.common.AuthorizationGrant;
import org.xdi.oxauth.model.common.uma.UmaRPT;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.uma.RptAuthorizationRequest;
import org.xdi.oxauth.model.uma.RptAuthorizationResponse;
import org.xdi.oxauth.model.uma.UmaErrorResponseType;
import org.xdi.oxauth.model.uma.persistence.ResourceSetPermission;
import org.xdi.oxauth.model.util.Util;
import org.xdi.oxauth.service.ClientService;
import org.xdi.oxauth.service.uma.ResourceSetPermissionManager;
import org.xdi.oxauth.service.uma.RptManager;
import org.xdi.oxauth.service.uma.UmaValidationService;
import org.xdi.oxauth.service.uma.authorization.AuthorizationService;
import org.xdi.oxauth.util.ServerUtil;

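@Path("/requester/perm")
@Api(value = "/requester/perm", description = "RPT authorization endpoint. RPT is authorized with new permission(s).")
/* loaded from: input_file:org/xdi/oxauth/uma/ws/rs/RptPermissionAuthorizationWS.class */
/**
 * UMA RPT permission-authorization endpoint ({@code POST /requester/perm}).
 *
 * <p>A requesting party presents an (optional) RPT plus a permission ticket; if the
 * caller holds the UMA authorization scope, the ticket resolves to a known permission
 * and the authorization policy allows it, the permission is attached to the RPT and the
 * ticket is invalidated so it cannot be presented again.
 *
 * <p>Error handling: failures that already carry an HTTP status
 * ({@link WebApplicationException}) are passed through unchanged; anything else is logged
 * server-side and reported to the client as a generic UMA {@code server_error} so that no
 * internal detail leaks into the response.
 */
public class RptPermissionAuthorizationWS {

    @Inject
    private Logger log;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private RptManager rptManager;

    @Inject
    private ResourceSetPermissionManager resourceSetPermissionManager;

    @Inject
    private UmaValidationService umaValidationService;

    @Inject
    private AuthorizationService umaAuthorizationService;

    @Inject
    private ClientService clientService;

    @Inject
    private LdapEntryManager ldapEntryManager;

    /**
     * Authorizes an RPT with the permission referenced by the request ticket.
     *
     * @param str                     the {@code Authorization} header; must carry the UMA
     *                                authorization scope (checked by
     *                                {@code umaValidationService.assertHasAuthorizationScope})
     * @param str2                    the {@code Host} header, validated as the AM host
     * @param rptAuthorizationRequest request body with the RPT (may be empty), the ticket
     *                                and optional claims; a {@code null} body surfaces as the
     *                                generic 500 produced below
     * @param httpServletRequest      the underlying servlet request, handed to the
     *                                authorization policy
     * @return {@code 200} with a JSON {@link RptAuthorizationResponse} carrying the RPT code
     * @throws WebApplicationException with the original status for validation / policy
     *                                 failures, or {@code 500} + UMA {@code server_error}
     *                                 for any other failure
     */
    @POST
    @Produces({"application/json"})
    @Consumes({"application/json"})
    public Response requestRptPermissionAuthorization(@HeaderParam("Authorization") String str, @HeaderParam("Host") String str2, RptAuthorizationRequest rptAuthorizationRequest, @Context HttpServletRequest httpServletRequest) {
        try {
            // Both header checks run before any RPT or ticket is touched: an unauthenticated
            // or wrongly-hosted caller never reaches the token/permission stores.
            AuthorizationGrant grant = this.umaValidationService.assertHasAuthorizationScope(str);
            String amHost = this.umaValidationService.validateAmHost(str2);

            UmaRPT rpt = authorizeRptPermission(str, rptAuthorizationRequest, httpServletRequest, grant, amHost);
            RptAuthorizationResponse response = new RptAuthorizationResponse(rpt.getCode());
            return Response.ok(ServerUtil.asJson(response)).build();
        } catch (WebApplicationException e) {
            // Already a fully-formed HTTP error (scope/host validation, invalid permission,
            // the 403 from authorizeRptPermission, ...): log it and pass it through as-is.
            this.log.error("Exception happened", e);
            throw e;
        } catch (Exception e) {
            // Unexpected failure: full detail stays in the server log, the client only
            // sees the generic UMA server_error.
            this.log.error("Exception happened", e);
            throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(this.errorResponseFactory.getUmaJsonErrorResponse(UmaErrorResponseType.SERVER_ERROR)).build());
        }
    }

    /**
     * Resolves (or issues) the RPT, checks the ticket's permission against the
     * authorization policy and, when allowed, attaches the permission to the RPT.
     *
     * @param authorization the raw {@code Authorization} header, used when a new RPT is minted
     * @param request       the RPT authorization request (RPT code, ticket, claims)
     * @param httpRequest   the servlet request, passed to the authorization policy
     * @param grant         the already-validated grant behind the {@code Authorization} header
     * @param amHost        the already-validated AM host
     * @return the RPT that now carries the requested permission
     * @throws WebApplicationException {@code 403} / {@code not_authorized_permission} when the
     *                                 policy denies the permission; other statuses from the
     *                                 permission validation
     */
    private UmaRPT authorizeRptPermission(String authorization, RptAuthorizationRequest request, HttpServletRequest httpRequest, AuthorizationGrant grant, String amHost) {
        String requestedRpt = request.getRpt();
        UmaRPT rpt = Util.isNullOrEmpty(requestedRpt)
                ? this.rptManager.createRPT(authorization, amHost, false)
                : this.rptManager.getRPTByCode(requestedRpt);

        try {
            this.umaValidationService.validateRPT(rpt);
        } catch (WebApplicationException e) {
            // The RPT did not pass validation. Re-reading it by the same code (the previous
            // behaviour) would hand back the very token that was just rejected and then
            // attach a permission to it; instead mint a fresh RPT for this caller, the same
            // path used when no RPT is supplied. The client receives the new code in the
            // response. The token value itself is deliberately not logged.
            this.log.debug("Supplied RPT failed validation; issuing a new RPT", e);
            rpt = this.rptManager.createRPT(authorization, amHost, false);
        }

        ResourceSetPermission permission = this.resourceSetPermissionManager.getResourceSetPermissionByTicket(request.getTicket());
        this.umaValidationService.validateResourceSetPermission(permission);

        // Policy decision: the permission is only attached if the authorization service
        // explicitly allows it for this grant/RPT/claims combination.
        boolean allowed = this.umaAuthorizationService.allowToAddPermission(grant, rpt, permission, httpRequest, request.getClaims());
        if (!allowed) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(this.errorResponseFactory.getUmaJsonErrorResponse(UmaErrorResponseType.NOT_AUTHORIZED_PERMISSION)).build());
        }

        this.rptManager.addPermissionToRPT(rpt, permission);
        // The ticket has been consumed; mark it so it cannot be presented a second time.
        invalidateTicket(permission);
        return rpt;
    }

    /**
     * Marks a permission ticket as used by overwriting its AM host and persisting the entry.
     *
     * <p>Best effort: a failed merge is only logged, because the permission has already been
     * granted at this point and failing the request would not undo that. Note that on such
     * a failure the ticket remains presentable until it is otherwise cleaned up.
     *
     * @param permission the permission whose ticket is to be invalidated
     */
    private void invalidateTicket(ResourceSetPermission permission) {
        try {
            permission.setAmHost("invalidated");
            this.ldapEntryManager.merge(permission);
        } catch (Exception e) {
            this.log.error("Failed to invalidate ticket: {}", permission.getTicket(), e);
        }
    }
}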
