package org.xdi.oxauth.uma.ws.rs;

import com.google.common.collect.Lists;
import com.wordnik.swagger.annotations.Api;
import com.wordnik.swagger.annotations.ApiOperation;
import com.wordnik.swagger.annotations.ApiResponse;
import com.wordnik.swagger.annotations.ApiResponses;
import java.util.ArrayList;
import java.util.List;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.gluu.site.ldap.persistence.LdapEntryManager;
import org.slf4j.Logger;
import org.xdi.oxauth.model.common.uma.UmaRPT;
import org.xdi.oxauth.model.config.WebKeysConfiguration;
import org.xdi.oxauth.model.configuration.AppConfiguration;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.jwt.Jwt;
import org.xdi.oxauth.model.token.JsonWebResponse;
import org.xdi.oxauth.model.token.JwtSigner;
import org.xdi.oxauth.model.uma.GatRequest;
import org.xdi.oxauth.model.uma.RPTResponse;
import org.xdi.oxauth.model.uma.UmaErrorResponseType;
import org.xdi.oxauth.service.token.TokenService;
import org.xdi.oxauth.service.uma.RptManager;
import org.xdi.oxauth.service.uma.UmaValidationService;
import org.xdi.oxauth.service.uma.authorization.AuthorizationService;
import org.xdi.oxauth.util.ServerUtil;

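@Path("/requester")
@Api(value = "/requester/rpt", description = "The endpoint at which the requester asks the AM to issue an RPT")
/* loaded from: input_file:org/xdi/oxauth/uma/ws/rs/CreateRptWS.class */
public class CreateRptWS {

    @Inject
    private Logger log;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private RptManager rptManager;

    @Inject
    private UmaValidationService umaValidationService;

    @Inject
    private TokenService tokenService;

    @Inject
    private AuthorizationService umaAuthorizationService;

    @Inject
    private LdapEntryManager ldapEntryManager;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private WebKeysConfiguration webKeysConfiguration;

    /**
     * Issues a plain Requesting Party Token (RPT) to the caller.
     *
     * @param authorization the {@code Authorization} header; passed to
     *                      {@code assertHasAuthorizationScope}, which is expected to reject
     *                      (via a {@code WebApplicationException}) callers lacking the required scope
     * @param amHost        the {@code Host} header; client-controlled, so it is run through
     *                      {@code validateAmHost} before being bound into the token
     * @return 201 Created with a JSON {@code RPTResponse}; the token value is either the
     *         stored RPT code or, when {@code umaRptAsJwt} is enabled, a signed JWT
     * @throws WebApplicationException validation failures are re-thrown unchanged; any other
     *                                 failure is logged and mapped to a generic 500 so no
     *                                 internal detail reaches the client
     */
    @Path("rpt")
    @ApiOperation(value = "The endpoint at which the requester asks the AM to issue an RPT", produces = "application/json", notes = "The endpoint at which the requester asks the AM to issue an RPT")
    @ApiResponses({@ApiResponse(code = 401, message = "Unauthorized")})
    @POST
    @Produces({"application/json"})
    public Response getRpt(@HeaderParam("Authorization") String authorization, @HeaderParam("Host") String amHost) {
        try {
            // Authorization check first: nothing is created for an unauthorized caller.
            this.umaValidationService.assertHasAuthorizationScope(authorization);
            String validatedHost = this.umaValidationService.validateAmHost(amHost);
            UmaRPT rpt = this.rptManager.createRPT(authorization, validatedHost, false);
            // A plain RPT carries no GAT scopes.
            String tokenValue = tokenValueFor(rpt, authorization, new ArrayList<String>());
            return created(tokenValue);
        } catch (Exception e) {
            throw toWebApplicationException(e);
        }
    }

    /**
     * Issues a Gluu Access Token (GAT): an RPT that may additionally carry the scopes the
     * caller asked for, provided the authorization service allows them.
     *
     * @param authorization      the {@code Authorization} header (see {@link #getRpt})
     * @param amHost             the {@code Host} header (see {@link #getRpt})
     * @param gatRequest         the request body; a missing body or missing {@code scopes} is
     *                           treated as "no scopes requested", which yields a plain RPT
     * @param httpServletRequest the servlet request, forwarded to the authorization service
     * @return 201 Created with a JSON {@code RPTResponse}
     * @throws WebApplicationException 403 {@code NOT_AUTHORIZED_PERMISSION} when the requested
     *                                 scopes are refused; validation failures re-thrown unchanged;
     *                                 anything else mapped to a generic 500
     */
    @Path("gat")
    @ApiOperation(value = "The endpoint at which the requester asks the AM to issue an GAT", produces = "application/json", notes = "The endpoint at which the requester asks the AM to issue an GAT")
    @ApiResponses({@ApiResponse(code = 401, message = "Unauthorized")})
    @POST
    @Produces({"application/json"})
    public Response getGat(@HeaderParam("Authorization") String authorization, @HeaderParam("Host") String amHost, GatRequest gatRequest, @Context HttpServletRequest httpServletRequest) {
        try {
            this.umaValidationService.assertHasAuthorizationScope(authorization);
            String validatedHost = this.umaValidationService.validateAmHost(amHost);
            UmaRPT rpt = this.rptManager.createRPT(authorization, validatedHost, true);
            // Throws 403 if the requested scopes are refused, so any scopes that reach the
            // token below have been authorized.
            authorizeGat(gatRequest, rpt, authorization, httpServletRequest);
            String tokenValue = tokenValueFor(rpt, authorization, requestedScopes(gatRequest));
            return created(tokenValue);
        } catch (Exception e) {
            throw toWebApplicationException(e);
        }
    }

    /**
     * Picks the token value handed to the client: the stored RPT code, or a signed JWT when
     * {@code umaRptAsJwt} is enabled in the configuration (a {@code null} flag means disabled).
     */
    private String tokenValueFor(UmaRPT rpt, String authorization, List<String> scopes) throws Exception {
        Boolean asJwt = this.appConfiguration.getUmaRptAsJwt();
        if (asJwt != null && asJwt.booleanValue()) {
            return createJwr(rpt, authorization, scopes).asString();
        }
        return rpt.getCode();
    }

    /**
     * Builds and signs the JWT form of an RPT using the requesting client's signing setup.
     * The claims set here are only {@code exp} and {@code iat} (copied from the stored RPT)
     * and, when non-empty, a {@code scopes} claim.
     *
     * NOTE(review): no claim ties the JWT to the stored RPT record (its code is not embedded),
     * so confirm how the resource server correlates this token on introspection.
     */
    private JsonWebResponse createJwr(UmaRPT umaRPT, String authorization, List<String> scopes) throws Exception {
        JwtSigner signer = JwtSigner.newJwtSigner(this.appConfiguration, this.webKeysConfiguration,
                this.tokenService.getAuthorizationGrant(authorization).getClient());
        Jwt jwt = signer.newJwt();
        jwt.getClaims().setExpirationTime(umaRPT.getExpirationDate());
        jwt.getClaims().setIssuedAt(umaRPT.getCreationDate());
        if (!scopes.isEmpty()) {
            jwt.getClaims().setClaim("scopes", scopes);
        }
        return signer.sign();
    }

    /**
     * Asks the authorization service whether the requested scopes may be attached to the
     * RPT and, if so, appends them to its permissions and persists the change.
     *
     * Fails closed: a refusal yields 403 {@code NOT_AUTHORIZED_PERMISSION}; a persistence
     * failure is logged and yields 500 {@code SERVER_ERROR} rather than being reported as a
     * policy denial, so operators can tell the two apart. In neither case is the token
     * returned to the caller.
     */
    private void authorizeGat(GatRequest gatRequest, UmaRPT umaRPT, String authorization, HttpServletRequest httpServletRequest) {
        List<String> requested = requestedScopes(gatRequest);
        if (requested.isEmpty()) {
            return; // nothing to authorize; a plain RPT is issued
        }
        boolean allowed = this.umaAuthorizationService.allowToAddPermissionForGat(
                this.tokenService.getAuthorizationGrant(authorization), umaRPT, requested, httpServletRequest, gatRequest.getClaims());
        if (!allowed) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)
                    .entity(this.errorResponseFactory.getUmaJsonErrorResponse(UmaErrorResponseType.NOT_AUTHORIZED_PERMISSION)).build());
        }
        List<String> permissions = new ArrayList<String>();
        if (umaRPT.getPermissions() != null) {
            permissions.addAll(umaRPT.getPermissions());
        }
        permissions.addAll(requested);
        umaRPT.setPermissions(permissions);
        try {
            this.ldapEntryManager.merge(umaRPT);
        } catch (Exception e) {
            this.log.error("Failed to persist GAT permissions on RPT", e);
            throw serverError();
        }
    }

    /** Requested scopes from the GAT body; a missing body or scope list counts as empty. */
    private static List<String> requestedScopes(GatRequest gatRequest) {
        if (gatRequest == null || gatRequest.getScopes() == null) {
            return new ArrayList<String>();
        }
        return gatRequest.getScopes();
    }

    /** 201 Created carrying the token value as a JSON {@code RPTResponse}. */
    private static Response created(String tokenValue) throws Exception {
        return Response.status(Response.Status.CREATED).entity(ServerUtil.asJson(new RPTResponse(tokenValue))).build();
    }

    /** Generic 500 with the UMA {@code SERVER_ERROR} body; carries no internal detail. */
    private WebApplicationException serverError() {
        return new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR)
                .entity(this.errorResponseFactory.getUmaJsonErrorResponse(UmaErrorResponseType.SERVER_ERROR)).build());
    }

    /**
     * Maps any failure of an endpoint to the exception to throw. Every failure is logged at
     * ERROR (including the 401/403 ones, as before); a {@code WebApplicationException} is
     * passed through so validation and policy responses reach the client, anything else
     * becomes a generic 500.
     */
    private WebApplicationException toWebApplicationException(Exception e) {
        this.log.error("Exception happened", e);
        if (e instanceof WebApplicationException) {
            return (WebApplicationException) e;
        }
        return serverError();
    }
}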
