package org.xdi.oxauth.uma.service;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.slf4j.Logger;
import org.xdi.model.custom.script.conf.CustomScriptConfiguration;
import org.xdi.oxauth.model.config.WebKeysConfiguration;
import org.xdi.oxauth.model.configuration.AppConfiguration;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.jwt.Jwt;
import org.xdi.oxauth.model.registration.Client;
import org.xdi.oxauth.model.uma.UmaErrorResponseType;
import org.xdi.oxauth.model.uma.UmaTokenResponse;
import org.xdi.oxauth.model.uma.persistence.UmaPermission;
import org.xdi.oxauth.model.uma.persistence.UmaScopeDescription;
import org.xdi.oxauth.security.Identity;
import org.xdi.oxauth.service.ClientService;
import org.xdi.oxauth.service.token.TokenService;
import org.xdi.oxauth.uma.authorization.Claims;
import org.xdi.oxauth.uma.authorization.UmaAuthorizationContext;
import org.xdi.oxauth.uma.authorization.UmaPCT;
import org.xdi.oxauth.uma.authorization.UmaRPT;
import org.xdi.oxauth.uma.authorization.UmaWebException;
import org.xdi.oxauth.util.ServerUtil;

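/**
 * Backs the UMA token endpoint: validates an RPT request (grant type, ticket,
 * claim token, PCT, an existing RPT and the requested scopes), runs the
 * external RPT policy scripts, and then issues a new RPT or upgrades the
 * supplied one, returning it together with the (possibly updated) PCT.
 *
 * <p>Points a reviewer should be aware of (both visible in {@link #requestRpt}):
 * <ul>
 *   <li>If no policy script protects any of the requested scopes the request is
 *       GRANTED (fail-open). Two warnings are logged; confirm this is the intended
 *       deployment behaviour.</li>
 *   <li>The trace statement at the top of {@link #requestRpt} writes the claim
 *       token, PCT and RPT values verbatim to the log. Trace logging on this class
 *       therefore discloses bearer credentials and must not be enabled in
 *       production.</li>
 * </ul>
 */
@Named
@Stateless
/* loaded from: input_file:org/xdi/oxauth/uma/service/UmaTokenService.class */
public class UmaTokenService {

    @Inject
    private Logger log;

    @Inject
    private Identity identity;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private UmaRptService rptService;

    @Inject
    private UmaPctService pctService;

    @Inject
    private UmaPermissionService permissionService;

    @Inject
    private UmaValidationService umaValidationService;

    @Inject
    private ClientService clientService;

    @Inject
    private TokenService tokenService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private WebKeysConfiguration webKeysConfiguration;

    @Inject
    private UmaNeedsInfoService umaNeedsInfoService;

    @Inject
    private ExternalUmaRptPolicyService policyService;

    /**
     * Handles a request to the UMA token endpoint.
     *
     * <p>The parameter names are those of the (decompiled) original and are kept
     * for compatibility; their meaning follows the trace statement at the top of
     * the method:
     *
     * @param str                grant_type
     * @param str2               ticket (permission ticket to be exchanged)
     * @param str3               claim_token (may be absent)
     * @param str4               claim_token_format
     * @param str5               pct (may be absent)
     * @param str6               rpt (may be absent; when present the RPT is
     *                           upgraded rather than newly issued)
     * @param str7               scope (scopes requested by the client)
     * @param httpServletRequest the incoming request, passed through to the
     *                           needs-info check / policy contexts
     * @return 200 with the JSON-serialised {@link UmaTokenResponse}
     * @throws UmaWebException         403 when the session client is disabled or
     *                                 a policy script denies access; 500 on any
     *                                 unexpected failure
     * @throws WebApplicationException 401 when no client is bound to the current
     *                                 session; any WebApplicationException raised
     *                                 by the validators is propagated unchanged
     */
    public Response requestRpt(String str, String str2, String str3, String str4, String str5, String str6, String str7, HttpServletRequest httpServletRequest) {
        try {
            // NOTE(review): this writes raw credentials (claim_token, pct, rpt) to the log
            // when trace is enabled. Left as-is to preserve behaviour; see class comment.
            this.log.trace("requestRpt grant_type: {}, ticket: {}, claim_token: {}, claim_token_format: {}, pct: {}, rpt: {}, scope: {}", new Object[]{str, str2, str3, str4, str5, str6, str7});

            // Each validator is expected to throw on invalid input; their exceptions are
            // propagated by the catch block below if they are WebApplicationExceptions.
            this.umaValidationService.validateGrantType(str);
            List<UmaPermission> permissions = this.umaValidationService.validateTicket(str2);
            Jwt claimToken = this.umaValidationService.validateClaimToken(str3, str4);
            UmaPCT pct = this.umaValidationService.validatePct(str5);
            UmaRPT rpt = this.umaValidationService.validateRPT(str6);
            Map<UmaScopeDescription, Boolean> requestedScopes = this.umaValidationService.validateScopes(str7, permissions);

            // Reject requests with no or a disabled session client before touching the
            // client id (the original dereferenced a possibly-null client here, which
            // surfaced as a 500 SERVER_ERROR instead of an authorization failure).
            Client client = requireEnabledSessionClient();

            UmaPCT updatedPct = this.pctService.updateClaims(pct, claimToken, client.getClientId(), permissions);

            Map<CustomScriptConfiguration, UmaAuthorizationContext> policyContexts = this.umaNeedsInfoService.checkNeedsInfo(
                    new Claims(claimToken, updatedPct, str3), requestedScopes, permissions, updatedPct, httpServletRequest, client);

            enforcePolicies(policyContexts, requestedScopes);
            this.log.trace("Access granted.");

            // A supplied RPT is upgraded in place; otherwise a fresh one is issued for this client.
            boolean upgraded;
            if (rpt == null) {
                rpt = this.rptService.createRPTAndPersist(client.getClientId());
                upgraded = false;
            } else {
                upgraded = true;
            }

            // Widen the ticket's permissions with the scopes the client asked for (those
            // flagged true by validateScopes), then bind the permissions to the RPT.
            updatePermissionsWithClientRequestedScope(permissions, requestedScopes);
            this.rptService.addPermissionToRPT(rpt, permissions);

            UmaTokenResponse response = new UmaTokenResponse();
            response.setAccessToken(rpt.getCode());
            response.setUpgraded(Boolean.valueOf(upgraded));
            response.setTokenType("Bearer");
            response.setPct(updatedPct.getCode());
            return Response.ok(ServerUtil.asJson(response)).build();
        } catch (Exception e) {
            this.log.error("Exception happened", e);
            // Validation / policy failures already carry the right status: pass them through.
            if (e instanceof WebApplicationException) {
                throw (WebApplicationException) e;
            }
            // Anything else is an internal failure; do not leak its details to the caller.
            this.log.error("Failed to handle request to UMA Token Endpoint.");
            throw new UmaWebException(Response.Status.INTERNAL_SERVER_ERROR, this.errorResponseFactory, UmaErrorResponseType.SERVER_ERROR);
        }
    }

    /**
     * Resolves the client bound to the current session and rejects the request
     * when there is none (401) or when it is disabled (403 DISABLED_CLIENT).
     *
     * @return the non-null, enabled session client
     * @throws WebApplicationException 401 if no client is bound to the session
     * @throws UmaWebException         403 if the client is disabled
     */
    private Client requireEnabledSessionClient() {
        Client client = this.identity.getSessionClient() == null
                ? null
                : this.identity.getSessionClient().getClient();
        if (client == null) {
            this.log.debug("No client is bound to the current session; rejecting RPT request.");
            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
        }
        if (client.isDisabled()) {
            throw new UmaWebException(Response.Status.FORBIDDEN, this.errorResponseFactory, UmaErrorResponseType.DISABLED_CLIENT);
        }
        return client;
    }

    /**
     * Runs every RPT policy script that protects the requested scopes. All scripts
     * must return true; the first one returning false aborts with 403
     * FORBIDDEN_BY_POLICY and the remaining scripts are not executed.
     *
     * <p>When {@code policyContexts} is empty no script protects the scopes and the
     * request is allowed through (fail-open) after logging two warnings. This is
     * the original behaviour and is kept deliberately; see the class comment.
     *
     * @param policyContexts policy script -> authorization context, as produced by
     *                       the needs-info check
     * @param requestedScopes the validated requested scopes (used for the warning only)
     * @throws UmaWebException 403 when a policy script denies access
     */
    private void enforcePolicies(Map<CustomScriptConfiguration, UmaAuthorizationContext> policyContexts,
                                 Map<UmaScopeDescription, Boolean> requestedScopes) {
        if (policyContexts.isEmpty()) {
            this.log.warn("There are no any policies that protects scopes. Scopes: " + UmaScopeService.asString(requestedScopes.keySet()));
            this.log.warn("Access granted because there are no any protection. Make sure it is intentional behavior.");
            return;
        }
        for (Map.Entry<CustomScriptConfiguration, UmaAuthorizationContext> entry : policyContexts.entrySet()) {
            boolean authorized = this.policyService.authorize(entry.getKey(), entry.getValue());
            this.log.trace("Policy script inum: '{}' result: '{}'", entry.getKey().getInum(), Boolean.valueOf(authorized));
            if (!authorized) {
                this.log.trace("Stop authorization scriptMap execution, current script returns false, script inum: " + entry.getKey().getInum());
                throw new UmaWebException(Response.Status.FORBIDDEN, this.errorResponseFactory, UmaErrorResponseType.FORBIDDEN_BY_POLICY);
            }
        }
    }

    /**
     * Adds to every permission the DN of each requested scope whose map value is
     * {@code true}, de-duplicating against the scopes the permission already has.
     * Mutates the permissions in place; the resulting scope list has no defined order.
     *
     * @param list the ticket's permissions (mutated)
     * @param map  requested scope -> flag; only entries flagged {@code true} are added
     *             (what the flag denotes is decided by validateScopes, not here)
     */
    private void updatePermissionsWithClientRequestedScope(List<UmaPermission> list, Map<UmaScopeDescription, Boolean> map) {
        for (UmaPermission permission : list) {
            HashSet<String> scopeDns = new HashSet<>(permission.getScopeDns());
            for (Map.Entry<UmaScopeDescription, Boolean> entry : map.entrySet()) {
                if (entry.getValue().booleanValue()) {
                    scopeDns.add(entry.getKey().getDn());
                }
            }
            permission.setScopeDns(new ArrayList<>(scopeDns));
        }
    }
}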
