package org.xdi.oxauth.uma.ws.rs;

import com.wordnik.swagger.annotations.Api;
import com.wordnik.swagger.annotations.ApiOperation;
import com.wordnik.swagger.annotations.ApiParam;
import com.wordnik.swagger.annotations.ApiResponse;
import com.wordnik.swagger.annotations.ApiResponses;
import java.io.IOException;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.map.SerializationConfig;
import org.slf4j.Logger;
import org.xdi.oxauth.model.configuration.AppConfiguration;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.uma.PermissionTicket;
import org.xdi.oxauth.model.uma.UmaErrorResponseType;
import org.xdi.oxauth.model.uma.UmaPermission;
import org.xdi.oxauth.model.uma.UmaPermissionList;
import org.xdi.oxauth.service.token.TokenService;
import org.xdi.oxauth.uma.service.UmaPermissionService;
import org.xdi.oxauth.uma.service.UmaRptService;
import org.xdi.oxauth.uma.service.UmaValidationService;
import org.xdi.oxauth.util.ServerUtil;

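/**
 * JAX-RS resource for the UMA permission registration endpoint ({@code /host/rsrc_pr}).
 *
 * <p>A caller presents its token in the {@code Authorization} header and POSTs a JSON
 * permission request; on success the endpoint answers {@code 201 Created} with a
 * {@link PermissionTicket}.
 *
 * <p>Security-relevant ordering in {@link #registerPermission}: the protection-scope check on the
 * {@code Authorization} header runs before the request body is parsed or validated, so a request
 * that fails that check never reaches the JSON parser.
 */
@Path("/host/rsrc_pr")
@Api(value = "/host/rsrc_pr", description = "The resource server uses the protection API's permission registration endpoint to register a requested permission with the authorization server that would suffice for the client's access attempt. The authorization server returns a permission ticket for the resource server to give to the client in its response. The PAT provided in the API request implicitly identifies the resource owner (\"subject\") to which the permission applies.\n\nNote: The resource server is free to choose the extent of the requested permission that it registers, as long as it minimally suffices for the access attempted by the client. For example, it can choose to register a permission that covers several scopes or a resource set that is greater in extent than the specific resource that the client attempted to access. Likewise, the authorization server is ultimately free to choose to partially fulfill the elements of a permission request based on incomplete satisfaction of policy criteria, or not to fulfill the request.\n\nThe resource server uses the POST method at the endpoint. The body of the HTTP request message contains a JSON object providing the requested permission, using a format derived from the scope description format specified in [OAuth-resource-reg], as follows. The object has the following properties:")
/* loaded from: input_file:org/xdi/oxauth/uma/ws/rs/UmaPermissionRegistrationWS.class */
public class UmaPermissionRegistrationWS {

    @Inject
    private Logger log;

    @Inject
    private TokenService tokenService;

    @Inject
    private UmaPermissionService permissionService;

    @Inject
    private UmaRptService rptService;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private UmaValidationService umaValidationService;

    @Inject
    private AppConfiguration appConfiguration;

    /**
     * Registers the requested permission(s) and returns a permission ticket.
     *
     * <p>Steps, in order: check the {@code Authorization} header for the protection scope, parse
     * the body, validate the parsed permissions, then store them with the RPT expiration date and
     * the client DN resolved from the same {@code Authorization} value.
     *
     * @param httpServletRequest the current servlet request (not read by this method)
     * @param str the raw {@code Authorization} header value
     * @param str2 the raw JSON request body: a single permission object or a list of them
     * @return a {@code 201 Created} response whose entity is the new {@link PermissionTicket}
     * @throws WebApplicationException rethrown unchanged when raised by validation or parsing;
     *     any other failure is logged and converted to a generic {@code 500} UMA error response
     */
    @Consumes({"application/json"})
    @ApiOperation(value = "Registers permission using the POST method", consumes = "application/json", produces = "application/json", notes = "The resource server uses the POST method at the endpoint. The body of the HTTP request message contains a JSON object providing the requested permission, using a format derived from the scope description format specified in [OAuth-resource-reg], as follows. The object has the following properties:")
    @ApiResponses({@ApiResponse(code = 401, message = "Unauthorized"), @ApiResponse(code = 400, message = "Bad Request")})
    @POST
    @Produces({"application/json"})
    public Response registerPermission(@Context HttpServletRequest httpServletRequest, @HeaderParam("Authorization") String str, @ApiParam(value = "The identifier for a resource to which this client is seeking access. The identifier MUST correspond to a resource set that was previously registered.", required = true) String str2) {
        try {
            // Authorization comes first: nothing below runs for a caller without the protection scope.
            this.umaValidationService.assertHasProtectionScope(str);

            UmaPermissionList permissions = parseRequest(str2);
            this.umaValidationService.validatePermissions(permissions);

            return Response.status(Response.Status.CREATED)
                    .entity(new PermissionTicket(this.permissionService.addPermission(
                            permissions,
                            this.rptService.rptExpirationDate(),
                            this.tokenService.getClientDn(str))))
                    .build();
        } catch (WebApplicationException e) {
            // Already carries the intended HTTP status and UMA error body; pass it through.
            throw e;
        } catch (Exception e) {
            // Details stay in the server log; the client only receives the generic UMA server_error.
            this.log.error("Exception happened", e);
            throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(this.errorResponseFactory.getUmaJsonErrorResponse(UmaErrorResponseType.SERVER_ERROR)).build());
        }
    }

    /**
     * Parses the request body as either a single {@link UmaPermission} or a
     * {@link UmaPermissionList}.
     *
     * <p>The single-object form is tried first; if Jackson rejects it, the list form is tried.
     * A missing body, a body that matches neither form, or an empty list all end in the
     * {@code 400 invalid permission request} path.
     *
     * @param str the raw JSON request body (client-controlled)
     * @return a non-empty permission list
     */
    private UmaPermissionList parseRequest(String str) {
        if (str == null) {
            // NOTE(review): a null body is not expected to surface as an IOException from
            // readValue, so without this guard it would end up as a 500 in the caller
            // instead of a 400 - confirm against the Jackson version in use.
            this.log.error("Permission request body is missing.");
            return invalidPermissionRequest();
        }

        ObjectMapper mapper = ServerUtil.createJsonMapper().configure(SerializationConfig.Feature.WRAP_ROOT_VALUE, false);

        try {
            return new UmaPermissionList().addPermission(mapper.readValue(str, UmaPermission.class));
        } catch (IOException ignored) {
            // Not a single permission object; fall through and try the list form.
        }

        try {
            UmaPermissionList permissions = mapper.readValue(str, UmaPermissionList.class);
            if (!permissions.isEmpty()) {
                return permissions;
            }
            this.log.error("Permission list is empty.");
        } catch (IOException e) {
            // The body is client-controlled, so it is deliberately kept out of the log line:
            // embedded line breaks could forge log entries, and the payload would otherwise be
            // copied into the log verbatim. The exception still records why parsing failed.
            this.log.error("Failed to parse uma permission request", e);
        }

        // Reached for an empty list and for a body that parsed as neither form. The list
        // variable is scoped to the try block above, so it can never be read unassigned.
        return invalidPermissionRequest();
    }

    /**
     * Signals {@code 400 Bad Request} with the UMA {@code INVALID_PERMISSION_REQUEST} error.
     *
     * <p>Judging by its name the factory method throws rather than returns (not verifiable from
     * this file); the cast only satisfies the return type of the callers.
     */
    private UmaPermissionList invalidPermissionRequest() {
        return (UmaPermissionList) this.errorResponseFactory.throwUmaWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_PERMISSION_REQUEST);
    }
}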
