package org.xdi.oxauth.introspection.ws.rs;

import com.wordnik.swagger.annotations.Api;
import com.wordnik.swagger.annotations.ApiResponse;
import com.wordnik.swagger.annotations.ApiResponses;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.UUID;
import javax.inject.Inject;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.xdi.oxauth.model.authorize.AuthorizeErrorResponseType;
import org.xdi.oxauth.model.common.AbstractToken;
import org.xdi.oxauth.model.common.AccessToken;
import org.xdi.oxauth.model.common.AuthorizationGrant;
import org.xdi.oxauth.model.common.AuthorizationGrantList;
import org.xdi.oxauth.model.common.IntrospectionResponse;
import org.xdi.oxauth.model.common.SubjectType;
import org.xdi.oxauth.model.common.TokenType;
import org.xdi.oxauth.model.common.User;
import org.xdi.oxauth.model.configuration.AppConfiguration;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.ldap.PairwiseIdentifier;
import org.xdi.oxauth.model.uma.UmaScopeType;
import org.xdi.oxauth.service.ClientService;
import org.xdi.oxauth.service.PairwiseIdentifierService;
import org.xdi.oxauth.service.token.TokenService;
import org.xdi.oxauth.util.ServerUtil;

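/**
 * OAuth 2.0 Token Introspection endpoint (RFC 7662) mounted at {@code /introspection}.
 *
 * <p>GET and POST both delegate to {@link #introspect(String, String, String)}. The caller
 * authenticates with its own credentials in the {@code Authorization} header (a Bearer token, or
 * Basic client credentials) and names the token to inspect in the {@code token} parameter. The
 * caller's grant must hold the UMA protection scope ({@code UmaScopeType.PROTECTION}) and a valid
 * access token before any lookup of the inspected token happens; {@code token_type_hint} is
 * accepted but not used for the lookup.
 *
 * <p>Responses: 400 {@code invalid_request} when the header or token is blank; 400
 * {@code access_denied} when the caller cannot be authenticated or lacks the scope; 200 with an
 * introspection document otherwise ({@code active=false} and no further claims for an unknown
 * token); 500 on any unexpected exception. Token and credential values are never written to the
 * log by this class.
 */
@Path("/introspection")
@Api(value = "/introspection", description = "The Introspection Endpoint is an OAuth 2 Endpoint that responds to    HTTP GET and HTTP POST requests from token holders.  The endpoint    takes a single parameter representing the token (and optionally    further authentication) and returns a JSON document representing the meta information surrounding the token.")
/* loaded from: input_file:org/xdi/oxauth/introspection/ws/rs/IntrospectionWebService.class */
public class IntrospectionWebService {

    @Inject
    private Logger log;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private TokenService tokenService;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private ClientService clientService;

    @Inject
    private PairwiseIdentifierService pairwiseIdentifierService;

    /**
     * GET variant: the token and hint arrive as query parameters.
     *
     * @param str  raw {@code Authorization} header of the caller
     * @param str2 token to introspect ({@code token} query parameter)
     * @param str3 {@code token_type_hint} query parameter (unused for the lookup)
     * @return the introspection document or an error response
     */
    @GET
    @Produces({"application/json"})
    @ApiResponses({@ApiResponse(code = 400, message = "invalid_request\nThe request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter or is otherwise malformed.  The resource server SHOULD respond with the HTTP 400 (Bad Request) status code."), @ApiResponse(code = 500, message = "Introspection Internal Server Failed.")})
    public Response introspectGet(@HeaderParam("Authorization") String str, @QueryParam("token") String str2, @QueryParam("token_type_hint") String str3) {
        return introspect(str, str2, str3);
    }

    /**
     * POST variant (the form RFC 7662 specifies): the token and hint arrive as form parameters.
     *
     * @param str  raw {@code Authorization} header of the caller
     * @param str2 token to introspect ({@code token} form parameter)
     * @param str3 {@code token_type_hint} form parameter (unused for the lookup)
     * @return the introspection document or an error response
     */
    @POST
    @Produces({"application/json"})
    public Response introspectPost(@HeaderParam("Authorization") String str, @FormParam("token") String str2, @FormParam("token_type_hint") String str3) {
        return introspect(str, str2, str3);
    }

    /**
     * Shared implementation for both verbs.
     *
     * @param authorization raw {@code Authorization} header of the caller
     * @param token         token to introspect
     * @param tokenTypeHint RFC 7662 hint; only logged, never used to narrow the lookup
     * @return 400 {@code invalid_request} for blank input, 400 {@code access_denied} when the caller
     *         is not entitled to introspect, 200 with the document otherwise, 500 on an exception
     */
    private Response introspect(String authorization, String token, String tokenTypeHint) {
        try {
            // The header carries credentials and the token is a bearer secret: log only their
            // presence, never their value.
            this.log.trace("Introspect token, authorization present: {}, token present: {}, tokenTypeHint: {}",
                    StringUtils.isNotBlank(authorization), StringUtils.isNotBlank(token), tokenTypeHint);
            if (StringUtils.isBlank(authorization) || StringUtils.isBlank(token)) {
                return Response.status(Response.Status.BAD_REQUEST).entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST)).build();
            }
            AuthorizationGrant callerGrant = getAuthorizationGrant(authorization, token);
            if (callerGrant == null) {
                this.log.error("Authorization grant is null.");
                return accessDenied();
            }
            // Authorization check gating introspection: the caller's own token must be valid and its
            // grant must carry the UMA protection scope (i.e. it is a PAT).
            AbstractToken callerToken = callerGrant.getAccessToken(this.tokenService.getTokenFromAuthorizationParameter(authorization));
            boolean callerTokenValid = callerToken != null && callerToken.isValid();
            boolean isPat = callerGrant.getScopesAsString().contains(UmaScopeType.PROTECTION.getValue());
            if (!callerTokenValid || !isPat) {
                this.log.error("Access token is not valid. Valid: " + callerTokenValid + ", isPat:" + isPat);
                return accessDenied();
            }
            IntrospectionResponse introspectionResponse = buildIntrospectionResponse(token);
            return Response.status(Response.Status.OK).entity(ServerUtil.asJson(introspectionResponse)).build();
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
        }
    }

    /**
     * Builds the 400 {@code access_denied} response used whenever the caller is not entitled to
     * introspect. RFC 7662 section 2.3 has the server answer a caller with invalid credentials with
     * 401; this endpoint has always answered 400 and that is kept unchanged here.
     */
    private Response accessDenied() {
        return Response.status(Response.Status.BAD_REQUEST).entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.ACCESS_DENIED)).build();
    }

    /**
     * Populates the introspection document for {@code token}. An unknown token yields
     * {@code active=false} with no further claims, so the response does not tell the caller whether
     * the token ever existed. The token value itself is neither echoed nor logged.
     *
     * @param token the token to describe
     * @return the populated document
     */
    private IntrospectionResponse buildIntrospectionResponse(String token) {
        IntrospectionResponse introspectionResponse = new IntrospectionResponse(false);
        AuthorizationGrant grant = this.authorizationGrantList.getAuthorizationGrantByAccessToken(token);
        if (grant == null) {
            // The token value is deliberately withheld from the log.
            this.log.error("Failed to find grant for the introspected access_token");
            return introspectionResponse;
        }
        // NOTE(review): accessToken is dereferenced without a null check; a grant found by this
        // token is expected to hold it — a null would surface as a 500 via introspect()'s catch.
        AbstractToken accessToken = grant.getAccessToken(token);
        User user = grant.getUser();
        introspectionResponse.setActive(accessToken.isValid());
        introspectionResponse.setExpiresAt(ServerUtil.dateToSeconds(accessToken.getExpirationDate()));
        introspectionResponse.setIssuedAt(ServerUtil.dateToSeconds(accessToken.getCreationDate()));
        introspectionResponse.setAcrValues(grant.getAcrValues());
        introspectionResponse.setScopes(grant.getScopes() != null ? grant.getScopes() : new ArrayList());
        introspectionResponse.setClientId(grant.getClientId());
        introspectionResponse.setSubject(getSub(grant));
        introspectionResponse.setUsername(user != null ? user.getAttribute("displayName") : null);
        introspectionResponse.setIssuer(this.appConfiguration.getIssuer());
        // Audience is the client the token was issued to.
        introspectionResponse.setAudience(grant.getClientId());
        if (accessToken instanceof AccessToken) {
            AccessToken typedToken = (AccessToken) accessToken;
            introspectionResponse.setTokenType(typedToken.getTokenType() != null ? typedToken.getTokenType().getName() : TokenType.BEARER.getName());
        }
        return introspectionResponse;
    }

    /**
     * Computes the {@code sub} claim for the grant's user. Clients with a public subject type get
     * the configured OpenID subject attribute; pairwise clients get a per-sector pairwise identifier
     * that is created and persisted on first use.
     *
     * @param grant grant whose user and client determine the subject
     * @return the subject, or {@code ""} when the grant has no user or the pairwise lookup fails
     */
    private String getSub(AuthorizationGrant grant) {
        User user = grant.getUser();
        if (user == null) {
            this.log.trace("User is null for grant " + grant.getGrantId());
            return "";
        }
        if (!SubjectType.PAIRWISE.equals(SubjectType.fromString(grant.getClient().getSubjectType()))) {
            return user.getAttribute(this.appConfiguration.getOpenidSubAttribute());
        }
        // Pairwise sector: the registered sector_identifier_uri, else the first redirect URI. A
        // client with neither throws here, which introspect()'s catch turns into a 500.
        String sectorIdentifierUri = StringUtils.isNotBlank(grant.getClient().getSectorIdentifierUri())
                ? grant.getClient().getSectorIdentifierUri()
                : grant.getClient().getRedirectUris()[0];
        String userInum = user.getAttribute("inum");
        String clientId = grant.getClientId();
        try {
            PairwiseIdentifier pairwiseIdentifier = this.pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri, clientId);
            if (pairwiseIdentifier == null) {
                // First time this (user, sector, client) triple is seen: mint and persist a new id.
                pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri, clientId);
                pairwiseIdentifier.setId(UUID.randomUUID().toString());
                pairwiseIdentifier.setDn(this.pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
                this.pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
            }
            return pairwiseIdentifier.getId();
        } catch (Exception e) {
            this.log.error("Failed to get sub claim. PairwiseIdentifierService failed to find pair wise identifier.", e);
            return "";
        }
    }

    /**
     * Resolves the grant that authenticates the caller.
     *
     * <p>Attempts, in order: the {@code Authorization} value as a {@code Bearer } token; the value
     * as a {@code Basic } prefixed token; and finally, for a genuine Basic header, the client id and
     * secret are base64- and URL-decoded, checked with {@link ClientService#authenticate}, and the
     * grant of {@code token} must belong to that client.
     *
     * @param authorization raw {@code Authorization} header value (non-blank)
     * @param token         token the caller wants to introspect
     * @return the caller's grant, or {@code null} when it could not be established
     * @throws UnsupportedEncodingException not expected in practice, "UTF-8" is always available
     */
    private AuthorizationGrant getAuthorizationGrant(String authorization, String token) throws UnsupportedEncodingException {
        AuthorizationGrant grant = this.tokenService.getAuthorizationGrantByPrefix(authorization, "Bearer ");
        if (grant != null) {
            return grant;
        }
        grant = this.tokenService.getAuthorizationGrantByPrefix(authorization, "Basic ");
        if (grant != null) {
            return grant;
        }
        if (!StringUtils.startsWithIgnoreCase(authorization, "Basic ")) {
            return null;
        }
        String encodedCredentials = authorization.substring("Basic ".length());
        String credentials = new String(Base64.decodeBase64(encodedCredentials), "UTF-8");
        int delim = credentials.indexOf(":");
        if (delim == -1) {
            return null;
        }
        String clientId = URLDecoder.decode(credentials.substring(0, delim), "UTF-8");
        String clientSecret = URLDecoder.decode(credentials.substring(delim + 1), "UTF-8");
        if (!this.clientService.authenticate(clientId, clientSecret)) {
            // Only the client id is logged; the secret never is.
            this.log.trace("Failed to perform basic authentication for client: " + clientId);
            return null;
        }
        AuthorizationGrant tokenGrant = this.authorizationGrantList.getAuthorizationGrantByAccessToken(token);
        if (tokenGrant == null) {
            return null;
        }
        if (!tokenGrant.getClientId().equals(clientId)) {
            // On this path a client may only introspect tokens that were issued to itself.
            this.log.trace("Failed to match grant object clientId and client id provided during authentication.");
            return null;
        }
        // NOTE(review): the grant just validated is discarded and the lookup is repeated with the
        // encoded Basic credentials as if they were an access token; kept exactly as found —
        // confirm the intended return value against the upstream source.
        return this.authorizationGrantList.getAuthorizationGrantByAccessToken(encodedCredentials);
    }
}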
