package org.xdi.oxd.server.service;

import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import com.google.inject.Inject;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xdi.oxauth.client.AuthorizationRequest;
import org.xdi.oxauth.client.AuthorizationResponse;
import org.xdi.oxauth.client.AuthorizeClient;
import org.xdi.oxauth.client.ClientUtils;
import org.xdi.oxauth.client.OpenIdConfigurationResponse;
import org.xdi.oxauth.client.TokenClient;
import org.xdi.oxauth.client.TokenRequest;
import org.xdi.oxauth.client.TokenResponse;
import org.xdi.oxauth.client.uma.UmaClientFactory;
import org.xdi.oxauth.model.common.AuthenticationMethod;
import org.xdi.oxauth.model.common.GrantType;
import org.xdi.oxauth.model.common.Prompt;
import org.xdi.oxauth.model.common.ResponseType;
import org.xdi.oxauth.model.uma.UmaMetadata;
import org.xdi.oxauth.model.uma.UmaScopeType;
import org.xdi.oxauth.model.uma.UmaTokenResponse;
import org.xdi.oxauth.model.util.Util;
import org.xdi.oxd.common.ErrorResponseCode;
import org.xdi.oxd.common.ErrorResponseException;
import org.xdi.oxd.common.introspection.CorrectRptIntrospectionResponse;
import org.xdi.oxd.common.params.RpGetRptParams;
import org.xdi.oxd.common.response.RpGetRptResponse;
import org.xdi.oxd.server.Configuration;
import org.xdi.oxd.server.ServerLauncher;
import org.xdi.oxd.server.Utils;
import org.xdi.oxd.server.model.Pat;
import org.xdi.oxd.server.model.UmaToken;
import org.xdi.oxd.server.model.UmaTokenFactory;

/* loaded from: input_file:org/xdi/oxd/server/service/UmaTokenService.class */
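/**
 * Obtains and caches UMA tokens (RPT and PAT) for a registered RP.
 *
 * <p>Tokens handled here are bearer credentials. This class never writes token
 * values to the log, and it identifies the RP in log and exception messages by
 * oxd id or client id rather than by dumping the {@code Rp} object. {@code Rp}
 * carries the client secret, user secret, PAT, RPT and refresh token (see the
 * getters used below); whether its {@code toString()} prints them is not visible
 * from this file.
 */
public class UmaTokenService {
    private static final Logger LOG = LoggerFactory.getLogger(UmaTokenService.class);
    private final RpService rpService;
    private final ValidationService validationService;
    private final DiscoveryService discoveryService;
    private final HttpService httpService;
    private final Configuration configuration;
    private final StateService stateService;

    @Inject
    public UmaTokenService(RpService rpService, ValidationService validationService, DiscoveryService discoveryService, HttpService httpService, Configuration configuration, StateService stateService) {
        this.rpService = rpService;
        this.validationService = validationService;
        this.discoveryService = discoveryService;
        this.httpService = httpService;
        this.configuration = configuration;
        this.stateService = stateService;
    }

    /**
     * Returns an RPT for the RP named by {@code rpGetRptParams.getOxdId()}.
     *
     * <p>A cached RPT is returned while its stored expiry is still in the future.
     * Otherwise a new RPT is requested from the AS token endpoint with the UMA
     * ticket grant, introspected, and cached on the RP only when introspection
     * reports it active.
     *
     * @param rpGetRptParams request parameters (oxd id, ticket, optional claim token, PCT, RPT, scopes)
     * @return response carrying the RPT, its token type, PCT and upgraded flag
     * @throws UnsupportedEncodingException declared by the original signature
     * @throws ErrorResponseException with {@code FAILED_TO_GET_RPT} when no active RPT could be obtained
     */
    public RpGetRptResponse getRpt(RpGetRptParams rpGetRptParams) throws UnsupportedEncodingException {
        Rp rp = this.rpService.getRp(rpGetRptParams.getOxdId());
        UmaMetadata umaDiscoveryByOxdId = this.discoveryService.getUmaDiscoveryByOxdId(rpGetRptParams.getOxdId());
        if (!Strings.isNullOrEmpty(rp.getRpt()) && rp.getRptExpiresAt() != null && !isExpired(rp.getRptExpiresAt())) {
            // The token value is deliberately not logged: an RPT is a bearer credential.
            LOG.debug("Returning cached RPT for oxd_id: {}", rpGetRptParams.getOxdId());
            return toRptResponse(rp);
        }

        // Client credentials travel in the Authorization header to the token endpoint taken from
        // UMA discovery. NOTE(review): transport security depends on how HttpService builds its
        // executor, which is not visible here - confirm TLS validation is enforced.
        String scopeParam = rpGetRptParams.getScope() != null ? Utils.joinAndUrlEncode(rpGetRptParams.getScope()) : null;
        UmaTokenResponse requestRpt = UmaClientFactory.instance()
                .createTokenService(umaDiscoveryByOxdId, this.httpService.getClientExecutor())
                .requestRpt(
                        "Basic " + Utils.encodeCredentials(rp.getClientId(), rp.getClientSecret()),
                        GrantType.OXAUTH_UMA_TICKET.getValue(),
                        rpGetRptParams.getTicket(),
                        rpGetRptParams.getClaimToken(),
                        rpGetRptParams.getClaimTokenFormat(),
                        rpGetRptParams.getPct(),
                        rpGetRptParams.getRpt(),
                        scopeParam);
        if (requestRpt != null && StringUtils.isNotBlank(requestRpt.getAccessToken())) {
            CorrectRptIntrospectionResponse introspectRpt = ((IntrospectionService) ServerLauncher.getInjector().getInstance(IntrospectionService.class)).introspectRpt(rpGetRptParams.getOxdId(), requestRpt.getAccessToken());
            LOG.debug("RPT introspection status: {}", introspectRpt);
            if (introspectRpt.getActive()) {
                LOG.debug("RPT is successfully obtained from AS for oxd_id: {}", rpGetRptParams.getOxdId());
                rp.setRpt(requestRpt.getAccessToken());
                rp.setRptTokenType(requestRpt.getTokenType());
                rp.setRptPct(requestRpt.getPct());
                rp.setRptUpgraded(requestRpt.getUpgraded());
                // Widen to long BEFORE multiplying. The previous intValue() * 1000 overflowed int for
                // any current epoch-seconds value, so the stored expiry landed near 1970 and the
                // cached RPT was always considered expired.
                rp.setRptCreatedAt(epochSecondsToDate(introspectRpt.getIssuedAt()));
                rp.setRptExpiresAt(epochSecondsToDate(introspectRpt.getExpiresAt()));
                this.rpService.updateSilently(rp);
                return toRptResponse(rp);
            }
        }
        LOG.error("Failed to get RPT for oxd_id: {}", rpGetRptParams.getOxdId());
        throw new ErrorResponseException(ErrorResponseCode.FAILED_TO_GET_RPT);
    }

    /** Builds the RPT response from the RPT fields currently stored on {@code rp}. */
    private static RpGetRptResponse toRptResponse(Rp rp) {
        RpGetRptResponse response = new RpGetRptResponse();
        response.setRpt(rp.getRpt());
        response.setTokenType(rp.getRptTokenType());
        response.setPct(rp.getRptPct());
        response.setUpdated(rp.getRptUpgraded());
        return response;
    }

    /** Converts a seconds-since-epoch value to a {@link Date} using 64-bit arithmetic. */
    private static Date epochSecondsToDate(Number epochSeconds) {
        return new Date(epochSeconds.longValue() * 1000L);
    }

    /**
     * Tells whether {@code date} lies before the current system time.
     *
     * @param date instant to test; must not be {@code null}
     * @return {@code true} when {@code date} is in the past
     */
    public static boolean isExpired(Date date) {
        return date.before(new Date());
    }

    /**
     * Returns the PAT for the RP with the given oxd id, reusing the stored one while
     * {@code patCreatedAt + patExpiresIn} seconds has not passed, otherwise obtaining a new one.
     *
     * @param str oxd id of the RP; validated as not blank
     * @return the stored or newly obtained PAT
     */
    public Pat getPat(String str) {
        this.validationService.notBlankOxdId(str);
        Rp rp = this.rpService.getRp(str);
        if (rp.getPat() != null && rp.getPatCreatedAt() != null && rp.getPatExpiresIn() > 0) {
            Calendar calendar = Calendar.getInstance();
            calendar.setTime(rp.getPatCreatedAt());
            calendar.add(Calendar.SECOND, rp.getPatExpiresIn());
            if (!isExpired(calendar.getTime())) {
                // The PAT value is not logged: it is a bearer credential.
                LOG.debug("Returning PAT from site configuration for oxd_id: {}", str);
                return new Pat(rp.getPat(), "", rp.getPatExpiresIn());
            }
        }
        return obtainPat(str);
    }

    /**
     * Obtains a new PAT from the AS and stores it, with its refresh token and lifetime, on the RP.
     *
     * @param str oxd id of the RP
     * @return the newly obtained PAT
     */
    public Pat obtainPat(String str) {
        Rp rp = this.rpService.getRp(str);
        UmaToken obtainToken = obtainToken(str, UmaScopeType.PROTECTION, rp);
        rp.setPat(obtainToken.getToken());
        rp.setPatCreatedAt(new Date());
        rp.setPatExpiresIn(obtainToken.getExpiresIn());
        rp.setPatRefreshToken(obtainToken.getRefreshToken());
        this.rpService.updateSilently(rp);
        return (Pat) obtainToken;
    }

    /** Obtains a token for {@code umaScopeType} using client or user credentials, per configuration. */
    private UmaToken obtainToken(String str, UmaScopeType umaScopeType, Rp rp) {
        OpenIdConfigurationResponse discovery = this.discoveryService.getConnectDiscoveryResponseByOxdId(str);
        UmaToken token;
        if (useClientAuthentication(umaScopeType)) {
            token = obtainTokenWithClientCredentials(discovery, rp, umaScopeType);
            // Only the scope type is logged; the token object itself may print its value.
            LOG.trace("Obtained token with client authentication, scopeType: {}", umaScopeType);
        } else {
            token = obtainTokenWithUserCredentials(discovery, rp, umaScopeType);
            LOG.trace("Obtained token with user credentials, scopeType: {}", umaScopeType);
        }
        return token;
    }

    /**
     * Tells whether tokens of the given scope type are obtained with the client credentials grant.
     *
     * @param umaScopeType scope type; only {@code PROTECTION} is supported
     * @return {@code true} when the configuration enables client authentication for the PAT
     * @throws RuntimeException for any other scope type
     */
    public boolean useClientAuthentication(UmaScopeType umaScopeType) {
        if (umaScopeType == UmaScopeType.PROTECTION) {
            return Boolean.TRUE.equals(this.configuration.getUseClientAuthenticationForPat());
        }
        throw new RuntimeException("Unknown UMA scope type: " + umaScopeType);
    }

    /**
     * Obtains a token with the client credentials grant and checks that the granted scope
     * includes the requested UMA scope.
     *
     * @throws RuntimeException when there is no response, the token is blank, or the scope is missing
     */
    private UmaToken obtainTokenWithClientCredentials(OpenIdConfigurationResponse openIdConfigurationResponse, Rp rp, UmaScopeType umaScopeType) {
        TokenClient tokenClient = new TokenClient(openIdConfigurationResponse.getTokenEndpoint());
        tokenClient.setExecutor(this.httpService.getClientExecutor());
        TokenResponse tokenResponse = tokenClient.execClientCredentialsGrant(scopesAsString(umaScopeType), rp.getClientId(), rp.getClientSecret());
        if (tokenResponse == null) {
            LOG.error("No response from TokenClient");
        } else if (Util.allNotBlank(tokenResponse.getAccessToken())) {
            String grantedScope = tokenResponse.getScope();
            // A missing scope is treated like a scope without the requested value instead of
            // failing with a NullPointerException.
            // NOTE(review): contains() is a substring match on the scope string, so a longer scope
            // name that merely embeds the requested value would also pass - consider matching
            // whole space-delimited tokens.
            if (grantedScope == null || !grantedScope.contains(umaScopeType.getValue())) {
                String message = "oxd requested scope " + umaScopeType + " but AS returned access_token without that scope, token scopes :" + grantedScope;
                LOG.error(message);
                LOG.error("Please check AS(oxauth) configuration and make sure UMA scope (uma_protection) is enabled.");
                throw new RuntimeException(message);
            }
            UmaToken newToken = UmaTokenFactory.newToken(umaScopeType);
            newToken.setToken(tokenResponse.getAccessToken());
            newToken.setRefreshToken(tokenResponse.getRefreshToken());
            newToken.setExpiresIn(tokenResponse.getExpiresIn().intValue());
            return newToken;
        } else {
            LOG.error("Token is blank in response, client_id: {}", rp.getClientId());
        }
        throw new RuntimeException("Failed to obtain PAT.");
    }

    /** Returns the scopes to request: the UMA scope value followed by {@code openid}. */
    private List<String> scopes(UmaScopeType umaScopeType) {
        List<String> requested = new ArrayList<String>();
        requested.add(umaScopeType.getValue());
        requested.add("openid");
        return requested;
    }

    /** Returns {@link #scopes(UmaScopeType)} as one space-separated string. */
    private String scopesAsString(UmaScopeType umaScopeType) {
        StringBuilder joined = new StringBuilder();
        for (String scope : scopes(umaScopeType)) {
            joined.append(scope).append(' ');
        }
        return joined.toString().trim();
    }

    /**
     * Obtains a token with the authorization code flow, authenticating the authorization
     * request with the user id and secret stored on the RP and {@code prompt=none}.
     *
     * <p>The {@code state} returned by the AS must equal the generated one before the
     * authorization code is exchanged for a token.
     *
     * @throws ErrorResponseException with {@code INVALID_STATE} when the returned state does not match
     * @throws RuntimeException when no token could be obtained
     */
    private UmaToken obtainTokenWithUserCredentials(OpenIdConfigurationResponse openIdConfigurationResponse, Rp rp, UmaScopeType umaScopeType) {
        List<ResponseType> responseTypes = Lists.newArrayList();
        responseTypes.add(ResponseType.CODE);
        responseTypes.add(ResponseType.ID_TOKEN);
        String generateState = this.stateService.generateState();
        AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, rp.getClientId(), scopes(umaScopeType), rp.getAuthorizationRedirectUri(), null);
        authorizationRequest.setState(generateState);
        authorizationRequest.setAuthUsername(rp.getUserId());
        authorizationRequest.setAuthPassword(rp.getUserSecret());
        authorizationRequest.getPrompts().add(Prompt.NONE);
        AuthorizeClient authorizeClient = new AuthorizeClient(openIdConfigurationResponse.getAuthorizationEndpoint());
        authorizeClient.setExecutor(this.httpService.getClientExecutor());
        authorizeClient.setRequest(authorizationRequest);
        AuthorizationResponse authorizationResponse = authorizeClient.exec();
        // NOTE(review): showClient presumably dumps the request and response of the client; the
        // request above carries the user id and secret - confirm it does not reach production logs.
        ClientUtils.showClient(authorizeClient);

        // Reject a response whose state does not match before touching the code it carries.
        if (!generateState.equals(authorizationResponse.getState())) {
            throw new ErrorResponseException(ErrorResponseCode.INVALID_STATE);
        }
        String scope = authorizationResponse.getScope();
        String code = authorizationResponse.getCode();
        if (Util.allNotBlank(code)) {
            TokenRequest tokenRequest = new TokenRequest(GrantType.AUTHORIZATION_CODE);
            tokenRequest.setCode(code);
            tokenRequest.setRedirectUri(rp.getAuthorizationRedirectUri());
            tokenRequest.setAuthUsername(rp.getClientId());
            tokenRequest.setAuthPassword(rp.getClientSecret());
            tokenRequest.setAuthenticationMethod(AuthenticationMethod.CLIENT_SECRET_BASIC);
            tokenRequest.setScope(scope);
            TokenClient tokenClient = new TokenClient(openIdConfigurationResponse.getTokenEndpoint());
            tokenClient.setRequest(tokenRequest);
            tokenClient.setExecutor(this.httpService.getClientExecutor());
            TokenResponse tokenResponse = tokenClient.exec();
            // NOTE(review): this passes authorizeClient a second time rather than tokenClient, which
            // looks like an oversight. Kept as is: switching it would presumably dump the token
            // response, including the access token.
            ClientUtils.showClient(authorizeClient);
            if (tokenResponse.getStatus() == 200 && Util.allNotBlank(tokenResponse.getAccessToken())) {
                UmaToken newToken = UmaTokenFactory.newToken(umaScopeType);
                newToken.setToken(tokenResponse.getAccessToken());
                newToken.setRefreshToken(tokenResponse.getRefreshToken());
                newToken.setExpiresIn(tokenResponse.getExpiresIn().intValue());
                return newToken;
            }
            LOG.error("Status: " + tokenResponse.getStatus() + ", Entity: " + tokenResponse.getEntity());
        } else {
            LOG.debug("Authorization code is blank.");
        }
        throw new RuntimeException("Failed to obtain Token, scopeType: " + umaScopeType + ", client_id: " + rp.getClientId());
    }
}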
