package org.xdi.oxd.server.op;

import com.google.common.base.Strings;
import com.google.inject.Injector;
import java.util.Collections;
import java.util.List;
import org.codehaus.jackson.node.POJONode;
import org.jboss.resteasy.client.ClientResponseFailure;
import org.jboss.resteasy.specimpl.BuiltResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xdi.oxauth.model.uma.JsonLogicNodeParser;
import org.xdi.oxauth.model.uma.PermissionTicket;
import org.xdi.oxd.common.Command;
import org.xdi.oxd.common.CommandResponse;
import org.xdi.oxd.common.CoreUtils;
import org.xdi.oxd.common.ErrorResponse;
import org.xdi.oxd.common.ErrorResponseCode;
import org.xdi.oxd.common.ErrorResponseException;
import org.xdi.oxd.common.introspection.CorrectRptIntrospectionResponse;
import org.xdi.oxd.common.introspection.CorrectUmaPermission;
import org.xdi.oxd.common.params.RsCheckAccessParams;
import org.xdi.oxd.common.response.RsCheckAccessResponse;
import org.xdi.oxd.rs.protect.resteasy.PatProvider;
import org.xdi.oxd.rs.protect.resteasy.ResourceRegistrar;
import org.xdi.oxd.rs.protect.resteasy.RptPreProcessInterceptor;
import org.xdi.oxd.rs.protect.resteasy.ServiceProvider;
import org.xdi.oxd.server.model.UmaResource;
import org.xdi.oxd.server.service.Rp;

/* loaded from: input_file:org/xdi/oxd/server/op/RsCheckAccessOperation.class */
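/**
 * Handles the resource-server "check access" command for a UMA-protected resource.
 *
 * <p>The operation looks up the protected resource by path and HTTP method, introspects the
 * presented RPT and grants access when one of its permissions targets that resource with an
 * overlapping scope. Otherwise it registers a permission ticket and returns a "denied" response
 * carrying the ticket and the {@code WWW-Authenticate} header value.
 */
public class RsCheckAccessOperation extends BaseOperation<RsCheckAccessParams> {
    private static final Logger LOG = LoggerFactory.getLogger(RsCheckAccessOperation.class);

    /* JADX INFO: Access modifiers changed from: protected */
    public RsCheckAccessOperation(Command command, Injector injector) {
        super(command, injector, RsCheckAccessParams.class);
    }

    /**
     * Decides whether the presented RPT grants access to the requested path and HTTP method.
     *
     * @param rsCheckAccessParams request parameters: oxd id, path, HTTP method and (optionally) the RPT
     * @return an error response when the resource is not protected, an ok response with "granted"
     *     when a permission matches, otherwise an ok response with "denied" plus the new ticket
     * @throws Exception when ticket registration fails with a status other than 400/401, or when
     *     the retry after refreshing the PAT fails as well
     */
    @Override // org.xdi.oxd.server.op.IOperation
    public CommandResponse execute(final RsCheckAccessParams rsCheckAccessParams) throws Exception {
        validate(rsCheckAccessParams);
        Rp rp = getRp();
        UmaResource umaResource = rp.umaResource(rsCheckAccessParams.getPath(), rsCheckAccessParams.getHttpMethod());
        if (umaResource == null) {
            // NOTE(review): path and httpMethod come from the request and are copied into the log
            // line and the error description as-is; confirm they are sanitised upstream.
            ErrorResponse errorResponse = new ErrorResponse("invalid_request");
            errorResponse.setErrorDescription("Resource is not protected with path: " + rsCheckAccessParams.getPath() + " and httpMethod: " + rsCheckAccessParams.getHttpMethod() + ". Please protect your resource first with uma_rs_protect command. Check details on " + CoreUtils.DOC_URL);
            LOG.error(errorResponse.getErrorDescription());
            return CommandResponse.error().setData(new POJONode(errorResponse));
        }

        PatProvider patProvider = new PatProvider() { // from class: org.xdi.oxd.server.op.RsCheckAccessOperation.1
            @Override // org.xdi.oxd.rs.protect.resteasy.PatProvider
            public String getPatToken() {
                return RsCheckAccessOperation.this.getUmaTokenService().getPat(rsCheckAccessParams.getOxdId()).getToken();
            }

            @Override // org.xdi.oxd.rs.protect.resteasy.PatProvider
            public void clearPat() {
                // Intentionally empty: a lost PAT is refreshed explicitly via obtainPat() in the
                // ticket-registration retry below.
            }
        };

        // Introspection is still called when the RPT is null or empty, as before; such a request
        // can never reach the grant branch because of the emptiness check below.
        String rpt = rsCheckAccessParams.getRpt();
        boolean rptPresent = !Strings.isNullOrEmpty(rpt);
        CorrectRptIntrospectionResponse introspectRpt = getIntrospectionService().introspectRpt(rsCheckAccessParams.getOxdId(), rpt);
        // The RPT is a bearer credential, so only its presence is logged, never its value.
        // NOTE(review): confirm that the introspection response's toString() does not echo the token.
        LOG.trace("RPT present: {}, status: {}", rptPresent, introspectRpt);

        if (rptPresent && introspectRpt != null && introspectRpt.getActive() && introspectRpt.getPermissions() != null) {
            // The required scopes depend only on the resource, so resolve them once for all permissions.
            List<String> requiredScopes = resolveRequiredScopes(umaResource, rsCheckAccessParams.getOxdId());
            for (CorrectUmaPermission permission : introspectRpt.getPermissions()) {
                // A single overlapping scope is enough here.
                boolean containsAny = !Collections.disjoint(requiredScopes, permission.getScopes());
                if (LOG.isTraceEnabled()) {
                    LOG.trace("containsAny: " + containsAny + ", requiredScopes: " + requiredScopes + ", permissionScopes: " + permission.getScopes());
                }
                // The permission must also be bound to this exact resource id; a scope match on a
                // different resource must not grant access.
                if (containsAny && permission.getResourceId() != null && permission.getResourceId().equals(umaResource.getId())) {
                    LOG.debug("RPT has enough permissions, access GRANTED. Path: " + rsCheckAccessParams.getPath() + ", httpMethod:" + rsCheckAccessParams.getHttpMethod() + ", site: " + rp);
                    return okResponse(new RsCheckAccessResponse("granted"));
                }
            }
        }

        // No matching permission: register a permission ticket for the client to exchange.
        List<String> ticketScopes = umaResource.getTicketScopes();
        if (ticketScopes.isEmpty()) {
            ticketScopes = umaResource.getScopes();
        }
        RptPreProcessInterceptor rptPreProcessInterceptor = new RptPreProcessInterceptor(new ResourceRegistrar(patProvider, new ServiceProvider(rp.getOpHost())));
        BuiltResponse builtResponse;
        try {
            LOG.trace("Try to register ticket, scopes: {}, resourceId: {}", ticketScopes, umaResource.getId());
            builtResponse = (BuiltResponse) rptPreProcessInterceptor.registerTicketResponse(ticketScopes, umaResource.getId());
        } catch (ClientResponseFailure e) {
            int status = e.getResponse().getStatus();
            LOG.debug("Failed to register ticket. Entity: " + e.getResponse().getEntity(String.class) + ", status: " + status, e);
            if (status != 400 && status != 401) {
                throw e;
            }
            // 400/401 is treated as "PAT no longer valid on the AS": refresh it and retry once.
            LOG.debug("Try maybe PAT is lost on AS, force refresh PAT and request ticket again ...");
            getUmaTokenService().obtainPat(rsCheckAccessParams.getOxdId());
            builtResponse = (BuiltResponse) rptPreProcessInterceptor.registerTicketResponse(ticketScopes, umaResource.getId());
        }

        RsCheckAccessResponse rsCheckAccessResponse = new RsCheckAccessResponse("denied");
        rsCheckAccessResponse.setWwwAuthenticateHeader((String) builtResponse.getMetadata().getFirst("WWW-Authenticate"));
        rsCheckAccessResponse.setTicket(((PermissionTicket) builtResponse.getEntity()).getTicket());
        LOG.debug("Access denied for path: " + rsCheckAccessParams.getPath() + " and httpMethod: " + rsCheckAccessParams.getHttpMethod() + ". Ticket is registered: " + rsCheckAccessResponse);
        return okResponse(rsCheckAccessResponse);
    }

    /**
     * Returns the scopes an RPT permission is compared against for the given resource.
     *
     * <p>The resource's plain scope list is used when it is not empty. Otherwise, if the first
     * scope expression is a valid JsonLogic node, the scopes listed in its data are used.
     * NOTE(review): only the data list of the expression is used and the caller accepts any single
     * overlap, so the expression's rule is not evaluated here; confirm the rule is enforced by
     * the authorization server when it issues the RPT.
     */
    private List<String> resolveRequiredScopes(UmaResource umaResource, String oxdId) {
        List<String> scopes = umaResource.getScopes();
        if (!scopes.isEmpty()) {
            return scopes;
        }
        LOG.trace("Not scopes in resource:{}, oxdId: {}", umaResource, oxdId);
        if (!umaResource.getScopeExpressions().isEmpty() && JsonLogicNodeParser.isNodeValid(umaResource.getScopeExpressions().get(0))) {
            scopes = JsonLogicNodeParser.parseNode(umaResource.getScopeExpressions().get(0)).getData();
            LOG.trace("Set requiredScope from scope expression.");
        }
        return scopes;
    }

    /**
     * Rejects requests that lack the HTTP method or the path.
     *
     * @throws ErrorResponseException with {@code NO_UMA_HTTP_METHOD} or {@code NO_UMA_PATH_PARAMETER}
     */
    private void validate(RsCheckAccessParams rsCheckAccessParams) {
        if (Strings.isNullOrEmpty(rsCheckAccessParams.getHttpMethod())) {
            throw new ErrorResponseException(ErrorResponseCode.NO_UMA_HTTP_METHOD);
        }
        if (Strings.isNullOrEmpty(rsCheckAccessParams.getPath())) {
            throw new ErrorResponseException(ErrorResponseCode.NO_UMA_PATH_PARAMETER);
        }
    }
}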
