package pl.edu.icm.unity.oauth.as.token;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.oauth2.sdk.token.Tokens;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import java.util.Date;
import javax.ws.rs.FormParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;
import org.apache.log4j.Logger;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.WrongArgumentException;
import pl.edu.icm.unity.oauth.as.OAuthASProperties;
import pl.edu.icm.unity.oauth.as.OAuthProcessor;
import pl.edu.icm.unity.oauth.as.OAuthRequestValidator;
import pl.edu.icm.unity.oauth.as.OAuthToken;
import pl.edu.icm.unity.oauth.as.OAuthValidationException;
import pl.edu.icm.unity.server.api.internal.IdPEngine;
import pl.edu.icm.unity.server.api.internal.Token;
import pl.edu.icm.unity.server.api.internal.TokensManagement;
import pl.edu.icm.unity.server.api.internal.TransactionalRunner;
import pl.edu.icm.unity.server.authn.InvocationContext;
import pl.edu.icm.unity.server.utils.Log;
import pl.edu.icm.unity.types.basic.EntityParam;

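/**
 * OAuth 2.0 token endpoint (RFC 6749 §3.2). Exchanges an authorization code for an
 * access token (plus an ID token when one was attached to the code at authorization
 * time) and serves the client-credentials grant. No refresh tokens are issued by
 * either path.
 *
 * <p>Security properties visible in this class:
 * <ul>
 *   <li>The calling client is taken from the current {@link InvocationContext} login
 *       session, i.e. client authentication happens in the endpoint's authenticator
 *       before this resource runs. An authorization code is accepted only if it was
 *       issued to that very client; a mismatch is logged and answered with the same
 *       generic {@code invalid_grant} as an unknown code.</li>
 *   <li>The code is looked up and deleted inside one transaction, making it
 *       single-use (assuming the transactional runner isolates concurrent
 *       redemptions of the same code — not verifiable here). Re-presenting a consumed
 *       code yields {@code invalid_grant}; tokens already minted from it are NOT
 *       revoked, which RFC 6749 §4.1.2 recommends — TODO(review).</li>
 *   <li>If a {@code redirect_uri} was bound to the code it must be repeated on this
 *       request and match exactly (string equality, RFC 6749 §4.1.3).</li>
 *   <li>No {@code code_verifier} form parameter is read, so PKCE (RFC 7636) is not
 *       enforced by this endpoint.</li>
 *   <li>Whether an expired code is rejected depends on
 *       {@link TokensManagement#getTokenById}; that behaviour is not visible here
 *       and should be confirmed.</li>
 * </ul>
 */
@Produces({"application/json"})
@Path(OAuthTokenEndpoint.TOKEN_PATH)
public class AccessTokenResource extends BaseOAuthResource {
    private static final Logger log = Log.getLogger("unity.server.oauth", AccessTokenResource.class);

    /** Seconds-to-milliseconds factor, kept as a long so the validity arithmetic cannot overflow. */
    private static final long MILLIS_PER_SECOND = 1000L;

    private final TokensManagement tokensManagement;
    private final OAuthASProperties config;
    private final TransactionalRunner tx;
    private final ClientCredentialsProcessor clientGrantProcessor;

    /**
     * Carries a ready-made OAuth error {@link Response} out of the transactional code
     * lookup so the caller can return it unchanged. Private, as in the original
     * source (the decompiler widened it).
     */
    private static class OAuthErrorException extends EngineException {
        private final Response response;

        OAuthErrorException(Response response) {
            this.response = response;
        }
    }

    /** The stored authorization-code token together with its parsed payload. */
    private static class TokensPair {
        final Token codeToken;
        final OAuthToken parsedAuthzCodeToken;

        TokensPair(Token codeToken, OAuthToken parsedAuthzCodeToken) {
            this.codeToken = codeToken;
            this.parsedAuthzCodeToken = parsedAuthzCodeToken;
        }
    }

    public AccessTokenResource(TokensManagement tokensManagement, OAuthASProperties oAuthASProperties,
            OAuthRequestValidator oAuthRequestValidator, IdPEngine idPEngine,
            TransactionalRunner transactionalRunner) {
        this.tokensManagement = tokensManagement;
        this.config = oAuthASProperties;
        this.tx = transactionalRunner;
        this.clientGrantProcessor = new ClientCredentialsProcessor(oAuthRequestValidator, idPEngine,
                oAuthASProperties);
    }

    /**
     * Token request dispatcher.
     *
     * @param grantType   required; {@code authorization_code} or {@code client_credentials}
     * @param code        the authorization code, required for the authorization-code grant
     * @param scope       requested scope, consulted only by the client-credentials grant
     * @param redirectUri the redirect URI of the authorization request; required whenever
     *                    one was bound to the code
     * @return a token response, or an OAuth error response
     */
    @POST
    @Path("/")
    public Response getToken(@FormParam("grant_type") String grantType,
            @FormParam("code") String code,
            @FormParam("scope") String scope,
            @FormParam("redirect_uri") String redirectUri) throws EngineException, JsonProcessingException {
        if (grantType == null) {
            return makeError(OAuth2Error.INVALID_REQUEST, "grant_type is required");
        }
        if (grantType.equals(GrantType.AUTHORIZATION_CODE.getValue())) {
            if (code == null) {
                return makeError(OAuth2Error.INVALID_REQUEST, "code is required");
            }
            return handleAuthzCodeFlow(code, redirectUri);
        }
        if (grantType.equals(GrantType.CLIENT_CREDENTIALS.getValue())) {
            return handleClientCredentialFlow(scope);
        }
        // RFC 6749 §5.2: an unknown grant type is "unsupported_grant_type"; "invalid_grant"
        // is reserved for a bad code / credentials and would mislead conforming clients.
        return makeError(OAuth2Error.UNSUPPORTED_GRANT_TYPE, "wrong or not supported grant_type value");
    }

    /**
     * Client-credentials grant (RFC 6749 §4.4). The authenticated client itself becomes the
     * owner of the stored access token.
     *
     * @param scope the requested scope as sent by the client, validated by the processor
     */
    private Response handleClientCredentialFlow(String scope) throws EngineException, JsonProcessingException {
        Date issuedAt = new Date();
        // The no-arg constructor generates the token value; confirm it is backed by
        // SecureRandom in the nimbus version in use (not verifiable from this file).
        BearerAccessToken accessToken = new BearerAccessToken();
        try {
            OAuthToken internalToken = clientGrantProcessor.processClientFlowRequest(accessToken.getValue(), scope);
            Date expiresAt = getAccessTokenExpiration(issuedAt);
            AccessTokenResponse tokenResponse = new AccessTokenResponse(new Tokens(accessToken, (RefreshToken) null));
            tokensManagement.addToken(OAuthProcessor.INTERNAL_ACCESS_TOKEN, accessToken.getValue(),
                    new EntityParam(Long.valueOf(internalToken.getClientId())), internalToken.getSerialized(),
                    issuedAt, expiresAt);
            return toResponse(Response.ok(getResponseContent(tokenResponse)));
        } catch (OAuthValidationException e) {
            // The validator's message is echoed to the client; it must not carry secrets.
            return makeError(OAuth2Error.INVALID_REQUEST, e.getMessage());
        }
    }

    /**
     * Authorization-code grant (RFC 6749 §4.1.3). The code is consumed first, so a
     * subsequent redirect_uri mismatch still burns it.
     *
     * @param code        the presented authorization code
     * @param redirectUri the presented redirect URI, may be null
     */
    private Response handleAuthzCodeFlow(String code, String redirectUri) throws EngineException, JsonProcessingException {
        TokensPair pair;
        try {
            pair = loadAndRemoveAuthzCodeToken(code);
        } catch (OAuthErrorException e) {
            return e.response;
        }
        Token codeToken = pair.codeToken;
        OAuthToken authzCode = pair.parsedAuthzCodeToken;

        // A redirect_uri bound at authorization time must be repeated and match exactly.
        String boundRedirectUri = authzCode.getRedirectUri();
        if (boundRedirectUri != null) {
            if (redirectUri == null) {
                return makeError(OAuth2Error.INVALID_GRANT, "redirect_uri is required");
            }
            if (!boundRedirectUri.equals(redirectUri)) {
                return makeError(OAuth2Error.INVALID_GRANT, "redirect_uri is wrong");
            }
        }

        Date issuedAt = new Date();
        BearerAccessToken accessToken = new BearerAccessToken();
        // The access token's stored payload is a copy of the code's payload with the
        // token value filled in, so scopes/claims granted at authorization time carry over.
        OAuthToken accessTokenPayload = new OAuthToken(authzCode);
        accessTokenPayload.setAccessToken(accessToken.getValue());
        Date expiresAt = getAccessTokenExpiration(issuedAt);

        JWT idToken = decodeIDToken(accessTokenPayload);
        AccessTokenResponse tokenResponse = idToken == null
                ? new AccessTokenResponse(new Tokens(accessToken, (RefreshToken) null))
                : new OIDCTokenResponse(new OIDCTokens(idToken, accessToken, (RefreshToken) null));

        // The token is owned by the end user the code was issued for, not by the client.
        tokensManagement.addToken(OAuthProcessor.INTERNAL_ACCESS_TOKEN, accessToken.getValue(),
                new EntityParam(codeToken.getOwner()), accessTokenPayload.getSerialized(), issuedAt, expiresAt);
        return toResponse(Response.ok(getResponseContent(tokenResponse)));
    }

    /**
     * Returns {@code issuedAt} plus the configured access token validity (seconds).
     * The multiplication is done in {@code long}: doing it in {@code int} overflows for
     * validities above 2^31 ms (~24.8 days) and would yield an expiry in the past.
     */
    private Date getAccessTokenExpiration(Date issuedAt) {
        long validitySeconds = config.getIntValue(OAuthASProperties.ACCESS_TOKEN_VALIDITY).intValue();
        return new Date(issuedAt.getTime() + validitySeconds * MILLIS_PER_SECOND);
    }

    /**
     * Loads the authorization code, checks it was issued to the currently authenticated
     * client and deletes it, all in one transaction so the code is single-use. An unknown
     * code and a client mismatch both surface as the same generic {@code invalid_grant};
     * the mismatch is additionally logged (entity ids only, no token material).
     *
     * @throws OAuthErrorException carrying the error response to send back
     */
    private TokensPair loadAndRemoveAuthzCodeToken(String code) throws OAuthErrorException, EngineException {
        return (TokensPair) tx.runInTransactionRet(() -> {
            try {
                Token codeToken = tokensManagement.getTokenById(OAuthProcessor.INTERNAL_CODE_TOKEN, code);
                OAuthToken parsed = parseInternalToken(codeToken);
                // Client identity comes from the login session established by the
                // endpoint's authenticator, not from anything in the request body.
                long callerId = InvocationContext.getCurrent().getLoginSession().getEntityId();
                if (parsed.getClientId() != callerId) {
                    log.warn("Client with id " + callerId + " presented authorization code issued for client " + parsed.getClientId());
                    throw new OAuthErrorException(makeError(OAuth2Error.INVALID_GRANT, "wrong code"));
                }
                tokensManagement.removeToken(OAuthProcessor.INTERNAL_CODE_TOKEN, code);
                return new TokensPair(codeToken, parsed);
            } catch (WrongArgumentException e) {
                // Unknown, or already redeemed, code.
                throw new OAuthErrorException(makeError(OAuth2Error.INVALID_GRANT, "wrong code"));
            }
        });
    }
}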
