package edu.uiuc.ncsa.security.oauth_2_0.client;

import edu.uiuc.ncsa.security.core.exceptions.GeneralException;
import edu.uiuc.ncsa.security.delegation.client.request.ATRequest;
import edu.uiuc.ncsa.security.delegation.client.request.ATResponse;
import edu.uiuc.ncsa.security.delegation.client.server.ATServer;
import edu.uiuc.ncsa.security.delegation.token.impl.AccessTokenImpl;
import edu.uiuc.ncsa.security.oauth_2_0.IDTokenUtil;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Constants;
import edu.uiuc.ncsa.security.oauth_2_0.OA2RefreshTokenImpl;
import edu.uiuc.ncsa.security.oauth_2_0.server.OA2Claims;
import edu.uiuc.ncsa.security.servlet.ServiceClient;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import net.sf.json.JSONObject;
import org.apache.commons.io.IOUtils;

/* loaded from: input_file:WEB-INF/lib/ncsa-security-oauth-2.0-3.1.jar:edu/uiuc/ncsa/security/oauth_2_0/client/ATServer2.class */
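/**
 * OAuth 2.0 / OpenID Connect client-side handler for the token endpoint: exchanges an
 * authorization code for an access token (and optional refresh token) and checks the
 * claims of the ID token returned alongside it.
 */
public class ATServer2 extends ASImpl implements ATServer {
    ServiceClient serviceClient;

    /**
     * @return the client used to send requests to the token endpoint
     */
    public ServiceClient getServiceClient() {
        return this.serviceClient;
    }

    /**
     * @param serviceClient client for the token endpoint; its host is passed to the superclass
     */
    public ATServer2(ServiceClient serviceClient) {
        super(serviceClient.host(new URI[0]));
        this.serviceClient = serviceClient;
    }

    /**
     * Processes an access token request by delegating to {@link #getAccessToken(ATRequest)}.
     *
     * @param aTRequest the access token request
     * @return the response holding the access token and, if issued, the refresh token
     */
    @Override
    public ATResponse processATRequest(ATRequest aTRequest) {
        return getAccessToken(aTRequest);
    }

    /**
     * Sends the authorization-code grant to the token endpoint and validates the reply.
     *
     * <p>Checks performed on the reply, in order: it is not HTML, it contains an access token,
     * the token type is bearer, and the ID token's audience, nonce, issuer (scheme, host and
     * port compared against this server's address) and expiration are acceptable. Any failed
     * check aborts the exchange with an exception; no tokens are returned in that case.
     *
     * <p>NOTE(review): whether {@code IDTokenUtil.readIDToken} verifies the ID token signature
     * cannot be told from this class. The claim checks below are only meaningful if it does, or
     * if the transport to the token endpoint is authenticated TLS - confirm.
     *
     * @param aTRequest the request; its parameters must contain the redirect URI and the nonce
     *     sent in the authorization request. The parameter map is updated with the issued-at
     *     and subject claims and handed to the response.
     * @return the response holding the access token and, if issued, the refresh token
     * @throws GeneralException if the redirect URI is missing, the reply is HTML, or a token type,
     *     audience, nonce, issuer or expiration check fails
     * @throws IllegalArgumentException if the reply contains no access token
     */
    protected ATResponse getAccessToken(ATRequest aTRequest) {
        Map parameters = aTRequest.getParameters();
        if (parameters.get(OA2Constants.REDIRECT_URI) == null) {
            throw new GeneralException("Error: the client redirect uri was not set in the request.");
        }

        // NOTE(review): the client secret travels in this parameter map. Confirm that
        // ServiceClient.getRawResponse sends it in a request body over TLS and not in a URL,
        // where it would end up in access logs.
        HashMap tokenRequest = new HashMap();
        tokenRequest.put(OA2Constants.AUTHORIZATION_CODE, aTRequest.getAuthorizationGrant().getToken());
        tokenRequest.put(OA2Constants.GRANT_TYPE, OA2Constants.AUTHORIZATION_CODE_VALUE);
        tokenRequest.put(OA2Constants.CLIENT_ID, aTRequest.getClient().getIdentifierString());
        tokenRequest.put(OA2Constants.CLIENT_SECRET, aTRequest.getClient().getSecret());
        tokenRequest.put(OA2Constants.REDIRECT_URI, parameters.get(OA2Constants.REDIRECT_URI));

        String rawResponse = getServiceClient().getRawResponse(tokenRequest);
        if (rawResponse.startsWith("<") || rawResponse.startsWith(IOUtils.LINE_SEPARATOR_UNIX)) {
            // NOTE(review): the whole server-controlled body is copied into the exception
            // message; wherever this exception is logged or shown, that content goes with it.
            throw new GeneralException("Error: Response from server was html: " + rawResponse);
        }

        JSONObject tokenResponse = JSONObject.fromObject(rawResponse);
        if (!tokenResponse.containsKey(OA2Constants.ACCESS_TOKEN)) {
            throw new IllegalArgumentException("Error: No access token found in server response");
        }
        AccessTokenImpl accessToken =
                new AccessTokenImpl(URI.create(tokenResponse.getString(OA2Constants.ACCESS_TOKEN)));

        OA2RefreshTokenImpl refreshToken = null;
        if (tokenResponse.containsKey(OA2Constants.REFRESH_TOKEN)) {
            refreshToken =
                    new OA2RefreshTokenImpl(URI.create(tokenResponse.getString(OA2Constants.REFRESH_TOKEN)));
            // NOTE(review): RFC 6749 defines expires_in as the access token lifetime; here it is
            // recorded on the refresh token - confirm that this is intended.
            if (tokenResponse.containsKey(OA2Constants.EXPIRES_IN)) {
                try {
                    // The server reports seconds; the token stores milliseconds.
                    refreshToken.setExpiresIn(
                            Long.parseLong(tokenResponse.getString(OA2Constants.EXPIRES_IN)) * 1000);
                } catch (NumberFormatException ignored) {
                    // Best effort: an unparsable lifetime leaves the refresh token without an
                    // expiry instead of failing the whole exchange.
                }
            }
        }

        if (!tokenResponse.getString(OA2Constants.TOKEN_TYPE).equals(OA2Constants.BEARER_TOKEN_TYPE)) {
            throw new GeneralException("Error: incorrect token type");
        }

        JSONObject idToken = IDTokenUtil.readIDToken(tokenResponse.getString(OA2Constants.ID_TOKEN));

        // Audience: the ID token must have been issued for this client.
        if (!idToken.getString(OA2Claims.AUDIENCE).equals(aTRequest.getClient().getIdentifierString())) {
            throw new GeneralException("Error: Audience is incorrect");
        }
        // Nonce: binds the ID token to the authorization request this client started.
        if (!idToken.getString(OA2Constants.NONCE).equals(aTRequest.getParameters().get(OA2Constants.NONCE))) {
            throw new GeneralException("Error: Incorrect nonce returned from server");
        }

        // Issuer: must match this server's address. A value that is not a well-formed URL is
        // rejected here, so the comparison below never runs on an unparsed issuer.
        URL expectedIssuer;
        URL claimedIssuer;
        try {
            expectedIssuer = getAddress().toURL();
            claimedIssuer = new URL(idToken.getString(OA2Claims.ISSUER));
        } catch (MalformedURLException e) {
            throw new GeneralException("Error: Issuer is not a valid URL", e);
        }
        if (!expectedIssuer.getProtocol().equals(claimedIssuer.getProtocol())
                || !expectedIssuer.getHost().equals(claimedIssuer.getHost())
                || expectedIssuer.getPort() != claimedIssuer.getPort()) {
            throw new GeneralException("Error: Issuer is incorrect");
        }

        // Expiration: required, and must lie in the future (claim is in seconds).
        if (!idToken.containsKey(OA2Claims.EXPIRATION)) {
            throw new GeneralException("Error: Claims failed to have required expiration");
        }
        if (Long.parseLong(idToken.getString(OA2Claims.EXPIRATION)) * 1000 <= System.currentTimeMillis()) {
            throw new GeneralException("Error: expired claim.");
        }

        parameters.put(OA2Claims.ISSUED_AT, new Date(idToken.getLong(OA2Claims.ISSUED_AT) * 1000));
        parameters.put(OA2Claims.SUBJECT, idToken.getString(OA2Claims.SUBJECT));
        ATResponse2 response = new ATResponse2(accessToken, refreshToken);
        response.setParameters(parameters);
        return response;
    }
}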
