package edu.uiuc.ncsa.myproxy.oa4mp.oauth2.servlet;

import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction;
import edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.AbstractAccessTokenServlet;
import edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.IssuerTransactionState;
import edu.uiuc.ncsa.security.core.exceptions.GeneralException;
import edu.uiuc.ncsa.security.core.exceptions.InvalidTokenException;
import edu.uiuc.ncsa.security.core.exceptions.NFWException;
import edu.uiuc.ncsa.security.core.util.BasicIdentifier;
import edu.uiuc.ncsa.security.delegation.server.ServiceTransaction;
import edu.uiuc.ncsa.security.delegation.server.request.ATResponse;
import edu.uiuc.ncsa.security.delegation.server.request.IssuerResponse;
import edu.uiuc.ncsa.security.delegation.servlet.TransactionState;
import edu.uiuc.ncsa.security.delegation.storage.Client;
import edu.uiuc.ncsa.security.delegation.token.RefreshToken;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Error;
import edu.uiuc.ncsa.security.oauth_2_0.OA2TokenForge;
import edu.uiuc.ncsa.security.oauth_2_0.server.ATIResponse2;
import edu.uiuc.ncsa.security.oauth_2_0.server.RTI2;
import edu.uiuc.ncsa.security.oauth_2_0.server.RTIRequest;
import edu.uiuc.ncsa.security.oauth_2_0.server.RTIResponse;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.digest.DigestUtils;

/* loaded from: input_file:edu/uiuc/ncsa/myproxy/oa4mp/oauth2/servlet/OA2ATServlet.class */
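/**
 * OAuth 2 access-token endpoint. Exchanges an authorization code for an access token
 * (and a refresh token) and services {@code grant_type=refresh_token} requests.
 * <p>
 * Every request is authenticated in {@link #doIt} by comparing the client's stored secret
 * with the {@link DigestUtils#shaHex} digest of the presented {@code client_secret}.
 */
public class OA2ATServlet extends AbstractAccessTokenServlet {

    /**
     * Copies the values the token issuer needs (redirect_uri, nonce, client_id, iss, sub,
     * auth_time) from the transaction into the request parameter map.
     *
     * @param transactionState the current transaction together with its parameter map
     * @throws NFWException if no service address is configured, so {@code iss} cannot be derived
     * @throws Throwable    anything thrown by {@code OA2ClientCheck.check} or the superclass
     */
    public void preprocess(TransactionState transactionState) throws Throwable {
        super.preprocess(transactionState);
        OA2ServiceTransaction transaction = transactionState.getTransaction();
        Map parameters = transactionState.getParameters();
        String redirectUri = (String) parameters.get("redirect_uri");
        // The redirect_uri is checked against the registered client before it becomes the callback.
        OA2ClientCheck.check(transaction.getClient(), redirectUri);
        transaction.setCallback(URI.create(redirectUri));
        String nonce = transaction.getNonce();
        if (nonce != null && !nonce.isEmpty()) {
            parameters.put("nonce", nonce);
        }
        parameters.put("client_id", transaction.getClient().getIdentifierString());
        if (getServiceEnvironment().getServiceAddress() == null) {
            throw new NFWException("Error: no service address was found in the configuration.");
        }
        String uri = getServiceEnvironment().getServiceAddress().toString();
        // The issuer is the service address with its last path segment dropped; a service
        // address with no "/" at all would make substring() throw (the address is a URI, so
        // this is not expected in practice).
        parameters.put("iss", uri.substring(0, uri.lastIndexOf("/")));
        parameters.put("sub", transaction.getUsername());
        if (transaction.hasAuthTime()) {
            // auth_time is expressed in seconds; getTime() is milliseconds.
            parameters.put("auth_time", Long.toString(transaction.getAuthTime().getTime() / 1000));
        }
    }

    /**
     * Computes the refresh-token lifetime for a transaction: the larger of the transaction's own
     * lifetime and the client's configured lifetime, capped by the server-wide lifetime.
     *
     * @param oA2ServiceTransaction the transaction whose refresh token is being issued
     * @return the capped lifetime to set on the refresh token
     * @throws NFWException if the server-wide refresh-token lifetime is not positive (unset)
     */
    protected long computeRefreshLifetime(OA2ServiceTransaction oA2ServiceTransaction) {
        long requested = Math.max(oA2ServiceTransaction.getRefreshTokenLifetime(),
                oA2ServiceTransaction.getClient().getRtLifetime());
        OA2SE serviceEnvironment = getServiceEnvironment();
        long serverMax = serviceEnvironment.getRefreshTokenLifetime();
        if (serverMax <= 0) {
            throw new NFWException("Internal error: the server-wide default for the refresh token lifetime has not been set.");
        }
        // The server-wide value is a hard cap: neither the client nor the request can exceed it.
        return Math.min(requested, serverMax);
    }

    /**
     * Services a token request. Authenticates the client by its {@code client_secret}, then
     * dispatches on {@code grant_type}: {@code refresh_token} is handed to {@link #doRefresh};
     * {@code authorization_code} runs the delegation, attaches a refresh token to the
     * transaction and persists it.
     *
     * @throws GeneralException if grant_type or client_secret is missing, or the secret is wrong
     * @throws ServletException if grant_type is neither refresh_token nor authorization_code
     * @throws Throwable        anything thrown by the delegation step
     */
    protected void doIt(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Throwable {
        String grantType = getFirstParameterValue(httpServletRequest, "grant_type");
        if (grantType == null) {
            warn("Error servicing request. No grant type was given. Rejecting request.");
            throw new GeneralException("Error: Could not service request");
        }
        Client client = getClient(httpServletRequest);
        checkClient(client);
        String presentedSecret = getFirstParameterValue(httpServletRequest, "client_secret");
        if (presentedSecret == null) {
            throw new GeneralException("Error: No secret. request refused.");
        }
        if (!secretMatches(client, presentedSecret)) {
            throw new GeneralException("Error: Secret is incorrect. request refused.");
        }
        if ("refresh_token".equals(grantType)) {
            doRefresh(httpServletRequest, httpServletResponse);
            return;
        }
        if (!"authorization_code".equals(grantType)) {
            warn("Error: grant type was not recognized. Request rejected.");
            throw new ServletException("Error: Unknown request type.");
        }
        IssuerTransactionState doDelegation = doDelegation(httpServletRequest, httpServletResponse);
        ATIResponse2 issuerResponse = doDelegation.getIssuerResponse();
        OA2ServiceTransaction oA2ServiceTransaction = (OA2ServiceTransaction) doDelegation.getTransaction();
        RefreshToken refreshToken = issuerResponse.getRefreshToken();
        oA2ServiceTransaction.setRefreshToken(refreshToken);
        refreshToken.setExpiresIn(computeRefreshLifetime(oA2ServiceTransaction));
        oA2ServiceTransaction.setRefreshTokenValid(true);
        getTransactionStore().save(oA2ServiceTransaction);
    }

    /**
     * Compares the presented client secret with the client's stored secret in constant time.
     * The stored value is the hex digest produced by {@link DigestUtils#shaHex} (unsalted SHA-1),
     * so the presented value is digested the same way before comparing.
     * <p>
     * NOTE(review): the digest scheme is fixed by the stored client records; moving to a salted,
     * slow hash would need a migration of those records and is out of scope here.
     *
     * @param client          the client whose stored secret is the reference value
     * @param presentedSecret the raw secret sent with the request
     * @return {@code false} if the client has no stored secret or the digests differ
     */
    private static boolean secretMatches(Client client, String presentedSecret) {
        String storedDigest = client.getSecret();
        if (storedDigest == null) {
            return false;
        }
        byte[] expected = storedDigest.getBytes(StandardCharsets.UTF_8);
        byte[] actual = DigestUtils.shaHex(presentedSecret).getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual compares every byte rather than stopping at the first mismatch
        // like String.equals, so the comparison time does not depend on the matching prefix.
        return MessageDigest.isEqual(expected, actual);
    }

    /**
     * Looks up the transaction that owns a refresh token.
     *
     * @param refreshToken the token presented by the client
     * @return the transaction stored under the token, or {@code null} if the store has none
     * @throws GeneralException if {@code refreshToken} is {@code null}
     * @throws IOException      if the transaction store fails
     */
    protected OA2ServiceTransaction getByRT(RefreshToken refreshToken) throws IOException {
        if (refreshToken == null) {
            throw new GeneralException("Error: null refresh token encountered.");
        }
        return getTransactionStore().get(refreshToken);
    }

    /**
     * @return the OAuth 2 token forge of the service environment
     */
    protected OA2TokenForge getTF2() {
        return getServiceEnvironment().getTokenForge();
    }

    /**
     * Services a {@code grant_type=refresh_token} request: finds the transaction that owns the
     * presented refresh token, issues a new token pair, rotates the refresh token on the
     * transaction, persists it and writes the response.
     *
     * @return the transaction state for the refreshed transaction
     * @throws GeneralException      if no refresh_token parameter was sent
     * @throws InvalidTokenException if no transaction holds the token or it was already consumed
     * @throws IOException           if the store or the response fails
     * @throws ServletException      if the issuer fails
     */
    protected TransactionState doRefresh(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        String rawRefreshToken = httpServletRequest.getParameter("refresh_token");
        if (rawRefreshToken == null) {
            throw new GeneralException("Error: no refresh token was given. Request refused.");
        }
        RefreshToken refreshToken = getTF2().getRefreshToken(new String[]{rawRefreshToken});
        Client client = getClient(httpServletRequest);
        checkClient(client);
        OA2ServiceTransaction byRT = getByRT(refreshToken);
        if (byRT == null || !byRT.isRefreshTokenValid()) {
            throw new InvalidTokenException("Error: The refresh token is no longer valid");
        }
        // Mark the presented token consumed. This is persisted only by the save() below, so if
        // process() throws, the stored transaction (and the old token's validity) is unchanged.
        byRT.setRefreshTokenValid(false);
        RTIResponse process = new RTI2(getTF2(), getServiceEnvironment().getServiceAddress())
                .process(new RTIRequest(httpServletRequest, client, byRT.getAccessToken()));
        process.getRefreshToken().setExpiresIn(computeRefreshLifetime(byRT));
        byRT.setRefreshToken(process.getRefreshToken());
        byRT.setRefreshTokenValid(true);
        getTransactionStore().save(byRT);
        process.write(httpServletResponse);
        return new IssuerTransactionState(httpServletRequest, httpServletResponse, process.getParameters(), byRT, process);
    }

    /**
     * Finds the pending transaction for the authorization code in the issuer response and checks
     * that the code has not already been redeemed and that the presented redirect_uri equals the
     * callback recorded at authorization time.
     *
     * @param issuerResponse must be an {@link ATResponse}
     * @return the pending transaction
     * @throws OA2Error         ({@code access_denied}) if no transaction holds the code
     * @throws GeneralException if the code was already used, or the redirect_uri is missing or differs
     * @throws IOException      if the transaction store fails
     */
    public ServiceTransaction verifyAndGet(IssuerResponse issuerResponse) throws IOException {
        ATResponse aTResponse = (ATResponse) issuerResponse;
        String code = (String) aTResponse.getParameters().get("code");
        String state = (String) aTResponse.getParameters().get("state");
        String redirectUri = (String) aTResponse.getParameters().get("redirect_uri");
        ServiceTransaction serviceTransaction = (ServiceTransaction) getTransactionStore().get(new BasicIdentifier(code));
        if (serviceTransaction == null) {
            throw new OA2Error("access_denied", "No pending transaction found", state, redirectUri);
        }
        if (!serviceTransaction.isAuthGrantValid()) {
            warn("Error: Attempt to re-use authorization code rejected.");
            throw new GeneralException("Error: Attempt to re-use authorization code rejected.");
        }
        // A missing redirect_uri is rejected like a mismatched one instead of failing with an
        // NPE from URI.create(null). Comparing from the parsed URI side also tolerates a
        // transaction with no recorded callback (URI.equals(null) is false).
        if (redirectUri != null && URI.create(redirectUri).equals(serviceTransaction.getCallback())) {
            return serviceTransaction;
        }
        warn("Error: Attempt to use alternate redirect uri rejected.");
        throw new GeneralException("Error: Attempt to use alternate redirect uri rejected.");
    }
}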
