package edu.uiuc.ncsa.myproxy.oa4mp.oauth2.servlet;

import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction;
import edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.AbstractAccessTokenServlet;
import edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.IssuerTransactionState;
import edu.uiuc.ncsa.security.core.exceptions.GeneralException;
import edu.uiuc.ncsa.security.core.exceptions.InvalidTokenException;
import edu.uiuc.ncsa.security.core.exceptions.InvalidURIException;
import edu.uiuc.ncsa.security.core.exceptions.NFWException;
import edu.uiuc.ncsa.security.core.util.BasicIdentifier;
import edu.uiuc.ncsa.security.core.util.DebugUtil;
import edu.uiuc.ncsa.security.delegation.server.ServiceTransaction;
import edu.uiuc.ncsa.security.delegation.server.request.IssuerResponse;
import edu.uiuc.ncsa.security.delegation.servlet.TransactionState;
import edu.uiuc.ncsa.security.delegation.token.RefreshToken;
import edu.uiuc.ncsa.security.oauth_2_0.OA2ATException;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Client;
import edu.uiuc.ncsa.security.oauth_2_0.OA2TokenForge;
import edu.uiuc.ncsa.security.oauth_2_0.server.ATIResponse2;
import edu.uiuc.ncsa.security.oauth_2_0.server.RTI2;
import edu.uiuc.ncsa.security.oauth_2_0.server.RTIRequest;
import edu.uiuc.ncsa.security.oauth_2_0.server.RTIResponse;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.digest.DigestUtils;

/* loaded from: input_file:edu/uiuc/ncsa/myproxy/oa4mp/oauth2/servlet/OA2ATServlet.class */
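/**
 * OAuth 2.0 token endpoint for OA4MP.
 *
 * <p>Handles the {@code authorization_code} and {@code refresh_token} grant types. Every request
 * must authenticate the client with {@code client_secret}; the presented secret is hashed and
 * compared against the stored digest. Refresh tokens are only issued / honoured when both the
 * server and the client have them enabled.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The secret comparison is done in constant time ({@link MessageDigest#isEqual}) so that a
 *       caller cannot learn the stored digest byte-by-byte from response timing.</li>
 *   <li>A refresh token is only honoured for the client it was issued to; presenting another
 *       client's refresh token with valid credentials of your own is rejected.</li>
 *   <li>Stored client secrets are an unsalted SHA-1 hex digest ({@link DigestUtils#shaHex}). That is
 *       dictated by the client store format and is NOT changed here; migrating to a salted,
 *       slow hash would require a coordinated store change.</li>
 * </ul>
 */
public class OA2ATServlet extends AbstractAccessTokenServlet {

    /**
     * Prepares the transaction and the outgoing parameter map before the token is issued.
     *
     * <p>Sets the RFC 6749 §5.1 cache headers, records the requested {@code redirect_uri} as the
     * transaction callback, validates it against the client's registration via
     * {@link OA2ClientCheck}, and copies the ID-token claims ({@code nonce}, {@code client_id},
     * {@code iss}, {@code sub}, {@code auth_time}) into the parameter map.
     *
     * @param transactionState the current transaction state; its parameter map is mutated in place
     * @throws InvalidURIException if the redirect URI is absent, unparseable, not registered for
     *         the client, or if any other failure occurs inside the guarded region (including a
     *         missing service address, which is wrapped with its cause attached)
     */
    public void preprocess(TransactionState transactionState) throws Throwable {
        super.preprocess(transactionState);
        // Token responses carry credentials: never let intermediaries cache them (RFC 6749 §5.1).
        transactionState.getResponse().setHeader("Cache-Control", "no-store");
        transactionState.getResponse().setHeader("Pragma", "no-cache");
        OA2ServiceTransaction transaction = transactionState.getTransaction();
        Map parameters = transactionState.getParameters();
        String requestedRedirect = (String) parameters.get("redirect_uri");
        try {
            // URI.create(null) throws NPE, which is caught below and reported as an invalid URI.
            transaction.setCallback(URI.create(requestedRedirect));
            OA2ClientCheck.check(transaction.getClient(), requestedRedirect);
            if (transaction.getNonce() != null && 0 < transaction.getNonce().length()) {
                parameters.put("nonce", transaction.getNonce());
            }
            parameters.put("client_id", transaction.getClient().getIdentifierString());
            if (getServiceEnvironment().getServiceAddress() == null) {
                throw new NFWException("Error: no service address was found in the configuration.");
            }
            // The issuer is the service address with its last path segment stripped.
            String serviceAddress = getServiceEnvironment().getServiceAddress().toString();
            parameters.put("iss", serviceAddress.substring(0, serviceAddress.lastIndexOf("/")));
            parameters.put("sub", transaction.getUsername());
            if (transaction.hasAuthTime()) {
                // auth_time is seconds since the epoch, per OpenID Connect Core.
                parameters.put("auth_time", Long.toString(transaction.getAuthTime().getTime() / 1000));
            }
        } catch (Throwable th) {
            // Preserve the cause so an internal error is distinguishable from a bad URI in logs.
            throw new InvalidURIException("Invalid redirect URI \"" + requestedRedirect + "\"", th);
        }
    }

    /**
     * Computes the refresh token lifetime for a transaction.
     *
     * <p>The lifetime is the larger of the transaction's and the client's requested lifetime,
     * capped by the server-wide maximum so no client can exceed the server policy.
     *
     * @param oA2ServiceTransaction the transaction whose refresh token is being issued
     * @return the lifetime to set on the refresh token, in the units used by the configuration
     * @throws NFWException if the server-wide refresh token lifetime is not configured (&lt;= 0)
     */
    protected long computeRefreshLifetime(OA2ServiceTransaction oA2ServiceTransaction) {
        long requested = Math.max(oA2ServiceTransaction.getRefreshTokenLifetime(),
                oA2ServiceTransaction.getClient().getRtLifetime());
        OA2SE serviceEnvironment = getServiceEnvironment();
        if (serviceEnvironment.getRefreshTokenLifetime() <= 0) {
            throw new NFWException("Internal error: the server-wide default for the refresh token lifetime has not been set.");
        }
        // Server policy is the hard ceiling.
        return Math.min(requested, serviceEnvironment.getRefreshTokenLifetime());
    }

    /**
     * Services a token request.
     *
     * <p>Order of checks: grant type present, client resolvable and passes {@code checkClient},
     * {@code client_secret} present and matching the stored digest. Only then is the grant
     * dispatched: {@code refresh_token} to {@link #doRefresh}, {@code authorization_code} to the
     * delegation flow, anything else rejected.
     *
     * @param httpServletRequest the incoming token request
     * @param httpServletResponse the response the token is written to
     * @throws GeneralException if no grant type was supplied
     * @throws OA2ATException with {@code unauthorized_client} if the secret is missing or wrong
     * @throws ServletException if the grant type is unrecognised
     */
    protected void doIt(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Throwable {
        String grantType = getFirstParameterValue(httpServletRequest, "grant_type");
        if (grantType == null) {
            warn("Error servicing request. No grant type was given. Rejecting request.");
            throw new GeneralException("Error: Could not service request");
        }
        OA2Client client = getClient(httpServletRequest);
        checkClient(client);
        authenticateClient(client, getFirstParameterValue(httpServletRequest, "client_secret"));
        if (grantType.equals("refresh_token")) {
            doRefresh(httpServletRequest, httpServletResponse);
            return;
        }
        if (!grantType.equals("authorization_code")) {
            warn("Error: grant type was not recognized. Request rejected.");
            throw new ServletException("Error: Unknown request type.");
        }
        IssuerTransactionState doDelegation = doDelegation(httpServletRequest, httpServletResponse);
        ATIResponse2 issuerResponse = doDelegation.getIssuerResponse();
        OA2ServiceTransaction oA2ServiceTransaction = (OA2ServiceTransaction) doDelegation.getTransaction();
        boolean serverAllowsRefresh = getServiceEnvironment().isRefreshTokenEnabled();
        if (!client.isRTLifetimeEnabled() && serverAllowsRefresh) {
            info("Refresh tokens are disabled for client " + client.getIdentifierString() + ", but enabled on the server. No refresh token will be madeg.");
        }
        if (client.isRTLifetimeEnabled() && serverAllowsRefresh) {
            RefreshToken refreshToken = issuerResponse.getRefreshToken();
            oA2ServiceTransaction.setRefreshToken(refreshToken);
            oA2ServiceTransaction.setRefreshTokenLifetime(getServiceEnvironment().getRefreshTokenLifetime());
            refreshToken.setExpiresIn(computeRefreshLifetime(oA2ServiceTransaction));
            oA2ServiceTransaction.setRefreshTokenValid(true);
        } else {
            // Make sure no refresh token leaks into the response when the feature is off.
            issuerResponse.setRefreshToken((RefreshToken) null);
        }
        getTransactionStore().save(oA2ServiceTransaction);
        issuerResponse.write(httpServletResponse);
    }

    /**
     * Verifies the presented {@code client_secret} against the client's stored digest.
     *
     * <p>The store holds {@code DigestUtils.shaHex(secret)}; the presented value is hashed the same
     * way and the two hex strings are compared in constant time so that response timing does not
     * reveal how many leading bytes matched. A client record with no stored secret can never
     * authenticate (previously this was an unguarded NPE).
     *
     * @param client the already-resolved client
     * @param presentedSecret the raw {@code client_secret} parameter, or {@code null} if absent
     * @throws OA2ATException with {@code unauthorized_client} if the secret is missing or wrong
     */
    private void authenticateClient(OA2Client client, String presentedSecret) {
        if (presentedSecret == null) {
            DebugUtil.dbg(this, "doIt: no secret, throwing exception.");
            throw new OA2ATException("unauthorized_client", "Missing secret");
        }
        String storedDigest = client.getSecret();
        // NOTE: unsalted SHA-1 is the existing store format; see class Javadoc.
        String presentedDigest = DigestUtils.shaHex(presentedSecret);
        boolean matches = storedDigest != null
                && MessageDigest.isEqual(storedDigest.getBytes(StandardCharsets.UTF_8),
                        presentedDigest.getBytes(StandardCharsets.UTF_8));
        if (!matches) {
            DebugUtil.dbg(this, "doIt: bad secret, throwing exception.");
            throw new OA2ATException("unauthorized_client", "Incorrect secret");
        }
    }

    /**
     * Looks up the transaction a refresh token belongs to.
     *
     * @param refreshToken the presented refresh token
     * @return the stored transaction, or {@code null} if the store has none for this token
     * @throws GeneralException if the token is {@code null}
     * @throws IOException if the store lookup fails
     */
    protected OA2ServiceTransaction getByRT(RefreshToken refreshToken) throws IOException {
        if (refreshToken == null) {
            throw new GeneralException("Error: null refresh token encountered.");
        }
        return getTransactionStore().get(refreshToken);
    }

    /**
     * @return the OAuth 2.0 token forge from the service environment
     */
    protected OA2TokenForge getTF2() {
        return getServiceEnvironment().getTokenForge();
    }

    /**
     * Handles the {@code refresh_token} grant.
     *
     * <p>The presented refresh token is resolved to its transaction, which must be valid, must
     * belong to the authenticated client, and refresh must be enabled on both server and client.
     * The old refresh token is invalidated, a new access/refresh token pair is minted, and the
     * transaction is re-saved under the new tokens (the old entry is removed first).
     *
     * <p>Caller ({@link #doIt}) has already authenticated the client's secret; this method does not
     * repeat that check.
     *
     * @param httpServletRequest the incoming request carrying {@code refresh_token}
     * @param httpServletResponse the response the new tokens are written to
     * @return the resulting transaction state
     * @throws InvalidTokenException if no client could be resolved from the request
     * @throws OA2ATException {@code request_not_supported} if refresh is disabled;
     *         {@code invalid_request} if the token is unknown, revoked, or issued to another client
     */
    protected TransactionState doRefresh(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        RefreshToken refreshToken = getTF2().getRefreshToken(new String[]{httpServletRequest.getParameter("refresh_token")});
        OA2Client client = getClient(httpServletRequest);
        if (client == null) {
            throw new InvalidTokenException("Could not find the client associated with geturirefresh token \"" + refreshToken + "\"");
        }
        checkClient(client);
        OA2ServiceTransaction byRT = getByRT(refreshToken);
        if (!getServiceEnvironment().isRefreshTokenEnabled() || !client.isRTLifetimeEnabled()) {
            throw new OA2ATException("request_not_supported", "Refresh tokens are not supported on this server");
        }
        if (byRT == null || !byRT.isRefreshTokenValid()) {
            throw new OA2ATException("invalid_request", "Error: The refresh token is no longer valid.");
        }
        // Bind the refresh token to the client it was issued to (RFC 6749 §6). Without this, any
        // authenticated client could redeem a refresh token stolen from another client. The same
        // error text as the invalid-token case is used so existence of the token is not disclosed.
        if (byRT.getClient() == null
                || !client.getIdentifierString().equals(byRT.getClient().getIdentifierString())) {
            warn("Refresh token presented by client " + client.getIdentifierString()
                    + " was not issued to that client. Request rejected.");
            throw new OA2ATException("invalid_request", "Error: The refresh token is no longer valid.");
        }
        // Invalidate before minting so a failure mid-way cannot leave the old token usable.
        byRT.setRefreshTokenValid(false);
        RTIResponse process = new RTI2(getTF2(), getServiceEnvironment().getServiceAddress())
                .process(new RTIRequest(httpServletRequest, client, byRT.getAccessToken()));
        process.getRefreshToken().setExpiresIn(computeRefreshLifetime(byRT));
        byRT.setRefreshToken(process.getRefreshToken());
        byRT.setRefreshTokenValid(true);
        byRT.setAccessToken(process.getAccessToken());
        // The store is keyed by token; drop the entry under the old tokens before saving the new one.
        getTransactionStore().remove(byRT.getIdentifier());
        getTransactionStore().save(byRT);
        process.write(httpServletResponse);
        return new IssuerTransactionState(httpServletRequest, httpServletResponse, process.getParameters(), byRT, process);
    }

    /**
     * Resolves the {@code code} in an authorization-code exchange to its pending transaction and
     * verifies the exchange is legitimate.
     *
     * <p>Checks, in order: a code was supplied; a transaction exists for it; the authorization
     * grant is still valid; the presented {@code redirect_uri} equals the transaction callback.
     * Scopes not supported by the server are filtered out of the response.
     *
     * <p>NOTE(review): {@link #preprocess} writes the request's {@code redirect_uri} into the
     * transaction callback. If the superclass runs {@code preprocess} before this method, the
     * callback comparison here is against the request's own value and is only as strong as
     * {@code OA2ClientCheck.check} — confirm the ordering in {@code AbstractAccessTokenServlet}.
     *
     * @param issuerResponse the response being built; must be an {@link ATIResponse2}
     * @return the verified transaction
     * @throws OA2ATException {@code invalid_request} if the code is missing, unknown, or the
     *         redirect URI does not match
     * @throws GeneralException if the authorization code has already been used or revoked
     * @throws IOException if the store lookup fails
     */
    public ServiceTransaction verifyAndGet(IssuerResponse issuerResponse) throws IOException {
        ATIResponse2 aTIResponse2 = (ATIResponse2) issuerResponse;
        String code = (String) aTIResponse2.getParameters().get("code");
        if (code == null) {
            throw new OA2ATException("invalid_request", "Missing authorization code");
        }
        OA2ServiceTransaction oA2ServiceTransaction =
                (OA2ServiceTransaction) getTransactionStore().get(new BasicIdentifier(code));
        if (oA2ServiceTransaction == null) {
            throw new OA2ATException("invalid_request", "No pending transaction found");
        }
        if (!oA2ServiceTransaction.isAuthGrantValid()) {
            warn("Error: Attempt to use invalid authorization code.  Request rejected.");
            throw new GeneralException("Error: Attempt to use invalid authorization code.  Request rejected.");
        }
        // A missing redirect_uri previously caused URI.create(null) to NPE; reject it explicitly.
        String presentedRedirect = (String) aTIResponse2.getParameters().get("redirect_uri");
        if (presentedRedirect == null
                || !oA2ServiceTransaction.getCallback().equals(URI.create(presentedRedirect))) {
            warn("Attempt to use alternate redirect uri rejected.");
            throw new OA2ATException("invalid_request", "Attempt to use alternate redirect uri rejected.");
        }
        OA2SE serviceEnvironment = getServiceEnvironment();
        ArrayList supportedScopes = new ArrayList();
        boolean droppedAny = false;
        for (String scope : oA2ServiceTransaction.getScopes()) {
            if (serviceEnvironment.getScopes().contains(scope)) {
                supportedScopes.add(scope);
            } else {
                droppedAny = true;
            }
        }
        // Only narrow the scope list when something was actually dropped, as the original did.
        if (droppedAny) {
            aTIResponse2.setSupportedScopes(supportedScopes);
        }
        aTIResponse2.setScopeHandler(serviceEnvironment.getScopeHandler());
        aTIResponse2.setServiceTransaction(oA2ServiceTransaction);
        return oA2ServiceTransaction;
    }
}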
