package edu.uiuc.ncsa.myproxy.oa4mp.oauth2.servlet;

import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.storage.RefreshTokenStore;
import edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.AbstractAccessTokenServlet;
import edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.IssuerTransactionState;
import edu.uiuc.ncsa.myproxy.oa4mp.server.util.AbstractCLIApprover;
import edu.uiuc.ncsa.security.core.exceptions.GeneralException;
import edu.uiuc.ncsa.security.core.exceptions.InvalidTokenException;
import edu.uiuc.ncsa.security.core.exceptions.NFWException;
import edu.uiuc.ncsa.security.core.util.BasicIdentifier;
import edu.uiuc.ncsa.security.delegation.server.ServiceTransaction;
import edu.uiuc.ncsa.security.delegation.server.request.ATResponse;
import edu.uiuc.ncsa.security.delegation.server.request.IssuerResponse;
import edu.uiuc.ncsa.security.delegation.servlet.TransactionState;
import edu.uiuc.ncsa.security.delegation.storage.Client;
import edu.uiuc.ncsa.security.delegation.token.RefreshToken;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Client;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Constants;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Error;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Errors;
import edu.uiuc.ncsa.security.oauth_2_0.OA2TokenForge;
import edu.uiuc.ncsa.security.oauth_2_0.server.ATIResponse2;
import edu.uiuc.ncsa.security.oauth_2_0.server.OA2Claims;
import edu.uiuc.ncsa.security.oauth_2_0.server.RTI2;
import edu.uiuc.ncsa.security.oauth_2_0.server.RTIRequest;
import edu.uiuc.ncsa.security.oauth_2_0.server.RTIResponse;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.digest.DigestUtils;

/* loaded from: input_file:WEB-INF/lib/oa4mp-server-loader-oauth2-3.1.jar:edu/uiuc/ncsa/myproxy/oa4mp/oauth2/servlet/OA2ATServlet.class */
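/**
 * OAuth 2 token endpoint. Authenticates the client with its secret, then either
 * exchanges an authorization code for an access token (plus a refresh token) or
 * rotates a refresh token. Refresh tokens are single use: a presented token is
 * retired and replaced by the one returned.
 */
public class OA2ATServlet extends AbstractAccessTokenServlet {

    /**
     * Validates the redirect_uri against the client and seeds the transaction
     * parameters with the values the token issuer needs: nonce (when the
     * transaction has one), client_id, issuer and subject.
     *
     * @param transactionState state carrying the transaction and its request parameters
     * @throws NFWException if no service address is configured (the issuer cannot be derived)
     * @throws Throwable    anything thrown by the superclass or by the client/redirect check
     */
    @Override // edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.MyProxyDelegationServlet, edu.uiuc.ncsa.security.delegation.servlet.TransactionFilter
    public void preprocess(TransactionState transactionState) throws Throwable {
        super.preprocess(transactionState);
        OA2ServiceTransaction transaction = (OA2ServiceTransaction) transactionState.getTransaction();
        Map<String, String> parameters = transactionState.getParameters();
        String redirectUri = parameters.get(OA2Constants.REDIRECT_URI);
        // The redirect_uri is checked against the client before it becomes the callback.
        OA2ClientCheck.check(transaction.getClient(), redirectUri);
        transaction.setCallback(URI.create(redirectUri));
        String nonce = transaction.getNonce();
        if (nonce != null && !nonce.isEmpty()) {
            parameters.put(OA2Constants.NONCE, nonce);
        }
        parameters.put(OA2Constants.CLIENT_ID, transaction.getClient().getIdentifierString());
        if (getServiceEnvironment().getServiceAddress() == null) {
            throw new NFWException("Error: no service address was found in the configuration.");
        }
        // The issuer is the service address with everything from its last ID_DELIMITER onward removed.
        String serviceAddress = getServiceEnvironment().getServiceAddress().toString();
        parameters.put(OA2Claims.ISSUER, serviceAddress.substring(0, serviceAddress.lastIndexOf(AbstractCLIApprover.ID_DELIMITER)));
        parameters.put(OA2Claims.SUBJECT, transaction.getUsername());
    }

    /**
     * Computes the lifetime of a refresh token: the larger of the lifetime recorded on
     * the transaction and the one configured for the client, capped by the server-wide
     * refresh token lifetime.
     *
     * @param transaction the transaction the refresh token belongs to
     * @return the lifetime to set on the refresh token
     * @throws NFWException if the server-wide refresh token lifetime is not positive
     */
    protected long computeRefreshLifetime(OA2ServiceTransaction transaction) {
        long clientLifetime = ((OA2Client) transaction.getClient()).getRtLifetime();
        long requested = Math.max(transaction.getRefreshTokenLifetime(), clientLifetime);
        OA2SE oa2se = (OA2SE) getServiceEnvironment();
        long serverMax = oa2se.getRefreshTokenLifetime();
        if (serverMax <= 0) {
            throw new NFWException("Internal error: the server-wide default for the refresh token lifetime has not been set.");
        }
        return Math.min(requested, serverMax);
    }

    /**
     * Services a token request. The grant_type and client_secret parameters are
     * required and the client is authenticated before any grant is processed.
     * A refresh_token grant is delegated to {@link #doRefresh}; an authorization_code
     * grant runs the delegation, attaches a refresh token with its computed lifetime
     * to the transaction and persists it.
     *
     * @param httpServletRequest  the token request
     * @param httpServletResponse the response to write to
     * @throws GeneralException if the grant type or secret is missing, or the secret does not match
     * @throws ServletException if the grant type is neither refresh_token nor authorization_code
     * @throws Throwable        anything thrown by the delegation
     */
    @Override // edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.AbstractAccessTokenServlet, edu.uiuc.ncsa.security.servlet.AbstractServlet
    protected void doIt(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Throwable {
        String grantType = getFirstParameterValue(httpServletRequest, OA2Constants.GRANT_TYPE);
        if (grantType == null) {
            warn("Error servicing request. No grant type was given. Rejecting request.");
            throw new GeneralException("Error: Could not service request");
        }
        Client client = getClient(httpServletRequest);
        checkClient(client);
        String presentedSecret = getFirstParameterValue(httpServletRequest, OA2Constants.CLIENT_SECRET);
        if (presentedSecret == null) {
            throw new GeneralException("Error: No secret. request refused.");
        }
        if (!secretMatches(client, presentedSecret)) {
            throw new GeneralException("Error: Secret is incorrect. request refused.");
        }
        if (grantType.equals(OA2Constants.REFRESH_TOKEN)) {
            doRefresh(httpServletRequest, httpServletResponse);
            return;
        }
        if (!grantType.equals(OA2Constants.AUTHORIZATION_CODE_VALUE)) {
            warn("Error: grant type was not recognized. Request rejected.");
            throw new ServletException("Error: Unknown request type.");
        }
        IssuerTransactionState state = doDelegation(httpServletRequest, httpServletResponse);
        ATIResponse2 atiResponse = (ATIResponse2) state.getIssuerResponse();
        OA2ServiceTransaction transaction = (OA2ServiceTransaction) state.getTransaction();
        RefreshToken refreshToken = atiResponse.getRefreshToken();
        transaction.setRefreshToken(refreshToken);
        refreshToken.setExpiresIn(computeRefreshLifetime(transaction));
        transaction.setRefreshTokenValid(true);
        getTransactionStore().save(transaction);
    }

    /**
     * Checks the presented client secret against the stored one. The store holds the
     * SHA-1 hex digest of the secret, so the presented value is digested the same way
     * and the two digests are compared in constant time, so that a mismatch does not
     * leak how many leading characters agreed.
     *
     * @param client          the authenticated client record
     * @param presentedSecret the client_secret parameter from the request
     * @return {@code true} only if the client has a stored secret and it matches
     */
    private static boolean secretMatches(Client client, String presentedSecret) {
        String storedDigest = client.getSecret();
        if (storedDigest == null) {
            // A client with no secret on record cannot authenticate at this endpoint.
            return false;
        }
        byte[] stored = storedDigest.getBytes(StandardCharsets.UTF_8);
        byte[] presented = DigestUtils.shaHex(presentedSecret).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(stored, presented);
    }

    /**
     * Looks up the transaction that owns a refresh token.
     *
     * @param refreshToken the token to look up
     * @return the owning transaction, or {@code null} if the store has none
     * @throws GeneralException if the token is {@code null}
     * @throws IOException      from the store
     */
    protected OA2ServiceTransaction getByRT(RefreshToken refreshToken) throws IOException {
        if (refreshToken == null) {
            throw new GeneralException("Error: null refresh token encountered.");
        }
        RefreshTokenStore store = (RefreshTokenStore) getTransactionStore();
        return store.get(refreshToken);
    }

    /**
     * @return the environment's token forge as an OAuth 2 forge
     */
    protected OA2TokenForge getTF2() {
        return (OA2TokenForge) getServiceEnvironment().getTokenForge();
    }

    /**
     * Handles a refresh_token grant. The presented token must be on record and still
     * valid; it is retired, a new access/refresh token pair is issued, the new refresh
     * token is given its computed lifetime, and the transaction is saved before the
     * response is written.
     *
     * @param httpServletRequest  the token request carrying the refresh_token parameter
     * @param httpServletResponse the response the new tokens are written to
     * @return the state of the completed refresh
     * @throws InvalidTokenException if no refresh token was sent, or it is unknown or already used
     * @throws IOException           from the store or the response
     * @throws ServletException      from the issuer
     */
    protected TransactionState doRefresh(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        String rawRefreshToken = httpServletRequest.getParameter(OA2Constants.REFRESH_TOKEN);
        if (rawRefreshToken == null) {
            throw new InvalidTokenException("Error: no refresh token was sent in the request.");
        }
        RefreshToken refreshToken = getTF2().getRefreshToken(rawRefreshToken);
        Client client = getClient(httpServletRequest);
        checkClient(client);
        OA2ServiceTransaction transaction = getByRT(refreshToken);
        if (transaction == null || !transaction.isRefreshTokenValid()) {
            throw new InvalidTokenException("Error: The refresh token is no longer valid");
        }
        // Single use: the presented token is retired before its replacement is issued.
        transaction.setRefreshTokenValid(false);
        // NOTE(review): the retired state only reaches the store with the save below, after the
        // new token has been minted, so two concurrent presentations of the same token could both
        // pass the validity check above. Closing that window needs an atomic update in the store.
        RTIRequest rtiRequest = new RTIRequest(httpServletRequest, client, transaction.getAccessToken());
        RTI2 issuer = new RTI2(getTF2(), getServiceEnvironment().getServiceAddress());
        RTIResponse rtiResponse = (RTIResponse) issuer.process(rtiRequest);
        RefreshToken newRefreshToken = rtiResponse.getRefreshToken();
        newRefreshToken.setExpiresIn(computeRefreshLifetime(transaction));
        transaction.setRefreshToken(newRefreshToken);
        transaction.setRefreshTokenValid(true);
        getTransactionStore().save(transaction);
        rtiResponse.write(httpServletResponse);
        return new IssuerTransactionState(httpServletRequest, httpServletResponse, rtiResponse.getParameters(), transaction, rtiResponse);
    }

    /**
     * Finds the pending transaction for an authorization code exchange and checks that
     * the code has not been used before and that the redirect_uri matches the callback
     * recorded when the code was issued.
     *
     * @param issuerResponse the access token response, whose parameters hold code, state and redirect_uri
     * @return the pending transaction
     * @throws OA2Error         with ACCESS_DENIED if no transaction is pending for the code
     * @throws GeneralException if the code was already used or the redirect_uri is missing or differs
     * @throws IOException      from the store
     */
    @Override // edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.MyProxyDelegationServlet
    public ServiceTransaction verifyAndGet(IssuerResponse issuerResponse) throws IOException {
        ATResponse atResponse = (ATResponse) issuerResponse;
        String authorizationCode = atResponse.getParameters().get(OA2Constants.AUTHORIZATION_CODE);
        String redirectUri = atResponse.getParameters().get(OA2Constants.REDIRECT_URI);
        ServiceTransaction transaction = (ServiceTransaction) getTransactionStore().get(new BasicIdentifier(authorizationCode));
        if (transaction == null) {
            throw new OA2Error(OA2Errors.ACCESS_DENIED, "No pending transaction found", atResponse.getParameters().get(OA2Constants.STATE), redirectUri);
        }
        if (!transaction.isAuthGrantValid()) {
            warn("Error: Attempt to re-use authorization code rejected.");
            throw new GeneralException("Error: Attempt to re-use authorization code rejected.");
        }
        // A missing redirect_uri or a missing recorded callback is treated as a mismatch rather than a crash.
        boolean redirectMatches = redirectUri != null
                && transaction.getCallback() != null
                && transaction.getCallback().equals(URI.create(redirectUri));
        if (!redirectMatches) {
            warn("Error: Attempt to use alternate redirect uri rejected.");
            throw new GeneralException("Error: Attempt to use alternate redirect uri rejected.");
        }
        return transaction;
    }
}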
