package edu.uiuc.ncsa.myproxy.oa4mp.oauth2.servlet;

import edu.uiuc.ncsa.myproxy.MPSingleConnectionProvider;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction;
import edu.uiuc.ncsa.myproxy.oa4mp.server.ServiceConstantKeys;
import edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.ACS2;
import edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.AbstractAuthorizationServlet;
import edu.uiuc.ncsa.security.core.exceptions.GeneralException;
import edu.uiuc.ncsa.security.core.util.BasicIdentifier;
import edu.uiuc.ncsa.security.core.util.DateUtils;
import edu.uiuc.ncsa.security.delegation.server.ServiceTransaction;
import edu.uiuc.ncsa.security.delegation.server.request.IssuerResponse;
import edu.uiuc.ncsa.security.delegation.servlet.TransactionState;
import edu.uiuc.ncsa.security.delegation.storage.Client;
import edu.uiuc.ncsa.security.delegation.token.AccessToken;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Client;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Constants;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Errors;
import edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Scopes;
import edu.uiuc.ncsa.security.oauth_2_0.server.PAIResponse2;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import net.sf.json.util.JSONUtils;
import org.apache.commons.codec.digest.DigestUtils;

/* loaded from: input_file:WEB-INF/lib/oa4mp-server-loader-oauth2-3.3.0.2.jar:edu/uiuc/ncsa/myproxy/oa4mp/oauth2/servlet/OA2CertServlet.class */
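/**
 * OAuth 2 certificate-request endpoint: authenticates the calling client,
 * resolves the transaction behind the presented access token, makes sure a
 * MyProxy connection exists for it and then issues the certificate.
 * <p>
 * Every request is untrusted input; the checks here are the only gate between
 * a bearer token and a certificate, so they fail closed with an
 * {@link OA2GeneralError} carrying the HTTP status the client should see.
 */
public class OA2CertServlet extends ACS2 {
    /**
     * Upper bound on the number of {@code Basic} authorization header entries
     * accepted by {@link #getClient(HttpServletRequest)}. The original code
     * allows up to two, apparently one carrying the client id and one the
     * secret when they are not sent as request parameters.
     */
    private static final int MAX_BASIC_AUTH_ENTRIES = 2;

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Extracts the access token from the request.
     * <p>
     * The token forge is asked first; if it fails for any reason the
     * {@code Authorization: Bearer} header is consulted instead, and exactly one
     * such header value must be present.
     *
     * @param httpServletRequest the incoming certificate request
     * @return the access token presented by the client
     * @throws GeneralException if the fallback finds no bearer token or more than one
     */
    @Override // edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.CRServlet
    public AccessToken getAccessToken(HttpServletRequest httpServletRequest) {
        try {
            return getServiceEnvironment().getTokenForge().getAccessToken(httpServletRequest);
        } catch (Throwable ignored) {
            // Best-effort fallback: the forge could not read a token from the request
            // itself, so look for it in the Authorization header instead.
            List<String> bearerTokens = getAuthHeader(httpServletRequest, OA2Constants.BEARER_TOKEN_TYPE);
            if (bearerTokens.isEmpty()) {
                throw new GeneralException("Error: no access token");
            }
            if (bearerTokens.size() > 1) {
                throw new GeneralException("Error: too many access tokens");
            }
            return getServiceEnvironment().getTokenForge().getAccessToken(bearerTokens.get(0));
        }
    }

    /**
     * Authenticates the client making the request.
     * <p>
     * The client id and secret are taken from the request parameters when present;
     * otherwise they are recovered from the {@code Basic} authorization header
     * entries, where a value that parses as a URI with a scheme is treated as the
     * client id and anything else as the secret. The presented secret is digested
     * and compared against the stored digest in constant time.
     *
     * @param httpServletRequest the incoming certificate request
     * @return the authenticated client
     * @throws OA2GeneralError with status 401 if too many authorization entries are
     *                         present, or 400 if the client id, the client or the
     *                         secret is missing or the secret does not match
     */
    @Override // edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.MyProxyDelegationServlet
    public Client getClient(HttpServletRequest httpServletRequest) {
        String clientId = httpServletRequest.getParameter(CONST(ServiceConstantKeys.CONSUMER_KEY));
        String clientSecret = getFirstParameterValue(httpServletRequest, OA2Constants.CLIENT_SECRET);
        List<String> basicEntries = getAuthHeader(httpServletRequest, "Basic");
        if (basicEntries.size() > MAX_BASIC_AUTH_ENTRIES) {
            throw new OA2GeneralError(OA2Errors.INVALID_TOKEN, "Error: Too many authorization tokens.", 401);
        }
        if (clientId == null) {
            // No client id parameter: recover the credentials from the Basic header(s).
            for (String entry : basicEntries) {
                try {
                    if (URI.create(entry).getScheme() != null) {
                        clientId = entry; // client ids are URIs
                    } else {
                        clientSecret = entry;
                    }
                } catch (RuntimeException notAUri) {
                    // URI.create throws IllegalArgumentException on malformed input; such a
                    // value can only be the secret, and the first one seen wins.
                    if (clientSecret == null) {
                        clientSecret = entry;
                    }
                }
            }
        }
        if (clientId == null) {
            throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "Error: No client id.", 400);
        }
        OA2Client client = (OA2Client) getClient(BasicIdentifier.newID(clientId));
        if (client == null) {
            // Guard against a store that returns null for an unknown id rather than throwing;
            // without this the secret check below would fail with a NullPointerException.
            throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "Error: Unknown client. request refused.", 400);
        }
        if (clientSecret == null) {
            throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "Error: No secret. request refused.", 400);
        }
        if (!secretMatches(client.getSecret(), clientSecret)) {
            throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "Error: Secret is incorrect. request refused.", 400);
        }
        return client;
    }

    /**
     * Compares the stored secret digest with the digest of the presented secret
     * without short-circuiting, so the time taken to reject a wrong secret does not
     * depend on how many leading characters happen to match.
     *
     * @param storedDigest    the digest on file for the client; {@code null} never matches
     * @param presentedSecret the plaintext secret sent by the client
     * @return {@code true} only if the two digests are identical
     */
    private static boolean secretMatches(String storedDigest, String presentedSecret) {
        if (storedDigest == null) {
            return false;
        }
        // The digest scheme (DigestUtils.shaHex of the plaintext) must match whatever the
        // client registration path stored; changing it here alone would lock every client out.
        byte[] expected = storedDigest.getBytes(StandardCharsets.UTF_8);
        byte[] actual = DigestUtils.shaHex(presentedSecret).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    /**
     * Looks up and validates the transaction behind the access token in the
     * issuer response.
     * <p>
     * The transaction must exist, carry the MyProxy scope, still have a valid
     * access token, belong to an acceptable client and hold an unexpired token.
     *
     * @param issuerResponse the response holding the access token; must be a {@link PAIResponse2}
     * @return the validated transaction
     * @throws IOException     propagated from the superclass contract
     * @throws OA2GeneralError with status 401 for an unknown or invalidated token
     *                         and 403 when the MyProxy scope was not granted
     */
    @Override // edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.MyProxyDelegationServlet
    public ServiceTransaction verifyAndGet(IssuerResponse issuerResponse) throws IOException {
        AccessToken accessToken = ((PAIResponse2) issuerResponse).getAccessToken();
        OA2ServiceTransaction transaction = (OA2ServiceTransaction) getTransactionStore().get(accessToken);
        if (transaction == null) {
            // Same message as the invalidated-token case below, so the response does not
            // reveal whether the token was never issued or has since been invalidated.
            throw new OA2GeneralError(OA2Errors.INVALID_TOKEN, "Invalid access token. Request refused", 401);
        }
        if (!transaction.getScopes().contains(OA2Scopes.SCOPE_MYPROXY)) {
            throw new OA2GeneralError(OA2Errors.INVALID_SCOPE, "Certificate request is not in scope.", 403);
        }
        if (!transaction.isAccessTokenValid()) {
            throw new OA2GeneralError(OA2Errors.INVALID_TOKEN, "Invalid access token. Request refused", 401);
        }
        checkClient(transaction.getClient());
        DateUtils.checkTimestamp(accessToken.getToken());
        return transaction;
    }

    /**
     * Ensures a MyProxy connection exists for the transaction, creating one if
     * necessary.
     *
     * @param transaction the transaction needing a MyProxy connection
     * @throws GeneralSecurityException if the connection cannot be created
     */
    protected void checkMPConnection(OA2ServiceTransaction transaction) throws GeneralSecurityException {
        if (hasMPConnection(transaction)) {
            return;
        }
        // An empty passphrase is passed on this path; the credential actually used
        // for the logon is established elsewhere — TODO confirm against createMPConnection.
        createMPConnection(transaction.getIdentifier(), transaction.getMyproxyUsername(), "", transaction.getLifetime());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Issues the certificate for the transaction.
     * <p>
     * Without two-factor support a MyProxy connection is created on demand. With
     * two-factor support the connection cached during authorization is required;
     * if it wraps a {@link AbstractAuthorizationServlet.MyMyProxyLogon} the cached
     * entry is replaced by a fresh connection built from the username and
     * passphrase it holds.
     *
     * @param serviceTransaction the transaction, expected to be an {@link OA2ServiceTransaction}
     * @param str                opaque argument handed through to {@code doCertRequest}
     * @throws GeneralException if two-factor support is on and no cached connection exists
     * @throws Throwable        anything raised while connecting to MyProxy or issuing the certificate
     */
    @Override // edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.CRServlet
    public void doRealCertRequest(ServiceTransaction serviceTransaction, String str) throws Throwable {
        OA2ServiceTransaction transaction = (OA2ServiceTransaction) serviceTransaction;
        OA2SE environment = (OA2SE) getServiceEnvironment();
        if (!environment.isTwoFactorSupportEnabled()) {
            checkMPConnection(transaction);
        } else {
            if (!getMyproxyConnectionCache().containsKey(transaction.getIdentifier())) {
                throw new GeneralException("No cached my proxy object with identifier " + transaction.getIdentifierString());
            }
            MPSingleConnectionProvider.MyProxyLogonConnection cachedConnection =
                    (MPSingleConnectionProvider.MyProxyLogonConnection) getMyproxyConnectionCache().get((Object) transaction.getIdentifier()).getValue();
            if (cachedConnection.getMyProxyLogon() instanceof AbstractAuthorizationServlet.MyMyProxyLogon) {
                AbstractAuthorizationServlet.MyMyProxyLogon logon =
                        (AbstractAuthorizationServlet.MyMyProxyLogon) cachedConnection.getMyProxyLogon();
                // The cached entry is single-use: drop it before opening the real connection.
                getMyproxyConnectionCache().remove((Object) cachedConnection.getIdentifier());
                createMPConnection(transaction.getIdentifier(), logon.getUsername(), logon.getPassphrase(), transaction.getLifetime());
            }
        }
        doCertRequest(transaction, str);
    }

    /**
     * Runs the superclass post-processing and, when refresh tokens are enabled
     * and the transaction has one, marks the access token valid again and
     * persists the transaction.
     *
     * @param transactionState the state of the completed request
     * @throws Throwable propagated from the superclass or the transaction store
     */
    @Override // edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.MyProxyDelegationServlet, edu.uiuc.ncsa.security.delegation.servlet.TransactionFilter
    public void postprocess(TransactionState transactionState) throws Throwable {
        super.postprocess(transactionState);
        OA2ServiceTransaction transaction = (OA2ServiceTransaction) transactionState.getTransaction();
        boolean refreshEnabled = ((OA2SE) getServiceEnvironment()).isRefreshTokenEnabled();
        if (refreshEnabled && transaction.hasRefreshToken()) {
            transaction.setAccessTokenValid(true);
            getTransactionStore().save(transaction);
        }
    }
}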
