package pl.edu.icm.unity.oauth.as.token;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.oauth2.sdk.token.Tokens;
import com.nimbusds.openid.connect.sdk.OIDCResponseTypeValue;
import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import javax.ws.rs.FormParam;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.token.Token;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.EntityManagement;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.idp.EntityInGroup;
import pl.edu.icm.unity.engine.api.idp.IdPEngine;
import pl.edu.icm.unity.engine.api.token.TokensManagement;
import pl.edu.icm.unity.engine.api.translation.ExecutionFailException;
import pl.edu.icm.unity.engine.api.translation.out.TranslationResult;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.IllegalGroupValueException;
import pl.edu.icm.unity.exceptions.IllegalIdentityValueException;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.oauth.as.OAuthASProperties;
import pl.edu.icm.unity.oauth.as.OAuthAuthzContext;
import pl.edu.icm.unity.oauth.as.OAuthProcessor;
import pl.edu.icm.unity.oauth.as.OAuthRequestValidator;
import pl.edu.icm.unity.oauth.as.OAuthSystemAttributesProvider;
import pl.edu.icm.unity.oauth.as.OAuthToken;
import pl.edu.icm.unity.oauth.as.OAuthTokenRepository;
import pl.edu.icm.unity.oauth.as.OAuthValidationException;
import pl.edu.icm.unity.oauth.as.webauthz.OAuthIdPEngine;
import pl.edu.icm.unity.store.api.tx.TransactionalRunner;
import pl.edu.icm.unity.types.basic.AttributeExt;
import pl.edu.icm.unity.types.basic.Entity;
import pl.edu.icm.unity.types.basic.EntityParam;
import pl.edu.icm.unity.types.basic.IdentityTaV;

@Produces({"application/json"})
@Path(OAuthTokenEndpoint.TOKEN_PATH)
/* loaded from: input_file:pl/edu/icm/unity/oauth/as/token/AccessTokenResource.class */
public class AccessTokenResource extends BaseOAuthResource {
    private static final Logger log = Log.getLogger("unity.server.oauth", AccessTokenResource.class);
    public static final String EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";
    public static final String ACCESS_TOKEN_TYPE_ID = "urn:ietf:params:oauth:token-type:access_token";
    public static final String ID_TOKEN_TYPE_ID = "urn:ietf:params:oauth:token-type:id_token";
    public static final String EXCHANGE_SCOPE = "token-exchange";
    private TokensManagement tokensManagement;
    private OAuthASProperties config;
    private ClientCredentialsProcessor clientGrantProcessor;
    private OAuthIdPEngine notAuthorizedOauthIdpEngine;
    private OAuthRequestValidator requestValidator;
    private EntityManagement idMan;
    private AuthzCodeHandler authzCodeHandler;
    private final AccessTokenFactory accessTokenFactory;
    private final OAuthTokenRepository oauthTokensDAO;

    public AccessTokenResource(TokensManagement tokensManagement, OAuthTokenRepository oAuthTokenRepository, OAuthASProperties oAuthASProperties, OAuthRequestValidator oAuthRequestValidator, IdPEngine idPEngine, EntityManagement entityManagement, TransactionalRunner transactionalRunner) {
        this.tokensManagement = tokensManagement;
        this.oauthTokensDAO = oAuthTokenRepository;
        this.config = oAuthASProperties;
        this.clientGrantProcessor = new ClientCredentialsProcessor(oAuthRequestValidator, idPEngine, oAuthASProperties);
        this.notAuthorizedOauthIdpEngine = new OAuthIdPEngine(idPEngine);
        this.requestValidator = oAuthRequestValidator;
        this.idMan = entityManagement;
        this.accessTokenFactory = new AccessTokenFactory(oAuthASProperties);
        this.authzCodeHandler = new AuthzCodeHandler(tokensManagement, oAuthTokenRepository, oAuthASProperties, transactionalRunner, this.accessTokenFactory);
    }

    @POST
    @Path("/")
    public Response getToken(@FormParam("grant_type") String str, @FormParam("code") String str2, @FormParam("scope") String str3, @FormParam("redirect_uri") String str4, @FormParam("refresh_token") String str5, @FormParam("audience") String str6, @FormParam("requested_token_type") String str7, @FormParam("subject_token") String str8, @FormParam("subject_token_type") String str9, @FormParam("code_verifier") String str10, @HeaderParam("Accept") String str11) throws EngineException, JsonProcessingException {
        if (str == null) {
            return makeError(OAuth2Error.INVALID_REQUEST, "grant_type is required");
        }
        log.trace("Handle new token request with " + str + " grant");
        return str.equals(GrantType.AUTHORIZATION_CODE.getValue()) ? str2 == null ? makeError(OAuth2Error.INVALID_REQUEST, "code is required") : this.authzCodeHandler.handleAuthzCodeFlow(str2, str4, str10, str11) : str.equals(GrantType.CLIENT_CREDENTIALS.getValue()) ? handleClientCredentialFlow(str3, str11) : str.equals(EXCHANGE_GRANT) ? str6 == null ? makeError(OAuth2Error.INVALID_REQUEST, "audience is required") : str8 == null ? makeError(OAuth2Error.INVALID_REQUEST, "subject_token is required") : str9 == null ? makeError(OAuth2Error.INVALID_REQUEST, "subject_token_type is required") : handleExchangeToken(str8, str9, str7, str6, str3, str11) : str.equals(GrantType.REFRESH_TOKEN.getValue()) ? str5 == null ? makeError(OAuth2Error.INVALID_REQUEST, "refresh_token is required") : handleRefreshToken(str5, str3, str11) : makeError(OAuth2Error.INVALID_GRANT, "wrong or not supported grant_type value");
    }

    private void validateExchangeRequest(String str, String str2, String str3, String str4, long j, EntityParam entityParam, List<String> list) throws OAuthErrorException {
        if (!str2.equals(ACCESS_TOKEN_TYPE_ID)) {
            throw new OAuthErrorException(makeError(OAuth2Error.INVALID_REQUEST, "unsupported subject_token_type"));
        }
        if (str3 != null && !str3.equals(ACCESS_TOKEN_TYPE_ID) && !str3.equals(ID_TOKEN_TYPE_ID)) {
            throw new OAuthErrorException(makeError(OAuth2Error.INVALID_REQUEST, "unsupported requested_token_type"));
        }
        try {
            Entity entity = this.idMan.getEntity(entityParam);
            this.requestValidator.validateGroupMembership(entityParam, str4);
            if (!entity.getId().equals(Long.valueOf(j))) {
                throw new OAuthErrorException(makeError(OAuth2Error.INVALID_REQUEST, "wrong audience"));
            }
            if (!list.contains(EXCHANGE_SCOPE)) {
                throw new OAuthErrorException(makeError(OAuth2Error.INVALID_SCOPE, "Orginal token must have  token-exchange scope"));
            }
        } catch (EngineException e) {
            throw new OAuthErrorException(makeError(OAuth2Error.SERVER_ERROR, "Internal error, can not retrieve OAuth client's data"));
        } catch (IllegalIdentityValueException | OAuthValidationException e2) {
            throw new OAuthErrorException(makeError(OAuth2Error.INVALID_REQUEST, "wrong audience"));
        }
    }

    private Response handleExchangeToken(String str, String str2, String str3, String str4, String str5, String str6) throws EngineException, JsonProcessingException {
        long entityId = InvocationContext.getCurrent().getLoginSession().getEntityId();
        EntityParam entityParam = new EntityParam(new IdentityTaV("userName", str4));
        try {
            Token readAccessToken = this.oauthTokensDAO.readAccessToken(str);
            OAuthToken parseInternalToken = parseInternalToken(readAccessToken);
            List<String> asList = Arrays.asList(parseInternalToken.getRequestedScope());
            try {
                validateExchangeRequest(str, str2, str3, str4, entityId, entityParam, asList);
                try {
                    OAuthToken prepareNewToken = prepareNewToken(parseInternalToken, str5, asList, readAccessToken.getOwner().longValue(), entityId, str4, str3 != null && str3.equals(ID_TOKEN_TYPE_ID), EXCHANGE_GRANT);
                    prepareNewToken.setClientId(entityId);
                    prepareNewToken.setAudience(str4);
                    prepareNewToken.setClientUsername(str4);
                    prepareNewToken.setClientType(parseInternalToken.getClientType());
                    try {
                        prepareNewToken.setClientName(getClientName(entityParam));
                        Date date = new Date();
                        AccessToken create = this.accessTokenFactory.create(prepareNewToken, date, str6);
                        prepareNewToken.setAccessToken(create.getValue());
                        RefreshToken addRefreshToken = TokenUtils.addRefreshToken(this.config, this.tokensManagement, date, prepareNewToken, readAccessToken.getOwner());
                        Date accessTokenExpiration = TokenUtils.getAccessTokenExpiration(this.config, date);
                        HashMap hashMap = new HashMap();
                        hashMap.put("issued_token_type", ACCESS_TOKEN_TYPE_ID);
                        AccessTokenResponse accessTokenResponse = TokenUtils.getAccessTokenResponse(prepareNewToken, create, addRefreshToken, hashMap);
                        this.oauthTokensDAO.storeAccessToken(create, prepareNewToken, new EntityParam(readAccessToken.getOwner()), date, accessTokenExpiration);
                        return toResponse(Response.ok(getResponseContent(accessTokenResponse)));
                    } catch (OAuthErrorException e) {
                        return e.response;
                    }
                } catch (OAuthErrorException e2) {
                    return e2.response;
                }
            } catch (OAuthErrorException e3) {
                return e3.response;
            }
        } catch (Exception e4) {
            return makeError(OAuth2Error.INVALID_REQUEST, "wrong subject_token");
        }
    }

    private Response handleRefreshToken(String str, String str2, String str3) throws EngineException, JsonProcessingException {
        try {
            Token tokenById = this.tokensManagement.getTokenById(OAuthProcessor.INTERNAL_REFRESH_TOKEN, str);
            OAuthToken parseInternalToken = parseInternalToken(tokenById);
            long entityId = InvocationContext.getCurrent().getLoginSession().getEntityId();
            if (parseInternalToken.getClientId() != entityId) {
                log.warn("Client with id " + entityId + " presented use refresh code issued for client " + parseInternalToken.getClientId());
                return makeError(OAuth2Error.INVALID_GRANT, "wrong refresh token");
            }
            List<String> asList = Arrays.asList(parseInternalToken.getRequestedScope());
            if (str2 == null) {
                str2 = String.join(" ", asList);
            }
            try {
                OAuthToken prepareNewToken = prepareNewToken(parseInternalToken, str2, asList, tokenById.getOwner().longValue(), entityId, parseInternalToken.getClientUsername(), true, GrantType.REFRESH_TOKEN.getValue());
                Date date = new Date();
                Date accessTokenExpiration = TokenUtils.getAccessTokenExpiration(this.config, date);
                AccessToken create = this.accessTokenFactory.create(prepareNewToken, date, str3);
                prepareNewToken.setAccessToken(create.getValue());
                AccessTokenResponse accessTokenResponse = TokenUtils.getAccessTokenResponse(prepareNewToken, create, null, null);
                log.debug("Refreshed access token {} of entity {}, valid until {}", tokenToLog(create.getValue()), tokenById.getOwner(), accessTokenExpiration);
                this.oauthTokensDAO.storeAccessToken(create, prepareNewToken, new EntityParam(tokenById.getOwner()), date, accessTokenExpiration);
                return toResponse(Response.ok(getResponseContent(accessTokenResponse)));
            } catch (OAuthErrorException e) {
                return e.response;
            }
        } catch (Exception e2) {
            return makeError(OAuth2Error.INVALID_REQUEST, "wrong refresh token");
        }
    }

    private Response handleClientCredentialFlow(String str, String str2) throws EngineException, JsonProcessingException {
        Date date = new Date();
        try {
            OAuthToken processClientFlowRequest = this.clientGrantProcessor.processClientFlowRequest(str);
            AccessToken create = this.accessTokenFactory.create(processClientFlowRequest, date, str2);
            processClientFlowRequest.setAccessToken(create.getValue());
            Date accessTokenExpiration = TokenUtils.getAccessTokenExpiration(this.config, date);
            log.debug("Client cred grant: issuing new access token {}, valid until {}", tokenToLog(create.getValue()), accessTokenExpiration);
            AccessTokenResponse accessTokenResponse = new AccessTokenResponse(new Tokens(create, (RefreshToken) null));
            this.oauthTokensDAO.storeAccessToken(create, processClientFlowRequest, new EntityParam(Long.valueOf(processClientFlowRequest.getClientId())), date, accessTokenExpiration);
            return toResponse(Response.ok(getResponseContent(accessTokenResponse)));
        } catch (OAuthValidationException e) {
            return makeError(OAuth2Error.INVALID_REQUEST, e.getMessage());
        }
    }

    private String getClientName(EntityParam entityParam) throws OAuthErrorException {
        try {
            AttributeExt attributeExt = this.requestValidator.getAttributesNoAuthZ(entityParam).get(OAuthSystemAttributesProvider.CLIENT_NAME);
            if (attributeExt != null) {
                return (String) attributeExt.getValues().get(0);
            }
            return null;
        } catch (Exception e) {
            throw new OAuthErrorException(makeError(OAuth2Error.SERVER_ERROR, e.getMessage()));
        }
    }

    private OAuthToken prepareNewToken(OAuthToken oAuthToken, String str, List<String> list, long j, long j2, String str2, boolean z, String str3) throws OAuthErrorException {
        OAuthToken oAuthToken2 = new OAuthToken(oAuthToken);
        ArrayList arrayList = new ArrayList();
        if (str != null && !str.isEmpty()) {
            arrayList.addAll(Arrays.asList(str.split(" ")));
        }
        if (!list.containsAll(arrayList)) {
            throw new OAuthErrorException(makeError(OAuth2Error.INVALID_SCOPE, "wrong scope"));
        }
        oAuthToken2.setRequestedScope((String[]) arrayList.stream().toArray(i -> {
            return new String[i];
        }));
        TranslationResult attributes = getAttributes(j2, j, str3);
        List<OAuthAuthzContext.ScopeInfo> validRequestedScopes = this.requestValidator.getValidRequestedScopes(Scope.parse(String.join(" ", arrayList)));
        oAuthToken2.setEffectiveScope((String[]) validRequestedScopes.stream().map(scopeInfo -> {
            return scopeInfo.getName();
        }).toArray(i2 -> {
            return new String[i2];
        }));
        UserInfo createUserInfo = createUserInfo(validRequestedScopes, oAuthToken2.getSubject(), attributes);
        oAuthToken2.setUserInfo(createUserInfo.toJSONObject().toJSONString());
        Date date = new Date();
        if (arrayList.contains(OIDCScopeValue.OPENID.getValue()) && z) {
            try {
                oAuthToken2.setOpenidToken(createIdToken(date, oAuthToken2, Arrays.asList(new Audience(str2)), createUserInfo));
            } catch (Exception e) {
                log.error("Cannot create new id token", e);
                throw new OAuthErrorException(makeError(OAuth2Error.SERVER_ERROR, e.getMessage()));
            }
        } else {
            oAuthToken2.setOpenidToken(null);
        }
        oAuthToken2.setMaxExtendedValidity(this.config.getMaxExtendedAccessTokenValidity());
        oAuthToken2.setTokenValidity(this.config.getAccessTokenValidity());
        oAuthToken2.setAccessToken(null);
        oAuthToken2.setRefreshToken(null);
        oAuthToken2.setIssuerUri(this.config.getIssuerName());
        return oAuthToken2;
    }

    private TranslationResult getAttributes(long j, long j2, String str) throws OAuthErrorException {
        try {
            return this.notAuthorizedOauthIdpEngine.getUserInfoUnsafe(j2, String.valueOf(j), Optional.of(new EntityInGroup(this.config.getValue(OAuthASProperties.CLIENTS_GROUP), new EntityParam(Long.valueOf(j)))), this.config.getValue(OAuthASProperties.USERS_GROUP), this.config.getOutputTranslationProfile(), str, this.config);
        } catch (IllegalGroupValueException e) {
            log.debug("Entity trying to access OAuth resource is not a member of required group");
            throw new OAuthErrorException(makeError(OAuth2Error.ACCESS_DENIED, e.getMessage()));
        } catch (Exception e2) {
            log.error("Engine problem when handling client request", e2);
            throw new OAuthErrorException(makeError(OAuth2Error.SERVER_ERROR, e2.getMessage()));
        } catch (ExecutionFailException e3) {
            log.debug("Authentication failed due to profile's decision, returning error");
            throw new OAuthErrorException(makeError(OAuth2Error.ACCESS_DENIED, e3.getMessage()));
        }
    }

    private UserInfo createUserInfo(List<OAuthAuthzContext.ScopeInfo> list, String str, TranslationResult translationResult) {
        HashSet hashSet = new HashSet();
        Iterator<OAuthAuthzContext.ScopeInfo> it = list.iterator();
        while (it.hasNext()) {
            hashSet.addAll(it.next().getAttributes());
        }
        return OAuthProcessor.prepareUserInfoClaimSet(str, OAuthProcessor.filterAttributes(translationResult, hashSet));
    }

    private String createIdToken(Date date, OAuthToken oAuthToken, List<Audience> list, UserInfo userInfo) throws ParseException, JOSEException, EngineException {
        JWT decodeIDToken = decodeIDToken(oAuthToken);
        if (decodeIDToken == null) {
            return null;
        }
        try {
            IDTokenClaimsSet iDTokenClaimsSet = new IDTokenClaimsSet(decodeIDToken.getJWTClaimsSet());
            IDTokenClaimsSet iDTokenClaimsSet2 = new IDTokenClaimsSet(new Issuer(this.config.getIssuerName()), new Subject(oAuthToken.getSubject()), list, TokenUtils.getAccessTokenExpiration(this.config, date), date);
            iDTokenClaimsSet2.setNonce(iDTokenClaimsSet.getNonce());
            if (oAuthToken.getResponseType() != null && !oAuthToken.getResponseType().isEmpty()) {
                ResponseType parse = ResponseType.parse(oAuthToken.getResponseType());
                if (parse.contains(OIDCResponseTypeValue.ID_TOKEN) && parse.size() == 1) {
                    iDTokenClaimsSet2.putAll(userInfo);
                }
            }
            return this.config.getTokenSigner().sign(iDTokenClaimsSet2).serialize();
        } catch (Exception e) {
            throw new InternalException("Can not parse the internal id token", e);
        }
    }
}
