package pl.edu.icm.unity.oauth.as.token.access;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import jakarta.ws.rs.core.Response;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import pl.edu.icm.unity.base.entity.Entity;
import pl.edu.icm.unity.base.entity.EntityParam;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.identity.IdentityTaV;
import pl.edu.icm.unity.base.identity.IllegalIdentityValueException;
import pl.edu.icm.unity.base.token.Token;
import pl.edu.icm.unity.engine.api.EntityManagement;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.oauth.as.OAuthASProperties;
import pl.edu.icm.unity.oauth.as.OAuthRequestValidator;
import pl.edu.icm.unity.oauth.as.OAuthToken;
import pl.edu.icm.unity.oauth.as.OAuthValidationException;
import pl.edu.icm.unity.oauth.as.token.BaseOAuthResource;
import pl.edu.icm.unity.oauth.as.token.OAuthErrorException;

/* loaded from: input_file:pl/edu/icm/unity/oauth/as/token/access/ExchangeTokenHandler.class */
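/**
 * Handles the OAuth token-exchange grant ({@code urn:ietf:params:oauth:grant-type:token-exchange}).
 *
 * <p>An already authenticated client presents one of our own access tokens as {@code subject_token}
 * and names itself as the {@code audience}; on success a new access token (and, when the repository
 * issues one, a refresh token) is minted for the subject token's owner, bound to the calling client.
 *
 * <p>Before anything is issued {@link #validateExchangeRequest} enforces that the subject token type
 * is our access-token type, the requested type is one we support, the {@code audience} username
 * resolves to the <em>calling</em> client's entity (so a client cannot obtain a token addressed to
 * another client) and that the subject token was granted the token-exchange scope.
 *
 * <p>Decompiled class; parameter names are reconstructed from how each value is used below.
 */
class ExchangeTokenHandler {
    private final OAuthASProperties config;
    private final OAuthRefreshTokenRepository refreshTokensDAO;
    private final AccessTokenFactory accessTokenFactory;
    private final OAuthAccessTokenRepository accessTokensDAO;
    private final TokenService tokenService;
    private final ClientAttributesProvider clientAttributesProvider;
    private final OAuthTokenStatisticPublisher statisticPublisher;
    private final OAuthRequestValidator requestValidator;
    private final EntityManagement idMan;

    /**
     * Creates the handler with all of its collaborators.
     *
     * @param oAuthASProperties            authorization-server configuration (token lifetimes etc.)
     * @param oAuthRefreshTokenRepository  creates refresh tokens for newly issued access tokens
     * @param accessTokenFactory           mints the access token value
     * @param oAuthAccessTokenRepository   reads the subject token and persists the new one
     * @param tokenService                 derives the new internal token and builds the response
     * @param oAuthTokenStatisticPublisher receives a success report for issued tokens
     * @param oAuthRequestValidator        group-membership validation of the audience client
     * @param entityManagement             resolves the audience username to an entity
     * @param clientAttributesProvider     supplies the audience client's display name
     */
    public ExchangeTokenHandler(OAuthASProperties oAuthASProperties, OAuthRefreshTokenRepository oAuthRefreshTokenRepository, AccessTokenFactory accessTokenFactory, OAuthAccessTokenRepository oAuthAccessTokenRepository, TokenService tokenService, OAuthTokenStatisticPublisher oAuthTokenStatisticPublisher, OAuthRequestValidator oAuthRequestValidator, EntityManagement entityManagement, ClientAttributesProvider clientAttributesProvider) {
        this.config = oAuthASProperties;
        this.refreshTokensDAO = oAuthRefreshTokenRepository;
        this.accessTokenFactory = accessTokenFactory;
        this.accessTokensDAO = oAuthAccessTokenRepository;
        this.tokenService = tokenService;
        this.statisticPublisher = oAuthTokenStatisticPublisher;
        this.requestValidator = oAuthRequestValidator;
        this.idMan = entityManagement;
        this.clientAttributesProvider = clientAttributesProvider;
    }

    /**
     * Processes a token-exchange request made by the currently authenticated client.
     *
     * @param subjectToken       value of the {@code subject_token} parameter; must be one of our access tokens
     * @param subjectTokenType   {@code subject_token_type}; only {@link AccessTokenResource#ACCESS_TOKEN_TYPE_ID} is accepted
     * @param requestedTokenType {@code requested_token_type}; {@code null}, access-token or id-token type;
     *                           the id-token type additionally requests an ID token in the response
     * @param audience           {@code audience}; a client username that must resolve to the caller's own entity
     * @param scope              requested scope for the new token (narrowing is left to the token service)
     * @param acceptHeader       HTTP {@code Accept} header, forwarded to the access token factory
     * @return an OAuth token response, or an OAuth error response describing the rejection
     * @throws EngineException         declared for interface compatibility; every failure is mapped to
     *                                 an error response below, so this is not actually thrown
     * @throws JsonProcessingException declared for interface compatibility, see above
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public Response handleExchangeToken(String subjectToken, String subjectTokenType, String requestedTokenType,
            String audience, String scope, String acceptHeader) throws EngineException, JsonProcessingException {
        // The caller is whoever authenticated at the token endpoint; it becomes the new token's client.
        long callerEntityId = InvocationContext.getCurrent().getLoginSession().getEntityId();
        EntityParam audienceEntity = new EntityParam(new IdentityTaV("userName", audience));

        // Stage 1: resolve and parse the subject token. Any failure here is reported with a single
        // generic message so that an unknown or malformed token does not leak why it was rejected.
        Token subjectTokenRecord;
        OAuthToken parsedSubjectToken;
        List<String> subjectScopes;
        try {
            subjectTokenRecord = this.accessTokensDAO.readAccessToken(subjectToken);
            parsedSubjectToken = BaseOAuthResource.parseInternalToken(subjectTokenRecord);
            subjectScopes = Arrays.asList(parsedSubjectToken.getRequestedScope());
        } catch (Exception e) {
            return BaseOAuthResource.makeError(OAuth2Error.INVALID_REQUEST, "wrong subject_token");
        }

        // Stage 2: validate the request, then mint, persist and report the new token.
        try {
            validateExchangeRequest(subjectTokenType, requestedTokenType, audience, callerEntityId,
                    audienceEntity, subjectScopes);

            boolean issueIdToken = AccessTokenResource.ID_TOKEN_TYPE_ID.equals(requestedTokenType);
            OAuthToken newToken = this.tokenService.prepareNewTokenBasedOnOldToken(parsedSubjectToken, scope,
                    subjectScopes, subjectTokenRecord.getOwner().longValue(), callerEntityId, audience,
                    issueIdToken, GrantType.TOKEN_EXCHANGE.getValue());
            // The new token belongs to the calling client and is addressed to it (audience == caller,
            // enforced by validateExchangeRequest); the client type is inherited from the subject token.
            newToken.setClientId(callerEntityId);
            newToken.setAudience(List.of(audience));
            newToken.setClientUsername(audience);
            newToken.setClientType(parsedSubjectToken.getClientType());
            newToken.setClientName(this.clientAttributesProvider.getClientName(audienceEntity));

            // One timestamp drives the token value, the refresh token and the expiration so they agree.
            Date now = new Date();
            AccessToken accessToken = this.accessTokenFactory.create(newToken, now, acceptHeader);
            newToken.setAccessToken(accessToken.getValue());
            RefreshToken refreshToken = this.refreshTokensDAO
                    .createRefreshToken(this.config, now, newToken, subjectTokenRecord.getOwner())
                    .orElse(null);
            Date accessTokenExpiration = TokenUtils.getAccessTokenExpiration(this.config, now);

            // RFC 8693 requires issued_token_type in a token-exchange response.
            Map<String, Object> additionalParams = new HashMap<>();
            additionalParams.put("issued_token_type", AccessTokenResource.ACCESS_TOKEN_TYPE_ID);
            AccessTokenResponse tokenResponse = this.tokenService.getAccessTokenResponse(newToken, accessToken,
                    refreshToken, additionalParams);

            // The new token is stored for the subject token's owner, not for the calling client.
            EntityParam owner = new EntityParam(subjectTokenRecord.getOwner());
            this.accessTokensDAO.storeAccessToken(accessToken, newToken, owner, now, accessTokenExpiration);
            this.statisticPublisher.reportSuccess(parsedSubjectToken.getClientUsername(),
                    parsedSubjectToken.getClientName(), owner);
            return BaseOAuthResource.toResponse(Response.ok(BaseOAuthResource.getResponseContent(tokenResponse)));
        } catch (OAuthErrorException e) {
            // Validation and issuance failures carry their own ready-made error response.
            return e.response;
        } catch (Exception e) {
            // Preserved from the original: any other failure in this stage (including persistence
            // errors) is reported as a subject_token problem. NOTE(review): this hides server-side
            // faults behind invalid_request; consider logging e before returning.
            return BaseOAuthResource.makeError(OAuth2Error.INVALID_REQUEST, "wrong subject_token");
        }
    }

    /**
     * Rejects a token-exchange request that does not meet the exchange policy.
     *
     * <p>Checks, in order: the subject token type is our access-token type; the requested type (if
     * given) is the access-token or id-token type; the audience username resolves to an entity and
     * passes the group-membership check; that entity is the calling client itself; and the subject
     * token carries {@link AccessTokenResource#EXCHANGE_SCOPE}.
     *
     * @param subjectTokenType   {@code subject_token_type} from the request
     * @param requestedTokenType {@code requested_token_type} from the request, may be {@code null}
     * @param audience           {@code audience} username, used for the group-membership check
     * @param callerEntityId     entity id of the authenticated caller
     * @param audienceEntity     the audience username wrapped as an entity reference
     * @param subjectScopes      scopes originally granted to the subject token
     * @throws OAuthErrorException carrying the error response to return to the client
     */
    private void validateExchangeRequest(String subjectTokenType, String requestedTokenType, String audience,
            long callerEntityId, EntityParam audienceEntity, List<String> subjectScopes) throws OAuthErrorException {
        // Constant-first equals: a missing subject_token_type is an unsupported type, not an NPE.
        if (!AccessTokenResource.ACCESS_TOKEN_TYPE_ID.equals(subjectTokenType)) {
            throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.INVALID_REQUEST, "unsupported subject_token_type"));
        }
        boolean requestedTypeSupported = requestedTokenType == null
                || AccessTokenResource.ACCESS_TOKEN_TYPE_ID.equals(requestedTokenType)
                || AccessTokenResource.ID_TOKEN_TYPE_ID.equals(requestedTokenType);
        if (!requestedTypeSupported) {
            throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.INVALID_REQUEST, "unsupported requested_token_type"));
        }
        try {
            Entity audienceClient = this.idMan.getEntity(audienceEntity);
            this.requestValidator.validateGroupMembership(audienceEntity, audience);
            // The caller may only exchange for itself: the audience must be the authenticated client.
            if (!Long.valueOf(callerEntityId).equals(audienceClient.getId())) {
                throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.INVALID_REQUEST, "wrong audience"));
            }
            if (!subjectScopes.contains(AccessTokenResource.EXCHANGE_SCOPE)) {
                throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.INVALID_SCOPE, "Orginal token must have  token-exchange scope"));
            }
        } catch (EngineException e) {
            // Lookup infrastructure failure; do not expose details to the client.
            throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.SERVER_ERROR, "Internal error, can not retrieve OAuth client's data"));
        } catch (IllegalIdentityValueException | OAuthValidationException e2) {
            // Unknown/invalid audience username or failed membership check: same message as the
            // id mismatch, so the response does not reveal which clients exist.
            throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.INVALID_REQUEST, "wrong audience"));
        }
    }
}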
