package org.apereo.cas.uma.web.controllers.authz;

import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20TokenGeneratedResult;
import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20TokenGenerator;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRequestDataHolder;
import org.apereo.cas.ticket.IdTokenGeneratorService;
import org.apereo.cas.ticket.Ticket;
import org.apereo.cas.ticket.accesstoken.AccessToken;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.uma.claim.UmaResourceSetClaimPermissionExaminer;
import org.apereo.cas.uma.claim.UmaResourceSetClaimPermissionResult;
import org.apereo.cas.uma.ticket.permission.UmaPermissionTicket;
import org.apereo.cas.uma.ticket.permission.UmaPermissionTicketFactory;
import org.apereo.cas.uma.ticket.resource.ResourceSet;
import org.apereo.cas.uma.ticket.resource.repository.ResourceSetRepository;
import org.apereo.cas.uma.web.controllers.BaseUmaEndpointController;
import org.apereo.cas.util.CollectionUtils;
import org.pac4j.core.profile.CommonProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;

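/**
 * UMA RPT authorization endpoint.
 * <p>
 * A client that has already been issued a permission ticket posts it here with grant type
 * {@link OAuth20GrantTypes#UMA_TICKET}. The ticket is resolved from the ticket registry and its
 * resource set's policies are examined against the ticket; when satisfied a requesting party
 * token (RPT) is minted from the caller's own access token, otherwise a {@code need_info}
 * response listing the unmatched claims and scopes is returned.
 * <p>
 * Security notes:
 * <ul>
 *   <li>The caller must present a bearer access token carrying the {@code uma_authorization}
 *       scope (enforced by {@code getAuthenticatedProfile} in the base class).</li>
 *   <li>The optional {@code rpt} field of the request body names a previously issued RPT to
 *       rotate. It is client-controlled, so it is only revoked when it resolves to an access
 *       token belonging to the same requesting party as the caller; the ticket id is never
 *       deleted blindly.</li>
 * </ul>
 */
@Controller("umaAuthorizationRequestEndpointController")
/* loaded from: input_file:org/apereo/cas/uma/web/controllers/authz/UmaAuthorizationRequestEndpointController.class */
public class UmaAuthorizationRequestEndpointController extends BaseUmaEndpointController {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(UmaAuthorizationRequestEndpointController.class);

    /** Scope the caller must hold, and which every minted RPT is also granted. */
    private static final String UMA_AUTHORIZATION_SCOPE = "uma_authorization";

    private final ServicesManager servicesManager;
    private final TicketRegistry ticketRegistry;
    private final OAuth20TokenGenerator accessTokenGenerator;
    private final UmaResourceSetClaimPermissionExaminer claimPermissionExaminer;
    private final IdTokenGeneratorService requestingPartyTokenGenerator;

    public UmaAuthorizationRequestEndpointController(UmaPermissionTicketFactory umaPermissionTicketFactory, ResourceSetRepository resourceSetRepository, CasConfigurationProperties casConfigurationProperties, ServicesManager servicesManager, TicketRegistry ticketRegistry, OAuth20TokenGenerator oAuth20TokenGenerator, UmaResourceSetClaimPermissionExaminer umaResourceSetClaimPermissionExaminer, IdTokenGeneratorService idTokenGeneratorService) {
        super(umaPermissionTicketFactory, resourceSetRepository, casConfigurationProperties);
        this.servicesManager = servicesManager;
        this.ticketRegistry = ticketRegistry;
        this.accessTokenGenerator = oAuth20TokenGenerator;
        this.claimPermissionExaminer = umaResourceSetClaimPermissionExaminer;
        this.requestingPartyTokenGenerator = idTokenGeneratorService;
    }

    /**
     * Handle an RPT authorization request.
     * <p>
     * Validates the JSON body (grant type must be {@link OAuth20GrantTypes#UMA_TICKET}, a
     * {@code ticket} must be present), resolves the permission ticket, rejects expired tickets
     * and tickets whose resource set has no policies, then either mints an RPT or answers with
     * {@code need_info}. Any failure inside the handler is logged and mapped to a generic
     * {@code 400} so that parsing or registry errors do not leak details to the client.
     * <p>
     * The mapping path below is reproduced as found; the leading {@code //} looks like a
     * decompilation artifact of a concatenated base path rather than an intentional route.
     *
     * @param str                 raw JSON request body
     * @param httpServletRequest  current request
     * @param httpServletResponse current response
     * @return {@code 200} with {@code rpt}, a {@code need_info} payload, or {@code 400}
     */
    @PostMapping(value = {"//oauth2.0/rptAuthzRequest"}, consumes = {"application/json"}, produces = {"application/json"})
    public ResponseEntity handleAuthorizationRequest(@RequestBody String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            final CommonProfile profile = getAuthenticatedProfile(httpServletRequest, httpServletResponse, UMA_AUTHORIZATION_SCOPE);
            final UmaAuthorizationRequest authzRequest = (UmaAuthorizationRequest) MAPPER.readValue(str, UmaAuthorizationRequest.class);

            final String grantType = authzRequest.getGrantType();
            if (StringUtils.isBlank(grantType)) {
                return new ResponseEntity("Unable to accept authorization request; grant type is missing", HttpStatus.BAD_REQUEST);
            }
            if (!grantType.equalsIgnoreCase(OAuth20GrantTypes.UMA_TICKET.getType())) {
                return new ResponseEntity("Unable to accept authorization request; need grant type " + OAuth20GrantTypes.UMA_TICKET.getType(), HttpStatus.BAD_REQUEST);
            }
            if (StringUtils.isBlank(authzRequest.getTicket())) {
                return new ResponseEntity("Unable to accept authorization request; ticket parameter is missing", HttpStatus.BAD_REQUEST);
            }

            final UmaPermissionTicket permissionTicket = this.ticketRegistry.getTicket(authzRequest.getTicket(), UmaPermissionTicket.class);
            if (permissionTicket == null || permissionTicket.isExpired()) {
                return new ResponseEntity("Permission ticket is invalid or has expired", HttpStatus.BAD_REQUEST);
            }

            // A resource set without policies can never be satisfied; refuse rather than mint an RPT.
            final ResourceSet resourceSet = permissionTicket.getResourceSet();
            if (resourceSet == null || resourceSet.getPolicies() == null || resourceSet.getPolicies().isEmpty()) {
                return new ResponseEntity("resource-set or linked policies are undefined", HttpStatus.BAD_REQUEST);
            }

            final UmaResourceSetClaimPermissionResult examination = this.claimPermissionExaminer.examine(resourceSet, permissionTicket);
            if (examination.isSatisfied()) {
                return generateRequestingPartyToken(httpServletRequest, httpServletResponse, profile, authzRequest, permissionTicket, resourceSet);
            }
            return handleMismatchedClaims(httpServletRequest, httpServletResponse, resourceSet, profile, examination, permissionTicket);
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
            return new ResponseEntity("Unable to handle authorization request", HttpStatus.BAD_REQUEST);
        }
    }

    /**
     * Build the {@code need_info} response for a ticket whose policies are not yet satisfied.
     * The payload names the claims and scopes that are still unmatched so the client can
     * collect them and retry with the same permission ticket.
     *
     * @param httpServletRequest                  current request (unused, kept for overrides)
     * @param httpServletResponse                 current response (unused, kept for overrides)
     * @param resourceSet                         resource set the ticket refers to (unused, kept for overrides)
     * @param commonProfile                       authenticated caller (unused, kept for overrides)
     * @param umaResourceSetClaimPermissionResult outcome of the policy examination
     * @param umaPermissionTicket                 the permission ticket being exchanged
     * @return response carrying {@code error=need_info} and {@code error_details}
     */
    protected ResponseEntity handleMismatchedClaims(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ResourceSet resourceSet, CommonProfile commonProfile, UmaResourceSetClaimPermissionResult umaResourceSetClaimPermissionResult, UmaPermissionTicket umaPermissionTicket) {
        final UmaAuthorizationNeedInfoResponse needInfo = new UmaAuthorizationNeedInfoResponse();
        needInfo.setRedirectUser(true);
        needInfo.setTicket(umaPermissionTicket.getId());
        needInfo.setRequiredClaims(unmatchedClaimNames(umaResourceSetClaimPermissionResult));
        needInfo.setRequiredScopes(unmatchedScopeNames(umaResourceSetClaimPermissionResult));

        final Map<String, Object> payload = new LinkedHashMap<>();
        payload.put("error", "need_info");
        payload.put("error_details", CollectionUtils.wrap("requesting_party_claims", needInfo));
        // NOTE(review): the UMA 2.0 grant spec describes need_info as a 403 response; the 308 used
        // here is kept to preserve existing client behaviour — confirm before changing.
        return new ResponseEntity(payload, HttpStatus.PERMANENT_REDIRECT);
    }

    /**
     * Mint the requesting party token once the ticket's policies are satisfied.
     * <p>
     * The RPT is derived from the caller's own access token (same authentication, TGT and
     * service), carries no refresh token, and receives an id token whose lifetime comes from
     * {@code cas.authn.uma.requestingPartyToken.maxTimeToLiveInSeconds}. If the request named a
     * previous {@code rpt} it is revoked only after ownership has been verified.
     *
     * @param httpServletRequest      current request; the permission ticket and resource set are
     *                                attached as attributes for the RPT generator
     * @param httpServletResponse     current response
     * @param commonProfile           authenticated caller
     * @param umaAuthorizationRequest parsed request body
     * @param umaPermissionTicket     the permission ticket being exchanged
     * @param resourceSet             resource set the ticket refers to
     * @return {@code 200} with the new {@code rpt} id, or {@code 400} when it cannot be minted
     */
    protected ResponseEntity generateRequestingPartyToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, CommonProfile commonProfile, UmaAuthorizationRequest umaAuthorizationRequest, UmaPermissionTicket umaPermissionTicket, ResourceSet resourceSet) {
        final AccessToken callerToken = commonProfile.getAttribute(AccessToken.class.getName(), AccessToken.class);
        if (callerToken == null) {
            // Without the backing access token there is no authentication/TGT to mint from;
            // fail explicitly instead of letting an NPE surface as a generic error.
            return new ResponseEntity("Unable to locate the access token for the authenticated profile", HttpStatus.BAD_REQUEST);
        }

        final String clientId = OAuth20Utils.getClientIdFromAuthenticatedProfile(commonProfile);
        final OAuthRegisteredService registeredService = OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, clientId);
        if (registeredService == null) {
            // Guard against an unresolvable client; never mint a token against a null service definition.
            return new ResponseEntity("Unable to locate a registered OAuth service for the requesting client", HttpStatus.BAD_REQUEST);
        }

        final AccessTokenRequestDataHolder holder = AccessTokenRequestDataHolder.builder()
            .authentication(callerToken.getAuthentication())
            .ticketGrantingTicket(callerToken.getTicketGrantingTicket())
            .grantType(OAuth20GrantTypes.UMA_TICKET)
            .responseType(OAuth20ResponseTypes.NONE)
            .registeredService(registeredService)
            .generateRefreshToken(false)
            .scopes(requestingPartyScopes(umaPermissionTicket, resourceSet))
            .service(callerToken.getService())
            .build();
        final OAuth20TokenGeneratedResult generated = this.accessTokenGenerator.generate(holder);
        if (generated.getAccessToken().isEmpty()) {
            return new ResponseEntity("Unable to generate access token", HttpStatus.BAD_REQUEST);
        }
        final AccessToken rpt = (AccessToken) generated.getAccessToken().get();

        final long ttlSeconds = Beans.newDuration(this.casProperties.getAuthn().getUma().getRequestingPartyToken().getMaxTimeToLiveInSeconds()).getSeconds();
        // The RPT/id-token generator reads the ticket and resource set back off the request.
        httpServletRequest.setAttribute(UmaPermissionTicket.class.getName(), umaPermissionTicket);
        httpServletRequest.setAttribute(ResourceSet.class.getName(), resourceSet);
        rpt.setIdToken(this.requestingPartyTokenGenerator.generate(httpServletRequest, httpServletResponse, rpt, ttlSeconds, OAuth20ResponseTypes.CODE, registeredService));
        this.ticketRegistry.updateTicket(rpt);

        revokePreviousRpt(umaAuthorizationRequest.getRpt(), callerToken);

        return new ResponseEntity(CollectionUtils.wrap("rpt", rpt.getId(), "code", HttpStatus.CREATED), HttpStatus.OK);
    }

    /**
     * Revoke the RPT named in the request, but only if it is an access token that belongs to
     * the same requesting party as the caller. The id is client-supplied, so deleting it
     * unconditionally would let any authenticated client remove arbitrary tickets (other
     * clients' tokens, TGTs) from the registry by id.
     *
     * @param rptId       client-supplied id of the RPT being rotated; may be blank
     * @param callerToken the caller's own access token, used as the ownership reference
     */
    private void revokePreviousRpt(final String rptId, final AccessToken callerToken) {
        if (StringUtils.isBlank(rptId)) {
            return;
        }
        final Ticket candidate = this.ticketRegistry.getTicket(rptId);
        if (candidate instanceof AccessToken && isSameRequestingParty((AccessToken) candidate, callerToken)) {
            this.ticketRegistry.deleteTicket(rptId);
            return;
        }
        // Deliberately not logging the supplied id: it may be a live token belonging to someone else.
        LOGGER.warn("Ignoring rpt supplied in the authorization request; it is not an access token owned by the requesting party");
    }

    /**
     * RPTs minted here carry the caller's authentication, so ownership is checked by principal id.
     * NOTE(review): this does not bind the token to the requesting client; tighten to the client id
     * as well once the access token type exposes it.
     */
    private static boolean isSameRequestingParty(final AccessToken candidate, final AccessToken caller) {
        if (candidate.getAuthentication() == null || caller.getAuthentication() == null) {
            return false;
        }
        final String candidatePrincipal = candidate.getAuthentication().getPrincipal().getId();
        final String callerPrincipal = caller.getAuthentication().getPrincipal().getId();
        return StringUtils.isNotBlank(callerPrincipal) && StringUtils.equals(candidatePrincipal, callerPrincipal);
    }

    /**
     * Scopes granted to the RPT: the mandatory {@code uma_authorization} scope, the scopes the
     * permission ticket asked for, and every scope declared on the resource set.
     * NOTE(review): adding all resource-set scopes grants more than the ticket requested;
     * consider restricting to the ticket's scopes for least privilege — confirm intended semantics.
     */
    private static Set<String> requestingPartyScopes(final UmaPermissionTicket ticket, final ResourceSet resourceSet) {
        final Set<String> scopes = new LinkedHashSet<>();
        scopes.add(UMA_AUTHORIZATION_SCOPE);
        scopes.addAll(ticket.getScopes());
        scopes.addAll(resourceSet.getScopes());
        return scopes;
    }

    /** Names of every claim that some policy still requires, across all examined details. */
    private static Set<String> unmatchedClaimNames(final UmaResourceSetClaimPermissionResult result) {
        return result.getDetails().values().stream()
            .flatMap(details -> details.getUnmatchedClaims().keySet().stream())
            .map(Object::toString)
            .collect(Collectors.toSet());
    }

    /** Names of every scope that some policy still requires, across all examined details. */
    private static Set<String> unmatchedScopeNames(final UmaResourceSetClaimPermissionResult result) {
        return result.getDetails().values().stream()
            .flatMap(details -> details.getUnmatchedScopes().stream())
            .map(Object::toString)
            .collect(Collectors.toSet());
    }
}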
