package org.apereo.cas.support.oauth.web;

import java.util.Locale;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.oauth.profile.OAuthClientProfile;
import org.apereo.cas.support.oauth.profile.OAuthUserProfile;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.ticket.OAuthToken;
import org.apereo.cas.support.oauth.ticket.accesstoken.AccessToken;
import org.apereo.cas.support.oauth.ticket.code.OAuthCode;
import org.apereo.cas.support.oauth.ticket.refreshtoken.RefreshToken;
import org.apereo.cas.support.oauth.ticket.refreshtoken.RefreshTokenFactory;
import org.apereo.cas.support.oauth.util.OAuthUtils;
import org.apereo.cas.ticket.Ticket;
import org.apereo.inspektr.aspect.TraceLogAspect;
import org.aspectj.lang.JoinPoint;
import org.aspectj.runtime.internal.AroundClosure;
import org.aspectj.runtime.reflect.Factory;
import org.pac4j.core.context.J2EContext;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.core.profile.UserProfile;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

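/**
 * Spring MVC controller for the OAuth 2.0 token endpoint ({@code POST /oauth2.0/accessToken}).
 *
 * <p>The endpoint accepts the {@code authorization_code}, {@code refresh_token} and
 * {@code password} grant types. For the first two it resolves the submitted ticket from the
 * ticket registry and reuses the service and authentication stored on it; for the password
 * grant it builds a service and authentication from the profile attached to the request.
 *
 * <p>This listing is decompiler output of an AspectJ-woven class. {@code AjcClosure1},
 * {@code ajc$tjp_0}, {@code ajc$preClinit()} and {@code getRefreshTokenFactory_aroundBody0}
 * are weaver plumbing around {@link #getRefreshTokenFactory()} and are left exactly as
 * decompiled.
 */
@Controller("accessTokenController")
/* loaded from: input_file:org/apereo/cas/support/oauth/web/OAuth20AccessTokenController.class */
public class OAuth20AccessTokenController extends BaseOAuthWrapperController {

    @Autowired
    private CasConfigurationProperties casProperties;
    private RefreshTokenFactory refreshTokenFactory;
    private AccessTokenResponseGenerator accessTokenResponseGenerator;
    // Decompilation artifact: declared final with a null initializer, yet assigned in
    // ajc$preClinit(). The bytecode is valid; javac rejects this source form as written.
    private static final JoinPoint.StaticPart ajc$tjp_0 = null;

    /**
     * Weaver-generated closure that carries the original body of
     * {@link OAuth20AccessTokenController#getRefreshTokenFactory()} into the trace aspect.
     */
    /* loaded from: input_file:org/apereo/cas/support/oauth/web/OAuth20AccessTokenController$AjcClosure1.class */
    public class AjcClosure1 extends AroundClosure {
        public AjcClosure1(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            // state[0] is the controller, state[1] the join point (see getRefreshTokenFactory()).
            Object[] objArr2 = ((AroundClosure) this).state;
            return OAuth20AccessTokenController.getRefreshTokenFactory_aroundBody0((OAuth20AccessTokenController) objArr2[0], (JoinPoint) objArr2[1]);
        }
    }

    /**
     * Handles a token request: validates it, resolves the service and authentication for the
     * grant, issues an access token (and, when enabled, a refresh token) and writes the
     * response through the configured {@link AccessTokenResponseGenerator}.
     *
     * <p>Error responses are plain text: {@code invalid_request} when request verification
     * fails, {@code invalid_grant} when the ticket is missing, expired or of the wrong type
     * for the grant, or when the password-grant checks throw.
     *
     * <p>NOTE(review): in the authorization_code / refresh_token branch nothing in this method
     * compares the ticket's service or authentication with the client authenticated on this
     * request, and {@code ensurePrincipalAccessIsAllowedForService} is only called in the
     * password branch. Confirm that client binding and access-strategy enforcement happen
     * elsewhere (ticket layer, authenticator or response generator).
     *
     * @param httpServletRequest  the token request
     * @param httpServletResponse the response being written
     * @return the result of {@code OAuthUtils.writeTextError} on failure, {@code null} after a
     *         successful response has been generated
     * @throws Exception propagated from token generation or response writing
     */
    @RequestMapping(path = {"/oauth2.0/accessToken"}, method = {RequestMethod.POST})
    protected ModelAndView handleRequestInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        httpServletResponse.setContentType("text/plain");
        if (!verifyAccessTokenRequest(httpServletRequest, httpServletResponse)) {
            this.logger.error("Access token request verification fails");
            return OAuthUtils.writeTextError(httpServletResponse, "invalid_request");
        }

        final String grantType = httpServletRequest.getParameter("grant_type");
        final J2EContext context = new J2EContext(httpServletRequest, httpServletResponse);
        final ProfileManager profileManager = new ProfileManager(context);
        final boolean authorizationCodeGrant = isGrantType(grantType, OAuthGrantType.AUTHORIZATION_CODE);

        OAuthRegisteredService registeredOAuthService;
        boolean issueRefreshToken;
        Service service;
        Authentication authentication;

        if (authorizationCodeGrant || isGrantType(grantType, OAuthGrantType.REFRESH_TOKEN)) {
            // The profile is present here: verifyAccessTokenRequest() already required it.
            registeredOAuthService = OAuthUtils.getRegisteredOAuthService(this.servicesManager, ((UserProfile) profileManager.get(true).get()).getId());
            // A refresh token is only minted on the code exchange, never on a refresh.
            issueRefreshToken = registeredOAuthService != null && registeredOAuthService.isGenerateRefreshToken().booleanValue() && authorizationCodeGrant;
            final OAuthToken token = getToken(httpServletRequest, authorizationCodeGrant ? "code" : "refresh_token");
            if (token == null) {
                this.logger.error("No token found for authorization_code or refresh_token grant types");
                return OAuthUtils.writeTextError(httpServletResponse, "invalid_grant");
            }
            // The registry lookup is typed only as OAuthToken, so the concrete ticket type has
            // to be tied to the grant here; otherwise any OAuthToken id would be honoured.
            if (!matchesGrantType(token, authorizationCodeGrant)) {
                this.logger.error("Ticket type does not match the requested grant type: {}", grantType);
                return OAuthUtils.writeTextError(httpServletResponse, "invalid_grant");
            }
            service = token.getService();
            authentication = token.getAuthentication();
        } else {
            registeredOAuthService = OAuthUtils.getRegisteredOAuthService(this.servicesManager, httpServletRequest.getParameter("client_id"));
            issueRefreshToken = registeredOAuthService != null && registeredOAuthService.isGenerateRefreshToken().booleanValue();
            try {
                final Optional<?> profile = profileManager.get(true);
                if (!profile.isPresent()) {
                    throw new UnauthorizedServiceException("Oauth user profile cannot be determined");
                }
                service = createService(registeredOAuthService);
                authentication = createAuthentication((UserProfile) profile.get(), registeredOAuthService, context);
                RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService(service, registeredOAuthService, authentication);
            } catch (Exception e) {
                // Any failure while building or authorizing the password grant is reported to
                // the client only as invalid_grant; the detail stays in the server log.
                this.logger.error(e.getMessage(), e);
                return OAuthUtils.writeTextError(httpServletResponse, "invalid_grant");
            }
        }

        AccessToken generateAccessToken = generateAccessToken(service, authentication, context);
        Ticket ticket = null;
        if (issueRefreshToken) {
            ticket = this.refreshTokenFactory.create(service, authentication);
            this.ticketRegistry.addTicket(ticket);
        }
        // NOTE(review): this passes the access and refresh token objects to the logger. If their
        // toString() exposes the ticket id, bearer credentials land in debug logs - confirm and
        // consider logging a non-secret reference instead.
        this.logger.debug("access token: {} / timeout: {} / refresh token: {}", new Object[]{generateAccessToken, Integer.valueOf(this.casProperties.getTicket().getTgt().getTimeToKillInSeconds()), ticket});
        this.accessTokenResponseGenerator.generate(httpServletRequest, httpServletResponse, registeredOAuthService, service, generateAccessToken, ticket, this.casProperties.getTicket().getTgt().getTimeToKillInSeconds());
        httpServletResponse.setStatus(200);
        return null;
    }

    /**
     * Tells whether a resolved ticket is of the kind the grant type calls for, using the same
     * type distinction {@link #getToken} applies: an authorization code is an {@link OAuthCode}
     * that is not a {@link RefreshToken}; a refresh grant requires a {@link RefreshToken}.
     *
     * @param token                  the ticket resolved from the registry, not {@code null}
     * @param authorizationCodeGrant {@code true} for authorization_code, {@code false} for refresh_token
     * @return {@code true} when the ticket type fits the grant
     */
    private static boolean matchesGrantType(OAuthToken token, boolean authorizationCodeGrant) {
        final boolean isRefreshToken = token instanceof RefreshToken;
        if (authorizationCodeGrant) {
            return (token instanceof OAuthCode) && !isRefreshToken;
        }
        return isRefreshToken;
    }

    /**
     * Looks up the ticket whose id is carried in the named request parameter.
     *
     * <p>A live authorization code (an {@link OAuthCode} that is not a {@link RefreshToken}) is
     * deleted from the registry before it is returned, so it can be redeemed once. An expired
     * ticket is deleted and reported as absent.
     *
     * @param httpServletRequest the token request
     * @param str                name of the request parameter holding the ticket id
     * @return the live ticket, or {@code null} when it is unknown or expired
     */
    private OAuthToken getToken(HttpServletRequest httpServletRequest, String str) {
        OAuthToken ticket = this.ticketRegistry.getTicket(httpServletRequest.getParameter(str), OAuthToken.class);
        if (ticket == null || ticket.isExpired()) {
            // Also reached when the id is simply unknown (ticket == null), despite the wording.
            this.logger.error("Code or refresh token expired: {}", ticket);
            if (ticket != null) {
                this.ticketRegistry.deleteTicket(ticket.getId());
            }
            return null;
        }
        if ((ticket instanceof OAuthCode) && !(ticket instanceof RefreshToken)) {
            this.ticketRegistry.deleteTicket(ticket.getId());
        }
        return ticket;
    }

    /**
     * Checks that the request names a supported grant type, carries an authenticated profile
     * of the kind that grant expects, and includes the grant's required parameters.
     *
     * <ul>
     *   <li>authorization_code: client profile, {@code redirect_uri} and {@code code} present,
     *       and {@code redirect_uri} accepted by {@code checkCallbackValid} for the client's
     *       registered service.</li>
     *   <li>refresh_token: client profile and {@code refresh_token} present.</li>
     *   <li>password: user profile, {@code client_id} present and its registered service
     *       accepted by {@code checkServiceValid}.</li>
     * </ul>
     *
     * <p>NOTE(review): {@code redirect_uri} is checked against the registered service only; this
     * method does not compare it with the value used when the code was issued - confirm whether
     * that comparison is made elsewhere.
     *
     * @param httpServletRequest  the token request
     * @param httpServletResponse the response, needed to build the pac4j context
     * @return {@code true} when the request passes all checks for its grant type
     */
    private boolean verifyAccessTokenRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final String grantType = httpServletRequest.getParameter("grant_type");
        if (!checkGrantTypes(grantType, OAuthGrantType.AUTHORIZATION_CODE, OAuthGrantType.PASSWORD, OAuthGrantType.REFRESH_TOKEN)) {
            return false;
        }
        final Optional<?> profile = new ProfileManager(new J2EContext(httpServletRequest, httpServletResponse)).get(true);
        if (profile == null || !profile.isPresent()) {
            return false;
        }
        final UserProfile userProfile = (UserProfile) profile.get();
        if (isGrantType(grantType, OAuthGrantType.AUTHORIZATION_CODE)) {
            return (userProfile instanceof OAuthClientProfile)
                    && this.validator.checkParameterExist(httpServletRequest, "redirect_uri")
                    && this.validator.checkParameterExist(httpServletRequest, "code")
                    && this.validator.checkCallbackValid(OAuthUtils.getRegisteredOAuthService(this.servicesManager, userProfile.getId()), httpServletRequest.getParameter("redirect_uri"));
        }
        if (isGrantType(grantType, OAuthGrantType.REFRESH_TOKEN)) {
            return (userProfile instanceof OAuthClientProfile)
                    && this.validator.checkParameterExist(httpServletRequest, "refresh_token");
        }
        // Remaining supported grant: password.
        return (userProfile instanceof OAuthUserProfile)
                && this.validator.checkParameterExist(httpServletRequest, "client_id")
                && this.validator.checkServiceValid(OAuthUtils.getRegisteredOAuthService(this.servicesManager, httpServletRequest.getParameter("client_id")));
    }

    /**
     * Tells whether the submitted grant type is one of the expected ones, logging the outcome.
     *
     * @param str               the {@code grant_type} request parameter, may be {@code null}
     * @param oAuthGrantTypeArr the grant types accepted by the caller
     * @return {@code true} when {@code str} matches one of the expected grant types
     */
    private boolean checkGrantTypes(String str, OAuthGrantType... oAuthGrantTypeArr) {
        // str is request-supplied and is logged as received.
        this.logger.debug("Grant type: {}", str);
        for (OAuthGrantType oAuthGrantType : oAuthGrantTypeArr) {
            if (isGrantType(str, oAuthGrantType)) {
                return true;
            }
        }
        this.logger.error("Unsupported grant type: {}", str);
        return false;
    }

    /**
     * Compares a submitted grant type with the lower-cased enum constant name.
     *
     * <p>The name is lower-cased with {@link Locale#ROOT}: with the default-locale overload the
     * result depends on the JVM locale (under a Turkish locale {@code I} becomes a dotless
     * {@code i}), which would make grant types containing that letter never match.
     *
     * @param str            the submitted grant type, may be {@code null}
     * @param oAuthGrantType the grant type to compare with, may be {@code null}
     * @return {@code true} on an exact, case-sensitive match with the lower-cased constant name
     */
    private static boolean isGrantType(String str, OAuthGrantType oAuthGrantType) {
        return oAuthGrantType != null && oAuthGrantType.name().toLowerCase(Locale.ROOT).equals(str);
    }

    /**
     * Sets the generator that writes the token response.
     *
     * @param accessTokenResponseGenerator the generator to use
     */
    public void setAccessTokenResponseGenerator(AccessTokenResponseGenerator accessTokenResponseGenerator) {
        this.accessTokenResponseGenerator = accessTokenResponseGenerator;
    }

    /**
     * Returns the refresh token factory. The call is routed through {@link TraceLogAspect},
     * which runs the original getter body via {@link AjcClosure1}.
     *
     * @return the configured refresh token factory
     */
    public RefreshTokenFactory getRefreshTokenFactory() {
        return (RefreshTokenFactory) TraceLogAspect.aspectOf().traceMethod(new AjcClosure1(new Object[]{this, Factory.makeJP(ajc$tjp_0, this, this)}).linkClosureAndJoinPoint(69648));
    }

    /**
     * Sets the factory used to create refresh tokens.
     *
     * @param refreshTokenFactory the factory to use
     */
    public void setRefreshTokenFactory(RefreshTokenFactory refreshTokenFactory) {
        this.refreshTokenFactory = refreshTokenFactory;
    }

    static {
        ajc$preClinit();
    }

    // Original body of getRefreshTokenFactory(), moved here by the weaver.
    static final RefreshTokenFactory getRefreshTokenFactory_aroundBody0(OAuth20AccessTokenController oAuth20AccessTokenController, JoinPoint joinPoint) {
        return oAuth20AccessTokenController.refreshTokenFactory;
    }

    // Weaver-generated: builds the static join point describing getRefreshTokenFactory().
    private static void ajc$preClinit() {
        Factory factory = new Factory("OAuth20AccessTokenController.java", OAuth20AccessTokenController.class);
        ajc$tjp_0 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "getRefreshTokenFactory", "org.apereo.cas.support.oauth.web.OAuth20AccessTokenController", "", "", "", "org.apereo.cas.support.oauth.ticket.refreshtoken.RefreshTokenFactory"), 256);
    }
}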
