package org.apereo.cas.support.oauth.web.endpoints;

import com.google.common.base.Throwables;
import java.util.Arrays;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.profile.OAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.profile.OAuthClientProfile;
import org.apereo.cas.support.oauth.profile.OAuthUserProfile;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuthUtils;
import org.apereo.cas.support.oauth.validator.OAuth20Validator;
import org.apereo.cas.support.oauth.web.AccessTokenResponseGenerator;
import org.apereo.cas.support.oauth.web.BaseOAuthWrapperController;
import org.apereo.cas.ticket.OAuthToken;
import org.apereo.cas.ticket.Ticket;
import org.apereo.cas.ticket.accesstoken.AccessToken;
import org.apereo.cas.ticket.accesstoken.AccessTokenFactory;
import org.apereo.cas.ticket.code.OAuthCode;
import org.apereo.cas.ticket.refreshtoken.RefreshToken;
import org.apereo.cas.ticket.refreshtoken.RefreshTokenFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.web.support.WebUtils;
import org.pac4j.core.context.J2EContext;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.core.profile.UserProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.servlet.ModelAndView;

/* loaded from: input_file:org/apereo/cas/support/oauth/web/endpoints/OAuth20AccessTokenEndpointController.class */
public class OAuth20AccessTokenEndpointController extends BaseOAuthWrapperController {
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20AccessTokenEndpointController.class);

    @Autowired
    private CasConfigurationProperties casProperties;
    private RefreshTokenFactory refreshTokenFactory;
    private AccessTokenResponseGenerator accessTokenResponseGenerator;

    public OAuth20AccessTokenEndpointController(ServicesManager servicesManager, TicketRegistry ticketRegistry, OAuth20Validator oAuth20Validator, AccessTokenFactory accessTokenFactory, PrincipalFactory principalFactory, ServiceFactory<WebApplicationService> serviceFactory, RefreshTokenFactory refreshTokenFactory, AccessTokenResponseGenerator accessTokenResponseGenerator, OAuth20ProfileScopeToAttributesFilter oAuth20ProfileScopeToAttributesFilter, CasConfigurationProperties casConfigurationProperties) {
        super(servicesManager, ticketRegistry, oAuth20Validator, accessTokenFactory, principalFactory, serviceFactory, oAuth20ProfileScopeToAttributesFilter, casConfigurationProperties);
        this.refreshTokenFactory = refreshTokenFactory;
        this.accessTokenResponseGenerator = accessTokenResponseGenerator;
    }

    @PostMapping(path = {"/oauth2.0/accessToken"})
    public ModelAndView handleRequestInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        OAuthRegisteredService registeredOAuthService;
        boolean z;
        Service service;
        Authentication authentication;
        try {
            httpServletResponse.setContentType("text/plain");
            if (!verifyAccessTokenRequest(httpServletRequest, httpServletResponse)) {
                LOGGER.error("Access token request verification fails");
                return OAuthUtils.writeTextError(httpServletResponse, "invalid_request");
            }
            String parameter = httpServletRequest.getParameter("grant_type");
            J2EContext pac4jJ2EContext = WebUtils.getPac4jJ2EContext(httpServletRequest, httpServletResponse);
            ProfileManager pac4jProfileManager = WebUtils.getPac4jProfileManager(httpServletRequest, httpServletResponse);
            if (isGrantType(parameter, OAuth20GrantTypes.AUTHORIZATION_CODE) || isGrantType(parameter, OAuth20GrantTypes.REFRESH_TOKEN)) {
                registeredOAuthService = OAuthUtils.getRegisteredOAuthService(getServicesManager(), ((UserProfile) pac4jProfileManager.get(true).get()).getId());
                z = registeredOAuthService != null && registeredOAuthService.isGenerateRefreshToken().booleanValue() && isGrantType(parameter, OAuth20GrantTypes.AUTHORIZATION_CODE);
                OAuthToken token = getToken(httpServletRequest, isGrantType(parameter, OAuth20GrantTypes.AUTHORIZATION_CODE) ? "code" : "refresh_token");
                if (token == null) {
                    LOGGER.error("No token found for authorization_code or refresh_token grant types");
                    return OAuthUtils.writeTextError(httpServletResponse, "invalid_grant");
                }
                service = token.getService();
                authentication = token.getAuthentication();
            } else {
                registeredOAuthService = OAuthUtils.getRegisteredOAuthService(getServicesManager(), httpServletRequest.getParameter("client_id"));
                z = registeredOAuthService != null && registeredOAuthService.isGenerateRefreshToken().booleanValue();
                try {
                    Optional optional = pac4jProfileManager.get(true);
                    if (!optional.isPresent()) {
                        throw new UnauthorizedServiceException("OAuth user profile cannot be determined");
                    }
                    service = createService(registeredOAuthService, pac4jJ2EContext);
                    authentication = createAuthentication((UserProfile) optional.get(), registeredOAuthService, pac4jJ2EContext, service);
                    RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService(service, registeredOAuthService, authentication);
                } catch (Exception e) {
                    LOGGER.error(e.getMessage(), e);
                    return OAuthUtils.writeTextError(httpServletResponse, "invalid_grant");
                }
            }
            AccessToken generateAccessToken = generateAccessToken(service, authentication, pac4jJ2EContext);
            Ticket ticket = null;
            if (z) {
                ticket = this.refreshTokenFactory.create(service, authentication);
                getTicketRegistry().addTicket(ticket);
            }
            LOGGER.debug("access token: [{}] / timeout: [{}] / refresh token: [{}]", new Object[]{generateAccessToken, Integer.valueOf(this.casProperties.getTicket().getTgt().getTimeToKillInSeconds()), ticket});
            String requestParameter = pac4jJ2EContext.getRequestParameter("response_type");
            this.accessTokenResponseGenerator.generate(httpServletRequest, httpServletResponse, registeredOAuthService, service, generateAccessToken, ticket, this.casProperties.getTicket().getTgt().getTimeToKillInSeconds(), (OAuth20ResponseTypes) Arrays.stream(OAuth20ResponseTypes.values()).filter(oAuth20ResponseTypes -> {
                return oAuth20ResponseTypes.getType().equalsIgnoreCase(requestParameter);
            }).findFirst().orElse(OAuth20ResponseTypes.CODE));
            httpServletResponse.setStatus(200);
            return null;
        } catch (Exception e2) {
            LOGGER.error(e2.getMessage(), e2);
            throw Throwables.propagate(e2);
        }
    }

    private OAuthToken getToken(HttpServletRequest httpServletRequest, String str) {
        OAuthToken ticket = getTicketRegistry().getTicket(httpServletRequest.getParameter(str), OAuthToken.class);
        if (ticket != null && !ticket.isExpired()) {
            if ((ticket instanceof OAuthCode) && !(ticket instanceof RefreshToken)) {
                getTicketRegistry().deleteTicket(ticket.getId());
            }
            return ticket;
        }
        LOGGER.error("Code or refresh token expired: [{}]", ticket);
        if (ticket == null) {
            return null;
        }
        getTicketRegistry().deleteTicket(ticket.getId());
        return null;
    }

    private boolean verifyAccessTokenRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String parameter = httpServletRequest.getParameter("grant_type");
        if (!checkGrantTypes(parameter, OAuth20GrantTypes.AUTHORIZATION_CODE, OAuth20GrantTypes.PASSWORD, OAuth20GrantTypes.REFRESH_TOKEN)) {
            return false;
        }
        WebUtils.getPac4jJ2EContext(httpServletRequest, httpServletResponse);
        Optional optional = WebUtils.getPac4jProfileManager(httpServletRequest, httpServletResponse).get(true);
        if (optional == null || !optional.isPresent()) {
            return false;
        }
        UserProfile userProfile = (UserProfile) optional.get();
        if (isGrantType(parameter, OAuth20GrantTypes.AUTHORIZATION_CODE)) {
            return (userProfile instanceof OAuthClientProfile) && getValidator().checkParameterExist(httpServletRequest, "redirect_uri") && getValidator().checkParameterExist(httpServletRequest, "code") && getValidator().checkCallbackValid(OAuthUtils.getRegisteredOAuthService(getServicesManager(), userProfile.getId()), httpServletRequest.getParameter("redirect_uri"));
        }
        if (isGrantType(parameter, OAuth20GrantTypes.REFRESH_TOKEN)) {
            return (userProfile instanceof OAuthClientProfile) && getValidator().checkParameterExist(httpServletRequest, "refresh_token");
        }
        return (userProfile instanceof OAuthUserProfile) && getValidator().checkParameterExist(httpServletRequest, "client_id") && getValidator().checkServiceValid(OAuthUtils.getRegisteredOAuthService(getServicesManager(), httpServletRequest.getParameter("client_id")));
    }

    private boolean checkGrantTypes(String str, OAuth20GrantTypes... oAuth20GrantTypesArr) {
        LOGGER.debug("Grant type: [{}]", str);
        for (OAuth20GrantTypes oAuth20GrantTypes : oAuth20GrantTypesArr) {
            if (isGrantType(str, oAuth20GrantTypes)) {
                return true;
            }
        }
        LOGGER.error("Unsupported grant type: [{}]", str);
        return false;
    }

    private static boolean isGrantType(String str, OAuth20GrantTypes oAuth20GrantTypes) {
        return oAuth20GrantTypes.name().equalsIgnoreCase(str);
    }
}
