package org.apereo.cas.support.oauth.web.endpoints;

import com.google.common.base.Throwables;
import java.util.Arrays;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.authenticator.OAuth20CasAuthenticationBuilder;
import org.apereo.cas.support.oauth.profile.OAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.profile.OAuthClientProfile;
import org.apereo.cas.support.oauth.profile.OAuthUserProfile;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.validator.OAuth20Validator;
import org.apereo.cas.support.oauth.web.response.accesstoken.AccessTokenResponseGenerator;
import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20TokenGenerator;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenAuthorizationCodeGrantRequestExtractor;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenPasswordGrantRequestExtractor;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRefreshTokenGrantRequestExtractor;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRequestDataHolder;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.BaseAccessTokenGrantRequestExtractor;
import org.apereo.cas.ticket.ExpirationPolicy;
import org.apereo.cas.ticket.accesstoken.AccessToken;
import org.apereo.cas.ticket.accesstoken.AccessTokenFactory;
import org.apereo.cas.ticket.refreshtoken.RefreshToken;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.web.support.CookieRetrievingCookieGenerator;
import org.apereo.cas.web.support.WebUtils;
import org.pac4j.core.context.J2EContext;
import org.pac4j.core.profile.UserProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;

/* loaded from: input_file:org/apereo/cas/support/oauth/web/endpoints/OAuth20AccessTokenEndpointController.class */
public class OAuth20AccessTokenEndpointController extends BaseOAuth20Controller {
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20AccessTokenEndpointController.class);

    @Autowired
    private CasConfigurationProperties casProperties;
    private final OAuth20TokenGenerator accessTokenGenerator;
    private final AccessTokenResponseGenerator accessTokenResponseGenerator;
    private final OAuth20CasAuthenticationBuilder authenticationBuilder;
    private final CentralAuthenticationService centralAuthenticationService;
    private final ExpirationPolicy accessTokenExpirationPolicy;

    public OAuth20AccessTokenEndpointController(ServicesManager servicesManager, TicketRegistry ticketRegistry, OAuth20Validator oAuth20Validator, AccessTokenFactory accessTokenFactory, PrincipalFactory principalFactory, ServiceFactory<WebApplicationService> serviceFactory, OAuth20TokenGenerator oAuth20TokenGenerator, AccessTokenResponseGenerator accessTokenResponseGenerator, OAuth20ProfileScopeToAttributesFilter oAuth20ProfileScopeToAttributesFilter, CasConfigurationProperties casConfigurationProperties, CookieRetrievingCookieGenerator cookieRetrievingCookieGenerator, OAuth20CasAuthenticationBuilder oAuth20CasAuthenticationBuilder, CentralAuthenticationService centralAuthenticationService, ExpirationPolicy expirationPolicy) {
        super(servicesManager, ticketRegistry, oAuth20Validator, accessTokenFactory, principalFactory, serviceFactory, oAuth20ProfileScopeToAttributesFilter, casConfigurationProperties, cookieRetrievingCookieGenerator);
        this.accessTokenGenerator = oAuth20TokenGenerator;
        this.accessTokenResponseGenerator = accessTokenResponseGenerator;
        this.authenticationBuilder = oAuth20CasAuthenticationBuilder;
        this.centralAuthenticationService = centralAuthenticationService;
        this.accessTokenExpirationPolicy = expirationPolicy;
    }

    @PostMapping(path = {"/oauth2.0/accessToken"})
    public void handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        try {
            httpServletResponse.setContentType("text/plain");
            if (!verifyAccessTokenRequest(httpServletRequest, httpServletResponse)) {
                LOGGER.error("Access token request verification failed");
                OAuth20Utils.writeTextError(httpServletResponse, "invalid_request");
                return;
            }
            try {
                AccessTokenRequestDataHolder examineAndExtractAccessTokenGrantRequest = examineAndExtractAccessTokenGrantRequest(httpServletRequest, httpServletResponse);
                LOGGER.debug("Creating access token for [{}]", examineAndExtractAccessTokenGrantRequest);
                J2EContext pac4jJ2EContext = WebUtils.getPac4jJ2EContext(httpServletRequest, httpServletResponse);
                Pair<AccessToken, RefreshToken> generate = this.accessTokenGenerator.generate(examineAndExtractAccessTokenGrantRequest);
                LOGGER.debug("Access token generated is: [{}]. Refresh token generated is [{}]", generate.getKey(), generate.getValue());
                generateAccessTokenResponse(httpServletRequest, httpServletResponse, examineAndExtractAccessTokenGrantRequest, pac4jJ2EContext, (AccessToken) generate.getKey(), (RefreshToken) generate.getValue());
                httpServletResponse.setStatus(200);
            } catch (Exception e) {
                LOGGER.error("Could not identify and extract access token request", e);
                OAuth20Utils.writeTextError(httpServletResponse, "invalid_grant");
            }
        } catch (Exception e2) {
            LOGGER.error(e2.getMessage(), e2);
            throw Throwables.propagate(e2);
        }
    }

    private void generateAccessTokenResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessTokenRequestDataHolder accessTokenRequestDataHolder, J2EContext j2EContext, AccessToken accessToken, RefreshToken refreshToken) {
        LOGGER.debug("Generating access token response for [{}]", accessToken);
        OAuth20ResponseTypes responseType = OAuth20Utils.getResponseType(j2EContext);
        LOGGER.debug("Located response type as [{}]", responseType);
        this.accessTokenResponseGenerator.generate(httpServletRequest, httpServletResponse, accessTokenRequestDataHolder.getRegisteredService(), accessTokenRequestDataHolder.getService(), accessToken, refreshToken, this.accessTokenExpirationPolicy.getTimeToLive().longValue(), responseType);
    }

    private AccessTokenRequestDataHolder examineAndExtractAccessTokenGrantRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return ((BaseAccessTokenGrantRequestExtractor) Arrays.asList(new AccessTokenAuthorizationCodeGrantRequestExtractor(this.servicesManager, this.ticketRegistry, httpServletRequest, httpServletResponse, this.centralAuthenticationService, this.casProperties.getAuthn().getOauth()), new AccessTokenRefreshTokenGrantRequestExtractor(this.servicesManager, this.ticketRegistry, httpServletRequest, httpServletResponse, this.centralAuthenticationService, this.casProperties.getAuthn().getOauth()), new AccessTokenPasswordGrantRequestExtractor(this.servicesManager, this.ticketRegistry, httpServletRequest, httpServletResponse, this.authenticationBuilder, this.centralAuthenticationService, this.casProperties.getAuthn().getOauth())).stream().filter(baseAccessTokenGrantRequestExtractor -> {
            return baseAccessTokenGrantRequestExtractor.supports(httpServletRequest);
        }).findFirst().orElseThrow(() -> {
            return new UnsupportedOperationException("Request is not supported");
        })).extract();
    }

    private boolean verifyAccessTokenRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String parameter = httpServletRequest.getParameter("grant_type");
        if (!isGrantTypeSupported(parameter, OAuth20GrantTypes.AUTHORIZATION_CODE, OAuth20GrantTypes.PASSWORD, OAuth20GrantTypes.REFRESH_TOKEN)) {
            LOGGER.warn("Grant type is not supported: [{}]", parameter);
            return false;
        }
        Optional optional = WebUtils.getPac4jProfileManager(httpServletRequest, httpServletResponse).get(true);
        if (optional == null || !optional.isPresent()) {
            LOGGER.warn("Could not locate authenticated profile for this request");
            return false;
        }
        UserProfile userProfile = (UserProfile) optional.get();
        if (OAuth20Utils.isGrantType(parameter, OAuth20GrantTypes.AUTHORIZATION_CODE)) {
            String id = userProfile.getId();
            String parameter2 = httpServletRequest.getParameter("redirect_uri");
            RegisteredService registeredOAuthService = OAuth20Utils.getRegisteredOAuthService(this.servicesManager, id);
            LOGGER.debug("Received grant type [{}] with client id [{}] and redirect URI [{}]", new Object[]{parameter, id, parameter2});
            return (userProfile instanceof OAuthClientProfile) && this.validator.checkParameterExist(httpServletRequest, "redirect_uri") && this.validator.checkParameterExist(httpServletRequest, "code") && this.validator.checkCallbackValid(registeredOAuthService, parameter2);
        }
        if (OAuth20Utils.isGrantType(parameter, OAuth20GrantTypes.REFRESH_TOKEN)) {
            return (userProfile instanceof OAuthClientProfile) && this.validator.checkParameterExist(httpServletRequest, "refresh_token");
        }
        if (!OAuth20Utils.isGrantType(parameter, OAuth20GrantTypes.PASSWORD)) {
            return false;
        }
        String parameter3 = httpServletRequest.getParameter("client_id");
        LOGGER.debug("Received grant type [{}] with client id [{}]", parameter, parameter3);
        return (userProfile instanceof OAuthUserProfile) && this.validator.checkParameterExist(httpServletRequest, "client_id") && this.validator.checkServiceValid(OAuth20Utils.getRegisteredOAuthService(this.servicesManager, parameter3));
    }

    private static boolean isGrantTypeSupported(String str, OAuth20GrantTypes... oAuth20GrantTypesArr) {
        LOGGER.debug("Grant type: [{}]", str);
        for (OAuth20GrantTypes oAuth20GrantTypes : oAuth20GrantTypesArr) {
            if (OAuth20Utils.isGrantType(str, oAuth20GrantTypes)) {
                return true;
            }
        }
        LOGGER.error("Unsupported grant type: [{}]", str);
        return false;
    }
}
