package org.apereo.cas.support.oauth.web.endpoints;

import java.util.Locale;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.profile.OAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.response.introspection.OAuth20IntrospectionAccessTokenResponse;
import org.apereo.cas.ticket.accesstoken.AccessToken;
import org.apereo.cas.ticket.accesstoken.AccessTokenFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.HttpRequestUtils;
import org.apereo.cas.util.Pac4jUtils;
import org.apereo.cas.web.support.CookieRetrievingCookieGenerator;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.credentials.extractor.BasicAuthExtractor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;

/* loaded from: input_file:org/apereo/cas/support/oauth/web/endpoints/OAuth20IntrospectionEndpointController.class */
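/**
 * OAuth 2.0 token introspection endpoint (RFC 7662).
 *
 * <p>The caller authenticates as a registered OAuth client with HTTP Basic credentials
 * ({@code client_id} as the user name, {@code client_secret} as the password). A request is
 * honoured only when the client id maps to a registered service, the presented secret matches
 * that service, the service's access strategy permits access, and a token is supplied under the
 * {@code access_token} or {@code token} parameter. Any failure produces an {@code active=false}
 * body with HTTP 401; a token that resolves to an access token produces the populated
 * introspection body with HTTP 200.
 */
public class OAuth20IntrospectionEndpointController extends BaseOAuth20Controller {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20IntrospectionEndpointController.class);

    /** Request parameters under which the token to introspect may be supplied. */
    private static final String PARAM_ACCESS_TOKEN = "access_token";
    private static final String PARAM_TOKEN = "token";

    /** Authentication attributes consulted when building the active response. */
    private static final String ATTR_AUTHENTICATION_METHOD = "authenticationMethod";
    private static final String ATTR_GRANT_TYPE = "grant_type";

    private final CentralAuthenticationService centralAuthenticationService;
    private final AuditableExecution registeredServiceAccessStrategyEnforcer;

    /**
     * Creates the controller.
     *
     * @param servicesManager                       registered-service lookup
     * @param ticketRegistry                        ticket registry
     * @param accessTokenFactory                    access token factory
     * @param principalFactory                      principal factory
     * @param serviceFactory                        web application service factory
     * @param oAuth20ProfileScopeToAttributesFilter scope-to-attributes filter
     * @param casConfigurationProperties            CAS configuration
     * @param cookieRetrievingCookieGenerator       cookie generator
     * @param centralAuthenticationService          used to resolve the presented token to a ticket
     * @param auditableExecution                    enforces the registered service's access strategy
     */
    public OAuth20IntrospectionEndpointController(ServicesManager servicesManager, TicketRegistry ticketRegistry, AccessTokenFactory accessTokenFactory, PrincipalFactory principalFactory, ServiceFactory<WebApplicationService> serviceFactory, OAuth20ProfileScopeToAttributesFilter oAuth20ProfileScopeToAttributesFilter, CasConfigurationProperties casConfigurationProperties, CookieRetrievingCookieGenerator cookieRetrievingCookieGenerator, CentralAuthenticationService centralAuthenticationService, AuditableExecution auditableExecution) {
        super(servicesManager, ticketRegistry, accessTokenFactory, principalFactory, serviceFactory, oAuth20ProfileScopeToAttributesFilter, casConfigurationProperties, cookieRetrievingCookieGenerator);
        this.centralAuthenticationService = centralAuthenticationService;
        this.registeredServiceAccessStrategyEnforcer = auditableExecution;
    }

    /**
     * Handles introspection over GET by delegating to {@link #handlePostRequest}.
     *
     * <p>With GET the token travels in the query string and can therefore end up in access logs
     * and intermediaries; RFC 7662 specifies POST, which clients should prefer.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response
     * @return the introspection response entity
     */
    @GetMapping(consumes = {"application/x-www-form-urlencoded"}, produces = {"application/json"}, value = {"//oauth2.0/introspect"})
    public ResponseEntity<OAuth20IntrospectionAccessTokenResponse> handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return handlePostRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Handles an introspection request.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response
     * @return HTTP 200 with an active response when the token resolves to an access token;
     *         otherwise HTTP 401 with {@code active=false}
     * @throws IllegalArgumentException if no Basic credentials could be extracted from the request
     */
    @PostMapping(consumes = {"application/x-www-form-urlencoded"}, produces = {"application/json"}, value = {"//oauth2.0/introspect"})
    public ResponseEntity<OAuth20IntrospectionAccessTokenResponse> handlePostRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        UsernamePasswordCredentials credentials = extractClientCredentials(httpServletRequest, httpServletResponse);
        if (credentials == null) {
            throw new IllegalArgumentException("No credentials are provided to verify introspection on the access token");
        }

        OAuthRegisteredService registeredService = OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, credentials.getUsername());
        if (registeredService == null) {
            // Unknown client id: fail closed before any secret or access-strategy check.
            LOGGER.debug("No registered OAuth service could be located for client id [{}]", credentials.getUsername());
            return buildInvalidResponseEntity();
        }
        if (!validateIntrospectionRequest(registeredService, credentials, httpServletRequest)) {
            return buildInvalidResponseEntity();
        }

        String tokenId = StringUtils.defaultIfBlank(httpServletRequest.getParameter(PARAM_ACCESS_TOKEN), httpServletRequest.getParameter(PARAM_TOKEN));
        // The token is a bearer credential: record only that one was supplied, never its value.
        LOGGER.debug("Located access token in the request");
        AccessToken accessToken = locateAccessToken(tokenId);
        if (accessToken == null) {
            return buildInvalidResponseEntity();
        }
        return new ResponseEntity<>(createIntrospectionValidResponse(registeredService, accessToken), HttpStatus.OK);
    }

    /**
     * Extracts HTTP Basic client credentials from the request.
     *
     * @return the credentials, or {@code null} when none are present or extraction failed
     */
    private static UsernamePasswordCredentials extractClientCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            return new BasicAuthExtractor().extract(Pac4jUtils.getPac4jJ2EContext(httpServletRequest, httpServletResponse));
        } catch (Exception e) {
            // A malformed Authorization header is treated as absent credentials; the caller rejects the request.
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Resolves the presented token id to an access token.
     *
     * @param tokenId the token id from the request
     * @return the access token, or {@code null} when the id does not resolve to an active access token
     */
    private AccessToken locateAccessToken(String tokenId) {
        try {
            return this.centralAuthenticationService.getTicket(tokenId, AccessToken.class);
        } catch (RuntimeException e) {
            // NOTE(review): the ticket lookup appears to signal an unknown or expired ticket by throwing rather
            // than returning null; treating that as an inactive token keeps a bad token from surfacing as a
            // server error. The exception message is not logged because it may carry the token id.
            LOGGER.warn("Unable to resolve the presented access token to an active ticket ([{}])", e.getClass().getSimpleName());
            return null;
        }
    }

    /** Builds the {@code active=false} body with HTTP 401. */
    private ResponseEntity<OAuth20IntrospectionAccessTokenResponse> buildInvalidResponseEntity() {
        return new ResponseEntity<>(createIntrospectionInvalidResponse(), HttpStatus.UNAUTHORIZED);
    }

    /**
     * Checks that a token parameter is present, that the client secret matches the registered
     * service, and that the service's access strategy permits access.
     *
     * @param oAuthRegisteredService      the registered service resolved from the client id (non-null)
     * @param usernamePasswordCredentials the client's Basic credentials
     * @param httpServletRequest          the request
     * @return {@code true} only when every check passes
     */
    private boolean validateIntrospectionRequest(OAuthRegisteredService oAuthRegisteredService, UsernamePasswordCredentials usernamePasswordCredentials, HttpServletRequest httpServletRequest) {
        boolean tokenPresent = HttpRequestUtils.doesParameterExist(httpServletRequest, PARAM_ACCESS_TOKEN)
            || HttpRequestUtils.doesParameterExist(httpServletRequest, PARAM_TOKEN);
        if (!tokenPresent) {
            LOGGER.debug("Neither [{}] nor [{}] is present in the introspection request", PARAM_ACCESS_TOKEN, PARAM_TOKEN);
            return false;
        }
        // Order matters: the secret is verified before the access strategy is enforced, so an
        // unauthenticated caller never drives the enforcer.
        if (!OAuth20Utils.checkClientSecret(oAuthRegisteredService, usernamePasswordCredentials.getPassword())) {
            LOGGER.debug("Client secret does not match the registered service for client id [{}]", oAuthRegisteredService.getClientId());
            return false;
        }
        AuditableContext context = AuditableContext.builder()
            .service(this.webApplicationServiceServiceFactory.createService(oAuthRegisteredService.getServiceId()))
            .registeredService(oAuthRegisteredService)
            .build();
        return !this.registeredServiceAccessStrategyEnforcer.execute(context).isExecutionFailure();
    }

    /**
     * Builds the {@code active=true} introspection body for a resolved access token.
     *
     * <p>{@code sub} and {@code uniqueSecurityName} carry the principal id, {@code iat} the
     * token's creation time in epoch seconds, {@code exp} the absolute expiry in epoch seconds
     * (creation time plus the expiration policy's time-to-live), {@code realmName} the
     * comma-joined {@code authenticationMethod} attribute, and {@code grantType} the lower-cased
     * {@code grant_type} attribute. {@code tokenType} is fixed to {@code bearer} and
     * {@code scope} to {@code CAS}.
     *
     * @param oAuthRegisteredService the registered service the caller authenticated as
     * @param accessToken            the resolved access token
     * @return the populated response
     */
    protected OAuth20IntrospectionAccessTokenResponse createIntrospectionValidResponse(OAuthRegisteredService oAuthRegisteredService, AccessToken accessToken) {
        OAuth20IntrospectionAccessTokenResponse response = new OAuth20IntrospectionAccessTokenResponse();
        response.setActive(true);
        response.setClientId(oAuthRegisteredService.getClientId());

        Authentication authentication = accessToken.getAuthentication();
        String principalId = authentication.getPrincipal().getId();
        response.setSub(principalId);
        response.setUniqueSecurityName(principalId);

        long issuedAt = accessToken.getCreationTime().toInstant().getEpochSecond();
        long timeToLive = accessToken.getExpirationPolicy().getTimeToLive().longValue();
        // RFC 7662 defines exp as an epoch-second timestamp, not a lifetime; getTimeToLive() is the
        // policy's lifetime in seconds, so anchor it to iat. Saturate rather than overflow for
        // policies that report a very large lifetime.
        long expiresAt = timeToLive > Long.MAX_VALUE - issuedAt ? Long.MAX_VALUE : issuedAt + timeToLive;
        response.setIat(issuedAt);
        response.setExp(expiresAt);

        String realm = CollectionUtils.toCollection(authentication.getAttributes().get(ATTR_AUTHENTICATION_METHOD))
            .stream()
            .map(Object::toString)
            .collect(Collectors.joining(","));
        response.setRealmName(realm);
        response.setTokenType("bearer");
        // Locale.ROOT keeps the lower-casing independent of the JVM's default locale.
        response.setGrantType(authentication.getAttributes().getOrDefault(ATTR_GRANT_TYPE, "").toString().toLowerCase(Locale.ROOT));
        response.setScope("CAS");
        response.setAud(oAuthRegisteredService.getServiceId());
        response.setIss(this.casProperties.getAuthn().getOidc().getIssuer());
        return response;
    }

    /**
     * Builds the {@code active=false} introspection body; no other field is populated, so the
     * caller learns nothing about why the token was rejected.
     *
     * @return the inactive response
     */
    protected OAuth20IntrospectionAccessTokenResponse createIntrospectionInvalidResponse() {
        OAuth20IntrospectionAccessTokenResponse response = new OAuth20IntrospectionAccessTokenResponse();
        response.setActive(false);
        return response;
    }
}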
