package org.mitre.oauth2.introspectingfilter;

import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.nimbusds.jose.util.Base64;
import java.io.IOException;
import java.net.URI;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import org.apache.http.client.HttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.hspconsortium.platform.authorization.launchcontext.LaunchContextIntrospectionInterceptor;
import org.mitre.oauth2.introspectingfilter.service.IntrospectionAuthorityGranter;
import org.mitre.oauth2.introspectingfilter.service.IntrospectionConfigurationService;
import org.mitre.oauth2.introspectingfilter.service.impl.SimpleIntrospectionAuthorityGranter;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.RegisteredClient;
import org.mitre.oauth2.model.RegisteredClientFields;
import org.mitre.oauth2.service.IntrospectionResultAssembler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpMethod;
import org.springframework.http.client.ClientHttpRequest;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:WEB-INF/lib/openid-connect-client-1.2.0.jar:org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.class */
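/**
 * Resource-server token service that validates an access token by POSTing it to an OAuth2
 * introspection endpoint and converting the JSON answer into Spring Security objects.
 *
 * <p>Successful results are kept in an in-memory cache keyed by the raw token string.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>A cached entry is returned without contacting the introspection endpoint again until
 *       its cache expiry passes. A token revoked at the authorization server is therefore
 *       still accepted here for that long. With {@code forceCacheExpireTime == false} that can
 *       be the token's whole remaining lifetime. Use {@link #setForceCacheExpireTime(boolean)}
 *       with a short {@link #setDefaultExpireTime(int)}, or {@link #setCacheTokens(boolean)}
 *       with {@code false}, when revocation must take effect quickly.</li>
 *   <li>An expired entry is evicted only when the same token is looked up again, so the cache
 *       is not bounded in size.</li>
 *   <li>NOTE(review): {@code authCache} is a plain {@link HashMap} and none of the fields are
 *       synchronized. If one instance serves concurrent requests (usual for a singleton
 *       bean, but not visible in this file) the map needs external synchronization or a
 *       concurrent implementation. Confirm against the wiring.</li>
 *   <li>NOTE(review): the introspection URL and client credentials are looked up from the
 *       presented token. Confirm that the configured
 *       {@link IntrospectionConfigurationService} only ever returns trusted endpoints, because
 *       both the token and the client secret are sent to that URL.</li>
 * </ul>
 */
public class IntrospectingTokenService implements ResourceServerTokenServices {
    private static final Logger logger = LoggerFactory.getLogger(IntrospectingTokenService.class);

    // Supplies the introspection URL and the client registration for a given token.
    private IntrospectionConfigurationService introspectionConfigurationService;
    // Maps an introspection response to the authorities of the resulting authentication.
    private IntrospectionAuthorityGranter introspectionAuthorityGranter = new SimpleIntrospectionAuthorityGranter();
    // Cache lifetime in milliseconds used when the token's own expiry is not used (5 minutes).
    private int defaultExpireTime = 300000;
    // When true, a cache entry never outlives defaultExpireTime even if the token lives longer.
    private boolean forceCacheExpireTime = false;
    // When true, tokens without an expiration are cached too (for defaultExpireTime).
    private boolean cacheNonExpiringTokens = false;
    // Master switch for the cache: gates both lookups and inserts.
    private boolean cacheTokens = true;
    // HTTP client built with useSystemProperties(); must be initialised before 'factory'.
    private HttpClient httpClient = HttpClientBuilder.create().useSystemProperties().build();
    private HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(this.httpClient);
    // Raw token string -> validated result. See the class comment for the caching caveats.
    private Map<String, TokenCacheObject> authCache = new HashMap<String, TokenCacheObject>();

    /**
     * One cached introspection result: the token, its authentication, and the instant after
     * which the entry must no longer be served from the cache.
     */
    public class TokenCacheObject {
        OAuth2AccessToken token;
        OAuth2Authentication auth;
        Date cacheExpire;

        /**
         * Builds the entry and derives {@code cacheExpire}.
         *
         * <p>The token's own expiration is used when it has one and either
         * {@code forceCacheExpireTime} is off or the token's remaining lifetime is already
         * within {@code defaultExpireTime}. Otherwise the entry expires
         * {@code defaultExpireTime} milliseconds from now.
         */
        private TokenCacheObject(OAuth2AccessToken oAuth2AccessToken, OAuth2Authentication oAuth2Authentication) {
            this.token = oAuth2AccessToken;
            this.auth = oAuth2Authentication;

            Date tokenExpiry = this.token.getExpiration();
            boolean useTokenExpiry = tokenExpiry != null
                    && (!IntrospectingTokenService.this.forceCacheExpireTime
                            || tokenExpiry.getTime() - System.currentTimeMillis() <= IntrospectingTokenService.this.defaultExpireTime);
            if (useTokenExpiry) {
                this.cacheExpire = tokenExpiry;
                return;
            }
            Calendar calendar = Calendar.getInstance();
            calendar.add(Calendar.MILLISECOND, IntrospectingTokenService.this.defaultExpireTime);
            this.cacheExpire = calendar.getTime();
        }
    }

    /** Returns the service that resolves the introspection URL and client registration. */
    public IntrospectionConfigurationService getIntrospectionConfigurationService() {
        return this.introspectionConfigurationService;
    }

    /** Sets the service that resolves the introspection URL and client registration. */
    public void setIntrospectionConfigurationService(IntrospectionConfigurationService introspectionConfigurationService) {
        this.introspectionConfigurationService = introspectionConfigurationService;
    }

    /** Sets the strategy that derives granted authorities from an introspection response. */
    public void setIntrospectionAuthorityGranter(IntrospectionAuthorityGranter introspectionAuthorityGranter) {
        this.introspectionAuthorityGranter = introspectionAuthorityGranter;
    }

    /** Returns the strategy that derives granted authorities from an introspection response. */
    public IntrospectionAuthorityGranter getIntrospectionAuthorityGranter() {
        return this.introspectionAuthorityGranter;
    }

    /** Returns the fallback cache lifetime in milliseconds. */
    public int getDefaultExpireTime() {
        return this.defaultExpireTime;
    }

    /**
     * Sets the fallback cache lifetime.
     *
     * @param i lifetime in milliseconds; this is also the longest time a revoked token can be
     *          served from the cache when {@code forceCacheExpireTime} is enabled
     */
    public void setDefaultExpireTime(int i) {
        this.defaultExpireTime = i;
    }

    /** Returns whether cache entries are capped at {@code defaultExpireTime}. */
    public boolean isForceCacheExpireTime() {
        return this.forceCacheExpireTime;
    }

    /**
     * Enables or disables capping of cache entries at {@code defaultExpireTime}.
     *
     * @param z {@code true} to cap the cache lifetime of long-lived tokens
     */
    public void setForceCacheExpireTime(boolean z) {
        this.forceCacheExpireTime = z;
    }

    /** Returns whether tokens without an expiration are cached. */
    public boolean isCacheNonExpiringTokens() {
        return this.cacheNonExpiringTokens;
    }

    /**
     * Enables or disables caching of tokens that carry no expiration.
     *
     * @param z {@code true} to cache such tokens for {@code defaultExpireTime}
     */
    public void setCacheNonExpiringTokens(boolean z) {
        this.cacheNonExpiringTokens = z;
    }

    /** Returns whether the token cache is in use. */
    public boolean isCacheTokens() {
        return this.cacheTokens;
    }

    /**
     * Switches the token cache on or off.
     *
     * @param z {@code false} to introspect every token on every call
     */
    public void setCacheTokens(boolean z) {
        this.cacheTokens = z;
    }

    /**
     * Looks the token up in the cache.
     *
     * @param str raw access token value
     * @return the live entry, or {@code null} when caching is off, the token is unknown, or the
     *         entry has expired (an expired or unusable entry is removed)
     */
    private TokenCacheObject checkCache(String str) {
        if (!this.cacheTokens || !this.authCache.containsKey(str)) {
            return null;
        }
        TokenCacheObject cached = this.authCache.get(str);
        if (cached != null && cached.cacheExpire != null && cached.cacheExpire.after(new Date())) {
            return cached;
        }
        this.authCache.remove(str);
        return null;
    }

    /** Returns true when {@code json} has a member {@code member} holding a JSON primitive. */
    private static boolean hasPrimitive(JsonObject json, String member) {
        JsonElement value = json.get(member);
        return value != null && value.isJsonPrimitive();
    }

    /**
     * Builds the stored {@link OAuth2Request} from the introspection response.
     *
     * @param jsonObject introspection response; must contain {@code client_id}
     * @return an approved request carrying the client id and the parsed {@code scope}, if any
     */
    private OAuth2Request createStoredRequest(JsonObject jsonObject) {
        String clientId = jsonObject.get("client_id").getAsString();
        HashSet<String> scopes = new HashSet<String>();
        if (jsonObject.has("scope")) {
            scopes.addAll(OAuth2Utils.parseParameterList(jsonObject.get("scope").getAsString()));
        }
        HashMap<String, String> parameters = new HashMap<String, String>();
        parameters.put("client_id", clientId);
        parameters.put("scope", OAuth2Utils.formatParameterList(scopes));
        return new OAuth2Request(parameters, clientId, null, true, scopes, null, null, null, null);
    }

    /**
     * Builds the user authentication: principal is the {@code sub} claim, credentials are the
     * whole response object, authorities come from the configured granter.
     *
     * @param jsonObject introspection response; must contain {@code sub}
     */
    private Authentication createAuthentication(JsonObject jsonObject) {
        return new PreAuthenticatedAuthenticationToken(jsonObject.get("sub").getAsString(), jsonObject, this.introspectionAuthorityGranter.getAuthorities(jsonObject));
    }

    /** Wraps the introspection response and the raw token value as an access token. */
    private OAuth2AccessToken createAccessToken(JsonObject jsonObject, String str) {
        return new OAuth2AccessTokenImpl(jsonObject, str);
    }

    /**
     * Introspects the token at the authorization server and, if it is active, builds and
     * optionally caches the result.
     *
     * <p>Every failure path returns {@code null} so that the caller rejects the token: transport
     * errors, a response that is not a JSON object, an {@code error} member, a missing or false
     * {@code active} member, missing {@code client_id}/{@code sub}, or an expiration that is
     * not in the future.
     *
     * @param str raw access token value
     * @return the validated entry, or {@code null} when the token must not be accepted
     */
    private TokenCacheObject parseToken(String str) {
        try {
            String introspectionUrl = this.introspectionConfigurationService.getIntrospectionUrl(str);
            RegisteredClient client = this.introspectionConfigurationService.getClientConfiguration(str);
            final String clientId = client.getClientId();
            final String clientSecret = client.getClientSecret();

            LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
            RestTemplate restTemplate;
            if (ClientDetailsEntity.AuthMethod.SECRET_BASIC.equals(client.getTokenEndpointAuthMethod())) {
                // HTTP Basic: credentials go into the Authorization header of every request.
                restTemplate = new RestTemplate(this.factory) {
                    @Override
                    protected ClientHttpRequest createRequest(URI uri, HttpMethod httpMethod) throws IOException {
                        ClientHttpRequest request = super.createRequest(uri, httpMethod);
                        request.getHeaders().add("Authorization", String.format("Basic %s", Base64.encode(String.format("%s:%s", clientId, clientSecret))));
                        return request;
                    }
                };
            } else {
                // Every other configured method (including none) sends id and secret in the form body.
                restTemplate = new RestTemplate(this.factory);
                form.add("client_id", clientId);
                form.add(RegisteredClientFields.CLIENT_SECRET, clientSecret);
            }
            form.add(LaunchContextIntrospectionInterceptor.ACCESS_TOKEN_PARAM_KEY, str);

            String response = null;
            try {
                response = restTemplate.postForObject(introspectionUrl, form, String.class);
            } catch (RestClientException e) {
                logger.error("validateToken", e);
            }
            if (response == null) {
                return null;
            }

            JsonElement parsed;
            try {
                parsed = new JsonParser().parse(response);
            } catch (RuntimeException e) {
                // Gson reports malformed JSON with an unchecked exception; reject the token
                // instead of letting it escape to the caller.
                logger.error("Introspection response is not valid JSON", e);
                return null;
            }
            if (!parsed.isJsonObject()) {
                return null;
            }
            JsonObject body = parsed.getAsJsonObject();
            if (body.get("error") != null) {
                logger.error("Got an error back: {}, {}", body.get("error"), body.get(OAuth2Exception.DESCRIPTION));
                return null;
            }

            // A response without a usable "active" member is treated as inactive (fail closed)
            // rather than dereferencing a missing element.
            JsonElement active = body.get(IntrospectionResultAssembler.ACTIVE);
            if (active == null || !active.isJsonPrimitive() || !active.getAsBoolean()) {
                logger.info("Server returned non-active token");
                return null;
            }
            // Both members are dereferenced unconditionally when the authentication is built.
            if (!hasPrimitive(body, "client_id") || !hasPrimitive(body, "sub")) {
                logger.error("Introspection response is missing client_id or sub");
                return null;
            }

            OAuth2Authentication authentication = new OAuth2Authentication(createStoredRequest(body), createAuthentication(body));
            OAuth2AccessToken accessToken = createAccessToken(body, str);
            Date expiration = accessToken.getExpiration();
            if (expiration != null && !expiration.after(new Date())) {
                // Reported active but already expired by the local clock: do not accept.
                return null;
            }

            TokenCacheObject entry = new TokenCacheObject(accessToken, authentication);
            if (this.cacheTokens && (this.cacheNonExpiringTokens || expiration != null)) {
                this.authCache.put(str, entry);
            }
            return entry;
        } catch (IllegalArgumentException e) {
            logger.error("Unable to load introspection URL or client configuration", e);
            return null;
        }
    }

    /** Returns the cached entry for the token, or introspects it; {@code null} if rejected. */
    private TokenCacheObject resolve(String str) {
        TokenCacheObject cached = checkCache(str);
        return cached != null ? cached : parseToken(str);
    }

    /**
     * Resolves the authentication for an access token.
     *
     * @param str raw access token value
     * @return the authentication, or {@code null} when the token is not accepted
     */
    @Override
    public OAuth2Authentication loadAuthentication(String str) throws AuthenticationException {
        TokenCacheObject entry = resolve(str);
        return entry != null ? entry.auth : null;
    }

    /**
     * Resolves the access-token object for a raw token value.
     *
     * @param str raw access token value
     * @return the token, or {@code null} when the token is not accepted
     */
    @Override
    public OAuth2AccessToken readAccessToken(String str) {
        TokenCacheObject entry = resolve(str);
        return entry != null ? entry.token : null;
    }
}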
