package org.mitre.openid.connect.web;

import com.google.common.base.Strings;
import com.google.gson.JsonSyntaxException;
import java.io.UnsupportedEncodingException;
import java.text.ParseException;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.model.RegisteredClient;
import org.mitre.oauth2.model.SystemScope;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.mitre.oauth2.service.SystemScopeService;
import org.mitre.openid.connect.ClientDetailsEntityJsonProcessor;
import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.mitre.openid.connect.exception.ValidationException;
import org.mitre.openid.connect.service.BlacklistedSiteService;
import org.mitre.openid.connect.service.OIDCTokenService;
import org.mitre.openid.connect.view.ClientInformationResponseView;
import org.mitre.openid.connect.view.HttpCodeView;
import org.mitre.openid.connect.view.JsonErrorView;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.util.UriUtils;

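/**
 * Dynamic registration endpoint for protected resources (resource servers).
 *
 * <p>This is the resource-server counterpart of OAuth/OIDC dynamic client
 * registration: a resource is stored as a {@link ClientDetailsEntity}, but
 * every field that only makes sense for an OAuth client proper (grant types,
 * redirect URIs, id_token/userinfo algorithms, session settings, ...) is
 * blanked out before the entry is saved, and every entry is flagged
 * dynamically-registered and allowed to use token introspection.
 *
 * <p>Authorization model as visible in this class:
 * <ul>
 *   <li>{@code POST /resource} carries no {@code @PreAuthorize} — registration
 *       is open. Any abuse control (rate limiting, blacklist) has to live
 *       outside this class; {@code blacklistService} is injected but never
 *       used here.</li>
 *   <li>{@code GET/PUT/DELETE /resource/{id}} require a bearer token with
 *       {@code ROLE_CLIENT} and the {@code resource-token} scope, and the
 *       token's client id must equal the {@code {id}} path segment (and, for
 *       PUT, the {@code client_id} in the body). Anything else is a 403 with an
 *       empty body, so an unrelated client cannot tell whether an id exists.</li>
 * </ul>
 *
 * <p>The registration access token returned by GET and PUT may be rotated
 * server-side (see {@link #fetchValidRegistrationToken}); callers must persist
 * the token from the response instead of assuming the one they presented is
 * still valid.
 */
@RequestMapping({"resource"})
@Controller
/* loaded from: input_file:WEB-INF/lib/openid-connect-server-1.2.0.jar:org/mitre/openid/connect/web/ProtectedResourceRegistrationEndpoint.class */
public class ProtectedResourceRegistrationEndpoint {
    public static final String URL = "resource";

    private static final Logger logger = LoggerFactory.getLogger(ProtectedResourceRegistrationEndpoint.class);

    @Autowired
    private ClientDetailsEntityService clientService;

    @Autowired
    private OAuth2TokenEntityService tokenService;

    /** Injected but not referenced by any method in this class. */
    @Autowired
    private JWTSigningAndValidationService jwtService;

    @Autowired
    private SystemScopeService scopeService;

    /** Injected but not referenced by any method in this class (see class note on open registration). */
    @Autowired
    private BlacklistedSiteService blacklistService;

    @Autowired
    private ConfigurationPropertiesBean config;

    @Autowired
    private OIDCTokenService connectTokenService;

    /**
     * Registers a new protected resource from an RFC 7591 style JSON document.
     *
     * <p>Unauthenticated. Any {@code client_id} / {@code client_secret} in the
     * body is discarded: the server allocates the id and (when the chosen auth
     * method needs one) the secret. On success the response carries the stored
     * entry, a freshly minted registration access token and its
     * {@code registration_client_uri}.
     *
     * @param jsonString raw request body (only its JSON syntax is trusted)
     * @param model      Spring model the selected view renders from
     * @return view name: 201 with client info, 400 (bare or JSON error) on bad
     *         input, 500 if the path segment cannot be encoded
     */
    @RequestMapping(method = {RequestMethod.POST}, consumes = {"application/json"}, produces = {"application/json"})
    public String registerNewProtectedResource(@RequestBody String jsonString, Model model) {
        ClientDetailsEntity submitted;
        try {
            submitted = ClientDetailsEntityJsonProcessor.parse(jsonString);
        } catch (JsonSyntaxException e) {
            logger.error("registerNewProtectedResource failed; submitted JSON is malformed");
            return statusOnly(model, HttpStatus.BAD_REQUEST);
        }
        if (submitted == null) {
            logger.error("registerNewProtectedResource failed; submitted JSON is malformed");
            return statusOnly(model, HttpStatus.BAD_REQUEST);
        }

        // Never trust caller-supplied identity: the id is assigned on save and the
        // secret (if any) is generated in validateAuth().
        submitted.setClientId(null);
        submitted.setClientSecret(null);

        try {
            ClientDetailsEntity resource = validateAuth(validateScopes(submitted));
            clearClientOnlyFields(resource);

            ClientDetailsEntity saved = this.clientService.saveNewClient(resource);
            OAuth2AccessTokenEntity registrationToken = this.connectTokenService.createResourceAccessToken(saved);
            this.tokenService.saveAccessToken(registrationToken);
            return clientInfo(model, saved, registrationToken.getValue(), HttpStatus.CREATED);
        } catch (ValidationException e) {
            return jsonError(model, e.getError(), e.getErrorDescription(), e.getStatus());
        } catch (UnsupportedEncodingException e) {
            logger.error("Unsupported encoding", e);
            return statusOnly(model, HttpStatus.INTERNAL_SERVER_ERROR);
        } catch (IllegalArgumentException e) {
            // Thrown by the persistence layer (and possibly secret generation) on
            // inconsistent metadata; reported as a client error, not a 500.
            logger.error("Couldn't save client", e);
            return jsonError(model, "invalid_client_metadata",
                    "Unable to save client due to invalid or inconsistent metadata.", HttpStatus.BAD_REQUEST);
        }
    }

    /**
     * Returns the stored configuration of resource {@code id}.
     *
     * <p>Only the resource itself (bearer token issued to the same client id)
     * may read it; the token may be rotated as a side effect.
     *
     * @param id    client id from the path
     * @param model Spring model the selected view renders from
     * @param auth  authentication established from the bearer token
     * @return view name: 200 with client info, 403 on unknown id or mismatch
     */
    @RequestMapping(value = {"/{id}"}, method = {RequestMethod.GET}, produces = {"application/json"})
    @PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('resource-token')")
    public String readResourceConfiguration(@PathVariable("id") String id, Model model, OAuth2Authentication auth) {
        ClientDetailsEntity stored = this.clientService.loadClientByClientId(id);
        if (!ownsResource(stored, auth)) {
            logMismatch("readResourceConfiguration", id, auth);
            return statusOnly(model, HttpStatus.FORBIDDEN);
        }
        try {
            return clientInfo(model, stored, fetchValidRegistrationToken(auth, stored).getValue(), HttpStatus.OK);
        } catch (UnsupportedEncodingException e) {
            logger.error("Unsupported encoding", e);
            return statusOnly(model, HttpStatus.INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Replaces the configuration of resource {@code id} with the submitted
     * document.
     *
     * <p>Three ids must agree — the path, the bearer token's client and the
     * body's {@code client_id} — otherwise 403. The stored secret and creation
     * time are carried over (the secret may still be dropped or regenerated by
     * {@link #validateAuth} if the auth method changes), and all client-only
     * fields are cleared exactly as on registration.
     *
     * @param id         client id from the path
     * @param jsonString raw request body
     * @param model      Spring model the selected view renders from
     * @param auth       authentication established from the bearer token
     * @return view name: 200 with client info, 400 on bad input, 403 on mismatch
     */
    @RequestMapping(value = {"/{id}"}, method = {RequestMethod.PUT}, produces = {"application/json"}, consumes = {"application/json"})
    @PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('resource-token')")
    public String updateProtectedResource(@PathVariable("id") String id, @RequestBody String jsonString, Model model, OAuth2Authentication auth) {
        ClientDetailsEntity submitted;
        try {
            submitted = ClientDetailsEntityJsonProcessor.parse(jsonString);
        } catch (JsonSyntaxException e) {
            logger.error("updateProtectedResource failed; submitted JSON is malformed");
            return statusOnly(model, HttpStatus.BAD_REQUEST);
        }

        ClientDetailsEntity stored = this.clientService.loadClientByClientId(id);
        if (submitted == null || !ownsResource(stored, auth) || !stored.getClientId().equals(submitted.getClientId())) {
            logMismatch("updateProtectedResource", id, auth);
            return statusOnly(model, HttpStatus.FORBIDDEN);
        }

        // Fields the caller is not allowed to set are taken from the stored entry.
        submitted.setClientSecret(stored.getClientSecret());
        submitted.setCreatedAt(stored.getCreatedAt());
        clearClientOnlyFields(submitted);

        try {
            ClientDetailsEntity updated = this.clientService.updateClient(stored, validateAuth(validateScopes(submitted)));
            return clientInfo(model, updated, fetchValidRegistrationToken(auth, updated).getValue(), HttpStatus.OK);
        } catch (ValidationException e) {
            return jsonError(model, e.getError(), e.getErrorDescription(), e.getStatus());
        } catch (UnsupportedEncodingException e) {
            logger.error("Unsupported encoding", e);
            return statusOnly(model, HttpStatus.INTERNAL_SERVER_ERROR);
        } catch (IllegalArgumentException e) {
            logger.error("Couldn't save client", e);
            return jsonError(model, "invalid_client_metadata",
                    "Unable to save client due to invalid or inconsistent metadata.", HttpStatus.BAD_REQUEST);
        }
    }

    /**
     * Deletes resource {@code id}; only the resource itself may do so.
     *
     * <p>The presented registration token is not revoked here explicitly —
     * presumably {@code deleteClient} cascades to the client's tokens; TODO confirm.
     *
     * @param id    client id from the path
     * @param model Spring model the selected view renders from
     * @param auth  authentication established from the bearer token
     * @return view name: 204 on success, 403 on unknown id or mismatch
     */
    @RequestMapping(value = {"/{id}"}, method = {RequestMethod.DELETE}, produces = {"application/json"})
    @PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('resource-token')")
    public String deleteResource(@PathVariable("id") String id, Model model, OAuth2Authentication auth) {
        ClientDetailsEntity stored = this.clientService.loadClientByClientId(id);
        if (!ownsResource(stored, auth)) {
            logMismatch("deleteResource", id, auth);
            return statusOnly(model, HttpStatus.FORBIDDEN);
        }
        this.clientService.deleteClient(stored);
        return statusOnly(model, HttpStatus.NO_CONTENT);
    }

    /**
     * Normalises the requested scopes: restricted and reserved scopes are
     * silently dropped (not rejected), and an empty result falls back to the
     * system default scopes.
     *
     * @throws ValidationException declared for symmetry with {@link #validateAuth}; not thrown here
     */
    private ClientDetailsEntity validateScopes(ClientDetailsEntity resource) throws ValidationException {
        Set<SystemScope> requested = this.scopeService.fromStrings(resource.getScope());
        Set<SystemScope> allowed = this.scopeService.removeRestrictedAndReservedScopes(requested);
        if (allowed == null || allowed.isEmpty()) {
            allowed = this.scopeService.getDefaults();
        }
        resource.setScope(this.scopeService.toStrings(allowed));
        return resource;
    }

    /**
     * Makes the token-endpoint authentication method and the credential agree.
     *
     * <ul>
     *   <li>no method given → {@code client_secret_basic}</li>
     *   <li>{@code client_secret_*} → a secret is generated if none is stored</li>
     *   <li>{@code private_key_jwt} → requires {@code jwks} or {@code jwks_uri};
     *       any stored secret is discarded</li>
     *   <li>{@code none} → any stored secret is discarded</li>
     * </ul>
     *
     * @return the entity to persist (may be a different instance after secret generation)
     * @throws ValidationException for an unknown method or a private-key client without keys
     */
    private ClientDetailsEntity validateAuth(ClientDetailsEntity resource) throws ValidationException {
        if (resource.getTokenEndpointAuthMethod() == null) {
            resource.setTokenEndpointAuthMethod(ClientDetailsEntity.AuthMethod.SECRET_BASIC);
        }
        ClientDetailsEntity.AuthMethod method = resource.getTokenEndpointAuthMethod();

        if (method == ClientDetailsEntity.AuthMethod.SECRET_BASIC
                || method == ClientDetailsEntity.AuthMethod.SECRET_JWT
                || method == ClientDetailsEntity.AuthMethod.SECRET_POST) {
            if (Strings.isNullOrEmpty(resource.getClientSecret())) {
                // generateClientSecret may hand back a different instance; use its return value.
                resource = this.clientService.generateClientSecret(resource);
            }
            return resource;
        }
        if (method == ClientDetailsEntity.AuthMethod.PRIVATE_KEY) {
            if (Strings.isNullOrEmpty(resource.getJwksUri()) && resource.getJwks() == null) {
                throw new ValidationException("invalid_client_metadata",
                        "JWK Set URI required when using private key authentication", HttpStatus.BAD_REQUEST);
            }
            resource.setClientSecret(null);
            return resource;
        }
        if (method == ClientDetailsEntity.AuthMethod.NONE) {
            resource.setClientSecret(null);
            return resource;
        }
        throw new ValidationException("invalid_client_metadata", "Unknown authentication method", HttpStatus.BAD_REQUEST);
    }

    /**
     * Returns the registration access token to hand back, rotating it when it
     * is older than {@code regTokenLifeTime} seconds.
     *
     * <p>Rotation revokes the presented token and saves a new one, so the
     * caller's copy becomes invalid after this request. A {@code null}
     * lifetime disables rotation. If the token's {@code iat} cannot be read,
     * the presented token is returned unchanged.
     *
     * <p>NOTE(review): {@code readAccessToken} is assumed to throw for an
     * unknown token value rather than return {@code null}; a {@code null}
     * would NPE below — confirm against the token service.
     */
    private OAuth2AccessTokenEntity fetchValidRegistrationToken(OAuth2Authentication auth, ClientDetailsEntity resource) {
        String presented = ((OAuth2AuthenticationDetails) auth.getDetails()).getTokenValue();
        OAuth2AccessTokenEntity current = this.tokenService.readAccessToken(presented);
        if (this.config.getRegTokenLifeTime() == null) {
            return current;
        }
        try {
            Date issuedAt = current.getJwt().getJWTClaimsSet().getIssueTime();
            if (issuedAt == null) {
                // Cannot age a token without iat; treat like an unparseable one.
                logger.error("Registration token for {} has no issue time; not rotating", resource.getClientId());
                return current;
            }
            long lifetimeMillis = this.config.getRegTokenLifeTime().longValue() * 1000;
            Date rotateIfIssuedBefore = new Date(System.currentTimeMillis() - lifetimeMillis);
            if (!issuedAt.before(rotateIfIssuedBefore)) {
                return current;
            }
            logger.info("Rotating the registration access token for {}", resource.getClientId());
            this.tokenService.revokeAccessToken(current);
            OAuth2AccessTokenEntity fresh = this.connectTokenService.createResourceAccessToken(resource);
            this.tokenService.saveAccessToken(fresh);
            return fresh;
        } catch (ParseException e) {
            logger.error("Couldn't parse a known-valid token?", e);
            return current;
        }
    }

    /**
     * True when {@code stored} exists and is the very client that presented the
     * bearer token — a registration token may only manage its own entry.
     */
    private static boolean ownsResource(ClientDetailsEntity stored, OAuth2Authentication auth) {
        return stored != null && stored.getClientId().equals(auth.getOAuth2Request().getClientId());
    }

    /**
     * Logs a rejected GET/PUT/DELETE. The path id is attacker-controlled and is
     * logged verbatim; sanitise CR/LF if these logs feed line-oriented tooling.
     */
    private static void logMismatch(String operation, String pathId, OAuth2Authentication auth) {
        logger.error("{} failed, client ID mismatch: {} and {} do not match.",
                operation, pathId, auth.getOAuth2Request().getClientId());
    }

    /**
     * Blanks every field that only makes sense for an OAuth client proper so a
     * resource entry can never carry client-side configuration, then flags the
     * entry as dynamically registered and introspection-capable. Applied
     * identically on create and update.
     */
    private static void clearClientOnlyFields(ClientDetailsEntity resource) {
        resource.setGrantTypes(new HashSet<String>());
        resource.setResponseTypes(new HashSet<String>());
        resource.setRedirectUris(new HashSet<String>());
        resource.setAccessTokenValiditySeconds(0);
        resource.setIdTokenValiditySeconds(0);
        resource.setRefreshTokenValiditySeconds(0);
        resource.setDefaultACRvalues(new HashSet<String>());
        resource.setDefaultMaxAge(null);
        resource.setIdTokenEncryptedResponseAlg(null);
        resource.setIdTokenEncryptedResponseEnc(null);
        resource.setIdTokenSignedResponseAlg(null);
        resource.setInitiateLoginUri(null);
        resource.setPostLogoutRedirectUris(null);
        resource.setRequestObjectSigningAlg(null);
        resource.setRequireAuthTime(null);
        resource.setReuseRefreshToken(false);
        resource.setSectorIdentifierUri(null);
        resource.setSubjectType(null);
        resource.setUserInfoEncryptedResponseAlg(null);
        resource.setUserInfoEncryptedResponseEnc(null);
        resource.setUserInfoSignedResponseAlg(null);
        resource.setDynamicallyRegistered(true);
        resource.setAllowIntrospection(true);
    }

    /**
     * {@code registration_client_uri} for {@code resource}:
     * {@code <issuer>resource/<url-encoded client id>}.
     * Assumes the configured issuer ends with '/' — TODO confirm.
     */
    private String registrationUri(ClientDetailsEntity resource) throws UnsupportedEncodingException {
        return this.config.getIssuer() + "resource/" + UriUtils.encodePathSegment(resource.getClientId(), "UTF-8");
    }

    /** Renders the stored entry plus its registration token with the given status. */
    private String clientInfo(Model model, ClientDetailsEntity resource, String registrationToken, HttpStatus status)
            throws UnsupportedEncodingException {
        model.addAttribute("client", new RegisteredClient(resource, registrationToken, registrationUri(resource)));
        model.addAttribute(HttpCodeView.CODE, status);
        return ClientInformationResponseView.VIEWNAME;
    }

    /** Renders a bare HTTP status with no body. */
    private static String statusOnly(Model model, HttpStatus status) {
        model.addAttribute(HttpCodeView.CODE, status);
        return HttpCodeView.VIEWNAME;
    }

    /** Renders an RFC 7591 style JSON error document. */
    private static String jsonError(Model model, String error, String description, HttpStatus status) {
        model.addAttribute("error", error);
        model.addAttribute(JsonErrorView.ERROR_MESSAGE, description);
        model.addAttribute(HttpCodeView.CODE, status);
        return JsonErrorView.VIEWNAME;
    }
}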
