package org.mitre.openid.connect.web;

import com.google.common.collect.Sets;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.model.RegisteredClient;
import org.mitre.oauth2.model.SystemScope;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.mitre.oauth2.service.SystemScopeService;
import org.mitre.openid.connect.ClientDetailsEntityJsonProcessor;
import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.DefaultAuthorizationRequest;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

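/**
 * OpenID Connect dynamic client registration endpoint, mounted at {@code /register}.
 *
 * <p>{@link #registerNewClient} carries no {@code @PreAuthorize}, so anyone who can reach
 * the endpoint may create a client; it answers with a server-chosen client_id, an optional
 * server-generated secret, and a registration access token. The per-client operations on
 * {@code /register/{id}} require a bearer token with {@code ROLE_CLIENT} and the
 * {@code registration-token} scope, and additionally verify that the token was issued to
 * the client named in the path -- the scope check alone would let one dynamically
 * registered client read, rewrite or delete another.
 *
 * <p>NOTE(review): nothing in this class throttles open registration; any abuse control
 * (rate limiting, approval) is presumably applied elsewhere -- confirm for the deployment.
 */
@RequestMapping({"register"})
@Controller
/* loaded from: input_file:WEB-INF/classes/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.class */
public class ClientDynamicRegistrationEndpoint {

    @Autowired
    private ClientDetailsEntityService clientService;

    @Autowired
    private OAuth2TokenEntityService tokenService;

    @Autowired
    private SystemScopeService scopeService;

    @Autowired
    private ConfigurationPropertiesBean config;

    private static final Logger logger = LoggerFactory.getLogger(ClientDynamicRegistrationEndpoint.class);

    /**
     * Registers a new client from a JSON metadata document (unauthenticated).
     *
     * @param str   raw request body; parsed by {@link ClientDetailsEntityJsonProcessor}
     * @param model receives {@code client} (a {@link RegisteredClient}) and {@code code}
     * @return the view name: the client information response on success, or the bare
     *         HTTP-code view with 400 when the body does not parse
     */
    @RequestMapping(method = {RequestMethod.POST}, consumes = {"application/json"}, produces = {"application/json"})
    public String registerNewClient(@RequestBody String str, Model model) {
        ClientDetailsEntity newClient = ClientDetailsEntityJsonProcessor.parse(str);
        if (newClient == null) {
            logger.error("registerNewClient failed; submitted JSON is malformed");
            model.addAttribute("code", HttpStatus.BAD_REQUEST);
            return "httpCodeView";
        }

        // The server, not the requester, chooses the identifier and the secret.
        newClient.setClientId(null);
        newClient.setClientSecret(null);

        // Requested scopes are clipped to the set permitted for dynamic registration;
        // an absent or empty request gets the system defaults, clipped the same way.
        Set<SystemScope> allowed = this.scopeService.getDynReg();
        Set<SystemScope> requested = this.scopeService.fromStrings(newClient.getScope());
        if (requested == null || requested.isEmpty()) {
            requested = this.scopeService.getDefaults();
        }
        newClient.setScope(this.scopeService.toStrings(Sets.intersection(allowed, requested)));

        // Defaults for omitted metadata: code flow, with refresh tokens only when
        // offline_access survived the scope intersection above.
        if (newClient.getGrantTypes() == null || newClient.getGrantTypes().isEmpty()) {
            if (newClient.getScope().contains("offline_access")) {
                newClient.setGrantTypes(Sets.newHashSet("authorization_code", OAuth2AccessToken.REFRESH_TOKEN));
            } else {
                newClient.setGrantTypes(Sets.newHashSet("authorization_code"));
            }
        }
        if (newClient.getResponseTypes() == null || newClient.getResponseTypes().isEmpty()) {
            newClient.setResponseTypes(Sets.newHashSet("code"));
        }
        if (newClient.getTokenEndpointAuthMethod() == null) {
            newClient.setTokenEndpointAuthMethod(ClientDetailsEntity.AuthMethod.SECRET_BASIC);
        }
        // Only the shared-secret auth methods get a server-generated secret; the
        // requester's own secret was discarded above.
        if (usesSharedSecret(newClient.getTokenEndpointAuthMethod())) {
            newClient = this.clientService.generateClientSecret(newClient);
        }

        // Token lifetimes are server policy; whatever the request said is overwritten.
        newClient.setAccessTokenValiditySeconds(Integer.valueOf((int) TimeUnit.HOURS.toSeconds(1L)));
        newClient.setIdTokenValiditySeconds(Integer.valueOf((int) TimeUnit.MINUTES.toSeconds(10L)));
        // A null refresh-token validity presumably means "no expiry" or the service
        // default -- TODO confirm against OAuth2TokenEntityService.
        newClient.setRefreshTokenValiditySeconds(null);
        newClient.setDynamicallyRegistered(true);
        // NOTE(review): unlike updateClient, which re-applies the stored values, nothing
        // here resets allowIntrospection, authorities or reuseRefreshToken on the freshly
        // parsed entity. Whether the JSON parser can populate those from the request body
        // is not visible in this file -- confirm, and force safe defaults here if it can.

        ClientDetailsEntity saved = this.clientService.saveNewClient(newClient);
        String registrationToken = createRegistrationAccessToken(saved).getValue();
        model.addAttribute("client", new RegisteredClient(saved, registrationToken, registrationUri(saved)));
        model.addAttribute("code", HttpStatus.CREATED);
        return "clientInformationResponseView";
    }

    /**
     * Returns the current configuration of client {@code id}.
     *
     * @param str                  client_id from the path
     * @param model                receives {@code client} and {@code code}
     * @param oAuth2Authentication the bearer-token authentication of the caller
     * @return the client information view, or the HTTP-code view with 403 when the
     *         client does not exist or the token was not issued to it
     */
    @RequestMapping(value = {"/{id}"}, method = {RequestMethod.GET}, produces = {"application/json"})
    @PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('registration-token')")
    public String readClientConfiguration(@PathVariable("id") String str, Model model, OAuth2Authentication oAuth2Authentication) {
        ClientDetailsEntity client = this.clientService.loadClientByClientId(str);
        if (!ownedByCaller(client, oAuth2Authentication)) {
            return forbidden("readClientConfiguration", str, oAuth2Authentication, model);
        }
        model.addAttribute("client", new RegisteredClient(client, currentRegistrationToken(oAuth2Authentication), registrationUri(client)));
        model.addAttribute("code", HttpStatus.OK);
        return "clientInformationResponseView";
    }

    /**
     * Replaces the metadata of client {@code id} with the JSON document in the body.
     *
     * <p>Attributes that are server policy -- the secret, token lifetimes, introspection
     * permission, authorities, description and creation time -- are copied back from the
     * stored record so a PUT cannot change them; in particular the secret cannot be
     * rotated through this endpoint.
     *
     * @param str                  client_id from the path
     * @param str2                 raw request body; its client_id must equal the path id
     * @param model                receives {@code client} and {@code code}
     * @param oAuth2Authentication the bearer-token authentication of the caller
     * @return the client information view; the HTTP-code view with 400 when the body
     *         does not parse, or 403 on a client-ID mismatch
     */
    @RequestMapping(value = {"/{id}"}, method = {RequestMethod.PUT}, produces = {"application/json"}, consumes = {"application/json"})
    @PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('registration-token')")
    public String updateClient(@PathVariable("id") String str, @RequestBody String str2, Model model, OAuth2Authentication oAuth2Authentication) {
        ClientDetailsEntity incoming = ClientDetailsEntityJsonProcessor.parse(str2);
        if (incoming == null) {
            // A malformed body is a 400, as in registerNewClient; it used to fall into
            // the 403 "client ID mismatch" branch with a misleading log line.
            logger.error("updateClient failed; submitted JSON is malformed");
            model.addAttribute("code", HttpStatus.BAD_REQUEST);
            return "httpCodeView";
        }
        ClientDetailsEntity stored = this.clientService.loadClientByClientId(str);
        // The token must belong to the client in the path, and the body must name that
        // same client -- a body carrying another client_id is rejected rather than
        // silently re-keyed.
        if (!ownedByCaller(stored, oAuth2Authentication) || !stored.getClientId().equals(incoming.getClientId())) {
            return forbidden("updateClient", str, oAuth2Authentication, model);
        }

        incoming.setClientSecret(stored.getClientSecret());
        incoming.setAccessTokenValiditySeconds(stored.getAccessTokenValiditySeconds());
        incoming.setIdTokenValiditySeconds(stored.getIdTokenValiditySeconds());
        incoming.setRefreshTokenValiditySeconds(stored.getRefreshTokenValiditySeconds());
        incoming.setDynamicallyRegistered(true);
        incoming.setAllowIntrospection(stored.isAllowIntrospection());
        incoming.setAuthorities(stored.getAuthorities());
        incoming.setClientDescription(stored.getClientDescription());
        incoming.setCreatedAt(stored.getCreatedAt());
        incoming.setReuseRefreshToken(stored.isReuseRefreshToken());

        // Same scope clipping as at registration. An absent or empty scope falls back to
        // the defaults instead of reaching Sets.intersection with a possibly-null set
        // (registerNewClient guards the identical fromStrings call).
        Set<SystemScope> requested = this.scopeService.fromStrings(incoming.getScope());
        if (requested == null || requested.isEmpty()) {
            requested = this.scopeService.getDefaults();
        }
        incoming.setScope(this.scopeService.toStrings(Sets.intersection(this.scopeService.getDynReg(), requested)));
        // NOTE(review): grant_types, response_types and token_endpoint_auth_method are
        // taken from the body as-is; registerNewClient supplies defaults when they are
        // omitted, this path does not -- confirm whether updateClient() below fills them.

        ClientDetailsEntity updated = this.clientService.updateClient(stored, incoming);
        model.addAttribute("client", new RegisteredClient(updated, currentRegistrationToken(oAuth2Authentication), registrationUri(updated)));
        model.addAttribute("code", HttpStatus.OK);
        return "clientInformationResponseView";
    }

    /**
     * Deletes client {@code id}.
     *
     * @param str                  client_id from the path
     * @param model                receives {@code client} and {@code code}
     * @param oAuth2Authentication the bearer-token authentication of the caller
     * @return the HTTP-code view: 204 on success, 403 when the client does not exist or
     *         the token was not issued to it
     */
    @RequestMapping(value = {"/{id}"}, method = {RequestMethod.DELETE}, produces = {"application/json"})
    @PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('registration-token')")
    public String deleteClient(@PathVariable("id") String str, Model model, OAuth2Authentication oAuth2Authentication) {
        ClientDetailsEntity client = this.clientService.loadClientByClientId(str);
        if (!ownedByCaller(client, oAuth2Authentication)) {
            return forbidden("deleteClient", str, oAuth2Authentication, model);
        }
        this.clientService.deleteClient(client);
        model.addAttribute("client", client);
        model.addAttribute("code", HttpStatus.NO_CONTENT);
        return "httpCodeView";
    }

    /**
     * Mints the registration access token for a freshly created client: a client-only
     * token (no user authentication) carrying just the registration-token scope and
     * ROLE_CLIENT, which is exactly what the {@code @PreAuthorize} checks on the
     * per-client operations require. The SpEL literal {@code 'registration-token'} in
     * those checks must match {@code REGISTRATION_TOKEN_SCOPE} -- presumably it does;
     * confirm if either is ever changed.
     */
    private OAuth2AccessTokenEntity createRegistrationAccessToken(ClientDetailsEntity client) throws AuthenticationException {
        DefaultAuthorizationRequest request = new DefaultAuthorizationRequest(client.getClientId(), Sets.newHashSet(OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE));
        request.setApproved(true);
        request.setAuthorities(Sets.newHashSet(new SimpleGrantedAuthority("ROLE_CLIENT")));
        return (OAuth2AccessTokenEntity) this.tokenService.createAccessToken(new OAuth2Authentication(request, null));
    }

    /**
     * True when {@code client} exists and is the client the bearer token was issued to.
     * This is the ownership check that binds a registration token to a single
     * {@code /register/{id}} resource.
     */
    private static boolean ownedByCaller(ClientDetailsEntity client, OAuth2Authentication auth) {
        return client != null
                && client.getClientId().equals(auth.getAuthorizationRequest().getClientId());
    }

    /**
     * Logs the mismatch and selects the 403 view. A nonexistent id gets the same answer
     * as someone else's id, so the endpoint does not reveal which clients exist.
     * {@code pathId} is caller-supplied and is logged verbatim.
     */
    private String forbidden(String operation, String pathId, OAuth2Authentication auth, Model model) {
        logger.error("{} failed, client ID mismatch: {} and {} do not match.",
                operation, pathId, auth.getAuthorizationRequest().getClientId());
        model.addAttribute("code", HttpStatus.FORBIDDEN);
        return "httpCodeView";
    }

    /** True for the token-endpoint auth methods that rely on a server-issued shared secret. */
    private static boolean usesSharedSecret(ClientDetailsEntity.AuthMethod method) {
        return method == ClientDetailsEntity.AuthMethod.SECRET_BASIC
                || method == ClientDetailsEntity.AuthMethod.SECRET_JWT
                || method == ClientDetailsEntity.AuthMethod.SECRET_POST;
    }

    /** Builds the {@code registration_client_uri} for {@code client} under the configured issuer. */
    private String registrationUri(ClientDetailsEntity client) {
        return this.config.getIssuer() + "register/" + client.getClientId();
    }

    /**
     * Looks up the bearer token that authenticated the current request and returns its
     * value, so the response echoes the caller's registration access token unchanged.
     */
    private String currentRegistrationToken(OAuth2Authentication auth) {
        String presented = ((OAuth2AuthenticationDetails) auth.getDetails()).getTokenValue();
        return this.tokenService.readAccessToken(presented).getValue();
    }
}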
