package io.jans.as.server.introspection.ws.rs;

import com.google.common.collect.Lists;
import io.jans.as.common.claims.Audience;
import io.jans.as.common.service.AttributeService;
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.common.IntrospectionResponse;
import io.jans.as.model.common.TokenType;
import io.jans.as.model.config.WebKeysConfiguration;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.uma.UmaScopeType;
import io.jans.as.model.util.Util;
import io.jans.as.server.model.common.AbstractToken;
import io.jans.as.server.model.common.AccessToken;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.AuthorizationGrantList;
import io.jans.as.server.model.token.JwtSigner;
import io.jans.as.server.service.ClientService;
import io.jans.as.server.service.external.ExternalIntrospectionService;
import io.jans.as.server.service.external.context.ExternalIntrospectionContext;
import io.jans.as.server.service.token.TokenService;
import io.jans.as.server.util.ServerUtil;
import io.jans.util.Pair;
import jakarta.inject.Inject;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.FormParam;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.HeaderParam;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Iterator;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.jetbrains.annotations.Nullable;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;

@Path("/introspection")
/* loaded from: input_file:io/jans/as/server/introspection/ws/rs/IntrospectionWebService.class */
public class IntrospectionWebService {
    private static final Pair<AuthorizationGrant, Boolean> EMPTY = new Pair<>((Object) null, false);

    @Inject
    private Logger log;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private TokenService tokenService;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private ClientService clientService;

    @Inject
    private ExternalIntrospectionService externalIntrospectionService;

    @Inject
    private AttributeService attributeService;

    @Inject
    private WebKeysConfiguration webKeysConfiguration;

    @Produces({"application/json"})
    @GET
    public Response introspectGet(@HeaderParam("Authorization") String str, @QueryParam("token") String str2, @QueryParam("token_type_hint") String str3, @QueryParam("response_as_jwt") String str4, @Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        return introspect(str, str2, str3, str4, httpServletRequest, httpServletResponse);
    }

    @POST
    @Produces({"application/json"})
    public Response introspectPost(@HeaderParam("Authorization") String str, @FormParam("token") String str2, @FormParam("token_type_hint") String str3, @FormParam("response_as_jwt") String str4, @Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) {
        return introspect(str, str2, str3, str4, httpServletRequest, httpServletResponse);
    }

    private AuthorizationGrant validateAuthorization(String str, String str2) throws UnsupportedEncodingException {
        boolean isTrue = BooleanUtils.isTrue(this.appConfiguration.getIntrospectionSkipAuthorization());
        this.log.trace("skipAuthorization: {}", Boolean.valueOf(isTrue));
        if (isTrue) {
            return null;
        }
        if (StringUtils.isBlank(str)) {
            this.log.trace("Bad request: Authorization header or token is blank.");
            throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(this.errorResponseFactory.errorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, "")).build());
        }
        Pair<AuthorizationGrant, Boolean> authorizationGrant = getAuthorizationGrant(str, str2);
        AuthorizationGrant authorizationGrant2 = (AuthorizationGrant) authorizationGrant.getFirst();
        if (authorizationGrant2 == null) {
            this.log.error("Authorization grant is null.");
            throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).type(MediaType.APPLICATION_JSON_TYPE).entity(this.errorResponseFactory.errorAsJson(AuthorizeErrorResponseType.ACCESS_DENIED, "Authorization grant is null.")).build());
        }
        AbstractToken accessToken = authorizationGrant2.getAccessToken(this.tokenService.getToken(str));
        if ((accessToken == null || !accessToken.isValid()) && org.apache.commons.lang3.BooleanUtils.isFalse((Boolean) authorizationGrant.getSecond())) {
            this.log.error("Access token is not valid. Valid: {}, basicClientAuthentication: {}", Boolean.valueOf(accessToken != null && accessToken.isValid()), authorizationGrant.getSecond());
            throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).type(MediaType.APPLICATION_JSON_TYPE).entity(this.errorResponseFactory.errorAsJson(AuthorizeErrorResponseType.ACCESS_DENIED, "Access token is not valid")).build());
        }
        if (!BooleanUtils.isTrue(this.appConfiguration.getIntrospectionAccessTokenMustHaveUmaProtectionScope()) || authorizationGrant2.getScopesAsString().contains(UmaScopeType.PROTECTION.getValue())) {
            return authorizationGrant2;
        }
        this.log.trace("access_token used to access introspection endpoint does not have uma_protection scope, however in oxauth configuration `checkUmaProtectionScopePresenceDuringIntrospection` is true");
        throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).entity(this.errorResponseFactory.errorAsJson(AuthorizeErrorResponseType.ACCESS_DENIED, "access_token used to access introspection endpoint does not have uma_protection scope, however in oxauth configuration `checkUmaProtectionScopePresenceDuringIntrospection` is true")).type(MediaType.APPLICATION_JSON_TYPE).build());
    }

    private Response introspect(String str, String str2, String str3, String str4, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            if (this.log.isTraceEnabled()) {
                this.log.trace("Introspect token, authorization: {}, token to introspect: {}, tokenTypeHint: {}", new Object[]{Util.escapeLog(str), Util.escapeLog(str2), Util.escapeLog(str3)});
            }
            AuthorizationGrant validateAuthorization = validateAuthorization(str, str2);
            if (StringUtils.isBlank(str2)) {
                this.log.trace("Bad request: Token is blank.");
                return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(this.errorResponseFactory.errorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, "")).build();
            }
            IntrospectionResponse introspectionResponse = new IntrospectionResponse(false);
            AuthorizationGrant authorizationGrantByAccessToken = this.authorizationGrantList.getAuthorizationGrantByAccessToken(str2);
            AbstractToken fillResponse = fillResponse(str2, introspectionResponse, authorizationGrantByAccessToken);
            JSONObject createResponseAsJsonObject = createResponseAsJsonObject(introspectionResponse, fillResponse);
            ExternalIntrospectionContext externalIntrospectionContext = new ExternalIntrospectionContext(validateAuthorization, httpServletRequest, httpServletResponse, this.appConfiguration, this.attributeService);
            externalIntrospectionContext.setGrantOfIntrospectionToken(authorizationGrantByAccessToken);
            if (this.externalIntrospectionService.executeExternalModifyResponse(createResponseAsJsonObject, externalIntrospectionContext)) {
                this.log.trace("Successfully run external introspection scripts.");
            } else {
                createResponseAsJsonObject = createResponseAsJsonObject(introspectionResponse, fillResponse);
                this.log.trace("Canceled changes made by external introspection script since method returned `false`.");
            }
            if (introspectionResponse.getScope() != null && !this.appConfiguration.getIntrospectionResponseScopesBackwardCompatibility().booleanValue()) {
                createResponseAsJsonObject.put("scope", StringUtils.join(introspectionResponse.getScope().toArray(), " "));
            }
            return Boolean.TRUE.toString().equalsIgnoreCase(str4) ? Response.status(Response.Status.OK).entity(createResponseAsJwt(createResponseAsJsonObject, authorizationGrantByAccessToken)).build() : Response.status(Response.Status.OK).entity(createResponseAsJsonObject.toString()).type(MediaType.APPLICATION_JSON_TYPE).build();
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).type(MediaType.APPLICATION_JSON_TYPE).build();
        } catch (WebApplicationException e2) {
            if (this.log.isErrorEnabled()) {
                this.log.error(e2.getMessage(), e2);
            }
            throw e2;
        }
    }

    @Nullable
    private AbstractToken fillResponse(String str, IntrospectionResponse introspectionResponse, AuthorizationGrant authorizationGrant) {
        AbstractToken abstractToken = null;
        if (authorizationGrant != null) {
            abstractToken = authorizationGrant.getAccessToken(str);
            introspectionResponse.setActive(abstractToken.isValid());
            introspectionResponse.setExpiresAt(ServerUtil.dateToSeconds(abstractToken.getExpirationDate()));
            introspectionResponse.setIssuedAt(ServerUtil.dateToSeconds(abstractToken.getCreationDate()));
            introspectionResponse.setAcrValues(authorizationGrant.getAcrValues());
            introspectionResponse.setScope(authorizationGrant.getScopes() != null ? authorizationGrant.getScopes() : Lists.newArrayList());
            introspectionResponse.setClientId(authorizationGrant.getClientId());
            introspectionResponse.setSub(authorizationGrant.getSub());
            introspectionResponse.setUsername(authorizationGrant.getUserId());
            introspectionResponse.setIssuer(this.appConfiguration.getIssuer());
            introspectionResponse.setAudience(authorizationGrant.getClientId());
            if (abstractToken instanceof AccessToken) {
                AccessToken accessToken = (AccessToken) abstractToken;
                introspectionResponse.setTokenType(accessToken.getTokenType() != null ? accessToken.getTokenType().getName() : TokenType.BEARER.getName());
                if (StringUtils.isNotBlank(accessToken.getDpop())) {
                    introspectionResponse.setNotBefore(Long.valueOf(accessToken.getCreationDate().getTime()));
                    HashMap hashMap = new HashMap();
                    hashMap.put("jkt", accessToken.getDpop());
                    introspectionResponse.setCnf(hashMap);
                }
            }
        } else if (this.log.isDebugEnabled()) {
            this.log.debug("Failed to find grant for access_token: {}. Return 200 with active=false.", Util.escapeLog(str));
        }
        return abstractToken;
    }

    private String createResponseAsJwt(JSONObject jSONObject, AuthorizationGrant authorizationGrant) throws Exception {
        JwtSigner newJwtSigner = JwtSigner.newJwtSigner(this.appConfiguration, this.webKeysConfiguration, authorizationGrant.getClient());
        Jwt newJwt = newJwtSigner.newJwt();
        Audience.setAudience(newJwt.getClaims(), authorizationGrant.getClient());
        Iterator<String> keys = jSONObject.keys();
        while (keys.hasNext()) {
            String next = keys.next();
            Object opt = jSONObject.opt(next);
            if (opt != null) {
                try {
                    newJwt.getClaims().setClaimObject(next, opt, false);
                } catch (Exception e) {
                    this.log.error("Failed to put claims into jwt. Key: " + next + ", response: " + jSONObject.toString(), e);
                }
            }
        }
        return newJwtSigner.sign().toString();
    }

    private static JSONObject createResponseAsJsonObject(IntrospectionResponse introspectionResponse, AbstractToken abstractToken) throws JSONException, IOException {
        JSONObject jSONObject = new JSONObject(ServerUtil.asJson(introspectionResponse));
        if (abstractToken != null && StringUtils.isNotBlank(abstractToken.getX5ts256())) {
            JSONObject jSONObject2 = new JSONObject();
            jSONObject2.put("x5t#S256", abstractToken.getX5ts256());
            jSONObject.put("cnf", jSONObject2);
        }
        return jSONObject;
    }

    private Pair<AuthorizationGrant, Boolean> getAuthorizationGrant(String str, String str2) throws UnsupportedEncodingException {
        AuthorizationGrant bearerAuthorizationGrant = this.tokenService.getBearerAuthorizationGrant(str);
        if (bearerAuthorizationGrant == null) {
            AuthorizationGrant basicAuthorizationGrant = this.tokenService.getBasicAuthorizationGrant(str);
            return basicAuthorizationGrant != null ? new Pair<>(basicAuthorizationGrant, false) : this.tokenService.isBasicAuthToken(str) ? isBasicTokenValid(str, str2) : EMPTY;
        }
        String bearerToken = this.tokenService.getBearerToken(str);
        AbstractToken accessToken = bearerAuthorizationGrant.getAccessToken(bearerToken);
        if (accessToken != null && accessToken.isValid()) {
            return new Pair<>(bearerAuthorizationGrant, false);
        }
        this.log.error("Access token is not valid: {}", bearerToken);
        return EMPTY;
    }

    private Pair<AuthorizationGrant, Boolean> isBasicTokenValid(String str, String str2) throws UnsupportedEncodingException {
        String str3 = new String(Base64.decodeBase64(this.tokenService.getBasicToken(str)), StandardCharsets.UTF_8);
        int indexOf = str3.indexOf(":");
        if (indexOf == -1) {
            return EMPTY;
        }
        String decode = URLDecoder.decode(str3.substring(0, indexOf), "UTF-8");
        if (!this.clientService.authenticate(decode, URLDecoder.decode(str3.substring(indexOf + 1), "UTF-8"))) {
            if (this.log.isTraceEnabled()) {
                this.log.trace("Failed to perform basic authentication for client: {}", decode);
            }
            return EMPTY;
        }
        AuthorizationGrant authorizationGrantByAccessToken = this.authorizationGrantList.getAuthorizationGrantByAccessToken(str2);
        if (authorizationGrantByAccessToken == null || authorizationGrantByAccessToken.getClientId().equals(decode)) {
            return new Pair<>(authorizationGrantByAccessToken, true);
        }
        this.log.trace("Failed to match grant object clientId and client id provided during authentication.");
        return EMPTY;
    }
}
