package io.jans.ca.server.op;

import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import com.google.inject.Injector;
import io.jans.as.client.OpenIdConfigurationResponse;
import io.jans.as.client.TokenClient;
import io.jans.as.client.TokenRequest;
import io.jans.as.client.TokenResponse;
import io.jans.as.model.common.AuthenticationMethod;
import io.jans.as.model.common.GrantType;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.jwk.Algorithm;
import io.jans.as.model.jwk.Use;
import io.jans.as.model.jwt.Jwt;
import io.jans.ca.common.Command;
import io.jans.ca.common.ErrorResponseCode;
import io.jans.ca.common.ExpiredObjectType;
import io.jans.ca.common.Jackson2;
import io.jans.ca.common.params.GetTokensByCodeParams;
import io.jans.ca.common.response.GetTokensByCodeResponse;
import io.jans.ca.common.response.IOpResponse;
import io.jans.ca.server.HttpException;
import io.jans.ca.server.op.Validator;
import io.jans.ca.server.service.Rp;
import java.io.IOException;
import org.python.jline.internal.Log;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/jans/ca/server/op/GetTokensByCodeOperation.class */
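/**
 * Operation that exchanges an authorization code for tokens at the OP's token endpoint.
 *
 * <p>Flow: validate the incoming {@code code}/{@code state}, build a token request whose client
 * authentication is chosen from the request parameters (falling back to the RP's registered
 * settings), call the token endpoint, validate the returned id_token / access_token / state /
 * nonce, persist the tokens on the {@link Rp} record and return them to the caller.
 */
public class GetTokensByCodeOperation extends BaseOperation<GetTokensByCodeParams> {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) GetTokensByCodeOperation.class);

    /**
     * Creates the operation for a single command.
     * (Decompiler note: the original access modifier was {@code protected}.)
     *
     * @param command  the incoming command carrying the operation parameters
     * @param injector injector handed to {@link BaseOperation} to resolve the services used below
     */
    public GetTokensByCodeOperation(Command command, Injector injector) {
        super(command, injector, GetTokensByCodeParams.class);
    }

    /**
     * Executes the code-for-tokens exchange.
     *
     * @param getTokensByCodeParams the authorization code, state and optional per-request
     *                              authentication method / signing algorithm
     * @return the issued tokens plus the parsed id_token claims, or {@code null} when the token
     *         endpoint answered with a status other than 200, 302 or 400 (kept for backward
     *         compatibility with existing callers)
     * @throws HttpException when code/state are missing or unknown, the signing algorithm is
     *                       invalid, JWKS generation is disabled for a key-based auth method, the
     *                       OP returned 400, or id_token / access_token are absent; the
     *                       {@link Validator} raises its own errors when token validation fails
     * @throws Exception propagated from the token client, JWT parsing and JSON mapping
     */
    @Override // io.jans.ca.server.op.IOperation
    public IOpResponse execute(GetTokensByCodeParams getTokensByCodeParams) throws Exception {
        validate(getTokensByCodeParams);
        Rp rp = getRp();
        OpenIdConfigurationResponse discovery = getDiscoveryService().getConnectDiscoveryResponse(rp);

        TokenRequest tokenRequest = buildTokenRequest(getTokensByCodeParams, rp, discovery);

        TokenClient tokenClient = getOpClientFactory().createTokenClient(discovery.getTokenEndpoint());
        tokenClient.setExecutor(getHttpService().getClientEngine());
        tokenClient.setRequest(tokenRequest);
        TokenResponse tokenResponse = tokenClient.exec();

        // 302 is accepted as success here; this mirrors the original behaviour, presumably for
        // OPs that redirect on the token endpoint — confirm before tightening.
        int status = tokenResponse.getStatus();
        if (status != 200 && status != 302) {
            if (status == 400) {
                throw new HttpException(ErrorResponseCode.BAD_REQUEST_INVALID_CODE);
            }
            // Fixed: the original logged getScope() here, which hid the actual HTTP status.
            LOG.error("Failed to get tokens because response code is: {}", status);
            return null;
        }

        if (Strings.isNullOrEmpty(tokenResponse.getIdToken())) {
            LOG.error("id_token is not returned. Please check: 1) OP log file for error (oxauth.log) 2) whether 'openid' scope is present for 'get_authorization_url' command");
            // The raw response body is logged to aid diagnosis. This branch is only reached when no
            // id_token came back, but the body may still carry an access_token (checked below).
            LOG.error("Entity: {}", tokenResponse.getEntity());
            throw new HttpException(ErrorResponseCode.NO_ID_TOKEN_RETURNED);
        }
        if (Strings.isNullOrEmpty(tokenResponse.getAccessToken())) {
            LOG.error("access_token is not returned");
            throw new HttpException(ErrorResponseCode.NO_ACCESS_TOKEN_RETURNED);
        }

        Jwt idToken = Jwt.parse(tokenResponse.getIdToken());
        Validator validator = new Validator.Builder()
                .discoveryResponse(discovery)
                .idToken(idToken)
                .keyService(getKeyService())
                .opClientFactory(getOpClientFactory())
                .rpServerConfiguration(getConfigurationService().getConfiguration())
                .rp(rp)
                .build();

        // Nonce, id_token, access_token and state are all checked before anything is persisted;
        // the state key is only consumed (deleted) once every check has passed.
        String stateKey = getStateService().encodeExpiredObject(getTokensByCodeParams.getState(), ExpiredObjectType.STATE);
        validator.validateNonce(getStateService());
        validator.validateIdToken();
        validator.validateAccessToken(tokenResponse.getAccessToken());
        validator.validateState(stateKey);

        rp.setIdToken(tokenResponse.getIdToken());
        rp.setAccessToken(tokenResponse.getAccessToken());
        getRpService().update(rp);
        getStateService().deleteExpiredObjectsByKey(stateKey);

        LOG.trace("Scope: {}", tokenResponse.getScope());
        return toResponse(tokenResponse, idToken);
    }

    /**
     * Builds the authorization_code token request and selects the client authentication method.
     * A method given in the request parameters takes precedence over the RP's registered
     * token_endpoint_auth_method; an unset/unknown method falls back to client_secret_basic.
     */
    private TokenRequest buildTokenRequest(GetTokensByCodeParams params, Rp rp, OpenIdConfigurationResponse discovery) {
        TokenRequest tokenRequest = new TokenRequest(GrantType.AUTHORIZATION_CODE);
        tokenRequest.setCode(params.getCode());
        tokenRequest.setRedirectUri(rp.getRedirectUri());
        tokenRequest.setAuthUsername(rp.getClientId());

        String requestedMethod = Strings.isNullOrEmpty(params.getAuthenticationMethod())
                ? rp.getTokenEndpointAuthMethod()
                : params.getAuthenticationMethod();
        AuthenticationMethod authMethod = AuthenticationMethod.fromString(requestedMethod);
        if (authMethod == null) {
            LOG.debug("TokenEndpointAuthMethod is either not set or not valid. Setting `client_secret_basic` as AuthenticationMethod. TokenEndpointAuthMethod : {} ", rp.getTokenEndpointAuthMethod());
            authMethod = AuthenticationMethod.CLIENT_SECRET_BASIC;
        }
        tokenRequest.setAuthenticationMethod(authMethod);

        if (isKeyBasedAuth(authMethod)) {
            configureKeyBasedAuth(tokenRequest, params, rp, discovery, authMethod);
        } else {
            // Secret-based methods authenticate with the RP's client secret.
            tokenRequest.setAuthPassword(rp.getClientSecret());
        }
        return tokenRequest;
    }

    /** Whether the method authenticates with an RP-held key (signed JWT or mutual TLS) rather than a client secret. */
    private static boolean isKeyBasedAuth(AuthenticationMethod method) {
        return method == AuthenticationMethod.PRIVATE_KEY_JWT
                || method == AuthenticationMethod.TLS_CLIENT_AUTH
                || method == AuthenticationMethod.SELF_SIGNED_TLS_CLIENT_AUTH;
    }

    /**
     * Sets signing algorithm, crypto provider, key id and audience for key-based client
     * authentication. Requires JWKS generation to be enabled in the server configuration.
     *
     * @throws HttpException when the signing algorithm is unset/invalid or JWKS generation is disabled
     */
    private void configureKeyBasedAuth(TokenRequest tokenRequest, GetTokensByCodeParams params, Rp rp,
                                       OpenIdConfigurationResponse discovery, AuthenticationMethod authMethod) {
        // Per-request algorithm wins over the RP's registered token_endpoint_auth_signing_alg.
        String signingAlg = Strings.isNullOrEmpty(params.getAlgorithm())
                ? rp.getTokenEndpointAuthSigningAlg()
                : params.getAlgorithm();
        Algorithm keyAlgorithm = Algorithm.fromString(signingAlg);
        if (keyAlgorithm == null) {
            LOG.error("TokenEndpointAuthSigningAlg is either not set or not valid. TokenEndpointAuthSigningAlg : {} ", signingAlg);
            throw new HttpException(ErrorResponseCode.INVALID_SIGNATURE_ALGORITHM);
        }
        // Fixed: the original always took the signature algorithm from the RP record, so a
        // per-request `algorithm` selected the signing key but the request was signed with a
        // different algorithm. Both now derive from the same resolved value.
        tokenRequest.setAlgorithm(SignatureAlgorithm.fromString(signingAlg));

        // A null flag is treated as "disabled" instead of failing with an NPE on unboxing.
        if (!Boolean.TRUE.equals(getConfigurationService().getConfiguration().getEnableJwksGeneration())) {
            LOG.error("The Token Authentication Method is {}. Please set `enable_jwks_generation` (to `true`), `crypt_provider_key_store_path` and `crypt_provider_key_store_password` in `client-api-server.yml` to enable RP-jwks generation in jans-client-api.", authMethod.toString());
            throw new HttpException(ErrorResponseCode.JWKS_GENERATION_DISABLE);
        }
        tokenRequest.setCryptoProvider(getKeyGeneratorService().getCryptoProvider());
        tokenRequest.setKeyId(getKeyGeneratorService().getCryptoProvider().getKeyId(getKeyGeneratorService().getKeys(), keyAlgorithm, Use.SIGNATURE));
        tokenRequest.setAudience(discovery.getTokenEndpoint());
    }

    /**
     * Maps the token endpoint response and the parsed id_token into the command response.
     * {@code expires_in} is reported as -1 when the OP did not return it.
     *
     * @throws IOException when the id_token claims cannot be re-read as a JSON tree
     */
    private static GetTokensByCodeResponse toResponse(TokenResponse tokenResponse, Jwt idToken) throws IOException {
        GetTokensByCodeResponse response = new GetTokensByCodeResponse();
        response.setAccessToken(tokenResponse.getAccessToken());
        response.setIdToken(tokenResponse.getIdToken());
        response.setRefreshToken(tokenResponse.getRefreshToken());
        response.setExpiresIn(tokenResponse.getExpiresIn() != null ? tokenResponse.getExpiresIn().intValue() : -1);
        response.setIdTokenClaims(Jackson2.createJsonMapper().readTree(idToken.getClaims().toJsonString()));
        return response;
    }

    /**
     * Rejects requests that lack a code or state, or whose state is not known to the state
     * store (never issued by this server, or already expired/consumed).
     *
     * @throws HttpException with BAD_REQUEST_NO_CODE, BAD_REQUEST_NO_STATE or
     *                       BAD_REQUEST_STATE_NOT_VALID
     */
    private void validate(GetTokensByCodeParams getTokensByCodeParams) {
        if (Strings.isNullOrEmpty(getTokensByCodeParams.getCode())) {
            throw new HttpException(ErrorResponseCode.BAD_REQUEST_NO_CODE);
        }
        if (Strings.isNullOrEmpty(getTokensByCodeParams.getState())) {
            throw new HttpException(ErrorResponseCode.BAD_REQUEST_NO_STATE);
        }
        boolean statePresent;
        try {
            String stateKey = getStateService().encodeExpiredObject(getTokensByCodeParams.getState(), ExpiredObjectType.STATE);
            statePresent = getStateService().isExpiredObjectPresent(stateKey);
        } catch (Exception e) {
            // Fixed: the original logged through org.python.jline.internal.Log (a stray import)
            // instead of this class's logger; a store failure is still reported as invalid state.
            LOG.error("Failed to look up state: {}", e.getMessage(), e);
            throw new HttpException(ErrorResponseCode.BAD_REQUEST_STATE_NOT_VALID);
        }
        if (!statePresent) {
            // The state value itself is deliberately not logged.
            LOG.error("State is not present in the state store (unknown, expired or already consumed); rejecting request");
            throw new HttpException(ErrorResponseCode.BAD_REQUEST_STATE_NOT_VALID);
        }
    }
}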
