package io.jans.ca.server.service;

import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import io.jans.as.client.AuthorizationRequest;
import io.jans.as.client.AuthorizationResponse;
import io.jans.as.client.AuthorizeClient;
import io.jans.as.client.OpenIdConfigurationResponse;
import io.jans.as.client.TokenClient;
import io.jans.as.client.TokenRequest;
import io.jans.as.client.TokenResponse;
import io.jans.as.model.common.AuthenticationMethod;
import io.jans.as.model.common.GrantType;
import io.jans.as.model.common.Prompt;
import io.jans.as.model.common.ResponseType;
import io.jans.as.model.uma.UmaMetadata;
import io.jans.as.model.uma.UmaScopeType;
import io.jans.as.model.uma.UmaTokenResponse;
import io.jans.as.model.util.Util;
import io.jans.ca.common.CoreUtils;
import io.jans.ca.common.ErrorResponseCode;
import io.jans.ca.common.Jackson2;
import io.jans.ca.common.introspection.CorrectRptIntrospectionResponse;
import io.jans.ca.common.params.RpGetRptParams;
import io.jans.ca.common.response.RpGetRptResponse;
import io.jans.ca.server.HttpException;
import io.jans.ca.server.Utils;
import io.jans.ca.server.configuration.ApiAppConfiguration;
import io.jans.ca.server.configuration.model.Rp;
import io.jans.ca.server.model.Pat;
import io.jans.ca.server.model.Token;
import io.jans.ca.server.model.TokenFactory;
import io.jans.ca.server.op.OpClientFactoryImpl;
import io.jans.ca.server.op.RpGetRptOperation;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.ws.rs.client.Entity;
import jakarta.ws.rs.client.Invocation;
import jakarta.ws.rs.core.Form;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

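/**
 * Obtains UMA and OAuth tokens on behalf of a registered RP and caches them on its {@link Rp}
 * record: the RPT (requesting party token) in {@link #getRpt}, the PAT (protection API token)
 * in {@link #getPat}, and a plain OAuth access token in {@link #getOAuthToken}.
 *
 * <p>A cached token is reused while {@link CoreUtils#isExpired} does not report it expired;
 * otherwise a fresh one is requested from the AS and written back via
 * {@link RpService#updateSilently}. Token values are bearer credentials and are kept out of log
 * output and exception messages; only the rp id or client id is logged for correlation.
 */
@ApplicationScoped
public class UmaTokenService {
    private static final Logger LOG = LoggerFactory.getLogger(UmaTokenService.class);

    @Inject
    RpService rpService;

    @Inject
    RpSyncService rpSyncService;

    @Inject
    ValidationService validationService;

    @Inject
    DiscoveryService discoveryService;

    @Inject
    HttpService httpService;

    @Inject
    ApiAppConfiguration configuration;

    @Inject
    StateService stateService;

    @Inject
    private OpClientFactoryImpl opClientFactory;

    @Inject
    IntrospectionService introspectionService;

    /**
     * Returns an RPT for the given request, serving the RPT cached on the {@link Rp} when it is
     * present and not yet expired, and otherwise exchanging the ticket at the UMA token endpoint.
     *
     * <p>A freshly issued RPT is introspected and only accepted (and cached) when the AS reports it
     * active; its created/expires timestamps are taken from the introspection response.
     *
     * @param rpGetRptParams rp id, ticket and the optional claim_token / pct / rpt / scope /
     *                       extra form parameters forwarded to the AS
     * @return the RPT with its token type, pct and "upgraded" flag
     * @throws HttpException with the code chosen by {@link RpGetRptOperation#handleRptError} when
     *                       the AS answered with an error body, or {@code FAILED_TO_GET_RPT} for any
     *                       other failure (transport error, inactive token, unreadable response)
     * @throws Exception     propagated from the rp/discovery lookups
     */
    public RpGetRptResponse getRpt(RpGetRptParams rpGetRptParams) throws Exception {
        final String rpId = rpGetRptParams.getRpId();
        final Rp rp = this.rpSyncService.getRp(rpId);
        final UmaMetadata umaMetadata = this.discoveryService.getUmaDiscoveryByRpId(rpId);

        if (!Strings.isNullOrEmpty(rp.getRpt()) && rp.getRptExpiresAt() != null && !CoreUtils.isExpired(rp.getRptExpiresAt())) {
            LOG.debug("Using cached RPT for rp: {}", rpId);
            return rptResponseFrom(rp);
        }

        Invocation.Builder request = this.opClientFactory.createClientRequest(umaMetadata.getTokenEndpoint(), this.httpService.getClientEngine());
        request.header("Authorization", "Basic " + Utils.encodeCredentials(rp.getClientId(), rp.getClientSecret()));
        Form form = buildRptForm(rpGetRptParams);

        // Response is AutoCloseable; status is read before the entity so it is available after the
        // stream has been consumed.
        try (Response response = request.buildPost(Entity.form(form)).invoke()) {
            int status = response.getStatus();
            String entity = response.readEntity(String.class);
            UmaTokenResponse tokenResponse = asTokenResponse(entity);

            if (tokenResponse == null || StringUtils.isBlank(tokenResponse.getAccessToken())) {
                // Maps the AS error body to a specific error code; falls through only if it returns.
                RpGetRptOperation.handleRptError(status, entity);
                LOG.error("Failed to get RPT for rp: {}", rpId);
                throw new HttpException(ErrorResponseCode.FAILED_TO_GET_RPT);
            }

            CorrectRptIntrospectionResponse introspection = this.introspectionService.introspectRpt(rpId, tokenResponse.getAccessToken());
            LOG.debug("RPT introspection status for rp {}: {}", rpId, introspection);
            if (!introspection.getActive()) {
                LOG.error("Failed to get RPT for rp: {}", rpId);
                throw new HttpException(ErrorResponseCode.FAILED_TO_GET_RPT);
            }

            LOG.debug("RPT is successfully obtained from AS for rp: {}", rpId);
            rp.setRpt(tokenResponse.getAccessToken());
            rp.setRptTokenType(tokenResponse.getTokenType());
            rp.setRptPct(tokenResponse.getPct());
            rp.setRptUpgraded(tokenResponse.getUpgraded());
            // Introspection reports epoch seconds; the conversion is done in long arithmetic because
            // seconds * 1000 overflows an int for any current timestamp.
            rp.setRptCreatedAt(epochSecondsToDate(introspection.getIssuedAt()));
            rp.setRptExpiresAt(epochSecondsToDate(introspection.getExpiresAt()));
            this.rpService.updateSilently(rp);
            return rptResponseFrom(rp);
        } catch (HttpException e) {
            // Keep the specific error code (e.g. from handleRptError) instead of flattening it.
            throw e;
        } catch (Exception e) {
            LOG.error("Failed to obtain RPT for rp: {}", rpId, e);
            throw new HttpException(ErrorResponseCode.FAILED_TO_GET_RPT);
        }
    }

    /** Builds the response object from the RPT fields cached on the rp. */
    private static RpGetRptResponse rptResponseFrom(Rp rp) {
        RpGetRptResponse response = new RpGetRptResponse();
        response.setRpt(rp.getRpt());
        response.setTokenType(rp.getRptTokenType());
        response.setPct(rp.getRptPct());
        response.setUpdated(rp.getRptUpgraded());
        return response;
    }

    /**
     * Builds the form body for the UMA ticket grant: grant_type and ticket are always sent, the
     * optional fields only when set, and any caller-supplied extra parameters last.
     */
    private static Form buildRptForm(RpGetRptParams params) {
        Form form = new Form();
        form.param("grant_type", GrantType.OXAUTH_UMA_TICKET.getValue());
        form.param("ticket", params.getTicket());
        addIfPresent(form, "claim_token", params.getClaimToken());
        addIfPresent(form, "claim_token_format", params.getClaimTokenFormat());
        addIfPresent(form, "pct", params.getPct());
        addIfPresent(form, "rpt", params.getRpt());
        if (params.getScope() != null) {
            form.param("scope", Utils.joinAndUrlEncode(params.getScope()));
        }
        if (params.getParams() != null && !params.getParams().isEmpty()) {
            for (Map.Entry<?, ?> entry : params.getParams().entrySet()) {
                form.param((String) entry.getKey(), (String) entry.getValue());
            }
        }
        return form;
    }

    /** Adds {@code name=value} to the form only when {@code value} is non-null. */
    private static void addIfPresent(Form form, String name, String value) {
        if (value != null) {
            form.param(name, value);
        }
    }

    /**
     * Converts an epoch-seconds value (as returned by RPT introspection) to a {@link Date}.
     * The multiplication is done in long to avoid int overflow.
     */
    private static Date epochSecondsToDate(Number epochSeconds) {
        return new Date(epochSeconds.longValue() * 1000L);
    }

    /**
     * Parses the token endpoint body as {@link UmaTokenResponse}.
     *
     * @return the parsed response, or {@code null} when the body is not valid JSON for that type
     */
    private static UmaTokenResponse asTokenResponse(String json) {
        try {
            return Jackson2.createJsonMapper().readValue(json, UmaTokenResponse.class);
        } catch (IOException e) {
            return null;
        }
    }

    /**
     * Returns the PAT for the rp, reusing the cached one while it is valid and otherwise
     * requesting a new one via {@link #obtainPat}.
     *
     * @param rpId the rp id; must not be blank
     * @return the PAT; a cached PAT is returned with an empty second constructor argument, as the
     *         cache does not carry that value
     */
    public Pat getPat(String rpId) {
        this.validationService.notBlankRpId(rpId);
        Rp rp = this.rpSyncService.getRp(rpId);
        if (isCachedTokenValid(rp.getPat(), rp.getPatCreatedAt(), rp.getPatExpiresIn())) {
            LOG.debug("Using cached PAT for rp: {}", rpId);
            return new Pat(rp.getPat(), "", rp.getPatExpiresIn().intValue());
        }
        return obtainPat(rpId);
    }

    /**
     * Requests a new PAT (scope {@link UmaScopeType#PROTECTION}) from the AS and stores it,
     * its creation time, lifetime and refresh token on the rp.
     *
     * @param rpId the rp id
     * @return the new PAT
     */
    public Pat obtainPat(String rpId) {
        Rp rp = this.rpSyncService.getRp(rpId);
        Token token = obtainToken(rpId, UmaScopeType.PROTECTION, rp);
        rp.setPat(token.getToken());
        rp.setPatCreatedAt(new Date());
        rp.setPatExpiresIn(Integer.valueOf(token.getExpiresIn()));
        rp.setPatRefreshToken(token.getRefreshToken());
        this.rpService.updateSilently(rp);
        // TokenFactory.newToken(PROTECTION) is expected to produce a Pat — the cast relies on that.
        return (Pat) token;
    }

    /**
     * Returns a plain OAuth access token for the rp, reusing the cached one while it is valid and
     * otherwise requesting a new one via {@link #obtainOauthToken}.
     *
     * @param rpId the rp id; must not be blank
     * @return the access token
     */
    public Token getOAuthToken(String rpId) {
        this.validationService.notBlankRpId(rpId);
        Rp rp = this.rpSyncService.getRp(rpId);
        if (isCachedTokenValid(rp.getOauthToken(), rp.getOauthTokenCreatedAt(), rp.getOauthTokenExpiresIn())) {
            LOG.debug("Using cached OAuth token for rp: {}", rpId);
            return new Token(rp.getOauthToken(), "", rp.getOauthTokenExpiresIn().intValue());
        }
        return obtainOauthToken(rpId);
    }

    /**
     * Requests a new OAuth access token (no UMA scope) from the AS and stores it, its creation
     * time, lifetime and refresh token on the rp.
     *
     * @param rpId the rp id
     * @return the new token
     */
    public Token obtainOauthToken(String rpId) {
        Rp rp = this.rpSyncService.getRp(rpId);
        Token token = obtainToken(rpId, null, rp);
        rp.setOauthToken(token.getToken());
        rp.setOauthTokenCreatedAt(new Date());
        rp.setOauthTokenExpiresIn(Integer.valueOf(token.getExpiresIn()));
        rp.setOauthTokenRefreshToken(token.getRefreshToken());
        this.rpService.updateSilently(rp);
        return token;
    }

    /**
     * True when a cached token value is present and {@code createdAt + expiresIn} is not yet
     * expired according to {@link CoreUtils#isExpired}. A missing or non-positive lifetime
     * counts as invalid.
     *
     * @param expiresInSeconds lifetime in seconds, as stored on the rp
     */
    private static boolean isCachedTokenValid(String token, Date createdAt, Number expiresInSeconds) {
        if (token == null || createdAt == null || expiresInSeconds == null || expiresInSeconds.longValue() <= 0) {
            return false;
        }
        Date expiresAt = new Date(createdAt.getTime() + expiresInSeconds.longValue() * 1000L);
        return !CoreUtils.isExpired(expiresAt);
    }

    /**
     * Obtains a token from the AS, choosing client-credentials or resource-owner authentication
     * via {@link #useClientAuthentication}.
     *
     * @param rpId         the rp id, used for the OpenID discovery lookup
     * @param umaScopeType the UMA scope to request, or {@code null} for a plain OAuth token
     * @param rp           the rp whose client / user credentials are used
     */
    private Token obtainToken(String rpId, UmaScopeType umaScopeType, Rp rp) {
        OpenIdConfigurationResponse discovery = this.discoveryService.getConnectDiscoveryResponseByRpId(rpId);
        if (useClientAuthentication(umaScopeType)) {
            Token token = obtainTokenWithClientCredentials(discovery, rp, umaScopeType);
            LOG.trace("Obtained token with client authentication for client: {}", rp.getClientId());
            return token;
        }
        Token token = obtainTokenWithUserCredentials(discovery, rp, umaScopeType);
        LOG.trace("Obtained token with user credentials for client: {}", rp.getClientId());
        return token;
    }

    /**
     * Decides how a token is obtained: the PAT uses client authentication only when
     * {@code useClientAuthenticationForPat} is configured true; every other token always does.
     *
     * @param umaScopeType the scope being requested, or {@code null} for a plain OAuth token
     */
    public boolean useClientAuthentication(UmaScopeType umaScopeType) {
        if (umaScopeType == UmaScopeType.PROTECTION) {
            return Boolean.TRUE.equals(this.configuration.getUseClientAuthenticationForPat());
        }
        return true;
    }

    /**
     * Runs the client-credentials grant and verifies that, when a UMA scope was requested, the AS
     * actually granted it (a token without {@code uma_protection} would fail later at the UMA
     * endpoints with a less clear error).
     *
     * @throws RuntimeException when there is no response, the access token is blank, or the
     *                          requested scope is missing from the granted scopes
     */
    private Token obtainTokenWithClientCredentials(OpenIdConfigurationResponse discovery, Rp rp, UmaScopeType umaScopeType) {
        TokenClient tokenClient = this.opClientFactory.createTokenClientWithUmaProtectionScope(discovery.getTokenEndpoint());
        tokenClient.setExecutor(this.httpService.getClientEngine());
        TokenResponse response = tokenClient.execClientCredentialsGrant(scopesAsString(umaScopeType), rp.getClientId(), rp.getClientSecret());

        if (response == null) {
            LOG.error("No response from TokenClient");
            throw new RuntimeException("Failed to obtain PAT.");
        }
        if (StringUtils.isBlank(response.getAccessToken())) {
            LOG.error("Token is blank in response, client: {}", rp.getClientId());
            throw new RuntimeException("Failed to obtain PAT.");
        }
        // Compare whole scope values rather than a substring, and tolerate a missing scope field.
        if (umaScopeType != null && !grantedScopes(response.getScope()).contains(umaScopeType.getValue())) {
            String message = "rp requested scope " + umaScopeType + " but AS returned access_token without that scope, token scopes :" + response.getScope();
            LOG.error(message);
            LOG.error("Please check AS(oxauth) configuration and make sure UMA scope (uma_protection) is enabled.");
            throw new RuntimeException(message);
        }
        return toToken(response, umaScopeType);
    }

    /** Splits a space-delimited OAuth scope string into values; null or blank yields an empty list. */
    private static List<String> grantedScopes(String scope) {
        if (StringUtils.isBlank(scope)) {
            return new ArrayList<>();
        }
        return Lists.newArrayList(scope.trim().split("\\s+"));
    }

    /** Wraps a successful token response into the {@link Token} subtype chosen by {@link TokenFactory#newToken}. */
    private static Token toToken(TokenResponse response, UmaScopeType umaScopeType) {
        Token token = TokenFactory.newToken(umaScopeType);
        token.setToken(response.getAccessToken());
        token.setRefreshToken(response.getRefreshToken());
        token.setExpiresIn(response.getExpiresIn().intValue());
        return token;
    }

    /**
     * Scopes to request: the UMA scope when given, always followed by {@code openid}.
     * Returned as a mutable list because it is handed to {@link AuthorizationRequest}.
     */
    private List<String> scopes(UmaScopeType umaScopeType) {
        List<String> result = new ArrayList<>();
        if (umaScopeType != null) {
            result.add(umaScopeType.getValue());
        }
        result.add("openid");
        return result;
    }

    /** {@link #scopes} joined with single spaces, the OAuth scope parameter format. */
    private String scopesAsString(UmaScopeType umaScopeType) {
        return String.join(" ", scopes(umaScopeType));
    }

    /**
     * Obtains a token with the rp's resource-owner credentials: an authorization request with
     * {@code prompt=none} and the stored user id / secret, followed by the authorization-code
     * grant authenticated with the client credentials.
     *
     * @throws HttpException    {@code INVALID_STATE} when the state echoed by the AS does not match
     *                          the one generated for this request
     * @throws RuntimeException when no authorization code or no access token is returned
     */
    private Token obtainTokenWithUserCredentials(OpenIdConfigurationResponse discovery, Rp rp, UmaScopeType umaScopeType) {
        List<ResponseType> responseTypes = Lists.newArrayList(ResponseType.CODE, ResponseType.ID_TOKEN);
        String state = this.stateService.generateState();

        // The fifth constructor argument is intentionally null; the cast keeps overload resolution unchanged.
        AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, rp.getClientId(), scopes(umaScopeType), rp.getRedirectUri(), (String) null);
        authorizationRequest.setState(state);
        authorizationRequest.setAuthUsername(rp.getUserId());
        authorizationRequest.setAuthPassword(rp.getUserSecret());
        authorizationRequest.getPrompts().add(Prompt.NONE);

        AuthorizeClient authorizeClient = new AuthorizeClient(discovery.getAuthorizationEndpoint());
        authorizeClient.setExecutor(this.httpService.getClientEngine());
        authorizeClient.setRequest(authorizationRequest);
        AuthorizationResponse authorizationResponse = authorizeClient.exec();

        // The echoed state must match the one generated above before the code is used.
        if (!state.equals(authorizationResponse.getState())) {
            throw new HttpException(ErrorResponseCode.INVALID_STATE);
        }

        String code = authorizationResponse.getCode();
        if (StringUtils.isBlank(code)) {
            LOG.debug("Authorization code is blank.");
            throw new RuntimeException("Failed to obtain Token, scopeType: " + umaScopeType + ", client: " + rp.getClientId());
        }

        TokenRequest tokenRequest = new TokenRequest(GrantType.AUTHORIZATION_CODE);
        tokenRequest.setCode(code);
        tokenRequest.setRedirectUri(rp.getRedirectUri());
        tokenRequest.setAuthUsername(rp.getClientId());
        tokenRequest.setAuthPassword(rp.getClientSecret());
        tokenRequest.setAuthenticationMethod(AuthenticationMethod.CLIENT_SECRET_BASIC);
        tokenRequest.setScope(authorizationResponse.getScope());

        TokenClient tokenClient = new TokenClient(discovery.getTokenEndpoint());
        tokenClient.setRequest(tokenRequest);
        tokenClient.setExecutor(this.httpService.getClientEngine());
        TokenResponse tokenResponse = tokenClient.exec();

        if (tokenResponse.getStatus() != 200 || StringUtils.isBlank(tokenResponse.getAccessToken())) {
            LOG.error("Status: " + tokenResponse.getStatus() + ", Entity: " + tokenResponse.getEntity());
            throw new RuntimeException("Failed to obtain Token, scopeType: " + umaScopeType + ", client: " + rp.getClientId());
        }
        return toToken(tokenResponse, umaScopeType);
    }

    /** @return the injected {@link HttpService} */
    public HttpService getHttpService() {
        return this.httpService;
    }

    /** @return the injected {@link OpClientFactoryImpl} */
    public OpClientFactoryImpl getOpClientFactory() {
        return this.opClientFactory;
    }

    /** @return the injected {@link IntrospectionService} */
    public IntrospectionService getIntrospectionService() {
        return this.introspectionService;
    }

    /** @return the injected {@link RpService} */
    public RpService getRpService() {
        return this.rpService;
    }

    /** @return the injected {@link DiscoveryService} */
    public DiscoveryService getDiscoveryService() {
        return this.discoveryService;
    }

    /** @return the injected {@link StateService} */
    public StateService getStateService() {
        return this.stateService;
    }
}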
