package org.apereo.cas.support.oauth.web.endpoints;

import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20ConfigurationContext;
import org.apereo.cas.support.oauth.web.response.introspection.BaseOAuth20IntrospectionAccessTokenResponse;
import org.apereo.cas.support.oauth.web.response.introspection.OAuth20IntrospectionAccessTokenFailureResponse;
import org.apereo.cas.support.oauth.web.response.introspection.OAuth20IntrospectionAccessTokenSuccessResponse;
import org.apereo.cas.ticket.InvalidTicketException;
import org.apereo.cas.ticket.OAuth20Token;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.HttpRequestUtils;
import org.apereo.cas.util.LoggingUtils;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.credentials.extractor.BasicAuthExtractor;
import org.pac4j.jee.context.JEEContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;

/* loaded from: input_file:org/apereo/cas/support/oauth/web/endpoints/OAuth20IntrospectionEndpointController.class */
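/**
 * Token introspection endpoint ({@code /oauth2.0/introspect}).
 *
 * <p>The calling client authenticates with HTTP Basic credentials (client id / client secret),
 * the request must carry the token under {@code token} or {@code access_token}, and the
 * response body reports whether the referenced access token is active, together with a
 * subset of its claims. A token that cannot be found in the ticket registry is reported
 * as inactive rather than as an error.
 *
 * @param <T> the OAuth configuration context type
 */
public class OAuth20IntrospectionEndpointController<T extends OAuth20ConfigurationContext> extends BaseOAuth20Controller<T> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20IntrospectionEndpointController.class);

    /**
     * Creates the controller.
     *
     * @param t the OAuth configuration context shared with the base controller
     */
    public OAuth20IntrospectionEndpointController(T t) {
        super(t);
    }

    /**
     * Builds a {@code 401 Unauthorized} failure response carrying the given OAuth error code.
     *
     * @param error     the error code placed in the failure body
     * @param challenge whether to add a {@code WWW-Authenticate: Basic} challenge header
     * @return the 401 response entity
     */
    private static ResponseEntity<OAuth20IntrospectionAccessTokenFailureResponse> buildUnauthorizedResponseEntity(final String error, final boolean challenge) {
        final var body = new OAuth20IntrospectionAccessTokenFailureResponse();
        body.setError(error);
        final var headers = new LinkedMultiValueMap<String, String>();
        if (challenge) {
            // Only client-authentication failures advertise the Basic scheme; an
            // authorized-but-denied client (see validateIntrospectionRequest) does not.
            headers.add("WWW-Authenticate", "Basic");
        }
        return new ResponseEntity<>(body, headers, HttpStatus.UNAUTHORIZED);
    }

    /**
     * Builds a {@code 400 Bad Request} failure response carrying the given OAuth error code.
     *
     * @param error the error code placed in the failure body
     * @return the 400 response entity
     */
    private static ResponseEntity<OAuth20IntrospectionAccessTokenFailureResponse> buildBadRequestResponseEntity(final String error) {
        final var body = new OAuth20IntrospectionAccessTokenFailureResponse();
        body.setError(error);
        return new ResponseEntity<>(body, HttpStatus.BAD_REQUEST);
    }

    /**
     * Handles {@code GET} introspection requests by delegating to {@link #handlePostRequest}.
     *
     * <p>NOTE(review): with GET the token travels in the query string, where it is far more
     * likely to land in access logs, proxies and browser history than in a POST body.
     * Confirm that GET support is required by a consumer before keeping this mapping.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response
     * @return the introspection result
     */
    @GetMapping({"/oauth2.0/introspect"})
    public ResponseEntity<? extends BaseOAuth20IntrospectionAccessTokenResponse> handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return handlePostRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Handles {@code POST} introspection requests.
     *
     * <p>Processing order: extract Basic credentials ({@code 400 invalid_request} if extraction
     * throws, {@code 401 invalid_client} if absent); resolve the registered service by client id
     * ({@code 401 invalid_client} if unknown); validate the request via
     * {@link #validateIntrospectionRequest}; then look the token up in the ticket registry and
     * build the success body, which reports {@code active=false} when the token is not found.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response
     * @return the introspection result, never {@code null}
     */
    @PostMapping({"/oauth2.0/introspect"})
    public ResponseEntity<? extends BaseOAuth20IntrospectionAccessTokenResponse> handlePostRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final Optional<UsernamePasswordCredentials> credentials;
        try {
            credentials = new BasicAuthExtractor()
                .extract(new JEEContext(httpServletRequest, httpServletResponse), getConfigurationContext().getSessionStore())
                .map(UsernamePasswordCredentials.class::cast);
        } catch (final Exception e) {
            // Extraction failures are reported as a malformed request; the failure must
            // return here, otherwise the credentials variable is read unassigned below.
            LoggingUtils.error(LOGGER, e);
            return buildBadRequestResponseEntity("invalid_request");
        }
        if (credentials.isEmpty()) {
            LOGGER.warn("Unable to locate and extract credentials from the request");
            return buildUnauthorizedResponseEntity("invalid_client", true);
        }
        final var clientCredentials = credentials.get();
        final var clientId = clientCredentials.getUsername();
        final OAuthRegisteredService registeredService =
            OAuth20Utils.getRegisteredOAuthServiceByClientId(getConfigurationContext().getServicesManager(), clientId);
        if (registeredService == null) {
            LOGGER.warn("Unable to locate service definition by client id [{}]", clientId);
            return buildUnauthorizedResponseEntity("invalid_client", true);
        }
        final var rejection = validateIntrospectionRequest(registeredService, clientCredentials, httpServletRequest);
        if (rejection.isPresent()) {
            return rejection.get();
        }
        // "token" wins over "access_token" when both are present.
        final String accessTokenId = StringUtils.defaultIfBlank(httpServletRequest.getParameter("token"), httpServletRequest.getParameter("access_token"));
        // NOTE(review): this writes the raw token value to the debug log; consider masking it
        // before debug logging is enabled outside development.
        LOGGER.debug("Located access token [{}] in the request", accessTokenId);
        OAuth20Token accessToken = null;
        try {
            accessToken = (OAuth20Token) getConfigurationContext().getTicketRegistry().getTicket(extractAccessTokenFrom(accessTokenId), OAuth20Token.class);
        } catch (final InvalidTicketException e) {
            // Not an error for the caller: an unknown or expired token is reported as inactive.
            LOGGER.trace(e.getMessage(), e);
            LOGGER.info("Unable to fetch access token [{}]: [{}]", accessTokenId, e.getMessage());
        }
        // NOTE(review): the token's client id is never compared with the authenticated client,
        // so any client holding a valid secret can introspect any token; confirm that
        // cross-client introspection is the intended policy here.
        final var response = createIntrospectionValidResponse(accessTokenId, accessToken);
        response.setToken(accessTokenId);
        return new ResponseEntity<>(response, HttpStatus.OK);
    }

    /**
     * Builds the success body for the given token.
     *
     * <p>When the token is {@code null} the body only carries {@code active=false}. Otherwise it
     * carries {@code active=true}, the client id, the token's service id as audience, the
     * principal id as both {@code sub} and unique security name, {@code iat} (creation time,
     * epoch seconds) and {@code exp} ({@code iat} plus the policy's time-to-live), the
     * comma-joined {@code authenticationMethod} attribute as realm name, a token type of
     * {@code DPoP} when the authentication carries a {@code DPoPConfirmation} attribute and
     * {@code Bearer} otherwise, and the lower-cased first {@code grant_type} attribute if any.
     *
     * <p>The reported {@code scope} is the fixed literal {@code CAS} regardless of the scopes
     * actually granted to the token.
     *
     * @param str          the token id as received in the request
     * @param oAuth20Token the resolved token, or {@code null} when it could not be found
     * @return the populated success body
     */
    protected OAuth20IntrospectionAccessTokenSuccessResponse createIntrospectionValidResponse(String str, OAuth20Token oAuth20Token) {
        final var response = new OAuth20IntrospectionAccessTokenSuccessResponse();
        response.setScope("CAS");
        if (oAuth20Token == null) {
            response.setActive(false);
            return response;
        }
        response.setClientId(oAuth20Token.getClientId());
        response.setAud(oAuth20Token.getService().getId());
        response.setActive(true);

        final Authentication authentication = oAuth20Token.getAuthentication();
        final var principalId = authentication.getPrincipal().getId();
        response.setSub(principalId);
        response.setUniqueSecurityName(principalId);

        final long issuedAt = oAuth20Token.getCreationTime().toInstant().getEpochSecond();
        response.setIat(issuedAt);
        response.setExp(issuedAt + oAuth20Token.getExpirationPolicy().getTimeToLive().longValue());

        // NOTE(review): relies on CollectionUtils.toCollection tolerating a missing
        // "authenticationMethod" attribute (null) — confirm against its implementation.
        final var authenticationMethods = (List<?>) authentication.getAttributes().get("authenticationMethod");
        response.setRealmName(CollectionUtils.toCollection(authenticationMethods).stream()
            .map(Object::toString)
            .collect(Collectors.joining(",")));

        response.setTokenType(authentication.containsAttribute("DPoPConfirmation") ? "DPoP" : "Bearer");

        final List<?> grantTypes = (List<?>) authentication.getAttributes().getOrDefault("grant_type", new ArrayList<>(0));
        if (!grantTypes.isEmpty()) {
            response.setGrantType(grantTypes.get(0).toString().toLowerCase());
        }
        return response;
    }

    /**
     * Validates the introspection request and returns the failure response to send, if any.
     *
     * <p>Checks, in order: a {@code token} or {@code access_token} parameter must be present
     * ({@code 400 missing_accessToken}); the presented client secret must match the registered
     * service ({@code 401 invalid_client} with a Basic challenge); and the service access
     * strategy must allow the service ({@code 401 unauthorized_client} without a challenge).
     *
     * @param registeredService  the registered service resolved from the client id
     * @param clientCredentials  the Basic credentials presented by the client
     * @param httpServletRequest the request
     * @return the failure response, or empty when the request may proceed
     */
    private Optional<ResponseEntity<? extends BaseOAuth20IntrospectionAccessTokenResponse>> validateIntrospectionRequest(final OAuthRegisteredService registeredService, final UsernamePasswordCredentials clientCredentials, final HttpServletRequest httpServletRequest) {
        final boolean tokenPresent = HttpRequestUtils.doesParameterExist(httpServletRequest, "token")
            || HttpRequestUtils.doesParameterExist(httpServletRequest, "access_token");
        if (!tokenPresent) {
            LOGGER.warn("Access token cannot be found in the request");
            return Optional.of(buildBadRequestResponseEntity("missing_accessToken"));
        }
        if (!getConfigurationContext().getClientSecretValidator().validate(registeredService, clientCredentials.getPassword())) {
            LOGGER.warn("Unable to match client secret for registered service [{}] with client id [{}]", registeredService.getName(), registeredService.getClientId());
            return Optional.of(buildUnauthorizedResponseEntity("invalid_client", true));
        }
        final var auditContext = AuditableContext.builder()
            .service(getConfigurationContext().getWebApplicationServiceServiceFactory().createService(registeredService.getServiceId()))
            .registeredService(registeredService)
            .build();
        final var accessResult = getConfigurationContext().getRegisteredServiceAccessStrategyEnforcer().execute(auditContext);
        if (accessResult.isExecutionFailure()) {
            // The client authenticated correctly but the service is not allowed to proceed.
            return Optional.of(buildUnauthorizedResponseEntity("unauthorized_client", false));
        }
        return Optional.empty();
    }
}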
