package org.apereo.cas.support.oauth.web.endpoints;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20ConfigurationContext;
import org.apereo.cas.support.oauth.web.response.introspection.BaseOAuth20IntrospectionAccessTokenResponse;
import org.apereo.cas.support.oauth.web.response.introspection.OAuth20IntrospectionAccessTokenFailureResponse;
import org.apereo.cas.support.oauth.web.response.introspection.OAuth20IntrospectionAccessTokenResponse;
import org.apereo.cas.ticket.InvalidTicketException;
import org.apereo.cas.ticket.OAuth20Token;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.http.HttpRequestUtils;
import org.pac4j.core.context.CallContext;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.credentials.extractor.BasicAuthExtractor;
import org.pac4j.jee.context.JEEContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;

/* loaded from: input_file:org/apereo/cas/support/oauth/web/endpoints/OAuth20IntrospectionEndpointController.class */
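/**
 * OAuth 2.0 token introspection endpoint ({@code /oauth2.0/introspect}).
 * <p>
 * The calling client authenticates with HTTP Basic credentials (client id as the
 * username, client secret as the password). The token to introspect is read from the
 * {@code token} request parameter, falling back to {@code access_token}. Client
 * authentication failures are answered with {@code 401}; malformed requests and any
 * unexpected processing error are answered with {@code 400 invalid_request}.
 *
 * @param <T> the OAuth configuration context type
 */
public class OAuth20IntrospectionEndpointController<T extends OAuth20ConfigurationContext> extends BaseOAuth20Controller<T> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20IntrospectionEndpointController.class);

    /** Request parameter carrying the token to introspect. */
    private static final String PARAMETER_TOKEN = "token";

    /** Alternate request parameter carrying the token to introspect. */
    private static final String PARAMETER_ACCESS_TOKEN = "access_token";

    public OAuth20IntrospectionEndpointController(final T context) {
        super(context);
    }

    /**
     * Build a {@code 401 Unauthorized} failure response.
     *
     * @param error     the OAuth error code placed in the response body
     * @param challenge whether to include a {@code WWW-Authenticate: Basic} challenge header
     * @return the response entity
     */
    private static ResponseEntity<OAuth20IntrospectionAccessTokenFailureResponse> buildUnauthorizedResponseEntity(final String error, final boolean challenge) {
        final OAuth20IntrospectionAccessTokenFailureResponse body = new OAuth20IntrospectionAccessTokenFailureResponse();
        body.setError(error);
        final LinkedMultiValueMap<String, String> headers = new LinkedMultiValueMap<>();
        if (challenge) {
            headers.add("WWW-Authenticate", "Basic");
        }
        return new ResponseEntity<>(body, headers, HttpStatus.UNAUTHORIZED);
    }

    /**
     * Build a {@code 400 Bad Request} failure response.
     *
     * @param error the OAuth error code placed in the response body
     * @return the response entity
     */
    private static ResponseEntity<OAuth20IntrospectionAccessTokenFailureResponse> buildBadRequestResponseEntity(final String error) {
        final OAuth20IntrospectionAccessTokenFailureResponse body = new OAuth20IntrospectionAccessTokenFailureResponse();
        body.setError(error);
        return new ResponseEntity<>(body, HttpStatus.BAD_REQUEST);
    }

    /**
     * Handle a GET introspection request; delegates to {@link #handlePostRequest}.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response
     * @return the introspection response entity
     * @throws Throwable the throwable
     */
    @GetMapping(value = {"/oauth2.0/introspect"}, produces = {"application/json"})
    public ResponseEntity<? extends BaseOAuth20IntrospectionAccessTokenResponse> handleRequest(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse) throws Throwable {
        return handlePostRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Handle a POST introspection request.
     * <p>
     * Steps: extract Basic credentials, resolve the registered service by client id,
     * validate the request (token present, client secret matches, access strategy allows),
     * fetch the token from the ticket registry and render it through the first configured
     * response generator that supports it.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response
     * @return the introspection response entity, or a failure response
     * @throws Throwable the throwable
     */
    @PostMapping(value = {"/oauth2.0/introspect"}, produces = {"application/json"})
    public ResponseEntity<? extends BaseOAuth20IntrospectionAccessTokenResponse> handlePostRequest(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse) throws Throwable {
        try {
            final JEEContext context = new JEEContext(httpServletRequest, httpServletResponse);
            final Optional<Credentials> credentials = extractCredentials(context);
            if (credentials.isEmpty()) {
                LOGGER.warn("Unable to locate and extract credentials from the request");
                return buildUnauthorizedResponseEntity("invalid_client", true);
            }
            // Basic authentication yields username/password credentials; any other credential
            // type is a programming error and surfaces through the catch below as a 400.
            final UsernamePasswordCredentials clientCredentials = (UsernamePasswordCredentials) credentials.get();
            final OAuthRegisteredService registeredService = OAuth20Utils.getRegisteredOAuthServiceByClientId(
                getConfigurationContext().getServicesManager(), clientCredentials.getUsername());
            if (registeredService == null) {
                LOGGER.warn("Unable to locate service definition by client id [{}]", clientCredentials.getUsername());
                return buildUnauthorizedResponseEntity("invalid_client", true);
            }
            final Optional<ResponseEntity<? extends BaseOAuth20IntrospectionAccessTokenResponse>> failure =
                validateIntrospectionRequest(registeredService, clientCredentials, httpServletRequest);
            if (failure.isPresent()) {
                return failure.get();
            }
            final String token = StringUtils.defaultIfBlank(
                httpServletRequest.getParameter(PARAMETER_TOKEN), httpServletRequest.getParameter(PARAMETER_ACCESS_TOKEN));
            // NOTE(review): the raw token value is written to the DEBUG log and to the protocol-message
            // logger below. Both should stay disabled outside of troubleshooting so bearer tokens do not
            // end up in log storage.
            LOGGER.debug("Located access token [{}] in the request", token);
            LoggingUtils.protocolMessage("OpenID Connect Introspection Request", CollectionUtils.wrap("Token", token, "Client ID", registeredService.getClientId(), "Service", registeredService.getName()));
            final OAuth20Token accessToken = fetchAccessTokenFromRegistry(token);
            return buildIntrospectionEntityResponse(context, generateIntrospectionResponse(token, accessToken));
        } catch (final Exception e) {
            // Any unexpected failure (including no generator supporting the token) is reported
            // as a generic invalid_request so that internals are not exposed to the client.
            LoggingUtils.error(LOGGER, e);
            return buildBadRequestResponseEntity("invalid_request");
        }
    }

    /**
     * Run the first configured introspection response generator that supports the resolved token.
     *
     * @param token       the token value as received in the request
     * @param accessToken the token resolved from the registry, or {@code null} when it could not be fetched
     * @return the generated introspection response
     * @throws java.util.NoSuchElementException if no configured generator supports the token
     */
    private OAuth20IntrospectionAccessTokenResponse generateIntrospectionResponse(final String token, final OAuth20Token accessToken) {
        return getConfigurationContext().getIntrospectionResponseGenerator()
            .stream()
            .filter(generator -> generator.supports(accessToken))
            .findFirst()
            .orElseThrow()
            .generate(token, accessToken);
    }

    /**
     * Fetch the token from the ticket registry.
     *
     * @param token the token value as received in the request
     * @return the registry token, or {@code null} if the ticket is invalid or cannot be found
     */
    private OAuth20Token fetchAccessTokenFromRegistry(final String token) {
        try {
            return getConfigurationContext().getTicketRegistry().getTicket(extractAccessTokenFrom(token), OAuth20Token.class);
        } catch (final InvalidTicketException e) {
            LOGGER.trace(e.getMessage(), e);
            // NOTE(review): the submitted token value is logged at INFO here; it is an unresolvable
            // token at this point, but the line still puts client-supplied secrets into the log.
            LOGGER.info("Unable to fetch access token [{}]: [{}]", token, e.getMessage());
            // A null token is passed on to the response generators rather than failing the request.
            return null;
        }
    }

    /**
     * Extract HTTP Basic credentials from the request.
     *
     * @param jEEContext the web context
     * @return the credentials, if present
     */
    protected Optional<Credentials> extractCredentials(final JEEContext jEEContext) {
        final CallContext callContext = new CallContext(jEEContext,
            getConfigurationContext().getSessionStore(),
            getConfigurationContext().getOauthConfig().getProfileManagerFactory());
        return new BasicAuthExtractor().extract(callContext);
    }

    /**
     * Validate the introspection request: the token parameter must be present, the client
     * secret must match the registered service and the service access strategy must allow access.
     *
     * @param registeredService the registered service matched by client id
     * @param credentials       the client credentials extracted from the request
     * @param request           the request
     * @return a failure response to return to the client, or empty if the request is valid
     * @throws Throwable the throwable
     */
    private Optional<ResponseEntity<? extends BaseOAuth20IntrospectionAccessTokenResponse>> validateIntrospectionRequest(
        final OAuthRegisteredService registeredService,
        final UsernamePasswordCredentials credentials,
        final HttpServletRequest request) throws Throwable {
        if (!HttpRequestUtils.doesParameterExist(request, PARAMETER_TOKEN)
            && !HttpRequestUtils.doesParameterExist(request, PARAMETER_ACCESS_TOKEN)) {
            LOGGER.warn("Access token cannot be found in the request");
            return Optional.of(buildBadRequestResponseEntity("missing_accessToken"));
        }
        if (!getConfigurationContext().getClientSecretValidator().validate(registeredService, credentials.getPassword())) {
            LOGGER.warn("Unable to match client secret for registered service [{}] with client id [{}]", registeredService.getName(), registeredService.getClientId());
            return Optional.of(buildUnauthorizedResponseEntity("invalid_client", true));
        }
        // The client is authenticated; now enforce the service's access strategy. No Basic
        // challenge is issued here since the credentials themselves were accepted.
        var auditContext = AuditableContext.builder()
            .service(getConfigurationContext().getWebApplicationServiceServiceFactory().createService(registeredService.getServiceId()))
            .registeredService(registeredService)
            .build();
        if (getConfigurationContext().getRegisteredServiceAccessStrategyEnforcer().execute(auditContext).isExecutionFailure()) {
            return Optional.of(buildUnauthorizedResponseEntity("unauthorized_client", false));
        }
        return Optional.empty();
    }

    /**
     * Wrap the generated introspection response in a {@code 200 OK} entity.
     * Extension point for controllers that need to post-process the response; the return
     * type is deliberately left raw so overriding controllers are not constrained to a
     * {@link BaseOAuth20IntrospectionAccessTokenResponse} body.
     *
     * @param webContext the web context
     * @param response   the generated introspection response
     * @return the response entity
     */
    protected ResponseEntity buildIntrospectionEntityResponse(final WebContext webContext, final OAuth20IntrospectionAccessTokenResponse response) {
        return new ResponseEntity(response, HttpStatus.OK);
    }
}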
