package org.apereo.cas.uma.web.controllers.authz;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRequestContext;
import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.uma.UmaConfigurationContext;
import org.apereo.cas.uma.claim.UmaResourceSetClaimPermissionResult;
import org.apereo.cas.uma.ticket.permission.UmaPermissionTicket;
import org.apereo.cas.uma.ticket.resource.ResourceSet;
import org.apereo.cas.uma.web.controllers.BaseUmaEndpointController;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.LoggingUtils;
import org.hjson.JsonValue;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.jee.context.JEEContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;

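@Controller("umaAuthorizationRequestEndpointController")
/* loaded from: input_file:org/apereo/cas/uma/web/controllers/authz/UmaAuthorizationRequestEndpointController.class */
public class UmaAuthorizationRequestEndpointController extends BaseUmaEndpointController {

    /**
     * Permission the caller's authenticated profile must carry to use this endpoint.
     * The same value is added to the scope set of every requesting-party token issued here.
     */
    private static final String UMA_AUTHORIZATION_PERMISSION = "uma_authorization";

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(UmaAuthorizationRequestEndpointController.class);

    /**
     * Creates the controller.
     *
     * @param umaConfigurationContext shared UMA configuration (ticket registry, token generators, session store)
     */
    public UmaAuthorizationRequestEndpointController(final UmaConfigurationContext umaConfigurationContext) {
        super(umaConfigurationContext);
    }

    /**
     * Handles an UMA authorization request and, when the resource set's claim policies are satisfied,
     * issues a requesting-party token (RPT) bound to the presented permission ticket.
     * <p>
     * The request body is accepted as HJSON and must carry {@code grant_type=urn:ietf:params:oauth:grant-type:uma-ticket}
     * (compared via {@link OAuth20GrantTypes#UMA_TICKET}) and a non-blank {@code ticket}. Validation failures
     * and any unexpected exception are reported as {@code 400 Bad Request}; the exception itself is only logged.
     *
     * @param str                 raw request body (HJSON or JSON) describing the authorization request
     * @param httpServletRequest  current request
     * @param httpServletResponse current response
     * @return {@code 200} with the RPT, {@code 308} with a {@code need_info} body when claims are missing,
     * or {@code 400} on invalid input or failure (raw {@link ResponseEntity} kept for subclass compatibility)
     */
    @PostMapping({"/oauth2.0/rptAuthzRequest"})
    public ResponseEntity handleAuthorizationRequest(@RequestBody final String str,
                                                     final HttpServletRequest httpServletRequest,
                                                     final HttpServletResponse httpServletResponse) {
        try {
            final UserProfile requestingParty = getAuthenticatedProfile(httpServletRequest, httpServletResponse, UMA_AUTHORIZATION_PERMISSION);

            // The body is normalised from HJSON to strict JSON before being bound to the request model.
            final UmaAuthorizationRequest authzRequest = MAPPER.readValue(JsonValue.readHjson(str).toString(), UmaAuthorizationRequest.class);

            final String grantType = authzRequest.getGrantType();
            if (StringUtils.isBlank(grantType)) {
                return new ResponseEntity<>("Unable to accept authorization request; grant type is missing", HttpStatus.BAD_REQUEST);
            }
            final String requiredGrantType = OAuth20GrantTypes.UMA_TICKET.getType();
            if (!grantType.equalsIgnoreCase(requiredGrantType)) {
                return new ResponseEntity<>("Unable to accept authorization request; need grant type " + requiredGrantType, HttpStatus.BAD_REQUEST);
            }
            if (StringUtils.isBlank(authzRequest.getTicket())) {
                return new ResponseEntity<>("Unable to accept authorization request; ticket parameter is missing", HttpStatus.BAD_REQUEST);
            }

            final UmaPermissionTicket permissionTicket = getUmaConfigurationContext().getTicketRegistry()
                .getTicket(authzRequest.getTicket(), UmaPermissionTicket.class);
            if (permissionTicket == null) {
                // Unknown (or already expired/removed) ticket; the presented id is deliberately not echoed back.
                return new ResponseEntity<>("Unable to accept authorization request; permission ticket is unknown or expired", HttpStatus.BAD_REQUEST);
            }

            final ResourceSet resourceSet = permissionTicket.getResourceSet();
            if (resourceSet == null || resourceSet.getPolicies() == null || resourceSet.getPolicies().isEmpty()) {
                return new ResponseEntity<>("resource-set or linked policies are undefined", HttpStatus.BAD_REQUEST);
            }

            // The examiner decides whether the requesting party's claims satisfy the resource-set policies.
            final UmaResourceSetClaimPermissionResult verdict = getUmaConfigurationContext().getClaimPermissionExaminer().examine(resourceSet, permissionTicket);
            if (verdict.isSatisfied()) {
                return generateRequestingPartyToken(httpServletRequest, httpServletResponse, requestingParty, authzRequest, permissionTicket, resourceSet);
            }
            return handleMismatchedClaims(httpServletRequest, httpServletResponse, resourceSet, requestingParty, verdict, permissionTicket);
        } catch (final Exception e) {
            // Details stay in the log; the client only learns that the request could not be handled.
            LoggingUtils.error(LOGGER, e);
            return new ResponseEntity<>("Unable to handle authorization request", HttpStatus.BAD_REQUEST);
        }
    }

    /**
     * Builds the {@code need_info} response telling the requesting party which claims and scopes are still
     * missing for the given permission ticket.
     * <p>
     * NOTE(review): the response is emitted with HTTP 308; the UMA 2.0 grant specification describes
     * {@code need_info} as a 403 response. Confirm existing clients depend on 308 before changing it.
     *
     * @param httpServletRequest                  current request (unused here, kept for overriding subclasses)
     * @param httpServletResponse                 current response (unused here, kept for overriding subclasses)
     * @param resourceSet                         resource set the ticket refers to (unused here, kept for overriding subclasses)
     * @param userProfile                         requesting party's profile (unused here, kept for overriding subclasses)
     * @param umaResourceSetClaimPermissionResult examiner verdict listing unmatched claims and scopes per policy
     * @param umaPermissionTicket                 permission ticket whose id is returned so the party can retry
     * @return {@code 308} whose body carries {@code error=need_info} and the required claims/scopes
     */
    protected ResponseEntity handleMismatchedClaims(final HttpServletRequest httpServletRequest,
                                                    final HttpServletResponse httpServletResponse,
                                                    final ResourceSet resourceSet,
                                                    final UserProfile userProfile,
                                                    final UmaResourceSetClaimPermissionResult umaResourceSetClaimPermissionResult,
                                                    final UmaPermissionTicket umaPermissionTicket) {
        final UmaAuthorizationNeedInfoResponse needInfo = new UmaAuthorizationNeedInfoResponse();
        needInfo.setRedirectUser(true);
        needInfo.setTicket(umaPermissionTicket.getId());
        needInfo.setRequiredClaims(collectUnmatchedClaims(umaResourceSetClaimPermissionResult));
        needInfo.setRequiredScopes(collectUnmatchedScopes(umaResourceSetClaimPermissionResult));

        final Map<String, Object> model = new LinkedHashMap<>();
        model.put("error", "need_info");
        model.put("error_details", CollectionUtils.wrap("requesting_party_claims", needInfo));
        return new ResponseEntity<>(model, HttpStatus.PERMANENT_REDIRECT);
    }

    /** Union, across all policy details, of the unmatched claim names rendered as strings. */
    private static Set<String> collectUnmatchedClaims(final UmaResourceSetClaimPermissionResult result) {
        return result.getDetails().values().stream()
            .flatMap(details -> details.getUnmatchedClaims().keySet().stream())
            .map(Object::toString)
            .collect(Collectors.toSet());
    }

    /** Union, across all policy details, of the unmatched scopes rendered as strings. */
    private static Set<String> collectUnmatchedScopes(final UmaResourceSetClaimPermissionResult result) {
        return result.getDetails().values().stream()
            .flatMap(details -> details.getUnmatchedScopes().stream())
            .map(Object::toString)
            .collect(Collectors.toSet());
    }

    /**
     * Issues a requesting-party token for a satisfied permission ticket.
     * <p>
     * A new access token is generated from the caller's current OAuth access token (authentication, TGT and
     * service are reused) with the union of the ticket's scopes, {@code uma_authorization} and the resource set's
     * scopes. The RPT is generated into the token's id-token slot, the token is persisted, and any RPT named
     * in the request is deleted. The JWT-encoded token is returned as {@code rpt}.
     * <p>
     * NOTE(review): the permission ticket itself is not invalidated here, so the same ticket can be exchanged
     * again until it expires. NOTE(review): the presented {@code rpt} is deleted by id without checking that it
     * was issued to this client/profile; consider verifying ownership before revoking.
     *
     * @param httpServletRequest      current request
     * @param httpServletResponse     current response
     * @param userProfile             requesting party's authenticated profile; must carry an {@link OAuth20AccessToken} attribute
     * @param umaAuthorizationRequest parsed request; {@code rpt}, when present, names a previous token to revoke
     * @param umaPermissionTicket     permission ticket being exchanged
     * @param resourceSet             resource set the ticket refers to
     * @return {@code 200} with {@code rpt} (encoded token) and {@code code}
     * @throws Exception             from token generation, encoding or ticket-registry operations
     * @throws IllegalStateException when the profile carries no access token or no token was generated
     */
    protected ResponseEntity generateRequestingPartyToken(final HttpServletRequest httpServletRequest,
                                                          final HttpServletResponse httpServletResponse,
                                                          final UserProfile userProfile,
                                                          final UmaAuthorizationRequest umaAuthorizationRequest,
                                                          final UmaPermissionTicket umaPermissionTicket,
                                                          final ResourceSet resourceSet) throws Exception {
        final OAuth20AccessToken currentAccessToken = (OAuth20AccessToken) userProfile.getAttribute(OAuth20AccessToken.class.getName());
        if (currentAccessToken == null) {
            // Previously surfaced as a NullPointerException; failing explicitly keeps the log readable.
            throw new IllegalStateException("Authenticated profile carries no OAuth access token; cannot issue a requesting party token");
        }
        final OAuthRegisteredService registeredService = OAuth20Utils.getRegisteredOAuthServiceByClientId(
            getUmaConfigurationContext().getServicesManager(),
            OAuth20Utils.getClientIdFromAuthenticatedProfile(userProfile));

        // Insertion order is preserved: ticket scopes first, then uma_authorization, then resource-set scopes.
        final Set<String> scopes = new LinkedHashSet<>(umaPermissionTicket.getScopes());
        scopes.add(UMA_AUTHORIZATION_PERMISSION);
        scopes.addAll(resourceSet.getScopes());

        final AccessTokenRequestContext tokenRequest = AccessTokenRequestContext.builder()
            .authentication(currentAccessToken.getAuthentication())
            .ticketGrantingTicket(currentAccessToken.getTicketGrantingTicket())
            .grantType(OAuth20GrantTypes.UMA_TICKET)
            .responseType(OAuth20ResponseTypes.NONE)
            .registeredService(registeredService)
            .generateRefreshToken(false)
            .scopes(scopes)
            .service(currentAccessToken.getService())
            .build();
        final OAuth20AccessToken rpt = (OAuth20AccessToken) getUmaConfigurationContext().getAccessTokenGenerator()
            .generate(tokenRequest)
            .getAccessToken()
            .orElseThrow(() -> new IllegalStateException("Access token generator did not produce an access token"));

        final String encodedRpt = OAuth20JwtAccessTokenEncoder.builder()
            .accessToken(rpt)
            .registeredService(tokenRequest.getRegisteredService())
            .service(tokenRequest.getService())
            .accessTokenJwtBuilder(getUmaConfigurationContext().getAccessTokenJwtBuilder())
            .casProperties(getUmaConfigurationContext().getCasProperties())
            .build()
            .encode(rpt.getId());

        // The session-bound profile is enriched so the RPT generator can see the ticket and resource set.
        final UserProfile sessionProfile = OAuth20Utils.getAuthenticatedUserProfile(
            new JEEContext(httpServletRequest, httpServletResponse),
            getUmaConfigurationContext().getSessionStore());
        sessionProfile.addAttribute(UmaPermissionTicket.class.getName(), umaPermissionTicket);
        sessionProfile.addAttribute(ResourceSet.class.getName(), resourceSet);
        rpt.setIdToken(getUmaConfigurationContext().getRequestingPartyTokenGenerator()
            .generate(rpt, sessionProfile, OAuth20ResponseTypes.CODE, OAuth20GrantTypes.UMA_TICKET, registeredService));
        getUmaConfigurationContext().getTicketRegistry().updateTicket(rpt);

        // Rotation: the previous RPT named in the request is revoked only after the new one is persisted.
        if (StringUtils.isNotBlank(umaAuthorizationRequest.getRpt())) {
            getUmaConfigurationContext().getTicketRegistry().deleteTicket(umaAuthorizationRequest.getRpt());
        }
        return new ResponseEntity<>(CollectionUtils.wrap("rpt", encodedRpt, "code", HttpStatus.CREATED), HttpStatus.OK);
    }
}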
