package org.iplass.mtp.impl.auth.oauth.token.remote;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.List;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.message.BasicNameValuePair;
import org.iplass.mtp.auth.User;
import org.iplass.mtp.auth.login.IdPasswordCredential;
import org.iplass.mtp.impl.auth.authenticate.builtin.web.BasicAuthUtil;
import org.iplass.mtp.impl.auth.oauth.AccessTokenAccountHandle;
import org.iplass.mtp.impl.auth.oauth.ClientAuthenticationMethod;
import org.iplass.mtp.impl.auth.oauth.MetaOAuthClient;
import org.iplass.mtp.impl.auth.oauth.OAuthAuthorizationService;
import org.iplass.mtp.impl.auth.oauth.OAuthRuntimeException;
import org.iplass.mtp.impl.auth.oauth.token.AccessToken;
import org.iplass.mtp.impl.auth.oauth.token.OAuthAccessTokenStore;
import org.iplass.mtp.impl.auth.oauth.token.RefreshToken;
import org.iplass.mtp.impl.auth.oauth.util.OAuthEndpointConstants;
import org.iplass.mtp.impl.core.ExecuteContext;
import org.iplass.mtp.impl.http.ExponentialBackoff;
import org.iplass.mtp.impl.http.HttpClientConfig;
import org.iplass.mtp.impl.http.SimpleHttpInvoker;
import org.iplass.mtp.impl.webapi.MetaWebApi;
import org.iplass.mtp.impl.webapi.jackson.WebApiObjectMapperService;
import org.iplass.mtp.spi.Config;
import org.iplass.mtp.spi.ServiceInitListener;
import org.iplass.mtp.spi.ServiceRegistry;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/iplass/mtp/impl/auth/oauth/token/remote/RemoteOAuthAccessTokenStore.class */
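/**
 * {@link OAuthAccessTokenStore} that validates access tokens against a remote token
 * introspection endpoint instead of a local token table.
 *
 * <p>Only {@link #getAccessToken(String)} is supported; token creation, lookup by user and
 * revocation are the authorization server's job and throw {@link UnsupportedOperationException}.
 *
 * <p>Per request the store: builds a form POST to {@link #introspectionEndpointUrl} (with
 * {@value #TENANT_NAME_VARIABLE} replaced by the current tenant name), authenticates as the
 * resource server using {@link #authenticationMethod} (HTTP Basic header or client_id/client_secret
 * form fields), sends the token in the POST body, and accepts the token only if the response says
 * it is active and its tenant matches the current tenant according to {@link #tenantValidationType}.
 * When {@link #reloadUser} is set, the subject is additionally resolved to a local {@link User};
 * an unresolvable subject is treated as no token.
 *
 * <p>The resource server secret is only ever written into the request, never logged. The raw
 * introspection response (subject, tenant, scopes, ...) is logged at DEBUG level.
 *
 * <p>Configuration is injected through the setters; {@link #inited} wires the HTTP invoker and
 * the JSON mapper and must run before the first {@link #getAccessToken(String)} call.
 */
public class RemoteOAuthAccessTokenStore implements OAuthAccessTokenStore, ServiceInitListener<OAuthAuthorizationService> {
    private static final Logger logger = LoggerFactory.getLogger(RemoteOAuthAccessTokenStore.class);
    /** Placeholder in {@link #introspectionEndpointUrl} replaced by the current tenant's name on every call. */
    private static final String TENANT_NAME_VARIABLE = "${tenantName}";
    /** Introspection endpoint URL; may contain {@value #TENANT_NAME_VARIABLE}. Required. */
    private String introspectionEndpointUrl;
    /** client_id this resource server presents to the introspection endpoint. */
    private String resourceServerId;
    /** client_secret this resource server presents to the introspection endpoint. Never logged. */
    private String resourceServerSecret;
    /** HTTP client settings; a default instance is created in {@link #inited} when unset. */
    private HttpClientConfig httpClientConfig;
    /** Retry policy handed to the {@link SimpleHttpInvoker}; may be null. */
    private ExponentialBackoff exponentialBackoff;
    /** When true, the token subject is resolved to a local {@link User} and the token is rejected if none is found. */
    private boolean reloadUser;
    private WebApiObjectMapperService objectMapperService;
    private SimpleHttpInvoker httpInvoker;
    /** How the tenant reported by the introspection response is matched against the current tenant. */
    private TenantValidationType tenantValidationType = TenantValidationType.NAME;
    /** How the resource server authenticates itself; BASIC uses the Authorization header, POST uses form fields. */
    private ClientAuthenticationMethod authenticationMethod = ClientAuthenticationMethod.CLIENT_SECRET_BASIC;

    public ClientAuthenticationMethod getAuthenticationMethod() {
        return this.authenticationMethod;
    }

    public void setAuthenticationMethod(ClientAuthenticationMethod clientAuthenticationMethod) {
        this.authenticationMethod = clientAuthenticationMethod;
    }

    public HttpClientConfig getHttpClientConfig() {
        return this.httpClientConfig;
    }

    public void setHttpClientConfig(HttpClientConfig httpClientConfig) {
        this.httpClientConfig = httpClientConfig;
    }

    public ExponentialBackoff getExponentialBackoff() {
        return this.exponentialBackoff;
    }

    public void setExponentialBackoff(ExponentialBackoff exponentialBackoff) {
        this.exponentialBackoff = exponentialBackoff;
    }

    public TenantValidationType getTenantValidationType() {
        return this.tenantValidationType;
    }

    public void setTenantValidationType(TenantValidationType tenantValidationType) {
        this.tenantValidationType = tenantValidationType;
    }

    public String getIntrospectionEndpointUrl() {
        return this.introspectionEndpointUrl;
    }

    public void setIntrospectionEndpointUrl(String introspectionEndpointUrl) {
        this.introspectionEndpointUrl = introspectionEndpointUrl;
    }

    public String getResourceServerId() {
        return this.resourceServerId;
    }

    public void setResourceServerId(String resourceServerId) {
        this.resourceServerId = resourceServerId;
    }

    public String getResourceServerSecret() {
        return this.resourceServerSecret;
    }

    public void setResourceServerSecret(String resourceServerSecret) {
        this.resourceServerSecret = resourceServerSecret;
    }

    public boolean isReloadUser() {
        return this.reloadUser;
    }

    public void setReloadUser(boolean reloadUser) {
        this.reloadUser = reloadUser;
    }

    /**
     * Validates {@code str} via the remote introspection endpoint.
     *
     * @param str the access token presented by the client
     * @return the token as a {@link RemoteAccessToken}, or {@code null} when the endpoint reports it
     *         inactive, its tenant does not match the current tenant, or (with {@link #reloadUser})
     *         its subject cannot be resolved to a local user
     * @throws OAuthRuntimeException when the endpoint returns a non-200 status, the call fails with a
     *         checked exception, or the response body cannot be parsed
     * @throws RuntimeException any unchecked exception raised by the HTTP invoker is rethrown as-is
     */
    @Override // org.iplass.mtp.impl.auth.oauth.token.OAuthAccessTokenStore
    public AccessToken getAccessToken(String str) {
        ExecuteContext currentContext = ExecuteContext.getCurrentContext();
        HttpPost httpPost = buildIntrospectionRequest(currentContext, str);

        SimpleHttpInvoker.Response call = this.httpInvoker.call(httpPost, response -> isExpectedStatus(response.status));
        if (call.exception != null) {
            if (call.exception instanceof RuntimeException) {
                throw (RuntimeException) call.exception;
            }
            throw new OAuthRuntimeException(call.exception);
        }
        // 400/401 are delivered here (see isExpectedStatus) and surfaced with the response body so a
        // misconfigured resource-server credential is visible in the exception message.
        if (call.status != 200) {
            throw new OAuthRuntimeException("Introspection Endpoint return error:" + call.status + " " + call.content);
        }

        // The full introspection payload is logged at DEBUG; it carries token metadata, not the secret.
        logger.debug("response: {}", call.content);
        IntroResponse introResponse = parseResponse(call.content);
        if (!introResponse.active) {
            logger.debug("token is not active: {}", introResponse);
            return null;
        }
        // A token issued for another tenant must not be accepted as a token for this one.
        if (!isCurrentTenant(currentContext, introResponse)) {
            return null;
        }

        RemoteAccessToken remoteAccessToken = new RemoteAccessToken(str, introResponse);
        if (this.reloadUser) {
            User searchUser = UserEntityResolverHolder.userEntityResolver.searchUser(
                    new AccessTokenAccountHandle(remoteAccessToken.getSub(), remoteAccessToken, null));
            if (searchUser == null) {
                // Active token whose subject has no local user: treat as no token rather than a partial one.
                return null;
            }
            remoteAccessToken.setUser(searchUser);
        }
        return remoteAccessToken;
    }

    /**
     * Builds the introspection POST: Accept header, resource-server credentials per
     * {@link #authenticationMethod}, and the token as a form field (never in the URL).
     */
    private HttpPost buildIntrospectionRequest(ExecuteContext currentContext, String token) {
        String url = this.introspectionEndpointUrl.replace(TENANT_NAME_VARIABLE, currentContext.getCurrentTenant().getName());
        HttpPost httpPost = new HttpPost(url);
        httpPost.setHeader(MetaWebApi.HEADER_ACCEPT, "application/json");

        List<BasicNameValuePair> params = new ArrayList<>();
        if (this.authenticationMethod == ClientAuthenticationMethod.CLIENT_SECRET_BASIC) {
            httpPost.setHeader("Authorization", BasicAuthUtil.encodeValue(new IdPasswordCredential(this.resourceServerId, this.resourceServerSecret)));
        } else if (this.authenticationMethod == ClientAuthenticationMethod.CLIENT_SECRET_POST) {
            params.add(new BasicNameValuePair(OAuthEndpointConstants.PARAM_CLIENT_ID, this.resourceServerId));
            params.add(new BasicNameValuePair(OAuthEndpointConstants.PARAM_CLIENT_SECRET, this.resourceServerSecret));
        }
        params.add(new BasicNameValuePair(OAuthEndpointConstants.PARAM_TOKEN, token));
        try {
            httpPost.setEntity(new UrlEncodedFormEntity(params));
        } catch (UnsupportedEncodingException e) {
            // The entity's default charset is always available; reaching here is a programming error.
            throw new RuntimeException(e);
        }
        return httpPost;
    }

    /**
     * Statuses the invoker should hand back to {@link #getAccessToken(String)} as a normal
     * {@link SimpleHttpInvoker.Response}; how other statuses are treated (retry, exception) is
     * decided inside {@link SimpleHttpInvoker}.
     */
    private static boolean isExpectedStatus(int status) {
        return status == 200 || status == 400 || status == 401;
    }

    /** Deserializes the introspection JSON; a parse failure is reported with its real cause. */
    private IntroResponse parseResponse(String content) {
        try {
            return this.objectMapperService.getObjectMapper().readValue(content, IntroResponse.class);
        } catch (IOException e) {
            // Wrap the parse exception itself (previously the already-null call.exception was wrapped,
            // which lost the cause).
            throw new OAuthRuntimeException(e);
        }
    }

    /**
     * Checks the tenant reported by the endpoint against the current tenant.
     * NAME compares tenant names, ID compares tenant_id with the client tenant id;
     * any other validation type performs no check.
     */
    private boolean isCurrentTenant(ExecuteContext currentContext, IntroResponse introResponse) {
        if (this.tenantValidationType == TenantValidationType.NAME) {
            if (!currentContext.getCurrentTenant().getName().equals(introResponse.tenant_name)) {
                logger.debug("mismatch tenant_name: {}", introResponse);
                return false;
            }
        } else if (this.tenantValidationType == TenantValidationType.ID) {
            if (introResponse.tenant_id == null || introResponse.tenant_id.intValue() != currentContext.getClientTenantId()) {
                logger.debug("mismatch tenant_id: {}", introResponse);
                return false;
            }
        }
        return true;
    }

    /**
     * Wires the JSON mapper service and the HTTP invoker; creates a default {@link HttpClientConfig}
     * when none was injected.
     */
    public void inited(OAuthAuthorizationService oAuthAuthorizationService, Config config) {
        this.objectMapperService = ServiceRegistry.getRegistry().getService(WebApiObjectMapperService.class);
        if (this.httpClientConfig == null) {
            this.httpClientConfig = new HttpClientConfig();
        }
        this.httpClientConfig.inited(oAuthAuthorizationService, config);
        this.httpInvoker = new SimpleHttpInvoker(this.httpClientConfig.getInstance(), this.exponentialBackoff);
    }

    /** Nothing to release: the HTTP client lifecycle is owned by {@link HttpClientConfig}. */
    public void destroyed() {
    }

    /** Not supported: tokens are issued by the remote authorization server. */
    @Override // org.iplass.mtp.impl.auth.oauth.token.OAuthAccessTokenStore
    public AccessToken createAccessToken(MetaOAuthClient.OAuthClientRuntime oAuthClientRuntime, String str, List<String> list) {
        throw new UnsupportedOperationException("RemoteOAuthAccessTokenStore cannot support AccessToken creation");
    }

    /** Not supported: tokens are issued by the remote authorization server. */
    @Override // org.iplass.mtp.impl.auth.oauth.token.OAuthAccessTokenStore
    public AccessToken createAccessToken(MetaOAuthClient.OAuthClientRuntime oAuthClientRuntime, RefreshToken refreshToken) {
        throw new UnsupportedOperationException("RemoteOAuthAccessTokenStore cannot support AccessToken creation");
    }

    /** Not supported: there is no local token table to search. */
    @Override // org.iplass.mtp.impl.auth.oauth.token.OAuthAccessTokenStore
    public AccessToken getAccessTokenByUserOid(MetaOAuthClient.OAuthClientRuntime oAuthClientRuntime, String str) {
        throw new UnsupportedOperationException("RemoteOAuthAccessTokenStore cannot support getAccessTokenByUserOid");
    }

    /** Not supported: refresh tokens are handled by the remote authorization server. */
    @Override // org.iplass.mtp.impl.auth.oauth.token.OAuthAccessTokenStore
    public RefreshToken getRefreshToken(String str) {
        throw new UnsupportedOperationException("RemoteOAuthAccessTokenStore cannot support getRefreshToken");
    }

    /** Not supported: revocation must be performed at the remote authorization server. */
    @Override // org.iplass.mtp.impl.auth.oauth.token.OAuthAccessTokenStore
    public void revokeToken(MetaOAuthClient.OAuthClientRuntime oAuthClientRuntime, String str, String str2) {
        throw new UnsupportedOperationException("RemoteOAuthAccessTokenStore cannot support revokeToken");
    }

    /** Not supported: revocation must be performed at the remote authorization server. */
    @Override // org.iplass.mtp.impl.auth.oauth.token.OAuthAccessTokenStore
    public void revokeTokenByUserOid(String str) {
        throw new UnsupportedOperationException("RemoteOAuthAccessTokenStore cannot support revokeToken");
    }
}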
