package org.apereo.cas.support.oauth.web.endpoints;

import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.support.oauth.OAuth20Constants;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20ConfigurationContext;
import org.apereo.cas.support.oauth.web.response.introspection.OAuth20IntrospectionAccessTokenResponse;
import org.apereo.cas.ticket.InvalidTicketException;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.HttpRequestUtils;
import org.apereo.cas.util.LoggingUtils;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.credentials.extractor.BasicAuthExtractor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oauth-core-api-6.5.5.jar:org/apereo/cas/support/oauth/web/endpoints/OAuth20IntrospectionEndpointController.class */
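/**
 * OAuth 2.0 token introspection endpoint (RFC 7662).
 *
 * <p>The caller must present HTTP Basic credentials whose username is the client id of a
 * registered OAuth service and whose password matches that service's client secret. Once the
 * client is authenticated and passes the registered-service access strategy, the token named
 * by the {@code token} (or {@code access_token}) request parameter is looked up as an
 * {@link OAuth20AccessToken}. A token that cannot be resolved yields HTTP 200 with
 * {@code active=false} rather than an error, so the endpoint does not reveal whether a given
 * token id exists to a caller that is not authenticated as a client.
 *
 * <p>NOTE(review): any client that authenticates successfully may introspect any token; nothing
 * here ties the introspected token to the calling client id. Confirm that is the intended
 * policy for this deployment.
 *
 * @param <T> the OAuth configuration context type
 */
public class OAuth20IntrospectionEndpointController<T extends OAuth20ConfigurationContext> extends BaseOAuth20Controller<T> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) OAuth20IntrospectionEndpointController.class);

    /** Request parameter names under which the token to introspect may be supplied. */
    private static final String TOKEN_PARAM = "token";
    private static final String ACCESS_TOKEN_PARAM = "access_token";

    /** OAuth error codes emitted in the JSON body of a rejected request. */
    private static final String ERROR_INVALID_CLIENT = "invalid_client";
    private static final String ERROR_UNAUTHORIZED_CLIENT = "unauthorized_client";

    public OAuth20IntrospectionEndpointController(final T context) {
        super(context);
    }

    /**
     * Builds a 401 response carrying {@code {"error": code}} as its body.
     *
     * @param errorCode             the OAuth error code to report
     * @param authenticationFailure when {@code true} a {@code WWW-Authenticate: Basic} challenge is
     *                              added so the client knows which scheme to retry with
     * @return the 401 response entity
     */
    @SuppressWarnings("unchecked")
    private static ResponseEntity<OAuth20IntrospectionAccessTokenResponse> buildUnauthorizedResponseEntity(final String errorCode,
                                                                                                           final boolean authenticationFailure) {
        var body = new LinkedMultiValueMap<String, String>(1);
        body.add("error", errorCode);
        var headers = new LinkedMultiValueMap<String, String>();
        if (authenticationFailure) {
            headers.add("WWW-Authenticate", "Basic");
        }
        // The body is a JSON error document, not an introspection response; the raw
        // ResponseEntity is cast so the controller methods can keep a single declared type.
        return (ResponseEntity<OAuth20IntrospectionAccessTokenResponse>)
            new ResponseEntity(OAuth20Utils.toJson(body), (MultiValueMap<String, String>) headers, HttpStatus.UNAUTHORIZED);
    }

    /**
     * Builds a 400 response carrying {@code {"error": code}} as its body.
     *
     * @param errorCode the OAuth error code to report
     * @return the 400 response entity
     */
    @SuppressWarnings("unchecked")
    private static ResponseEntity<OAuth20IntrospectionAccessTokenResponse> buildBadRequestResponseEntity(final String errorCode) {
        var body = new LinkedMultiValueMap<String, String>(1);
        body.add("error", errorCode);
        return (ResponseEntity<OAuth20IntrospectionAccessTokenResponse>)
            new ResponseEntity(OAuth20Utils.toJson(body), HttpStatus.BAD_REQUEST);
    }

    /**
     * GET variant of the introspection endpoint; delegates to {@link #handlePostRequest}.
     *
     * <p>NOTE(review): RFC 7662 specifies POST. A GET carrying the token in the query string
     * exposes the bearer token to access logs, proxies and browser history. This mapping is
     * kept for compatibility with existing callers; prefer POST.
     *
     * @param request  the HTTP request
     * @param response the HTTP response
     * @return the introspection response
     */
    @GetMapping(consumes = {"application/x-www-form-urlencoded"}, produces = {"application/json"}, value = {"//oauth2.0/introspect"})
    public ResponseEntity<OAuth20IntrospectionAccessTokenResponse> handleRequest(final HttpServletRequest request,
                                                                                 final HttpServletResponse response) {
        return handlePostRequest(request, response);
    }

    /**
     * Handles an introspection request.
     *
     * <p>Flow: extract Basic credentials → resolve the registered service by client id →
     * validate the request (token parameter present, client secret matches, access strategy
     * passes) → look up the token and render it. Any unexpected exception on that path is
     * logged and mapped to HTTP 500; the whole flow sits inside one {@code try} so that a
     * failure during credential extraction cannot fall through to the later steps with no
     * credentials in hand.
     *
     * @param request  the HTTP request
     * @param response the HTTP response
     * @return 200 with the introspection body, 400/401 with an error body, or 500 on failure
     */
    @PostMapping(consumes = {"application/x-www-form-urlencoded"}, produces = {"application/json"}, value = {"//oauth2.0/introspect"})
    public ResponseEntity<OAuth20IntrospectionAccessTokenResponse> handlePostRequest(final HttpServletRequest request,
                                                                                     final HttpServletResponse response) {
        try {
            Optional<Credentials> extracted = new BasicAuthExtractor()
                .extract(new JEEContext(request, response), getConfigurationContext().getSessionStore());
            if (extracted.isEmpty()) {
                LOGGER.warn("Unable to locate and extract credentials from the request");
                return buildUnauthorizedResponseEntity(ERROR_INVALID_CLIENT, true);
            }

            var clientCredentials = (UsernamePasswordCredentials) extracted.get();
            var clientId = clientCredentials.getUsername();
            var registeredService = OAuth20Utils.getRegisteredOAuthServiceByClientId(
                getConfigurationContext().getServicesManager(), clientId);
            if (registeredService == null) {
                LOGGER.warn("Unable to locate service definition by client id [{}]", clientId);
                return buildUnauthorizedResponseEntity(ERROR_INVALID_CLIENT, true);
            }

            var rejection = validateIntrospectionRequest(registeredService, clientCredentials, request);
            if (rejection.isPresent()) {
                return rejection.get();
            }

            // "token" wins when both parameters are supplied; "access_token" is the fallback.
            var tokenId = StringUtils.defaultIfBlank(request.getParameter(TOKEN_PARAM), request.getParameter(ACCESS_TOKEN_PARAM));
            // The token value is a bearer secret and is deliberately not written to the log.
            LOGGER.debug("Located an access token parameter in the introspection request");
            var accessToken = resolveAccessToken(tokenId);
            return new ResponseEntity<>(createIntrospectionValidResponse(accessToken), HttpStatus.OK);
        } catch (final Exception e) {
            LoggingUtils.error(LOGGER, e);
            return new ResponseEntity<>(HttpStatus.INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Looks up the access-token ticket for the presented token value.
     *
     * @param tokenId the raw token parameter value (may be blank)
     * @return the ticket, or {@code null} when the ticket registry reports it invalid
     *         (not found and, presumably, expired — confirm against the registry's getTicket contract)
     */
    private OAuth20AccessToken resolveAccessToken(final String tokenId) {
        try {
            return getConfigurationContext().getCentralAuthenticationService()
                .getTicket(extractAccessTokenFrom(tokenId), OAuth20AccessToken.class);
        } catch (final InvalidTicketException e) {
            LOGGER.trace(e.getMessage(), e);
            // Only the failure reason is logged; the token itself is a secret and stays out of the log.
            LOGGER.info("Unable to fetch access token presented for introspection: [{}]", e.getMessage());
            return null;
        }
    }

    /**
     * Renders an introspection response for the given token.
     *
     * <p>A {@code null} token produces {@code active=false}. An active token reports the client
     * id, audience (the token's service id), subject, issued-at, expiry, realm (the joined
     * {@code authenticationMethod} attribute values), bearer token type and, when recorded,
     * the grant type.
     *
     * <p>NOTE(review): {@code exp} is computed as creation time + the policy's time-to-live,
     * which may differ from the registry's actual expiry for sliding or per-token policies.
     * The inactive response also carries {@code scope=CAS}; RFC 7662 §2.2 says an inactive
     * response should contain only {@code active}. Both are kept as-is for compatibility.
     *
     * @param accessToken the resolved token, or {@code null}
     * @return the introspection response body
     */
    protected OAuth20IntrospectionAccessTokenResponse createIntrospectionValidResponse(final OAuth20AccessToken accessToken) {
        var result = new OAuth20IntrospectionAccessTokenResponse();
        result.setScope("CAS");
        if (accessToken == null) {
            result.setActive(false);
            return result;
        }

        result.setActive(true);
        result.setClientId(accessToken.getClientId());
        result.setAud(accessToken.getService().getId());

        Authentication authentication = accessToken.getAuthentication();
        var subject = authentication.getPrincipal().getId();
        result.setSub(subject);
        result.setUniqueSecurityName(subject);

        var issuedAt = accessToken.getCreationTime().toInstant().getEpochSecond();
        result.setIat(issuedAt);
        result.setExp(issuedAt + accessToken.getExpirationPolicy().getTimeToLive().longValue());

        var realm = CollectionUtils.toCollection(authentication.getAttributes().get("authenticationMethod"))
            .stream()
            .map(Object::toString)
            .collect(Collectors.joining(","));
        result.setRealmName(realm);
        result.setTokenType(OAuth20Constants.TOKEN_TYPE_BEARER);

        List<Object> grantTypes = authentication.getAttributes().getOrDefault("grant_type", List.of());
        if (!grantTypes.isEmpty()) {
            // Locale.ROOT avoids locale-sensitive case mapping (e.g. the Turkish dotless i) on protocol values.
            result.setGrantType(grantTypes.get(0).toString().toLowerCase(Locale.ROOT));
        }
        return result;
    }

    /**
     * Validates the request against the registered client.
     *
     * <p>Checks, in order: a token parameter is present (400 {@code missing_access_token}
     * otherwise); the presented client secret matches the registered service (401
     * {@code invalid_client} with a Basic challenge otherwise); the registered-service access
     * strategy permits the service (401 {@code unauthorized_client} otherwise).
     *
     * <p>NOTE(review): the parameter check runs before the secret check, so an unauthenticated
     * caller can distinguish "missing token" from "bad credentials". This mirrors the original
     * ordering; authenticating first would be the stricter choice.
     *
     * @param registeredService the service resolved from the client id
     * @param clientCredentials the Basic credentials presented by the caller
     * @param request           the HTTP request
     * @return a rejection response, or empty when the request may proceed
     */
    private Optional<ResponseEntity<OAuth20IntrospectionAccessTokenResponse>> validateIntrospectionRequest(final OAuthRegisteredService registeredService,
                                                                                                           final UsernamePasswordCredentials clientCredentials,
                                                                                                           final HttpServletRequest request) {
        var hasToken = HttpRequestUtils.doesParameterExist(request, TOKEN_PARAM)
            || HttpRequestUtils.doesParameterExist(request, ACCESS_TOKEN_PARAM);
        if (!hasToken) {
            LOGGER.warn("Access token cannot be found in the request");
            return Optional.of(buildBadRequestResponseEntity(OAuth20Constants.MISSING_ACCESS_TOKEN));
        }

        var secretMatches = OAuth20Utils.checkClientSecret(registeredService, clientCredentials.getPassword(),
            getConfigurationContext().getRegisteredServiceCipherExecutor());
        if (!secretMatches) {
            LOGGER.warn("Unable to match client secret for registered service [{}] with client id [{}]",
                registeredService.getName(), registeredService.getClientId());
            return Optional.of(buildUnauthorizedResponseEntity(ERROR_INVALID_CLIENT, true));
        }

        var service = getConfigurationContext().getWebApplicationServiceServiceFactory().createService(registeredService.getServiceId());
        var audit = AuditableContext.builder()
            .service(service)
            .registeredService(registeredService)
            .build();
        var accessCheck = getConfigurationContext().getRegisteredServiceAccessStrategyEnforcer().execute(audit);
        if (accessCheck.isExecutionFailure()) {
            // Authenticated but the service's access strategy denies it: no Basic challenge is useful here.
            return Optional.of(buildUnauthorizedResponseEntity(ERROR_UNAUTHORIZED_CLIENT, false));
        }
        return Optional.empty();
    }
}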
