package org.apereo.cas.support.oauth.web.endpoints;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.AuthenticationCredentialsThreadLocalBinder;
import org.apereo.cas.support.oauth.OAuth20Constants;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20ConfigurationContext;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.pac4j.jee.context.JEEContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oauth-core-api-6.6.0.jar:org/apereo/cas/support/oauth/web/endpoints/OAuth20UserProfileEndpointController.class */
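/**
 * Endpoint that resolves the OAuth 2.0 access token carried by a request and
 * renders the user profile data associated with it.
 *
 * <p>The token is accepted from the {@code access_token} or {@code token} request
 * parameter, or from an {@code Authorization: Bearer ...} header. Any failure
 * (missing token, unknown/expired token, rendering error) is answered with an
 * HTTP 401 JSON body of the form {@code {"error": [...]}}.
 *
 * @param <T> the configuration context type this controller operates on
 */
public class OAuth20UserProfileEndpointController<T extends OAuth20ConfigurationContext> extends BaseOAuth20Controller<T> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) OAuth20UserProfileEndpointController.class);

    /** Error code sent back when a valid token exists but the profile cannot be produced. */
    private static final String INVALID_REQUEST_ERROR = "invalid_request";

    /** Request parameter names the access token may be supplied in, in lookup order. */
    private static final String ACCESS_TOKEN_PARAMETER = "access_token";
    private static final String TOKEN_PARAMETER = "token";

    /**
     * Creates the controller.
     *
     * @param t the configuration context shared with the base controller
     */
    public OAuth20UserProfileEndpointController(T t) {
        super(t);
    }

    /**
     * Builds a 401 response whose JSON body carries a single {@code error} entry.
     *
     * <p>Kept {@code public} for binary compatibility with existing callers.
     *
     * @param str the OAuth error code to report
     * @return an unauthorized response with a JSON body
     */
    public static ResponseEntity<String> buildUnauthorizedResponseEntity(String str) {
        LinkedMultiValueMap<String, String> body = new LinkedMultiValueMap<>(1);
        body.add("error", str);
        return new ResponseEntity<>(OAuth20Utils.toJson(body), HttpStatus.UNAUTHORIZED);
    }

    /**
     * POST variant of the profile endpoint; delegates entirely to {@link #handleGetRequest}.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the outgoing response
     * @return the rendered profile, or a 401 error body
     * @throws Exception propagated from the GET handler
     */
    @PostMapping(path = {"/oauth2.0/profile"}, produces = {"application/json"})
    public ResponseEntity<String> handlePostRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        return handleGetRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Resolves the access token from the request, verifies it exists and has not
     * expired, records the usage and renders the profile.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the outgoing response
     * @return the rendered profile on success; otherwise a 401 body with
     *         {@link OAuth20Constants#MISSING_ACCESS_TOKEN},
     *         {@link OAuth20Constants#EXPIRED_ACCESS_TOKEN} or {@code invalid_request}
     * @throws Exception only if the token lookup helpers propagate one
     */
    @GetMapping(path = {"/oauth2.0/profile"}, produces = {"application/json"})
    public ResponseEntity<String> handleGetRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        httpServletResponse.setContentType("application/json");

        Pair<String, String> accessTokenFromRequest = getAccessTokenFromRequest(httpServletRequest);
        String tokenId = accessTokenFromRequest.getValue();
        if (StringUtils.isBlank(tokenId)) {
            LOGGER.error("Missing required parameter [{}] from the request", ACCESS_TOKEN_PARAMETER);
            return buildUnauthorizedResponseEntity(OAuth20Constants.MISSING_ACCESS_TOKEN);
        }

        OAuth20AccessToken accessToken = lookupActiveAccessToken(tokenId);
        if (accessToken == null) {
            // Deliberately the same log line and error code for "unknown" and "expired":
            // the caller must not be able to tell whether a token id ever existed.
            LOGGER.error("Access token [{}] cannot be found in the ticket registry or has expired.", tokenId);
            return buildUnauthorizedResponseEntity(OAuth20Constants.EXPIRED_ACCESS_TOKEN);
        }

        try {
            validateAccessToken(accessTokenFromRequest.getKey(), accessToken, httpServletRequest, httpServletResponse);
            return (ResponseEntity<String>) FunctionUtils.doAndHandle(() -> {
                AuthenticationCredentialsThreadLocalBinder.bindCurrent(accessToken.getAuthentication());
                updateAccessTokenUsage(accessToken);
                JEEContext webContext = new JEEContext(httpServletRequest, httpServletResponse);
                return getConfigurationContext().getUserProfileViewRenderer().render(
                    getConfigurationContext().getUserProfileDataCreator().createFrom(accessToken, webContext),
                    accessToken, httpServletResponse);
            }, th -> buildUnauthorizedResponseEntity(INVALID_REQUEST_ERROR)).get();
        } catch (Exception e) {
            // Validation and rendering failures are logged with full context but
            // surfaced to the client only as a generic OAuth error.
            LoggingUtils.error(LOGGER, e);
            return buildUnauthorizedResponseEntity(INVALID_REQUEST_ERROR);
        }
    }

    /**
     * Fetches the access token from the ticket registry.
     *
     * @param tokenId the access token identifier taken from the request
     * @return the token when it exists and is not expired; {@code null} otherwise
     *         (including when the lookup itself fails, which {@code doAndHandle} absorbs)
     */
    private OAuth20AccessToken lookupActiveAccessToken(String tokenId) {
        return (OAuth20AccessToken) FunctionUtils.doAndHandle(() -> {
            OAuth20AccessToken candidate = getConfigurationContext().getTicketRegistry().getTicket(tokenId, OAuth20AccessToken.class);
            boolean usable = candidate != null && !candidate.isExpired();
            return usable ? candidate : null;
        });
    }

    /**
     * Hook for subclasses to apply additional checks before the profile is rendered
     * (for example on the token type reported by {@link #getAccessTokenFromRequest}).
     * The default implementation accepts every token.
     *
     * @param str                 the key half of the pair returned by {@link #getAccessTokenFromRequest}
     * @param oAuth20AccessToken  the resolved, non-expired access token
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the outgoing response
     */
    protected void validateAccessToken(String str, OAuth20AccessToken oAuth20AccessToken, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
    }

    /**
     * Records one use of the token and persists the result: a token that becomes
     * expired by this use is removed from the registry, otherwise it is updated in place.
     *
     * @param oAuth20AccessToken the token that was just presented
     * @throws Exception if the ticket registry operation fails
     */
    protected void updateAccessTokenUsage(OAuth20AccessToken oAuth20AccessToken) throws Exception {
        oAuth20AccessToken.update();
        if (oAuth20AccessToken.isExpired()) {
            getConfigurationContext().getTicketRegistry().deleteTicket(oAuth20AccessToken.getId());
        } else {
            getConfigurationContext().getTicketRegistry().updateTicket(oAuth20AccessToken);
        }
    }

    /**
     * Extracts the access token id from the request, preferring the
     * {@code access_token} parameter, then {@code token}, then a
     * {@code Authorization: Bearer <token>} header (scheme matched case-insensitively).
     *
     * @param httpServletRequest the incoming request
     * @return a pair of the raw token string (left) and the value produced by
     *         {@code extractAccessTokenFrom} (right); the raw string may be {@code null}
     */
    protected Pair<String, String> getAccessTokenFromRequest(HttpServletRequest httpServletRequest) {
        String rawToken = StringUtils.defaultIfBlank(
            httpServletRequest.getParameter(ACCESS_TOKEN_PARAMETER),
            httpServletRequest.getParameter(TOKEN_PARAMETER));
        if (StringUtils.isBlank(rawToken)) {
            String header = httpServletRequest.getHeader("Authorization");
            String bearerPrefix = OAuth20Constants.TOKEN_TYPE_BEARER + " ";
            // startsWithIgnoreCase avoids the locale-sensitive String.toLowerCase() of the original.
            if (StringUtils.isNotBlank(header) && StringUtils.startsWithIgnoreCase(header, bearerPrefix)) {
                rawToken = header.substring(bearerPrefix.length());
            }
        }
        // The token is a bearer credential: log only whether one was supplied, never its value.
        LOGGER.debug("[{}] present in request: [{}]", ACCESS_TOKEN_PARAMETER, StringUtils.isNotBlank(rawToken));
        return Pair.of(rawToken, extractAccessTokenFrom(rawToken));
    }
}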
