package org.mitre.oauth2.web;

import com.google.common.base.Strings;
import com.google.common.collect.ImmutableMap;
import java.util.HashSet;
import java.util.Iterator;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.IntrospectionResultAssembler;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.mitre.oauth2.service.SystemScopeService;
import org.mitre.openid.connect.model.UserInfo;
import org.mitre.openid.connect.service.UserInfoService;
import org.mitre.openid.connect.view.HttpCodeView;
import org.mitre.openid.connect.view.JsonEntityView;
import org.mitre.uma.model.ResourceSet;
import org.mitre.uma.service.ResourceSetService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

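/**
 * Token introspection endpoint: an authenticated caller submits a token value and
 * receives a JSON description of it, or a bare "inactive" answer.
 *
 * <p>Decompiled from {@code WEB-INF/lib/openid-connect-server-1.3.4.jar}
 * ({@code org/mitre/oauth2/web/IntrospectionEndpoint.class}); local names are reconstructed.
 *
 * <p>Two kinds of caller are accepted:
 * <ul>
 *   <li>a caller authenticated with an OAuth token ({@link OAuth2Authentication}), which must
 *       carry {@link SystemScopeService#UMA_PROTECTION_SCOPE};</li>
 *   <li>any other authenticated caller, which must hold {@code ROLE_CLIENT} and have
 *       introspection enabled on its client registration.</li>
 * </ul>
 *
 * <p>Every "token not usable" outcome produces the same response body (only
 * {@link IntrospectionResultAssembler#ACTIVE} set to {@code false}), so the response does not
 * tell the caller why a token was rejected.
 */
@Controller
public class IntrospectionEndpoint {
    /** Relative path of this endpoint. */
    public static final String URL = "introspect";

    private static final Logger logger = LoggerFactory.getLogger(IntrospectionEndpoint.class);

    @Autowired
    private OAuth2TokenEntityService tokenServices;

    @Autowired
    private ClientDetailsEntityService clientService;

    @Autowired
    private IntrospectionResultAssembler introspectionResultAssembler;

    @Autowired
    private UserInfoService userInfoService;

    @Autowired
    private ResourceSetService resourceSetService;

    /** Default constructor; collaborators are field-injected. */
    public IntrospectionEndpoint() {
    }

    /**
     * Creates the endpoint with an explicit token service.
     *
     * @param oAuth2TokenEntityService service used to look up access and refresh tokens
     */
    public IntrospectionEndpoint(OAuth2TokenEntityService oAuth2TokenEntityService) {
        this.tokenServices = oAuth2TokenEntityService;
    }

    /**
     * Authorizes the caller, looks the submitted value up as an access token and then as a
     * refresh token, and stores the introspection result in the model.
     *
     * <p>NOTE(review): the mapping has no HTTP method restriction, so the token can also arrive
     * as a GET query parameter and may then be recorded in access logs. Restricting the mapping
     * to POST would change the endpoint's interface and is left to the deployment to decide.
     *
     * @param str the token value to introspect ({@code token} request parameter)
     * @param str2 the {@code token_type_hint} request parameter; accepted but not used, the
     *     access-token lookup is always tried first
     * @param authentication the authenticated caller
     * @param model receives either the HTTP status code or the JSON entity to render
     * @return {@link HttpCodeView#VIEWNAME} when the caller is refused, otherwise
     *     {@link JsonEntityView#VIEWNAME}
     */
    @RequestMapping({"/introspect"})
    public String verify(@RequestParam("token") String str, @RequestParam(value = "token_type_hint", required = false) String str2, Authentication authentication, Model model) {
        // Scopes the caller may learn about; handed to the assembler with the token.
        HashSet<String> authScopes = new HashSet<String>();

        if (authentication instanceof OAuth2Authentication) {
            // Caller presented an OAuth token: it must carry the UMA protection scope.
            AuthenticationUtilities.ensureOAuthScope(authentication, SystemScopeService.UMA_PROTECTION_SCOPE);
            OAuth2Authentication oauthCaller = (OAuth2Authentication) authentication;
            String callerClientId = oauthCaller.getOAuth2Request().getClientId();
            ClientDetailsEntity callerClient = this.clientService.loadClientByClientId(callerClientId);

            // A token issued without a resource owner has no user authentication. The original
            // dereferenced it unconditionally and failed with a NullPointerException; refuse the
            // request explicitly instead, because the resource-set lookup below needs an owner.
            Authentication owner = oauthCaller.getUserAuthentication();
            if (owner == null) {
                logger.error("Client {} presented a token without a resource owner; introspection refused", callerClientId);
                model.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
                return HttpCodeView.VIEWNAME;
            }

            authScopes.addAll(callerClient.getScope());
            // Add the scopes of every resource set registered for this owner and client.
            for (ResourceSet resourceSet : this.resourceSetService.getAllForOwnerAndClient(owner.getName(), callerClientId)) {
                authScopes.addAll(resourceSet.getScopes());
            }
        } else {
            // Caller authenticated some other way: the authentication name is used as client id.
            ClientDetailsEntity callerClient = this.clientService.loadClientByClientId(authentication.getName());
            authScopes.addAll(callerClient.getScope());
            boolean isClient = AuthenticationUtilities.hasRole(authentication, "ROLE_CLIENT");
            if (!isClient || !callerClient.isAllowIntrospection()) {
                logger.error("Client {} is not allowed to call introspection endpoint", callerClient.getClientId());
                model.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN);
                return HttpCodeView.VIEWNAME;
            }
        }

        if (Strings.isNullOrEmpty(str)) {
            logger.error("Verify failed; token value is null");
            model.addAttribute(JsonEntityView.ENTITY, ImmutableMap.of(IntrospectionResultAssembler.ACTIVE, Boolean.FALSE));
            return JsonEntityView.VIEWNAME;
        }

        // The token value itself is never written to the log on any path below.
        OAuth2AccessTokenEntity accessToken = null;
        OAuth2RefreshTokenEntity refreshToken = null;
        UserInfo tokenUser;
        try {
            accessToken = this.tokenServices.readAccessToken(str);
            // NOTE(review): assumes the token service signals an unknown token with
            // InvalidTokenException rather than returning null - confirm against the service.
            tokenUser = this.userInfoService.getByUsernameAndClientId(
                    accessToken.getAuthenticationHolder().getAuthentication().getName(),
                    accessToken.getClient().getClientId());
        } catch (InvalidTokenException e) {
            // Not an access token; fall back to the refresh-token lookup.
            logger.info("Invalid access token. Checking refresh token.");
            try {
                refreshToken = this.tokenServices.getRefreshToken(str);
                tokenUser = this.userInfoService.getByUsernameAndClientId(
                        refreshToken.getAuthenticationHolder().getAuthentication().getName(),
                        refreshToken.getClient().getClientId());
            } catch (InvalidTokenException e2) {
                logger.error("Invalid refresh token");
                model.addAttribute(JsonEntityView.ENTITY, ImmutableMap.of(IntrospectionResultAssembler.ACTIVE, Boolean.FALSE));
                return JsonEntityView.VIEWNAME;
            }
        }

        if (accessToken != null) {
            model.addAttribute(JsonEntityView.ENTITY, this.introspectionResultAssembler.assembleFrom(accessToken, tokenUser, authScopes));
            return JsonEntityView.VIEWNAME;
        }
        if (refreshToken != null) {
            model.addAttribute(JsonEntityView.ENTITY, this.introspectionResultAssembler.assembleFrom(refreshToken, tokenUser, authScopes));
            return JsonEntityView.VIEWNAME;
        }

        // Neither lookup produced a token: answer "inactive" like every other failure path.
        logger.error("Verify failed; Invalid access/refresh token");
        model.addAttribute(JsonEntityView.ENTITY, ImmutableMap.of(IntrospectionResultAssembler.ACTIVE, Boolean.FALSE));
        return JsonEntityView.VIEWNAME;
    }
}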
