package org.apache.cxf.rs.security.oauth2.services;

import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.LinkedList;
import java.util.List;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oauth2.common.OAuthError;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeDataProvider;
import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeGrantHandler;
import org.apache.cxf.rs.security.oauth2.provider.AccessTokenGrantHandler;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.http.HttpHeaders;

/* JADX WARN: Classes with same name are omitted:
  input_file:cxf-rt-rs-security-oauth2-2.7.14.jar:org/apache/cxf/rs/security/oauth2/services/AccessTokenService.class
 */
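/**
 * OAuth2 token endpoint ({@code POST /token}), reconstructed from the decompiled
 * cxf-bundle-2.7.14 jar.
 *
 * <p>Request handling, in order: authenticate the client (form parameters, an
 * already-established container principal, or an HTTP Basic header), confirm the
 * requested {@code grant_type} is permitted for that client, enforce the optional
 * audience restriction, dispatch to the matching {@link AccessTokenGrantHandler}, and
 * return the issued {@link ServerAccessToken} as a {@link ClientAccessToken} with the
 * {@code Cache-Control: no-store} / {@code Pragma: no-cache} headers RFC 6749 §5.1
 * requires on token responses.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Client secrets are compared in constant time via
 *       {@link MessageDigest#isEqual(byte[], byte[])} so response timing does not reveal
 *       how many leading bytes of a guessed secret were correct.</li>
 *   <li>When {@code client_id} is present in the form body, the client is validated from
 *       the form parameters only; any {@code Authorization} header is then ignored.</li>
 *   <li>Public (non-confidential) clients are accepted without a secret only when
 *       {@link #setCanSupportPublicClients(boolean)} is enabled and the registered client
 *       has no secret; which grants such a client may use is decided by
 *       {@link OAuthUtils#isGrantSupportedForClient}.</li>
 *   <li>Grant-handler failures surface as a bare {@code invalid_grant} unless
 *       {@link #setWriteCustomErrors(boolean)} is on, so provider-internal error detail is
 *       not exposed to clients by default.</li>
 * </ul>
 */
@Path("/token")
public class AccessTokenService extends AbstractOAuthService {
    /** Handlers consulted in list order by {@link #findGrantHandler}; empty means "authorization code only". */
    private List<AccessTokenGrantHandler> grantHandlers = new LinkedList<AccessTokenGrantHandler>();
    /** Accepted values of the {@code audience} form parameter; empty disables the check. */
    private List<String> audiences = new LinkedList<String>();
    /** When true, an {@link OAuthError} carried by a grant-handler exception is returned verbatim. */
    private boolean writeCustomErrors;
    /** When true, non-confidential clients with no registered secret may authenticate by id alone. */
    private boolean canSupportPublicClients;

    /**
     * Controls whether a grant handler's own {@link OAuthError} is relayed to the client.
     * Off by default, which collapses every handler failure into {@code invalid_grant}.
     */
    public void setWriteCustomErrors(boolean writeCustomErrors) {
        this.writeCustomErrors = writeCustomErrors;
    }

    /** Replaces the handler list; the list object is stored as-is, not copied. */
    public void setGrantHandlers(List<AccessTokenGrantHandler> handlers) {
        this.grantHandlers = handlers;
    }

    /** Appends one handler to the current list (which must therefore be mutable). */
    public void setGrantHandler(AccessTokenGrantHandler handler) {
        this.grantHandlers.add(handler);
    }

    /**
     * Issues an access token for a form-encoded token request.
     *
     * @param params the decoded {@code application/x-www-form-urlencoded} body
     *               ({@code grant_type}, optionally {@code client_id}/{@code client_secret},
     *               {@code audience}, and grant-specific parameters)
     * @return 200 with a {@link ClientAccessToken} on success; otherwise a 400 carrying an
     *         {@link OAuthError} — {@code unauthorized_client} when the grant is not allowed
     *         for this client, {@code unsupported_grant_type} when no handler matches,
     *         {@code invalid_grant} when the handler produced no token, or the error raised by
     *         {@link #checkAudience}. Client-authentication failures are not 400s: they are
     *         thrown as the 401 built by {@link ExceptionUtils#toNotAuthorizedException}.
     */
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    @Consumes({"application/x-www-form-urlencoded"})
    public Response handleTokenRequest(MultivaluedMap<String, String> params) {
        Client client = authenticateClientIfNeeded(params);
        // Gate on grant type before doing any further work: a client registered for a
        // restricted set of grants must not be able to reach a handler for another one.
        String grantType = params.getFirst(OAuthConstants.GRANT_TYPE);
        if (!OAuthUtils.isGrantSupportedForClient(client, isCanSupportPublicClients(), grantType)) {
            return createErrorResponse(params, OAuthConstants.UNAUTHORIZED_CLIENT);
        }
        try {
            checkAudience(params);
            AccessTokenGrantHandler handler = findGrantHandler(params);
            if (handler == null) {
                return createErrorResponse(params, OAuthConstants.UNSUPPORTED_GRANT_TYPE);
            }
            ServerAccessToken issued = null;
            try {
                issued = handler.createAccessToken(client, params);
            } catch (OAuthServiceException ex) {
                // Only relay the handler's own error bean when explicitly configured to;
                // otherwise fall through to a generic invalid_grant so provider-internal
                // detail is not leaked to the requesting client.
                OAuthError custom = ex.getError();
                if (this.writeCustomErrors && custom != null) {
                    return createErrorResponseFromBean(custom);
                }
            }
            if (issued == null) {
                return createErrorResponse(params, OAuthConstants.INVALID_GRANT);
            }
            // RFC 6749 §5.1: token responses must not be cached by any intermediary.
            return Response.ok(toClientToken(issued))
                .header("Cache-Control", "no-store")
                .header(HttpHeaders.PRAGMA, "no-cache")
                .build();
        } catch (OAuthServiceException ex) {
            // Raised by checkAudience (or a findGrantHandler override); a null error bean
            // yields a 400 with an empty body.
            return createErrorResponseFromBean(ex.getError());
        }
    }

    /**
     * Copies the client-visible fields of a freshly issued token. {@code expires_in}, the
     * approved scope and any extra parameters are included only when
     * {@code isWriteOptionalParameters()} is set; a missing scope list is treated as empty.
     */
    private ClientAccessToken toClientToken(ServerAccessToken issued) {
        ClientAccessToken visible = new ClientAccessToken(issued.getTokenType(), issued.getTokenKey());
        visible.setRefreshToken(issued.getRefreshToken());
        if (isWriteOptionalParameters()) {
            visible.setExpiresIn(issued.getExpiresIn());
            List<OAuthPermission> scopes = issued.getScopes();
            if (scopes != null && !scopes.isEmpty()) {
                visible.setApprovedScope(OAuthUtils.convertPermissionsToScope(scopes));
            }
            visible.setParameters(issued.getParameters());
        }
        return visible;
    }

    /**
     * Resolves and authenticates the requesting client, trying in order:
     * <ol>
     *   <li>{@code client_id}/{@code client_secret} form parameters, if {@code client_id} is
     *       present (an {@code Authorization} header is then ignored);</li>
     *   <li>a principal already established by the container — its name is taken as the
     *       client id for Basic authentication, otherwise a {@code client_id} property that
     *       an upstream filter placed in the message context;</li>
     *   <li>an HTTP Basic {@code Authorization} header parsed here.</li>
     * </ol>
     * Any outcome that does not yield a client throws the 401 built by
     * {@link ExceptionUtils#toNotAuthorizedException}.
     */
    private Client authenticateClientIfNeeded(MultivaluedMap<String, String> params) {
        Client client = null;
        SecurityContext securityContext = getMessageContext().getSecurityContext();
        if (params.containsKey(OAuthConstants.CLIENT_ID)) {
            client = getAndValidateClient(params.getFirst(OAuthConstants.CLIENT_ID),
                                          params.getFirst(OAuthConstants.CLIENT_SECRET));
        } else if (securityContext.getUserPrincipal() != null) {
            // The container has already authenticated the caller; its result is trusted
            // and no secret is re-checked here.
            Principal principal = securityContext.getUserPrincipal();
            if ("Basic".equalsIgnoreCase(securityContext.getAuthenticationScheme())) {
                client = getClient(principal.getName());
            } else {
                Object contextClientId = getMessageContext().get(OAuthConstants.CLIENT_ID);
                if (contextClientId != null) {
                    client = getClient(contextClientId.toString());
                }
            }
        } else {
            // No container principal: parse the Authorization header ourselves. The length
            // guards turn a missing or malformed header into a 401 instead of an
            // ArrayIndexOutOfBounds / NullPointerException (what the helpers return for an
            // absent header is not visible here).
            String[] authParts = AuthorizationUtils.getAuthorizationParts(getMessageContext());
            if (authParts != null && authParts.length == 2 && "Basic".equalsIgnoreCase(authParts[0])) {
                String[] basicParts = AuthorizationUtils.getBasicAuthParts(authParts[1]);
                if (basicParts != null && basicParts.length == 2) {
                    client = getAndValidateClient(basicParts[0], basicParts[1]);
                }
            }
        }
        if (client == null) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
        return client;
    }

    /**
     * Looks up {@code clientId} and checks {@code suppliedSecret} against the registered one.
     *
     * <p>A public client (not confidential, no registered secret) is accepted with no secret
     * only when {@link #isCanSupportPublicClients()} is true. Every other case requires both
     * secrets to be present and equal; the comparison is constant-time so a remote caller
     * cannot use response timing to recover the secret. The returned record's id is also
     * re-checked against the requested one, guarding against a data provider that returns
     * the wrong client.
     *
     * @throws the 401 built by {@link ExceptionUtils#toNotAuthorizedException} on any mismatch
     */
    private Client getAndValidateClient(String clientId, String suppliedSecret) {
        Client client = getClient(clientId);
        if (client == null) {
            // getClient normally throws on failure; a null return is treated the same way.
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
        String registeredSecret = client.getClientSecret();
        if (this.canSupportPublicClients
            && !client.isConfidential()
            && registeredSecret == null
            && suppliedSecret == null) {
            return client;
        }
        if (suppliedSecret == null
            || registeredSecret == null
            || !client.getClientId().equals(clientId)
            || !secretsMatch(registeredSecret, suppliedSecret)) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
        return client;
    }

    /**
     * Constant-time equality for client secrets. Unlike {@link String#equals}, which returns
     * at the first differing character, {@link MessageDigest#isEqual} examines every byte of
     * equal-length inputs; a length mismatch is its only early exit. Both arguments must be
     * non-null.
     */
    private static boolean secretsMatch(String registered, String supplied) {
        return MessageDigest.isEqual(registered.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Enforces the configured audience restriction, if any.
     *
     * <p>Does nothing when no audiences are configured. Otherwise the {@code audience} form
     * parameter must be present, parse as a {@link URL}, and equal one of the configured
     * values exactly (plain string equality, no normalisation of scheme, host or path).
     *
     * @throws OAuthServiceException {@code invalid_request} if the parameter is missing or
     *         not a well-formed URL; {@code access_denied} if it is not on the configured list
     */
    protected void checkAudience(MultivaluedMap<String, String> params) {
        if (this.audiences.isEmpty()) {
            return;
        }
        String audience = params.getFirst(OAuthConstants.CLIENT_AUDIENCE);
        if (audience == null) {
            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
        }
        try {
            new URL(audience); // result unused: only checked for syntactic validity
        } catch (MalformedURLException ex) {
            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
        }
        if (!this.audiences.contains(audience)) {
            throw new OAuthServiceException(new OAuthError(OAuthConstants.ACCESS_DENIED));
        }
    }

    /**
     * Selects the handler for the request's {@code grant_type}.
     *
     * <p>Configured handlers are tried in list order; the first whose
     * {@link AccessTokenGrantHandler#getSupportedGrantTypes()} contains the grant wins. When
     * no handlers are configured at all, a default {@link AuthorizationCodeGrantHandler} is
     * created per request and wired to this service's data provider.
     *
     * @return the matching handler, or {@code null} when {@code grant_type} is absent or no
     *         handler supports it (the caller answers {@code unsupported_grant_type})
     * @throws ClassCastException on the fallback path if the configured data provider is not
     *         an {@link AuthorizationCodeDataProvider} — a deployment error, surfaced loudly
     */
    protected AccessTokenGrantHandler findGrantHandler(MultivaluedMap<String, String> params) {
        String grantType = params.getFirst(OAuthConstants.GRANT_TYPE);
        if (grantType == null) {
            return null;
        }
        for (AccessTokenGrantHandler candidate : this.grantHandlers) {
            if (candidate.getSupportedGrantTypes().contains(grantType)) {
                return candidate;
            }
        }
        if (!this.grantHandlers.isEmpty()) {
            return null;
        }
        AuthorizationCodeGrantHandler fallback = new AuthorizationCodeGrantHandler();
        if (!fallback.getSupportedGrantTypes().contains(grantType)) {
            return null;
        }
        fallback.setDataProvider((AuthorizationCodeDataProvider) super.getDataProvider());
        return fallback;
    }

    /** Builds a 400 response carrying an {@link OAuthError} with the given error code. */
    protected Response createErrorResponse(MultivaluedMap<String, String> params, String errorCode) {
        return createErrorResponseFromBean(new OAuthError(errorCode));
    }

    /** Serialises {@code error} (may be {@code null}, giving an empty body) with HTTP 400. */
    protected Response createErrorResponseFromBean(OAuthError error) {
        return Response.status(400).entity(error).build();
    }

    /**
     * Loads the client registration for {@code clientId}, converting lookup failures into a
     * 401 {@code invalid_client} JSON response via {@link #reportInvalidClient} so the caller
     * learns nothing beyond "not a valid client".
     *
     * @return the client; the {@code return null} statements are reachable only if the
     *         inherited {@code reportInvalidRequestError} (not visible here) returns normally
     */
    protected Client getClient(String clientId) {
        if (clientId == null) {
            reportInvalidRequestError("Client ID is null");
            return null;
        }
        Client client = null;
        try {
            client = getValidClient(clientId);
        } catch (OAuthServiceException ex) {
            // A provider-supplied error bean is relayed; an exception without one falls
            // through to the generic invalid_client report below.
            if (ex.getError() != null) {
                reportInvalidClient(ex.getError());
                return null;
            }
        }
        if (client == null) {
            reportInvalidClient();
        }
        return client;
    }

    /** Rejects the request with the generic {@code invalid_client} error. */
    protected void reportInvalidClient() {
        reportInvalidClient(new OAuthError(OAuthConstants.INVALID_CLIENT));
    }

    /**
     * Rejects the request with HTTP 401 and a JSON {@code error} body, as RFC 6749 §5.2
     * prescribes for {@code invalid_client}. Always throws.
     */
    protected void reportInvalidClient(OAuthError error) {
        Response body = JAXRSUtils.toResponseBuilder(401)
            .type(MediaType.APPLICATION_JSON_TYPE)
            .entity(error)
            .build();
        throw ExceptionUtils.toNotAuthorizedException(null, body);
    }

    /**
     * Enables id-only authentication for public clients (see {@link #getAndValidateClient}
     * conditions). Leave off unless public clients are genuinely needed.
     */
    public void setCanSupportPublicClients(boolean canSupportPublicClients) {
        this.canSupportPublicClients = canSupportPublicClients;
    }

    /** Whether public clients may authenticate without a secret. */
    public boolean isCanSupportPublicClients() {
        return this.canSupportPublicClients;
    }

    /** The live audience list (not a copy). */
    public List<String> getAudiences() {
        return this.audiences;
    }

    /** Replaces the accepted-audience list; an empty list disables {@link #checkAudience}. */
    public void setAudiences(List<String> audiences) {
        this.audiences = audiences;
    }
}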
