package net.trajano.ms.example.authz;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.DefaultJOSEProcessor;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SimpleSecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiParam;
import java.io.IOException;
import java.net.URI;
import java.text.ParseException;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Date;
import javax.annotation.security.PermitAll;
import javax.validation.constraints.NotNull;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.UriBuilderException;
import net.trajano.ms.common.oauth.ClientValidator;
import net.trajano.ms.common.oauth.GrantTypes;
import net.trajano.ms.common.oauth.IdTokenResponse;
import net.trajano.ms.common.oauth.OAuthTokenResponse;
import net.trajano.ms.vertx.beans.TokenGenerator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Component;

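@Api
@Path("/token")
@PermitAll
@Configuration
@Component
/* loaded from: input_file:net/trajano/ms/example/authz/TokenResource.class */
/**
 * OAuth 2.0 token endpoint ({@code POST /token}, form-encoded request, JSON response).
 *
 * <p>Every request must authenticate the client with HTTP Basic credentials; the
 * {@code grant_type} then selects one of three handlers: refresh token, authorization
 * code, or JWT bearer assertion (RFC 7523). Issued tokens are handed to the
 * {@link TokenCache}, which produces the actual response body.
 *
 * <p>This listing was recovered from a compiled class (see the "loaded from" marker
 * above); the collaborators it depends on ({@code ClientValidator},
 * {@code InternalClaimsBuilder}, {@code TokenCache}, {@code TokenGenerator},
 * {@code HttpAuthorizationHeaders}) are not visible here, so their exact contracts are
 * only inferred where noted.
 */
public class TokenResource {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) TokenResource.class);

    /** Validates client_id/secret for a grant type and knows each client's JWKS URI. */
    @Autowired
    private ClientValidator clientValidator;

    /** Maps the claims of a verified assertion onto the claims of the internal token. */
    @Autowired
    private InternalClaimsBuilder internalClaimsBuilder;

    /** Issuer written into every internal JWT this endpoint creates. */
    @Value("${issuer}")
    private URI issuer;

    /** Lifetime of an internal JWT issued via the assertion grant; default 24h. */
    @Value("${token.jwtMaximumLifetime:86400}")
    private int jwtMaximumLifetimeInSeconds;

    /** Realm advertised in the {@code WWW-Authenticate: Basic} challenge. */
    @Value("${realmName:client_credentials}")
    private String realmName;

    @Autowired
    private TokenCache tokenCache;

    /** Source of unpredictable token / {@code jti} values. */
    @Autowired
    private TokenGenerator tokenGenerator;

    /**
     * Authenticates the client, then dispatches on {@code grant_type}.
     *
     * <p>Client authentication happens before any grant-specific parameter is looked at,
     * so an unauthenticated caller cannot probe codes, refresh tokens or assertions.
     * The two 401 responses deliberately use the same error code; whether the client
     * validator itself distinguishes an unknown client from a wrong secret in timing
     * cannot be seen from here.
     *
     * <p>NOTE(review): {@code allowableValues} on the Swagger annotation lists only two
     * grant types although {@code GrantTypes.JWT_ASSERTION} is accepted as well; the
     * literal value of that constant is not visible here, so it is left as is.
     *
     * @param grantType     one of the {@link GrantTypes} constants (required)
     * @param code          authorization code, for the authorization_code grant
     * @param assertion     compact JWS, for the JWT assertion grant
     * @param refreshToken  refresh token, for the refresh_token grant
     * @param authorization the {@code Authorization} header carrying Basic credentials
     * @return the token response produced by the selected handler
     * @throws the exception built by {@code OAuthTokenResponse.unauthorized} (401) when
     *         credentials are missing or invalid, and by
     *         {@code OAuthTokenResponse.badRequest} (400) for an unknown grant type
     */
    @POST
    @Produces({"application/json"})
    @Consumes({"application/x-www-form-urlencoded"})
    public OAuthTokenResponse dispatch(@FormParam("grant_type") @NotNull @ApiParam(allowableValues = "refresh_token, authorization_code") String grantType, @FormParam("code") String code, @FormParam("assertion") String assertion, @FormParam("refresh_token") String refreshToken, @HeaderParam("Authorization") String authorization) {
        final String[] credentials = HttpAuthorizationHeaders.parseBasicAuthorization(authorization);
        if (credentials == null) {
            throw OAuthTokenResponse.unauthorized("unauthorized_client", "Missing credentials", basicChallenge());
        }
        final String clientId = credentials[0];
        final String clientSecret = credentials[1];
        if (!this.clientValidator.isValid(grantType, clientId, clientSecret)) {
            throw OAuthTokenResponse.unauthorized("unauthorized_client", "Unauthorized client", basicChallenge());
        }
        if (GrantTypes.REFRESH_TOKEN.equals(grantType)) {
            return handleRefreshGrant(refreshToken, clientId);
        }
        if (GrantTypes.AUTHORIZATION_CODE.equals(grantType)) {
            return handleAuthorizationCodeGrant(code, clientId);
        }
        if (GrantTypes.JWT_ASSERTION.equals(grantType)) {
            return handleJwtAssertionGrant(assertion, clientId);
        }
        throw OAuthTokenResponse.badRequest("invalid_grant", "Invalid grant");
    }

    /** Builds the {@code WWW-Authenticate} challenge value for the configured realm. */
    private String basicChallenge() {
        return String.format("Basic realm=\"%s\", encoding=\"UTF-8\"", this.realmName);
    }

    /**
     * authorization_code grant: exchanges a code for the token response cached under it.
     *
     * <p>The code is looked up together with the authenticated client id, so a code issued
     * to one client cannot be redeemed by another (assuming {@code TokenCache.get} keys on
     * both, which is how it is called here).
     *
     * @param code     the {@code code} form parameter; {@code null} yields 400
     * @param clientId the authenticated client
     */
    private IdTokenResponse handleAuthorizationCodeGrant(final String code, @NotNull final String clientId) {
        if (code == null) {
            // The missing parameter is the authorization code, not an access token.
            throw OAuthTokenResponse.badRequest("invalid_request", "Missing authorization code");
        }
        return this.tokenCache.get(code, clientId);
    }

    /**
     * JWT bearer assertion grant (RFC 7523): verifies the assertion's signature against
     * the JWKS registered for the authenticated client, checks its validity window, and
     * issues an internal JWT derived from its claims.
     *
     * <p>Security notes:
     * <ul>
     *   <li>The JWS algorithm is pinned to RS512 by the key selector, so the assertion's
     *       own {@code alg} header cannot downgrade verification.</li>
     *   <li>The JWKS URI comes from {@code ClientValidator}, i.e. from client
     *       configuration, and must never be taken from the request: it is fetched over
     *       the network.</li>
     *   <li>{@code DefaultJOSEProcessor} verifies only the signature. The {@code exp} /
     *       {@code nbf} checks required by RFC 7523 §3 are enforced here in
     *       {@link #rejectIfNotCurrentlyValid}; whether {@code InternalClaimsBuilder}
     *       also validates the assertion's {@code iss} / {@code aud} cannot be seen from
     *       here — confirm before relying on it.</li>
     *   <li>A new {@code RemoteJWKSet} is built per request, so each assertion grant
     *       may trigger a JWKS fetch; caching one instance per JWKS URI would avoid
     *       that load on the client's key endpoint.</li>
     * </ul>
     *
     * @param assertion the compact-serialised JWS; {@code null} yields 400
     * @param clientId  the authenticated client, also used as the audience of the
     *                  issued internal token
     */
    private OAuthTokenResponse handleJwtAssertionGrant(final String assertion, final String clientId) {
        if (assertion == null) {
            throw OAuthTokenResponse.badRequest("invalid_request", "Missing Assertion");
        }
        try {
            final DefaultJOSEProcessor<SimpleSecurityContext> processor = new DefaultJOSEProcessor<>();
            processor.setJWSKeySelector(new JWSVerificationKeySelector<>(
                JWSAlgorithm.RS512,
                new RemoteJWKSet<>(this.clientValidator.getJwksUri(clientId).toURL())));

            // process() returns the verified payload; it is only trusted past this point.
            final JWTClaimsSet assertionClaims = JWTClaimsSet.parse(
                processor.process(assertion, new SimpleSecurityContext()).toString());

            // One timestamp for the validity check, iat and exp so they agree exactly.
            final Instant now = Instant.now();
            rejectIfNotCurrentlyValid(assertionClaims, now);

            final JWTClaimsSet internalClaims = this.internalClaimsBuilder
                .buildInternalJWTClaimsSet(assertionClaims)
                .issuer(this.issuer.toASCIIString())
                .audience(clientId)
                .jwtID(this.tokenGenerator.newToken())
                .issueTime(Date.from(now))
                .expirationTime(Date.from(now.plus(this.jwtMaximumLifetimeInSeconds, ChronoUnit.SECONDS)))
                .build();

            if (internalClaims.getSubject() == null) {
                // Log the token id only; the full claims set may carry user data.
                LOG.error("Subject is missing from internal claims set with jti {}", internalClaims.getJWTID());
                throw OAuthTokenResponse.internalServerError("Subject is missing from the resulting claims set.");
            }
            return this.tokenCache.store(internalClaims);
        } catch (JOSEException | IOException | IllegalArgumentException | UriBuilderException e) {
            // Key resolution / JWKS retrieval problems are server-side failures.
            throw OAuthTokenResponse.internalServerError(e);
        } catch (BadJOSEException | ParseException e) {
            // Bad signature, unknown key or malformed token: the client's problem.
            // The detail is intentionally not echoed back.
            throw OAuthTokenResponse.badRequest("invalid_request", "Unable to parse assertion");
        }
    }

    /**
     * Enforces the time-based requirements RFC 7523 §3 places on an assertion:
     * {@code exp} is mandatory and must not have passed; {@code nbf}, when present,
     * must not lie in the future. No clock-skew allowance is applied.
     *
     * @param assertionClaims claims of an assertion whose signature has been verified
     * @param now             the instant to evaluate the window against
     * @throws the exception built by {@code OAuthTokenResponse.badRequest} with error
     *         {@code invalid_grant} when the assertion is outside its validity window
     */
    private static void rejectIfNotCurrentlyValid(final JWTClaimsSet assertionClaims, final Instant now) {
        final Date expiration = assertionClaims.getExpirationTime();
        if (expiration == null) {
            throw OAuthTokenResponse.badRequest("invalid_grant", "Assertion has no expiration time");
        }
        if (!expiration.toInstant().isAfter(now)) {
            throw OAuthTokenResponse.badRequest("invalid_grant", "Assertion has expired");
        }
        final Date notBefore = assertionClaims.getNotBeforeTime();
        if (notBefore != null && notBefore.toInstant().isAfter(now)) {
            throw OAuthTokenResponse.badRequest("invalid_grant", "Assertion is not yet valid");
        }
    }

    /**
     * refresh_token grant: rotates the cached token for the authenticated client.
     *
     * @param refreshToken the {@code refresh_token} form parameter; {@code null} yields 400
     * @param clientId     the authenticated client, passed so the cache can bind the
     *                     refresh token to the client it was issued to
     */
    private OAuthTokenResponse handleRefreshGrant(final String refreshToken, @NotNull final String clientId) {
        if (refreshToken == null) {
            throw OAuthTokenResponse.badRequest("invalid_request", "Missing refresh token");
        }
        return this.tokenCache.refresh(refreshToken, clientId);
    }
}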
