package net.trajano.ms.authz;

import io.swagger.annotations.Api;
import io.swagger.annotations.ApiParam;
import java.net.URI;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.annotation.security.PermitAll;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import net.trajano.ms.auth.spi.ClientValidator;
import net.trajano.ms.auth.token.GrantTypes;
import net.trajano.ms.auth.token.IdTokenResponse;
import net.trajano.ms.auth.token.OAuthTokenResponse;
import net.trajano.ms.auth.util.HttpAuthorizationHeaders;
import net.trajano.ms.authz.internal.TokenCache;
import net.trajano.ms.authz.spi.InternalClaimsBuilder;
import net.trajano.ms.core.CryptoOps;
import net.trajano.ms.core.ErrorCodes;
import net.trajano.ms.core.ErrorResponses;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Component;

@Api
@Path("/token")
@PermitAll
@Configuration
@Component
/* loaded from: input_file:BOOT-INF/lib/ms-common-auth-1.1.0.jar:net/trajano/ms/authz/TokenResource.class */
public class TokenResource {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) TokenResource.class);

    @Autowired
    private ClientValidator clientValidator;

    @Autowired
    private CryptoOps cryptoOps;

    @Autowired
    private InternalClaimsBuilder internalClaimsBuilder;

    @Value("${issuer}")
    private URI issuer;
    private final ConcurrentMap<URI, HttpsJwks> jwksMap = new ConcurrentHashMap();

    @Value("${token.jwtMaximumLifetime:86400}")
    private int jwtMaximumLifetimeInSeconds;

    @Value("${realmName:client_credentials}")
    private String realmName;

    @Autowired
    private TokenCache tokenCache;

    @POST
    @Produces({"application/json"})
    @Consumes({"application/x-www-form-urlencoded"})
    public OAuthTokenResponse dispatch(@FormParam("grant_type") @ApiParam(allowableValues = "refresh_token, authorization_code") String str, @FormParam("code") String str2, @FormParam("assertion") String str3, @FormParam("aud") String str4, @FormParam("refresh_token") String str5, @FormParam("jwks_uri") URI uri, @HeaderParam("Authorization") String str6) {
        String[] parseBasicAuthorization = HttpAuthorizationHeaders.parseBasicAuthorization(str6);
        String str7 = parseBasicAuthorization[0];
        if (!this.clientValidator.isValid(str, str7, parseBasicAuthorization[1])) {
            throw ErrorResponses.unauthorized(ErrorCodes.UNAUTHORIZED_CLIENT, "Unauthorized client", String.format("Basic realm=\"%s\", encoding=\"UTF-8\"", this.realmName));
        }
        if (GrantTypes.REFRESH_TOKEN.equals(str)) {
            return handleRefreshGrant(str5, str7);
        }
        if (GrantTypes.AUTHORIZATION_CODE.equals(str)) {
            return handleAuthorizationCodeGrant(str2);
        }
        if (GrantTypes.JWT_ASSERTION.equals(str)) {
            return handleJwtAssertionGrant(str3, str7, str4);
        }
        throw ErrorResponses.badRequest(ErrorCodes.UNSUPPORT_GRANT_TYPE, "Invalid grant type");
    }

    private IdTokenResponse handleAuthorizationCodeGrant(String str) {
        if (str == null) {
            throw ErrorResponses.invalidRequest("Missing access token");
        }
        IdTokenResponse idTokenResponse = this.tokenCache.get(str);
        if (idTokenResponse == null) {
            throw ErrorResponses.unauthorized(ErrorCodes.UNAUTHORIZED_CLIENT, "Access token was not valid", "Bearer");
        }
        return idTokenResponse;
    }

    private OAuthTokenResponse handleJwtAssertionGrant(String str, String str2, String str3) {
        if (str == null) {
            throw ErrorResponses.badRequest(ErrorCodes.INVALID_REQUEST, "Missing assertion");
        }
        if (str2 == null) {
            throw ErrorResponses.badRequest(ErrorCodes.INVALID_REQUEST, "Missing client_id");
        }
        try {
            URI jwksUri = this.clientValidator.getJwksUri(str2);
            LOG.debug("jwksUri={}", jwksUri);
            HttpsJwks httpsJwks = null;
            if (jwksUri != null) {
                httpsJwks = this.jwksMap.computeIfAbsent(jwksUri, uri -> {
                    return new HttpsJwks(uri.toASCIIString());
                });
            }
            JwtConsumerBuilder jwtConsumerBuilder = new JwtConsumerBuilder();
            if (httpsJwks == null) {
                jwtConsumerBuilder.setDisableRequireSignature().setSkipSignatureVerification();
            } else {
                jwtConsumerBuilder.setVerificationKeyResolver(new HttpsJwksVerificationKeyResolver(httpsJwks));
            }
            if (str3 == null) {
                jwtConsumerBuilder.setExpectedAudience(str2);
            } else {
                jwtConsumerBuilder.setExpectedAudience(str2, str3);
            }
            JwtClaims buildInternalJWTClaimsSet = this.internalClaimsBuilder.buildInternalJWTClaimsSet(jwtConsumerBuilder.build().processToClaims(str));
            if (buildInternalJWTClaimsSet.getSubject() == null) {
                LOG.error("Subject is missing from {}", buildInternalJWTClaimsSet);
                throw ErrorResponses.internalServerError("Subject is missing from the resulting claims set.");
            }
            buildInternalJWTClaimsSet.setGeneratedJwtId();
            buildInternalJWTClaimsSet.setIssuer(this.issuer.toASCIIString());
            if (str3 == null) {
                buildInternalJWTClaimsSet.setAudience(str2);
            } else {
                buildInternalJWTClaimsSet.setAudience(str2, str3);
            }
            buildInternalJWTClaimsSet.setIssuedAtToNow();
            Instant plus = Instant.now().plus(this.jwtMaximumLifetimeInSeconds, (TemporalUnit) ChronoUnit.SECONDS);
            buildInternalJWTClaimsSet.setExpirationTime(NumericDate.fromMilliseconds(plus.toEpochMilli()));
            return this.tokenCache.store(this.cryptoOps.sign(buildInternalJWTClaimsSet), buildInternalJWTClaimsSet.getAudience(), plus);
        } catch (MalformedClaimException | InvalidJwtException e) {
            LOG.error("Unable to parse assertion", e);
            throw ErrorResponses.badRequest(ErrorCodes.INVALID_REQUEST, "Unable to parse assertion");
        }
    }

    private OAuthTokenResponse handleRefreshGrant(String str, String str2) {
        if (str == null) {
            throw ErrorResponses.badRequest(ErrorCodes.INVALID_REQUEST, "Missing refresh token");
        }
        return this.tokenCache.refresh(str, str2);
    }
}
