package net.trajano.ms.authz;

import io.swagger.annotations.Api;
import java.net.URI;
import javax.annotation.security.PermitAll;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;
import net.trajano.ms.auth.token.GrantTypes;
import net.trajano.ms.auth.util.AuthorizationType;
import net.trajano.ms.auth.util.HttpAuthorizationHeaders;
import net.trajano.ms.authz.internal.TokenCache;
import net.trajano.ms.authz.internal.TokenCacheEntry;
import net.trajano.ms.authz.spi.ClientValidator;
import net.trajano.ms.core.ErrorResponses;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

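/**
 * JAX-RS resource mounted at {@code /check} that lets a caller verify client
 * credentials against the configured {@link ClientValidator}.
 *
 * <p>The class is annotated {@code @PermitAll}, so the container applies no
 * role check here. Every decision in this resource therefore rests on the
 * {@code Authorization} value supplied by the caller and on what
 * {@link ClientValidator} and {@link TokenCache} report for it.
 *
 * <p>Credential values (the {@code Authorization} header or request field)
 * must never be written to the log: a Basic value carries the client secret
 * and a Bearer value carries a usable access token.
 */
@Api
@Path("/check")
@PermitAll
@Component
/* loaded from: input_file:BOOT-INF/lib/ms-common-auth-1.1.18.jar:net/trajano/ms/authz/ClientCheckResource.class */
public class ClientCheckResource {
    private static final Logger LOG = LoggerFactory.getLogger(ClientCheckResource.class);

    @Autowired
    private ClientValidator clientValidator;

    @Autowired
    private TokenCache tokenCache;

    /**
     * Returns the OpenID redirect URI registered for the client identified by
     * the {@code Authorization} header.
     *
     * @param str raw value of the {@code Authorization} request header
     * @return the redirect URI in ASCII form, as {@code text/plain}
     * @throws RuntimeException the error produced by
     *         {@link ErrorResponses#invalidAuthorization()} when the validator
     *         rejects the header for the {@code OPENID} grant type
     */
    @GET
    @Produces({"text/plain"})
    @Path("/openid-redirect-uri")
    public String redirectUri(@HeaderParam("Authorization") String str) {
        // Log only whether a header was supplied. The header value itself is a
        // credential and must not reach log files or log aggregation.
        LOG.debug("redirect URI requested, authorization header present={}", str != null);
        if (!this.clientValidator.isValid(GrantTypes.OPENID, str)) {
            throw ErrorResponses.invalidAuthorization();
        }
        return this.clientValidator.getRedirectUriFromAuthorization(str).toASCIIString();
    }

    /**
     * Checks whether the origin in the request is allowed for the client
     * identified by the request's authorization value.
     *
     * <p>For a Basic authorization the origin is checked directly against the
     * client credentials. For a Bearer authorization the token is looked up in
     * the {@link TokenCache} and the origin is checked against the first
     * audience of the cached entry. Any other authorization type is rejected
     * with the same "Invalid Origin for Client" error as a disallowed origin.
     *
     * @param clientCheckRequest JSON body carrying the origin and the
     *        authorization value to check
     * @return an empty {@code 204 No Content} response when the origin is allowed
     * @throws RuntimeException the error produced by
     *         {@link ErrorResponses#invalidRequest(String)} when the request is
     *         incomplete, the origin is not a valid URI, the bearer token is
     *         not in the cache, or the origin is not allowed
     */
    @POST
    @Consumes({"application/json"})
    public Response validateClient(ClientCheckRequest clientCheckRequest) {
        // A missing body or missing fields would otherwise surface as a
        // NullPointerException (HTTP 500) on this unauthenticated endpoint.
        if (clientCheckRequest == null
                || clientCheckRequest.getOrigin() == null
                || clientCheckRequest.getAuthorization() == null) {
            throw ErrorResponses.invalidRequest("origin and authorization are required");
        }
        final String origin = clientCheckRequest.getOrigin();

        boolean originAllowed = false;
        final AuthorizationType authorizationType =
                HttpAuthorizationHeaders.getAuthorizationType(clientCheckRequest.getAuthorization());
        if (authorizationType == AuthorizationType.BASIC) {
            final URI originUri;
            try {
                originUri = URI.create(origin);
            } catch (IllegalArgumentException ignored) {
                // The origin is caller-controlled text; a malformed value is a
                // client error, not a server fault. The value is deliberately
                // not echoed into the log.
                LOG.debug("client check rejected: origin is not a valid URI");
                throw ErrorResponses.invalidRequest("Invalid Origin for Client");
            }
            originAllowed = this.clientValidator.isOriginAllowedFromAuthorization(
                    originUri, clientCheckRequest.getAuthorization());
        } else if (authorizationType == AuthorizationType.BEARER) {
            final TokenCacheEntry cacheEntry = this.tokenCache.getCacheEntry(
                    HttpAuthorizationHeaders.parseBeaerAuthorization(clientCheckRequest.getAuthorization()));
            if (cacheEntry == null) {
                throw ErrorResponses.invalidRequest("access_token is not valid");
            }
            // NOTE(review): only the first audience is consulted, and an entry
            // with no audiences would make iterator().next() throw. Confirm
            // that cache entries always carry exactly one audience.
            originAllowed = this.clientValidator.isOriginAllowed(
                    cacheEntry.getAudiences().iterator().next(), origin);
        }

        if (!originAllowed) {
            throw ErrorResponses.invalidRequest("Invalid Origin for Client");
        }
        return Response.noContent().build();
    }
}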
