package de.adorsys.sts.token.tokenexchange;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import de.adorsys.sts.keymanagement.service.KeyManagementService;
import de.adorsys.sts.resourceserver.model.ResourceServerAndSecret;
import de.adorsys.sts.resourceserver.processing.ResourceServerProcessor;
import de.adorsys.sts.token.InvalidParameterException;
import de.adorsys.sts.token.JwtClaimSetHelper;
import de.adorsys.sts.token.MissingParameterException;
import de.adorsys.sts.token.api.TokenResponse;
import de.adorsys.sts.tokenauth.BearerToken;
import de.adorsys.sts.tokenauth.BearerTokenValidator;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import org.adorsys.encobject.userdata.ObjectMapperSPI;
import org.adorsys.jjwk.serverkey.KeyAndJwk;
import org.adorsys.jjwk.serverkey.KeyConverter;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:BOOT-INF/lib/sts-token-0.26.2.jar:de/adorsys/sts/token/tokenexchange/TokenExchangeService.class */
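/**
 * Implements the OAuth 2.0 token exchange grant (draft-ietf-oauth-token-exchange-08) for JWT tokens.
 *
 * <p>A caller presents a validated {@code subject_token} (and optionally an {@code actor_token}) and
 * receives a freshly signed JWT whose subject, expiry and not-before are copied from the subject
 * token. The new token never outlives the subject token, and its {@code scp} claim is restricted to
 * the roles the subject token already grants. Resource-server secrets are added as encrypted claims
 * by the configured {@link ResourceServerProcessor}.
 *
 * <p>Thread-safety: all fields are final and the service holds no mutable state of its own;
 * whether the collaborators are thread-safe is not visible here.
 */
public class TokenExchangeService {
    /** The only token type this version accepts as input and produces as output. */
    private static final String JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt";

    private final ResourceServerProcessor resourceServerProcessor;
    private final KeyManagementService keyManager;
    private final BearerTokenValidator bearerTokenValidator;
    private final ObjectMapperSPI mapper;

    /**
     * Creates the service with its collaborators.
     *
     * @param resourceServerProcessor resolves requested resources/audiences to resource servers and their secrets
     * @param keyManagementService supplies the signing key for issued tokens
     * @param bearerTokenValidator parses and validates incoming subject and actor tokens
     * @param objectMapperSPI object mapper handed to {@link JwtClaimSetHelper#handleResources}
     */
    public TokenExchangeService(ResourceServerProcessor resourceServerProcessor, KeyManagementService keyManagementService, BearerTokenValidator bearerTokenValidator, ObjectMapperSPI objectMapperSPI) {
        this.resourceServerProcessor = resourceServerProcessor;
        this.keyManager = keyManagementService;
        this.bearerTokenValidator = bearerTokenValidator;
        this.mapper = objectMapperSPI;
    }

    /**
     * Convenience overload that unpacks a {@link TokenExchangeRequest} and delegates to
     * {@link #exchangeToken(String, String[], String, String, String, String, String, String, String, String[])}.
     *
     * @param tokenExchangeRequest the parsed exchange request
     * @return the issued token response
     */
    public TokenResponse exchangeToken(TokenExchangeRequest tokenExchangeRequest) {
        return exchangeToken(tokenExchangeRequest.getGrantType(), tokenExchangeRequest.getResources(), tokenExchangeRequest.getSubjectToken(), tokenExchangeRequest.getSubjectTokenType(), tokenExchangeRequest.getActorToken(), tokenExchangeRequest.getActorTokenType(), tokenExchangeRequest.getIssuer(), tokenExchangeRequest.getScope(), tokenExchangeRequest.getRequestedTokenType(), tokenExchangeRequest.getAudiences());
    }

    /**
     * Validates the exchange request, then mints and signs a new JWT derived from the subject token.
     *
     * <p>Parameters are bound positionally, so renaming them from the decompiled {@code str}/{@code strArr}
     * names does not affect callers.
     *
     * @param grantType must equal {@link TokenResponse#TOKEN_EXCHANGE_GRANT_TYPE}
     * @param resources requested resources, forwarded to the resource-server processor (may be null)
     * @param subjectToken the token whose subject/expiry/roles the new token inherits (required)
     * @param subjectTokenType must be {@value #JWT_TOKEN_TYPE}
     * @param actorToken optional token of the acting party; when present, a nested {@code act} claim is emitted
     * @param actorTokenType required to be {@value #JWT_TOKEN_TYPE} whenever {@code actorToken} is non-blank
     * @param issuer value written to the {@code iss} claim of the new token
     * @param scope optional whitespace-separated scopes; the result is the intersection with the subject's roles
     * @param requestedTokenType must be blank or {@value #JWT_TOKEN_TYPE}
     * @param audiences requested audiences, forwarded to the resource-server processor (may be null)
     * @return the signed access token with its type, lifetime and effective scope
     * @throws InvalidParameterException when a parameter carries an unsupported value
     * @throws MissingParameterException when {@code subject_token} or {@code subject_token_type} is blank
     * @throws TokenValidationException when the subject or actor token fails validation or the subject token has no expiry
     */
    public TokenResponse exchangeToken(String grantType, String[] resources, String subjectToken, String subjectTokenType, String actorToken, String actorTokenType, String issuer, String scope, String requestedTokenType, String[] audiences) throws InvalidParameterException, MissingParameterException, TokenValidationException {
        validateRequestParameters(grantType, subjectToken, subjectTokenType, requestedTokenType);

        BearerToken subject = validatedBearerToken(subjectToken, "subject_token");
        JWTClaimsSet actorClaims = extractActorClaims(actorToken, actorTokenType);

        JWTClaimsSet subjectClaims = subject.getClaims();
        // The issued token inherits the subject's expiry; without one, expires_in could not be
        // computed (the original code dereferenced it unconditionally) and an unbounded token
        // would be minted, so refuse the exchange instead.
        if (subjectClaims.getExpirationTime() == null) {
            throw new TokenValidationException("Token in field subject_token carries no expiration time");
        }

        // NOTE(review): `iss` is taken straight from the request object — confirm that the caller
        // populates it from server configuration and not from client-supplied input.
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder()
                .subject(subjectClaims.getSubject())
                .expirationTime(subjectClaims.getExpirationTime())
                .issuer(issuer)
                .issueTime(new Date())
                .jwtID(UUID.randomUUID().toString())
                .notBeforeTime(subjectClaims.getNotBeforeTime())
                .claim("typ", TokenResponse.TOKEN_TYPE_BEARER)
                .claim("acr", subjectClaims.getClaim("acr"))
                .claim("role", "USER");

        // Scope narrowing: a requested scope can only select from roles the subject already holds.
        List<String> effectiveScopes = resolveScopes(subject.getRoles(), scope);
        if (!effectiveScopes.isEmpty()) {
            builder.claim("scp", effectiveScopes);
        }

        List<ResourceServerAndSecret> resolvedResources = this.resourceServerProcessor.processResources(audiences, resources);
        JWTClaimsSet.Builder withResources = JwtClaimSetHelper.handleResources(builder, resolvedResources, this.mapper);
        // Each resource server may carry an (already encrypted) user secret under a claim name of its choosing.
        for (ResourceServerAndSecret resource : resolvedResources) {
            String secretClaimName = resource.getResourceServer().getUserSecretClaimName();
            if (resource.hasEncryptedSecret() && StringUtils.isNotBlank(secretClaimName)) {
                withResources.claim(secretClaimName, resource.getEncryptedSecret());
            }
        }

        if (actorClaims != null) {
            withResources = withResources.claim("act", actorClaim(actorClaims));
        }

        JWTClaimsSet issuedClaims = withResources.build();
        SignedJWT signedJWT = sign(issuedClaims);

        TokenResponse tokenResponse = new TokenResponse();
        tokenResponse.setAccess_token(signedJWT.serialize());
        tokenResponse.setIssued_token_type(TokenResponse.ISSUED_TOKEN_TYPE_ACCESS_TOKEN);
        tokenResponse.setToken_type(TokenResponse.TOKEN_TYPE_BEARER);
        // Remaining lifetime in seconds, derived from the inherited expiry (non-null, checked above).
        tokenResponse.setExpires_in((int) ((issuedClaims.getExpirationTime().getTime() - new Date().getTime()) / 1000));
        // The response scope is null (not "") when nothing was granted, as before.
        tokenResponse.setScope(effectiveScopes.isEmpty() ? null : StringUtils.join(effectiveScopes, StringUtils.SPACE));
        return tokenResponse;
    }

    /** Checks the grant type, required fields and token types, in the same order as the original implementation. */
    private static void validateRequestParameters(String grantType, String subjectToken, String subjectTokenType, String requestedTokenType) throws InvalidParameterException, MissingParameterException {
        if (!StringUtils.equals(TokenResponse.TOKEN_EXCHANGE_GRANT_TYPE, grantType)) {
            throw new InvalidParameterException("Request parameter grant_type is missing or does not carry the value urn:ietf:params:oauth:grant-type:token-exchange. See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-08#section-2.1");
        }
        if (StringUtils.isBlank(subjectToken)) {
            throw new MissingParameterException("subject_token");
        }
        if (StringUtils.isBlank(subjectTokenType)) {
            throw new MissingParameterException("subject_token_type");
        }
        if (StringUtils.isNotBlank(requestedTokenType) && !StringUtils.equals(JWT_TOKEN_TYPE, requestedTokenType)) {
            throw new InvalidParameterException("Request parameter requested_token_type must be left blank or carry the value urn:ietf:params:oauth:token-type:jwt. Only JWT token types are supported by this version");
        }
        if (!StringUtils.equals(JWT_TOKEN_TYPE, subjectTokenType)) {
            throw new InvalidParameterException("Request parameter subject_token_type is missing or does not carry the value urn:ietf:params:oauth:token-type:jwt. Only JWT token types can be consumed by this version");
        }
    }

    /** Parses a bearer token and rejects it unless the validator reports it as valid. */
    private BearerToken validatedBearerToken(String token, String fieldName) throws TokenValidationException {
        BearerToken bearerToken = this.bearerTokenValidator.extract(token);
        if (!bearerToken.isValid()) {
            throw new TokenValidationException("Token in field " + fieldName + " does not seam to be a valid token");
        }
        return bearerToken;
    }

    /** Returns the validated actor token's claims, or null when no actor token was sent. */
    private JWTClaimsSet extractActorClaims(String actorToken, String actorTokenType) throws InvalidParameterException, TokenValidationException {
        if (StringUtils.isBlank(actorToken)) {
            return null;
        }
        if (!StringUtils.equals(JWT_TOKEN_TYPE, actorTokenType)) {
            throw new InvalidParameterException("The conditional parameter actor_token_type must be set when actor_token is sent and carry the value urn:ietf:params:oauth:token-type:jwt. Only JWT token types are supported by this version");
        }
        return validatedBearerToken(actorToken, "actor_token").getClaims();
    }

    /**
     * Computes the scopes to issue: all granted roles when no scope was requested, otherwise only the
     * requested scopes that are also granted roles. A null role list is treated as empty.
     */
    private static List<String> resolveScopes(List<String> grantedRoles, String requestedScope) {
        List<String> roles = grantedRoles == null ? Collections.<String>emptyList() : grantedRoles;
        if (StringUtils.isBlank(requestedScope)) {
            return roles;
        }
        List<String> narrowed = new ArrayList<>();
        // StringUtils.split with no separator splits on whitespace, as the OAuth scope syntax requires.
        for (String requested : StringUtils.split(requestedScope)) {
            if (roles.contains(requested)) {
                narrowed.add(requested);
            }
        }
        return narrowed;
    }

    /** Builds the {@code act} claim (subject, issuer and any nested actor chain) from the actor token. */
    private static Map<String, Object> actorClaim(JWTClaimsSet actorClaims) {
        Map<String, Object> act = new HashMap<>();
        act.put("sub", actorClaims.getSubject());
        act.put("iss", actorClaims.getIssuer());
        Object nestedActor = actorClaims.getClaim("act");
        if (nestedActor != null) {
            act.put("act", nestedActor);
        }
        return act;
    }

    /** Signs the claim set with a randomly chosen server signing key, advertising the key id in the header. */
    private SignedJWT sign(JWTClaimsSet claims) {
        KeyAndJwk signKey = this.keyManager.randomSignKey();
        JWSHeader header = new JWSHeader.Builder(KeyConverter.getJWSAlgo(signKey))
                .type(JOSEObjectType.JWT)
                .keyID(signKey.jwk.getKeyID())
                .build();
        SignedJWT signedJWT = new SignedJWT(header, claims);
        try {
            signedJWT.sign(KeyConverter.findSigner(signKey));
        } catch (JOSEException e) {
            // A signing failure is a server-side key problem, not a client error.
            throw new IllegalStateException(e);
        }
        return signedJWT;
    }
}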
