package com.bornium.security.oauth2openid.server.endpoints;

import com.bornium.http.Exchange;
import com.bornium.http.util.UriUtil;
import com.bornium.security.oauth2openid.Constants;
import com.bornium.security.oauth2openid.User;
import com.bornium.security.oauth2openid.Util;
import com.bornium.security.oauth2openid.providers.ConfigProvider;
import com.bornium.security.oauth2openid.providers.Session;
import com.bornium.security.oauth2openid.responsegenerators.CombinedResponseGenerator;
import com.bornium.security.oauth2openid.server.ServerServices;
import com.bornium.security.oauth2openid.server.TokenContext;
import com.bornium.security.oauth2openid.token.Token;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/* loaded from: input_file:WEB-INF/lib/oauth2-openid-1.2.0.jar:com/bornium/security/oauth2openid/server/endpoints/TokenEndpoint.class */
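/**
 * OAuth 2.0 token endpoint ({@link Constants#ENDPOINT_TOKEN}).
 *
 * <p>Handles the grant types listed in {@link #SUPPORTED_GRANT_TYPES}:
 * {@code authorization_code}, {@code password}, client credentials,
 * {@code refresh_token} and the device-code grant. {@link #invokeOn(Exchange)}
 * identifies and (where required) authenticates the client, validates the
 * presented grant and the requested scope, records the validated values in the
 * request's {@link Session} and then delegates token generation to
 * {@link CombinedResponseGenerator}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Client authentication via HTTP Basic is preferred; a {@code client_secret}
 *       in the body is accepted as a fallback for confidential clients. Only Basic
 *       authentication marks the client as "authenticated", which the
 *       client-credentials grant requires.</li>
 *   <li>Authorization codes and (unless {@link ConfigProvider#useReusableRefreshTokens}
 *       says otherwise) refresh tokens are single-use: a replay cascades revocation
 *       of everything derived from the replayed grant.</li>
 *   <li>Raw credentials ({@code client_secret}, {@code password}) are never copied
 *       into the session.</li>
 *   <li>No PKCE ({@code code_verifier}) handling is performed in this class.
 *       NOTE(review): if PKCE is supported elsewhere in the server it has to be
 *       enforced before this endpoint issues tokens — confirm.</li>
 * </ul>
 */
public class TokenEndpoint extends Endpoint {
    /** Grant types this endpoint accepts; anything else is answered with unsupported_grant_type. */
    private static final Set<String> SUPPORTED_GRANT_TYPES = Stream.of(
            "authorization_code",
            "password",
            Constants.PARAMETER_VALUE_CLIENT_CREDENTIALS,
            "refresh_token",
            Constants.PARAMETER_VALUE_DEVICE_CODE).collect(Collectors.toSet());

    /**
     * Request parameters that are raw credentials. They are only needed for the
     * verification done in {@link #invokeOn(Exchange)} and are deliberately not
     * copied into the session (the session may be persisted by the SessionProvider).
     */
    private static final Set<String> CREDENTIAL_PARAMETERS =
            Stream.of("client_secret", "password").collect(Collectors.toSet());

    private final ConfigProvider configProvider;

    /**
     * @param serverServices server-wide services; the {@link ConfigProvider} is
     *                       looked up once here and may be {@code null}, in which
     *                       case refresh tokens are treated as single-use
     */
    public TokenEndpoint(ServerServices serverServices) {
        super(serverServices, Constants.ENDPOINT_TOKEN);
        this.configProvider = serverServices.getProvidedServices().getConfigProvider();
    }

    /**
     * Processes one token request.
     *
     * <p>Order of checks: client identification/authentication, grant_type,
     * grant-specific validation (code / device code / refresh token / password),
     * scope, then token issuance. Every failure writes an error response to the
     * exchange and returns; nothing is issued unless all checks pass.
     *
     * @param exchange the HTTP exchange; the request body is read as a
     *                 form-encoded parameter list and the response is set on it
     * @throws Exception propagated from session or token-manager access
     */
    @Override
    public void invokeOn(Exchange exchange) throws Exception {
        // --- 1. Client identification / authentication -------------------------
        // Preferred: HTTP Basic (RFC 6749 §2.3.1). A malformed or failed Basic
        // header is treated as "not authenticated" and we fall back to the body
        // parameters. NOTE(review): RFC 6749 §2.3 says a client MUST NOT use more
        // than one authentication method per request; that is not enforced here,
        // so a failed Basic header plus a correct body secret is still accepted.
        boolean clientAuthenticated = false;
        String clientId = null;
        String authorizationHeader = exchange.getRequest().getHeader().getValue("Authorization");
        if (authorizationHeader != null) {
            try {
                User basicCredentials = Util.decodeFromBasicAuthValue(authorizationHeader);
                clientAuthenticated = this.serverServices.getProvidedServices().getClientDataProvider()
                        .verify(basicCredentials.getName(), basicCredentials.getPassword());
                if (clientAuthenticated) {
                    clientId = basicCredentials.getName();
                }
            } catch (Exception e) {
                // Undecodable header: fall through to body-based identification.
                clientAuthenticated = false;
                clientId = null;
            }
        }
        Session session = this.serverServices.getProvidedServices().getSessionProvider().getSession(exchange);
        // Token requests carry their parameters form-encoded in the body; empty
        // values are dropped so "absent" and "empty" are handled the same way.
        Map<String, String> params = Parameters.stripEmptyParams(UriUtil.queryToParameters(exchange.getRequest().getBody()));
        if (clientId == null) {
            clientId = params.get("client_id");
        }
        if (clientId == null) {
            this.log.debug("No clientId detected.");
            exchange.setResponse(answerWithError(401, Constants.ERROR_ACCESS_DENIED));
            return;
        }
        // A confidential client that did not authenticate via Basic must present
        // a correct client_secret in the body; public clients pass on client_id
        // alone. Note that a body secret does NOT set clientAuthenticated, so the
        // client-credentials grant below still requires Basic authentication.
        if (!clientAuthenticated
                && this.serverServices.getProvidedServices().getClientDataProvider().isConfidential(clientId)
                && !this.serverServices.getProvidedServices().getClientDataProvider().verify(clientId, params.get("client_secret"))) {
            this.log.debug("Client is confidential and client_secret incorrect.");
            exchange.setResponse(answerWithError(401, Constants.ERROR_ACCESS_DENIED));
            return;
        }
        session.putValue("client_id", clientId);

        // --- 2. grant_type ---------------------------------------------------------
        String grantType = params.get("grant_type");
        if (grantType == null) {
            this.log.debug("Parameter 'grant_type' missing.");
            exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_REQUEST));
            return;
        }
        if (!grantTypeIsSupported(grantType)) {
            this.log.debug("Unsupported grant_type: " + grantType);
            exchange.setResponse(answerWithError(400, Constants.ERROR_UNSUPPORTED_GRANT_TYPE));
            return;
        }
        session.putValue("grant_type", grantType);

        // --- 3a. authorization_code: resolve the code and pin the scope ----------
        // The scope of a code exchange is always the scope granted at
        // authorization time; a scope parameter in this request is overridden.
        if (grantType.equals("authorization_code")) {
            String code = params.get("code");
            if (code == null) {
                this.log.debug("Parameter 'code' is missing.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_REQUEST));
                return;
            }
            Token authorizationCode = this.serverServices.getTokenManager().getAuthorizationCodes().getToken(code);
            if (authorizationCode == null) {
                this.log.debug("Code is invalid.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_GRANT));
                return;
            }
            params.put("scope", authorizationCode.getScope());
        }

        // --- 3b. device_code (RFC 8628 §3.4/3.5) ----------------------------------
        if (grantType.equals(Constants.PARAMETER_VALUE_DEVICE_CODE)) {
            String deviceCode = params.get(Constants.PARAMETER_DEVICE_CODE);
            if (deviceCode == null) {
                this.log.debug("Parameter device_code is missing.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_REQUEST));
                return;
            }
            Token approvedDeviceCode = this.serverServices.getTokenManager().getDeviceCodes().getToken(deviceCode);
            if (approvedDeviceCode == null) {
                // Not (yet) approved by the user: until then the code is stored
                // under a "pre:" key.
                Token pendingDeviceCode = this.serverServices.getTokenManager().getDeviceCodes().getToken("pre:" + deviceCode);
                if (pendingDeviceCode == null) {
                    this.log.debug("Device Code is invalid.");
                    exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_GRANT));
                    return;
                }
                if (pendingDeviceCode.isExpired()) {
                    this.log.debug("Device Code is expired.");
                    exchange.setResponse(answerWithError(400, Constants.ERROR_EXPIRED_TOKEN));
                    return;
                }
                if (pendingDeviceCode.getClientId().equals(clientId)) {
                    // The client keeps polling. NOTE(review): no polling-interval
                    // ("slow_down") enforcement is visible in this endpoint.
                    exchange.setResponse(answerWithError(400, Constants.ERROR_AUTHORIZATION_PENDING));
                    return;
                }
                // NOTE(review): a wrong client receives invalid_client here but
                // invalid_grant for an already-approved code below, so the error
                // code reveals whether the user has approved the code. RFC 8628
                // uses invalid_grant in both cases — consider aligning them.
                this.log.debug("Device Code belongs to one client ('" + pendingDeviceCode.getClientId() + "') while token was requested from a different client ('" + clientId + "').");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_CLIENT));
                return;
            }
            if (approvedDeviceCode.isExpired()) {
                this.log.debug("Device Code is expired.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_EXPIRED_TOKEN));
                return;
            }
            if (!approvedDeviceCode.getClientId().equals(clientId)) {
                this.log.debug("Device Code belongs to one client ('" + approvedDeviceCode.getClientId() + "') while token was requested from a different client ('" + clientId + "').");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_GRANT));
                return;
            }
            // The user who approved the device code becomes the subject; the scope
            // is the one approved, not whatever this request asks for.
            session.putValue("username", approvedDeviceCode.getUsername());
            params.put("scope", approvedDeviceCode.getScope());
        }

        // --- 4. Scope ------------------------------------------------------------------
        String requestedScope = params.get("scope");
        // A refresh request without a scope parameter defaults to the scope that
        // was granted with the refresh token (RFC 6749 §6).
        if (requestedScope == null && grantType.equals("refresh_token") && params.get("refresh_token") != null) {
            String refreshTokenValue = params.get("refresh_token");
            if (!this.serverServices.getTokenManager().getRefreshTokens().tokenExists(refreshTokenValue)) {
                this.log.debug("RefreshToken is not known.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_GRANT));
                return;
            }
            requestedScope = this.serverServices.getTokenManager().getRefreshTokens().getToken(refreshTokenValue).getScope();
        }
        // The requested scope must be known to the server and must not exceed a
        // scope already recorded in this session. NOTE(review): when the session
        // holds no scope yet, scopeIsSuperior() imposes no limit; for the refresh
        // grant the token-bound check further below is what prevents escalation.
        if (!this.serverServices.getSupportedScopes().scopesSupported(requestedScope) || scopeIsSuperior(session.getValue("scope"), requestedScope)) {
            this.log.debug("Scope '" + requestedScope + "' from parameter is not supported or is supperior to session scope.");
            exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_SCOPE));
            return;
        }
        session.putValue("scope", requestedScope);

        // --- 5a. authorization_code: redirect_uri, replay, expiry, client binding ---
        if (grantType.equals("authorization_code")) {
            String code = params.get("code"); // non-null: checked in step 3a
            Token authorizationCode = this.serverServices.getTokenManager().getAuthorizationCodes().getToken(code);
            if (authorizationCode == null) {
                // Only possible if the code disappeared since the lookup in step 3a.
                this.log.debug("Code is invalid.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_GRANT));
                return;
            }
            String redirectUri = params.get("redirect_uri");
            // RFC 6749 §4.1.3: redirect_uri must match the one used in the
            // authorization request. NOTE(review): the spec only requires the
            // parameter when it was present in the authorization request; this
            // implementation always requires it, and a code stored without a
            // redirect URI is rejected instead of dereferenced — confirm that the
            // authorization endpoint always records one.
            if (redirectUri == null
                    || authorizationCode.getRedirectUri() == null
                    || !authorizationCode.getRedirectUri().equals(redirectUri)) {
                this.log.debug("Parameter redirect_uri does not match the token's redirect_uri.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_REQUEST));
                return;
            }
            // Replay protection: a code may be exchanged exactly once. A second
            // use is treated as a leaked code and every token derived from it is
            // revoked (RFC 6749 §4.1.2). NOTE(review): the usage check here and the
            // increment presumably done when the token is issued are not atomic,
            // so two concurrent exchanges of the same code may both succeed —
            // a compare-and-set in the token manager would close that window.
            if (authorizationCode.getUsages() > 0) {
                authorizationCode.revokeCascade();
                this.log.debug("Code has already been used, revoking all child tokens.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_GRANT));
                return;
            }
            if (authorizationCode.isExpired()) {
                this.log.debug("Code is expired.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_GRANT));
                return;
            }
            if (!authorizationCode.getClientId().equals(clientId)) {
                this.log.debug("Code does not fit to the clientId.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_GRANT));
                return;
            }
            // The redirect_uri must also still be one of the client's registered URIs.
            if (!this.serverServices.getProvidedServices().getClientDataProvider().getRedirectUris(clientId).contains(redirectUri)) {
                this.log.debug("Parameter redirect_uri does not match one of the client's redirect_uris.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_REQUEST));
                return;
            }
            session.putValue("authorization_code", code);
        }

        // --- 5b. password (resource owner password credentials) ---------------------
        // NOTE(review): no rate limiting or lockout is visible here; if none exists
        // upstream this grant is a credential-stuffing target.
        if (grantType.equals("password")) {
            if (params.get("username") == null || params.get("password") == null) {
                this.log.debug("Parameter username or password missing.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_REQUEST));
                return;
            }
            if (!this.serverServices.getProvidedServices().getUserDataProvider().verifyUser(params.get("username"), params.get("password"))) {
                this.log.debug("Parameter username or password incorrect.");
                exchange.setResponse(answerWithError(401, Constants.ERROR_ACCESS_DENIED));
                return;
            }
            session.putValue("username", params.get("username"));
        }

        // --- 5c. client_credentials: requires a client authenticated via Basic ------
        if (grantType.equals(Constants.PARAMETER_VALUE_CLIENT_CREDENTIALS) && !clientAuthenticated) {
            this.log.debug("Client is not authorized.");
            exchange.setResponse(answerWithError(401, Constants.ERROR_ACCESS_DENIED));
            return;
        }

        // --- 5d. refresh_token ---------------------------------------------------------
        if (grantType.equals("refresh_token")) {
            String refreshTokenValue = params.get("refresh_token");
            if (refreshTokenValue == null) {
                this.log.debug("Parameter refresh_token is missing.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_REQUEST));
                return;
            }
            if (!this.serverServices.getTokenManager().getRefreshTokens().tokenExists(refreshTokenValue)) {
                this.log.debug("RefreshToken is not known.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_GRANT));
                return;
            }
            Token refreshToken = this.serverServices.getTokenManager().getRefreshTokens().getToken(refreshTokenValue);
            boolean reusable = this.configProvider != null
                    && this.configProvider.useReusableRefreshTokens(new TokenContext(clientId));
            // Rotation mode (the default): each refresh token may be used once.
            // Reuse is treated as theft and revokes the whole token family.
            if (!reusable && refreshToken.getUsages() > 0) {
                refreshToken.revokeCascade();
                this.log.debug("RefreshToken has already been used, revoking all child tokens.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_GRANT));
                return;
            }
            if (refreshToken.isExpired()) {
                this.log.debug("RefreshToken is expired.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_GRANT));
                return;
            }
            if (!refreshToken.getClientId().equals(clientId)) {
                this.log.debug("RefreshToken does not fit to the clientId.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_GRANT));
                return;
            }
            // RFC 6749 §6: a refresh may narrow the granted scope but never widen
            // it. The check in step 4 only compared against the session's scope,
            // which is not bound to this refresh token, so compare against the
            // token's own grant here. Without a scope parameter requestedScope
            // already equals the token scope and this is a no-op.
            if (scopeIsSuperior(refreshToken.getScope(), requestedScope)) {
                this.log.debug("Scope '" + requestedScope + "' exceeds the scope granted to the RefreshToken.");
                exchange.setResponse(answerWithError(400, Constants.ERROR_INVALID_SCOPE));
                return;
            }
            session.putValue("refresh_token", refreshTokenValue);
        }

        // --- 6. Hand over to the response generators ---------------------------------
        // Expose the validated request parameters via the session — except raw
        // credentials, which were only needed for the checks above and must not
        // be persisted. NOTE(review): assumes no response generator reads
        // "client_secret" or "password" from the session; confirm against
        // CombinedResponseGenerator.
        for (Map.Entry<String, String> entry : params.entrySet()) {
            if (CREDENTIAL_PARAMETERS.contains(entry.getKey())) {
                continue;
            }
            try {
                session.putValue(entry.getKey(), entry.getValue());
            } catch (Exception e) {
                // Best effort, as before: a parameter that cannot be stored does
                // not abort the request, but it is logged rather than dumped to stderr.
                this.log.debug("Could not store parameter '" + entry.getKey() + "' in session: " + e);
            }
        }
        session.putValue(Constants.SESSION_ENDPOINT, Constants.ENDPOINT_TOKEN);
        // An id_token is added only for openid requests. NOTE(review): contains()
        // is a substring match, so any scope token containing "openid" qualifies;
        // a split on " " would be stricter.
        String responseType = "token";
        String sessionScope = session.getValue("scope");
        if (hasOpenIdScope(exchange) && sessionScope != null && sessionScope.contains(Constants.SCOPE_OPENID)) {
            responseType = responseType + " id_token";
        }
        session.putValue("response_type", responseType);
        exchange.setResponse(okWithJSONBody(new CombinedResponseGenerator(this.serverServices, exchange).invokeResponse(responseType)));
    }

    /**
     * Returns {@code true} when {@code requestedScope} contains a scope token that
     * is not present in {@code grantedScope}. Scopes are space-separated.
     *
     * <p>A {@code null} granted scope imposes no limit (returns {@code false}), and a
     * {@code null} requested scope requests nothing (returns {@code false}).
     */
    private boolean scopeIsSuperior(String grantedScope, String requestedScope) {
        if (grantedScope == null || requestedScope == null) {
            return false;
        }
        Set<String> granted = Stream.of(grantedScope.split(Pattern.quote(" "))).collect(Collectors.toSet());
        return Stream.of(requestedScope.split(Pattern.quote(" "))).anyMatch(scope -> !granted.contains(scope));
    }

    /** @return whether {@code grantType} is one of {@link #SUPPORTED_GRANT_TYPES} */
    private boolean grantTypeIsSupported(String grantType) {
        return SUPPORTED_GRANT_TYPES.contains(grantType);
    }

    /**
     * The scope recorded in the request's session (set by {@link #invokeOn(Exchange)}
     * in step 4); {@code null} if none has been recorded yet.
     */
    @Override
    public String getScope(Exchange exchange) throws Exception {
        return this.serverServices.getProvidedServices().getSessionProvider().getSession(exchange).getValue("scope");
    }
}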
