package org.apereo.cas.oidc.web.controllers;

import java.util.Locale;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.oidc.OidcConstants;
import org.apereo.cas.oidc.introspection.OidcIntrospectionAccessTokenResponse;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.profile.OAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.validator.OAuth20Validator;
import org.apereo.cas.support.oauth.web.endpoints.BaseOAuth20Controller;
import org.apereo.cas.ticket.accesstoken.AccessToken;
import org.apereo.cas.ticket.accesstoken.AccessTokenFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.Pac4jUtils;
import org.apereo.cas.web.support.CookieRetrievingCookieGenerator;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.credentials.extractor.BasicAuthExtractor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;

/* loaded from: input_file:org/apereo/cas/oidc/web/controllers/OidcIntrospectionEndpointController.class */
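/**
 * OIDC token introspection endpoint ({@code /oidc/introspect}).
 *
 * <p>The caller authenticates with HTTP Basic credentials, which are matched
 * against a registered OAuth service (client id / client secret), and names the
 * token to inspect in the {@code access_token} or {@code token} form parameter.
 * The endpoint answers with an {@link OidcIntrospectionAccessTokenResponse}.
 *
 * <p>Response mapping:
 * <ul>
 *   <li>missing or invalid client credentials: {@code 401 Unauthorized};</li>
 *   <li>no token parameter at all: {@code 400 Bad Request};</li>
 *   <li>token parameter present but no matching access token: {@code 200} with
 *       {@code active=false} (the token value is never logged);</li>
 *   <li>token found: {@code 200} with the populated introspection body;</li>
 *   <li>any unexpected failure: {@code 500 Internal Server Error}.</li>
 * </ul>
 */
public class OidcIntrospectionEndpointController extends BaseOAuth20Controller {
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcIntrospectionEndpointController.class);

    /** Preferred form parameter carrying the token to introspect. */
    private static final String PARAM_ACCESS_TOKEN = "access_token";

    /** Alternative form parameter carrying the token to introspect. */
    private static final String PARAM_TOKEN = "token";

    private final CentralAuthenticationService centralAuthenticationService;

    /**
     * Creates the controller; all collaborators except {@code centralAuthenticationService}
     * are handed to {@link BaseOAuth20Controller}.
     *
     * @param centralAuthenticationService used to resolve the introspected token id to an {@link AccessToken}
     */
    public OidcIntrospectionEndpointController(ServicesManager servicesManager, TicketRegistry ticketRegistry, OAuth20Validator oAuth20Validator, AccessTokenFactory accessTokenFactory, PrincipalFactory principalFactory, ServiceFactory<WebApplicationService> serviceFactory, OAuth20ProfileScopeToAttributesFilter oAuth20ProfileScopeToAttributesFilter, CasConfigurationProperties casConfigurationProperties, CookieRetrievingCookieGenerator cookieRetrievingCookieGenerator, CentralAuthenticationService centralAuthenticationService) {
        super(servicesManager, ticketRegistry, oAuth20Validator, accessTokenFactory, principalFactory, serviceFactory, oAuth20ProfileScopeToAttributesFilter, casConfigurationProperties, cookieRetrievingCookieGenerator);
        this.centralAuthenticationService = centralAuthenticationService;
    }

    /**
     * GET variant of the introspection endpoint; delegates to {@link #handlePostRequest}.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response
     * @return the introspection response
     * @throws Exception never thrown in practice; retained for signature compatibility
     */
    @GetMapping(consumes = {"application/x-www-form-urlencoded"}, produces = {"application/json"}, value = {"/oidc/introspect"})
    public ResponseEntity<OidcIntrospectionAccessTokenResponse> handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        return handlePostRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Handles an introspection request: authenticates the calling client, locates
     * the token named in the request and builds the introspection body.
     *
     * @param httpServletRequest  the request carrying Basic credentials and the token parameter
     * @param httpServletResponse the response
     * @return the introspection response; see the class documentation for the status mapping
     */
    @PostMapping(consumes = {"application/x-www-form-urlencoded"}, produces = {"application/json"}, value = {"/oidc/introspect"})
    public ResponseEntity<OidcIntrospectionAccessTokenResponse> handlePostRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            final UsernamePasswordCredentials credentials = extractClientCredentials(httpServletRequest, httpServletResponse);
            if (credentials == null) {
                // A missing Authorization header is a client error, not a server fault.
                LOGGER.warn("No credentials are provided to verify introspection on the access token");
                return new ResponseEntity<>(HttpStatus.UNAUTHORIZED);
            }
            final OAuthRegisteredService registeredService = OAuth20Utils.getRegisteredOAuthService(this.servicesManager, credentials.getUsername());
            if (!isClientAuthenticated(registeredService, credentials)) {
                // Client id is not a secret; the client secret is deliberately not logged.
                LOGGER.warn("Introspection request rejected for client [{}]: unknown service or client secret mismatch", credentials.getUsername());
                return new ResponseEntity<>(HttpStatus.UNAUTHORIZED);
            }
            if (!hasTokenParameter(httpServletRequest)) {
                LOGGER.warn("Introspection request from client [{}] carries neither [{}] nor [{}]", credentials.getUsername(), PARAM_ACCESS_TOKEN, PARAM_TOKEN);
                return new ResponseEntity<>(HttpStatus.BAD_REQUEST);
            }
            final String tokenId = StringUtils.defaultIfBlank(httpServletRequest.getParameter(PARAM_ACCESS_TOKEN), httpServletRequest.getParameter(PARAM_TOKEN));
            // The token is a bearer credential: log only that one was found, never its value.
            LOGGER.debug("Located an access token in the introspection request from client [{}]", credentials.getUsername());
            // NOTE(review): depending on the CAS version, getTicket may throw for an unknown or
            // expired ticket instead of returning null; that path currently ends in the
            // catch-all below as a 500 rather than an active=false body - confirm and narrow if so.
            final AccessToken accessToken = (AccessToken) this.centralAuthenticationService.getTicket(tokenId, AccessToken.class);
            if (accessToken == null) {
                LOGGER.debug("No access token could be located for the introspection request from client [{}]", credentials.getUsername());
                return createInactiveResponse();
            }
            return createIntrospectionResponse(registeredService, accessToken);
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
            return new ResponseEntity<>(HttpStatus.INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Extracts HTTP Basic credentials from the request.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response
     * @return the credentials, or {@code null} when the request carries none
     */
    private UsernamePasswordCredentials extractClientCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final BasicAuthExtractor extractor = new BasicAuthExtractor(getClass().getSimpleName());
        return (UsernamePasswordCredentials) extractor.extract(Pac4jUtils.getPac4jJ2EContext(httpServletRequest, httpServletResponse));
    }

    /**
     * Checks that the registered service is valid and that the presented client
     * secret matches it.
     *
     * @param registeredService the service resolved from the client id, possibly {@code null}
     * @param credentials       the Basic credentials presented by the client
     * @return {@code true} when the client is authenticated for this service
     */
    private boolean isClientAuthenticated(OAuthRegisteredService registeredService, UsernamePasswordCredentials credentials) {
        return this.validator.checkServiceValid(registeredService)
            && this.validator.checkClientSecret(registeredService, credentials.getPassword());
    }

    /**
     * Reports whether the request names a token under either accepted parameter.
     *
     * @param httpServletRequest the request
     * @return {@code true} when {@code access_token} or {@code token} is present
     */
    private boolean hasTokenParameter(HttpServletRequest httpServletRequest) {
        return this.validator.checkParameterExist(httpServletRequest, PARAM_ACCESS_TOKEN)
            || this.validator.checkParameterExist(httpServletRequest, PARAM_TOKEN);
    }

    /**
     * Builds the response for a token that could not be resolved.
     *
     * @return a {@code 200} response whose body carries {@code active=false} and nothing else
     */
    private static ResponseEntity<OidcIntrospectionAccessTokenResponse> createInactiveResponse() {
        final OidcIntrospectionAccessTokenResponse inactive = new OidcIntrospectionAccessTokenResponse();
        inactive.setActive(false);
        return new ResponseEntity<>(inactive, HttpStatus.OK);
    }

    /**
     * Builds the introspection body for a resolved access token.
     *
     * @param registeredService the authenticated client's registered service
     * @param accessToken       the resolved access token
     * @return a {@code 200} response describing the token
     */
    private ResponseEntity<OidcIntrospectionAccessTokenResponse> createIntrospectionResponse(OAuthRegisteredService registeredService, AccessToken accessToken) {
        final OidcIntrospectionAccessTokenResponse body = new OidcIntrospectionAccessTokenResponse();
        body.setActive(true);
        body.setClientId(registeredService.getClientId());

        final Authentication authentication = accessToken.getAuthentication();
        final String principalId = authentication.getPrincipal().getId();
        body.setSub(principalId);
        body.setUniqueSecurityName(principalId);

        // NOTE(review): exp is populated from the policy's time-to-live rather than an absolute
        // expiry, and iat is in milliseconds - both differ from the seconds-since-epoch that
        // RFC 7662 describes. Kept as-is to avoid breaking existing consumers; confirm before changing.
        body.setExp(accessToken.getExpirationPolicy().getTimeToLive().longValue());
        body.setIat(accessToken.getCreationTime().toInstant().toEpochMilli());

        // Realm is reported as the comma-joined authenticationMethod attribute values.
        final String realm = CollectionUtils.toCollection(authentication.getAttributes().get("authenticationMethod"))
            .stream()
            .map(Object::toString)
            .collect(Collectors.joining(","));
        body.setRealmName(realm);

        body.setTokenType("bearer");
        // Locale.ROOT keeps the lowercasing stable regardless of the JVM's default locale.
        body.setGrantType(authentication.getAttributes().getOrDefault("grant_type", "").toString().toLowerCase(Locale.ROOT));
        body.setScope(OidcConstants.StandardScopes.OPENID.getScope());
        body.setAud(registeredService.getServiceId());
        body.setIss(this.casProperties.getAuthn().getOidc().getIssuer());
        return new ResponseEntity<>(body, HttpStatus.OK);
    }
}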
