package com.sap.cloud.security.xsuaa.token;

import com.sap.xs2.security.container.UserInfo;
import com.sap.xs2.security.container.UserInfoException;
import com.sap.xs2.security.container.XSTokenRequestImpl;
import com.sap.xsa.security.container.XSTokenRequest;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import net.minidev.json.JSONObject;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.util.Assert;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:com/sap/cloud/security/xsuaa/token/XsuaaTokenExchanger.class */
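/**
 * Exchanges the current {@link Token} for a new XSUAA access token via the {@code /oauth/token}
 * endpoint, either on behalf of the named user ({@code user_token} followed by
 * {@code refresh_token}) or as a technical user ({@code client_credentials}).
 *
 * <p>Before the call is made, the first host label of the requested token endpoint is replaced
 * with the subdomain carried by the current token, so a multi-tenant application talks to the
 * tenant-specific XSUAA instance.
 *
 * <p>NOTE(review): the HTTP status checks in this class assume the injected {@link RestTemplate}
 * does not throw on 4xx/5xx responses. With Spring's default error handler such responses
 * presumably surface as an unchecked {@code HttpStatusCodeException} before the checks run —
 * confirm against the template's configured {@code ResponseErrorHandler}.
 */
public class XsuaaTokenExchanger {
    /**
     * What the token's subdomain must look like before it becomes the first host label of the
     * URL that receives the client secret: a plain DNS label (letters, digits, hyphen, 1–63 chars).
     */
    private static final Pattern DNS_LABEL = Pattern.compile("[A-Za-z0-9-]{1,63}");

    Token token;
    RestTemplate restTemplate;

    /**
     * Creates an exchanger for the given token.
     *
     * <p>Note: the decompiled form is {@code public}; the original source declared this
     * constructor package-private.
     *
     * @param restTemplate template used for the token calls; a default one is created when null
     * @param token the current (already validated) token whose subdomain / app token are used
     * @throws IllegalArgumentException when {@code token} is null
     */
    public XsuaaTokenExchanger(RestTemplate restTemplate, Token token) {
        Assert.notNull(token, "token is required");
        this.token = token;
        this.restTemplate = restTemplate != null ? restTemplate : new RestTemplate();
    }

    /**
     * Requests a token according to the grant type of {@code xSTokenRequest}.
     *
     * @param xSTokenRequest the request; must be valid ({@link XSTokenRequest#isValid()})
     * @return the {@code access_token} value returned by XSUAA
     * @throws UserInfoException when the request is rejected, the grant type is unknown, the
     *     additional authorization attributes cannot be serialized, the token subdomain is not a
     *     DNS label, or the response lacks the expected token
     * @throws URISyntaxException declared for API compatibility
     * @throws IllegalArgumentException when the request is null or invalid
     */
    public String requestToken(XSTokenRequest xSTokenRequest) throws UserInfoException, URISyntaxException {
        Assert.notNull(xSTokenRequest, "token request is required");
        Assert.isTrue(xSTokenRequest.isValid(), "Invalid grant type or missing parameters for requested grant type.");
        String authorities = serializeAuthorities(xSTokenRequest.getAdditionalAuthorizationAttributes());
        alignEndpointWithTokenSubdomain(xSTokenRequest);
        switch (xSTokenRequest.getType()) {
            case XSTokenRequestImpl.TYPE_USER_TOKEN:
                return requestTokenNamedUser(xSTokenRequest.getClientId(), xSTokenRequest.getClientSecret(),
                        xSTokenRequest.getTokenEndpoint().toString(), authorities);
            case XSTokenRequestImpl.TYPE_CLIENT_CREDENTIALS_TOKEN:
                return requestTokenTechnicalUser(xSTokenRequest, authorities);
            default:
                throw new UserInfoException("Invalid grant type.");
        }
    }

    /**
     * Wraps the additional authorization attributes as {@code {"az_attr": ...}} JSON.
     *
     * @param additionalAttributes value of {@link XSTokenRequest#getAdditionalAuthorizationAttributes()}
     * @return the JSON string, or null when there are no attributes
     * @throws UserInfoException when JSON serialization fails
     */
    private static String serializeAuthorities(Object additionalAttributes) throws UserInfoException {
        if (additionalAttributes == null) {
            return null;
        }
        Map<String, Object> wrapper = new HashMap<>();
        wrapper.put("az_attr", additionalAttributes);
        StringBuilder out = new StringBuilder();
        try {
            JSONObject.writeJSON(wrapper, out);
        } catch (IOException e) {
            throw new UserInfoException("Error creating json representation", e);
        }
        return out.toString();
    }

    /**
     * Rewrites the request's token endpoint so its first host label equals the token's subdomain,
     * when both are known and differ.
     *
     * @throws UserInfoException when the token's subdomain is not a plain DNS label
     */
    private void alignEndpointWithTokenSubdomain(XSTokenRequest xSTokenRequest) throws UserInfoException {
        String tokenSubdomain = this.token.getSubdomain();
        URI endpoint = xSTokenRequest.getTokenEndpoint();
        if (tokenSubdomain == null || endpoint == null) {
            return;
        }
        String endpointSubdomain = getSubdomain(endpoint.toString());
        if (endpointSubdomain == null || tokenSubdomain.equals(endpointSubdomain)) {
            return;
        }
        // Defence in depth: the subdomain originates from a JWT claim and is spliced into the host
        // of the URL that will carry the client secret. Anything that is not a DNS label could
        // only ever produce a broken or unintended host, so reject it instead of sending.
        if (!DNS_LABEL.matcher(tokenSubdomain).matches()) {
            throw new UserInfoException("Token subdomain is not a valid DNS label: " + tokenSubdomain);
        }
        xSTokenRequest.setTokenEndpoint(replaceSubdomain(endpoint, tokenSubdomain));
    }

    /**
     * Returns a copy of {@code uri} whose first host label is replaced by {@code str}.
     * Scheme, port, path and query are preserved; the fragment is dropped.
     *
     * @param uri the URI to rewrite
     * @param str the new first host label
     * @return the rewritten URI, or null when either argument is null or the host has no dot
     */
    protected URI replaceSubdomain(URI uri, String str) {
        if (uri == null || str == null) {
            return null;
        }
        String host = uri.getHost();
        if (host == null || host.indexOf('.') < 0) {
            return null;
        }
        String rewrittenHost = str + host.substring(host.indexOf('.'));
        UriComponentsBuilder builder = UriComponentsBuilder.newInstance()
                .scheme(uri.getScheme())
                .host(rewrittenHost)
                .port(uri.getPort()) // -1 when absent; the builder treats -1 as "no port"
                .path(uri.getPath())
                .query(uri.getRawQuery());
        return uri.resolve(builder.build().toString());
    }

    /**
     * Obtains a token with the {@code client_credentials} grant, authenticating with HTTP Basic.
     *
     * @param request the validated token request
     * @param authorities JSON produced by {@link #serializeAuthorities(Object)}, or null
     * @return the {@code access_token} from the response
     * @throws UserInfoException when credentials or endpoint are missing, the call fails, or the
     *     response has no {@code access_token}
     */
    private String requestTokenTechnicalUser(XSTokenRequest request, String authorities) throws UserInfoException {
        URI endpoint = request.getTokenEndpoint();
        if (endpoint == null) {
            throw new UserInfoException("Invalid service credentials: Missing url.");
        }
        if (request.getClientId() == null || request.getClientSecret() == null) {
            throw new UserInfoException("Invalid service credentials: Missing clientid/clientsecret.");
        }
        UriComponentsBuilder url = UriComponentsBuilder.fromUri(endpoint)
                .queryParam(TokenClaims.CLAIM_GRANT_TYPE, "client_credentials");
        if (authorities != null) {
            url.queryParam("authorities", authorities);
        }
        HttpHeaders headers = jsonHeaders("Basic " + basicCredentials(request.getClientId(), request.getClientSecret()));
        ResponseEntity<Map> response = this.restTemplate.postForEntity(
                url.build().encode().toUri(), new HttpEntity<>(headers), Map.class);
        failUnlessOk(response, "client_credentials", "Client credentials invalid");
        return requireBodyValue(response, "access_token", "client_credentials");
    }

    /**
     * Obtains a token for the named user: first a {@code user_token} grant using the current app
     * token as Bearer (yields a refresh token), then a {@code refresh_token} grant authenticated
     * with the client's Basic credentials (yields the access token).
     *
     * <p>NOTE(review): the refresh token travels as a URL query parameter, so it may end up in
     * proxy and server access logs; sending it in the form body would avoid that if the endpoint
     * accepts it — confirm before changing.
     *
     * @param clientId OAuth client id
     * @param clientSecret OAuth client secret
     * @param tokenEndpoint absolute URL of the token endpoint
     * @param authorities JSON produced by {@link #serializeAuthorities(Object)}, or null
     * @return the {@code access_token} from the refresh response
     * @throws UserInfoException when credentials/endpoint are missing, the current token lacks
     *     scope {@code uaa.user}, either call fails, or a response lacks the expected token
     */
    private String requestTokenNamedUser(String clientId, String clientSecret, String tokenEndpoint, String authorities)
            throws UserInfoException {
        if (clientId == null || clientSecret == null) {
            throw new UserInfoException("Invalid service credentials: Missing clientid/clientsecret.");
        }
        if (tokenEndpoint == null) {
            throw new UserInfoException("Invalid service credentials: Missing url.");
        }
        if (!checkScope("uaa.user")) {
            throw new UserInfoException("JWT token does not include scope 'uaa.user'.");
        }

        UriComponentsBuilder userTokenUrl = UriComponentsBuilder.fromHttpUrl(tokenEndpoint)
                .queryParam(TokenClaims.CLAIM_GRANT_TYPE, UserInfo.GRANTTYPE_USERTOKEN)
                .queryParam("response_type", "token")
                .queryParam("client_id", clientId);
        if (authorities != null) {
            userTokenUrl.queryParam("authorities", authorities);
        }
        HttpHeaders bearerHeaders = jsonHeaders("Bearer " + this.token.getAppToken());
        ResponseEntity<Map> userTokenResponse = this.restTemplate.postForEntity(
                userTokenUrl.build().encode().toUri(), new HttpEntity<>(bearerHeaders), Map.class);
        failUnlessOk(userTokenResponse, "user_token",
                "Bearer token invalid, requesting client does not have grant_type=user_token or no scopes were granted.");
        String refreshToken = requireBodyValue(userTokenResponse, "refresh_token", "user_token");

        UriComponentsBuilder refreshUrl = UriComponentsBuilder.fromHttpUrl(tokenEndpoint)
                .queryParam(TokenClaims.CLAIM_GRANT_TYPE, "refresh_token")
                .queryParam("refresh_token", refreshToken);
        HttpHeaders basicHeaders = jsonHeaders("Basic " + basicCredentials(clientId, clientSecret));
        ResponseEntity<Map> refreshResponse = this.restTemplate.postForEntity(
                refreshUrl.build().encode().toUri(), new HttpEntity<>(basicHeaders), Map.class);
        failUnlessOk(refreshResponse, "refresh_token", "Client credentials invalid");
        return requireBodyValue(refreshResponse, "access_token", "refresh_token");
    }

    /**
     * Encodes {@code clientId:clientSecret} for an HTTP Basic {@code Authorization} header.
     * The charset is fixed to UTF-8: {@code String.getBytes()} without one uses the platform
     * default and can mangle non-ASCII secrets.
     */
    private static String basicCredentials(String clientId, String clientSecret) {
        return Base64.getEncoder().encodeToString((clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
    }

    /** Builds the headers shared by all token calls: JSON accept plus the given Authorization value. */
    private static HttpHeaders jsonHeaders(String authorization) {
        HttpHeaders headers = new HttpHeaders();
        headers.add("Accept", "application/json");
        headers.add("Authorization", authorization);
        return headers;
    }

    /**
     * Throws unless the response status is 200 OK.
     *
     * @param response the token-endpoint response
     * @param grantType grant type named in the error message
     * @param unauthorizedHint explanation appended for a 401 response
     * @throws UserInfoException for 401 (with the hint) and for any other non-200 status
     */
    private static void failUnlessOk(ResponseEntity<?> response, String grantType, String unauthorizedHint)
            throws UserInfoException {
        if (response.getStatusCode() == HttpStatus.UNAUTHORIZED) {
            throw new UserInfoException("Call to /oauth/token was not successful (grant_type: " + grantType + "). "
                    + unauthorizedHint);
        }
        if (response.getStatusCode() != HttpStatus.OK) {
            throw new UserInfoException("Call to /oauth/token was not successful (grant_type: " + grantType
                    + "). HTTP status code: " + response.getStatusCode());
        }
    }

    /**
     * Reads a required string value from the JSON response body.
     *
     * @throws UserInfoException when the body is null or lacks {@code key} (the original code
     *     failed here with a NullPointerException)
     */
    private static String requireBodyValue(ResponseEntity<Map> response, String key, String grantType)
            throws UserInfoException {
        Map<?, ?> body = response.getBody();
        Object value = body == null ? null : body.get(key);
        if (value == null) {
            throw new UserInfoException("Call to /oauth/token (grant_type: " + grantType + ") returned no '" + key + "'.");
        }
        return value.toString();
    }

    /**
     * Extracts the first host label of a URL.
     *
     * @param str the URL
     * @return the text before the first dot of the host, or null when {@code str} is null, not
     *     a syntactically valid URI, has no host, or the host contains no dot
     */
    protected String getSubdomain(String str) {
        if (str == null) {
            return null;
        }
        try {
            String host = new URI(str).getHost();
            if (host == null || host.indexOf('.') < 0) {
                return null;
            }
            return host.substring(0, host.indexOf('.'));
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /**
     * Checks whether the current token's {@code scope} claim contains {@code str}.
     *
     * <p>Assumes the token is an {@link XsuaaToken}; any other {@link Token} implementation
     * yields a {@link ClassCastException}, as in the original.
     *
     * @return true when the scope is present; false when absent or the claim is missing
     */
    protected boolean checkScope(String str) {
        List<String> scopes = ((XsuaaToken) this.token).getClaimAsStringList("scope");
        return scopes != null && scopes.contains(str);
    }
}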
