package org.apereo.cas.support.oauth.web.endpoints;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.support.oauth.OAuth20Constants;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.TicketState;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.pac4j.core.context.JEEContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;

/* loaded from: input_file:org/apereo/cas/support/oauth/web/endpoints/OAuth20UserProfileEndpointController.class */
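/**
 * Serves the OAuth 2.0 user profile endpoint at {@code /oauth2.0/profile}.
 *
 * <p>Both GET and POST resolve the access token from the request (the {@code access_token}
 * parameter or a {@code Authorization: Bearer} header), look it up in the ticket registry and,
 * when it is present and not expired, render the profile data of its owner. Every failure yields
 * a {@code 401 Unauthorized} response with a JSON error body.
 *
 * <p>Access-token values are bearer credentials and are therefore kept out of all log statements
 * in this class; only the fact that a token was missing, not found or expired is logged.
 */
public class OAuth20UserProfileEndpointController extends BaseOAuth20Controller {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20UserProfileEndpointController.class);

    /** HTTP header that may carry the bearer token when no request parameter is given. */
    private static final String AUTHORIZATION_HEADER = "Authorization";

    /** Shared response for tokens that are unknown to the registry, expired, or whose parent ticket is gone. */
    private final ResponseEntity<String> expiredAccessTokenResponseEntity;

    /**
     * Creates the controller and pre-builds the "expired access token" response.
     *
     * @param oAuth20ConfigurationContext shared OAuth configuration (ticket registry, renderer, properties)
     */
    public OAuth20UserProfileEndpointController(final OAuth20ConfigurationContext oAuth20ConfigurationContext) {
        super(oAuth20ConfigurationContext);
        this.expiredAccessTokenResponseEntity = buildUnauthorizedResponseEntity(OAuth20Constants.EXPIRED_ACCESS_TOKEN);
    }

    /**
     * Builds a {@code 401 Unauthorized} response whose body is the JSON rendering of a single
     * {@code error} entry holding the given code.
     *
     * @param errorCode OAuth error code to report, e.g. {@link OAuth20Constants#MISSING_ACCESS_TOKEN}
     * @return the unauthorized response entity
     */
    protected static ResponseEntity<String> buildUnauthorizedResponseEntity(final String errorCode) {
        final LinkedMultiValueMap<String, String> body = new LinkedMultiValueMap<>(1);
        body.add(OAuth20Constants.ERROR, errorCode);
        return new ResponseEntity<>(OAuth20Utils.toJson(body), HttpStatus.UNAUTHORIZED);
    }

    /**
     * POST variant of the profile endpoint; delegates to {@link #handleGetRequest}.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response
     * @return the profile rendering or an unauthorized error response
     * @throws Exception propagated from the data creator or the view renderer
     */
    @PostMapping(path = "/oauth2.0/profile", produces = "application/json")
    public ResponseEntity<String> handlePostRequest(final HttpServletRequest httpServletRequest,
                                                    final HttpServletResponse httpServletResponse) throws Exception {
        return handleGetRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Validates the access token carried by the request and renders the owner's profile.
     *
     * <p>Order of checks: token present; token known to the registry; token not expired; and,
     * only when the logout property {@code removeDescendantTickets} is enabled, the parent
     * ticket-granting ticket present and not expired. Expired or orphaned tokens are deleted
     * from the registry before the error response is returned.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response; its content type is set to {@code application/json}
     * @return the profile rendering or an unauthorized error response
     * @throws Exception propagated from the data creator or the view renderer
     */
    @GetMapping(path = "/oauth2.0/profile")
    public ResponseEntity<String> handleGetRequest(final HttpServletRequest httpServletRequest,
                                                   final HttpServletResponse httpServletResponse) throws Exception {
        httpServletResponse.setContentType("application/json");
        final JEEContext context = new JEEContext(httpServletRequest, httpServletResponse,
            getOAuthConfigurationContext().getSessionStore());

        final String accessTokenId = getAccessTokenFromRequest(httpServletRequest);
        if (StringUtils.isBlank(accessTokenId)) {
            LOGGER.error("Missing [{}] from the request", OAuth20Constants.ACCESS_TOKEN);
            return buildUnauthorizedResponseEntity(OAuth20Constants.MISSING_ACCESS_TOKEN);
        }

        final OAuth20AccessToken accessToken = (OAuth20AccessToken) getOAuthConfigurationContext()
            .getTicketRegistry().getTicket(accessTokenId, OAuth20AccessToken.class);
        if (accessToken == null) {
            LOGGER.error("Access token cannot be found in the ticket registry.");
            return this.expiredAccessTokenResponseEntity;
        }
        if (accessToken.isExpired()) {
            LOGGER.error("Access token has expired and will be removed from the ticket registry");
            getOAuthConfigurationContext().getTicketRegistry().deleteTicket(accessTokenId);
            return this.expiredAccessTokenResponseEntity;
        }

        // The parent TGT is only consulted when descendant tickets are meant to die with it.
        if (getOAuthConfigurationContext().getCasProperties().getLogout().isRemoveDescendantTickets()) {
            final TicketGrantingTicket ticketGrantingTicket = accessToken.getTicketGrantingTicket();
            if (ticketGrantingTicket == null || ticketGrantingTicket.isExpired()) {
                LOGGER.error("Ticket granting ticket parenting the access token has expired or is not found");
                getOAuthConfigurationContext().getTicketRegistry().deleteTicket(accessTokenId);
                return this.expiredAccessTokenResponseEntity;
            }
        }

        updateAccessTokenUsage(accessToken);
        return getOAuthConfigurationContext().getUserProfileViewRenderer().render(
            getOAuthConfigurationContext().getUserProfileDataCreator().createFrom(accessToken, context),
            accessToken,
            httpServletResponse);
    }

    /**
     * Records one use of the access token and persists the result.
     *
     * <p>If recording the use leaves the token expired it is deleted from the registry;
     * otherwise the updated ticket is written back.
     *
     * @param accessToken the token that was just used successfully
     */
    protected void updateAccessTokenUsage(final OAuth20AccessToken accessToken) {
        TicketState.class.cast(accessToken).update();
        if (accessToken.isExpired()) {
            getOAuthConfigurationContext().getTicketRegistry().deleteTicket(accessToken.getId());
        } else {
            getOAuthConfigurationContext().getTicketRegistry().updateTicket(accessToken);
        }
    }

    /**
     * Extracts the access token from the request.
     *
     * <p>The {@code access_token} request parameter wins; otherwise a
     * {@code Authorization: Bearer <token>} header is used (scheme matched case-insensitively).
     * The raw value is then passed through {@code extractAccessTokenFrom} for final extraction.
     *
     * @param httpServletRequest the request
     * @return the extracted token, or whatever {@code extractAccessTokenFrom} returns for a blank value
     */
    protected String getAccessTokenFromRequest(final HttpServletRequest httpServletRequest) {
        String accessToken = httpServletRequest.getParameter(OAuth20Constants.ACCESS_TOKEN);
        if (StringUtils.isBlank(accessToken)) {
            final String header = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
            final String bearerPrefix = OAuth20Constants.TOKEN_TYPE_BEARER + " ";
            // startsWithIgnoreCase is null-safe and locale-independent, unlike toLowerCase().startsWith().
            if (StringUtils.startsWithIgnoreCase(header, bearerPrefix)) {
                accessToken = header.substring(bearerPrefix.length());
            }
        }
        // Only the presence of a token is logged; its value is a bearer credential.
        LOGGER.debug("[{}] present in request: [{}]", OAuth20Constants.ACCESS_TOKEN, StringUtils.isNotBlank(accessToken));
        return extractAccessTokenFrom(accessToken);
    }
}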
