package org.restlet.ext.oauth;

import org.json.JSONException;
import org.json.JSONObject;
import org.restlet.data.Protocol;
import org.restlet.data.Status;
import org.restlet.ext.json.JsonRepresentation;
import org.restlet.ext.oauth.internal.Scopes;
import org.restlet.ext.oauth.internal.Token;
import org.restlet.ext.oauth.internal.memory.ExpireToken;
import org.restlet.representation.Representation;
import org.restlet.resource.Post;
import org.restlet.resource.ResourceException;

/* loaded from: input_file:org/restlet/ext/oauth/TokenAuthServerResource.class */
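/**
 * Server resource that validates a bearer access token posted as JSON and answers
 * with the token owner's id and granted scope.
 * <p>
 * When the context attribute {@link #LOCAL_ACCESS_ONLY} is {@code "true"}, only
 * requests arriving over the internal RIAP scheme are accepted. Every failure is
 * reported through {@link #doCatch(Throwable)} as an OAuth error entity.
 */
public class TokenAuthServerResource extends OAuthServerResource {
    /** Context attribute name; a value of {@code "true"} restricts callers to the RIAP scheme. */
    public static final String LOCAL_ACCESS_ONLY = "localOnly";

    /**
     * Reads the {@link #LOCAL_ACCESS_ONLY} context attribute.
     *
     * @return {@code true} only when the attribute is present, non-empty and parses as {@code true}
     */
    private boolean isLocalAccessOnly() {
        String flag = (String) getContext().getAttributes().get(LOCAL_ACCESS_ONLY);
        return flag != null && !flag.isEmpty() && Boolean.parseBoolean(flag);
    }

    /**
     * Converts any failure into an OAuth error body.
     * <p>
     * The status is forced to 200 OK and the error travels in the entity.
     * NOTE(review): presumably so RIAP callers read the OAuth error from the JSON
     * body rather than from the HTTP status — confirm before changing.
     *
     * @param th the failure raised while handling the request
     */
    @Override
    protected void doCatch(Throwable th) {
        OAuthException error = OAuthException.toOAuthException(th);
        getResponse().setStatus(Status.SUCCESS_OK);
        getResponse().setEntity(responseErrorRepresentation(error));
    }

    /**
     * Validates a bearer token and describes its owner.
     * <p>
     * The body must be a JSON object carrying {@link OAuthServerResource#TOKEN_TYPE}
     * (equal to {@link OAuthServerResource#TOKEN_TYPE_BEARER}) and
     * {@link OAuthServerResource#ACCESS_TOKEN}. On success the reply is a JSON object
     * with the user id under {@link OAuthServerResource#USERNAME} and the scope string
     * derived from the user's granted roles under {@link OAuthServerResource#SCOPE}.
     *
     * @param representation the JSON request body
     * @return the JSON description of the authenticated user
     * @throws ResourceException if local-only access is configured and the request did
     *         not arrive over RIAP
     * @throws OAuthException if the token type or token is missing or unsupported, the
     *         token is unknown or invalid, or it has no associated user
     * @throws Exception for any other failure (e.g. malformed JSON), which
     *         {@link #doCatch(Throwable)} turns into an error body
     */
    @Post("json")
    public Representation authenticate(Representation representation) throws Exception {
        getLogger().fine("In Authenticate resource");
        // Optional deployment restriction: refuse anything that did not arrive over the internal RIAP scheme.
        if (isLocalAccessOnly() && !Protocol.RIAP.getSchemeName().equals(getOriginalRef().getScheme())) {
            throw new ResourceException(Status.CLIENT_ERROR_BAD_REQUEST, "Auth server only allows local resource validation");
        }
        JSONObject request = new JsonRepresentation(representation).getJsonObject();
        if (!request.has(OAuthServerResource.TOKEN_TYPE)) {
            throw new OAuthException(OAuthError.invalid_request, "No token_type", null);
        }
        if (!OAuthServerResource.TOKEN_TYPE_BEARER.equals(request.getString(OAuthServerResource.TOKEN_TYPE))) {
            throw new OAuthException(OAuthError.invalid_request, "Unsupported token_type", null);
        }
        AuthenticatedUser user = validateBearerToken(request).getUser();
        if (user == null) {
            throw new OAuthException(OAuthError.invalid_token, "AuthenticatedUser not found", null);
        }
        JSONObject result = new JSONObject();
        result.put(OAuthServerResource.USERNAME, user.getId());
        result.put(OAuthServerResource.SCOPE, Scopes.toScope(user.getGrantedRoles()));
        return new JsonRepresentation(result);
    }

    /**
     * Looks up the access token named in the request and rejects refresh tokens.
     *
     * @param request the JSON request body; must contain {@link OAuthServerResource#ACCESS_TOKEN}
     * @return the stored token matching the presented value
     * @throws OAuthException {@code invalid_request} if the field is absent;
     *         {@code invalid_token} if no token matches or the presented value is the
     *         refresh token of an {@link ExpireToken} rather than its access token
     * @throws JSONException if the field cannot be read
     */
    private Token validateBearerToken(JSONObject request) throws JSONException, OAuthException {
        // A missing field is a client error, reported as invalid_request like the token_type checks
        // (previously JSONObject.get() failed with a bare JSONException instead).
        if (!request.has(OAuthServerResource.ACCESS_TOKEN)) {
            throw new OAuthException(OAuthError.invalid_request, "No access_token", null);
        }
        String presented = request.get(OAuthServerResource.ACCESS_TOKEN).toString();
        // The presented value is a bearer credential: never write it to the log.
        getLogger().fine("In Validator resource - searching for token");
        Token stored = this.generator.findToken(presented);
        if (stored == null) {
            throw new OAuthException(OAuthError.invalid_token, "Token not found.", null);
        }
        // Token.toString() is not visible here and may include the secret, so only the outcome is logged.
        getLogger().fine("In Validator resource - token found");
        // The warning below suggests findToken() can also match an ExpireToken by its refresh
        // token; only the access token value itself is acceptable here.
        if (stored instanceof ExpireToken && !presented.equals(((ExpireToken) stored).getToken())) {
            getLogger().warning("Should not use the refresh_token to sign!");
            throw new OAuthException(OAuthError.invalid_token, "Invalid Token.", null);
        }
        return stored;
    }
}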
