package com.netflix.genie.web.security.oauth2.pingfederate;

import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.validation.constraints.NotNull;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.util.Assert;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.DefaultResponseErrorHandler;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:com/netflix/genie/web/security/oauth2/pingfederate/PingFederateTokenServices.class */
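/**
 * {@link ResourceServerTokenServices} that validates bearer tokens against a Ping Federate
 * token-introspection endpoint.
 *
 * <p>The token, the resource server's client id/secret and the Ping Federate specific grant type are
 * POSTed as a form to the configured {@code tokenInfoUri}. A successful response is expected to carry
 * at least {@code client_id} and a space separated {@code scope} string; the latter is converted to a
 * {@link java.util.List} before the map is handed to the configured {@link AccessTokenConverter}.
 * An {@code error} entry in the response is reported as an {@link InvalidTokenException}.
 *
 * <p>Reading an access token back ({@link #readAccessToken(String)}) is not supported.
 */
public class PingFederateTokenServices implements ResourceServerTokenServices {
    private static final Logger log = LoggerFactory.getLogger(PingFederateTokenServices.class);
    protected static final String TOKEN_NAME_KEY = "token";
    protected static final String CLIENT_ID_KEY = "client_id";
    protected static final String CLIENT_SECRET_KEY = "client_secret";
    protected static final String GRANT_TYPE_KEY = "grant_type";
    protected static final String ERROR_KEY = "error";
    protected static final String SCOPE_KEY = "scope";
    protected static final String GRANT_TYPE = "urn:pingidentity.com:oauth2:grant_type:validate_bearer";
    private final AccessTokenConverter converter;
    private final String checkTokenEndpointUrl;
    private final String clientId;
    private final String clientSecret;
    private RestOperations restOperations = new RestTemplate();

    /**
     * Create the token services from the resource server configuration.
     *
     * @param resourceServerProperties Supplies the token info URI, client id and client secret. All
     *                                 three must be non-blank.
     * @param accessTokenConverter     Converts the introspection response into an
     *                                 {@link OAuth2Authentication}.
     * @throws IllegalStateException if the token info URI, client id or client secret is blank
     */
    public PingFederateTokenServices(
        @NotNull final ResourceServerProperties resourceServerProperties,
        @NotNull final AccessTokenConverter accessTokenConverter
    ) {
        this.restOperations.setErrorHandler(new DefaultResponseErrorHandler() {
            @Override
            public void handleError(final ClientHttpResponse clientHttpResponse) throws IOException {
                // Ping Federate answers an invalid token with HTTP 400 and an "error" entry in the body.
                // Let that response through so loadAuthentication can turn it into an
                // InvalidTokenException instead of a generic client error.
                if (clientHttpResponse.getRawStatusCode() != HttpStatus.BAD_REQUEST.value()) {
                    super.handleError(clientHttpResponse);
                }
            }
        });
        this.checkTokenEndpointUrl = resourceServerProperties.getTokenInfoUri();
        this.clientId = resourceServerProperties.getClientId();
        this.clientSecret = resourceServerProperties.getClientSecret();
        Assert.state(StringUtils.isNotBlank(this.checkTokenEndpointUrl), "Check Endpoint URL is required");
        Assert.state(StringUtils.isNotBlank(this.clientId), "Client ID is required");
        Assert.state(StringUtils.isNotBlank(this.clientSecret), "Client secret is required");
        log.debug("checkTokenEndpointUrl = {}", this.checkTokenEndpointUrl);
        log.debug("clientId = {}", this.clientId);
        // The client secret is a credential; its presence is already enforced above and its value is
        // intentionally kept out of the logs.
        this.converter = accessTokenConverter;
    }

    /**
     * Validate the given bearer token with Ping Federate and build the corresponding authentication.
     *
     * @param accessToken The raw bearer token presented by the caller
     * @return The authentication extracted from the introspection response by the converter
     * @throws InvalidTokenException  if the server reports an {@code error}, or the {@code scope}
     *                                entry is missing, not a string or blank
     * @throws IllegalStateException  if the server returns no body or the body lacks
     *                                {@code client_id} or {@code scope}
     * @throws AuthenticationException as declared by {@link ResourceServerTokenServices}
     */
    @Override
    public OAuth2Authentication loadAuthentication(
        final String accessToken
    ) throws AuthenticationException, InvalidTokenException {
        final MultiValueMap<String, String> formData = new LinkedMultiValueMap<>();
        formData.add(TOKEN_NAME_KEY, accessToken);
        formData.add(CLIENT_ID_KEY, this.clientId);
        formData.add(CLIENT_SECRET_KEY, this.clientSecret);
        formData.add(GRANT_TYPE_KEY, GRANT_TYPE);
        final Map<String, Object> response = this.postForMap(this.checkTokenEndpointUrl, formData);
        // A 2xx/400 with an empty body cannot be interpreted; fail loudly rather than with an NPE below.
        Assert.state(response != null, "No response body returned from authentication server");
        if (response.containsKey(ERROR_KEY)) {
            final String error = String.valueOf(response.get(ERROR_KEY));
            log.debug("Validating the token produced an error: {}", error);
            throw new InvalidTokenException(error);
        }
        Assert.state(response.containsKey(CLIENT_ID_KEY), "Client id must be present in response from auth server");
        Assert.state(response.containsKey(SCOPE_KEY), "No scopes included in response from authentication server");
        this.convertScopes(response);
        final OAuth2Authentication authentication = this.converter.extractAuthentication(response);
        log.info(
            "User {} authenticated with authorities {}",
            authentication.getPrincipal(),
            authentication.getAuthorities()
        );
        return authentication;
    }

    /**
     * Not supported for Ping Federate.
     *
     * @param accessToken Ignored
     * @return Never returns
     * @throws UnsupportedOperationException always
     */
    @Override
    public OAuth2AccessToken readAccessToken(final String accessToken) {
        throw new UnsupportedOperationException("readAccessToken not implemented for Ping Federate");
    }

    /**
     * Get the converter used to build the authentication from the introspection response.
     *
     * @return The access token converter
     */
    protected AccessTokenConverter getAccessTokenConverter() {
        return this.converter;
    }

    /**
     * Get the REST client used to call the token endpoint.
     *
     * @return The current {@link RestOperations}
     */
    protected RestOperations getRestOperations() {
        return this.restOperations;
    }

    /**
     * Replace the REST client used to call the token endpoint.
     *
     * <p>The replacement is used as-is: the error handler installed by the constructor, which lets
     * HTTP 400 responses through so the {@code error} body can be inspected, is not carried over.
     *
     * @param restOperations The REST client to use from now on
     */
    protected void setRestOperations(@NotNull final RestOperations restOperations) {
        this.restOperations = restOperations;
    }

    /**
     * Get the Ping Federate token validation endpoint.
     *
     * @return The configured check token URL
     */
    protected String getCheckTokenEndpointUrl() {
        return this.checkTokenEndpointUrl;
    }

    /**
     * Get the resource server's client id.
     *
     * @return The client id sent with each validation request
     */
    protected String getClientId() {
        return this.clientId;
    }

    /**
     * Get the resource server's client secret.
     *
     * @return The client secret sent with each validation request
     */
    protected String getClientSecret() {
        return this.clientSecret;
    }

    /**
     * POST the given form data to the given URL and read the JSON body as a map.
     *
     * @param url      The endpoint to POST to
     * @param formData The form fields, sent as {@code application/x-www-form-urlencoded}
     * @return The response body as a map, or {@code null} if the response had no body
     */
    private Map<String, Object> postForMap(final String url, final MultiValueMap<String, String> formData) {
        final HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        final HttpEntity<MultiValueMap<String, String>> request = new HttpEntity<>(formData, headers);
        // Map.class erases the type parameters; the JSON object decodes to string keys so the cast is safe.
        @SuppressWarnings("unchecked")
        final Map<String, Object> body = (Map<String, Object>) this.restOperations
            .exchange(url, HttpMethod.POST, request, Map.class)
            .getBody();
        return body;
    }

    /**
     * Replace the space separated {@code scope} string in the response with a list of scopes, the
     * shape the {@link AccessTokenConverter} expects.
     *
     * @param response The introspection response; modified in place
     * @throws InvalidTokenException if the scope entry is null, not a {@link String} or blank
     */
    private void convertScopes(final Map<String, Object> response) {
        final Object rawScopes = response.get(SCOPE_KEY);
        if (rawScopes == null) {
            throw new InvalidTokenException("Scopes were null");
        }
        if (!(rawScopes instanceof String)) {
            throw new InvalidTokenException("Scopes was not a String");
        }
        final String scopes = (String) rawScopes;
        if (StringUtils.isBlank(scopes)) {
            throw new InvalidTokenException("No scopes found unable to authenticate");
        }
        response.put(SCOPE_KEY, Arrays.asList(StringUtils.split(scopes, ' ')));
    }
}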
