package org.mitre.oauth2.web;

import com.google.common.base.Strings;
import com.google.common.collect.ImmutableMap;
import java.security.Principal;
import java.util.Set;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.IntrospectionAuthorizer;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.mitre.oauth2.view.TokenIntrospectionView;
import org.mitre.openid.connect.model.UserInfo;
import org.mitre.openid.connect.service.UserInfoService;
import org.mitre.openid.connect.view.HttpCodeView;
import org.mitre.openid.connect.view.JsonEntityView;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

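@Controller
public class IntrospectionEndpoint {

    private static final Logger logger = LoggerFactory.getLogger(IntrospectionEndpoint.class);

    @Autowired
    private OAuth2TokenEntityService tokenServices;

    @Autowired
    private ClientDetailsEntityService clientService;

    @Autowired
    private IntrospectionAuthorizer introspectionAuthorizer;

    @Autowired
    private UserInfoService userInfoService;

    public IntrospectionEndpoint() {
    }

    public IntrospectionEndpoint(OAuth2TokenEntityService oAuth2TokenEntityService) {
        this.tokenServices = oAuth2TokenEntityService;
    }

    /**
     * What the token store knows about a presented token value: the token entity itself,
     * the client it was issued to, its granted scopes and the resolved end-user (if any).
     */
    private static final class ResolvedToken {
        final OAuth2AccessTokenEntity token;
        final ClientDetailsEntity client;
        final Set<String> scope;
        final UserInfo user;

        ResolvedToken(OAuth2AccessTokenEntity token, ClientDetailsEntity client, Set<String> scope, UserInfo user) {
            this.token = token;
            this.client = client;
            this.scope = scope;
            this.user = user;
        }
    }

    /**
     * OAuth 2.0 token introspection: reports whether a presented token is active and, if so,
     * renders its details for the calling client.
     *
     * <p>Callers must be authenticated clients ({@code ROLE_CLIENT}). The caller's own
     * registration is checked first: an unknown caller gets 404 and a caller whose
     * registration does not allow introspection gets 403, in both cases before the token
     * value is looked up, so that a refused caller cannot use this endpoint as a
     * token-validity oracle. Only then is the token value resolved (access token first,
     * then refresh token); an unrecognised value renders {@code {"active": false}}.
     * Finally {@link IntrospectionAuthorizer} decides whether this caller may see this
     * particular token, given the token's client and scopes.
     *
     * @param tokenValue    the {@code token} request parameter; empty or missing renders inactive
     * @param resourceId    the {@code resource_id} parameter; accepted but not used by this method
     * @param tokenTypeHint the {@code token_type_hint} parameter; accepted but not used by this
     *                      method (both lookups are always attempted, access token first)
     * @param principal     the authenticated caller; its name is the caller's client id
     * @param model         receives either {@code entity} (inactive), {@code code} (an HTTP
     *                      status) or {@code token}/{@code user} (introspection result)
     * @return the name of the view to render: {@link JsonEntityView#VIEWNAME},
     *         {@link HttpCodeView#VIEWNAME} or {@link TokenIntrospectionView#VIEWNAME}
     */
    @RequestMapping({"/introspect"})
    @PreAuthorize("hasRole('ROLE_CLIENT')")
    public String verify(@RequestParam("token") String tokenValue, @RequestParam(value = "resource_id", required = false) String resourceId, @RequestParam(value = "token_type_hint", required = false) String tokenTypeHint, Principal principal, Model model) {
        if (Strings.isNullOrEmpty(tokenValue)) {
            logger.error("Verify failed; token value is null");
            return inactive(model);
        }

        // Authorise the caller before touching the token store, so neither the lookup nor
        // its error logging happens on behalf of a client that will be refused anyway.
        String callerId = principal.getName();
        ClientDetailsEntity caller = this.clientService.loadClientByClientId(callerId);
        if (caller == null) {
            logger.error("Verify failed; client " + callerId + " not found.");
            return httpCode(model, HttpStatus.NOT_FOUND);
        }
        if (!caller.isAllowIntrospection()) {
            logger.error("Verify failed; client " + callerId + " is not allowed to call introspection endpoint");
            return httpCode(model, HttpStatus.FORBIDDEN);
        }

        ResolvedToken resolved = resolveToken(tokenValue);
        if (resolved == null) {
            // Unknown token: per the introspection contract the answer is simply "inactive",
            // which deliberately does not distinguish expired, revoked and never-issued values.
            return inactive(model);
        }
        if (resolved.client == null) {
            logger.error("Verify failed; token presented by client " + callerId + " has no issuing client.");
            return httpCode(model, HttpStatus.NOT_FOUND);
        }

        if (!this.introspectionAuthorizer.isIntrospectionPermitted(caller, resolved.client, resolved.scope)) {
            logger.error("Verify failed; client configuration or scope don't permit token introspection");
            return httpCode(model, HttpStatus.FORBIDDEN);
        }

        model.addAttribute("token", resolved.token);
        model.addAttribute("user", resolved.user);
        return TokenIntrospectionView.VIEWNAME;
    }

    /**
     * Resolves a token value, trying the access-token store first and the refresh-token
     * store second.
     *
     * @param tokenValue the raw token string presented by the caller
     * @return the resolved token, or {@code null} when neither store recognises the value
     *         (both failures are logged at error level)
     */
    private ResolvedToken resolveToken(String tokenValue) {
        try {
            OAuth2AccessTokenEntity access = this.tokenServices.readAccessToken(tokenValue);
            ClientDetailsEntity client = access.getClient();
            Set<String> scope = access.getScope();
            UserInfo user = this.userInfoService.getByUsernameAndClientId(
                    access.getAuthenticationHolder().getAuthentication().getName(), client.getClientId());
            return new ResolvedToken(access, client, scope, user);
        } catch (InvalidTokenException e) {
            // NOTE(review): the exception message comes from the token service and may embed
            // the presented token value; confirm what this line writes to the log.
            logger.error("Verify failed; Invalid access token. Checking refresh token.", e);
        }
        try {
            // NOTE(review): this decompiled listing types the refresh-token lookup as
            // OAuth2AccessTokenEntity; confirm against the service's declared return type.
            OAuth2AccessTokenEntity refresh = this.tokenServices.getRefreshToken(tokenValue);
            ClientDetailsEntity client = refresh.getClient();
            Set<String> scope = refresh.getAuthenticationHolder().getAuthentication().getOAuth2Request().getScope();
            UserInfo user = this.userInfoService.getByUsernameAndClientId(
                    refresh.getAuthenticationHolder().getAuthentication().getName(), client.getClientId());
            return new ResolvedToken(refresh, client, scope, user);
        } catch (InvalidTokenException e2) {
            logger.error("Verify failed; Invalid refresh token", e2);
            return null;
        }
    }

    /** Renders the {@code {"active": false}} introspection response. */
    private static String inactive(Model model) {
        model.addAttribute("entity", ImmutableMap.of("active", Boolean.FALSE));
        return JsonEntityView.VIEWNAME;
    }

    /** Renders a bare HTTP status code. */
    private static String httpCode(Model model, HttpStatus status) {
        model.addAttribute("code", status);
        return HttpCodeView.VIEWNAME;
    }
}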
