package org.gcube.portal.oauth;

import java.net.URLDecoder;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.inject.Singleton;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.xml.bind.DatatypeConverter;
import org.gcube.common.authorization.client.Constants;
import org.gcube.common.authorization.library.ClientType;
import org.gcube.common.authorization.library.provider.AuthorizationProvider;
import org.gcube.common.authorization.library.provider.SecurityTokenProvider;
import org.gcube.common.authorization.library.utils.Caller;
import org.gcube.common.scope.api.ScopeProvider;
import org.gcube.portal.oauth.cache.CacheBean;
import org.gcube.portal.oauth.cache.CacheCleaner;
import org.gcube.portal.oauth.input.PushCodeBean;
import org.gcube.portal.oauth.output.AccessTokenBeanResponse;
import org.gcube.portal.oauth.output.AccessTokenErrorResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
@Path("/v2")
/* loaded from: input_file:WEB-INF/classes/org/gcube/portal/oauth/OauthService.class */
public class OauthService {
    public static final String OAUTH_TOKEN_GET_METHOD_NAME_REQUEST = "access-token";
    private static final String GRANT_TYPE_VALUE = "authorization_code";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final Logger logger = LoggerFactory.getLogger(OauthService.class);
    private Map<String, CacheBean> entries;
    CacheCleaner cleaner;

    public OauthService() {
        logger.info("Singleton gcube-oauth service built.");
        this.entries = new ConcurrentHashMap();
        this.cleaner = new CacheCleaner(this.entries);
        this.cleaner.start();
    }

    protected void finalize() {
        if (this.cleaner != null) {
            this.cleaner.interrupt();
        }
    }

    private boolean checkIsQualifierTokenType(ClientType clientType) {
        return clientType.equals(ClientType.USER);
    }

    private boolean checkIsapplicationTokenType(ClientType clientType) {
        return clientType.equals(ClientType.EXTERNALSERVICE);
    }

    @GET
    @Produces({MediaType.TEXT_PLAIN})
    @Path("check")
    public Response checkService() {
        return Response.status(Response.Status.OK).entity("Ready!").build();
    }

    @Path("push-authentication-code")
    @Consumes({MediaType.APPLICATION_JSON})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public Response pushAuthCode(PushCodeBean pushCodeBean) {
        logger.info("Request to push ");
        Caller caller = AuthorizationProvider.instance.get();
        String str = SecurityTokenProvider.instance.get();
        Response.Status status = Response.Status.CREATED;
        if (!checkIsQualifierTokenType(caller.getClient().getType())) {
            Response.Status status2 = Response.Status.FORBIDDEN;
            logger.warn("Trying to access users method via a token different than USER is not allowed");
            return Response.status(status2).entity("{\"error\"=\"Trying to access push-authentication-code method via a token different than USER is not allowed\"").build();
        }
        String code = pushCodeBean.getCode();
        String clientId = pushCodeBean.getClientId();
        String redirectUri = pushCodeBean.getRedirectUri();
        if (code == null || code.isEmpty()) {
            return Response.status(Response.Status.BAD_REQUEST).entity("{\"error\"=\"'code' cannot be null or missing\"").build();
        }
        if (clientId == null || clientId.isEmpty()) {
            return Response.status(Response.Status.BAD_REQUEST).entity("{\"error\"=\"'client_id' cannot be null or missing\"").build();
        }
        if (redirectUri == null || redirectUri.isEmpty()) {
            return Response.status(Response.Status.BAD_REQUEST).entity("{\"error\"=\"'redirect_uri' cannot be null or missing\"").build();
        }
        logger.info("Saving entry defined by " + pushCodeBean + " in cache, token is " + str.substring(0, 10) + "***************");
        this.entries.put(code, new CacheBean(str, ScopeProvider.instance.get(), redirectUri, clientId, Long.valueOf(System.currentTimeMillis())));
        return Response.status(status).build();
    }

    @Path(OAUTH_TOKEN_GET_METHOD_NAME_REQUEST)
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public Response tokenRequest(@FormParam("client_id") String str, @FormParam("client_secret") String str2, @FormParam("redirect_uri") String str3, @FormParam("code") String str4, @FormParam("grant_type") String str5, @Context HttpServletRequest httpServletRequest) {
        Response.Status status = Response.Status.BAD_REQUEST;
        logger.info("Request to exchange code for token");
        try {
            CredentialsBean credentialsBean = new CredentialsBean(str, str2);
            if (str == null) {
                credentialsBean = getCredentialFromBasicAuthorization(httpServletRequest);
            } else if (httpServletRequest.getHeader("Authorization") != null) {
                throw new Exception("he client MUST NOT use more than one authentication method");
            }
            logger.info("Params are client_id = " + credentialsBean.getClientId() + ", client_secret = " + credentialsBean.getClientSecret() + "*******************, redirect_uri = " + str3 + ", code = " + str4 + "*******************, grant_type = " + str5);
            String checkRequest = checkRequest(credentialsBean, str3, str4, str5, httpServletRequest);
            if (checkRequest != null) {
                logger.error("The request fails because of " + checkRequest);
                return Response.status(status).entity(new AccessTokenErrorResponse(checkRequest, null)).build();
            }
            logger.info("The request is ok");
            return Response.status(Response.Status.OK).entity(new AccessTokenBeanResponse(this.entries.get(str4).getToken(), this.entries.get(str4).getScope())).build();
        } catch (Exception e) {
            logger.error("Failed to perform this operation", e);
            return Response.status(Response.Status.BAD_REQUEST).entity(new AccessTokenErrorResponse("invalid_request", null)).build();
        }
    }

    private CredentialsBean getCredentialFromBasicAuthorization(HttpServletRequest httpServletRequest) {
        String[] split = new String(DatatypeConverter.parseBase64Binary(httpServletRequest.getHeader("Authorization").substring("Basic".length()).trim())).split(":");
        return new CredentialsBean(URLDecoder.decode(split[0]), URLDecoder.decode(split[1]));
    }

    private String checkRequest(CredentialsBean credentialsBean, String str, String str2, String str3, HttpServletRequest httpServletRequest) {
        try {
            if (credentialsBean.getClientId() == null || credentialsBean.getClientSecret() == null || str == null || str2 == null || str3 == null || credentialsBean.getClientId().isEmpty() || credentialsBean.getClientSecret().isEmpty() || str.isEmpty() || str2.isEmpty() || str3.isEmpty()) {
                return "invalid_request";
            }
            if (!checkIsapplicationTokenType(Constants.authorizationService().get(credentialsBean.getClientSecret()).getClientInfo().getType())) {
                return "invalid_client";
            }
            if (!this.entries.containsKey(str2) || CacheBean.isExpired(this.entries.get(str2))) {
                return "invalid_grant";
            }
            CacheBean cacheBean = this.entries.get(str2);
            if (!cacheBean.getRedirectUri().equals(str) || !cacheBean.getClientId().equals(credentialsBean.getClientId())) {
                return "invalid_grant";
            }
            if (str3.equals(GRANT_TYPE_VALUE)) {
                return null;
            }
            return "unsupported_grant_type";
        } catch (Exception e) {
            logger.error("Failed to check the correctness of the request", e);
            return "invalid_request";
        }
    }
}
