package org.mitre.uma.web;

import com.google.common.collect.ImmutableMap;
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParseException;
import com.google.gson.JsonParser;
import com.google.gson.JsonPrimitive;
import java.util.Iterator;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.mitre.oauth2.web.AuthenticationUtilities;
import org.mitre.uma.model.Claim;
import org.mitre.uma.model.ClaimProcessingResult;
import org.mitre.uma.model.PermissionTicket;
import org.mitre.uma.model.ResourceSet;
import org.mitre.uma.service.ClaimsProcessingService;
import org.mitre.uma.service.PermissionService;
import org.mitre.uma.service.UmaTokenService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

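/**
 * UMA authorization request endpoint: exchanges a permission ticket (and an
 * optional, already-held RPT) for a requesting-party token, or answers with
 * {@code need_info} listing the claims that are still missing.
 *
 * <p>The request body is a JSON object carrying a {@value #TICKET} member and
 * optionally an {@value #RPT} member. Results are rendered by the
 * {@code jsonEntityView} / {@code jsonErrorView} views from the model
 * attributes {@code entity}, {@code code}, {@code error} and
 * {@code errorMessage}.
 */
@RequestMapping({"/authz_request"})
@Controller
public class AuthorizationRequestEndpoint {
    private static final Logger logger = LoggerFactory.getLogger(AuthorizationRequestEndpoint.class);
    /** JSON member holding a requesting-party token the client already has. */
    public static final String RPT = "rpt";
    /** JSON member holding the permission ticket to authorize. */
    public static final String TICKET = "ticket";
    /** Path of this endpoint, relative to the issuer. */
    public static final String URL = "authz_request";

    // View and model-attribute names shared by every branch below; the views
    // read exactly these keys, so all branches must use the same ones.
    private static final String VIEW_ERROR = "jsonErrorView";
    private static final String VIEW_ENTITY = "jsonEntityView";
    private static final String ATTR_CODE = "code";
    private static final String ATTR_ERROR = "error";
    private static final String ATTR_ERROR_MESSAGE = "errorMessage";
    private static final String ATTR_ENTITY = "entity";

    @Autowired
    private PermissionService permissionService;

    @Autowired
    private OAuth2TokenEntityService tokenService;

    @Autowired
    private ClaimsProcessingService claimsProcessingService;

    @Autowired
    private UmaTokenService umaTokenService;

    /**
     * Handles a UMA authorization request.
     *
     * @param str            raw JSON request body
     * @param model          Spring model the selected view renders from
     * @param authentication the caller's authentication; must carry the
     *                       {@code uma_authorization} scope
     * @return the view name to render ({@code jsonEntityView} on success or
     *         {@code need_info}, {@code jsonErrorView} for client errors)
     */
    @RequestMapping(method = {RequestMethod.POST}, consumes = {"application/json"}, produces = {"application/json"})
    public String authorizationRequest(@RequestBody String str, Model model, Authentication authentication) {
        // Scope check first: a caller without uma_authorization must never reach
        // the ticket lookup. The helper is assumed to reject by throwing — TODO confirm.
        AuthenticationUtilities.ensureOAuthScope(authentication, "uma_authorization");

        JsonObject request;
        try {
            JsonElement parsed = new JsonParser().parse(str);
            if (!parsed.isJsonObject()) {
                return badRequest(model, "Malformed JSON request.");
            }
            request = parsed.getAsJsonObject();
        } catch (JsonParseException e) {
            // A syntactically broken body is a client error (400), not a server
            // failure; the body itself is deliberately not logged.
            logger.debug("Unparseable authorization request body", e);
            return badRequest(model, "Malformed JSON request.");
        }

        // The ticket is mandatory and must be a JSON primitive; a missing,
        // null or structured value is treated the same way.
        String ticketValue = stringMember(request, TICKET);
        if (ticketValue == null) {
            return badRequest(model, "Missing JSON elements.");
        }

        // Optional RPT the client already holds; it is revoked once a new one
        // is issued. readAccessToken is expected to reject unknown token values
        // by throwing (TODO confirm against OAuth2TokenEntityService) — that
        // failure is not translated into a JSON error here.
        // NOTE(review): nothing in this class checks that the supplied RPT belongs
        // to this requesting party before it is revoked — confirm whether the
        // token or UMA service enforces that.
        String rptValue = stringMember(request, RPT);
        OAuth2AccessTokenEntity existingRpt =
                rptValue == null ? null : this.tokenService.readAccessToken(rptValue);

        PermissionTicket ticket = this.permissionService.getByTicket(ticketValue);
        if (ticket == null) {
            // Fix: the original called the single-argument addAttribute, which
            // registers the status under a generated name instead of "code",
            // so the error view never received the HTTP status.
            model.addAttribute(ATTR_CODE, HttpStatus.BAD_REQUEST);
            model.addAttribute(ATTR_ERROR, "invalid_ticket");
            return VIEW_ERROR;
        }

        ResourceSet resourceSet = ticket.getPermission().getResourceSet();
        if (resourceSet.getPolicies() == null || resourceSet.getPolicies().isEmpty()) {
            // Without any policy nobody can be authorized for this resource set.
            model.addAttribute(ATTR_ERROR, "not_authorized");
            model.addAttribute(ATTR_ERROR_MESSAGE, "This resource set can not be accessed.");
            model.addAttribute(ATTR_CODE, HttpStatus.FORBIDDEN);
            return VIEW_ERROR;
        }

        ClaimProcessingResult result = this.claimsProcessingService.claimsAreSatisfied(resourceSet, ticket);
        if (!result.isSatisfied()) {
            // Tell the client which claims are still required for this ticket.
            model.addAttribute(ATTR_ENTITY, needInfoResponse(ticketValue, result.getUnmatched()));
            return VIEW_ENTITY;
        }

        // The cast relies on ensureOAuthScope having rejected anything that is
        // not an OAuth2Authentication — TODO confirm against AuthenticationUtilities.
        OAuth2AccessTokenEntity rpt = this.umaTokenService.createRequestingPartyToken(
                (OAuth2Authentication) authentication, ticket, result.getMatched());
        if (existingRpt != null) {
            // The previously held RPT is superseded by the one just issued.
            this.tokenService.revokeAccessToken(existingRpt);
        }
        model.addAttribute(ATTR_ENTITY, ImmutableMap.of(RPT, rpt.getValue()));
        return VIEW_ENTITY;
    }

    /**
     * Returns the string form of {@code member}, or {@code null} when the member
     * is absent or is not a JSON primitive (object, array or JSON null).
     */
    private static String stringMember(JsonObject obj, String member) {
        JsonElement element = obj.get(member);
        return element != null && element.isJsonPrimitive() ? element.getAsString() : null;
    }

    /** Registers a 400 error with {@code message} on the model and returns the error view. */
    private static String badRequest(Model model, String message) {
        model.addAttribute(ATTR_CODE, HttpStatus.BAD_REQUEST);
        model.addAttribute(ATTR_ERROR_MESSAGE, message);
        return VIEW_ERROR;
    }

    /**
     * Builds the {@code need_info} error body listing the claims still required
     * for {@code ticket}; member order matches the original hand-built response.
     */
    private static JsonObject needInfoResponse(String ticket, Iterable<Claim> unmatched) {
        JsonArray required = new JsonArray();
        for (Claim claim : unmatched) {
            required.add(claimToJson(claim));
        }

        JsonObject requestingPartyClaims = new JsonObject();
        requestingPartyClaims.addProperty("redirect_user", true);
        requestingPartyClaims.addProperty(TICKET, ticket);
        requestingPartyClaims.add("required_claims", required);

        JsonObject details = new JsonObject();
        details.add("requesting_party_claims", requestingPartyClaims);

        JsonObject body = new JsonObject();
        body.addProperty("error", "need_info");
        body.add("error_details", details);
        return body;
    }

    /** Serialises one unmatched claim: name, friendly name, type, accepted token formats and issuers. */
    private static JsonObject claimToJson(Claim claim) {
        JsonObject json = new JsonObject();
        json.addProperty("name", claim.getName());
        json.addProperty("friendly_name", claim.getFriendlyName());
        json.addProperty("claim_type", claim.getClaimType());
        json.add("claim_token_format", toJsonArray(claim.getClaimTokenFormat()));
        json.add("issuer", toJsonArray(claim.getIssuer()));
        return json;
    }

    /** Copies a sequence of strings into a {@link JsonArray} of string primitives. */
    private static JsonArray toJsonArray(Iterable<String> values) {
        JsonArray array = new JsonArray();
        for (String value : values) {
            array.add(new JsonPrimitive(value));
        }
        return array;
    }
}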
