package org.cloudfoundry.identity.uaa.oauth;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.xerces.impl.xs.SchemaSymbols;
import org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.util.Assert;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.DefaultResponseErrorHandler;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.12.4.jar:org/cloudfoundry/identity/uaa/oauth/RemoteTokenServices.class */
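/**
 * {@link ResourceServerTokenServices} that validates an access token by posting it to a remote
 * {@code check_token} endpoint and building an {@link OAuth2Authentication} from the JSON reply.
 *
 * <p>Security notes for operators and maintainers:
 * <ul>
 *   <li>Every call sends the configured client id and secret as an HTTP Basic header, plus the
 *       bearer token in the form body, so {@link #setCheckTokenEndpointUrl(String)} should point
 *       at a TLS-protected URL. This class does not enforce the scheme itself.</li>
 *   <li>The reply is trusted as-is: client id, scopes, resource ids and authorities are copied
 *       from it without further verification. The endpoint is therefore part of the trust
 *       boundary.</li>
 *   <li>The token value is never placed in exception messages, because those can end up in logs
 *       and in error responses.</li>
 * </ul>
 */
public class RemoteTokenServices implements ResourceServerTokenServices {
    private String checkTokenEndpointUrl;
    private String clientId;
    // Held as a String for the lifetime of the bean; do not log it or include it in error messages.
    private String clientSecret;
    protected final Log logger = LogFactory.getLog(getClass());
    private boolean storeClaims = false;
    private RestOperations restTemplate = new RestTemplate();

    /**
     * Creates the service with a default {@link RestTemplate} whose error handler lets HTTP 400
     * responses through, so that the {@code error} field of the body can be inspected by
     * {@link #loadAuthentication(String)}. All other error statuses keep the default handling.
     */
    public RemoteTokenServices() {
        ((RestTemplate) this.restTemplate).setErrorHandler(new DefaultResponseErrorHandler() {
            @Override
            public void handleError(ClientHttpResponse response) throws IOException {
                // A 400 carries the endpoint's own error payload; it is parsed by the caller
                // instead of being turned into an exception here.
                if (response.getRawStatusCode() != 400) {
                    super.handleError(response);
                }
            }
        });
    }

    /** @return whether String-valued claims of the reply are copied into the request parameters */
    public boolean isStoreClaims() {
        return this.storeClaims;
    }

    /** @param storeClaims {@code true} to copy String-valued claims into the request parameters */
    public void setStoreClaims(boolean storeClaims) {
        this.storeClaims = storeClaims;
    }

    /**
     * Replaces the HTTP client. A replacement does not inherit the lenient HTTP 400 handling that
     * the constructor installs on the default template.
     *
     * @param restOperations client used to call the check_token endpoint
     */
    public void setRestTemplate(RestOperations restOperations) {
        this.restTemplate = restOperations;
    }

    /** @param checkTokenEndpointUrl URL of the check_token endpoint; should be HTTPS */
    public void setCheckTokenEndpointUrl(String checkTokenEndpointUrl) {
        this.checkTokenEndpointUrl = checkTokenEndpointUrl;
    }

    /** @param clientId client id sent in the Basic header */
    public void setClientId(String clientId) {
        this.clientId = clientId;
    }

    /** @param clientSecret client secret sent in the Basic header */
    public void setClientSecret(String clientSecret) {
        this.clientSecret = clientSecret;
    }

    /**
     * Validates {@code accessToken} against the remote endpoint and converts the reply into an
     * {@link OAuth2Authentication}.
     *
     * @param accessToken the bearer token value presented by the caller
     * @return the authentication described by the endpoint's reply
     * @throws InvalidTokenException if the reply contains an {@code error} entry
     * @throws IllegalStateException if the reply has no body, lacks {@code client_id}, or an
     *         additional-authorization claim cannot be serialised
     */
    @Override
    public OAuth2Authentication loadAuthentication(String accessToken) throws AuthenticationException {
        LinkedMultiValueMap<String, String> formData = new LinkedMultiValueMap<>();
        // Plain literal: the form field name has nothing to do with the XML schema constants.
        formData.add("token", accessToken);
        HttpHeaders headers = new HttpHeaders();
        headers.set("Authorization", getAuthorizationHeader(this.clientId, this.clientSecret));
        Map<String, Object> claims = postForMap(this.checkTokenEndpointUrl, formData, headers);

        // Fail with a clear state error rather than a NullPointerException on an empty reply.
        Assert.state(claims != null, "No response body from auth server");
        if (claims.containsKey("error")) {
            this.logger.debug("check_token returned error: " + claims.get("error"));
            // Fixed message: the rejected token must not be echoed into logs or error responses.
            throw new InvalidTokenException("Invalid access token");
        }
        Assert.state(claims.containsKey("client_id"), "Client id must be present in response from auth server");
        String remoteClientId = (String) claims.get("client_id");

        Set<String> scope = new HashSet<>();
        if (claims.containsKey("scope")) {
            scope.addAll(asStringCollection(claims.get("scope")));
        }
        AuthorizationRequest authorizationRequest = new AuthorizationRequest(remoteClientId, scope);

        if (claims.containsKey("resource_ids") || claims.containsKey("client_authorities")) {
            Set<String> resourceIds = new HashSet<>();
            if (claims.containsKey("resource_ids")) {
                resourceIds.addAll(asStringCollection(claims.get("resource_ids")));
            }
            Set<GrantedAuthority> clientAuthorities = new HashSet<>();
            if (claims.containsKey("client_authorities")) {
                clientAuthorities.addAll(getAuthorities(asStringCollection(claims.get("client_authorities"))));
            }
            BaseClientDetails clientDetails = new BaseClientDetails();
            clientDetails.setClientId(remoteClientId);
            clientDetails.setResourceIds(resourceIds);
            clientDetails.setAuthorities(clientAuthorities);
            authorizationRequest.setResourceIdsAndAuthoritiesFromClientDetails(clientDetails);
        }

        Map<String, String> requestParameters = new HashMap<>();
        if (isStoreClaims()) {
            // Only String-valued claims are kept; instanceof already rejects null values.
            for (Map.Entry<String, Object> entry : claims.entrySet()) {
                if (entry.getValue() instanceof String) {
                    requestParameters.put(entry.getKey(), (String) entry.getValue());
                }
            }
        }
        if (claims.containsKey(ClaimConstants.ADDITIONAL_AZ_ATTR)) {
            try {
                requestParameters.put(ClaimConstants.ADDITIONAL_AZ_ATTR,
                        JsonUtils.writeValueAsString(claims.get(ClaimConstants.ADDITIONAL_AZ_ATTR)));
            } catch (JsonUtils.JsonUtilException e) {
                throw new IllegalStateException("Cannot convert access token to JSON", e);
            }
        }
        authorizationRequest.setRequestParameters(Collections.unmodifiableMap(requestParameters));

        Authentication userAuthentication = getUserAuthentication(claims, scope);
        authorizationRequest.setApproved(true);
        return new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication);
    }

    /**
     * Builds the user part of the authentication, or returns {@code null} when the reply has no
     * {@code user_name} (no user is associated with the token).
     *
     * <p>When the reply carries no {@code user_authorities}, the token's scopes are used as the
     * user's authorities.
     */
    private Authentication getUserAuthentication(Map<String, Object> claims, Set<String> scope) {
        String username = (String) claims.get("user_name");
        if (username == null) {
            return null;
        }
        Set<GrantedAuthority> userAuthorities = new HashSet<>();
        if (claims.containsKey("user_authorities")) {
            userAuthorities.addAll(getAuthorities(asStringCollection(claims.get("user_authorities"))));
        } else {
            userAuthorities.addAll(getAuthorities(scope));
        }
        return new RemoteUserAuthentication(
                (String) claims.get("user_id"), username, (String) claims.get("email"), userAuthorities);
    }

    /**
     * Not supported by this implementation.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public OAuth2AccessToken readAccessToken(String accessToken) {
        throw new UnsupportedOperationException("Not supported: read access token");
    }

    /** Wraps each authority name in a {@link SimpleGrantedAuthority}. */
    private Set<GrantedAuthority> getAuthorities(Collection<String> authorities) {
        Set<GrantedAuthority> result = new HashSet<>();
        for (String authority : authorities) {
            result.add(new SimpleGrantedAuthority(authority));
        }
        return result;
    }

    /**
     * Narrows a claim value to a collection of strings. The element type is not checked here; a
     * non-collection value fails with a {@link ClassCastException}, as the raw cast always did.
     */
    @SuppressWarnings("unchecked")
    private static Collection<String> asStringCollection(Object value) {
        return (Collection<String>) value;
    }

    /**
     * Builds the HTTP Basic header value for the given credentials.
     *
     * @throws IllegalStateException if UTF-8 is unavailable; the original cause is preserved
     */
    private String getAuthorizationHeader(String id, String secret) {
        try {
            byte[] credentials = String.format("%s:%s", id, secret).getBytes("UTF-8");
            // Decode with an explicit charset so the header does not depend on the platform default.
            return "Basic " + new String(Base64.encode(credentials), "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("Could not convert String", e);
        }
    }

    /**
     * Posts the form to {@code url} and returns the reply body as a map, which may be
     * {@code null} when the reply has no body. Defaults the content type to
     * {@code application/x-www-form-urlencoded} when the caller has not set one.
     */
    @SuppressWarnings("unchecked")
    private Map<String, Object> postForMap(String url, MultiValueMap<String, String> formData, HttpHeaders headers) {
        if (headers.getContentType() == null) {
            headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        }
        HttpEntity<MultiValueMap<String, String>> request = new HttpEntity<>(formData, headers);
        return (Map<String, Object>) this.restTemplate.exchange(url, HttpMethod.POST, request, Map.class).getBody();
    }
}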
