package ca.nrc.cadc.ac.server.oidc;

import ca.nrc.cadc.auth.AuthMethod;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.InvalidSignedTokenException;
import ca.nrc.cadc.auth.SignedToken;
import ca.nrc.cadc.rest.InlineContentHandler;
import ca.nrc.cadc.rest.RestAction;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.apache.log4j.Logger;

/* loaded from: input_file:ca/nrc/cadc/ac/server/oidc/TokenAction.class */
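/**
 * OIDC token endpoint. Authenticates the relying party with client_id/client_secret,
 * exchanges an authorization code or a refresh token for a fresh token set, and writes
 * the JSON token response (or a JSON error with HTTP 400).
 */
public class TokenAction extends RestAction {
    private static final Logger log = Logger.getLogger(TokenAction.class);

    /** Request parameters whose values are secrets and must never be written to the log. */
    private static final String[] SENSITIVE_PARAMS = {"client_secret", "code", "refresh_token"};

    /**
     * Entry point of the action: client authentication, grant validation, token issue.
     *
     * @throws Exception if the response cannot be written or the subject cannot be augmented
     */
    public void doAction() throws Exception {
        logParameters();

        log.debug("authenticating client");
        final String clientId = this.syncInput.getParameter("client_id");
        String clientSecret = this.syncInput.getParameter("client_secret");
        if (!isAuthenticClient(clientId, clientSecret)) {
            sendError("invalid_client");
            return;
        }

        String grantType = this.syncInput.getParameter("grant_type");
        log.debug("checking grant type: " + grantType);
        SignedToken grant = parseGrant(grantType);
        if (grant == null) {
            // parseGrant has already written the error response
            return;
        }
        // NOTE(review): neither grant branch checks which scope the parsed token carries, so a
        // token issued for OIDCUtil.ACCESS_TOKEN_SCOPE presented as a refresh_token (or vice
        // versa) is accepted here; confirm whether SignedToken exposes its scope so it can be
        // compared against the scope expected for the grant type.
        // NOTE(review): the authorization code is also not checked to have been issued to this
        // client_id; confirm whether the code carries that binding.

        final Principal principal = (HttpPrincipal) grant.getPrincipalByClass(HttpPrincipal.class);
        if (principal == null) {
            // a token without an HttpPrincipal identifies nobody; reject it instead of letting
            // Subject.getPrincipals().add(null) fail with an NPE (RFC 6749 §5.2: invalid_grant)
            sendError("invalid_grant");
            return;
        }
        Subject subject = new Subject();
        subject.getPrincipals().add(principal);
        subject.getPublicCredentials().add(AuthMethod.TOKEN);

        log.debug("augmenting user subject");
        Subject.doAs(AuthenticationUtil.augmentSubject(subject), new PrivilegedExceptionAction<Object>() {
            @Override
            public Object run() throws Exception {
                writeTokenResponse(createJWT(principal.getName(), clientId));
                return null;
            }
        });
    }

    /** Debug-logs every request parameter, redacting the ones that carry secrets. */
    private void logParameters() {
        if (!log.isDebugEnabled()) {
            return;
        }
        log.debug("params:");
        for (String name : this.syncInput.getParameterNames()) {
            String value = isSensitive(name) ? "[redacted]" : this.syncInput.getParameter(name);
            log.debug("param: " + name + "=" + value);
        }
    }

    /** @return true if {@code name} is one of {@link #SENSITIVE_PARAMS} */
    private static boolean isSensitive(String name) {
        for (String sensitive : SENSITIVE_PARAMS) {
            if (sensitive.equals(name)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the presented client credentials against the registered relying party.
     *
     * @param clientId     value of the client_id parameter, may be null
     * @param clientSecret value of the client_secret parameter, may be null
     * @return true only if both values are present, the client is registered and the secret matches
     */
    private static boolean isAuthenticClient(String clientId, String clientSecret) {
        if (clientId == null || clientSecret == null) {
            return false;
        }
        RelyParty relyParty = OIDCUtil.getRelyParty(clientId);
        if (relyParty == null || relyParty.getClientSecret() == null) {
            return false;
        }
        // constant-time comparison: String.equals returns at the first mismatching character,
        // which lets the response time reveal how much of a guessed secret is correct
        return MessageDigest.isEqual(
                relyParty.getClientSecret().getBytes(StandardCharsets.UTF_8),
                clientSecret.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Reads and parses the grant for the given grant_type.
     *
     * @param grantType value of the grant_type parameter ("refresh_token" or "authorization_code")
     * @return the parsed token, or null after an error response has been sent
     * @throws IOException if the error response cannot be written
     */
    private SignedToken parseGrant(String grantType) throws IOException {
        String paramName;
        String invalidMsg;
        if ("refresh_token".equals(grantType)) {
            paramName = "refresh_token";
            invalidMsg = "Invalid refresh Token";
        } else if ("authorization_code".equals(grantType)) {
            log.debug("validating code");
            paramName = "code";
            invalidMsg = "Invalid signed Token";
        } else {
            log.debug("returning unsupported_grant_type");
            sendError("unsupported_grant_type");
            return null;
        }

        String encoded = this.syncInput.getParameter(paramName);
        if (encoded == null) {
            sendError("invalid_request");
            return null;
        }
        try {
            return SignedToken.parse(encoded);
        } catch (InvalidSignedTokenException e) {
            log.debug(invalidMsg, e);
            // NOTE(review): RFC 6749 §5.2 names this case invalid_grant; invalid_scope is kept
            // because existing clients may depend on it.
            sendError("invalid_scope");
            return null;
        }
    }

    /**
     * Builds the JSON token response body for an authenticated user.
     *
     * @param username name of the authenticated user the tokens are issued to
     * @param clientId relying party the id_token is built for
     * @return the JSON document containing access_token, refresh_token, token_type, expires_in, id_token
     * @throws Exception propagated from token generation
     */
    /* JADX INFO: Access modifiers changed from: private */
    public String createJWT(String username, String clientId) throws Exception {
        log.debug("building jwt");
        String idToken = OIDCUtil.buildIDToken(clientId);

        log.debug("building access token");
        URI accessScope = URI.create(OIDCUtil.ACCESS_TOKEN_SCOPE);
        URI refreshScope = URI.create(OIDCUtil.REFRESH_TOKEN_SCOPE);
        String accessToken = OIDCUtil.getToken(username, accessScope, OIDCUtil.ACCESS_CODE_EXPIRY_MINUTES.intValue());
        String refreshToken = OIDCUtil.getToken(username, refreshScope, OIDCUtil.REFRESH_TOKEN_EXPIRY_MINUTES.intValue());

        // tokens are server-generated, so no JSON escaping is applied to them
        StringBuilder sb = new StringBuilder();
        sb.append("{ ");
        sb.append("  \"access_token\": \"").append(accessToken).append("\",");
        sb.append("  \"refresh_token\": \"").append(refreshToken).append("\",");
        sb.append("  \"token_type\": \"Bearer\",");
        // NOTE(review): RFC 6749 §5.1 defines expires_in as an integer number of seconds; this
        // emits JWT_EXPIRY_MINUTES as a quoted string — confirm with clients before changing.
        sb.append("  \"expires_in\": \"").append(OIDCUtil.JWT_EXPIRY_MINUTES).append("\",");
        sb.append("  \"id_token\": \"").append(idToken).append("\"");
        sb.append(" }");
        return sb.toString();
    }

    /** This action takes no request body. */
    protected InlineContentHandler getInlineContentHandler() {
        return null;
    }

    /** Sets the headers every response of this endpoint carries (JSON, never cached). */
    private void setJsonHeaders() {
        this.syncOutput.setHeader("Content-Type", "application/json");
        this.syncOutput.setHeader("Cache-Control", "no-store");
        this.syncOutput.setHeader("Pragma", "no-cache");
    }

    /**
     * Writes the successful token response.
     *
     * @param json the response body; contains bearer tokens and is therefore not logged
     * @throws IOException if the output stream cannot be written
     */
    private void writeTokenResponse(String json) throws IOException {
        log.debug("set headers and return json");
        setJsonHeaders();
        // JSON is UTF-8 (RFC 8259); do not depend on the platform default charset
        OutputStreamWriter writer = new OutputStreamWriter(this.syncOutput.getOutputStream(), StandardCharsets.UTF_8);
        writer.write(json);
        // flush only: the underlying stream belongs to RestAction
        writer.flush();
    }

    /**
     * Writes an OAuth2 error response with HTTP 400.
     *
     * @param errorCode one of the RFC 6749 §5.2 error codes; only fixed literals are passed in
     * @throws IOException if the output stream cannot be written
     */
    private void sendError(String errorCode) throws IOException {
        setJsonHeaders();
        this.syncOutput.setCode(400);
        OutputStreamWriter writer = new OutputStreamWriter(this.syncOutput.getOutputStream(), StandardCharsets.UTF_8);
        String body = "{ \"error\": \"" + errorCode + "\" }";
        log.debug("returning error:\n" + body);
        writer.write(body);
        writer.flush();
    }
}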
