package com.liferay.oauth2.provider.rest.internal.endpoint.introspect;

import com.liferay.oauth2.provider.model.OAuth2Application;
import com.liferay.oauth2.provider.rest.internal.endpoint.constants.OAuth2ProviderRESTEndpointConstants;
import com.liferay.oauth2.provider.rest.internal.endpoint.liferay.LiferayOAuthDataProvider;
import com.liferay.oauth2.provider.rest.spi.bearer.token.provider.BearerTokenProvider;
import com.liferay.portal.kernel.util.ListUtil;
import com.liferay.portal.kernel.util.MapUtil;
import com.liferay.portal.remote.cors.annotation.CORS;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.ws.rs.Consumes;
import javax.ws.rs.Encoded;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.services.AbstractTokenService;
import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;

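/**
 * Token introspection endpoint (RFC 7662) backed by a {@link LiferayOAuthDataProvider}.
 *
 * <p>A form-encoded POST carrying {@code token} and, optionally, {@code token_type_hint}
 * is answered with a {@link TokenIntrospection} for the matching access or refresh token.
 * The calling client has to authenticate, has to be the client the token was issued to
 * (same client ID and same company, see {@link #clientsMatch}) and has to carry the
 * {@code feature.token.introspection} client property; otherwise an
 * {@code unauthorized_client} error is returned instead of token details. A token that
 * is unknown, expired or rejected by the application's {@link BearerTokenProvider} yields
 * {@code {"active": false}}.</p>
 */
@Path("introspect")
public class LiferayTokenIntrospectionService extends AbstractTokenService {

    /** Client property that must be present for a client to use this endpoint. */
    private static final String _FEATURE_TOKEN_INTROSPECTION =
        "feature.token.introspection";

    private final LiferayOAuthDataProvider _liferayOAuthDataProvider;

    /**
     * @param liferayOAuthDataProvider token and client store; also registered with the
     *        CXF base class via {@code setDataProvider}
     * @param canSupportPublicClients passed to {@code setCanSupportPublicClients}, i.e.
     *        whether clients without a secret may authenticate
     */
    public LiferayTokenIntrospectionService(
        LiferayOAuthDataProvider liferayOAuthDataProvider, boolean canSupportPublicClients) {

        _liferayOAuthDataProvider = liferayOAuthDataProvider;

        setCanSupportPublicClients(canSupportPublicClients);
        setDataProvider(liferayOAuthDataProvider);
    }

    /**
     * Handles an introspection request.
     *
     * <p>The {@code token_type_hint} only decides which token store is searched first;
     * when the hinted store does not hold the token the other one is consulted, as
     * RFC 7662 section 2.1 requires. An unknown hint is answered with
     * {@code unsupported_token_type}; a missing or empty {@code token} with
     * {@code invalid_request}.</p>
     *
     * @param multivaluedMap the form parameters of the request
     * @return the introspection response, or an OAuth error response
     */
    @Consumes({"application/x-www-form-urlencoded"})
    @POST
    @Produces({"application/json"})
    @CORS(allowMethods = {"POST"})
    public Response getTokenIntrospection(
        @Encoded MultivaluedMap<String, String> multivaluedMap) {

        Client client = authenticateClientIfNeeded(multivaluedMap);

        String token = multivaluedMap.getFirst("token");

        // "token" is REQUIRED (RFC 7662 section 2.1). A request without it is malformed,
        // so it is rejected before any token-store lookup is attempted with a null key.
        if ((token == null) || token.isEmpty()) {
            return createErrorResponseFromErrorCode(OAuthConstants.INVALID_REQUEST);
        }

        String tokenTypeHint = multivaluedMap.getFirst(OAuthConstants.TOKEN_TYPE_HINT);

        // No hint behaves like an access_token hint: access tokens are tried first.
        if ((tokenTypeHint == null) || OAuthConstants.ACCESS_TOKEN.equals(tokenTypeHint)) {
            Response response = _introspectAccessToken(client, token);

            if (response == null) {
                response = _introspectRefreshToken(client, token);
            }

            return _orInactive(response);
        }

        if (OAuthConstants.REFRESH_TOKEN.equals(tokenTypeHint)) {
            Response response = _introspectRefreshToken(client, token);

            if (response == null) {
                response = _introspectAccessToken(client, token);
            }

            return _orInactive(response);
        }

        return createErrorResponseFromErrorCode(OAuthConstants.UNSUPPORTED_TOKEN_TYPE);
    }

    /**
     * Normalizes the client credentials before the CXF base class authenticates the client.
     *
     * <p>An empty {@code client_id} is reported as an invalid client ({@code
     * reportInvalidClient()} is expected to abort the request). An empty {@code
     * client_secret} is dropped from the parameters, presumably so that the base class
     * treats the caller as a public client rather than comparing an empty secret — confirm
     * against the CXF implementation. The decompiler reports this method as {@code
     * protected} in the original source; it stays {@code public} here so existing callers
     * are unaffected.</p>
     */
    @Override
    public Client authenticateClientIfNeeded(MultivaluedMap<String, String> multivaluedMap) {
        String clientId = multivaluedMap.getFirst(OAuthConstants.CLIENT_ID);

        if ((clientId != null) && clientId.isEmpty()) {
            reportInvalidClient();
        }

        String clientSecret = multivaluedMap.getFirst(OAuthConstants.CLIENT_SECRET);

        if ((clientSecret != null) && clientSecret.isEmpty()) {
            multivaluedMap.remove(OAuthConstants.CLIENT_SECRET);
        }

        return super.authenticateClientIfNeeded(multivaluedMap);
    }

    /**
     * Returns whether two clients denote the same registered application: same client ID
     * and same company ID property. The company check keeps an application of one
     * company from being matched with a same-named client of another company.
     */
    protected boolean clientsMatch(Client client, Client client2) {
        if (!Objects.equals(client.getClientId(), client2.getClientId())) {
            return false;
        }

        return Objects.equals(_getCompanyId(client), _getCompanyId(client2));
    }

    /**
     * Builds the {@code active: true} introspection document for a token.
     *
     * <p>{@code exp} is computed as {@code issuedAt + expiresIn} (presumably epoch seconds,
     * as CXF stores them). NOTE(review): a CXF "never expires" lifetime of {@code -1}
     * would produce an {@code exp} one second before {@code iat} — confirm whether such
     * tokens can reach this endpoint.</p>
     *
     * @param serverAccessToken an access or refresh token that already passed
     *        {@link #verifyClient} and {@link #verifyServerAccessToken}
     * @return the populated introspection document
     */
    protected TokenIntrospection createTokenIntrospection(ServerAccessToken serverAccessToken) {
        TokenIntrospection tokenIntrospection = new TokenIntrospection(true);

        List<String> audiences = serverAccessToken.getAudiences();

        if (ListUtil.isNotEmpty(audiences)) {
            tokenIntrospection.setAud(audiences);
        }

        tokenIntrospection.setClientId(serverAccessToken.getClient().getClientId());

        long issuedAt = serverAccessToken.getIssuedAt();

        tokenIntrospection.setExp(issuedAt + serverAccessToken.getExpiresIn());

        // Extra token properties are exposed verbatim as introspection extensions.
        Map<String, String> extraProperties = serverAccessToken.getExtraProperties();

        if (extraProperties != null) {
            tokenIntrospection.getExtensions().putAll(extraProperties);
        }

        String issuer = serverAccessToken.getIssuer();

        if (issuer != null) {
            tokenIntrospection.setIss(issuer);
        }

        tokenIntrospection.setIat(issuedAt);

        List<OAuthPermission> scopes = serverAccessToken.getScopes();

        if (ListUtil.isNotEmpty(scopes)) {
            tokenIntrospection.setScope(OAuthUtils.convertPermissionsToScope(scopes));
        }

        UserSubject subject = serverAccessToken.getSubject();

        if (subject != null) {
            tokenIntrospection.setUsername(subject.getLogin());
            tokenIntrospection.setSub(subject.getId());
        }

        tokenIntrospection.setTokenType(serverAccessToken.getTokenType());

        return tokenIntrospection;
    }

    /**
     * Answers an introspection request for an access token.
     *
     * <p>Order of checks: the calling client must be allowed to introspect this token
     * ({@code unauthorized_client} otherwise), the token must not be expired and the
     * application's {@link BearerTokenProvider} must still consider it valid (both give
     * {@code active: false}). NOTE(review): the error branch tells the caller that the
     * token exists; RFC 7662 section 2.3 also permits plain {@code active: false} for
     * tokens a client may not know about — a policy choice to confirm.</p>
     *
     * @param client the authenticated caller
     * @param serverAccessToken the access token found for the submitted value
     * @return the introspection or error response
     */
    protected Response handleAccessToken(Client client, ServerAccessToken serverAccessToken) {
        Response rejection = _rejectIfNotIntrospectable(client, serverAccessToken);

        if (rejection != null) {
            return rejection;
        }

        BearerTokenProvider.AccessToken accessToken =
            _liferayOAuthDataProvider.fromCXFAccessToken(serverAccessToken);

        OAuth2Application oAuth2Application = accessToken.getOAuth2Application();

        // The per-application provider has the final say on whether the token is live.
        if (!_liferayOAuthDataProvider.getBearerTokenProvider(
                oAuth2Application.getCompanyId(), oAuth2Application.getClientId()
            ).isValid(accessToken)) {

            return _inactive();
        }

        return Response.ok(createTokenIntrospection(serverAccessToken)).build();
    }

    /**
     * Answers an introspection request for a refresh token; same checks as
     * {@link #handleAccessToken}, using the refresh-token view of the
     * {@link BearerTokenProvider}.
     *
     * @param client the authenticated caller
     * @param refreshToken the refresh token found for the submitted value
     * @return the introspection or error response
     */
    protected Response handleRefreshToken(Client client, RefreshToken refreshToken) {
        Response rejection = _rejectIfNotIntrospectable(client, refreshToken);

        if (rejection != null) {
            return rejection;
        }

        BearerTokenProvider.RefreshToken bearerRefreshToken =
            _liferayOAuthDataProvider.fromCXFRefreshToken(refreshToken);

        OAuth2Application oAuth2Application = bearerRefreshToken.getOAuth2Application();

        if (!_liferayOAuthDataProvider.getBearerTokenProvider(
                oAuth2Application.getCompanyId(), oAuth2Application.getClientId()
            ).isValid(bearerRefreshToken)) {

            return _inactive();
        }

        return Response.ok(createTokenIntrospection(refreshToken)).build();
    }

    /**
     * Returns whether {@code client} may introspect {@code serverAccessToken}: it must be
     * the client the token was issued to and must carry the
     * {@code feature.token.introspection} property.
     */
    protected boolean verifyClient(Client client, ServerAccessToken serverAccessToken) {
        if (!clientsMatch(client, serverAccessToken.getClient())) {
            return false;
        }

        return client.getProperties().containsKey(_FEATURE_TOKEN_INTROSPECTION);
    }

    /** Returns whether the token has not yet expired according to CXF's lifetime rules. */
    protected boolean verifyServerAccessToken(ServerAccessToken serverAccessToken) {
        return !OAuthUtils.isExpired(
            serverAccessToken.getIssuedAt(), serverAccessToken.getExpiresIn());
    }

    /** Company ID property of a client, or blank when the client has none. */
    private String _getCompanyId(Client client) {
        return MapUtil.getString(
            client.getProperties(),
            OAuth2ProviderRESTEndpointConstants.PROPERTY_KEY_COMPANY_ID);
    }

    /** The {@code active: false} response. */
    private Response _inactive() {
        return Response.ok(new TokenIntrospection(false)).build();
    }

    /**
     * Looks {@code token} up as an access token.
     *
     * @return the response for it, or {@code null} when no access token with that value exists
     */
    private Response _introspectAccessToken(Client client, String token) {
        ServerAccessToken serverAccessToken = _liferayOAuthDataProvider.getAccessToken(token);

        if (serverAccessToken == null) {
            return null;
        }

        return handleAccessToken(client, serverAccessToken);
    }

    /**
     * Looks {@code token} up as a refresh token.
     *
     * @return the response for it, or {@code null} when no refresh token with that value exists
     */
    private Response _introspectRefreshToken(Client client, String token) {
        RefreshToken refreshToken = _liferayOAuthDataProvider.getRefreshToken(token);

        if (refreshToken == null) {
            return null;
        }

        return handleRefreshToken(client, refreshToken);
    }

    /** Substitutes {@code active: false} for a missing (not found) response. */
    private Response _orInactive(Response response) {
        if (response == null) {
            return _inactive();
        }

        return response;
    }

    /**
     * Shared gate of the two handle methods.
     *
     * @return the error response for a client that may not introspect the token, the
     *         inactive response for an expired token, or {@code null} when both checks pass
     */
    private Response _rejectIfNotIntrospectable(
        Client client, ServerAccessToken serverAccessToken) {

        if (!verifyClient(client, serverAccessToken)) {
            return createErrorResponseFromErrorCode(OAuthConstants.UNAUTHORIZED_CLIENT);
        }

        if (!verifyServerAccessToken(serverAccessToken)) {
            return _inactive();
        }

        return null;
    }

}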
