package com.adobe.granite.oauth.server.impl;

import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.crypto.CryptoSupport;
import com.adobe.granite.keystore.KeyStoreService;
import com.adobe.granite.oauth.jwt.JwsBuilderFactory;
import com.adobe.granite.oauth.jwt.JwsValidator;
import com.adobe.granite.oauth.server.OAuth2ResourceServer;
import com.adobe.granite.oauth.server.impl.helper.OAuth2Constants;
import com.adobe.granite.oauth.server.impl.helper.OAuth2Helper;
import com.adobe.granite.oauth.server.scopes.impl.OfflineAccessScope;
import com.adobe.granite.oauth.server.scopes.impl.ReplicateScope;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.KeyPair;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Modified;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.oltu.oauth2.as.request.OAuthTokenRequest;
import org.apache.oltu.oauth2.as.response.OAuthASResponse;
import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.OAuthResponse;
import org.apache.oltu.oauth2.common.message.types.GrantType;
import org.apache.oltu.oauth2.common.utils.OAuthUtils;
import org.apache.oltu.oauth2.jwt.JWT;
import org.apache.oltu.oauth2.jwt.io.JWTReader;
import org.apache.oltu.oauth2.jwt.request.JWTOAuthRequest;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.framework.BundleContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

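/**
 * Servlet implementing the (deprecated) OAuth 2.0 token endpoint of the Adobe Granite OAuth server.
 *
 * <p>{@link #doPost} dispatches on the {@code grant_type} parameter and supports
 * {@link GrantType#AUTHORIZATION_CODE}, {@link GrantType#REFRESH_TOKEN} and {@link GrantType#JWT_BEARER}.
 * Authorization codes and refresh tokens are HS256 JWTs issued by this server and are verified with the
 * {@link JwsValidator}; JWT bearer assertions are RS256 JWTs signed by the caller and verified against the
 * public key of the key pair that the {@link KeyStoreService} holds for the asserting user.
 *
 * <p>Protocol errors are reported as HTTP 400 with a JSON body (RFC 6749 section 5.2); token responses are
 * JSON and are marked non-cacheable (section 5.1).
 */
@Component(metatype = true, label = "%oauth.token.endpoint.name", description = "%oauth.token.endpoint.description")
@Deprecated
@Service({Servlet.class})
@Properties({@Property(name = "service.description", value = {"OAuth2 Token Endpoint Servlet (DEPRECATED)"}), @Property(name = OAuth2TokenEndpointServlet.OAUTH_ISSUER_NAME, value = {OAuth2TokenEndpointServlet.OAUTH_ISSUER_NAME_DEFAULT}), @Property(name = OAuth2TokenEndpointServlet.OAUTH_TOKEN_EXPIRES_IN, value = {"3600"}), @Property(name = "osgi.http.whiteboard.servlet.pattern", value = {"/token/*"}), @Property(name = "osgi.http.whiteboard.context.select", value = {"(osgi.http.whiteboard.context.name=com.adobe.granite.oauth)"})})
/* loaded from: input_file:com/adobe/granite/oauth/server/impl/OAuth2TokenEndpointServlet.class */
public class OAuth2TokenEndpointServlet extends HttpServlet {
    private static final long serialVersionUID = -5800923073209065538L;
    private final Logger logger = LoggerFactory.getLogger(getClass());
    /** Lifetime of issued refresh tokens, in seconds, as a string because the issuer API takes strings. */
    private static final String REFRESH_TOKEN_EXPIRES_IN = "31536000";
    protected static final String DEFAULT_SERVLET_PATH = "/token";
    /** Configuration key of the {@code iss} claim written into issued tokens. */
    protected static final String OAUTH_ISSUER_NAME = "oauth.issuer";
    /** Configuration key of the access-token lifetime in seconds. */
    protected static final String OAUTH_TOKEN_EXPIRES_IN = "oauth.access.token.expires.in";
    protected static final String OAUTH_ISSUER_NAME_DEFAULT = "Adobe Granite";

    /** Repository used for service sessions when looking up clients and users. */
    @Reference
    private SlingRepository repository;

    /** Unprotects the stored client secret before comparison. */
    @Reference
    private CryptoSupport cryptoSupport;

    /** Produces the HS256 signer for self-issued tokens. */
    @Reference
    private JwsBuilderFactory jwsBuilderFactory;

    /** Verifies self-issued tokens (own key) and bearer assertions (caller's public key). */
    @Reference
    JwsValidator jwsValidator;

    /** Source of the RS256 key pair used to verify JWT bearer assertions. */
    @Reference
    KeyStoreService keyStoreService;

    @Reference
    ResourceResolverFactory resourceResolverFactory;

    /** Knows the scopes that may be requested; consulted for bearer assertions. */
    @Reference
    private OAuth2ResourceServer oAuth2ResourceServer;

    /** Provides the {@code administrativePrincipals} used by {@link #isAllowedScope}. */
    @Reference
    private AuthorizationConfiguration authorizationConfiguration;
    /** Value of the {@code iss} claim of issued tokens; from configuration. */
    private String oauthIssuerName;
    /** Access-token lifetime in seconds, kept as a string for the issuer and response builders. */
    private String tokenExpiresIn;

    /**
     * Reads the issuer name and access-token lifetime from the component configuration.
     * Runs on activation and, because of {@link Modified}, again on every configuration change.
     *
     * @param bundleContext unused
     * @param map           component properties
     */
    @Modified
    @Activate
    private void activate(BundleContext bundleContext, Map<String, Object> map) {
        this.logger.info("'Adobe Granite OAuth Server' has been deprecated.");
        this.oauthIssuerName = OsgiUtil.toString(map.get(OAUTH_ISSUER_NAME), OAUTH_ISSUER_NAME_DEFAULT);
        this.tokenExpiresIn = OsgiUtil.toString(map.get(OAUTH_TOKEN_EXPIRES_IN), "3600");
    }

    /**
     * Dispatches on the {@code grant_type} parameter and writes either a token response or an OAuth error
     * response.
     *
     * <p>{@link OAuthProblemException}s become an HTTP 400 JSON error body; {@link OAuthSystemException}s are
     * delegated to {@link OAuth2Helper#handleOAuthSystemException}.
     *
     * @throws ServletException declared by the {@link HttpServlet} contract; not thrown directly here
     * @throws IOException      if the response cannot be written
     */
    @Override
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        try {
            String grantType = httpServletRequest.getParameter("grant_type");
            if (GrantType.AUTHORIZATION_CODE.toString().equals(grantType)) {
                handleAuthorizationCodeGrantType(httpServletRequest, httpServletResponse);
            } else if (GrantType.REFRESH_TOKEN.toString().equals(grantType)) {
                handleRefreshTokenGrantType(httpServletRequest, httpServletResponse);
            } else if (GrantType.JWT_BEARER.toString().equals(grantType)) {
                handleJwtBearerGrantType(httpServletRequest, httpServletResponse);
            } else {
                throw OAuthUtils.handleOAuthProblemException("Invalid grant_type parameter value");
            }
        } catch (OAuthProblemException e) {
            try {
                // RFC 6749 section 5.2: the error is a 400 with a JSON body. The status is set together with
                // the body; sendError() is deliberately not called afterwards, since the response is already
                // committed once the writer has been flushed and sendError() would then fail.
                writeJsonResponse(httpServletResponse, OAuthResponse.errorResponse(400).error(e).buildJSONMessage());
            } catch (OAuthSystemException e2) {
                OAuth2Helper.handleOAuthSystemException(e2, httpServletResponse);
            }
        } catch (OAuthSystemException e3) {
            OAuth2Helper.handleOAuthSystemException(e3, httpServletResponse);
        }
    }

    /**
     * Exchanges an authorization code for an access token (RFC 6749 section 4.1.3), plus a refresh token when
     * the code carries the offline-access scope.
     *
     * @throws OAuthProblemException {@code invalid_grant} for an unverifiable code, or a client error from
     *                               {@link #validateClient}
     */
    private void handleAuthorizationCodeGrantType(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws OAuthSystemException, OAuthProblemException, IOException {
        // Oltu checks the parameters this grant type requires and rejects malformed requests here.
        OAuthTokenRequest tokenRequest = new OAuthTokenRequest(httpServletRequest);
        String code = tokenRequest.getCode();
        if (!isValidSelfIssuedToken(code, OAuth2Constants.CONTENT_TYPE_AUTHORIZATION_CODE)) {
            throw OAuthProblemException.error("invalid_grant", "Invalid code");
        }
        validateClient(tokenRequest, code);
        String clientId = tokenRequest.getClientId();
        String subject = getSubject(code);
        String scope = readScope(code);
        String accessToken = generateAccessToken(clientId, subject, scope);
        String refreshToken = null;
        if (OAuth2Helper.getScopesSet(scope).contains(OfflineAccessScope.OFFLINE_ACCESS_SCOPE_NAME)) {
            this.logger.debug("generating refresh token");
            refreshToken = generateRefreshToken(clientId, subject, scope);
            storeRefreshTokenReference(subject, refreshToken, clientId, scope);
        }
        validResponse(httpServletResponse, accessToken, refreshToken);
    }

    /**
     * Persists a reference to a freshly issued refresh token on the user's profile.
     *
     * <p>Best effort: a repository failure is logged and the token is still returned to the client, which
     * preserves the original behaviour of this endpoint.
     */
    private void storeRefreshTokenReference(String subject, String refreshToken, String clientId, String scope) {
        Session session = null;
        try {
            session = this.repository.loginService((String) null, (String) null);
            OAuth2Helper.createRefreshTokenReference(session, OAuth2Helper.getUser(session, subject), refreshToken, clientId, scope);
        } catch (RepositoryException e) {
            this.logger.error("Failed create refresh token reference.", e);
        } finally {
            if (session != null && session.isLive()) {
                session.logout();
            }
        }
    }

    /**
     * Exchanges a refresh token for a new access token (RFC 6749 section 6). No new refresh token is issued.
     *
     * @throws OAuthProblemException {@code invalid_grant} for an unverifiable refresh token, or a client error
     *                               from {@link #validateClient}
     */
    private void handleRefreshTokenGrantType(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws OAuthSystemException, OAuthProblemException, IOException {
        OAuthTokenRequest tokenRequest = new OAuthTokenRequest(httpServletRequest);
        String refreshToken = tokenRequest.getRefreshToken();
        if (!isValidSelfIssuedToken(refreshToken, OAuth2Constants.CONTENT_TYPE_REFRESH_TOKEN)) {
            throw OAuthProblemException.error("invalid_grant", "Invalid refresh token");
        }
        validateClient(tokenRequest, refreshToken);
        // NOTE(review): only signature, content type and client binding are checked here; the reference
        // written by storeRefreshTokenReference() is not consulted, so removing that reference does not by
        // itself stop the token at this endpoint unless jwsValidator enforces it — confirm.
        String accessToken = generateAccessToken(tokenRequest.getClientId(), getSubject(refreshToken), readScope(refreshToken));
        validResponse(httpServletResponse, accessToken, null);
    }

    /**
     * Handles the JWT bearer grant: the caller presents an RS256 assertion and receives an access token whose
     * subject is the client authorizable resolved by {@link #validateAssertion} and whose audience is the
     * assertion's issuer.
     *
     * @throws OAuthProblemException {@code invalid_grant} when the assertion does not validate
     */
    private void handleJwtBearerGrantType(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws OAuthSystemException, OAuthProblemException, IOException {
        // The assertion is parsed before its signature is verified; validateAssertion() is the gate.
        JWT assertion = (JWT) new JWTReader().read(new JWTOAuthRequest(httpServletRequest).getAssertion());
        String issuer = assertion.getClaimsSet().getIssuer();
        String scope = (String) assertion.getClaimsSet().getCustomField(OAuth2Constants.SCOPE, String.class);
        String clientId = validateAssertion(httpServletRequest, assertion, issuer, scope);
        if (clientId == null) {
            throw OAuthProblemException.error("invalid_grant", "Invalid assertion");
        }
        validResponse(httpServletResponse, generateAccessToken(issuer, clientId, scope), null);
    }

    /**
     * Authenticates the client of an authorization-code or refresh-token request and binds it to the token.
     *
     * <p>Checks, in order: the {@code client_id} parameter equals the token's {@code aud} claim; a client
     * authorizable with that id exists; the supplied {@code client_secret} matches the stored one; and the
     * {@code redirect_uri} parameter matches the registered redirect URI (case-insensitively).
     *
     * @param tokenRequest the parsed token request
     * @param token        the self-issued authorization code or refresh token being exchanged
     * @throws OAuthProblemException {@code invalid_client} or {@link OAuth2Constants#REDIRECT_URI_MISMATCH}
     *                               when a check fails
     * @throws OAuthSystemException  on repository or crypto failures
     */
    private void validateClient(OAuthTokenRequest tokenRequest, String token) throws OAuthProblemException, OAuthSystemException {
        String clientId = tokenRequest.getClientId();
        String audience = ((JWT) new JWTReader().read(token)).getClaimsSet().getAudience();
        if (clientId == null || !clientId.equals(audience)) {
            this.logger.debug("the clientId from request parameter {} did not match the token aud {}", clientId, audience);
            throw OAuthProblemException.error("invalid_client", "Invalid client");
        }
        Session session = null;
        try {
            session = this.repository.loginService((String) null, (String) null);
            User client = OAuth2Helper.getOAuthClientAuthorizable(session, this.cryptoSupport, clientId);
            if (client == null) {
                this.logger.debug("validateClient: Invalid value {} for parameter client_id", clientId);
                throw OAuthProblemException.error("invalid_client", "Invalid client");
            }
            if (!isValidClientSecret(tokenRequest, clientId, client)) {
                this.logger.debug("validateClient: client secret did not match");
                throw OAuthProblemException.error("invalid_client", "Invalid client");
            }
            String registeredRedirectUri = OAuth2Helper.getOAuthClientPropertyValue(client, clientId, OAuth2Constants.REDIRECT_URI);
            String requestedRedirectUri = tokenRequest.getRedirectURI();
            // A client without a registered redirect URI can never match; report a mismatch rather than NPE.
            if (registeredRedirectUri == null || !registeredRedirectUri.equalsIgnoreCase(requestedRedirectUri)) {
                this.logger.debug("validateClient: The redirect URI in the request {} did not match a registered redirect URI {}", requestedRedirectUri, registeredRedirectUri);
                throw OAuthProblemException.error(OAuth2Constants.REDIRECT_URI_MISMATCH, "");
            }
        } catch (RepositoryException e) {
            this.logger.error("validateClient: failed while accessing repository", e);
            throw new OAuthSystemException("failed while accessing repository");
        } catch (CryptoException e) {
            this.logger.error("validateClient: failed while using crypto support", e);
            throw new OAuthSystemException(" failed while using crypto support");
        } finally {
            // Release the service session on every path, including the invalid_client ones.
            if (session != null && session.isLive()) {
                session.logout();
            }
        }
    }

    /**
     * Returns whether a token issued by this server verifies and carries the expected content type.
     *
     * @param token               authorization code or refresh token; {@code null} is rejected
     * @param expectedContentType {@link OAuth2Constants#CONTENT_TYPE_AUTHORIZATION_CODE} or
     *                            {@link OAuth2Constants#CONTENT_TYPE_REFRESH_TOKEN}
     */
    private boolean isValidSelfIssuedToken(String token, String expectedContentType) {
        if (token == null) {
            return false;
        }
        // The content-type claim stops a refresh token from being replayed as a code and vice versa.
        return this.jwsValidator.validate(token) && expectedContentType.equals(OAuth2Helper.getContentType(token));
    }

    /**
     * Returns the {@code scope} custom claim of a self-issued token; may be {@code null}.
     */
    private static String readScope(String token) throws OAuthSystemException {
        return (String) ((JWT) new JWTReader().read(token)).getClaimsSet().getCustomField(OAuth2Constants.SCOPE, String.class);
    }

    /**
     * Returns the {@code sub} claim of a self-issued token, or {@code null} when no token is given.
     */
    private String getSubject(String token) throws OAuthSystemException {
        if (token == null) {
            this.logger.info("the provided authorization code is not valid");
            return null;
        }
        return ((JWT) new JWTReader().read(token)).getClaimsSet().getSubject();
    }

    /**
     * Verifies a JWT bearer assertion and resolves the client it authenticates.
     *
     * <p>The assertion is accepted only when: it names an issuer and is signed with RS256; its {@code aud}
     * claim equals this endpoint's URL (see {@link #getAudienceDomain}); its scopes pass
     * {@link OAuth2Helper#validateScopes}; a user with the issuer's id exists and a key pair can be looked up
     * for it whose public key verifies the signature; and a client authorizable with the issuer's id exists
     * and is allowed the requested scope (see {@link #isAllowedScope}).
     *
     * @param issuer the assertion's {@code iss} claim; used as user id, key lookup name and client id
     * @param scope  the assertion's scope claim
     * @return the id of the client authorizable, or {@code null} when any check fails
     * @throws OAuthProblemException from scope validation
     * @throws OAuthSystemException  on repository or login failures
     */
    private String validateAssertion(HttpServletRequest httpServletRequest, JWT jwt, String issuer, String scope) throws OAuthSystemException, OAuthProblemException {
        if (issuer == null || !"RS256".equals(jwt.getHeader().getAlgorithm())) {
            return null;
        }
        if (!getAudienceDomain(httpServletRequest).equals(jwt.getClaimsSet().getAudience())) {
            return null;
        }
        OAuth2Helper.validateScopes(this.oAuth2ResourceServer, OAuth2Helper.getScopesSet((String) jwt.getClaimsSet().getCustomField(OAuth2Constants.SCOPE, String.class)), true);
        // NOTE(review): no expiry (exp) or replay check of the assertion is visible in this class; confirm
        // that jwsValidator enforces it.
        ResourceResolver resourceResolver = null;
        try {
            resourceResolver = this.resourceResolverFactory.getServiceResourceResolver((Map) null);
            Session session = (Session) resourceResolver.adaptTo(Session.class);
            User user = OAuth2Helper.getUser(session, issuer);
            if (user == null) {
                return null;
            }
            KeyPair keyPair = this.keyStoreService.getKeyStoreKeyPair(resourceResolver, user.getID(), issuer);
            if (keyPair == null || keyPair.getPublic() == null) {
                this.logger.debug("validateAssertion: no key pair available for issuer {}", issuer);
                return null;
            }
            if (!this.jwsValidator.validate(jwt.getRawString(), keyPair.getPublic())) {
                return null;
            }
            User client = OAuth2Helper.getOAuthClientAuthorizable(session, this.cryptoSupport, issuer);
            if (!isAllowedScope(client, scope)) {
                return null;
            }
            return client.getID();
        } catch (RepositoryException e) {
            this.logger.error("validateAssertion: failed while accessing repository", e);
            throw new OAuthSystemException("failed while accessing repository");
        } catch (LoginException e) {
            this.logger.error("validateAssertion: failed to login", e);
            throw new OAuthSystemException("failed to login");
        } finally {
            if (resourceResolver != null) {
                resourceResolver.close();
            }
        }
    }

    /**
     * Builds an HS256 issuer for a self-issued token with the common claims set.
     *
     * @param audience    value of {@code aud} (the client id)
     * @param subject     value of {@code sub}
     * @param scope       scope claim; omitted when {@code null}
     * @param expiresIn   lifetime in seconds, as a string
     * @param contentType {@link OAuth2Constants#CONTENT_TYPE} claim distinguishing token kinds
     */
    private OAuth2GraniteIssuer newIssuer(String audience, String subject, String scope, String expiresIn, String contentType) throws OAuthSystemException {
        OAuth2GraniteIssuer issuer = new OAuth2GraniteIssuer(this.jwsBuilderFactory.getInstance("HS256")).setSubject(subject).setAudience(audience).setIssuer(this.oauthIssuerName).setExpiresIn(expiresIn);
        if (scope != null) {
            issuer.setScope(scope);
        }
        issuer.setCustomClaimsSetField(OAuth2Constants.CONTENT_TYPE, contentType);
        return issuer;
    }

    /** Issues an access token for {@code subject} to the client {@code audience}, valid for {@link #tokenExpiresIn}. */
    private String generateAccessToken(String audience, String subject, String scope) throws OAuthSystemException {
        return newIssuer(audience, subject, scope, this.tokenExpiresIn, OAuth2Constants.CONTENT_TYPE_ACCESS_TOKEN).accessToken();
    }

    /** Issues a refresh token for {@code subject} to the client {@code audience}, valid for {@link #REFRESH_TOKEN_EXPIRES_IN}. */
    private String generateRefreshToken(String audience, String subject, String scope) throws OAuthSystemException {
        return newIssuer(audience, subject, scope, REFRESH_TOKEN_EXPIRES_IN, OAuth2Constants.CONTENT_TYPE_REFRESH_TOKEN).refreshToken();
    }

    /**
     * Writes a successful token response (RFC 6749 section 5.1).
     *
     * @param accessToken  the issued access token
     * @param refreshToken the issued refresh token, or {@code null} to omit it
     */
    private void validResponse(HttpServletResponse httpServletResponse, String accessToken, String refreshToken) throws OAuthSystemException, IOException {
        OAuthASResponse.OAuthTokenResponseBuilder builder = OAuthASResponse.tokenResponse(200).setAccessToken(accessToken).setExpiresIn(this.tokenExpiresIn);
        if (refreshToken != null) {
            builder.setRefreshToken(refreshToken);
        }
        writeJsonResponse(httpServletResponse, builder.buildJSONMessage());
    }

    /**
     * Writes an Oltu JSON message with its status, a JSON content type and the no-store cache headers that
     * RFC 6749 section 5.1 requires for responses carrying tokens.
     */
    private static void writeJsonResponse(HttpServletResponse httpServletResponse, OAuthResponse message) throws IOException {
        httpServletResponse.setStatus(message.getResponseStatus());
        httpServletResponse.setContentType("application/json");
        httpServletResponse.setCharacterEncoding("UTF-8");
        httpServletResponse.setHeader("Cache-Control", "no-store");
        httpServletResponse.setHeader("Pragma", "no-cache");
        PrintWriter writer = httpServletResponse.getWriter();
        writer.print(message.getBody());
        writer.flush();
    }

    /**
     * Builds the {@code aud} value a JWT bearer assertion must carry: scheme, server name, port (omitted for
     * http/80 and https/443), the OAuth servlet context path and this servlet's path.
     *
     * <p>Server name and port are taken from the request, so behind a reverse proxy the container must be
     * configured to report the externally visible host and port or assertions will not validate.
     */
    private String getAudienceDomain(HttpServletRequest httpServletRequest) {
        String scheme = httpServletRequest.getScheme();
        String serverName = httpServletRequest.getServerName();
        int serverPort = httpServletRequest.getServerPort();
        boolean defaultPort = ("https".equals(scheme) && serverPort == 443) || ("http".equals(scheme) && serverPort == 80);
        StringBuilder audience = new StringBuilder();
        audience.append(scheme).append("://").append(serverName);
        if (!defaultPort) {
            audience.append(":").append(serverPort);
        }
        audience.append(OAuthServletContext.CONTEXT_PATH);
        audience.append(DEFAULT_SERVLET_PATH);
        return audience.toString();
    }

    /**
     * Returns whether {@code authorizable} may be granted {@code scope}. Every scope is allowed except the
     * replicate scope, which is reserved for admin users and members of a group named in the authorization
     * configuration's {@code administrativePrincipals} parameter.
     *
     * @param authorizable the client authorizable; {@code null} is never allowed
     * @param scope        space-separated scope string
     */
    private boolean isAllowedScope(Authorizable authorizable, String scope) throws RepositoryException {
        if (authorizable == null) {
            return false;
        }
        if (!OAuth2Helper.getScopesSet(scope).contains(ReplicateScope.REPLICATE_SCOPE_NAME)) {
            return true;
        }
        if (authorizable instanceof User && ((User) authorizable).isAdmin()) {
            return true;
        }
        Set<String> administrativePrincipals = this.authorizationConfiguration.getParameters().getConfigValue("administrativePrincipals", Collections.<String>emptySet());
        Iterator<Group> groups = authorizable.memberOf();
        while (groups.hasNext()) {
            if (administrativePrincipals.contains(groups.next().getPrincipal().getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Compares the request's {@code client_secret} with the client's stored (protected) secret using the
     * helper's constant-time comparison.
     */
    private boolean isValidClientSecret(OAuthTokenRequest tokenRequest, String clientId, Authorizable client) throws CryptoException, RepositoryException {
        String storedSecret = this.cryptoSupport.unprotect(OAuth2Helper.getOAuthClientPropertyValue(client, clientId, OAuth2Constants.CLIENT_SECRET));
        return OAuth2Helper.compareSecure(storedSecret, tokenRequest.getClientSecret());
    }

    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    protected void bindCryptoSupport(CryptoSupport cryptoSupport) {
        this.cryptoSupport = cryptoSupport;
    }

    protected void unbindCryptoSupport(CryptoSupport cryptoSupport) {
        if (this.cryptoSupport == cryptoSupport) {
            this.cryptoSupport = null;
        }
    }

    protected void bindJwsBuilderFactory(JwsBuilderFactory jwsBuilderFactory) {
        this.jwsBuilderFactory = jwsBuilderFactory;
    }

    protected void unbindJwsBuilderFactory(JwsBuilderFactory jwsBuilderFactory) {
        if (this.jwsBuilderFactory == jwsBuilderFactory) {
            this.jwsBuilderFactory = null;
        }
    }

    protected void bindJwsValidator(JwsValidator jwsValidator) {
        this.jwsValidator = jwsValidator;
    }

    protected void unbindJwsValidator(JwsValidator jwsValidator) {
        if (this.jwsValidator == jwsValidator) {
            this.jwsValidator = null;
        }
    }

    protected void bindKeyStoreService(KeyStoreService keyStoreService) {
        this.keyStoreService = keyStoreService;
    }

    protected void unbindKeyStoreService(KeyStoreService keyStoreService) {
        if (this.keyStoreService == keyStoreService) {
            this.keyStoreService = null;
        }
    }

    protected void bindResourceResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        this.resourceResolverFactory = resourceResolverFactory;
    }

    protected void unbindResourceResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        if (this.resourceResolverFactory == resourceResolverFactory) {
            this.resourceResolverFactory = null;
        }
    }

    protected void bindOAuth2ResourceServer(OAuth2ResourceServer oAuth2ResourceServer) {
        this.oAuth2ResourceServer = oAuth2ResourceServer;
    }

    protected void unbindOAuth2ResourceServer(OAuth2ResourceServer oAuth2ResourceServer) {
        if (this.oAuth2ResourceServer == oAuth2ResourceServer) {
            this.oAuth2ResourceServer = null;
        }
    }

    protected void bindAuthorizationConfiguration(AuthorizationConfiguration authorizationConfiguration) {
        this.authorizationConfiguration = authorizationConfiguration;
    }

    protected void unbindAuthorizationConfiguration(AuthorizationConfiguration authorizationConfiguration) {
        if (this.authorizationConfiguration == authorizationConfiguration) {
            this.authorizationConfiguration = null;
        }
    }
}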
