package pl.edu.icm.unity.oauth.rp.verificator;

import com.nimbusds.common.contenttype.ContentType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import eu.unicore.util.httpclient.ServerHostnameCheckingMode;
import java.net.URL;
import java.net.URLEncoder;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Map;
import net.minidev.json.JSONObject;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.oauth.BaseRemoteASProperties;
import pl.edu.icm.unity.oauth.as.token.OAuthTokenEndpoint;
import pl.edu.icm.unity.oauth.as.token.TokenInfoResource;
import pl.edu.icm.unity.oauth.client.HttpRequestConfigurer;
import pl.edu.icm.unity.oauth.client.config.CustomProviderProperties;
import pl.edu.icm.unity.oauth.rp.OAuthRPProperties;

/* loaded from: input_file:pl/edu/icm/unity/oauth/rp/verificator/MitreTokenVerificator.class */
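/**
 * Checks a bearer access token by POSTing it to the configured verification
 * endpoint and interpreting the JSON status document that comes back.
 *
 * <p>The client authenticates to the endpoint either with HTTP Basic
 * ({@code secretBasic}) or with form parameters ({@code secretPost}), as
 * selected by configuration. The response is treated as untrusted input until
 * its status code and content type have been checked.
 */
public class MitreTokenVerificator implements TokenVerificatorProtocol {
    private static final Logger log = Log.getLogger("unity.server.oauth", MitreTokenVerificator.class);
    private static final String DATE_PATTERN = "yyyy-MM-dd'T'HH:mm:ssZ";
    private final OAuthRPProperties config;

    /**
     * @param oAuthRPProperties relying-party configuration; supplies the
     *        verification endpoint, client credentials, client authentication
     *        mode, certificate validator and hostname checking mode
     */
    public MitreTokenVerificator(OAuthRPProperties oAuthRPProperties) {
        this.config = oAuthRPProperties;
    }

    /**
     * Queries the verification endpoint for the status of the given token.
     *
     * @param bearerAccessToken the token presented by the caller
     * @return the status built from the response ({@code active} flag, expiry,
     *         scopes, subject); a default-constructed {@link TokenStatus} when
     *         the reported expiry is already in the past
     * @throws AuthenticationException if the endpoint answers with a non-200
     *         status, a non-JSON content type, or a scope that is not a string
     * @throws IllegalStateException if the configured client authentication
     *         mode is neither {@code secretBasic} nor {@code secretPost}
     * @throws Exception for transport and parsing failures
     */
    @Override
    public TokenStatus checkToken(BearerAccessToken bearerAccessToken) throws Exception {
        HTTPRequest request = new HTTPRequest(HTTPRequest.Method.POST,
                new URL(this.config.getValue(OAuthRPProperties.VERIFICATION_ENDPOINT)));
        StringBuilder query = new StringBuilder();
        query.append("token=").append(URLEncoder.encode(bearerAccessToken.getValue(), "UTF-8"));
        CustomProviderProperties.ClientAuthnMode clientAuthnMode = (CustomProviderProperties.ClientAuthnMode) this.config
                .getEnumValue(BaseRemoteASProperties.CLIENT_AUTHN_MODE, CustomProviderProperties.ClientAuthnMode.class);
        String clientId = this.config.getValue("clientId");
        String clientSecret = this.config.getValue("clientSecret");
        switch (clientAuthnMode) {
            case secretBasic:
                // Credentials travel in the Authorization header.
                request.setAuthorization(
                        new ClientSecretBasic(new ClientID(clientId), new Secret(clientSecret)).toHTTPAuthorizationHeader());
                break;
            case secretPost:
                // Credentials travel next to the token as request parameters.
                query.append("&client_id=").append(URLEncoder.encode(clientId, "UTF-8"));
                query.append("&client_secret=").append(URLEncoder.encode(clientSecret, "UTF-8"));
                break;
            default:
                throw new IllegalStateException(
                        "Unsupported client authentication mode for Mitre token verificator: " + clientAuthnMode);
        }
        // NOTE(review): appendQueryString is called on a POST request. Confirm against the
        // SDK version in use that the token and (in secretPost mode) the client secret are
        // sent in the form body and not in the request URL, where they would be exposed to
        // access logs and intermediaries.
        request.appendQueryString(query.toString());
        // The validator and hostname checking mode come from configuration; the helper is
        // defined elsewhere and presumably applies them as the TLS settings of the request.
        new HttpRequestConfigurer().secureRequest(request, this.config.getValidator(),
                this.config.getEnumValue("httpClientHostnameChecking", ServerHostnameCheckingMode.class));
        HTTPResponse response = request.send();
        if (response.getStatusCode() != 200) {
            throw new AuthenticationException("Token status query was not successful: " + response.getStatusCode());
        }
        if (log.isTraceEnabled()) {
            // The raw status document (subject, scopes) is written to the log at trace level.
            log.trace("Received tokens's status:\n" + response.getBody());
        }
        if (response.getEntityContentType() == null
                || !ContentType.APPLICATION_JSON.matches(response.getEntityContentType())) {
            throw new AuthenticationException(
                    "Token status query was successful but it has non-JSON content type: " + response.getEntityContentType());
        }
        JSONObject status = response.getBodyAsJSONObject();
        Date expiry = null;
        Scope scope = new Scope();
        // Fail closed: a response without an "active" member leaves the token inactive.
        boolean active = false;
        String subject = null;
        for (Map.Entry<String, Object> entry : status.entrySet()) {
            String key = entry.getKey();
            Object value = entry.getValue();
            if (value == null) {
                continue;
            }
            if (TokenInfoResource.EXPIRATION.equals(key)) {
                expiry = parseExpiry(value.toString());
            } else if (TokenInfoResource.SCOPE.equals(key)) {
                // Reject an unexpected JSON type explicitly rather than failing on the cast.
                if (!(value instanceof String)) {
                    throw new AuthenticationException("Token status response has a non-string scope value");
                }
                for (String item : ((String) value).split(" ")) {
                    // OAuthTokenEndpoint.PATH is defined elsewhere; presumably this drops
                    // empty fragments left by repeated spaces - verify against that constant.
                    if (!OAuthTokenEndpoint.PATH.equals(item)) {
                        scope.add(item);
                    }
                }
            } else if ("active".equals(key)) {
                active = Boolean.parseBoolean(value.toString());
            } else if (TokenInfoResource.SUBJECT.equals(key)) {
                subject = value.toString();
            }
        }
        // A missing expiry is accepted as-is; only an expiry strictly in the past rejects the token.
        if (expiry == null || !new Date().after(expiry)) {
            return new TokenStatus(active, expiry, scope, subject);
        }
        log.trace("The token information states that the token expired at " + expiry);
        return new TokenStatus();
    }

    /**
     * Parses the expiry reported by the endpoint, accepting either a number of
     * seconds since the epoch or a timestamp in {@link #DATE_PATTERN} format.
     *
     * @param str the raw expiry value
     * @return the expiry instant
     * @throws ParseException if the value is neither form, or if the epoch
     *         seconds cannot be expressed in milliseconds without overflow
     */
    private Date parseExpiry(String str) throws ParseException {
        long epochSeconds;
        try {
            epochSeconds = Long.parseLong(str);
        } catch (NumberFormatException e) {
            // Not a plain number: fall back to the textual timestamp format.
            return new SimpleDateFormat(DATE_PATTERN).parse(str);
        }
        try {
            // multiplyExact rejects values that would silently wrap to an unrelated date.
            return new Date(Math.multiplyExact(1000L, epochSeconds));
        } catch (ArithmeticException e) {
            ParseException outOfRange = new ParseException("Expiration time is out of range: " + str, 0);
            outOfRange.initCause(e);
            throw outOfRange;
        }
    }
}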
