package com.mulesoft.modules.oauth2.provider.internal;

import com.google.gson.JsonObject;
import com.mulesoft.modules.oauth2.provider.api.Constants;
import com.mulesoft.modules.oauth2.provider.api.ResourceOwnerAuthentication;
import com.mulesoft.modules.oauth2.provider.api.client.Client;
import com.mulesoft.modules.oauth2.provider.api.client.ClientAlreadyExistsException;
import com.mulesoft.modules.oauth2.provider.api.client.ClientType;
import com.mulesoft.modules.oauth2.provider.api.client.NoSuchClientException;
import com.mulesoft.modules.oauth2.provider.api.exception.OAuth2ConfigurationException;
import com.mulesoft.modules.oauth2.provider.api.token.AccessTokenStoreHolder;
import com.mulesoft.modules.oauth2.provider.api.token.InvalidTokenException;
import com.mulesoft.modules.oauth2.provider.api.token.Token;
import com.mulesoft.modules.oauth2.provider.api.token.TokenStore;
import com.mulesoft.modules.oauth2.provider.api.token.UnauthorizedTokenException;
import com.mulesoft.modules.oauth2.provider.internal.error.CreateClientErrorProvider;
import com.mulesoft.modules.oauth2.provider.internal.error.DeleteClientErrorProvider;
import com.mulesoft.modules.oauth2.provider.internal.error.OAuth2ProviderError;
import com.mulesoft.modules.oauth2.provider.internal.error.RevokeTokenErrorProvider;
import com.mulesoft.modules.oauth2.provider.internal.error.ValidateTokenErrorProvider;
import com.mulesoft.modules.oauth2.provider.internal.token.ForbiddenSecurityException;
import com.mulesoft.modules.oauth2.provider.internal.token.TokenAuthentication;
import com.mulesoft.modules.oauth2.provider.internal.token.UnauthorizedSecurityException;
import java.util.Arrays;
import java.util.Set;
import org.mule.extension.http.api.HttpListenerResponseAttributes;
import org.mule.runtime.api.message.Message;
import org.mule.runtime.api.meta.ExpressionSupport;
import org.mule.runtime.api.security.SecurityException;
import org.mule.runtime.api.security.SecurityProviderNotFoundException;
import org.mule.runtime.api.security.UnknownAuthenticationTypeException;
import org.mule.runtime.api.util.MultiMap;
import org.mule.runtime.api.util.Preconditions;
import org.mule.runtime.core.api.util.StringUtils;
import org.mule.runtime.extension.api.annotation.Alias;
import org.mule.runtime.extension.api.annotation.Expression;
import org.mule.runtime.extension.api.annotation.error.Throws;
import org.mule.runtime.extension.api.annotation.param.Config;
import org.mule.runtime.extension.api.annotation.param.MediaType;
import org.mule.runtime.extension.api.annotation.param.NullSafe;
import org.mule.runtime.extension.api.annotation.param.Optional;
import org.mule.runtime.extension.api.exception.ModuleException;
import org.mule.runtime.extension.api.runtime.operation.Result;
import org.mule.runtime.extension.api.security.AuthenticationHandler;
import org.mule.runtime.http.api.HttpConstants;

/* loaded from: input_file:com/mulesoft/modules/oauth2/provider/internal/OAuth2ProviderOperations.class */
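/**
 * Operations of the OAuth2 provider module: access-token validation and revocation,
 * and client registration / removal.
 *
 * <p>Every error response produced by {@link #createErrorMessage} carries the HTTP status
 * to answer with and a {@code WWW-Authenticate} header, so a rejected request is answered
 * the way a protected resource is expected to answer it.
 */
public class OAuth2ProviderOperations {

    /**
     * Validates an access token against the configured token security provider and, on
     * success, returns a JSON description of the token (see {@link #buildJsonResponse}).
     *
     * @param oAuth2ProviderConfiguration module configuration; supplies the token security provider
     * @param authenticationHandler handler that performs the authentication and keeps its result
     * @param str the access token; by default the second whitespace-separated element of the
     *        request's {@code authorization} header
     * @param set scopes the token must carry; an empty set requests no scope check
     * @param set2 resource-owner roles the token must carry; an empty set requests no role check
     * @return a result whose output is the JSON document describing the validated token
     * @throws UnauthorizedTokenException when no token was received or authentication is rejected
     *         (401) or forbidden (403); also for any other provider security failure, so that a
     *         failed authentication never falls through to the success response
     * @throws ModuleException with {@code OAUTH_SERVER_SECURITY} when the security provider is not
     *         found, the authentication type is unknown, or the security failure has no
     *         provider-specific cause
     */
    @Throws({ValidateTokenErrorProvider.class})
    @MediaType("application/json")
    public Result<String, Void> validateToken(@Config OAuth2ProviderConfiguration oAuth2ProviderConfiguration, AuthenticationHandler authenticationHandler, @Optional(defaultValue = "#[(attributes.headers['authorization'] splitBy ' ')[1]]") @Expression(ExpressionSupport.REQUIRED) @Alias("accessToken") String str, @Optional @NullSafe @Expression(ExpressionSupport.REQUIRED) @Alias("scopes") Set<String> set, @NullSafe @Optional @Expression(ExpressionSupport.REQUIRED) Set<String> set2) throws UnauthorizedTokenException {
        if (str == null) {
            throw new UnauthorizedTokenException(createErrorMessage("No access token was received", HttpConstants.HttpStatus.UNAUTHORIZED.getStatusCode()));
        }
        TokenAuthentication.Builder builder = TokenAuthentication.builder();
        builder.withToken(str);
        // Only constrain roles/scopes that were actually requested; an empty set means "no check".
        if (!set2.isEmpty()) {
            builder.withResourceOwnerRoles(set2);
        }
        if (!set.isEmpty()) {
            builder.withScopes(set);
        }
        try {
            authenticationHandler.setAuthentication(Arrays.asList(oAuth2ProviderConfiguration.getTokenSecurityProvider().getName()), builder.build());
        } catch (SecurityException e) {
            Throwable cause = e.getCause();
            if (!(cause instanceof OAuth2ProviderSecurityException)) {
                // A missing or foreign cause must not be blindly cast (ClassCastException /
                // NullPointerException); report it as a server-side security error instead.
                throw new ModuleException(OAuth2ProviderError.OAUTH_SERVER_SECURITY, e);
            }
            // Always leaves this method: a security failure never reaches the success path below.
            throw tokenAuthenticationFailure((OAuth2ProviderSecurityException) cause);
        } catch (SecurityProviderNotFoundException | UnknownAuthenticationTypeException e2) {
            throw new ModuleException(OAuth2ProviderError.OAUTH_SERVER_SECURITY, e2);
        }
        return Result.builder().output(buildJsonResponse((TokenAuthentication) authenticationHandler.getAuthentication().get())).build();
    }

    /**
     * Maps a provider security failure to the {@link UnauthorizedTokenException} to throw.
     *
     * <p>{@link UnauthorizedSecurityException} maps to 401 and {@link ForbiddenSecurityException}
     * to 403. Any other subtype is also rejected, with 401, so that an unrecognised failure
     * denies access rather than being ignored.
     *
     * @param cause the provider security failure that caused the authentication to fail
     * @return the exception carrying the HTTP error message to send
     */
    private UnauthorizedTokenException tokenAuthenticationFailure(OAuth2ProviderSecurityException cause) {
        int status;
        if (cause instanceof ForbiddenSecurityException) {
            status = HttpConstants.HttpStatus.FORBIDDEN.getStatusCode();
        } else {
            // UnauthorizedSecurityException and, defensively, any other subtype.
            status = HttpConstants.HttpStatus.UNAUTHORIZED.getStatusCode();
        }
        return new UnauthorizedTokenException(createErrorMessage(cause.getMessage(), status));
    }

    /**
     * Builds the JSON body returned for a validated token.
     *
     * <p>Always contains {@code expires_in} (seconds) and {@code scope}; {@code client_id} and
     * {@code username} are added only when present and non-blank.
     *
     * @param tokenAuthentication the authentication holding the validated token
     * @return the JSON document as a string
     */
    private String buildJsonResponse(TokenAuthentication tokenAuthentication) {
        Token accessToken = tokenAuthentication.getTokenHolder().getAccessToken();
        JsonObject json = new JsonObject();
        json.addProperty(Constants.EXPIRES_IN_PARAMETER, Long.valueOf(accessToken.getExpiresIn().getSeconds()));
        json.addProperty(Constants.SCOPE_PARAMETER, Utils.stringifyScopes(accessToken.getScopes()));
        String clientId = accessToken.getClientId();
        if (!StringUtils.isBlank(clientId)) {
            json.addProperty(Constants.CLIENT_ID_PARAMETER, clientId);
        }
        // Client-credentials tokens have no resource owner, hence the null check.
        ResourceOwnerAuthentication resourceOwner = tokenAuthentication.getTokenHolder().getResourceOwnerAuthentication();
        if (resourceOwner != null) {
            String username = resourceOwner.getUsername();
            if (!StringUtils.isBlank(username)) {
                json.addProperty(Constants.USERNAME_PARAMETER, username);
            }
        }
        return json.toString();
    }

    /**
     * Registers a new OAuth2 client with the configured client manager.
     *
     * @param oAuth2ProviderConfiguration module configuration; supplies the client manager and
     *        the optional client security provider
     * @param str client id
     * @param clientType client type, {@code PUBLIC} by default
     * @param str2 client secret; mandatory for a {@code CONFIDENTIAL} client when no client
     *        security provider is configured
     * @param str3 client name
     * @param str4 client description
     * @param str5 client principal
     * @param set redirect URIs accepted for the client
     * @param set2 grant types the client may use
     * @param set3 scopes the client may request
     * @param z whether an existing client with the same id may be overwritten
     * @throws ClientAlreadyExistsException when the id is taken and overwriting is not allowed
     * @throws OAuth2ConfigurationException when the client definition is rejected, including a
     *         confidential client registered without a secret
     */
    @Throws({CreateClientErrorProvider.class})
    public void createClient(@Config OAuth2ProviderConfiguration oAuth2ProviderConfiguration, @Expression(ExpressionSupport.SUPPORTED) String str, @Optional(defaultValue = "PUBLIC") @Expression(ExpressionSupport.SUPPORTED) @Alias("type") ClientType clientType, @Optional @Expression(ExpressionSupport.SUPPORTED) @Alias("secret") String str2, @Optional @Expression(ExpressionSupport.SUPPORTED) String str3, @Optional @Expression(ExpressionSupport.SUPPORTED) String str4, @Optional @Expression(ExpressionSupport.SUPPORTED) String str5, @NullSafe @Optional @Expression(ExpressionSupport.REQUIRED) Set<String> set, @NullSafe @Optional @Expression(ExpressionSupport.REQUIRED) Set<Constants.RequestGrantType> set2, @NullSafe @Optional @Expression(ExpressionSupport.REQUIRED) Set<String> set3, @Optional(defaultValue = "false") @Expression(ExpressionSupport.NOT_SUPPORTED) boolean z) throws ClientAlreadyExistsException, OAuth2ConfigurationException {
        Client client = new Client(str, str2, clientType, set, set2, set3);
        client.setClientName(str3);
        client.setDescription(str4);
        client.setPrincipal(str5);
        try {
            // Without a client security provider the secret is the only thing authenticating a
            // confidential client, so it must be present.
            boolean secretRequired = ClientType.CONFIDENTIAL.equals(clientType)
                    && oAuth2ProviderConfiguration.getOAuthConfiguration().getClientSecurityProvider() == null;
            if (secretRequired) {
                Preconditions.checkArgument(!StringUtils.isEmpty(str2), String.format("Client secret should be specified for client: '%s' because his type is %s and no client security provider was configured", str3, ClientType.CONFIDENTIAL.toString()));
            }
            oAuth2ProviderConfiguration.getClientManager().addClient(client, z);
        } catch (IllegalArgumentException e) {
            // Validation failures are surfaced as configuration errors (message only).
            throw new OAuth2ConfigurationException(e.getMessage());
        }
    }

    /**
     * Removes a registered client.
     *
     * @param oAuth2ProviderConfiguration module configuration; supplies the client manager
     * @param str id of the client to remove
     * @throws NoSuchClientException when no client with that id is registered
     */
    @Throws({DeleteClientErrorProvider.class})
    public void deleteClient(@Config OAuth2ProviderConfiguration oAuth2ProviderConfiguration, @Expression(ExpressionSupport.SUPPORTED) String str) throws NoSuchClientException {
        oAuth2ProviderConfiguration.getClientManager().removeClient(str);
    }

    /**
     * Revokes a token. The value is first tried as an access token and then as a refresh
     * token; in the latter case the associated access token is removed, which revokes both.
     *
     * @param oAuth2ProviderConfiguration module configuration; supplies the token store
     * @param str the access or refresh token to revoke
     * @throws InvalidTokenException when the value matches neither an access nor a refresh token
     */
    @Throws({RevokeTokenErrorProvider.class})
    public void revokeToken(@Config OAuth2ProviderConfiguration oAuth2ProviderConfiguration, @Expression(ExpressionSupport.SUPPORTED) String str) throws InvalidTokenException {
        TokenStore tokenStore = oAuth2ProviderConfiguration.getTokenStore();
        if (tokenStore.retrieveByAccessToken(str) != null) {
            tokenStore.remove(str);
            return;
        }
        AccessTokenStoreHolder holder = tokenStore.retrieveByRefreshToken(str);
        if (holder == null) {
            throw new InvalidTokenException("Token is invalid");
        }
        tokenStore.remove(holder.getAccessToken().getAccessToken());
    }

    /**
     * Builds an error response message with no extra headers.
     *
     * @param str reason phrase of the response
     * @param i HTTP status code
     * @return the message carrying the response attributes
     */
    private Message createErrorMessage(String str, int i) {
        return createErrorMessage(str, i, null);
    }

    /**
     * Builds an error response message with a null payload and the given status, reason
     * phrase and headers. A {@code WWW-Authenticate} header is always added.
     *
     * @param str reason phrase of the response
     * @param i HTTP status code
     * @param multiMap headers to include, or {@code null} for none
     * @return the message carrying the response attributes
     */
    private Message createErrorMessage(String str, int i, MultiMap<String, String> multiMap) {
        MultiMap<String, String> headers = multiMap == null ? new MultiMap<>() : multiMap;
        headers.put("WWW-Authenticate", OAuth2ProviderConfiguration.WWW_AUTHENTICATE_HEADER_VALUE);
        return Message.builder().nullValue().attributesValue(new HttpListenerResponseAttributes(i, str, headers)).build();
    }
}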
