package org.mule.modules.oauth2.provider.processor;

import java.util.HashMap;
import java.util.List;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.mule.api.MuleEvent;
import org.mule.api.security.Authentication;
import org.mule.modules.oauth2.provider.AuthorizationRequest;
import org.mule.modules.oauth2.provider.Constants;
import org.mule.modules.oauth2.provider.OAuth2Exception;
import org.mule.modules.oauth2.provider.Utils;
import org.mule.modules.oauth2.provider.client.Client;
import org.mule.modules.oauth2.provider.client.ClientType;
import org.mule.modules.oauth2.provider.code.AuthorizationCodeStoreHolder;
import org.mule.modules.oauth2.provider.config.Configuration;
import org.mule.modules.oauth2.provider.processor.RequestProcessingException;
import org.mule.modules.oauth2.provider.token.Token;
import org.mule.util.StringUtils;

/* loaded from: input_file:mule/lib/mule/mule-module-security-oauth2-provider-1.5.0.jar:org/mule/modules/oauth2/provider/processor/TokenRequestMessageProcessor.class */
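/**
 * Handles requests to the OAuth2 token endpoint: resolves the grant type and client, authenticates
 * confidential clients, and dispatches to the handler for the requested grant.
 *
 * <p>Helpers such as {@code getKnownClientOrFail}, {@code validateClientCredentials} and
 * {@code getEffectiveScopes} are inherited and not visible in this listing; their exact failure
 * behaviour should be confirmed against {@link AbstractHttpRequestMessageProcessor}.
 *
 * <p>NOTE(review): no {@code code_verifier} (PKCE) parameter is read anywhere in this class, so a
 * public client redeeming an authorization code is bound only by the code, its client id and the
 * redirect URI.
 */
public class TokenRequestMessageProcessor extends AbstractHttpRequestMessageProcessor {
    /** Passed to the token manager for grants that carry no resource-owner authentication. */
    private static final Authentication NO_RESOURCE_OWNER_AUTHENTICATION = null;

    public TokenRequestMessageProcessor(Configuration configuration) {
        super(configuration);
    }

    /**
     * Validates the client and grant type, then delegates to the matching grant handler.
     *
     * @param muleEvent the event carrying the token request
     * @return the event with the token response set as payload
     * @throws OAuth2Exception if the client credentials are rejected, the client is not authorized
     *     for the grant type, or the grant type has no handler here
     */
    @Override
    protected MuleEvent processRequest(MuleEvent muleEvent) throws OAuth2Exception {
        Constants.RequestGrantType grantType = getSupportedRequestGrantTypeOrFail(muleEvent);
        Client client = getKnownClientOrFail(muleEvent);

        // Only confidential clients are authenticated at this point; any other client type
        // reaches the grant handlers without a credential check.
        boolean confidential = client.getType() == ClientType.CONFIDENTIAL;
        if (confidential && !validateClientCredentials(client, muleEvent)) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_CLIENT, "Invalid credentials");
        }

        // Per-client allow-list of grant types, checked before any grant-specific work.
        if (!client.isGrantTypeAuthorized(grantType)) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.UNSUPPORTED_GRANT_TYPE, "Client doesn't support grant type: " + grantType);
        }

        if (grantType == Constants.RequestGrantType.AUTHORIZATION_CODE) {
            return processAuthorizationCodeRequest(grantType, client, muleEvent);
        }
        if (grantType == Constants.RequestGrantType.REFRESH_TOKEN) {
            return processRefreshTokenRequest(grantType, client, muleEvent);
        }
        if (grantType == Constants.RequestGrantType.PASSWORD) {
            return processPasswordRequest(grantType, client, muleEvent);
        }
        if (grantType == Constants.RequestGrantType.CLIENT_CREDENTIALS) {
            return processClientCredentialsRequest(grantType, client, muleEvent);
        }
        throw new RequestProcessingException(RequestProcessingException.ErrorType.UNSUPPORTED_GRANT_TYPE, "Unsupported grant type: " + grantType);
    }

    /**
     * Redeems an authorization code for an access token.
     *
     * <p>The code is consumed first, then checked for expiry, for having been issued to the
     * calling client, and for a matching {@code redirect_uri}.
     *
     * @throws OAuth2Exception if a mandatory parameter is missing, the code has expired, the code
     *     belongs to another client, or the redirect URI differs from the authorization request
     */
    private MuleEvent processAuthorizationCodeRequest(Constants.RequestGrantType requestGrantType, Client client, MuleEvent muleEvent) throws OAuth2Exception {
        String code = getMandatoryParameterOrFail(muleEvent, "code");
        String redirectUri = getMandatoryParameterOrFail(muleEvent, "redirect_uri");

        // The code is consumed before the checks below, so a request that fails any of them
        // has still used the code up.
        // NOTE(review): behaviour for an unknown code (null holder vs. exception) is not visible
        // here - confirm against the authorization code manager.
        AuthorizationCodeStoreHolder codeHolder = this.configuration.getAuthorizationCodeManager().consumeAuthorizationCode(code);
        if (codeHolder.getAuthorizationCode().isExpired()) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_GRANT, "Authorization code has expired");
        }

        // Bind the code to the client it was issued to.
        AuthorizationRequest authorizationRequest = codeHolder.getAuthorizationRequest();
        if (!authorizationRequest.getClientId().equals(client.getClientId())) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_CLIENT_ID);
        }

        // Exact string match after trimming; blank values are treated as null on both sides.
        String presentedRedirectUri = org.apache.commons.lang.StringUtils.trimToNull(redirectUri);
        String registeredRedirectUri = org.apache.commons.lang.StringUtils.trimToNull(authorizationRequest.getRedirectUri());
        if (!StringUtils.equals(presentedRedirectUri, registeredRedirectUri)) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_REDIRECTION_URI);
        }

        return respondToken(this.configuration.getTokenManager().grantAccessToken(requestGrantType, this.configuration.isRefreshTokenEnabled(), authorizationRequest, NO_RESOURCE_OWNER_AUTHENTICATION), muleEvent);
    }

    /**
     * Exchanges a refresh token for a new token, rejecting a requested scope that is not a
     * sub-collection of the exchanged token's scopes.
     *
     * @throws OAuth2Exception if {@code refresh_token} is missing, the exchange fails, or the
     *     requested scope exceeds the token's scopes
     */
    private MuleEvent processRefreshTokenRequest(Constants.RequestGrantType requestGrantType, Client client, MuleEvent muleEvent) throws OAuth2Exception {
        String refreshToken = getMandatoryParameterOrFail(muleEvent, "refresh_token");
        List<String> requestedScopes = getEffectiveScopes(muleEvent, client);

        // NOTE(review): the exchange runs before the scope check. If exchangeRefreshToken
        // invalidates the presented refresh token (not visible here), a scope mismatch leaves the
        // client without a usable token - confirm against the token manager.
        Token exchanged = this.configuration.getTokenManager().exchangeRefreshToken(refreshToken, client.getClientId());

        // The requested scopes are only validated; the response carries the exchanged token's
        // own scopes, not the requested subset.
        boolean scopeAcceptable = CollectionUtils.isEmpty(requestedScopes) || CollectionUtils.isSubCollection(requestedScopes, exchanged.getScopes());
        if (!scopeAcceptable) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_SCOPE, "Scope doesn't match originally granted scope");
        }
        return respondToken(exchanged, muleEvent);
    }

    /**
     * Issues a token for the resource owner password grant once the owner's credentials validate.
     *
     * @throws OAuth2Exception with {@code ACCESS_DENIED} if the resource owner is not authenticated
     */
    private MuleEvent processPasswordRequest(Constants.RequestGrantType requestGrantType, Client client, MuleEvent muleEvent) throws OAuth2Exception {
        Pair<Boolean, Authentication> ownerValidation = validateResourceOwnerCredentials(client, muleEvent);
        if (!ownerValidation.getLeft().booleanValue()) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.ACCESS_DENIED);
        }
        // NOTE(review): the token is granted as RequestGrantType.TOKEN rather than the
        // requestGrantType argument, which is unused here - confirm this is intended.
        return respondToken(this.configuration.getTokenManager().grantAccessToken(Constants.RequestGrantType.TOKEN, this.configuration.isRefreshTokenEnabled(), client.getClientId(), getEffectiveScopes(muleEvent, client), ownerValidation.getRight()), muleEvent);
    }

    /**
     * Issues a token for the client credentials grant. Only confidential clients with valid
     * credentials are accepted, and no refresh token is requested.
     *
     * @throws OAuth2Exception if the client is not confidential or its credentials are rejected
     */
    private MuleEvent processClientCredentialsRequest(Constants.RequestGrantType requestGrantType, Client client, MuleEvent muleEvent) throws OAuth2Exception {
        if (client.getType() != ClientType.CONFIDENTIAL) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.UNAUTHORIZED_CLIENT, "Client is not confidential!");
        }
        // Credentials are checked here as well as in processRequest, so this grant does not
        // depend on the caller having authenticated the client.
        if (!validateClientCredentials(client, muleEvent)) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_CLIENT, "Invalid credentials");
        }
        // Refresh tokens are always disabled for this grant (second argument is false).
        return respondToken(this.configuration.getTokenManager().grantAccessToken(Constants.RequestGrantType.TOKEN, false, client.getClientId(), getEffectiveScopes(muleEvent, client), NO_RESOURCE_OWNER_AUTHENTICATION), muleEvent);
    }

    /**
     * Writes the token response fields into the event payload and marks the response as
     * non-cacheable.
     *
     * @param token the token to return to the client
     * @param muleEvent the event whose message receives the payload and headers
     * @return the same event
     */
    private MuleEvent respondToken(Token token, MuleEvent muleEvent) {
        HashMap<String, Object> response = new HashMap<String, Object>();
        response.put("access_token", token.getAccessToken());
        response.put(Constants.TOKEN_TYPE_PARAMETER, token.getType());
        response.put("expires_in", Long.valueOf(token.getExpiresIn().toDuration().getStandardSeconds()));
        // scope and refresh_token are optional and omitted when absent.
        if (CollectionUtils.isNotEmpty(token.getScopes())) {
            response.put("scope", Utils.stringifyScopes(token.getScopes()));
        }
        if (org.apache.commons.lang.StringUtils.isNotBlank(token.getRefreshToken())) {
            response.put("refresh_token", token.getRefreshToken());
        }
        muleEvent.getMessage().setPayload(response);

        // RFC 6749 section 5.1 requires responses that contain tokens to be sent with
        // Cache-Control: no-store and Pragma: no-cache; set them here so the requirement holds
        // regardless of what the surrounding flow adds.
        muleEvent.getMessage().setOutboundProperty("Cache-Control", "no-store");
        muleEvent.getMessage().setOutboundProperty("Pragma", "no-cache");
        return muleEvent;
    }

    /**
     * Delegates to the base handler, then answers with HTTP 401 and a Basic challenge when an
     * {@code INVALID_CLIENT} error occurs on a request that supplied an {@code Authorization}
     * value.
     *
     * <p>Declared public in this decompiled listing; the decompiler notes the access modifier was
     * changed from protected.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override
    public MuleEvent handleException(RequestProcessingException requestProcessingException, MuleEvent muleEvent) {
        MuleEvent handled = super.handleException(requestProcessingException, muleEvent);
        boolean authorizationPresented = org.apache.commons.lang.StringUtils.isNotBlank(getOptionalParameter(muleEvent, "Authorization"));
        if (authorizationPresented && requestProcessingException.getErrorType() == RequestProcessingException.ErrorType.INVALID_CLIENT) {
            muleEvent.getMessage().setOutboundProperty("http.status", 401);
            muleEvent.getMessage().setOutboundProperty("WWW-Authenticate", "Basic realm=\"OAuth2 Client Realm\"");
        }
        return handled;
    }

    /** Token endpoint errors are never reported through a redirect. */
    @Override
    protected boolean isRedirectingForError(RequestProcessingException.ErrorType errorType, String str) {
        return false;
    }

    /** Builds the response payload as a map of the given key/value pairs; {@code str} is unused. */
    @Override
    protected Object buildResponsePayload(String str, String... strArr) {
        return keyValuePairsToMap(strArr);
    }
}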
