package com.mulesoft.modules.oauth2.provider.internal.processor;

import com.google.gson.Gson;
import com.mulesoft.modules.oauth2.provider.api.AuthorizationRequest;
import com.mulesoft.modules.oauth2.provider.api.Constants;
import com.mulesoft.modules.oauth2.provider.api.ResourceOwnerAuthentication;
import com.mulesoft.modules.oauth2.provider.api.client.Client;
import com.mulesoft.modules.oauth2.provider.api.client.ClientType;
import com.mulesoft.modules.oauth2.provider.api.client.NoSuchClientException;
import com.mulesoft.modules.oauth2.provider.api.token.Token;
import com.mulesoft.modules.oauth2.provider.internal.Utils;
import com.mulesoft.modules.oauth2.provider.internal.config.OAuthConfiguration;
import com.mulesoft.modules.oauth2.provider.internal.processor.RequestProcessingException;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.mule.runtime.api.metadata.MediaType;
import org.mule.runtime.api.security.SecurityException;
import org.mule.runtime.api.util.Preconditions;
import org.mule.runtime.http.api.HttpConstants;
import org.mule.runtime.http.api.domain.entity.ByteArrayHttpEntity;
import org.mule.runtime.http.api.domain.message.response.HttpResponseBuilder;

/* loaded from: input_file:com/mulesoft/modules/oauth2/provider/internal/processor/TokenRequestProcessor.class */
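/**
 * Request processor for the OAuth 2.0 token endpoint.
 *
 * <p>Resolves the requested grant type and the calling client, authenticates
 * confidential clients, checks that the client is authorized for the grant
 * type, and then dispatches to the handler for {@code authorization_code},
 * {@code refresh_token}, {@code password} or {@code client_credentials}.
 * Successful and error responses are both written as JSON bodies.
 *
 * <p>Several methods carry a "JADX INFO" marker: this source was produced by a
 * decompiler, which widened those methods from {@code protected} to
 * {@code public}. The widened modifiers are kept here so existing callers
 * still compile.
 */
public class TokenRequestProcessor extends OAuth2ProviderRequestProcessor {
    // Passed to the token manager for grants that involve no resource-owner
    // authentication in this class (authorization code, client credentials).
    private static final ResourceOwnerAuthentication NO_RESOURCE_OWNER_AUTHENTICATION = null;

    /**
     * Creates a processor bound to the given provider configuration.
     *
     * @param oAuthConfiguration configuration handed to the superclass
     */
    public TokenRequestProcessor(OAuthConfiguration oAuthConfiguration) {
        super(oAuthConfiguration);
    }

    /**
     * Validates a token request and dispatches it to the grant-specific handler.
     *
     * <p>Order of checks: grant type is resolved, the client is looked up,
     * confidential clients must present valid credentials, and the client must
     * be authorized for the requested grant type.
     *
     * @param requestData the incoming token request
     * @param httpResponseBuilder builder that receives the token response
     * @throws SecurityException declared for the grant handlers it delegates to
     * @throws RequestProcessingException if client authentication fails or the
     *         grant type is unsupported or not authorized for the client
     */
    public void processRequest(RequestData requestData, HttpResponseBuilder httpResponseBuilder) throws SecurityException {
        Constants.RequestGrantType grantType = getSupportedRequestGrantTypeOrFail(requestData);
        Client client = getKnownClientOrFail(requestData);

        // Only CONFIDENTIAL clients are authenticated here. Any other client type
        // proceeds on its client_id alone, so the grant-specific checks below are
        // the only protection for those clients.
        if (client.getType() == ClientType.CONFIDENTIAL && !validateClientCredentials(client, requestData)) {
            throw RequestProcessingExceptionFactory.wrongClientSecretException();
        }
        if (!client.isGrantTypeAuthorized(grantType)) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.UNSUPPORTED_GRANT_TYPE, "Client does not support grant type: " + grantType);
        }

        // An if-chain (not a switch) so that an unexpected or null grant type
        // falls through to the explicit UNSUPPORTED_GRANT_TYPE error.
        if (grantType == Constants.RequestGrantType.AUTHORIZATION_CODE) {
            processAuthorizationCodeRequest(grantType, client, requestData, httpResponseBuilder);
        } else if (grantType == Constants.RequestGrantType.REFRESH_TOKEN) {
            processRefreshTokenRequest(grantType, client, requestData, httpResponseBuilder);
        } else if (grantType == Constants.RequestGrantType.PASSWORD) {
            processPasswordRequest(grantType, client, requestData, httpResponseBuilder);
        } else if (grantType == Constants.RequestGrantType.CLIENT_CREDENTIALS) {
            processClientCredentialsRequest(grantType, client, requestData, httpResponseBuilder);
        } else {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.UNSUPPORTED_GRANT_TYPE, "Unsupported grant type: " + grantType);
        }
    }

    /**
     * Maps a {@link NoSuchClientException} to the factory's unknown-client-id
     * error; every other exception is converted by the superclass.
     *
     * @param exc the exception raised while processing the request
     * @return the corresponding {@link RequestProcessingException}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.mulesoft.modules.oauth2.provider.internal.processor.OAuth2ProviderRequestProcessor
    public RequestProcessingException convertToRequestProcessingException(Exception exc) {
        if (exc instanceof NoSuchClientException) {
            return RequestProcessingExceptionFactory.unkownClientIdException();
        }
        return super.convertToRequestProcessingException(exc);
    }

    /**
     * Handles the {@code authorization_code} grant: consumes the code, verifies
     * it was issued to the calling client and for the same redirect URI, then
     * grants an access token.
     *
     * @throws RequestProcessingException if the code belongs to another client
     *         or the redirect URI differs from the one in the authorization request
     */
    private void processAuthorizationCodeRequest(Constants.RequestGrantType requestGrantType, Client client, RequestData requestData, HttpResponseBuilder httpResponseBuilder) throws SecurityException {
        String code = getMandatoryParameterOrFail(requestData, Constants.CODE_PARAMETER);
        String redirectUri = getMandatoryParameterOrFail(requestData, Constants.REDIRECT_URI_PARAMETER);

        // The code is consumed before the client and redirect-URI bindings are
        // checked, so a request that fails either check below has still used
        // up the code.
        // NOTE(review): no PKCE code_verifier check is visible in this class —
        // confirm whether it is enforced inside the authorization code manager,
        // since non-confidential clients are not authenticated by processRequest.
        AuthorizationRequest authorizationRequest = this.configuration.getAuthorizationCodeManager().consumeAuthorizationCode(code).getAuthorizationRequest();

        if (!authorizationRequest.getClientId().equals(client.getClientId())) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_CLIENT_ID);
        }
        // Exact match after trimming; blank and null are treated as equal.
        String requestedRedirectUri = StringUtils.trimToNull(redirectUri);
        String grantedRedirectUri = StringUtils.trimToNull(authorizationRequest.getRedirectUri());
        if (!StringUtils.equals(requestedRedirectUri, grantedRedirectUri)) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_REDIRECTION_URI);
        }

        Token token = this.configuration.getTokenManager().grantAccessToken(requestGrantType, authorizationRequest, NO_RESOURCE_OWNER_AUTHENTICATION);
        respondToken(token, httpResponseBuilder);
    }

    /**
     * Handles the {@code refresh_token} grant: exchanges the refresh token for
     * the calling client and rejects a requested scope that is not contained in
     * the scopes of the exchanged token.
     *
     * @throws RequestProcessingException with {@code INVALID_SCOPE} if the
     *         requested scopes exceed the token's scopes
     */
    private void processRefreshTokenRequest(Constants.RequestGrantType requestGrantType, Client client, RequestData requestData, HttpResponseBuilder httpResponseBuilder) throws SecurityException {
        String refreshToken = getMandatoryParameterOrFail(requestData, Constants.REFRESH_TOKEN_PARAMETER);
        Set<String> requestedScopes = getEffectiveScopes(requestData, client);

        // NOTE(review): the exchange happens before the scope check, so an
        // INVALID_SCOPE failure is raised after the token manager has already
        // performed the exchange — confirm the manager's behaviour in that case.
        // The response carries the exchanged token's scopes, not requestedScopes.
        Token exchangedToken = this.configuration.getTokenManager().exchangeRefreshToken(refreshToken, client.getClientId());

        boolean scopesRequested = CollectionUtils.isNotEmpty(requestedScopes);
        if (scopesRequested && !CollectionUtils.isSubCollection(requestedScopes, exchangedToken.getScopes())) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.INVALID_SCOPE, "Scope doesn't match originally granted scope");
        }
        respondToken(exchangedToken, httpResponseBuilder);
    }

    /**
     * Handles the {@code password} grant: validates the resource owner's
     * credentials and grants a token for the client's effective scopes.
     *
     * @throws RequestProcessingException with {@code ACCESS_DENIED} if the
     *         resource owner credentials are rejected
     */
    private void processPasswordRequest(Constants.RequestGrantType requestGrantType, Client client, RequestData requestData, HttpResponseBuilder httpResponseBuilder) throws SecurityException {
        Pair<Boolean, ResourceOwnerAuthentication> validation = validateResourceOwnerCredentials(client, requestData);
        if (!validation.getLeft()) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.ACCESS_DENIED);
        }
        // The token manager is called with RequestGrantType.TOKEN rather than
        // the requestGrantType argument, as in the original code.
        Token token = this.configuration.getTokenManager().grantAccessToken(Constants.RequestGrantType.TOKEN, client.getClientId(), getEffectiveScopes(requestData, client), validation.getRight());
        respondToken(token, httpResponseBuilder);
    }

    /**
     * Handles the {@code client_credentials} grant, which is restricted to
     * confidential clients with valid credentials.
     *
     * @throws RequestProcessingException with {@code UNAUTHORIZED_CLIENT} if the
     *         client is not confidential, or the wrong-client-secret error if its
     *         credentials do not validate
     */
    private void processClientCredentialsRequest(Constants.RequestGrantType requestGrantType, Client client, RequestData requestData, HttpResponseBuilder httpResponseBuilder) throws SecurityException {
        if (client.getType() != ClientType.CONFIDENTIAL) {
            throw new RequestProcessingException(RequestProcessingException.ErrorType.UNAUTHORIZED_CLIENT, "Client is not confidential!");
        }
        // processRequest already validated confidential clients; the check is
        // repeated here so this handler does not depend on its caller.
        if (!validateClientCredentials(client, requestData)) {
            throw RequestProcessingExceptionFactory.wrongClientSecretException();
        }
        Token token = this.configuration.getTokenManager().grantAccessToken(Constants.RequestGrantType.TOKEN, client.getClientId(), getEffectiveScopes(requestData, client), NO_RESOURCE_OWNER_AUTHENTICATION);
        respondToken(token, httpResponseBuilder);
    }

    /**
     * Writes the token response as a JSON object: access token, token type,
     * the configured TTL, and scope / refresh token when present.
     *
     * @param token the token to return to the client
     * @param httpResponseBuilder builder that receives the header and body
     */
    private void respondToken(Token token, HttpResponseBuilder httpResponseBuilder) {
        Map<String, Object> payload = new HashMap<>();
        payload.put(Constants.ACCESS_TOKEN_PARAMETER, token.getAccessToken());
        payload.put(Constants.TOKEN_TYPE_PARAMETER, token.getType());
        payload.put(Constants.EXPIRES_IN_PARAMETER, this.configuration.getTokenConfig().getTokenTtlInSeconds());
        if (CollectionUtils.isNotEmpty(token.getScopes())) {
            payload.put(Constants.SCOPE_PARAMETER, Utils.stringifyScopes(token.getScopes()));
        }
        if (StringUtils.isNotBlank(token.getRefreshToken())) {
            payload.put(Constants.REFRESH_TOKEN_PARAMETER, token.getRefreshToken());
        }
        // NOTE(review): RFC 6749 section 5.1 requires "Cache-Control: no-store" and
        // "Pragma: no-cache" on responses carrying tokens. Neither is set here;
        // confirm that the superclass or the HTTP listener adds them.
        httpResponseBuilder.addHeader("Content-Type", MediaType.APPLICATION_JSON.toRfcString());
        // Encode explicitly as UTF-8: the no-arg getBytes() uses the platform
        // default charset, which can corrupt non-ASCII values in the JSON body.
        httpResponseBuilder.entity(new ByteArrayHttpEntity(new Gson().toJson(payload).getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Runs the superclass error handling, then upgrades the response to
     * {@code 401} with a {@code WWW-Authenticate: Basic} challenge when the
     * error is {@code INVALID_CLIENT} and the request carried a non-blank
     * {@code Authorization} value (the behaviour RFC 6749 section 5.2 describes for
     * clients that authenticated via that header).
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.mulesoft.modules.oauth2.provider.internal.processor.OAuth2ProviderRequestProcessor
    public void handleException(RequestProcessingException requestProcessingException, RequestData requestData, HttpResponseBuilder httpResponseBuilder) {
        super.handleException(requestProcessingException, requestData, httpResponseBuilder);

        boolean authorizationPresent = StringUtils.isNotBlank(getOptionalParameter(requestData, "Authorization"));
        boolean invalidClient = requestProcessingException.getErrorType() == RequestProcessingException.ErrorType.INVALID_CLIENT;
        if (authorizationPresent && invalidClient) {
            httpResponseBuilder.statusCode(Integer.valueOf(HttpConstants.HttpStatus.UNAUTHORIZED.getStatusCode()));
            httpResponseBuilder.addHeader("WWW-Authenticate", "Basic realm=\"OAuth2 Client Realm\"");
        }
    }

    /**
     * Token endpoint errors are never delivered by redirect; this always
     * returns {@code false}.
     */
    @Override // com.mulesoft.modules.oauth2.provider.internal.processor.OAuth2ProviderRequestProcessor
    protected boolean isRedirectingForError(RequestProcessingException.ErrorType errorType, String str) {
        return false;
    }

    /**
     * Writes the given name/value pairs as a JSON response body.
     *
     * @param httpResponseBuilder builder that receives the header and body
     * @param str unused by this implementation
     * @param strArr alternating parameter names and values
     */
    @Override // com.mulesoft.modules.oauth2.provider.internal.processor.OAuth2ProviderRequestProcessor
    protected void setResponsePayload(HttpResponseBuilder httpResponseBuilder, String str, String... strArr) {
        httpResponseBuilder.addHeader("Content-Type", MediaType.APPLICATION_JSON.toRfcString());
        // The cast selects the varargs form so each string becomes one element.
        String json = new Gson().toJson(keyValuePairsToMap((Object[]) strArr));
        // Explicit UTF-8 instead of the platform default charset.
        httpResponseBuilder.entity(new ByteArrayHttpEntity(json.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Builds a map from alternating (name, value) arguments, skipping pairs
     * whose value is {@code null} and HTML-escaping every value.
     *
     * <p>Values can echo request input into the error body, so they are escaped
     * before serialization. Both names and values are cast to {@code String};
     * a non-string argument fails with {@link ClassCastException}.
     *
     * @param objArr alternating parameter names and values; length must be even
     * @return map of parameter name to HTML-escaped value
     * @throws IllegalArgumentException if an odd number of arguments is passed
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.mulesoft.modules.oauth2.provider.internal.processor.OAuth2ProviderRequestProcessor
    public Map<String, Object> keyValuePairsToMap(Object... objArr) {
        Preconditions.checkArgument(objArr.length % 2 == 0, "need an even number of (param name, param value) string pairs");
        Map<String, Object> result = new HashMap<>();
        for (int i = 0; i < objArr.length; i += 2) {
            Object value = objArr[i + 1];
            if (value != null) {
                result.put((String) objArr[i], StringEscapeUtils.escapeHtml((String) value));
            }
        }
        return result;
    }
}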
