package org.jasig.cas.support.oauth.web;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.Service;
import org.jasig.cas.services.RegisteredService;
import org.jasig.cas.ticket.TicketGrantingTicket;
import org.jasig.cas.util.Pair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.ModelAndView;

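/**
 * OAuth 2.0 profile endpoint: resolves a presented bearer access token to a ticket and,
 * if the token, the registered service and the principal's access all check out, writes the
 * principal id and the released attributes as a JSON document.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The access token is a bearer credential. It must never be written to logs, not even at
 *       debug level, because anyone who can read the log can replay it.</li>
 *   <li>The token is also accepted as the {@code access_token} request parameter. When that
 *       parameter travels in a query string it may end up in access logs and referrers; prefer
 *       the {@code Authorization: Bearer} header where clients allow it.</li>
 *   <li>Error responses carry only fixed error codes. Exception details stay in the server log
 *       so internal state is not disclosed to the caller.</li>
 * </ul>
 */
@Component("profileController")
/* loaded from: input_file:org/jasig/cas/support/oauth/web/OAuth20ProfileController.class */
public final class OAuth20ProfileController extends BaseOAuthWrapperController {
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20ProfileController.class);
    private static final String ID = "id";
    private static final String ATTRIBUTES = "attributes";
    private static final String ACCESS_TOKEN = "access_token";
    private static final String ERROR = "error";
    private static final String INVALID_REQUEST = "invalid_request";
    /** Authorization scheme plus the single separating space, matched case-insensitively. */
    private static final String BEARER_PREFIX = "Bearer ";

    @Autowired
    @Qualifier("defaultAccessTokenGenerator")
    private AccessTokenGenerator accessTokenGenerator;
    private final JsonFactory jsonFactory = new JsonFactory(new ObjectMapper());

    /**
     * Handles a profile request.
     *
     * <p>The access token is read from the {@code access_token} parameter or, when that is blank,
     * from an {@code Authorization: Bearer ...} header. Every outcome, success or failure, is
     * written to the response as JSON; the method always returns {@code null} because no view
     * is rendered.
     *
     * @param str                 first argument supplied by the base controller (unused here)
     * @param httpServletRequest  the incoming request carrying the access token
     * @param httpServletResponse the response the JSON document is written to
     * @return always {@code null}
     * @throws Exception if writing the response fails or a later verification step throws
     */
    @Override // org.jasig.cas.support.oauth.web.BaseOAuthWrapperController
    protected ModelAndView internalHandleRequest(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        String accessToken = httpServletRequest.getParameter(ACCESS_TOKEN);
        if (StringUtils.isBlank(accessToken)) {
            String header = httpServletRequest.getHeader("Authorization");
            // regionMatches(ignoreCase) avoids the default-locale dependency of toLowerCase().
            if (StringUtils.isNotBlank(header) && header.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
                accessToken = header.substring(BEARER_PREFIX.length());
            }
        }
        // Log only whether a token was supplied; the token value itself is a credential.
        LOGGER.debug("{} present: {}", ACCESS_TOKEN, StringUtils.isNotBlank(accessToken));

        // Content type and encoding must be set before getWriter(), otherwise the writer is
        // already bound to the container's default encoding.
        httpServletResponse.setContentType("application/json");
        httpServletResponse.setCharacterEncoding("UTF-8");

        try (JsonGenerator generator = this.jsonFactory.createJsonGenerator(httpServletResponse.getWriter())) {
            if (StringUtils.isBlank(accessToken)) {
                LOGGER.error("Missing {}", ACCESS_TOKEN);
                writeError(generator, "missing_accessToken");
                return null;
            }

            Pair<String, Service> decoded;
            TicketGrantingTicket ticketGrantingTicket;
            try {
                decoded = this.accessTokenGenerator.degenerate(accessToken);
                ticketGrantingTicket = verifyAccessToken(decoded.getFirst(), generator);
            } catch (Exception e) {
                // The exception message may echo attacker-supplied token content or internal
                // details, so it is neither returned to the client nor logged above debug.
                LOGGER.warn("Access token could not be decoded or verified ({})", e.getClass().getName());
                LOGGER.debug("Access token verification failure", e);
                writeError(generator, INVALID_REQUEST);
                return null;
            }
            if (ticketGrantingTicket == null) {
                // verifyAccessToken has already written the error document.
                return null;
            }

            RegisteredService registeredService = verifyRegisteredService(generator, decoded);
            if (registeredService == null) {
                return null;
            }

            Principal principal = ticketGrantingTicket.getAuthentication().getPrincipal();
            if (!verifyPrincipalServiceAccess(generator, registeredService, principal)) {
                return null;
            }

            writeOutProfileResponse(generator, registeredService, principal);
            return null;
        } finally {
            // Runs after the generator has been closed, on every path including failures.
            httpServletResponse.flushBuffer();
        }
    }

    /**
     * Writes a single-field JSON error document: {@code {"error": code}}.
     *
     * @param jsonGenerator generator bound to the response writer
     * @param code          fixed error code to report; must not contain request-derived detail
     * @throws IOException if the generator cannot write
     */
    private void writeError(JsonGenerator jsonGenerator, String code) throws IOException {
        jsonGenerator.writeStartObject();
        jsonGenerator.writeStringField(ERROR, code);
        jsonGenerator.writeEndObject();
    }

    /**
     * Checks the service's access strategy against the principal's id and attributes.
     *
     * @return {@code true} if access is allowed; otherwise {@code false} after writing an error
     * @throws IOException if the error document cannot be written
     */
    private boolean verifyPrincipalServiceAccess(JsonGenerator jsonGenerator, RegisteredService registeredService, Principal principal) throws IOException {
        if (registeredService.getAccessStrategy().doPrincipalAttributesAllowServiceAccess(principal.getId(), principal.getAttributes())) {
            return true;
        }
        // Log the principal id rather than the whole principal object, whose string form may
        // include attribute values.
        this.logger.warn("Service [{}] is not authorized for use by [{}].", registeredService.getServiceId(), principal.getId());
        writeError(jsonGenerator, "screen.service.error.message");
        return false;
    }

    /**
     * Looks up the registered service named by the decoded token and checks that it is enabled.
     *
     * @param pair decoded token; its second element identifies the service by numeric id
     * @return the registered service, or {@code null} after writing an {@code invalid_request}
     *         error when the id is not numeric, the service is unknown, or access is disabled
     * @throws IOException if the error document cannot be written
     */
    private RegisteredService verifyRegisteredService(JsonGenerator jsonGenerator, Pair<String, Service> pair) throws IOException {
        RegisteredService registeredService = null;
        try {
            registeredService = this.servicesManager.findServiceBy(Long.parseLong(pair.getSecond().getId()));
        } catch (NumberFormatException e) {
            // A non-numeric id is treated as "service not found" instead of surfacing as an
            // unhandled exception.
            this.logger.warn("Service id carried by the access token is not numeric.");
        }
        if (registeredService != null && registeredService.getAccessStrategy().isServiceAccessAllowed()) {
            return registeredService;
        }
        this.logger.warn("Service [{}] is not found in the registry or it is disabled.", registeredService);
        writeError(jsonGenerator, INVALID_REQUEST);
        return null;
    }

    /**
     * Resolves the ticket id decoded from the access token to a live ticket.
     *
     * @param str ticket id used as the registry key; treated as a secret and never logged
     * @return the ticket, or {@code null} after writing an {@code invalid_request} error when the
     *         ticket is absent from the registry or has expired
     * @throws IOException if the error document cannot be written
     */
    private TicketGrantingTicket verifyAccessToken(String str, JsonGenerator jsonGenerator) throws IOException {
        TicketGrantingTicket ticket = this.ticketRegistry.getTicket(str);
        if (ticket != null && !ticket.isExpired()) {
            return ticket;
        }
        // Covers both "not in the registry" and "expired"; the id is deliberately omitted.
        LOGGER.error("Ticket for the presented access token is {}", ticket == null ? "missing" : "expired");
        writeError(jsonGenerator, INVALID_REQUEST);
        return null;
    }

    /**
     * Writes the profile document: the principal id plus one single-field object per attribute
     * returned by the service's attribute release policy. Only attributes that policy returns
     * are emitted, so the policy is what bounds the data disclosed to the client.
     *
     * @throws IOException if the generator cannot write
     */
    private void writeOutProfileResponse(JsonGenerator jsonGenerator, RegisteredService registeredService, Principal principal) throws IOException {
        jsonGenerator.writeStartObject();
        jsonGenerator.writeStringField(ID, principal.getId());
        jsonGenerator.writeArrayFieldStart(ATTRIBUTES);
        for (Map.Entry<?, ?> entry : registeredService.getAttributeReleasePolicy().getAttributes(principal).entrySet()) {
            jsonGenerator.writeStartObject();
            jsonGenerator.writeObjectField((String) entry.getKey(), entry.getValue());
            jsonGenerator.writeEndObject();
        }
        jsonGenerator.writeEndArray();
        jsonGenerator.writeEndObject();
    }
}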
