package org.restlet.ext.oauth;

import java.util.Arrays;
import java.util.logging.Level;
import javax.naming.AuthenticationException;
import org.json.JSONException;
import org.json.JSONObject;
import org.restlet.data.CacheDirective;
import org.restlet.data.Form;
import org.restlet.data.Status;
import org.restlet.ext.json.JsonRepresentation;
import org.restlet.ext.oauth.internal.AuthSession;
import org.restlet.ext.oauth.internal.AuthSessionTimeoutException;
import org.restlet.ext.oauth.internal.Client;
import org.restlet.ext.oauth.internal.ResourceOwnerManager;
import org.restlet.ext.oauth.internal.Scopes;
import org.restlet.ext.oauth.internal.Token;
import org.restlet.representation.Representation;
import org.restlet.resource.Post;
import org.restlet.security.User;

/* loaded from: input_file:org/restlet/ext/oauth/AccessTokenServerResource.class */
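public class AccessTokenServerResource extends OAuthServerResource {

    /**
     * Resolves the client making a token request for the flows that accept either
     * an authenticated client (HTTP authentication) or an unauthenticated public
     * client identified by the form body.
     *
     * @param form the parsed token request
     * @return the authenticated client, or the public client from {@link #getClient(Form)}
     * @throws OAuthException if no acceptable client can be determined
     */
    private Client resolveClient(Form form) throws OAuthException {
        Client client = getAuthenticatedClient();
        return client != null ? client : getClient(form);
    }

    /**
     * Reads a mandatory form parameter.
     *
     * @param form the parsed token request
     * @param name the parameter name (one of the {@code OAuthResourceDefs} constants)
     * @return the first non-empty value of the parameter
     * @throws OAuthException {@code invalid_request} when the parameter is absent or empty
     */
    private static String getMandatoryParameter(Form form, String name) throws OAuthException {
        String value = form.getFirstValue(name);
        if (value == null || value.isEmpty()) {
            throw new OAuthException(OAuthError.invalid_request, "Mandatory parameter " + name + " is missing", null);
        }
        return value;
    }

    /**
     * Handles the authorization code grant (RFC 6749 section 4.1.3): exchanges a
     * previously issued code for an access token.
     *
     * @param form the parsed token request
     * @return the JSON token response
     * @throws OAuthException {@code invalid_grant} when the code is unknown, expired,
     *         issued to another client, or the redirect_uri does not match
     * @throws JSONException if the response body cannot be built
     */
    private Representation doAuthCodeFlow(Form form) throws OAuthException, JSONException {
        Client client = resolveClient(form);
        ensureGrantTypeAllowed(client, GrantType.authorization_code);

        AuthSession session = this.tokens.restoreSession(getCode(form));
        // Defensive: the session store's behaviour for an unknown code is not visible here;
        // without this check a null would surface as a NullPointerException and a generic 400.
        if (session == null) {
            throw new OAuthException(OAuthError.invalid_grant, "Invalid code.", null);
        }
        // The code must have been issued to the client presenting it.
        if (!client.getClientId().equals(session.getClientId())) {
            throw new OAuthException(OAuthError.invalid_grant, "The code was not issued to the client.", null);
        }
        try {
            session.updateActivity();
            // If redirect_uri was part of the authorization request it must be repeated here, byte for byte.
            if (session.getRedirectionURI().isDynamicConfigured()
                    && !getRedirectURI(form).equals(session.getRedirectionURI().getURI())) {
                throw new OAuthException(OAuthError.invalid_grant, "The redirect_uri is not identical to the one included in the initial authorization request.", null);
            }
            Token token = this.tokens.generateToken(client, session.getScopeOwner(), session.getGrantedScope());
            return responseTokenRepresentation(token, session.getRequestedScope());
        } catch (AuthSessionTimeoutException e) {
            throw new OAuthException(OAuthError.invalid_grant, "Code expired.", null);
        }
    }

    /**
     * Turns any failure of the resource into an OAuth error response
     * (RFC 6749 section 5.2).
     * <p>
     * Every error is answered with 400 Bad Request; the 401 + WWW-Authenticate
     * variant the specification allows for {@code invalid_client} is not produced here.
     *
     * @param th the failure raised while handling the request
     */
    protected void doCatch(Throwable th) {
        // Log through the resource logger instead of stderr; the stack trace stays server-side.
        getLogger().log(Level.WARNING, "Token request failed", th);
        OAuthException oAuthException = OAuthException.toOAuthException(th);
        getResponse().setStatus(Status.CLIENT_ERROR_BAD_REQUEST);
        getResponse().setEntity(responseErrorRepresentation(oAuthException));
        // Error responses carry credentials-related detail and must not be cached.
        addCacheDirective(getResponse(), CacheDirective.noStore());
    }

    /**
     * Handles the client credentials grant (RFC 6749 section 4.4). Only an
     * authenticated confidential client may use it.
     *
     * @param form the parsed token request
     * @return the JSON token response
     * @throws OAuthException {@code invalid_client} when the caller is not an
     *         authenticated confidential client
     * @throws JSONException if the response body cannot be built
     */
    private Representation doClientFlow(Form form) throws OAuthException, JSONException {
        Client client = getAuthenticatedClient();
        if (client == null || client.getClientType() != Client.ClientType.CONFIDENTIAL) {
            throw new OAuthException(OAuthError.invalid_client, "The client credentials grant type MUST only be used by confidential clients.", null);
        }
        ensureGrantTypeAllowed(client, GrantType.client_credentials);
        String[] scope = getScope(form);
        return responseTokenRepresentation(this.tokens.generateToken(client, scope), scope);
    }

    /**
     * Handles the resource owner password credentials grant (RFC 6749 section 4.3).
     * Available only when a {@link ResourceOwnerManager} is registered in the context.
     *
     * @param form the parsed token request
     * @return the JSON token response
     * @throws OAuthException {@code unsupported_grant_type} when no manager is
     *         configured, {@code invalid_grant} when authentication fails
     * @throws JSONException if the response body cannot be built
     */
    private Representation doPasswordFlow(Form form) throws OAuthException, JSONException {
        Object manager = getContext().getAttributes().get(ResourceOwnerManager.class.getName());
        if (manager == null) {
            throw new OAuthException(OAuthError.unsupported_grant_type, "'password' flow is not supported.", null);
        }
        Client client = resolveClient(form);
        ensureGrantTypeAllowed(client, GrantType.password);
        String username = getUsername(form);
        // getPassword() returns a String, so the secret cannot be wiped there;
        // the char[] copy handed to the manager is cleared once it is no longer needed.
        char[] password = getPassword(form).toCharArray();
        try {
            String owner = ((ResourceOwnerManager) manager).authenticate(username, password);
            String[] scope = getScope(form);
            return responseTokenRepresentation(this.tokens.generateToken(client, owner, scope), scope);
        } catch (AuthenticationException e) {
            // Keep the backend's explanation server-side: echoing it could tell a caller
            // whether the username exists. The client only learns that the grant is invalid.
            getLogger().log(Level.FINE, "Resource owner authentication failed", e);
            throw new OAuthException(OAuthError.invalid_grant, "Invalid resource owner credentials.", null);
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    /**
     * Handles the refresh token grant (RFC 6749 section 6).
     *
     * @param form the parsed token request
     * @return the JSON token response
     * @throws OAuthException if the client or refresh token is not acceptable
     * @throws JSONException if the response body cannot be built
     */
    private Representation doRefreshFlow(Form form) throws OAuthException, JSONException {
        Client client = resolveClient(form);
        ensureGrantTypeAllowed(client, GrantType.refresh_token);
        String refreshToken = getRefreshToken(form);
        // scope is optional for this grant; null is passed through to the token store
        // (presumably meaning "keep the original scope" - verify against the store).
        String[] requestedScope = null;
        String scopeParam = form.getFirstValue(OAuthResourceDefs.SCOPE);
        if (scopeParam != null && !scopeParam.isEmpty()) {
            requestedScope = Scopes.parseScope(scopeParam);
        }
        return responseTokenRepresentation(this.tokens.refreshToken(client, refreshToken, requestedScope), requestedScope);
    }

    /**
     * Rejects the request when the client is not registered for the given grant type.
     *
     * @param client    the requesting client
     * @param grantType the grant type being attempted
     * @throws OAuthException {@code unauthorized_client} when the grant type is not allowed
     */
    protected void ensureGrantTypeAllowed(Client client, GrantType grantType) throws OAuthException {
        if (!client.isGrantTypeAllowed(grantType)) {
            throw new OAuthException(OAuthError.unauthorized_client, "Unauthorized grant type.", null);
        }
    }

    /**
     * Looks up the client authenticated by the request's user principal.
     *
     * @return the registered client, or {@code null} when the request carries no
     *         authenticated user
     * @throws OAuthException {@code invalid_client} when the authenticated principal
     *         does not correspond to a registered client
     */
    protected Client getAuthenticatedClient() throws OAuthException {
        User user = getRequest().getClientInfo().getUser();
        if (user == null) {
            getLogger().warning("Authenticated client_id is missing.");
            return null;
        }
        Client client = this.clients.findById(user.getIdentifier());
        if (client == null) {
            // Previously dereferenced unchecked, turning an unknown principal into a NullPointerException.
            throw new OAuthException(OAuthError.invalid_client, "Unknown client.", null);
        }
        getLogger().fine("Requested by authenticated client " + client.getClientId());
        return client;
    }

    /**
     * Resolves an unauthenticated client from the form body and makes sure it is
     * genuinely public: confidential clients, and clients that have a secret, must
     * authenticate instead of merely naming themselves.
     *
     * @param form the parsed token request
     * @return the public client
     * @throws OAuthException {@code invalid_client} when the client should have authenticated
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.restlet.ext.oauth.OAuthServerResource
    public Client getClient(Form form) throws OAuthException {
        Client client = super.getClient(form);
        if (client.getClientType() == Client.ClientType.CONFIDENTIAL) {
            throw new OAuthException(OAuthError.invalid_client, "Unauthenticated confidential client.", null);
        }
        if (client.getClientSecret() != null) {
            throw new OAuthException(OAuthError.invalid_client, "Unauthenticated public client.", null);
        }
        return client;
    }

    /**
     * @return the mandatory {@code code} parameter
     * @throws OAuthException {@code invalid_request} when it is missing or empty
     */
    protected String getCode(Form form) throws OAuthException {
        return getMandatoryParameter(form, OAuthResourceDefs.CODE);
    }

    /**
     * Parses the {@code grant_type} parameter.
     *
     * @param form the parsed token request
     * @return the requested grant type
     * @throws OAuthException {@code invalid_request} when the parameter is absent,
     *         {@code unsupported_grant_type} when its value is not a known grant type
     */
    protected GrantType getGrantType(Form form) throws OAuthException {
        String value = form.getFirstValue(OAuthResourceDefs.GRANT_TYPE);
        // Explicit null check instead of catching the NullPointerException from valueOf().
        if (value == null) {
            throw new OAuthException(OAuthError.invalid_request, "No grant_type parameter found.", null);
        }
        getLogger().info("Type: " + value);
        try {
            GrantType grantType = GrantType.valueOf(value);
            getLogger().fine("Found flow - " + grantType);
            return grantType;
        } catch (IllegalArgumentException e) {
            throw new OAuthException(OAuthError.unsupported_grant_type, "Unsupported flow", null);
        }
    }

    /**
     * @return the mandatory {@code password} parameter. The secret is returned as an
     *         immutable String because the signature is part of the protected API;
     *         callers should avoid logging or retaining it.
     * @throws OAuthException {@code invalid_request} when it is missing or empty
     */
    protected String getPassword(Form form) throws OAuthException {
        return getMandatoryParameter(form, OAuthResourceDefs.PASSWORD);
    }

    /**
     * @return the mandatory {@code redirect_uri} parameter
     * @throws OAuthException {@code invalid_request} when it is missing or empty
     */
    protected String getRedirectURI(Form form) throws OAuthException {
        return getMandatoryParameter(form, OAuthResourceDefs.REDIR_URI);
    }

    /**
     * @return the mandatory {@code refresh_token} parameter
     * @throws OAuthException {@code invalid_request} when it is missing or empty
     */
    protected String getRefreshToken(Form form) throws OAuthException {
        return getMandatoryParameter(form, OAuthResourceDefs.REFRESH_TOKEN);
    }

    /**
     * @return the mandatory {@code username} parameter
     * @throws OAuthException {@code invalid_request} when it is missing or empty
     */
    protected String getUsername(Form form) throws OAuthException {
        return getMandatoryParameter(form, OAuthResourceDefs.USERNAME);
    }

    /**
     * Token endpoint entry point: dispatches a form-encoded token request to the
     * handler for its {@code grant_type}.
     *
     * @param representation the form-encoded request body
     * @return the JSON token response
     * @throws OAuthException when the request is invalid or not permitted
     * @throws JSONException if the response body cannot be built
     */
    @Post("form:json")
    public Representation requestToken(Representation representation) throws OAuthException, JSONException {
        getLogger().fine("Grant request");
        Form form = new Form(representation);
        GrantType grantType = getGrantType(form);
        switch (grantType) {
            case authorization_code:
                getLogger().info("Authorization Code Grant");
                return doAuthCodeFlow(form);
            case password:
                getLogger().info("Resource Owner Password Credentials Grant");
                return doPasswordFlow(form);
            case client_credentials:
                getLogger().info("Client Credentials Grant");
                return doClientFlow(form);
            case refresh_token:
                getLogger().info("Refreshing an Access Token");
                return doRefreshFlow(form);
            default:
                getLogger().warning("Unsupported flow: " + grantType);
                throw new OAuthException(OAuthError.unsupported_grant_type, "Flow not supported", null);
        }
    }

    /**
     * Builds the successful token response (RFC 6749 section 5.1).
     *
     * @param token          the issued token
     * @param requestedScope the scope the client asked for; the granted scope is
     *                       echoed in the response only when it differs
     * @return a JSON representation of the token
     * @throws JSONException if the JSON object cannot be built
     */
    protected Representation responseTokenRepresentation(Token token, String[] requestedScope) throws JSONException {
        JSONObject body = new JSONObject();
        body.put(OAuthResourceDefs.TOKEN_TYPE, token.getTokenType());
        body.put(OAuthResourceDefs.ACCESS_TOKEN, token.getAccessToken());
        body.put(OAuthResourceDefs.EXPIRES_IN, token.getExpirePeriod());
        String refreshToken = token.getRefreshToken();
        if (refreshToken != null && !refreshToken.isEmpty()) {
            body.put(OAuthResourceDefs.REFRESH_TOKEN, refreshToken);
        }
        String[] grantedScope = token.getScope();
        if (!Scopes.isIdentical(grantedScope, requestedScope)) {
            body.put(OAuthResourceDefs.SCOPE, Scopes.toString(grantedScope));
        }
        // Token responses must never be cached by intermediaries.
        addCacheDirective(getResponse(), CacheDirective.noStore());
        return new JsonRepresentation(body);
    }
}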
