package org.nuxeo.ecm.restapi.server.jaxrs;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.api.client.auth.oauth2.Credential;
import java.io.IOException;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.nuxeo.ecm.core.api.DocumentModel;
import org.nuxeo.ecm.core.api.NuxeoException;
import org.nuxeo.ecm.core.api.NuxeoPrincipal;
import org.nuxeo.ecm.directory.Session;
import org.nuxeo.ecm.directory.api.DirectoryService;
import org.nuxeo.ecm.platform.oauth2.clients.OAuth2Client;
import org.nuxeo.ecm.platform.oauth2.clients.OAuth2ClientService;
import org.nuxeo.ecm.platform.oauth2.providers.AbstractOAuth2UserEmailProvider;
import org.nuxeo.ecm.platform.oauth2.providers.NuxeoOAuth2ServiceProvider;
import org.nuxeo.ecm.platform.oauth2.providers.OAuth2ServiceProviderRegistry;
import org.nuxeo.ecm.platform.oauth2.tokens.NuxeoOAuth2Token;
import org.nuxeo.ecm.platform.oauth2.tokens.OAuth2TokenStore;
import org.nuxeo.ecm.webengine.model.WebObject;
import org.nuxeo.ecm.webengine.model.exceptions.WebResourceNotFoundException;
import org.nuxeo.ecm.webengine.model.exceptions.WebSecurityException;
import org.nuxeo.ecm.webengine.model.impl.AbstractResource;
import org.nuxeo.ecm.webengine.model.impl.ResourceTypeImpl;
import org.nuxeo.runtime.api.Framework;

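/**
 * REST resource (WebEngine type {@code oauth2}) for OAuth2 service providers, OAuth2 clients and stored tokens.
 * <p>
 * Authorization is enforced per endpoint by explicit calls to {@link #checkPermission(String)} or
 * {@link #checkNotAnonymousUser()}. Storage access runs inside {@code Framework.doPrivileged}, so these explicit
 * checks are the only gate this class puts in front of the token directory: an endpoint that omits them is
 * reachable by whoever can reach the resource.
 */
@WebObject(type = "oauth2")
public class OAuth2Object extends AbstractResource<ResourceTypeImpl> {
    public static final String APPLICATION_JSON_NXENTITY = "application/json+nxentity";

    /** Name of the directory, opened through {@link DirectoryService}, that holds the token entries. */
    public static final String TOKEN_DIR = "oauth2Tokens";

    /**
     * Lists the registered Nuxeo-managed service providers.
     *
     * @param request the current HTTP request (unused)
     * @return every registered provider that is a {@link NuxeoOAuth2ServiceProvider}
     */
    // NOTE(review): no permission check is made here, and providers carry a client secret (see addProvider).
    // Whether the secret reaches non-administrators depends on the provider's JSON serialization, which is not
    // visible in this class: confirm the writer omits it.
    @GET
    @Path("provider")
    public List<NuxeoOAuth2ServiceProvider> getProviders(@Context HttpServletRequest request) {
        return getProviders();
    }

    /**
     * Returns a single service provider.
     *
     * @param providerId the provider identifier from the path
     * @param request the current HTTP request (unused)
     * @return a 200 response wrapping the provider
     * @throws WebResourceNotFoundException if no Nuxeo-managed provider has this id
     */
    // NOTE(review): same missing permission check as the provider listing; confirm serialization hides the secret.
    @GET
    @Path("provider/{providerId}")
    public Response getProvider(@PathParam("providerId") String providerId, @Context HttpServletRequest request) {
        return Response.ok(getProvider(providerId)).build();
    }

    /**
     * Registers a new service provider. Administrators only.
     *
     * @param request the current HTTP request (unused)
     * @param provider the provider description read from the request body
     * @return a 200 response wrapping the provider as stored
     * @throws WebSecurityException if the caller is not an administrator
     */
    @POST
    @Path("provider")
    @Consumes({APPLICATION_JSON_NXENTITY, "application/json"})
    public Response addProvider(@Context HttpServletRequest request, NuxeoOAuth2ServiceProvider provider) {
        checkPermission(null);
        Framework.doPrivileged(() -> {
            Framework.getService(OAuth2ServiceProviderRegistry.class)
                     .addProvider(provider.getServiceName(), provider.getDescription(),
                             provider.getTokenServerURL(), provider.getAuthorizationServerURL(),
                             provider.getUserAuthorizationURL(), provider.getClientId(),
                             provider.getClientSecret(), provider.getScopes(), provider.isEnabled());
        });
        return Response.ok(getProvider(provider.getServiceName())).build();
    }

    /**
     * Updates an existing service provider. Administrators only.
     *
     * @param providerId the identifier of the provider to update
     * @param request the current HTTP request (unused)
     * @param provider the new provider description read from the request body
     * @return a 200 response wrapping the provider looked up under the service name given in the body
     * @throws WebSecurityException if the caller is not an administrator
     * @throws WebResourceNotFoundException if the provider does not exist
     */
    @PUT
    @Path("provider/{providerId}")
    @Consumes({APPLICATION_JSON_NXENTITY, "application/json"})
    public Response updateProvider(@PathParam("providerId") String providerId, @Context HttpServletRequest request,
            NuxeoOAuth2ServiceProvider provider) {
        checkPermission(null);
        // Called only for its 404 side effect when the provider is unknown.
        getProvider(providerId);
        Framework.doPrivileged(() -> {
            Framework.getService(OAuth2ServiceProviderRegistry.class).updateProvider(providerId, provider);
        });
        return Response.ok(getProvider(provider.getServiceName())).build();
    }

    /**
     * Deletes a service provider. Administrators only.
     *
     * @param providerId the identifier of the provider to delete
     * @param request the current HTTP request (unused)
     * @return an empty 204 response
     * @throws WebSecurityException if the caller is not an administrator
     * @throws WebResourceNotFoundException if the provider does not exist
     */
    @DELETE
    @Path("provider/{providerId}")
    public Response deleteProvider(@PathParam("providerId") String providerId, @Context HttpServletRequest request) {
        checkPermission(null);
        // Called only for its 404 side effect when the provider is unknown.
        getProvider(providerId);
        Framework.doPrivileged(() -> {
            Framework.getService(OAuth2ServiceProviderRegistry.class).deleteProvider(providerId);
        });
        return Response.noContent().build();
    }

    /**
     * Returns the calling user's access token for a provider, refreshing it first when it is reported as expired.
     *
     * @param providerId the provider identifier from the path
     * @param request the current HTTP request; its user principal selects the token
     * @return a 200 response with a JSON object {@code {"token": ...}}, or 404 when no credential could be loaded
     * @throws IOException if the refresh or the JSON serialization fails
     * @throws WebResourceNotFoundException if the provider is unknown or the user has no token for it
     */
    @GET
    @Path("provider/{providerId}/token")
    public Response getToken(@PathParam("providerId") String providerId, @Context HttpServletRequest request)
            throws IOException {
        NuxeoOAuth2ServiceProvider provider = getProvider(providerId);
        // The token is always looked up for the authenticated caller, never for a user named in the request.
        NuxeoOAuth2Token token = getToken(provider, request.getUserPrincipal().getName());
        Credential credential = token == null ? null : getCredential(provider, token);
        if (credential == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        Long expiresInSeconds = credential.getExpiresInSeconds();
        if (expiresInSeconds != null && expiresInSeconds <= 0) {
            // NOTE(review): refreshToken() reports success through its boolean result, which is ignored here,
            // so a refresh that fails without throwing still returns the expired access token.
            credential.refreshToken();
        }
        return buildResponse(Response.Status.OK, Collections.singletonMap("token", credential.getAccessToken()));
    }

    /**
     * Lists every stored token. Administrators only.
     *
     * @param request the current HTTP request (unused)
     * @return all entries of the token directory
     * @throws WebSecurityException if the caller is not an administrator
     */
    @GET
    @Path("token")
    public List<NuxeoOAuth2Token> getTokens(@Context HttpServletRequest request) {
        checkPermission(null);
        // The cast selects the String overload; a bare null would be ambiguous with this endpoint's own signature.
        return getTokens((String) null);
    }

    /**
     * Returns the token a user holds for a provider. Allowed for administrators and for the user themselves.
     *
     * @param providerId the provider identifier from the path
     * @param nxuser the Nuxeo login owning the token
     * @param request the current HTTP request (unused)
     * @return a 200 response wrapping the token
     * @throws WebSecurityException if the caller is neither an administrator nor {@code nxuser}
     * @throws WebResourceNotFoundException if the provider or the token does not exist
     */
    @GET
    @Path("token/provider/{providerId}/user/{nxuser}")
    public Response getProviderToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser,
            @Context HttpServletRequest request) {
        checkPermission(nxuser);
        return Response.ok(getToken(getProvider(providerId), nxuser)).build();
    }

    /**
     * Legacy path for {@link #getProviderToken(String, String, HttpServletRequest)}.
     *
     * @deprecated use {@code token/provider/{providerId}/user/{nxuser}} instead
     */
    @GET
    @Path("token/{providerId}/{nxuser}")
    @Deprecated
    public Response getToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser,
            @Context HttpServletRequest request) {
        return getProviderToken(providerId, nxuser, request);
    }

    /**
     * Updates the token a user holds for a provider. Allowed for administrators and for the user themselves.
     *
     * @param providerId the provider identifier from the path
     * @param nxuser the Nuxeo login owning the token
     * @param request the current HTTP request (unused)
     * @param token the new token values read from the request body
     * @return a 200 response wrapping the token as re-read after the update
     * @throws WebSecurityException if the caller is neither an administrator nor {@code nxuser}
     * @throws WebResourceNotFoundException if the provider or the token does not exist
     */
    @PUT
    @Path("token/provider/{providerId}/user/{nxuser}")
    @Consumes({APPLICATION_JSON_NXENTITY, "application/json"})
    public Response updateProviderToken(@PathParam("providerId") String providerId,
            @PathParam("nxuser") String nxuser, @Context HttpServletRequest request, NuxeoOAuth2Token token) {
        checkPermission(nxuser);
        return Response.ok(updateToken(getProvider(providerId), nxuser, token)).build();
    }

    /**
     * Legacy path for {@link #updateProviderToken(String, String, HttpServletRequest, NuxeoOAuth2Token)}.
     *
     * @deprecated use {@code token/provider/{providerId}/user/{nxuser}} instead
     */
    @PUT
    @Path("token/{providerId}/{nxuser}")
    @Consumes({APPLICATION_JSON_NXENTITY, "application/json"})
    @Deprecated
    public Response updateToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser,
            @Context HttpServletRequest request, NuxeoOAuth2Token token) {
        return updateProviderToken(providerId, nxuser, request, token);
    }

    /**
     * Deletes the token a user holds for a provider. Allowed for administrators and for the user themselves.
     *
     * @param providerId the provider identifier from the path
     * @param nxuser the Nuxeo login owning the token
     * @param request the current HTTP request (unused)
     * @return an empty 204 response
     * @throws WebSecurityException if the caller is neither an administrator nor {@code nxuser}
     * @throws WebResourceNotFoundException if the provider or the token does not exist
     */
    @DELETE
    @Path("token/provider/{providerId}/user/{nxuser}")
    public Response deleteProviderToken(@PathParam("providerId") String providerId,
            @PathParam("nxuser") String nxuser, @Context HttpServletRequest request) {
        checkPermission(nxuser);
        deleteToken(getTokenDoc(getProvider(providerId), nxuser));
        return Response.noContent().build();
    }

    /**
     * Legacy path for {@link #deleteProviderToken(String, String, HttpServletRequest)}.
     *
     * @deprecated use {@code token/provider/{providerId}/user/{nxuser}} instead
     */
    @DELETE
    @Path("token/{providerId}/{nxuser}")
    @Deprecated
    public Response deleteToken(@PathParam("providerId") String providerId, @PathParam("nxuser") String nxuser,
            @Context HttpServletRequest request) {
        return deleteProviderToken(providerId, nxuser, request);
    }

    /**
     * Lists the calling user's tokens that have no client id, i.e. tokens issued by external providers.
     *
     * @param request the current HTTP request; its user principal selects the tokens
     * @return the caller's tokens whose client id is {@code null}
     * @throws WebSecurityException if the caller is the anonymous user
     */
    @GET
    @Path("token/provider")
    public List<NuxeoOAuth2Token> getProviderUserTokens(@Context HttpServletRequest request) {
        checkNotAnonymousUser();
        return getTokens(request.getUserPrincipal().getName()).stream()
                                                              .filter(token -> token.getClientId() == null)
                                                              .collect(Collectors.toList());
    }

    /**
     * Lists the calling user's tokens that carry a client id, i.e. tokens granted to OAuth2 clients.
     *
     * @param request the current HTTP request; its user principal selects the tokens
     * @return the caller's tokens whose client id is not {@code null}
     * @throws WebSecurityException if the caller is the anonymous user
     */
    @GET
    @Path("token/client")
    public List<NuxeoOAuth2Token> getClientUserTokens(@Context HttpServletRequest request) {
        checkNotAnonymousUser();
        return getTokens(request.getUserPrincipal().getName()).stream()
                                                              .filter(token -> token.getClientId() != null)
                                                              .collect(Collectors.toList());
    }

    /**
     * Returns the token a user granted to a client. Allowed for administrators and for the user themselves.
     *
     * @param clientId the client identifier from the path
     * @param nxuser the Nuxeo login owning the token
     * @param request the current HTTP request (unused)
     * @return a 200 response wrapping the token
     * @throws WebSecurityException if the caller is neither an administrator nor {@code nxuser}
     * @throws WebResourceNotFoundException if the client or the token does not exist
     */
    @GET
    @Path("token/client/{clientId}/user/{nxuser}")
    public Response getClientToken(@PathParam("clientId") String clientId, @PathParam("nxuser") String nxuser,
            @Context HttpServletRequest request) {
        checkPermission(nxuser);
        return Response.ok(getToken(getClient(clientId), nxuser)).build();
    }

    /**
     * Updates the token a user granted to a client. Allowed for administrators and for the user themselves.
     *
     * @param clientId the client identifier from the path
     * @param nxuser the Nuxeo login owning the token
     * @param request the current HTTP request (unused)
     * @param token the new token values read from the request body
     * @return a 200 response wrapping the token as re-read after the update
     * @throws WebSecurityException if the caller is neither an administrator nor {@code nxuser}
     * @throws WebResourceNotFoundException if the client or the token does not exist
     */
    @PUT
    @Path("token/client/{clientId}/user/{nxuser}")
    @Consumes({APPLICATION_JSON_NXENTITY, "application/json"})
    public Response updateClientToken(@PathParam("clientId") String clientId, @PathParam("nxuser") String nxuser,
            @Context HttpServletRequest request, NuxeoOAuth2Token token) {
        checkPermission(nxuser);
        // Resolve through getClient(String) so an unknown client id is answered with 404, as in getClientToken,
        // instead of a null client being dereferenced further down.
        return Response.ok(updateToken(getClient(clientId), nxuser, token)).build();
    }

    /**
     * Deletes the token a user granted to a client. Allowed for administrators and for the user themselves.
     *
     * @param clientId the client identifier from the path
     * @param nxuser the Nuxeo login owning the token
     * @param request the current HTTP request (unused)
     * @return an empty 204 response
     * @throws WebSecurityException if the caller is neither an administrator nor {@code nxuser}
     * @throws WebResourceNotFoundException if the client or the token does not exist
     */
    @DELETE
    @Path("token/client/{clientId}/user/{nxuser}")
    public Response deleteClientToken(@PathParam("clientId") String clientId, @PathParam("nxuser") String nxuser,
            @Context HttpServletRequest request) {
        checkPermission(nxuser);
        // Same 404-on-unknown-client resolution as getClientToken and updateClientToken.
        deleteToken(getTokenDoc(getClient(clientId), nxuser));
        return Response.noContent().build();
    }

    /**
     * Lists the registered OAuth2 clients.
     *
     * @param request the current HTTP request (unused)
     * @return the clients known to {@link OAuth2ClientService}
     */
    // NOTE(review): no permission check is made here; confirm what the OAuth2Client serialization exposes and
    // whether the listing is meant to be readable by every caller.
    @GET
    @Path("client")
    public List<OAuth2Client> getClients(@Context HttpServletRequest request) {
        return Framework.getService(OAuth2ClientService.class).getClients();
    }

    /**
     * Returns a single OAuth2 client.
     *
     * @param clientId the client identifier from the path
     * @param request the current HTTP request (unused)
     * @return a 200 response wrapping the client
     * @throws WebResourceNotFoundException if the client does not exist
     */
    // NOTE(review): same missing permission check as the client listing.
    @GET
    @Path("client/{clientId}")
    public Response getClient(@PathParam("clientId") String clientId, @Context HttpServletRequest request) {
        return Response.ok(getClient(clientId)).build();
    }

    /**
     * Returns the registered providers that are {@link NuxeoOAuth2ServiceProvider} instances; any other kind of
     * provider in the registry is skipped.
     */
    protected List<NuxeoOAuth2ServiceProvider> getProviders() {
        return Framework.getService(OAuth2ServiceProviderRegistry.class)
                        .getProviders()
                        .stream()
                        .filter(NuxeoOAuth2ServiceProvider.class::isInstance)
                        .map(NuxeoOAuth2ServiceProvider.class::cast)
                        .collect(Collectors.toList());
    }

    /**
     * Looks a provider up in the registry.
     *
     * @param providerId the provider identifier
     * @return the provider, never {@code null}
     * @throws WebResourceNotFoundException if the id is unknown or maps to a provider of another kind
     */
    protected NuxeoOAuth2ServiceProvider getProvider(String providerId) {
        // Held as Object: the instanceof test below is the only thing deciding whether the result is usable,
        // and it is false for null, so it covers the unknown-id case as well.
        Object provider = Framework.getService(OAuth2ServiceProviderRegistry.class).getProvider(providerId);
        if (!(provider instanceof NuxeoOAuth2ServiceProvider)) {
            throw new WebResourceNotFoundException("Invalid provider: " + providerId);
        }
        return (NuxeoOAuth2ServiceProvider) provider;
    }

    /** Returns every entry of the token directory. Performs no permission check of its own. */
    protected List<NuxeoOAuth2Token> getTokens() {
        return getTokens((String) null);
    }

    /**
     * Reads tokens from the token directory with elevated privileges. Performs no permission check of its own.
     *
     * @param nxuser the Nuxeo login to filter on, or {@code null} to return every token
     * @return the matching tokens
     */
    protected List<NuxeoOAuth2Token> getTokens(String nxuser) {
        return Framework.doPrivileged(() -> {
            try (Session session = Framework.getService(DirectoryService.class).open(TOKEN_DIR)) {
                Map<String, Serializable> filter = new HashMap<>();
                if (nxuser != null) {
                    filter.put("nuxeoLogin", nxuser);
                }
                return session.query(filter, Collections.emptySet(), Collections.emptyMap(), true, 0, 0)
                              .stream()
                              .map(NuxeoOAuth2Token::new)
                              .collect(Collectors.toList());
            }
        });
    }

    /**
     * Looks an OAuth2 client up.
     *
     * @param clientId the client identifier
     * @return the client, never {@code null}
     * @throws WebResourceNotFoundException if the client does not exist
     */
    protected OAuth2Client getClient(String clientId) {
        OAuth2Client client = Framework.getService(OAuth2ClientService.class).getClient(clientId);
        if (client == null) {
            throw new WebResourceNotFoundException("Invalid client: " + clientId);
        }
        return client;
    }

    /**
     * Finds the single stored entry for a provider and user, querying the provider's credential store with
     * elevated privileges.
     *
     * @param provider the provider the token belongs to
     * @param nxuser the Nuxeo login owning the token
     * @return the matching entry
     * @throws NuxeoException if more than one entry matches
     * @throws WebResourceNotFoundException if no entry matches
     */
    protected DocumentModel getTokenDoc(NuxeoOAuth2ServiceProvider provider, String nxuser) {
        Map<String, Serializable> filter = new HashMap<>();
        filter.put("serviceName", provider.getServiceName());
        filter.put("nuxeoLogin", nxuser);
        List<DocumentModel> matches = Framework.doPrivileged(() -> {
            return provider.getCredentialDataStore()
                           .query(filter)
                           .stream()
                           .filter(Objects::nonNull)
                           .collect(Collectors.toList());
        });
        if (matches.size() > 1) {
            throw new NuxeoException("Found multiple " + provider.getId() + " accounts for " + nxuser);
        }
        if (matches.isEmpty()) {
            throw new WebResourceNotFoundException("No token found for provider: " + provider.getServiceName());
        }
        return matches.get(0);
    }

    /**
     * Finds the single stored entry for a client and user in the server token store.
     *
     * @param client the client the token was granted to
     * @param nxuser the Nuxeo login owning the token
     * @return the matching entry
     * @throws NuxeoException if more than one entry matches
     * @throws WebResourceNotFoundException if no entry matches
     */
    protected DocumentModel getTokenDoc(OAuth2Client client, String nxuser) {
        Map<String, Serializable> filter = new HashMap<>();
        filter.put("clientId", client.getId());
        filter.put("nuxeoLogin", nxuser);
        List<DocumentModel> matches = new OAuth2TokenStore("org.nuxeo.server.token.store").query(filter)
                                                                                          .stream()
                                                                                          .filter(Objects::nonNull)
                                                                                          .collect(Collectors.toList());
        if (matches.size() > 1) {
            throw new NuxeoException("Found multiple " + client.getId() + " accounts for " + nxuser);
        }
        if (matches.isEmpty()) {
            throw new WebResourceNotFoundException("No token found for client: " + client.getId());
        }
        return matches.get(0);
    }

    /** Returns the token a user holds for a provider; see {@link #getTokenDoc(NuxeoOAuth2ServiceProvider, String)}. */
    protected NuxeoOAuth2Token getToken(NuxeoOAuth2ServiceProvider provider, String nxuser) {
        return new NuxeoOAuth2Token(getTokenDoc(provider, nxuser));
    }

    /** Returns the token a user granted to a client; see {@link #getTokenDoc(OAuth2Client, String)}. */
    protected NuxeoOAuth2Token getToken(OAuth2Client client, String nxuser) {
        return new NuxeoOAuth2Token(getTokenDoc(client, nxuser));
    }

    /**
     * Overwrites the stored provider token of a user and returns it as re-read from storage.
     * <p>
     * The re-read uses the original {@code nxuser}, so it fails with a 404 when the update changed the entry's
     * login or service name.
     */
    protected NuxeoOAuth2Token updateToken(NuxeoOAuth2ServiceProvider provider, String nxuser,
            NuxeoOAuth2Token token) {
        updateTokenDoc(token, getTokenDoc(provider, nxuser));
        return getToken(provider, nxuser);
    }

    /**
     * Overwrites the stored client token of a user and returns it as re-read from storage.
     * <p>
     * The re-read uses the original {@code nxuser}, so it fails with a 404 when the update changed the entry's
     * login or client id.
     */
    protected NuxeoOAuth2Token updateToken(OAuth2Client client, String nxuser, NuxeoOAuth2Token token) {
        updateTokenDoc(token, getTokenDoc(client, nxuser));
        return getToken(client, nxuser);
    }

    /**
     * Copies the editable fields of {@code token} onto {@code entry} and persists the entry in the token
     * directory with elevated privileges.
     *
     * @param token the values to store, as received from the caller
     * @param entry the existing directory entry to overwrite
     */
    protected void updateTokenDoc(NuxeoOAuth2Token token, DocumentModel entry) {
        // NOTE(review): serviceName, nuxeoLogin and clientId come from the request body, while the permission
        // check upstream is made against the path user only. A non-administrator can therefore rewrite which
        // login, provider or client their own entry is bound to. Consider rejecting a body whose identity
        // fields differ from the entry being updated unless the caller is an administrator.
        entry.setProperty("oauth2Token", "serviceName", token.getServiceName());
        entry.setProperty("oauth2Token", "nuxeoLogin", token.getNuxeoLogin());
        entry.setProperty("oauth2Token", "clientId", token.getClientId());
        entry.setProperty("oauth2Token", "isShared", token.isShared());
        entry.setProperty("oauth2Token", "sharedWith", token.getSharedWith());
        entry.setProperty("oauth2Token", "serviceLogin", token.getServiceLogin());
        entry.setProperty("oauth2Token", "creationDate", token.getCreationDate());
        Framework.doPrivileged(() -> {
            try (Session session = Framework.getService(DirectoryService.class).open(TOKEN_DIR)) {
                session.updateEntry(entry);
            }
        });
    }

    /**
     * Removes an entry from the token directory with elevated privileges. Performs no permission check of its own.
     *
     * @param entry the directory entry to delete
     */
    protected void deleteToken(DocumentModel entry) {
        Framework.doPrivileged(() -> {
            try (Session session = Framework.getService(DirectoryService.class).open(TOKEN_DIR)) {
                session.deleteEntry(entry);
            }
        });
    }

    /**
     * Loads the credential backing a token. Providers extending {@link AbstractOAuth2UserEmailProvider} are
     * queried by the token's service login, all others by its Nuxeo login.
     *
     * @return the value returned by the provider's {@code loadCredential}; callers treat {@code null} as "none"
     */
    protected Credential getCredential(NuxeoOAuth2ServiceProvider provider, NuxeoOAuth2Token token) {
        String credentialKey = provider instanceof AbstractOAuth2UserEmailProvider ? token.getServiceLogin()
                : token.getNuxeoLogin();
        return provider.loadCredential(credentialKey);
    }

    /**
     * Serializes {@code entity} to JSON and wraps it in a response with an explicit UTF-8 content type and a
     * content length measured in UTF-8 bytes.
     *
     * @param status the HTTP status of the response
     * @param entity the object to serialize
     * @return the built response
     * @throws IOException if the JSON serialization fails
     */
    protected Response buildResponse(Response.StatusType status, Object entity) throws IOException {
        String json = new ObjectMapper().writeValueAsString(entity);
        return Response.status(status)
                       .header("Content-Length", json.getBytes(StandardCharsets.UTF_8).length)
                       .type("application/json; charset=UTF-8")
                       .entity(json)
                       .build();
    }

    /**
     * Rejects the request unless {@link #hasPermission(String)} holds.
     *
     * @param nxuser the login the operation targets, or {@code null} for an administrator-only operation
     * @throws WebSecurityException if the caller is not allowed
     */
    protected void checkPermission(String nxuser) {
        if (!hasPermission(nxuser)) {
            throw new WebSecurityException("You do not have permissions to perform this operation.");
        }
    }

    /**
     * Tells whether the session principal may act on data belonging to {@code nxuser}.
     *
     * @param nxuser the login the operation targets, or {@code null} when only administrators are allowed
     * @return {@code true} for administrators, and for a non-null {@code nxuser} equal to the principal's name
     */
    protected boolean hasPermission(String nxuser) {
        NuxeoPrincipal principal = getContext().getCoreSession().getPrincipal();
        if (principal.isAdministrator()) {
            return true;
        }
        return nxuser != null && nxuser.equals(principal.getName());
    }

    /**
     * Rejects the request when the session principal is the anonymous user.
     *
     * @throws WebSecurityException if the caller is anonymous
     */
    protected void checkNotAnonymousUser() {
        if (getContext().getCoreSession().getPrincipal().isAnonymous()) {
            throw new WebSecurityException("You do not have permissions to perform this operation.");
        }
    }
}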
