package net.krotscheck.kangaroo.authz.admin.v1.resource;

import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiParam;
import io.swagger.annotations.Authorization;
import io.swagger.annotations.AuthorizationScope;
import java.math.BigInteger;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import net.krotscheck.kangaroo.authz.admin.Scope;
import net.krotscheck.kangaroo.authz.admin.v1.auth.ScopesAllowed;
import net.krotscheck.kangaroo.authz.admin.v1.exception.EntityRequiredException;
import net.krotscheck.kangaroo.authz.admin.v1.exception.InvalidEntityPropertyException;
import net.krotscheck.kangaroo.authz.common.database.entity.Application;
import net.krotscheck.kangaroo.authz.common.database.entity.Client;
import net.krotscheck.kangaroo.authz.common.database.entity.ClientType;
import net.krotscheck.kangaroo.authz.common.database.entity.OAuthToken;
import net.krotscheck.kangaroo.authz.common.database.entity.OAuthTokenType;
import net.krotscheck.kangaroo.authz.common.database.entity.User;
import net.krotscheck.kangaroo.authz.common.database.entity.UserIdentity;
import net.krotscheck.kangaroo.authz.common.database.util.SortUtil;
import net.krotscheck.kangaroo.authz.common.util.ValidationUtil;
import net.krotscheck.kangaroo.common.hibernate.id.IdUtil;
import net.krotscheck.kangaroo.common.hibernate.transaction.Transactional;
import net.krotscheck.kangaroo.common.response.ListResponseBuilder;
import net.krotscheck.kangaroo.common.response.SortOrder;
import org.apache.commons.lang.ObjectUtils;
import org.apache.http.protocol.HTTP;
import org.apache.lucene.analysis.wikipedia.WikipediaTokenizer;
import org.hibernate.Criteria;
import org.hibernate.Session;
import org.hibernate.criterion.Projections;
import org.hibernate.criterion.Restrictions;
import org.hibernate.search.query.dsl.MustJunction;
import org.hibernate.search.query.dsl.QueryBuilder;
import org.jvnet.hk2.annotations.Optional;

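/**
 * Admin REST resource for browsing, searching, creating, updating and deleting
 * {@link OAuthToken} entities under {@code /token}.
 *
 * <p>Access control: reads, updates and deletes go through
 * {@code assertCanAccess(token, getAdminScope())} inherited from
 * {@code AbstractService} (not visible in this file); creation performs an
 * inline ownership check for callers that do not hold the admin scope. Both
 * list endpoints accept optional filter ids that are resolved through
 * {@code resolveOwnershipFilter} / {@code resolveFilterEntity}, also inherited.
 *
 * <p>Every request method runs inside a transaction courtesy of
 * {@code @Transactional}.
 */
@Transactional
@Api(tags = {"Token"}, authorizations = {@Authorization(value = "Kangaroo", scopes = {@AuthorizationScope(scope = Scope.TOKEN, description = "Modify tokens in one application."), @AuthorizationScope(scope = Scope.TOKEN_ADMIN, description = "Modify tokens in all applications.")})})
@Path("/token")
@ScopesAllowed({Scope.TOKEN_ADMIN, Scope.TOKEN})
public final class OAuthTokenService extends AbstractService {

    /**
     * Criteria alias for the token's {@code client} association. The compiled
     * class referenced an unrelated library constant that happens to hold this
     * string; a literal removes that accidental dependency.
     */
    private static final String CLIENT_ALIAS = "c";

    /**
     * Name of the {@code identity} association on {@link OAuthToken}; also the
     * property name reported in {@link InvalidEntityPropertyException}. Same
     * accidental-constant story as {@link #CLIENT_ALIAS}.
     */
    private static final String IDENTITY_PROPERTY = "identity";

    /**
     * Full-text search over tokens, matched fuzzily against the owning
     * identity's remote id and claims, then narrowed by the optional filters.
     *
     * @param offset     First result index (default 0).
     * @param limit      Maximum number of results (default 10).
     * @param q          Free-text query; an empty string matches broadly.
     * @param ownerId    Optional application-owner id, resolved via
     *                   {@code resolveOwnershipFilter}.
     * @param userId     Optional user id restricting {@code identity.user}.
     * @param identityId Optional identity id restricting {@code identity}.
     * @param clientId   Optional client id restricting {@code client}.
     * @param type       Optional token type restricting {@code tokenType}.
     * @return A paged list response built by {@code executeQuery}.
     */
    @GET
    @Path("/search")
    @ApiOperation("Search tokens")
    @Produces({MediaType.APPLICATION_JSON})
    public Response search(@QueryParam("offset") @DefaultValue("0") Integer offset,
                           @QueryParam("limit") @DefaultValue("10") Integer limit,
                           @QueryParam("q") @DefaultValue("") String q,
                           @Optional @QueryParam("owner") @ApiParam(type = "string") BigInteger ownerId,
                           @Optional @QueryParam("user") @ApiParam(type = "string") BigInteger userId,
                           @Optional @QueryParam("identity") @ApiParam(type = "string") BigInteger identityId,
                           @Optional @QueryParam("client") @ApiParam(type = "string") BigInteger clientId,
                           @Optional @QueryParam("type") OAuthTokenType type) {
        QueryBuilder builder = getSearchFactory().buildQueryBuilder()
                .forEntity(OAuthToken.class)
                .get();

        // Root junction: the fuzzy text match. Every filter below is AND-ed on.
        MustJunction junction = builder.bool().must(builder.keyword().fuzzy()
                .onFields("identity.remoteId", "identity.claims")
                .matching(q)
                .createQuery());

        // Ownership filter: constrains results to applications owned by the
        // resolved user. How a null owner id is resolved (e.g. to the caller)
        // is decided by the inherited helper — not visible here.
        User owner = resolveOwnershipFilter(ownerId);
        if (owner != null) {
            mustMatch(junction, builder, "client.application.owner.id", owner.getId());
        }

        User user = (User) resolveFilterEntity(User.class, userId);
        if (user != null) {
            mustMatch(junction, builder, "identity.user.id", user.getId());
        }

        UserIdentity identity = (UserIdentity) resolveFilterEntity(UserIdentity.class, identityId);
        if (identity != null) {
            mustMatch(junction, builder, "identity.id", identity.getId());
        }

        Client client = (Client) resolveFilterEntity(Client.class, clientId);
        if (client != null) {
            mustMatch(junction, builder, "client.id", client.getId());
        }

        if (type != null) {
            mustMatch(junction, builder, "tokenType", type);
        }

        return executeQuery(OAuthToken.class,
                getFullTextSession().createFullTextQuery(junction.createQuery(), OAuthToken.class),
                offset.intValue(), limit.intValue());
    }

    /**
     * Appends an exact keyword match on {@code field} to the junction.
     *
     * @param junction The root boolean junction being built.
     * @param builder  Query builder for {@link OAuthToken}.
     * @param field    Indexed field path.
     * @param value    Value the field must equal.
     */
    private static void mustMatch(final MustJunction junction,
                                  final QueryBuilder builder,
                                  final String field,
                                  final Object value) {
        junction.must(builder.keyword().onField(field).matching(value).createQuery());
    }

    /**
     * Paged, sorted listing of tokens with optional owner / identity / client
     * filters. Two criteria are built in lockstep: one counting the total
     * (row-count projection) and one fetching the requested page.
     *
     * @param offset     First result index (default 0).
     * @param limit      Page size (default 10).
     * @param sort       Property to sort by (default {@code createdDate}).
     * @param order      Sort direction (default ASC).
     * @param ownerId    Optional application-owner id.
     * @param identityId Optional identity id.
     * @param clientId   Optional client id.
     * @return A list response carrying the page, the total and the paging
     *         parameters.
     */
    @GET
    @Produces({MediaType.APPLICATION_JSON})
    @ApiOperation("Browse tokens")
    public Response browse(@QueryParam("offset") @DefaultValue("0") int offset,
                           @QueryParam("limit") @DefaultValue("10") int limit,
                           @QueryParam("sort") @DefaultValue("createdDate") String sort,
                           @QueryParam("order") @DefaultValue("ASC") SortOrder order,
                           @Optional @QueryParam("owner") @ApiParam(type = "string") BigInteger ownerId,
                           @Optional @QueryParam("identity") @ApiParam(type = "string") BigInteger identityId,
                           @Optional @QueryParam("client") @ApiParam(type = "string") BigInteger clientId) {
        User owner = resolveOwnershipFilter(ownerId);
        UserIdentity identity = (UserIdentity) resolveFilterEntity(UserIdentity.class, identityId);
        Client client = (Client) resolveFilterEntity(Client.class, clientId);

        Session session = getSession();
        Criteria countCriteria = session.createCriteria(OAuthToken.class)
                .createAlias("client", CLIENT_ALIAS)
                .setProjection(Projections.rowCount());
        Criteria pageCriteria = session.createCriteria(OAuthToken.class)
                .setFirstResult(offset)
                .setMaxResults(limit)
                .createAlias("client", CLIENT_ALIAS)
                .addOrder(SortUtil.order(order, sort));

        // Each restriction is applied to both criteria so the reported total
        // reflects the same filter set as the page.
        if (client != null) {
            pageCriteria.add(Restrictions.eq("c.id", client.getId()));
            countCriteria.add(Restrictions.eq("c.id", client.getId()));
        }
        if (identity != null) {
            pageCriteria.createAlias(IDENTITY_PROPERTY, "i")
                    .add(Restrictions.eq("i.id", identity.getId()));
            countCriteria.createAlias(IDENTITY_PROPERTY, "i")
                    .add(Restrictions.eq("i.id", identity.getId()));
        }
        if (owner != null) {
            pageCriteria.createAlias("c.application", "a")
                    .createAlias("a.owner", "o")
                    .add(Restrictions.eq("o.id", owner.getId()));
            countCriteria.createAlias("c.application", "a")
                    .createAlias("a.owner", "o")
                    .add(Restrictions.eq("o.id", owner.getId()));
        }

        return ListResponseBuilder.builder()
                .offset(offset)
                .limit(limit)
                .order(order)
                .sort(sort)
                .total(countCriteria.uniqueResult())
                .addResult(pageCriteria.list())
                .build();
    }

    /**
     * Reads a single token by id.
     *
     * @param id Hex token id from the path.
     * @return 200 with the token; the inherited {@code assertCanAccess} decides
     *         what happens when the token is missing or not accessible.
     */
    @GET
    @Path("/{id: [a-f0-9]{32}}")
    @ApiOperation("Read token")
    @Produces({MediaType.APPLICATION_JSON})
    public Response getResource(@PathParam("id") @ApiParam(type = "string") BigInteger id) {
        OAuthToken token = (OAuthToken) getSession().get(OAuthToken.class, id);
        assertCanAccess(token, getAdminScope());
        return Response.ok(token).build();
    }

    /**
     * Creates a new token from the request body.
     *
     * <p>Callers without the admin scope may only create tokens for clients
     * whose application they own; any other case is rejected as a bad request
     * (deliberately not distinguished from malformed input).
     *
     * @param input Token to persist; must not carry an id.
     * @return 201 with a Location pointing at {@link #getResource}.
     * @throws EntityRequiredException         If the body is absent.
     * @throws InvalidEntityPropertyException  If {@code id} is set or any
     *                                         validation in
     *                                         {@link #validateInputData} fails.
     * @throws BadRequestException             If a non-admin caller does not
     *                                         own the client's application.
     */
    @POST
    @Consumes({MediaType.APPLICATION_JSON})
    @ApiOperation("Create token")
    public Response createResource(OAuthToken input) {
        OAuthToken token = validateInputData(input);
        if (token.getId() != null) {
            throw new InvalidEntityPropertyException("id");
        }

        if (!getSecurityContext().isUserInRole(getAdminScope())) {
            Application application = token.getClient().getApplication();
            if (getCurrentUser() == null || !getCurrentUser().equals(application.getOwner())) {
                throw new BadRequestException();
            }
        }

        Session session = getSession();
        session.save(token);
        // Explicit commit here (update/delete rely on @Transactional alone);
        // presumably so the saved id is final before the Location header is
        // built — confirm against the transaction feature's semantics.
        session.getTransaction().commit();

        return Response.created(getUriInfo().getAbsolutePathBuilder()
                .path(OAuthTokenService.class, "getResource")
                .build(IdUtil.toString(token.getId())))
                .build();
    }

    /**
     * Updates a token. Only {@code expiresIn} and {@code redirect} are
     * mutable; id, identity, client, token type and the linked auth token must
     * equal the stored values or the request is rejected.
     *
     * @param id    Hex token id from the path.
     * @param input Proposed new state.
     * @return 200 with the updated entity.
     * @throws InvalidEntityPropertyException If an immutable property differs
     *                                        or {@link #validateInputData}
     *                                        rejects the input.
     */
    @Path("/{id: [a-f0-9]{32}}")
    @Consumes({MediaType.APPLICATION_JSON})
    @ApiOperation("Update token")
    @Produces({MediaType.APPLICATION_JSON})
    @PUT
    public Response updateResource(@PathParam("id") @ApiParam(type = "string") BigInteger id,
                                   OAuthToken input) {
        Session session = getSession();
        OAuthToken current = (OAuthToken) session.get(OAuthToken.class, id);
        assertCanAccess(current, getAdminScope());

        // Entity equality is expected to be id-based, so this rejects a body
        // whose id disagrees with the path — confirm against OAuthToken.equals.
        if (!current.equals(input)) {
            throw new InvalidEntityPropertyException("id");
        }
        if (!ObjectUtils.equals(current.getIdentity(), input.getIdentity())) {
            throw new InvalidEntityPropertyException(IDENTITY_PROPERTY);
        }
        if (!ObjectUtils.equals(current.getClient(), input.getClient())) {
            throw new InvalidEntityPropertyException("client");
        }
        if (!current.getTokenType().equals(input.getTokenType())) {
            throw new InvalidEntityPropertyException("tokenType");
        }
        if (!ObjectUtils.equals(current.getAuthToken(), input.getAuthToken())) {
            throw new InvalidEntityPropertyException("authToken");
        }

        OAuthToken validated = validateInputData(input);
        current.setExpiresIn(validated.getExpiresIn());
        current.setRedirect(validated.getRedirect());
        session.update(current);
        return Response.ok(current).build();
    }

    /**
     * Deletes a token.
     *
     * @param id Hex token id from the path.
     * @return 205 Reset Content.
     */
    @Path("/{id: [a-f0-9]{32}}")
    @DELETE
    @ApiOperation("Delete token")
    public Response deleteResource(@PathParam("id") @ApiParam(type = "string") BigInteger id) {
        Session session = getSession();
        OAuthToken token = (OAuthToken) session.get(OAuthToken.class, id);
        assertCanAccess(token, getAdminScope());
        session.delete(token);
        return Response.status(Response.Status.RESET_CONTENT).build();
    }

    /**
     * Validates an incoming token and replaces its referenced entities
     * (client, identity, auth token) with managed instances.
     *
     * <p>Rules enforced, in order: token type and a positive {@code expiresIn}
     * are required; the client must resolve; {@code OwnerCredentials} clients
     * may not issue {@code Authorization} tokens while {@code ClientCredentials}
     * and {@code Implicit} clients may only issue {@code Bearer} tokens; an
     * identity is required for every client type except
     * {@code ClientCredentials}, where it is forbidden, and it must belong to
     * the client's application; a {@code Refresh} token must link a
     * {@code Bearer} auth token with the same identity, any other type must not
     * link one; an {@code Authorization} token needs a redirect accepted by
     * {@code ValidationUtil.validateRedirect} against the client's registered
     * redirects, any other type must not carry one.
     *
     * @param token Input entity, possibly holding only ids on its references.
     * @return The same instance, with references replaced by resolved entities.
     * @throws EntityRequiredException        If {@code token} is null.
     * @throws InvalidEntityPropertyException Naming the first offending property.
     */
    private OAuthToken validateInputData(final OAuthToken token) {
        if (token == null) {
            throw new EntityRequiredException();
        }
        if (token.getTokenType() == null) {
            throw new InvalidEntityPropertyException("tokenType");
        }
        if (token.getExpiresIn() == null || token.getExpiresIn().longValue() < 1) {
            throw new InvalidEntityPropertyException("expiresIn");
        }

        Client client = (Client) resolveEntityInput(Client.class, token.getClient());
        if (client == null) {
            throw new InvalidEntityPropertyException("client");
        }
        token.setClient(client);

        ClientType clientType = client.getType();
        OAuthTokenType tokenType = token.getTokenType();

        // Which token types a client type may issue.
        if (clientType.equals(ClientType.OwnerCredentials)) {
            if (tokenType.equals(OAuthTokenType.Authorization)) {
                throw new InvalidEntityPropertyException("tokenType");
            }
        } else if (clientType.in(ClientType.ClientCredentials, ClientType.Implicit)
                && !tokenType.equals(OAuthTokenType.Bearer)) {
            throw new InvalidEntityPropertyException("tokenType");
        }

        // Identity: mandatory and application-bound for everything except
        // client-credentials clients, which must not carry one.
        if (!clientType.equals(ClientType.ClientCredentials)) {
            UserIdentity identity =
                    (UserIdentity) resolveEntityInput(UserIdentity.class, token.getIdentity());
            if (identity == null) {
                throw new InvalidEntityPropertyException(IDENTITY_PROPERTY);
            }
            if (!identity.getUser().getApplication().equals(client.getApplication())) {
                throw new InvalidEntityPropertyException(IDENTITY_PROPERTY);
            }
            token.setIdentity(identity);
        } else if (token.getIdentity() != null) {
            throw new InvalidEntityPropertyException(IDENTITY_PROPERTY);
        }

        // Refresh tokens must be chained to a bearer token of the same identity.
        if (tokenType.equals(OAuthTokenType.Refresh)) {
            OAuthToken authToken =
                    (OAuthToken) resolveEntityInput(OAuthToken.class, token.getAuthToken());
            if (authToken == null) {
                throw new InvalidEntityPropertyException("authToken");
            }
            if (!authToken.getTokenType().equals(OAuthTokenType.Bearer)) {
                throw new InvalidEntityPropertyException("authToken");
            }
            // Null-safe: a bearer token issued to a ClientCredentials client
            // has no identity, and a plain equals() would NPE into a 500
            // instead of a validation error.
            if (!ObjectUtils.equals(authToken.getIdentity(), token.getIdentity())) {
                throw new InvalidEntityPropertyException(IDENTITY_PROPERTY);
            }
            // NOTE(review): only identity equality is enforced here; the linked
            // bearer token's client is not compared with this token's client.
            // Confirm whether cross-client linkage is intended.
            token.setAuthToken(authToken);
        } else if (token.getAuthToken() != null) {
            throw new InvalidEntityPropertyException("authToken");
        }

        // Redirect: required and validated for authorization codes, forbidden
        // otherwise.
        if (tokenType.equals(OAuthTokenType.Authorization)) {
            if (ValidationUtil.validateRedirect(token.getRedirect(), client.getRedirects()) == null) {
                throw new InvalidEntityPropertyException("redirect");
            }
        } else if (token.getRedirect() != null) {
            throw new InvalidEntityPropertyException("redirect");
        }

        return token;
    }

    /**
     * @return The scope that grants unrestricted access to tokens.
     */
    @Override
    protected String getAdminScope() {
        return Scope.TOKEN_ADMIN;
    }

    /**
     * @return The scope that grants access limited to the caller's own
     *         applications.
     */
    @Override
    protected String getAccessScope() {
        return Scope.TOKEN;
    }
}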
