package org.apache.cxf.rs.security.oauth2.services;

import java.util.logging.Logger;
import javax.ws.rs.Consumes;
import javax.ws.rs.Encoded;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.SecurityContext;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
import org.apache.cxf.rs.security.jose.jwt.JwtException;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.TokenIntrospection;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;

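/**
 * JAX-RS endpoint that reports the state of an OAuth2 access token (token introspection).
 *
 * <p>A form-encoded POST to {@code introspect} carrying a {@code token} parameter is answered
 * with a JSON {@link TokenIntrospection}. Unknown, unparsable and expired tokens all produce
 * the same response built with {@code new TokenIntrospection(false)}, so a caller cannot tell
 * those cases apart.
 *
 * <p>Access control is done by {@link #checkSecurityContext()}: by default a request without an
 * authenticated principal is rejected; rejecting non-TLS requests is opt-in through
 * {@link #setBlockUnsecureRequests(boolean)}.
 */
@Path("introspect")
/* loaded from: input_file:lib/cxf-rt-rs-security-oauth2-3.4.8.jar:org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.class */
public class TokenIntrospectionService {
    private static final Logger LOG = LogUtils.getL7dLogger(TokenIntrospectionService.class);
    // Off by default: plain-HTTP requests are accepted unless the deployment enables this.
    private boolean blockUnsecureRequests;
    private MessageContext mc;
    private OAuthDataProvider dataProvider;
    private JoseJwtConsumer jwtTokenConsumer;
    // On by default: the caller of this endpoint must itself be authenticated.
    private boolean blockUnauthorizedRequests = true;
    private boolean reportExtraTokenProperties = true;
    // When true the submitted token string is used as the lookup key as-is; when false the
    // token is parsed as a JWT and its token id claim is used as the key instead.
    private boolean persistJwtEncoding = true;

    /**
     * Looks up the submitted token and describes it.
     *
     * @param multivaluedMap the form parameters of the request; only {@code token} is read.
     *     The parameter is {@code @Encoded}, so the value is used as sent by the client.
     * @return the introspection result; the negative form when the token is missing, cannot be
     *     parsed, is unknown to the data provider or has expired
     * @throws javax.ws.rs.WebApplicationException (401) when {@link #checkSecurityContext()}
     *     rejects the request
     */
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    @Consumes({MediaType.APPLICATION_FORM_URLENCODED})
    public TokenIntrospection getTokenIntrospection(@Encoded MultivaluedMap<String, String> multivaluedMap) {
        // Must run before any token lookup so that an unauthenticated caller learns nothing.
        checkSecurityContext();
        String tokenKey = multivaluedMap.getFirst("token");
        if (tokenKey == null || tokenKey.isEmpty()) {
            // No token supplied: answer like any other unknown token instead of handing null
            // to the JWT parser or the data provider.
            return new TokenIntrospection(false);
        }
        if (!this.persistJwtEncoding) {
            try {
                JoseJwtConsumer consumer = this.jwtTokenConsumer == null ? new JoseJwtConsumer() : this.jwtTokenConsumer;
                tokenKey = consumer.getJwtToken(tokenKey).getClaims().getTokenId();
            } catch (JwtException e) {
                // A token that fails JWT processing is reported like an unknown one.
                return new TokenIntrospection(false);
            }
        }
        ServerAccessToken accessToken = this.dataProvider.getAccessToken(tokenKey);
        if (accessToken == null || OAuthUtils.isExpired(Long.valueOf(accessToken.getIssuedAt()), Long.valueOf(accessToken.getExpiresIn()))) {
            return new TokenIntrospection(false);
        }
        // NOTE(review): notBefore is only reported below, never checked; a token whose
        // notBefore lies in the future is still answered as active. Confirm this is intended.
        TokenIntrospection tokenIntrospection = new TokenIntrospection(true);
        tokenIntrospection.setClientId(accessToken.getClient().getClientId());
        if (!accessToken.getScopes().isEmpty()) {
            tokenIntrospection.setScope(OAuthUtils.convertPermissionsToScope(accessToken.getScopes()));
        }
        UserSubject subject = accessToken.getSubject();
        if (subject != null) {
            tokenIntrospection.setUsername(subject.getLogin());
            if (subject.getId() != null) {
                tokenIntrospection.setSub(subject.getId());
            }
        }
        if (!StringUtils.isEmpty(accessToken.getAudiences())) {
            tokenIntrospection.setAud(accessToken.getAudiences());
        }
        if (accessToken.getIssuer() != null) {
            tokenIntrospection.setIss(accessToken.getIssuer());
        }
        tokenIntrospection.setIat(Long.valueOf(accessToken.getIssuedAt()));
        if (accessToken.getExpiresIn() > 0) {
            // Expiry is stored as a lifetime; the response carries the absolute value.
            tokenIntrospection.setExp(Long.valueOf(accessToken.getIssuedAt() + accessToken.getExpiresIn()));
        }
        if (accessToken.getNotBefore() > 0) {
            tokenIntrospection.setNbf(Long.valueOf(accessToken.getNotBefore()));
        }
        tokenIntrospection.setTokenType(accessToken.getTokenType());
        if (this.reportExtraTokenProperties) {
            // Every extra property stored with the token is copied into the response. Turn
            // this off when those properties may hold data the introspecting party must not see.
            tokenIntrospection.getExtensions().putAll(accessToken.getExtraProperties());
        }
        return tokenIntrospection;
    }

    /**
     * Rejects the request with 401 when it violates the configured transport or
     * authentication requirements.
     *
     * <p>{@code ExceptionUtils.toNotAuthorizedException} only builds the exception. The
     * previous code dropped its return value, so both checks logged a warning and then let the
     * request through (fail-open); the exception is now thrown.
     */
    private void checkSecurityContext() {
        SecurityContext securityContext = this.mc.getSecurityContext();
        if (!securityContext.isSecure() && this.blockUnsecureRequests) {
            LOG.warning("Unsecure HTTP, Transport Layer Security is recommended");
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
        if (securityContext.getUserPrincipal() == null && this.blockUnauthorizedRequests) {
            LOG.warning("Authenticated Principal is not available");
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }

    /**
     * Controls whether requests that did not arrive over a secure transport are rejected.
     *
     * @param z {@code true} to reject requests whose security context is not secure
     */
    public void setBlockUnsecureRequests(boolean z) {
        this.blockUnsecureRequests = z;
    }

    /**
     * Controls whether requests without an authenticated principal are rejected.
     *
     * @param z {@code true} (the default) to require an authenticated caller
     */
    public void setBlockUnauthorizedRequests(boolean z) {
        this.blockUnauthorizedRequests = z;
    }

    /**
     * Sets the provider used to resolve a token key to its stored access token.
     *
     * @param oAuthDataProvider the token store to query
     */
    public void setDataProvider(OAuthDataProvider oAuthDataProvider) {
        this.dataProvider = oAuthDataProvider;
    }

    /**
     * Receives the per-request message context injected by the JAX-RS runtime.
     *
     * @param messageContext the context from which the security context is read
     */
    @Context
    public void setMessageContext(MessageContext messageContext) {
        this.mc = messageContext;
    }

    /**
     * Controls whether the token's extra properties are copied into the response extensions.
     *
     * @param z {@code true} (the default) to include them
     */
    public void setReportExtraTokenProperties(boolean z) {
        this.reportExtraTokenProperties = z;
    }

    /**
     * Returns the configured JWT consumer.
     *
     * @return the consumer, or {@code null} when none was set (a default one is then created
     *     per request)
     */
    public JoseJwtConsumer getJwtTokenConsumer() {
        return this.jwtTokenConsumer;
    }

    /**
     * Sets the consumer used to process JWT tokens when JWT encoding is not persisted.
     *
     * @param joseJwtConsumer the consumer to use
     */
    public void setJwtTokenConsumer(JoseJwtConsumer joseJwtConsumer) {
        this.jwtTokenConsumer = joseJwtConsumer;
    }

    /**
     * Reports whether the submitted token string itself is used as the lookup key.
     *
     * @return {@code true} when the raw token is the key, {@code false} when the JWT token id is
     */
    public boolean isPersistJwtEncoding() {
        return this.persistJwtEncoding;
    }

    /**
     * Chooses between looking tokens up by their raw string or by their JWT token id.
     *
     * @param z {@code true} (the default) to look up by the raw token string
     */
    public void setPersistJwtEncoding(boolean z) {
        this.persistJwtEncoding = z;
    }
}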
