package org.apereo.cas.support.oauth.web.response.accesstoken.ext;

import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.DefaultAuthenticationResult;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.configuration.model.support.oauth.OAuthProperties;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.authenticator.OAuth20CasAuthenticationBuilder;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.web.support.WebUtils;
import org.pac4j.core.context.J2EContext;
import org.pac4j.core.profile.UserProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oauth-5.1.5.jar:org/apereo/cas/support/oauth/web/response/accesstoken/ext/AccessTokenPasswordGrantRequestExtractor.class */
public class AccessTokenPasswordGrantRequestExtractor extends BaseAccessTokenGrantRequestExtractor {
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) AccessTokenPasswordGrantRequestExtractor.class);
    private final OAuth20CasAuthenticationBuilder authenticationBuilder;

    public AccessTokenPasswordGrantRequestExtractor(ServicesManager servicesManager, TicketRegistry ticketRegistry, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth20CasAuthenticationBuilder oAuth20CasAuthenticationBuilder, CentralAuthenticationService centralAuthenticationService, OAuthProperties oAuthProperties) {
        super(servicesManager, ticketRegistry, httpServletRequest, httpServletResponse, centralAuthenticationService, oAuthProperties);
        this.authenticationBuilder = oAuth20CasAuthenticationBuilder;
    }

    @Override // org.apereo.cas.support.oauth.web.response.accesstoken.ext.BaseAccessTokenGrantRequestExtractor
    public AccessTokenRequestDataHolder extract() {
        String parameter = this.request.getParameter("client_id");
        LOGGER.debug("Locating OAuth registered service by client id [{}]", parameter);
        OAuthRegisteredService registeredOAuthService = OAuth20Utils.getRegisteredOAuthService(this.servicesManager, parameter);
        LOGGER.debug("Located OAuth registered service [{}]", registeredOAuthService);
        J2EContext pac4jJ2EContext = WebUtils.getPac4jJ2EContext(this.request, this.response);
        Optional optional = WebUtils.getPac4jProfileManager(this.request, this.response).get(true);
        if (!optional.isPresent()) {
            throw new UnauthorizedServiceException("OAuth user profile cannot be determined");
        }
        LOGGER.debug("Creating matching service request based on [{}]", registeredOAuthService);
        boolean isRequireServiceHeader = this.oAuthProperties.getGrants().getResourceOwner().isRequireServiceHeader();
        if (isRequireServiceHeader) {
            LOGGER.debug("Using request headers to identify and build the target service url");
        }
        Service buildService = this.authenticationBuilder.buildService(registeredOAuthService, pac4jJ2EContext, isRequireServiceHeader);
        LOGGER.debug("Authenticating the OAuth request indicated by [{}]", buildService);
        Authentication build = this.authenticationBuilder.build((UserProfile) optional.get(), registeredOAuthService, pac4jJ2EContext, buildService);
        RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService(buildService, registeredOAuthService, build);
        return new AccessTokenRequestDataHolder(buildService, build, registeredOAuthService, this.centralAuthenticationService.createTicketGrantingTicket(new DefaultAuthenticationResult(build, isRequireServiceHeader ? buildService : null)), isAllowedToGenerateRefreshToken(registeredOAuthService));
    }

    protected boolean isAllowedToGenerateRefreshToken(OAuthRegisteredService oAuthRegisteredService) {
        return oAuthRegisteredService != null && oAuthRegisteredService.isGenerateRefreshToken().booleanValue();
    }

    @Override // org.apereo.cas.support.oauth.web.response.accesstoken.ext.BaseAccessTokenGrantRequestExtractor
    public boolean supports(HttpServletRequest httpServletRequest) {
        return OAuth20Utils.isGrantType(httpServletRequest.getParameter("grant_type"), OAuth20GrantTypes.PASSWORD);
    }
}
