package org.apereo.cas.support.oauth.web.endpoints;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.OAuth20Constants;
import org.apereo.cas.support.oauth.profile.OAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.validator.OAuth20Validator;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.TicketState;
import org.apereo.cas.ticket.accesstoken.AccessToken;
import org.apereo.cas.ticket.accesstoken.AccessTokenFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.web.support.CookieRetrievingCookieGenerator;
import org.hjson.JsonValue;
import org.hjson.Stringify;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.bind.annotation.GetMapping;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oauth-5.1.2.jar:org/apereo/cas/support/oauth/web/endpoints/OAuth20UserProfileControllerController.class */
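/**
 * OAuth 2.0 user-profile (resource) endpoint: {@code GET /oauth2.0/profile}.
 *
 * <p>The caller presents an access token either as the {@code access_token} query parameter
 * or as an {@code Authorization: Bearer ...} header. The token is looked up in the ticket
 * registry; if it is missing, expired, or its parent ticket-granting ticket is gone, a
 * {@code 401} is returned with a JSON {@code {"error": ...}} body and an RFC 6750 §3
 * {@code WWW-Authenticate} challenge. Otherwise the token's usage state is updated and the
 * principal id and attributes recorded in the token's authentication are returned as JSON.
 *
 * <p>Security notes: the bearer token is a credential, so it is never written to the log in
 * clear; log lines carry a truncated SHA-256 fingerprint instead. Accepting the token in the
 * query string is kept for backward compatibility, but RFC 6750 §2.3 discourages it (the token
 * ends up in access logs, proxy logs and Referer headers) — clients should use the header.
 * The response carries identity attributes and is marked {@code Cache-Control: no-store}.
 */
public class OAuth20UserProfileControllerController extends BaseOAuth20Controller {
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20UserProfileControllerController.class);
    private static final String ID = "id";
    private static final String ATTRIBUTES = "attributes";
    private static final String ACCESS_TOKEN = "access_token";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    /** Hex characters of the SHA-256 digest kept when a token is referenced in a log line. */
    private static final int FINGERPRINT_HEX_CHARS = 16;

    public OAuth20UserProfileControllerController(final ServicesManager servicesManager,
                                                  final TicketRegistry ticketRegistry,
                                                  final OAuth20Validator oAuth20Validator,
                                                  final AccessTokenFactory accessTokenFactory,
                                                  final PrincipalFactory principalFactory,
                                                  final ServiceFactory<WebApplicationService> serviceFactory,
                                                  final OAuth20ProfileScopeToAttributesFilter oAuth20ProfileScopeToAttributesFilter,
                                                  final CasConfigurationProperties casConfigurationProperties,
                                                  final CookieRetrievingCookieGenerator cookieRetrievingCookieGenerator) {
        super(servicesManager, ticketRegistry, oAuth20Validator, accessTokenFactory, principalFactory,
            serviceFactory, oAuth20ProfileScopeToAttributesFilter, casConfigurationProperties,
            cookieRetrievingCookieGenerator);
    }

    /**
     * Serves the profile request.
     *
     * @param httpServletRequest  the incoming request carrying the access token
     * @param httpServletResponse the response; content type and cache headers are set directly on it
     * @return {@code 200} with the profile JSON, or {@code 401} with an error JSON body
     * @throws Exception if serializing the profile fails
     */
    @GetMapping(path = {"/oauth2.0/profile"}, produces = {"application/json"})
    public ResponseEntity<String> handleRequest(final HttpServletRequest httpServletRequest,
                                                final HttpServletResponse httpServletResponse) throws Exception {
        httpServletResponse.setContentType("application/json");
        // The body is identity data tied to a bearer credential: forbid caching by browsers and proxies.
        httpServletResponse.setHeader("Cache-Control", "no-store");
        httpServletResponse.setHeader("Pragma", "no-cache");

        final String accessTokenId = getAccessTokenFromRequest(httpServletRequest);
        if (StringUtils.isBlank(accessTokenId)) {
            LOGGER.error("Missing [{}]", ACCESS_TOKEN);
            return buildUnauthorizedResponseEntity(OAuth20Constants.MISSING_ACCESS_TOKEN);
        }

        final AccessToken accessToken = this.ticketRegistry.getTicket(accessTokenId, AccessToken.class);
        if (accessToken == null || accessToken.isExpired()) {
            // Never log the presented token itself: a stale-but-real token is still a credential.
            LOGGER.error("Expired/Missing access token: [{}]", fingerprint(accessTokenId));
            return buildUnauthorizedResponseEntity(OAuth20Constants.EXPIRED_ACCESS_TOKEN);
        }

        final TicketGrantingTicket grantingTicket = accessToken.getGrantingTicket();
        if (grantingTicket == null || grantingTicket.isExpired()) {
            LOGGER.error("Ticket granting ticket [{}] parenting access token [{}] has expired or is not found",
                grantingTicket == null ? "[none]" : fingerprint(grantingTicket.getId()),
                fingerprint(accessTokenId));
            // The SSO session backing this token is gone; the token must not outlive it.
            this.ticketRegistry.deleteTicket(accessTokenId);
            return buildUnauthorizedResponseEntity(OAuth20Constants.EXPIRED_ACCESS_TOKEN);
        }

        updateAccessTokenUsage(accessToken);
        final String json = OAuth20Utils.jsonify(writeOutProfileResponse(accessToken));
        if (LOGGER.isDebugEnabled()) {
            // Re-parsing for pretty-printing is only worth doing when the line will actually be emitted.
            LOGGER.debug("Final user profile is [{}]", JsonValue.readHjson(json).toString(Stringify.FORMATTED));
        }
        return new ResponseEntity<>(json, HttpStatus.OK);
    }

    /**
     * Records one use of the token. If that use exhausts the token (it reports expired after the
     * update) it is removed from the registry; otherwise the updated state is persisted. The
     * profile for this final use is still returned by the caller.
     *
     * @param accessToken the token that authorized the current request
     */
    private void updateAccessTokenUsage(final AccessToken accessToken) {
        // The original relied on access tokens implementing TicketState; keep that contract explicit.
        final TicketState state = (TicketState) accessToken;
        state.update();
        if (accessToken.isExpired()) {
            this.ticketRegistry.deleteTicket(accessToken.getId());
        } else {
            this.ticketRegistry.updateTicket(accessToken);
        }
    }

    /**
     * Extracts the bearer token from the request: the {@code access_token} query parameter takes
     * precedence, then an {@code Authorization: Bearer <token>} header (scheme matched
     * case-insensitively, per RFC 6750 §2.1).
     *
     * <p>NOTE(review): the query-parameter form is retained for compatibility with existing
     * clients even though RFC 6750 §2.3 discourages it.
     *
     * @param httpServletRequest the incoming request
     * @return the token value, or {@code null}/blank if none was presented
     */
    protected String getAccessTokenFromRequest(final HttpServletRequest httpServletRequest) {
        String token = httpServletRequest.getParameter(ACCESS_TOKEN);
        if (StringUtils.isBlank(token)) {
            final String header = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
            final String bearerPrefix = OAuth20Constants.BEARER_TOKEN.toLowerCase(Locale.ROOT) + ' ';
            if (StringUtils.isNotBlank(header) && header.toLowerCase(Locale.ROOT).startsWith(bearerPrefix)) {
                // RFC 6750 §2.1 allows one or more spaces between the scheme and the token.
                token = header.substring(OAuth20Constants.BEARER_TOKEN.length() + 1).trim();
            }
        }
        LOGGER.debug("[{}]: [{}]", ACCESS_TOKEN, fingerprint(token));
        return token;
    }

    /**
     * Builds the profile payload: the principal id under {@code "id"} and the principal's
     * attribute map under {@code "attributes"}.
     *
     * <p>NOTE(review): attributes are emitted exactly as stored on the token's authentication;
     * the scope-to-attributes filter injected through the constructor is not applied here.
     * Presumably the principal was already filtered when the token was minted — confirm against
     * the authorize/token endpoints before relying on scope restrictions at this endpoint.
     *
     * @param accessToken the validated access token
     * @return the map that will be serialized to JSON
     * @throws IOException declared for subclasses that build the payload from external sources
     */
    protected Map<String, Object> writeOutProfileResponse(final AccessToken accessToken) throws IOException {
        final Principal principal = accessToken.getAuthentication().getPrincipal();
        LOGGER.debug("Preparing user profile response based on CAS principal [{}]", principal);
        final Map<String, Object> profile = new HashMap<>(2);
        profile.put(ID, principal.getId());
        profile.put(ATTRIBUTES, principal.getAttributes());
        return profile;
    }

    /**
     * Builds a {@code 401} response with a JSON {@code {"error": [code]}} body and the
     * {@code WWW-Authenticate: Bearer error="..."} challenge RFC 6750 §3 requires from a
     * bearer-protected resource.
     *
     * @param error one of the {@link OAuth20Constants} error codes (trusted, constant input)
     * @return the unauthorized response
     */
    private static ResponseEntity<String> buildUnauthorizedResponseEntity(final String error) {
        final LinkedMultiValueMap<String, String> body = new LinkedMultiValueMap<>(1);
        body.add("error", error);
        final LinkedMultiValueMap<String, String> headers = new LinkedMultiValueMap<>(1);
        headers.add("WWW-Authenticate", "Bearer error=\"" + error + '"');
        return new ResponseEntity<>(OAuth20Utils.jsonify(body), headers, HttpStatus.UNAUTHORIZED);
    }

    /**
     * Produces a short, non-reversible identifier for a token so log lines can be correlated
     * without exposing the credential.
     *
     * @param token the token value, may be blank
     * @return {@code "[blank]"}, or {@code "sha256:"} followed by the first hex characters of the digest
     */
    private static String fingerprint(final String token) {
        if (StringUtils.isBlank(token)) {
            return "[blank]";
        }
        try {
            final byte[] digest = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            final StringBuilder hex = new StringBuilder(FINGERPRINT_HEX_CHARS);
            for (int i = 0; i < digest.length && hex.length() < FINGERPRINT_HEX_CHARS; i++) {
                hex.append(String.format("%02x", digest[i] & 0xff));
            }
            return "sha256:" + hex;
        } catch (final NoSuchAlgorithmException e) {
            // Every JRE ships SHA-256; if it is somehow absent, still refuse to print the value.
            return "[len=" + token.length() + ']';
        }
    }
}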
