package org.apereo.cas.oidc.web.controllers.dynareg;

import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.DefaultAuthenticationBuilder;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.oidc.OidcClientRegistrationProperties;
import org.apereo.cas.oidc.OidcConfigurationContext;
import org.apereo.cas.oidc.OidcConstants;
import org.apereo.cas.oidc.web.controllers.BaseOidcController;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20TokenGeneratedResult;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRequestContext;
import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20AccessTokenResponseResult;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.util.RandomUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.pac4j.core.client.BaseClient;
import org.pac4j.core.credentials.extractor.BasicAuthExtractor;
import org.pac4j.core.credentials.password.SpringSecurityPasswordEncoder;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.core.profile.service.InMemoryProfileService;
import org.pac4j.http.client.direct.HeaderClient;
import org.pac4j.jee.context.JEEContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.view.json.MappingJackson2JsonView;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oidc-core-api-6.6.15.jar:org/apereo/cas/oidc/web/controllers/dynareg/OidcInitialAccessTokenController.class */
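/**
 * Issues the OIDC dynamic-client-registration "initial access token".
 *
 * <p>The endpoint is only usable when the registration mode is configured as
 * {@code protected}; in that case the caller must present HTTP Basic credentials
 * matching {@code initialAccessTokenUser} / {@code initialAccessTokenPassword}.
 * On success an access token carrying the {@code openid} and client-registration
 * scopes is minted, stored in the ticket registry and returned as JSON.
 *
 * <p>Security notes for operators (all grounded in this class only):
 * <ul>
 *   <li>If either credential property is blank, a random 8-character alphabetic
 *       value is substituted. It is never logged or exposed, so the endpoint is
 *       effectively unusable until BOTH properties are set explicitly. Do not rely
 *       on the fallback as a "secure default" — it is short and its randomness
 *       source ({@code RandomUtils}) is not visible here.</li>
 *   <li>The configured password is held in memory in clear text
 *       ({@link NoOpPasswordEncoder}); it is a shared secret, not a hashed user password.</li>
 *   <li>The mapping {@code /**&#47;initToken} matches under any path prefix; the only
 *       request validation visible here is the issuer check. Confirm the servlet
 *       security configuration covers that wildcard as well as {@code /oidc/initToken}.</li>
 * </ul>
 */
public class OidcInitialAccessTokenController extends BaseOidcController {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcInitialAccessTokenController.class);

    /** Direct pac4j client that authenticates the Basic-auth header against the in-memory profile. */
    private final BaseClient accessTokenClient;

    /**
     * Builds the controller and, when registration mode is protected, wires a
     * single-user in-memory authenticator for the initial-access-token credentials.
     *
     * @param oidcConfigurationContext shared OIDC configuration context
     */
    public OidcInitialAccessTokenController(OidcConfigurationContext oidcConfigurationContext) {
        super(oidcConfigurationContext);
        this.accessTokenClient = new HeaderClient();
        OidcClientRegistrationProperties registration = getConfigurationContext().getCasProperties().getAuthn().getOidc().getRegistration();
        if (registration.getDynamicClientRegistrationMode().isProtected()) {
            // Blank user/password fall back to an unlogged random value. That disables the endpoint rather
            // than opening it, but an 8-char alphabetic secret is not something to depend on: configure both.
            // NOTE(review): whether RandomUtils is SecureRandom-backed cannot be seen from this file.
            String username = StringUtils.defaultIfBlank(registration.getInitialAccessTokenUser(), RandomUtils.randomAlphabetic(8));
            String password = StringUtils.defaultIfBlank(registration.getInitialAccessTokenPassword(), RandomUtils.randomAlphabetic(8));

            CommonProfile profile = new CommonProfile();
            profile.setId(username);
            profile.addAttribute("username", username);

            // Credentials arrive as "Authorization: Basic ..."; the profile factory always yields the one profile above.
            this.accessTokenClient.setCredentialsExtractor(new BasicAuthExtractor());
            InMemoryProfileService profileService = new InMemoryProfileService(params -> profile);
            // NoOp encoder: the shared secret is stored and compared as-is. Presumably a plain String equality
            // inside pac4j/Spring — not a constant-time compare; verify if that matters for your threat model.
            profileService.setPasswordEncoder(new SpringSecurityPasswordEncoder(NoOpPasswordEncoder.getInstance()));
            profileService.create(profile, password);
            this.accessTokenClient.setAuthenticator(profileService);
            // Client name only needs to be unique within pac4j's client registry.
            this.accessTokenClient.setName(UUID.randomUUID().toString());
            this.accessTokenClient.init();
        }
    }

    /**
     * Handles {@code GET /oidc/initToken}.
     *
     * <p>Order of checks: issuer validation (400), registration mode must be
     * protected (406), Basic credentials must be present and valid (401), token
     * generation must succeed (400). Only the last step returns a token body.
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse outgoing response
     * @return JSON model-and-view with the token or an error status
     * @throws Exception propagated from the underlying CAS/pac4j components
     */
    @GetMapping(value = {"/oidc/initToken", "/**/initToken"}, produces = {"application/json"})
    public ModelAndView handleRequestInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        JEEContext webContext = new JEEContext(httpServletRequest, httpServletResponse);
        if (!getConfigurationContext().getIssuerService().validateIssuer(webContext, OidcConstants.REGISTRATION_INITIAL_TOKEN_URL)) {
            ModelAndView invalidIssuer = new ModelAndView(new MappingJackson2JsonView(), (Map<String, ?>) OAuth20Utils.getErrorResponseBody("invalid_request", "Invalid issuer"));
            invalidIssuer.setStatus(HttpStatus.BAD_REQUEST);
            return invalidIssuer;
        }

        CasConfigurationProperties casProperties = getConfigurationContext().getCasProperties();
        if (!casProperties.getAuthn().getOidc().getRegistration().getDynamicClientRegistrationMode().isProtected()) {
            LOGGER.warn("Dynamic client registration mode is not configured as protected.");
            return getBadRequestResponseEntity(HttpStatus.NOT_ACCEPTABLE);
        }

        // A bearer token is returned from a GET; RFC 6749 §5.1 requires token responses to be uncacheable.
        // Set here so it holds regardless of what the response generator does (duplicate headers are harmless).
        httpServletResponse.setHeader("Cache-Control", "no-store");
        httpServletResponse.setHeader("Pragma", "no-cache");

        // getCredentials() runs the authenticator; presumably a bad password yields an empty Optional (→ 401)
        // rather than an exception, as the original code relied on the same path.
        return (ModelAndView) this.accessTokenClient.getCredentials(webContext, getConfigurationContext().getSessionStore()).map(credentials -> {
            AccessTokenRequestContext tokenRequest = buildTokenRequestContext(credentials.getUserProfile().getId(), casProperties);
            return generateInitialAccessToken(tokenRequest).map(accessToken -> {
                // No registered service is attached to tokenRequest, so getRegisteredService() is presumably
                // null here — the response generator is expected to tolerate that (unchanged from before).
                OAuth20TokenGeneratedResult generated = OAuth20TokenGeneratedResult.builder()
                    .registeredService(tokenRequest.getRegisteredService())
                    .accessToken(accessToken)
                    .grantType(tokenRequest.getGrantType())
                    .responseType(tokenRequest.getResponseType())
                    .build();
                OAuth20AccessTokenResponseResult responseResult = OAuth20AccessTokenResponseResult.builder()
                    .registeredService(tokenRequest.getRegisteredService())
                    .service(tokenRequest.getService())
                    .accessTokenTimeout(accessToken.getExpiresIn())
                    .responseType(accessToken.getResponseType())
                    .casProperties(getConfigurationContext().getCasProperties())
                    .generatedToken(generated)
                    .grantType(accessToken.getGrantType())
                    .userProfile(credentials.getUserProfile())
                    .build();
                return getConfigurationContext().getAccessTokenResponseGenerator().generate(responseResult);
            }).orElseGet(() -> getBadRequestResponseEntity(HttpStatus.BAD_REQUEST));
        }).orElseGet(() -> getBadRequestResponseEntity(HttpStatus.UNAUTHORIZED));
    }

    /**
     * Builds the token request for the authenticated initial-access-token user.
     *
     * <p>The "service" is the CAS server itself (its configured prefix); grant and
     * response types are {@code NONE}; scopes are {@code openid} plus the
     * client-registration scope.
     *
     * @param principalId   id of the authenticated profile
     * @param casProperties CAS configuration
     * @return request context ready for the access-token generator
     */
    private AccessTokenRequestContext buildTokenRequestContext(String principalId, CasConfigurationProperties casProperties) {
        Principal principal = PrincipalFactoryUtils.newPrincipalFactory().createPrincipal(principalId);
        return AccessTokenRequestContext.builder()
            .authentication(DefaultAuthenticationBuilder.newInstance().setPrincipal(principal).build())
            .service(getConfigurationContext().getWebApplicationServiceServiceFactory().createService(casProperties.getServer().getPrefix()))
            .grantType(OAuth20GrantTypes.NONE)
            .responseType(OAuth20ResponseTypes.NONE)
            .scopes(Set.of(OidcConstants.StandardScopes.OPENID.getScope(), OidcConstants.CLIENT_REGISTRATION_SCOPE))
            .build();
    }

    /**
     * Builds an empty JSON response carrying only the given status.
     *
     * <p>Note: no {@code WWW-Authenticate} header is added for 401, so clients get
     * no challenge hint; callers are expected to know to send Basic credentials.
     *
     * @param httpStatus status to set
     * @return empty JSON model-and-view
     */
    protected ModelAndView getBadRequestResponseEntity(HttpStatus httpStatus) {
        ModelAndView modelAndView = new ModelAndView(new MappingJackson2JsonView());
        modelAndView.setStatus(httpStatus);
        return modelAndView;
    }

    /**
     * Mints the access token and persists it in the ticket registry.
     *
     * <p>Any failure (generator exception, absent token, registry error) yields
     * {@link Optional#empty()} so the caller answers with a 400. Previously the
     * cause was swallowed silently; it is now logged so operators can diagnose it.
     *
     * @param accessTokenRequestContext request built by {@link #buildTokenRequestContext}
     * @return the stored token, or empty on any failure
     */
    protected Optional<OAuth20AccessToken> generateInitialAccessToken(AccessTokenRequestContext accessTokenRequestContext) {
        return (Optional) FunctionUtils.doAndHandle(() -> {
            OAuth20AccessToken accessToken = getConfigurationContext().getAccessTokenGenerator()
                .generate(accessTokenRequestContext)
                .getAccessToken()
                .orElseThrow(() -> new IllegalStateException("Access token generator did not produce a token"));
            getConfigurationContext().getTicketRegistry().addTicket(accessToken);
            return Optional.of(accessToken);
        }, th -> {
            // Still best-effort (empty → HTTP 400), but leave a trace; full stack only at DEBUG.
            LOGGER.warn("Unable to generate initial access token: [{}]", th.getMessage());
            LOGGER.debug(th.getMessage(), th);
            return Optional.empty();
        }).get();
    }
}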
