package com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.rest;

import com.atlassian.bitbucket.jenkins.internal.applink.oauth.OAuthConverter;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.exception.InvalidTokenException;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.token.ServiceProviderToken;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.token.ServiceProviderTokenFactory;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.token.ServiceProviderTokenStore;
import com.atlassian.bitbucket.jenkins.internal.applink.oauth.util.OAuthProblemUtils;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Clock;
import java.util.logging.Logger;
import javax.inject.Inject;
import javax.inject.Singleton;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.oauth.OAuth;
import net.oauth.OAuthMessage;
import net.oauth.OAuthProblemException;
import net.oauth.OAuthValidator;
import net.oauth.server.OAuthServlet;
import org.apache.http.protocol.HTTP;

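/**
 * OAuth 1.0a service-provider endpoint that exchanges a presented token for a fresh access token.
 *
 * <p>Two kinds of token are accepted, distinguished by {@code ServiceProviderToken.isRequestToken()}:
 * <ul>
 *   <li>a request token, which must be unexpired, authorised, issued to the calling consumer and
 *       accompanied by the matching {@code oauth_verifier};</li>
 *   <li>any other stored token, which must carry a session whose handle matches the
 *       {@code oauth_session_handle} parameter and whose session has not expired.</li>
 * </ul>
 *
 * <p>On success the presented token is removed from the store and replaced by the newly generated
 * access token, so a presented token can be exchanged at most once.
 */
@Singleton
public class AccessTokenRestEndpoint {
    public static final String OAUTH_SESSION_HANDLE = "oauth_session_handle";
    public static final String OAUTH_EXPIRES_IN = "oauth_expires_in";
    public static final String OAUTH_AUTHORIZATION_EXPIRES_IN = "oauth_authorization_expires_in";
    public static final String ACCESS_TOKEN_PATH_END = "access-token";
    private static final Logger LOGGER = Logger.getLogger(AccessTokenRestEndpoint.class.getName());

    // Collaborators are assigned once by the injected constructor and never reassigned.
    private final OAuthValidator oAuthValidator;
    private final ServiceProviderTokenFactory tokenFactory;
    private final ServiceProviderTokenStore tokenStore;
    private final Clock clock;

    /**
     * Creates the endpoint with its injected collaborators.
     *
     * @param oAuthValidator validates the signed OAuth message against the token's accessor
     * @param serviceProviderTokenFactory generates the replacement access token
     * @param serviceProviderTokenStore lookup, storage and removal of service-provider tokens
     * @param clock time source used for all expiry checks
     */
    @Inject
    public AccessTokenRestEndpoint(OAuthValidator oAuthValidator, ServiceProviderTokenFactory serviceProviderTokenFactory, ServiceProviderTokenStore serviceProviderTokenStore, Clock clock) {
        this.oAuthValidator = oAuthValidator;
        this.tokenFactory = serviceProviderTokenFactory;
        this.tokenStore = serviceProviderTokenStore;
        this.clock = clock;
    }

    /**
     * Handles a token-exchange request and writes the form-encoded credentials to the response.
     *
     * <p>Every failure, including unexpected runtime exceptions, is routed to
     * {@link OAuthServlet#handleException} rather than propagated to the container.
     *
     * @param httpServletRequest the incoming OAuth-signed request
     * @param httpServletResponse the response that receives either the new credentials or the
     *     OAuth problem report
     * @throws ServletException if reporting the failure raises it
     * @throws IOException if reporting the failure raises it
     */
    public void handleAccessToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        try {
            OAuthMessage message = OAuthServlet.getMessage(httpServletRequest, null);
            message.requireParameters("oauth_token");
            try {
                ServiceProviderToken presented = this.tokenStore.get(message.getToken())
                        .orElseThrow(() -> new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED));

                // Token-state checks run BEFORE the request signature is validated, so they are
                // reachable by a caller that holds only the token identifier.
                if (presented.isRequestToken()) {
                    checkRequestToken(message, presented);
                } else {
                    checkAccessToken(message, presented);
                }
                try {
                    this.oAuthValidator.validateMessage(message, OAuthConverter.createOAuthAccessor(presented));

                    // Rotate: store the replacement first, then retire the presented token so it
                    // cannot be exchanged a second time.
                    ServiceProviderToken issued = this.tokenStore.put(this.tokenFactory.generateAccessToken(presented));
                    this.tokenStore.remove(presented.getToken());
                    writeTokenResponse(httpServletResponse, issued);
                } catch (OAuthProblemException e) {
                    OAuthProblemUtils.logOAuthProblem(message, e, LOGGER);
                    throw e;
                }
            } catch (InvalidTokenException e2) {
                // The client only ever sees token_rejected; the store's reason is not disclosed.
                throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
            }
        } catch (Exception e3) {
            OAuthServlet.handleException(httpServletResponse, e3, httpServletRequest.getRequestURL().toString(), true);
        }
    }

    /**
     * Writes the newly issued credentials as a form-encoded plain-text body.
     *
     * <p>The body contains the token secret, so the response is marked non-cacheable before any
     * bytes are written.
     */
    private void writeTokenResponse(HttpServletResponse httpServletResponse, ServiceProviderToken issued) throws IOException {
        httpServletResponse.setContentType(HTTP.PLAIN_TEXT_TYPE);
        httpServletResponse.setHeader("Cache-Control", "no-store");
        httpServletResponse.setHeader("Pragma", "no-cache");
        // Lifetimes are divided by 1000 before being reported (presumably milliseconds -> seconds;
        // confirm against ServiceProviderToken.getTimeToLive()).
        OAuth.formEncode(
                OAuth.newList(
                        "oauth_token", issued.getToken(),
                        OAuth.OAUTH_TOKEN_SECRET, issued.getTokenSecret(),
                        OAUTH_EXPIRES_IN, Long.toString(issued.getTimeToLive() / 1000),
                        OAUTH_SESSION_HANDLE, issued.getSession().getHandle(),
                        OAUTH_AUTHORIZATION_EXPIRES_IN, Long.toString(issued.getSession().getTimeToLive() / 1000)),
                httpServletResponse.getOutputStream());
    }

    /**
     * Verifies that a request token may be exchanged: not expired, authorised by the user, issued
     * to the consumer named in the message, and accompanied by the matching verifier.
     *
     * @throws Exception an {@link OAuthProblemException} naming the failed condition, or whatever
     *     {@code requireParameters} raises when {@code oauth_verifier} is absent
     */
    private void checkRequestToken(OAuthMessage oAuthMessage, ServiceProviderToken serviceProviderToken) throws Exception {
        if (serviceProviderToken.hasExpired(this.clock)) {
            throw new OAuthProblemException(OAuth.Problems.TOKEN_EXPIRED);
        }
        ServiceProviderToken.Authorization authorization = serviceProviderToken.getAuthorization();
        if (authorization == ServiceProviderToken.Authorization.NONE) {
            throw new OAuthProblemException(OAuth.Problems.PERMISSION_UNKNOWN);
        }
        if (authorization == ServiceProviderToken.Authorization.DENIED) {
            throw new OAuthProblemException(OAuth.Problems.PERMISSION_DENIED);
        }
        // The consumer key is a public identifier, so an ordinary equals() is sufficient here.
        if (!serviceProviderToken.getConsumer().getKey().equals(oAuthMessage.getConsumerKey())) {
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
        oAuthMessage.requireParameters(OAuth.OAUTH_VERIFIER);
        // NOTE(review): a failed verifier check leaves the request token in the store; whether
        // repeated attempts are limited elsewhere is not visible from this class.
        if (!secretsMatch(serviceProviderToken.getVerifier(), oAuthMessage.getParameter(OAuth.OAUTH_VERIFIER))) {
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
    }

    /**
     * Verifies that a non-request token may be exchanged: it must have a session, the supplied
     * {@code oauth_session_handle} must match that session's handle, and the session must not
     * have expired.
     *
     * @throws Exception an {@link OAuthProblemException} naming the failed condition, or whatever
     *     {@code requireParameters} raises when {@code oauth_session_handle} is absent
     */
    private void checkAccessToken(OAuthMessage oAuthMessage, ServiceProviderToken serviceProviderToken) throws Exception {
        if (serviceProviderToken.getSession() == null) {
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
        oAuthMessage.requireParameters(OAUTH_SESSION_HANDLE);
        if (!secretsMatch(serviceProviderToken.getSession().getHandle(), oAuthMessage.getParameter(OAUTH_SESSION_HANDLE))) {
            throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
        }
        if (serviceProviderToken.getSession().hasExpired(this.clock)) {
            throw new OAuthProblemException(OAuth.Problems.PERMISSION_DENIED);
        }
    }

    /**
     * Compares a stored secret with a caller-supplied value without short-circuiting on the first
     * differing character, so response timing does not reveal how much of the value matched.
     *
     * <p>A missing value on either side is a mismatch; previously a {@code null} stored value
     * surfaced as a {@link NullPointerException} instead of a token rejection.
     *
     * @param expected the value held by the service provider, possibly {@code null}
     * @param supplied the value taken from the request, possibly {@code null}
     * @return {@code true} only when both values are present and byte-for-byte equal in UTF-8
     */
    private static boolean secretsMatch(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }
}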
