package org.forgerock.openam.oauth2;

import com.sun.identity.shared.debug.Debug;
import org.forgerock.oauth2.core.AccessToken;
import org.forgerock.oauth2.core.OAuth2Request;
import org.forgerock.oauth2.core.OAuth2RequestFactory;
import org.forgerock.oauth2.core.TokenStore;
import org.forgerock.oauth2.core.exceptions.InsufficientScopeException;
import org.forgerock.oauth2.core.exceptions.InvalidGrantException;
import org.forgerock.oauth2.core.exceptions.InvalidTokenException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.data.ChallengeResponse;
import org.restlet.data.Status;
import org.restlet.routing.Filter;

/* loaded from: input_file:org/forgerock/openam/oauth2/AccessTokenProtectionFilter.class */
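/**
 * Restlet {@link Filter} that only lets a request through to the next restlet when it carries
 * a usable OAuth2 access token.
 *
 * <p>The token is taken from the request's challenge response, looked up in the
 * {@link TokenStore}, and rejected when it is missing, expired, or lacks the configured scope.
 * On success the resolved {@link AccessToken} is attached to the {@link OAuth2Request} created
 * for the request.
 */
public class AccessTokenProtectionFilter extends Filter {
    private final Debug debug = Debug.getInstance("UmaProvider");
    /** Scope the token must contain; {@code null} disables the scope check. */
    private final String requiredScope;
    private final TokenStore tokenStore;
    private final OAuth2RequestFactory requestFactory;

    /**
     * Creates the filter and wires it in front of the protected restlet.
     *
     * @param str scope the access token must contain, or {@code null} to accept any scope
     * @param tokenStore store used to resolve the presented token value
     * @param oAuth2RequestFactory factory that wraps the Restlet request as an {@link OAuth2Request}
     * @param restlet the restlet invoked when the token check passes
     */
    public AccessTokenProtectionFilter(String str, TokenStore tokenStore, OAuth2RequestFactory oAuth2RequestFactory, Restlet restlet) {
        this.requiredScope = str;
        this.tokenStore = tokenStore;
        this.requestFactory = oAuth2RequestFactory;
        setNext(restlet);
    }

    /**
     * Validates the access token before the request reaches the next restlet.
     *
     * <p>Outcomes:
     * <ul>
     *   <li>401 - no challenge response, token not readable (null), token expired, or the store
     *       raised {@link InvalidGrantException};</li>
     *   <li>403 - token is valid but does not contain the required scope;</li>
     *   <li>404 - the store raised {@link NotFoundException};</li>
     *   <li>500 - the store raised {@link ServerException}.</li>
     * </ul>
     *
     * @param request the incoming request
     * @param response the response whose status is set when the request is rejected
     * @return the result of {@code super.beforeHandle} when the token is accepted, otherwise
     *         {@link Filter#STOP}
     */
    @Override
    protected int beforeHandle(Request request, Response response) {
        ChallengeResponse challengeResponse = request.getChallengeResponse();
        Status failure = null;
        if (challengeResponse == null) {
            failure = new Status(401, new InvalidTokenException());
        } else {
            String tokenId = challengeResponse.getRawValue();
            try {
                OAuth2Request oAuth2Request = this.requestFactory.create(request);
                AccessToken accessToken = this.tokenStore.readAccessToken(oAuth2Request, tokenId);
                if (accessToken == null || accessToken.isExpired()) {
                    failure = new Status(401, new InvalidTokenException());
                } else if (this.requiredScope != null && !accessToken.getScope().contains(this.requiredScope)) {
                    // NOTE(review): assumes getScope() returns a collection, so contains() is an
                    // exact-match membership test rather than a substring match - confirm.
                    failure = new Status(403, new InsufficientScopeException(this.requiredScope));
                } else {
                    oAuth2Request.setToken(AccessToken.class, accessToken);
                }
            } catch (InvalidGrantException e) {
                // The presented value is a bearer credential and may still be valid elsewhere,
                // so it is deliberately kept out of the debug log.
                this.debug.message("Error loading access token", e);
                failure = new Status(401, new InvalidTokenException());
            } catch (NotFoundException e) {
                // Same reasoning as above: never write the raw token value to the log.
                this.debug.message("Error loading access token", e);
                // NOTE(review): the exception is handed to the Status as-is; confirm its message
                // does not echo the token back to the client.
                failure = new Status(404, e);
            } catch (ServerException e) {
                failure = new Status(500, e);
            }
        }
        if (failure == null) {
            return super.beforeHandle(request, response);
        }
        response.setStatus(failure);
        // Short-circuit the filter chain; the next restlet must not see an unauthorised request.
        return STOP;
    }
}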
