package gluu.scim2.client;

import gluu.scim2.client.exception.ScimInitializationException;
import java.util.List;
import java.util.concurrent.locks.ReentrantLock;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
import org.jboss.resteasy.client.core.BaseClientResponse;
import org.xdi.oxauth.client.TokenRequest;
import org.xdi.oxauth.client.uma.UmaClientFactory;
import org.xdi.oxauth.model.common.AuthenticationMethod;
import org.xdi.oxauth.model.common.GrantType;
import org.xdi.oxauth.model.crypto.OxAuthCryptoProvider;
import org.xdi.oxauth.model.token.ClientAssertionType;
import org.xdi.oxauth.model.uma.UmaMetadata;
import org.xdi.oxauth.model.uma.UmaTokenResponse;
import org.xdi.util.StringHelper;

/* loaded from: input_file:gluu/scim2/client/UmaScimClient.class */
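/**
 * SCIM client that authorizes its requests with a UMA requesting party token (RPT).
 *
 * <p>When a call is answered with HTTP 401, {@link #authorize(BaseClientResponse)} reads the
 * permission ticket and the authorization server URI from the {@code WWW-Authenticate} header,
 * authenticates to that server's token endpoint with a {@code private_key_jwt} client assertion
 * signed from a JKS keystore, and stores the returned RPT for later {@code Bearer} headers.
 *
 * <p>NOTE(review): the authorization server URI is taken from the 401 response and nothing in
 * this class compares it with an expected server. The response therefore decides where the
 * client fetches UMA metadata and where it presents its signed assertion. Confirm that the
 * caller or the transport layer restricts this (strict TLS verification, an expected-issuer
 * check).
 *
 * <p>NOTE(review): the keystore password and the RPT are kept in plain {@code String} fields for
 * the lifetime of the object. The class declares a {@code serialVersionUID}; if the superclass is
 * serializable, both values would be part of the serialized form. Confirm that instances are
 * never serialized or logged.
 *
 * <p>NOTE(review): {@code lock} and {@code umaAatAccessTokenExpiration} are initialised but never
 * read in this class, and {@code rpt} is written without holding the lock. Thread-safety is not
 * established by the code shown here.
 */
public class UmaScimClient extends AbstractScimClient {
    private static final long serialVersionUID = 7099883500099353832L;

    /** Prefix of the permission-ticket parameter in the {@code WWW-Authenticate} header. */
    private static final String TICKET_PREFIX = "ticket=";

    /** Prefix of the authorization-server parameter in the {@code WWW-Authenticate} header. */
    private static final String AS_URI_PREFIX = "as_uri=";

    // Most recently obtained RPT; null or empty until authorize() has succeeded once.
    private String rpt;
    private String umaAatClientId;
    private String umaAatClientKeyId;
    private String umaAatClientJksPath;
    // Secret: never include this value in exception messages or log output.
    private String umaAatClientJksPassword;
    private long umaAatAccessTokenExpiration;
    private final ReentrantLock lock;

    /**
     * Creates a client that signs its token requests with a key from a JKS keystore.
     *
     * @param str  passed unchanged to the {@link AbstractScimClient} constructor
     * @param str2 client id, used as the authentication username of the token request
     * @param str3 path of the JKS keystore holding the client's signing key
     * @param str4 password of that keystore
     * @param str5 key id (alias) to sign with; when empty, the first alias in the keystore is used
     */
    public UmaScimClient(String str, String str2, String str3, String str4, String str5) {
        super(str);
        this.umaAatAccessTokenExpiration = 0L;
        this.lock = new ReentrantLock();
        this.umaAatClientId = str2;
        this.umaAatClientJksPath = str3;
        this.umaAatClientJksPassword = str4;
        this.umaAatClientKeyId = str5;
    }

    /** No per-request preparation is needed for this client. */
    @Override // gluu.scim2.client.AbstractScimClient
    protected void prepareRequest() {
    }

    /**
     * Builds the {@code Authorization} header value from the stored RPT.
     *
     * @return {@code "Bearer <rpt>"}, or {@code null} while no RPT has been obtained
     */
    @Override // gluu.scim2.client.AbstractScimClient
    protected String getAuthenticationHeader() {
        if (StringHelper.isEmpty(this.rpt)) {
            return null;
        }
        return "Bearer " + this.rpt;
    }

    /**
     * Reacts to a 401 response by exchanging the permission ticket it carries for an RPT.
     *
     * @param baseClientResponse response of the request that was just sent
     * @return {@code true} when a non-blank RPT was obtained and stored; {@code false} when the
     *     status is not 401 or the header carries no ticket or no authorization server URI
     * @throws ScimInitializationException when the header is missing or the token exchange fails
     */
    @Override // gluu.scim2.client.AbstractScimClient
    protected boolean authorize(BaseClientResponse baseClientResponse) {
        if (baseClientResponse.getStatus() != Response.Status.UNAUTHORIZED.getStatusCode()) {
            return false;
        }
        try {
            String ticket = null;
            String asUri = null;
            // A 401 without a WWW-Authenticate header fails on toString() here and is reported
            // through the catch below as an invalid UMA response.
            String challenge = baseClientResponse.getResponseHeader("WWW-Authenticate").toString();
            // Both values are untrusted input from the response. They are used as received: no
            // unquoting or validation happens here beyond whatever StringHelper.split does.
            for (String part : StringHelper.split(challenge, ",")) {
                if (part.startsWith(TICKET_PREFIX)) {
                    ticket = part.substring(TICKET_PREFIX.length());
                }
                if (part.startsWith(AS_URI_PREFIX)) {
                    asUri = part.substring(AS_URI_PREFIX.length());
                }
            }
            if (StringHelper.isEmpty(asUri) || StringHelper.isEmpty(ticket)) {
                return false;
            }
            // NOTE(review): asUri is not compared with an expected authorization server before
            // the signed client assertion is sent to it. Confirm that this is enforced elsewhere.
            return obtainAuthorizedRpt(asUri, ticket);
        } catch (Exception e) {
            throw new ScimInitializationException("UMA permissions response is invalid", e);
        }
    }

    /**
     * Builds the {@code client_credentials} token request whose {@code private_key_jwt} assertion
     * authenticates this client to the authorization server.
     *
     * @param umaMetadata metadata of the authorization server; its token endpoint becomes the
     *     audience of the assertion
     * @return the configured token request
     * @throws ScimInitializationException with the message "Failed to get client token"; the
     *     cause chain names the step that failed
     */
    private TokenRequest getAuthorizationTokerRequest(UmaMetadata umaMetadata) {
        try {
            if (StringHelper.isEmpty(this.umaAatClientJksPath) || StringHelper.isEmpty(this.umaAatClientJksPassword)) {
                throw new ScimInitializationException("UMA JKS keystore path or password is empty");
            }
            try {
                OxAuthCryptoProvider cryptoProvider = new OxAuthCryptoProvider(this.umaAatClientJksPath, this.umaAatClientJksPassword, (String) null);
                String keyId = this.umaAatClientKeyId;
                if (StringHelper.isEmpty(keyId)) {
                    // No key id configured: fall back to the first alias the keystore reports.
                    List<?> keyAliases = cryptoProvider.getKeyAliases();
                    if (!keyAliases.isEmpty()) {
                        keyId = (String) keyAliases.get(0);
                    }
                }
                if (StringHelper.isEmpty(keyId)) {
                    throw new ScimInitializationException("UMA keyId is empty");
                }
                TokenRequest tokenRequest = new TokenRequest(GrantType.CLIENT_CREDENTIALS);
                tokenRequest.setAuthenticationMethod(AuthenticationMethod.PRIVATE_KEY_JWT);
                tokenRequest.setAuthUsername(this.umaAatClientId);
                tokenRequest.setCryptoProvider(cryptoProvider);
                tokenRequest.setAlgorithm(cryptoProvider.getSignatureAlgorithm(keyId));
                tokenRequest.setKeyId(keyId);
                // The audience is the token endpoint taken from the metadata that was loaded.
                tokenRequest.setAudience(umaMetadata.getTokenEndpoint());
                return tokenRequest;
            } catch (ScimInitializationException e) {
                // Already specific (for example "UMA keyId is empty"); do not relabel it as a
                // crypto provider failure.
                throw e;
            } catch (Exception e) {
                // Keep the cause so that keystore and signature-algorithm failures stay diagnosable.
                throw new ScimInitializationException("Failed to initialize crypto provider", e);
            }
        } catch (Exception e2) {
            throw new ScimInitializationException("Failed to get client token", e2);
        }
    }

    /**
     * Exchanges a permission ticket for an RPT at the given authorization server and stores it.
     *
     * @param asUri  authorization server URI from which the UMA metadata is loaded
     * @param ticket permission ticket issued with the 401 response
     * @return the RPT, which is also stored for later requests
     * @throws ScimInitializationException when the metadata, the token response or the RPT is
     *     missing, or when any step throws
     */
    private String getAuthorizedRpt(String asUri, String ticket) {
        try {
            UmaMetadata metadata = UmaClientFactory.instance().createMetadataService(asUri).getMetadata();
            if (metadata == null) {
                throw new ScimInitializationException(String.format("Failed to load valid UMA metadata configuration from: %s", asUri));
            }
            String clientAssertion = getAuthorizationTokerRequest(metadata).getClientAssertion();
            UmaTokenResponse tokenResponse = UmaClientFactory.instance().createTokenService(metadata).requestJwtAuthorizationRpt(
                    ClientAssertionType.JWT_BEARER.toString(),
                    clientAssertion,
                    GrantType.OXAUTH_UMA_TICKET.getValue(),
                    ticket,
                    (String) null, (String) null, (String) null, (String) null, (String) null);
            if (tokenResponse == null) {
                throw new ScimInitializationException("UMA RPT token response is invalid");
            }
            String accessToken = tokenResponse.getAccessToken();
            if (StringUtils.isBlank(accessToken)) {
                throw new ScimInitializationException("UMA RPT is invalid");
            }
            this.rpt = accessToken;
            return this.rpt;
        } catch (Exception e) {
            throw new ScimInitializationException(e.getMessage(), e);
        }
    }

    /**
     * Obtains an RPT and reports whether a usable (non-blank) one was stored.
     *
     * @param asUri  authorization server URI
     * @param ticket permission ticket issued with the 401 response
     * @return {@code true} when a non-blank RPT was obtained
     * @throws ScimInitializationException when the exchange fails
     */
    private boolean obtainAuthorizedRpt(String asUri, String ticket) {
        try {
            return StringUtils.isNotBlank(getAuthorizedRpt(asUri, ticket));
        } catch (Exception e) {
            throw new ScimInitializationException(e.getMessage(), e);
        }
    }
}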
