package org.gluu.oxauth.uma.service;

import com.google.common.base.Preconditions;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.UUID;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.inject.Named;
import org.apache.commons.lang.ArrayUtils;
import org.gluu.oxauth.model.config.StaticConfiguration;
import org.gluu.oxauth.model.config.WebKeysConfiguration;
import org.gluu.oxauth.model.configuration.AppConfiguration;
import org.gluu.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.gluu.oxauth.model.jwt.Jwt;
import org.gluu.oxauth.model.registration.Client;
import org.gluu.oxauth.model.token.JwtSigner;
import org.gluu.oxauth.model.uma.persistence.UmaPermission;
import org.gluu.oxauth.service.ClientService;
import org.gluu.oxauth.uma.authorization.UmaPCT;
import org.gluu.oxauth.uma.authorization.UmaRPT;
import org.gluu.oxauth.util.ServerUtil;
import org.gluu.oxauth.util.TokenHashUtil;
import org.gluu.persist.PersistenceEntryManager;
import org.gluu.persist.model.base.SimpleBranch;
import org.gluu.util.INumGenerator;
import org.gluu.util.StringHelper;
import org.json.JSONArray;
import org.json.JSONException;
import org.slf4j.Logger;

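@Stateless
@Named
/**
 * Creates, persists and looks up UMA Requesting Party Tokens (RPTs).
 *
 * <p>Storage layout: every RPT lives under the {@code ou=uma_rpt} branch of the
 * tokens base DN, keyed by {@code tknCde=<hash>} where the hash is produced by
 * {@link TokenHashUtil#hash(String)}. Only the hashed form of the token is
 * persisted (see {@link #persist(UmaRPT)}), so a directory dump does not yield
 * usable bearer tokens and lookups always go through {@link #createDn(String)}.
 *
 * <p>Logging policy: raw RPT / PCT values are bearer credentials and are never
 * written to the log by this class; where a lookup fails, only the hashed
 * token or the permission DN is reported.
 *
 * <p>NOTE(review): this is a {@code @Stateless} bean that carries a mutable
 * {@code containsBranch} flag; it is only a cache of "branch seen", so a stale
 * {@code false} merely costs an extra directory lookup.
 */
public class UmaRptService {
    private static final String ORGUNIT_OF_RPT = "uma_rpt";
    /** Fallback RPT lifetime (seconds) when the configured value is missing or non-positive. */
    public static final int DEFAULT_RPT_LIFETIME = 3600;

    /** Permission attribute that carries the PCT code used to enrich a JWT RPT. */
    private static final String PCT_ATTRIBUTE = "pct";

    @Inject
    private Logger log;

    @Inject
    private PersistenceEntryManager ldapEntryManager;

    @Inject
    private WebKeysConfiguration webKeysConfiguration;

    @Inject
    private UmaPctService pctService;

    @Inject
    private UmaScopeService umaScopeService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private StaticConfiguration staticConfiguration;

    @Inject
    private ClientService clientService;

    /** Cached "the uma_rpt branch exists" flag; avoids repeating the directory lookup. */
    private boolean containsBranch = false;

    /**
     * Builds the DN under which the RPT with the given raw code is stored.
     * The raw code is hashed first, so the plaintext token never appears in a DN
     * and an attacker-controlled code cannot shape the DN beyond the hash value.
     *
     * @param rptCode raw (not hashed) RPT code
     * @return {@code tknCde=<hash>,ou=uma_rpt,<tokens base DN>}
     */
    public String createDn(String rptCode) {
        return String.format("tknCde=%s,%s", TokenHashUtil.hash(rptCode), branchDn());
    }

    /**
     * @return DN of the branch that holds all RPT entries.
     */
    public String branchDn() {
        return String.format("ou=%s,%s", ORGUNIT_OF_RPT, this.staticConfiguration.getBaseDn().getTokens());
    }

    /**
     * Persists an RPT, storing only the hashed code.
     *
     * <p>Any failure (including a missing client id, which is a precondition
     * violation) is logged and swallowed, matching the existing best-effort
     * contract of this method. Callers that hand the token out afterwards
     * should be aware that a swallowed failure means the token will simply
     * not be found on later lookup (fail closed).
     *
     * @param umaRPT token to store; its not-hashed code is used to derive the DN
     */
    public void persist(UmaRPT umaRPT) {
        try {
            Preconditions.checkNotNull(umaRPT.getClientId());
            addBranchIfNeeded();
            String rawCode = umaRPT.getNotHashedCode();
            umaRPT.setDn(createDn(rawCode));
            // The entry keeps only the hash; the raw value stays with the requesting party.
            umaRPT.setCode(TokenHashUtil.hash(rawCode));
            this.ldapEntryManager.persist(umaRPT);
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
        }
    }

    /**
     * Looks up an RPT by its raw code.
     *
     * @param rptCode raw RPT code presented by the client
     * @return the stored token, or {@code null} if it does not exist or the lookup failed
     */
    public UmaRPT getRPTByCode(String rptCode) {
        try {
            UmaRPT rpt = (UmaRPT) this.ldapEntryManager.find(UmaRPT.class, createDn(rptCode));
            if (rpt == null) {
                // Report only the stored (hashed) form: the raw RPT is a bearer credential
                // and must not be written to the log.
                this.log.error("Failed to find RPT by code (hashed): {}", TokenHashUtil.hash(rptCode));
            }
            return rpt;
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Deletes the RPT with the given raw code, if present. Failures are logged.
     *
     * @param rptCode raw RPT code
     */
    public void deleteByCode(String rptCode) {
        try {
            UmaRPT rpt = getRPTByCode(rptCode);
            if (rpt != null) {
                this.ldapEntryManager.remove(rpt);
            }
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
        }
    }

    /**
     * Attaches permissions to an RPT and merges the change into the directory.
     *
     * @param umaRPT     token to update
     * @param collection permissions to attach (may be empty)
     * @return {@code true} on success or when there is nothing to add
     */
    public boolean addPermissionToRPT(UmaRPT umaRPT, Collection<UmaPermission> collection) {
        return addPermissionToRPT(umaRPT, collection.toArray(new UmaPermission[collection.size()]));
    }

    /**
     * Attaches permissions to an RPT and merges the change into the directory.
     * New permission DNs are placed ahead of the ones already on the token; no
     * de-duplication is performed (unchanged from the previous behaviour).
     *
     * @param umaRPT            token to update
     * @param umaPermissionArr  permissions to attach; {@code null} or empty is a no-op
     * @return {@code true} on success or when there is nothing to add, {@code false} if the merge failed
     */
    public boolean addPermissionToRPT(UmaRPT umaRPT, UmaPermission... umaPermissionArr) {
        if (ArrayUtils.isEmpty(umaPermissionArr)) {
            return true;
        }
        List<String> mergedDns = getPermissionDns(Arrays.asList(umaPermissionArr));
        List<String> existingDns = umaRPT.getPermissions();
        if (existingDns != null) {
            mergedDns.addAll(existingDns);
        }
        umaRPT.setPermissions(mergedDns);
        try {
            this.ldapEntryManager.merge(umaRPT);
            this.log.trace("Persisted RPT: {}", umaRPT);
            return true;
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
            return false;
        }
    }

    /**
     * Extracts the DN of each permission.
     *
     * @param collection permissions; {@code null} yields an empty list
     * @return mutable list of DNs in iteration order
     */
    public static List<String> getPermissionDns(Collection<UmaPermission> collection) {
        List<String> dns = new ArrayList<String>();
        if (collection != null) {
            for (UmaPermission permission : collection) {
                dns.add(permission.getDn());
            }
        }
        return dns;
    }

    /**
     * Resolves the permission entries referenced by an RPT. DNs that no longer
     * resolve are skipped; a lookup failure is logged and the permissions
     * gathered so far are returned.
     *
     * @param umaRPT token whose permission DNs are resolved; {@code null} yields an empty list
     * @return resolved permissions, never {@code null}
     */
    public List<UmaPermission> getRptPermissions(UmaRPT umaRPT) {
        List<UmaPermission> resolved = new ArrayList<UmaPermission>();
        if (umaRPT == null || umaRPT.getPermissions() == null) {
            return resolved;
        }
        try {
            for (String permissionDn : umaRPT.getPermissions()) {
                UmaPermission permission = (UmaPermission) this.ldapEntryManager.find(UmaPermission.class, permissionDn);
                if (permission != null) {
                    resolved.add(permission);
                }
            }
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
        }
        return resolved;
    }

    /**
     * Computes the expiration instant for a newly issued RPT: now plus the
     * configured {@code umaRptLifetime}, falling back to {@link #DEFAULT_RPT_LIFETIME}
     * when the configured value is zero or negative.
     *
     * @return expiration date
     */
    public Date rptExpirationDate() {
        int lifetimeSeconds = this.appConfiguration.getUmaRptLifetime();
        if (lifetimeSeconds <= 0) {
            lifetimeSeconds = DEFAULT_RPT_LIFETIME;
        }
        Calendar calendar = Calendar.getInstance();
        calendar.add(Calendar.SECOND, lifetimeSeconds);
        return calendar.getTime();
    }

    /**
     * Issues a new RPT for the client and persists it.
     *
     * <p>The token value is either a signed JWT (when the client is configured
     * with {@code rptAsJwt}) or an opaque string built from a random UUID and an
     * 8-character {@link INumGenerator} suffix.
     *
     * @param client      client the token is issued to
     * @param permissions permissions granted to the token (may be {@code null})
     * @return the new token (its not-hashed code is what the client receives)
     * @throws RuntimeException if token generation fails; note that a persistence
     *                          failure inside {@link #persist(UmaRPT)} is logged, not thrown
     */
    public UmaRPT createRPTAndPersist(Client client, List<UmaPermission> permissions) {
        try {
            Date issuedAt = new Date();
            Date expiresAt = rptExpirationDate();
            String code = client.isRptAsJwt()
                    ? createRptJwt(client, permissions, issuedAt, expiresAt)
                    : UUID.randomUUID().toString() + "_" + INumGenerator.generate(8);
            UmaRPT rpt = new UmaRPT(code, issuedAt, expiresAt, null, client.getClientId());
            rpt.setPermissions(getPermissionDns(permissions));
            persist(rpt);
            return rpt;
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
            throw new RuntimeException("Failed to generate RPT, clientId: " + client.getClientId(), e);
        }
    }

    /**
     * Merges an already-persisted RPT back into the directory.
     *
     * @param umaRPT token to merge
     */
    public void merge(UmaRPT umaRPT) {
        this.ldapEntryManager.merge(umaRPT);
    }

    /**
     * Builds and signs the JWT form of an RPT.
     *
     * <p>The signing algorithm is the server default unless the client has a
     * recognised {@code accessTokenSigningAlg}. The decrypted client secret is
     * handed to {@link JwtSigner}; presumably it backs the HMAC algorithms, so
     * a client choosing an HS* algorithm can verify (and forge) its own RPTs —
     * verify this against {@code JwtSigner} before relying on RPT integrity
     * across clients.
     *
     * <p>If the first permission carries a {@code pct} attribute and the PCT
     * resolves, its claims are embedded as {@code pct_claims}; only valid,
     * non-expired permissions are embedded as {@code permissions}.
     *
     * @param client      client the token is issued to
     * @param permissions permissions to embed (may be {@code null} or empty)
     * @param issuedAt    {@code iat} claim
     * @param expiresAt   {@code exp} claim
     * @return the compact serialised, signed JWT
     * @throws Exception on signing or serialisation failure
     */
    private String createRptJwt(Client client, List<UmaPermission> permissions, Date issuedAt, Date expiresAt) throws Exception {
        SignatureAlgorithm algorithm = SignatureAlgorithm.fromString(this.appConfiguration.getDefaultSignatureAlgorithm());
        if (client.getAccessTokenSigningAlg() != null) {
            SignatureAlgorithm clientAlgorithm = SignatureAlgorithm.fromString(client.getAccessTokenSigningAlg());
            if (clientAlgorithm != null) {
                algorithm = clientAlgorithm;
            }
        }
        JwtSigner jwtSigner = new JwtSigner(this.appConfiguration, this.webKeysConfiguration, algorithm,
                client.getClientId(), this.clientService.decryptSecret(client.getClientSecret()));
        Jwt jwt = jwtSigner.newJwt();
        jwt.getClaims().setClaim("client_id", client.getClientId());
        jwt.getClaims().setExpirationTime(expiresAt);
        jwt.getClaims().setIssuedAt(issuedAt);
        jwt.getClaims().setAudience(client.getClientId());
        if (permissions != null && !permissions.isEmpty()) {
            UmaPermission firstPermission = permissions.get(0);
            // Guard against a permission without attributes; the previous code dereferenced it unconditionally.
            String pctCode = firstPermission.getAttributes() != null
                    ? (String) firstPermission.getAttributes().get(PCT_ATTRIBUTE)
                    : null;
            if (StringHelper.isNotEmpty(pctCode)) {
                UmaPCT pct = this.pctService.getByCode(pctCode);
                if (pct != null) {
                    jwt.getClaims().setClaim("pct_claims", pct.getClaims().toJsonObject());
                } else {
                    // Do not log the PCT value itself; the permission DN is enough to trace the issue.
                    this.log.error("Failed to find PCT referenced by permission object: {}", firstPermission.getDn());
                }
            }
            jwt.getClaims().setClaim("permissions", buildPermissionsJSONObject(permissions));
        }
        return jwtSigner.sign().toString();
    }

    /**
     * Converts the valid, non-expired permissions to their API representation
     * and serialises them as a JSON array.
     *
     * @param permissions permissions to convert; {@code null} yields an empty array
     * @return JSON array of converted permissions
     * @throws IOException   if serialisation fails
     * @throws JSONException if the serialised text is not a JSON array
     */
    public JSONArray buildPermissionsJSONObject(List<UmaPermission> permissions) throws IOException, JSONException {
        List<org.gluu.oxauth.model.uma.UmaPermission> converted = new ArrayList<org.gluu.oxauth.model.uma.UmaPermission>();
        if (permissions != null) {
            for (UmaPermission permission : permissions) {
                // checkExpired() runs before isValid() so expiry is reflected in the validity check.
                permission.checkExpired();
                if (!permission.isValid()) {
                    this.log.debug("Ignore permission, skip it in response because permission is not valid. Permission dn: {}", permission.getDn());
                    continue;
                }
                org.gluu.oxauth.model.uma.UmaPermission dto = ServerUtil.convert(permission, this.umaScopeService);
                if (dto != null) {
                    converted.add(dto);
                }
            }
        }
        return new JSONArray(ServerUtil.asJson(converted));
    }

    /**
     * Creates the {@code ou=uma_rpt} branch. Persistence failures propagate.
     */
    public void addBranch() {
        SimpleBranch branch = new SimpleBranch();
        branch.setOrganizationalUnitName(ORGUNIT_OF_RPT);
        branch.setDn(branchDn());
        this.ldapEntryManager.persist(branch);
    }

    /**
     * Ensures the RPT branch exists, consulting the cached flag before the
     * directory so repeated calls do not cost a lookup each time.
     */
    public void addBranchIfNeeded() {
        if (this.containsBranch) {
            return;
        }
        if (!containsBranch()) {
            addBranch();
        }
        // Reached only if the branch was found or just created successfully.
        this.containsBranch = true;
    }

    /**
     * @return whether the RPT branch currently exists in the directory
     */
    public boolean containsBranch() {
        return this.ldapEntryManager.contains(branchDn(), SimpleBranch.class);
    }
}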
