package org.gluu.oxauth.authorize.ws.rs;

import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import java.net.URI;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Path;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.gluu.oxauth.audit.ApplicationAuditLogger;
import org.gluu.oxauth.ciba.CIBAPingCallbackService;
import org.gluu.oxauth.ciba.CIBAPushTokenDeliveryService;
import org.gluu.oxauth.model.audit.Action;
import org.gluu.oxauth.model.audit.OAuth2AuditLog;
import org.gluu.oxauth.model.authorize.AuthorizeErrorResponseType;
import org.gluu.oxauth.model.authorize.AuthorizeParamsValidator;
import org.gluu.oxauth.model.authorize.Claim;
import org.gluu.oxauth.model.authorize.IdTokenMember;
import org.gluu.oxauth.model.authorize.JwtAuthorizationRequest;
import org.gluu.oxauth.model.authorize.ScopeChecker;
import org.gluu.oxauth.model.common.AbstractAuthorizationGrant;
import org.gluu.oxauth.model.common.AccessToken;
import org.gluu.oxauth.model.common.AuthorizationCode;
import org.gluu.oxauth.model.common.AuthorizationGrantList;
import org.gluu.oxauth.model.common.BackchannelTokenDeliveryMode;
import org.gluu.oxauth.model.common.CIBAGrant;
import org.gluu.oxauth.model.common.CibaRequestCacheControl;
import org.gluu.oxauth.model.common.CibaRequestStatus;
import org.gluu.oxauth.model.common.DeviceAuthorizationCacheControl;
import org.gluu.oxauth.model.common.DeviceAuthorizationStatus;
import org.gluu.oxauth.model.common.ExecutionContext;
import org.gluu.oxauth.model.common.GrantType;
import org.gluu.oxauth.model.common.IdToken;
import org.gluu.oxauth.model.common.Prompt;
import org.gluu.oxauth.model.common.RefreshToken;
import org.gluu.oxauth.model.common.ResponseMode;
import org.gluu.oxauth.model.common.ResponseType;
import org.gluu.oxauth.model.common.SessionId;
import org.gluu.oxauth.model.common.SessionIdState;
import org.gluu.oxauth.model.common.User;
import org.gluu.oxauth.model.config.ConfigurationFactory;
import org.gluu.oxauth.model.config.Constants;
import org.gluu.oxauth.model.configuration.AppConfiguration;
import org.gluu.oxauth.model.crypto.AbstractCryptoProvider;
import org.gluu.oxauth.model.crypto.binding.TokenBindingMessage;
import org.gluu.oxauth.model.error.ErrorResponseFactory;
import org.gluu.oxauth.model.exception.AcrChangedException;
import org.gluu.oxauth.model.exception.InvalidSessionStateException;
import org.gluu.oxauth.model.ldap.ClientAuthorization;
import org.gluu.oxauth.model.registration.Client;
import org.gluu.oxauth.model.token.JwrService;
import org.gluu.oxauth.model.util.Util;
import org.gluu.oxauth.security.Identity;
import org.gluu.oxauth.service.AuthenticationFilterService;
import org.gluu.oxauth.service.ClientAuthorizationsService;
import org.gluu.oxauth.service.ClientService;
import org.gluu.oxauth.service.CookieService;
import org.gluu.oxauth.service.DeviceAuthorizationService;
import org.gluu.oxauth.service.RedirectUriResponse;
import org.gluu.oxauth.service.RequestParameterService;
import org.gluu.oxauth.service.SessionIdService;
import org.gluu.oxauth.service.UserService;
import org.gluu.oxauth.service.ciba.CibaRequestService;
import org.gluu.oxauth.service.external.ExternalPostAuthnService;
import org.gluu.oxauth.service.external.context.ExternalPostAuthnContext;
import org.gluu.oxauth.service.external.session.SessionEvent;
import org.gluu.oxauth.service.external.session.SessionEventType;
import org.gluu.oxauth.util.QueryStringDecoder;
import org.gluu.oxauth.util.RedirectUri;
import org.gluu.oxauth.util.RedirectUtil;
import org.gluu.oxauth.util.ServerUtil;
import org.gluu.persist.exception.EntryPersistenceException;
import org.gluu.util.StringHelper;
import org.slf4j.Logger;

@Path("/")
/* loaded from: input_file:org/gluu/oxauth/authorize/ws/rs/AuthorizeRestWebServiceImpl.class */
public class AuthorizeRestWebServiceImpl implements AuthorizeRestWebService {

    // All collaborators below are container-injected and only read afterwards.
    // Field and parameter names throughout this class are decompiler-generated.

    // Diagnostics. requestAuthorization logs request parameters (including the
    // session_id and the request-object/JWT values) at DEBUG, so DEBUG logs from
    // this class are sensitive and should not be enabled in production.
    @Inject
    private Logger log;

    // Receives the OAuth2AuditLog built for each authorization attempt
    // (sendMessage on every error and success exit).
    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    // Produces the OAuth error payloads (JSON entity or redirect query string).
    @Inject
    private ErrorResponseFactory errorResponseFactory;

    // Creates authorization-code and implicit grants once the request is approved.
    @Inject
    private AuthorizationGrantList authorizationGrantList;

    // Used to bump the client's last-access time after a response is built.
    @Inject
    private ClientService clientService;

    // Resolves the User entry by DN after a filter-based authentication.
    @Inject
    private UserService userService;

    // Identity of the current request: supplies the SessionId and logout().
    @Inject
    private Identity identity;

    // Optional authentication filters, consulted only when no user session exists.
    @Inject
    private AuthenticationFilterService authenticationFilterService;

    // Session lookup, creation, update and session_state computation.
    @Inject
    private SessionIdService sessionIdService;

    // Writes the session_id cookie. NOTE: package-private, unlike every other
    // collaborator here — presumably for test access; confirm before narrowing.
    @Inject
    CookieService cookieService;

    // Applies the client's scope policy to the requested scopes (checkScopesPolicy).
    @Inject
    private ScopeChecker scopeChecker;

    // Lookup and clearing of the persisted per-user client authorizations (consent).
    @Inject
    private ClientAuthorizationsService clientAuthorizationsService;

    // Extracts custom / allowed request parameters from the query string, the
    // generic request map, or the parsed request object.
    @Inject
    private RequestParameterService requestParameterService;

    // Server configuration flags read here: FAPI compatibility, supported grant
    // types, legacy id_token claims, custom response headers.
    @Inject
    private AppConfiguration appConfiguration;

    /* renamed from: сonfigurationFactory, reason: contains not printable characters */
    // The original field name started with a non-ASCII look-alike character, so
    // the decompiler renamed it. Not referenced in the part of the class shown here.
    @Inject
    private ConfigurationFactory f0onfigurationFactory;

    // Crypto provider handed to JwtAuthorizationRequest.createJwtRequest for
    // request-object verification.
    @Inject
    private AbstractCryptoProvider cryptoProvider;

    // Validates client, redirect_uri, request object, prompts/nonce/state and authn max_age.
    @Inject
    private AuthorizeRestWebServiceValidator authorizeRestWebServiceValidator;

    // CIBA token delivery (push / ping callbacks). Not referenced in the part of
    // the class shown here; likely used by runCiba — confirm.
    @Inject
    private CIBAPushTokenDeliveryService cibaPushTokenDeliveryService;

    @Inject
    private CIBAPingCallbackService cibaPingCallbackService;

    // Post-authentication scripts that can force re-authentication or force the
    // authorization (consent) page.
    @Inject
    private ExternalPostAuthnService externalPostAuthnService;

    // CIBA compatibility check for the client (hasCibaCompatibility).
    @Inject
    private CibaRequestService cibaRequestService;

    // Device-flow user_code retrieved from the session (getUserCodeFromSession).
    @Inject
    private DeviceAuthorizationService deviceAuthorizationService;

    // JAX-RS injected request. The methods visible here use their
    // HttpServletRequest parameter instead, so this field is presumably used
    // further down the class — verify.
    @Context
    private HttpServletRequest servletRequest;

    /**
     * GET entry point of the authorization endpoint.
     *
     * <p>Pure delegation: every argument is forwarded unchanged to
     * {@code requestAuthorization}, with the literal HTTP method {@code "GET"}
     * inserted after {@code str18}. The callee uses that value to decide whether
     * to read parameters from the query string (GET) or from the generic request
     * map. Parameter names are decompiler-generated; the callee's debug logging
     * maps them as scope={@code str}, responseType={@code str2},
     * clientId={@code str3}, redirectUri={@code str4}, state={@code str5},
     * nonce={@code str7}, acrValues={@code str13}, request={@code str15},
     * sessionId={@code str18}. The trailing {@code str24} fills the callee's
     * last string slot, which the POST variant leaves {@code null}.
     *
     * @return the response produced by {@code requestAuthorization}
     */
    @Override // org.gluu.oxauth.authorize.ws.rs.AuthorizeRestWebService
    public Response requestAuthorizationGet(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, String str9, Integer num, String str10, String str11, String str12, String str13, String str14, String str15, String str16, String str17, String str18, String str19, String str20, String str21, String str22, String str23, String str24, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityContext securityContext) {
        final String httpMethod = "GET";
        return requestAuthorization(
                str, str2, str3, str4, str5, str6, str7, str8, str9, num,
                str10, str11, str12, str13, str14, str15, str16, str17, str18,
                httpMethod,
                str19, str20, str21, str22, str23, str24,
                httpServletRequest, httpServletResponse, securityContext);
    }

    /**
     * POST entry point of the authorization endpoint.
     *
     * <p>Pure delegation to {@code requestAuthorization} with the literal HTTP
     * method {@code "POST"} inserted after {@code str18}; the callee uses that
     * value to read parameters from the generic request map rather than the
     * query string. This variant takes one string parameter fewer than the GET
     * variant, so the callee's last string slot is passed as {@code null}.
     * Parameter names are decompiler-generated; see the GET variant for the
     * mapping the callee's debug logging implies.
     *
     * @return the response produced by {@code requestAuthorization}
     */
    @Override // org.gluu.oxauth.authorize.ws.rs.AuthorizeRestWebService
    public Response requestAuthorizationPost(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, String str9, Integer num, String str10, String str11, String str12, String str13, String str14, String str15, String str16, String str17, String str18, String str19, String str20, String str21, String str22, String str23, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityContext securityContext) {
        final String httpMethod = "POST";
        final String absentTrailingParam = null;
        return requestAuthorization(
                str, str2, str3, str4, str5, str6, str7, str8, str9, num,
                str10, str11, str12, str13, str14, str15, str16, str17, str18,
                httpMethod,
                str19, str20, str21, str22, str23, absentTrailingParam,
                httpServletRequest, httpServletResponse, securityContext);
    }

    private Response requestAuthorization(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, String str9, Integer num, String str10, String str11, String str12, String str13, String str14, String str15, String str16, String str17, String str18, String str19, String str20, String str21, String str22, String str23, String str24, String str25, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityContext securityContext) {
        Response.ResponseBuilder type;
        Map jsonObjectArrayStringAsMap;
        Client validateClient;
        String userCodeFromSession;
        String validateRedirectUri;
        RedirectUriResponse redirectUriResponse;
        Set<String> checkScopesPolicy;
        JwtAuthorizationRequest jwtAuthorizationRequest;
        String urlDecode = ServerUtil.urlDecode(str);
        String header = httpServletRequest.getHeader("Sec-Token-Binding");
        OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpServletRequest), Action.USER_AUTHORIZATION);
        oAuth2AuditLog.setClientId(str3);
        oAuth2AuditLog.setScope(urlDecode);
        this.log.debug("Attempting to request authorization: responseType = {}, clientId = {}, scope = {}, redirectUri = {}, nonce = {}, state = {}, request = {}, isSecure = {}, requestSessionId = {}, sessionId = {}", new Object[]{str2, str3, urlDecode, str4, str7, str5, str15, Boolean.valueOf(securityContext.isSecure()), str17, str18});
        this.log.debug("Attempting to request authorization: acrValues = {}, amrValues = {}, originHeaders = {}, codeChallenge = {}, codeChallengeMethod = {}, customRespHeaders = {}, claims = {}, tokenBindingHeader = {}", new Object[]{str13, str14, str20, str21, str22, str23, str24, header});
        Response.ok();
        List<String> splittedStringAsList = Util.splittedStringAsList(str10, " ");
        List<ResponseType> fromString = ResponseType.fromString(str2, " ");
        List<Prompt> fromString2 = Prompt.fromString(str9, " ");
        List<String> splittedStringAsList2 = Util.splittedStringAsList(str13, " ");
        List<String> splittedStringAsList3 = Util.splittedStringAsList(str14, " ");
        ResponseMode byValue = ResponseMode.getByValue(str6);
        Map<String, String> customParameters = this.requestParameterService.getCustomParameters(QueryStringDecoder.decode(httpServletRequest.getQueryString()));
        SessionId sessionId = this.identity.getSessionId();
        User user = this.sessionIdService.getUser(sessionId);
        try {
            jsonObjectArrayStringAsMap = Util.jsonObjectArrayStringAsMap(str23);
            updateSessionForROPC(httpServletRequest, sessionId);
            validateClient = this.authorizeRestWebServiceValidator.validateClient(str3, str5);
            userCodeFromSession = this.deviceAuthorizationService.getUserCodeFromSession(httpServletRequest);
            validateRedirectUri = this.authorizeRestWebServiceValidator.validateRedirectUri(validateClient, str4, str5, userCodeFromSession, httpServletRequest);
            checkAcrChanged(str13, fromString2, sessionId);
            redirectUriResponse = new RedirectUriResponse(new RedirectUri(validateRedirectUri, fromString, byValue), str5, httpServletRequest, this.errorResponseFactory);
            redirectUriResponse.setFapiCompatible(this.appConfiguration.getFapiCompatibility().booleanValue());
            checkScopesPolicy = this.scopeChecker.checkScopesPolicy(validateClient, urlDecode);
            jwtAuthorizationRequest = null;
            if (StringUtils.isNotBlank(str15) || StringUtils.isNotBlank(str16)) {
                try {
                    jwtAuthorizationRequest = JwtAuthorizationRequest.createJwtRequest(str15, str16, validateClient, redirectUriResponse, this.cryptoProvider, this.appConfiguration);
                    if (jwtAuthorizationRequest == null) {
                        throw createInvalidJwtRequestException(redirectUriResponse, "Failed to parse jwt.");
                    }
                    if (StringUtils.isNotBlank(jwtAuthorizationRequest.getState())) {
                        str5 = jwtAuthorizationRequest.getState();
                        redirectUriResponse.setState(str5);
                    }
                    if (this.appConfiguration.getFapiCompatibility().booleanValue() && StringUtils.isBlank(jwtAuthorizationRequest.getState())) {
                        str5 = "";
                        redirectUriResponse.setState("");
                    }
                    this.authorizeRestWebServiceValidator.validateRequestObject(jwtAuthorizationRequest, redirectUriResponse);
                    if (!jwtAuthorizationRequest.getResponseTypes().containsAll(fromString) || !fromString.containsAll(jwtAuthorizationRequest.getResponseTypes())) {
                        throw createInvalidJwtRequestException(redirectUriResponse, "The responseType parameter is not the same in the JWT");
                    }
                    if (StringUtils.isBlank(jwtAuthorizationRequest.getClientId()) || !jwtAuthorizationRequest.getClientId().equals(str3)) {
                        throw createInvalidJwtRequestException(redirectUriResponse, "The clientId parameter is not the same in the JWT");
                    }
                    if (!jwtAuthorizationRequest.getScopes().isEmpty()) {
                        if (!checkScopesPolicy.contains(Constants.OX_AUTH_SCOPE_TYPE_OPENID)) {
                            throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_SCOPE, str5, "scope parameter does not contain openid value which is required.")).build());
                        }
                        checkScopesPolicy = this.scopeChecker.checkScopesPolicy(validateClient, Lists.newArrayList(jwtAuthorizationRequest.getScopes()));
                    }
                    if (jwtAuthorizationRequest.getRedirectUri() != null && !jwtAuthorizationRequest.getRedirectUri().equals(validateRedirectUri)) {
                        throw createInvalidJwtRequestException(redirectUriResponse, "The redirect_uri parameter is not the same in the JWT");
                    }
                    if (StringUtils.isNotBlank(jwtAuthorizationRequest.getNonce())) {
                        str7 = jwtAuthorizationRequest.getNonce();
                    }
                    if (jwtAuthorizationRequest.getDisplay() != null && StringUtils.isNotBlank(jwtAuthorizationRequest.getDisplay().getParamName())) {
                        str8 = jwtAuthorizationRequest.getDisplay().getParamName();
                    }
                    if (!jwtAuthorizationRequest.getPrompts().isEmpty()) {
                        fromString2 = Lists.newArrayList(jwtAuthorizationRequest.getPrompts());
                    }
                    IdTokenMember idTokenMember = jwtAuthorizationRequest.getIdTokenMember();
                    if (idTokenMember != null) {
                        if (idTokenMember.getMaxAge() != null) {
                            num = idTokenMember.getMaxAge();
                        }
                        Claim claim = idTokenMember.getClaim("acr");
                        if (claim != null && claim.getClaimValue() != null) {
                            str13 = claim.getClaimValue().getValueAsString();
                            splittedStringAsList2 = Util.splittedStringAsList(str13, " ");
                        }
                        Claim claim2 = idTokenMember.getClaim("sub");
                        if (claim2 != null && claim2.getClaimValue() != null && claim2.getClaimValue().getValue() != null) {
                            String value = claim2.getClaimValue().getValue();
                            if (user != null && !user.getUserId().equalsIgnoreCase(value)) {
                                Response.ResponseBuilder createErrorBuilder = redirectUriResponse.createErrorBuilder(AuthorizeErrorResponseType.USER_MISMATCHED);
                                this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
                                return createErrorBuilder.build();
                            }
                        }
                    }
                    this.requestParameterService.getCustomParameters(jwtAuthorizationRequest, customParameters);
                } catch (WebApplicationException e) {
                    throw e;
                } catch (Exception e2) {
                    this.log.error("Invalid JWT authorization request. Message : " + e2.getMessage(), e2);
                    throw createInvalidJwtRequestException(redirectUriResponse, "Invalid JWT authorization request");
                }
            }
            if (!this.cibaRequestService.hasCibaCompatibility(validateClient)) {
                if (this.appConfiguration.getFapiCompatibility().booleanValue() && jwtAuthorizationRequest == null) {
                    throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST);
                }
                this.authorizeRestWebServiceValidator.validateRequestJwt(str15, str16, redirectUriResponse);
            }
            this.authorizeRestWebServiceValidator.validate(fromString, fromString2, str7, str5, validateRedirectUri, httpServletRequest, validateClient, byValue);
            if (CollectionUtils.isEmpty(splittedStringAsList2) && !ArrayUtils.isEmpty(validateClient.getDefaultAcrValues())) {
                splittedStringAsList2 = Lists.newArrayList(validateClient.getDefaultAcrValues());
            }
            if (checkScopesPolicy.contains("offline_access") && !validateClient.getTrustedClient()) {
                if (!fromString.contains(ResponseType.CODE)) {
                    this.log.trace("Removed (ignored) offline_scope. Can't find `code` in response_type which is required.");
                    checkScopesPolicy.remove("offline_access");
                }
                if (checkScopesPolicy.contains("offline_access") && !fromString2.contains(Prompt.CONSENT)) {
                    this.log.error("Removed offline_access. Can't find prompt=consent. Consent is required for offline_access.");
                    checkScopesPolicy.remove("offline_access");
                }
            }
        } catch (AcrChangedException e3) {
            this.log.error("ACR is changed, please provide a supported and enabled acr value");
            this.log.error(e3.getMessage(), e3);
            RedirectUri redirectUri = new RedirectUri(str4, fromString, byValue);
            redirectUri.parseQueryString(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.SESSION_SELECTION_REQUIRED, str5));
            redirectUri.addResponseParameter("hint", "Use prompt=login in order to alter existing session.");
            this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
            return RedirectUtil.getRedirectResponseBuilder(redirectUri, httpServletRequest).build();
        } catch (InvalidSessionStateException e4) {
            throw e4;
        } catch (Exception e5) {
            type = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
            this.log.error(e5.getMessage(), e5);
        } catch (WebApplicationException e6) {
            this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
            this.log.error(e6.getMessage(), e6);
            throw e6;
        } catch (EntryPersistenceException e7) {
            type = Response.status(Response.Status.UNAUTHORIZED.getStatusCode()).entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, str5, "")).type(MediaType.APPLICATION_JSON_TYPE);
            this.log.error(e7.getMessage(), e7);
        }
        if (!(AuthorizeParamsValidator.validateResponseTypes(fromString, validateClient) && AuthorizeParamsValidator.validateGrantType(fromString, validateClient.getGrantTypes(), this.appConfiguration.getGrantTypesSupported()))) {
            throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.UNSUPPORTED_RESPONSE_TYPE, str5, "")).build());
        }
        AbstractAuthorizationGrant abstractAuthorizationGrant = null;
        if (user == null) {
            this.identity.logout();
            if (!fromString2.contains(Prompt.NONE)) {
                if (fromString2.contains(Prompt.LOGIN)) {
                    unauthenticateSession(str18, httpServletRequest);
                    str18 = null;
                    fromString2.remove(Prompt.LOGIN);
                }
                return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), fromString, urlDecode, str3, validateRedirectUri, str5, byValue, str7, str8, fromString2, num, splittedStringAsList, str11, str12, splittedStringAsList2, splittedStringAsList3, str15, str16, str20, str21, str22, str18, str24, str25, customParameters, oAuth2AuditLog, httpServletRequest);
            }
            if (!this.authenticationFilterService.isEnabled()) {
                Response.ResponseBuilder createErrorBuilder2 = redirectUriResponse.createErrorBuilder(AuthorizeErrorResponseType.LOGIN_REQUIRED);
                this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
                return createErrorBuilder2.build();
            }
            String processAuthenticationFilters = this.authenticationFilterService.processAuthenticationFilters(str19.equals("GET") ? QueryStringDecoder.decode(httpServletRequest.getQueryString()) : getGenericRequestMap(httpServletRequest));
            if (processAuthenticationFilters == null) {
                Response.ResponseBuilder createErrorBuilder3 = redirectUriResponse.createErrorBuilder(AuthorizeErrorResponseType.LOGIN_REQUIRED);
                this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
                return createErrorBuilder3.build();
            }
            Map<String, String> allowedParameters = this.requestParameterService.getAllowedParameters(Maps.newHashMap(getGenericRequestMap(httpServletRequest)));
            sessionId = this.sessionIdService.generateAuthenticatedSessionId(httpServletRequest, processAuthenticationFilters, str9);
            sessionId.setSessionAttributes(allowedParameters);
            this.cookieService.createSessionIdCookie(sessionId, httpServletRequest, httpServletResponse, false);
            this.sessionIdService.updateSessionId(sessionId);
            user = this.userService.getUserByDn(sessionId.getUserDn(), new String[0]);
        }
        if (!this.authorizeRestWebServiceValidator.validateAuthnMaxAge(num, sessionId, validateClient)) {
            unauthenticateSession(str18, httpServletRequest);
            return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), fromString, urlDecode, str3, validateRedirectUri, str5, byValue, str7, str8, fromString2, num, splittedStringAsList, str11, str12, splittedStringAsList2, splittedStringAsList3, str15, str16, str20, str21, str22, null, str24, str25, customParameters, oAuth2AuditLog, httpServletRequest);
        }
        oAuth2AuditLog.setUsername(user.getUserId());
        ExternalPostAuthnContext externalPostAuthnContext = new ExternalPostAuthnContext(validateClient, sessionId, httpServletRequest, httpServletResponse);
        if (this.externalPostAuthnService.externalForceReAuthentication(validateClient, externalPostAuthnContext)) {
            unauthenticateSession(str18, httpServletRequest);
            return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), fromString, urlDecode, str3, validateRedirectUri, str5, byValue, str7, str8, fromString2, num, splittedStringAsList, str11, str12, splittedStringAsList2, splittedStringAsList3, str15, str16, str20, str21, str22, null, str24, str25, customParameters, oAuth2AuditLog, httpServletRequest);
        }
        if (this.externalPostAuthnService.externalForceAuthorization(validateClient, externalPostAuthnContext)) {
            return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), fromString, urlDecode, str3, validateRedirectUri, str5, byValue, str7, str8, fromString2, num, splittedStringAsList, str11, str12, splittedStringAsList2, splittedStringAsList3, str15, str16, str20, str21, str22, str18, str24, str25, customParameters, oAuth2AuditLog, httpServletRequest);
        }
        ClientAuthorization clientAuthorization = null;
        boolean z = false;
        if (checkScopesPolicy.size() > 0) {
            if (fromString2.contains(Prompt.CONSENT)) {
                return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), fromString, urlDecode, str3, validateRedirectUri, str5, byValue, str7, str8, fromString2, num, splittedStringAsList, str11, str12, splittedStringAsList2, splittedStringAsList3, str15, str16, str20, str21, str22, str18, str24, str25, customParameters, oAuth2AuditLog, httpServletRequest);
            }
            if (validateClient.getTrustedClient()) {
                sessionId.addPermission(str3, true);
                this.sessionIdService.updateSessionId(sessionId);
            } else {
                clientAuthorization = this.clientAuthorizationsService.find(user.getAttribute("inum"), validateClient.getClientId());
                z = true;
                if (clientAuthorization != null && clientAuthorization.getScopes() != null) {
                    this.log.trace("ClientAuthorization - scope: " + urlDecode + ", dn: " + clientAuthorization.getDn() + ", requestedScope: " + checkScopesPolicy);
                    if (!Arrays.asList(clientAuthorization.getScopes()).containsAll(checkScopesPolicy)) {
                        return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), fromString, urlDecode, str3, validateRedirectUri, str5, byValue, str7, str8, fromString2, num, splittedStringAsList, str11, str12, splittedStringAsList2, splittedStringAsList3, str15, str16, str20, str21, str22, str18, str24, str25, customParameters, oAuth2AuditLog, httpServletRequest);
                    }
                    sessionId.addPermission(str3, true);
                    this.sessionIdService.updateSessionId(sessionId);
                }
            }
        }
        if (fromString2.contains(Prompt.LOGIN)) {
            if (this.identity.getSessionId().getState() == SessionIdState.AUTHENTICATED) {
                unauthenticateSession(str18, httpServletRequest);
            }
            fromString2.remove(Prompt.LOGIN);
            return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), fromString, urlDecode, str3, validateRedirectUri, str5, byValue, str7, str8, fromString2, num, splittedStringAsList, str11, str12, splittedStringAsList2, splittedStringAsList3, str15, str16, str20, str21, str22, null, str24, str25, customParameters, oAuth2AuditLog, httpServletRequest);
        }
        if (fromString2.contains(Prompt.CONSENT) || !sessionId.isPermissionGrantedForClient(str3).booleanValue()) {
            if (!z) {
                clientAuthorization = this.clientAuthorizationsService.find(user.getAttribute("inum"), validateClient.getClientId());
            }
            this.clientAuthorizationsService.clearAuthorizations(clientAuthorization, validateClient.getPersistClientAuthorizations());
            fromString2.remove(Prompt.CONSENT);
            return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), fromString, urlDecode, str3, validateRedirectUri, str5, byValue, str7, str8, fromString2, num, splittedStringAsList, str11, str12, splittedStringAsList2, splittedStringAsList3, str15, str16, str20, str21, str22, str18, str24, str25, customParameters, oAuth2AuditLog, httpServletRequest);
        }
        if (fromString2.contains(Prompt.SELECT_ACCOUNT)) {
            return redirectToSelectAccountPage(redirectUriResponse.getRedirectUri(), fromString, urlDecode, str3, validateRedirectUri, str5, byValue, str7, str8, fromString2, num, splittedStringAsList, str11, str12, splittedStringAsList2, splittedStringAsList3, str15, str16, str20, str21, str22, str18, str24, str25, customParameters, oAuth2AuditLog, httpServletRequest);
        }
        AuthorizationCode authorizationCode = null;
        if (fromString.contains(ResponseType.CODE)) {
            abstractAuthorizationGrant = this.authorizationGrantList.createAuthorizationCodeGrant(user, validateClient, sessionId.getAuthenticationTime());
            abstractAuthorizationGrant.setNonce(str7);
            abstractAuthorizationGrant.setJwtAuthorizationRequest(jwtAuthorizationRequest);
            abstractAuthorizationGrant.setTokenBindingHash(TokenBindingMessage.getTokenBindingIdHashFromTokenBindingMessage(header, validateClient.getIdTokenTokenBindingCnf()));
            abstractAuthorizationGrant.setScopes(checkScopesPolicy);
            abstractAuthorizationGrant.setCodeChallenge(str21);
            abstractAuthorizationGrant.setCodeChallengeMethod(str22);
            abstractAuthorizationGrant.setClaims(str24);
            abstractAuthorizationGrant.setAcrValues(getAcrForGrant(str13, sessionId));
            abstractAuthorizationGrant.setSessionDn(sessionId.getDn());
            abstractAuthorizationGrant.save();
            authorizationCode = abstractAuthorizationGrant.getAuthorizationCode();
            redirectUriResponse.getRedirectUri().addResponseParameter("code", authorizationCode.getCode());
        }
        AccessToken accessToken = null;
        if (fromString.contains(ResponseType.TOKEN)) {
            if (abstractAuthorizationGrant == null) {
                abstractAuthorizationGrant = this.authorizationGrantList.createImplicitGrant(user, validateClient, sessionId.getAuthenticationTime());
                abstractAuthorizationGrant.setNonce(str7);
                abstractAuthorizationGrant.setJwtAuthorizationRequest(jwtAuthorizationRequest);
                abstractAuthorizationGrant.setScopes(checkScopesPolicy);
                abstractAuthorizationGrant.setClaims(str24);
                abstractAuthorizationGrant.setAcrValues(getAcrForGrant(str13, sessionId));
                abstractAuthorizationGrant.setSessionDn(sessionId.getDn());
                abstractAuthorizationGrant.save();
            }
            accessToken = abstractAuthorizationGrant.createAccessToken(httpServletRequest.getHeader("X-ClientCert"), new ExecutionContext(httpServletRequest, httpServletResponse));
            redirectUriResponse.getRedirectUri().addResponseParameter("access_token", accessToken.getCode());
            redirectUriResponse.getRedirectUri().addResponseParameter("token_type", accessToken.getTokenType().toString());
            redirectUriResponse.getRedirectUri().addResponseParameter("expires_in", accessToken.getExpiresIn() + "");
        }
        if (fromString.contains(ResponseType.ID_TOKEN)) {
            boolean equals = Boolean.TRUE.equals(this.appConfiguration.getLegacyIdTokenClaims());
            if (abstractAuthorizationGrant == null) {
                equals = true;
                abstractAuthorizationGrant = this.authorizationGrantList.createImplicitGrant(user, validateClient, sessionId.getAuthenticationTime());
                abstractAuthorizationGrant.setNonce(str7);
                abstractAuthorizationGrant.setJwtAuthorizationRequest(jwtAuthorizationRequest);
                abstractAuthorizationGrant.setScopes(checkScopesPolicy);
                abstractAuthorizationGrant.setClaims(str24);
                abstractAuthorizationGrant.setAcrValues(getAcrForGrant(str13, sessionId));
                abstractAuthorizationGrant.setSessionDn(sessionId.getDn());
                abstractAuthorizationGrant.save();
            }
            redirectUriResponse.getRedirectUri().addResponseParameter("id_token", abstractAuthorizationGrant.createIdToken(str7, authorizationCode, accessToken, null, str5, abstractAuthorizationGrant, equals, JwrService.wrapWithSidFunction(TokenBindingMessage.createIdTokenTokingBindingPreprocessing(header, validateClient.getIdTokenTokenBindingCnf()), sessionId.getOutsideSid())).getCode());
        }
        if (abstractAuthorizationGrant != null && StringHelper.isNotEmpty(str13) && !this.appConfiguration.getFapiCompatibility().booleanValue()) {
            redirectUriResponse.getRedirectUri().addResponseParameter("acr_values", str13);
        }
        if (sessionId.getId() == null) {
            String id = this.sessionIdService.generateAuthenticatedSessionId(httpServletRequest, sessionId.getUserDn(), str9).getId();
            sessionId.setId(id);
            this.log.trace("newSessionId = {}", id);
        }
        if (!this.appConfiguration.getFapiCompatibility().booleanValue()) {
            redirectUriResponse.getRedirectUri().addResponseParameter(CookieService.SESSION_ID_COOKIE_NAME, sessionId.getId());
        }
        redirectUriResponse.getRedirectUri().addResponseParameter("sid", sessionId.getOutsideSid());
        redirectUriResponse.getRedirectUri().addResponseParameter("session_state", this.sessionIdService.computeSessionState(sessionId, str3, validateRedirectUri));
        redirectUriResponse.getRedirectUri().addResponseParameter("state", str5);
        if (urlDecode != null && !urlDecode.isEmpty() && abstractAuthorizationGrant != null && !this.appConfiguration.getFapiCompatibility().booleanValue()) {
            redirectUriResponse.getRedirectUri().addResponseParameter("scope", abstractAuthorizationGrant.checkScopesPolicy(urlDecode));
        }
        this.clientService.updateAccessTime(validateClient, false);
        oAuth2AuditLog.setSuccess(true);
        type = RedirectUtil.getRedirectResponseBuilder(redirectUriResponse.getRedirectUri(), httpServletRequest);
        if (this.appConfiguration.getCustomHeadersWithAuthorizationResponse().booleanValue()) {
            for (String str26 : jsonObjectArrayStringAsMap.keySet()) {
                type.header(str26, jsonObjectArrayStringAsMap.get(str26));
            }
        }
        if (StringUtils.isNotBlank(str25)) {
            runCiba(str25, httpServletRequest, httpServletResponse);
        }
        if (StringUtils.isNotBlank(userCodeFromSession)) {
            processDeviceAuthorization(userCodeFromSession, user);
        }
        this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
        return type.build();
    }

    /**
     * Resolves the ACR to record on a newly created grant.
     *
     * <p>The ACR already stored on the authenticated session takes precedence; the value passed in
     * (the request's acr_values) is only used as a fallback when the session has none.
     *
     * @param str       fallback ACR, normally the request's acr_values
     * @param sessionId authenticated session whose ACR is consulted first
     * @return the session ACR when not blank, otherwise {@code str}
     */
    private String getAcrForGrant(String str, SessionId sessionId) {
        final String sessionAcr = this.sessionIdService.getAcr(sessionId);
        if (StringUtils.isNotBlank(sessionAcr)) {
            return sessionAcr;
        }
        return str;
    }

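    /**
     * Completes a pending CIBA (backchannel) authentication once the end-user has authorized
     * in the browser.
     *
     * <p>Looks up the cached CIBA request by {@code auth_req_id}, removes it from the cache,
     * mints refresh/access/id tokens on a new CIBA grant and then delivers them according to
     * the client's backchannel token delivery mode: PUSH sends the tokens to the client's
     * notification endpoint right away, PING only notifies the client that tokens are ready,
     * and POLL leaves the grant for the client to collect at the token endpoint.
     *
     * <p>Token values are never written to the log; only the {@code auth_req_id} is logged so
     * issuance can still be traced.
     *
     * @param str                 the {@code auth_req_id} of the CIBA request being completed
     * @param httpServletRequest  current request (source of the X-ClientCert header)
     * @param httpServletResponse current response
     */
    private void runCiba(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final CibaRequestCacheControl cibaRequest = this.cibaRequestService.getCibaRequest(str);
        if (cibaRequest == null || cibaRequest.getStatus() == CibaRequestStatus.EXPIRED) {
            this.log.trace("User responded too late and the grant {} has expired, {}", str, cibaRequest);
            return;
        }
        // Consume the cached request before minting tokens so the same auth_req_id cannot be
        // completed twice.
        this.cibaRequestService.removeCibaRequest(str);

        final CIBAGrant cibaGrant = this.authorizationGrantList.createCIBAGrant(cibaRequest);
        final RefreshToken refreshToken = cibaGrant.createRefreshToken();
        // Refresh/access tokens are bearer credentials: record that they were issued, not their value.
        this.log.debug("Issued refresh token for auth_req_id: {}", cibaGrant.getAuthReqId());
        final AccessToken accessToken = cibaGrant.createAccessToken(httpServletRequest.getHeader("X-ClientCert"), new ExecutionContext(httpServletRequest, httpServletResponse));
        this.log.debug("Issued access token for auth_req_id: {}", cibaGrant.getAuthReqId());
        final IdToken idToken = cibaGrant.createIdToken(null, null, accessToken, refreshToken, null, cibaGrant, false, null);

        // Persisted as "delivered" first; PING and POLL reset the flag below because the client
        // still has to fetch the tokens from the token endpoint.
        cibaGrant.setTokensDelivered(true);
        cibaGrant.save();
        if (cibaRequest.getClient().getBackchannelTokenDeliveryMode() == BackchannelTokenDeliveryMode.PUSH) {
            this.cibaPushTokenDeliveryService.pushTokenDelivery(cibaGrant.getAuthReqId(), cibaGrant.getClient().getBackchannelClientNotificationEndpoint(), cibaRequest.getClientNotificationToken(), accessToken.getCode(), refreshToken.getCode(), idToken.getCode(), Integer.valueOf(accessToken.getExpiresIn()));
            return;
        }
        // NOTE(review): the PUSH check reads the client from the cached request while PING/POLL read
        // it from the grant; presumably the same client object — confirm.
        final BackchannelTokenDeliveryMode grantDeliveryMode = cibaGrant.getClient().getBackchannelTokenDeliveryMode();
        if (grantDeliveryMode == BackchannelTokenDeliveryMode.PING) {
            cibaGrant.setTokensDelivered(false);
            cibaGrant.save();
            this.cibaPingCallbackService.pingCallback(cibaGrant.getAuthReqId(), cibaGrant.getClient().getBackchannelClientNotificationEndpoint(), cibaRequest.getClientNotificationToken());
        } else if (grantDeliveryMode == BackchannelTokenDeliveryMode.POLL) {
            cibaGrant.setTokensDelivered(false);
            cibaGrant.save();
        }
    }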

    /**
     * Builds the error response returned when the JWT request object is invalid.
     *
     * <p>In FAPI-compatibility mode the reason is written to the debug log only and the client
     * receives a bare {@code invalid_request_object}; otherwise the reason is included in the
     * error response.
     *
     * @param redirectUriResponse response helper that produces the redirect-based error
     * @param str                 human-readable reason the request object was rejected
     * @return the exception to throw to the JAX-RS layer
     */
    private WebApplicationException createInvalidJwtRequestException(RedirectUriResponse redirectUriResponse, String str) {
        final boolean fapiMode = this.appConfiguration.getFapiCompatibility().booleanValue();
        if (fapiMode) {
            // Keep the detail server-side so the error sent to the client carries no validation internals.
            this.log.debug(str);
            return redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
        return redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT, str);
    }

    /**
     * Upgrades a session that was created by a Resource Owner Password Credentials grant so it
     * can serve the current authorization request.
     *
     * <p>When the session attributes mark the session as authorized via ROPC, that marker is
     * removed, the allowed parameters of the current request are copied into the session, and
     * the session is persisted. Sessions not marked this way are left untouched.
     *
     * @param httpServletRequest current authorization request
     * @param sessionId          session to update; {@code null} is ignored
     */
    private void updateSessionForROPC(HttpServletRequest httpServletRequest, SessionId sessionId) {
        if (sessionId == null) {
            return;
        }
        final String authorizedGrant = sessionId.getSessionAttributes().get(Constants.AUTHORIZED_GRANT);
        if (!StringHelper.isNotEmpty(authorizedGrant)) {
            return;
        }
        if (GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS != GrantType.fromString(authorizedGrant)) {
            return;
        }
        final Map<String, String> attributes = sessionId.getSessionAttributes();
        attributes.remove(Constants.AUTHORIZED_GRANT);
        // Only parameters on the configured allow-list are copied into the session.
        attributes.putAll(this.requestParameterService.getAllowedParameters(getGenericRequestMap(httpServletRequest)));
        this.sessionIdService.updateSessionId(sessionId, true, true, true);
    }

    /**
     * Verifies that the existing authenticated session satisfies the ACR requested now.
     *
     * <p>If the ACR changed and the session service asks for re-authentication, {@code prompt=login}
     * is added to the request's prompts (unless already present), the session is downgraded to
     * UNAUTHENTICATED, persisted, and an unauthenticated session event is published. If the
     * change does not allow forced re-authentication the exception propagates to the caller.
     *
     * @param str       ACR values of the current request
     * @param list      mutable prompt list of the request; may gain {@link Prompt#LOGIN}
     * @param sessionId the authenticated session being checked
     * @throws AcrChangedException when the ACR changed and forced re-authentication is not permitted
     */
    private void checkAcrChanged(String str, List<Prompt> list, SessionId sessionId) throws AcrChangedException {
        AcrChangedException acrChanged;
        try {
            this.sessionIdService.assertAuthenticatedSessionCorrespondsToNewRequest(sessionId, str);
            return;
        } catch (AcrChangedException e) {
            acrChanged = e;
        }
        if (!acrChanged.isForceReAuthentication()) {
            throw acrChanged;
        }
        if (list.contains(Prompt.LOGIN)) {
            // The request already forces a fresh login; nothing more to do.
            return;
        }
        this.log.info("ACR is changed, adding prompt=login to prompts");
        list.add(Prompt.LOGIN);
        // Downgrade the session so the stronger ACR must be re-established before tokens are issued.
        sessionId.setState(SessionIdState.UNAUTHENTICATED);
        sessionId.getSessionAttributes().put("prompt", org.gluu.oxauth.model.util.StringUtils.implode(list, " "));
        this.sessionIdService.persistSessionId(sessionId);
        this.sessionIdService.externalEvent(new SessionEvent(SessionEventType.UNAUTHENTICATED, sessionId));
    }

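    /**
     * Flattens the servlet parameter map to single values.
     *
     * <p>Only the first value of each multi-valued parameter is kept; repeated parameters are
     * otherwise ignored. Entries without any value are skipped instead of throwing.
     *
     * @param httpServletRequest request whose query/form parameters are read
     * @return a mutable map of parameter name to first value, never {@code null}
     */
    private Map<String, String> getGenericRequestMap(HttpServletRequest httpServletRequest) {
        final Map<String, String[]> parameters = httpServletRequest.getParameterMap();
        final Map<String, String> result = new HashMap<String, String>(parameters.size());
        for (Map.Entry<String, String[]> entry : parameters.entrySet()) {
            final String[] values = entry.getValue();
            // Containers do not hand back empty arrays, but guard instead of indexing blindly.
            if (values != null && values.length > 0) {
                result.put(entry.getKey(), values[0]);
            }
        }
        return result;
    }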

    /**
     * Redirects the browser to the server's own authorization (login/consent) page, forwarding
     * every parameter of the incoming authorization request.
     *
     * <p>Delegates to {@code redirectTo} with the {@code /authorize} page path; see that method
     * for the meaning of the individual parameters.
     */
    private Response redirectToAuthorizationPage(RedirectUri redirectUri, List<ResponseType> list, String str, String str2, String str3, String str4, ResponseMode responseMode, String str5, String str6, List<Prompt> list2, Integer num, List<String> list3, String str7, String str8, List<String> list4, List<String> list5, String str9, String str10, String str11, String str12, String str13, String str14, String str15, String str16, Map<String, String> map, OAuth2AuditLog oAuth2AuditLog, HttpServletRequest httpServletRequest) {
        final String authorizePage = "/authorize";
        return redirectTo(authorizePage, redirectUri, list, str, str2, str3, str4, responseMode, str5, str6, list2, num, list3, str7, str8, list4, list5, str9, str10, str11, str12, str13, str14, str15, str16, map, oAuth2AuditLog, httpServletRequest);
    }

    /**
     * Redirects the browser to the server's account-selection page (used for
     * {@code prompt=select_account}), forwarding every parameter of the incoming request.
     *
     * <p>Delegates to {@code redirectTo} with the {@code /selectAccount} page path; see that
     * method for the meaning of the individual parameters.
     */
    private Response redirectToSelectAccountPage(RedirectUri redirectUri, List<ResponseType> list, String str, String str2, String str3, String str4, ResponseMode responseMode, String str5, String str6, List<Prompt> list2, Integer num, List<String> list3, String str7, String str8, List<String> list4, List<String> list5, String str9, String str10, String str11, String str12, String str13, String str14, String str15, String str16, Map<String, String> map, OAuth2AuditLog oAuth2AuditLog, HttpServletRequest httpServletRequest) {
        final String selectAccountPage = "/selectAccount";
        return redirectTo(selectAccountPage, redirectUri, list, str, str2, str3, str4, responseMode, str5, str6, list2, num, list3, str7, str8, list4, list5, str9, str10, str11, str12, str13, str14, str15, str16, map, oAuth2AuditLog, httpServletRequest);
    }

    /**
     * Builds a redirect to one of the server's internal pages (e.g. {@code /authorize} or
     * {@code /selectAccount}), carrying the original authorization request parameters in the
     * query string so the page can resume the flow.
     *
     * <p>The base URI is the configured issuer plus the servlet context path, the page path and
     * the Faces mapping; the response mode is forced to {@code query}. Parameters are appended
     * in a fixed order and blank values are skipped. The audit log entry is sent before the
     * response is returned.
     *
     * @param str                the page path appended to the context path
     * @param redirectUri        redirect target that is mutated and then rendered
     * @param list               response_type values
     * @param str2               scope
     * @param str3               client_id
     * @param str4               redirect_uri of the client
     * @param str5               state
     * @param responseMode       requested response_mode, may be null
     * @param str6               nonce
     * @param str7               display
     * @param list2              prompt values
     * @param num                max_age, may be null
     * @param list3              ui_locales
     * @param str8               id_token_hint
     * @param str9               login_hint
     * @param list4              acr_values
     * @param list5              amr_values
     * @param str10              request (JWT request object)
     * @param str11              request_uri
     * @param str12              origin_headers
     * @param str13              code_challenge
     * @param str14              code_challenge_method
     * @param str15              session_id, only forwarded when enabled in configuration
     * @param str16              claims
     * @param str17              auth_req_id (CIBA)
     * @param map                additional custom parameters, may be null
     * @param oAuth2AuditLog     audit entry to emit
     * @param httpServletRequest current request, used to pick the redirect response style
     * @return the redirect response
     */
    private Response redirectTo(String str, RedirectUri redirectUri, List<ResponseType> list, String str2, String str3, String str4, String str5, ResponseMode responseMode, String str6, String str7, List<Prompt> list2, Integer num, List<String> list3, String str8, String str9, List<String> list4, List<String> list5, String str10, String str11, String str12, String str13, String str14, String str15, String str16, String str17, Map<String, String> map, OAuth2AuditLog oAuth2AuditLog, HttpServletRequest httpServletRequest) {
        final String pagePath = this.servletRequest.getContextPath() + str + this.f0onfigurationFactory.getFacesMapping();
        redirectUri.setBaseRedirectUri(URI.create(this.appConfiguration.getIssuer()).resolve(pagePath).toString());
        redirectUri.setResponseMode(ResponseMode.QUERY);

        addRedirectParamIfNotBlank(redirectUri, "response_type", org.gluu.oxauth.model.util.StringUtils.implode(list, " "));
        addRedirectParamIfNotBlank(redirectUri, "scope", str2);
        addRedirectParamIfNotBlank(redirectUri, "client_id", str3);
        addRedirectParamIfNotBlank(redirectUri, "redirect_uri", str4);
        addRedirectParamIfNotBlank(redirectUri, "state", str5);
        if (responseMode != null) {
            redirectUri.addResponseParameter("response_mode", responseMode.getParamName());
        }
        addRedirectParamIfNotBlank(redirectUri, "nonce", str6);
        addRedirectParamIfNotBlank(redirectUri, "display", str7);
        addRedirectParamIfNotBlank(redirectUri, "prompt", org.gluu.oxauth.model.util.StringUtils.implode(list2, " "));
        if (num != null) {
            redirectUri.addResponseParameter("max_age", num.toString());
        }
        addRedirectParamIfNotBlank(redirectUri, "ui_locales", org.gluu.oxauth.model.util.StringUtils.implode(list3, " "));
        addRedirectParamIfNotBlank(redirectUri, "id_token_hint", str8);
        addRedirectParamIfNotBlank(redirectUri, "login_hint", str9);
        addRedirectParamIfNotBlank(redirectUri, "acr_values", org.gluu.oxauth.model.util.StringUtils.implode(list4, " "));
        addRedirectParamIfNotBlank(redirectUri, "amr_values", org.gluu.oxauth.model.util.StringUtils.implode(list5, " "));
        addRedirectParamIfNotBlank(redirectUri, "request", str10);
        addRedirectParamIfNotBlank(redirectUri, "request_uri", str11);
        addRedirectParamIfNotBlank(redirectUri, "code_challenge", str13);
        addRedirectParamIfNotBlank(redirectUri, "code_challenge_method", str14);
        // A session id in the URL can leak via referrers and access logs, so it is only forwarded
        // when the deployment explicitly enables the session_id request parameter.
        if (StringUtils.isNotBlank(str15) && this.appConfiguration.getSessionIdRequestParameterEnabled().booleanValue()) {
            redirectUri.addResponseParameter(CookieService.SESSION_ID_COOKIE_NAME, str15);
        }
        addRedirectParamIfNotBlank(redirectUri, "claims", str16);
        addRedirectParamIfNotBlank(redirectUri, "auth_req_id", str17);
        addRedirectParamIfNotBlank(redirectUri, "origin_headers", str12);

        if (map != null && !map.isEmpty()) {
            for (Map.Entry<String, String> customParam : map.entrySet()) {
                redirectUri.addResponseParameter(customParam.getKey(), customParam.getValue());
            }
        }

        final Response.ResponseBuilder responseBuilder = RedirectUtil.getRedirectResponseBuilder(redirectUri, httpServletRequest);
        this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
        return responseBuilder.build();
    }

    /**
     * Appends {@code value} as response parameter {@code name}, skipping blank values.
     *
     * @param redirectUri target to append to
     * @param name        parameter name
     * @param value       parameter value, ignored when null or blank
     */
    private static void addRedirectParamIfNotBlank(RedirectUri redirectUri, String name, String value) {
        if (StringUtils.isNotBlank(value)) {
            redirectUri.addResponseParameter(name, value);
        }
    }

    /**
     * Drops the authenticated user from both the request-scoped identity and the persisted
     * session, moving the latter to the UNAUTHENTICATED state.
     *
     * <p>The persisted session is looked up by {@code str}; when that is empty the session id
     * is taken from the request cookie instead. After the update an unauthenticated session
     * event is published. Failures to load or update the session are logged, not thrown.
     *
     * @param str                session id to unauthenticate; empty means "use the cookie"
     * @param httpServletRequest current request, used for the cookie fallback and the event
     */
    private void unauthenticateSession(String str, HttpServletRequest httpServletRequest) {
        this.identity.logout();
        final SessionId identitySession = this.identity.getSessionId();
        if (identitySession != null) {
            clearAuthenticatedUser(identitySession);
        }

        final String lookupId = StringHelper.isEmpty(str)
                ? this.cookieService.getSessionIdFromCookie(httpServletRequest)
                : str;
        final SessionId persistedSession = this.sessionIdService.getSessionId(lookupId);
        if (persistedSession == null) {
            // NOTE(review): this writes the session id to the error log; consider whether that
            // identifier is acceptable in log output for this deployment.
            this.log.error("Failed to load session from LDAP by session_id: '{}'", lookupId);
            return;
        }

        persistedSession.setState(SessionIdState.UNAUTHENTICATED);
        clearAuthenticatedUser(persistedSession);
        final boolean updated = this.sessionIdService.updateSessionId(persistedSession);
        // The event is published regardless of whether the persistence update succeeded.
        this.sessionIdService.externalEvent(new SessionEvent(SessionEventType.UNAUTHENTICATED, persistedSession).setHttpRequest(httpServletRequest));
        if (!updated) {
            this.log.error("Failed to update session_id '{}'", lookupId);
        }
    }

    /**
     * Removes the user binding (DN, user object and authentication time) from a session.
     *
     * @param sessionId session to strip; must not be null
     */
    private static void clearAuthenticatedUser(SessionId sessionId) {
        sessionId.setUserDn(null);
        sessionId.setUser(null);
        sessionId.setAuthenticationTime(null);
    }

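    /**
     * Completes a pending device-authorization request once the end-user has approved it
     * in the browser.
     *
     * <p>Looks up the cached request by {@code user_code}, removes it from the cache and creates
     * the device grant for the user. Expired or unknown codes are logged at trace level and
     * ignored.
     *
     * @param str  the user_code the end-user entered
     * @param user the authenticated user approving the device
     */
    private void processDeviceAuthorization(String str, User user) {
        final DeviceAuthorizationCacheControl deviceAuthz = this.deviceAuthorizationService.getDeviceAuthzByUserCode(str);
        if (deviceAuthz == null || deviceAuthz.getStatus() == DeviceAuthorizationStatus.EXPIRED) {
            this.log.trace("User responded too late and the authorization {} has expired, {}", str, deviceAuthz);
            return;
        }
        // Consume the pending request before minting the grant so the user_code cannot be reused.
        this.deviceAuthorizationService.removeDeviceAuthRequestInCache(str, deviceAuthz.getDeviceCode());
        // Create the grant as a statement of its own: a persistent side effect must not be hidden
        // inside a log call's argument list.
        final Object grantId = this.authorizationGrantList.createDeviceGrant(deviceAuthz, user).getGrantId();
        this.log.info("Granted device authorization request, user_code: {}, device_code: {}, grant_id: {}", new Object[]{str, deviceAuthz.getDeviceCode(), grantId});
    }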
}
