package org.gluu.oxauth.register.ws.rs;

import com.codahale.metrics.Timer;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.TimeZone;
import java.util.UUID;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.Path;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang.StringUtils;
import org.gluu.model.metric.MetricType;
import org.gluu.oxauth.audit.ApplicationAuditLogger;
import org.gluu.oxauth.ciba.CIBARegisterClientMetadataService;
import org.gluu.oxauth.ciba.CIBARegisterClientResponseService;
import org.gluu.oxauth.ciba.CIBARegisterParamsValidatorService;
import org.gluu.oxauth.client.RegisterRequest;
import org.gluu.oxauth.model.audit.Action;
import org.gluu.oxauth.model.audit.OAuth2AuditLog;
import org.gluu.oxauth.model.common.AuthenticationMethod;
import org.gluu.oxauth.model.common.GrantType;
import org.gluu.oxauth.model.common.ResponseType;
import org.gluu.oxauth.model.common.SoftwareStatementValidationType;
import org.gluu.oxauth.model.common.SubjectType;
import org.gluu.oxauth.model.config.StaticConfiguration;
import org.gluu.oxauth.model.configuration.AppConfiguration;
import org.gluu.oxauth.model.crypto.AbstractCryptoProvider;
import org.gluu.oxauth.model.crypto.signature.AlgorithmFamily;
import org.gluu.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.gluu.oxauth.model.error.ErrorResponseFactory;
import org.gluu.oxauth.model.exception.InvalidJwtException;
import org.gluu.oxauth.model.json.JsonApplier;
import org.gluu.oxauth.model.jwt.Jwt;
import org.gluu.oxauth.model.register.RegisterErrorResponseType;
import org.gluu.oxauth.model.register.RegisterRequestParam;
import org.gluu.oxauth.model.register.RegisterResponseParam;
import org.gluu.oxauth.model.registration.Client;
import org.gluu.oxauth.model.registration.RegisterParamsValidator;
import org.gluu.oxauth.model.token.HandleTokenFactory;
import org.gluu.oxauth.model.util.JwtUtil;
import org.gluu.oxauth.model.util.Pair;
import org.gluu.oxauth.model.util.Util;
import org.gluu.oxauth.service.AttributeService;
import org.gluu.oxauth.service.ClientService;
import org.gluu.oxauth.service.MetricService;
import org.gluu.oxauth.service.ScopeService;
import org.gluu.oxauth.service.common.InumService;
import org.gluu.oxauth.service.external.ExternalDynamicClientRegistrationService;
import org.gluu.oxauth.service.token.TokenService;
import org.gluu.oxauth.util.ServerUtil;
import org.gluu.persist.model.base.CustomAttribute;
import org.gluu.util.StringHelper;
import org.gluu.util.security.StringEncrypter;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;

@Path("/")
/* loaded from: input_file:org/gluu/oxauth/register/ws/rs/RegisterRestWebServiceImpl.class */
public class RegisterRestWebServiceImpl implements RegisterRestWebService {

    @Inject
    private Logger log;

    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private ScopeService scopeService;

    @Inject
    private AttributeService attributeService;

    @Inject
    private InumService inumService;

    @Inject
    private ClientService clientService;

    @Inject
    private TokenService tokenService;

    @Inject
    private MetricService metricService;

    @Inject
    private ExternalDynamicClientRegistrationService externalDynamicClientRegistrationService;

    @Inject
    private RegisterParamsValidator registerParamsValidator;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private StaticConfiguration staticConfiguration;

    @Inject
    private AbstractCryptoProvider cryptoProvider;

    @Inject
    private CIBARegisterParamsValidatorService cibaRegisterParamsValidatorService;

    @Inject
    private CIBARegisterClientMetadataService cibaRegisterClientMetadataService;

    @Inject
    private CIBARegisterClientResponseService cibaRegisterClientResponseService;

    /**
     * Handles a dynamic client registration request and records its duration under the
     * {@code DYNAMIC_CLIENT_REGISTRATION_RATE} metric.
     *
     * @param str raw registration request body, passed on unchanged
     * @param httpServletRequest the servlet request, passed on unchanged
     * @param securityContext the JAX-RS security context, passed on unchanged
     * @return whatever {@code registerClientImpl} returns
     */
    @Override // org.gluu.oxauth.register.ws.rs.RegisterRestWebService
    public Response requestRegister(String str, HttpServletRequest httpServletRequest, SecurityContext securityContext) {
        Timer.Context timerContext = this.metricService.getTimer(MetricType.DYNAMIC_CLIENT_REGISTRATION_RATE).time();
        try {
            return registerClientImpl(str, httpServletRequest, securityContext);
        } finally {
            // Stop the timer on the normal and on the exceptional path alike.
            timerContext.stop();
        }
    }

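    /**
     * Processes one dynamic client registration request: parses the JSON body, merges the claims
     * of a validated software statement into it, enforces the server's registration policy,
     * builds and persists the new {@link Client}, and returns the registration response.
     *
     * <p>The whole flow runs inside a single try block. A parsing, encryption or unexpected
     * failure therefore ends at the error response built in the matching catch clause, and can
     * never continue into validation or persistence with a request that was not parsed.
     *
     * @param str raw JSON registration request body
     * @param httpServletRequest source of the caller IP for the audit record; also handed to
     *        software statement validation
     * @param securityContext used only to log whether the request arrived over a secure channel
     * @return the registration response on success, or a 500 response carrying an error JSON when
     *         parsing, secret encryption or an unexpected error occurs
     * @throws WebApplicationException when policy or metadata validation rejects the request
     */
    private Response registerClientImpl(String str, HttpServletRequest httpServletRequest, SecurityContext securityContext) {
        Response.ResponseBuilder builder = Response.ok();
        OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpServletRequest), Action.CLIENT_REGISTRATION);
        try {
            // NOTE(review): the request is parsed and its software statement validated before the
            // "registration disabled" check below; checking the switch first would avoid that
            // work on a disabled endpoint. Order kept as-is to preserve the error responses.
            JSONObject requestObject = new JSONObject(str);
            JSONObject softwareStatementClaims = validateSoftwareStatement(httpServletRequest, requestObject);
            if (softwareStatementClaims != null) {
                // Claims of the software statement take precedence over same-named request parameters.
                this.log.trace("Override request parameters by software_statement");
                for (String claimName : softwareStatementClaims.keySet()) {
                    requestObject.putOpt(claimName, softwareStatementClaims.get(claimName));
                }
            }
            RegisterRequest request = RegisterRequest.fromJson(requestObject, this.appConfiguration.getLegacyDynamicRegistrationScopeParam().booleanValue());
            if (requestObject.has(RegisterRequestParam.SOFTWARE_STATEMENT.toString())) {
                request.setSoftwareStatement(requestObject.getString(RegisterRequestParam.SOFTWARE_STATEMENT.toString()));
            }
            this.log.info("Attempting to register client: applicationType = {}, clientName = {}, redirectUris = {}, isSecure = {}, sectorIdentifierUri = {}, defaultAcrValues = {}", new Object[]{request.getApplicationType(), request.getClientName(), request.getRedirectUris(), Boolean.valueOf(securityContext.isSecure()), request.getSectorIdentifierUri(), request.getDefaultAcrValues()});
            // NOTE(review): writes the raw request body (software_statement JWT included) to the
            // log at trace level.
            this.log.trace("Registration request = {}", str);

            // --- Server policy switches ---
            if (!this.appConfiguration.getDynamicRegistrationEnabled()) {
                this.log.info("Dynamic client registration is disabled.");
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.ACCESS_DENIED, "Dynamic client registration is disabled.");
            }
            if (!this.appConfiguration.getDynamicRegistrationPasswordGrantTypeEnabled() && this.registerParamsValidator.checkIfThereIsPasswordGrantType(request.getGrantTypes())) {
                this.log.info("Password Grant Type is not allowed for Dynamic Client Registration.");
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.ACCESS_DENIED, "Password Grant Type is not allowed for Dynamic Client Registration.");
            }

            // --- Defaults for values the request left out ---
            if (request.getSubjectType() == null) {
                SubjectType configuredDefault = SubjectType.fromString(this.appConfiguration.getDefaultSubjectType());
                if (configuredDefault != null) {
                    request.setSubjectType(configuredDefault);
                } else if (this.appConfiguration.getSubjectTypesSupported().contains(SubjectType.PUBLIC.toString())) {
                    request.setSubjectType(SubjectType.PUBLIC);
                } else if (this.appConfiguration.getSubjectTypesSupported().contains(SubjectType.PAIRWISE.toString())) {
                    request.setSubjectType(SubjectType.PAIRWISE);
                }
            }
            this.registerParamsValidator.validateAlgorithms(request);
            if (request.getIdTokenSignedResponseAlg() == null) {
                request.setIdTokenSignedResponseAlg(SignatureAlgorithm.fromString(this.appConfiguration.getDefaultSignatureAlgorithm()));
            }
            if (request.getAccessTokenSigningAlg() == null) {
                request.setAccessTokenSigningAlg(SignatureAlgorithm.fromString(this.appConfiguration.getDefaultSignatureAlgorithm()));
            }

            // --- Metadata validation; every failure is reported as HTTP 400 ---
            if (request.getClaimsRedirectUris() != null && !request.getClaimsRedirectUris().isEmpty() && !this.registerParamsValidator.validateRedirectUris(request.getGrantTypes(), request.getResponseTypes(), request.getApplicationType(), request.getSubjectType(), request.getClaimsRedirectUris(), request.getSectorIdentifierUri())) {
                this.log.debug("Value of one or more claims_redirect_uris is invalid, claims_redirect_uris: {}", request.getClaimsRedirectUris());
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLAIMS_REDIRECT_URI, "Value of one or more claims_redirect_uris is invalid");
            }
            if (!Strings.isNullOrEmpty(request.getInitiateLoginUri()) && !this.registerParamsValidator.validateInitiateLoginUri(request.getInitiateLoginUri())) {
                this.log.debug("The Initiate Login Uri is invalid. The initiate_login_uri must use the https schema: {}", request.getInitiateLoginUri());
                // NOTE(review): reuses the claims-redirect-uri error code for an
                // initiate_login_uri failure; confirm this is intended.
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLAIMS_REDIRECT_URI, "The Initiate Login Uri is invalid. The initiate_login_uri must use the https schema.");
            }
            Pair<Boolean, String> paramsValidation = this.registerParamsValidator.validateParamsClientRegister(request.getApplicationType(), request.getSubjectType(), request.getGrantTypes(), request.getResponseTypes(), request.getRedirectUris());
            if (!paramsValidation.getFirst()) {
                this.log.trace("Client parameters are invalid, returns invalid_request error. Reason: {}", paramsValidation.getSecond());
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, paramsValidation.getSecond());
            }
            if (!this.registerParamsValidator.validateRedirectUris(request.getGrantTypes(), request.getResponseTypes(), request.getApplicationType(), request.getSubjectType(), request.getRedirectUris(), request.getSectorIdentifierUri())) {
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_REDIRECT_URI, "Failed to validate redirect uris.");
            }
            if (!this.cibaRegisterParamsValidatorService.validateParams(request.getBackchannelTokenDeliveryMode(), request.getBackchannelClientNotificationEndpoint(), request.getBackchannelAuthenticationRequestSigningAlg(), request.getBackchannelUserCodeParameter(), request.getGrantTypes(), request.getSubjectType(), request.getSectorIdentifierUri(), request.getJwks(), request.getJwksUri())) {
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Invalid Client Metadata registering to use CIBA (Client Initiated Backchannel Authentication).");
            }
            this.registerParamsValidator.validateLogoutUri(request.getFrontChannelLogoutUris(), request.getRedirectUris(), this.errorResponseFactory);
            this.registerParamsValidator.validateLogoutUri(request.getBackchannelLogoutUris(), request.getRedirectUris(), this.errorResponseFactory);

            // --- Build the client entry ---
            String clientsBaseDn = this.staticConfiguration.getBaseDn().getClients();
            String inum = this.inumService.generateClientInum();
            // UUID.randomUUID() is documented to use a cryptographically strong generator; a
            // version 4 UUID carries 122 random bits.
            String generatedSecret = UUID.randomUUID().toString();
            Client client = new Client();
            client.setDn("inum=" + inum + "," + clientsBaseDn);
            client.setClientId(inum);
            client.setDeletable(true);
            client.setClientSecret(this.clientService.encryptSecret(generatedSecret));
            client.setRegistrationAccessToken(HandleTokenFactory.generateHandleToken());
            client.setIdTokenTokenBindingCnf(request.getIdTokenTokenBindingCnf());
            GregorianCalendar issuedAt = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
            client.setClientIdIssuedAt(issuedAt.getTime());
            if (this.appConfiguration.getDynamicRegistrationExpirationTime() > 0) {
                // The configured expiration time is added as a number of seconds.
                issuedAt.add(Calendar.SECOND, this.appConfiguration.getDynamicRegistrationExpirationTime());
                client.setClientSecretExpiresAt(issuedAt.getTime());
                client.setExpirationDate(issuedAt.getTime());
                client.setTtl(Integer.valueOf(this.appConfiguration.getDynamicRegistrationExpirationTime()));
            }
            // Overrides the earlier setDeletable(true): only clients with an expiry are deletable.
            client.setDeletable(Boolean.valueOf(client.getClientSecretExpiresAt() != null));
            if (StringUtils.isBlank(request.getClientName()) && request.getRedirectUris() != null && !request.getRedirectUris().isEmpty()) {
                // Without a client_name, fall back to the host of the first redirect URI.
                try {
                    client.setClientName(new URI((String) request.getRedirectUris().get(0)).getHost());
                } catch (Exception e) {
                    this.log.error(e.getMessage(), e);
                    client.setClientName("Unknown");
                }
            }
            updateClientFromRequestObject(client, request, false);

            // An enabled registration script can veto the new client.
            if (this.externalDynamicClientRegistrationService.isEnabled() && !this.externalDynamicClientRegistrationService.executeExternalCreateClientMethods(request, client)) {
                this.log.trace("Client parameters are invalid, returns invalid_request error. External registration script returned false.");
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "External registration script returned false.");
            }

            Date now = Calendar.getInstance().getTime();
            client.setLastAccessTime(now);
            client.setLastLogonTime(now);
            // An unset configuration value counts as false.
            client.setPersistClientAuthorizations(Boolean.TRUE.equals(this.appConfiguration.getDynamicRegistrationPersistClientAuthorizations()));
            this.clientService.persist(client);

            builder.entity(getJSONObject(client).toString(4).replace("\\/", "/"));
            this.log.info("Client registered: clientId = {}, applicationType = {}, clientName = {}, redirectUris = {}, sectorIdentifierUri = {}", new Object[]{client.getClientId(), client.getApplicationType(), client.getClientName(), client.getRedirectUris(), client.getSectorIdentifierUri()});
            oAuth2AuditLog.setClientId(client.getClientId());
            oAuth2AuditLog.setScope(clientScopesToString(client));
            oAuth2AuditLog.setSuccess(true);
        } catch (WebApplicationException e) {
            // Policy and validation rejections keep their own status and error body.
            this.log.error(e.getMessage(), e);
            throw e;
        } catch (JSONException e) {
            builder = internalErrorResponse("Failed to parse JSON.");
            this.log.error(e.getMessage(), e);
        } catch (StringEncrypter.EncryptionException e) {
            builder = internalErrorResponse("Encryption exception occured.");
            this.log.error(e.getMessage(), e);
        } catch (Exception e) {
            builder = internalErrorResponse("Unknown.");
            this.log.error(e.getMessage(), e);
        }

        // Common tail for the success response and for the 500 error responses built above: the
        // body must not be cached (it carries the client secret on success) and the audit record
        // is always sent.
        builder.cacheControl(ServerUtil.cacheControl(true, false));
        builder.header("Pragma", "no-cache");
        builder.type(MediaType.APPLICATION_JSON_TYPE);
        this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
        return builder.build();
    }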

    /**
     * Parses the {@code software_statement} JWT of a registration request and checks it according
     * to the {@code softwareStatementValidationType} configuration property.
     *
     * <ul>
     *   <li>NONE: the claims are returned without any signature check.</li>
     *   <li>SCRIPT: the dynamic client registration script supplies an HMAC secret (HMAC family
     *       algorithms) or a JWKS (all other algorithms) used to verify the signature.</li>
     *   <li>JWKS / JWKS_URI: the key set, or the URI it is loaded from, is read from the claim
     *       named by {@code softwareStatementValidationClaimName} inside the statement itself.</li>
     * </ul>
     *
     * <p>Every exception raised inside the try block, including the WebApplicationExceptions
     * created there with more specific descriptions, is logged and replaced by one generic
     * HTTP 400 {@code INVALID_SOFTWARE_STATEMENT} error.
     *
     * <p>NOTE(review): in the JWKS / JWKS_URI modes the verification keys are taken from the
     * statement that is being verified, and in JWKS_URI mode the claim value is handed to
     * {@code JwtUtil.getJSONWebKeys} as a location. Confirm that the statement issuer and the
     * key location are restricted elsewhere (for example by an allow-list) - not visible here.
     *
     * <p>NOTE(review): the header algorithm is not checked for null or for an unsigned value
     * before it is passed to {@code verifySignature}; the outcome depends on the crypto provider.
     *
     * @param httpServletRequest forwarded to the registration script in SCRIPT mode
     * @param jSONObject the parsed registration request
     * @return the statement's claims as JSON; {@code null} when the request carries no
     *         software_statement, or when SCRIPT mode is configured but no script is enabled
     */
    private JSONObject validateSoftwareStatement(HttpServletRequest httpServletRequest, JSONObject jSONObject) {
        if (!jSONObject.has(RegisterRequestParam.SOFTWARE_STATEMENT.toString())) {
            return null;
        }
        try {
            Jwt statement = Jwt.parse(jSONObject.getString(RegisterRequestParam.SOFTWARE_STATEMENT.toString()));
            SignatureAlgorithm algorithm = statement.getHeader().getSignatureAlgorithm();
            SoftwareStatementValidationType mode = SoftwareStatementValidationType.fromString(this.appConfiguration.getSoftwareStatementValidationType());

            if (mode == SoftwareStatementValidationType.NONE) {
                this.log.trace("software_statement validation was skipped due to `softwareStatementValidationType` configuration property set to none. (Not recommended.)");
                return statement.getClaims().toJsonObject();
            }

            if (mode == SoftwareStatementValidationType.SCRIPT) {
                if (!this.externalDynamicClientRegistrationService.isEnabled()) {
                    this.log.error("Server is mis-configured. softwareStatementValidationType=script but there is no any Dynamic Client Registration script enabled.");
                    return null;
                }
                boolean scriptVerified;
                if (AlgorithmFamily.HMAC.equals(algorithm.getFamily())) {
                    // Symmetric algorithms: the script has to supply the shared secret.
                    String hmacSecret = this.externalDynamicClientRegistrationService.getSoftwareStatementHmacSecret(httpServletRequest, jSONObject, statement);
                    if (StringUtils.isBlank(hmacSecret)) {
                        this.log.error("No hmacSecret provided in Dynamic Client Registration script (method getSoftwareStatementHmacSecret didn't return actual secret). ");
                        throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_SOFTWARE_STATEMENT, "");
                    }
                    scriptVerified = this.cryptoProvider.verifySignature(statement.getSigningInput(), statement.getEncodedSignature(), (String) null, (JSONObject) null, hmacSecret, algorithm);
                } else {
                    // All other algorithms: the script has to supply the key set.
                    JSONObject scriptJwks = this.externalDynamicClientRegistrationService.getSoftwareStatementJwks(httpServletRequest, jSONObject, statement);
                    if (scriptJwks == null) {
                        this.log.error("No jwks provided in Dynamic Client Registration script (method getSoftwareStatementJwks didn't return actual jwks). ");
                        throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_SOFTWARE_STATEMENT, "");
                    }
                    scriptVerified = this.cryptoProvider.verifySignature(statement.getSigningInput(), statement.getEncodedSignature(), statement.getHeader().getKeyId(), scriptJwks, (String) null, algorithm);
                }
                if (!scriptVerified) {
                    throw new InvalidJwtException("Invalid signature in the software statement");
                }
                return statement.getClaims().toJsonObject();
            }

            boolean keysByUri = mode == SoftwareStatementValidationType.JWKS_URI;
            boolean keysInline = mode == SoftwareStatementValidationType.JWKS;
            if ((keysByUri || keysInline) && StringUtils.isBlank(this.appConfiguration.getSoftwareStatementValidationClaimName())) {
                this.log.error("softwareStatementValidationClaimName configuration property is not specified. Please specify claim name from software_statement which points to jwks (or jwks_uri).");
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_SOFTWARE_STATEMENT, "Failed to validate software statement");
            }

            // At most one of the two is set; any other validation type leaves both null and is
            // rejected by the blank check below.
            String jwksUri = null;
            if (keysByUri) {
                jwksUri = statement.getClaims().getClaimAsString(this.appConfiguration.getSoftwareStatementValidationClaimName());
            }
            String jwksJson = null;
            if (keysInline) {
                jwksJson = statement.getClaims().getClaimAsString(this.appConfiguration.getSoftwareStatementValidationClaimName());
            }
            if (StringUtils.isBlank(jwksUri) && StringUtils.isBlank(jwksJson)) {
                String message = String.format("software_statement does not contain `%s` claim and thus is considered as invalid.", this.appConfiguration.getSoftwareStatementValidationClaimName());
                this.log.error(message);
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_SOFTWARE_STATEMENT, message);
            }

            // The key set is resolved inline, as the fourth argument, so it is loaded only after
            // the signing input, signature and key id have been read from the statement.
            boolean claimVerified = this.cryptoProvider.verifySignature(
                    statement.getSigningInput(),
                    statement.getEncodedSignature(),
                    statement.getHeader().getKeyId(),
                    Strings.isNullOrEmpty(jwksUri) ? new JSONObject(jwksJson) : JwtUtil.getJSONWebKeys(jwksUri),
                    (String) null,
                    algorithm);
            if (!claimVerified) {
                throw new InvalidJwtException("Invalid cryptographic segment in the software statement");
            }
            return statement.getClaims().toJsonObject();
        } catch (Exception e) {
            this.log.error("Invalid software_statement.", e);
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_SOFTWARE_STATEMENT, "Invalid software_statement.");
        }
    }

    /**
     * Builds an HTTP 500 response whose JSON body is the {@code INVALID_CLIENT_METADATA} error
     * with the given description.
     *
     * @param str error description placed in the error JSON
     * @return a response builder preset with status, media type and entity
     */
    private Response.ResponseBuilder internalErrorResponse(String str) {
        Response.ResponseBuilder errorBuilder = Response.status(Response.Status.INTERNAL_SERVER_ERROR);
        errorBuilder.type(MediaType.APPLICATION_JSON_TYPE);
        errorBuilder.entity(this.errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_CLIENT_METADATA, str));
        return errorBuilder;
    }

    private void updateClientFromRequestObject(Client client, RegisterRequest registerRequest, boolean z) throws JSONException {
        JsonApplier.getInstance().transfer(registerRequest, client);
        JsonApplier.getInstance().transfer(registerRequest, client.getAttributes());
        List redirectUris = registerRequest.getRedirectUris();
        if (redirectUris != null && !redirectUris.isEmpty()) {
            ArrayList arrayList = new ArrayList(new HashSet(redirectUris));
            client.setRedirectUris((String[]) arrayList.toArray(new String[arrayList.size()]));
        }
        List claimsRedirectUris = registerRequest.getClaimsRedirectUris();
        if (claimsRedirectUris != null && !claimsRedirectUris.isEmpty()) {
            ArrayList arrayList2 = new ArrayList(new HashSet(claimsRedirectUris));
            client.setClaimRedirectUris((String[]) arrayList2.toArray(new String[arrayList2.size()]));
        }
        if (registerRequest.getApplicationType() != null) {
            client.setApplicationType(registerRequest.getApplicationType().toString());
        }
        if (StringUtils.isNotBlank(registerRequest.getClientName())) {
            client.setClientName(registerRequest.getClientName());
        }
        if (StringUtils.isNotBlank(registerRequest.getSectorIdentifierUri())) {
            client.setSectorIdentifierUri(registerRequest.getSectorIdentifierUri());
        }
        HashSet hashSet = new HashSet();
        hashSet.addAll(registerRequest.getResponseTypes());
        HashSet hashSet2 = new HashSet();
        hashSet2.addAll(registerRequest.getGrantTypes());
        if (this.appConfiguration.getClientRegDefaultToCodeFlowWithRefresh().booleanValue()) {
            if (hashSet.size() == 0 && hashSet2.size() == 0) {
                hashSet.add(ResponseType.CODE);
            }
            if (hashSet.contains(ResponseType.CODE)) {
                hashSet2.add(GrantType.AUTHORIZATION_CODE);
                hashSet2.add(GrantType.REFRESH_TOKEN);
            }
            if (hashSet2.contains(GrantType.AUTHORIZATION_CODE)) {
                hashSet.add(ResponseType.CODE);
                hashSet2.add(GrantType.REFRESH_TOKEN);
            }
        }
        if (hashSet.contains(ResponseType.TOKEN) || hashSet.contains(ResponseType.ID_TOKEN)) {
            hashSet2.add(GrantType.IMPLICIT);
        }
        if (hashSet2.contains(GrantType.IMPLICIT)) {
            hashSet.add(ResponseType.TOKEN);
        }
        Set responseTypesSupported = this.appConfiguration.getResponseTypesSupported();
        Set grantTypesSupported = this.appConfiguration.getGrantTypesSupported();
        if (!responseTypesSupported.contains(hashSet)) {
            hashSet.clear();
        }
        hashSet2.retainAll(grantTypesSupported);
        hashSet2.retainAll(this.appConfiguration.getDynamicGrantTypeDefault());
        if (!z || registerRequest.getResponseTypes().size() > 0) {
            client.setResponseTypes((ResponseType[]) hashSet.toArray(new ResponseType[hashSet.size()]));
        }
        if (!z) {
            client.setGrantTypes((GrantType[]) hashSet2.toArray(new GrantType[hashSet2.size()]));
        } else if (this.appConfiguration.getEnableClientGrantTypeUpdate().booleanValue() && registerRequest.getGrantTypes().size() > 0) {
            client.setGrantTypes((GrantType[]) hashSet2.toArray(new GrantType[hashSet2.size()]));
        }
        List contacts = registerRequest.getContacts();
        if (contacts != null && !contacts.isEmpty()) {
            ArrayList arrayList3 = new ArrayList(new HashSet(contacts));
            client.setContacts((String[]) arrayList3.toArray(new String[arrayList3.size()]));
        }
        if (StringUtils.isNotBlank(registerRequest.getLogoUri())) {
            client.setLogoUri(registerRequest.getLogoUri());
        }
        if (StringUtils.isNotBlank(registerRequest.getClientUri())) {
            client.setClientUri(registerRequest.getClientUri());
        }
        if (StringUtils.isNotBlank(registerRequest.getPolicyUri())) {
            client.setPolicyUri(registerRequest.getPolicyUri());
        }
        if (StringUtils.isNotBlank(registerRequest.getTosUri())) {
            client.setTosUri(registerRequest.getTosUri());
        }
        if (StringUtils.isNotBlank(registerRequest.getJwksUri())) {
            client.setJwksUri(registerRequest.getJwksUri());
        }
        if (StringUtils.isNotBlank(registerRequest.getJwks())) {
            client.setJwks(registerRequest.getJwks());
        }
        if (registerRequest.getSubjectType() != null) {
            client.setSubjectType(registerRequest.getSubjectType().toString());
        }
        if (registerRequest.getRptAsJwt() != null) {
            client.setRptAsJwt(registerRequest.getRptAsJwt().booleanValue());
        }
        if (registerRequest.getAccessTokenAsJwt() != null) {
            client.setAccessTokenAsJwt(registerRequest.getAccessTokenAsJwt().booleanValue());
        }
        if (registerRequest.getTlsClientAuthSubjectDn() != null) {
            client.getAttributes().setTlsClientAuthSubjectDn(registerRequest.getTlsClientAuthSubjectDn());
        }
        if (registerRequest.getAllowSpontaneousScopes() != null) {
            client.getAttributes().setAllowSpontaneousScopes(registerRequest.getAllowSpontaneousScopes());
        }
        if (registerRequest.getSpontaneousScopes() != null) {
            client.getAttributes().setSpontaneousScopes(registerRequest.getSpontaneousScopes());
        }
        if (registerRequest.getRunIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims() != null) {
            client.getAttributes().setRunIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims(registerRequest.getRunIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims());
        }
        if (registerRequest.getKeepClientAuthorizationAfterExpiration() != null) {
            client.getAttributes().setKeepClientAuthorizationAfterExpiration(registerRequest.getKeepClientAuthorizationAfterExpiration());
        }
        if (registerRequest.getAccessTokenSigningAlg() != null) {
            client.setAccessTokenSigningAlg(registerRequest.getAccessTokenSigningAlg().toString());
        }
        if (registerRequest.getIdTokenSignedResponseAlg() != null) {
            client.setIdTokenSignedResponseAlg(registerRequest.getIdTokenSignedResponseAlg().toString());
        }
        if (registerRequest.getIdTokenEncryptedResponseAlg() != null) {
            client.setIdTokenEncryptedResponseAlg(registerRequest.getIdTokenEncryptedResponseAlg().toString());
        }
        if (registerRequest.getIdTokenEncryptedResponseEnc() != null) {
            client.setIdTokenEncryptedResponseEnc(registerRequest.getIdTokenEncryptedResponseEnc().toString());
        }
        if (registerRequest.getUserInfoSignedResponseAlg() != null) {
            client.setUserInfoSignedResponseAlg(registerRequest.getUserInfoSignedResponseAlg().toString());
        }
        if (registerRequest.getUserInfoEncryptedResponseAlg() != null) {
            client.setUserInfoEncryptedResponseAlg(registerRequest.getUserInfoEncryptedResponseAlg().toString());
        }
        if (registerRequest.getUserInfoEncryptedResponseEnc() != null) {
            client.setUserInfoEncryptedResponseEnc(registerRequest.getUserInfoEncryptedResponseEnc().toString());
        }
        if (registerRequest.getRequestObjectSigningAlg() != null) {
            client.setRequestObjectSigningAlg(registerRequest.getRequestObjectSigningAlg().toString());
        }
        if (registerRequest.getRequestObjectEncryptionAlg() != null) {
            client.setRequestObjectEncryptionAlg(registerRequest.getRequestObjectEncryptionAlg().toString());
        }
        if (registerRequest.getRequestObjectEncryptionEnc() != null) {
            client.setRequestObjectEncryptionEnc(registerRequest.getRequestObjectEncryptionEnc().toString());
        }
        if (registerRequest.getTokenEndpointAuthMethod() != null) {
            client.setTokenEndpointAuthMethod(registerRequest.getTokenEndpointAuthMethod().toString());
        } else {
            client.setTokenEndpointAuthMethod(AuthenticationMethod.CLIENT_SECRET_BASIC.toString());
        }
        if (registerRequest.getTokenEndpointAuthSigningAlg() != null) {
            client.setTokenEndpointAuthSigningAlg(registerRequest.getTokenEndpointAuthSigningAlg().toString());
        }
        if (registerRequest.getDefaultMaxAge() != null) {
            client.setDefaultMaxAge(registerRequest.getDefaultMaxAge());
        }
        if (registerRequest.getRequireAuthTime() != null) {
            client.setRequireAuthTime(registerRequest.getRequireAuthTime().booleanValue());
        }
        List defaultAcrValues = registerRequest.getDefaultAcrValues();
        if (defaultAcrValues != null && !defaultAcrValues.isEmpty()) {
            ArrayList arrayList4 = new ArrayList(new HashSet(defaultAcrValues));
            client.setDefaultAcrValues((String[]) arrayList4.toArray(new String[arrayList4.size()]));
        }
        if (StringUtils.isNotBlank(registerRequest.getInitiateLoginUri())) {
            client.setInitiateLoginUri(registerRequest.getInitiateLoginUri());
        }
        List postLogoutRedirectUris = registerRequest.getPostLogoutRedirectUris();
        if (postLogoutRedirectUris != null && !postLogoutRedirectUris.isEmpty()) {
            ArrayList arrayList5 = new ArrayList(new HashSet(postLogoutRedirectUris));
            client.setPostLogoutRedirectUris((String[]) arrayList5.toArray(new String[arrayList5.size()]));
        }
        if (registerRequest.getFrontChannelLogoutUris() != null && !registerRequest.getFrontChannelLogoutUris().isEmpty()) {
            client.setFrontChannelLogoutUri((String[]) registerRequest.getFrontChannelLogoutUris().toArray(new String[registerRequest.getFrontChannelLogoutUris().size()]));
        }
        client.setFrontChannelLogoutSessionRequired(registerRequest.getFrontChannelLogoutSessionRequired());
        if (registerRequest.getBackchannelLogoutUris() != null && !registerRequest.getBackchannelLogoutUris().isEmpty()) {
            client.getAttributes().setBackchannelLogoutUri(registerRequest.getBackchannelLogoutUris());
        }
        client.getAttributes().setBackchannelLogoutSessionRequired(registerRequest.getBackchannelLogoutSessionRequired());
        List requestUris = registerRequest.getRequestUris();
        if (requestUris != null && !requestUris.isEmpty()) {
            ArrayList arrayList6 = new ArrayList(new HashSet(requestUris));
            client.setRequestUris((String[]) arrayList6.toArray(new String[arrayList6.size()]));
        }
        List authorizedOrigins = registerRequest.getAuthorizedOrigins();
        if (authorizedOrigins != null && !authorizedOrigins.isEmpty()) {
            ArrayList arrayList7 = new ArrayList(new HashSet(authorizedOrigins));
            client.setAuthorizedOrigins((String[]) arrayList7.toArray(new String[arrayList7.size()]));
        }
        List<String> scope = registerRequest.getScope();
        if (hashSet2.contains(GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS) && !this.appConfiguration.getDynamicRegistrationAllowedPasswordGrantScopes().isEmpty()) {
            scope = Lists.newArrayList(scope);
            scope.retainAll(this.appConfiguration.getDynamicRegistrationAllowedPasswordGrantScopes());
        }
        if (scope == null || scope.isEmpty() || this.appConfiguration.getDynamicRegistrationScopesParamEnabled() == null || !this.appConfiguration.getDynamicRegistrationScopesParamEnabled().booleanValue()) {
            List<String> defaultScopesDn = this.scopeService.getDefaultScopesDn();
            client.setScopes((String[]) defaultScopesDn.toArray(new String[defaultScopesDn.size()]));
        } else {
            List<String> defaultScopesDn2 = this.scopeService.getDefaultScopesDn();
            List<String> scopesDn = this.scopeService.getScopesDn(scope);
            HashSet hashSet3 = new HashSet();
            for (String str : scopesDn) {
                if (defaultScopesDn2.contains(str)) {
                    hashSet3.add(str);
                }
            }
            ArrayList arrayList8 = new ArrayList(hashSet3);
            client.setScopes((String[]) arrayList8.toArray(new String[arrayList8.size()]));
        }
        List<String> claims = registerRequest.getClaims();
        if (claims != null && !claims.isEmpty()) {
            List<String> attributesDn = this.attributeService.getAttributesDn(claims);
            client.setClaims((String[]) attributesDn.toArray(new String[attributesDn.size()]));
        }
        if (registerRequest.getJsonObject() != null) {
            putCustomStuffIntoObject(client, registerRequest.getJsonObject());
        }
        if (registerRequest.getAccessTokenLifetime() != null) {
            client.setAccessTokenLifetime(registerRequest.getAccessTokenLifetime());
        }
        if (StringUtils.isNotBlank(registerRequest.getSoftwareId())) {
            client.setSoftwareId(registerRequest.getSoftwareId());
        }
        if (StringUtils.isNotBlank(registerRequest.getSoftwareVersion())) {
            client.setSoftwareVersion(registerRequest.getSoftwareVersion());
        }
        if (StringUtils.isNotBlank(registerRequest.getSoftwareStatement())) {
            client.setSoftwareStatement(registerRequest.getSoftwareStatement());
        }
        this.cibaRegisterClientMetadataService.updateClient(client, registerRequest.getBackchannelTokenDeliveryMode(), registerRequest.getBackchannelClientNotificationEndpoint(), registerRequest.getBackchannelAuthenticationRequestSigningAlg(), registerRequest.getBackchannelUserCodeParameter());
    }

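    /**
     * Updates the stored metadata of a dynamically registered client.
     *
     * <p>The request is accepted only when a token can be extracted from the Authorization header,
     * the client id and request body are non-blank, the body parses into a {@link RegisterRequest},
     * any supplied redirect URIs and the CIBA parameters validate, the subject type is supported,
     * and {@code clientService.getClient(clientId, token)} resolves a client. The external
     * registration script, when enabled, can veto the update before it is persisted.
     *
     * <p>Every rejection and the success path send an audit record; only the success path marks
     * it as successful.
     *
     * @param str raw request body (client metadata as JSON)
     * @param str2 client id being updated
     * @param str3 Authorization header value, passed to {@code tokenService.getToken}
     * @param httpServletRequest request, used for the audit record's IP address
     * @param securityContext security context, used only for logging {@code isSecure}
     * @return 200 with the client entity on success, 400 on any validation or authorization
     *         failure, or the internal error response on an unexpected exception
     * @throws WebApplicationException rethrown unchanged when raised by a collaborator
     */
    @Override // org.gluu.oxauth.register.ws.rs.RegisterRestWebService
    public Response requestClientUpdate(String str, String str2, @HeaderParam("Authorization") String str3, @Context HttpServletRequest httpServletRequest, @Context SecurityContext securityContext) {
        RegisterRequest fromJson;
        OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpServletRequest), Action.CLIENT_UPDATE);
        oAuth2AuditLog.setClientId(str2);
        try {
            // NOTE(review): unlike requestClientRead and delete, this method does not consult
            // appConfiguration.getDynamicRegistrationEnabled(); confirm whether updates should be
            // rejected while dynamic registration is disabled.
            // NOTE(review): the raw request body is written to the debug log; confirm it can never
            // carry secret material in this deployment, or log a summary instead.
            this.log.debug("Attempting to UPDATE client, client_id: {}, requestParams = {}, isSecure = {}", new Object[]{str2, str, Boolean.valueOf(securityContext.isSecure())});
            String token = this.tokenService.getToken(str3);
            if (StringUtils.isNotBlank(token) && StringUtils.isNotBlank(str2) && StringUtils.isNotBlank(str) && (fromJson = RegisterRequest.fromJson(str, this.appConfiguration.getLegacyDynamicRegistrationScopeParam().booleanValue())) != null) {
                // Redirect URIs are validated only when the request supplies some.
                boolean redirectUrisValid = true;
                if (fromJson.getRedirectUris() != null && !fromJson.getRedirectUris().isEmpty()) {
                    redirectUrisValid = this.registerParamsValidator.validateRedirectUris(fromJson.getGrantTypes(), fromJson.getResponseTypes(), fromJson.getApplicationType(), fromJson.getSubjectType(), fromJson.getRedirectUris(), fromJson.getSectorIdentifierUri());
                }
                if (redirectUrisValid) {
                    if (!this.cibaRegisterParamsValidatorService.validateParams(fromJson.getBackchannelTokenDeliveryMode(), fromJson.getBackchannelClientNotificationEndpoint(), fromJson.getBackchannelAuthenticationRequestSigningAlg(), fromJson.getBackchannelUserCodeParameter(), fromJson.getGrantTypes(), fromJson.getSubjectType(), fromJson.getSectorIdentifierUri(), fromJson.getJwks(), fromJson.getJwksUri())) {
                        // Audit this rejection like every other rejection path in this method.
                        this.log.debug("Client UPDATE : CIBA parameters are invalid. Returns BAD_REQUEST response.");
                        this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
                        return Response.status(Response.Status.BAD_REQUEST).entity(this.errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Invalid Client Metadata registering to use CIBA.")).build();
                    }
                    if (fromJson.getSubjectType() != null && !this.appConfiguration.getSubjectTypesSupported().contains(fromJson.getSubjectType().toString())) {
                        this.log.debug("Client UPDATE : parameter subject_type is invalid. Returns BAD_REQUEST response.");
                        this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
                        return Response.status(Response.Status.BAD_REQUEST).entity(this.errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_CLIENT_METADATA, "subject_type is invalid.")).build();
                    }
                    // Authorization: the client is looked up by id AND token, so a token issued
                    // for another client yields null here.
                    Client client = this.clientService.getClient(str2, token);
                    if (client == null) {
                        this.log.trace("The Access Token is not valid for the Client ID, returns invalid_token error.");
                        this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
                        return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(this.errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_TOKEN, "The Access Token is not valid for the Client ID.")).build();
                    }
                    updateClientFromRequestObject(client, fromJson, true);
                    boolean scriptAccepted = true;
                    if (this.externalDynamicClientRegistrationService.isEnabled()) {
                        scriptAccepted = this.externalDynamicClientRegistrationService.executeExternalUpdateClientMethods(fromJson, client);
                    }
                    if (!scriptAccepted) {
                        // The in-memory client was already modified above but is never merged.
                        this.log.trace("External registration script returned false, returns invalid_token error.");
                        this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
                        return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(this.errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_TOKEN, "External registration script returned false.")).build();
                    }
                    this.clientService.merge(client);
                    oAuth2AuditLog.setScope(clientScopesToString(client));
                    oAuth2AuditLog.setSuccess(true);
                    this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
                    // The entity carries the registration access token (and optionally the client
                    // secret), so send the same cache headers as requestClientRead and delete.
                    return Response.status(Response.Status.OK).entity(clientAsEntity(client)).cacheControl(ServerUtil.cacheControl(true, false)).header("Pragma", "no-cache").build();
                }
            }
            this.log.debug("Client UPDATE : parameters are invalid. Returns BAD_REQUEST response.");
            this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
            return Response.status(Response.Status.BAD_REQUEST).entity(this.errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Unknown.")).build();
        } catch (WebApplicationException e) {
            // Must precede the Exception handler: WebApplicationException is a subclass, so the
            // reverse order is unreachable and does not compile.
            this.log.error(e.getMessage(), e);
            throw e;
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
            this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
            return internalErrorResponse("Unknown.").build();
        }
    }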

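    /**
     * Returns the registration metadata of a dynamically registered client.
     *
     * <p>The client is resolved with {@code clientService.getClient(clientId, token)}, so the
     * supplied registration access token must belong to the requested client. The response is
     * sent with the cache headers produced by {@code ServerUtil.cacheControl(true, false)} and
     * {@code Pragma: no-cache}.
     *
     * @param str client id to read
     * @param str2 value passed to {@code tokenService.getToken} to obtain the registration
     *        access token (presumably the Authorization header value)
     * @param httpServletRequest request, used for the audit record's IP address
     * @param securityContext security context, used only for logging {@code isSecure}
     * @return 200 with the client entity, or 400 with {@code invalid_token} when no client
     *         matches the id/token pair
     * @throws WebApplicationException 400 when dynamic registration is disabled or the
     *         parameters fail validation; 500 on encryption or JSON failures
     */
    @Override // org.gluu.oxauth.register.ws.rs.RegisterRestWebService
    public Response requestClientRead(String str, String str2, HttpServletRequest httpServletRequest, SecurityContext securityContext) {
        String token = this.tokenService.getToken(str2);
        // The registration access token is a bearer credential for this client's registration:
        // record only whether one was supplied, never its value.
        this.log.debug("Attempting to read client: clientId = {}, registrationAccessToken present = {}, isSecure = {}", new Object[]{str, Boolean.valueOf(StringUtils.isNotBlank(token)), Boolean.valueOf(securityContext.isSecure())});
        Response.ResponseBuilder ok = Response.ok();
        OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpServletRequest), Action.CLIENT_READ);
        oAuth2AuditLog.setClientId(str);
        try {
            // NOTE(review): the two rejections below throw before the audit record is sent, so
            // these failed reads are not audited; confirm whether that is intended.
            if (!this.appConfiguration.getDynamicRegistrationEnabled().booleanValue()) {
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.ACCESS_DENIED, "Dynamic registration is disabled.");
            }
            if (!this.registerParamsValidator.validateParamsClientRead(str, token)) {
                this.log.trace("Client ID or Access Token is not valid.");
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Client ID or Access Token is not valid.");
            }
            Client client = this.clientService.getClient(str, token);
            if (client != null) {
                oAuth2AuditLog.setScope(clientScopesToString(client));
                oAuth2AuditLog.setSuccess(true);
                ok.entity(clientAsEntity(client));
            } else {
                // Audited as a failure: setSuccess(true) is only reached in the branch above.
                this.log.trace("The Access Token is not valid for the Client ID, returns invalid_token error.");
                ok = Response.status(Response.Status.BAD_REQUEST.getStatusCode()).type(MediaType.APPLICATION_JSON_TYPE);
                ok.entity(this.errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_TOKEN, "The Access Token is not valid for the Client"));
            }
            ok.cacheControl(ServerUtil.cacheControl(true, false));
            ok.header("Pragma", "no-cache");
            this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
            return ok.build();
        } catch (StringEncrypter.EncryptionException e) {
            this.log.error(e.getMessage(), e);
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.INTERNAL_SERVER_ERROR, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Encryption exception occurred.");
        } catch (JSONException e2) {
            this.log.error(e2.getMessage(), e2);
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.INTERNAL_SERVER_ERROR, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Failed to parse json.");
        }
    }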

    /**
     * Serialises a client into the JSON text used as a response entity.
     *
     * <p>The JSON is rendered with an indent of 4 and every escaped slash ({@code \/}) is
     * replaced by a plain {@code /}.
     *
     * @param client client to serialise
     * @return the indented JSON text
     * @throws JSONException propagated from building or rendering the JSON object
     * @throws StringEncrypter.EncryptionException propagated from {@code getJSONObject}
     */
    private String clientAsEntity(Client client) throws JSONException, StringEncrypter.EncryptionException {
        JSONObject clientJson = getJSONObject(client);
        String indented = clientJson.toString(4);
        return indented.replace("\\/", "/");
    }

    /**
     * Builds the JSON representation of a registered client returned by the read and update
     * endpoints.
     *
     * <p>The resulting object is credential-bearing: it includes the registration access token
     * and, when {@code appConfiguration.getReturnClientSecretOnRead()} is true, the decrypted
     * client secret. Callers should treat the result as sensitive (no logging, no caching).
     *
     * <p>Statement order matters: entries are written into one JSONObject by JsonApplier, then by
     * the explicit fields below, then by the custom attributes, the claims and finally the CIBA
     * response service, so a later writer can overwrite a key set by an earlier one.
     *
     * @param client client to serialise
     * @return the populated JSON object
     * @throws JSONException propagated from the JSON calls (for example when the stored JWKS
     *         text is parsed)
     * @throws StringEncrypter.EncryptionException propagated from decrypting the client secret
     */
    private JSONObject getJSONObject(Client client) throws JSONException, StringEncrypter.EncryptionException {
        JSONObject jSONObject = new JSONObject();
        // JsonApplier populates the object from the client and its attributes first; the mapping
        // it applies is defined outside this block.
        JsonApplier.getInstance().apply(client, jSONObject);
        JsonApplier.getInstance().apply(client.getAttributes(), jSONObject);
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterResponseParam.CLIENT_ID.toString(), client.getClientId());
        // The decrypted secret leaves the server only when the deployment opted in via
        // returnClientSecretOnRead.
        if (this.appConfiguration.getReturnClientSecretOnRead().booleanValue()) {
            Util.addToJSONObjectIfNotNull(jSONObject, RegisterResponseParam.CLIENT_SECRET.toString(), this.clientService.decryptSecret(client.getClientSecret()));
        }
        // The registration access token is echoed back regardless of that setting.
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterResponseParam.REGISTRATION_ACCESS_TOKEN.toString(), client.getRegistrationAccessToken());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterResponseParam.REGISTRATION_CLIENT_URI.toString(), this.appConfiguration.getRegistrationEndpoint() + "?" + RegisterResponseParam.CLIENT_ID.toString() + "=" + client.getClientId());
        // getTime() / 1000: presumably milliseconds converted to seconds — confirm the getter type.
        // NOTE(review): getClientIdIssuedAt() is dereferenced without a null check.
        jSONObject.put(RegisterResponseParam.CLIENT_ID_ISSUED_AT.toString(), client.getClientIdIssuedAt().getTime() / 1000);
        // A missing or non-positive expiry is reported as 0.
        jSONObject.put(RegisterResponseParam.CLIENT_SECRET_EXPIRES_AT.toString(), (client.getClientSecretExpiresAt() == null || client.getClientSecretExpiresAt().getTime() <= 0) ? 0L : client.getClientSecretExpiresAt().getTime() / 1000);
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.REDIRECT_URIS.toString(), client.getRedirectUris());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.CLAIMS_REDIRECT_URIS.toString(), client.getClaimRedirectUris());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.RESPONSE_TYPES.toString(), ResponseType.toStringArray(client.getResponseTypes()));
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.GRANT_TYPES.toString(), GrantType.toStringArray(client.getGrantTypes()));
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.APPLICATION_TYPE.toString(), client.getApplicationType());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.CONTACTS.toString(), client.getContacts());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.CLIENT_NAME.toString(), client.getClientName());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.LOGO_URI.toString(), client.getLogoUri());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.CLIENT_URI.toString(), client.getClientUri());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.POLICY_URI.toString(), client.getPolicyUri());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.TOS_URI.toString(), client.getTosUri());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.JWKS_URI.toString(), client.getJwksUri());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.SECTOR_IDENTIFIER_URI.toString(), client.getSectorIdentifierUri());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.SUBJECT_TYPE.toString(), client.getSubjectType());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.ID_TOKEN_SIGNED_RESPONSE_ALG.toString(), client.getIdTokenSignedResponseAlg());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.ID_TOKEN_ENCRYPTED_RESPONSE_ALG.toString(), client.getIdTokenEncryptedResponseAlg());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.ID_TOKEN_ENCRYPTED_RESPONSE_ENC.toString(), client.getIdTokenEncryptedResponseEnc());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.USERINFO_SIGNED_RESPONSE_ALG.toString(), client.getUserInfoSignedResponseAlg());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.USERINFO_ENCRYPTED_RESPONSE_ALG.toString(), client.getUserInfoEncryptedResponseAlg());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.USERINFO_ENCRYPTED_RESPONSE_ENC.toString(), client.getUserInfoEncryptedResponseEnc());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.REQUEST_OBJECT_SIGNING_ALG.toString(), client.getRequestObjectSigningAlg());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.REQUEST_OBJECT_ENCRYPTION_ALG.toString(), client.getRequestObjectEncryptionAlg());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.REQUEST_OBJECT_ENCRYPTION_ENC.toString(), client.getRequestObjectEncryptionEnc());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.TOKEN_ENDPOINT_AUTH_METHOD.toString(), client.getTokenEndpointAuthMethod());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.TOKEN_ENDPOINT_AUTH_SIGNING_ALG.toString(), client.getTokenEndpointAuthSigningAlg());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.DEFAULT_MAX_AGE.toString(), client.getDefaultMaxAge());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.REQUIRE_AUTH_TIME.toString(), Boolean.valueOf(client.getRequireAuthTime()));
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.DEFAULT_ACR_VALUES.toString(), client.getDefaultAcrValues());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.INITIATE_LOGIN_URI.toString(), client.getInitiateLoginUri());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.POST_LOGOUT_REDIRECT_URIS.toString(), client.getPostLogoutRedirectUris());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.REQUEST_URIS.toString(), client.getRequestUris());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.AUTHORIZED_ORIGINS.toString(), client.getAuthorizedOrigins());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.RPT_AS_JWT.toString(), Boolean.valueOf(client.isRptAsJwt()));
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.TLS_CLIENT_AUTH_SUBJECT_DN.toString(), client.getAttributes().getTlsClientAuthSubjectDn());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.ALLOW_SPONTANEOUS_SCOPES.toString(), client.getAttributes().getAllowSpontaneousScopes());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.SPONTANEOUS_SCOPES.toString(), client.getAttributes().getSpontaneousScopes());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.RUN_INTROSPECTION_SCRIPT_BEFORE_ACCESS_TOKEN_CREATION_AS_JWT_AND_INCLUDE_CLAIMS.toString(), client.getAttributes().getRunIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.KEEP_CLIENT_AUTHORIZATION_AFTER_EXPIRATION.toString(), client.getAttributes().getKeepClientAuthorizationAfterExpiration());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.ACCESS_TOKEN_AS_JWT.toString(), Boolean.valueOf(client.isAccessTokenAsJwt()));
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.ACCESS_TOKEN_SIGNING_ALG.toString(), client.getAccessTokenSigningAlg());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.ACCESS_TOKEN_LIFETIME.toString(), client.getAccessTokenLifetime());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.SOFTWARE_ID.toString(), client.getSoftwareId());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.SOFTWARE_VERSION.toString(), client.getSoftwareVersion());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.SOFTWARE_STATEMENT.toString(), client.getSoftwareStatement());
        // The stored JWKS text is re-parsed so it is emitted as a nested JSON object.
        if (!Util.isNullOrEmpty(client.getJwks())) {
            Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.JWKS.toString(), new JSONObject(client.getJwks()));
        }
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.FRONT_CHANNEL_LOGOUT_URI.toString(), client.getFrontChannelLogoutUri());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.FRONT_CHANNEL_LOGOUT_SESSION_REQUIRED.toString(), client.getFrontChannelLogoutSessionRequired());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.BACKCHANNEL_LOGOUT_URI.toString(), client.getAttributes().getBackchannelLogoutUri());
        Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.BACKCHANNEL_LOGOUT_SESSION_REQUIRED.toString(), client.getAttributes().getBackchannelLogoutSessionRequired());
        // Scopes are stored as DNs; each is resolved to its scope id for the response.
        String[] strArr = null;
        String[] scopes = client.getScopes();
        if (scopes != null) {
            strArr = new String[scopes.length];
            for (int i = 0; i < scopes.length; i++) {
                // NOTE(review): the lookup result is dereferenced directly; if getScopeByDn can
                // return null for a stale DN this throws — confirm against the service.
                strArr[i] = this.scopeService.getScopeByDn(scopes[i]).getId();
            }
        }
        // Legacy mode emits the array under SCOPES; otherwise a space-separated string under SCOPE.
        if (this.appConfiguration.getLegacyDynamicRegistrationScopeParam().booleanValue()) {
            Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.SCOPES.toString(), strArr);
        } else {
            Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.SCOPE.toString(), org.gluu.oxauth.model.util.StringUtils.implode(strArr, " "));
        }
        // Claims are stored as attribute DNs; each is resolved to its claim name.
        String[] strArr2 = null;
        String[] claims = client.getClaims();
        if (claims != null) {
            strArr2 = new String[claims.length];
            for (int i2 = 0; i2 < claims.length; i2++) {
                // NOTE(review): same unchecked dereference as the scope lookup above.
                strArr2[i2] = this.attributeService.getAttributeByDn(claims[i2]).getOxAuthClaimName();
            }
        }
        // Custom attributes are written before the claims entry, so the claims value wins if a
        // custom attribute uses the same key.
        putCustomAttributesInResponse(client, jSONObject);
        if (strArr2 != null && strArr2.length > 0) {
            Util.addToJSONObjectIfNotNull(jSONObject, RegisterRequestParam.CLAIMS.toString(), org.gluu.oxauth.model.util.StringUtils.implode(strArr2, " "));
        }
        // The CIBA response service gets the last word on the object's contents.
        this.cibaRegisterClientResponseService.updateResponse(jSONObject, client);
        return jSONObject;
    }

    /**
     * Copies the client's custom attributes into the response JSON, restricted to the names
     * listed in {@code appConfiguration.getDynamicRegistrationCustomAttributes()}.
     *
     * <p>That configured list acts as the allow-list: an attribute stored on the client but not
     * named there is never disclosed. Nothing is written when the list is null or empty, or when
     * the client has no custom attribute list.
     *
     * @param client client whose custom attributes are read
     * @param jSONObject response object that receives the allowed attributes
     */
    private void putCustomAttributesInResponse(Client client, JSONObject jSONObject) {
        List allowedNames = this.appConfiguration.getDynamicRegistrationCustomAttributes();
        List<CustomAttribute> storedAttributes = client.getCustomAttributes();
        boolean nothingAllowed = allowedNames == null || allowedNames.isEmpty();
        if (nothingAllowed || storedAttributes == null) {
            return;
        }
        for (CustomAttribute attribute : storedAttributes) {
            if (!allowedNames.contains(attribute.getName())) {
                continue;
            }
            // Multi-valued attributes are emitted with all their values, others with the single one.
            if (attribute.isMultiValued()) {
                Util.addToJSONObjectIfNotNull(jSONObject, attribute.getName(), attribute.getValues());
            } else {
                Util.addToJSONObjectIfNotNull(jSONObject, attribute.getName(), attribute.getValue());
            }
        }
    }

    /**
     * Applies deployment-specific custom data from the registration request to the client.
     *
     * <p>Sets the configured custom object class, if any, then reads each attribute named in
     * {@code appConfiguration.getDynamicRegistrationCustomAttributes()} from the request JSON.
     * Only names on that configured list are read; any other key in the request is ignored here.
     *
     * <p>NOTE(review): a listed name that {@code processApplicationAttributes} recognises is
     * turned into a client flag instead of a stored attribute. Listing {@code oxAuthTrustedClient}
     * therefore lets the registering party choose that flag's value — confirm this is intended
     * wherever registration is open to unauthenticated callers.
     *
     * @param client client being created or updated
     * @param jSONObject request JSON carrying the candidate attribute values
     * @throws JSONException propagated from reading a value out of the request JSON
     */
    private void putCustomStuffIntoObject(Client client, JSONObject jSONObject) throws JSONException {
        String customObjectClass = this.appConfiguration.getDynamicRegistrationCustomObjectClass();
        if (StringUtils.isNotBlank(customObjectClass)) {
            client.setCustomObjectClasses(new String[]{customObjectClass});
        }
        List<String> allowedNames = this.appConfiguration.getDynamicRegistrationCustomAttributes();
        if (allowedNames == null || allowedNames.isEmpty()) {
            return;
        }
        for (String attributeName : allowedNames) {
            if (!jSONObject.has(attributeName)) {
                continue;
            }
            // A JSON array supplies several values; anything else is read as one string.
            JSONArray arrayValue = jSONObject.optJSONArray(attributeName);
            List<String> values;
            if (arrayValue == null) {
                values = Arrays.asList(jSONObject.getString(attributeName));
            } else {
                values = org.gluu.oxauth.model.util.StringUtils.toList(arrayValue);
            }
            if (values == null || values.isEmpty()) {
                continue;
            }
            try {
                boolean handledAsFlag = processApplicationAttributes(client, attributeName, values);
                if (!handledAsFlag) {
                    client.getCustomAttributes().add(new CustomAttribute(attributeName, values));
                }
            } catch (Exception e) {
                // Best effort: a failure on one attribute is logged at debug level and the loop
                // moves on, so the attribute is silently left unset.
                this.log.debug(e.getMessage(), e);
            }
        }
    }

    /**
     * Maps the two built-in application attributes onto client flags.
     *
     * <p>{@code oxAuthTrustedClient} sets the trusted-client flag and
     * {@code oxIncludeClaimsInIdToken} sets the include-claims-in-id-token flag; names are matched
     * case-insensitively and the first list element is parsed as a boolean, defaulting to false.
     * Both values originate from the registration request, so they are caller-controlled.
     *
     * @param client client whose flag is set
     * @param str attribute name from the request
     * @param list attribute values; the caller guarantees at least one element
     * @return true when the name was one of the two built-in attributes, false otherwise
     */
    private boolean processApplicationAttributes(Client client, String str, List<String> list) {
        boolean handled = true;
        if (StringHelper.equalsIgnoreCase("oxAuthTrustedClient", str)) {
            client.setTrustedClient(StringHelper.toBoolean(list.get(0), false));
        } else if (StringHelper.equalsIgnoreCase("oxIncludeClaimsInIdToken", str)) {
            client.setIncludeClaimsInIdToken(StringHelper.toBoolean(list.get(0), false));
        } else {
            handled = false;
        }
        return handled;
    }

    /**
     * Renders the client's scopes as a space-separated list of scope ids for the audit record.
     *
     * <p>Each stored scope DN is resolved through {@code scopeService.getScopeByDn}; the lookup
     * result is dereferenced without a null check.
     *
     * @param client client whose scopes are rendered
     * @return the joined scope ids, or null when the client has no scope array
     */
    private String clientScopesToString(Client client) {
        final String[] scopeDns = client.getScopes();
        if (scopeDns != null) {
            final String[] scopeIds = new String[scopeDns.length];
            int position = 0;
            for (String scopeDn : scopeDns) {
                scopeIds[position++] = this.scopeService.getScopeByDn(scopeDn).getId();
            }
            return StringUtils.join(scopeIds, " ");
        }
        return null;
    }

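    /**
     * Deletes a dynamically registered client.
     *
     * <p>The client is resolved with {@code clientService.getClient(clientId, token)}, so only the
     * holder of that client's registration access token can remove it.
     *
     * <p>NOTE(review): unlike the read and update endpoints, no audit record is built or sent
     * here and {@code httpServletRequest} is unused; confirm whether deletions should be audited.
     *
     * @param str client id to delete
     * @param str2 value passed to {@code tokenService.getToken} to obtain the registration
     *        access token (presumably the Authorization header value)
     * @param httpServletRequest request (not used by this method)
     * @param securityContext security context, used only for logging {@code isSecure}
     * @return 204 with no-cache headers on success; the response carried by a
     *         {@link WebApplicationException} (400 when dynamic registration is disabled or the
     *         parameters are invalid, 401 when no client matches the id/token pair)
     * @throws WebApplicationException 500 on any other failure, or a rejection that carries no
     *         response
     */
    @Override // org.gluu.oxauth.register.ws.rs.RegisterRestWebService
    public Response delete(String str, String str2, HttpServletRequest httpServletRequest, SecurityContext securityContext) {
        try {
            String token = this.tokenService.getToken(str2);
            // Uses the same {} placeholders as the other log calls in this class (the indexed
            // {0}/{1}/{2} form was inconsistent with them) and records only whether a token was
            // supplied: the registration access token is a bearer credential.
            this.log.debug("Attempting to delete client: clientId = {}, registrationAccessToken present = {}, isSecure = {}", new Object[]{str, Boolean.valueOf(StringUtils.isNotBlank(token)), Boolean.valueOf(securityContext.isSecure())});
            if (!this.appConfiguration.getDynamicRegistrationEnabled().booleanValue()) {
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.ACCESS_DENIED, "Dynamic registration is disabled.");
            }
            if (!this.registerParamsValidator.validateParamsClientRead(str, token)) {
                this.log.trace("Client parameters are invalid.");
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "");
            }
            Client client = this.clientService.getClient(str, token);
            if (client == null) {
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, RegisterErrorResponseType.INVALID_TOKEN, "");
            }
            this.clientService.remove(client);
            return Response.status(Response.Status.NO_CONTENT).cacheControl(ServerUtil.cacheControl(true, false)).header("Pragma", "no-cache").build();
        } catch (WebApplicationException e) {
            // Must precede the Exception handler: WebApplicationException is a subclass, so the
            // reverse order is unreachable, does not compile, and would turn the deliberate
            // 400/401 rejections above into a 500.
            if (e.getResponse() != null) {
                return e.getResponse();
            }
            throw e;
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.INTERNAL_SERVER_ERROR, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Failed to process request.");
        }
    }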
}
