package org.gluu.oxauth.service;

import com.google.common.collect.Sets;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.enterprise.context.RequestScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.gluu.jsf2.message.FacesMessages;
import org.gluu.jsf2.service.FacesService;
import org.gluu.oxauth.auth.Authenticator;
import org.gluu.oxauth.ciba.CIBAPingCallbackService;
import org.gluu.oxauth.ciba.CIBAPushErrorService;
import org.gluu.oxauth.model.authorize.AuthorizeErrorResponseType;
import org.gluu.oxauth.model.ciba.PushErrorResponseType;
import org.gluu.oxauth.model.common.AuthorizationGrantList;
import org.gluu.oxauth.model.common.BackchannelTokenDeliveryMode;
import org.gluu.oxauth.model.common.CibaRequestCacheControl;
import org.gluu.oxauth.model.common.CibaRequestStatus;
import org.gluu.oxauth.model.common.DeviceAuthorizationCacheControl;
import org.gluu.oxauth.model.common.DeviceAuthorizationStatus;
import org.gluu.oxauth.model.common.Prompt;
import org.gluu.oxauth.model.common.ResponseMode;
import org.gluu.oxauth.model.common.ResponseType;
import org.gluu.oxauth.model.common.SessionId;
import org.gluu.oxauth.model.common.User;
import org.gluu.oxauth.model.configuration.AppConfiguration;
import org.gluu.oxauth.model.error.ErrorResponseFactory;
import org.gluu.oxauth.model.registration.Client;
import org.gluu.oxauth.security.Identity;
import org.gluu.oxauth.service.ciba.CibaRequestService;
import org.gluu.oxauth.util.RedirectUri;
import org.gluu.oxauth.util.ServerUtil;
import org.oxauth.persistence.model.Scope;
import org.slf4j.Logger;

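/**
 * Request-scoped service that applies the end-user's decision on an authorization request.
 *
 * <p>{@link #permissionGranted} records the grant on the session and sends the browser back to
 * the authorize endpoint; {@link #permissionDenied} marks pending CIBA / device-flow requests as
 * denied and redirects with an {@code access_denied} error. Both paths may expire the session
 * cookies, depending on {@code invalidateSessionCookiesAfterAuthorizationFlow}.
 *
 * <p>This listing is decompiler output (JADX); the compiler-generated switch-map holder class
 * has been folded back into a plain {@code switch} on the enum.
 */
@RequestScoped
/* loaded from: input_file:org/gluu/oxauth/service/AuthorizeService.class */
public class AuthorizeService {

    @Inject
    private Logger log;

    @Inject
    private ClientService clientService;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private CookieService cookieService;

    @Inject
    private ClientAuthorizationsService clientAuthorizationsService;

    @Inject
    private Identity identity;

    @Inject
    private Authenticator authenticator;

    @Inject
    private FacesService facesService;

    @Inject
    private FacesMessages facesMessages;

    @Inject
    private ExternalContext externalContext;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private ScopeService scopeService;

    @Inject
    private RequestParameterService requestParameterService;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private CIBAPingCallbackService cibaPingCallbackService;

    @Inject
    private CIBAPushErrorService cibaPushErrorService;

    @Inject
    private CibaRequestService cibaRequestService;

    @Inject
    private DeviceAuthorizationService deviceAuthorizationService;

    /**
     * Resolves the session from the session-id cookie.
     *
     * @return the session, or {@code null} when no id is available or the id is unknown
     */
    public SessionId getSession() {
        return getSession(null);
    }

    /**
     * Resolves the session for the given id, falling back to the session-id cookie when the
     * argument is blank.
     *
     * <p>If the current identity is not logged in, authentication by session id is attempted
     * first. When the id does not resolve to a session the identity is logged out.
     *
     * @param str session id, may be blank
     * @return the session, or {@code null} when no id is available or the id is unknown
     */
    public SessionId getSession(String str) {
        if (StringUtils.isBlank(str)) {
            str = this.cookieService.getSessionIdFromCookie();
            if (StringUtils.isBlank(str)) {
                return null;
            }
        }
        if (!this.identity.isLoggedIn()) {
            this.authenticator.authenticateBySessionId(str);
        }
        SessionId session = this.sessionIdService.getSessionId(str);
        if (session == null) {
            // An id that no longer maps to a session must not leave a logged-in identity behind.
            this.identity.logout();
        }
        return session;
    }

    /**
     * Records the user's consent on the session and redirects back to the authorize endpoint.
     *
     * <p>A missing session, session user or client is treated as a denial instead of
     * dereferencing {@code null}, so the flow fails closed with a defined response.
     *
     * @param httpServletRequest current request, used for the context path of the redirect
     * @param sessionId          session the consent belongs to
     */
    public void permissionGranted(HttpServletRequest httpServletRequest, SessionId sessionId) {
        this.log.trace("permissionGranted");
        if (sessionId == null) {
            // permissionDenied(null) renders the invalid-session error page.
            permissionDenied(null);
            return;
        }
        try {
            User user = this.sessionIdService.getUser(sessionId);
            if (user == null) {
                this.log.debug("Permission denied. Failed to find session user: userDn = {}.", sessionId.getUserDn());
                permissionDenied(sessionId);
                return;
            }
            String clientId = sessionId.getSessionAttributes().get("client_id");
            Client client = this.clientService.getClient(clientId);
            if (client == null) {
                // No client record: nothing to grant to, so handle it like the missing-user case.
                this.log.warn("Permission denied. Failed to find client: client_id = {}.", clientId);
                permissionDenied(sessionId);
                return;
            }
            String scope = sessionId.getSessionAttributes().get("scope");
            boolean persistable = ServerUtil.isFalse(this.appConfiguration.getUseCacheForAllImplicitFlowObjects())
                    || !ResponseType.isImplicitFlow(sessionId.getSessionAttributes().get("response_type"));
            if (!client.getTrustedClient() && persistable && client.getPersistClientAuthorizations()) {
                this.clientAuthorizationsService.add(user.getAttribute("inum"), client.getClientId(),
                        Sets.newHashSet(org.gluu.oxauth.model.util.StringUtils.spaceSeparatedToList(scope)));
            }
            sessionId.addPermission(clientId, true);
            this.sessionIdService.updateSessionId(sessionId);
            this.identity.setSessionId(sessionId);
            if (!this.appConfiguration.getInvalidateSessionCookiesAfterAuthorizationFlow().booleanValue()) {
                this.cookieService.createSessionIdCookie(sessionId, false);
            }
            Map<String, String> allowedParameters = this.requestParameterService.getAllowedParameters(sessionId.getSessionAttributes());
            if (allowedParameters.containsKey("prompt")) {
                // Consent was just given; drop it from prompt so the follow-up request does not ask again.
                List<Prompt> prompts = Prompt.fromString(allowedParameters.get("prompt"), " ");
                prompts.remove(Prompt.CONSENT);
                allowedParameters.put("prompt", org.gluu.oxauth.model.util.StringUtils.implodeEnum(prompts, " "));
            }
            String redirectTo = httpServletRequest.getContextPath() + "/restv1/authorize?" + this.requestParameterService.parametersAsString(allowedParameters);
            // Logged before the session id is appended below; keep this order so the id is not
            // written to the trace log by this statement.
            this.log.trace("permissionGranted, redirectTo: {}", redirectTo);
            if (invalidateSessionCookiesIfNeeded() && !redirectTo.contains(CookieService.SESSION_ID_COOKIE_NAME) && this.appConfiguration.getSessionIdRequestParameterEnabled().booleanValue()) {
                // NOTE(review): with the cookies expired, the session id travels in the query string.
                // Query strings commonly end up in access logs, browser history and Referer headers,
                // so sessionIdRequestParameterEnabled should stay off unless a deployment needs it.
                // The id is appended without URL-encoding - presumably ids are URL-safe; confirm.
                redirectTo = redirectTo + "&session_id=" + sessionId.getId();
            }
            this.facesService.redirectToExternalURL(redirectTo);
        } catch (UnsupportedEncodingException e) {
            // No redirect is issued on this path, so make the failure visible at error level.
            this.log.error(e.getMessage(), e);
        }
    }

    /**
     * Handles a denied authorization: expires session cookies if configured, marks a pending
     * CIBA or device-flow request as denied, and redirects to the client with
     * {@code access_denied}.
     *
     * <p>NOTE(review): the redirect target is the {@code redirect_uri} stored in the session
     * attributes and is not re-validated here - presumably it was checked against the client
     * registration when the authorization request was accepted; confirm at the caller.
     *
     * @param sessionId session the denial belongs to; {@code null} renders the invalid-session
     *                  error page instead of redirecting
     */
    public void permissionDenied(SessionId sessionId) {
        this.log.trace("permissionDenied");
        invalidateSessionCookiesIfNeeded();
        if (sessionId == null) {
            authenticationFailedSessionInvalid();
            return;
        }
        String redirectUriParam = sessionId.getSessionAttributes().get("redirect_uri");
        String state = sessionId.getSessionAttributes().get("state");
        RedirectUri redirectUri = new RedirectUri(redirectUriParam,
                ResponseType.fromString(sessionId.getSessionAttributes().get("response_type"), " "),
                ResponseMode.fromString(sessionId.getSessionAttributes().get("response_mode")));
        redirectUri.parseQueryString(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.ACCESS_DENIED, state));
        Map<String, String> allowedParameters = this.requestParameterService.getAllowedParameters(sessionId.getSessionAttributes());
        if (allowedParameters.containsKey("auth_req_id")) {
            String authReqId = allowedParameters.get("auth_req_id");
            CibaRequestCacheControl cibaRequest = this.cibaRequestService.getCibaRequest(authReqId);
            if (cibaRequest != null && cibaRequest.getClient() != null) {
                if (cibaRequest.getStatus() == CibaRequestStatus.PENDING) {
                    this.cibaRequestService.removeCibaRequest(authReqId);
                }
                // Tell the client about the denial in the way its delivery mode expects.
                switch (cibaRequest.getClient().getBackchannelTokenDeliveryMode()) {
                    case POLL:
                        cibaRequest.setStatus(CibaRequestStatus.DENIED);
                        cibaRequest.setTokensDelivered(false);
                        this.cibaRequestService.update(cibaRequest);
                        break;
                    case PING:
                        cibaRequest.setStatus(CibaRequestStatus.DENIED);
                        cibaRequest.setTokensDelivered(false);
                        this.cibaRequestService.update(cibaRequest);
                        this.cibaPingCallbackService.pingCallback(cibaRequest.getAuthReqId(), cibaRequest.getClient().getBackchannelClientNotificationEndpoint(), cibaRequest.getClientNotificationToken());
                        break;
                    case PUSH:
                        this.cibaPushErrorService.pushError(cibaRequest.getAuthReqId(), cibaRequest.getClient().getBackchannelClientNotificationEndpoint(), cibaRequest.getClientNotificationToken(), PushErrorResponseType.ACCESS_DENIED, "The end-user denied the authorization request.");
                        break;
                }
            }
        }
        if (allowedParameters.containsKey(DeviceAuthorizationService.SESSION_USER_CODE)) {
            processDeviceAuthDeniedResponse(allowedParameters);
        }
        this.facesService.redirectToExternalURL(redirectUri.toString());
    }

    /** Queues the invalid-session error message and redirects to the local error page. */
    private void authenticationFailedSessionInvalid() {
        this.facesMessages.add(FacesMessage.SEVERITY_ERROR, Authenticator.INVALID_SESSION_MESSAGE);
        this.facesService.redirect("/error.xhtml");
    }

    /**
     * Returns the scopes requested in the current session.
     *
     * @return scopes of the current session; an empty list when there is no session
     */
    public List<Scope> getScopes() {
        SessionId session = getSession();
        if (session == null) {
            // No cookie or unknown session id: nothing was requested, rather than a NullPointerException.
            return new ArrayList<>();
        }
        return getScopes(session.getSessionAttributes().get("scope"));
    }

    /**
     * Resolves a space-separated scope string to scope entries.
     *
     * <p>Scope ids that do not resolve, and scopes without a description, are left out.
     *
     * @param str space-separated scope ids, may be {@code null} or empty
     * @return the resolved scopes, never {@code null}
     */
    public List<Scope> getScopes(String str) {
        List<Scope> scopes = new ArrayList<>();
        if (str != null && !str.isEmpty()) {
            for (String scopeId : str.split(" ")) {
                Scope scope = this.scopeService.getScopeById(scopeId);
                if (scope != null && scope.getDescription() != null) {
                    scopes.add(scope);
                }
            }
        }
        return scopes;
    }

    /**
     * Expires the session cookies when the configuration asks for it.
     *
     * @return {@code true} only if the expiring headers were added to the response
     */
    private boolean invalidateSessionCookiesIfNeeded() {
        if (this.appConfiguration.getInvalidateSessionCookiesAfterAuthorizationFlow().booleanValue()) {
            return invalidateSessionCookies();
        }
        return false;
    }

    /**
     * Adds {@code Set-Cookie} headers that expire the session and consent-session cookies.
     *
     * <p>Best effort: any failure is logged and reported as {@code false}.
     * NOTE(review): the cookie names are literals in the header values while the log lines use
     * the {@link CookieService} constants - presumably the same values; confirm.
     *
     * @return {@code true} if both headers were added, {@code false} otherwise
     */
    private boolean invalidateSessionCookies() {
        try {
            if (!(this.externalContext.getResponse() instanceof HttpServletResponse)) {
                return false;
            }
            HttpServletResponse httpServletResponse = (HttpServletResponse) this.externalContext.getResponse();
            // Log after each header is added, so the trace reflects what was actually sent.
            httpServletResponse.addHeader("Set-Cookie", "session_id=deleted; Path=/; Secure; HttpOnly; Expires=Thu, 01 Jan 1970 00:00:01 GMT;");
            this.log.trace("Invalidated {} cookie.", CookieService.SESSION_ID_COOKIE_NAME);
            httpServletResponse.addHeader("Set-Cookie", "consent_session_id=deleted; Path=/; Secure; HttpOnly; Expires=Thu, 01 Jan 1970 00:00:01 GMT;");
            this.log.trace("Invalidated {} cookie.", CookieService.CONSENT_SESSION_ID_COOKIE_NAME);
            return true;
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
            return false;
        }
    }

    /**
     * Marks the device authorization request identified by the session's user code as denied.
     *
     * <p>Only a request that is still {@code PENDING} is touched, so a request that already
     * reached another status is not overwritten.
     *
     * @param map allowed request parameters, read for the user code
     */
    private void processDeviceAuthDeniedResponse(Map<String, String> map) {
        String userCode = map.get(DeviceAuthorizationService.SESSION_USER_CODE);
        DeviceAuthorizationCacheControl deviceAuthz = this.deviceAuthorizationService.getDeviceAuthzByUserCode(userCode);
        if (deviceAuthz == null || deviceAuthz.getStatus() != DeviceAuthorizationStatus.PENDING) {
            return;
        }
        deviceAuthz.setStatus(DeviceAuthorizationStatus.DENIED);
        this.deviceAuthorizationService.saveInCache(deviceAuthz, true, false);
        this.deviceAuthorizationService.removeDeviceAuthRequestInCache(userCode, null);
    }
}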
