package org.gluu.oxauth.model.token;

import com.google.common.base.Function;
import com.google.common.collect.Lists;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TimeZone;
import java.util.UUID;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.inject.Named;
import org.apache.commons.lang.StringUtils;
import org.apache.logging.log4j.util.Strings;
import org.gluu.model.GluuAttribute;
import org.gluu.model.attribute.AttributeDataType;
import org.gluu.model.custom.script.conf.CustomScriptConfiguration;
import org.gluu.model.custom.script.type.auth.PersonAuthenticationType;
import org.gluu.oxauth.claims.Audience;
import org.gluu.oxauth.model.authorize.Claim;
import org.gluu.oxauth.model.authorize.JwtAuthorizationRequest;
import org.gluu.oxauth.model.common.AbstractToken;
import org.gluu.oxauth.model.common.AccessToken;
import org.gluu.oxauth.model.common.AuthorizationCode;
import org.gluu.oxauth.model.common.CIBAGrant;
import org.gluu.oxauth.model.common.IAuthorizationGrant;
import org.gluu.oxauth.model.common.RefreshToken;
import org.gluu.oxauth.model.common.ScopeType;
import org.gluu.oxauth.model.common.SessionId;
import org.gluu.oxauth.model.common.UnmodifiableAuthorizationGrant;
import org.gluu.oxauth.model.common.User;
import org.gluu.oxauth.model.configuration.AppConfiguration;
import org.gluu.oxauth.model.exception.InvalidClaimException;
import org.gluu.oxauth.model.jwt.JwtClaimSet;
import org.gluu.oxauth.model.jwt.JwtSubClaimObject;
import org.gluu.oxauth.model.registration.Client;
import org.gluu.oxauth.service.AttributeService;
import org.gluu.oxauth.service.ScopeService;
import org.gluu.oxauth.service.SessionIdService;
import org.gluu.oxauth.service.external.ExternalAuthenticationService;
import org.gluu.oxauth.service.external.ExternalDynamicScopeService;
import org.gluu.oxauth.service.external.context.DynamicScopeExternalContext;
import org.json.JSONArray;
import org.oxauth.persistence.model.Scope;

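/**
 * Builds the OpenID Connect ID Token for an authorization grant.
 *
 * <p>The factory fills the standard claims ({@code iss}, {@code aud}, {@code exp}, {@code iat},
 * {@code nonce}, {@code acr}, {@code amr}, {@code auth_time}, {@code sid}), the token-binding
 * hashes ({@code c_hash}, {@code at_hash}, {@code s_hash} and, for CIBA grants, {@code rt_hash}),
 * the user claims released through the granted scopes and through the {@code id_token} member of a
 * JWT authorization request, and finally lets {@link JwrService} sign/encrypt the result.
 */
@Stateless
@Named
public class IdTokenFactory {

    /**
     * LDAP GeneralizedTime layout used for DATE attributes. The trailing {@code Z} denotes UTC, so
     * the parser is pinned to UTC rather than the JVM default zone.
     */
    private static final String GENERALIZED_TIME_PATTERN = "yyyyMMddHHmmss.SSS'Z'";

    @Inject
    private ExternalDynamicScopeService externalDynamicScopeService;

    @Inject
    private ExternalAuthenticationService externalAuthenticationService;

    @Inject
    private ScopeService scopeService;

    @Inject
    private AttributeService attributeService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private JwrService jwrService;

    @Inject
    private SessionIdService sessionIdService;

    /**
     * Creates, fills and encodes the ID token for {@code grant}.
     *
     * @param grant the grant the token is issued for; supplies client, user, session and ACR
     * @param nonce the request nonce, copied into the {@code nonce} claim when non-blank
     * @param authorizationCode code to bind via {@code c_hash}, or {@code null}
     * @param accessToken access token to bind via {@code at_hash}, or {@code null}
     * @param refreshToken refresh token to bind via {@code rt_hash} (CIBA only), or {@code null}
     * @param state request state to bind via {@code s_hash}, or {@code null}/blank
     * @param scopes granted scope ids whose claims may be released
     * @param includeIdTokenClaims whether scope claims go into the ID token at all (the client must
     *     also have {@code includeClaimsInIdToken} enabled)
     * @param preProcessing optional hook invoked on the unsigned token before session/ACR/hash
     *     claims are set
     * @return the signed/encrypted token
     * @throws Exception propagated from claim lookup, hashing or encoding
     */
    public JsonWebResponse createJwr(IAuthorizationGrant grant, String nonce, AuthorizationCode authorizationCode,
                                     AccessToken accessToken, RefreshToken refreshToken, String state,
                                     Set<String> scopes, boolean includeIdTokenClaims,
                                     Function<JsonWebResponse, Void> preProcessing) throws Exception {
        Client client = grant.getClient();
        JsonWebResponse jwr = jwrService.createJwr(client);
        fillClaims(jwr, grant, nonce, authorizationCode, accessToken, refreshToken, state, scopes,
                includeIdTokenClaims, preProcessing);
        return jwrService.encode(jwr, client);
    }

    /**
     * Resolves the claims a scope releases for {@code user}, keyed by claim name.
     *
     * <p>Attributes whose DN cannot be resolved, or that lack a claim name or attribute name, are
     * skipped. {@code uid} maps to the user id; BOOLEAN attributes are parsed to {@link Boolean};
     * DATE attributes are parsed from LDAP GeneralizedTime into {@link Date}; multi-valued results
     * ({@link JSONArray}) become a {@code List<String>}. Null values are omitted.
     *
     * @throws InvalidClaimException if an attribute cannot be read from the user
     * @throws ParseException if a DATE attribute is not in GeneralizedTime format
     */
    public Map<String, Object> getClaims(User user, Scope scope) throws InvalidClaimException, ParseException {
        Map<String, Object> claims = new HashMap<>();
        if (scope == null || scope.getOxAuthClaims() == null) {
            return claims;
        }
        // SimpleDateFormat is not thread-safe: one instance per call, shared across the loop only
        SimpleDateFormat generalizedTime = new SimpleDateFormat(GENERALIZED_TIME_PATTERN);
        generalizedTime.setTimeZone(TimeZone.getTimeZone("UTC"));
        for (String claimDn : scope.getOxAuthClaims()) {
            GluuAttribute attribute = attributeService.getAttributeByDn(claimDn);
            if (attribute == null) {
                continue; // stale or unknown DN in the scope definition
            }
            String claimName = attribute.getOxAuthClaimName();
            if (StringUtils.isBlank(claimName) || StringUtils.isBlank(attribute.getName())) {
                continue;
            }
            Object value = readAttributeValue(user, attribute, generalizedTime);
            if (value == null) {
                continue;
            }
            if (value instanceof JSONArray) {
                claims.put(claimName, toStringList((JSONArray) value));
            } else {
                claims.put(claimName, value);
            }
        }
        return claims;
    }

    /**
     * Populates every claim of the token in order: issuer/audience, lifetime, the random
     * {@code code} value, the pre-processing hook, session/ACR/nonce/auth_time, binding hashes,
     * grant metadata, scope claims, requested claims, subject identifier, dynamic-scope scripts and
     * CIBA claims.
     */
    private void fillClaims(JsonWebResponse jwr, IAuthorizationGrant grant, String nonce,
                            AuthorizationCode authorizationCode, AccessToken accessToken,
                            RefreshToken refreshToken, String state, Set<String> scopes,
                            boolean includeIdTokenClaims, Function<JsonWebResponse, Void> preProcessing)
            throws Exception {
        jwr.getClaims().setIssuer(appConfiguration.getIssuer());
        Audience.setAudience(jwr.getClaims(), grant.getClient());
        setLifetimeClaims(jwr);
        // random per-token identifier carried in the "code" claim
        jwr.setClaim("code", UUID.randomUUID().toString());
        if (preProcessing != null) {
            preProcessing.apply(jwr);
        }

        SessionId session = sessionIdService.getSessionByDn(grant.getSessionDn());
        if (session != null) {
            // the outside sid is the session reference exposed to relying parties
            jwr.setClaim("sid", session.getOutsideSid());
        }
        if (grant.getAcrValues() != null) {
            jwr.setClaim("acr", grant.getAcrValues());
            setAmrClaim(jwr, grant.getAcrValues());
        }
        if (StringUtils.isNotBlank(nonce)) {
            jwr.setClaim("nonce", nonce);
        }
        if (grant.getAuthenticationTime() != null) {
            jwr.getClaims().setClaim("auth_time", grant.getAuthenticationTime());
        }
        setBindingHashes(jwr, authorizationCode, accessToken, state);
        if (grant.getGrantType() != null) {
            jwr.setClaim("grant", grant.getGrantType().getValue());
        }
        jwr.setClaim("oxOpenIDConnectVersion", appConfiguration.getOxOpenIdConnectVersion());

        List<Scope> dynamicScopes = new ArrayList<>();
        // scope claims are released only when both the call site and the client opt in
        if (includeIdTokenClaims && grant.getClient().isIncludeClaimsInIdToken()) {
            dynamicScopes.addAll(addScopeClaims(jwr, grant, scopes));
        }
        setClaimsFromJwtAuthorizationRequest(jwr, grant, scopes);
        jwrService.setSubjectIdentifier(jwr, grant);
        if (!dynamicScopes.isEmpty() && externalDynamicScopeService.isEnabled()) {
            // dynamic scopes are resolved by external scripts that see a read-only view of the grant
            externalDynamicScopeService.executeExternalUpdateMethods(
                    new DynamicScopeExternalContext(dynamicScopes, jwr, new UnmodifiableAuthorizationGrant(grant)));
        }
        processCiba(jwr, grant, refreshToken);
    }

    /** Sets {@code iat} to now and {@code exp} to now plus the configured ID token lifetime. */
    private void setLifetimeClaims(JsonWebResponse jwr) {
        Calendar calendar = Calendar.getInstance();
        Date issuedAt = calendar.getTime();
        calendar.add(Calendar.SECOND, appConfiguration.getIdTokenLifetime());
        jwr.getClaims().setExpirationTime(calendar.getTime());
        jwr.getClaims().setIssuedAt(issuedAt);
    }

    /**
     * Sets the hashes that bind this ID token to the artifacts issued alongside it ({@code c_hash}
     * for the code, {@code at_hash} for the access token, {@code s_hash} for the state), each
     * computed with the token's own signature algorithm. Absent artifacts yield no claim.
     */
    private static void setBindingHashes(JsonWebResponse jwr, AuthorizationCode authorizationCode,
                                         AccessToken accessToken, String state) throws Exception {
        if (authorizationCode != null) {
            jwr.setClaim("c_hash",
                    AbstractToken.getHash(authorizationCode.getCode(), jwr.getHeader().getSignatureAlgorithm()));
        }
        if (accessToken != null) {
            jwr.setClaim("at_hash",
                    AbstractToken.getHash(accessToken.getCode(), jwr.getHeader().getSignatureAlgorithm()));
        }
        if (StringUtils.isNotBlank(state)) {
            jwr.setClaim("s_hash", AbstractToken.getHash(state, jwr.getHeader().getSignatureAlgorithm()));
        }
    }

    /**
     * Sets the {@code amr} claim from the authentication script selected by {@code acrValues}:
     * the script level, followed by {@code key:value} pairs reported by scripts with API
     * version above 3. An unknown script yields an empty list.
     */
    private void setAmrClaim(JsonWebResponse jwr, String acrValues) {
        List<String> amr = new ArrayList<>();
        CustomScriptConfiguration script = externalAuthenticationService.getCustomScriptConfigurationByName(acrValues);
        if (script != null) {
            amr.add(Integer.toString(script.getLevel()));
            PersonAuthenticationType scriptType = script.getExternalType();
            // getAuthenticationMethodClaims() is only part of the script API from version 4 onwards
            if (scriptType != null && scriptType.getApiVersion() > 3) {
                Map<String, String> methodClaims =
                        scriptType.getAuthenticationMethodClaims(script.getConfigurationAttributes());
                if (methodClaims != null) {
                    for (Map.Entry<String, String> entry : methodClaims.entrySet()) {
                        amr.add(entry.getKey() + ":" + entry.getValue());
                    }
                }
            }
        }
        jwr.getClaims().setClaim("amr", amr);
    }

    /**
     * Releases the claims of every granted scope into the token. Scopes of type DYNAMIC are not
     * resolved here; they are returned so the caller can hand them to the dynamic-scope scripts.
     * Scopes flagged as group claims are emitted as one nested object named after the scope id.
     */
    private List<Scope> addScopeClaims(JsonWebResponse jwr, IAuthorizationGrant grant, Set<String> scopeIds)
            throws InvalidClaimException, ParseException {
        List<Scope> dynamicScopes = new ArrayList<>();
        User user = grant.getUser();
        for (String scopeId : scopeIds) {
            Scope scope = scopeService.getScopeById(scopeId);
            if (scope == null) {
                continue;
            }
            if (ScopeType.DYNAMIC == scope.getScopeType()) {
                dynamicScopes.add(scope);
                continue;
            }
            Map<String, Object> claims = getClaims(user, scope);
            if (Boolean.TRUE.equals(scope.isOxAuthGroupClaims())) {
                JwtSubClaimObject group = new JwtSubClaimObject();
                group.setName(scope.getId());
                for (Map.Entry<String, Object> entry : claims.entrySet()) {
                    setTypedClaim(group, entry.getKey(), entry.getValue());
                }
                jwr.getClaims().setClaim(scope.getId(), group);
            } else {
                for (Map.Entry<String, Object> entry : claims.entrySet()) {
                    setTypedClaim(jwr.getClaims(), entry.getKey(), entry.getValue());
                }
            }
            jwr.getClaims().setSubjectIdentifier(user.getAttribute("inum"));
        }
        return dynamicScopes;
    }

    /**
     * Stores a claim with the overload matching its runtime type, so nested (group) and top-level
     * claims are encoded identically. Dates become epoch milliseconds; anything that is not a
     * List, Boolean or Date is treated as a String.
     */
    private static void setTypedClaim(JwtClaimSet target, String key, Object value) {
        if (value instanceof List) {
            @SuppressWarnings("unchecked") // getClaims() only ever stores List<String>
            List<String> values = (List<String>) value;
            target.setClaim(key, values);
        } else if (value instanceof Boolean) {
            target.setClaim(key, (Boolean) value);
        } else if (value instanceof Date) {
            target.setClaim(key, Long.valueOf(((Date) value).getTime()));
        } else {
            target.setClaim(key, (String) value);
        }
    }

    /**
     * Adds the CIBA-specific claims when the grant is a {@link CIBAGrant}: {@code rt_hash} binding
     * the refresh token (only when one was issued) and the {@code auth_req_id} of the request.
     */
    private void processCiba(JsonWebResponse jwr, IAuthorizationGrant grant, RefreshToken refreshToken) {
        if (!(grant instanceof CIBAGrant)) {
            return;
        }
        if (refreshToken != null) {
            // NOTE(review): the hash is computed with a null algorithm here, unlike the other
            // binding hashes which use the token's header algorithm — confirm this is intended
            jwr.setClaim("urn:openid:params:jwt:claim:rt_hash", AbstractToken.getHash(refreshToken.getCode(), null));
        }
        jwr.setClaim("urn:openid:params:jwt:claim:auth_req_id", ((CIBAGrant) grant).getAuthReqId());
    }

    /**
     * Releases the claims individually requested in the {@code id_token} member of the JWT
     * authorization request, but only those the client is registered for or that one of the
     * granted scopes already exposes.
     */
    private void setClaimsFromJwtAuthorizationRequest(JsonWebResponse jwr, IAuthorizationGrant grant,
                                                      Set<String> scopeIds) throws InvalidClaimException {
        JwtAuthorizationRequest request = grant.getJwtAuthorizationRequest();
        if (request == null || request.getIdTokenMember() == null) {
            return;
        }
        String[] clientClaimDns = grant.getClient().getClaims();
        for (Claim claim : request.getIdTokenMember().getClaims()) {
            GluuAttribute attribute = attributeService.getByClaimName(claim.getName());
            if (attribute != null && isClaimReleasable(attribute, clientClaimDns, scopeIds)) {
                Object value = grant.getUser().getAttribute(attribute.getName(), true, isMultiValued(attribute));
                jwr.getClaims().setClaimFromJsonObject(claim.getName(), value);
            }
        }
    }

    /**
     * Decides whether {@code attribute} may be released on request: either its DN is among the
     * client's registered claims, or a granted scope exposes an attribute with the same display
     * name.
     */
    private boolean isClaimReleasable(GluuAttribute attribute, String[] clientClaimDns, Collection<String> scopeIds) {
        if (attribute == null) {
            return false;
        }
        if (clientClaimDns != null) {
            for (String dn : clientClaimDns) {
                if (attribute.getDn().equals(dn)) {
                    return true;
                }
            }
        }
        for (String scopeId : scopeIds) {
            Scope scope = scopeService.getScopeById(scopeId);
            if (scope == null || scope.getOxAuthClaims() == null) {
                continue;
            }
            for (String claimDn : scope.getOxAuthClaims()) {
                GluuAttribute scopeAttribute = attributeService.getAttributeByDn(claimDn);
                // NOTE(review): scope membership is matched by display name rather than DN, so two
                // attributes sharing a display name are treated as the same claim — confirm intended
                if (scopeAttribute != null && attribute.getDisplayName().equals(scopeAttribute.getDisplayName())) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Reads the raw value of {@code attribute} for {@code user}, converting BOOLEAN and DATE data
     * types; {@code uid} is served from the user id. Returns {@code null} when the user has no value.
     */
    private static Object readAttributeValue(User user, GluuAttribute attribute, SimpleDateFormat generalizedTime)
            throws InvalidClaimException, ParseException {
        String attributeName = attribute.getName();
        if ("uid".equals(attributeName)) {
            return user.getUserId();
        }
        Object raw = user.getAttribute(attributeName, true, isMultiValued(attribute));
        if (AttributeDataType.BOOLEAN.equals(attribute.getDataType())) {
            // String.valueOf(null) is "null", which parses to false
            return Boolean.parseBoolean(String.valueOf(raw));
        }
        if (AttributeDataType.DATE.equals(attribute.getDataType())) {
            return raw == null ? null : generalizedTime.parse(raw.toString());
        }
        return raw;
    }

    /** Null-safe read of the multi-valued flag; an unset flag is treated as single-valued. */
    private static boolean isMultiValued(GluuAttribute attribute) {
        return Boolean.TRUE.equals(attribute.getOxMultiValuedAttribute());
    }

    /** Copies the string items of a JSON array, dropping entries that are not strings. */
    private static List<String> toStringList(JSONArray array) {
        List<String> values = new ArrayList<>(array.length());
        for (int i = 0; i < array.length(); i++) {
            String item = array.optString(i);
            if (item != null) {
                values.add(item);
            }
        }
        return values;
    }
}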
