package org.xdi.oxauth.authorize.ws.rs;

import java.io.UnsupportedEncodingException;
import java.net.ConnectException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.net.UnknownHostException;
import java.security.SignatureException;
import java.util.Collection;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.TimeZone;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang.StringUtils;
import org.jboss.resteasy.client.ClientRequest;
import org.jboss.resteasy.client.ClientResponse;
import org.jboss.seam.Component;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Identity;
import org.xdi.oxauth.auth.Authenticator;
import org.xdi.oxauth.model.authorize.AuthorizeErrorResponseType;
import org.xdi.oxauth.model.authorize.AuthorizeParamsValidator;
import org.xdi.oxauth.model.authorize.Claim;
import org.xdi.oxauth.model.authorize.JwtAuthorizationRequest;
import org.xdi.oxauth.model.common.AccessToken;
import org.xdi.oxauth.model.common.AuthorizationCode;
import org.xdi.oxauth.model.common.AuthorizationGrant;
import org.xdi.oxauth.model.common.AuthorizationGrantList;
import org.xdi.oxauth.model.common.GluuAttribute;
import org.xdi.oxauth.model.common.IdToken;
import org.xdi.oxauth.model.common.Parameters;
import org.xdi.oxauth.model.common.Prompt;
import org.xdi.oxauth.model.common.ResponseType;
import org.xdi.oxauth.model.common.Scope;
import org.xdi.oxauth.model.common.SessionId;
import org.xdi.oxauth.model.common.User;
import org.xdi.oxauth.model.config.ClaimMappingConfiguration;
import org.xdi.oxauth.model.config.ConfigurationFactory;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.exception.InvalidClaimException;
import org.xdi.oxauth.model.exception.InvalidJwtException;
import org.xdi.oxauth.model.registration.Client;
import org.xdi.oxauth.model.util.JwtUtil;
import org.xdi.oxauth.model.util.Util;
import org.xdi.oxauth.service.AttributeService;
import org.xdi.oxauth.service.AuthenticationFilterService;
import org.xdi.oxauth.service.AuthenticationService;
import org.xdi.oxauth.service.ClientService;
import org.xdi.oxauth.service.FederationDataService;
import org.xdi.oxauth.service.RedirectionUriService;
import org.xdi.oxauth.service.ScopeService;
import org.xdi.oxauth.service.SessionIdService;
import org.xdi.oxauth.service.UserGroupService;
import org.xdi.oxauth.service.UserService;
import org.xdi.oxauth.util.QueryStringDecoder;
import org.xdi.oxauth.util.RedirectUtil;
import org.xdi.oxauth.util.ServerUtil;
import org.xdi.util.StringHelper;
import org.xdi.util.security.StringEncrypter;

@Name("requestAuthorizationRestWebService")
/* loaded from: input_file:org/xdi/oxauth/authorize/ws/rs/AuthorizeRestWebServiceImpl.class */
public class AuthorizeRestWebServiceImpl implements AuthorizeRestWebService {

    // Seam-injected collaborators. Every field below is populated by the container;
    // none of the methods visible in this file assign them, with one exception:
    // requestAuthorization(...) overwrites sessionUser when it establishes a new session.

    @Logger
    private Log log;

    @In
    private AuthenticationService authenticationService;

    @In
    private ErrorResponseFactory errorResponseFactory; // renders error codes as JSON bodies or as query/fragment strings

    @In
    private RedirectionUriService redirectionUriService; // validates that a redirect_uri is registered for a client

    @In
    private AuthorizationGrantList authorizationGrantList; // creates/looks up code, implicit and plain grants

    @In
    private ClientService clientService;

    @In
    private UserService userService;

    @In
    private UserGroupService userGroupService;

    @In
    private FederationDataService federationDataService; // trust-relationship check, consulted only when federation is enabled

    @In
    private ScopeService scopeService;

    @In
    private AttributeService attributeService;

    @In
    private Identity identity; // Seam security identity; logged out / given the "user" role by requestAuthorization

    @In
    private AuthenticationFilterService authenticationFilterService; // optional filter-based authentication for prompt=none

    @In
    private SessionIdService sessionIdService;

    @In
    private SessionId sessionUser; // current session; may be null (requestAuthorization checks for that before first use) and is reassigned on re-authentication

    /**
     * GET entry point of the authorization endpoint.
     * Simply forwards every parameter to {@link #requestAuthorization} with the
     * HTTP method fixed to {@code "GET"}; parameter names are decompiler-generated,
     * see requestAuthorization for what each one carries.
     *
     * @return the response produced by requestAuthorization
     */
    @Override // org.xdi.oxauth.authorize.ws.rs.AuthorizeRestWebService
    public Response requestAuthorizationGet(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, Integer num, String str9, String str10, String str11, String str12, String str13, String str14, String str15, String str16, String str17, String str18, String str19, HttpServletRequest httpServletRequest, SecurityContext securityContext) {
        final String httpMethod = "GET";
        return this.requestAuthorization(str, str2, str3, str4, str5, str6, str7, str8, num,
                str9, str10, str11, str12, str13, str14, str15, str16, str17, str18, str19,
                httpMethod, httpServletRequest, securityContext);
    }

    /**
     * POST entry point of the authorization endpoint.
     * Forwards every parameter unchanged to {@link #requestAuthorization} with the
     * HTTP method fixed to {@code "POST"}; parameter names are decompiler-generated,
     * see requestAuthorization for what each one carries.
     *
     * @return the response produced by requestAuthorization
     */
    @Override // org.xdi.oxauth.authorize.ws.rs.AuthorizeRestWebService
    public Response requestAuthorizationPost(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, Integer num, String str9, String str10, String str11, String str12, String str13, String str14, String str15, String str16, String str17, String str18, String str19, HttpServletRequest httpServletRequest, SecurityContext securityContext) {
        final String httpMethod = "POST";
        return this.requestAuthorization(str, str2, str3, str4, str5, str6, str7, str8, num,
                str9, str10, str11, str12, str13, str14, str15, str16, str17, str18, str19,
                httpMethod, httpServletRequest, securityContext);
    }

    /**
     * Processes an OAuth 2.0 / OpenID Connect authorization request (shared by the GET and
     * POST front-ends) and returns either a JSON error response or a redirect: to the
     * client's registered redirect_uri carrying code / tokens / an error, or to the
     * server's own authorization (login/consent) page.
     *
     * Parameter names are decompiler-generated. Their meaning below is taken from how the
     * body uses them (the debug log on the first lines names most of them):
     *   str    - scope (URL-encoded; decoded first thing)
     *   str2   - response_type, space separated
     *   str3   - client_id
     *   str4   - redirect_uri
     *   str5   - state
     *   str6   - nonce
     *   str7   - display
     *   str8   - prompt, space separated
     *   num    - max_age
     *   str9   - ui_locales, space separated
     *   str10, str11, str12 - forwarded to the authorization page only; not interpreted here
     *   str13  - request (JWT request object; replaced by the body fetched from str14 when that succeeds)
     *   str14  - request_uri
     *   str15, str16 - logged as requestSessionId / sessionId; not otherwise used in this body
     *   str17  - access token used to pre-authenticate the user without a login page
     *   str18  - auth_level, str19 - auth_mode (echoed into the grant and the redirect)
     *   str20  - HTTP method of the caller, "GET" or "POST"
     *
     * Side effects: may overwrite this.sessionUser with a freshly generated session, log the
     * Seam identity out or add the "user" role to it, persist authorization grants, remove
     * entries from the parsed prompt list, and fetch str14 over the network.
     *
     * @return a built Response; any exception escaping the main block is logged and mapped
     *         to an empty 500 response by the catch clauses at the end
     */
    public Response requestAuthorization(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, Integer num, String str9, String str10, String str11, String str12, String str13, String str14, String str15, String str16, String str17, String str18, String str19, String str20, HttpServletRequest httpServletRequest, SecurityContext securityContext) {
        Response.ResponseBuilder status;
        Claim claim;
        String urlDecode = ServerUtil.urlDecode(str);
        this.log.debug("Attempting to request authorization: responseType = {0}, clientId = {1}, scope = {2}, redirectUri = {3}, nonce = {4}, state = {5}, request = {6}, isSecure = {7}, requestSessionId = {8}, sessionId = {9}", new Object[]{str2, str3, urlDecode, str4, str6, str5, str13, Boolean.valueOf(securityContext.isSecure()), str15, str16});
        this.log.debug("Attempting to request authorization: authLevel = {0}, authMode = {1}", new Object[]{str18, str19});
        Response.ok(); // result discarded (decompiler artifact)
        // ui_locales, parsed only when present; passed through to the authorization page
        List<String> list = null;
        if (StringUtils.isNotBlank(str9)) {
            list = Util.splittedStringAsList(str9, " ");
        }
        List<ResponseType> fromString = ResponseType.fromString(str2, " ");
        List<Prompt> fromString2 = Prompt.fromString(str8, " "); // mutated below (LOGIN / CONSENT are removed once handled)
        List splittedStringAsList = Util.splittedStringAsList(urlDecode, " "); // raw scope list
        List<String> splittedStringAsList2 = Util.splittedStringAsList(str12, " ");
        // Resolve the already-authenticated user, if any. sessionUser may be null here.
        User userByDn = (this.sessionUser == null || !StringUtils.isNotBlank(this.sessionUser.getUserDn())) ? null : this.userService.getUserByDn(this.sessionUser.getUserDn());
        try {
            if (AuthorizeParamsValidator.validateParams(str2, str3, fromString2, str6, str13, str14)) {
                Client client = this.clientService.getClient(str3);
                JwtAuthorizationRequest jwtAuthorizationRequest = null;
                if (client != null) {
                    // Only a redirect_uri registered for this client is ever redirected to.
                    String validateRedirectionUri = this.redirectionUriService.validateRedirectionUri(str3, str4);
                    boolean z = validateRedirectionUri != null;
                    // Until the redirect_uri is known to be registered, errors go back as JSON, not as a redirect.
                    if (!AuthorizeParamsValidator.validateResponseTypes(fromString, client)) {
                        status = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
                        status.entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.UNSUPPORTED_RESPONSE_TYPE, str5));
                    } else if (!z) {
                        status = error(Response.Status.BAD_REQUEST, AuthorizeErrorResponseType.INVALID_REQUEST_REDIRECT_URI, str5);
                    } else {
                        // With federation enabled, a client outside every trust relationship is refused outright.
                        if (ConfigurationFactory.getConfiguration().getFederationEnabled().booleanValue() && !this.federationDataService.hasAnyActiveTrust(client)) {
                            this.log.debug("Forbid authorization. Client is not in any trust relationship however federation is enabled for server. Client id: {0}, client redirectUris: {1}", new Object[]{client.getClientId(), client.getRedirectUris()});
                            return error(Response.Status.UNAUTHORIZED, AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, str5).build();
                        }
                        // Pre-authentication by access token: the grant behind the token decides the user,
                        // and a brand-new session replaces this.sessionUser.
                        if (StringUtils.isNotBlank(str17)) {
                            AuthorizationGrant authorizationGrantByAccessToken = this.authorizationGrantList.getAuthorizationGrantByAccessToken(str17);
                            if (authorizationGrantByAccessToken == null) {
                                StringBuilder sb = new StringBuilder(validateRedirectionUri);
                                sb.append("#").append(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.ACCESS_DENIED, str5));
                                return RedirectUtil.getRedirectResponseBuilder(sb.toString(), httpServletRequest).build();
                            }
                            userByDn = this.userService.getUser(authorizationGrantByAccessToken.getUserId());
                            this.sessionUser = this.sessionIdService.generateSessionId(userByDn.getDn());
                            this.sessionUser.setAuthenticationTime(new Date());
                            this.sessionIdService.updateSessionLastUsedDate(this.sessionUser);
                        }
                        // request_uri: the request object is fetched server-side from a caller-supplied URI.
                        // NOTE(review): no host/scheme restriction on str14 is visible in this block — confirm
                        // it is enforced elsewhere (e.g. in validateParams or client registration).
                        if (StringUtils.isNotBlank(str14)) {
                            boolean z2 = false;
                            try {
                                URI uri = new URI(str14);
                                String fragment = uri.getFragment();
                                ClientRequest clientRequest = new ClientRequest(uri.getScheme() + ":" + uri.getSchemeSpecificPart());
                                clientRequest.setHttpMethod("GET");
                                ClientResponse clientResponse = clientRequest.get(String.class);
                                if (clientResponse.getStatus() == 200) {
                                    str13 = (String) clientResponse.getEntity(String.class);
                                    // The URI fragment, when present, must equal base64url(SHA-256(body)).
                                    // A blank fragment skips the integrity check entirely.
                                    z2 = StringUtils.isBlank(fragment) ? true : StringUtils.equals(fragment, JwtUtil.base64urlencode(JwtUtil.getMessageDigestSHA256(str13)));
                                }
                                if (!z2) {
                                    StringBuilder sb2 = new StringBuilder(validateRedirectionUri);
                                    sb2.append("#").append(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.INVALID_REQUEST_URI, str5));
                                    return RedirectUtil.getRedirectResponseBuilder(sb2.toString(), httpServletRequest).build();
                                }
                                str14 = null;
                            // Any failure of the fetch is only logged: the INVALID_REQUEST_URI redirect above is
                            // inside the try, so on exception processing continues with str14 still set and
                            // str13 unchanged (i.e. without the request object).
                            } catch (ConnectException e) {
                                this.log.error(e.getMessage(), e, new Object[0]);
                            } catch (URISyntaxException e2) {
                                this.log.error(e2.getMessage(), e2, new Object[0]);
                            } catch (UnknownHostException e3) {
                                this.log.error(e3.getMessage(), e3, new Object[0]);
                            } catch (Exception e4) {
                                this.log.error(e4.getMessage(), e4, new Object[0]);
                            }
                        }
                        // Validate the JWT request object against the plain query parameters; every mismatch
                        // is raised as InvalidJwtException and turned into z3 (invalid) by the local catch.
                        boolean z3 = false;
                        if (StringUtils.isNotBlank(str13)) {
                            try {
                                jwtAuthorizationRequest = new JwtAuthorizationRequest(str13, client);
                                if (!jwtAuthorizationRequest.getResponseTypes().containsAll(fromString) || !fromString.containsAll(jwtAuthorizationRequest.getResponseTypes())) {
                                    throw new InvalidJwtException("The responseType parameter is not the same in the JWT");
                                }
                                if (jwtAuthorizationRequest.getClientId() != null && !jwtAuthorizationRequest.getClientId().equals(str3)) {
                                    throw new InvalidJwtException("The clientId parameter is not the same in the JWT");
                                }
                                if (!jwtAuthorizationRequest.getScopes().containsAll(splittedStringAsList) || !splittedStringAsList.containsAll(jwtAuthorizationRequest.getScopes())) {
                                    throw new InvalidJwtException("The scope parameter is not the same in the JWT");
                                }
                                if (jwtAuthorizationRequest.getRedirectUri() != null && !jwtAuthorizationRequest.getRedirectUri().equals(validateRedirectionUri)) {
                                    throw new InvalidJwtException("The redirectUri parameter is not the same in the JWT");
                                }
                                if (jwtAuthorizationRequest.getState() != null && StringUtils.isNotBlank(str5) && !jwtAuthorizationRequest.getState().equals(str5)) {
                                    throw new InvalidJwtException("The state parameter is not the same in the JWT");
                                }
                                if (jwtAuthorizationRequest.getNonce() != null && StringUtils.isNotBlank(str6) && !jwtAuthorizationRequest.getNonce().equals(str6)) {
                                    throw new InvalidJwtException("The nonce parameter is not the same in the JWT");
                                }
                                if (jwtAuthorizationRequest.getDisplay() != null && StringUtils.isNotBlank(str7) && !jwtAuthorizationRequest.getDisplay().getParamName().equals(str7)) {
                                    throw new InvalidJwtException("The display parameter is not the same in the JWT");
                                }
                                if (!jwtAuthorizationRequest.getPrompts().isEmpty() && !fromString2.isEmpty() && !jwtAuthorizationRequest.getPrompts().containsAll(fromString2)) {
                                    throw new InvalidJwtException("The prompt parameter is not the same in the JWT");
                                }
                                if (jwtAuthorizationRequest.getIdTokenMember().getMaxAge() != null && num != null && !jwtAuthorizationRequest.getIdTokenMember().getMaxAge().equals(num)) {
                                    throw new InvalidJwtException("The maxAge parameter is not the same in the JWT");
                                }
                            } catch (InvalidJwtException e5) {
                                z3 = true;
                                this.log.debug("Invalid JWT authorization request. Exception = {0}, Message = {1}", e5, new Object[]{e5.getClass().getName(), e5.getMessage()});
                            } catch (Exception e6) {
                                // parse / signature failures of any kind are also treated as an invalid request object
                                z3 = true;
                                this.log.debug("Invalid JWT authorization request. Exception = {0}, Message = {1}", e6, new Object[]{e6.getClass().getName(), e6.getMessage()});
                            }
                        }
                        if (z3) {
                            StringBuilder sb3 = new StringBuilder(validateRedirectionUri);
                            sb3.append("#").append(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.INVALID_OPENID_REQUEST_OBJECT, str5));
                            status = RedirectUtil.getRedirectResponseBuilder(sb3.toString(), httpServletRequest);
                        } else {
                            StringBuilder sb4 = new StringBuilder(validateRedirectionUri);
                            AuthorizationGrant authorizationGrant = null;
                            // Response parameters travel in the fragment when a token or id_token is
                            // requested, otherwise in the query string.
                            if (fromString.contains(ResponseType.TOKEN) || fromString.contains(ResponseType.ID_TOKEN)) {
                                if (sb4.toString().contains("#")) {
                                    sb4.append("&");
                                } else {
                                    sb4.append("#");
                                }
                            } else if (sb4.toString().contains("?")) {
                                sb4.append("&");
                            } else {
                                sb4.append("?");
                            }
                            // A "sub" claim requested in the id_token member must name the user who is logged in.
                            if (jwtAuthorizationRequest != null && jwtAuthorizationRequest.getIdTokenMember() != null && (claim = jwtAuthorizationRequest.getIdTokenMember().getClaim("sub")) != null && claim.getClaimValue() != null && claim.getClaimValue().getValue() != null) {
                                String value = claim.getClaimValue().getValue();
                                if (userByDn != null && !userByDn.getUserId().equalsIgnoreCase(value)) {
                                    sb4.append(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.USER_MISMATCHED, str5));
                                    return RedirectUtil.getRedirectResponseBuilder(sb4.toString(), httpServletRequest).build();
                                }
                            }
                            // No authenticated user yet.
                            if (userByDn == null) {
                                this.identity.logout();
                                if (!fromString2.contains(Prompt.NONE)) {
                                    if (fromString2.contains(Prompt.LOGIN)) {
                                        this.identity.logout();
                                        // NOTE(review): this.sessionUser is dereferenced without a null check although
                                        // it may be null (see the guard where userByDn is first computed); an NPE here
                                        // would be caught by the trailing catch (Exception) and answered with a 500.
                                        this.sessionUser.setUserDn(null);
                                        this.sessionUser.setAuthenticationTime(null);
                                        fromString2.remove(Prompt.LOGIN);
                                    }
                                    // Send the user to the login page, preserving the original request parameters.
                                    return RedirectUtil.getRedirectResponseBuilder(redirectToAuthorizationPage(fromString, urlDecode, str3, validateRedirectionUri, str5, str6, str7, fromString2, num, list, str10, str11, splittedStringAsList2, str13, str14).toString(), httpServletRequest).build();
                                }
                                // prompt=none: no UI allowed, so either an authentication filter logs the user in or
                                // the request fails with login_required.
                                if (!this.authenticationFilterService.isEnabled()) {
                                    sb4.append(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.LOGIN_REQUIRED, str5));
                                    return RedirectUtil.getRedirectResponseBuilder(sb4.toString(), httpServletRequest).build();
                                }
                                new HashMap(); // dead statement (decompiler artifact)
                                // Filters see the decoded query string on GET and the servlet parameter map otherwise.
                                String processAuthenticationFilters = this.authenticationFilterService.processAuthenticationFilters(str20.equals("GET") ? QueryStringDecoder.decode(httpServletRequest.getQueryString()) : httpServletRequest.getParameterMap());
                                if (processAuthenticationFilters == null) {
                                    sb4.append(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.LOGIN_REQUIRED, str5));
                                    return RedirectUtil.getRedirectResponseBuilder(sb4.toString(), httpServletRequest).build();
                                }
                                // Filter returned a user DN: open a new session for it and mark the identity as
                                // externally authenticated.
                                this.sessionUser = this.sessionIdService.generateSessionId(processAuthenticationFilters);
                                this.sessionUser.setAuthenticationTime(new Date());
                                this.sessionIdService.updateSessionLastUsedDate(this.sessionUser);
                                userByDn = this.userService.getUserByDn(this.sessionUser.getUserDn());
                                ((Authenticator) Component.getInstance(Authenticator.class, true)).authenticateExternallyWebService(userByDn.getUserId());
                                this.identity.addRole("user");
                            }
                            // Trusted clients skip the consent step when prompt=none.
                            if (fromString2.contains(Prompt.NONE) && Boolean.parseBoolean(client.getTrustedClient())) {
                                this.sessionUser.setPermissionGranted(true);
                            }
                            // prompt=login: force re-authentication even though a user is present.
                            if (fromString2.contains(Prompt.LOGIN)) {
                                this.identity.logout();
                                this.sessionUser.setUserDn(null);
                                this.sessionUser.setAuthenticationTime(null);
                                fromString2.remove(Prompt.LOGIN);
                                return RedirectUtil.getRedirectResponseBuilder(redirectToAuthorizationPage(fromString, urlDecode, str3, validateRedirectionUri, str5, str6, str7, fromString2, num, list, str10, str11, splittedStringAsList2, str13, str14).toString(), httpServletRequest).build();
                            }
                            // prompt=consent: ask again unless permission was already granted in this session.
                            if (fromString2.contains(Prompt.CONSENT) && !this.sessionUser.isPermissionGranted().booleanValue()) {
                                fromString2.remove(Prompt.CONSENT);
                                return RedirectUtil.getRedirectResponseBuilder(redirectToAuthorizationPage(fromString, urlDecode, str3, validateRedirectionUri, str5, str6, str7, fromString2, num, list, str10, str11, splittedStringAsList2, str13, str14).toString(), httpServletRequest).build();
                            }
                            // max_age: explicit parameter wins, then the request object's value, then the
                            // client's default. The session is still fresh if authenticationTime + maxAge
                            // lies in the future (all arithmetic in UTC; 13 is Calendar.SECOND).
                            boolean z4 = true;
                            Integer num2 = null;
                            if (num != null) {
                                num2 = num;
                            } else if (!z3 && jwtAuthorizationRequest != null && jwtAuthorizationRequest.getIdTokenMember().getMaxAge() != null) {
                                num2 = jwtAuthorizationRequest.getIdTokenMember().getMaxAge();
                            }
                            GregorianCalendar gregorianCalendar = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
                            GregorianCalendar gregorianCalendar2 = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
                            gregorianCalendar2.setTime(this.sessionUser.getAuthenticationTime());
                            if (num2 != null) {
                                gregorianCalendar2.add(13, num2.intValue());
                                z4 = gregorianCalendar2.after(gregorianCalendar);
                            } else if (client.getDefaultMaxAge() != null) {
                                gregorianCalendar2.add(13, client.getDefaultMaxAge().intValue());
                                z4 = gregorianCalendar2.after(gregorianCalendar);
                            }
                            // Stale authentication: drop the session user and re-authenticate.
                            if (!z4) {
                                this.identity.logout();
                                this.sessionUser.setUserDn(null);
                                this.sessionUser.setAuthenticationTime(null);
                                return RedirectUtil.getRedirectResponseBuilder(redirectToAuthorizationPage(fromString, urlDecode, str3, validateRedirectionUri, str5, str6, str7, fromString2, num, list, str10, str11, splittedStringAsList2, str13, str14).toString(), httpServletRequest).build();
                            }
                            // Group membership gate (checkUserGroups is defined elsewhere in this class).
                            if (checkUserGroups(userByDn, client)) {
                                AuthorizationCode authorizationCode = null;
                                // response_type=code: persist a code grant and append the code.
                                if (fromString.contains(ResponseType.CODE)) {
                                    authorizationGrant = this.authorizationGrantList.createAuthorizationCodeGrant(userByDn, client, this.sessionUser.getAuthenticationTime());
                                    authorizationGrant.setJwtAuthorizationRequest(jwtAuthorizationRequest);
                                    authorizationGrant.setAuthLevel(str18);
                                    authorizationGrant.setAuthMode(str19);
                                    authorizationGrant.save();
                                    authorizationCode = authorizationGrant.getAuthorizationCode();
                                    if (sb4.toString().contains("?") && !sb4.toString().endsWith("?") && !sb4.toString().endsWith("&")) {
                                        sb4.append("&");
                                    }
                                    sb4.append("code=").append(authorizationCode.getCode());
                                }
                                AccessToken accessToken = null;
                                // response_type=token: reuse the code grant if one exists, else create an implicit grant.
                                if (fromString.contains(ResponseType.TOKEN)) {
                                    if (authorizationGrant == null) {
                                        authorizationGrant = this.authorizationGrantList.createImplicitGrant(userByDn, client, this.sessionUser.getAuthenticationTime());
                                        authorizationGrant.setJwtAuthorizationRequest(jwtAuthorizationRequest);
                                        authorizationGrant.setAuthLevel(str18);
                                        authorizationGrant.setAuthMode(str19);
                                        authorizationGrant.save();
                                    }
                                    accessToken = authorizationGrant.createAccessToken();
                                    if (sb4.toString().contains("#") && !sb4.toString().endsWith("#")) {
                                        sb4.append("&");
                                    }
                                    sb4.append("access_token=").append(accessToken.getCode());
                                    sb4.append("&token_type=").append(accessToken.getTokenType());
                                    sb4.append("&expires_in=").append(accessToken.getExpiresIn());
                                }
                                // response_type=id_token: the ID token is bound to the nonce and to whatever code /
                                // access token was issued above; getClaims is defined elsewhere in this class.
                                if (fromString.contains(ResponseType.ID_TOKEN)) {
                                    if (authorizationGrant == null) {
                                        authorizationGrant = this.authorizationGrantList.createAuthorizationGrant(userByDn, client, this.sessionUser.getAuthenticationTime());
                                        authorizationGrant.setJwtAuthorizationRequest(jwtAuthorizationRequest);
                                        authorizationGrant.setAuthLevel(str18);
                                        authorizationGrant.setAuthMode(str19);
                                        authorizationGrant.save();
                                    }
                                    IdToken createIdToken = authorizationGrant.createIdToken(str6, authorizationCode, accessToken, getClaims(userByDn, authorizationGrant, splittedStringAsList));
                                    if (sb4.toString().contains("#") && !sb4.toString().endsWith("#")) {
                                        sb4.append("&");
                                    }
                                    sb4.append("id_token=").append(createIdToken.getCode());
                                }
                                if (authorizationGrant != null && StringHelper.isNotEmpty(str18) && StringHelper.isNotEmpty(str19)) {
                                    sb4.append("&auth_level=").append(str18);
                                    sb4.append("&auth_mode=").append(str19);
                                }
                                // Make sure the session has an id before it is echoed to the client.
                                if (this.sessionUser.getId() == null) {
                                    String generateId = this.sessionIdService.generateId(this.sessionUser.getUserDn());
                                    this.sessionUser.setId(generateId);
                                    this.log.trace("newSessionId = {0}", new Object[]{generateId});
                                }
                                sb4.append(Parameters.SESSION_ID.nameToAppend()).append(this.sessionUser.getId());
                                // NOTE(review): state is appended verbatim, without URL-encoding, although it is
                                // caller-controlled and redirectToAuthorizationPage encodes the same value.
                                if (str5 != null && !str5.isEmpty()) {
                                    sb4.append("&state=").append(str5);
                                }
                                // Echo the scopes actually granted after the client's scope policy is applied.
                                if (urlDecode != null && !urlDecode.isEmpty()) {
                                    try {
                                        sb4.append("&scope=").append(URLEncoder.encode(authorizationGrant.checkScopesPolicy(urlDecode), "UTF-8"));
                                    } catch (UnsupportedEncodingException e7) {
                                        this.log.trace(e7.getMessage(), e7, new Object[0]);
                                    }
                                }
                                status = RedirectUtil.getRedirectResponseBuilder(sb4.toString(), httpServletRequest);
                            } else {
                                sb4.append(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, str5));
                                status = RedirectUtil.getRedirectResponseBuilder(sb4.toString(), httpServletRequest);
                            }
                        }
                    }
                } else {
                    status = error(Response.Status.UNAUTHORIZED, AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, str5);
                }
            // Invalid parameters: answer as JSON 400 unless the redirect_uri is registered for the
            // client, in which case the error is delivered by redirect.
            } else if (str3 == null || str4 == null || this.redirectionUriService.validateRedirectionUri(str3, str4) == null) {
                status = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
                status.entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, str5));
            } else {
                StringBuilder sb5 = new StringBuilder(str4);
                if (fromString.contains(ResponseType.TOKEN) || fromString.contains(ResponseType.ID_TOKEN)) {
                    if (sb5.toString().contains("#")) {
                        sb5.append("&");
                    } else {
                        sb5.append("#");
                    }
                } else if (sb5.toString().contains("?")) {
                    sb5.append("&");
                } else {
                    sb5.append("?");
                }
                sb5.append(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.INVALID_REQUEST, str5));
                status = RedirectUtil.getRedirectResponseBuilder(sb5.toString(), httpServletRequest);
            }
        // Every escaping exception becomes a bare 500 (no entity); details go to the log only.
        } catch (StringEncrypter.EncryptionException e8) {
            status = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
            this.log.error(e8.getMessage(), e8, new Object[0]);
        } catch (InvalidJwtException e9) {
            status = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
            this.log.error(e9.getMessage(), e9, new Object[0]);
        } catch (SignatureException e10) {
            status = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
            this.log.error(e10.getMessage(), e10, new Object[0]);
        } catch (Exception e11) {
            status = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
            this.log.error(e11.getMessage(), e11, new Object[0]);
        }
        return status.build();
    }

    /**
     * Builds a non-redirecting error response: the given HTTP status with the error
     * code rendered as a JSON entity.
     *
     * @param status HTTP status to answer with
     * @param authorizeErrorResponseType error code passed to the error-response factory
     * @param str the client's {@code state} value, handed to the factory for inclusion in the body
     * @return a response builder carrying the status and the JSON error entity
     */
    private Response.ResponseBuilder error(Response.Status status, AuthorizeErrorResponseType authorizeErrorResponseType, String str) {
        final int httpStatusCode = status.getStatusCode();
        final Object jsonEntity = this.errorResponseFactory.getErrorAsJson(authorizeErrorResponseType, str);
        Response.ResponseBuilder builder = Response.status(httpStatusCode);
        builder = builder.entity(jsonEntity);
        return builder;
    }

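    /**
     * Builds the URL of the configured authorization (login/consent) page with every
     * non-blank request parameter carried over as a URL-encoded query parameter.
     *
     * The positional parameters map, in order, to the OpenID Connect request parameters
     * response_type, scope, client_id, redirect_uri, state, nonce, display, prompt,
     * max_age, ui_locales, id_token_hint, login_hint, acr_values, request and
     * request_uri; list-valued parameters are space-joined first.
     *
     * Fix: the original emitted "?" only before response_type and a bare "&" before every
     * other parameter, so a request without response_type (or an authorization page URL
     * that already carried a query string) produced a malformed URL. The separator is now
     * chosen per parameter from what the builder already contains — the same rule the
     * error-redirect code in this class uses.
     *
     * @return the authorization page URL with the query parameters appended
     */
    private StringBuilder redirectToAuthorizationPage(List<ResponseType> list, String str, String str2, String str3, String str4, String str5, String str6, List<Prompt> list2, Integer num, List<String> list3, String str7, String str8, List<String> list4, String str9, String str10) {
        StringBuilder sb = new StringBuilder(ConfigurationFactory.getConfiguration().getAuthorizationPage());
        try {
            appendQueryParam(sb, "response_type", org.xdi.oxauth.model.util.StringUtils.implode(list, " "));
            appendQueryParam(sb, "scope", str);
            appendQueryParam(sb, "client_id", str2);
            appendQueryParam(sb, "redirect_uri", str3);
            appendQueryParam(sb, "state", str4);
            appendQueryParam(sb, "nonce", str5);
            appendQueryParam(sb, "display", str6);
            appendQueryParam(sb, "prompt", org.xdi.oxauth.model.util.StringUtils.implode(list2, " "));
            // max_age is an integer; its decimal form survives URL encoding unchanged, so
            // routing it through the helper only changes the separator logic.
            if (num != null) {
                appendQueryParam(sb, "max_age", num.toString());
            }
            appendQueryParam(sb, "ui_locales", org.xdi.oxauth.model.util.StringUtils.implode(list3, " "));
            appendQueryParam(sb, "id_token_hint", str7);
            appendQueryParam(sb, "login_hint", str8);
            appendQueryParam(sb, "acr_values", org.xdi.oxauth.model.util.StringUtils.implode(list4, " "));
            appendQueryParam(sb, "request", str9);
            appendQueryParam(sb, "request_uri", str10);
        } catch (UnsupportedEncodingException e) {
            // Cannot happen for UTF-8, but URLEncoder.encode(String, String) declares it.
            this.log.error(e.getMessage(), e, new Object[0]);
        }
        return sb;
    }

    /**
     * Appends {@code name=value} to {@code sb} when {@code value} is non-blank, prefixed
     * with "?" if the builder holds no query string yet and "&" otherwise. The value is
     * URL-encoded as UTF-8; the name is written as-is (all callers pass constants).
     *
     * @throws UnsupportedEncodingException declared by URLEncoder; never raised for UTF-8
     */
    private static void appendQueryParam(StringBuilder sb, String name, String value) throws UnsupportedEncodingException {
        if (StringUtils.isBlank(value)) {
            return;
        }
        sb.append(sb.indexOf("?") >= 0 ? "&" : "?");
        sb.append(name).append("=").append(URLEncoder.encode(value, "UTF-8"));
    }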

    /**
     * Tells whether {@code user} may authorize against {@code client}.
     *
     * A null client, or a client that declares no user-group restriction, admits every
     * user; otherwise the user's DN must belong to at least one of the client's groups.
     * NOTE(review): {@code user} is dereferenced only on the restricted path, so a null
     * user combined with a group-restricted client throws instead of returning false —
     * confirm callers always pass an authenticated user here.
     *
     * @return true when no restriction applies or the user is in one of the groups
     */
    private boolean checkUserGroups(User user, Client client) {
        final boolean restricted = client != null && client.hasUserGroups();
        if (!restricted) {
            return true;
        }
        return this.userGroupService.isInAnyGroup(client.getUserGroups(), user.getDn());
    }

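    /**
     * Resolves the claims to embed in the tokens issued to {@code user}.
     *
     * Sources, in order (a later write wins on a name clash):
     * <ol>
     *   <li>every attribute attached to each requested scope (scopes are looked up by
     *       display name); {@code uid} is taken from {@link User#getUserId()}, any other
     *       attribute from {@link User#getAttribute(String, boolean)}, and the LDAP name
     *       is translated to its claim name through {@link ClaimMappingConfiguration}
     *       when a mapping exists;</li>
     *   <li>{@code amr}, set from the grant's auth mode when present;</li>
     *   <li>the individual claims named in the request object's id_token member, resolved
     *       through the reverse claim-to-LDAP mapping (or the claim name itself).</li>
     * </ol>
     *
     * Fixes over the original: the request-object branch guarded
     * {@code getUserInfoMember()} but dereferenced {@code getIdTokenMember()}, so a request
     * object whose id_token member was absent raised a NullPointerException; the member
     * that is actually read is now checked too (the original asymmetry is kept on purpose
     * — confirm which member is intended). A scope claim whose attribute lookup returns
     * null is skipped with a warning instead of throwing. The {@code claim != null} test
     * that followed a {@code claim.getName()} call now precedes the dereference.
     *
     * NOTE(review): the request-object branch resolves whatever attribute name the client
     * wrote into the request object, with no check against the requested scopes or an
     * allow-list visible here — confirm that request-object validation upstream restricts
     * the claim names a client may ask for, otherwise arbitrary user attributes could be
     * disclosed through the token.
     *
     * @param user               the authenticated user whose attributes are read
     * @param authorizationGrant the grant carrying the auth mode and optional request object
     * @param collection         the requested scope display names
     * @return claim name to claim value (never null)
     * @throws InvalidClaimException declared by the original signature; presumably raised by
     *                               the attribute/claim lookups — this body throws none itself
     */
    public Map<String, String> getClaims(User user, AuthorizationGrant authorizationGrant, Collection<String> collection) throws InvalidClaimException {
        final Map<String, String> claims = new HashMap<String, String>();

        // 1. Scope-driven claims.
        for (String scopeName : collection) {
            final Scope scope = this.scopeService.getScopeByDisplayName(scopeName);
            if (scope == null || scope.getOxAuthClaims() == null) {
                continue;
            }
            for (String claimDn : scope.getOxAuthClaims()) {
                final GluuAttribute attribute = this.attributeService.getScopeByDn(claimDn);
                if (attribute == null) {
                    // A scope referencing an attribute that cannot be resolved is a
                    // configuration problem; drop the claim rather than fail the whole
                    // authorization with an NPE.
                    this.log.warn("Attribute for claim DN {0} not found; skipping claim", claimDn);
                    continue;
                }
                final String ldapName = attribute.getName();
                final String value = "uid".equals(ldapName)
                        ? user.getUserId()
                        : user.getAttribute(ldapName, true);
                String claimName = ldapName;
                final ClaimMappingConfiguration mapping = ClaimMappingConfiguration.getMappingByLdap(ldapName);
                if (mapping != null) {
                    claimName = mapping.getClaim();
                }
                if (claimName != null && value != null) {
                    claims.put(claimName, value);
                }
            }
        }

        // 2. Authentication method reference.
        if (authorizationGrant.getAuthMode() != null) {
            claims.put("amr", authorizationGrant.getAuthMode());
        }

        // 3. Claims named explicitly in the request object (id_token member).
        final JwtAuthorizationRequest requestObject = authorizationGrant.getJwtAuthorizationRequest();
        if (requestObject != null
                && requestObject.getUserInfoMember() != null
                && requestObject.getIdTokenMember() != null) {
            for (Claim claim : requestObject.getIdTokenMember().getClaims()) {
                if (claim == null) {
                    continue;
                }
                final String claimName = claim.getName();
                final ClaimMappingConfiguration mapping = ClaimMappingConfiguration.getMappingByClaim(claimName);
                String ldapName = mapping != null ? mapping.getLdap() : null;
                if (ldapName == null) {
                    // No configured mapping: assume the claim name is the LDAP attribute name.
                    ldapName = claimName;
                }
                final Object value = user.getAttribute(ldapName, true);
                if (value != null) {
                    claims.put(claimName, value.toString());
                }
            }
        }
        return claims;
    }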
}
