package org.xdi.oxauth.authorize.ws.rs;

import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringUtils;
import org.codehaus.jettison.json.JSONException;
import org.jboss.seam.Component;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Observer;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.annotations.web.RequestParameter;
import org.jboss.seam.faces.FacesManager;
import org.jboss.seam.international.LocaleSelector;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Identity;
import org.xdi.model.AuthenticationScriptUsageType;
import org.xdi.model.custom.script.conf.CustomScriptConfiguration;
import org.xdi.oxauth.auth.Authenticator;
import org.xdi.oxauth.model.authorize.AuthorizeErrorResponseType;
import org.xdi.oxauth.model.authorize.AuthorizeParamsValidator;
import org.xdi.oxauth.model.common.Prompt;
import org.xdi.oxauth.model.common.SessionId;
import org.xdi.oxauth.model.common.User;
import org.xdi.oxauth.model.config.ConfigurationFactory;
import org.xdi.oxauth.model.config.Constants;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.federation.FederationTrust;
import org.xdi.oxauth.model.federation.FederationTrustStatus;
import org.xdi.oxauth.model.registration.Client;
import org.xdi.oxauth.model.util.LocaleUtil;
import org.xdi.oxauth.model.util.Util;
import org.xdi.oxauth.service.AuthenticationService;
import org.xdi.oxauth.service.ClientService;
import org.xdi.oxauth.service.FederationDataService;
import org.xdi.oxauth.service.RedirectionUriService;
import org.xdi.oxauth.service.ScopeService;
import org.xdi.oxauth.service.SessionIdService;
import org.xdi.oxauth.service.UserGroupService;
import org.xdi.oxauth.service.UserService;
import org.xdi.oxauth.service.external.ExternalAuthenticationService;
import org.xdi.util.StringHelper;

@Name("authorizeAction")
@Scope(ScopeType.EVENT)
/* loaded from: input_file:org/xdi/oxauth/authorize/ws/rs/AuthorizeAction.class */
public class AuthorizeAction {
    public static final List<String> ALLOWED_PARAMETER = Collections.unmodifiableList(Arrays.asList("scope", "response_type", "client_id", "redirect_uri", "state", "nonce", "display", "prompt", "max_age", "ui_locales", "id_token_hint", "login_hint", "acr_values", "amr_values", "session_id", "request", "request_uri"));

    @Logger
    private Log log;

    @In
    private ClientService clientService;

    @In
    private ErrorResponseFactory errorResponseFactory;

    @In
    private UserGroupService userGroupService;

    @In
    private FederationDataService federationDataService;

    @In
    private SessionIdService sessionIdService;

    @In
    private UserService userService;

    @In
    private RedirectionUriService redirectionUriService;

    @In
    private AuthenticationService authenticationService;

    @In
    private ExternalAuthenticationService externalAuthenticationService;

    @In
    private SessionId sessionUser;

    @In("org.jboss.seam.international.localeSelector")
    private LocaleSelector localeSelector;

    @RequestParameter("auth_level")
    private String authLevel;

    @RequestParameter("auth_mode")
    private String authMode;

    @In
    private Identity identity;
    private String scope;
    private String responseType;
    private String clientId;
    private String redirectUri;
    private String state;
    private String nonce;
    private String display;
    private String prompt;
    private Integer maxAge;
    private String uiLocales;
    private String idTokenHint;
    private String loginHint;
    private String acrValues;
    private String amrValues;
    private String request;
    private String requestUri;
    private String sessionId;

    public void checkUiLocales() {
        if (StringUtils.isNotBlank(this.uiLocales)) {
            List splittedStringAsList = Util.splittedStringAsList(this.uiLocales, " ");
            FacesContext currentInstance = FacesContext.getCurrentInstance();
            ArrayList arrayList = new ArrayList();
            Iterator supportedLocales = currentInstance.getApplication().getSupportedLocales();
            while (supportedLocales.hasNext()) {
                arrayList.add(supportedLocales.next());
            }
            Locale localeMatch = LocaleUtil.localeMatch(splittedStringAsList, arrayList);
            if (localeMatch != null) {
                this.localeSelector.setLocale(localeMatch);
            }
        }
    }

    private SessionId getSession() {
        initSessionId();
        if (!this.identity.isLoggedIn()) {
            ((Authenticator) Component.getInstance(Authenticator.class, true)).authenticateBySessionId(this.sessionId);
        }
        SessionId sessionId = this.sessionIdService.getSessionId(this.sessionId);
        if (sessionId == null) {
            this.identity.logout();
        }
        return sessionId;
    }

    public void checkPermissionGranted() {
        Client client;
        ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
        SessionId session = getSession();
        this.authenticationService.storeRequestHeadersInSession((HttpServletRequest) externalContext.getRequest());
        if (session == null || session.getUserDn() == null) {
            Map requestParameterMap = externalContext.getRequestParameterMap();
            String str = "/login.xhtml";
            if (this.externalAuthenticationService.isEnabled(AuthenticationScriptUsageType.INTERACTIVE)) {
                try {
                    List<String> jsonArrayStringAsList = Util.jsonArrayStringAsList(this.acrValues);
                    CustomScriptConfiguration determineCustomScriptConfiguration = (jsonArrayStringAsList == null || jsonArrayStringAsList.isEmpty()) ? this.externalAuthenticationService.determineCustomScriptConfiguration(AuthenticationScriptUsageType.INTERACTIVE, 1, this.authLevel, this.authMode) : this.externalAuthenticationService.determineCustomScriptConfiguration(AuthenticationScriptUsageType.INTERACTIVE, jsonArrayStringAsList);
                    if (determineCustomScriptConfiguration == null) {
                        this.log.error("Failed to get CustomScriptConfiguration. auth_step: {0}, auth_mode: {1}, auth_level: {2}", new Object[]{1, this.authMode, this.authLevel});
                        permissionDenied();
                        return;
                    }
                    this.authMode = determineCustomScriptConfiguration.getName();
                    requestParameterMap = new HashMap(requestParameterMap);
                    requestParameterMap.remove("auth_level");
                    requestParameterMap.put("auth_mode", this.authMode);
                    requestParameterMap.put("auth_step", Integer.toString(1));
                    String executeExternalGetPageForStep = this.externalAuthenticationService.executeExternalGetPageForStep(determineCustomScriptConfiguration, 1);
                    if (StringHelper.isNotEmpty(executeExternalGetPageForStep)) {
                        this.log.trace("Redirect to person authentication login page: {0}", new Object[]{executeExternalGetPageForStep});
                        str = executeExternalGetPageForStep;
                    }
                } catch (JSONException e) {
                    invalidRequest();
                    return;
                }
            }
            FacesManager.instance().redirect(str, requestParameterMap, false);
            return;
        }
        if (this.clientId == null || this.clientId.isEmpty() || (client = this.clientService.getClient(this.clientId)) == null) {
            return;
        }
        if (StringUtils.isBlank(this.redirectionUriService.validateRedirectionUri(this.clientId, this.redirectUri))) {
            permissionDenied();
        }
        User userByDn = this.userService.getUserByDn(session.getUserDn());
        this.log.trace("checkPermissionGranted, user = " + userByDn, new Object[0]);
        if (userByDn != null && client.hasUserGroups() && !this.userGroupService.isInAnyGroup(client.getUserGroups(), userByDn.getDn())) {
            permissionDenied();
        }
        if (ConfigurationFactory.getConfiguration().getFederationEnabled().booleanValue()) {
            List<FederationTrust> trustByClient = this.federationDataService.getTrustByClient(client, FederationTrustStatus.ACTIVE);
            if (trustByClient == null || trustByClient.isEmpty()) {
                this.log.trace("Deny authorization, client is not in any federation trust, client: {0}", new Object[]{client.getDn()});
                permissionDenied();
            } else if (FederationDataService.skipAuthorization(trustByClient)) {
                this.log.trace("Skip authorization (permissions granted), client is in federation trust where skip is allowed, client: {1}", new Object[]{client.getDn()});
                permissionGranted();
            }
        }
        List fromString = Prompt.fromString(this.prompt, " ");
        if (!AuthorizeParamsValidator.validatePrompt(fromString)) {
            invalidRequest();
            return;
        }
        if (!ConfigurationFactory.getConfiguration().getTrustedClientEnabled().booleanValue()) {
            consentRequired();
        } else {
            if (!Boolean.parseBoolean(client.getTrustedClient()) || fromString.contains(Prompt.CONSENT)) {
                return;
            }
            permissionGranted();
        }
    }

    private void initSessionId() {
        if (StringUtils.isBlank(this.sessionId)) {
            try {
                this.sessionId = SessionIdService.instance().getSessionIdFromCookie((HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest());
            } catch (Exception e) {
                this.log.error(e.getMessage(), e, new Object[0]);
            }
        }
    }

    @Observer({Constants.EVENT_OXAUTH_CUSTOM_LOGIN_SUCCESSFUL})
    public void onSuccessfulLogin(String str, Map<String, String> map) {
        onSuccessfulLoginImpl(str, map);
    }

    @Observer({"org.jboss.seam.security.loginSuccessful"})
    public void onSuccessfulLogin() {
        onSuccessfulLoginImpl(null, null);
    }

    public void onSuccessfulLoginImpl(String str, Map<String, String> map) {
        this.log.info("Attempting to redirect user. SessionUser: {0}", new Object[]{this.sessionUser});
        User userByDn = (this.sessionUser == null || !StringUtils.isNotBlank(this.sessionUser.getUserDn())) ? null : this.userService.getUserByDn(this.sessionUser.getUserDn());
        if (this.sessionUser != null) {
            this.sessionUser.setAuthenticationTime(new Date());
        }
        this.sessionIdService.updateSessionWithLastUsedDate(this.sessionUser, Prompt.fromString(this.prompt, " "));
        this.log.info("Attempting to redirect user. User: {0}", new Object[]{userByDn});
        if (userByDn != null) {
            Map<String, Object> parametersForRedirect = map == null ? parametersForRedirect(userByDn) : parametersForRedirect(userByDn, map);
            addAuthModeParameters(parametersForRedirect, str);
            this.log.trace("Logged in successfully! User: {0}, page: /authorize.xhtml, map: {1}", new Object[]{userByDn, parametersForRedirect});
            FacesManager.instance().redirect("/authorize.xhtml", parametersForRedirect, false);
        }
    }

    private Map<String, Object> parametersForRedirect(User user) {
        return parametersForRedirect(user, FacesContext.getCurrentInstance().getExternalContext().getRequestParameterMap());
    }

    private Map<String, Object> parametersForRedirect(User user, Map<String, String> map) {
        HashMap hashMap = new HashMap();
        if (map != null && !map.isEmpty()) {
            for (Map.Entry<String, String> entry : map.entrySet()) {
                if (ALLOWED_PARAMETER.contains(entry.getKey())) {
                    hashMap.put(entry.getKey(), entry.getValue());
                }
            }
        }
        if (!hashMap.isEmpty()) {
            if (this.sessionUser == null || this.sessionUser.getId() == null) {
                this.sessionUser = this.sessionIdService.generateSessionIdInteractive(user.getDn());
            }
            hashMap.put("session_id", this.sessionUser.getId());
        }
        return hashMap;
    }

    public void addAuthModeParameters(Map<String, Object> map, String str) {
        CustomScriptConfiguration customScriptConfiguration;
        if (!StringHelper.isNotEmpty(str) || (customScriptConfiguration = this.externalAuthenticationService.getCustomScriptConfiguration(AuthenticationScriptUsageType.INTERACTIVE, str)) == null) {
            return;
        }
        map.put("auth_mode", customScriptConfiguration.getName());
        map.put("auth_level", Integer.valueOf(customScriptConfiguration.getLevel()));
    }

    public List<org.xdi.oxauth.model.common.Scope> getScopes() {
        ArrayList arrayList = new ArrayList();
        ScopeService instance = ScopeService.instance();
        if (this.scope != null && !this.scope.isEmpty()) {
            for (String str : this.scope.split(" ")) {
                org.xdi.oxauth.model.common.Scope scopeByDisplayName = instance.getScopeByDisplayName(str);
                if (scopeByDisplayName != null && scopeByDisplayName.getDescription() != null) {
                    arrayList.add(scopeByDisplayName);
                }
            }
        }
        return arrayList;
    }

    public String getScope() {
        return this.scope;
    }

    public void setScope(String str) {
        this.scope = str;
    }

    public String getResponseType() {
        return this.responseType;
    }

    public void setResponseType(String str) {
        this.responseType = str;
    }

    public String getClientId() {
        return this.clientId;
    }

    public void setClientId(String str) {
        this.clientId = str;
    }

    public String getRedirectUri() {
        return this.redirectUri;
    }

    public void setRedirectUri(String str) {
        this.redirectUri = str;
    }

    public String getState() {
        return this.state;
    }

    public void setState(String str) {
        this.state = str;
    }

    public String getNonce() {
        return this.nonce;
    }

    public void setNonce(String str) {
        this.nonce = str;
    }

    public String getDisplay() {
        return this.display;
    }

    public void setDisplay(String str) {
        this.display = str;
    }

    public String getPrompt() {
        return this.prompt;
    }

    public void setPrompt(String str) {
        this.prompt = str;
    }

    public Integer getMaxAge() {
        return this.maxAge;
    }

    public void setMaxAge(Integer num) {
        this.maxAge = num;
    }

    public String getUiLocales() {
        return this.uiLocales;
    }

    public void setUiLocales(String str) {
        this.uiLocales = str;
    }

    public String getIdTokenHint() {
        return this.idTokenHint;
    }

    public void setIdTokenHint(String str) {
        this.idTokenHint = str;
    }

    public String getLoginHint() {
        return this.loginHint;
    }

    public void setLoginHint(String str) {
        this.loginHint = str;
    }

    public String getAcrValues() {
        return this.acrValues;
    }

    public void setAcrValues(String str) {
        this.acrValues = str;
    }

    public String getAmrValues() {
        return this.amrValues;
    }

    public void setAmrValues(String str) {
        this.amrValues = str;
    }

    public String getRequest() {
        return this.request;
    }

    public void setRequest(String str) {
        this.request = str;
    }

    public String getRequestUri() {
        return this.requestUri;
    }

    public void setRequestUri(String str) {
        this.requestUri = str;
    }

    public String getSessionId() {
        return this.sessionId;
    }

    public void setSessionId(String str) {
        this.sessionId = str;
    }

    public void permissionGranted() {
        try {
            SessionId session = getSession();
            session.addPermission(this.clientId, true);
            this.sessionIdService.updateSessionWithLastUsedDate(session, Prompt.fromString(this.prompt, " "));
            SessionIdService.instance().createSessionIdCookie(this.sessionId);
            String str = "seam/resource/restv1/oxauth/authorize?" + this.authenticationService.parametersAsString();
            this.log.trace("permissionGranted, redirectTo: {0}", new Object[]{str});
            FacesManager.instance().redirectToExternalURL(str);
        } catch (UnsupportedEncodingException e) {
            this.log.trace(e.getMessage(), e, new Object[0]);
        }
    }

    public void permissionDenied() {
        this.log.trace("permissionDenied", new Object[0]);
        StringBuilder sb = new StringBuilder();
        sb.append(this.redirectUri);
        if (this.redirectUri == null || !this.redirectUri.contains("?")) {
            sb.append("?");
        } else {
            sb.append("&");
        }
        sb.append(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.ACCESS_DENIED, getState()));
        FacesManager.instance().redirectToExternalURL(sb.toString());
    }

    public void invalidRequest() {
        this.log.trace("invalidRequest", new Object[0]);
        StringBuilder sb = new StringBuilder();
        sb.append(this.redirectUri);
        if (this.redirectUri == null || !this.redirectUri.contains("?")) {
            sb.append("?");
        } else {
            sb.append("&");
        }
        sb.append(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.INVALID_REQUEST, getState()));
        FacesManager.instance().redirectToExternalURL(sb.toString());
    }

    public void consentRequired() {
        StringBuilder sb = new StringBuilder();
        sb.append(this.redirectUri);
        if (this.redirectUri == null || !this.redirectUri.contains("?")) {
            sb.append("?");
        } else {
            sb.append("&");
        }
        sb.append(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.CONSENT_REQUIRED, getState()));
        FacesManager.instance().redirectToExternalURL(sb.toString());
    }
}
