package org.xdi.oxauth.authorize.ws.rs;

import com.wordnik.swagger.annotations.Api;
import java.net.ConnectException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.security.SignatureException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.GregorianCalendar;
import java.util.HashMap;
import java.util.List;
import java.util.TimeZone;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang.StringUtils;
import org.gluu.site.ldap.persistence.exception.EntryPersistenceException;
import org.jboss.resteasy.client.ClientRequest;
import org.jboss.resteasy.client.ClientResponse;
import org.jboss.seam.Component;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Identity;
import org.xdi.oxauth.auth.Authenticator;
import org.xdi.oxauth.model.authorize.AuthorizeErrorResponseType;
import org.xdi.oxauth.model.authorize.AuthorizeParamsValidator;
import org.xdi.oxauth.model.authorize.Claim;
import org.xdi.oxauth.model.authorize.JwtAuthorizationRequest;
import org.xdi.oxauth.model.authorize.ScopeChecker;
import org.xdi.oxauth.model.common.AccessToken;
import org.xdi.oxauth.model.common.AuthorizationCode;
import org.xdi.oxauth.model.common.AuthorizationGrant;
import org.xdi.oxauth.model.common.AuthorizationGrantList;
import org.xdi.oxauth.model.common.Parameters;
import org.xdi.oxauth.model.common.Prompt;
import org.xdi.oxauth.model.common.ResponseMode;
import org.xdi.oxauth.model.common.ResponseType;
import org.xdi.oxauth.model.common.SessionId;
import org.xdi.oxauth.model.common.User;
import org.xdi.oxauth.model.config.ConfigurationFactory;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.exception.InvalidJwtException;
import org.xdi.oxauth.model.ldap.ClientAuthorizations;
import org.xdi.oxauth.model.registration.Client;
import org.xdi.oxauth.model.util.JwtUtil;
import org.xdi.oxauth.model.util.Util;
import org.xdi.oxauth.service.AcrChangedException;
import org.xdi.oxauth.service.AttributeService;
import org.xdi.oxauth.service.AuthenticationFilterService;
import org.xdi.oxauth.service.ClientAuthorizationsService;
import org.xdi.oxauth.service.ClientService;
import org.xdi.oxauth.service.FederationDataService;
import org.xdi.oxauth.service.RedirectionUriService;
import org.xdi.oxauth.service.ScopeService;
import org.xdi.oxauth.service.SessionIdService;
import org.xdi.oxauth.service.UserGroupService;
import org.xdi.oxauth.service.UserService;
import org.xdi.oxauth.util.QueryStringDecoder;
import org.xdi.oxauth.util.RedirectUri;
import org.xdi.oxauth.util.RedirectUtil;
import org.xdi.oxauth.util.ServerUtil;
import org.xdi.util.StringHelper;
import org.xdi.util.security.StringEncrypter;

@Name("requestAuthorizationRestWebService")
@Api(value = "/oxauth/authorize", description = "Authorization Endpoint")
/* loaded from: input_file:org/xdi/oxauth/authorize/ws/rs/AuthorizeRestWebServiceImpl.class */
public class AuthorizeRestWebServiceImpl implements AuthorizeRestWebService {

    // Seam-provided logger (@Logger); the methods below use it for debug, trace and error output.
    @Logger
    private Log log;

    // The remaining fields are collaborators injected by Seam through @In.

    // Builds the JSON / query-string error payloads returned to the client.
    @In
    private ErrorResponseFactory errorResponseFactory;

    // Validates the redirect_uri supplied with a request for a given client id.
    @In
    private RedirectionUriService redirectionUriService;

    // Creates and looks up authorization grants (code, implicit, by access token).
    @In
    private AuthorizationGrantList authorizationGrantList;

    @In
    private ClientService clientService;

    @In
    private UserService userService;

    @In
    private UserGroupService userGroupService;

    @In
    private FederationDataService federationDataService;

    @In
    private ScopeService scopeService;

    @In
    private AttributeService attributeService;

    @In
    private Identity identity;

    @In
    private AuthenticationFilterService authenticationFilterService;

    @In
    private SessionIdService sessionIdService;

    @In
    private ScopeChecker scopeChecker;

    // Session of the caller. requestAuthorization() also assigns this field after it has
    // authenticated a user through an access token or the authentication filters.
    // NOTE(review): the field is mutable component state; confirm the component is scoped so
    // that a session assigned for one request can never be observed by another.
    @In
    private SessionId sessionUser;

    @In
    private ClientAuthorizationsService clientAuthorizationsService;

    /**
     * GET entry point of the authorization endpoint.
     *
     * <p>Forwards every argument unchanged to
     * {@code requestAuthorization} and tags the call with the HTTP method {@code "GET"};
     * {@code str20} (the origin headers) moves one position to make room for the method.
     *
     * @return whatever {@code requestAuthorization} produces for this request
     */
    @Override // org.xdi.oxauth.authorize.ws.rs.AuthorizeRestWebService
    public Response requestAuthorizationGet(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, String str9, Integer num, String str10, String str11, String str12, String str13, String str14, String str15, String str16, String str17, String str18, String str19, String str20, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityContext securityContext) {
        final String httpMethod = "GET";
        final Response response = requestAuthorization(
                str, str2, str3, str4, str5, str6, str7, str8, str9, num,
                str10, str11, str12, str13, str14, str15, str16, str17, str18, str19,
                httpMethod, str20, httpServletRequest, httpServletResponse, securityContext);
        return response;
    }

    /**
     * POST entry point of the authorization endpoint.
     *
     * <p>Forwards every argument unchanged to
     * {@code requestAuthorization} and tags the call with the HTTP method {@code "POST"};
     * {@code str20} (the origin headers) moves one position to make room for the method.
     *
     * @return whatever {@code requestAuthorization} produces for this request
     */
    @Override // org.xdi.oxauth.authorize.ws.rs.AuthorizeRestWebService
    public Response requestAuthorizationPost(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, String str9, Integer num, String str10, String str11, String str12, String str13, String str14, String str15, String str16, String str17, String str18, String str19, String str20, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityContext securityContext) {
        final String httpMethod = "POST";
        final Response response = requestAuthorization(
                str, str2, str3, str4, str5, str6, str7, str8, str9, num,
                str10, str11, str12, str13, str14, str15, str16, str17, str18, str19,
                httpMethod, str20, httpServletRequest, httpServletResponse, securityContext);
        return response;
    }

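    /**
     * Processes an authorization request on behalf of both the GET and the POST entry point.
     *
     * <p>Order of work, as implemented below: validate the parameters and look up the client,
     * validate the redirect URI, optionally resolve a request object (inline or fetched from the
     * request URI) and compare it with the plain parameters, make sure a user is authenticated
     * (redirecting to the authorization page when not), apply the prompt and max-age rules, and
     * finally put the artifacts demanded by the response type on the redirect URI.
     *
     * @param str scope, URL-encoded
     * @param str2 response type(s), space separated
     * @param str3 client id
     * @param str4 redirect URI
     * @param str5 state, echoed back in success and error responses
     * @param str6 response mode
     * @param str7 nonce
     * @param str8 display
     * @param str9 prompt value(s), space separated
     * @param num max age in seconds, may be {@code null}
     * @param str10 UI locales, space separated
     * @param str11 id_token hint (only forwarded to the authorization page)
     * @param str12 login hint (only forwarded to the authorization page)
     * @param str13 ACR values, space separated
     * @param str14 AMR values, space separated
     * @param str15 request object (JWT); replaced by the fetched document when {@code str16} is set
     * @param str16 request URI from which the request object is fetched
     * @param str17 request session id (only logged here)
     * @param str18 session id, handed to {@code endSession}
     * @param str19 access token that may stand in for an interactive login
     * @param str20 HTTP method of the call, {@code "GET"} or {@code "POST"}
     * @param str21 origin headers (logged and forwarded to the authorization page)
     * @param httpServletRequest current servlet request
     * @param httpServletResponse current servlet response
     * @param securityContext JAX-RS security context, used for the "isSecure" log field
     * @return a redirect to the client or to the authorization page, or a plain error response
     */
    public Response requestAuthorization(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8, String str9, Integer num, String str10, String str11, String str12, String str13, String str14, String str15, String str16, String str17, String str18, String str19, String str20, String str21, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SecurityContext securityContext) {
        Response.ResponseBuilder status;
        String scope = ServerUtil.urlDecode(str);
        // NOTE(review): this debug line carries the request object and both session identifiers;
        // confirm that debug output is access-controlled wherever this level is enabled.
        this.log.debug("Attempting to request authorization: responseType = {0}, clientId = {1}, scope = {2}, redirectUri = {3}, nonce = {4}, state = {5}, request = {6}, isSecure = {7}, requestSessionId = {8}, sessionId = {9}", new Object[]{str2, str3, scope, str4, str7, str5, str15, Boolean.valueOf(securityContext.isSecure()), str17, str18});
        // Only three arguments are supplied, so originHeaders is placeholder {2} (was {4}).
        this.log.debug("Attempting to request authorization: acrValues = {0}, amrValues = {1}, originHeaders = {2}", new Object[]{str13, str14, str21});
        List<String> uiLocales = null;
        if (StringUtils.isNotBlank(str10)) {
            uiLocales = Util.splittedStringAsList(str10, " ");
        }
        List<ResponseType> responseTypes = ResponseType.fromString(str2, " ");
        List<Prompt> prompts = Prompt.fromString(str9, " ");
        List<String> acrValuesList = Util.splittedStringAsList(str13, " ");
        List<String> amrValuesList = Util.splittedStringAsList(str14, " ");
        ResponseMode responseMode = ResponseMode.getByValue(str6);
        // A user is known up front only when the injected session already carries a user DN.
        User user = null;
        if (this.sessionUser != null && StringUtils.isNotBlank(this.sessionUser.getUserDn())) {
            user = this.userService.getUserByDn(this.sessionUser.getUserDn());
        }
        try {
            this.sessionIdService.updateSessionIfNeeded(this.sessionUser, str4, str13);
            if (AuthorizeParamsValidator.validateParams(str2, str3, prompts, str7, str15, str16)) {
                Client client = this.clientService.getClient(str3);
                JwtAuthorizationRequest jwtRequest = null;
                if (client != null) {
                    ArrayList scopes = new ArrayList();
                    if (StringHelper.isNotEmpty(scope)) {
                        scopes.addAll(this.scopeChecker.checkScopesPolicy(client, scope));
                    }
                    // Every redirect below targets this validated value, never the raw parameter.
                    String validatedRedirectUri = this.redirectionUriService.validateRedirectionUri(str3, str4);
                    if (!AuthorizeParamsValidator.validateResponseTypes(responseTypes, client)) {
                        status = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
                        status.entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.UNSUPPORTED_RESPONSE_TYPE, str5));
                    } else if (validatedRedirectUri == null) {
                        // No redirect on an unvalidated URI: the error is returned in the body.
                        status = error(Response.Status.BAD_REQUEST, AuthorizeErrorResponseType.INVALID_REQUEST_REDIRECT_URI, str5);
                    } else {
                        if (ConfigurationFactory.instance().getConfiguration().getFederationEnabled().booleanValue() && !this.federationDataService.hasAnyActiveTrust(client)) {
                            this.log.debug("Forbid authorization. Client is not in any trust relationship however federation is enabled for server. Client id: {0}, client redirectUris: {1}", new Object[]{client.getClientId(), client.getRedirectUris()});
                            return error(Response.Status.UNAUTHORIZED, AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, str5).build();
                        }
                        if (StringUtils.isNotBlank(str19)) {
                            // A known access token is accepted in place of a login: the token's
                            // user becomes the current user and a new authenticated session is
                            // created for them.
                            // NOTE(review): nothing here ties the token to this client or checks
                            // its expiry; confirm getAuthorizationGrantByAccessToken does. A null
                            // result from getUser() surfaces as a 500 via the catch-all below.
                            AuthorizationGrant tokenGrant = this.authorizationGrantList.getAuthorizationGrantByAccessToken(str19);
                            if (tokenGrant == null) {
                                RedirectUri accessDeniedRedirect = new RedirectUri(validatedRedirectUri, responseTypes, responseMode);
                                accessDeniedRedirect.parseQueryString(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.ACCESS_DENIED, str5));
                                return RedirectUtil.getRedirectResponseBuilder(accessDeniedRedirect, httpServletRequest).build();
                            }
                            user = this.userService.getUser(tokenGrant.getUserId(), new String[0]);
                            this.sessionUser = this.sessionIdService.generateAuthenticatedSessionId(user.getDn(), str9);
                        }
                        if (StringUtils.isNotBlank(str16)) {
                            // The request object is fetched server-side from a caller-supplied URI.
                            // NOTE(review): no check against URIs registered for the client is
                            // visible in this method; confirm an allow-list is enforced elsewhere.
                            // NOTE(review): a URI without a fragment skips the SHA-256 integrity
                            // check entirely.
                            boolean requestUriValid = false;
                            try {
                                URI uri = new URI(str16);
                                String fragment = uri.getFragment();
                                ClientRequest clientRequest = new ClientRequest(uri.getScheme() + ":" + uri.getSchemeSpecificPart());
                                clientRequest.setHttpMethod("GET");
                                ClientResponse clientResponse = clientRequest.get(String.class);
                                if (clientResponse.getStatus() == 200) {
                                    str15 = (String) clientResponse.getEntity(String.class);
                                    requestUriValid = StringUtils.isBlank(fragment) ? true : StringUtils.equals(fragment, JwtUtil.base64urlencode(JwtUtil.getMessageDigestSHA256(str15)));
                                }
                            } catch (Exception e) {
                                // Covers the connect, unknown-host and URI-syntax failures that
                                // were previously caught one by one with the same handling.
                                this.log.error(e.getMessage(), e, new Object[0]);
                            }
                            // Fail closed: a fetch or digest failure used to be logged only, after
                            // which processing continued without a verified request object.
                            if (!requestUriValid) {
                                RedirectUri invalidRequestUriRedirect = new RedirectUri(validatedRedirectUri, responseTypes, responseMode);
                                invalidRequestUriRedirect.parseQueryString(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.INVALID_REQUEST_URI, str5));
                                return RedirectUtil.getRedirectResponseBuilder(invalidRequestUriRedirect, httpServletRequest).build();
                            }
                            str16 = null;
                        }
                        boolean invalidRequestObject = false;
                        if (StringUtils.isNotBlank(str15)) {
                            try {
                                // Values inside the request object must agree with the plain
                                // parameters; any disagreement rejects the whole request.
                                jwtRequest = new JwtAuthorizationRequest(str15, client);
                                if (!jwtRequest.getResponseTypes().containsAll(responseTypes) || !responseTypes.containsAll(jwtRequest.getResponseTypes())) {
                                    throw new InvalidJwtException("The responseType parameter is not the same in the JWT");
                                }
                                if (jwtRequest.getClientId() != null && !jwtRequest.getClientId().equals(str3)) {
                                    throw new InvalidJwtException("The clientId parameter is not the same in the JWT");
                                }
                                if (!jwtRequest.getScopes().containsAll(scopes) || !scopes.containsAll(jwtRequest.getScopes())) {
                                    throw new InvalidJwtException("The scope parameter is not the same in the JWT");
                                }
                                if (jwtRequest.getRedirectUri() != null && !jwtRequest.getRedirectUri().equals(validatedRedirectUri)) {
                                    throw new InvalidJwtException("The redirectUri parameter is not the same in the JWT");
                                }
                                if (jwtRequest.getState() != null && StringUtils.isNotBlank(str5) && !jwtRequest.getState().equals(str5)) {
                                    throw new InvalidJwtException("The state parameter is not the same in the JWT");
                                }
                                if (jwtRequest.getNonce() != null && StringUtils.isNotBlank(str7) && !jwtRequest.getNonce().equals(str7)) {
                                    throw new InvalidJwtException("The nonce parameter is not the same in the JWT");
                                }
                                if (jwtRequest.getDisplay() != null && StringUtils.isNotBlank(str8) && !jwtRequest.getDisplay().getParamName().equals(str8)) {
                                    throw new InvalidJwtException("The display parameter is not the same in the JWT");
                                }
                                if (!jwtRequest.getPrompts().isEmpty() && !prompts.isEmpty() && !jwtRequest.getPrompts().containsAll(prompts)) {
                                    throw new InvalidJwtException("The prompt parameter is not the same in the JWT");
                                }
                                if (jwtRequest.getIdTokenMember() != null && jwtRequest.getIdTokenMember().getMaxAge() != null && num != null && !jwtRequest.getIdTokenMember().getMaxAge().equals(num)) {
                                    throw new InvalidJwtException("The maxAge parameter is not the same in the JWT");
                                }
                            } catch (InvalidJwtException e) {
                                invalidRequestObject = true;
                                this.log.debug("Invalid JWT authorization request. Exception = {0}, Message = {1}", e, new Object[]{e.getClass().getName(), e.getMessage()});
                            } catch (Exception e) {
                                // Parsing or verification failures are treated like a mismatch.
                                invalidRequestObject = true;
                                this.log.debug("Invalid JWT authorization request. Exception = {0}, Message = {1}", e, new Object[]{e.getClass().getName(), e.getMessage()});
                            }
                        }
                        if (invalidRequestObject) {
                            RedirectUri invalidRequestObjectRedirect = new RedirectUri(validatedRedirectUri, responseTypes, responseMode);
                            invalidRequestObjectRedirect.parseQueryString(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.INVALID_OPENID_REQUEST_OBJECT, str5));
                            status = RedirectUtil.getRedirectResponseBuilder(invalidRequestObjectRedirect, httpServletRequest);
                        } else {
                            AuthorizationGrant authorizationGrant = null;
                            RedirectUri redirect = new RedirectUri(validatedRedirectUri, responseTypes, responseMode);
                            // A "sub" claim requested for the id_token must match the current user.
                            // NOTE(review): the comparison ignores case; confirm user ids are
                            // case-insensitive in the backing directory.
                            if (jwtRequest != null && jwtRequest.getIdTokenMember() != null) {
                                Claim subClaim = jwtRequest.getIdTokenMember().getClaim("sub");
                                if (subClaim != null && subClaim.getClaimValue() != null && subClaim.getClaimValue().getValue() != null) {
                                    String requestedSub = subClaim.getClaimValue().getValue();
                                    if (user != null && !user.getUserId().equalsIgnoreCase(requestedSub)) {
                                        redirect.parseQueryString(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.USER_MISMATCHED, str5));
                                        return RedirectUtil.getRedirectResponseBuilder(redirect, httpServletRequest).build();
                                    }
                                }
                            }
                            if (user == null) {
                                this.identity.logout();
                                if (!prompts.contains(Prompt.NONE)) {
                                    // Interactive login is allowed: hand over to the authorization page.
                                    if (prompts.contains(Prompt.LOGIN)) {
                                        endSession(str18, httpServletRequest, httpServletResponse);
                                        prompts.remove(Prompt.LOGIN);
                                    }
                                    redirectToAuthorizationPage(redirect, responseTypes, scope, str3, validatedRedirectUri, str5, responseMode, str7, str8, prompts, num, uiLocales, str11, str12, acrValuesList, amrValuesList, str15, str16, str21);
                                    return RedirectUtil.getRedirectResponseBuilder(redirect, httpServletRequest).build();
                                }
                                // prompt=none: only the authentication filters may log the user in.
                                if (!this.authenticationFilterService.isEnabled()) {
                                    redirect.parseQueryString(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.LOGIN_REQUIRED, str5));
                                    return RedirectUtil.getRedirectResponseBuilder(redirect, httpServletRequest).build();
                                }
                                // NOTE(review): the two branches probably yield differently shaped
                                // maps (servlet parameter maps hold String[] values); confirm
                                // processAuthenticationFilters copes with both.
                                String filteredUserDn = this.authenticationFilterService.processAuthenticationFilters(str20.equals("GET") ? QueryStringDecoder.decode(httpServletRequest.getQueryString()) : httpServletRequest.getParameterMap());
                                if (filteredUserDn == null) {
                                    redirect.parseQueryString(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.LOGIN_REQUIRED, str5));
                                    return RedirectUtil.getRedirectResponseBuilder(redirect, httpServletRequest).build();
                                }
                                this.sessionUser = this.sessionIdService.generateAuthenticatedSessionId(filteredUserDn, str9);
                                user = this.userService.getUserByDn(this.sessionUser.getUserDn());
                                ((Authenticator) Component.getInstance(Authenticator.class, true)).authenticateExternallyWebService(user.getUserId());
                                this.identity.addRole("user");
                            }
                            // Consent stored earlier for at least the requested scopes counts as granted.
                            ClientAuthorizations storedAuthorizations = this.clientAuthorizationsService.findClientAuthorizations(user.getAttribute("inum"), client.getClientId());
                            if (storedAuthorizations != null && storedAuthorizations.getScopes() != null && Arrays.asList(storedAuthorizations.getScopes()).containsAll(scopes)) {
                                this.sessionUser.addPermission(str3, true);
                            }
                            // prompt=none from a client flagged as trusted is granted without consent.
                            if (prompts.contains(Prompt.NONE) && Boolean.parseBoolean(client.getTrustedClient())) {
                                this.sessionUser.addPermission(str3, true);
                            }
                            if (prompts.contains(Prompt.LOGIN)) {
                                endSession(str18, httpServletRequest, httpServletResponse);
                                prompts.remove(Prompt.LOGIN);
                                redirectToAuthorizationPage(redirect, responseTypes, scope, str3, validatedRedirectUri, str5, responseMode, str7, str8, prompts, num, uiLocales, str11, str12, acrValuesList, amrValuesList, str15, str16, str21);
                                return RedirectUtil.getRedirectResponseBuilder(redirect, httpServletRequest).build();
                            }
                            // NOTE(review): the consent page is reached only when prompt contains
                            // "consent" AND no permission is recorded. A request without
                            // prompt=consent continues to token issuance here whatever
                            // isPermissionGrantedForClient returns; confirm consent is enforced
                            // elsewhere or that this condition is intended.
                            if (prompts.contains(Prompt.CONSENT) && !this.sessionUser.isPermissionGrantedForClient(str3).booleanValue()) {
                                prompts.remove(Prompt.CONSENT);
                                redirectToAuthorizationPage(redirect, responseTypes, scope, str3, validatedRedirectUri, str5, responseMode, str7, str8, prompts, num, uiLocales, str11, str12, acrValuesList, amrValuesList, str15, str16, str21);
                                return RedirectUtil.getRedirectResponseBuilder(redirect, httpServletRequest).build();
                            }
                            // Max age: the plain parameter wins, then the request object, then the
                            // client's default. (invalidRequestObject is always false on this
                            // branch, so the former "!z3" test was redundant and is dropped.)
                            boolean sessionFresh = true;
                            Integer effectiveMaxAge = null;
                            if (num != null) {
                                effectiveMaxAge = num;
                            } else if (jwtRequest != null && jwtRequest.getIdTokenMember() != null && jwtRequest.getIdTokenMember().getMaxAge() != null) {
                                effectiveMaxAge = jwtRequest.getIdTokenMember().getMaxAge();
                            }
                            GregorianCalendar now = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
                            GregorianCalendar sessionExpiry = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
                            sessionExpiry.setTime(this.sessionUser.getAuthenticationTime());
                            if (effectiveMaxAge != null) {
                                // GregorianCalendar.SECOND is the field the literal 13 stood for.
                                sessionExpiry.add(GregorianCalendar.SECOND, effectiveMaxAge.intValue());
                                sessionFresh = sessionExpiry.after(now);
                            } else if (client.getDefaultMaxAge() != null) {
                                sessionExpiry.add(GregorianCalendar.SECOND, client.getDefaultMaxAge().intValue());
                                sessionFresh = sessionExpiry.after(now);
                            }
                            if (!sessionFresh) {
                                // Authentication is older than allowed: force a new login.
                                endSession(str18, httpServletRequest, httpServletResponse);
                                redirectToAuthorizationPage(redirect, responseTypes, scope, str3, validatedRedirectUri, str5, responseMode, str7, str8, prompts, num, uiLocales, str11, str12, acrValuesList, amrValuesList, str15, str16, str21);
                                return RedirectUtil.getRedirectResponseBuilder(redirect, httpServletRequest).build();
                            }
                            if (checkUserGroups(user, client)) {
                                // One grant is shared by all requested response types; it is
                                // created by the first branch that needs it.
                                AuthorizationCode authorizationCode = null;
                                if (responseTypes.contains(ResponseType.CODE)) {
                                    authorizationGrant = this.authorizationGrantList.createAuthorizationCodeGrant(user, client, this.sessionUser.getAuthenticationTime());
                                    authorizationGrant.setNonce(str7);
                                    authorizationGrant.setJwtAuthorizationRequest(jwtRequest);
                                    authorizationGrant.setScopes(scopes);
                                    authorizationGrant.setAcrValues(str13);
                                    authorizationGrant.save();
                                    authorizationCode = authorizationGrant.getAuthorizationCode();
                                    redirect.addResponseParameter("code", authorizationCode.getCode());
                                }
                                AccessToken accessToken = null;
                                if (responseTypes.contains(ResponseType.TOKEN)) {
                                    if (authorizationGrant == null) {
                                        authorizationGrant = this.authorizationGrantList.createImplicitGrant(user, client, this.sessionUser.getAuthenticationTime());
                                        authorizationGrant.setNonce(str7);
                                        authorizationGrant.setJwtAuthorizationRequest(jwtRequest);
                                        authorizationGrant.setScopes(scopes);
                                        authorizationGrant.setAcrValues(str13);
                                        authorizationGrant.save();
                                    }
                                    accessToken = authorizationGrant.createAccessToken();
                                    redirect.addResponseParameter("access_token", accessToken.getCode());
                                    redirect.addResponseParameter("token_type", accessToken.getTokenType().toString());
                                    redirect.addResponseParameter("expires_in", accessToken.getExpiresIn() + "");
                                }
                                if (responseTypes.contains(ResponseType.ID_TOKEN)) {
                                    if (authorizationGrant == null) {
                                        authorizationGrant = this.authorizationGrantList.createAuthorizationGrant(user, client, this.sessionUser.getAuthenticationTime());
                                        authorizationGrant.setNonce(str7);
                                        authorizationGrant.setJwtAuthorizationRequest(jwtRequest);
                                        authorizationGrant.setScopes(scopes);
                                        authorizationGrant.setAcrValues(str13);
                                        authorizationGrant.save();
                                    }
                                    redirect.addResponseParameter("id_token", authorizationGrant.createIdToken(str7, authorizationCode, accessToken, authorizationGrant.getAcrValues()).getCode());
                                }
                                if (authorizationGrant != null && StringHelper.isNotEmpty(str13)) {
                                    redirect.addResponseParameter("acr_values", str13);
                                }
                                if (this.sessionUser.getId() == null) {
                                    String newSessionId = this.sessionIdService.generateAuthenticatedSessionId(this.sessionUser.getUserDn(), str9).getId();
                                    this.sessionUser.setId(newSessionId);
                                    this.log.trace("newSessionId = {0}", new Object[]{newSessionId});
                                }
                                // NOTE(review): the session id travels on the redirect URI together
                                // with the tokens; confirm that exposure is intended for clients.
                                redirect.addResponseParameter(Parameters.SESSION_ID.getParamName(), this.sessionUser.getId());
                                redirect.addResponseParameter("state", str5);
                                if (scope != null && !scope.isEmpty()) {
                                    // NOTE(review): authorizationGrant is still null here if none of
                                    // CODE, TOKEN or ID_TOKEN was requested; presumably
                                    // validateResponseTypes rules that out, verify.
                                    redirect.addResponseParameter("scope", authorizationGrant.checkScopesPolicy(scope));
                                }
                                this.clientService.updatAccessTime(client, false);
                                status = RedirectUtil.getRedirectResponseBuilder(redirect, httpServletRequest);
                            } else {
                                redirect.parseQueryString(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, str5));
                                status = RedirectUtil.getRedirectResponseBuilder(redirect, httpServletRequest);
                            }
                        }
                    }
                } else {
                    status = error(Response.Status.UNAUTHORIZED, AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, str5);
                }
            } else if (str3 == null || str4 == null || this.redirectionUriService.validateRedirectionUri(str3, str4) == null) {
                // Without a validated redirect URI the error must not be sent as a redirect.
                status = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
                status.entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, str5));
            } else {
                RedirectUri invalidRequestRedirect = new RedirectUri(str4, responseTypes, responseMode);
                invalidRequestRedirect.parseQueryString(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.INVALID_REQUEST, str5));
                status = RedirectUtil.getRedirectResponseBuilder(invalidRequestRedirect, httpServletRequest);
            }
        // Specific handlers first and the catch-all last: with catch (Exception) listed second,
        // the handlers after it were unreachable, including the dedicated 401 for
        // EntryPersistenceException.
        } catch (AcrChangedException e) {
            // NOTE(review): the caller-supplied ACR value is echoed in the response body;
            // confirm the response is never rendered as HTML.
            status = Response.status(Response.Status.UNAUTHORIZED).entity("Session already exist with ACR that is different than the one send with this authorization request. Please perform logout in order to login with another ACR. ACR: " + str13);
            this.log.error(e.getMessage(), e, new Object[0]);
        } catch (EntryPersistenceException e) {
            status = error(Response.Status.UNAUTHORIZED, AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, str5);
            this.log.error(e.getMessage(), e, new Object[0]);
        } catch (InvalidJwtException e) {
            status = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
            this.log.error(e.getMessage(), e, new Object[0]);
        } catch (SignatureException e) {
            status = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
            this.log.error(e.getMessage(), e, new Object[0]);
        } catch (StringEncrypter.EncryptionException e) {
            status = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
            this.log.error(e.getMessage(), e, new Object[0]);
        } catch (Exception e) {
            // Anything else becomes a bare 500; details go to the log only.
            status = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
            this.log.error(e.getMessage(), e, new Object[0]);
        }
        return status.build();
    }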

    /**
     * Starts a response with the given HTTP status whose body is the JSON rendering of an
     * authorization error.
     *
     * @param status HTTP status to answer with
     * @param authorizeErrorResponseType error to render through the error response factory
     * @param str state value handed to the error response factory
     * @return the response builder, not yet built
     */
    private Response.ResponseBuilder error(Response.Status status, AuthorizeErrorResponseType authorizeErrorResponseType, String str) {
        final Response.ResponseBuilder builder = Response.status(status.getStatusCode());
        return builder.entity(this.errorResponseFactory.getErrorAsJson(authorizeErrorResponseType, str));
    }

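    /**
     * Re-targets {@code redirectUri} at the configured authorization page and copies the
     * incoming authorization request parameters onto it as response parameters.
     *
     * <p>The response mode is forced to {@link ResponseMode#QUERY}, so every value added here
     * is carried in the URL query string. String values are skipped when blank; list values are
     * joined with {@code StringUtils.implode(list, " ")} and skipped when the result is blank.
     *
     * <p>The original code added {@code request_uri} twice from the same argument; it is now
     * added once.
     *
     * <p>NOTE(review): {@code state}, {@code nonce}, {@code id_token_hint}, {@code login_hint}
     * and the {@code request} object travel in the query string, where they can end up in
     * access logs, browser history and Referer headers. Confirm that the authorization page is
     * same-origin and that these URLs are not logged verbatim. Whether {@code RedirectUri}
     * URL-encodes the values is not visible from this method.
     *
     * @param redirectUri redirect holder that is mutated in place
     * @param list response types, sent as {@code response_type}
     * @param str sent as {@code scope}
     * @param str2 sent as {@code client_id}
     * @param str3 sent as {@code redirect_uri}
     * @param str4 sent as {@code state}
     * @param responseMode sent as {@code response_mode} (its param name) when non-null
     * @param str5 sent as {@code nonce}
     * @param str6 sent as {@code display}
     * @param list2 prompts, sent as {@code prompt}
     * @param num sent as {@code max_age} when non-null
     * @param list3 sent as {@code ui_locales}
     * @param str7 sent as {@code id_token_hint}
     * @param str8 sent as {@code login_hint}
     * @param list4 sent as {@code acr_values}
     * @param list5 sent as {@code amr_values}
     * @param str9 sent as {@code request}
     * @param str10 sent as {@code request_uri}
     * @param str11 sent as {@code origin_headers}
     */
    private void redirectToAuthorizationPage(RedirectUri redirectUri, List<ResponseType> list, String str, String str2, String str3, String str4, ResponseMode responseMode, String str5, String str6, List<Prompt> list2, Integer num, List<String> list3, String str7, String str8, List<String> list4, List<String> list5, String str9, String str10, String str11) {
        redirectUri.setBaseRedirectUri(ConfigurationFactory.instance().getConfiguration().getAuthorizationPage());
        redirectUri.setResponseMode(ResponseMode.QUERY);

        // Parameters are added in the same order as before.
        addParamIfNotBlank(redirectUri, "response_type", org.xdi.oxauth.model.util.StringUtils.implode(list, " "));
        addParamIfNotBlank(redirectUri, "scope", str);
        addParamIfNotBlank(redirectUri, "client_id", str2);
        addParamIfNotBlank(redirectUri, "redirect_uri", str3);
        addParamIfNotBlank(redirectUri, "state", str4);
        if (responseMode != null) {
            // Only the null check applies here; the param name is not tested for blankness.
            redirectUri.addResponseParameter("response_mode", responseMode.getParamName());
        }
        addParamIfNotBlank(redirectUri, "nonce", str5);
        addParamIfNotBlank(redirectUri, "display", str6);
        addParamIfNotBlank(redirectUri, "prompt", org.xdi.oxauth.model.util.StringUtils.implode(list2, " "));
        if (num != null) {
            redirectUri.addResponseParameter("max_age", num.toString());
        }
        addParamIfNotBlank(redirectUri, "ui_locales", org.xdi.oxauth.model.util.StringUtils.implode(list3, " "));
        addParamIfNotBlank(redirectUri, "id_token_hint", str7);
        addParamIfNotBlank(redirectUri, "login_hint", str8);
        addParamIfNotBlank(redirectUri, "acr_values", org.xdi.oxauth.model.util.StringUtils.implode(list4, " "));
        addParamIfNotBlank(redirectUri, "amr_values", org.xdi.oxauth.model.util.StringUtils.implode(list5, " "));
        addParamIfNotBlank(redirectUri, "request", str9);
        // Added once; the original repeated this block with the same argument.
        addParamIfNotBlank(redirectUri, "request_uri", str10);
        addParamIfNotBlank(redirectUri, "origin_headers", str11);
    }

    /** Adds {@code name=value} to {@code redirectUri} unless {@code value} is null, empty or whitespace. */
    private void addParamIfNotBlank(RedirectUri redirectUri, String name, String value) {
        if (StringUtils.isNotBlank(value)) {
            redirectUri.addResponseParameter(name, value);
        }
    }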

    /**
     * Decides whether {@code user} passes the client's user-group restriction.
     *
     * <p>A {@code null} client, or a client with no user groups, imposes no restriction and the
     * result is {@code true}. Otherwise the user's DN must be in at least one of the client's
     * groups, as reported by {@code userGroupService.isInAnyGroup}.
     *
     * <p>NOTE(review): this check passes for a {@code null} client, so callers must reject an
     * unknown client before relying on it. {@code user} is dereferenced without a null check
     * when the client does have groups.
     *
     * @param user user whose DN is tested for membership
     * @param client client whose group restriction is applied; may be {@code null}
     * @return {@code true} when no restriction applies or the user is in one of the groups
     */
    private boolean checkUserGroups(User user, Client client) {
        final boolean restricted = client != null && client.hasUserGroups();
        if (restricted) {
            return this.userGroupService.isInAnyGroup(client.getUserGroups(), user.getDn());
        }
        return true;
    }

    /**
     * Ends the current login: logs the identity out, clears the session user, removes the
     * stored session and removes the session-id cookie.
     *
     * <p>The session id is taken from {@code str} when it is non-empty, otherwise from the
     * request cookie. A session that cannot be loaded or removed is only logged; the cookie is
     * removed in every case.
     *
     * <p>NOTE(review): both error messages write the raw session id to the log. When removal
     * fails the session may still be valid, so that log line holds a usable session identifier.
     * Consider logging a truncated or hashed form and restricting access to these logs. The id
     * can also come from the caller-supplied {@code str}; confirm the logger neutralises
     * control characters.
     *
     * @param str explicit session id, or empty/null to fall back to the cookie
     * @param httpServletRequest request the session-id cookie is read from
     * @param httpServletResponse response on which the session-id cookie is removed
     */
    private void endSession(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        this.identity.logout();
        this.sessionUser.setUserDn(null);
        this.sessionUser.setAuthenticationTime(null);

        // Prefer the explicit id; fall back to the cookie only when none was supplied.
        final String effectiveId = StringHelper.isEmpty(str)
                ? this.sessionIdService.getSessionIdFromCookie(httpServletRequest)
                : str;

        if (StringHelper.isNotEmpty(effectiveId)) {
            final SessionId stored = this.sessionIdService.getSessionId(effectiveId);
            if (stored == null) {
                this.log.error("Failed to load session from LDAP by session_id: '{0}'", new Object[]{effectiveId});
            } else {
                final boolean removed = this.sessionIdService.remove(stored);
                if (!removed) {
                    this.log.error("Failed to remove session_id '{0}' from LDAP", new Object[]{effectiveId});
                }
            }
        }

        // The cookie is cleared even when the server-side session was not found or not removed.
        this.sessionIdService.removeSessionIdCookie(httpServletResponse);
    }
}
