package org.xdi.oxauth.service.uma;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.gluu.site.ldap.persistence.exception.EntryPersistenceException;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.AutoCreate;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.log.Log;
import org.xdi.oxauth.model.common.AuthorizationGrant;
import org.xdi.oxauth.model.common.AuthorizationGrantList;
import org.xdi.oxauth.model.common.uma.UmaRPT;
import org.xdi.oxauth.model.config.ConfigurationFactory;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.federation.FederationTrust;
import org.xdi.oxauth.model.federation.FederationTrustStatus;
import org.xdi.oxauth.model.registration.Client;
import org.xdi.oxauth.model.uma.UmaErrorResponseType;
import org.xdi.oxauth.model.uma.UmaPermission;
import org.xdi.oxauth.model.uma.UmaScopeType;
import org.xdi.oxauth.model.uma.persistence.ResourceSet;
import org.xdi.oxauth.model.uma.persistence.ResourceSetPermission;
import org.xdi.oxauth.service.FederationDataService;
import org.xdi.oxauth.service.token.TokenService;
import org.xdi.util.StringHelper;

@Name("umaValidationService")
@AutoCreate
@Scope(ScopeType.STATELESS)
/* loaded from: input_file:org/xdi/oxauth/service/uma/UmaValidationService.class */
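/*
 * Request-validation helpers shared by the UMA endpoints.
 *
 * Every check either returns normally or fails closed by throwing a
 * WebApplicationException whose entity is the UMA JSON error built by
 * ErrorResponseFactory. Callers never receive a boolean they could forget
 * to test; the exception itself is the rejection.
 */
public class UmaValidationService {

    @Logger
    private Log log;

    @In
    private ErrorResponseFactory errorResponseFactory;

    @In
    private TokenService tokenService;

    @In
    private AuthorizationGrantList authorizationGrantList;

    @In
    private ResourceSetService resourceSetService;

    @In
    private ScopeService umaScopeService;

    @In
    private FederationDataService federationDataService;

    /**
     * Validates the AM (authorization manager) host named by a request and normalizes it.
     * <p>
     * The value must be non-empty, must parse as a {@link URI}, and must match
     * (case-insensitively) the host component of this server's configured base endpoint,
     * so a request addressed to a different AM is rejected here instead of being served.
     * Parsing is a syntax check only; the host is never contacted.
     *
     * @param str the AM host taken from the request
     * @return {@code str} lower-cased and trimmed
     * @throws WebApplicationException 400 with {@code INVALID_REQUEST} when the value is
     *         empty, unparsable, or names another AM (or the configured base endpoint
     *         itself cannot be parsed)
     */
    public String validateAmHost(String str) {
        if (StringHelper.isEmpty(str)) {
            log.error("AM host is invalid");
            throw umaError(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_REQUEST);
        }
        try {
            // Syntax check only; the value is not dereferenced.
            new URI(str);
            String ownHost = new URI(ConfigurationFactory.instance().getConfiguration().getBaseEndpoint()).getHost();
            if (StringHelper.equalsIgnoreCase(str, ownHost)) {
                return StringHelper.toLowerCase(str).trim();
            }
            log.error("Get request for another AM: '{0}'", str);
            throw umaError(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_REQUEST);
        } catch (URISyntaxException e) {
            // Covers both the request value and the configured base endpoint failing to
            // parse; the original code handled the two cases with identical log + response.
            log.error("Failed to parse AM host: '{0}'", e, str);
            throw umaError(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_REQUEST);
        }
    }

    /**
     * Validates a generic host value and normalizes it.
     * <p>
     * Unlike {@link #validateAmHost(String)} this performs no comparison against a
     * configured value: the host is only required to be non-empty and to parse as a
     * {@link URI}.
     *
     * @param str the host taken from the request
     * @return {@code str} lower-cased and trimmed
     * @throws WebApplicationException 400 with {@code INVALID_REQUEST} when the value is
     *         empty or unparsable
     */
    public String validateHost(String str) {
        if (StringHelper.isEmpty(str)) {
            log.error("Host is invalid");
            throw umaError(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_REQUEST);
        }
        try {
            new URI(str);
            return StringHelper.toLowerCase(str).trim();
        } catch (URISyntaxException e) {
            log.error("Failed to parse host: '{0}'", e, str);
            throw umaError(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_REQUEST);
        }
    }

    /**
     * Requires the bearer grant in {@code str} to carry the UMA {@code PROTECTION} scope.
     *
     * @param str the raw Authorization header/parameter value
     * @return the validated grant
     * @throws WebApplicationException see {@link #validateAuthorization(String, UmaScopeType)}
     */
    public AuthorizationGrant assertHasProtectionScope(String str) {
        return validateAuthorization(str, UmaScopeType.PROTECTION);
    }

    /**
     * Requires the bearer grant in {@code str} to carry the UMA {@code AUTHORIZATION} scope.
     *
     * @param str the raw Authorization header/parameter value
     * @return the validated grant
     * @throws WebApplicationException see {@link #validateAuthorization(String, UmaScopeType)}
     */
    public AuthorizationGrant assertHasAuthorizationScope(String str) {
        return validateAuthorization(str, UmaScopeType.AUTHORIZATION);
    }

    /**
     * Resolves and checks the grant behind an Authorization value.
     * <p>
     * Checks, in order: the value is present; a token can be extracted from it; a grant
     * exists for that token; the grant is still valid; when federation is enabled, the
     * grant's client has at least one {@code ACTIVE} federation trust; and the grant's
     * scopes include {@code umaScopeType}.
     *
     * @param str          the raw Authorization header/parameter value
     * @param umaScopeType the UMA scope the grant must hold
     * @return the grant, once every check has passed
     * @throws WebApplicationException 401 with {@code UNAUTHORIZED_CLIENT} (no value/token),
     *         {@code ACCESS_DENIED} (unknown token), {@code INVALID_TOKEN} (grant no longer
     *         valid) or {@code CLIENT_NOT_IN_FEDERATED_TRUST}; 406 with
     *         {@code INVALID_CLIENT_SCOPE} when the required scope is missing
     */
    private AuthorizationGrant validateAuthorization(String str, UmaScopeType umaScopeType) {
        log.trace("Validate authorization: {0}", str);
        if (StringHelper.isEmpty(str)) {
            throw umaError(Response.Status.UNAUTHORIZED, UmaErrorResponseType.UNAUTHORIZED_CLIENT);
        }
        String token = tokenService.getTokenFromAuthorizationParameter(str);
        if (StringHelper.isEmpty(token)) {
            log.debug("Token is invalid");
            throw umaError(Response.Status.UNAUTHORIZED, UmaErrorResponseType.UNAUTHORIZED_CLIENT);
        }
        AuthorizationGrant grant = authorizationGrantList.getAuthorizationGrantByAccessToken(token);
        if (grant == null) {
            throw umaError(Response.Status.UNAUTHORIZED, UmaErrorResponseType.ACCESS_DENIED);
        }
        if (!grant.isValid()) {
            throw umaError(Response.Status.UNAUTHORIZED, UmaErrorResponseType.INVALID_TOKEN);
        }
        Client client = grant.getClient();
        if (ConfigurationFactory.instance().getConfiguration().getFederationEnabled()) {
            // With federation on, a client outside every active trust is refused even
            // though its token is otherwise good.
            List<FederationTrust> trusts = federationDataService.getTrustByClient(client, FederationTrustStatus.ACTIVE);
            if (trusts == null || trusts.isEmpty()) {
                log.error("Client is not in any federation trust, client: {0}", client.getDn());
                throw umaError(Response.Status.UNAUTHORIZED, UmaErrorResponseType.CLIENT_NOT_IN_FEDERATED_TRUST);
            }
        }
        if (!grant.getScopes().contains(umaScopeType.getValue())) {
            throw umaError(Response.Status.NOT_ACCEPTABLE, UmaErrorResponseType.INVALID_CLIENT_SCOPE);
        }
        return grant;
    }

    /**
     * Requires a present, unexpired, valid RPT (requesting party token).
     *
     * @param umaRPT the RPT to check; may be {@code null}
     * @throws WebApplicationException 401 with {@code NOT_AUTHORIZED_PERMISSION} when the
     *         RPT is missing or not valid
     */
    public void validateRPT(UmaRPT umaRPT) {
        if (umaRPT == null) {
            throw umaError(Response.Status.UNAUTHORIZED, UmaErrorResponseType.NOT_AUTHORIZED_PERMISSION);
        }
        // checkExpired() runs before isValid(); presumably it clears the valid flag once
        // the RPT's lifetime has passed — confirm against UmaRPT.
        umaRPT.checkExpired();
        if (!umaRPT.isValid()) {
            throw umaError(Response.Status.UNAUTHORIZED, UmaErrorResponseType.NOT_AUTHORIZED_PERMISSION);
        }
    }

    /**
     * Requires a present, non-invalidated, unexpired permission ticket.
     *
     * @param resourceSetPermission the permission to check; may be {@code null}
     * @throws WebApplicationException 400 with {@code INVALID_TICKET} when the permission
     *         is missing or its AM host carries the {@code "invalidated"} marker; 400 with
     *         {@code EXPIRED_TICKET} when it is no longer valid
     */
    public void validateResourceSetPermission(ResourceSetPermission resourceSetPermission) {
        // The literal "invalidated" stored in place of the AM host is treated as a
        // tombstone for a consumed ticket — presumably written elsewhere when the ticket
        // is invalidated; confirm against the permission service.
        if (resourceSetPermission == null || "invalidated".equalsIgnoreCase(resourceSetPermission.getAmHost())) {
            throw umaError(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_TICKET);
        }
        resourceSetPermission.checkExpired();
        if (!resourceSetPermission.isValid()) {
            throw umaError(Response.Status.BAD_REQUEST, UmaErrorResponseType.EXPIRED_TICKET);
        }
    }

    /**
     * Requires the permission to reference exactly one registered resource set and only
     * scopes registered on that resource set.
     *
     * @param umaPermission the requested permission; a {@code null} value is reported as a
     *                      missing resource set id rather than as an NPE
     * @throws WebApplicationException 400 with {@code INVALID_RESOURCE_SET_ID} when the id
     *         is empty, unknown, ambiguous, or the lookup fails; 400 with
     *         {@code INVALID_RESOURCE_SET_SCOPE} when a requested scope is not registered
     */
    public void validateResourceSet(UmaPermission umaPermission) {
        String resourceSetId = umaPermission == null ? null : umaPermission.getResourceSetId();
        if (StringHelper.isEmpty(resourceSetId)) {
            log.error("Resource set id is empty");
            throw umaError(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_RESOURCE_SET_ID);
        }
        try {
            // Lookup by example: a ResourceSet carrying only the base DN and the id.
            ResourceSet probe = new ResourceSet();
            probe.setDn(resourceSetService.getBaseDnForResourceSet());
            probe.setId(resourceSetId);
            List<ResourceSet> matches = resourceSetService.findResourceSets(probe);
            // Exactly one match is required: zero means unregistered, more than one means
            // the id is ambiguous and must not be authorized.
            if (matches.size() != 1) {
                log.error("Resource set isn't registered or there are two resource set with same Id");
                throw umaError(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_RESOURCE_SET_ID);
            }
            // Every requested scope must be among the scopes registered on the resource set.
            if (!umaScopeService.getScopeUrlsByDns(matches.get(0).getScopes()).containsAll(umaPermission.getScopes())) {
                log.error("At least one of the scope isn't registered");
                throw umaError(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_RESOURCE_SET_SCOPE);
            }
        } catch (EntryPersistenceException e) {
            // Persistence failure is reported to the caller as an unknown resource set;
            // the cause is kept in the log rather than dropped.
            log.error("Resource set isn't registered", e);
            throw umaError(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_RESOURCE_SET_ID);
        }
    }

    /**
     * Builds the exception that aborts a request with the given HTTP status and UMA JSON
     * error body. Callers {@code throw} the result.
     *
     * @param status    the HTTP status for the response
     * @param errorType the UMA error placed in the response entity
     * @return the exception to throw
     */
    private WebApplicationException umaError(Response.Status status, UmaErrorResponseType errorType) {
        return new WebApplicationException(Response.status(status)
                .entity(errorResponseFactory.getUmaJsonErrorResponse(errorType))
                .build());
    }
}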
