package org.xdi.oxauth.service.uma.authorization;

import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.AutoCreate;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.log.Log;
import org.xdi.model.custom.script.conf.CustomScriptConfiguration;
import org.xdi.oxauth.model.common.AuthorizationGrant;
import org.xdi.oxauth.model.common.UnmodifiableAuthorizationGrant;
import org.xdi.oxauth.model.common.uma.UmaRPT;
import org.xdi.oxauth.model.uma.ClaimTokenList;
import org.xdi.oxauth.model.uma.persistence.ResourceSetPermission;
import org.xdi.oxauth.model.uma.persistence.ScopeDescription;
import org.xdi.oxauth.service.external.ExternalUmaAuthorizationPolicyService;
import org.xdi.oxauth.service.uma.ScopeService;
import org.xdi.oxauth.util.ServerUtil;

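/**
 * Evaluates UMA authorization policies before a permission (or a GAT scope set) is
 * added to an RPT.
 *
 * <p>Decision procedure as implemented in this class:
 * <ul>
 *   <li>the policy DNs attached to the requested scopes are collected;</li>
 *   <li>if no scope carries a policy, the permission is granted without further checks;</li>
 *   <li>otherwise each policy script is executed, in the order the scopes list them, and the
 *       first one that returns {@code false} denies the request (short-circuit);</li>
 *   <li>a policy DN that cannot be resolved to a script configuration counts as a denial,
 *       so a misconfigured policy fails closed.</li>
 * </ul>
 *
 * <p>Stateless Seam component.
 */
@Name("umaAuthorizationService")
@AutoCreate
@Scope(ScopeType.STATELESS)
public class AuthorizationService {

    @Logger
    private Log log;

    @In
    private ScopeService umaScopeService;

    @In
    private ExternalUmaAuthorizationPolicyService externalUmaAuthorizationPolicyService;

    /**
     * Checks whether {@code resourceSetPermission} may be added to {@code umaRPT}.
     *
     * <p>The scopes to evaluate are resolved from the permission's scope DNs through
     * {@link ScopeService#getScopesByDns}; the actual policy evaluation is delegated to
     * {@link #allowToAddPermission(AuthorizationGrant, UmaRPT, List, ResourceSetPermission, HttpServletRequest, ClaimTokenList)}.
     *
     * @param authorizationGrant    grant of the requesting client
     * @param umaRPT                RPT the permission would be attached to
     * @param resourceSetPermission permission under evaluation (must not be {@code null})
     * @param httpServletRequest    current request, passed through to the policy scripts
     * @param claimTokenList        claim tokens supplied by the requesting party
     * @return {@code true} if every applicable policy allows the permission
     * @throws WebApplicationException status 403 with a need-info body when a policy denies
     *         the request after setting a need-info context (see {@link #applyPolicy})
     */
    public boolean allowToAddPermission(AuthorizationGrant authorizationGrant, UmaRPT umaRPT, ResourceSetPermission resourceSetPermission, HttpServletRequest httpServletRequest, ClaimTokenList claimTokenList) {
        this.log.trace("Check policies for permission, id: '{0}'", resourceSetPermission.getDn());
        List<ScopeDescription> scopes = this.umaScopeService.getScopesByDns(resourceSetPermission.getScopeDns());
        return allowToAddPermission(authorizationGrant, umaRPT, scopes, resourceSetPermission, httpServletRequest, claimTokenList);
    }

    /**
     * GAT variant: evaluates the policies of the scopes identified by URL rather than those of
     * a stored permission.
     *
     * <p>No persisted permission exists for a GAT request, so a fresh, empty
     * {@link ResourceSetPermission} is handed to the policy scripts as the permission.
     *
     * @param authorizationGrant grant of the requesting client
     * @param umaRPT             RPT the scopes would be attached to
     * @param list               scope URLs, resolved through {@link ScopeService#getScopesByUrls}
     * @param httpServletRequest current request, passed through to the policy scripts
     * @param claimTokenList     claim tokens supplied by the requesting party
     * @return {@code true} if every applicable policy allows the scopes
     * @throws WebApplicationException see {@link #applyPolicy}
     */
    public boolean allowToAddPermissionForGat(AuthorizationGrant authorizationGrant, UmaRPT umaRPT, List<String> list, HttpServletRequest httpServletRequest, ClaimTokenList claimTokenList) {
        List<ScopeDescription> scopes = this.umaScopeService.getScopesByUrls(list);
        return allowToAddPermission(authorizationGrant, umaRPT, scopes, new ResourceSetPermission(), httpServletRequest, claimTokenList);
    }

    /**
     * Runs every policy attached to {@code list} against the request.
     *
     * @param authorizationGrant    grant of the requesting client; the scripts receive it wrapped
     *                              in {@link UnmodifiableAuthorizationGrant}
     * @param umaRPT                RPT under consideration
     * @param list                  scopes whose policies are evaluated (must not be {@code null})
     * @param resourceSetPermission permission under evaluation, or an empty one for GAT
     * @param httpServletRequest    current request
     * @param claimTokenList        claim tokens supplied by the requesting party
     * @return {@code true} when no scope carries a policy, or when every policy returned
     *         {@code true}; {@code false} as soon as one policy denies
     * @throws WebApplicationException see {@link #applyPolicy}
     */
    public boolean allowToAddPermission(AuthorizationGrant authorizationGrant, UmaRPT umaRPT, List<ScopeDescription> list, ResourceSetPermission resourceSetPermission, HttpServletRequest httpServletRequest, ClaimTokenList claimTokenList) {
        this.log.trace("Check policies for scopes: '{0}'", list);
        Set<String> policyDns = getAuthorizationPolicies(list);
        if (policyDns.isEmpty()) {
            // No scope carries a policy: there is nothing to evaluate and the permission is granted as-is.
            this.log.trace("No policies protection, allowed to grant permission.");
            return true;
        }
        // The grant is wrapped read-only before the scripts see it, presumably so a policy cannot
        // modify it as a side effect.
        AuthorizationContext context = new AuthorizationContext(umaRPT, resourceSetPermission, new UnmodifiableAuthorizationGrant(authorizationGrant), httpServletRequest, claimTokenList);
        for (String policyDn : policyDns) {
            if (!applyPolicy(policyDn, context)) {
                // First denial wins; remaining policies are not consulted.
                this.log.trace("Reject access. Policy dn: '{0}'", policyDn);
                return false;
            }
        }
        this.log.trace("All policies are ok, grant access.");
        return true;
    }

    /**
     * Collects the distinct policy DNs attached to the given scopes, preserving the order in
     * which the scopes list them.
     *
     * <p>A {@link LinkedHashSet} is used on purpose: the caller evaluates policies in iteration
     * order and stops at the first denial, so a predictable order keeps the outcome (and the
     * need-info response a failing policy may raise) reproducible instead of depending on
     * hash order.
     *
     * @param scopes scopes whose {@code authorizationPolicies} are merged; scopes without
     *               policies are skipped
     * @return the policy DNs, possibly empty, never {@code null}
     * @throws NullPointerException if {@code scopes} is {@code null}. A missing scope list is a
     *         caller bug and is deliberately not mapped to "no policies", since that would
     *         grant access.
     */
    private Set<String> getAuthorizationPolicies(List<ScopeDescription> scopes) {
        if (scopes == null) {
            throw new NullPointerException("scopes");
        }
        Set<String> policyDns = new LinkedHashSet<String>();
        for (ScopeDescription scope : scopes) {
            List<String> scopePolicies = scope.getAuthorizationPolicies();
            if (scopePolicies != null) {
                policyDns.addAll(scopePolicies);
            }
        }
        return policyDns;
    }

    /**
     * Executes one policy script against the context.
     *
     * @param policyDn DN of the custom script holding the policy
     * @param context  what the script sees: RPT, permission, grant, request and claim tokens
     * @return the script's verdict; {@code false} (after an error log entry) if the DN does not
     *         resolve to a script configuration, so an unloadable policy denies rather than allows
     * @throws WebApplicationException status 403 carrying a need-info body when the script denies
     *         and left a need-info authentication context or requesting-party claims on the context
     */
    private boolean applyPolicy(String policyDn, AuthorizationContext context) {
        this.log.trace("Apply policy dn: '{0}' ...", policyDn);
        CustomScriptConfiguration script = this.externalUmaAuthorizationPolicyService.getAuthorizationPolicyByDn(policyDn);
        if (script == null) {
            // Fail closed: a policy that is configured but cannot be loaded must not grant access.
            this.log.error("Unable to load custom script dn: '{0}'", policyDn);
            return false;
        }
        boolean allowed = this.externalUmaAuthorizationPolicyService.executeExternalAuthorizeMethod(script, context);
        this.log.trace("Policy '{0}' result: {1}", policyDn, allowed);
        if (!allowed && needsMoreInfo(context)) {
            // The script denied but recorded what is missing: surface that to the requesting party
            // as a 403 with a need-info body instead of a plain rejection.
            throwForbiddenException(NeedInfoResponseBuilder.entityForResponse(context.getNeedInfoAuthenticationContext(), context.getNeedInfoRequestingPartyClaims()));
        }
        return allowed;
    }

    /** Whether a policy left a need-info authentication context or requesting-party claims on the context. */
    private static boolean needsMoreInfo(AuthorizationContext context) {
        return context.getNeedInfoAuthenticationContext() != null || context.getNeedInfoRequestingPartyClaims() != null;
    }

    /**
     * Aborts the request with HTTP 403 and the given entity as response body.
     *
     * @param entity response body, built by {@link NeedInfoResponseBuilder}
     */
    private static void throwForbiddenException(String entity) {
        throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(entity).build());
    }

    /**
     * Looks up the component instance through {@link ServerUtil}.
     *
     * @return the {@code umaAuthorizationService} component
     */
    public static AuthorizationService instance() {
        return (AuthorizationService) ServerUtil.instance(AuthorizationService.class);
    }
}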
