package org.xdi.oxauth.service;

import com.unboundid.ldap.sdk.Filter;
import com.unboundid.util.StaticUtils;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import javax.faces.context.FacesContext;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.gluu.site.ldap.persistence.LdapEntryManager;
import org.jboss.seam.Component;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.AutoCreate;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.contexts.Lifecycle;
import org.jboss.seam.log.Log;
import org.xdi.oxauth.model.common.Prompt;
import org.xdi.oxauth.model.common.SessionIdState;
import org.xdi.oxauth.model.common.SessionState;
import org.xdi.oxauth.model.config.ConfigurationFactory;
import org.xdi.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.xdi.oxauth.model.jwt.Jwt;
import org.xdi.oxauth.model.jwt.JwtSubClaimObject;
import org.xdi.oxauth.model.token.JwtSigner;
import org.xdi.oxauth.model.util.Util;
import org.xdi.oxauth.service.external.ExternalAuthenticationService;
import org.xdi.util.StringHelper;

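/**
 * Manages oxAuth browser sessions: generation, persistence to LDAP, lookup via the
 * {@code session_state} cookie, expiry checks and periodic cleanup.
 *
 * <p>Security notes that follow from the code in this class:
 * <ul>
 *   <li>The raw {@code session_state} cookie value is used as the server-side session lookup key
 *       ({@link #getSessionState()} feeds it straight into {@link #getSessionState(String)}), so
 *       it must be treated as a bearer credential. It is validated against
 *       {@link #SAFE_SESSION_ID} before being spliced into an LDAP DN or a Set-Cookie header.</li>
 *   <li>Session ids come from {@link UUID#randomUUID()}, which uses a cryptographically strong
 *       random source.</li>
 *   <li>Several trace/debug messages include session ids (cookie value, generated id). Trace
 *       logging therefore exposes session identifiers; keep it disabled in production or protect
 *       the log files accordingly.</li>
 * </ul>
 */
@Name("sessionStateService")
@AutoCreate
@Scope(ScopeType.STATELESS)
public class SessionStateService {
    public static final String SESSION_STATE_COOKIE_NAME = "session_state";
    public static final String SESSION_CUSTOM_STATE = "session_custom_state";

    /**
     * Characters a session id may consist of. Ids are generated by {@link UUID#randomUUID()}
     * (hex digits and '-'); the set is kept a little wider than that but still excludes every
     * character with special meaning in an LDAP DN (',', '+', '"', '\', '<', '>', ';', '=', '#',
     * whitespace) and in a Set-Cookie header (';', ',', CR, LF, whitespace).
     */
    private static final Pattern SAFE_SESSION_ID = Pattern.compile("[A-Za-z0-9._-]+");

    @Logger
    private Log log;

    @In
    private LdapEntryManager ldapEntryManager;

    @In
    private AuthenticationService authenticationService;

    @In
    private ConfigurationFactory configurationFactory;

    /**
     * Looks up the Seam-managed instance, starting a call context first when neither the event
     * nor the application context is active (e.g. when invoked from a non-request thread).
     */
    public static SessionStateService instance() {
        if (!Contexts.isEventContextActive() && !Contexts.isApplicationContextActive()) {
            Lifecycle.beginCall();
        }
        return (SessionStateService) Component.getInstance(SessionStateService.class);
    }

    /**
     * Returns the acr recorded in the session attributes: the {@code acr} attribute, falling back
     * to {@code acr_values} when {@code acr} is blank.
     *
     * @return the acr, or {@code null} when the session or its attributes are {@code null}; may be
     *         blank when neither attribute is set
     */
    public String getAcr(SessionState sessionState) {
        if (sessionState == null || sessionState.getSessionAttributes() == null) {
            return null;
        }
        String str = sessionState.getSessionAttributes().get("acr");
        if (StringUtils.isBlank(str)) {
            str = sessionState.getSessionAttributes().get("acr_values");
        }
        return str;
    }

    /**
     * Checks whether an already authenticated session may satisfy a new authorization request
     * that asks for acr {@code str}.
     *
     * <p>If the requested acr differs from the session's acr, the two are compared by level using
     * {@link ExternalAuthenticationService#acrToLevelMapping()}. A request for a stronger level
     * raises {@link AcrChangedException} so the caller re-authenticates. If either acr is absent
     * from the mapping the comparison is impossible; this is treated as a required
     * re-authentication (fail closed) instead of the NullPointerException the unguarded unboxing
     * used to throw.
     *
     * <p>If the acr is unchanged, {@link #reinitLogin(SessionState, boolean)} is run so request
     * parameters that differ from the stored attributes are picked up.
     *
     * @param sessionState the current session; passed through unchanged when {@code null},
     *                     without attributes, or not in state AUTHENTICATED
     * @param str          the acr requested by the new request; {@code null} means "no change"
     * @return {@code sessionState}
     * @throws AcrChangedException when the new request requires a higher (or non-comparable) acr
     */
    public SessionState assertAuthenticatedSessionCorrespondsToNewRequest(SessionState sessionState, String str) throws AcrChangedException {
        if (sessionState != null && sessionState.getSessionAttributes() != null && !sessionState.getSessionAttributes().isEmpty()
                && sessionState.getState() == SessionIdState.AUTHENTICATED) {
            Map<String, String> sessionAttributes = sessionState.getSessionAttributes();
            String acr = getAcr(sessionState);
            if (StringUtils.isBlank(acr)) {
                this.log.error("Failed to fetch acr from session, attributes: " + sessionAttributes, new Object[0]);
                return sessionState;
            }
            if (str != null && !str.equals(acr)) {
                Map<String, Integer> acrToLevelMapping = ExternalAuthenticationService.instance().acrToLevelMapping();
                Integer sessionLevel = acrToLevelMapping.get(acr);
                Integer requestedLevel = acrToLevelMapping.get(str);
                this.log.info("Acr is changed. Session acr: " + acr + "(level: " + sessionLevel + "), current acr: " + str + "(level: " + requestedLevel + ")", new Object[0]);
                // Fail closed: an acr with no known level cannot be shown to be weaker than or
                // equal to the session's acr, so do not let the existing session satisfy it.
                if (sessionLevel == null || requestedLevel == null) {
                    this.log.warn("Acr level unknown for session acr '" + acr + "' or requested acr '" + str + "'; forcing re-authentication");
                    throw new AcrChangedException();
                }
                if (sessionLevel.intValue() < requestedLevel.intValue()) {
                    throw new AcrChangedException();
                }
                return sessionState;
            }
            reinitLogin(sessionState, false);
        }
        return sessionState;
    }

    /**
     * Re-initialises the multi-step login for the session when the request parameters differ
     * from the stored session attributes (or unconditionally when {@code z} is true): merges the
     * current request parameters in, drops every {@code auth_step_passed_*} marker and resets
     * {@code auth_step} to 1, then merges the session into LDAP.
     *
     * <p>Fix: the original set {@code auth_step=1} only on the old attribute map and then stored
     * {@code currentSessionAttributes}, so with a FacesContext present (where the two maps are
     * different objects) the persisted session kept the stale step while its passed-step markers
     * were removed. The step is now also reset on the map that is actually stored.
     *
     * @param sessionState the session to update (its attributes must be non-null)
     * @param z            force the reset even when the attributes are unchanged
     */
    public void reinitLogin(SessionState sessionState, boolean z) {
        Map<String, String> sessionAttributes = sessionState.getSessionAttributes();
        Map<String, String> currentSessionAttributes = getCurrentSessionAttributes(sessionAttributes);
        if (z || !currentSessionAttributes.equals(sessionAttributes)) {
            sessionAttributes.putAll(currentSessionAttributes);
            sessionAttributes.put("auth_step", "1");
            Iterator<Map.Entry<String, String>> it = currentSessionAttributes.entrySet().iterator();
            while (it.hasNext()) {
                if (it.next().getKey().startsWith("auth_step_passed_")) {
                    it.remove();
                }
            }
            // Reset the step on the map that is stored below; when no FacesContext is present
            // this is the same object as sessionAttributes and the put is a no-op.
            currentSessionAttributes.put("auth_step", "1");
            sessionState.setSessionAttributes(currentSessionAttributes);
            if (updateSessionState(sessionState, true, true)) {
                return;
            }
            this.log.debug("Failed to update session entry: '{0}'", new Object[]{sessionState.getId()});
        }
    }

    /**
     * Rewinds the multi-step login to step {@code i}: removes the {@code auth_step_passed_N}
     * markers for every N from {@code i} up to the current {@code auth_step} (default 1 when the
     * attribute is missing or unparsable), sets {@code auth_step} to {@code i} and forces a merge.
     */
    public void resetToStep(SessionState sessionState, int i) {
        Map<String, String> sessionAttributes = sessionState.getSessionAttributes();
        int integer = sessionAttributes.containsKey("auth_step") ? StringHelper.toInteger(sessionAttributes.get("auth_step"), 1) : 1;
        for (int i2 = i; i2 <= integer; i2++) {
            sessionAttributes.remove(String.format("auth_step_passed_%d", Integer.valueOf(i2)));
        }
        sessionAttributes.put("auth_step", String.valueOf(i));
        if (updateSessionState(sessionState, true, true)) {
            return;
        }
        this.log.debug("Failed to update session entry: '{0}'", new Object[]{sessionState.getId()});
    }

    /**
     * Returns a copy of {@code map} overlaid with the request parameters that
     * {@link AuthenticationService#getAllowedParameters} lets through, except {@code auth_step},
     * which a client must not be able to set. Without a FacesContext the input map itself is
     * returned (same object, not a copy).
     */
    private Map<String, String> getCurrentSessionAttributes(Map<String, String> map) {
        FacesContext currentInstance = FacesContext.getCurrentInstance();
        if (currentInstance == null) {
            return map;
        }
        Map<String, String> hashMap = new HashMap<String, String>(map);
        for (Map.Entry<String, String> entry : this.authenticationService.getAllowedParameters(currentInstance.getExternalContext().getRequestParameterMap()).entrySet()) {
            String key = entry.getKey();
            if (!StringHelper.equalsIgnoreCase(key, "auth_step")) {
                hashMap.put(key, entry.getValue());
            }
        }
        return hashMap;
    }

    /**
     * Returns the raw value of the first {@code session_state} cookie on the request, or
     * {@code ""} when there is none or reading the cookies fails. The value is untrusted client
     * input; {@link #getSessionState(String)} validates it before use. Note that the trace
     * message below includes the cookie value, i.e. the session identifier.
     */
    public String getSessionStateFromCookie(HttpServletRequest httpServletRequest) {
        try {
            Cookie[] cookies = httpServletRequest.getCookies();
            if (cookies != null) {
                for (Cookie cookie : cookies) {
                    if (cookie.getName().equals(SESSION_STATE_COOKIE_NAME)) {
                        this.log.trace("Found session_state cookie: '{0}'", new Object[]{cookie.getValue()});
                        return cookie.getValue();
                    }
                }
            }
            return "";
        } catch (Exception e) {
            this.log.error(e.getMessage(), e, new Object[0]);
            return "";
        }
    }

    /**
     * Reads the {@code session_state} cookie from the current JSF request.
     *
     * @return the cookie value, {@code ""} when absent, or {@code null} when there is no
     *         FacesContext or the request cannot be accessed
     */
    public String getSessionStateFromCookie() {
        try {
            FacesContext currentInstance = FacesContext.getCurrentInstance();
            if (currentInstance == null) {
                return null;
            }
            return getSessionStateFromCookie((HttpServletRequest) currentInstance.getExternalContext().getRequest());
        } catch (Exception e) {
            this.log.error(e.getMessage(), e, new Object[0]);
            return null;
        }
    }

    /**
     * Sets the {@code session_state} cookie ({@code Path=/; Secure}) on the current response by
     * writing a raw Set-Cookie header.
     *
     * <p>Because the value is concatenated into the header, it is first checked against
     * {@link #SAFE_SESSION_ID}; a value with ';', ',' or CR/LF could otherwise append cookie
     * attributes or headers. Session ids generated by this class always pass the check.
     *
     * <p>NOTE(review): the cookie has no HttpOnly flag, so the value - which
     * {@link #getSessionState()} uses as the server-side session lookup key - is readable by
     * script on this origin (XSS exposure). Presumably the OIDC check_session iframe reads it
     * from JavaScript; confirm that before adding HttpOnly. SameSite is likewise left unset
     * because the cookie participates in cross-site OIDC flows; evaluate per deployment.
     *
     * @param str the session id to store in the cookie
     */
    public void createSessionStateCookie(String str) {
        try {
            if (str == null || !SAFE_SESSION_ID.matcher(str).matches()) {
                this.log.error("Refusing to set session_state cookie: value is not a valid session id");
                return;
            }
            Object response = FacesContext.getCurrentInstance().getExternalContext().getResponse();
            if (response instanceof HttpServletResponse) {
                ((HttpServletResponse) response).addHeader("Set-Cookie", (("session_state=" + str) + "; Path=/") + "; Secure");
            }
        } catch (Exception e) {
            this.log.error(e.getMessage(), e, new Object[0]);
        }
    }

    /**
     * Expires the {@code session_state} cookie on the current JSF response, if there is one.
     */
    public void removeSessionStateCookie() {
        try {
            FacesContext currentInstance = FacesContext.getCurrentInstance();
            if (currentInstance != null && currentInstance.getExternalContext() != null) {
                Object response = currentInstance.getExternalContext().getResponse();
                if (response instanceof HttpServletResponse) {
                    removeSessionStateCookie((HttpServletResponse) response);
                }
            }
        } catch (Exception e) {
            this.log.error(e.getMessage(), e, new Object[0]);
        }
    }

    /**
     * Expires the {@code session_state} cookie: empty value, {@code Path=/}, {@code Max-Age=0}.
     * The path must match the one used in {@link #createSessionStateCookie(String)} or the
     * browser keeps the original cookie.
     */
    public void removeSessionStateCookie(HttpServletResponse httpServletResponse) {
        Cookie cookie = new Cookie(SESSION_STATE_COOKIE_NAME, (String) null);
        cookie.setPath("/");
        cookie.setMaxAge(0);
        httpServletResponse.addCookie(cookie);
    }

    /**
     * Resolves the session referenced by the {@code session_state} cookie of the current request.
     *
     * @return the valid session, or {@code null} when there is no cookie, the id is malformed, the
     *         entry does not exist or the session has expired
     */
    public SessionState getSessionState() {
        String sessionStateFromCookie = getSessionStateFromCookie();
        if (StringHelper.isNotEmpty(sessionStateFromCookie)) {
            return getSessionState(sessionStateFromCookie);
        }
        return null;
    }

    /** Null-safe accessor for the session's attribute map. */
    public Map<String, String> getSessionAttributes(SessionState sessionState) {
        if (sessionState != null) {
            return sessionState.getSessionAttributes();
        }
        return null;
    }

    /** Generates and persists an AUTHENTICATED session for {@code str} (user DN) with an empty prompt. */
    public SessionState generateAuthenticatedSessionState(String str) {
        return generateAuthenticatedSessionState(str, "");
    }

    /**
     * Generates and persists an AUTHENTICATED session for user DN {@code str} whose only
     * attribute is {@code prompt=str2}.
     */
    public SessionState generateAuthenticatedSessionState(String str, String str2) {
        Map<String, String> hashMap = new HashMap<String, String>();
        hashMap.put("prompt", str2);
        return generateSessionState(str, new Date(), SessionIdState.AUTHENTICATED, hashMap, true);
    }

    /** Generates and persists an AUTHENTICATED session for user DN {@code str} with the given attributes. */
    public SessionState generateAuthenticatedSessionState(String str, Map<String, String> map) {
        return generateSessionState(str, new Date(), SessionIdState.AUTHENTICATED, map, true);
    }

    /**
     * Builds a new session with a random UUID id.
     *
     * @param str            user DN; required (non-blank) when {@code sessionIdState} is AUTHENTICATED
     * @param date           authentication time, stored when non-null
     * @param sessionIdState initial state, stored when non-null
     * @param map            session attributes (stored as given, not copied)
     * @param z              persist the session to LDAP via {@link #persistSessionState(SessionState)}
     * @return the new session, or {@code null} when the DN could not be built or an authenticated
     *         session was requested without a user DN
     * @throws RuntimeException when {@code sessionAsJwt} is enabled and signing the session JWT fails
     */
    public SessionState generateSessionState(String str, Date date, SessionIdState sessionIdState, Map<String, String> map, boolean z) {
        // UUID.randomUUID() is backed by a cryptographically strong PRNG, so the id is unguessable.
        String uuid = UUID.randomUUID().toString();
        String dn = dn(uuid);
        if (StringUtils.isBlank(dn)) {
            return null;
        }
        if (SessionIdState.AUTHENTICATED == sessionIdState && StringUtils.isBlank(str)) {
            return null;
        }
        SessionState sessionState = new SessionState();
        sessionState.setId(uuid);
        sessionState.setDn(dn);
        if (StringUtils.isNotBlank(str)) {
            sessionState.setUserDn(str);
        }
        Boolean sessionAsJwt = this.configurationFactory.getConfiguration().getSessionAsJwt();
        sessionState.setIsJwt(Boolean.valueOf(sessionAsJwt != null && sessionAsJwt.booleanValue()));
        if (date != null) {
            sessionState.setAuthenticationTime(date);
        }
        if (sessionIdState != null) {
            sessionState.setState(sessionIdState);
        }
        sessionState.setSessionAttributes(map);
        sessionState.setLastUsedAt(new Date());
        if (sessionState.getIsJwt().booleanValue()) {
            sessionState.setJwt(generateJwt(sessionState, str).asString());
        }
        boolean z2 = false;
        if (z) {
            z2 = persistSessionState(sessionState);
        }
        this.log.trace("Generated new session, id = '{0}', state = '{1}', asJwt = '{2}', persisted = '{3}'", new Object[]{sessionState.getId(), sessionState.getState(), sessionState.getIsJwt(), Boolean.valueOf(z2)});
        return sessionState;
    }

    /**
     * Serialises the session into an RS512-signed JWT (id, authentication_time, user_dn, state,
     * session_attributes, last_used_at, permission_granted, permission_granted_map,
     * involved_clients_map).
     *
     * <p>NOTE(review): {@code getPermissionGrantedMap()} and {@code getInvolvedClients()} are
     * dereferenced without a null check; whether they are always initialised on a fresh
     * {@code SessionState} is not visible here. A failure ends up in the catch below and is
     * rethrown as RuntimeException.
     *
     * @param str second argument to {@link JwtSigner}; passed through from the caller's user DN
     */
    private Jwt generateJwt(SessionState sessionState, String str) {
        try {
            JwtSigner jwtSigner = new JwtSigner(SignatureAlgorithm.RS512, str);
            Jwt newJwt = jwtSigner.newJwt();
            newJwt.getClaims().setClaim("id", sessionState.getId());
            newJwt.getClaims().setClaim("authentication_time", sessionState.getAuthenticationTime());
            newJwt.getClaims().setClaim("user_dn", sessionState.getUserDn());
            newJwt.getClaims().setClaim("state", sessionState.getState() != null ? sessionState.getState().getValue() : "");
            newJwt.getClaims().setClaim("session_attributes", JwtSubClaimObject.fromMap(sessionState.getSessionAttributes()));
            newJwt.getClaims().setClaim("last_used_at", sessionState.getLastUsedAt());
            newJwt.getClaims().setClaim("permission_granted", sessionState.getPermissionGranted());
            newJwt.getClaims().setClaim("permission_granted_map", JwtSubClaimObject.fromBooleanMap(sessionState.getPermissionGrantedMap().getPermissionGranted()));
            newJwt.getClaims().setClaim("involved_clients_map", JwtSubClaimObject.fromBooleanMap(sessionState.getInvolvedClients().getPermissionGranted()));
            return jwtSigner.sign();
        } catch (Exception e) {
            this.log.error("Failed to sign session jwt! " + e.getMessage(), e, new Object[0]);
            throw new RuntimeException(e);
        }
    }

    /**
     * Marks the session as AUTHENTICATED for user DN {@code str}, stamps the authentication time
     * with "now" and forces a merge to LDAP. The session object is returned even when the merge
     * fails (the result is only traced).
     */
    public SessionState setSessionStateAuthenticated(SessionState sessionState, String str) {
        sessionState.setUserDn(str);
        sessionState.setAuthenticationTime(new Date());
        sessionState.setState(SessionIdState.AUTHENTICATED);
        this.log.trace("Authenticated session, id = '{0}', state = '{1}', persisted = '{2}'", new Object[]{sessionState.getId(), sessionState.getState(), Boolean.valueOf(updateSessionState(sessionState, true, true))});
        return sessionState;
    }

    /** Persists the session subject to the configuration rules of {@link #persistSessionState(SessionState, boolean)}. */
    public boolean persistSessionState(SessionState sessionState) {
        return persistSessionState(sessionState, false);
    }

    /**
     * Persists the session to LDAP unless persistence is disabled by configuration: nothing is
     * stored when {@code sessionIdUnusedLifetime <= 0}, or when the session was requested with
     * {@code prompt=none} and {@code sessionIdPersistOnPromptNone} is not enabled. {@code z}
     * overrides both rules. On persist, {@code lastUsedAt} is set to "now" and {@code persisted}
     * to true.
     *
     * @return true when the entry was written, false when skipped by configuration or on error
     */
    public boolean persistSessionState(SessionState sessionState, boolean z) {
        List<Prompt> promptsFromSessionState = getPromptsFromSessionState(sessionState);
        try {
            if ((ConfigurationFactory.instance().getConfiguration().getSessionIdUnusedLifetime() <= 0 || !isPersisted(promptsFromSessionState)) && !z) {
                return false;
            }
            sessionState.setLastUsedAt(new Date());
            sessionState.setPersisted(true);
            this.log.trace("sessionStateAttributes: " + sessionState.getPermissionGrantedMap(), new Object[0]);
            this.ldapEntryManager.persist(sessionState);
            return true;
        } catch (Exception e) {
            this.log.error(e.getMessage(), e, new Object[0]);
            return false;
        }
    }

    /** Merges the session, refreshing {@code lastUsedAt}, subject to the configuration rules. */
    public boolean updateSessionState(SessionState sessionState) {
        return updateSessionState(sessionState, true);
    }

    /** Merges the session subject to the configuration rules; {@code z} controls the {@code lastUsedAt} refresh. */
    public boolean updateSessionState(SessionState sessionState, boolean z) {
        return updateSessionState(sessionState, z, false);
    }

    /**
     * Merges the session into LDAP when persistence is enabled by configuration (same rules as
     * {@link #persistSessionState(SessionState, boolean)}) or when {@code z2} forces it.
     *
     * @param z  refresh {@code lastUsedAt} to "now" before merging
     * @param z2 merge regardless of configuration
     * @return true when no exception occurred - including the case where nothing was merged
     *         because configuration disabled it; false only on error
     */
    public boolean updateSessionState(SessionState sessionState, boolean z, boolean z2) {
        List<Prompt> promptsFromSessionState = getPromptsFromSessionState(sessionState);
        try {
            if ((ConfigurationFactory.instance().getConfiguration().getSessionIdUnusedLifetime() > 0 && isPersisted(promptsFromSessionState)) || z2) {
                if (z) {
                    sessionState.setLastUsedAt(new Date());
                }
                sessionState.setPersisted(true);
                this.ldapEntryManager.merge(sessionState);
            }
            return true;
        } catch (Exception e) {
            this.log.error(e.getMessage(), e, new Object[0]);
            return false;
        }
    }

    /**
     * Sessions are persisted unless the request carried {@code prompt=none}, in which case the
     * {@code sessionIdPersistOnPromptNone} configuration flag decides.
     */
    private static boolean isPersisted(List<Prompt> list) {
        if (list == null || !list.contains(Prompt.NONE)) {
            return true;
        }
        Boolean sessionIdPersistOnPromptNone = ConfigurationFactory.instance().getConfiguration().getSessionIdPersistOnPromptNone();
        return sessionIdPersistOnPromptNone != null && sessionIdPersistOnPromptNone.booleanValue();
    }

    /**
     * Builds the DN {@code uniqueIdentifier=<id>,<sessionBaseDn>}.
     *
     * <p>{@code str} may come straight from the {@code session_state} cookie (via
     * {@link #getSessionState(String)}), so it is only accepted when it matches
     * {@link #SAFE_SESSION_ID}; otherwise a value containing DN metacharacters (',', '=', '+',
     * ...) could redirect the lookup to a different entry.
     *
     * @return the DN, or {@code ""} when the id or the base DN is blank or the id is malformed
     */
    private static String dn(String str) {
        String baseDn = getBaseDn();
        StringBuilder sb = new StringBuilder();
        if (Util.allNotBlank(new String[]{str, baseDn}) && SAFE_SESSION_ID.matcher(str).matches()) {
            sb.append("uniqueIdentifier=").append(str).append(",").append(baseDn);
        }
        return sb.toString();
    }

    /** Loads the session entry at {@code str} (a full DN); {@code null} on any error. */
    public SessionState getSessionByDN(String str) {
        try {
            return (SessionState) this.ldapEntryManager.find(SessionState.class, str);
        } catch (Exception e) {
            this.log.trace(e.getMessage(), e, new Object[0]);
            return null;
        }
    }

    /**
     * Loads the session with id {@code str} (typically the untrusted cookie value).
     *
     * @return the session when the id is well-formed, the entry exists and
     *         {@link #isSessionValid(SessionState)} holds; otherwise {@code null}
     */
    public SessionState getSessionState(String str) {
        if (StringHelper.isEmpty(str)) {
            return null;
        }
        String dn = dn(str);
        // dn() returns "" for a malformed id; never hand an empty DN to the entry manager.
        if (StringUtils.isBlank(dn)) {
            this.log.trace("Rejected malformed session id");
            return null;
        }
        if (!containsSessionState(dn)) {
            return null;
        }
        try {
            SessionState sessionByDN = getSessionByDN(dn);
            this.log.trace("Try to get session by id: {0} ...", new Object[]{str});
            if (sessionByDN != null) {
                this.log.trace("Session dn: {0}", new Object[]{sessionByDN.getDn()});
                if (isSessionValid(sessionByDN)) {
                    return sessionByDN;
                }
            }
        } catch (Exception e) {
            this.log.trace(e.getMessage(), e, new Object[0]);
        }
        this.log.trace("Failed to get session by id: {0}", new Object[]{str});
        return null;
    }

    /** True when an entry with DN {@code str} exists; false when it does not or the check fails. */
    public boolean containsSessionState(String str) {
        try {
            return this.ldapEntryManager.contains(SessionState.class, str);
        } catch (Exception e) {
            this.log.trace(e.getMessage(), e, new Object[0]);
            return false;
        }
    }

    /** The configured base DN under which session entries live. */
    private static String getBaseDn() {
        return ConfigurationFactory.instance().getBaseDn().getSessionId();
    }

    /** Deletes the session entry; false (logged) on error. */
    public boolean remove(SessionState sessionState) {
        try {
            this.ldapEntryManager.remove(sessionState);
            return true;
        } catch (Exception e) {
            this.log.error(e.getMessage(), e, new Object[0]);
            return false;
        }
    }

    /** Deletes each session in {@code list}, continuing past individual failures. */
    public void remove(List<SessionState> list) {
        Iterator<SessionState> it = list.iterator();
        while (it.hasNext()) {
            remove(it.next());
        }
    }

    /**
     * Removes unauthenticated sessions idle longer than {@code sessionIdUnauthenticatedUnusedLifetime}
     * and all sessions idle longer than {@code sessionIdUnusedLifetime}. A negative lifetime means
     * "never expires" (see {@link #isSessionValid(SessionState)}) and removes nothing.
     */
    public void cleanUpSessions() {
        int sessionIdUnusedLifetime = ConfigurationFactory.instance().getConfiguration().getSessionIdUnusedLifetime();
        remove(getUnauthenticatedIdsOlderThan(ConfigurationFactory.instance().getConfiguration().getSessionIdUnauthenticatedUnusedLifetime()));
        remove(getIdsOlderThan(sessionIdUnusedLifetime));
    }

    /**
     * Finds sessions in state {@code unauthenticated} whose {@code oxLastAccessTime} is at least
     * {@code i} seconds in the past.
     *
     * <p>Fix: a negative {@code i} (the "never expires" setting honoured by
     * {@link #isSessionValid(SessionState)}) used to move the cutoff into the future and match
     * every unauthenticated session; it now matches none. The filter value is a server-generated
     * generalized-time string, not user input.
     *
     * @return matching sessions; an empty list for a negative lifetime or on error
     */
    public List<SessionState> getUnauthenticatedIdsOlderThan(int i) {
        if (i < 0) {
            return Collections.emptyList();
        }
        try {
            String encodeGeneralizedTime = StaticUtils.encodeGeneralizedTime(new Date(new Date().getTime() - TimeUnit.SECONDS.toMillis(i)));
            return this.ldapEntryManager.findEntries(getBaseDn(), SessionState.class, Filter.create(String.format("&(oxLastAccessTime<=%s)(oxState=unauthenticated)", encodeGeneralizedTime)));
        } catch (Exception e) {
            this.log.error(e.getMessage(), e, new Object[0]);
            return Collections.emptyList();
        }
    }

    /**
     * Finds sessions of any state whose {@code oxLastAccessTime} is at least {@code i} seconds in
     * the past.
     *
     * <p>Fix: a negative {@code i} (the "never expires" setting honoured by
     * {@link #isSessionValid(SessionState)}) used to put the cutoff in the future and select
     * every session for deletion; it now selects none. The filter value is a server-generated
     * generalized-time string, not user input.
     *
     * @return matching sessions; an empty list for a negative lifetime or on error
     */
    public List<SessionState> getIdsOlderThan(int i) {
        if (i < 0) {
            return Collections.emptyList();
        }
        try {
            String encodeGeneralizedTime = StaticUtils.encodeGeneralizedTime(new Date(new Date().getTime() - TimeUnit.SECONDS.toMillis(i)));
            return this.ldapEntryManager.findEntries(getBaseDn(), SessionState.class, Filter.create(String.format("(oxLastAccessTime<=%s)", encodeGeneralizedTime)));
        } catch (Exception e) {
            this.log.error(e.getMessage(), e, new Object[0]);
            return Collections.emptyList();
        }
    }

    /**
     * Idle-timeout check. A session is valid when its idle time ({@code now - lastUsedAt}) is
     * within {@code sessionIdUnusedLifetime} (or that setting is -1), and, for UNAUTHENTICATED
     * sessions, additionally within {@code sessionIdUnauthenticatedUnusedLifetime} (or that
     * setting is -1).
     *
     * @return false for a {@code null} session or a session without {@code lastUsedAt} (fail
     *         closed instead of NullPointerException), otherwise the result of the checks above
     */
    public boolean isSessionValid(SessionState sessionState) {
        if (sessionState == null || sessionState.getLastUsedAt() == null) {
            return false;
        }
        long millis = TimeUnit.SECONDS.toMillis(ConfigurationFactory.instance().getConfiguration().getSessionIdUnusedLifetime());
        long millis2 = TimeUnit.SECONDS.toMillis(ConfigurationFactory.instance().getConfiguration().getSessionIdUnauthenticatedUnusedLifetime());
        long currentTimeMillis = System.currentTimeMillis() - sessionState.getLastUsedAt().getTime();
        if (currentTimeMillis <= millis || ConfigurationFactory.instance().getConfiguration().getSessionIdUnusedLifetime() == -1) {
            return sessionState.getState() != SessionIdState.UNAUTHENTICATED || currentTimeMillis <= millis2 || ConfigurationFactory.instance().getConfiguration().getSessionIdUnauthenticatedUnusedLifetime() == -1;
        }
        return false;
    }

    /** Parses the space-separated {@code prompt} session attribute into {@link Prompt} values. */
    private List<Prompt> getPromptsFromSessionState(SessionState sessionState) {
        return Prompt.fromString(sessionState.getSessionAttributes().get("prompt"), " ");
    }
}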
