package org.xdi.oxauth.authorize.ws.rs;

import com.google.common.collect.Sets;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import org.apache.commons.lang.StringUtils;
import org.codehaus.jettison.json.JSONException;
import org.gluu.site.ldap.persistence.exception.EntryPersistenceException;
import org.jboss.seam.Component;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.faces.FacesManager;
import org.jboss.seam.international.LocaleSelector;
import org.jboss.seam.log.Log;
import org.jboss.seam.security.Identity;
import org.xdi.model.AuthenticationScriptUsageType;
import org.xdi.model.custom.script.conf.CustomScriptConfiguration;
import org.xdi.oxauth.auth.Authenticator;
import org.xdi.oxauth.model.authorize.AuthorizeErrorResponseType;
import org.xdi.oxauth.model.authorize.AuthorizeParamsValidator;
import org.xdi.oxauth.model.common.Prompt;
import org.xdi.oxauth.model.common.SessionId;
import org.xdi.oxauth.model.common.SessionIdState;
import org.xdi.oxauth.model.common.User;
import org.xdi.oxauth.model.config.Constants;
import org.xdi.oxauth.model.configuration.AppConfiguration;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.ldap.ClientAuthorizations;
import org.xdi.oxauth.model.registration.Client;
import org.xdi.oxauth.model.util.LocaleUtil;
import org.xdi.oxauth.model.util.Util;
import org.xdi.oxauth.service.AcrChangedException;
import org.xdi.oxauth.service.AppInitializer;
import org.xdi.oxauth.service.AuthenticationService;
import org.xdi.oxauth.service.ClientAuthorizationsService;
import org.xdi.oxauth.service.ClientService;
import org.xdi.oxauth.service.RedirectionUriService;
import org.xdi.oxauth.service.ScopeService;
import org.xdi.oxauth.service.SessionIdService;
import org.xdi.oxauth.service.UserService;
import org.xdi.oxauth.service.external.ExternalAuthenticationService;
import org.xdi.service.net.NetworkService;
import org.xdi.util.StringHelper;

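/**
 * JSF/Seam backing bean behind the interactive part of the authorization endpoint.
 *
 * <p>The request parameters of the authorization request (scope, client_id, redirect_uri, ...)
 * are bound to the fields of this bean by the page. {@link #checkPermissionGranted()} decides
 * whether the request can be granted from an existing authenticated session, whether the user
 * must be sent to the login page, or whether the consent step is needed; the
 * {@code permissionGranted}/{@code permissionDenied}/{@code invalidRequest}/{@code consentRequired}
 * actions issue the corresponding redirects.
 *
 * <p>Field names of the {@code @In} members are significant: Seam injects by field name.
 */
@Name("authorizeAction")
@Scope(ScopeType.EVENT)
/* loaded from: input_file:org/xdi/oxauth/authorize/ws/rs/AuthorizeAction.class */
public class AuthorizeAction {

    /** Authentication step used for the first interactive login page. */
    private static final int FIRST_AUTH_STEP = 1;

    /** Default view shown when no external authentication script supplies a page. */
    private static final String DEFAULT_LOGIN_PAGE = "/login.xhtml";

    @Logger
    private Log log;

    @In
    private ClientService clientService;

    @In
    private ErrorResponseFactory errorResponseFactory;

    @In
    private SessionIdService sessionIdService;

    @In
    private UserService userService;

    @In
    private RedirectionUriService redirectionUriService;

    @In
    private AuthenticationService authenticationService;

    @In
    private ClientAuthorizationsService clientAuthorizationsService;

    @In
    private ExternalAuthenticationService externalAuthenticationService;

    // Server-wide default ACR, used when the request carries no acr_values; may be absent.
    @In(value = AppInitializer.DEFAULT_ACR_VALUES, required = false)
    private String defaultAuthenticationMethod;

    @In("org.jboss.seam.international.localeSelector")
    private LocaleSelector localeSelector;

    @In
    private NetworkService networkService;

    @In
    private Identity identity;

    @In
    private AppConfiguration appConfiguration;

    // Both JSF contexts are optional injections and may be null outside a JSF request.
    @In(required = false)
    private FacesContext facesContext;

    @In(value = "#{facesContext.externalContext}", required = false)
    private ExternalContext externalContext;

    // Authorization request parameters, bound by the page.
    private String scope;
    private String responseType;
    private String clientId;
    private String redirectUri;
    private String state;
    private String responseMode;
    private String nonce;
    private String display;
    private String prompt;
    private Integer maxAge;
    private String uiLocales;
    private String idTokenHint;
    private String loginHint;
    private String acrValues;
    private String amrValues;
    private String request;
    private String requestUri;
    private String codeChallenge;
    private String codeChallengeMethod;
    // Session id string; populated from the request or from the session cookie (see getSession()).
    private String sessionId;

    /**
     * Switches the UI locale to the best match between the {@code ui_locales} request
     * parameter and the locales supported by the JSF application. Does nothing when the
     * parameter is blank, when no JSF context is available, or when nothing matches.
     */
    public void checkUiLocales() {
        if (StringUtils.isBlank(this.uiLocales) || this.facesContext == null) {
            return;
        }
        List<String> requestedLocales = Util.splittedStringAsList(this.uiLocales, " ");
        List<Locale> supportedLocales = new ArrayList<Locale>();
        Iterator<Locale> it = this.facesContext.getApplication().getSupportedLocales();
        while (it.hasNext()) {
            supportedLocales.add(it.next());
        }
        Locale match = LocaleUtil.localeMatch(requestedLocales, supportedLocales);
        if (match != null) {
            this.localeSelector.setLocale(match);
        }
    }

    /**
     * Main decision point of the interactive flow.
     *
     * <ul>
     *   <li>Missing or unknown {@code client_id}: {@link #permissionDenied()}.</li>
     *   <li>An authenticated session whose ACR differs from the requested one is only
     *       re-used when {@code prompt=login} was given; otherwise the request is denied.</li>
     *   <li>Authenticated session: the redirect URI is validated against the client, then the
     *       request is granted directly for trusted clients or already-authorized scopes;
     *       otherwise the method returns without redirecting so the consent step can follow.</li>
     *   <li>No authenticated session: an unauthenticated session is created and the user is
     *       redirected to the login page.</li>
     * </ul>
     */
    public void checkPermissionGranted() {
        if (this.clientId == null || this.clientId.isEmpty()) {
            this.log.error("Permission denied. client_id should be not empty.");
            permissionDenied();
            return;
        }
        try {
            Client client = this.clientService.getClient(this.clientId);
            if (client == null) {
                this.log.error("Permission denied. Failed to find client_id '{0}' in LDAP.", this.clientId);
                permissionDenied();
                return;
            }
            SessionId session = getSession();
            List<Prompt> prompts = Prompt.fromString(this.prompt, " ");
            try {
                session = this.sessionIdService.assertAuthenticatedSessionCorrespondsToNewRequest(session, this.acrValues);
            } catch (AcrChangedException e) {
                // session may be null here depending on the service; avoid a NullPointerException in the log call
                this.log.debug("There is already existing session which has another acr then {0}, session: {1}",
                        this.acrValues, session != null ? session.getId() : null);
                if (!prompts.contains(Prompt.LOGIN)) {
                    this.log.error("Please provide prompt=login to force login with new ACR or otherwise perform logout and re-authenticate.");
                    permissionDenied();
                    return;
                }
                session = handleAcrChange(session, prompts);
            }
            if (isAuthenticated(session)) {
                handleAuthenticatedSession(client, session, prompts);
            } else {
                redirectToLoginPage(prompts);
            }
        } catch (EntryPersistenceException e) {
            // pass the exception as the throwable argument so the stack trace is logged
            this.log.error("Permission denied. Failed to find client by inum '{0}' in LDAP.", e, this.clientId);
            permissionDenied();
        }
    }

    /** True when the session exists, carries a user DN and is in the AUTHENTICATED state. */
    private static boolean isAuthenticated(SessionId session) {
        return session != null
                && !StringUtils.isBlank(session.getUserDn())
                && SessionIdState.AUTHENTICATED == session.getState();
    }

    /**
     * Handles a request that arrives with an already authenticated session.
     *
     * <p>Validates the redirect URI against the client before anything else (denying and
     * stopping on failure), rejects {@code prompt=none} combined with other prompts, and grants
     * the request when the client is trusted (and consent was not explicitly requested) or when
     * the requested scopes were already authorized by this user. In every other case it returns
     * without redirecting.
     */
    private void handleAuthenticatedSession(Client client, SessionId session, List<Prompt> prompts) {
        if (StringUtils.isBlank(this.redirectionUriService.validateRedirectionUri(this.clientId, this.redirectUri))) {
            // Stop here: without this return the request could still be granted for an invalid redirect URI.
            permissionDenied();
            return;
        }
        User user = this.userService.getUserByDn(session.getUserDn(), new String[0]);
        this.log.trace("checkPermissionGranted, user = " + user);
        if (user == null) {
            // same outcome permissionGranted() would produce, but without dereferencing a null user below
            this.log.error("Permission denied. Failed to find session user: userDn = " + session.getUserDn() + ".");
            permissionDenied();
            return;
        }
        if (!AuthorizeParamsValidator.noNonePrompt(prompts)) {
            invalidRequest();
            return;
        }
        boolean trustedClientSkipsConsent = this.appConfiguration.getTrustedClientEnabled()
                && client.getTrustedClient()
                && !prompts.contains(Prompt.CONSENT);
        if (trustedClientSkipsConsent || isScopeAlreadyAuthorized(client, user)) {
            permissionGranted(session);
        }
        // Otherwise fall through without a redirect (consent still required).
    }

    /**
     * True when the client persists authorizations and the stored authorization for this user
     * covers every scope of the current request.
     */
    private boolean isScopeAlreadyAuthorized(Client client, User user) {
        if (!client.getPersistClientAuthorizations()) {
            return false;
        }
        ClientAuthorizations authorizations =
                this.clientAuthorizationsService.findClientAuthorizations(user.getAttribute("inum"), client.getClientId());
        if (authorizations == null || authorizations.getScopes() == null) {
            return false;
        }
        return Arrays.asList(authorizations.getScopes())
                .containsAll(org.xdi.oxauth.model.util.StringUtils.spaceSeparatedToList(this.scope));
    }

    /**
     * Creates an unauthenticated session holding the allowed request parameters, sets the
     * session cookie and redirects to the login page (either the default view or the page
     * supplied by the interactive external authentication script for step 1).
     *
     * @param prompts parsed {@code prompt} values; {@code prompt=none} suppresses persisting the session
     */
    private void redirectToLoginPage(List<Prompt> prompts) {
        Map<String, String> allowedParameters =
                this.authenticationService.getAllowedParameters(this.externalContext.getRequestParameterMap());
        String loginPage = DEFAULT_LOGIN_PAGE;
        if (this.externalAuthenticationService.isEnabled(AuthenticationScriptUsageType.INTERACTIVE)) {
            List<String> requestedAcrs = acrValuesList();
            if (requestedAcrs.isEmpty()) {
                // No acr_values in the request: fall back to the configured default, then to the default script.
                if (StringHelper.isNotEmpty(this.defaultAuthenticationMethod)) {
                    requestedAcrs = Arrays.asList(this.defaultAuthenticationMethod);
                } else {
                    CustomScriptConfiguration defaultAuthenticator =
                            this.externalAuthenticationService.getDefaultExternalAuthenticator(AuthenticationScriptUsageType.INTERACTIVE);
                    if (defaultAuthenticator != null) {
                        requestedAcrs = Arrays.asList(defaultAuthenticator.getName());
                    }
                }
            }
            CustomScriptConfiguration script = this.externalAuthenticationService
                    .determineCustomScriptConfiguration(AuthenticationScriptUsageType.INTERACTIVE, requestedAcrs);
            if (script == null) {
                this.log.error("Failed to get CustomScriptConfiguration. auth_step: {0}, acr_values: {1}",
                        FIRST_AUTH_STEP, this.acrValues);
                permissionDenied();
                return;
            }
            allowedParameters.put("acr", script.getName());
            allowedParameters.put("auth_step", Integer.toString(FIRST_AUTH_STEP));
            String scriptPage = this.externalAuthenticationService.executeExternalGetPageForStep(script, FIRST_AUTH_STEP);
            if (StringHelper.isNotEmpty(scriptPage)) {
                this.log.trace("Redirect to person authentication login page: {0}", scriptPage);
                loginPage = scriptPage;
            }
        }
        allowedParameters.put(Constants.REMOTE_IP, this.networkService.getRemoteIp());
        SessionId unauthenticatedSession = this.sessionIdService.generateUnauthenticatedSessionId(
                null, new Date(), SessionIdState.UNAUTHENTICATED, allowedParameters, false);
        unauthenticatedSession.setSessionAttributes(allowedParameters);
        unauthenticatedSession.addPermission(this.clientId, false);
        boolean persisted = this.sessionIdService.persistSessionId(unauthenticatedSession, !prompts.contains(Prompt.NONE));
        if (persisted && this.log.isTraceEnabled()) {
            this.log.trace("Session '{0}' persisted to LDAP", unauthenticatedSession.getId());
        }
        this.sessionId = unauthenticatedSession.getId();
        this.sessionIdService.createSessionIdCookie(this.sessionId, unauthenticatedSession.getSessionState());
        // Only login_hint is forwarded as a page parameter; everything else lives in the session.
        Map<String, Object> pageParameters = new HashMap<String, Object>();
        if (allowedParameters.containsKey("login_hint")) {
            pageParameters.put("login_hint", allowedParameters.get("login_hint"));
        }
        FacesManager.instance().redirect(loginPage, pageParameters, false);
    }

    /**
     * Forces re-authentication of an authenticated session after an ACR change requested with
     * {@code prompt=login}: the session is moved to UNAUTHENTICATED, its prompt and remote IP
     * attributes are refreshed, and the login is re-initialised.
     *
     * @param sessionId the current session, may be {@code null}
     * @param list      parsed prompt values
     * @return the (possibly modified) session; unchanged when the conditions are not met
     */
    private SessionId handleAcrChange(SessionId sessionId, List<Prompt> list) {
        if (sessionId != null && list.contains(Prompt.LOGIN) && sessionId.getState() == SessionIdState.AUTHENTICATED) {
            sessionId.getSessionAttributes().put("prompt", this.prompt);
            sessionId.setState(SessionIdState.UNAUTHENTICATED);
            sessionId.getSessionAttributes().put(Constants.REMOTE_IP, this.networkService.getRemoteIp());
            this.sessionIdService.updateSessionId(sessionId);
            this.sessionIdService.reinitLogin(sessionId, false);
        }
        return sessionId;
    }

    /**
     * Parses {@code acr_values}, which may be given either as a JSON array string or as a
     * space-separated list; the space-separated form is the fallback when JSON parsing fails.
     */
    private List<String> acrValuesList() {
        try {
            return Util.jsonArrayStringAsList(this.acrValues);
        } catch (JSONException e) {
            return Util.splittedStringAsList(this.acrValues, " ");
        }
    }

    /**
     * Resolves the current session from the {@code sessionId} field or, failing that, from the
     * session cookie. Authenticates the Seam identity from the session id when it is not yet
     * logged in, and logs the identity out when the session no longer exists.
     *
     * @return the session, or {@code null} when no session id is available or it is unknown
     */
    private SessionId getSession() {
        if (StringUtils.isBlank(this.sessionId)) {
            this.sessionId = this.sessionIdService.getSessionIdFromCookie();
            if (StringUtils.isBlank(this.sessionId)) {
                return null;
            }
        }
        if (!this.identity.isLoggedIn()) {
            Authenticator authenticator = (Authenticator) Component.getInstance(Authenticator.class, true);
            authenticator.authenticateBySessionId(this.sessionId);
        }
        SessionId session = this.sessionIdService.getSessionId(this.sessionId);
        if (session == null) {
            // A stale session id must not leave the identity logged in.
            this.identity.logout();
        }
        return session;
    }

    /**
     * Resolves the requested scope names to scope entries that carry a description; scopes
     * without a description (or unknown ones) are omitted so the consent page only lists
     * describable scopes.
     *
     * @return never {@code null}; empty when no scope was requested
     */
    public List<org.xdi.oxauth.model.common.Scope> getScopes() {
        List<org.xdi.oxauth.model.common.Scope> result = new ArrayList<org.xdi.oxauth.model.common.Scope>();
        ScopeService scopeService = ScopeService.instance();
        if (this.scope == null || this.scope.isEmpty()) {
            return result;
        }
        for (String scopeName : this.scope.split(" ")) {
            org.xdi.oxauth.model.common.Scope found = scopeService.getScopeByDisplayName(scopeName);
            if (found != null && found.getDescription() != null) {
                result.add(found);
            }
        }
        return result;
    }

    // Plain accessors for the authorization request parameters bound by the page.

    public String getScope() {
        return this.scope;
    }

    public void setScope(String str) {
        this.scope = str;
    }

    public String getResponseType() {
        return this.responseType;
    }

    public void setResponseType(String str) {
        this.responseType = str;
    }

    public String getClientId() {
        return this.clientId;
    }

    public void setClientId(String str) {
        this.clientId = str;
    }

    public String getRedirectUri() {
        return this.redirectUri;
    }

    public void setRedirectUri(String str) {
        this.redirectUri = str;
    }

    public String getState() {
        return this.state;
    }

    public void setState(String str) {
        this.state = str;
    }

    public String getResponseMode() {
        return this.responseMode;
    }

    public void setResponseMode(String str) {
        this.responseMode = str;
    }

    public String getNonce() {
        return this.nonce;
    }

    public void setNonce(String str) {
        this.nonce = str;
    }

    public String getDisplay() {
        return this.display;
    }

    public void setDisplay(String str) {
        this.display = str;
    }

    public String getPrompt() {
        return this.prompt;
    }

    public void setPrompt(String str) {
        this.prompt = str;
    }

    public Integer getMaxAge() {
        return this.maxAge;
    }

    public void setMaxAge(Integer num) {
        this.maxAge = num;
    }

    public String getUiLocales() {
        return this.uiLocales;
    }

    public void setUiLocales(String str) {
        this.uiLocales = str;
    }

    public String getIdTokenHint() {
        return this.idTokenHint;
    }

    public void setIdTokenHint(String str) {
        this.idTokenHint = str;
    }

    public String getLoginHint() {
        return this.loginHint;
    }

    public void setLoginHint(String str) {
        this.loginHint = str;
    }

    public String getAcrValues() {
        return this.acrValues;
    }

    public void setAcrValues(String str) {
        this.acrValues = str;
    }

    public String getAmrValues() {
        return this.amrValues;
    }

    public void setAmrValues(String str) {
        this.amrValues = str;
    }

    public String getRequest() {
        return this.request;
    }

    public void setRequest(String str) {
        this.request = str;
    }

    public String getRequestUri() {
        return this.requestUri;
    }

    public void setRequestUri(String str) {
        this.requestUri = str;
    }

    public String getSessionId() {
        return this.sessionId;
    }

    public void setSessionId(String str) {
        this.sessionId = str;
    }

    /** Grants the request for the current session (resolved via {@link #getSession()}). */
    public void permissionGranted() {
        permissionGranted(getSession());
    }

    /**
     * Records the user's consent and redirects back to the REST authorization endpoint with
     * the session's allowed parameters (minus {@code prompt=consent}).
     *
     * <p>Missing {@code client_id}/{@code scope} fields are filled from the session attributes.
     * For non-trusted clients that persist authorizations the granted scopes are stored so the
     * consent page can be skipped next time. A missing session, user or client denies the request.
     *
     * @param sessionId the session to grant; note this shadows the {@code sessionId} string field,
     *                  which is still used for the cookie value
     */
    public void permissionGranted(SessionId sessionId) {
        try {
            if (sessionId == null) {
                this.log.error("Permission denied. No session found.");
                permissionDenied();
                return;
            }
            User user = this.userService.getUserByDn(sessionId.getUserDn(), new String[0]);
            if (user == null) {
                this.log.error("Permission denied. Failed to find session user: userDn = " + sessionId.getUserDn() + ".");
                permissionDenied();
                return;
            }
            if (this.clientId == null) {
                this.clientId = sessionId.getSessionAttributes().get("client_id");
            }
            Client client = this.clientService.getClient(this.clientId);
            if (client == null) {
                this.log.error("Permission denied. Failed to find client_id '{0}' in LDAP.", this.clientId);
                permissionDenied();
                return;
            }
            if (this.scope == null) {
                this.scope = sessionId.getSessionAttributes().get("scope");
            }
            if (client.getPersistClientAuthorizations() && !client.getTrustedClient()) {
                this.clientAuthorizationsService.add(user.getAttribute("inum"), client.getClientId(),
                        Sets.newHashSet(org.xdi.oxauth.model.util.StringUtils.spaceSeparatedToList(this.scope)));
            }
            sessionId.addPermission(this.clientId, true);
            this.sessionIdService.updateSessionId(sessionId);
            // use the injected service consistently rather than a static lookup
            this.sessionIdService.createSessionIdCookie(this.sessionId, sessionId.getSessionState());
            Map<String, String> allowedParameters =
                    this.authenticationService.getAllowedParameters(sessionId.getSessionAttributes());
            if (allowedParameters.containsKey("prompt")) {
                // consent has just been given, so drop it from the forwarded prompt
                List<Prompt> prompts = Prompt.fromString(allowedParameters.get("prompt"), " ");
                prompts.remove(Prompt.CONSENT);
                allowedParameters.put("prompt", org.xdi.oxauth.model.util.StringUtils.implodeEnum(prompts, " "));
            }
            String redirectTo = "seam/resource/restv1/oxauth/authorize?"
                    + this.authenticationService.parametersAsString(allowedParameters);
            this.log.trace("permissionGranted, redirectTo: {0}", redirectTo);
            FacesManager.instance().redirectToExternalURL(redirectTo);
        } catch (UnsupportedEncodingException e) {
            // previously logged at trace level only, which hid a failed redirect
            this.log.error(e.getMessage(), e);
        }
    }

    /**
     * Redirects to the redirect URI with an {@code access_denied} error. When the request did
     * not carry {@code redirect_uri}/{@code state}, they are taken from the session attributes
     * if a session exists.
     */
    public void permissionDenied() {
        this.log.trace("permissionDenied");
        SessionId session = getSession();
        if (session != null && session.getSessionAttributes() != null) {
            Map<String, String> attributes = session.getSessionAttributes();
            if (this.redirectUri == null) {
                this.redirectUri = attributes.get("redirect_uri");
            }
            if (this.state == null) {
                this.state = attributes.get("state");
            }
        }
        redirectWithError(AuthorizeErrorResponseType.ACCESS_DENIED);
    }

    /** Redirects to the redirect URI with an {@code invalid_request} error. */
    public void invalidRequest() {
        this.log.trace("invalidRequest");
        redirectWithError(AuthorizeErrorResponseType.INVALID_REQUEST);
    }

    /** Redirects to the redirect URI with a {@code consent_required} error. */
    public void consentRequired() {
        redirectWithError(AuthorizeErrorResponseType.CONSENT_REQUIRED);
    }

    /**
     * Appends the given error (and the current {@code state}) as a query string to
     * {@code redirectUri} and redirects the browser there.
     *
     * <p>NOTE(review): {@code redirectUri} is used as-is here. In {@link #checkPermissionGranted()}
     * it is validated against the client only on the authenticated path, so the early
     * {@code permissionDenied()} calls for an empty or unknown {@code client_id} redirect to a
     * URI that was never validated; rendering a local error page in those cases would avoid
     * relying on an unchecked redirect target.
     */
    private void redirectWithError(AuthorizeErrorResponseType errorType) {
        StringBuilder sb = new StringBuilder();
        sb.append(this.redirectUri);
        sb.append(this.redirectUri != null && this.redirectUri.contains("?") ? "&" : "?");
        sb.append(this.errorResponseFactory.getErrorAsQueryString(errorType, getState()));
        FacesManager.instance().redirectToExternalURL(sb.toString());
    }

    public String getCodeChallenge() {
        return this.codeChallenge;
    }

    public void setCodeChallenge(String str) {
        this.codeChallenge = str;
    }

    public String getCodeChallengeMethod() {
        return this.codeChallengeMethod;
    }

    public void setCodeChallengeMethod(String str) {
        this.codeChallengeMethod = str;
    }
}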
