package org.xdi.oxauth.userinfo.ws.rs;

import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Path;
import javax.ws.rs.core.CacheControl;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang.StringUtils;
import org.codehaus.jettison.json.JSONArray;
import org.codehaus.jettison.json.JSONObject;
import org.gluu.site.ldap.persistence.exception.EntryPersistenceException;
import org.slf4j.Logger;
import org.xdi.model.GluuAttribute;
import org.xdi.model.GluuAttributeDataType;
import org.xdi.oxauth.audit.ApplicationAuditLogger;
import org.xdi.oxauth.model.audit.Action;
import org.xdi.oxauth.model.audit.OAuth2AuditLog;
import org.xdi.oxauth.model.authorize.Claim;
import org.xdi.oxauth.model.common.AbstractToken;
import org.xdi.oxauth.model.common.AuthorizationGrant;
import org.xdi.oxauth.model.common.AuthorizationGrantList;
import org.xdi.oxauth.model.common.AuthorizationGrantType;
import org.xdi.oxauth.model.common.DefaultScope;
import org.xdi.oxauth.model.common.Scope;
import org.xdi.oxauth.model.common.ScopeType;
import org.xdi.oxauth.model.common.SubjectType;
import org.xdi.oxauth.model.common.UnmodifiableAuthorizationGrant;
import org.xdi.oxauth.model.common.User;
import org.xdi.oxauth.model.config.WebKeysConfiguration;
import org.xdi.oxauth.model.configuration.AppConfiguration;
import org.xdi.oxauth.model.crypto.AbstractCryptoProvider;
import org.xdi.oxauth.model.crypto.CryptoProviderFactory;
import org.xdi.oxauth.model.crypto.encryption.BlockEncryptionAlgorithm;
import org.xdi.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm;
import org.xdi.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.exception.InvalidClaimException;
import org.xdi.oxauth.model.exception.InvalidJweException;
import org.xdi.oxauth.model.jwe.Jwe;
import org.xdi.oxauth.model.jwe.JweEncrypterImpl;
import org.xdi.oxauth.model.jwk.Algorithm;
import org.xdi.oxauth.model.jwk.JSONWebKeySet;
import org.xdi.oxauth.model.jwk.Use;
import org.xdi.oxauth.model.jwt.Jwt;
import org.xdi.oxauth.model.jwt.JwtSubClaimObject;
import org.xdi.oxauth.model.jwt.JwtType;
import org.xdi.oxauth.model.ldap.PairwiseIdentifier;
import org.xdi.oxauth.model.token.JsonWebResponse;
import org.xdi.oxauth.model.userinfo.UserInfoErrorResponseType;
import org.xdi.oxauth.model.userinfo.UserInfoParamsValidator;
import org.xdi.oxauth.model.util.JwtUtil;
import org.xdi.oxauth.service.AttributeService;
import org.xdi.oxauth.service.ClientService;
import org.xdi.oxauth.service.PairwiseIdentifierService;
import org.xdi.oxauth.service.ScopeService;
import org.xdi.oxauth.service.UserService;
import org.xdi.oxauth.service.external.ExternalDynamicScopeService;
import org.xdi.oxauth.service.external.context.DynamicScopeExternalContext;
import org.xdi.oxauth.util.ServerUtil;
import org.xdi.util.security.StringEncrypter;

@Path("/")
/* loaded from: input_file:org/xdi/oxauth/userinfo/ws/rs/UserInfoRestWebServiceImpl.class */
public class UserInfoRestWebServiceImpl implements UserInfoRestWebService {

    // Endpoint logger. NOTE(review): requestUserInfo writes the raw access token to debug/trace.
    @Inject
    private Logger log;

    // Sink for the OAuth2AuditLog record built for every userinfo request.
    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    // Produces the JSON error bodies (invalid_request, invalid_token, insufficient_scope).
    @Inject
    private ErrorResponseFactory errorResponseFactory;

    // Resolves an access token string to the AuthorizationGrant it was issued under.
    @Inject
    private AuthorizationGrantList authorizationGrantList;

    // Decrypts the stored client secret for JWT signing and A128KW/A256KW key wrapping.
    @Inject
    private ClientService clientService;

    // Looks up Scope entries by display name (the scope values stored on the grant).
    @Inject
    private ScopeService scopeService;

    // Resolves claim DNs and claim names to GluuAttribute definitions.
    @Inject
    private AttributeService attributeService;

    // Re-reads the user entry by DN before claims are assembled.
    @Inject
    private UserService userService;

    // Extension point: external scripts may add claims for DYNAMIC scopes when enabled.
    @Inject
    private ExternalDynamicScopeService externalDynamicScopeService;

    // Finds or creates pairwise subject identifiers for clients with subject_type "pairwise".
    @Inject
    private PairwiseIdentifierService pairwiseIdentifierService;

    // Server settings read here: issuer, openidSubAttribute, openidScopeBackwardCompatibility,
    // and whatever CryptoProviderFactory needs.
    @Inject
    private AppConfiguration appConfiguration;

    // Server key set from which the signing key id for a JWT userinfo response is chosen.
    @Inject
    private WebKeysConfiguration webKeysConfiguration;

    /**
     * GET variant of the UserInfo endpoint; delegates to {@link #requestUserInfo}.
     *
     * @param str                access_token request parameter
     * @param str2               Authorization header value
     * @param httpServletRequest current request
     * @param securityContext    JAX-RS security context
     * @return the response produced by {@link #requestUserInfo}
     */
    @Override
    public Response requestUserInfoGet(String str, String str2, HttpServletRequest httpServletRequest, SecurityContext securityContext) {
        Response userInfo = this.requestUserInfo(str, str2, httpServletRequest, securityContext);
        return userInfo;
    }

    /**
     * POST variant of the UserInfo endpoint; delegates to {@link #requestUserInfo}.
     *
     * @param str                access_token request parameter
     * @param str2               Authorization header value
     * @param httpServletRequest current request
     * @param securityContext    JAX-RS security context
     * @return the response produced by {@link #requestUserInfo}
     */
    @Override
    public Response requestUserInfoPost(String str, String str2, HttpServletRequest httpServletRequest, SecurityContext securityContext) {
        Response userInfo = this.requestUserInfo(str, str2, httpServletRequest, securityContext);
        return userInfo;
    }

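    /**
     * Serves a UserInfo request (GET or POST) for an access token.
     *
     * <p>The token is taken from the {@code Authorization: Bearer} header when present (the
     * header wins over the {@code access_token} parameter), otherwise from {@code str}. The
     * grant is looked up by token, the token must still be valid, client_credentials grants are
     * refused, and the grant must carry {@code openid} (or, with
     * {@code openidScopeBackwardCompatibility} on, {@code profile}). The body is plain JSON, a
     * signed JWT or a JWE depending on the client's registered userinfo response algorithms.
     *
     * <p>Exactly one {@link OAuth2AuditLog} message is sent per call, on every exit path.
     *
     * @param str                access_token request parameter (may be null)
     * @param str2               Authorization header value (may be null)
     * @param httpServletRequest current request; only its client IP is used, for the audit log
     * @param securityContext    JAX-RS security context; only isSecure() is used, for logging
     * @return 200 with the userinfo payload, 400 for an invalid request or token,
     *         403 for insufficient scope, 500 on any unexpected failure
     */
    public Response requestUserInfo(String str, String str2, HttpServletRequest httpServletRequest, SecurityContext securityContext) {
        // Header form wins over the parameter. NOTE(review): the scheme match is case-sensitive
        // ("Bearer " only) while RFC 6750 treats the auth-scheme as case-insensitive — confirm intended.
        if (str2 != null && !str2.isEmpty() && str2.startsWith("Bearer ")) {
            str = str2.substring("Bearer ".length());
        }
        // NOTE(review): the raw access token is written to the log here and in the trace lines
        // below; anyone who can read the log can replay it while it is valid. A digest would do.
        this.log.debug("Attempting to request User Info, Access token = {}, Is Secure = {}", str, Boolean.valueOf(securityContext.isSecure()));

        Response.ResponseBuilder builder = Response.ok();
        OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpServletRequest), Action.USER_INFO);
        try {
            if (!UserInfoParamsValidator.validateParams(str)) {
                builder = Response.status(400);
                builder.entity(this.errorResponseFactory.getErrorAsJson(UserInfoErrorResponseType.INVALID_REQUEST));
                return builder.build();
            }

            AuthorizationGrant grant = this.authorizationGrantList.getAuthorizationGrantByAccessToken(str);
            if (grant == null) {
                this.log.trace("Failed to find authorization grant by access_token: " + str);
                return response(400, UserInfoErrorResponseType.INVALID_TOKEN);
            }

            AbstractToken accessToken = grant.getAccessToken(str);
            if (accessToken == null || !accessToken.isValid()) {
                // isValid() is only evaluated on a non-null token. The original called it
                // unconditionally here, so a null token raised an NPE and became a 500 instead of 400.
                boolean isValid = accessToken != null && accessToken.isValid();
                this.log.trace("Invalid access token object, access_token: {}, isNull: {}, isValid: {}", str, Boolean.valueOf(accessToken == null), Boolean.valueOf(isValid));
                return response(400, UserInfoErrorResponseType.INVALID_TOKEN);
            }

            if (grant.getAuthorizationGrantType() == AuthorizationGrantType.CLIENT_CREDENTIALS) {
                // No end user stands behind a client_credentials token, so there is no userinfo.
                // (As in the original, the audit record is not updated with the grant on this path.)
                builder = Response.status(403);
                builder.entity(this.errorResponseFactory.getErrorAsJson(UserInfoErrorResponseType.INSUFFICIENT_SCOPE));
                return builder.build();
            }

            Collection<String> scopes = grant.getScopes();
            // Null-safe read of the Boolean flag: a missing setting means "not legacy" rather than an NPE.
            boolean legacyScopeCheck = Boolean.TRUE.equals(this.appConfiguration.getOpenidScopeBackwardCompatibility());
            boolean hasOpenId = scopes.contains(DefaultScope.OPEN_ID.toString());
            // "openid" is required; with the backward-compatibility flag on, "profile" alone is also accepted.
            boolean scopeAllowsUserInfo = hasOpenId || (legacyScopeCheck && scopes.contains(DefaultScope.PROFILE.toString()));
            if (!scopeAllowsUserInfo) {
                builder = Response.status(403);
                builder.entity(this.errorResponseFactory.getErrorAsJson(UserInfoErrorResponseType.INSUFFICIENT_SCOPE));
                oAuth2AuditLog.updateOAuth2AuditLog(grant, false);
                return builder.build();
            }
            oAuth2AuditLog.updateOAuth2AuditLog(grant, true);

            // Per-user data: keep it out of shared caches and stores.
            CacheControl cacheControl = new CacheControl();
            cacheControl.setPrivate(true);
            cacheControl.setNoTransform(false);
            cacheControl.setNoStore(true);
            builder.cacheControl(cacheControl);
            builder.header("Pragma", "no-cache");

            // Re-read the user entry by DN; keep the copy cached on the grant if the read fails or is empty.
            User user = grant.getUser();
            try {
                User reloaded = this.userService.getUserByDn(grant.getUserDn(), new String[0]);
                if (reloaded != null) {
                    user = reloaded;
                }
            } catch (EntryPersistenceException e) {
                this.log.warn("Failed to reload user entry: '{}'", grant.getUserDn(), e);
            }

            // Response format follows the client's registration: encrypted wins over signed, else plain JSON.
            String encAlg = grant.getClient() == null ? null : grant.getClient().getUserInfoEncryptedResponseAlg();
            String encEnc = grant.getClient() == null ? null : grant.getClient().getUserInfoEncryptedResponseEnc();
            String sigAlg = grant.getClient() == null ? null : grant.getClient().getUserInfoSignedResponseAlg();
            if (encAlg != null && encEnc != null) {
                builder.type("application/jwt");
                builder.entity(getJweResponse(KeyEncryptionAlgorithm.fromName(encAlg), BlockEncryptionAlgorithm.fromName(encEnc), user, grant, scopes));
            } else if (sigAlg != null) {
                builder.type("application/jwt");
                builder.entity(getJwtResponse(SignatureAlgorithm.fromString(sigAlg), user, grant, scopes));
            } else {
                builder.type("application/json;charset=UTF-8");
                builder.entity(getJSonResponse(user, grant, scopes));
            }
            return builder.build();
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode()).build();
        } finally {
            // Audit exactly once per request, whichever path left the try block.
            this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
        }
    }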

    /**
     * Builds an error response: HTTP status {@code i} with the JSON body for the given error type.
     *
     * @param i                         HTTP status code
     * @param userInfoErrorResponseType error to serialise into the body
     * @return the built response
     */
    private Response response(int i, UserInfoErrorResponseType userInfoErrorResponseType) {
        Response.ResponseBuilder builder = Response.status(i);
        builder = builder.entity(this.errorResponseFactory.getErrorAsJson(userInfoErrorResponseType));
        return builder.build();
    }

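    /**
     * Builds the UserInfo response as a signed JWT ({@code application/jwt}).
     *
     * <p>Claims are assembled in this order: (1) the non-DYNAMIC scopes in {@code collection},
     * each scope's oxAuthClaims mapped through the attribute's oxAuthClaimName; (2) the
     * {@code userinfo} member of the request object, when the grant has one, each claim
     * re-checked with {@link #validateRequesteClaim}; (3) {@code sub}, {@code iss}, {@code aud}.
     * DYNAMIC scopes are collected and handed to the external dynamic-scope scripts before
     * signing, when that service is enabled.
     *
     * <p>{@code sub} is a pairwise identifier (created on first use) when the client's
     * subject_type is {@code pairwise}; otherwise it is the grant user's openidSubAttribute.
     *
     * @param signatureAlgorithm the client's userinfo_signed_response_alg
     * @param user               the (reloaded) user whose attributes are released
     * @param authorizationGrant the grant the access token belongs to; its client must be non-null
     * @param collection         scope names granted to the token
     * @return the compact-serialised, signed JWT
     * @throws Exception propagated from the scope/attribute lookups, the crypto provider and signing
     */
    public String getJwtResponse(SignatureAlgorithm signatureAlgorithm, User user, AuthorizationGrant authorizationGrant, Collection<String> collection) throws Exception {
        // SLF4J placeholders are "{}"; the original "{0}"/"{1}" were printed literally.
        this.log.trace("Building JWT response with next scopes {} for user {} and user custom attributes {}", collection, user.getUserId(), user.getCustomAttributes());

        Jwt jwt = new Jwt();
        AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(this.appConfiguration);
        jwt.getHeader().setType(JwtType.JWT);
        jwt.getHeader().setAlgorithm(signatureAlgorithm);
        // "kid" is optional: only set when the provider has a signing key id for this algorithm.
        String keyId = cryptoProvider.getKeyId(this.webKeysConfiguration, Algorithm.fromString(signatureAlgorithm.getName()), Use.SIGNATURE);
        if (keyId != null) {
            jwt.getHeader().setKeyId(keyId);
        }

        // 1. Claims released by the granted scopes; DYNAMIC scopes are deferred to the external scripts.
        List<Scope> dynamicScopes = new ArrayList<Scope>();
        for (String scopeName : collection) {
            Scope scope = this.scopeService.getScopeByDisplayName(scopeName);
            if (scope == null) {
                // Unknown scope name on the grant: skip it rather than fail the whole response
                // (getJSonResponse already tolerates this; the original NPE'd here).
                this.log.trace("Scope '{}' not found, skipping", scopeName);
                continue;
            }
            if (ScopeType.DYNAMIC == scope.getScopeType()) {
                dynamicScopes.add(scope);
                continue;
            }
            if (scope.getOxAuthClaims() == null) {
                continue;
            }
            for (String claimDn : scope.getOxAuthClaims()) {
                GluuAttribute attribute = this.attributeService.getAttributeByDn(claimDn);
                if (attribute == null) {
                    continue;
                }
                String claimName = attribute.getOxAuthClaimName();
                String attributeName = attribute.getName();
                if (StringUtils.isBlank(claimName) || StringUtils.isBlank(attributeName)) {
                    continue;
                }
                // "uid" is served from the user id rather than the attribute map.
                Object value = "uid".equals(attributeName) ? user.getUserId() : user.getAttribute(attributeName, true);
                if (value == null) {
                    continue;
                }
                if (value instanceof JSONArray) {
                    // Multi-valued attribute: emit the non-null string elements as a JSON array.
                    JSONArray values = (JSONArray) value;
                    List<String> items = new ArrayList<String>(values.length());
                    for (int i = 0; i < values.length(); i++) {
                        String item = values.optString(i);
                        if (item != null) {
                            items.add(item);
                        }
                    }
                    jwt.getClaims().setClaim(claimName, items);
                } else {
                    jwt.getClaims().setClaim(claimName, value.toString());
                }
            }
        }

        // 2. Claims requested through the "userinfo" member of the request object.
        if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember() != null) {
            for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember().getClaims()) {
                GluuAttribute attribute = this.attributeService.getByClaimName(claim.getName());
                // Released only if the client is registered for the claim or a granted scope covers it.
                if (attribute == null || !validateRequesteClaim(attribute, authorizationGrant.getClient().getClaims(), collection)) {
                    continue;
                }
                Object value = user.getAttribute(attribute.getName(), true);
                if (value == null) {
                    continue;
                }
                if (value instanceof JSONArray) {
                    JSONArray values = (JSONArray) value;
                    List<String> items = new ArrayList<String>(values.length());
                    for (int i = 0; i < values.length(); i++) {
                        String item = values.optString(i);
                        if (item != null) {
                            items.add(item);
                        }
                    }
                    jwt.getClaims().setClaim(claim.getName(), items);
                } else {
                    jwt.getClaims().setClaim(claim.getName(), value.toString());
                }
            }
        }

        // 3. Subject. Read from the user cached on the grant (not the reloaded one), as in the original.
        String subjectType = authorizationGrant.getClient().getSubjectType();
        // Null-safe form of the comparison: an unparseable subject type falls back to the public sub.
        boolean pairwise = subjectType != null && SubjectType.PAIRWISE.equals(SubjectType.fromString(subjectType));
        if (!pairwise) {
            jwt.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute(this.appConfiguration.getOpenidSubAttribute()));
        } else {
            // Pairwise sub is keyed by sector identifier (sector_identifier_uri, else the first
            // redirect_uri), the user's inum and the client id; it is created on first use.
            String sectorIdentifierUri = StringUtils.isNotBlank(authorizationGrant.getClient().getSectorIdentifierUri())
                    ? authorizationGrant.getClient().getSectorIdentifierUri()
                    : authorizationGrant.getClient().getRedirectUris()[0];
            String userInum = authorizationGrant.getUser().getAttribute("inum");
            String clientId = authorizationGrant.getClientId();
            PairwiseIdentifier pairwiseIdentifier = this.pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri, clientId);
            if (pairwiseIdentifier == null) {
                pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri, clientId);
                pairwiseIdentifier.setId(UUID.randomUUID().toString());
                pairwiseIdentifier.setDn(this.pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
                this.pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
            }
            jwt.getClaims().setSubjectIdentifier(pairwiseIdentifier.getId());
        }
        jwt.getClaims().setIssuer(this.appConfiguration.getIssuer());
        jwt.getClaims().setAudience(authorizationGrant.getClientId());

        // External scripts may add claims for DYNAMIC scopes; they see a read-only view of the grant.
        if (!dynamicScopes.isEmpty() && this.externalDynamicScopeService.isEnabled()) {
            this.externalDynamicScopeService.executeExternalUpdateMethods(new DynamicScopeExternalContext(dynamicScopes, jwt, new UnmodifiableAuthorizationGrant(authorizationGrant)));
        }

        // The provider receives both the key id and the decrypted client secret; which one it
        // uses depends on the signature algorithm (the provider's concern, not this method's).
        jwt.setEncodedSignature(cryptoProvider.sign(jwt.getSigningInput(), jwt.getHeader().getKeyId(), this.clientService.decryptSecret(authorizationGrant.getClient().getClientSecret()), signatureAlgorithm));
        return jwt.toString();
    }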

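    /**
     * Builds the UserInfo response as an encrypted JWE ({@code application/jwt}).
     *
     * <p>Claims are assembled exactly as in {@link #getJwtResponse} (scope claims, request-object
     * claims, {@code sub}, then the external dynamic-scope scripts), but without {@code iss}/{@code aud}
     * and without a signature. The content is then encrypted: for RSA_OAEP / RSA1_5 with the client's
     * public key fetched from its jwks_uri; for A128KW / A256KW with the client secret's UTF-8 bytes
     * as the wrapping key.
     *
     * @param keyEncryptionAlgorithm   the client's userinfo_encrypted_response_alg
     * @param blockEncryptionAlgorithm the client's userinfo_encrypted_response_enc
     * @param user                     the (reloaded) user whose attributes are released
     * @param authorizationGrant       the grant the access token belongs to; its client must be non-null
     * @param collection               scope names granted to the token
     * @return the compact-serialised JWE
     * @throws InvalidJweException when no usable public key is found for the RSA algorithms, or when
     *                             symmetric key wrap fails (the cause is preserved)
     * @throws Exception           propagated from the scope/attribute lookups and the crypto provider
     */
    public String getJweResponse(KeyEncryptionAlgorithm keyEncryptionAlgorithm, BlockEncryptionAlgorithm blockEncryptionAlgorithm, User user, AuthorizationGrant authorizationGrant, Collection<String> collection) throws Exception {
        // SLF4J placeholders are "{}"; the original "{0}"/"{1}" were printed literally.
        this.log.trace("Building JWE response with next scopes {} for user {} and user custom attributes {}", collection, user.getUserId(), user.getCustomAttributes());

        Jwe jwe = new Jwe();
        jwe.getHeader().setType(JwtType.JWT);
        jwe.getHeader().setAlgorithm(keyEncryptionAlgorithm);
        jwe.getHeader().setEncryptionMethod(blockEncryptionAlgorithm);

        // 1. Claims released by the granted scopes; DYNAMIC scopes are deferred to the external scripts.
        List<Scope> dynamicScopes = new ArrayList<Scope>();
        for (String scopeName : collection) {
            Scope scope = this.scopeService.getScopeByDisplayName(scopeName);
            if (scope == null) {
                // Unknown scope name on the grant: skip it rather than fail the whole response
                // (getJSonResponse already tolerates this; the original NPE'd here).
                this.log.trace("Scope '{}' not found, skipping", scopeName);
                continue;
            }
            if (ScopeType.DYNAMIC == scope.getScopeType()) {
                dynamicScopes.add(scope);
                continue;
            }
            if (scope.getOxAuthClaims() == null) {
                continue;
            }
            for (String claimDn : scope.getOxAuthClaims()) {
                GluuAttribute attribute = this.attributeService.getAttributeByDn(claimDn);
                if (attribute == null) {
                    continue;
                }
                String claimName = attribute.getOxAuthClaimName();
                String attributeName = attribute.getName();
                if (StringUtils.isBlank(claimName) || StringUtils.isBlank(attributeName)) {
                    continue;
                }
                // "uid" is served from the user id rather than the attribute map.
                Object value = "uid".equals(attributeName) ? user.getUserId() : user.getAttribute(attributeName, true);
                if (value == null) {
                    continue;
                }
                if (value instanceof JSONArray) {
                    // Multi-valued attribute: emit the non-null string elements as a JSON array.
                    JSONArray values = (JSONArray) value;
                    List<String> items = new ArrayList<String>(values.length());
                    for (int i = 0; i < values.length(); i++) {
                        String item = values.optString(i);
                        if (item != null) {
                            items.add(item);
                        }
                    }
                    jwe.getClaims().setClaim(claimName, items);
                } else {
                    jwe.getClaims().setClaim(claimName, value.toString());
                }
            }
        }

        // 2. Claims requested through the "userinfo" member of the request object.
        if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember() != null) {
            for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember().getClaims()) {
                GluuAttribute attribute = this.attributeService.getByClaimName(claim.getName());
                // Released only if the client is registered for the claim or a granted scope covers it.
                if (attribute == null || !validateRequesteClaim(attribute, authorizationGrant.getClient().getClaims(), collection)) {
                    continue;
                }
                Object value = user.getAttribute(attribute.getName(), true);
                if (value == null) {
                    continue;
                }
                if (value instanceof JSONArray) {
                    JSONArray values = (JSONArray) value;
                    List<String> items = new ArrayList<String>(values.length());
                    for (int i = 0; i < values.length(); i++) {
                        String item = values.optString(i);
                        if (item != null) {
                            items.add(item);
                        }
                    }
                    jwe.getClaims().setClaim(claim.getName(), items);
                } else {
                    jwe.getClaims().setClaim(claim.getName(), value.toString());
                }
            }
        }

        // 3. Subject. Read from the user cached on the grant (not the reloaded one), as in the original.
        String subjectType = authorizationGrant.getClient().getSubjectType();
        // Null-safe form of the comparison: an unparseable subject type falls back to the public sub.
        boolean pairwise = subjectType != null && SubjectType.PAIRWISE.equals(SubjectType.fromString(subjectType));
        if (!pairwise) {
            jwe.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute(this.appConfiguration.getOpenidSubAttribute()));
        } else {
            // Pairwise sub is keyed by sector identifier (sector_identifier_uri, else the first
            // redirect_uri), the user's inum and the client id; it is created on first use.
            String sectorIdentifierUri = StringUtils.isNotBlank(authorizationGrant.getClient().getSectorIdentifierUri())
                    ? authorizationGrant.getClient().getSectorIdentifierUri()
                    : authorizationGrant.getClient().getRedirectUris()[0];
            String userInum = authorizationGrant.getUser().getAttribute("inum");
            String clientId = authorizationGrant.getClientId();
            PairwiseIdentifier pairwiseIdentifier = this.pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri, clientId);
            if (pairwiseIdentifier == null) {
                pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri, clientId);
                pairwiseIdentifier.setId(UUID.randomUUID().toString());
                pairwiseIdentifier.setDn(this.pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
                this.pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
            }
            jwe.getClaims().setSubjectIdentifier(pairwiseIdentifier.getId());
        }

        // External scripts may add claims for DYNAMIC scopes; they see a read-only view of the grant.
        if (!dynamicScopes.isEmpty() && this.externalDynamicScopeService.isEnabled()) {
            this.externalDynamicScopeService.executeExternalUpdateMethods(new DynamicScopeExternalContext(dynamicScopes, jwe, new UnmodifiableAuthorizationGrant(authorizationGrant)));
        }

        // 4. Encrypt.
        if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
            // Asymmetric key wrap with the client's public key, selected from its jwks_uri for this
            // alg with use=enc. NOTE(review): this is an outbound fetch of a client-registered URL on
            // every request; RSA1_5 (PKCS#1 v1.5 padding) is discouraged in favour of RSA_OAEP.
            JSONObject jwks = JwtUtil.getJSONWebKeys(authorizationGrant.getClient().getJwksUri());
            AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(this.appConfiguration);
            String keyId = cryptoProvider.getKeyId(JSONWebKeySet.fromJSONObject(jwks), Algorithm.fromString(keyEncryptionAlgorithm.getName()), Use.ENCRYPTION);
            PublicKey publicKey = cryptoProvider.getPublicKey(keyId, jwks);
            if (publicKey == null) {
                throw new InvalidJweException("The public key is not valid");
            }
            jwe = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, publicKey).encrypt(jwe);
        } else if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A128KW || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A256KW) {
            // Symmetric key wrap: the wrapping key is the decrypted client secret as UTF-8 bytes.
            try {
                byte[] sharedKey = this.clientService.decryptSecret(authorizationGrant.getClient().getClientSecret()).getBytes(StandardCharsets.UTF_8);
                jwe = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, sharedKey).encrypt(jwe);
            } catch (Exception e) {
                // Covers StringEncrypter.EncryptionException from decryptSecret and any encrypter failure; cause kept.
                throw new InvalidJweException(e);
            }
        }
        // NOTE(review): any other key algorithm falls through and the JWE object is serialised as-is;
        // confirm with JweEncrypterImpl/Jwe whether that yields an encrypted token or should be rejected.
        return jwe.toString();
    }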

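    /**
     * Builds the UserInfo response as plain JSON ({@code application/json}).
     *
     * <p>Claims are assembled in this order: (1) the non-DYNAMIC scopes in {@code collection},
     * using {@link #getClaims}; a scope flagged oxAuthGroupClaims nests its claims under an object
     * named after the scope; (2) the {@code userinfo} member of the {@code claims} request
     * parameter stored on the grant; (3) the {@code userinfo} member of the request object, each
     * claim re-checked with {@link #validateRequesteClaim}; (4) {@code sub}. DYNAMIC scopes are
     * collected and handed to the external dynamic-scope scripts at the end, when enabled.
     *
     * <p>{@code sub} is a pairwise identifier (created on first use) when the client's
     * subject_type is {@code pairwise}; otherwise it is the grant user's openidSubAttribute.
     *
     * @param user               the (reloaded) user whose attributes are released
     * @param authorizationGrant the grant the access token belongs to; its client must be non-null
     * @param collection         scope names granted to the token
     * @return the serialised JSON object
     * @throws Exception propagated from the scope/attribute lookups, {@link #getClaims} and JSON parsing
     */
    public String getJSonResponse(User user, AuthorizationGrant authorizationGrant, Collection<String> collection) throws Exception {
        // SLF4J placeholders are "{}"; the original "{0}"/"{1}" were printed literally.
        this.log.trace("Building JSON response with next scopes {} for user {} and user custom attributes {}", collection, user.getUserId(), user.getCustomAttributes());

        JsonWebResponse jsonWebResponse = new JsonWebResponse();

        // 1. Claims released by the granted scopes; DYNAMIC scopes are deferred to the external scripts.
        List<Scope> dynamicScopes = new ArrayList<Scope>();
        for (String scopeName : collection) {
            Scope scope = this.scopeService.getScopeByDisplayName(scopeName);
            if (scope == null) {
                // The original null check let a missing scope through to scope.getIsOxAuthGroupClaims() (NPE -> 500).
                this.log.trace("Scope '{}' not found, skipping", scopeName);
                continue;
            }
            if (ScopeType.DYNAMIC == scope.getScopeType()) {
                dynamicScopes.add(scope);
                continue;
            }
            Map<String, Object> claims = getClaims(user, scope);
            if (scope.getIsOxAuthGroupClaims()) {
                // Grouped scope: its claims are nested under one object named after the scope.
                JwtSubClaimObject group = new JwtSubClaimObject();
                group.setName(scope.getDisplayName());
                for (Map.Entry<String, Object> entry : claims.entrySet()) {
                    Object value = entry.getValue();
                    if (value instanceof List) {
                        group.setClaim(entry.getKey(), (List) value);
                    } else {
                        group.setClaim(entry.getKey(), (String) value);
                    }
                }
                jsonWebResponse.getClaims().setClaim(scope.getDisplayName(), group);
            } else {
                for (Map.Entry<String, Object> entry : claims.entrySet()) {
                    String key = entry.getKey();
                    Object value = entry.getValue();
                    if (value instanceof List) {
                        jsonWebResponse.getClaims().setClaim(key, (List) value);
                    } else if (value instanceof Boolean) {
                        jsonWebResponse.getClaims().setClaim(key, (Boolean) value);
                    } else if (value instanceof Date) {
                        // Dates are emitted as epoch milliseconds.
                        jsonWebResponse.getClaims().setClaim(key, Long.valueOf(((Date) value).getTime()));
                    } else {
                        jsonWebResponse.getClaims().setClaim(key, (String) value);
                    }
                }
            }
            // The original also set sub to the user's inum here; that value was always overwritten
            // by the subject block below, so it is not repeated.
        }

        // 2. Claims named in the "userinfo" member of the claims request parameter stored on the grant.
        // NOTE(review): unlike the request-object path in step 3, these are not passed through
        // validateRequesteClaim — any attribute with a known claim name is released. Confirm intended.
        if (authorizationGrant.getClaims() != null) {
            JSONObject claimsRequest = new JSONObject(authorizationGrant.getClaims());
            if (claimsRequest.has("userinfo")) {
                Iterator keys = claimsRequest.getJSONObject("userinfo").keys();
                while (keys.hasNext()) {
                    String claimName = (String) keys.next();
                    GluuAttribute attribute = this.attributeService.getByClaimName(claimName);
                    if (attribute == null) {
                        continue;
                    }
                    Object value = user.getAttribute(attribute.getName(), true);
                    if (value == null) {
                        continue;
                    }
                    if (value instanceof JSONArray) {
                        // Multi-valued attribute: emit the non-null string elements as a JSON array.
                        JSONArray values = (JSONArray) value;
                        List<String> items = new ArrayList<String>(values.length());
                        for (int i = 0; i < values.length(); i++) {
                            String item = values.optString(i);
                            if (item != null) {
                                items.add(item);
                            }
                        }
                        jsonWebResponse.getClaims().setClaim(claimName, items);
                    } else {
                        // toString() instead of a blind String cast: the JWT/JWE variants do the same,
                        // and a non-String attribute value no longer raises ClassCastException.
                        jsonWebResponse.getClaims().setClaim(claimName, value instanceof String ? (String) value : value.toString());
                    }
                }
            }
        }

        // 3. Claims requested through the "userinfo" member of the request object.
        if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember() != null) {
            for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember().getClaims()) {
                GluuAttribute attribute = this.attributeService.getByClaimName(claim.getName());
                // Released only if the client is registered for the claim or a granted scope covers it.
                if (attribute == null || !validateRequesteClaim(attribute, authorizationGrant.getClient().getClaims(), collection)) {
                    continue;
                }
                Object value = user.getAttribute(attribute.getName(), true);
                if (value == null) {
                    continue;
                }
                if (value instanceof JSONArray) {
                    JSONArray values = (JSONArray) value;
                    List<String> items = new ArrayList<String>(values.length());
                    for (int i = 0; i < values.length(); i++) {
                        String item = values.optString(i);
                        if (item != null) {
                            items.add(item);
                        }
                    }
                    jsonWebResponse.getClaims().setClaim(claim.getName(), items);
                } else {
                    jsonWebResponse.getClaims().setClaim(claim.getName(), value instanceof String ? (String) value : value.toString());
                }
            }
        }

        // 4. Subject. Read from the user cached on the grant (not the reloaded one), as in the original.
        String subjectType = authorizationGrant.getClient().getSubjectType();
        // Null-safe form of the comparison: an unparseable subject type falls back to the public sub.
        boolean pairwise = subjectType != null && SubjectType.PAIRWISE.equals(SubjectType.fromString(subjectType));
        if (!pairwise) {
            jsonWebResponse.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute(this.appConfiguration.getOpenidSubAttribute()));
        } else {
            // Pairwise sub is keyed by sector identifier (sector_identifier_uri, else the first
            // redirect_uri), the user's inum and the client id; it is created on first use.
            String sectorIdentifierUri = StringUtils.isNotBlank(authorizationGrant.getClient().getSectorIdentifierUri())
                    ? authorizationGrant.getClient().getSectorIdentifierUri()
                    : authorizationGrant.getClient().getRedirectUris()[0];
            String userInum = authorizationGrant.getUser().getAttribute("inum");
            String clientId = authorizationGrant.getClientId();
            PairwiseIdentifier pairwiseIdentifier = this.pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri, clientId);
            if (pairwiseIdentifier == null) {
                pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri, clientId);
                pairwiseIdentifier.setId(UUID.randomUUID().toString());
                pairwiseIdentifier.setDn(this.pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
                this.pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
            }
            jsonWebResponse.getClaims().setSubjectIdentifier(pairwiseIdentifier.getId());
        }

        // External scripts may add claims for DYNAMIC scopes; they see a read-only view of the grant.
        if (!dynamicScopes.isEmpty() && this.externalDynamicScopeService.isEnabled()) {
            this.externalDynamicScopeService.executeExternalUpdateMethods(new DynamicScopeExternalContext(dynamicScopes, jsonWebResponse, new UnmodifiableAuthorizationGrant(authorizationGrant)));
        }
        return jsonWebResponse.toString();
    }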

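    /**
     * Decides whether a requested claim (represented by its attribute) may be
     * released to the client.
     *
     * The attribute is accepted if either
     *   1. its DN appears in the client's explicit claim allow-list
     *      ({@code strArr}), or
     *   2. one of the granted scopes ({@code collection}, scope display names)
     *      lists an attribute whose display name equals this attribute's
     *      display name.
     *
     * @param gluuAttribute the attribute behind the requested claim; {@code null} is rejected
     * @param strArr        client-specific allowed claim DNs, may be {@code null}
     * @param collection    display names of the granted scopes, may be {@code null}
     * @return {@code true} if the claim is authorised by either rule, {@code false} otherwise
     */
    public boolean validateRequesteClaim(GluuAttribute gluuAttribute, String[] strArr, Collection<String> collection) {
        if (gluuAttribute == null) {
            return false;
        }

        // Rule 1: per-client allow-list, matched on the exact attribute DN.
        String requestedDn = gluuAttribute.getDn();
        if (strArr != null && requestedDn != null) {
            for (String allowedClaimDn : strArr) {
                if (requestedDn.equals(allowedClaimDn)) {
                    return true;
                }
            }
        }

        // Rule 2: claims released by the granted scopes.
        if (collection == null) {
            return false;
        }
        String requestedDisplayName = gluuAttribute.getDisplayName();
        if (requestedDisplayName == null) {
            // Nothing to compare against; the display-name rule cannot match.
            return false;
        }
        for (String scopeName : collection) {
            Scope scope = this.scopeService.getScopeByDisplayName(scopeName);
            if (scope == null || scope.getOxAuthClaims() == null) {
                continue;
            }
            for (String scopeClaimDn : scope.getOxAuthClaims()) {
                GluuAttribute scopeClaim = this.attributeService.getAttributeByDn(scopeClaimDn);
                if (scopeClaim == null) {
                    // Scope references an attribute DN that no longer resolves; treat it
                    // as "not granted" instead of failing the whole check with an NPE.
                    continue;
                }
                // NOTE(review): this rule matches on display name, not DN, so two attributes
                // that share a display name are indistinguishable here. Rule 1 already uses the
                // DN; consider comparing scopeClaim.getDn() with requestedDn instead once it is
                // confirmed that display names are not guaranteed unique in this deployment.
                if (requestedDisplayName.equals(scopeClaim.getDisplayName())) {
                    return true;
                }
            }
        }
        return false;
    }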

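    /**
     * Builds the claim name → value map that a single scope releases for the given user.
     *
     * For every attribute DN listed on the scope, the attribute is resolved and its
     * value read from the user entry; attributes without a claim name or attribute name
     * are skipped, as are attributes with no value. Multi-valued attributes arriving as a
     * {@link JSONArray} are flattened into a {@code List<String>}.
     *
     * @param user  the authenticated user whose attributes are read
     * @param scope the scope whose {@code oxAuthClaims} drive the lookup; {@code null} yields an empty map
     * @return a mutable map of claim name to value (never {@code null})
     * @throws InvalidClaimException declared for API compatibility; not thrown from this method body
     * @throws ParseException        if a DATE-typed attribute value does not match the expected
     *                               generalized-time layout
     */
    public Map<String, Object> getClaims(User user, Scope scope) throws InvalidClaimException, ParseException {
        Map<String, Object> claims = new HashMap<String, Object>();
        if (scope == null || scope.getOxAuthClaims() == null) {
            return claims;
        }
        for (String claimDn : scope.getOxAuthClaims()) {
            GluuAttribute attribute = this.attributeService.getAttributeByDn(claimDn);
            if (attribute == null) {
                // Scope points at an attribute DN that no longer resolves; skip it rather
                // than failing the whole response (the unguarded lookup would NPE here).
                continue;
            }
            String claimName = attribute.getOxAuthClaimName();
            String attributeName = attribute.getName();
            if (StringUtils.isBlank(claimName) || StringUtils.isBlank(attributeName)) {
                continue;
            }
            Object value = resolveClaimValue(user, attribute);
            if (value == null) {
                continue;
            }
            if (value instanceof JSONArray) {
                claims.put(claimName, jsonArrayToStringList((JSONArray) value));
            } else {
                claims.put(claimName, value);
            }
        }
        return claims;
    }

    /**
     * Reads the raw value of one attribute from the user entry, converting it according to the
     * attribute's declared data type.
     *
     * @return the converted value, or {@code null} when the attribute is absent (DATE / generic types)
     * @throws ParseException if a DATE value does not match {@code yyyyMMddHHmmss.SSS'Z'}
     */
    private Object resolveClaimValue(User user, GluuAttribute attribute) throws ParseException {
        String attributeName = attribute.getName();
        if ("uid".equals(attributeName)) {
            // The user id is not stored like a regular attribute.
            return user.getUserId();
        }
        // Second argument preserved from the original call; its meaning is not visible here.
        Object raw = user.getAttribute(attributeName, true);
        if (GluuAttributeDataType.BOOLEAN.equals(attribute.getDataType())) {
            // Preserved semantics: a missing boolean attribute is released as false
            // (Boolean.parseBoolean(null) == false). toString() avoids the ClassCastException
            // the original (String) cast would throw for a multi-valued (JSONArray) value.
            return Boolean.valueOf(raw != null && Boolean.parseBoolean(raw.toString()));
        }
        if (GluuAttributeDataType.DATE.equals(attribute.getDataType())) {
            if (raw == null) {
                return null;
            }
            SimpleDateFormat generalizedTime = new SimpleDateFormat("yyyyMMddHHmmss.SSS'Z'");
            // The trailing 'Z' is a quoted literal in the pattern, so SimpleDateFormat would
            // otherwise interpret the timestamp in the JVM default zone. The stored value is
            // UTC (that is what the Z suffix denotes), so parse it as UTC explicitly.
            generalizedTime.setTimeZone(java.util.TimeZone.getTimeZone("UTC"));
            return generalizedTime.parse(raw.toString());
        }
        return raw;
    }

    /**
     * Flattens a {@link JSONArray} of scalar values into a list of strings, mirroring the
     * conversion applied elsewhere in this class for multi-valued claims.
     */
    private List<String> jsonArrayToStringList(JSONArray array) {
        List<String> values = new ArrayList<String>(array.length());
        for (int i = 0; i < array.length(); i++) {
            String element = array.optString(i);
            if (element != null) {
                values.add(element);
            }
        }
        return values;
    }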
}
