package org.xdi.oxauth.authorize.ws.rs;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.enterprise.context.RequestScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.gluu.jsf2.message.FacesMessages;
import org.gluu.jsf2.service.FacesService;
import org.gluu.site.ldap.persistence.exception.EntryPersistenceException;
import org.jboss.resteasy.client.ClientRequest;
import org.jboss.resteasy.client.ClientResponse;
import org.slf4j.Logger;
import org.xdi.model.AuthenticationScriptUsageType;
import org.xdi.model.custom.script.conf.CustomScriptConfiguration;
import org.xdi.oxauth.auth.Authenticator;
import org.xdi.oxauth.i18n.LanguageBean;
import org.xdi.oxauth.model.auth.AuthenticationMode;
import org.xdi.oxauth.model.authorize.AuthorizeErrorResponseType;
import org.xdi.oxauth.model.authorize.AuthorizeParamsValidator;
import org.xdi.oxauth.model.authorize.Claim;
import org.xdi.oxauth.model.authorize.JwtAuthorizationRequest;
import org.xdi.oxauth.model.authorize.ScopeChecker;
import org.xdi.oxauth.model.common.Prompt;
import org.xdi.oxauth.model.common.Scope;
import org.xdi.oxauth.model.common.SessionId;
import org.xdi.oxauth.model.common.SessionIdState;
import org.xdi.oxauth.model.common.SubjectType;
import org.xdi.oxauth.model.common.User;
import org.xdi.oxauth.model.config.Constants;
import org.xdi.oxauth.model.configuration.AppConfiguration;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.exception.AcrChangedException;
import org.xdi.oxauth.model.exception.InvalidJweException;
import org.xdi.oxauth.model.exception.InvalidJwtException;
import org.xdi.oxauth.model.ldap.ClientAuthorizations;
import org.xdi.oxauth.model.registration.Client;
import org.xdi.oxauth.model.util.Base64Util;
import org.xdi.oxauth.model.util.JwtUtil;
import org.xdi.oxauth.model.util.LocaleUtil;
import org.xdi.oxauth.model.util.Util;
import org.xdi.oxauth.service.AuthorizeService;
import org.xdi.oxauth.service.ClientAuthorizationsService;
import org.xdi.oxauth.service.ClientService;
import org.xdi.oxauth.service.ErrorHandlerService;
import org.xdi.oxauth.service.RedirectionUriService;
import org.xdi.oxauth.service.RequestParameterService;
import org.xdi.oxauth.service.SessionIdService;
import org.xdi.oxauth.service.UserService;
import org.xdi.oxauth.service.external.ExternalAuthenticationService;
import org.xdi.oxauth.service.external.ExternalConsentGatheringService;
import org.xdi.oxauth.util.ServerUtil;
import org.xdi.service.net.NetworkService;
import org.xdi.util.StringHelper;

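/**
 * Request-scoped JSF backing bean for the interactive part of the OpenID Connect authorization flow
 * (login page, consent page and the redirects back to the relying party).
 * <p>
 * The bean receives the authorization request parameters through its setters, decides in
 * {@link #checkPermissionGranted()} whether the caller already has an authenticated session and an
 * applicable consent, and otherwise starts an unauthenticated session and redirects to the login page.
 * <p>
 * Not thread-safe; one instance serves one request.
 */
@RequestScoped
@Named
/* loaded from: input_file:org/xdi/oxauth/authorize/ws/rs/AuthorizeAction.class */
public class AuthorizeAction {

    /** Login page used when no interactive authentication script supplies its own page. */
    private static final String DEFAULT_LOGIN_PAGE = "/login.xhtml";

    /** Name of the only request parameter that is forwarded to the login page as a query parameter. */
    private static final String LOGIN_HINT_PARAM = "login_hint";

    /** Authentication step the login page is started at. */
    private static final int FIRST_AUTH_STEP = 1;

    @Inject
    private Logger log;

    @Inject
    private ClientService clientService;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private UserService userService;

    @Inject
    private RedirectionUriService redirectionUriService;

    @Inject
    private ClientAuthorizationsService clientAuthorizationsService;

    @Inject
    private ExternalAuthenticationService externalAuthenticationService;

    @Inject
    private ExternalConsentGatheringService externalConsentGatheringService;

    @Inject
    private AuthenticationMode defaultAuthenticationMode;

    @Inject
    private LanguageBean languageBean;

    @Inject
    private NetworkService networkService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private FacesService facesService;

    @Inject
    private FacesMessages facesMessages;

    @Inject
    private FacesContext facesContext;

    @Inject
    private ExternalContext externalContext;

    @Inject
    private ConsentGathererService consentGatherer;

    @Inject
    private AuthorizeService authorizeService;

    @Inject
    private RequestParameterService requestParameterService;

    @Inject
    private ScopeChecker scopeChecker;

    @Inject
    private ErrorHandlerService errorHandlerService;

    // Authorization request parameters, bound from the request by the view.
    private String scope;
    private String responseType;
    private String clientId;
    private String redirectUri;
    private String state;
    private String responseMode;
    private String nonce;
    private String display;
    private String prompt;
    private Integer maxAge;
    private String uiLocales;
    private String idTokenHint;
    private String loginHint;
    private String acrValues;
    private String amrValues;
    private String request;
    private String requestUri;
    private String codeChallenge;
    private String codeChallengeMethod;
    private String claims;
    private String sessionId;
    // Space-separated scopes that survived the client's scope policy; computed by checkPermissionGranted().
    private String allowedScope;

    /**
     * Applies the {@code ui_locales} request parameter to the UI language.
     * <p>
     * When {@code ui_locales} is blank the JSF application's default locale (if any) is used. Otherwise the
     * space-separated list of requested locales is matched against the locales the application supports;
     * the language of the match is applied and nothing changes when there is no match.
     */
    public void checkUiLocales() {
        if (StringUtils.isBlank(uiLocales)) {
            Locale defaultLocale = facesContext.getApplication().getDefaultLocale();
            if (defaultLocale != null) {
                languageBean.setLocaleCode(defaultLocale.getLanguage());
            }
            return;
        }
        List<String> requestedLocales = Util.splittedStringAsList(uiLocales, " ");
        List<Locale> supportedLocales = new ArrayList<>();
        Iterator<Locale> supported = facesContext.getApplication().getSupportedLocales();
        while (supported.hasNext()) {
            supportedLocales.add(supported.next());
        }
        Locale match = LocaleUtil.localeMatch(requestedLocales, supportedLocales);
        if (match != null) {
            languageBean.setLocaleCode(match.getLanguage());
        }
    }

    /**
     * Entry point of the interactive flow: decides whether the request can be granted right away, needs
     * consent, or needs authentication first.
     * <ul>
     *   <li>A missing or unknown {@code client_id} denies the request.</li>
     *   <li>An existing authenticated session whose ACR no longer matches is either denied or, when the
     *       ACR change forces re-authentication, downgraded so that the user logs in again.</li>
     *   <li>An authenticated session is handled by {@link #handleAuthenticatedSession}: the
     *       {@code redirect_uri} is validated, implied consent is checked, and the external
     *       consent-gathering flow is started when enabled.</li>
     *   <li>Otherwise a new unauthenticated session is created and the browser is redirected to the
     *       login page (see {@link #startUnauthenticatedFlow}).</li>
     * </ul>
     *
     * @throws IOException if the JSON error response for an invalid {@code redirect_uri} cannot be written
     */
    public void checkPermissionGranted() throws IOException {
        if (clientId == null || clientId.isEmpty()) {
            log.error("Permission denied. client_id should be not empty.");
            permissionDenied();
            return;
        }
        try {
            Client client = clientService.getClient(clientId);
            if (client == null) {
                log.error("Permission denied. Failed to find client_id '{}' in LDAP.", clientId);
                permissionDenied();
                return;
            }
            // Only scopes allowed by the client's policy are granted and shown on the consent page.
            allowedScope = org.xdi.oxauth.model.util.StringUtils.implode(scopeChecker.checkScopesPolicy(client, scope), " ");

            SessionId session = getSession();
            List<Prompt> prompts = Prompt.fromString(prompt, " ");
            try {
                session = sessionIdService.assertAuthenticatedSessionCorrespondsToNewRequest(session, acrValues);
            } catch (AcrChangedException e) {
                log.debug("There is already existing session which has another acr then {}, session: {}",
                        acrValues, session != null ? session.getId() : null);
                if (!e.isForceReAuthentication()) {
                    log.error("ACR is changed, please provide a supported and enabled acr value");
                    permissionDenied();
                    return;
                }
                session = handleAcrChange(session, prompts);
            }

            if (isAuthenticatedSession(session)) {
                handleAuthenticatedSession(client, session, prompts);
                return;
            }
            startUnauthenticatedFlow(session, prompts);
        } catch (EntryPersistenceException e) {
            log.error("Permission denied. Failed to find client by inum '{}' in LDAP.", clientId, e);
            permissionDenied();
        }
    }

    /** Returns whether {@code session} is a non-null, authenticated session bound to a user DN. */
    private static boolean isAuthenticatedSession(SessionId session) {
        return session != null
                && StringUtils.isNotBlank(session.getUserDn())
                && SessionIdState.AUTHENTICATED == session.getState();
    }

    /**
     * Handles a request arriving with an already authenticated session.
     * <p>
     * The {@code redirect_uri} is validated first; an invalid one ends the request with a 400 JSON error and
     * nothing else runs (the previous version fell through and could still grant the request). Then
     * {@code prompt=none} combined with other prompts is rejected, implied consent grants the request, and
     * otherwise the external consent-gathering flow is started when enabled. When nothing applies, the
     * current (consent) view is rendered.
     *
     * @param client  the resolved client, never {@code null}
     * @param session the authenticated session, never {@code null}
     * @param prompts the parsed {@code prompt} values
     * @throws IOException if the invalid-redirect-uri error response cannot be written
     */
    private void handleAuthenticatedSession(Client client, SessionId session, List<Prompt> prompts) throws IOException {
        if (StringUtils.isBlank(redirectionUriService.validateRedirectionUri(clientId, redirectUri))) {
            writeInvalidRedirectUriResponse();
            return;
        }
        User user = userService.getUserByDn(session.getUserDn());
        log.trace("checkPermissionGranted, user = {}", user);
        if (user == null) {
            // The session points at a user that no longer resolves; do not grant anything on its behalf.
            log.error("Permission denied. Failed to find user '{}' of authenticated session.", session.getUserDn());
            permissionDenied();
            return;
        }
        if (!AuthorizeParamsValidator.noNonePrompt(prompts)) {
            invalidRequest();
            return;
        }
        if (isConsentImplied(client, user, prompts)) {
            permissionGranted(session);
            return;
        }
        if (externalConsentGatheringService.isEnabled()) {
            if (consentGatherer.isConsentGathered()) {
                log.trace("Consent-gathered flow passed successfully");
                permissionGranted(session);
                return;
            }
            log.trace("Starting external consent-gathering flow");
            if (!consentGatherer.configure(session.getUserDn(), clientId, state)) {
                log.error("Failed to initialize external consent-gathering flow.");
                permissionDenied();
            }
        }
    }

    /**
     * Returns whether consent for the requested scopes can be assumed without asking the user: a trusted
     * client (unless {@code prompt=consent} was requested), a pairwise client asking only for the
     * {@code openid} scope when the configuration allows skipping that authorization, or scopes the user
     * has already authorized for this client.
     */
    private boolean isConsentImplied(Client client, User user, List<Prompt> prompts) {
        if (appConfiguration.getTrustedClientEnabled().booleanValue()
                && client.getTrustedClient()
                && !prompts.contains(Prompt.CONSENT)) {
            return true;
        }
        if (ServerUtil.isTrue(appConfiguration.getSkipAuthorizationForOpenIdScopeAndPairwiseId())
                && SubjectType.PAIRWISE.toString().equals(client.getSubjectType())
                && hasOnlyOpenidScope()) {
            return true;
        }
        ClientAuthorizations stored = clientAuthorizationsService.findClientAuthorizations(
                user.getAttribute("inum"), client.getClientId(), client.getPersistClientAuthorizations());
        return stored != null
                && stored.getScopes() != null
                && Arrays.asList(stored.getScopes())
                        .containsAll(org.xdi.oxauth.model.util.StringUtils.spaceSeparatedToList(scope));
    }

    /**
     * Writes a {@code 400} JSON error for an invalid {@code redirect_uri} and marks the JSF response complete.
     * The error is written to the browser rather than redirected, because the redirect target itself is
     * what failed validation.
     *
     * @throws IOException if the response writer fails
     */
    private void writeInvalidRedirectUriResponse() throws IOException {
        ExternalContext context = facesContext.getExternalContext();
        context.setResponseStatus(HttpServletResponse.SC_BAD_REQUEST);
        context.setResponseContentType("application/json");
        context.getResponseOutputWriter().write(
                errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST_REDIRECT_URI, state));
        facesContext.responseComplete();
    }

    /**
     * Creates an unauthenticated session for this request and redirects to the login page.
     *
     * @param previous the session found for the request, possibly {@code null} or unauthenticated; its
     *                 granted permissions are carried over and it is removed afterwards
     * @param prompts  the parsed {@code prompt} values
     */
    private void startUnauthenticatedFlow(SessionId previous, List<Prompt> prompts) {
        Map<String, String> allowedParameters =
                requestParameterService.getAllowedParameters(externalContext.getRequestParameterMap());
        String loginPage = resolveLoginPage(allowedParameters);
        if (loginPage == null) {
            log.error("Failed to get CustomScriptConfiguration. auth_step: {}, acr_values: {}", FIRST_AUTH_STEP, acrValues);
            permissionDenied();
            return;
        }
        allowedParameters.put(Constants.REMOTE_IP, networkService.getRemoteIp());
        createUnauthenticatedSession(previous, allowedParameters, prompts);

        // Only login_hint travels on the login-page URL; everything else lives in the session attributes.
        Map<String, Object> loginPageParameters = new HashMap<>();
        if (allowedParameters.containsKey(LOGIN_HINT_PARAM)) {
            loginPageParameters.put(LOGIN_HINT_PARAM, allowedParameters.get(LOGIN_HINT_PARAM));
        }
        facesService.redirectWithExternal(loginPage, loginPageParameters);
    }

    /**
     * Determines the login page for the first authentication step.
     * <p>
     * Without an interactive authentication script the default page is used. Otherwise the ACR list
     * (falling back to the default authentication mode, then to the default external authenticator) selects
     * a script; its name and the step number are recorded in {@code allowedParameters} and the page the
     * script returns for step 1 is used when it provides one.
     *
     * @param allowedParameters session attributes under construction; receives {@code acr} and
     *                          {@code auth_step} when a script is selected
     * @return the page to redirect to, or {@code null} when an interactive script is required but none
     *         could be determined
     */
    private String resolveLoginPage(Map<String, String> allowedParameters) {
        if (!externalAuthenticationService.isEnabled(AuthenticationScriptUsageType.INTERACTIVE)) {
            return DEFAULT_LOGIN_PAGE;
        }
        List<String> acrValuesList = sessionIdService.acrValuesList(acrValues);
        if (acrValuesList.isEmpty()) {
            if (StringHelper.isNotEmpty(defaultAuthenticationMode.getName())) {
                acrValuesList = Arrays.asList(defaultAuthenticationMode.getName());
            } else {
                CustomScriptConfiguration defaultAuthenticator =
                        externalAuthenticationService.getDefaultExternalAuthenticator(AuthenticationScriptUsageType.INTERACTIVE);
                if (defaultAuthenticator != null) {
                    acrValuesList = Arrays.asList(defaultAuthenticator.getName());
                }
            }
        }
        CustomScriptConfiguration script = externalAuthenticationService.determineCustomScriptConfiguration(
                AuthenticationScriptUsageType.INTERACTIVE, acrValuesList);
        if (script == null) {
            return null;
        }
        allowedParameters.put("acr", script.getName());
        allowedParameters.put("auth_step", Integer.toString(FIRST_AUTH_STEP));
        String scriptPage = externalAuthenticationService.executeExternalGetPageForStep(script, FIRST_AUTH_STEP);
        if (StringHelper.isNotEmpty(scriptPage)) {
            log.trace("Redirect to person authentication login page: {}", scriptPage);
            return scriptPage;
        }
        return DEFAULT_LOGIN_PAGE;
    }

    /**
     * Generates, persists and installs (cookies and {@link #sessionId}) a new unauthenticated session.
     * Permissions already granted in {@code previous} are copied over and {@code previous} is removed.
     *
     * @param previous          the session to replace, may be {@code null}
     * @param allowedParameters the request parameters to store as session attributes
     * @param prompts           the parsed {@code prompt} values; {@code prompt=none} changes how the
     *                          session is persisted (second argument of {@code persistSessionId})
     * @return the new session
     */
    private SessionId createUnauthenticatedSession(SessionId previous, Map<String, String> allowedParameters,
                                                   List<Prompt> prompts) {
        SessionId unauthenticated = sessionIdService.generateUnauthenticatedSessionId(
                null, new Date(), SessionIdState.UNAUTHENTICATED, allowedParameters, false);
        unauthenticated.setSessionAttributes(allowedParameters);
        unauthenticated.addPermission(clientId, false);
        if (previous != null
                && previous.getPermissionGrantedMap() != null
                && previous.getPermissionGrantedMap().getPermissionGranted() != null) {
            for (Map.Entry<String, Boolean> granted : previous.getPermissionGrantedMap().getPermissionGranted().entrySet()) {
                unauthenticated.addPermission(granted.getKey(), granted.getValue());
            }
            sessionIdService.remove(previous);
        }
        if (sessionIdService.persistSessionId(unauthenticated, !prompts.contains(Prompt.NONE)) && log.isTraceEnabled()) {
            log.trace("Session '{}' persisted to LDAP", unauthenticated.getId());
        }
        sessionId = unauthenticated.getId();
        sessionIdService.createSessionIdCookie(sessionId, unauthenticated.getSessionState(),
                unauthenticated.getOPBrowserState(), false);
        sessionIdService.creatRpOriginIdCookie(redirectUri);
        return unauthenticated;
    }

    /**
     * Downgrades an authenticated session whose ACR changed so that the user is asked to log in again:
     * {@code prompt=login} is forced, the state becomes unauthenticated, the remote IP is refreshed and the
     * login is re-initialized. Sessions that are {@code null} or not authenticated are returned untouched.
     *
     * @param sessionId the session to downgrade
     * @param prompts   the parsed prompts; mutated to include {@link Prompt#LOGIN}
     * @return the (same) session instance
     */
    private SessionId handleAcrChange(SessionId sessionId, List<Prompt> prompts) {
        if (sessionId != null && sessionId.getState() == SessionIdState.AUTHENTICATED) {
            if (!prompts.contains(Prompt.LOGIN)) {
                prompts.add(Prompt.LOGIN);
            }
            sessionId.getSessionAttributes().put("prompt", org.xdi.oxauth.model.util.StringUtils.implode(prompts, " "));
            sessionId.setState(SessionIdState.UNAUTHENTICATED);
            sessionId.getSessionAttributes().put(Constants.REMOTE_IP, networkService.getRemoteIp());
            sessionIdService.updateSessionId(sessionId);
            sessionIdService.reinitLogin(sessionId, false);
        }
        return sessionId;
    }

    /** Looks up the session for the current {@link #sessionId}. */
    private SessionId getSession() {
        return authorizeService.getSession(sessionId);
    }

    /** Returns the scope objects for the scopes allowed by {@link #checkPermissionGranted()}. */
    public List<Scope> getScopes() {
        return authorizeService.getScopes(allowedScope);
    }

    /** Returns the {@code scope} request parameter. */
    public String getScope() {
        return scope;
    }

    /** Sets the {@code scope} request parameter. */
    public void setScope(String str) {
        scope = str;
    }

    /**
     * Returns the names of the claims requested through the request object.
     * <p>
     * The request object is taken from the {@code request} parameter or, when that is blank, fetched from
     * {@code request_uri} (see {@link #fetchRequestObject(String)}). Claim names from both the
     * {@code userinfo} and the {@code id_token} member are collected; duplicates are removed and the order
     * is unspecified. Parsing failures are logged and yield an empty list.
     *
     * @return the distinct requested claim names, possibly empty, never {@code null}
     */
    public List<String> getRequestedClaims() {
        Set<String> claimNames = new HashSet<>();
        String requestObject = request;
        if (StringUtils.isBlank(requestObject) && StringUtils.isNotBlank(requestUri)) {
            requestObject = fetchRequestObject(requestUri);
        }
        if (StringUtils.isNotBlank(requestObject)) {
            try {
                Client client = clientService.getClient(clientId);
                if (client != null) {
                    // Parse the resolved request object; the field alone is blank in the request_uri case.
                    JwtAuthorizationRequest jwtRequest = new JwtAuthorizationRequest(appConfiguration, requestObject, client);
                    if (jwtRequest.getUserInfoMember() != null) {
                        for (Claim claim : jwtRequest.getUserInfoMember().getClaims()) {
                            claimNames.add(claim.getName());
                        }
                    }
                    if (jwtRequest.getIdTokenMember() != null) {
                        for (Claim claim : jwtRequest.getIdTokenMember().getClaims()) {
                            claimNames.add(claim.getName());
                        }
                    }
                }
            } catch (InvalidJwtException | InvalidJweException | EntryPersistenceException e) {
                log.error(e.getMessage(), e);
            }
        }
        return new ArrayList<>(claimNames);
    }

    /**
     * Fetches a request object from a {@code request_uri}.
     * <p>
     * The URI's fragment, when present, must equal the base64url-encoded SHA-256 of the fetched body
     * (the fragment is stripped before the GET). Any failure is logged and {@code null} is returned.
     * <p>
     * NOTE(review): the URI is caller-supplied and fetched by the server as-is; this method does not check
     * it against the client's registered request URIs and does not bound the response size. Confirm that
     * an allow-list check is applied earlier in the flow before relying on this method from new call sites.
     *
     * @param requestUriValue the {@code request_uri} parameter
     * @return the fetched request object, or {@code null} when it could not be fetched or failed the hash check
     */
    private String fetchRequestObject(String requestUriValue) {
        try {
            URI uri = new URI(requestUriValue);
            String expectedHash = uri.getFragment();
            ClientRequest clientRequest = new ClientRequest(uri.getScheme() + ":" + uri.getSchemeSpecificPart());
            clientRequest.setHttpMethod("GET");
            ClientResponse<String> clientResponse = clientRequest.get(String.class);
            if (clientResponse.getStatus() != 200) {
                return null;
            }
            String body = clientResponse.getEntity(String.class);
            if (StringUtils.isBlank(expectedHash)) {
                return body;
            }
            if (StringUtils.equals(expectedHash, Base64Util.base64urlencode(JwtUtil.getMessageDigestSHA256(body)))) {
                return body;
            }
            log.error("request_uri fragment does not match the SHA-256 of the fetched request object");
            return null;
        } catch (Exception e) {
            // The RESTEasy client and the digest helpers declare several checked exceptions; all are
            // handled the same way: log and treat the request object as absent.
            log.error(e.getMessage(), e);
            return null;
        }
    }

    /** Returns the {@code response_type} request parameter. */
    public String getResponseType() {
        return responseType;
    }

    /** Sets the {@code response_type} request parameter. */
    public void setResponseType(String str) {
        responseType = str;
    }

    /** Returns the {@code client_id} request parameter. */
    public String getClientId() {
        return clientId;
    }

    /** Sets the {@code client_id} request parameter. */
    public void setClientId(String str) {
        clientId = str;
    }

    /** Returns the {@code redirect_uri} request parameter. */
    public String getRedirectUri() {
        return redirectUri;
    }

    /** Sets the {@code redirect_uri} request parameter. */
    public void setRedirectUri(String str) {
        redirectUri = str;
    }

    /** Returns the {@code state} request parameter. */
    public String getState() {
        return state;
    }

    /** Sets the {@code state} request parameter. */
    public void setState(String str) {
        state = str;
    }

    /** Returns the {@code response_mode} request parameter. */
    public String getResponseMode() {
        return responseMode;
    }

    /** Sets the {@code response_mode} request parameter. */
    public void setResponseMode(String str) {
        responseMode = str;
    }

    /** Returns the {@code nonce} request parameter. */
    public String getNonce() {
        return nonce;
    }

    /** Sets the {@code nonce} request parameter. */
    public void setNonce(String str) {
        nonce = str;
    }

    /** Returns the {@code display} request parameter. */
    public String getDisplay() {
        return display;
    }

    /** Sets the {@code display} request parameter. */
    public void setDisplay(String str) {
        display = str;
    }

    /** Returns the {@code prompt} request parameter. */
    public String getPrompt() {
        return prompt;
    }

    /** Sets the {@code prompt} request parameter. */
    public void setPrompt(String str) {
        prompt = str;
    }

    /** Returns the {@code max_age} request parameter. */
    public Integer getMaxAge() {
        return maxAge;
    }

    /** Sets the {@code max_age} request parameter. */
    public void setMaxAge(Integer num) {
        maxAge = num;
    }

    /** Returns the {@code ui_locales} request parameter. */
    public String getUiLocales() {
        return uiLocales;
    }

    /** Sets the {@code ui_locales} request parameter. */
    public void setUiLocales(String str) {
        uiLocales = str;
    }

    /** Returns the {@code id_token_hint} request parameter. */
    public String getIdTokenHint() {
        return idTokenHint;
    }

    /** Sets the {@code id_token_hint} request parameter. */
    public void setIdTokenHint(String str) {
        idTokenHint = str;
    }

    /** Returns the {@code login_hint} request parameter. */
    public String getLoginHint() {
        return loginHint;
    }

    /** Sets the {@code login_hint} request parameter. */
    public void setLoginHint(String str) {
        loginHint = str;
    }

    /** Returns the {@code acr_values} request parameter. */
    public String getAcrValues() {
        return acrValues;
    }

    /** Sets the {@code acr_values} request parameter. */
    public void setAcrValues(String str) {
        acrValues = str;
    }

    /** Returns the {@code amr_values} request parameter. */
    public String getAmrValues() {
        return amrValues;
    }

    /** Sets the {@code amr_values} request parameter. */
    public void setAmrValues(String str) {
        amrValues = str;
    }

    /** Returns the {@code request} request parameter (an inline request object). */
    public String getRequest() {
        return request;
    }

    /** Sets the {@code request} request parameter. */
    public void setRequest(String str) {
        request = str;
    }

    /** Returns the {@code request_uri} request parameter. */
    public String getRequestUri() {
        return requestUri;
    }

    /** Sets the {@code request_uri} request parameter. */
    public void setRequestUri(String str) {
        requestUri = str;
    }

    /** Returns the current session id (either bound from the request or created by this bean). */
    public String getSessionId() {
        return sessionId;
    }

    /** Sets the session id. */
    public void setSessionId(String str) {
        sessionId = str;
    }

    /** Grants the request for the current session (see {@link #permissionGranted(SessionId)}). */
    public void permissionGranted() {
        permissionGranted(getSession());
    }

    /**
     * Grants the authorization request for {@code sessionId}; the actual response (code/token issuance and
     * the redirect to the client) is produced by {@link AuthorizeService}.
     */
    public void permissionGranted(SessionId sessionId) {
        authorizeService.permissionGranted((HttpServletRequest) externalContext.getRequest(), sessionId);
    }

    /** Denies the authorization request for the current session via {@link AuthorizeService}. */
    public void permissionDenied() {
        authorizeService.permissionDenied(getSession());
    }

    /**
     * Shows the invalid-session message and redirects to the error page.
     * Currently not referenced from this class.
     */
    private void authenticationFailedSessionInvalid() {
        facesMessages.add(FacesMessage.SEVERITY_ERROR, Authenticator.INVALID_SESSION_MESSAGE);
        facesService.redirect("/error.xhtml");
    }

    /** Redirects back to the client with an {@code invalid_request} error. */
    public void invalidRequest() {
        log.trace("invalidRequest");
        redirectToClientWithError(AuthorizeErrorResponseType.INVALID_REQUEST);
    }

    /** Redirects back to the client with a {@code consent_required} error. */
    public void consentRequired() {
        redirectToClientWithError(AuthorizeErrorResponseType.CONSENT_REQUIRED);
    }

    /**
     * Redirects to {@link #redirectUri} with {@code error} (and the request's {@code state}) appended as query
     * parameters, using {@code ?} or {@code &} depending on whether the URI already has a query.
     * <p>
     * NOTE(review): this relies on {@code redirectUri} having been validated against the client's registered
     * URIs earlier in the flow; confirm that before adding new call sites.
     */
    private void redirectToClientWithError(AuthorizeErrorResponseType error) {
        String separator = (redirectUri == null || !redirectUri.contains("?")) ? "?" : "&";
        String target = redirectUri + separator + errorResponseFactory.getErrorAsQueryString(error, getState());
        facesService.redirectToExternalURL(target);
    }

    /** Returns the {@code code_challenge} request parameter. */
    public String getCodeChallenge() {
        return codeChallenge;
    }

    /** Sets the {@code code_challenge} request parameter. */
    public void setCodeChallenge(String str) {
        codeChallenge = str;
    }

    /** Returns the {@code code_challenge_method} request parameter. */
    public String getCodeChallengeMethod() {
        return codeChallengeMethod;
    }

    /** Sets the {@code code_challenge_method} request parameter. */
    public void setCodeChallengeMethod(String str) {
        codeChallengeMethod = str;
    }

    /** Returns the {@code claims} request parameter. */
    public String getClaims() {
        return claims;
    }

    /** Sets the {@code claims} request parameter. */
    public void setClaims(String str) {
        claims = str;
    }

    /**
     * Appends {@code map} as query parameters to {@code str}.
     * <p>
     * Keys already present in {@code str} (as {@code ?key=} or {@code &key=}) are skipped. An
     * {@link Iterable} value is appended once per element; a {@code null} value or element yields an empty
     * {@code key=}. Values are URL-encoded (UTF-8); keys are appended verbatim, so callers must only pass
     * well-formed parameter names. If {@code str} has no query yet, the first appended separator becomes
     * {@code ?}; when nothing is appended the input is returned unchanged (the previous version threw an
     * {@link StringIndexOutOfBoundsException} in that case).
     *
     * @param str the URL to extend
     * @param map the parameters to append; may be empty
     * @return the extended URL
     */
    public String encodeParameters(String str, Map<String, Object> map) {
        if (map.isEmpty()) {
            return str;
        }
        StringBuilder sb = new StringBuilder(str);
        for (Map.Entry<String, Object> entry : map.entrySet()) {
            String key = entry.getKey();
            if (containsParameter(str, key)) {
                continue;
            }
            Object value = entry.getValue();
            if (value instanceof Iterable) {
                for (Object item : (Iterable<?>) value) {
                    appendParameter(sb, key, item);
                }
            } else {
                appendParameter(sb, key, value);
            }
        }
        // Every parameter is appended with '&'; turn the first one into '?' when the URL had no query.
        if (str.indexOf('?') < 0 && sb.length() > str.length()) {
            sb.setCharAt(str.length(), '?');
        }
        return sb.toString();
    }

    /** Appends {@code &key=value} to {@code sb}, leaving the value empty when it is {@code null}. */
    private void appendParameter(StringBuilder sb, String key, Object value) {
        sb.append('&').append(key).append('=');
        if (value != null) {
            sb.append(encode(value));
        }
    }

    /** Returns whether {@code url} already carries a parameter named {@code key}. */
    private boolean containsParameter(String url, String key) {
        return url.contains("?" + key + "=") || url.contains("&" + key + "=");
    }

    /** URL-encodes {@code String.valueOf(obj)} as UTF-8. */
    private String encode(Object obj) {
        try {
            return URLEncoder.encode(String.valueOf(obj), "UTF-8");
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory for every JVM; this cannot happen.
            throw new IllegalStateException(e);
        }
    }

    /** Returns whether the allowed scopes consist of exactly the {@code openid} scope. */
    private boolean hasOnlyOpenidScope() {
        List<Scope> scopes = getScopes();
        return scopes != null
                && scopes.size() == 1
                && Constants.OX_AUTH_SCOPE_TYPE_OPENID.equals(scopes.get(0).getDisplayName());
    }

    /** Reports an invalid authentication session through the error handler. */
    protected void handleSessionInvalid() {
        errorHandlerService.handleError(Authenticator.INVALID_SESSION_MESSAGE,
                AuthorizeErrorResponseType.AUTHENTICATION_SESSION_INVALID,
                "Create authorization request to start new authentication session.");
    }

    /**
     * Reports a failure of the custom authentication script through the error handler.
     *
     * @param str currently unused; the generic authentication error message is always reported
     */
    protected void handleScriptError(String str) {
        errorHandlerService.handleError(Authenticator.AUTHENTICATION_ERROR_MESSAGE,
                AuthorizeErrorResponseType.INVALID_AUTHENTICATION_METHOD,
                "Contact administrator to fix specific ACR method issue.");
    }
}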
