package org.gluu.oxtrust.service;

import java.io.Serializable;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.Calendar;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.ReentrantLock;
import javax.ws.rs.core.Response;
import org.gluu.oxtrust.exception.UmaProtectionException;
import org.gluu.oxtrust.ldap.service.AppInitializer;
import org.gluu.oxtrust.ldap.service.ClientService;
import org.gluu.oxtrust.model.OxAuthClient;
import org.gluu.oxtrust.util.OxTrustConstants;
import org.gluu.site.ldap.persistence.exception.EntryPersistenceException;
import org.jboss.resteasy.client.ClientResponseFailure;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.AutoCreate;
import org.jboss.seam.annotations.Create;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.log.Log;
import org.xdi.config.oxtrust.ApplicationConfiguration;
import org.xdi.oxauth.client.TokenRequest;
import org.xdi.oxauth.client.uma.PermissionRegistrationService;
import org.xdi.oxauth.client.uma.RptStatusService;
import org.xdi.oxauth.client.uma.UmaClientFactory;
import org.xdi.oxauth.client.uma.wrapper.UmaClient;
import org.xdi.oxauth.model.common.AuthenticationMethod;
import org.xdi.oxauth.model.common.GrantType;
import org.xdi.oxauth.model.crypto.signature.ECDSAPrivateKey;
import org.xdi.oxauth.model.crypto.signature.RSAPrivateKey;
import org.xdi.oxauth.model.uma.PermissionTicket;
import org.xdi.oxauth.model.uma.RptIntrospectionResponse;
import org.xdi.oxauth.model.uma.UmaConfiguration;
import org.xdi.oxauth.model.uma.UmaPermission;
import org.xdi.oxauth.model.uma.wrapper.Token;
import org.xdi.oxauth.model.util.JwtUtil;
import org.xdi.service.JsonService;
import org.xdi.util.StringHelper;

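/**
 * Application-scoped holder for the UMA protection-API token (PAT) used by oxTrust when it
 * acts as a UMA resource server.
 *
 * <p>The PAT is obtained with a {@code client_credentials} grant authenticated by
 * {@code private_key_jwt}, cached in this bean together with a computed expiration
 * instant, and refreshed under a lock once it is about to expire. The bean also wraps the
 * UMA client helpers (permission registration and RPT status introspection) that are built
 * from the injected UMA metadata configuration.
 *
 * <p>Thread-safety: the cached PAT is shared by all callers of this application-scoped bean.
 * Reads on the fast path happen outside the lock, so the cache fields are {@code volatile};
 * refreshes are serialized by {@link #lock}.
 */
@Name("umaProtectionService")
@AutoCreate
@Scope(ScopeType.APPLICATION)
/* loaded from: input_file:org/gluu/oxtrust/service/UmaProtectionService.class */
public class UmaProtectionService implements Serializable {
    private static final long serialVersionUID = -1147131971095468865L;

    /**
     * Seconds subtracted from the PAT lifetime reported by the token endpoint, so the cached
     * token is refreshed shortly before the authorization server stops accepting it.
     */
    private static final int PAT_EXPIRATION_SAFETY_MARGIN_SECONDS = 10;

    /** Scheme prefix of the Authorization value that carries the PAT on UMA client calls. */
    private static final String BEARER_PREFIX = "Bearer ";

    @Logger
    private Log log;

    @In(required = false)
    private UmaConfiguration umaMetadataConfiguration;

    @In("#{oxTrustConfiguration.applicationConfiguration}")
    private ApplicationConfiguration applicationConfiguration;

    @In
    private JsonService jsonService;

    @In
    private AppInitializer appInitializer;

    @In
    private ClientService clientService;

    // Cached PAT and the epoch-millis instant after which it is considered expired.
    // volatile: both are read outside the lock on the fast path of getPatToken().
    private volatile Token umaPat;
    private volatile long umaPatAccessTokenExpiration = 0;

    // Serializes PAT refreshes so concurrent callers do not each request a new token.
    private final ReentrantLock lock = new ReentrantLock();

    private PermissionRegistrationService resourceSetPermissionRegistrationService;
    private RptStatusService rptStatusService;

    /**
     * Builds the UMA client helpers from the UMA metadata configuration.
     *
     * <p>When no UMA configuration is injected, the helpers stay {@code null} and UMA
     * authentication is reported as disabled by {@link #isEnabledUmaAuthentication()}.
     */
    @Create
    public void init() {
        if (umaMetadataConfiguration == null) {
            return;
        }
        UmaClientFactory factory = UmaClientFactory.instance();
        resourceSetPermissionRegistrationService = factory.createResourceSetPermissionRegistrationService(umaMetadataConfiguration);
        rptStatusService = factory.createRptStatusService(umaMetadataConfiguration);
    }

    /**
     * Returns the cached PAT, requesting a fresh one from the token endpoint if the cached
     * token is missing or about to expire.
     *
     * @return the current PAT, or {@code null} when no UMA configuration is available
     * @throws UmaProtectionException if the UMA client cannot be loaded or no valid PAT can be
     *     obtained
     */
    public Token getPatToken() throws UmaProtectionException {
        // Fast path: no lock while the cached PAT is still usable.
        if (isValidPatToken(umaPat, umaPatAccessTokenExpiration)) {
            return umaPat;
        }
        lock.lock();
        try {
            // Re-check under the lock: another thread may have refreshed the PAT meanwhile.
            if (!isValidPatToken(umaPat, umaPatAccessTokenExpiration)) {
                retrievePatToken();
            }
            return umaPat;
        } finally {
            lock.unlock();
        }
    }

    /**
     * Reports whether UMA authentication can be used: a UMA configuration is present and a PAT
     * could be obtained.
     */
    public boolean isEnabledUmaAuthentication() {
        return umaMetadataConfiguration != null && isExistPatToken();
    }

    /**
     * Reports whether a PAT is available. Failures to obtain one are logged and reported as
     * {@code false} rather than propagated.
     */
    public boolean isExistPatToken() {
        try {
            return getPatToken() != null;
        } catch (UmaProtectionException e) {
            log.error("Failed to check UMA PAT token status", e);
            return false;
        }
    }

    /**
     * Reports whether an RPT introspection response carries at least one permission.
     *
     * @param rptIntrospectionResponse the introspection response; {@code null} yields {@code false}
     */
    public boolean isRptHasPermissions(RptIntrospectionResponse rptIntrospectionResponse) {
        return rptIntrospectionResponse != null
                && rptIntrospectionResponse.getPermissions() != null
                && !rptIntrospectionResponse.getPermissions().isEmpty();
    }

    /**
     * Introspects an RPT at the authorization server.
     *
     * @param token the PAT used to authorize the introspection call
     * @param rpt the RPT to introspect
     * @return the introspection response when the RPT is active, otherwise {@code null}
     *     (including when the introspection call itself fails, which is logged)
     */
    public RptIntrospectionResponse getStatusResponse(Token token, String rpt) {
        RptIntrospectionResponse status = null;
        try {
            status = rptStatusService.requestRptStatus(BEARER_PREFIX + token.getAccessToken(), rpt, "");
        } catch (Exception e) {
            log.error("Failed to determine RPT status", e);
        }
        // An inactive RPT carries no usable permissions, so callers only ever see active ones.
        if (status == null || !Boolean.TRUE.equals(status.getActive())) {
            return null;
        }
        return status;
    }

    /**
     * Registers a permission request for one scope on a resource set and returns the resulting
     * permission ticket.
     *
     * @param token the PAT used to authorize the registration call
     * @param resourceSetId id of the resource set the permission is requested for
     * @param scope the single scope requested
     * @return the permission ticket, or {@code null} when registration failed or the server
     *     returned an empty ticket (both are logged)
     */
    public String registerUmaPermissions(Token token, String resourceSetId, String scope) {
        String authorization = BEARER_PREFIX + token.getAccessToken();

        UmaPermission permission = new UmaPermission();
        permission.setResourceSetId(resourceSetId);
        permission.setScopes(Arrays.asList(scope));

        PermissionTicket permissionTicket = null;
        try {
            String amHost = getHost(umaMetadataConfiguration.getIssuer());
            permissionTicket = resourceSetPermissionRegistrationService.registerResourceSetPermission(authorization, amHost, permission);
        } catch (MalformedURLException e) {
            log.error("Failed to determine host by URI", e);
        } catch (ClientResponseFailure e) {
            log.error("Failed to register permissions for resource set: '{0}'", e, resourceSetId);
        }

        if (permissionTicket != null && !StringHelper.isEmpty(permissionTicket.getTicket())) {
            return permissionTicket.getTicket();
        }
        log.error("Resource set permission ticket is invalid");
        return null;
    }

    /**
     * Builds the HTTP 403 response a UMA resource server returns to a client that lacks
     * permissions: the body carries the freshly registered permission ticket, and the
     * {@code host_id}, {@code as_uri} and error headers tell the client where to obtain an RPT.
     *
     * @param token the PAT used to register the permission
     * @param resourceSetId id of the resource set the permission is requested for
     * @param scope the single scope requested
     * @return the 403 response, or {@code null} when no ticket could be registered, the ticket
     *     could not be serialized, or the IdP URL is malformed (all logged)
     */
    public Response prepareRegisterUmaPermissionsResponse(Token token, String resourceSetId, String scope) {
        String ticket = registerUmaPermissions(token, resourceSetId, scope);
        if (StringHelper.isEmpty(ticket)) {
            return null;
        }

        String entity = null;
        try {
            entity = jsonService.objectToJson(new PermissionTicket(ticket));
        } catch (Exception e) {
            log.error("Failed to prepare response", e);
        }
        if (entity == null) {
            return null;
        }

        log.debug("Construct response: HTTP 403 (Forbidden), entity: '{0}'", entity);
        try {
            return Response.status(Response.Status.FORBIDDEN)
                    .header("host_id", getHost(applicationConfiguration.getIdpUrl()))
                    .header("as_uri", appInitializer.getUmaConfigurationEndpoint())
                    .header(OxTrustConstants.OXAUTH_ERROR, "insufficient_scope")
                    .entity(entity)
                    .build();
        } catch (MalformedURLException e) {
            log.error("Failed to determine host by URI", e);
            return null;
        }
    }

    /**
     * Extracts the host component of a URL.
     *
     * @throws MalformedURLException if {@code url} is not a valid URL
     */
    private String getHost(String url) throws MalformedURLException {
        return new URL(url).getHost();
    }

    /**
     * Requests a new PAT from the UMA token endpoint and stores it in the cache.
     *
     * <p>The cache is cleared first, so a failed refresh never leaves a stale token behind.
     * Must be called with {@link #lock} held.
     *
     * @throws UmaProtectionException if the UMA client cannot be loaded, its JWKS holds no key
     *     for the configured key id, or the token endpoint does not return a usable PAT
     */
    private void retrievePatToken() throws UmaProtectionException {
        umaPat = null;
        if (umaMetadataConfiguration == null) {
            return;
        }

        OxAuthClient umaClient;
        // NOTE(review): the declared key type looks like a decompiler artifact; the
        // RSA branch in buildPatRequest() suggests a common private-key supertype — confirm against source.
        ECDSAPrivateKey privateKey;
        try {
            umaClient = clientService.getClientByInum(applicationConfiguration.getUmaClientId(), OxTrustConstants.inum, "oxAuthJwks");
            if (umaClient == null) {
                throw new UmaProtectionException("Failed to load UMA client");
            }
            privateKey = JwtUtil.getPrivateKey((String) null, umaClient.getJwks(), applicationConfiguration.getUmaClientKeyId());
        } catch (EntryPersistenceException e) {
            throw new UmaProtectionException("Failed to load UMA client", e);
        }
        if (privateKey == null) {
            throw new UmaProtectionException("There is no keyId in JWKS");
        }

        Token token;
        try {
            TokenRequest tokenRequest = buildPatRequest(umaClient.getInum(), privateKey);
            token = UmaClient.request(umaMetadataConfiguration.getTokenEndpoint(), tokenRequest);
        } catch (Exception e) {
            throw new UmaProtectionException("Failed to obtain valid UMA PAT token", e);
        }
        // Validate before touching the token: a null response must not turn into an NPE.
        if (token == null || token.getAccessToken() == null) {
            throw new UmaProtectionException("Failed to obtain valid UMA PAT token");
        }

        // Publish the expiration before the token so a fast-path reader never pairs a new
        // token with a stale expiration instant.
        umaPatAccessTokenExpiration = computeAccessTokenExpirationTime(token.getExpiresIn());
        umaPat = token;
    }

    /**
     * Builds the client_credentials token request for the PAT scope, signed with the UMA
     * client's private key (private_key_jwt authentication).
     *
     * @param clientInum the client identifier used as the JWT subject/issuer
     * @param privateKey the signing key; EC and RSA keys are wired into the request, other
     *     types leave it unsigned
     */
    private TokenRequest buildPatRequest(String clientInum, ECDSAPrivateKey privateKey) {
        TokenRequest tokenRequest = TokenRequest.builder().pat(new String[0]).grantType(GrantType.CLIENT_CREDENTIALS).build();
        if (privateKey instanceof ECDSAPrivateKey) {
            tokenRequest.setEcPrivateKey(privateKey);
        } else if (privateKey instanceof RSAPrivateKey) {
            tokenRequest.setRsaPrivateKey((RSAPrivateKey) privateKey);
        }
        tokenRequest.setAuthenticationMethod(AuthenticationMethod.PRIVATE_KEY_JWT);
        tokenRequest.setAuthUsername(clientInum);
        tokenRequest.setAlgorithm(privateKey.getSignatureAlgorithm());
        tokenRequest.setKeyId(privateKey.getKeyId());
        // The JWT audience must be the token endpoint the assertion is presented to.
        tokenRequest.setAudience(umaMetadataConfiguration.getTokenEndpoint());
        return tokenRequest;
    }

    /**
     * Computes the epoch-millis instant after which a token with the given lifetime is treated
     * as expired, leaving a safety margin of {@link #PAT_EXPIRATION_SAFETY_MARGIN_SECONDS}.
     *
     * @param expiresInSeconds the {@code expires_in} value from the token response; when
     *     {@code null} the current time is returned, so the token is refreshed on next use
     */
    protected long computeAccessTokenExpirationTime(Integer expiresInSeconds) {
        long now = System.currentTimeMillis();
        if (expiresInSeconds == null) {
            return now;
        }
        long effectiveLifetime = expiresInSeconds.longValue() - PAT_EXPIRATION_SAFETY_MARGIN_SECONDS;
        return now + TimeUnit.SECONDS.toMillis(effectiveLifetime);
    }

    /**
     * Reports whether a cached token is usable: present, carries an access token, and its
     * expiration instant lies in the future.
     */
    private boolean isValidPatToken(Token token, long expirationMillis) {
        return token != null
                && token.getAccessToken() != null
                && expirationMillis > System.currentTimeMillis();
    }
}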
