package edu.uiuc.ncsa.myproxy.oa4mp.oauth2.claims;

import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.flows.FlowStates;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.servlet.OA2DiscoveryServlet;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.state.OA2ClientConfiguration;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.state.OA2ClientConfigurationFactory;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.storage.clients.OA2Client;
import edu.uiuc.ncsa.myproxy.oa4mp.server.admin.adminClient.AdminClient;
import edu.uiuc.ncsa.security.core.Identifier;
import edu.uiuc.ncsa.security.core.util.DebugUtil;
import edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError;
import edu.uiuc.ncsa.security.oauth_2_0.server.claims.ClaimSource;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import net.sf.json.JSONObject;

/* loaded from: input_file:edu/uiuc/ncsa/myproxy/oa4mp/oauth2/claims/OA2ClaimsUtil.class */
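/**
 * Assembles the claim set for one OAuth2/OIDC service transaction.
 *
 * <p>Two entry points drive the work:
 * <ul>
 *   <li>{@link #processAuthorizationClaims} seeds the standard claims ({@code iss}, {@code sub},
 *       {@code aud}, {@code exp}, {@code iat}, {@code auth_time}, {@code nonce}), runs the server and
 *       client claim sources flagged to run at authorization, evaluates the client's runtime flows
 *       and records the resulting {@link FlowStates} on the transaction.</li>
 *   <li>{@link #processClaims} runs the remaining (deferred) client claim sources, applies client
 *       post-processing and enforces the {@code acceptRequests} flow state.</li>
 * </ul>
 *
 * <p>Security notes:
 * <ul>
 *   <li>Denials are fail-closed and sticky: when a flow sets {@code acceptRequests=false} the flow
 *       states are persisted on the transaction before {@code access_denied} is thrown, so the later
 *       phase rejects the transaction as well.</li>
 *   <li>With {@link #deepDebugOn} (default {@code true}) the full claim set is dumped at trace level
 *       at several points. Claims can carry user PII; keep trace logging off in production or
 *       disable {@code deepDebugOn}.</li>
 * </ul>
 */
public class OA2ClaimsUtil {
    /** Lifetime, in seconds, written into the {@code exp} claim relative to the current time. */
    protected static final long DEFAULT_EXP_SECONDS = 900L;

    protected OA2ServiceTransaction transaction;
    OA2SE oa2se;
    /** Enables the trace-level claim dumps emitted through {@link #dbg}. */
    boolean deepDebugOn = true;
    /** Lazily-built client configuration; stays {@code null} for clients without a config block. */
    OA2ClientConfiguration cc = null;
    /** Lazily-built functor factory, bound to the transaction's claims/scopes on first use. */
    OA2FunctorFactory ff = null;

    /**
     * @param oa2se                 the service environment (stores, server claim source, OIDC flag)
     * @param oA2ServiceTransaction the transaction whose claims are being built
     */
    public OA2ClaimsUtil(OA2SE oa2se, OA2ServiceTransaction oA2ServiceTransaction) {
        this.oa2se = oa2se;
        this.transaction = oA2ServiceTransaction;
    }

    /**
     * Adds the time-related claims and the nonce to {@code jSONObject}.
     *
     * <p>{@code exp} is {@code now + DEFAULT_EXP_SECONDS} and {@code iat} is {@code now}, both as
     * {@link Long} seconds since the epoch sampled from a single clock read. {@code auth_time} is
     * added only when the transaction records an authentication time, {@code nonce} only when the
     * transaction carries a non-empty nonce.
     *
     * @param httpServletRequest unused here; kept for signature compatibility with callers
     * @param jSONObject         the claim set to extend (mutated in place)
     * @return the same {@code jSONObject}
     */
    public JSONObject setAccountingInformation(HttpServletRequest httpServletRequest, JSONObject jSONObject) {
        dbg(this, "Starting to process basic claims");
        if (this.transaction.hasAuthTime()) {
            // NOTE(review): emitted as a string for compatibility with existing consumers. OIDC Core
            // defines auth_time as a JSON number; confirm downstream consumers before changing the type.
            jSONObject.put("auth_time", Long.toString(this.transaction.getAuthTime().getTime() / 1000));
        }
        // Read the clock once so iat and exp are computed from the same instant.
        long nowSeconds = System.currentTimeMillis() / 1000;
        jSONObject.put("exp", Long.valueOf(nowSeconds + DEFAULT_EXP_SECONDS));
        jSONObject.put("iat", Long.valueOf(nowSeconds));
        String nonce = this.transaction.getNonce();
        if (nonce != null && !nonce.isEmpty()) {
            jSONObject.put("nonce", nonce);
        }
        return jSONObject;
    }

    /**
     * Seeds the standard claims ({@code iss}, {@code sub}, {@code aud}) and then delegates to
     * {@link #setAccountingInformation}.
     *
     * <p>Issuer precedence: the first admin client of this client that declares an issuer, then the
     * client's own issuer, then the server issuer derived from the request by
     * {@link OA2DiscoveryServlet#getIssuer}. {@code sub} is the transaction's username and
     * {@code aud} is the client identifier.
     *
     * @param httpServletRequest the current request, used only for the fallback issuer
     * @param jSONObject         the claim set to populate (mutated in place)
     * @return the same {@code jSONObject}
     */
    public JSONObject initializeClaims(HttpServletRequest httpServletRequest, JSONObject jSONObject) {
        dbg(this, "Starting to process basic claims");
        String issuer = null;
        Iterator adminIds = this.oa2se.getPermissionStore().getAdmins(this.transaction.getClient().getIdentifier()).iterator();
        while (issuer == null && adminIds.hasNext()) {
            AdminClient adminClient = (AdminClient) this.oa2se.getAdminClientStore().get((Identifier) adminIds.next());
            if (adminClient != null && adminClient.getIssuer() != null) {
                issuer = adminClient.getIssuer();
            }
        }
        if (issuer == null) {
            issuer = ((OA2Client) this.transaction.getClient()).getIssuer();
        }
        if (issuer == null) {
            // NOTE(review): the fallback issuer is derived from the request. If OA2DiscoveryServlet.getIssuer
            // reads the Host header, make sure the front end canonicalizes it; otherwise iss is attacker-influenced.
            issuer = OA2DiscoveryServlet.getIssuer(httpServletRequest);
        }
        jSONObject.put("iss", issuer);
        jSONObject.put("sub", this.transaction.getUsername());
        jSONObject.put("aud", this.transaction.getClient().getIdentifierString());
        return setAccountingInformation(httpServletRequest, jSONObject);
    }

    /**
     * Rejects the transaction when OIDC is enabled on the server but the {@code openid} scope was
     * not requested.
     *
     * @throws Throwable an {@link OA2GeneralError} ({@code invalid_scope}, HTTP 401) on failure
     */
    protected void checkRequiredScopes(HttpServletRequest httpServletRequest, OA2ServiceTransaction oA2ServiceTransaction) throws Throwable {
        if (this.oa2se.isOIDCEnabled() && !oA2ServiceTransaction.getScopes().contains("openid")) {
            // NOTE(review): RFC 6749 uses HTTP 400 for invalid_scope at the token endpoint; confirm the
            // servlet layer delivers this error the way the endpoint in use expects.
            throw new OA2GeneralError("invalid_scope", "invalid scope: no open id scope", 401);
        }
    }

    /**
     * Authorization-time claim processing.
     *
     * <p>Steps: seed the standard claims, verify required scopes, persist the client (once, as
     * tracked by the client configuration), run the server claim source if it is enabled for
     * authorization, then for clients with a configuration execute the runtime, create the
     * {@link FlowStates}, run client claim sources flagged for authorization and persist the
     * transaction. Public clients stop after the standard claims.
     *
     * @param httpServletRequest    the current request, passed to claim sources
     * @param oA2ServiceTransaction the transaction whose scopes are checked
     * @return the populated claim set (also stored on the transaction)
     * @throws Throwable {@code invalid_scope} from {@link #checkRequiredScopes}, {@code access_denied}
     *                   when a flow rejects the request, or anything a claim source throws
     */
    public JSONObject processAuthorizationClaims(HttpServletRequest httpServletRequest, OA2ServiceTransaction oA2ServiceTransaction) throws Throwable {
        JSONObject claims = this.transaction.getClaims();
        if (claims == null) {
            claims = new JSONObject();
        }
        claims = initializeClaims(httpServletRequest, claims);
        this.transaction.setClaims(claims);
        OA2Client oA2Client = getOA2Client();
        checkRequiredScopes(httpServletRequest, oA2ServiceTransaction);
        saveClientOnce(oA2Client);
        dbg(this, "Done with basic claims = " + claims.toString(1));
        if (this.transaction.getOA2Client().isPublicClient()) {
            this.oa2se.getTransactionStore().save(this.transaction);
            return claims;
        }
        runServerClaimSourceAtAuthorization(claims, httpServletRequest);
        dbg(this, "Starting to process Client runtime and sources at authorization.");
        if (oA2Client.getConfig() == null || oA2Client.getConfig().isEmpty()) {
            // No configuration: no runtime, no flows, no client claim sources. Note that the
            // transaction is not persisted on this path (unlike the public-client path above).
            return claims;
        }
        dbg(this, "executing runtime");
        getCC().executeRuntime();
        dbg(this, "processing flows");
        FlowStates flowStates = new FlowStates(getCC().getRuntime().getFunctorMap());
        this.transaction.setFlowStates(flowStates);
        if (flowStates.getClaims) {
            runClientClaimSourcesAtAuthorization(claims, flowStates, httpServletRequest, oA2Client);
        }
        this.transaction.setClaims(claims);
        this.transaction.setFlowStates(flowStates);
        this.oa2se.getTransactionStore().save(this.transaction);
        return claims;
    }

    /**
     * Persists the client unless the client configuration already reports it as saved.
     * Clients without a configuration ({@link #getCC()} returns {@code null}) are skipped instead
     * of dereferencing {@code null}.
     */
    private void saveClientOnce(OA2Client oA2Client) {
        OA2ClientConfiguration clientConfig = getCC();
        if (clientConfig == null) {
            dbg(this, "No client configuration for " + oA2Client.getIdentifierString() + ", nothing to save");
            return;
        }
        if (clientConfig.isSaved()) {
            dbg(this, "*NOT* saving updated client " + oA2Client.getIdentifierString());
            return;
        }
        dbg(this, "Saving updated client " + oA2Client.getIdentifierString());
        clientConfig.setSaved(true);
        this.oa2se.getClientStore().save(oA2Client);
    }

    /** Runs the server-wide claim source when it is enabled and flagged to run at authorization. */
    private void runServerClaimSourceAtAuthorization(JSONObject claims, HttpServletRequest httpServletRequest) throws Throwable {
        dbg(this, "Starting to process server default claims");
        if (this.oa2se.getClaimSource() == null
                || !this.oa2se.getClaimSource().isEnabled()
                || !this.oa2se.getClaimSource().isRunAtAuthorization()) {
            dbg(this, "Service environment has a claims no source enabled during authorization");
            return;
        }
        DebugUtil.dbg(this, "Service environment has a claims source enabled=" + this.oa2se.getClaimSource());
        this.oa2se.getClaimSource().process(claims, httpServletRequest, this.transaction);
    }

    /**
     * Creates the client's claim sources from its configuration, runs pre-processing, then runs every
     * source flagged for authorization and folds each source's post-processor into the flow states.
     *
     * @throws Throwable {@code access_denied} (HTTP 401) as soon as a flow clears {@code acceptRequests};
     *                   the claims and flow states are persisted first so the denial is sticky
     */
    private void runClientClaimSourcesAtAuthorization(JSONObject claims, FlowStates flowStates, HttpServletRequest httpServletRequest, OA2Client oA2Client) throws Throwable {
        dbg(this, "Doing preprocessing");
        dbg(this, "Claims allowed, creating sources from configuration");
        OA2ClientConfiguration clientConfig = getCC();
        new OA2ClientConfigurationFactory(getFF()).createClaimSource(clientConfig, oA2Client.getConfig());
        doPreProcessing();
        if (!clientConfig.hasClaimSource()) {
            return;
        }
        for (ClaimSource source : clientConfig.getClaimSource()) {
            if (source.isRunAtAuthorization()) {
                source.process(claims, httpServletRequest, this.transaction);
            }
            if (source.getPostProcessor() != null) {
                flowStates.updateValues(source.getPostProcessor().getFunctorMap());
            }
            if (!flowStates.acceptRequests) {
                // Record the denial before throwing so processClaims also rejects this transaction.
                this.transaction.setClaims(claims);
                this.transaction.setFlowStates(flowStates);
                this.oa2se.getTransactionStore().save(this.transaction);
                throw new OA2GeneralError("access_denied", "access denied", 401);
            }
            dbg(this, "user info for claim source #" + source + " = " + claims.toString(1));
        }
    }

    /** @return the transaction's client as an {@link OA2Client} */
    protected OA2Client getOA2Client() {
        return this.transaction.getOA2Client();
    }

    /**
     * Lazily builds the functor factory from the transaction's claims and scopes.
     * Built once; the claims handed to it are whatever the transaction holds at the first call,
     * so callers that depend on the seeded claims must call this after {@link #initializeClaims}.
     */
    protected OA2FunctorFactory getFF() {
        if (this.ff == null) {
            this.ff = new OA2FunctorFactory(this.transaction.getClaims(), this.transaction.getScopes());
        }
        return this.ff;
    }

    /**
     * Lazily builds the client configuration from the client's config block.
     *
     * @return the configuration, or {@code null} when the client has no config block
     */
    protected OA2ClientConfiguration getCC() {
        if (this.cc == null && null != getOA2Client().getConfig()) {
            this.cc = new OA2ClientConfigurationFactory(getFF()).m35newInstance(getOA2Client().getConfig());
        }
        return this.cc;
    }

    /**
     * Post-authorization claim processing.
     *
     * <p>Public clients and clients without a configuration get their stored claims back untouched.
     * Otherwise the flow states recorded at authorization are enforced, the client claim sources not
     * flagged for authorization are run (when {@code getClaims} allows), post-processing is applied
     * and the required claims are checked before the transaction is persisted.
     *
     * @return the final claim set (also stored on the transaction)
     * @throws Throwable {@code access_denied} (HTTP 401) when the flow states reject the request,
     *                   {@code server_error} when a required claim is missing, or anything a claim
     *                   source throws
     */
    public JSONObject processClaims() throws Throwable {
        JSONObject claims = this.transaction.getClaims();
        if (claims == null) {
            claims = new JSONObject();
        }
        if (this.transaction.getOA2Client().isPublicClient()) {
            return claims;
        }
        FlowStates flowStates = this.transaction.getFlowStates();
        if (flowStates != null && !flowStates.acceptRequests) {
            throw new OA2GeneralError("access_denied", "access denied", 401);
        }
        OA2Client oA2Client = getOA2Client();
        if (oA2Client.getConfig() == null || oA2Client.getConfig().isEmpty()) {
            // processAuthorizationClaims records no flow states for such clients, so there is nothing to enforce.
            return claims;
        }
        if (flowStates == null) {
            // Fail closed: a configured client must have had its flow states recorded at authorization.
            throw new OA2GeneralError("server_error", "no flow state recorded for this transaction", 500);
        }
        OA2ClientConfiguration clientConfig = getCC();
        dbg(this, "BEFORE invoking claim sources, claims are = " + claims.toString(1));
        if (flowStates.getClaims) {
            runDeferredClientClaimSources(claims, clientConfig, oA2Client);
        }
        dbg(this, "Ready for post-processing");
        doPostProcessing();
        FlowStates updatedFlowStates = this.transaction.getFlowStates();
        if (clientConfig.getPostProcessing() != null) {
            updatedFlowStates.updateValues(clientConfig.getPostProcessing().getFunctorMap());
        }
        this.transaction.setFlowStates(updatedFlowStates);
        checkRequiredClaims(claims);
        this.transaction.setClaims(claims);
        this.oa2se.getTransactionStore().save(this.transaction);
        dbg(this, "Done with special claims=" + claims.toString(1));
        if (!updatedFlowStates.acceptRequests) {
            dbg(this, "Access denied for user name = " + this.transaction.getUsername());
            throw new OA2GeneralError("access_denied", "access denied", 401);
        }
        return claims;
    }

    /**
     * Runs the client claim sources that are not flagged to run at authorization, wiring the service
     * environment into {@link BasicClaimsSourceImpl} instances that lack one.
     */
    private void runDeferredClientClaimSources(JSONObject claims, OA2ClientConfiguration clientConfig, OA2Client oA2Client) throws Throwable {
        DebugUtil.trace(this, "Claims allowed, creating sources from configuration");
        new OA2ClientConfigurationFactory(getFF()).createClaimSource(clientConfig, oA2Client.getConfig());
        if (!clientConfig.hasClaimSource()) {
            return;
        }
        for (ClaimSource source : clientConfig.getClaimSource()) {
            if (source.isRunAtAuthorization()) {
                continue; // already executed by processAuthorizationClaims
            }
            if (source instanceof BasicClaimsSourceImpl) {
                BasicClaimsSourceImpl basicSource = (BasicClaimsSourceImpl) source;
                if (basicSource.getOa2SE() == null) {
                    basicSource.setOa2SE(this.oa2se);
                }
            }
            DebugUtil.trace(this, "Before invoking claim source, new claims = " + claims.toString(1));
            source.process(claims, this.transaction);
            DebugUtil.trace(this, "After invoking claim source, new claims = " + claims.toString(1));
        }
    }

    /**
     * Requires {@code str} to be present in {@code jSONObject} with a non-empty string value.
     *
     * @throws OA2GeneralError {@code server_error} (HTTP 500) when the claim is absent or empty
     */
    protected void checkClaim(JSONObject jSONObject, String str) {
        if (!jSONObject.containsKey(str) || isEmpty(jSONObject.getString(str))) {
            throw new OA2GeneralError("server_error", "Missing " + str + " claim", 500);
        }
    }

    /** When OIDC is enabled, requires a non-empty {@code sub} claim. */
    protected void checkRequiredClaims(JSONObject jSONObject) {
        if (this.oa2se.isOIDCEnabled()) {
            checkClaim(jSONObject, "sub");
        }
    }

    /** @return {@code true} for {@code null} or the empty string */
    protected boolean isEmpty(String str) {
        return str == null || str.isEmpty();
    }

    /** Sets up and executes the client's post-processing block, if the configuration declares one. */
    public void doPostProcessing() throws Throwable {
        dbg(this, ".doPostProcessing: has post-processing?" + getCC().hasPostProcessing());
        if (getCC().hasPostProcessing()) {
            DebugUtil.dbg(this, ".doPostProcessing: has post-processing?" + getCC().getPostProcessing());
            new OA2ClientConfigurationFactory(getFF()).setupPostProcessing(getCC(), getOA2Client().getConfig());
            getCC().executePostProcessing();
            dbg(this, ".doPostProcessing: executed post-processing, functor map=" + getCC().getPostProcessing().getFunctorMap());
        }
    }

    /** Sets up and executes the client's pre-processing block, if the configuration declares one. */
    public void doPreProcessing() throws Throwable {
        if (getCC().hasPreProcessing()) {
            new OA2ClientConfigurationFactory(getFF()).setupPreProcessing(getCC(), getOA2Client().getConfig());
            getCC().executePreProcessing();
        }
    }

    /** Trace-level logging, gated by {@link #deepDebugOn}. Messages may contain full claim dumps. */
    protected void dbg(Object obj, String str) {
        if (this.deepDebugOn) {
            DebugUtil.trace(obj, str);
        }
    }
}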
