package edu.uiuc.ncsa.myproxy.oa4mp.oauth2.cm.oidc_cm;

import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2SE;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.cm.util.permissions.AddClientRequest;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.cm.util.permissions.PermissionServer;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.cm.util.permissions.RemoveClientRequest;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.servlet.HeaderUtils;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.state.OA2ClientConfigurationUtil;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.storage.clients.OA2Client;
import edu.uiuc.ncsa.myproxy.oa4mp.oauth2.storage.clients.OA2ClientKeys;
import edu.uiuc.ncsa.myproxy.oa4mp.server.admin.adminClient.AdminClient;
import edu.uiuc.ncsa.myproxy.oa4mp.server.servlet.EnvServlet;
import edu.uiuc.ncsa.security.core.Identifier;
import edu.uiuc.ncsa.security.core.exceptions.GeneralException;
import edu.uiuc.ncsa.security.core.util.BasicIdentifier;
import edu.uiuc.ncsa.security.core.util.DebugUtil;
import edu.uiuc.ncsa.security.delegation.server.storage.ClientApproval;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Constants;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Errors;
import edu.uiuc.ncsa.security.oauth_2_0.OA2GeneralError;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Scopes;
import edu.uiuc.ncsa.security.oauth_2_0.server.config.ClientConfigurationUtil;
import edu.uiuc.ncsa.security.servlet.ServletDebugUtil;
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.SQLException;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.sf.json.JSON;
import net.sf.json.JSONArray;
import net.sf.json.JSONObject;
import net.sf.json.JSONSerializer;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;

/* loaded from: input_file:WEB-INF/lib/oa4mp-server-loader-oauth2-4.3.jar:edu/uiuc/ncsa/myproxy/oa4mp/oauth2/cm/oidc_cm/OIDCCMServlet.class */
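/**
 * Dynamic client registration endpoint: RFC 7591 (POST = register, GET = read) and
 * RFC 7592 (PUT = update, DELETE = remove).
 *
 * <p>Every operation authenticates the caller as an <em>admin client</em> from bearer
 * credentials in the request headers ({@link #getAndCheckAdminClient}). PUT, DELETE and GET
 * additionally require that the admin client owns the target client
 * ({@link #checkAdminPermission}). Client secrets are stored as their SHA-1 hex digest and are
 * returned to the caller exactly once, in the registration response.
 *
 * <p>Servlets are shared between request threads; this class keeps no per-request state in
 * fields. {@link #permissionServer} is created lazily without synchronization (see
 * {@link #getPermissionServer()}).
 */
public class OIDCCMServlet extends EnvServlet {
    /** Lazily created facade over the permission store; use {@link #getPermissionServer()}. */
    PermissionServer permissionServer = null;
    /** Randomness for freshly minted client secrets (see {@link #updateClient}). */
    SecureRandom random = new SecureRandom();

    /**
     * Runs the one-time store checks for the admin client and permission stores. The inherited
     * {@code storeUpdatesDone} flag makes this a no-op after the first call.
     */
    @Override
    public void storeUpdates() throws IOException, SQLException {
        if (storeUpdatesDone) {
            return;
        }
        storeUpdatesDone = true;
        OA2SE environment = getOA2SE();
        processStoreCheck(environment.getAdminClientStore());
        processStoreCheck(environment.getPermissionStore());
    }

    /** @return the servlet environment narrowed to the OAuth 2 environment. */
    protected OA2SE getOA2SE() {
        return (OA2SE) getEnvironment();
    }

    /**
     * Builds the {@code registration_client_uri} for a client: the configured RFC 7591 endpoint
     * with the client id appended as the {@code client_id} query parameter.
     *
     * @param clientId the client's identifier string
     * @return the URI the client (or its admin) uses to read, update or delete the registration
     */
    private String registrationClientUri(String clientId) {
        return getOA2SE().getCmConfigs().getRFC7591Config().uri.toString() + "?client_id=" + clientId;
    }

    /**
     * RFC 7592 read: returns the registration record of the client named by the
     * {@code client_id} parameter.
     *
     * <p>The caller must be an approved admin client and must own the requested client; the
     * ownership check is the same one PUT and DELETE apply, so an admin cannot read another
     * admin's registrations. Errors are rendered through {@code handleException}.
     *
     * @throws IllegalAccessError if RFC 7591 support is not configured on this server
     */
    @Override
    public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        printAllParameters(httpServletRequest);
        if (doPing(httpServletRequest, httpServletResponse)) {
            return;
        }
        if (!getOA2SE().getCmConfigs().hasRFC7591Config()) {
            throw new IllegalAccessError("Error: RFC 7591 not supported on this server. Request rejected.");
        }
        try {
            AdminClient adminClient = getAndCheckAdminClient(httpServletRequest);
            String clientId = getFirstParameterValue(httpServletRequest, "client_id");
            if (clientId == null || clientId.isEmpty()) {
                throw new GeneralException("Missing client id. Cannot process request");
            }
            OA2Client client = (OA2Client) getOA2SE().getClientStore().get(BasicIdentifier.newID(clientId));
            if (client == null) {
                throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "no such client", 400);
            }
            // Same ownership rule as doPut/doDelete: an admin may only read clients it manages.
            checkAdminPermission(adminClient, client);
            writeOK(httpServletResponse, toJSONObject(client));
        } catch (Throwable th) {
            handleException(th, httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Serializes a client as an RFC 7591 client-information document.
     *
     * <p>The secret is intentionally absent: it is only ever disclosed in the registration
     * response built by {@link #doIt}, and the stored value is a hash anyway.
     *
     * @param client the client to render
     * @return a new JSON object holding the client's registration metadata plus any extra
     *         attributes kept in its configuration
     */
    protected JSONObject toJSONObject(OA2Client client) {
        JSONObject json = new JSONObject();
        json.put(OIDCCMConstants.REGISTRATION_CLIENT_URI, registrationClientUri(client.getIdentifierString()));
        json.put("client_id", client.getIdentifierString());
        json.put(OIDCCMConstants.CLIENT_NAME, client.getName());

        JSONArray redirectUris = new JSONArray();
        redirectUris.addAll(client.getCallbackURIs());
        json.put(OIDCCMConstants.REDIRECT_URIS, redirectUris);

        // authorization_code is always granted; refresh_token only if a refresh lifetime is set.
        JSONArray grantTypes = new JSONArray();
        grantTypes.add(OA2Constants.AUTHORIZATION_CODE_VALUE);
        if (client.isRTLifetimeEnabled()) {
            grantTypes.add(OA2Constants.REFRESH_TOKEN);
        }
        json.put(OIDCCMConstants.GRANT_TYPES, grantTypes);

        JSONArray scopes = new JSONArray();
        scopes.addAll(client.getScopes());
        json.put("scope", scopes);

        json.put(OIDCCMConstants.CLIENT_URI, client.getHomeUri());
        json.put("error_uri", client.getErrorUri());
        json.put("email", client.getEmail());
        // RFC 7591 expresses the issue time in seconds since the epoch.
        json.put(OIDCCMConstants.CLIENT_ID_ISSUED_AT, Long.valueOf(client.getCreationTS().getTime() / 1000));
        json.putAll(ClientConfigurationUtil.getExtraAttributes(client.getConfig()));
        return json;
    }

    /**
     * RFC 7592 delete: removes the client named by {@code client_id}, its approval record and
     * its entry in the permission store. Responds 204 on success and also when the client does
     * not exist (the deletion is idempotent); a missing {@code client_id} is a 400.
     *
     * @throws IllegalAccessError if RFC 7592 support is not configured on this server
     */
    @Override
    protected void doDelete(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        printAllParameters(httpServletRequest);
        if (!getOA2SE().getCmConfigs().hasRFC7592Config()) {
            throw new IllegalAccessError("Error: RFC 7592 not supported on this server. Request rejected.");
        }
        try {
            AdminClient adminClient = getAndCheckAdminClient(httpServletRequest);
            String clientId = httpServletRequest.getParameter("client_id");
            if (clientId == null || clientId.isEmpty()) {
                throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "Missing client id", 400);
            }
            OA2Client client = (OA2Client) getOA2SE().getClientStore().get(BasicIdentifier.newID(clientId));
            if (client == null) {
                // Nothing to delete; report success rather than leak whether the id ever existed.
                httpServletResponse.setStatus(204);
                return;
            }
            checkAdminPermission(adminClient, client);
            getOA2SE().getClientApprovalStore().remove(client.getIdentifier());
            getOA2SE().getClientStore().remove(client.getIdentifier());
            getPermissionServer().removeClient(new RemoveClientRequest(adminClient, client));
            httpServletResponse.setStatus(204);
        } catch (Throwable th) {
            handleException(th, httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Verifies that {@code adminClient} manages {@code client}.
     *
     * @param adminClient the authenticated admin client
     * @param client      the target client; {@code null} means "no such client"
     * @throws OA2GeneralError 401 if the client is unknown, 403 if it exists but is not in the
     *                         admin client's permission set
     */
    protected void checkAdminPermission(AdminClient adminClient, OA2Client client) {
        if (client == null) {
            throw new OA2GeneralError(OA2Errors.UNAUTHORIZED_CLIENT, "unknown client", 401);
        }
        Collection managed = getOA2SE().getPermissionStore().getClients(adminClient.getIdentifier());
        if (!managed.contains(client.getIdentifier())) {
            throw new OA2GeneralError(OA2Errors.ACCESS_DENIED, "access denied", 403);
        }
    }

    /**
     * RFC 7592 update: replaces the registration of the client named by {@code client_id} with
     * the JSON document in the request body and returns the updated client information.
     *
     * <p>Checks, in order: admin authentication, ownership of the target client, body is a
     * non-empty JSON object, no server-assigned fields are present, and the requested scopes do
     * not widen the client's existing scopes. The client keeps the secret it already holds; an
     * update never rotates credentials.
     *
     * @throws IllegalAccessError if RFC 7592 support is not configured on this server
     */
    @Override
    protected void doPut(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        if (!getOA2SE().getCmConfigs().hasRFC7592Config()) {
            throw new IllegalAccessError("Error: RFC 7592 not supported on this server. Request rejected.");
        }
        try {
            AdminClient adminClient = getAndCheckAdminClient(httpServletRequest);
            OA2Client existing = getClient(httpServletRequest);
            // Also rejects a missing/unknown client (existing == null) with 401.
            checkAdminPermission(adminClient, existing);
            JSON payload = getPayload(httpServletRequest);
            DebugUtil.trace(this, payload.toString());
            if (payload.isArray()) {
                getMyLogger().info("Error: Got a JSON array rather than a request:" + payload);
                throw new IllegalArgumentException("Error: incorrect argument. Not a valid JSON request");
            }
            JSONObject request = (JSONObject) payload;
            if (request.size() == 0) {
                getMyLogger().info("Error: Got an empty JSON object. Request rejected.");
                throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "invalid request", 400);
            }
            rejectServerAssignedFields(request);
            if (request.containsKey("scope")) {
                checkScopesNotWidened(existing.getScopes(), request.getJSONArray("scope"));
            }
            OA2Client updated = (OA2Client) getOA2SE().getClientStore().create();
            updated.setIdentifier(existing.getIdentifier());
            updated.setSecret(existing.getSecret());
            updated.setConfig(existing.getConfig());
            try {
                updateClient(updated, request, httpServletResponse);
                // updateClient mints a fresh plaintext secret for the registration path. An update
                // must keep the credential the client already holds (stored as its hash), so put
                // it back rather than persist an unhashed value that is never sent to the client.
                updated.setSecret(existing.getSecret());
                getOA2SE().getClientStore().save(updated);
                writeOK(httpServletResponse, toJSONObject(updated));
            } catch (Throwable th) {
                warn("Error attempting to update client \"" + existing.getIdentifierString() + "\". Message = \"" + th.getMessage() + "\". Request is rejected");
                handleException(th, httpServletRequest, httpServletResponse);
            }
        } catch (Throwable th2) {
            handleException(th2, httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Rejects an update that tries to set a field only the server may assign.
     *
     * @param request the update document
     * @throws OA2GeneralError 400 if any server-assigned key is present
     */
    private static void rejectServerAssignedFields(JSONObject request) {
        Object[] serverAssigned = {
                OIDCCMConstants.REGISTRATION_ACCESS_TOKEN,
                OIDCCMConstants.CLIENT_SECRET_EXPIRES_AT,
                OIDCCMConstants.CLIENT_ID_ISSUED_AT
        };
        for (Object key : serverAssigned) {
            if (request.containsKey(key)) {
                throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "invalid parameter", 400);
            }
        }
    }

    /**
     * An update may drop scopes but never add one the client does not already have.
     *
     * @param current   the client's existing scopes
     * @param requested the scopes in the update document
     * @throws OA2GeneralError 403 if {@code requested} is larger than, or not a subset of, {@code current}
     */
    private static void checkScopesNotWidened(Collection<String> current, JSONArray requested) {
        boolean widened = current.size() < requested.size();
        if (!widened) {
            for (Object scope : requested) {
                if (!current.contains(scope.toString())) {
                    widened = true;
                    break;
                }
            }
        }
        if (widened) {
            throw new OA2GeneralError(OA2Errors.INVALID_SCOPE, "invalid scope", 403);
        }
    }

    /**
     * RFC 7591 registration entry point. Only {@code application/json} bodies are accepted;
     * anything else is answered with 415. The real work is in {@link #doIt}.
     *
     * @throws IllegalAccessError if RFC 7591 support is not configured on this server
     */
    @Override
    public void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        if (!getOA2SE().getCmConfigs().hasRFC7591Config()) {
            throw new IllegalAccessError("Error: RFC 7591 not supported on this server. Request rejected.");
        }
        try {
            if (doPing(httpServletRequest, httpServletResponse)) {
                return;
            }
            // A request without a Content-Type header yields null here; treat it as unsupported.
            String contentType = httpServletRequest.getContentType();
            DebugUtil.trace(this, "ENCODING is of type " + contentType);
            if (contentType == null || !contentType.contains("application/json")) {
                httpServletResponse.setStatus(415);
                throw new ServletException("Error: Unsupported encoding of \"" + contentType + "\" for body of POST. Request rejected.");
            }
            doIt(httpServletRequest, httpServletResponse);
        } catch (Throwable th) {
            handleException(th, httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Returns the permission server, creating it on first use.
     *
     * <p>Initialization is lazy and unsynchronized: two request threads arriving together may
     * each build an instance, and the later assignment wins. Nothing in this file depends on a
     * single instance — TODO confirm PermissionServer holds no state that would make that matter.
     */
    public PermissionServer getPermissionServer() {
        if (this.permissionServer == null) {
            this.permissionServer = new PermissionServer(getOA2SE());
        }
        return this.permissionServer;
    }

    /**
     * Authenticates the caller as an admin client from the bearer credentials in the headers.
     *
     * <p>Order of checks: the id must name a known admin client, a secret must be present, the
     * admin client must be approved, and the SHA-1 hex digest of the presented secret must equal
     * the stored digest. The digest comparison is constant-time.
     *
     * @return the authenticated, approved admin client
     * @throws GeneralException if any check fails; messages deliberately say little
     */
    protected AdminClient getAndCheckAdminClient(HttpServletRequest httpServletRequest) throws Throwable {
        String[] credentials = HeaderUtils.getCredentialsFromHeaders(httpServletRequest, OA2Constants.BEARER_TOKEN_TYPE);
        if (credentials == null) {
            throw new GeneralException("Error: missing credentials.");
        }
        Identifier adminId = BasicIdentifier.newID(credentials[HeaderUtils.ID_INDEX]);
        OA2SE environment = getOA2SE();
        if (!environment.getAdminClientStore().containsKey(adminId)) {
            throw new GeneralException("Error: the given id of \"" + adminId + "\" is not recognized as an admin client.");
        }
        AdminClient adminClient = (AdminClient) environment.getAdminClientStore().get(adminId);
        String presentedSecret = credentials[HeaderUtils.SECRET_INDEX];
        if (presentedSecret == null || presentedSecret.isEmpty()) {
            throw new GeneralException("Error: missing secret.");
        }
        if (!environment.getClientApprovalStore().isApproved(adminId)) {
            ServletDebugUtil.trace(this, "Admin client \"" + adminId + "\" is not approved.");
            throw new GeneralException("error: This admin client has not been approved.");
        }
        if (!secretMatches(adminClient.getSecret(), presentedSecret)) {
            throw new GeneralException("error: client and secret do not match");
        }
        return adminClient;
    }

    /**
     * Compares a stored secret digest with the digest of a presented secret without leaking
     * timing information about where the two differ.
     *
     * <p>The digest is unsalted SHA-1 hex because that is the format this servlet stores
     * (see {@link #doIt}); changing it here would invalidate every existing credential.
     *
     * @param storedDigest    the digest on record, possibly {@code null}
     * @param presentedSecret the plaintext secret from the request
     * @return {@code true} only if both exist and their digests are byte-for-byte equal
     */
    private static boolean secretMatches(String storedDigest, String presentedSecret) {
        if (storedDigest == null) {
            return false;
        }
        byte[] expected = storedDigest.getBytes(StandardCharsets.UTF_8);
        byte[] actual = DigestUtils.sha1Hex(presentedSecret).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    /**
     * Registers a new client for the authenticated admin client (RFC 7591).
     *
     * <p>The admin's client quota is enforced before any state changes: a request is refused once
     * the admin already manages {@code getMaxClients()} clients. The plaintext secret appears
     * only in the response document; the store receives its SHA-1 hex digest. The new client is
     * auto-approved with the admin client recorded as approver.
     *
     * @throws GeneralException         if the quota is exhausted
     * @throws IllegalArgumentException if the body is a JSON array rather than an object
     */
    @Override
    protected void doIt(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Throwable {
        AdminClient adminClient = getAndCheckAdminClient(httpServletRequest);
        JSON payload = getPayload(httpServletRequest);
        // Registering adds one client, so refuse as soon as the current count reaches the maximum.
        if (adminClient.getMaxClients() <= getOA2SE().getPermissionStore().getClientCount(adminClient.getIdentifier())) {
            String message = "Error: Max client count of " + adminClient.getMaxClients() + " exceeded.";
            getMyLogger().info(message);
            throw new GeneralException(message);
        }
        DebugUtil.trace(this, payload.toString());
        if (payload.isArray()) {
            getMyLogger().info("Error: Got a JSON array rather than a request:" + payload);
            throw new IllegalArgumentException("Error: incorrect argument. Not a valid JSON request");
        }
        OA2Client newClient = processRegistrationRequest((JSONObject) payload, httpServletResponse);

        JSONObject response = new JSONObject();
        response.put("client_id", newClient.getIdentifierString());
        // The only place the plaintext secret is ever disclosed.
        response.put("client_secret", newClient.getSecret());
        response.put(OIDCCMConstants.CLIENT_ID_ISSUED_AT, Long.valueOf(newClient.getCreationTS().getTime() / 1000));
        response.put(OIDCCMConstants.CLIENT_SECRET_EXPIRES_AT, 0L);
        response.put(OIDCCMConstants.REGISTRATION_CLIENT_URI, registrationClientUri(newClient.getIdentifierString()));

        // Persist the digest, never the plaintext.
        newClient.setSecret(DigestUtils.sha1Hex(newClient.getSecret()));
        getOA2SE().getClientStore().save(newClient);
        getPermissionServer().addClient(new AddClientRequest(adminClient, newClient));

        ClientApproval approval = new ClientApproval(newClient.getIdentifier());
        approval.setApprovalTimestamp(new Date());
        approval.setApprover(adminClient.getIdentifierString());
        approval.setApproved(true);
        approval.setStatus(ClientApproval.Status.APPROVED);
        getOA2SE().getClientApprovalStore().save(approval);

        writeOK(httpServletResponse, response);
    }

    /**
     * Writes {@code json} as the 200 response body with content type {@code application/json}.
     * The status is set before the body is written, since it cannot be changed once the
     * response is committed.
     */
    private void writeOK(HttpServletResponse httpServletResponse, JSONObject json) throws IOException {
        httpServletResponse.setStatus(200);
        httpServletResponse.setContentType("application/json");
        httpServletResponse.getWriter().println(json.toString());
        httpServletResponse.getWriter().flush();
    }

    /**
     * Reads the whole request body and parses it as JSON.
     *
     * @return the parsed body, which may be an object or an array (callers check)
     * @throws IllegalArgumentException if the body is empty
     * @throws IOException              if the body cannot be read
     */
    protected JSON getPayload(HttpServletRequest httpServletRequest) throws IOException {
        DebugUtil.trace(this, "query=" + httpServletRequest.getQueryString());
        StringBuilder body = new StringBuilder();
        try (BufferedReader reader = httpServletRequest.getReader()) {
            String line = reader.readLine();
            DebugUtil.trace(this, "line=" + line);
            while (line != null) {
                body.append(line).append('\n');
                line = reader.readLine();
            }
        }
        if (body.length() == 0) {
            throw new IllegalArgumentException("Error: There is no content for this request");
        }
        return JSONSerializer.toJSON(body.toString());
    }

    /**
     * Looks up the client named by the {@code client_id} request parameter.
     *
     * @return the client, or {@code null} if the parameter is absent/empty or no such client exists
     */
    protected OA2Client getClient(HttpServletRequest httpServletRequest) {
        String clientId = httpServletRequest.getParameter("client_id");
        if (clientId == null || clientId.isEmpty()) {
            return null;
        }
        return (OA2Client) getOA2SE().getClientStore().get(BasicIdentifier.newID(clientId));
    }

    /**
     * Populates {@code client} from an RFC 7591 registration document, consuming the keys it
     * understands from {@code request} and storing whatever is left as extra attributes in the
     * client configuration.
     *
     * <p>Side effects on {@code client}: refresh-token lifetime, callback URIs, name, home URI,
     * token signing, scopes, a newly generated plaintext secret, contact email and config. Only
     * {@code application_type = "web"} is accepted; {@code redirect_uris} and {@code client_name}
     * are mandatory. Scopes are stored as given — nothing here checks them against the scopes
     * this server supports; TODO confirm that happens elsewhere.
     *
     * @param client              the client to fill in (modified in place and returned)
     * @param request             the registration document; keys are removed as they are consumed
     * @param httpServletResponse unused; kept for signature compatibility
     * @return {@code client}
     * @throws OA2GeneralError 400 on an unsupported application type or a missing required field
     */
    protected OA2Client updateClient(OA2Client client, JSONObject request, HttpServletResponse httpServletResponse) {
        OA2ClientKeys keys = new OA2ClientKeys();
        if (request.containsKey(OIDCCMConstants.APPLICATION_TYPE) && !request.getString(OIDCCMConstants.APPLICATION_TYPE).equals("web")) {
            throw new OA2GeneralError("Unsupported application type", OA2Errors.INVALID_REQUEST, "Unsupported application type", 400);
        }
        request.remove(OIDCCMConstants.APPLICATION_TYPE);

        // Refresh tokens are only enabled when grant_types asks for them; an explicit lifetime
        // wins over the server maximum. No grant_types at all disables refresh tokens.
        if (!request.containsKey(OIDCCMConstants.GRANT_TYPES)) {
            client.setRtLifetime(0L);
        } else if (request.getJSONArray(OIDCCMConstants.GRANT_TYPES).contains(OA2Constants.REFRESH_TOKEN)) {
            String rtLifetimeKey = keys.rtLifetime(new String[0]);
            if (request.containsKey(rtLifetimeKey)) {
                client.setRtLifetime(request.getLong(rtLifetimeKey));
            } else {
                client.setRtLifetime(getOA2SE().getMaxClientRefreshTokenLifetime());
            }
        }
        request.remove(OIDCCMConstants.GRANT_TYPES);

        if (!request.containsKey(OIDCCMConstants.REDIRECT_URIS)) {
            throw new OA2GeneralError("Error: Required parameter \"redirect_uris\" missing.", OA2Errors.INVALID_REQUEST, "Error: Required parameter \"redirect_uris\" missing.", 400);
        }
        client.setCallbackURIs(request.getJSONArray(OIDCCMConstants.REDIRECT_URIS));
        request.remove(OIDCCMConstants.REDIRECT_URIS);

        if (!request.containsKey(OIDCCMConstants.CLIENT_NAME)) {
            throw new OA2GeneralError("Error: no client name", OA2Errors.INVALID_REQUEST, 400);
        }
        client.setName(request.getString(OIDCCMConstants.CLIENT_NAME));
        request.remove(OIDCCMConstants.CLIENT_NAME);

        if (request.containsKey(OIDCCMConstants.CLIENT_URI)) {
            client.setHomeUri(request.getString(OIDCCMConstants.CLIENT_URI));
            request.remove(OIDCCMConstants.CLIENT_URI);
        } else {
            client.setHomeUri("");
        }
        client.setSignTokens(true);

        if (request.containsKey("scope")) {
            client.setScopes(request.getJSONArray("scope"));
        } else if (getOA2SE().isOIDCEnabled()) {
            // No scopes requested on an OIDC server: default to openid as a public client.
            client.getScopes().add(OA2Scopes.SCOPE_OPENID);
            client.setPublicClient(true);
        }
        request.remove("scope");

        // Fresh secret from SecureRandom; the caller decides whether to keep, hash or discard it.
        byte[] secretBytes = new byte[getOA2SE().getClientSecretLength()];
        this.random.nextBytes(secretBytes);
        client.setSecret(Base64.encodeBase64URLSafeString(secretBytes));

        JSONObject config = client.getConfig();
        if (config == null) {
            config = new JSONObject();
        }
        if (request.containsKey(OIDCCMConstants.CONTACTS)) {
            JSONArray contacts = request.getJSONArray(OIDCCMConstants.CONTACTS);
            ServletDebugUtil.info(this, "Multiple contacts addresses found " + contacts + "\n Only the first is used currently.");
            if (!contacts.isEmpty()) {
                client.setEmail(contacts.getString(0));
            }
            request.remove(OIDCCMConstants.CONTACTS);
        }
        // Anything not consumed above is kept verbatim as an extra attribute.
        OA2ClientConfigurationUtil.setExtraAttributes(config, request);
        client.setConfig(config);
        return client;
    }

    /**
     * Creates a brand-new client in the client store and fills it from a registration document.
     *
     * @see #updateClient(OA2Client, JSONObject, HttpServletResponse)
     */
    protected OA2Client processRegistrationRequest(JSONObject request, HttpServletResponse httpServletResponse) {
        return updateClient((OA2Client) getOA2SE().getClientStore().create(), request, httpServletResponse);
    }
}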
