package pl.edu.icm.unity.oauth.as;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationSuccessResponse;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.OIDCResponseTypeValue;
import com.nimbusds.openid.connect.sdk.claims.AccessTokenHash;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.CodeHash;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.MessageSource;
import pl.edu.icm.unity.engine.api.token.TokensManagement;
import pl.edu.icm.unity.engine.api.translation.out.TranslationResult;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.oauth.as.OAuthSystemAttributesProvider;
import pl.edu.icm.unity.oauth.as.OAuthToken;
import pl.edu.icm.unity.oauth.as.token.AccessTokenFactory;
import pl.edu.icm.unity.types.basic.Attribute;
import pl.edu.icm.unity.types.basic.DynamicAttribute;
import pl.edu.icm.unity.types.basic.EntityParam;
import pl.edu.icm.unity.types.basic.IdentityParam;
import pl.edu.icm.unity.types.basic.idpStatistic.IdpStatistic;

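/**
 * Authorization-endpoint back end of the OAuth2 / OpenID Connect authorization server.
 *
 * <p>Turns an already-authorized {@link OAuthAuthzContext} into the success response that is
 * redirected back to the client, and persists the server-side state belonging to what was issued:
 * the serialized {@link OAuthToken} (scopes, client, subject, userinfo JSON, PKCE challenge and,
 * when applicable, the signed ID token) is stored under {@link #INTERNAL_CODE_TOKEN} keyed by the
 * authorization code, and issued access tokens are handed to {@code OAuthTokenRepository}.
 *
 * <p>The static helpers ({@link #filterAttributes} and {@link #prepareUserInfoClaimSet}) are pure
 * mappings from Unity attributes to OAuth claims; only
 * {@link #prepareAuthzResponseAndRecordInternalState} has side effects (token stores, statistics).
 */
@Component
public class OAuthProcessor {
    /** Token type under which the state of a not-yet-exchanged authorization code is stored. */
    public static final String INTERNAL_CODE_TOKEN = "oauth2Code";
    /** Token type used for refresh tokens; not referenced by this class. */
    public static final String INTERNAL_REFRESH_TOKEN = "oauth2Refresh";
    /**
     * Seconds-to-milliseconds factor as a {@code long}: configured validities are multiplied by it
     * in 64-bit arithmetic, so a large (int) validity cannot overflow into a negative expiry.
     */
    private static final long MILLIS_PER_SECOND = 1000L;
    private final TokensManagement tokensMan;
    private final OAuthTokenRepository tokenDAO;

    /**
     * Creates the processor.
     *
     * @param tokensManagement store for pending authorization-code state
     * @param oAuthTokenRepository store for issued access tokens
     * @param applicationEventPublisher accepted for wiring compatibility; not used by this class
     * @param messageSource accepted for wiring compatibility; not used by this class
     */
    @Autowired
    public OAuthProcessor(TokensManagement tokensManagement, OAuthTokenRepository oAuthTokenRepository,
            ApplicationEventPublisher applicationEventPublisher, MessageSource messageSource) {
        this.tokensMan = tokensManagement;
        this.tokenDAO = oAuthTokenRepository;
    }

    /**
     * Selects the attributes that will be released to the client: those whose name is contained in
     * {@code set} and that {@link DefaultOAuthAttributeMapper} knows how to map to a claim.
     *
     * @param translationResult output of the output translation profile; its attributes are filtered
     * @param set names of the attributes the client may obtain
     * @return a new, mutable set of the matching attributes (possibly empty)
     */
    public static Set<DynamicAttribute> filterAttributes(TranslationResult translationResult, Set<String> set) {
        return filterUnsupportedAttributes(filterNotRequestedAttributes(translationResult, set));
    }

    /**
     * Builds the authorization success response for the context's grant flow and records the
     * internal state that later processing depends on.
     *
     * <p>Common part: an {@link OAuthToken} is populated from the context (effective and requested
     * scopes, client identity, redirect URI, subject, validities, audience = client username plus
     * additional audiences, issuer, client type, and the PKCE {@code code_challenge}/method exactly
     * as the client sent them), and the userinfo claim set of the released attributes is serialized
     * into it. An ID token claim set is prepared only when the context is in OpenID mode.
     *
     * <p>Per flow:
     * <ul>
     * <li>{@code authorizationCode}: a fresh (Nimbus-generated) code is issued and the serialized
     * token is stored under {@link #INTERNAL_CODE_TOKEN}, keyed by the code value, for the configured
     * code validity. No statistic is reported here.
     * <li>{@code implicit}: for a response type of exactly {@code id_token} only the signed ID token
     * is returned; nothing is stored and no statistic is reported. Otherwise an access token is
     * created, bound to the ID token through {@code at_hash}, reported, stored and returned.
     * <li>{@code openidHybrid}: a code is issued and stored ({@code c_hash} is added to the ID token
     * first); when the response type also contains {@code token}, an access token is created,
     * {@code at_hash} is added, the access token is reported and stored, and both are returned.
     * </ul>
     *
     * @param collection attributes already filtered for release (see {@link #filterAttributes})
     * @param identityParam the authenticated user's identity; its value becomes {@code sub}
     * @param oAuthAuthzContext the validated authorization request and server configuration
     * @param oAuthIdpStatisticReporter receives a SUCCESSFUL status when an access token is issued
     * @return the response to redirect the user agent with, or {@code null} when the context's flow is
     *         none of the three handled flows — callers must treat {@code null} as a failure
     * @throws EngineException propagated from the token stores
     * @throws JsonProcessingException presumably from serializing the {@link OAuthToken}
     * @throws ParseException propagated from claim-set handling
     * @throws JOSEException propagated from ID token signing
     */
    public AuthorizationSuccessResponse prepareAuthzResponseAndRecordInternalState(Collection<DynamicAttribute> collection,
            IdentityParam identityParam, OAuthAuthzContext oAuthAuthzContext,
            OAuthIdpStatisticReporter oAuthIdpStatisticReporter)
            throws EngineException, JsonProcessingException, ParseException, JOSEException {
        OAuthASProperties config = oAuthAuthzContext.getConfig();
        AuthenticationRequest request = oAuthAuthzContext.getRequest();

        OAuthToken internalToken = new OAuthToken();
        internalToken.setEffectiveScope(oAuthAuthzContext.getEffectiveRequestedScopesList());
        internalToken.setRequestedScope(oAuthAuthzContext.getRequestedScopes().stream().toArray(String[]::new));
        internalToken.setClientId(oAuthAuthzContext.getClientEntityId());
        internalToken.setRedirectUri(oAuthAuthzContext.getReturnURI().toASCIIString());
        internalToken.setClientName(oAuthAuthzContext.getClientName());
        internalToken.setClientUsername(oAuthAuthzContext.getClientUsername());
        internalToken.setSubject(identityParam.getValue());
        internalToken.setMaxExtendedValidity(config.getMaxExtendedAccessTokenValidity());
        internalToken.setTokenValidity(config.getAccessTokenValidity());
        // aud = the client itself followed by any additional audiences carried by the context
        List<String> audience = Stream.concat(Stream.of(oAuthAuthzContext.getClientUsername()),
                oAuthAuthzContext.getAdditionalAudience().stream()).collect(Collectors.toList());
        internalToken.setAudience(audience);
        internalToken.setIssuerUri(config.getIssuerName());
        internalToken.setClientType(oAuthAuthzContext.getClientType());
        // PKCE: the challenge and method travel with the code state (null when the client sent none);
        // presumably checked against code_verifier at the token endpoint — verify there
        internalToken.setPkcsInfo(new OAuthToken.PKCSInfo(
                request.getCodeChallenge() == null ? null : request.getCodeChallenge().getValue(),
                request.getCodeChallengeMethod() == null ? null : request.getCodeChallengeMethod().getValue()));

        Date now = new Date();
        ResponseType responseType = request.getResponseType();
        internalToken.setResponseType(responseType.toString());
        UserInfo userInfo = prepareUserInfoClaimSet(identityParam.getValue(), collection);
        internalToken.setUserInfo(userInfo.toJSONObject().toJSONString());
        Optional<IDTokenClaimsSet> idTokenClaims = generateIdTokenIfRequested(config, oAuthAuthzContext,
                responseType, internalToken, identityParam, userInfo, now);

        TokenSigner tokenSigner = config.getTokenSigner();
        // NOTE(review): without PKI the algorithm handed to the at_hash/c_hash computation is null —
        // confirm that AccessTokenHash.compute / CodeHash.compute behave acceptably in that case
        JWSAlgorithm signingAlgorithm = tokenSigner.isPKIEnabled() ? tokenSigner.getSigningAlgorithm() : null;
        Curve curve = tokenSigner.getCurve();
        AccessTokenFactory accessTokenFactory = new AccessTokenFactory(config);

        if (OAuthSystemAttributesProvider.GrantFlow.authorizationCode == oAuthAuthzContext.getFlow()) {
            AuthorizationCode code = new AuthorizationCode();
            internalToken.setAuthzCode(code.getValue());
            // signs the ID token (when present) into the stored state; the client receives only the code
            signAndRecordIdToken(idTokenClaims, tokenSigner, responseType, internalToken);
            AuthorizationSuccessResponse response = new AuthorizationSuccessResponse(oAuthAuthzContext.getReturnURI(),
                    code, (AccessToken) null, request.getState(), request.impliedResponseMode());
            this.tokensMan.addToken(INTERNAL_CODE_TOKEN, code.getValue(), new EntityParam(identityParam),
                    internalToken.getSerialized(), now, expiresAfter(now, config.getCodeTokenValidity()));
            return response;
        }

        if (OAuthSystemAttributesProvider.GrantFlow.implicit == oAuthAuthzContext.getFlow()) {
            if (isIdTokenOnly(responseType)) {
                // response_type=id_token: no access token exists, so nothing is stored and no statistic is reported
                JWT idToken = signAndRecordIdToken(idTokenClaims, tokenSigner, responseType, internalToken).orElse(null);
                return new AuthenticationSuccessResponse(oAuthAuthzContext.getReturnURI(), (AuthorizationCode) null,
                        idToken, (AccessToken) null, request.getState(), (State) null, request.impliedResponseMode());
            }
            AccessToken accessToken = accessTokenFactory.create(internalToken, now);
            internalToken.setAccessToken(accessToken.getValue());
            // at_hash binds the issued access token to the ID token before the latter is signed
            addAccessTokenHashIfNeededToIdToken(idTokenClaims, accessToken, signingAlgorithm, responseType, curve);
            Optional<JWT> idToken = signAndRecordIdToken(idTokenClaims, tokenSigner, responseType, internalToken);
            Date accessTokenExpiry = expiresAfter(now, config.getAccessTokenValidity());
            AuthenticationSuccessResponse response = new AuthenticationSuccessResponse(oAuthAuthzContext.getReturnURI(),
                    (AuthorizationCode) null, idToken.orElse(null), accessToken, request.getState(), (State) null,
                    request.impliedResponseMode());
            oAuthIdpStatisticReporter.reportStatus(oAuthAuthzContext, IdpStatistic.Status.SUCCESSFUL);
            this.tokenDAO.storeAccessToken(accessToken, internalToken, new EntityParam(identityParam), now, accessTokenExpiry);
            return response;
        }

        if (OAuthSystemAttributesProvider.GrantFlow.openidHybrid == oAuthAuthzContext.getFlow()) {
            AuthorizationCode code = new AuthorizationCode();
            internalToken.setAuthzCode(code.getValue());
            Date codeExpiry = expiresAfter(now, config.getCodeTokenValidity());
            addCodeHashIfNeededToIdToken(idTokenClaims, code, signingAlgorithm, responseType, curve);
            // the state stored under the code carries the ID token as signed at this point: with c_hash,
            // but (by ordering) before any at_hash is added below
            signAndRecordIdToken(idTokenClaims, tokenSigner, responseType, internalToken);
            this.tokensMan.addToken(INTERNAL_CODE_TOKEN, code.getValue(), new EntityParam(identityParam),
                    internalToken.getSerialized(), now, codeExpiry);
            AccessToken accessToken = null;
            if (responseType.contains(ResponseType.Value.TOKEN)) {
                accessToken = accessTokenFactory.create(internalToken, now);
                internalToken.setAccessToken(accessToken.getValue());
                Date accessTokenExpiry = expiresAfter(now, config.getAccessTokenValidity());
                addAccessTokenHashIfNeededToIdToken(idTokenClaims, accessToken, signingAlgorithm, responseType, curve);
                // signed again so the stored access-token record holds the at_hash-bearing ID token
                signAndRecordIdToken(idTokenClaims, tokenSigner, responseType, internalToken);
                oAuthIdpStatisticReporter.reportStatus(oAuthAuthzContext, IdpStatistic.Status.SUCCESSFUL);
                this.tokenDAO.storeAccessToken(accessToken, internalToken, new EntityParam(identityParam), now, accessTokenExpiry);
            }
            // signed once more for the response itself; every call overwrites the token's serialized ID token
            JWT idToken = signAndRecordIdToken(idTokenClaims, tokenSigner, responseType, internalToken).orElse(null);
            return new AuthenticationSuccessResponse(oAuthAuthzContext.getReturnURI(), code, idToken, accessToken,
                    request.getState(), (State) null, request.impliedResponseMode());
        }

        // no handled flow matched: the established contract of this method is to return null
        return null;
    }

    /**
     * Computes an expiry instant {@code validitySeconds} after {@code start}, in {@code long}
     * arithmetic so that a large validity cannot overflow.
     *
     * @param start reference instant
     * @param validitySeconds validity in seconds (an {@code int} getter result widens here)
     * @return {@code start + validitySeconds}
     */
    private static Date expiresAfter(Date start, long validitySeconds) {
        return new Date(start.getTime() + validitySeconds * MILLIS_PER_SECOND);
    }

    /**
     * Whether the response type is exactly {@code id_token}, i.e. the client receives neither a code
     * nor an access token.
     */
    private static boolean isIdTokenOnly(ResponseType responseType) {
        return responseType.contains(OIDCResponseTypeValue.ID_TOKEN) && responseType.size() == 1;
    }

    /**
     * Prepares the ID token claim set when the context is in OpenID mode.
     *
     * <p>{@code oAuthASProperties} and {@code responseType} are accepted but not used; the audience
     * is read from {@code oAuthToken}.
     *
     * @return the claim set, or empty when the request is not an OpenID request
     */
    private Optional<IDTokenClaimsSet> generateIdTokenIfRequested(OAuthASProperties oAuthASProperties,
            OAuthAuthzContext oAuthAuthzContext, ResponseType responseType, OAuthToken oAuthToken,
            IdentityParam identityParam, UserInfo userInfo, Date date) throws ParseException, JOSEException {
        if (!oAuthAuthzContext.isOpenIdMode()) {
            return Optional.empty();
        }
        return Optional.of(prepareIdInfoClaimSet(identityParam.getValue(), oAuthToken.getAudience(),
                oAuthAuthzContext, userInfo, date));
    }

    /**
     * Signs the ID token claims (if any) and stores the serialized JWT on {@code oAuthToken}.
     *
     * <p>Calling this repeatedly signs again and overwrites the stored value each time.
     *
     * @return the signed JWT when the response type contains {@code id_token} (i.e. it is to be
     *         returned to the client now), otherwise empty — the token still records it
     */
    private Optional<JWT> signAndRecordIdToken(Optional<IDTokenClaimsSet> optional, TokenSigner tokenSigner,
            ResponseType responseType, OAuthToken oAuthToken) throws ParseException, JOSEException {
        if (!optional.isPresent()) {
            return Optional.empty();
        }
        JWT signed = tokenSigner.sign(optional.get());
        oAuthToken.setOpenidToken(signed.serialize());
        return responseType.contains(OIDCResponseTypeValue.ID_TOKEN) ? Optional.of(signed) : Optional.empty();
    }

    /**
     * Keeps only the attributes that {@link DefaultOAuthAttributeMapper} can map to a claim.
     *
     * @return a new, mutable set
     */
    private static Set<DynamicAttribute> filterUnsupportedAttributes(Set<DynamicAttribute> set) {
        DefaultOAuthAttributeMapper mapper = new DefaultOAuthAttributeMapper();
        return set.stream()
                .filter(candidate -> mapper.isHandled(candidate.getAttribute()))
                .collect(Collectors.toCollection(HashSet::new));
    }

    /**
     * Keeps only the translation-result attributes whose name is in {@code set}.
     *
     * @return a new, mutable set
     */
    private static Set<DynamicAttribute> filterNotRequestedAttributes(TranslationResult translationResult, Set<String> set) {
        Collection<DynamicAttribute> attributes = translationResult.getAttributes();
        return attributes.stream()
                .filter(candidate -> set.contains(candidate.getAttribute().getName()))
                .collect(Collectors.toCollection(HashSet::new));
    }

    /**
     * Builds the ID token claims: {@code iss} from configuration, {@code sub}, the non-null audiences,
     * {@code exp} = {@code date} + configured ID token validity, {@code iat} = {@code date}.
     *
     * <p>The userinfo claims are copied into the ID token only for a response type of exactly
     * {@code id_token} — the case in which the client gets no access token to call the userinfo
     * endpoint with (this matches OpenID Connect Core's rule for that response type — confirm against
     * the spec text if it matters). {@code nonce} is echoed when the request carried one.
     *
     * @param str subject value
     * @param list audience values; {@code null} entries are dropped
     * @param claimsSet the userinfo claims that may be merged in
     * @param date issue time
     */
    private IDTokenClaimsSet prepareIdInfoClaimSet(String str, List<String> list, OAuthAuthzContext oAuthAuthzContext,
            ClaimsSet claimsSet, Date date) {
        AuthenticationRequest request = oAuthAuthzContext.getRequest();
        OAuthASProperties config = oAuthAuthzContext.getConfig();
        List<Audience> audience = list.stream()
                .filter(Objects::nonNull)
                .map(Audience::new)
                .collect(Collectors.toList());
        IDTokenClaimsSet claims = new IDTokenClaimsSet(new Issuer(config.getIssuerName()), new Subject(str),
                audience, expiresAfter(date, config.getIdTokenValidity()), date);
        if (isIdTokenOnly(request.getResponseType())) {
            claims.putAll(claimsSet);
        }
        if (request.getNonce() != null) {
            claims.setNonce(request.getNonce());
        }
        return claims;
    }

    /**
     * Adds {@code at_hash} for {@code accessToken} to the ID token claims, unless there are no claims
     * or the response type is exactly {@code id_token} (no access token is returned alongside it).
     */
    private void addAccessTokenHashIfNeededToIdToken(Optional<IDTokenClaimsSet> optional, AccessToken accessToken,
            JWSAlgorithm jWSAlgorithm, ResponseType responseType, Curve curve) {
        if (!optional.isPresent() || isIdTokenOnly(responseType)) {
            return;
        }
        optional.get().setAccessTokenHash(AccessTokenHash.compute(accessToken, jWSAlgorithm, curve));
    }

    /**
     * Adds {@code c_hash} for {@code authorizationCode} to the ID token claims when the response type
     * contains both {@code id_token} and {@code code}; a no-op otherwise.
     */
    private void addCodeHashIfNeededToIdToken(Optional<IDTokenClaimsSet> optional, AuthorizationCode authorizationCode,
            JWSAlgorithm jWSAlgorithm, ResponseType responseType, Curve curve) {
        boolean codeWithIdToken = responseType.contains(OIDCResponseTypeValue.ID_TOKEN)
                && responseType.contains(ResponseType.Value.CODE);
        if (!codeWithIdToken) {
            return;
        }
        optional.ifPresent(claims -> claims.setCodeHash(CodeHash.compute(authorizationCode, jWSAlgorithm, curve)));
    }

    /**
     * Builds the userinfo claim set: {@code sub} = {@code str} plus one claim per attribute that
     * {@link DefaultOAuthAttributeMapper} handles, with key and value supplied by the mapper.
     *
     * @param str subject value
     * @param collection attributes to expose (unhandled ones are skipped silently)
     */
    public static UserInfo prepareUserInfoClaimSet(String str, Collection<DynamicAttribute> collection) {
        UserInfo userInfo = new UserInfo(new Subject(str));
        DefaultOAuthAttributeMapper mapper = new DefaultOAuthAttributeMapper();
        for (DynamicAttribute dynamicAttribute : collection) {
            Attribute attribute = dynamicAttribute.getAttribute();
            if (mapper.isHandled(attribute)) {
                userInfo.setClaim(mapper.getJsonKey(attribute), mapper.getJsonValue(attribute));
            }
        }
        return userInfo;
    }
}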
