package pl.edu.icm.unity.oauth.as.webauthz;

import com.google.common.collect.Sets;
import com.nimbusds.oauth2.sdk.AuthorizationRequest;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.client.ClientType;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.OIDCResponseTypeValue;
import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
import com.nimbusds.openid.connect.sdk.Prompt;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.logging.log4j.Logger;
import org.springframework.util.AntPathMatcher;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.AttributesManagement;
import pl.edu.icm.unity.engine.api.EntityManagement;
import pl.edu.icm.unity.oauth.as.OAuthASProperties;
import pl.edu.icm.unity.oauth.as.OAuthAuthzContext;
import pl.edu.icm.unity.oauth.as.OAuthRequestValidator;
import pl.edu.icm.unity.oauth.as.OAuthScope;
import pl.edu.icm.unity.oauth.as.OAuthScopesService;
import pl.edu.icm.unity.oauth.as.OAuthSystemAttributesProvider;
import pl.edu.icm.unity.oauth.as.OAuthSystemScopeProvider;
import pl.edu.icm.unity.oauth.as.OAuthValidationException;
import pl.edu.icm.unity.types.basic.AttributeExt;
import pl.edu.icm.unity.types.basic.EntityParam;
import pl.edu.icm.unity.types.basic.IdentityTaV;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:pl/edu/icm/unity/oauth/as/webauthz/OAuthWebRequestValidator.class */
public class OAuthWebRequestValidator {
    private static final Logger log = Log.getLogger("unity.server.oauth", OAuthWebRequestValidator.class);
    private static final Set<ResponseType.Value> KNOWN_RESPONSE_TYPES = Sets.newHashSet(new ResponseType.Value[]{ResponseType.Value.CODE, ResponseType.Value.TOKEN, OIDCResponseTypeValue.ID_TOKEN});
    private OAuthASProperties oauthConfig;
    private EntityManagement identitiesMan;
    private OAuthRequestValidator baseRequestValidator;

    public OAuthWebRequestValidator(OAuthASProperties oAuthASProperties, EntityManagement entityManagement, AttributesManagement attributesManagement, OAuthScopesService oAuthScopesService) {
        this.oauthConfig = oAuthASProperties;
        this.identitiesMan = entityManagement;
        this.baseRequestValidator = new OAuthRequestValidator(oAuthASProperties, entityManagement, attributesManagement, oAuthScopesService);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void validate(OAuthAuthzContext oAuthAuthzContext) throws OAuthValidationException {
        AuthorizationRequest request = oAuthAuthzContext.getRequest();
        String value = request.getClientID().getValue();
        EntityParam entityParam = new EntityParam(new IdentityTaV("userName", value));
        try {
            oAuthAuthzContext.setClientEntityId(this.identitiesMan.getEntity(entityParam).getId().longValue());
            oAuthAuthzContext.setClientUsername(value);
            this.baseRequestValidator.validateGroupMembership(entityParam, value);
            Map<String, AttributeExt> attributesNoAuthZ = this.baseRequestValidator.getAttributesNoAuthZ(entityParam);
            AttributeExt attributeExt = attributesNoAuthZ.get(OAuthSystemAttributesProvider.ALLOWED_RETURN_URI);
            AttributeExt attributeExt2 = attributesNoAuthZ.get(OAuthSystemAttributesProvider.CLIENT_NAME);
            AttributeExt attributeExt3 = attributesNoAuthZ.get(OAuthSystemAttributesProvider.CLIENT_LOGO);
            AttributeExt attributeExt4 = attributesNoAuthZ.get(OAuthSystemAttributesProvider.PER_CLIENT_GROUP);
            AttributeExt attributeExt5 = attributesNoAuthZ.get(OAuthSystemAttributesProvider.CLIENT_TYPE);
            if (attributeExt5 != null) {
                oAuthAuthzContext.setClientType(ClientType.valueOf((String) attributeExt5.getValues().get(0)));
            } else {
                oAuthAuthzContext.setClientType(ClientType.CONFIDENTIAL);
            }
            if (attributeExt == null || attributeExt.getValues().isEmpty()) {
                throw new OAuthValidationException("The '" + value + "' has no authorized redirect URI(s) defined");
            }
            LinkedHashSet linkedHashSet = new LinkedHashSet();
            Iterator it = attributeExt.getValues().iterator();
            while (it.hasNext()) {
                linkedHashSet.add(it.next().toString());
            }
            validateFlowAndMode(request, this.baseRequestValidator.getAllowedFlows(attributesNoAuthZ), value, oAuthAuthzContext);
            URI redirectionURI = request.getRedirectionURI();
            validateReturnURI(redirectionURI, linkedHashSet, value, oAuthAuthzContext.getClientType());
            if (redirectionURI != null) {
                oAuthAuthzContext.setReturnURI(redirectionURI);
            } else {
                String next = linkedHashSet.iterator().next();
                try {
                    oAuthAuthzContext.setReturnURI(new URI(next));
                } catch (URISyntaxException e) {
                    log.error("The URI configured for the client '" + value + "' is invalid: " + next, e);
                    throw new OAuthValidationException("The URI configured for the client '" + value + "' is invalid: " + next);
                }
            }
            if (attributeExt3 != null) {
                oAuthAuthzContext.setClientLogo(attributeExt3);
            }
            if (attributeExt2 != null) {
                oAuthAuthzContext.setClientName((String) attributeExt2.getValues().get(0));
            }
            if (attributeExt4 != null) {
                oAuthAuthzContext.setUsersGroup((String) attributeExt4.getValues().get(0));
            } else {
                oAuthAuthzContext.setUsersGroup(this.oauthConfig.getValue(OAuthASProperties.USERS_GROUP));
            }
            oAuthAuthzContext.setTranslationProfile(this.oauthConfig.getOutputTranslationProfile());
            validateAndRecordPrompt(oAuthAuthzContext, request);
            validateAndRecordScopes(attributesNoAuthZ, oAuthAuthzContext, request);
            validateAndRecordResources(oAuthAuthzContext, request);
            if (oAuthAuthzContext.getClientType() == ClientType.PUBLIC) {
                validatePKCEIsUsedForCodeFlow(request, value);
            }
        } catch (IllegalArgumentException e2) {
            throw new OAuthValidationException("The client '" + value + "' is unknown");
        } catch (Exception e3) {
            log.error("Problem retrieving identity of the OAuth client", e3);
            throw new OAuthValidationException("Internal error, can not retrieve OAuth client's data");
        }
    }

    private void validateAndRecordResources(OAuthAuthzContext oAuthAuthzContext, AuthorizationRequest authorizationRequest) {
        if (authorizationRequest.getResources() == null) {
            return;
        }
        oAuthAuthzContext.setAdditionalAudience((List) authorizationRequest.getResources().stream().filter(uri -> {
            return uri != null;
        }).map(uri2 -> {
            return uri2.toASCIIString();
        }).collect(Collectors.toList()));
    }

    private void validateAndRecordPrompt(OAuthAuthzContext oAuthAuthzContext, AuthorizationRequest authorizationRequest) throws OAuthValidationException {
        if (authorizationRequest.getPrompt() != null) {
            Prompt prompt = authorizationRequest.getPrompt();
            if (prompt.contains(Prompt.Type.SELECT_ACCOUNT) || prompt.contains(Prompt.Type.CREATE)) {
                throw new OAuthValidationException("Prompt " + prompt + " is not supported");
            }
            prompt.forEach(type -> {
                oAuthAuthzContext.addPrompt(OAuthAuthzContext.Prompt.valueOf(type.toString().toUpperCase()));
            });
        }
    }

    private void validateAndRecordScopes(Map<String, AttributeExt> map, OAuthAuthzContext oAuthAuthzContext, AuthorizationRequest authorizationRequest) throws OAuthValidationException {
        Scope scope = authorizationRequest.getScope();
        if (scope != null) {
            List<OAuthScope> validRequestedScopes = this.baseRequestValidator.getValidRequestedScopes(map, scope);
            Optional<OAuthScope> findAny = validRequestedScopes.stream().filter(oAuthScope -> {
                return oAuthScope.name.equals(OAuthSystemScopeProvider.OFFLINE_ACCESS_SCOPE);
            }).findAny();
            if (!findAny.isEmpty() && !oAuthAuthzContext.getPrompts().contains(OAuthAuthzContext.Prompt.CONSENT)) {
                log.info("Client requested " + OAuthSystemScopeProvider.OFFLINE_ACCESS_SCOPE + " with scope, but the prompt parameter does not contain 'consent', ignore offline_access scope");
                validRequestedScopes.remove(findAny.get());
            }
            assertScopeSupportedByServer(OIDCScopeValue.OPENID, scope, validRequestedScopes);
            validRequestedScopes.forEach(oAuthScope2 -> {
                oAuthAuthzContext.addEffectiveScopeInfo(oAuthScope2);
            });
            scope.forEach(value -> {
                oAuthAuthzContext.addRequestedScope(value.getValue());
            });
        }
    }

    private void assertScopeSupportedByServer(OIDCScopeValue oIDCScopeValue, Scope scope, List<OAuthScope> list) throws OAuthValidationException {
        boolean contains = scope.contains(oIDCScopeValue.getValue());
        boolean isPresent = list.stream().filter(oAuthScope -> {
            return oAuthScope.name.equals(oIDCScopeValue.getValue());
        }).findAny().isPresent();
        if (contains && !isPresent) {
            throw new OAuthValidationException("Client requested " + oIDCScopeValue.getValue() + " with scope, which is not enabled on this server");
        }
    }

    private void validatePKCEIsUsedForCodeFlow(AuthorizationRequest authorizationRequest, String str) throws OAuthValidationException {
        if (authorizationRequest.getResponseType().contains(ResponseType.Value.CODE) && authorizationRequest.getCodeChallenge() == null) {
            throw new OAuthValidationException("The public client '" + str + "' must use PKCE Oauth extension for security reasons, while no challenge found");
        }
    }

    private void validateReturnURI(URI uri, Set<String> set, String str, ClientType clientType) throws OAuthValidationException {
        if (uri == null) {
            return;
        }
        String uri2 = uri.toString();
        try {
            URI uri3 = new URI(uri2);
            if (clientType == ClientType.PUBLIC) {
                if (allowedLoopbackURI(uri3, set)) {
                    return;
                } else {
                    assertPrivateUseURIIsSane(uri3);
                }
            }
            if (this.oauthConfig.getBooleanValue(OAuthASProperties.ALLOW_FOR_WILDCARDS_IN_ALLOWED_URI).booleanValue()) {
                AntPathMatcher antPathMatcher = new AntPathMatcher();
                Iterator<String> it = set.iterator();
                while (it.hasNext()) {
                    if (antPathMatcher.match(it.next(), uri2)) {
                        return;
                    }
                }
            } else if (set.contains(uri2)) {
                return;
            }
            throw new OAuthValidationException("The '" + str + "' requested to use a not registered response redirection URI: " + uri);
        } catch (URISyntaxException e) {
            log.warn("Requested URI parsing problem", e);
            throw new OAuthValidationException("The requested return address '" + uri2 + "' can not be parsed as URI");
        }
    }

    private void assertPrivateUseURIIsSane(URI uri) throws OAuthValidationException {
        String scheme = uri.getScheme();
        if (!scheme.equals("http") && !scheme.equals("https") && !scheme.contains(".")) {
            throw new OAuthValidationException("The requested return URI seems to be private use URI, but has no mandatory dot in it: '" + scheme + "'");
        }
    }

    private boolean allowedLoopbackURI(URI uri, Set<String> set) throws OAuthValidationException {
        String host = uri.getHost();
        String scheme = uri.getScheme();
        if (host == null || scheme == null) {
            return false;
        }
        if (!host.equals("127.0.0.1") && ((!host.equals("[::1]") || !scheme.equals("http")) && !scheme.equals("https"))) {
            return false;
        }
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            if (verifyIfMatchingLoopbackURIs(uri, it.next())) {
                return true;
            }
        }
        return false;
    }

    private boolean verifyIfMatchingLoopbackURIs(URI uri, String str) {
        try {
            URI uri2 = new URI(str);
            if (uri2.getScheme().equals("http") || uri2.getScheme().equals("https")) {
                return (uri2.getHost().equals("127.0.0.1") || uri2.getHost().equals("[::1]")) && uri2.getPath().equals(uri.getPath());
            }
            return false;
        } catch (URISyntaxException e) {
            log.warn("The configured allowed URI '" + str + "' can not be parsed as URI", e);
            return false;
        }
    }

    private void validateFlowAndMode(AuthorizationRequest authorizationRequest, Set<OAuthSystemAttributesProvider.GrantFlow> set, String str, OAuthAuthzContext oAuthAuthzContext) throws OAuthValidationException {
        ResponseType responseType = authorizationRequest.getResponseType();
        Scope scope = authorizationRequest.getScope();
        oAuthAuthzContext.setOpenIdMode(scope != null && scope.contains(OIDCScopeValue.OPENID));
        if (oAuthAuthzContext.isOpenIdMode()) {
            if (responseType.contains(ResponseType.Value.TOKEN) && responseType.size() == 1) {
                throw new OAuthValidationException("The OpenID Connect mode implied by the requested 'openid' scope can not be used with the 'token' response type - it makes no sense");
            }
            if (!(authorizationRequest instanceof AuthenticationRequest)) {
                throw new OAuthValidationException("The OpenID Connect mode implied by the requested 'openid' scope was used with non OIDC compliant, plain OOAuth request");
            }
        } else if (responseType.contains(OIDCResponseTypeValue.ID_TOKEN)) {
            throw new OAuthValidationException("The 'openid' scope was not requested and the 'id_token' response type was what is an invalid combination");
        }
        Sets.SetView difference = Sets.difference(responseType, KNOWN_RESPONSE_TYPES);
        if (!difference.isEmpty()) {
            throw new OAuthValidationException("The following response type(s) is(are) not supported: " + difference);
        }
        if (!responseType.contains(ResponseType.Value.CODE)) {
            oAuthAuthzContext.setFlow(OAuthSystemAttributesProvider.GrantFlow.implicit);
        } else if (responseType.size() == 1) {
            oAuthAuthzContext.setFlow(OAuthSystemAttributesProvider.GrantFlow.authorizationCode);
        } else {
            oAuthAuthzContext.setFlow(OAuthSystemAttributesProvider.GrantFlow.openidHybrid);
            if (!oAuthAuthzContext.isOpenIdMode()) {
                throw new OAuthValidationException("The OpenID Connect mode implied by the requested hybrid flow must use the 'openid' scope");
            }
        }
        if (!set.contains(oAuthAuthzContext.getFlow())) {
            throw new OAuthValidationException("The '" + str + "' is not authorized to use the '" + oAuthAuthzContext.getFlow() + "' grant flow.");
        }
    }
}
