package pl.edu.icm.unity.oauth.as.token;

import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.client.ClientType;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.authn.LoginSession;
import pl.edu.icm.unity.engine.api.idp.EntityInGroup;
import pl.edu.icm.unity.engine.api.idp.IdPEngine;
import pl.edu.icm.unity.engine.api.translation.out.TranslationResult;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.oauth.as.OAuthASProperties;
import pl.edu.icm.unity.oauth.as.OAuthAuthzContext;
import pl.edu.icm.unity.oauth.as.OAuthProcessor;
import pl.edu.icm.unity.oauth.as.OAuthRequestValidator;
import pl.edu.icm.unity.oauth.as.OAuthSystemAttributesProvider;
import pl.edu.icm.unity.oauth.as.OAuthToken;
import pl.edu.icm.unity.oauth.as.OAuthValidationException;
import pl.edu.icm.unity.types.basic.AttributeExt;
import pl.edu.icm.unity.types.basic.EntityParam;

/* loaded from: input_file:pl/edu/icm/unity/oauth/as/token/ClientCredentialsProcessor.class */
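/**
 * Issues access tokens for the OAuth2 client credentials grant.
 *
 * <p>The caller must already hold a login session for the client (taken from
 * {@link InvocationContext}); this class only checks that the client is in the
 * required group and is allowed to use the {@code client} grant flow, then
 * builds the {@link OAuthToken} with the effective scope, client metadata,
 * validity settings and the user-info claim set for the client entity.
 *
 * <p>Error details are logged server-side; clients only ever see the generic
 * {@code "Internal error"} message for server-side failures.
 */
public class ClientCredentialsProcessor {
    // NOTE(review): the logger is registered under AccessTokenResource rather than this
    // class; kept unchanged so existing log configuration keyed on that name still applies.
    private static final Logger log = Log.getLogger("unity.server.oauth", AccessTokenResource.class);
    private final OAuthRequestValidator requestValidator;
    private final IdPEngine idpEngine;
    private final OAuthASProperties config;

    /**
     * @param oAuthRequestValidator validates group membership, allowed flows and requested scopes
     * @param idPEngine resolves the client's user information (attributes) for the token
     * @param oAuthASProperties authorization server configuration (validity, groups, profile)
     */
    public ClientCredentialsProcessor(OAuthRequestValidator oAuthRequestValidator, IdPEngine idPEngine, OAuthASProperties oAuthASProperties) {
        this.requestValidator = oAuthRequestValidator;
        this.idpEngine = idPEngine;
        this.config = oAuthASProperties;
    }

    /**
     * Builds an access token for the currently authenticated client.
     *
     * @param requestedScopes the raw {@code scope} request parameter; {@code null} or empty
     *        means no scopes were requested and no scope-bound attributes are released
     * @return a populated token; the user-info claim set is serialized as JSON
     * @throws OAuthValidationException if the client is not in the required group, is not
     *         authorized for the client credentials flow, its session carries no
     *         authenticated identity, its client-type attribute is malformed, or user
     *         information cannot be obtained (the latter cases are logged with details and
     *         reported to the client as a generic "Internal error")
     */
    public OAuthToken processClientFlowRequest(String requestedScopes) throws OAuthValidationException {
        LoginSession session = InvocationContext.getCurrent().getLoginSession();
        EntityParam clientEntity = currentClientEntity(session);
        String clientUsername = firstAuthenticatedIdentity(session);

        // Authorization gate: membership in the clients group and an explicit allowance
        // of the client grant flow are both required before any token is assembled.
        requestValidator.validateGroupMembership(clientEntity, clientUsername);
        Map<String, AttributeExt> clientAttributes = requestValidator.getAttributesNoAuthZ(clientEntity);
        if (!requestValidator.getAllowedFlows(clientAttributes).contains(OAuthSystemAttributesProvider.GrantFlow.client)) {
            throw new OAuthValidationException("The '" + clientUsername + "' is not authorized to use the '"
                    + OAuthSystemAttributesProvider.GrantFlow.client + "' grant flow.");
        }

        OAuthToken token = new OAuthToken();
        Set<String> releasedAttributes = establishFlowsAndAttributes(token, requestedScopes, clientAttributes);
        // In this grant the client is also the subject of the token.
        token.setClientId(session.getEntityId());
        token.setClientUsername(clientUsername);
        token.setSubject(clientUsername);
        token.setClientType(resolveClientType(clientAttributes));
        token.setTokenValidity(config.getIntValue(OAuthASProperties.ACCESS_TOKEN_VALIDITY).intValue());
        // 0 means the token validity may not be extended beyond the base validity.
        token.setMaxExtendedValidity(config.isSet(OAuthASProperties.MAX_EXTEND_ACCESS_TOKEN_VALIDITY)
                ? config.getIntValue(OAuthASProperties.MAX_EXTEND_ACCESS_TOKEN_VALIDITY).intValue()
                : 0);
        try {
            TranslationResult userInfo = getUserInfo(clientUsername, getUsersGroup(clientAttributes));
            // Only attributes bound to the granted scopes are released into the claim set.
            token.setUserInfo(OAuthProcessor.prepareUserInfoClaimSet(clientUsername,
                    OAuthProcessor.filterAttributes(userInfo, releasedAttributes)).toJSONObject().toJSONString());
            return token;
        } catch (EngineException e) {
            log.warn("Can not obtain user info for OAuth in client credentials flow", e);
            throw new OAuthValidationException("Internal error");
        }
    }

    /**
     * Returns the identity the client authenticated with. The session's identity
     * collection is expected to be non-empty here; an empty one is treated as a
     * server-side error instead of surfacing as an unchecked exception.
     */
    private static String firstAuthenticatedIdentity(LoginSession session) throws OAuthValidationException {
        Iterator<?> identities = session.getAuthenticatedIdentities().iterator();
        if (!identities.hasNext()) {
            log.warn("Login session of the client has no authenticated identity; refusing client credentials grant");
            throw new OAuthValidationException("Internal error");
        }
        return (String) identities.next();
    }

    /**
     * Client type from the CLIENT_TYPE attribute; a client without the attribute is
     * treated as confidential (the stricter default for this grant).
     */
    private static ClientType resolveClientType(Map<String, AttributeExt> clientAttributes) throws OAuthValidationException {
        AttributeExt clientType = clientAttributes.get(OAuthSystemAttributesProvider.CLIENT_TYPE);
        if (clientType == null) {
            return ClientType.CONFIDENTIAL;
        }
        try {
            return ClientType.valueOf((String) clientType.getValues().get(0));
        } catch (IllegalArgumentException | IndexOutOfBoundsException e) {
            // Malformed attribute is a configuration problem; do not echo its value to the client.
            log.warn("Client has a missing or unrecognized value of the "
                    + OAuthSystemAttributesProvider.CLIENT_TYPE + " attribute", e);
            throw new OAuthValidationException("Internal error");
        }
    }

    /**
     * Sets the token's effective scope to the valid subset of the requested scopes and
     * returns the union of attribute names those scopes release.
     *
     * <p>When no scope was requested the effective scope is left untouched and an empty
     * set is returned, so no scope-bound attributes are released.
     */
    private Set<String> establishFlowsAndAttributes(OAuthToken token, String requestedScopes, Map<String, AttributeExt> clientAttributes) {
        Set<String> releasedAttributes = new HashSet<>();
        if (requestedScopes == null || requestedScopes.isEmpty()) {
            return releasedAttributes;
        }
        List<OAuthAuthzContext.ScopeInfo> validScopes =
                requestValidator.getValidRequestedScopes(clientAttributes, Scope.parse(requestedScopes));
        token.setEffectiveScope(validScopes.stream()
                .map(OAuthAuthzContext.ScopeInfo::getName)
                .toArray(String[]::new));
        for (OAuthAuthzContext.ScopeInfo scope : validScopes) {
            releasedAttributes.addAll(scope.getAttributes());
        }
        return releasedAttributes;
    }

    /**
     * Obtains the client entity's user information in {@code usersGroup}, with the client
     * itself (as a member of the configured clients group) as the requester.
     *
     * @param clientUsername identity passed to the engine as the requester name
     * @param usersGroup group in which attributes are resolved (see {@link #getUsersGroup})
     */
    private TranslationResult getUserInfo(String clientUsername, String usersGroup) throws EngineException {
        EntityParam clientEntity = currentClientEntity(InvocationContext.getCurrent().getLoginSession());
        EntityInGroup requester = new EntityInGroup(config.getValue(OAuthASProperties.CLIENTS_GROUP), clientEntity);
        // NOTE(review): the meaning of the trailing boolean flag is not visible here — confirm against IdPEngine.
        return idpEngine.obtainUserInformationWithEnrichingImport(clientEntity, usersGroup,
                config.getOutputTranslationProfile(), clientUsername, Optional.of(requester),
                "OAuth2", GrantType.CLIENT_CREDENTIALS.getValue(), true, config);
    }

    /** Per-client group override from PER_CLIENT_GROUP if present, else the configured users group. */
    private String getUsersGroup(Map<String, AttributeExt> clientAttributes) {
        AttributeExt perClientGroup = clientAttributes.get(OAuthSystemAttributesProvider.PER_CLIENT_GROUP);
        if (perClientGroup == null) {
            return config.getValue(OAuthASProperties.USERS_GROUP);
        }
        return (String) perClientGroup.getValues().get(0);
    }

    /** Entity parameter for the entity bound to the given login session. */
    private static EntityParam currentClientEntity(LoginSession session) {
        return new EntityParam(Long.valueOf(session.getEntityId()));
    }
}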
