package org.mitre.openid.connect;

import com.google.common.base.Strings;
import com.nimbusds.jose.util.JSONObjectUtils;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import net.minidev.json.JSONObject;
import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
import org.mitre.jwt.signer.service.impl.JWKSetSigningAndValidationServiceCacheService;
import org.mitre.oauth2.exception.NonceReuseException;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.openid.connect.service.NonceService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.AuthorizationRequestManager;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.DefaultAuthorizationRequest;
import org.springframework.stereotype.Component;

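/**
 * Builds an {@link AuthorizationRequest} from the raw authorization-endpoint
 * parameters, applying the OpenID Connect extensions this server supports:
 * <ul>
 *   <li>a signed {@code request} object (JWT) whose claims are merged into the
 *       parameter map only after its signature has validated against the JWK
 *       set registered for the client it names;</li>
 *   <li>per-client nonce tracking, rejecting a nonce the client has already
 *       presented for an authenticated user;</li>
 *   <li>falling back to the client's registered scopes when none are requested.</li>
 * </ul>
 */
@Component("authorizationRequestManager")
public class ConnectAuthorizationRequestManager implements AuthorizationRequestManager {

    private static final Logger logger = LoggerFactory.getLogger(ConnectAuthorizationRequestManager.class);

    /** Request parameter carrying the signed request object. */
    private static final String REQUEST = "request";
    /** Request parameter / request-object claim names used below. */
    private static final String NONCE = "nonce";
    private static final String SCOPE = "scope";
    private static final String DISPLAY = "display";
    private static final String PROMPT = "prompt";

    /**
     * Claims copied from a validated request object only when the same name was
     * not sent as a plain request parameter (the plain parameter wins).
     */
    private static final String[] CLAIMS_FILLED_IF_ABSENT = {
        AuthorizationRequest.REDIRECT_URI,
        AuthorizationRequest.STATE,
        NONCE,
        DISPLAY,
        PROMPT,
        SCOPE
    };

    @Autowired
    private NonceService nonceService;

    @Autowired
    private ClientDetailsEntityService clientDetailsService;

    @Autowired
    private JWKSetSigningAndValidationServiceCacheService validators;

    /**
     * Creates a manager with explicit collaborators (manual wiring / tests).
     *
     * @param clientDetailsEntityService source of registered client metadata
     * @param nonceService               nonce persistence and replay detection
     */
    public ConnectAuthorizationRequestManager(ClientDetailsEntityService clientDetailsEntityService, NonceService nonceService) {
        this.clientDetailsService = clientDetailsEntityService;
        this.nonceService = nonceService;
    }

    /** Default constructor for container-managed (field-injected) instantiation. */
    public ConnectAuthorizationRequestManager() {
    }

    /**
     * Turns the raw request parameters into an {@link AuthorizationRequest}.
     *
     * <p>Order of operations: resolve and validate any request object, require a
     * {@code client_id}, load the client, enforce nonce uniqueness for authenticated
     * users, then default the scope set to the client's registered scopes if none
     * were requested.
     *
     * @param map the raw request parameters; never modified
     * @return the populated request, with the client details attached
     * @throws InvalidClientException if no client id is present or the client is unknown
     * @throws NonceReuseException    if the client already presented this nonce
     */
    @Override
    public AuthorizationRequest createAuthorizationRequest(Map<String, String> map) {
        Map<String, String> parameters = processRequestObject(map);

        String clientId = parameters.get(AuthorizationRequest.CLIENT_ID);
        if (clientId == null) {
            throw new InvalidClientException("A client id must be provided");
        }
        ClientDetailsEntity client = this.clientDetailsService.loadClientByClientId(clientId);
        if (client == null) {
            // Do not echo the supplied id back: it is untrusted input destined for an error response.
            throw new InvalidClientException("Client with the given client id could not be found");
        }

        String nonce = parameters.get(NONCE);
        if (nonce != null && hasAuthenticatedUser()) {
            // Replay protection: a given nonce may be accepted at most once per client.
            if (this.nonceService.alreadyUsed(clientId, nonce)) {
                throw new NonceReuseException(client.getClientId(), nonce);
            }
            this.nonceService.save(this.nonceService.create(clientId, nonce));
        }

        Set<String> scopes = OAuth2Utils.parseParameterList(parameters.get(SCOPE));
        if (scopes == null || scopes.isEmpty()) {
            // No scope requested: use everything the client is registered for.
            scopes = client.getScope();
        }

        DefaultAuthorizationRequest request = new DefaultAuthorizationRequest(
                parameters, Collections.<String, String>emptyMap(), clientId, scopes);
        request.addClientDetails(client);
        return request;
    }

    /**
     * True when the current security context holds an authenticated {@link User} principal.
     * A missing {@code Authentication} (anonymous / pre-login request) yields {@code false}
     * instead of a {@code NullPointerException}.
     */
    private static boolean hasAuthenticatedUser() {
        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            return false;
        }
        Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        return principal instanceof User;
    }

    /**
     * Resolves a signed OpenID Connect {@code request} object, if one was sent.
     *
     * <p>The JWT's {@code client_id} claim selects the client whose registered JWK set
     * must validate the signature; when the plain {@code client_id} parameter is also
     * present the two must agree, so a request object cannot silently re-bind the
     * request to another client. Claims are copied into a fresh parameter map only
     * after the signature has validated. A claim never overwrites a parameter that was
     * sent directly, except {@code response_type}, which the request object sets
     * unconditionally (pre-existing behaviour, left as is).
     *
     * @param map the raw request parameters; never modified
     * @return {@code map} itself when no request object is present, otherwise a new map
     *         with the validated claims merged in
     * @throws AuthenticationServiceException if the request object cannot be parsed or its
     *         signature does not validate
     * @throws InvalidClientException if the request object's client does not match the
     *         {@code client_id} parameter, no client id is available at all, the client is
     *         unknown, or no JWK set can be resolved for it
     */
    private Map<String, String> processRequestObject(Map<String, String> map) {
        String requestObject = map.get(REQUEST);
        if (Strings.isNullOrEmpty(requestObject)) {
            return map;
        }

        SignedJWT jwt;
        JSONObject claims;
        try {
            jwt = SignedJWT.parse(requestObject);
            claims = jwt.getPayload().toJSONObject();
        } catch (ParseException e) {
            // A malformed request object is a client error; it must fail the request, not just log.
            logger.debug("Unable to parse presented JWT request object", e);
            throw new AuthenticationServiceException("Unable to parse presented JWT request object.", e);
        }

        String claimedClientId = optionalString(claims, AuthorizationRequest.CLIENT_ID);
        String parameterClientId = map.get(AuthorizationRequest.CLIENT_ID);
        if (claimedClientId != null && parameterClientId != null && !claimedClientId.equals(parameterClientId)) {
            throw new InvalidClientException("Request object client_id does not match the client_id parameter.");
        }
        String clientId = claimedClientId != null ? claimedClientId : parameterClientId;
        if (clientId == null) {
            throw new InvalidClientException("A client id must be provided");
        }

        ClientDetailsEntity client = this.clientDetailsService.loadClientByClientId(clientId);
        if (client == null || client.getJwksUri() == null) {
            throw new InvalidClientException("Client must have a JWK URI registered to use request objects.");
        }
        JwtSigningAndValidationService validator = this.validators.get(client.getJwksUri());
        if (validator == null) {
            throw new InvalidClientException("Unable to load the JWK set registered for this client.");
        }
        if (!validator.validateSignature(jwt)) {
            throw new AuthenticationServiceException("Signature did not validate for presented JWT request object.");
        }

        // Signature verified: the claims may now influence the request.
        Map<String, String> merged = new HashMap<String, String>(map);
        merged.put(AuthorizationRequest.CLIENT_ID, clientId);

        String responseType = optionalString(claims, AuthorizationRequest.RESPONSE_TYPE);
        if (responseType != null) {
            merged.put(AuthorizationRequest.RESPONSE_TYPE, responseType);
        }
        for (String key : CLAIMS_FILLED_IF_ABSENT) {
            String value = optionalString(claims, key);
            if (value != null && !map.containsKey(key)) {
                merged.put(key, value);
            }
        }
        return merged;
    }

    /**
     * Returns the named claim as a string, or {@code null} when it is absent or not a
     * string. Reads the payload's map view directly so an absent optional claim is
     * never reported as a parse error.
     */
    private static String optionalString(JSONObject claims, String key) {
        Object value = claims.get(key);
        return value instanceof String ? (String) value : null;
    }

    /**
     * Rejects any requested scope the client is not registered for.
     *
     * @param map           the raw request parameters
     * @param clientDetails the client making the request
     * @throws InvalidScopeException on the first requested scope outside the client's set;
     *         nothing is checked when no scope was requested or the client is not scoped
     */
    @Override
    public void validateParameters(Map<String, String> map, ClientDetails clientDetails) {
        if (!map.containsKey(SCOPE) || !clientDetails.isScoped()) {
            return;
        }
        Set<String> allowed = clientDetails.getScope();
        for (String requested : OAuth2Utils.parseParameterList(map.get(SCOPE))) {
            if (!allowed.contains(requested)) {
                throw new InvalidScopeException("Invalid scope: " + requested, allowed);
            }
        }
    }
}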
