package ru.org.openam.oauth.v2.data;

import com.iplanet.am.util.SystemProperties;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.AuthContext;
import com.sun.identity.authentication.server.AuthContextLocal;
import com.sun.identity.authentication.service.AuthD;
import com.sun.identity.authentication.service.AuthUtils;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdSearchControl;
import com.sun.identity.idm.IdSearchResults;
import com.sun.identity.idm.IdType;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.sm.ServiceConfig;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang3.StringUtils;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.openam.core.realms.Realm;
import org.forgerock.openam.core.realms.RealmLookup;
import org.forgerock.openam.core.realms.RealmLookupException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import ru.org.openam.auth.modules.OAuth2AMLoginModule;
import ru.org.openam.auth.modules.OAuth2Auth;
import ru.org.openam.auth.modules.OAuth2Token;
import ru.org.openam.auth.modules.exception.invalid_request;
import ru.org.openam.auth.modules.exception.token.invalid_client;
import ru.org.openam.auth.modules.exception.unauthorized_client;
import ru.org.openam.idm.UserNotFoundException;

/* loaded from: input_file:ru/org/openam/oauth/v2/data/client_id.class */
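/**
 * OAuth2 client identifier of the form {@code name} or {@code name@realm}.
 * <p>
 * A bare {@code name} is qualified with a configured default realm. The object resolves the
 * client's {@link AMIdentity} in that realm (admin-token search of {@code IdType.USER} by name,
 * returning only {@code uid}) and, through {@link #login}, authenticates the client with its
 * secret against the realm's authentication chain.
 * <p>
 * Instances are not thread-safe: the {@link Matcher} and the resolved identity are cached per
 * instance without synchronization.
 */
public class client_id {
    public static Logger logger = LoggerFactory.getLogger(client_id.class);

    /**
     * Accepted shape of a client identifier: {@code name} or {@code name@realm}.
     * The character classes exclude LDAP filter metacharacters ({@code *}, parentheses,
     * backslash), so the {@code name} group can later be passed to
     * {@link AMIdentityRepository#searchIdentities} as a search pattern without acting as a
     * wildcard or filter fragment, and the {@code realm} group is a plain host-like token.
     */
    static final Pattern CLIENT_ID_FORMAT =
            Pattern.compile("^(?<name>[a-zA-Z0-9_\\-\\.]+)(@(?<realm>[a-zA-Z0-9\\.]+)){0,1}$");

    /** Number of callback rounds accepted from the auth chain before the login is abandoned. */
    private static final int MAX_LOGIN_ROUNDS = 10;

    /** Request attribute that asks the auth framework not to keep a session for this login. */
    private static final String NO_SESSION_ATTR = "org.forgerock.openam.auth.noSession";

    /** Module option naming the realm appended to bare client identifiers. */
    private static final String REALM_DEFAULT_ATTR = "ru.org.openam.auth.modules.OAuth2Token.realm_default";

    private static final String CLIENT_ID_MISSING = "MANDATORY parameter client_id is missing";
    private static final String BAD_CREDENTIALS = "Invalid client_id or client_secret";
    private static final String BAD_REALM = "Invalid client_id realm";
    private static final String UNKNOWN_APP_NAME = "Неизвестное приложение";
    private static final String UNKNOWN_OWNER_NAME = "Неизвестный издатель";

    /** Fully qualified identifier ({@code name@realm}); may be null or malformed only transiently, before the constructor rejects it. */
    final String client_id;
    /** Auth context created by {@link #login}; null until a login has been attempted. */
    AuthContextLocal authContext = null;
    /** Login module on whose behalf errors are reported; set by the token-flow constructor. */
    OAuth2Token lm = null;
    Pattern format = CLIENT_ID_FORMAT;
    /** Lazily created matcher over {@link #client_id}; see {@link #getMatch()}. */
    Matcher match = null;
    /** Identity resolved by {@link #getIdentity()}; null when the lookup found no single match. */
    AMIdentity identity;
    /** True once a directory search has completed, so a negative result is not searched again. */
    private boolean identityLookedUp;

    /**
     * Builds the identifier for the authorization or token flow.
     *
     * @param oAuth2AMLoginModule the calling module; decides which error type is raised and supplies
     *        the default realm and the request
     * @param str the raw {@code client_id} request parameter (may be null)
     * @throws invalid_request if {@code str} is blank or does not match {@link #CLIENT_ID_FORMAT}
     * @throws RuntimeException if the module is neither {@link OAuth2Auth} nor {@link OAuth2Token}
     */
    public client_id(OAuth2AMLoginModule oAuth2AMLoginModule, String str) throws invalid_request, unauthorized_client, AuthLoginException {
        if (str == null || StringUtils.contains(str, "@")) {
            this.client_id = str;
        } else {
            // A bare name is qualified with the module's default realm, falling back to the
            // server name of the current request.
            String realmDefault = CollectionHelper.getMapAttr(oAuth2AMLoginModule.options, REALM_DEFAULT_ATTR,
                    oAuth2AMLoginModule.getHttpServletRequest().getServerName());
            this.client_id = str.concat("@").concat(realmDefault);
        }
        if (StringUtils.isBlank(str) || !isMatch().booleanValue()) {
            if (oAuth2AMLoginModule instanceof OAuth2Auth) {
                throw new invalid_request((OAuth2Auth) oAuth2AMLoginModule, CLIENT_ID_MISSING);
            }
            if (oAuth2AMLoginModule instanceof OAuth2Token) {
                throw new invalid_request((OAuth2Token) oAuth2AMLoginModule, CLIENT_ID_MISSING);
            }
            throw new RuntimeException("unknown type");
        }
        try {
            getIdentity();
        } catch (SSOException | IdRepoException e) {
            // Best effort: an unresolved identity is not fatal here, the name accessors fall back
            // to their defaults. The realm is caller-supplied, so log the message only.
            logger.warn("getIdentity {}: {}", this.client_id, e.getMessage());
        }
    }

    /**
     * Builds the identifier for the token flow and immediately authenticates the client.
     *
     * @param oAuth2Token the calling token module
     * @param str the raw {@code client_id} request parameter
     * @param str2 the client secret
     * @param bool when true, the login is performed without keeping a session and the client
     *        attributes are copied onto the user's session instead; null is treated as false
     * @throws unauthorized_client if the realm is unknown or the credentials are rejected
     */
    public client_id(OAuth2Token oAuth2Token, String str, String str2, Boolean bool) throws invalid_request, unauthorized_client, AuthLoginException {
        this(oAuth2Token, str);
        this.lm = oAuth2Token;
        // NOTE(review): assumes getHttpServletRequest() hands back the same request on each call.
        HttpServletRequest request = oAuth2Token.getHttpServletRequest();
        boolean noSession = Boolean.TRUE.equals(bool);
        try {
            if (noSession) {
                request.setAttribute(NO_SESSION_ATTR, "true");
            }
            login(request, str2);
        } finally {
            // The marker must not leak into later processing of the same request, whether or
            // not the login succeeded.
            request.removeAttribute(NO_SESSION_ATTR);
        }
        if (noSession) {
            oAuth2Token.setUserSessionProperty("am.protected.oauth2.client_id", str);
            oAuth2Token.setUserSessionProperty("am.protected.oauth2.client_name", getAppName());
            oAuth2Token.setUserSessionProperty("am.protected.oauth2.client_owner", getOwnerName());
        }
    }

    /**
     * Returns the SSO token of the authenticated client, or null if {@link #login} has not run.
     */
    public SSOToken getToken() {
        return this.authContext == null ? null : this.authContext.getSSOToken();
    }

    /**
     * Authenticates the client against the auth chain of its realm using name and secret.
     * <p>
     * The realm is taken from the identifier, or from the request's server name when absent; the
     * root realm is refused. The chain is driven through at most {@link #MAX_LOGIN_ROUNDS}
     * callback rounds; a round presenting a name and a password callback is answered with the
     * client name and secret, anything else is submitted unchanged. All failures are reported
     * with the same generic message so the caller cannot tell an unknown client from a wrong
     * secret.
     *
     * @param httpServletRequest the current request; wrapped so the auth framework sees the
     *        client's realm as server name
     * @param str the client secret
     * @throws unauthorized_client if the secret is blank, the realm is invalid or the chain does
     *         not end in {@code SUCCESS}
     */
    public void login(HttpServletRequest httpServletRequest, String str) throws invalid_request, unauthorized_client, AuthLoginException {
        if (StringUtils.isBlank(str)) {
            throw new unauthorized_client(this.lm, BAD_CREDENTIALS);
        }
        try {
            final String realm = getRealm();
            RealmLookup realmLookup = (RealmLookup) InjectorHolder.getInstance(RealmLookup.class);
            Realm lookup = realmLookup.lookup(realm == null ? httpServletRequest.getServerName() : realm);
            if (lookup == null || StringUtils.equals(lookup.asPath(), "/")) {
                throw new unauthorized_client(this.lm, BAD_REALM);
            }
            HttpServletRequestWrapper wrappedRequest = new HttpServletRequestWrapper(httpServletRequest) {
                @Override
                public String getServerName() {
                    return realm == null ? super.getServerName() : realm;
                }
            };
            this.authContext = AuthUtils.getAuthContext(lookup.asDN(), wrappedRequest);
            this.authContext.getLoginState().setHttpServletRequest(wrappedRequest);
            this.authContext.login();
            for (int round = 0;
                    this.authContext.getStatus() == AuthContext.Status.IN_PROGRESS && this.authContext.hasMoreRequirements();
                    round++) {
                if (round > MAX_LOGIN_ROUNDS) {
                    logger.error("login: auth attempts exceeded");
                    throw new unauthorized_client(this.lm, BAD_CREDENTIALS);
                }
                Callback[] requirements = this.authContext.getRequirements(false);
                if (requirements.length >= 2
                        && requirements[0] instanceof NameCallback
                        && requirements[1] instanceof PasswordCallback) {
                    ((NameCallback) requirements[0]).setName(getUser());
                    ((PasswordCallback) requirements[1]).setPassword(str.toCharArray());
                    if (httpServletRequest.getAttribute(NO_SESSION_ATTR) != null) {
                        this.authContext.getLoginState().getSession().putProperty("am.protected.sfo.disable", "1");
                    }
                    this.authContext.getLoginState().getSession().putProperty("am.protected.oauth2.client_id", this.client_id);
                    this.authContext.getLoginState().getSession().putProperty("am.protected.oauth2.client_name", getAppName());
                    this.authContext.getLoginState().getSession().putProperty("am.protected.oauth2.client_owner", getOwnerName());
                }
                this.authContext.submitRequirements(requirements);
            }
            if (this.authContext.getStatus() != AuthContext.Status.SUCCESS) {
                throw new unauthorized_client(this.lm, BAD_CREDENTIALS);
            }
        } catch (unauthorized_client e) {
            throw e;
        } catch (RealmLookupException e2) {
            // The realm token is caller-controlled; keep the diagnostic at debug level.
            logger.debug("login: realm lookup failed for {}", this.client_id, e2);
            throw new unauthorized_client(this.lm, BAD_REALM);
        } catch (Exception e3) {
            logger.error("login", e3);
            throw new unauthorized_client(this.lm, "Invalid client_id or client_secret: temporary error");
        }
    }

    /**
     * Logs the client out of its auth context on a low-priority background thread.
     * Does nothing if no login has produced a token. The context is captured before the thread
     * starts so a later {@link #login} on this object cannot redirect the logout.
     */
    public void logout() {
        final AuthContextLocal context = this.authContext;
        if (context == null || context.getSSOToken() == null) {
            return;
        }
        Thread worker = new Thread(new Runnable() {
            @Override
            public void run() {
                try {
                    context.logout();
                } catch (AuthLoginException e) {
                    logger.warn("authContext.logout()", e);
                }
            }
        }, "oauth2-client_id-logout");
        worker.setPriority(Thread.MIN_PRIORITY);
        worker.start();
    }

    /**
     * Builds the identifier outside of a login module, e.g. for token introspection.
     * A bare name is qualified with the default realm configured on the first
     * {@code sunAMAuthOAuth2TokenService} sub-configuration of the {@code /oauth} realm.
     *
     * @param str the raw client identifier (may be null)
     * @throws invalid_client if the {@code /oauth} configuration is absent or unreadable, or the
     *         resulting identifier does not match {@link #CLIENT_ID_FORMAT}
     */
    public client_id(String str) throws AuthLoginException {
        if (str == null || StringUtils.contains(str, "@")) {
            this.client_id = str;
        } else {
            try {
                ServiceConfig serviceConfig = AuthD.getAuth().getOrgConfigManager("/oauth").getServiceConfig("sunAMAuthOAuth2TokenService");
                Set<?> subConfigNames = serviceConfig.getSubConfigNames();
                if (subConfigNames.isEmpty()) {
                    throw new invalid_client(null, "Invalid client_id or client_secret: realm oauth disabled");
                }
                String realmDefault = CollectionHelper.getMapAttr(
                        serviceConfig.getSubConfig((String) subConfigNames.iterator().next()).getAttributes(),
                        REALM_DEFAULT_ATTR, "missing");
                this.client_id = str.concat("@").concat(realmDefault);
            } catch (invalid_client e) {
                // Keep the specific "disabled" diagnostic instead of re-wrapping it below.
                throw e;
            } catch (Exception e) {
                logger.error("get /oauth oauth2token", e);
                throw new invalid_client(null, "Invalid client_id or client_secret: realm oauth error");
            }
        }
        if (!isMatch().booleanValue()) {
            throw new invalid_client(null, "Invalid client_id or client_secret: client_id is invalid");
        }
    }

    /**
     * Returns true if the identifier is non-blank and matches {@link #CLIENT_ID_FORMAT}.
     */
    public Boolean isMatch() {
        boolean matched = !StringUtils.isBlank(this.client_id) && getMatch().matches();
        return Boolean.valueOf(matched);
    }

    /**
     * Returns the full identifier as used for the token audience.
     */
    public String getAud() {
        return this.client_id;
    }

    /**
     * Returns the cached matcher of {@link #format} over {@link #client_id}, creating it on first use.
     */
    Matcher getMatch() {
        if (this.match == null) {
            this.match = this.format.matcher(this.client_id);
        }
        return this.match;
    }

    /**
     * Returns the {@code name} part of the identifier, or null if it does not match the format.
     */
    public String getUser() {
        return namedGroup("name");
    }

    /**
     * Returns the {@code realm} part of the identifier, or null if absent or the identifier does
     * not match the format.
     */
    public String getRealm() {
        return namedGroup("realm");
    }

    /** Named group of the full match, or null when the identifier does not match at all. */
    private String namedGroup(String group) {
        Matcher matcher = getMatch();
        return matcher.matches() ? matcher.group(group) : null;
    }

    /**
     * Resolves the client's identity: a {@code USER} search by {@link #getUser()} in the
     * organization of {@link #getRealm()} under the admin token, returning only {@code uid}.
     * The search runs at most once per instance; a result that is not exactly one entry leaves
     * the identity null.
     *
     * @return the identity, or null if not exactly one entry matched
     */
    public AMIdentity getIdentity() throws SSOException, IdRepoException {
        if (this.identity == null && !this.identityLookedUp) {
            SSOToken adminToken = (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
            AMIdentityRepository repository = new AMIdentityRepository(adminToken, IdUtils.getOrganization(adminToken, getRealm()));
            IdSearchControl control = new IdSearchControl();
            control.setAllReturnAttributes(false);
            control.setReturnAttributes(new HashSet<String>(Arrays.asList("uid")));
            control.setMaxResults(1);
            IdSearchResults results = repository.searchIdentities(IdType.USER, getUser(), control);
            this.identityLookedUp = true;
            if (results != null) {
                Set<?> found = results.getSearchResults();
                if (found != null && found.size() == 1) {
                    this.identity = (AMIdentity) found.iterator().next();
                } else {
                    // Log the raw id, not `this`: toString() calls getIdentity() and would re-enter here.
                    logger.warn("not identity found {}", this.client_id);
                }
            }
        }
        return this.identity;
    }

    /**
     * Returns the first value of the named attribute of the resolved identity, or null if the
     * attribute is absent or empty.
     *
     * @throws IllegalStateException if no identity could be resolved (callers treat this like
     *         any other lookup failure)
     */
    private String firstAttributeValue(String attributeName) throws SSOException, IdRepoException {
        AMIdentity resolved = getIdentity();
        if (resolved == null) {
            throw new IllegalStateException("identity not resolved for client_id " + this.client_id);
        }
        Set<?> values = resolved.getAttribute(attributeName);
        if (values == null || values.isEmpty()) {
            return null;
        }
        return (String) values.iterator().next();
    }

    /**
     * Returns the client's display name ({@code cn}), or a generic placeholder if it cannot be read.
     */
    public String getAppName() {
        try {
            String value = firstAttributeValue("cn");
            return value == null ? UNKNOWN_APP_NAME : value;
        } catch (Exception e) {
            logger.debug("getAppName {}", this.client_id, e);
            return UNKNOWN_APP_NAME;
        }
    }

    /**
     * Returns the client owner's name ({@code sn}), or a generic placeholder if it cannot be read.
     */
    public String getOwnerName() {
        try {
            String value = firstAttributeValue("sn");
            return value == null ? UNKNOWN_OWNER_NAME : value;
        } catch (Exception e) {
            logger.debug("getOwnerName {}", this.client_id, e);
            return UNKNOWN_OWNER_NAME;
        }
    }

    /**
     * Returns the client's configured success URL ({@code iplanet-am-user-success-url}), or null
     * if the attribute is empty.
     *
     * @throws AuthLoginException if the identity or attribute cannot be read
     */
    public String getSuccessURL() throws AuthLoginException {
        try {
            return firstAttributeValue("iplanet-am-user-success-url");
        } catch (Exception e) {
            throw new AuthLoginException(e);
        }
    }

    /**
     * Returns the client's {@code iplanet-am-session-caching} flag; when the attribute is empty the
     * system property {@code oauth2.iplanet-am-session-caching.identity} (default true) applies.
     * Any lookup failure yields false.
     */
    public Boolean getIplanetAmSessionCaching() {
        try {
            String value = firstAttributeValue("iplanet-am-session-caching");
            if (value == null) {
                return Boolean.valueOf(SystemProperties.getAsBoolean("oauth2.iplanet-am-session-caching.identity", true));
            }
            return Boolean.valueOf(Boolean.parseBoolean(value));
        } catch (Exception e) {
            return Boolean.FALSE;
        }
    }

    /**
     * Returns the client's {@code sunIdentityMSISDNNumber}, or an empty string if the attribute is empty.
     *
     * @throws AuthLoginException if the identity or attribute cannot be read
     */
    public String getBid() throws AuthLoginException {
        try {
            String value = firstAttributeValue("sunIdentityMSISDNNumber");
            return value == null ? "" : value;
        } catch (Exception e) {
            throw new AuthLoginException(e);
        }
    }

    /**
     * Returns {@code "<app name> (<owner name>)"}.
     */
    public String getName() throws AuthLoginException {
        return MessageFormat.format("{0} ({1})", getAppName(), getOwnerName());
    }

    /**
     * Returns {@code client_id:universalId:name} when the identity is resolved, else the bare
     * client_id. Used in log statements, so it must never throw.
     */
    @Override
    public String toString() {
        String str = this.client_id;
        try {
            AMIdentity resolved = getIdentity();
            if (resolved != null) {
                str = MessageFormat.format("{0}:{1}", MessageFormat.format("{0}:{1}", str, resolved.getUniversalId()), getName());
            }
        } catch (Exception e) {
            // Fall back to the bare identifier; a failed lookup must not break logging.
        }
        return str;
    }
}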
