package ru.org.openam.oauth.v2.data;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
import com.google.common.hash.Hashing;
import com.iplanet.am.util.SystemProperties;
import com.iplanet.dpro.session.SessionException;
import com.iplanet.dpro.session.SessionID;
import com.iplanet.dpro.session.service.AuthenticationSessionStore;
import com.iplanet.dpro.session.service.InternalSession;
import com.iplanet.dpro.session.service.SessionService;
import com.iplanet.dpro.session.service.SessionType;
import com.iplanet.services.util.Crypt;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.service.AuthD;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdSearchControl;
import com.sun.identity.idm.IdSearchOpModifier;
import com.sun.identity.idm.IdSearchResults;
import com.sun.identity.idm.IdType;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.sm.DNMapper;
import com.sun.identity.sm.SMSException;
import com.sun.identity.sm.ServiceConfig;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.lang.annotation.Annotation;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.PrivilegedAction;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.util.encode.Base64url;
import org.glassfish.hk2.api.ServiceLocator;
import org.glassfish.hk2.utilities.Binder;
import org.glassfish.hk2.utilities.ServiceLocatorUtilities;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import ru.org.openam.auth.modules.Idm2Idm;
import ru.org.openam.auth.modules.Idm2IdmHelper;
import ru.org.openam.auth.modules.OAuth2Auth;
import ru.org.openam.auth.modules.OAuth2Principal;
import ru.org.openam.auth.modules.OAuth2Token;
import ru.org.openam.auth.modules.adaptive.persistence.Session;
import ru.org.openam.auth.modules.adaptive.plugins.UserAgent;
import ru.org.openam.auth.modules.adaptive.plugins.oauth.client_name;
import ru.org.openam.auth.modules.exception.auth.access_denied;
import ru.org.openam.auth.modules.exception.auth.unsupported_response_type;
import ru.org.openam.auth.modules.exception.error;
import ru.org.openam.auth.modules.exception.invalid_request;
import ru.org.openam.auth.modules.exception.token.invalid_client;
import ru.org.openam.auth.modules.exception.token.invalid_grant;
import ru.org.openam.auth.modules.exception.token.unsupported_grant_type;
import ru.org.openam.auth.modules.exception.unauthorized_client;
import ru.org.openam.crypt.Hash;
import ru.org.openam.crypt.UUIDType5;
import ru.org.openam.httpdump.Dump;
import ru.org.openam.idm.MultipleFoundException;
import ru.org.openam.idm.User;
import ru.org.openam.idm.UserNotFoundException;
import ru.org.openam.oauth.selfcare.data.IdentityApplicationMapper;
import ru.org.openam.oauth.selfcare.data.Scope;
import ru.org.openam.oauth.selfcare.data.ScopeProvider;
import ru.org.openam.oauth.selfcare.jaxrs.DependencyBinder;
import ru.org.openam.oauth.v2.Stat;
import ru.org.openam.oauth.v2.data.refresh_token;
import ru.org.openam.oauth.v2.ext.OAuth2Extension;
import ru.org.openam.oauth.v2.ext.OAuth2ExtensionHolder;
import ru.org.openam.oauth.v2.jaxrs.OAuth2;
import ru.org.openam.servlets.Authentificate;
import ru.org.openam.web.UIRequestWrapper;
import ru.org.openam.web.Version;

/* loaded from: input_file:ru/org/openam/oauth/v2/data/Permission.class */
public class Permission {
    // NOTE(review): nearly every field below is public and mutable, so code outside this
    // class can rewrite scope, subject and the trust flag after authorization took place.
    /** Boolean flag initialised to false by the constructor; its meaning is set by callers not visible here. */
    public Boolean p;

    /* renamed from: ru, reason: collision with root package name */
    /** Redirect URL assembled in auth() from redirect_uri plus the state / correlation_id parameters. */
    public String f0ru;
    /** OAuth2 "state" request parameter, echoed into the redirect URL. */
    public String st;
    /** "correlation_id" request parameter, echoed into the redirect URL when present. */
    public String cid;
    /** Audience / client identifier (client_id.getAud()); also emitted as "azp" and used as the pairwise-sub prefix. */
    public String aud;
    /** Value of client_id.getBid(); not interpreted in this view. */
    public String bid;
    /**
     * Requested scope (case-insensitive set). This is the raw request scope; getScope() applies the
     * client's "oauth-app-scope" restriction, and a few checks below read this raw set directly.
     */
    public Set<String> sc;
    /** Realm used for the identity search in getIdentity(); defaults to "b2c". */
    public String org;
    /** Identifying attributes of the subject (attribute name -> values); drives the identity search and the "sub" claim. */
    public TreeMap<String, Set<String>> sub;
    public access_type act;
    /** When true, getData()/setData() bypass the scope filter and getData() emits the un-pseudonymised sub. */
    public Boolean trust;
    /** Universal id of the resolved identity; set by getIdentity() after a successful search. */
    public String dn;
    public Session s;
    public String[] amr;
    /** login_hint; only its SHA-256 is exposed by getData(). */
    public String lh;
    /** PKCE parameters; note that the "plain" method is part of the accepted enum. */
    public String code_challenge;
    public code_challenge_methods code_challenge_method;
    public Map<String, String> props;
    /** Cached "oauth-app-scope" attribute of the client, lazily loaded by getRestrictScope(AMIdentity). */
    private Set<String> restrictScope;
    /** Resolved subject identity, lazily populated by getIdentity(). */
    AMIdentity identity;
    /** Claim names that setData() may write back to the repository; initialised in a static block outside this view. */
    static final Set<String> allow_edit;
    public String appName;
    public String nonce;
    public String service;
    public String modules;
    public Integer level;
    public Set<String> acr_values;
    /** Issued-at time in milliseconds; exported by getData() as both "iat" and "auth_time". */
    public Long a;
    /** Expiry in milliseconds; the constructor initialises it to the construction time. */
    public Long exp;
    static ServiceLocator serviceLocator;
    static ScopeProvider scopeProvider;
    static IdentityApplicationMapper identityAppMapper;
    static final Set<String> copyAttrNames;
    public static access_token_SSOTokenListener acListener;
    public Long ac;
    /** Jackson mapper used by testOnRAW() to parse attribute values as JSON; configured outside this view. */
    static ObjectMapper mapper;
    final Map<String, Set<String>> getOAuth2AuthOptions;
    // Non-final public static: any code can swap the logger instance.
    public static Logger logger = LoggerFactory.getLogger(Permission.class);
    /**
     * Claim name -> repository attribute name. Populated outside this view; it decides which
     * attributes getData() reads and which ones setData() may write.
     */
    static final Map<String, String> scope2repo = new HashMap();

    /* loaded from: input_file:ru/org/openam/oauth/v2/data/Permission$code_challenge_methods.class */
    /**
     * PKCE code_challenge_method values this server recognises.
     * NOTE(review): "plain" is accepted alongside S256; RFC 7636 permits "plain" only for
     * clients that cannot compute S256 — confirm the code-exchange path treats it accordingly.
     */
    public enum code_challenge_methods {
        plain,
        S256
    }

    /**
     * Creates a permission in its pre-authorization state: not granted, untrusted,
     * empty case-insensitive scope and subject maps, realm "b2c", online access type,
     * and exp initialised to the construction time (presumably overwritten by callers).
     */
    public Permission() {
        p = Boolean.FALSE;
        trust = Boolean.FALSE;
        org = "b2c";
        act = access_type.online;
        sc = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        sub = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        props = new HashMap<>();
        restrictScope = null;
        acr_values = new HashSet<>(1);
        // exp starts at "now" in milliseconds.
        exp = System.currentTimeMillis();
        getOAuth2AuthOptions = new HashMap<>();
    }

    /** Subject identifier derived from this permission's {@link #sub} attribute map; see {@link #sub(Map)}. */
    public String sub() {
        Map<String, Set<String>> attributes = this.sub;
        return sub(attributes);
    }

    /**
     * Builds the subject identifier from identifying attributes.
     * <p>
     * If the map holds exactly one key, {@code uid}, its first value is returned as-is
     * (NoSuchElementException if that set is empty). Otherwise the result is
     * "k.v1.v2.k.v…": the first character of each attribute name followed by its
     * non-blank values, in the map's iteration order (callers pass a case-insensitive
     * TreeMap, i.e. sorted by key). An empty map yields null.
     * <p>
     * NOTE(review): this string becomes the "sub" claim and is compared with live
     * attribute values elsewhere, so its format must stay stable; an empty attribute
     * name throws StringIndexOutOfBoundsException.
     *
     * @param map attribute name -> values
     * @return the encoded subject, or null for an empty map
     */
    public static String sub(Map<String, Set<String>> map) {
        if (map.size() == 1 && map.containsKey("uid")) {
            return map.get("uid").iterator().next();
        }
        String result = null;
        for (Map.Entry<String, Set<String>> attribute : map.entrySet()) {
            String prefix = result == null ? "" : result + ".";
            StringBuilder piece = new StringBuilder(prefix).append(attribute.getKey().charAt(0));
            for (String value : attribute.getValue()) {
                if (hasText(value)) {
                    piece.append('.').append(value);
                }
            }
            result = piece.toString();
        }
        return result;
    }

    /** Same contract as StringUtils.isNotBlank: non-null and not made up entirely of whitespace. */
    private static boolean hasText(String value) {
        if (value == null) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            if (!Character.isWhitespace(value.charAt(i))) {
                return true;
            }
        }
        return false;
    }

    /** Audience-qualified subject "aud@sub"; throws NullPointerException when aud or sub() is null. */
    public String getUid() {
        String audience = this.aud;
        String separator = "@";
        return audience.concat(separator).concat(sub());
    }

    /**
     * Allowed scope of the client identified by {@link #aud}, resolved through its
     * client_id identity. Any failure is rethrown as RuntimeException.
     */
    public Set<String> getRestrictScope() {
        try {
            client_id client = new client_id(this.aud);
            return getRestrictScope(client.getIdentity());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns the client's "oauth-app-scope" attribute, reading it from the given client
     * identity on first use and caching it in {@link #restrictScope} afterwards.
     * A null/empty result means checkScope() applies no restriction at all.
     *
     * @param aMIdentity the client identity to read the attribute from
     * @return the allowed scope set (may be null if the attribute is absent)
     */
    public Set<String> getRestrictScope(AMIdentity aMIdentity) {
        Set<String> cached = this.restrictScope;
        if (cached != null) {
            return cached;
        }
        try {
            cached = aMIdentity.getAttribute("oauth-app-scope");
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
        this.restrictScope = cached;
        return cached;
    }

    /**
     * Rewrites legacy scope names in place: "phone" -> "mobile:phone" + "phone_number",
     * "email" -> "profile:mail", "mc_phonenumber" -> "phone_number". A null set is ignored.
     *
     * @param set the scope set to modify (mutated)
     */
    static void fixOldScope(Set<String> set) {
        if (set == null) {
            return;
        }
        boolean hadPhone = set.remove("phone");
        boolean hadEmail = set.remove("email");
        boolean hadMcPhone = set.remove("mc_phonenumber");
        if (hadPhone) {
            set.addAll(Arrays.asList("mobile:phone", "phone_number"));
        }
        if (hadEmail) {
            set.add("profile:mail");
        }
        if (hadMcPhone) {
            set.add("phone_number");
        }
    }

    /**
     * Effective scope: the requested scope {@link #sc} matched by prefix against the client's
     * allowed scope (see checkScope); always contains "sub".
     */
    public Set<String> getScope() {
        Set<String> allowed = getRestrictScope();
        return checkScope(this.sc, allowed);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Resolves and validates the subject identity behind this permission.
     * <p>
     * 1. If {@link #dn} is set and nothing is cached, loads the identity with the admin
     *    token (a privileged lookup — the caller must already have authorized access to
     *    this Permission); a missing identity is only logged.
     * 2. If an identity is present, re-reads the attributes named in {@link #sub}:
     *    stored-but-empty sub values are back-filled from the repository, stored uid
     *    values are lower-cased, and if the stored sub still differs from the live
     *    attributes the method returns null — the token no longer matches the account it
     *    was issued for — although {@link #identity} keeps the loaded object.
     * 3. If no identity is known, searches realm {@link #org} for a USER whose attributes
     *    AND-match {@link #sub}; exactly one hit sets {@link #identity} and {@link #dn},
     *    none is logged, more than one raises MultipleFoundException (not caught here).
     * Repository/SSO failures are rethrown as RuntimeException.
     * <p>
     * NOTE(review): step 3 hands the sub values straight to the search modifiers; whether
     * IdSearchControl escapes LDAP filter metacharacters is not visible here — verify.
     *
     * @return the resolved identity, or null if none was found or the sub check failed
     */
    public AMIdentity getIdentity() {
        if (this.identity == null && StringUtils.isNotBlank(this.dn)) {
            try {
                // Privileged lookup by universal id.
                this.identity = IdUtils.getIdentity((SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance()), this.dn);
                if (!this.identity.isExists()) {
                    throw new IdRepoException("not found");
                }
            } catch (IdRepoException | SSOException e) {
                logger.warn("not identity found dn {}: {}", this.dn, e.getMessage());
            }
        }
        try {
            if (this.identity != null && this.identity.isExists()) {
                // Live values of the identifying attributes, compared with the stored sub below.
                TreeMap treeMap = new TreeMap(String.CASE_INSENSITIVE_ORDER);
                treeMap.putAll(this.identity.getAttributes(this.sub.keySet()));
                Iterator it = new HashSet(this.sub.keySet()).iterator();
                while (it.hasNext()) {
                    String str = (String) it.next();
                    // Back-fill a stored-but-empty sub attribute from the repository value.
                    if (this.sub.get(str).isEmpty() && treeMap.get(str) != null && !((Set) treeMap.get(str)).isEmpty()) {
                        logger.warn("restore empty sub {} {}={}", new Object[]{this.identity.getUniversalId(), str, treeMap.get(str)});
                        this.sub.put(str, treeMap.get(str));
                    }
                    // Lower-case stored uid values when they differ from the live ones (mutates this.sub).
                    if (str.equalsIgnoreCase("uid")) {
                        Set<String> set = this.sub.get(str);
                        if (!set.equals(treeMap.get("uid"))) {
                            Iterator it2 = new HashSet(set).iterator();
                            while (it2.hasNext()) {
                                String str2 = (String) it2.next();
                                if (!str2.equals(str2.toLowerCase())) {
                                    set.remove(str2);
                                    set.add(str2.toLowerCase());
                                }
                            }
                        }
                    }
                }
                // Stored sub no longer matches the account: refuse to map rather than risk a different user.
                if (!this.sub.equals(treeMap)) {
                    logger.warn("change sub {} {}->{}", new Object[]{this.identity.getUniversalId(), this.sub, treeMap});
                    return null;
                }
            }
            if (this.identity == null) {
                try {
                    // Search the realm for the single USER matching every sub attribute (AND).
                    AMIdentityRepository aMIdentityRepository = new AMIdentityRepository((SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance()), this.org);
                    IdSearchControl idSearchControl = new IdSearchControl();
                    idSearchControl.setAllReturnAttributes(false);
                    idSearchControl.setReturnAttributes(new HashSet(Arrays.asList("uid")));
                    // Two results are enough to detect an ambiguous match.
                    idSearchControl.setMaxResults(2);
                    idSearchControl.setSearchModifiers(IdSearchOpModifier.AND, this.sub);
                    IdSearchResults searchIdentities = aMIdentityRepository.searchIdentities(IdType.USER, "*", idSearchControl);
                    if (searchIdentities != null) {
                        try {
                            Set searchResults = searchIdentities.getSearchResults();
                            if (searchResults == null || searchResults.size() != 1) {
                                if (searchResults == null || searchResults.size() <= 1) {
                                    throw new UserNotFoundException();
                                }
                                // More than one account matched: not caught below, propagates to the caller.
                                throw new MultipleFoundException("Multiple result found " + this.sub.toString(), searchResults);
                            }
                            this.identity = (AMIdentity) searchResults.iterator().next();
                            this.dn = this.identity.getUniversalId();
                        } catch (UserNotFoundException e2) {
                            logger.warn("not identity found {}: {}", this, e2.getMessage());
                        }
                    }
                } catch (SSOException | IdRepoException e3) {
                    throw new RuntimeException((Throwable) e3);
                }
            }
            return this.identity;
        } catch (SSOException | IdRepoException e4) {
            throw new RuntimeException((Throwable) e4);
        }
    }

    /** Every claim name in scope2repo plus the fixed scopes "openid", "mc_authn" and "mc_phonenumber". */
    public static Set<String> getScopeSupported() {
        Set<String> supported = new HashSet<>(Arrays.asList("openid", "mc_authn", "mc_phonenumber"));
        supported.addAll(scope2repo.keySet());
        return supported;
    }

    /**
     * Writes editable claims back to the user's repository entry and computes
     * Mobile-Connect-style match results for the remaining ones.
     * <p>
     * {@code map} is unwrapped through a "claims" and then a "premiuminfo" key when present
     * (unchecked casts), and values of the form {"value": x} are flattened to x — this
     * mutates the caller's map. A claim is saved only if it is in {@link #allow_edit} AND
     * covered by the effective scope (every scope2repo entry when {@link #trust} is set, the
     * effective scope is empty, or request attribute "rt2data" is present). Keys ending in
     * "_match" are skipped. Other keys yield "<key>_match" = Y / N-AV (value differs) /
     * N-NA (no stored value) / N-AD (the scope gate below refused the comparison); on Y the
     * stored value (or its SHA-256 for "_hash" keys) is echoed back. A "profile:slaves" entry
     * recurses into each managed account whose sub matches, with this identity as manager.
     *
     * @param map                claims to apply; request-supplied, treated as untrusted
     * @param httpServletRequest current request; only attribute "rt2data" is read
     * @param aMIdentity         identity being updated
     * @param aMIdentity2        manager identity on a recursive call, null at top level
     * @return match results and echoed values
     * <p>
     * NOTE(review): the "_hash"/plain gate checks the raw requested scope {@link #sc}
     * (mc_kyc_hashed / mc_kyc_plain), not getScope(), so the client's allowed scope does
     * not limit it; comparisons use StringUtils.equals (not constant-time); saved values
     * are logged at INFO, which includes personal data.
     */
    public Map<String, Object> setData(Map<String, Object> map, HttpServletRequest httpServletRequest, AMIdentity aMIdentity, AMIdentity aMIdentity2) throws IdRepoException, SSOException {
        HashMap hashMap = new HashMap();
        if (map.containsKey("claims")) {
            map = (Map) map.get("claims");
        }
        if (map.containsKey("premiuminfo")) {
            map = (Map) map.get("premiuminfo");
        }
        Set<String> scope = getScope();
        // Claim name -> repository attribute, limited to what the effective scope permits.
        TreeMap treeMap = new TreeMap(String.CASE_INSENSITIVE_ORDER);
        for (Map.Entry<String, String> entry : scope2repo.entrySet()) {
            if (!this.trust.booleanValue() && scope.size() != 0 && httpServletRequest.getAttribute("rt2data") == null) {
                Iterator<String> it = scope.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    if (StringUtils.startsWithIgnoreCase(entry.getKey(), it.next())) {
                        treeMap.put(entry.getKey(), entry.getValue());
                        break;
                    }
                }
            } else {
                treeMap.put(entry.getKey(), entry.getValue());
            }
        }
        User user = new User(aMIdentity);
        for (Map.Entry<String, Object> entry2 : map.entrySet()) {
            // Flatten {"value": x} to x (modifies the input map).
            if ((entry2.getValue() instanceof Map) && ((Map) entry2.getValue()).containsKey("value")) {
                entry2.setValue(((Map) entry2.getValue()).get("value"));
            }
            if (allow_edit.contains(entry2.getKey()) && treeMap.containsKey(entry2.getKey())) {
                try {
                    user.save(scope2repo.get(entry2.getKey()), entry2.getValue());
                    logger.info("set {} from {} {}={}", new Object[]{aMIdentity, aMIdentity2, entry2.getKey(), entry2.getValue()});
                } catch (Exception e) {
                    logger.warn("set {} from {} {}={}: {}", new Object[]{aMIdentity, aMIdentity2, entry2.getKey(), entry2.getValue(), e.toString()});
                }
            } else if (entry2.getKey().endsWith("_match")) {
                continue;
            } else if ((!entry2.getKey().endsWith("_hash") || this.sc.contains("mc_kyc_hashed")) && (entry2.getKey().endsWith("_hash") || this.sc.contains("mc_kyc_plain"))) {
                // "_hash" keys need mc_kyc_hashed, plain keys need mc_kyc_plain (raw requested scope).
                String str = scope2repo.get(entry2.getKey().replace("_hash", ""));
                String attr = str != null ? user.getAttr(str) : null;
                if (StringUtils.isBlank(attr)) {
                    hashMap.put(entry2.getKey().replace("_hash", "").concat("_match"), "N-NA");
                } else {
                    try {
                        String str2 = Hash.get(attr.getBytes("UTF-8"), "SHA-256");
                        hashMap.put(entry2.getKey().replace("_hash", "").concat("_match"), StringUtils.equals(entry2.getValue().toString(), entry2.getKey().endsWith("_hash") ? str2 : attr) ? "Y" : "N-AV");
                        if ("Y".equals(hashMap.get(entry2.getKey().replace("_hash", "").concat("_match")))) {
                            hashMap.put(entry2.getKey(), entry2.getKey().endsWith("_hash") ? str2 : attr);
                        }
                    } catch (UnsupportedEncodingException e2) {
                        throw new RuntimeException(e2);
                    }
                }
            } else {
                hashMap.put(entry2.getKey().replace("_hash", "").concat("_match"), "N-AD");
            }
            // Managed ("slave") accounts: recurse for each slave of this.identity whose sub matches.
            if (StringUtils.equals(entry2.getKey(), "profile:slaves") && (scope == null || scope.size() == 0 || scope.contains("profile:slaves") || scope.contains("profile") || this.trust.booleanValue())) {
                if (entry2.getValue() != null && (entry2.getValue() instanceof Map) && ((Map) entry2.getValue()).containsKey("profile:slaves:accounts")) {
                    Set<String> slaves = Idm2IdmHelper.getSlaves(this.identity);
                    SSOToken sSOToken = (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
                    for (String str3 : slaves) {
                        AMIdentity aMIdentity3 = new AMIdentity(sSOToken, str3);
                        // The null check can never fire after a constructor call; only isExists() matters.
                        if (aMIdentity3 == null || !aMIdentity3.isExists()) {
                            Idm2IdmHelper.removeManager(aMIdentity, str3);
                        } else {
                            for (Map.Entry entry3 : ((Map) ((Map) entry2.getValue()).get("profile:slaves:accounts")).entrySet()) {
                                if (StringUtils.equals(sub(aMIdentity3.getAttributes(this.sub.keySet())), (CharSequence) entry3.getKey())) {
                                    setData((Map) entry3.getValue(), httpServletRequest, aMIdentity3, aMIdentity);
                                }
                            }
                        }
                    }
                }
            }
        }
        return hashMap;
    }

    /**
     * Narrows the claim map according to two request parameters, each split on "," or " ":
     * "exclude" removes every key that starts (case-insensitively) with any listed token;
     * "scope" then removes every key that does not start with each listed token — so with
     * several tokens only keys matching all of them survive (NOTE(review): that may have
     * been meant as "any"; behaviour left unchanged). An empty "exclude" token clears the map.
     * Both parameters are caller-controlled but can only shrink the map, never add to it.
     *
     * @param httpServletRequest request providing "exclude" and "scope"
     * @param map                claims to filter (modified in place)
     */
    public static void filterScope(HttpServletRequest httpServletRequest, Map<String, ?> map) {
        String exclude = httpServletRequest.getParameter("exclude");
        if (StringUtils.isNotBlank(exclude)) {
            for (String prefix : new HashSet<>(Arrays.asList(exclude.split(",| ")))) {
                map.keySet().removeIf(key -> StringUtils.startsWithIgnoreCase(key, prefix));
            }
        }
        String scope = httpServletRequest.getParameter("scope");
        if (StringUtils.isNotBlank(scope)) {
            for (String prefix : new HashSet<>(Arrays.asList(scope.split(",| ")))) {
                map.keySet().removeIf(key -> !StringUtils.startsWithIgnoreCase(key, prefix));
            }
        }
    }

    /**
     * Builds the claims / userinfo map for {@code aMIdentity}.
     * <p>
     * "sub" is the raw sub for trusted clients; otherwise it is pairwise per audience:
     * a UUIDv5 of "aud@sub" when acr_values were requested, else Crypt.encryptLocal("aud@sub")
     * (presumably reversible with the server key, unlike the UUID). At top level
     * (aMIdentity2 == null with a request) the token claims iss/aud/exp/iat/auth_time/
     * scope/trust/nonce/amr/acr/azp and the SHA-256 of login_hint are added. For a real
     * identity: realm/type, then every scope2repo attribute permitted by the effective
     * scope (all of them when trusted, no scope requested, or request attribute "rt2data"
     * is set), further narrowed by the request's "exclude"/"scope" parameters (filterScope);
     * values fall back to SSO-token properties when the identity returned no attributes, and
     * each value is JSON-parsed by testOnRAW. With a session and the profile scope,
     * "profile:slaves" lists managed accounts (recursively) plus switch/add/delete links.
     *
     * @param httpServletRequest current request (may be null on nested calls)
     * @param aMIdentity         identity to describe
     * @param aMIdentity2        manager identity on a recursive call, null at top level
     * @return claims, passed through OAuth2Extension.enrichProfileData when an extension is registered
     * <p>
     * NOTE(review): the "login"/"delete" links embed the caller's SSO token id (IDToken1=)
     * and a host taken from the request, i.e. the session token is written into a response
     * body and into URLs (logs, browser history) — treat as session exposure and review.
     * NOTE(review): a null attribute set breaks out of the claims loop, silently dropping
     * every later claim (likely meant to be continue); multi-valued attributes keep only the
     * last value; login_hint is hashed via getBytes() with the platform default charset.
     */
    public Map<String, Object> getData(HttpServletRequest httpServletRequest, AMIdentity aMIdentity, AMIdentity aMIdentity2) throws SSOException, IdRepoException {
        HashMap hashMap = new HashMap();
        String sub = aMIdentity2 == null ? sub() : sub(aMIdentity.getAttributes(this.sub.keySet()));
        if (!this.trust.booleanValue()) {
            // Pairwise subject: never hand the raw identifier to an untrusted client.
            String concat = this.aud.concat("@").concat(sub);
            sub = this.acr_values.size() > 0 ? UUIDType5.nameUUIDFromNamespaceAndString(UUIDType5.NAMESPACE_OID, concat).toString() : Crypt.encryptLocal(concat);
        }
        hashMap.put("sub", sub);
        if (aMIdentity2 == null && httpServletRequest != null) {
            hashMap.put("iss", OAuth2.getIssuer(httpServletRequest));
            hashMap.put("aud", this.aud);
            hashMap.put("exp", Long.valueOf(this.exp.longValue() / 1000));
            hashMap.put("iat", Long.valueOf(this.a.longValue() / 1000));
            hashMap.put("scope", this.sc);
            hashMap.put("trust", this.trust);
            hashMap.put("aud:name", this.appName);
            hashMap.put("nonce", this.nonce);
            hashMap.put("amr", this.amr);
            hashMap.put("auth_time", Long.valueOf(this.a.longValue() / 1000));
            hashMap.put("acr", String.join(" ", this.acr_values));
            hashMap.put("azp", this.aud);
            if (this.lh != null) {
                hashMap.put("hashed_login_hint", Hash.get(this.lh.getBytes(), "SHA-256"));
            }
        }
        if (aMIdentity != null) {
            // Realm / account type, with two hard-coded overrides by name and "sn".
            String orgNameToRealmName = DNMapper.orgNameToRealmName(aMIdentity.getRealm());
            if (StringUtils.startsWith(aMIdentity.getName(), "comstar-")) {
                orgNameToRealmName = "/users&service=stream";
            } else if (aMIdentity.isExists() && CollectionUtils.containsAny(aMIdentity.getAttribute("sn"), new String[]{"lbsv"})) {
                orgNameToRealmName = "/users&service=mobile-and-fix";
            }
            String str = (String) Idm2Idm.org2type.get(orgNameToRealmName);
            if (str != null) {
                hashMap.put("profile:realm", orgNameToRealmName);
                hashMap.put("profile:type", str);
            }
            Set<String> scope = getScope();
            // Claim name -> repository attribute, limited to what the effective scope permits.
            TreeMap treeMap = new TreeMap(String.CASE_INSENSITIVE_ORDER);
            for (Map.Entry<String, String> entry : scope2repo.entrySet()) {
                if (!this.trust.booleanValue() && scope.size() != 0 && httpServletRequest.getAttribute("rt2data") == null) {
                    Iterator<String> it = scope.iterator();
                    while (true) {
                        if (!it.hasNext()) {
                            break;
                        }
                        if (StringUtils.startsWithIgnoreCase(entry.getKey(), it.next())) {
                            treeMap.put(entry.getKey(), entry.getValue());
                            break;
                        }
                    }
                } else {
                    treeMap.put(entry.getKey(), entry.getValue());
                }
            }
            // Caller-controlled "exclude"/"scope" parameters may only remove claims.
            filterScope(httpServletRequest, treeMap);
            SSOToken token = Authentificate.getToken(httpServletRequest);
            Map attributes = aMIdentity.isExists() ? aMIdentity.getAttributes(new HashSet(treeMap.values())) : Collections.EMPTY_MAP;
            for (Map.Entry entry2 : treeMap.entrySet()) {
                Set set = (Set) attributes.get(entry2.getValue());
                // No repository attributes at all: fall back to the session property of the same name.
                if (set == null && attributes.isEmpty() && token != null) {
                    String property = token.getProperty((String) entry2.getValue(), true);
                    if (StringUtils.isNotBlank(property)) {
                        set = new TreeSet(Arrays.asList(property));
                    }
                }
                // break, not continue: all remaining claims are skipped once one attribute is missing.
                if (set == null) {
                    break;
                }
                if (set.size() == 1) {
                    hashMap.put(entry2.getKey(), testOnRAW((String) set.iterator().next()));
                } else if (set.size() > 1) {
                    Iterator it2 = set.iterator();
                    while (it2.hasNext()) {
                        hashMap.put(entry2.getKey(), testOnRAW((String) it2.next()));
                    }
                }
            }
            if ("/b2c/dbo".equalsIgnoreCase(orgNameToRealmName)) {
                // iterator().next() throws NoSuchElementException when employeeNumber is absent.
                Set attribute = aMIdentity.getAttribute("employeeNumber");
                hashMap.put("dbo:id", attribute.size() > 1 ? attribute : attribute.iterator().next());
            }
            if (token != null && ((scope == null || scope.size() == 0 || scope.contains("profile:slaves") || scope.contains("profile") || this.trust.booleanValue()) && aMIdentity.isExists())) {
                // The raw session token id is embedded in every link built below.
                String sSOTokenID = token.getTokenID().toString();
                URI uRIPrefix = getURIPrefix(httpServletRequest);
                if (aMIdentity2 == null) {
                    Set<String> slaves = Idm2IdmHelper.getSlaves(this.identity);
                    hashMap.put("profile:slaves", new HashMap());
                    ((HashMap) hashMap.get("profile:slaves")).put("profile:slaves:accounts", new HashMap());
                    if (slaves.size() > 0) {
                        SSOToken sSOToken = (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
                        for (String str2 : slaves) {
                            AMIdentity identity = IdUtils.getIdentity(sSOToken, str2);
                            if (identity == null || !identity.isExists()) {
                                Idm2IdmHelper.removeManager(this.identity, str2);
                            } else {
                                ((HashMap) ((HashMap) hashMap.get("profile:slaves")).get("profile:slaves:accounts")).put(sub(identity.getAttributes(this.sub.keySet())), getData(httpServletRequest, identity, aMIdentity));
                            }
                        }
                        try {
                            hashMap.put("login", uRIPrefix.resolve("/amserver/UI/Login?service=oauth2sso&IDToken1=" + URLEncoder.encode(sSOTokenID, "UTF-8") + "&goto=".concat(URLEncoder.encode("/amserver/UI/Login?service=idp2idp".concat("&IDButton=switch&IDToken1=").concat(URLEncoder.encode(this.identity.getUniversalId(), "UTF-8")).concat("&org=").concat(URLEncoder.encode(DNMapper.orgNameToRealmName(this.identity.getRealm()), "UTF-8")).concat("&ForceAuth=true&goto="), "UTF-8"))));
                        } catch (Exception e) {
                            logger.warn("{}", this.identity, e);
                        }
                    }
                    HashMap hashMap2 = new HashMap();
                    for (Map.Entry entry3 : Idm2Idm.org2type.entrySet()) {
                        try {
                            hashMap2.put(entry3.getValue(), uRIPrefix.resolve("/amserver/UI/Login?service=oauth2sso&IDToken1=" + URLEncoder.encode(sSOTokenID, "UTF-8") + "&goto=".concat(URLEncoder.encode("/amserver/UI/Login?org=".concat(((String) entry3.getKey()).replace("/", "%2F")).concat("&ForceAuth=true&login_hint=&goto="), "UTF-8"))));
                        } catch (Exception e2) {
                            logger.warn("{}", this.identity, e2);
                        }
                    }
                    if (hashMap2.size() > 0) {
                        ((HashMap) hashMap.get("profile:slaves")).put("profile:slaves:add", hashMap2);
                    }
                } else {
                    try {
                        hashMap.put("login", uRIPrefix.resolve("/amserver/UI/Login?service=oauth2sso&IDToken1=" + URLEncoder.encode(sSOTokenID, "UTF-8") + "&goto=".concat(URLEncoder.encode("/amserver/UI/Login?service=idp2idp".concat("&IDButton=switch&IDToken1=").concat(URLEncoder.encode(aMIdentity.getUniversalId(), "UTF-8")).concat("&org=").concat(URLEncoder.encode(orgNameToRealmName, "UTF-8")).concat("&ForceAuth=true&goto="), "UTF-8"))));
                        hashMap.put("delete", uRIPrefix.resolve("/amserver/UI/Login?service=oauth2sso&IDToken1=" + URLEncoder.encode(sSOTokenID, "UTF-8") + "&goto=".concat(URLEncoder.encode("/amserver/UI/Login?service=idp2idp".concat("&IDButton=delete&IDToken1=").concat(URLEncoder.encode(aMIdentity.getUniversalId(), "UTF-8")).concat("&ForceAuth=true&goto="), "UTF-8"))));
                    } catch (Exception e3) {
                        logger.warn("{}", this.identity, e3);
                    }
                }
                if (aMIdentity2 == null) {
                    // Accounts that reference this identity as manager but were not listed as slaves get a delete link only.
                    try {
                        for (AMIdentity aMIdentity3 : Idm2IdmHelper.getReferences(this.identity)) {
                            if (((HashMap) ((HashMap) hashMap.get("profile:slaves")).get("profile:slaves:accounts")).get(aMIdentity3.getUniversalId()) == null) {
                                HashMap hashMap3 = new HashMap();
                                try {
                                    hashMap3.put("delete", getURIPrefix(httpServletRequest).resolve("/amserver/UI/Login?service=oauth2sso&IDToken1=" + URLEncoder.encode(sSOTokenID, "UTF-8") + "&goto=".concat(URLEncoder.encode("/amserver/UI/Login?service=idp2idp".concat("&IDButton=delete&IDToken1=").concat(URLEncoder.encode(aMIdentity3.getUniversalId(), "UTF-8")).concat("&ForceAuth=true&goto="), "UTF-8"))));
                                } catch (Exception e4) {
                                    logger.warn("{}", aMIdentity3, e4);
                                }
                                ((HashMap) ((HashMap) hashMap.get("profile:slaves")).get("profile:slaves:accounts")).put(aMIdentity3.getUniversalId(), hashMap3);
                            }
                        }
                    } catch (RuntimeException e5) {
                        logger.warn("search manager {}", this.identity, e5);
                    }
                }
            }
        }
        OAuth2Extension extenstion = OAuth2ExtensionHolder.getExtenstion();
        return extenstion != null ? extenstion.enrichProfileData(hashMap, httpServletRequest, aMIdentity, aMIdentity2) : hashMap;
    }

    /**
     * Base URI of the current request: scheme://serverName[:port] followed by the request URI.
     * The port is appended whenever it is positive (443 included — the original special case
     * for 443 was a no-op).
     * <p>
     * NOTE(review): scheme, server name and port come straight from the request (Host header /
     * proxy), so links built on this prefix in getData() point wherever the client said they
     * should; if those links are security-relevant, derive the external host from configuration.
     *
     * @param httpServletRequest current request
     * @return absolute URI of the request, without query string
     */
    public URI getURIPrefix(HttpServletRequest httpServletRequest) {
        String authority = httpServletRequest.getScheme().concat("://").concat(httpServletRequest.getServerName());
        int port = httpServletRequest.getServerPort();
        if (port > 0) {
            authority = authority.concat(":").concat(Integer.toString(port));
        }
        try {
            return new URI(authority.concat(httpServletRequest.getRequestURI()));
        } catch (URISyntaxException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Parses an attribute value as JSON with the shared mapper so structured values
     * (objects, arrays, numbers, booleans) are emitted as such; anything the mapper
     * rejects — including the case of an unset mapper — comes back as the original string.
     * <p>
     * NOTE(review): repository values are parsed here as untrusted JSON; the mapper's
     * configuration (default typing in particular) lives outside this view — verify it.
     *
     * @param str raw attribute value
     * @return the parsed JSON object, or {@code str} itself
     */
    Object testOnRAW(String str) {
        Object parsed;
        try {
            parsed = mapper.readValue(str, Object.class);
        } catch (Exception notJson) {
            // Deliberate fallback: non-JSON (or unparsable) values are returned verbatim.
            parsed = str;
        }
        return parsed;
    }

    /**
     * Intersects the requested scope with the client's allowed scope by prefix and always adds "sub".
     * <p>
     * Rules, after legacy names in {@code set} are rewritten in place by fixOldScope:
     * nothing requested -> every allowed scope is granted; nothing allowed (null or empty)
     * -> every requested scope is granted unfiltered; otherwise a requested scope is granted
     * when it starts with an allowed one, and an allowed scope is granted when it starts with
     * a requested one (so requesting a short prefix yields all allowed scopes under it).
     * <p>
     * NOTE(review): a client whose "oauth-app-scope" attribute is missing or empty therefore
     * gets whatever it asks for; the prefix test is case-sensitive even though the result set
     * is case-insensitive.
     *
     * @param set  requested scope (mutated by fixOldScope; may be null)
     * @param set2 allowed scope of the client (may be null)
     * @return the granted scope, case-insensitive, containing "sub"
     */
    static Set<String> checkScope(Set<String> set, Set<String> set2) {
        Set<String> granted = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        fixOldScope(set);
        boolean nothingRequested = set == null || set.isEmpty();
        boolean nothingAllowed = set2 == null || set2.isEmpty();
        if (nothingRequested) {
            if (set2 != null) {
                granted.addAll(set2);
            }
        } else if (nothingAllowed) {
            granted.addAll(set);
        } else {
            for (String requested : set) {
                for (String allowed : set2) {
                    if (requested.startsWith(allowed)) {
                        granted.add(requested);
                    } else if (allowed.startsWith(requested)) {
                        granted.add(allowed);
                    }
                }
            }
        }
        granted.add("sub");
        return granted;
    }

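    /**
     * Validates an authorization request (authorization-code flow) and fills this permission from
     * the request: state, correlation_id, client, redirect target, scopes, PKCE challenge,
     * access_type, nonce, login_hint and the "trusted client" flag.
     *
     * <p>Every failed check throws {@link invalid_request} (or {@code access_denied} for
     * {@code result=0}) naming the offending parameter. The redirect target ({@code f0ru}) is built
     * first, with {@code state} (and {@code correlation_id}) already appended, so later stages only
     * append {@code &code=...} to it.
     *
     * <p>When the client has a registered success URL, {@code redirect_uri} must lie under it: same
     * scheme, host and effective port, and its path/query must start with the registered path/query
     * (see {@link #redirectWithinAllowed}). A plain string-prefix comparison is not enough here, as it
     * would accept a host that merely begins with the registered one.
     *
     * @param oAuth2Auth the login module carrying the servlet request and module options
     * @throws invalid_request when a mandatory parameter is missing or invalid
     * @throws AuthLoginException propagated from the client lookup
     */
    public void auth(OAuth2Auth oAuth2Auth) throws invalid_request, unsupported_response_type, unauthorized_client, AuthLoginException {
        HttpServletRequest request = oAuth2Auth.getHttpServletRequest();
        this.st = request.getParameter("state");
        this.cid = request.getParameter("correlation_id");
        String redirectUri = request.getParameter("redirect_uri");
        if (StringUtils.isBlank(redirectUri)) {
            throw new invalid_request(oAuth2Auth, "redirect_uri is invalid");
        }
        try {
            URL url = getURL(redirectUri);
            String correlation = StringUtils.isBlank(this.cid) ? "" : MessageFormat.format("&correlation_id={0}", OAuth2Auth.uriencode(this.cid));
            this.f0ru = MessageFormat.format("{0}{1}state={2}{3}", url.toString(), url.getQuery() == null ? "?" : "&", OAuth2Auth.uriencode(this.st), correlation);
            client_id client = new client_id(oAuth2Auth, request.getParameter("client_id"));
            if (client.identity == null) {
                throw new invalid_request(oAuth2Auth, "client_id is invalid");
            }
            String successURL = client.getSuccessURL();
            // A registered success URL pins the redirect target (scheme/host/port exact, path prefix).
            if (!StringUtils.isBlank(successURL) && !redirectWithinAllowed(url, getURL(successURL))) {
                throw new invalid_request(oAuth2Auth, "redirect_uri is invalid");
            }
            this.appName = client.getName();
            this.aud = client.getAud();
            this.bid = client.getBid();
            // "result" reports the outcome of an earlier stage; presumably set by the login chain — TODO confirm
            String result = request.getParameter("result");
            if ("0".equalsIgnoreCase(result)) {
                throw new access_denied(oAuth2Auth, "The client is not authorized to request an authorization code");
            }
            if ("1".equalsIgnoreCase(result)) {
                throw new invalid_request(oAuth2Auth, "Invalid value for login_hint or login_hint_token");
            }
            if ("3".equalsIgnoreCase(result)) {
                throw new invalid_request(oAuth2Auth, "Unable to negotiate authentication level by acr_values");
            }
            String version = request.getParameter("version");
            String acrValues = request.getParameter("acr_values");
            if (StringUtils.isNotBlank(version) && !OAuth2.version.contains(version)) {
                throw new invalid_request(oAuth2Auth, "MANDATORY parameter version is missing / invalid");
            }
            // a versioned request must also negotiate an authentication level
            if (StringUtils.isNotBlank(version) && StringUtils.isBlank(acrValues)) {
                throw new invalid_request(oAuth2Auth, "MANDATORY parameter acr_values is missing / invalid");
            }
            if (StringUtils.isNotBlank(acrValues)) {
                String[] requestedAcr = acrValues.split(" ");
                if (!OAuth2.acr_values.containsAll(Arrays.asList(requestedAcr))) {
                    throw new invalid_request(oAuth2Auth, "MANDATORY parameter acr_values is missing / invalid");
                }
                this.acr_values.addAll(Arrays.asList(requestedAcr));
            }
            if (StringUtils.isBlank(this.st)) {
                throw new invalid_request(oAuth2Auth, "RECOMMENDED parameter state is invalid");
            }
            if (!StringUtils.equalsIgnoreCase(request.getParameter("response_type"), "code")) {
                throw new invalid_request(oAuth2Auth, "MANDATORY parameter response_type is missing or value is invalid");
            }
            String accessType = request.getParameter("access_type");
            // substring test: any value containing "offline"/"online" passes, but only an exact "offline" selects offline access
            if (accessType != null && !StringUtils.containsAny(accessType, new CharSequence[]{"offline", "online"})) {
                throw new invalid_request(oAuth2Auth, "OPTIONAL parameter access_type invalid");
            }
            this.act = StringUtils.equalsIgnoreCase(accessType, "offline") ? access_type.offline : access_type.online;
            this.code_challenge = request.getParameter("code_challenge");
            String challengeMethod = request.getParameter("code_challenge_method");
            if (this.code_challenge != null) {
                if ("S256".equalsIgnoreCase(challengeMethod)) {
                    this.code_challenge_method = code_challenge_methods.S256;
                } else if (challengeMethod == null || "plain".equalsIgnoreCase(challengeMethod)) {
                    // an absent method defaults to plain
                    this.code_challenge_method = code_challenge_methods.plain;
                } else {
                    throw new invalid_request(oAuth2Auth, "PKCE code_challenge_method invalid");
                }
            } else if (CollectionHelper.getBooleanMapAttr(oAuth2Auth.options, "ru.org.openam.auth.modules.OAuth2Auth.PKCE", false)) {
                // PKCE can be made mandatory by module configuration
                throw new invalid_request(oAuth2Auth, "MANDATORY parameter code_challenge is missing");
            }
            String scope = request.getParameter("scope");
            if (StringUtils.isBlank(scope)) {
                throw new invalid_request(oAuth2Auth, "MANDATORY parameter scope is missing");
            }
            if (StringUtils.contains(scope, "openid") && StringUtils.isBlank(request.getParameter("nonce")) && !StringUtils.isBlank(acrValues)) {
                throw new invalid_request(oAuth2Auth, "MANDATORY parameter nonce is missing (or) invalid.");
            }
            this.nonce = request.getParameter("nonce");
            this.lh = request.getParameter("login_hint");
            // client.identity was null-checked above, so the requested scopes are always intersected with the client's restrictions
            this.sc = checkScope(new HashSet<>(Arrays.asList(scope.split(",| "))), getRestrictScope(client.identity));
            Set trusted = (Set) oAuth2Auth.options.get("ru.org.openam.auth.modules.OAuth2Auth.pub.trusted");
            // an empty trusted list trusts every client; an absent list trusts none
            this.trust = Boolean.valueOf(trusted != null && (trusted.isEmpty() || trusted.contains(client.getOwnerName())));
        } catch (MalformedURLException e) {
            throw new invalid_request(oAuth2Auth, "redirect_uri is invalid");
        }
    }

    /**
     * Checks that {@code redirect} lies under {@code allowed}: same scheme and host
     * (case-insensitive), same effective port (default port when none is given), and the
     * redirect's path+query starts with the allowed path+query.
     *
     * <p>Comparing the URL components rather than the whole string is what stops a registered
     * {@code https://host} from also admitting {@code https://host.other} or {@code https://host@other}.
     *
     * @param redirect the redirect_uri sent by the client
     * @param allowed  the client's registered success URL
     * @return true when the redirect is within the allowed URL
     */
    private static boolean redirectWithinAllowed(URL redirect, URL allowed) {
        if (!StringUtils.equalsIgnoreCase(redirect.getProtocol(), allowed.getProtocol())) {
            return false;
        }
        if (!StringUtils.equalsIgnoreCase(redirect.getHost(), allowed.getHost())) {
            return false;
        }
        int redirectPort = redirect.getPort() == -1 ? redirect.getDefaultPort() : redirect.getPort();
        int allowedPort = allowed.getPort() == -1 ? allowed.getDefaultPort() : allowed.getPort();
        if (redirectPort != allowedPort) {
            return false;
        }
        // getFile() is path plus query, which keeps the original prefix semantics for the path part
        return StringUtils.startsWith(redirect.getFile(), allowed.getFile());
    }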

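    /**
     * Builds a permission for a token request that carries no previously stored permission, i.e.
     * no accept dialog was shown for it. The client is resolved from the request (parameter, Basic
     * header or SSO token), the requested scopes are intersected with its restrictions, and the
     * subject is either the client identity itself or the user of the pre-authenticated session.
     *
     * <p>Only trusted clients may take this path: when the client is not listed in
     * {@code ru.org.openam.auth.modules.OAuth2Auth.pub.trusted} (an empty list trusts every client,
     * an absent list trusts none) an {@link invalid_request} is thrown. Previously an absent list
     * caused a NullPointerException here instead.
     *
     * @param oAuth2Token the token login module carrying the request and an optional pre-session
     * @throws invalid_request when the client is not trusted
     * @throws AuthLoginException when the client or identity cannot be resolved ({@code invalid_client})
     */
    public Permission(OAuth2Token oAuth2Token) throws invalid_request, unsupported_response_type, unauthorized_client, AuthLoginException {
        this.p = false;
        this.sc = new TreeSet(String.CASE_INSENSITIVE_ORDER);
        this.org = "b2c";
        this.sub = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        this.act = access_type.online;
        this.trust = false;
        this.props = new HashMap();
        this.restrictScope = null;
        this.acr_values = new HashSet(1);
        this.exp = Long.valueOf(System.currentTimeMillis());
        this.getOAuth2AuthOptions = new HashMap();
        HttpServletRequest request = oAuth2Token.getHttpServletRequest();
        com.iplanet.dpro.session.Session preSession = oAuth2Token.pre$session;
        // offline access is only honoured when a pre-authenticated session exists
        this.act = (preSession == null || !StringUtils.equalsIgnoreCase(request.getParameter("access_type"), "offline")) ? access_type.online : access_type.offline;
        try {
            client_id client = new client_id(oAuth2Token, getClientId(request));
            if (client.identity != null) {
                String scope = request.getParameter("scope");
                String[] requested = scope == null ? new String[0] : scope.split(",| ");
                this.sc = checkScope(new HashSet<>(Arrays.asList(requested)), getRestrictScope(client.identity));
            }
            this.appName = client.getName();
            this.aud = client.getAud();
            this.org = preSession == null ? client.getIdentity().getRealm() : preSession.getPropertyWithoutValidation("Organization");
            this.service = preSession != null ? preSession.getPropertyWithoutValidation("Service") : null;
            Set<String> trusted = getOAuth2AuthOptions().get("ru.org.openam.auth.modules.OAuth2Auth.pub.trusted");
            // null-safe: an unset option means "not trusted" (same rule as auth()), not an NPE
            this.trust = Boolean.valueOf(trusted != null && (trusted.isEmpty() || trusted.contains(client.getOwnerName())));
            if (!this.trust.booleanValue()) {
                throw new invalid_request(oAuth2Token, "untrusted client_id: cannot use without accept dialog");
            }
            AMIdentity subject = preSession == null
                    ? client.getIdentity()
                    : IdUtils.getIdentity((SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance()), preSession.getPropertyWithoutValidation("sun.am.UniversalIdentifier"));
            accept(oAuth2Token, subject, getOAuth2AuthOptions().get("ru.org.openam.auth.modules.OAuth2Auth.sub"));
        } catch (SSOException | IdRepoException e) {
            throw new invalid_client(oAuth2Token, "server error: " + e.getMessage());
        }
    }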

    /**
     * Parses a redirect target. The out-of-band pseudo-URI {@code urn:ietf:wg:oauth:2.0:oob}
     * (matched case-insensitively as a prefix) is not a URL, so it is rewritten to
     * {@code http://urn.ietf.wg.oauth.2.0.oob...} (every colon becomes a dot) so the same
     * {@link URL}-based handling applies; anything else is parsed unchanged.
     *
     * @param str the redirect_uri as sent by the client; null is rejected by {@link URL}
     * @return the parsed URL
     * @throws MalformedURLException when {@code str} is not a valid URL
     */
    static URL getURL(String str) throws MalformedURLException {
        final String oob = "urn:ietf:wg:oauth:2.0:oob";
        boolean outOfBand = str != null && str.regionMatches(true, 0, oob, 0, oob.length());
        String target = outOfBand ? "http://" + str.replace(":", ".") : str;
        return new URL(target);
    }

    /**
     * Whether the consent ("accept") dialog can be skipped: the client is trusted, only the
     * implicit {@code sub} scope is requested, or — in test builds only — a {@code trust} scope
     * is present.
     *
     * @return true when no accept dialog is needed
     */
    public boolean ignoreAccept() {
        if (this.trust.booleanValue()) {
            return true;
        }
        boolean onlySub = this.sc.size() == 1 && this.sc.contains("sub");
        if (onlySub) {
            return true;
        }
        return Version.isTest() && this.sc.contains("trust");
    }

    /**
     * Records the subject of this permission and opens the bookkeeping {@link Session} used for
     * statistics. For an existing identity the attributes named in {@code set} are copied into
     * {@code sub}; for a non-existent one only {@code uid} = identity name is stored.
     *
     * @param aMLoginModule the active login module (request/response and session properties)
     * @param aMIdentity    the subject being authorized
     * @param set           attribute names to expose in {@code sub}
     */
    void accept(AMLoginModule aMLoginModule, AMIdentity aMIdentity, Set<String> set) throws SSOException, IdRepoException, AuthLoginException {
        HttpServletRequest request = aMLoginModule.getHttpServletRequest();
        this.identity = aMIdentity;
        this.dn = aMIdentity.getUniversalId();
        this.org = aMIdentity.getRealm();
        if (!aMIdentity.isExists()) {
            this.sub.put("uid", new HashSet(Arrays.asList(aMIdentity.getName())));
        } else {
            this.sub.putAll(aMIdentity.getAttributes(set));
        }
        String application = getApplication();
        aMLoginModule.setUserSessionProperty("am.protected.oauth2.client_name", application);
        Session bookkeeping = new Session(request, aMLoginModule.getHttpServletResponse());
        bookkeeping.extra.put(client_name.class.getName(), application);
        bookkeeping.extra.put(UserAgent.class.getName(), request.getHeader("user-agent"));
        this.s = bookkeeping;
    }

    /**
     * Completes the authorization step: binds the authenticated user to this permission, creates a
     * short-lived internal session whose id serves as the authorization code (the serialized
     * permission travels inside it as {@code am.protected.oauth2.accept}), and routes the browser
     * either to the out-of-band page or back to the client's redirect URL with {@code &code=}.
     *
     * @param oAuth2Auth the login module holding the authenticated user token and login state
     */
    public void accept(OAuth2Auth oAuth2Auth) throws SSOException, AuthLoginException, IdRepoException {
        HttpServletRequest request = oAuth2Auth.getHttpServletRequest();
        this.a = Long.valueOf(System.currentTimeMillis());
        SSOToken adminToken = (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance());
        accept(oAuth2Auth, IdUtils.getIdentity(adminToken, oAuth2Auth.userToken.getProperty("sun.am.UniversalIdentifier")), (Set) oAuth2Auth.options.get("ru.org.openam.auth.modules.OAuth2Auth.sub"));
        this.service = oAuth2Auth.userToken.getProperty("Service", true);
        this.modules = oAuth2Auth.userToken.getProperty("AuthType", true);
        this.level = Integer.valueOf(oAuth2Auth.userToken.getAuthLevel());
        String application = getApplication();
        oAuth2Auth.setUserSessionProperty("am.protected.oauth2.client_name", application);
        this.s = new Session(request, oAuth2Auth.getHttpServletResponse());
        this.s.extra.put(client_name.class.getName(), application);
        this.s.extra.put(UserAgent.class.getName(), request.getHeader("user-agent"));
        // the code-session is owned by a derived "oauth2-" principal, not by the user's own id
        String codeOwner = oAuth2Auth.userToken.getPrincipal().getName().replace("id=", "id=oauth2-");
        String orgDN = oAuth2Auth.ls.getOrgDN();
        SessionService sessionService = (SessionService) InjectorHolder.getInstance(SessionService.class);
        InternalSession codeSession = sessionService.newInternalSession(orgDN, false);
        codeSession.setClientID(codeOwner);
        codeSession.setClientDomain(orgDN);
        codeSession.putProperty("sun.am.UniversalIdentifier", codeOwner);
        // serialized permission, restored by access_token() when the code is exchanged
        codeSession.putProperty("am.protected.oauth2.accept", toString());
        codeSession.setMaxCachingTime(4L);
        codeSession.setMaxIdleTime(5L);
        codeSession.setMaxSessionTime(6L);
        codeSession.setType(SessionType.USER);
        codeSession.putProperty("Host", oAuth2Auth.ls.getClient());
        codeSession.activate(codeOwner);
        ((AuthenticationSessionStore) InjectorHolder.getInstance(AuthenticationSessionStore.class)).promoteSession(codeSession.getID());
        String code = codeSession.getID().toString();
        if (StringUtils.containsIgnoreCase(this.f0ru, "urn.ietf.wg.oauth.2.0.oob")) {
            // out-of-band: the code is shown on a page instead of being redirected
            request.setAttribute("ru.org.openam.auth.modules.OAuth2Auth.result", MessageFormat.format("Success code={0}&state={1}&correlation_id={2}", code, this.st, this.cid));
            request.setAttribute("PostProcessLoginSuccessURL", MessageFormat.format("{0}?forward=true", UIRequestWrapper.getDefaultFileName(request, "urn-ietf-wg-oauth-2.0-oob.jsp")));
        } else {
            String successUrl = MessageFormat.format("{0}&code={1}", this.f0ru, OAuth2Auth.uriencode(code));
            oAuth2Auth.setLoginSuccessURL(successUrl);
            oAuth2Auth.ls.setSuccessLoginURL(successUrl);
        }
        request.setAttribute("ru.org.openam.auth.modules.OAuth2Auth.app", application);
        logger.info("{}", codeSession);
        Stat.auth(oAuth2Auth.userToken, this);
    }

    /**
     * Human-readable descriptions of the granted scopes, de-duplicated case-insensitively and
     * sorted (prefix-matched scopes included, see {@link #getSubjectsMap(boolean)}).
     *
     * @return a new, sorted list of scope descriptions
     */
    public ArrayList<String> getSubjects() {
        Set<String> sorted = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (String description : getSubjectsMap(false).values()) {
            sorted.add(description);
        }
        return new ArrayList<>(sorted);
    }

    /**
     * Maps each granted scope to its description from the scope provider, in scope order.
     *
     * <p>A scope matches a provider entry by exact name, or — unless {@code z} is true — when the
     * entry name starts with the scope (case-insensitive). Offline access adds the {@code offline}
     * entry. When no scope is granted at all, a fixed default description set is returned instead.
     *
     * @param z true to require exact scope names, false to also include prefix matches
     * @return insertion-ordered map of scope name to description
     */
    public Map<String, String> getSubjectsMap(boolean z) {
        LinkedHashMap subjects = new LinkedHashMap();
        Set<String> scope = getScope();
        boolean offline = access_type.offline.equals(this.act);
        if (!CollectionUtils.isNotEmpty(scope)) {
            // no scopes at all: fall back to the built-in descriptions
            subjects.put("profile", "Данные о владельце (ФИО или название организации, дата рождения, предпочтения и персональные предложения);");
            subjects.put("mobile", "Данные об услугах связи (номер телефона, номер личного счета, баланс лицевого счета, информация участника в программе «МТС Бонус», список услуг мобильной связи, список услуг передачи данных, тарифный план).");
            if (offline) {
                subjects.put("offline", "Доступ к данным запрашивается на неограниченный срок");
            }
            return subjects;
        }
        // assumes getScopeList() returns the same mapping on every call — TODO confirm
        Map scopes = scopeProvider.getScopeList();
        for (String granted : scope) {
            for (Object o : scopes.entrySet()) {
                Map.Entry entry = (Map.Entry) o;
                CharSequence name = (CharSequence) entry.getKey();
                boolean matches = StringUtils.equals(name, granted) || (!z && StringUtils.startsWithIgnoreCase(name, granted));
                if (matches) {
                    subjects.put(entry.getKey(), ((Scope) entry.getValue()).getDescription());
                }
            }
        }
        if (offline) {
            subjects.put("offline", ((Scope) scopes.get("offline")).getDescription());
        }
        return subjects;
    }

    /**
     * Display name of the client application this permission was granted to.
     *
     * @return the application name as resolved from the client registration
     */
    public String getApplication() {
        return appName;
    }

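    /**
     * Extracts the client identifier from a token request, in order of precedence: the
     * {@code client_id} parameter, the user part of an HTTP Basic {@code Authorization} header, or
     * the {@code am.protected.oauth2.client_id} property of the caller's SSO token.
     *
     * <p>The Basic scheme is matched case-insensitively both when the header is detected and when
     * the scheme is stripped; previously only the exact spelling {@code Basic} was stripped, so a
     * differently-cased scheme was base64-decoded together with its name. The credentials are
     * decoded as UTF-8 rather than the platform charset.
     *
     * @param httpServletRequest the token request
     * @return the client id, or null when none is present or the header/token cannot be read
     */
    public static String getClientId(HttpServletRequest httpServletRequest) {
        String fromParameter = httpServletRequest.getParameter("client_id");
        if (fromParameter != null) {
            return fromParameter;
        }
        String header = httpServletRequest.getHeader("Authorization");
        if (StringUtils.startsWithIgnoreCase(header, "Basic ")) {
            try {
                String encoded = header.replaceFirst("(?i)^Basic\\s+", "");
                String decoded = new String(Base64.decodeBase64(encoded), StandardCharsets.UTF_8);
                // split(":", 2) always yields at least one element: the user part, possibly empty
                return decoded.split(":", 2)[0];
            } catch (IllegalArgumentException e) {
                return null;
            }
        }
        SSOToken token = Authentificate.getToken(httpServletRequest);
        if (token == null) {
            return null;
        }
        try {
            return token.getProperty("am.protected.oauth2.client_id", true);
        } catch (SSOException e) {
            return null;
        }
    }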

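    /**
     * Extracts the client secret from a token request: the {@code client_secret} parameter, or the
     * password part of an HTTP Basic {@code Authorization} header.
     *
     * <p>Mirrors {@link #getClientId}: the Basic scheme is matched and stripped case-insensitively
     * (previously only the exact spelling {@code Basic} was stripped), the credentials are decoded
     * as UTF-8, and an undecodable header yields null instead of propagating.
     *
     * @param httpServletRequest the token request
     * @return the client secret, or null when none is present or the header cannot be decoded
     */
    public static String getClientSecret(HttpServletRequest httpServletRequest) {
        String fromParameter = httpServletRequest.getParameter("client_secret");
        if (fromParameter != null) {
            return fromParameter;
        }
        String header = httpServletRequest.getHeader("Authorization");
        if (!StringUtils.startsWithIgnoreCase(header, "Basic ")) {
            return null;
        }
        try {
            String encoded = header.replaceFirst("(?i)^Basic\\s+", "");
            String[] credentials = new String(Base64.decodeBase64(encoded), StandardCharsets.UTF_8).split(":", 2);
            // no ':' in the decoded value means no secret was supplied
            return credentials.length > 1 ? credentials[1] : null;
        } catch (IllegalArgumentException e) {
            return null;
        }
    }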

    /**
     * Token endpoint: exchanges an authorization code, a refresh token or client credentials for an
     * access token. The resulting {@code access_token} is stored as a request attribute; the return
     * value is the module principal — the SHA-256 hex of the user id, or of the refresh-token UID
     * when one is involved — or null for {@code client_credentials}.
     *
     * <p>Authorization codes are session ids (created in {@code accept(OAuth2Auth)}); the permission
     * serialized into that session's {@code am.protected.oauth2.accept} property is restored here and
     * the redirect_uri and PKCE checks run against it. Per the catch clause at the end, a
     * {@link SessionException} is taken to mean the code was already consumed. After the token is
     * issued, the per-application limit ({@code ru.org.openam.auth.modules.OAuth2Auth.max_per_app})
     * is enforced by destroying the oldest refresh tokens and access sessions.
     *
     * <p>NOTE(review): {@code r13} (used for the refresh_token.replace path) is not declared anywhere
     * in this listing — a decompiler artifact; see the inline notes for other suspicious spots.
     *
     * @param oAuth2Token the token login module carrying the request, options and login state
     * @return the OAuth2 principal, or null for {@code client_credentials}
     * @throws invalid_request when a parameter is missing/invalid or the code is reused/unknown
     * @throws AuthLoginException for the other error outcomes thrown here ({@code invalid_client},
     *         {@code invalid_grant}, {@code unsupported_grant_type}), which must be covered by this clause
     */
    public static OAuth2Principal access_token(OAuth2Token oAuth2Token) throws invalid_request, AuthLoginException {
        HttpServletRequest httpServletRequest = oAuth2Token.getHttpServletRequest();
        try {
            if (StringUtils.isBlank(getClientId(httpServletRequest))) {
                throw new invalid_client(oAuth2Token, "MANDATORY parameter client_id is missing");
            }
            Permission permission = null;
            refresh_token refresh_tokenVar = null;
            if (StringUtils.isBlank(httpServletRequest.getParameter("grant_type"))) {
                throw new unsupported_grant_type(oAuth2Token, "Request was missing the 'grant_type' parameter.");
            }
            if (StringUtils.equalsIgnoreCase(httpServletRequest.getParameter("grant_type"), "authorization_code")) {
                if (StringUtils.isBlank(httpServletRequest.getParameter("code"))) {
                    throw new invalid_request(oAuth2Token, "MANDATORY parameter code is missing");
                }
                // The authorization code is the id of the session created in accept(OAuth2Auth).
                SessionID sessionID = new SessionID(httpServletRequest.getParameter("code"));
                oAuth2Token.pre$session = com.iplanet.dpro.session.Session.getSession(sessionID);
                if (oAuth2Token.pre$session != null && SystemProperties.getAsBoolean("ru.org.openam.oauth.v2.data.access_token.ipFromCode", true)) {
                    oAuth2Token.ls.setClient(oAuth2Token.pre$session.getPropertyWithoutValidation("Host"));
                }
                // NOTE(review): pre$session is null-checked on the line above but dereferenced unguarded here;
                // a null ends in the Throwable catch below as "unsupported authorization code".
                String propertyWithoutValidation = oAuth2Token.pre$session.getPropertyWithoutValidation("am.protected.oauth2.accept");
                if (StringUtils.isNoneBlank(new CharSequence[]{propertyWithoutValidation})) {
                    logger.info("found code={}: {}", sessionID, propertyWithoutValidation);
                    permission = fromString(propertyWithoutValidation);
                    if (StringUtils.isBlank(httpServletRequest.getParameter("redirect_uri"))) {
                        throw new invalid_request(oAuth2Token, "MANDATORY parameter redirect_uri is missing");
                    }
                    try {
                        // the redirect_uri presented now must be a string prefix of the target stored at authorization time
                        if (!StringUtils.startsWith(permission.f0ru, getURL(httpServletRequest.getParameter("redirect_uri")).toString())) {
                            throw new invalid_client(oAuth2Token, "redirect_uri changed");
                        }
                        // PKCE: "plain" compares the verifier verbatim, "S256" compares base64url(SHA-256(verifier)).
                        if (permission.code_challenge != null) {
                            if (StringUtils.isEmpty(httpServletRequest.getParameter("code_verifier"))) {
                                throw new invalid_grant(oAuth2Token, "code_verifier is missing");
                            }
                            if (permission.code_challenge_method.equals(code_challenge_methods.plain) && !StringUtils.equals(permission.code_challenge, httpServletRequest.getParameter("code_verifier"))) {
                                throw new invalid_grant(oAuth2Token, "code_verifier incorrect");
                            }
                            if (permission.code_challenge_method.equals(code_challenge_methods.S256) && !StringUtils.equals(permission.code_challenge, Base64url.encode(MessageDigest.getInstance("SHA-256").digest(httpServletRequest.getParameter("code_verifier").getBytes(StandardCharsets.US_ASCII))))) {
                                throw new invalid_grant(oAuth2Token, "code_verifier incorrect");
                            }
                        }
                    } catch (MalformedURLException e) {
                        throw new invalid_client(oAuth2Token, "redirect_uri is incorrect");
                    }
                } else {
                    // no stored permission in the code-session: build one now (trusted clients only, see the constructor)
                    permission = new Permission(oAuth2Token);
                    permission.a = Long.valueOf(System.currentTimeMillis());
                    if (Authentificate.getToken(httpServletRequest) != null) {
                        permission.appName = Authentificate.getToken(httpServletRequest).getProperty("am.protected.oauth2.client_name", true);
                    }
                }
            } else if (StringUtils.equalsIgnoreCase(httpServletRequest.getParameter("grant_type"), "refresh_token")) {
                refresh_tokenVar = new refresh_token(oAuth2Token, httpServletRequest.getParameter("refresh_token"), getClientId(httpServletRequest));
                permission = refresh_tokenVar.getPermission();
                // refresh_token.replace: either rotate the token's password or destroy it and issue a new one below
                if (CollectionHelper.getBooleanMapAttr(oAuth2Token.options, "ru.org.openam.auth.modules.OAuth2Token.refresh_token.replace", false)) {
                    if (SystemProperties.getAsBoolean("ru.org.openam.oauth.v2.data.refresh_token.password", true)) {
                        refresh_tokenVar.updatePassword();
                    } else {
                        // NOTE(review): r13 is undeclared in this listing; it holds the attributes copied onto the new token's identity near the end
                        r13 = copyAttrNames.isEmpty() ? null : refresh_tokenVar.getIdentity().getAttributes(copyAttrNames);
                        try {
                            refresh_tokenVar.destroy(refresh_token.DestroyReason.ISSUE_NEW, httpServletRequest);
                        } catch (invalid_grant e2) {
                            // best-effort: a failed destroy of the old token does not block issuing the new one
                        }
                        refresh_tokenVar = null;
                    }
                }
            } else if (!StringUtils.equalsIgnoreCase(httpServletRequest.getParameter("grant_type"), "client_credentials")) {
                throw new unsupported_grant_type(oAuth2Token, "unknown grant_type");
            }
            // the client presenting the code / refresh token must be the one the permission was issued to
            if (permission != null && !StringUtils.equals(getClientId(httpServletRequest), permission.aud)) {
                throw new invalid_client(oAuth2Token, "client_id changed");
            }
            client_id client_idVar = new client_id(oAuth2Token, getClientId(httpServletRequest), getClientSecret(httpServletRequest), Boolean.valueOf(!StringUtils.equalsIgnoreCase(httpServletRequest.getParameter("grant_type"), "client_credentials")));
            if (StringUtils.equalsIgnoreCase(httpServletRequest.getParameter("grant_type"), "client_credentials")) {
                httpServletRequest.setAttribute(access_token.class.getName(), new access_token(oAuth2Token.getHttpServletRequest(), client_idVar));
                return null;
            }
            client_idVar.logout();
            permission.appName = client_idVar.getAppName();
            OAuth2Extension extenstion = OAuth2ExtensionHolder.getExtenstion();
            if (extenstion != null) {
                extenstion.enrichPermission(permission, httpServletRequest);
            }
            access_token access_tokenVar = new access_token(oAuth2Token, permission);
            httpServletRequest.setAttribute(access_token.class.getName(), access_tokenVar);
            // a refresh token is only minted for offline access on a real (existing) identity
            if (access_type.offline.equals(permission.act) && refresh_tokenVar == null && permission.getIdentity().isExists()) {
                refresh_tokenVar = new refresh_token(oAuth2Token, permission);
            }
            if (refresh_tokenVar != null) {
                access_tokenVar.refresh_token = refresh_tokenVar.toClient();
                oAuth2Token.setUserSessionProperty("am.protected.oauth2.refresh_token", refresh_tokenVar.getUID());
            }
            // Enforce max_per_app: collect this user's access sessions and refresh tokens (for this app, or all apps
            // when ignore_app is set) and evict the oldest until the limit is met.
            try {
                Integer valueOf = Integer.valueOf(Integer.parseInt(CollectionHelper.getMapAttr(permission.getOAuth2AuthOptions(), "ru.org.openam.auth.modules.OAuth2Auth.max_per_app", "0")));
                if (valueOf.intValue() > 0 && permission.getIdentity().isExists()) {
                    Boolean valueOf2 = Boolean.valueOf(CollectionHelper.getBooleanMapAttr(permission.getOAuth2AuthOptions(), "ru.org.openam.auth.modules.OAuth2Auth.max_per_app.ignore_app", false));
                    Map<com.iplanet.dpro.session.Session, String> accessTokens = OAuth2.getAccessTokens(permission.getIdentity());
                    HashMap hashMap = new HashMap();
                    for (com.iplanet.dpro.session.Session session : accessTokens.keySet()) {
                        try {
                            if (session.getProperty("am.protected.oauth2.accept") != null) {
                                Permission fromString = fromString(session.getProperty("am.protected.oauth2.accept"));
                                if (valueOf2.booleanValue() || StringUtils.equals(fromString.getApplication(), permission.getApplication())) {
                                    hashMap.put(session, fromString.ac);
                                }
                            }
                        } catch (Throwable th) {
                            logger.warn("error get property", th);
                        }
                    }
                    HashMap hashMap2 = new HashMap();
                    // refresh tokens not backing a live access session (and not the one just issued) are eviction candidates
                    for (refresh_token refresh_tokenVar2 : OAuth2.getRefreshTokens(permission.getIdentity())) {
                        if (!refresh_tokenVar2.equals(refresh_tokenVar) && !accessTokens.containsValue(refresh_tokenVar2.getUID())) {
                            try {
                                Permission permission2 = refresh_tokenVar2.getPermission();
                                if (valueOf2.booleanValue() || StringUtils.equals(permission2.getApplication(), permission.getApplication())) {
                                    hashMap2.put(refresh_tokenVar2, permission2.ac);
                                }
                            } catch (Throwable th2) {
                                logger.warn("error get property", th2);
                            }
                        }
                    }
                    if (extenstion != null) {
                        extenstion.cleanupRefreshToken(hashMap2, accessTokens, refresh_tokenVar, access_tokenVar, valueOf, httpServletRequest);
                    }
                    // evict oldest refresh tokens while (candidates + access sessions + the new token) exceed the limit
                    Map<refresh_token, Long> crunchifySortMapRefreshToken = crunchifySortMapRefreshToken(hashMap2, access_tokenVar);
                    while (crunchifySortMapRefreshToken.size() > 0) {
                        if (crunchifySortMapRefreshToken.size() + accessTokens.size() + (refresh_tokenVar != null ? 1 : 0) <= valueOf.intValue()) {
                            break;
                        }
                        refresh_token next = crunchifySortMapRefreshToken.keySet().iterator().next();
                        try {
                            next.destroy(refresh_token.DestroyReason.LIMIT_REACHED, httpServletRequest);
                            crunchifySortMapRefreshToken.remove(next);
                        } catch (Throwable th3) {
                            crunchifySortMapRefreshToken.remove(next);
                            throw th3;
                        }
                        // NOTE(review): refresh_tokenVar may be null here (the limit test above guards it with a ternary),
                        // in which case getUID() below throws.
                        for (Map.Entry entry : new HashMap(accessTokens).entrySet()) {
                            if (StringUtils.equals((CharSequence) entry.getValue(), refresh_tokenVar.getUID())) {
                                try {
                                    OAuth2.destroy((com.iplanet.dpro.session.Session) entry.getKey());
                                    accessTokens.remove(entry.getKey());
                                } catch (Throwable th4) {
                                    accessTokens.remove(entry.getKey());
                                    throw th4;
                                }
                            }
                        }
                    }
                    // evict oldest access sessions (and their linked refresh tokens) while at or above the limit
                    Map<com.iplanet.dpro.session.Session, String> crunchifySortMapSessionRefreshToken = crunchifySortMapSessionRefreshToken(accessTokens, access_tokenVar);
                    while (crunchifySortMapSessionRefreshToken.size() >= valueOf.intValue()) {
                        Map.Entry<com.iplanet.dpro.session.Session, String> next2 = crunchifySortMapSessionRefreshToken.entrySet().iterator().next();
                        // NOTE(review): re-reading iterator().next() returns the same first entry, so the freshly issued
                        // token is not actually skipped here — confirm the intent.
                        if (StringUtils.equals(next2.getKey().getSessionID().toString(), access_tokenVar.access_token)) {
                            next2 = crunchifySortMapSessionRefreshToken.entrySet().iterator().next();
                        }
                        if (next2.getValue() != null) {
                            try {
                                new refresh_token(next2.getValue()).destroy(refresh_token.DestroyReason.LIMIT_REACHED, httpServletRequest);
                            } catch (Throwable th5) {
                                // best-effort: the linked refresh token may already be gone; the session is destroyed regardless
                            }
                        }
                        try {
                            OAuth2.destroy(next2.getKey());
                            crunchifySortMapSessionRefreshToken.remove(next2.getKey());
                        } catch (Throwable th6) {
                            crunchifySortMapSessionRefreshToken.remove(next2.getKey());
                            throw th6;
                        }
                    }
                }
            } catch (NumberFormatException e3) {
                logger.error("error in ru.org.openam.auth.modules.OAuth2Auth.max_per_app {}", permission.getOAuth2AuthOptions(), e3);
            }
            if (permission.getIdentity().isExists()) {
                if (!StringUtils.equalsIgnoreCase(httpServletRequest.getParameter("grant_type"), "client_credentials")) {
                    oAuth2Token.setUserSessionProperty("am.protected.oauth2.uid", permission.getIdentity().getUniversalId());
                }
                // carry the saved attributes (refresh_token.replace path) over to the identity of the new token
                if (r13 != null) {
                    AMIdentity identity = refresh_tokenVar.getIdentity();
                    identity.setAttributes(r13);
                    identity.store();
                }
            }
            // NOTE(review): currentTimeMillis() + 3600 is 3.6 seconds, not an hour — confirm the unit of exp.
            permission.exp = Long.valueOf(System.currentTimeMillis() + 3600);
            // OpenID Connect: activate the user session on the login state and mint an id_token for it
            if (permission.sc != null && permission.sc.contains("openid")) {
                String userDN = oAuth2Token.ls.getUserDN(new AMIdentity((SSOToken) null, permission.getUid(), IdType.USER, oAuth2Token.ls.getOrgDN(), (String) null));
                InternalSession session2 = oAuth2Token.ls.getSession();
                session2.setClientID(permission.getUid());
                session2.setClientDomain(oAuth2Token.ls.getOrgDN());
                session2.putProperty("sun.am.UniversalIdentifier", userDN);
                session2.setMaxCachingTime(oAuth2Token.ls.getCacheTime());
                session2.setMaxIdleTime(oAuth2Token.ls.getIdleTime());
                session2.setMaxSessionTime(oAuth2Token.ls.getMaxSession());
                session2.putProperty("Host", oAuth2Token.ls.getClient());
                session2.setType(SessionType.USER);
                session2.activate(userDN);
                ((AuthenticationSessionStore) InjectorHolder.getInstance(AuthenticationSessionStore.class)).promoteSession(new SessionID(oAuth2Token.getSessionId()));
                access_tokenVar.id_token = OAuth2.convertToken(SSOTokenManager.getInstance().createSSOToken(oAuth2Token.getSessionId()), permission);
            }
            Stat.token(oAuth2Token.getSessionId(), permission);
            // the code-session is single-use: log it out once the token has been issued
            if (oAuth2Token.pre$session != null) {
                oAuth2Token.pre$session.logout();
            }
            // principal name is the SHA-256 hex of the user id (or of the refresh-token UID when one exists)
            return new OAuth2Principal(Hashing.sha256().hashString(refresh_tokenVar == null ? permission.getUid() : refresh_tokenVar.getUID(), StandardCharsets.UTF_8).toString());
        } catch (SessionException e4) {
            throw new invalid_request(oAuth2Token, "Reject second use of authorization code ");
        } catch (IOException e5) {
            throw new invalid_grant(oAuth2Token, "server error: " + e5.toString());
        } catch (error e6) {
            throw e6;
        } catch (Throwable th7) {
            // anything unexpected (including the unguarded null pre$session above) is reported as a bad code
            logger.error("error in {}", Dump.toString(httpServletRequest), th7);
            throw new invalid_request(oAuth2Token, "unsupported authorization code");
        }
    }

    /**
     * Serializes this permission to JSON with the shared {@code mapper}
     * (configured in the static initializer: null fields and null map values
     * are omitted, getters are not auto-detected).
     *
     * @return the JSON text, or null when Jackson cannot serialize the object.
     *         The failure is not logged, so a null here is the only symptom.
     */
    @Override
    public String toString() {
        String json = null;
        try {
            json = mapper.writeValueAsString(this);
        } catch (JsonProcessingException ignored) {
            // deliberate: toString must not throw; null signals the failure to the caller
        }
        return json;
    }

    /**
     * Counterpart of {@link #toString()}: parses JSON text into a Permission
     * with the shared {@code mapper}. That mapper has FAIL_ON_UNKNOWN_PROPERTIES
     * disabled, so keys this class does not declare are dropped silently rather
     * than rejected.
     *
     * @param str JSON text
     * @return the parsed permission
     * @throws IOException if {@code str} is not valid JSON for this type
     */
    public static Permission fromString(String str) throws IOException {
        Permission parsed = mapper.readValue(str, Permission.class);
        return parsed;
    }

    /**
     * Attributes of the realm's {@code sunAMAuthOAuth2AuthService} module instance,
     * loaded lazily into the {@code getOAuth2AuthOptions} field on first use and
     * returned from the field afterwards. An empty field is treated as "not loaded",
     * so a realm whose instance has no attributes is re-read on every call.
     *
     * NOTE(review): the check-then-populate is not synchronized; concurrent first
     * callers may populate the map twice (putAll of the same values).
     *
     * @return the cached attribute map (the field itself, not a copy)
     * @throws RuntimeException when the realm has no OAuth2 auth sub-config, or
     *         the service/SSO lookup fails (cause attached)
     */
    public Map<String, Set<String>> getOAuth2AuthOptions() {
        Map<String, Set<String>> cached = this.getOAuth2AuthOptions;
        if (!cached.isEmpty()) {
            return cached;
        }
        try {
            ServiceConfig svc = AuthD.getAuth().getOrgConfigManager(this.org).getServiceConfig("sunAMAuthOAuth2AuthService");
            Set<String> instances = svc.getSubConfigNames();
            if (instances.isEmpty()) {
                throw new RuntimeException("oauth2auth disabled for " + this.org);
            }
            // NOTE(review): with several module instances in the realm, whichever
            // comes first in set iteration order wins — not a deterministic choice;
            // confirm a single instance is the supported configuration.
            String firstInstance = instances.iterator().next();
            cached.putAll(svc.getSubConfig(firstInstance).getAttributes());
        } catch (SMSException | SSOException e) {
            throw new RuntimeException("getOAuth2AuthOptions", e);
        }
        return cached;
    }

    /**
     * Orders refresh tokens by their Long value. When an OAuth2Extension is
     * installed its ordering is used instead of the default
     * {@link #crunchifySortMap(Map)}; the access token is only passed through
     * to the extension.
     *
     * @param map            refresh tokens keyed to the value they are ordered by
     * @param access_tokenVar access token handed to the extension, unused otherwise
     * @return the ordered map produced by the extension or the default sort
     */
    static <V extends Comparable<? super V>> Map<refresh_token, Long> crunchifySortMapRefreshToken(Map<refresh_token, Long> map, access_token access_tokenVar) {
        OAuth2Extension ext = OAuth2ExtensionHolder.getExtenstion();
        if (ext == null) {
            return crunchifySortMap(map);
        }
        return ext.sortMapRefreshToken(map, access_tokenVar);
    }

    /**
     * Orders sessions by their String value. When an OAuth2Extension is
     * installed its ordering is used instead of the default
     * {@link #crunchifySortMap(Map)}; the access token is only passed through
     * to the extension.
     *
     * @param map            sessions keyed to the value they are ordered by
     * @param access_tokenVar access token handed to the extension, unused otherwise
     * @return the ordered map produced by the extension or the default sort
     */
    static <V extends Comparable<? super V>> Map<com.iplanet.dpro.session.Session, String> crunchifySortMapSessionRefreshToken(Map<com.iplanet.dpro.session.Session, String> map, access_token access_tokenVar) {
        OAuth2Extension ext = OAuth2ExtensionHolder.getExtenstion();
        if (ext == null) {
            return crunchifySortMap(map);
        }
        return ext.sortMapSessionRefreshToken(map, access_tokenVar);
    }

    /* JADX WARN: Multi-variable type inference failed */
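    /**
     * Returns a copy of {@code map} as an insertion-ordered map sorted ascending
     * by value; entries with a null value come first, ties keep their original
     * relative order (stable sort).
     *
     * Fix: the previous comparator returned -1 whenever the LEFT value was null
     * and called {@code compareTo(null)} when only the RIGHT value was null.
     * That breaks the Comparator contract (compare(a,b) and compare(b,a) both -1
     * for two null values), which TimSort may reject with
     * "Comparison method violates its general contract!", and it threw
     * NullPointerException for a null right-hand value. Since this ordering is
     * used to pick among refresh tokens / sessions, a sort failure there is a
     * reliability problem, not a cosmetic one. Nulls are now ordered first
     * consistently; non-null values compare exactly as before.
     *
     * @param map entries to order; not modified
     * @return a new LinkedHashMap with the same entries, ascending by value
     */
    static <K, V extends Comparable<? super V>> Map<K, V> crunchifySortMap(Map<K, V> map) {
        ArrayList<Map.Entry<K, V>> entries = new ArrayList<>(map.entrySet());
        Collections.sort(entries, new Comparator<Map.Entry<K, V>>() {
            @Override
            public int compare(Map.Entry<K, V> a, Map.Entry<K, V> b) {
                V left = a.getValue();
                V right = b.getValue();
                // null-first total order: null == null, null < non-null
                if (left == null) {
                    return right == null ? 0 : -1;
                }
                if (right == null) {
                    return 1;
                }
                return left.compareTo(right);
            }
        });
        Map<K, V> sorted = new LinkedHashMap<>();
        for (Map.Entry<K, V> e : entries) {
            sorted.put(e.getKey(), e.getValue());
        }
        return sorted;
    }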

    static {
        // OAuth2 scope name -> identity-repository attribute it is served from.
        // Several scopes alias the same attribute (e.g. "name" and "profile:name").
        // NOTE(review): the profile:esia:* and profile:documents:* rows map to
        // identity-document fields (series, number, issuer); treat them as
        // sensitive PII and confirm scope/consent gating happens before release.
        String[][] scopeToAttribute = {
            {"mobile:phone", "sunidentitymsisdnnumber"},
            {"phone_number", "sunidentitymsisdnnumber"},
            {"mobile:phone:foris", "destinationIndicator"},
            {"mobile:phone:mnp:region:code", "mnp-region"},
            {"mobile:phone:mnp:operator:code", "mnp-operator"},
            {"mobile:account", "personalaccountnumber"},
            {"mobile:balance", "balance"},
            {"mobile:bonus", "bonus"},
            {"mobile:services", "services"},
            {"mobile:services:data", "h2o"},
            {"mobile:tariff", "businesscategory"},
            {"mobile:tariff:system", "tariff"},
            {"mobile:tariff:id", "tariffid"},
            {"mobile:terminal:id", "tdid"},
            {"profile:name", "displayname"},
            {"profile:name:first", "givenName"},
            {"profile:name:patronym", "initials"},
            {"profile:name:lastname", "sn"},
            {"profile:name:org", "o"},
            {"profile:name:type", "employeetype"},
            {"profile:birthday", "birthday"},
            {"profile:ad", "ad"},
            {"profile:mail", "mail"},
            {"profile:name:org:private", "is-private-org"},
            {"profile:lbsv:serverid", "lbsv-ServerID"},
            {"profile:lbsv:userid", "lbsv-SubscriberID"},
            {"profile:lbsv:account", "lbsv-AccountNumber"},
            {"profile:google:id", "googleid"},
            {"profile:description", "description"},
            {"profile:avatar", "avatar"},
            {"profile:esia:doc_vrfstu", "doc_vrfStu"},
            {"profile:esia:lastname", "lastName"},
            {"profile:esia:firstname", "firstName"},
            {"profile:esia:middlename", "middleName"},
            {"profile:esia:doc_number", "doc_number"},
            {"profile:esia:doc_series", "doc_series"},
            {"profile:esia:doc_issuedby", "doc_issuedBy"},
            {"profile:esia:doc_issuedate", "doc_issueDate"},
            {"profile:esia:doc_issueid", "doc_issueId"},
            {"profile:documents:type:code", "idDocTypeCode"},
            {"profile:documents:type:name", "idDocTypeName"},
            {"profile:documents:number", "idDocNumber"},
            {"profile:documents:series", "idDocSeries"},
            {"profile:documents:issuer:date", "idDocIssueDate"},
            {"profile:documents:issuer", "idDocIssuer"},
            {"profile:documents:issuer:code", "idDocIssuerCode"},
            {"profile:documents:issuer:note", "idDocNote"},
            {"profile:documents:source", "idDocSource"},
            {"profile:documents:status", "idDocStatus"},
            {"name", "displayname"},
            {"given_name", "givenName"},
            {"family_name", "sn"},
            {"address", "address"},
            {"birthday", "birthday"},
        };
        for (String[] pair : scopeToAttribute) {
            scope2repo.put(pair[0], pair[1]);
        }

        // Scopes whose backing attribute may be edited (by name; the write path
        // that consults this set lives elsewhere in the class).
        allow_edit = new HashSet<>();
        Collections.addAll(allow_edit, "profile:description", "profile:avatar");

        // HK2 wiring: the scope provider and identity/application mapper are
        // resolved once from the DependencyBinder-backed locator.
        serviceLocator = ServiceLocatorUtilities.bind(new Binder[]{new DependencyBinder()});
        scopeProvider = (ScopeProvider) serviceLocator.getService(ScopeProvider.class, new Annotation[0]);
        identityAppMapper = (IdentityApplicationMapper) serviceLocator.getService(IdentityApplicationMapper.class, new Annotation[0]);

        // Comma-separated list read from the system property
        // "<this package>.copy-attr-names".
        String copyAttrProperty = Permission.class.getPackage().getName() + ".copy-attr-names";
        copyAttrNames = SystemProperties.getAsSet(copyAttrProperty, ",");

        acListener = new access_token_SSOTokenListener();

        // Shared Jackson mapper for toString()/fromString():
        //  - unknown JSON properties are ignored rather than rejected on read;
        //  - null fields and null map values are omitted on write;
        //  - getters are not auto-detected, so only explicitly exposed
        //    properties are serialized.
        ObjectMapper jsonMapper = new ObjectMapper();
        jsonMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        jsonMapper.setSerializationInclusion(JsonInclude.Include.NON_NULL);
        jsonMapper.configure(MapperFeature.AUTO_DETECT_GETTERS, false);
        jsonMapper.configure(SerializationFeature.WRITE_NULL_MAP_VALUES, false);
        mapper = jsonMapper;
    }
}
