package io.jans.as.server.bcauthorize.ws.rs;

import io.jans.as.client.JwkClient;
import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.service.common.UserService;
import io.jans.as.model.ciba.BackchannelAuthenticationErrorResponseType;
import io.jans.as.model.common.BackchannelTokenDeliveryMode;
import io.jans.as.model.common.ComponentType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.crypto.signature.AlgorithmFamily;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.error.DefaultErrorResponse;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.exception.InvalidClaimException;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.jws.ECDSASigner;
import io.jans.as.model.jws.RSASigner;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.server.audit.ApplicationAuditLogger;
import io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceValidator;
import io.jans.as.server.ciba.CIBAAuthorizeParamsValidatorService;
import io.jans.as.server.ciba.CIBAEndUserNotificationService;
import io.jans.as.server.model.audit.Action;
import io.jans.as.server.model.audit.OAuth2AuditLog;
import io.jans.as.server.model.authorize.JwtAuthorizationRequest;
import io.jans.as.server.model.authorize.ScopeChecker;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.AuthorizationGrantList;
import io.jans.as.server.model.common.CibaRequestCacheControl;
import io.jans.as.server.model.session.SessionClient;
import io.jans.as.server.security.Identity;
import io.jans.as.server.service.ciba.CibaRequestService;
import io.jans.as.server.util.ServerUtil;
import io.jans.util.StringHelper;
import jakarta.inject.Inject;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.SecurityContext;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.logging.log4j.util.Strings;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;

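@Path("/")
/* loaded from: input_file:io/jans/as/server/bcauthorize/ws/rs/BackchannelAuthorizeRestWebServiceImpl.class */
/**
 * JAX-RS implementation of the CIBA backchannel authentication endpoint.
 *
 * <p>The request is authenticated through the client bound to the current session ({@link Identity}), the
 * end user is resolved from {@code login_hint}, {@code id_token_hint} or {@code login_hint_token}, the
 * parameters are validated, and on success a {@link CibaRequestCacheControl} is persisted and the end user
 * is notified on the device registered for them. Every failure path returns a CIBA error body; the audit
 * message is only sent on the success path.
 */
public class BackchannelAuthorizeRestWebServiceImpl implements BackchannelAuthorizeRestWebService {

    /** User attribute holding the user code that the parameter validator compares against {@code user_code}. */
    private static final String USER_CODE_ATTRIBUTE = "jansBackchannelUsrCode";

    /** User attribute holding the device registration token the end-user notification is delivered to. */
    private static final String DEVICE_REGISTRATION_TOKEN_ATTRIBUTE = "jansBackchannelDeviceRegistrationTkn";

    /** Claim of the {@code login_hint_token} that carries the subject descriptor object. */
    private static final String SUBJECT_CLAIM = "subject";

    /** Key inside the subject descriptor naming which other key identifies the user. */
    private static final String SUBJECT_TYPE_CLAIM = "subject_type";

    @Inject
    private Logger log;

    @Inject
    private Identity identity;

    @Inject
    private UserService userService;

    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private ScopeChecker scopeChecker;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private CIBAAuthorizeParamsValidatorService cibaAuthorizeParamsValidatorService;

    @Inject
    private CIBAEndUserNotificationService cibaEndUserNotificationService;

    @Inject
    private CibaRequestService cibaRequestService;

    @Inject
    private AbstractCryptoProvider cryptoProvider;

    @Inject
    private AuthorizeRestWebServiceValidator authorizeRestWebServiceValidator;

    /**
     * Handles a CIBA backchannel authentication request.
     *
     * <p>Parameter names follow their CIBA form-parameter counterparts. When a signed request object is supplied
     * ({@code request} / {@code requestUri}), the values it carries take precedence over the bare form values.
     *
     * @param clientId                client_id (used for the audit log only; the client itself comes from the session)
     * @param scope                   URL-encoded scope list
     * @param clientNotificationToken bearer token the client expects on the ping/push callback
     * @param acrValues               requested ACR values
     * @param loginHintToken          signed JWT identifying the end user
     * @param idTokenHint             previously issued ID token identifying the end user
     * @param loginHint               plain identifier resolved against the configured login-hint claims
     * @param bindingMessage          message shown to the end user
     * @param userCodeParam           user code supplied by the client
     * @param requestedExpiry         requested lifetime of the auth_req_id, in seconds
     * @param request                 request object (JWT) by value
     * @param requestUri              request object by reference
     * @param httpRequest             servlet request, used for the audit log's IP address
     * @param httpResponse            servlet response (unused here)
     * @param securityContext         JAX-RS security context, logged for the isSecure flag
     * @return 200 with {@code auth_req_id}, {@code expires_in} and (for non-PUSH clients) {@code interval};
     *         401 for an unknown client or a user without a registered device; 400 otherwise
     * @throws WebApplicationException with a 400 INVALID_REQUEST body when the request object cannot be processed
     */
    @Override // io.jans.as.server.bcauthorize.ws.rs.BackchannelAuthorizeRestWebService
    public Response requestBackchannelAuthorizationPost(String clientId, String scope, String clientNotificationToken, String acrValues, String loginHintToken, String idTokenHint, String loginHint, String bindingMessage, String userCodeParam, Integer requestedExpiry, String request, String requestUri, HttpServletRequest httpRequest, HttpServletResponse httpResponse, SecurityContext securityContext) {
        String decodedScope = ServerUtil.urlDecode(scope);
        OAuth2AuditLog auditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpRequest), Action.BACKCHANNEL_AUTHENTICATION);
        auditLog.setClientId(clientId);
        auditLog.setScope(decodedScope);
        // NOTE(review): this debug line writes client_notification_token, id_token_hint, login_hint_token and the
        // request object verbatim; client_notification_token is a bearer credential for the ping/push callback,
        // so debug logging on this endpoint should be treated as sensitive output.
        log.debug("Attempting to request backchannel authorization: clientId = {}, scope = {}, clientNotificationToken = {}, acrValues = {}, loginHintToken = {}, idTokenHint = {}, loginHint = {}, bindingMessage = {}, userCodeParam = {}, requestedExpiry = {}, request= {}", clientId, decodedScope, clientNotificationToken, acrValues, loginHintToken, idTokenHint, loginHint, bindingMessage, userCodeParam, requestedExpiry, request);
        log.debug("Attempting to request backchannel authorization: isSecure = {}", securityContext.isSecure());
        errorResponseFactory.validateComponentEnabled(ComponentType.CIBA);

        // The client is whatever authenticated the session; the client_id form value is never trusted on its own.
        SessionClient sessionClient = identity.getSessionClient();
        Client client = sessionClient != null ? sessionClient.getClient() : null;
        if (client == null) {
            return errorResponse(Response.Status.UNAUTHORIZED, BackchannelAuthenticationErrorResponseType.INVALID_CLIENT);
        }
        if (!cibaRequestService.hasCibaCompatibility(client)) {
            return errorResponse(Response.Status.BAD_REQUEST, BackchannelAuthenticationErrorResponseType.INVALID_REQUEST);
        }

        List<String> scopes = new ArrayList<>();
        if (StringHelper.isNotEmpty(decodedScope)) {
            scopes.addAll(scopeChecker.checkScopesPolicy(client, decodedScope));
        }

        JwtAuthorizationRequest jwtRequest = null;
        if (StringUtils.isNotBlank(request) || StringUtils.isNotBlank(requestUri)) {
            jwtRequest = JwtAuthorizationRequest.createJwtRequest(request, requestUri, client, null, cryptoProvider, appConfiguration);
            if (jwtRequest == null) {
                log.error("The JWT couldn't be processed");
                throw new WebApplicationException(errorResponse(Response.Status.BAD_REQUEST, BackchannelAuthenticationErrorResponseType.INVALID_REQUEST));
            }
            authorizeRestWebServiceValidator.validateCibaRequestObject(jwtRequest, client.getClientId());
            if (!jwtRequest.getScopes().isEmpty()) {
                scopes.addAll(scopeChecker.checkScopesPolicy(client, jwtRequest.getScopes()));
            }
            // Values carried in the (validated) request object win over the bare form parameters.
            clientNotificationToken = firstNonBlank(jwtRequest.getClientNotificationToken(), clientNotificationToken);
            acrValues = firstNonBlank(jwtRequest.getAcrValues(), acrValues);
            loginHintToken = firstNonBlank(jwtRequest.getLoginHintToken(), loginHintToken);
            idTokenHint = firstNonBlank(jwtRequest.getIdTokenHint(), idTokenHint);
            loginHint = firstNonBlank(jwtRequest.getLoginHint(), loginHint);
            bindingMessage = firstNonBlank(jwtRequest.getBindingMessage(), bindingMessage);
            userCodeParam = firstNonBlank(jwtRequest.getUserCode(), userCodeParam);
            if (jwtRequest.getRequestedExpiry() != null) {
                requestedExpiry = jwtRequest.getRequestedExpiry();
            } else if (jwtRequest.getExp() != null) {
                // Derive the lifetime from the request object's exp; a negative value is left to validateParams.
                requestedExpiry = Math.toIntExact(jwtRequest.getExp().intValue() - (System.currentTimeMillis() / 1000));
            }
        }

        // FAPI profiles require the parameters to arrive inside a signed request object.
        if (appConfiguration.isFapi() && jwtRequest == null) {
            return errorResponse(Response.Status.BAD_REQUEST, BackchannelAuthenticationErrorResponseType.INVALID_REQUEST);
        }

        User user = null;
        try {
            user = resolveEndUser(client, loginHint, idTokenHint, loginHintToken);
        } catch (InvalidJwtException | JSONException e) {
            // A malformed hint token is reported to the client only as "unknown user"; details stay in the log.
            log.error(e.getMessage(), e);
        }
        if (user == null) {
            return errorResponse(Response.Status.BAD_REQUEST, BackchannelAuthenticationErrorResponseType.UNKNOWN_USER_ID);
        }

        DefaultErrorResponse validationError;
        try {
            validationError = cibaAuthorizeParamsValidatorService.validateParams(scopes, clientNotificationToken, client.getBackchannelTokenDeliveryMode(), loginHintToken, idTokenHint, loginHint, bindingMessage, client.getBackchannelUserCodeParameter(), userCodeParam, (String) user.getAttribute(USER_CODE_ATTRIBUTE, true, false), requestedExpiry);
        } catch (InvalidClaimException | JSONException e) {
            log.error(e.getMessage(), e);
            // Fail closed: a validator exception must not fall through into request creation and end-user notification.
            return errorResponse(Response.Status.BAD_REQUEST, BackchannelAuthenticationErrorResponseType.INVALID_REQUEST);
        }
        if (validationError != null) {
            return Response.status(validationError.getStatus())
                    .entity(errorResponseFactory.errorAsJson(validationError.getType(), validationError.getReason()))
                    .build();
        }

        String deviceRegistrationToken = (String) user.getAttribute(DEVICE_REGISTRATION_TOKEN_ATTRIBUTE, true, false);
        if (deviceRegistrationToken == null) {
            return errorResponse(Response.Status.UNAUTHORIZED, BackchannelAuthenticationErrorResponseType.UNAUTHORIZED_END_USER_DEVICE);
        }

        int expiresIn = requestedExpiry != null ? requestedExpiry.intValue() : appConfiguration.getBackchannelAuthenticationResponseExpiresIn();
        // PUSH clients never poll, so no interval is advertised to them.
        Integer interval = client.getBackchannelTokenDeliveryMode() == BackchannelTokenDeliveryMode.PUSH
                ? null
                : Integer.valueOf(appConfiguration.getBackchannelAuthenticationResponseInterval());

        CibaRequestCacheControl cibaRequest = new CibaRequestCacheControl(user, client, expiresIn, scopes, clientNotificationToken, bindingMessage, System.currentTimeMillis(), acrValues);
        cibaRequestService.save(cibaRequest, expiresIn);
        String authReqId = cibaRequest.getAuthReqId();
        cibaEndUserNotificationService.notifyEndUser(cibaRequest.getScopesAsString(), cibaRequest.getAcrValues(), authReqId, deviceRegistrationToken);

        Response.ResponseBuilder builder = Response.ok();
        builder.entity(getJSONObject(authReqId, expiresIn, interval).toString(4).replace("\\/", "/"));
        builder.type(MediaType.APPLICATION_JSON_TYPE);
        builder.cacheControl(ServerUtil.cacheControl(true, false));
        applicationAuditLogger.sendMessage(auditLog);
        return builder.build();
    }

    /**
     * Resolves the end user from the supplied hints.
     *
     * <p>Precedence mirrors the endpoint contract: {@code login_hint} is tried first, otherwise {@code id_token_hint};
     * a present {@code login_hint_token} is then evaluated and replaces whatever the earlier hints produced.
     *
     * @return the resolved user, or {@code null} when no hint identified a user or the {@code login_hint_token}
     *         failed validation (the caller maps {@code null} to UNKNOWN_USER_ID)
     * @throws InvalidJwtException when the login_hint_token cannot be parsed
     * @throws JSONException       when the subject descriptor is not shaped as expected
     */
    private User resolveEndUser(Client client, String loginHint, String idTokenHint, String loginHintToken) throws InvalidJwtException, JSONException {
        User user = null;
        if (StringUtils.isNotBlank(loginHint)) {
            user = userService.getUniqueUserByAttributes(appConfiguration.getBackchannelLoginHintClaims(), loginHint);
        } else if (StringUtils.isNotBlank(idTokenHint)) {
            // NOTE(review): the grant found by id_token_hint is not checked here against the requesting client;
            // confirm the lookup or validateParams enforces that binding.
            AuthorizationGrant grant = authorizationGrantList.getAuthorizationGrantByIdToken(idTokenHint);
            if (grant == null) {
                return null;
            }
            user = grant.getUser();
        }
        if (StringUtils.isNotBlank(loginHintToken)) {
            user = resolveUserFromLoginHintToken(client, loginHintToken);
        }
        return user;
    }

    /**
     * Verifies a {@code login_hint_token} against the client's published JWKS and resolves the user it names.
     *
     * <p>Only RSA and EC signatures are accepted; any other algorithm family (including an unsigned token) is
     * rejected. The subject descriptor must carry {@code subject_type} and a key of that name whose value is
     * matched against the configured login-hint claims.
     *
     * @return the matching user, or {@code null} when the header, signature or subject descriptor is unacceptable
     * @throws InvalidJwtException when the token cannot be parsed
     * @throws JSONException       when a descriptor value is not a string
     */
    private User resolveUserFromLoginHintToken(Client client, String loginHintToken) throws InvalidJwtException, JSONException {
        Jwt jwt = Jwt.parse(loginHintToken);
        SignatureAlgorithm algorithm = jwt.getHeader().getSignatureAlgorithm();
        String keyId = jwt.getHeader().getKeyId();
        if (algorithm == null || StringUtils.isBlank(keyId)) {
            return null;
        }
        // Stays false for every family other than RSA/EC, which rejects the token.
        boolean validSignature = false;
        if (algorithm.getFamily() == AlgorithmFamily.RSA) {
            validSignature = new RSASigner(algorithm, JwkClient.getRSAPublicKey(client.getJwksUri(), keyId)).validate(jwt);
        } else if (algorithm.getFamily() == AlgorithmFamily.EC) {
            validSignature = new ECDSASigner(algorithm, JwkClient.getECDSAPublicKey(client.getJwksUri(), keyId)).validate(jwt);
        }
        if (!validSignature) {
            return null;
        }
        // NOTE(review): expiry and audience of the login_hint_token are not checked in this method; confirm
        // validateParams (which also receives the token) covers them.
        JSONObject subject = jwt.getClaims().getClaimAsJSON(SUBJECT_CLAIM);
        if (subject == null || !subject.has(SUBJECT_TYPE_CLAIM)) {
            return null;
        }
        String subjectType = subject.getString(SUBJECT_TYPE_CLAIM);
        if (!subject.has(subjectType)) {
            return null;
        }
        return userService.getUniqueUserByAttributes(appConfiguration.getBackchannelLoginHintClaims(), subject.getString(subjectType));
    }

    /**
     * Builds an error response with the given HTTP status and the CIBA error body for {@code errorType}.
     */
    private Response errorResponse(Response.Status status, BackchannelAuthenticationErrorResponseType errorType) {
        return Response.status(status.getStatusCode())
                .entity(errorResponseFactory.getErrorAsJson(errorType))
                .build();
    }

    /**
     * Returns {@code preferred} when it is non-blank, otherwise {@code fallback}.
     */
    private static String firstNonBlank(String preferred, String fallback) {
        return StringUtils.isNotBlank(preferred) ? preferred : fallback;
    }

    /**
     * Builds the success body of the backchannel authentication response.
     *
     * @param authReqId identifier of the pending request
     * @param expiresIn lifetime of {@code authReqId} in seconds
     * @param interval  minimum polling interval in seconds, or {@code null} to omit the field (PUSH mode)
     * @return JSON object with {@code auth_req_id}, {@code expires_in} and optionally {@code interval}
     * @throws JSONException if a value cannot be stored
     */
    private JSONObject getJSONObject(String authReqId, int expiresIn, Integer interval) throws JSONException {
        JSONObject body = new JSONObject();
        body.put("auth_req_id", authReqId);
        body.put("expires_in", expiresIn);
        if (interval != null) {
            body.put("interval", interval);
        }
        return body;
    }
}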
