package io.jans.as.server.authorize.ws.rs;

import io.jans.as.common.model.registration.Client;
import io.jans.as.common.model.session.SessionId;
import io.jans.as.common.model.session.SessionIdState;
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.common.Prompt;
import io.jans.as.model.common.SubjectType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.util.Base64Util;
import io.jans.as.model.util.JwtUtil;
import io.jans.as.model.util.Util;
import io.jans.as.persistence.model.ClientAuthorization;
import io.jans.as.persistence.model.Scope;
import io.jans.as.server.auth.Authenticator;
import io.jans.as.server.i18n.LanguageBean;
import io.jans.as.server.model.auth.AuthenticationMode;
import io.jans.as.server.model.authorize.Claim;
import io.jans.as.server.model.authorize.JwtAuthorizationRequest;
import io.jans.as.server.model.authorize.ScopeChecker;
import io.jans.as.server.model.common.CibaRequestCacheControl;
import io.jans.as.server.model.common.DefaultScope;
import io.jans.as.server.model.config.Constants;
import io.jans.as.server.model.exception.AcrChangedException;
import io.jans.as.server.security.Identity;
import io.jans.as.server.service.AuthenticationService;
import io.jans.as.server.service.AuthorizeService;
import io.jans.as.server.service.ClientAuthorizationsService;
import io.jans.as.server.service.ClientService;
import io.jans.as.server.service.CookieService;
import io.jans.as.server.service.DeviceAuthorizationService;
import io.jans.as.server.service.ErrorHandlerService;
import io.jans.as.server.service.RedirectionUriService;
import io.jans.as.server.service.RequestParameterService;
import io.jans.as.server.service.SessionIdService;
import io.jans.as.server.service.ciba.CibaRequestService;
import io.jans.as.server.service.external.ExternalAuthenticationService;
import io.jans.as.server.service.external.ExternalConsentGatheringService;
import io.jans.as.server.service.external.ExternalPostAuthnService;
import io.jans.as.server.service.external.context.ExternalPostAuthnContext;
import io.jans.jsf2.message.FacesMessages;
import io.jans.jsf2.service.FacesService;
import io.jans.model.AuthenticationScriptUsageType;
import io.jans.model.custom.script.conf.CustomScriptConfiguration;
import io.jans.orm.exception.EntryPersistenceException;
import io.jans.service.net.NetworkService;
import io.jans.util.StringHelper;
import io.jans.util.ilocale.LocaleUtil;
import jakarta.enterprise.context.RequestScoped;
import jakarta.faces.context.ExternalContext;
import jakarta.faces.context.FacesContext;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.client.ClientBuilder;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.text.StringEscapeUtils;
import org.apache.logging.log4j.util.Strings;
import org.slf4j.Logger;

@Named
@RequestScoped
/* loaded from: input_file:io/jans/as/server/authorize/ws/rs/AuthorizeAction.class */
public class AuthorizeAction {

    @Inject
    private Logger log;

    @Inject
    private ClientService clientService;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private RedirectionUriService redirectionUriService;

    @Inject
    private ClientAuthorizationsService clientAuthorizationsService;

    @Inject
    private ExternalAuthenticationService externalAuthenticationService;

    @Inject
    private ExternalConsentGatheringService externalConsentGatheringService;

    @Inject
    private AuthenticationMode defaultAuthenticationMode;

    @Inject
    private LanguageBean languageBean;

    @Inject
    private NetworkService networkService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private FacesService facesService;

    @Inject
    private FacesMessages facesMessages;

    @Inject
    private FacesContext facesContext;

    @Inject
    private ExternalContext externalContext;

    @Inject
    private ConsentGathererService consentGatherer;

    @Inject
    private AuthorizeService authorizeService;

    @Inject
    private RequestParameterService requestParameterService;

    @Inject
    private ScopeChecker scopeChecker;

    @Inject
    private ErrorHandlerService errorHandlerService;

    @Inject
    private AbstractCryptoProvider cryptoProvider;

    @Inject
    private CookieService cookieService;

    @Inject
    private Authenticator authenticator;

    @Inject
    private AuthenticationService authenticationService;

    @Inject
    private ExternalPostAuthnService externalPostAuthnService;

    @Inject
    private CibaRequestService cibaRequestService;

    @Inject
    private Identity identity;

    @Inject
    private AuthorizeRestWebServiceValidator authorizeRestWebServiceValidator;
    private String scope;
    private String responseType;
    private String clientId;
    private String redirectUri;
    private String state;
    private String responseMode;
    private String nonce;
    private String display;
    private String prompt;
    private Integer maxAge;
    private String uiLocales;
    private String idTokenHint;
    private String loginHint;
    private String acrValues;
    private String amrValues;
    private String request;
    private String requestUri;
    private String codeChallenge;
    private String codeChallengeMethod;
    private String claims;
    private String authReqId;
    private String sessionId;
    private String allowedScope;

    public void checkUiLocales() {
        if (StringUtils.isNotBlank(this.uiLocales)) {
            Locale localeMatch = LocaleUtil.localeMatch(Util.splittedStringAsList(this.uiLocales, " "), this.languageBean.getSupportedLocales());
            if (localeMatch != null) {
                this.languageBean.setLocale(localeMatch);
                return;
            }
            return;
        }
        Locale requestLocale = this.facesContext.getExternalContext().getRequestLocale();
        if (requestLocale != null) {
            this.languageBean.setLocale(requestLocale);
            return;
        }
        Locale defaultLocale = this.facesContext.getApplication().getDefaultLocale();
        if (defaultLocale != null) {
            this.languageBean.setLocale(defaultLocale);
        }
    }

    public void checkPermissionGranted() {
        try {
            checkPermissionGrantedInternal();
        } catch (Exception e) {
            this.log.error("Failed to perform checkPermissionGranted()", e);
            permissionDenied();
        }
    }

    public void checkPermissionGrantedInternal() throws IOException {
        if (this.clientId == null || this.clientId.isEmpty()) {
            this.log.debug("Permission denied. client_id should be not empty.");
            permissionDenied();
            return;
        }
        try {
            Client client = this.clientService.getClient(this.clientId);
            if (client == null) {
                this.log.debug("Permission denied. Failed to find client_id '{}' in LDAP.", this.clientId);
                permissionDenied();
                return;
            }
            Set<String> checkScopesPolicy = this.scopeChecker.checkScopesPolicy(client, this.scope);
            this.allowedScope = io.jans.as.model.util.StringUtils.implode(checkScopesPolicy, " ");
            SessionId session = getSession();
            List<Prompt> fromString = Prompt.fromString(this.prompt, " ");
            try {
                this.redirectUri = this.authorizeRestWebServiceValidator.validateRedirectUri(client, this.redirectUri, this.state, session != null ? (String) session.getSessionAttributes().get(DeviceAuthorizationService.SESSION_USER_CODE) : null, (HttpServletRequest) this.externalContext.getRequest());
                try {
                    session = this.sessionIdService.assertAuthenticatedSessionCorrespondsToNewRequest(session, this.acrValues);
                } catch (AcrChangedException e) {
                    this.log.debug("There is already existing session which has another acr then {}, session: {}", this.acrValues, session.getId());
                    if (!e.isForceReAuthentication()) {
                        this.log.error("ACR is changed, please provide a supported and enabled acr value");
                        permissionDenied();
                        return;
                    }
                    session = handleAcrChange(session, fromString);
                }
                if (session != null && !StringUtils.isBlank(session.getUserDn()) && SessionIdState.AUTHENTICATED == session.getState()) {
                    if (StringUtils.isBlank((String) session.getSessionAttributes().get(DeviceAuthorizationService.SESSION_USER_CODE)) && StringUtils.isBlank(this.redirectionUriService.validateRedirectionUri(this.clientId, this.redirectUri))) {
                        ExternalContext externalContext = this.facesContext.getExternalContext();
                        externalContext.setResponseStatus(400);
                        externalContext.setResponseContentType("application/json");
                        externalContext.getResponseOutputWriter().write(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST_REDIRECT_URI, this.state, ""));
                        this.facesContext.responseComplete();
                    }
                    if (this.log.isTraceEnabled()) {
                        this.log.trace("checkPermissionGranted, userDn = " + session.getUserDn());
                    }
                    if (fromString.contains(Prompt.SELECT_ACCOUNT)) {
                        this.facesService.redirect("/selectAccount.xhtml", this.requestParameterService.getAllowedParameters(this.externalContext.getRequestParameterMap()));
                        return;
                    }
                    if (fromString.contains(Prompt.NONE) && fromString.size() > 1) {
                        invalidRequest();
                        return;
                    }
                    AuthzRequest authzRequest = new AuthzRequest();
                    authzRequest.setHttpRequest((HttpServletRequest) this.externalContext.getRequest());
                    authzRequest.setHttpResponse((HttpServletResponse) this.externalContext.getResponse());
                    authzRequest.setClient(client);
                    authzRequest.setSessionId(this.sessionId);
                    boolean externalForceAuthorization = this.externalPostAuthnService.externalForceAuthorization(client, new ExternalPostAuthnContext(client, session, authzRequest, fromString));
                    if (!fromString.contains(Prompt.CONSENT) && !externalForceAuthorization) {
                        boolean z = BooleanUtils.isTrue(this.appConfiguration.getTrustedClientEnabled()) && client.getTrustedClient();
                        boolean z2 = BooleanUtils.isTrue(this.appConfiguration.getSkipAuthorizationForOpenIdScopeAndPairwiseId()) && SubjectType.PAIRWISE.equals(client.getSubjectType()) && hasOnlyOpenidScope();
                        boolean z3 = client.getSubjectType() == SubjectType.PAIRWISE && checkScopesPolicy.size() == 1 && checkScopesPolicy.contains(DefaultScope.OPEN_ID.toString()) && this.scope.equals(DefaultScope.OPEN_ID.toString()) && this.claims == null && this.request == null;
                        if (z || z2 || z3) {
                            permissionGranted(session);
                            return;
                        }
                        ClientAuthorization find = this.clientAuthorizationsService.find(this.sessionIdService.getUser(session).getAttribute("inum"), client.getClientId());
                        if (find != null && find.getScopes() != null && Arrays.asList(find.getScopes()).containsAll(io.jans.as.model.util.StringUtils.spaceSeparatedToList(this.scope))) {
                            permissionGranted(session);
                            return;
                        }
                    }
                    if (this.externalConsentGatheringService.isEnabled()) {
                        if (this.consentGatherer.isConsentGathered()) {
                            this.log.trace("Consent-gathered flow passed successfully");
                            permissionGranted(session);
                            return;
                        }
                        this.log.trace("Starting external consent-gathering flow");
                        if (this.consentGatherer.configure(session.getUserDn(), this.clientId, this.state)) {
                            return;
                        }
                        this.log.error("Failed to initialize external consent-gathering flow.");
                        permissionDenied();
                        return;
                    }
                    return;
                }
                Map<String, String> allowedParameters = this.requestParameterService.getAllowedParameters(this.externalContext.getRequestParameterMap());
                String str = "/login.xhtml";
                allowedParameters.put("acr", "simple_password_auth");
                List<String> acrValuesList = this.sessionIdService.acrValuesList(this.acrValues);
                boolean isEnabled = this.externalAuthenticationService.isEnabled(AuthenticationScriptUsageType.INTERACTIVE);
                boolean shouldSkipScript = shouldSkipScript(acrValuesList);
                if (isEnabled && !shouldSkipScript) {
                    if (acrValuesList.isEmpty()) {
                        acrValuesList = Arrays.asList(this.defaultAuthenticationMode.getName());
                    }
                    CustomScriptConfiguration determineCustomScriptConfiguration = this.externalAuthenticationService.determineCustomScriptConfiguration(AuthenticationScriptUsageType.INTERACTIVE, acrValuesList);
                    if (determineCustomScriptConfiguration == null) {
                        this.log.error("Failed to get CustomScriptConfiguration. auth_step: {}, acr_values: {}", 1, this.acrValues);
                        permissionDenied();
                        return;
                    }
                    allowedParameters.put("acr", determineCustomScriptConfiguration.getName());
                    allowedParameters.put("auth_step", Integer.toString(1));
                    String executeExternalGetPageForStep = this.externalAuthenticationService.executeExternalGetPageForStep(determineCustomScriptConfiguration, 1);
                    if (StringHelper.isNotEmpty(executeExternalGetPageForStep)) {
                        this.log.trace("Redirect to person authentication login page: {}", executeExternalGetPageForStep);
                        str = executeExternalGetPageForStep;
                    }
                }
                allowedParameters.put(Constants.REMOTE_IP, this.networkService.getRemoteIp());
                if (session != null && session.getSessionAttributes().containsKey(DeviceAuthorizationService.SESSION_USER_CODE)) {
                    allowedParameters.put(DeviceAuthorizationService.SESSION_USER_CODE, (String) session.getSessionAttributes().get(DeviceAuthorizationService.SESSION_USER_CODE));
                }
                SessionId generateUnauthenticatedSessionId = this.sessionIdService.generateUnauthenticatedSessionId(null, new Date(), SessionIdState.UNAUTHENTICATED, allowedParameters, false);
                generateUnauthenticatedSessionId.setSessionAttributes(allowedParameters);
                generateUnauthenticatedSessionId.addPermission(this.clientId, false);
                if (this.appConfiguration.getKeepAuthenticatorAttributesOnAcrChange().booleanValue()) {
                    this.authenticationService.copyAuthenticatorExternalAttributes(session, generateUnauthenticatedSessionId);
                }
                if (session != null && session.getPermissionGrantedMap() != null && session.getPermissionGrantedMap().getPermissionGranted() != null) {
                    for (Map.Entry entry : session.getPermissionGrantedMap().getPermissionGranted().entrySet()) {
                        generateUnauthenticatedSessionId.addPermission((String) entry.getKey(), (Boolean) entry.getValue());
                    }
                    this.sessionIdService.remove(session);
                }
                if (this.sessionIdService.persistSessionId(generateUnauthenticatedSessionId, !fromString.contains(Prompt.NONE)) && this.log.isTraceEnabled()) {
                    this.log.trace("Session '{}' persisted to LDAP", generateUnauthenticatedSessionId.getId());
                }
                this.sessionId = generateUnauthenticatedSessionId.getId();
                this.cookieService.createSessionIdCookie(generateUnauthenticatedSessionId, false);
                this.cookieService.creatRpOriginIdCookie(this.redirectUri);
                this.identity.setSessionId(generateUnauthenticatedSessionId);
                HashMap hashMap = new HashMap();
                if (allowedParameters.containsKey("login_hint")) {
                    hashMap.put("login_hint", allowedParameters.get("login_hint"));
                }
                if (StringHelper.toBoolean(System.getProperty("gluu.enable-redirect", "false"), false) || !str.toLowerCase().endsWith("xhtml")) {
                    this.facesService.redirectWithExternal(str, hashMap);
                } else if (str.toLowerCase().endsWith("postlogin.xhtml")) {
                    this.authenticator.authenticateWithOutcome();
                } else {
                    this.authenticator.prepareAuthenticationForStep(generateUnauthenticatedSessionId);
                    this.facesService.renderView(str);
                }
            } catch (WebApplicationException e2) {
                this.log.error(e2.getMessage(), e2);
                permissionDenied();
            }
        } catch (EntryPersistenceException e3) {
            this.log.debug("Permission denied. Failed to find client by inum '{}' in LDAP.", this.clientId, e3);
            permissionDenied();
        }
    }

    public boolean shouldSkipScript(List<String> list) {
        if (list.size() == 1 && list.contains("simple_password_auth")) {
            return true;
        }
        return list.isEmpty() && org.apache.commons.lang.BooleanUtils.isFalse(this.appConfiguration.getUseHighestLevelScriptIfAcrScriptNotFound()) && "simple_password_auth".equalsIgnoreCase(this.defaultAuthenticationMode.getName());
    }

    private SessionId handleAcrChange(SessionId sessionId, List<Prompt> list) {
        if (sessionId != null && sessionId.getState() == SessionIdState.AUTHENTICATED) {
            if (!list.contains(Prompt.LOGIN)) {
                list.add(Prompt.LOGIN);
            }
            sessionId.getSessionAttributes().put("prompt", io.jans.as.model.util.StringUtils.implode(list, " "));
            sessionId.setState(SessionIdState.UNAUTHENTICATED);
            sessionId.getSessionAttributes().put(Constants.REMOTE_IP, this.networkService.getRemoteIp());
            if (!this.sessionIdService.reinitLogin(sessionId, false)) {
                this.sessionIdService.updateSessionId(sessionId);
            }
        }
        return sessionId;
    }

    private SessionId getSession() {
        return this.authorizeService.getSession(this.sessionId);
    }

    public List<Scope> getScopes() {
        return this.authorizeService.getScopes(this.allowedScope);
    }

    /* JADX WARN: Finally extract failed */
    public List<String> getRequestedClaims() {
        HashSet hashSet = new HashSet();
        String str = this.request;
        if (StringUtils.isBlank(str) && StringUtils.isNotBlank(this.requestUri)) {
            try {
                URI uri = new URI(this.requestUri);
                String fragment = uri.getFragment();
                String str2 = uri.getScheme() + ":" + uri.getSchemeSpecificPart();
                jakarta.ws.rs.client.Client newClient = ClientBuilder.newClient();
                try {
                    Response invoke = newClient.target(str2).request().buildGet().invoke();
                    newClient.close();
                    if (invoke.getStatus() == 200) {
                        String str3 = (String) invoke.readEntity(String.class);
                        if (StringUtils.isBlank(fragment)) {
                            str = str3;
                        } else if (StringUtils.equals(fragment, Base64Util.base64urlencode(JwtUtil.getMessageDigestSHA256(str3)))) {
                            str = str3;
                        }
                    }
                    newClient.close();
                } catch (Throwable th) {
                    newClient.close();
                    throw th;
                }
            } catch (Exception e) {
                this.log.error(e.getMessage(), e);
            }
        }
        if (StringUtils.isNotBlank(str)) {
            try {
                Client client = this.clientService.getClient(this.clientId);
                if (client != null) {
                    JwtAuthorizationRequest jwtAuthorizationRequest = new JwtAuthorizationRequest(this.appConfiguration, this.cryptoProvider, this.request, client);
                    if (jwtAuthorizationRequest.getUserInfoMember() != null) {
                        Iterator<Claim> it = jwtAuthorizationRequest.getUserInfoMember().getClaims().iterator();
                        while (it.hasNext()) {
                            hashSet.add(it.next().getName());
                        }
                    }
                    if (jwtAuthorizationRequest.getIdTokenMember() != null) {
                        Iterator<Claim> it2 = jwtAuthorizationRequest.getIdTokenMember().getClaims().iterator();
                        while (it2.hasNext()) {
                            hashSet.add(it2.next().getName());
                        }
                    }
                }
            } catch (EntryPersistenceException | InvalidJwtException e2) {
                this.log.error(e2.getMessage(), e2);
            }
        }
        return new ArrayList(hashSet);
    }

    public String getScope() {
        return this.scope;
    }

    public void setScope(String str) {
        this.scope = str;
    }

    public String getResponseType() {
        return this.responseType;
    }

    public void setResponseType(String str) {
        this.responseType = str;
    }

    public String getClientId() {
        return this.clientId;
    }

    public void setClientId(String str) {
        this.clientId = str;
    }

    public String getRedirectUri() {
        return this.redirectUri;
    }

    public void setRedirectUri(String str) {
        this.redirectUri = str;
    }

    public String getState() {
        return this.state;
    }

    public void setState(String str) {
        this.state = str;
    }

    public String getResponseMode() {
        return this.responseMode;
    }

    public void setResponseMode(String str) {
        this.responseMode = str;
    }

    public String getNonce() {
        return this.nonce;
    }

    public void setNonce(String str) {
        this.nonce = str;
    }

    public String getDisplay() {
        return this.display;
    }

    public void setDisplay(String str) {
        this.display = str;
    }

    public String getPrompt() {
        return this.prompt;
    }

    public void setPrompt(String str) {
        this.prompt = str;
    }

    public Integer getMaxAge() {
        return this.maxAge;
    }

    public void setMaxAge(Integer num) {
        this.maxAge = num;
    }

    public String getUiLocales() {
        return this.uiLocales;
    }

    public void setUiLocales(String str) {
        this.uiLocales = str;
    }

    public String getIdTokenHint() {
        return this.idTokenHint;
    }

    public void setIdTokenHint(String str) {
        this.idTokenHint = str;
    }

    public String getLoginHint() {
        return this.loginHint;
    }

    public void setLoginHint(String str) {
        this.loginHint = StringEscapeUtils.escapeEcmaScript(str);
    }

    public String getAcrValues() {
        return this.acrValues;
    }

    public void setAcrValues(String str) {
        this.acrValues = str;
    }

    public String getAmrValues() {
        return this.amrValues;
    }

    public void setAmrValues(String str) {
        this.amrValues = str;
    }

    public String getRequest() {
        return this.request;
    }

    public void setRequest(String str) {
        this.request = str;
    }

    public String getRequestUri() {
        return this.requestUri;
    }

    public void setRequestUri(String str) {
        this.requestUri = str;
    }

    public String getSessionId() {
        return this.sessionId;
    }

    public void setSessionId(String str) {
        this.sessionId = str;
    }

    public void permissionGranted() {
        permissionGranted(getSession());
    }

    public void permissionGranted(SessionId sessionId) {
        this.authorizeService.permissionGranted((HttpServletRequest) this.externalContext.getRequest(), sessionId);
    }

    public void permissionDenied() {
        this.authorizeService.permissionDenied(getSession());
    }

    public void invalidRequest() {
        this.log.trace("invalidRequest");
        StringBuilder sb = new StringBuilder();
        sb.append(this.redirectUri);
        if (this.redirectUri == null || !this.redirectUri.contains("?")) {
            sb.append("?");
        } else {
            sb.append("&");
        }
        sb.append(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.INVALID_REQUEST, getState()));
        this.facesService.redirectToExternalURL(sb.toString());
    }

    public void consentRequired() {
        StringBuilder sb = new StringBuilder();
        sb.append(this.redirectUri);
        if (this.redirectUri == null || !this.redirectUri.contains("?")) {
            sb.append("?");
        } else {
            sb.append("&");
        }
        sb.append(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.CONSENT_REQUIRED, getState()));
        this.facesService.redirectToExternalURL(sb.toString());
    }

    public String getCodeChallenge() {
        return this.codeChallenge;
    }

    public void setCodeChallenge(String str) {
        this.codeChallenge = str;
    }

    public String getCodeChallengeMethod() {
        return this.codeChallengeMethod;
    }

    public void setCodeChallengeMethod(String str) {
        this.codeChallengeMethod = str;
    }

    public String getClaims() {
        return this.claims;
    }

    public void setClaims(String str) {
        this.claims = str;
    }

    public String getAuthReqId() {
        return this.authReqId;
    }

    public void setAuthReqId(String str) {
        this.authReqId = str;
    }

    public String getBindingMessage() {
        CibaRequestCacheControl cibaRequest;
        String str = null;
        if (Strings.isNotBlank(getAuthReqId()) && (cibaRequest = this.cibaRequestService.getCibaRequest(this.authReqId)) != null) {
            str = cibaRequest.getBindingMessage();
        }
        return str;
    }

    public String encodeParameters(String str, Map<String, Object> map) {
        if (map.isEmpty()) {
            return str;
        }
        StringBuilder sb = new StringBuilder(str);
        for (Map.Entry<String, Object> entry : map.entrySet()) {
            String key = entry.getKey();
            if (!containsParameter(str, key)) {
                Object value = entry.getValue();
                if (value instanceof Iterable) {
                    for (Object obj : (Iterable) value) {
                        sb.append('&').append(key).append('=');
                        if (obj != null) {
                            sb.append(encode(obj));
                        }
                    }
                } else {
                    sb.append('&').append(key).append('=');
                    if (value != null) {
                        sb.append(encode(value));
                    }
                }
            }
        }
        if (str.indexOf(63) < 0) {
            sb.setCharAt(str.length(), '?');
        }
        return sb.toString();
    }

    private boolean containsParameter(String str, String str2) {
        return str.indexOf(new StringBuilder().append('?').append(str2).append('=').toString()) > 0 || str.indexOf(new StringBuilder().append('&').append(str2).append('=').toString()) > 0;
    }

    private String encode(Object obj) {
        try {
            return URLEncoder.encode(String.valueOf(obj), "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException(e);
        }
    }

    private boolean hasOnlyOpenidScope() {
        return getScopes() != null && getScopes().size() == 1 && getScopes().get(0).getId().equals(Constants.OX_AUTH_SCOPE_TYPE_OPENID);
    }

    protected void handleSessionInvalid() {
        this.errorHandlerService.handleError(Authenticator.INVALID_SESSION_MESSAGE, AuthorizeErrorResponseType.AUTHENTICATION_SESSION_INVALID, "Create authorization request to start new authentication session.");
    }

    protected void handleScriptError(String str) {
        this.errorHandlerService.handleError(Authenticator.AUTHENTICATION_ERROR_MESSAGE, AuthorizeErrorResponseType.INVALID_AUTHENTICATION_METHOD, "Contact administrator to fix specific ACR method issue.");
    }
}
