package io.jans.as.server.service;

import com.google.common.collect.Sets;
import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.model.session.SessionId;
import io.jans.as.common.util.RedirectUri;
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.ciba.PushErrorResponseType;
import io.jans.as.model.common.BackchannelTokenDeliveryMode;
import io.jans.as.model.common.Prompt;
import io.jans.as.model.common.ResponseMode;
import io.jans.as.model.common.ResponseType;
import io.jans.as.model.config.WebKeysConfiguration;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.exception.CryptoProviderException;
import io.jans.as.model.jwk.Algorithm;
import io.jans.as.model.jwk.KeyOpsType;
import io.jans.as.model.jwk.Use;
import io.jans.as.persistence.model.Scope;
import io.jans.as.server.auth.Authenticator;
import io.jans.as.server.ciba.CIBAPingCallbackService;
import io.jans.as.server.ciba.CIBAPushErrorService;
import io.jans.as.server.model.common.CibaRequestCacheControl;
import io.jans.as.server.model.common.CibaRequestStatus;
import io.jans.as.server.model.common.DeviceAuthorizationCacheControl;
import io.jans.as.server.model.common.DeviceAuthorizationStatus;
import io.jans.as.server.security.Identity;
import io.jans.as.server.service.ciba.CibaRequestService;
import io.jans.jsf2.message.FacesMessages;
import io.jans.jsf2.service.FacesService;
import io.jans.util.security.StringEncrypter;
import jakarta.enterprise.context.RequestScoped;
import jakarta.faces.application.FacesMessage;
import jakarta.faces.context.ExternalContext;
import jakarta.inject.Inject;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;

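/**
 * Backs the consent ("authorize") page of the authorization flow: resolves the
 * current session and applies the end-user's grant or denial, then redirects
 * either back into the authorization endpoint ({@code /restv1/authorize}) or
 * to the client's {@code redirect_uri} with {@code access_denied}.
 *
 * <p>Request-scoped; every collaborator is CDI-injected. Denials additionally
 * notify pending CIBA (backchannel) and device-authorization requests.
 */
@RequestScoped
public class AuthorizeService {

    // Session-attribute / request-parameter keys read by this service.
    private static final String CLIENT_ID_ATTR = "client_id";
    private static final String SCOPE_ATTR = "scope";
    private static final String RESPONSE_TYPE_ATTR = "response_type";
    private static final String RESPONSE_MODE_ATTR = "response_mode";
    private static final String REDIRECT_URI_ATTR = "redirect_uri";
    private static final String STATE_ATTR = "state";
    private static final String PROMPT_PARAM = "prompt";
    private static final String AUTH_REQ_ID_PARAM = "auth_req_id";

    // Separator of space-delimited OAuth list values (scope, prompt, response_type).
    private static final String SPACE = " ";

    // Attributes appended to a cookie name to expire it in the browser
    // (Secure + HttpOnly kept so the deletion cookie carries the same flags).
    private static final String EXPIRED_COOKIE_SUFFIX =
            "=deleted; Path=/; Secure; HttpOnly; Expires=Thu, 01 Jan 1970 00:00:01 GMT;";

    @Inject
    private Logger log;

    @Inject
    private ClientService clientService;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private CookieService cookieService;

    @Inject
    private ClientAuthorizationsService clientAuthorizationsService;

    @Inject
    private Identity identity;

    @Inject
    private Authenticator authenticator;

    @Inject
    private FacesService facesService;

    @Inject
    private FacesMessages facesMessages;

    @Inject
    private ExternalContext externalContext;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private ScopeService scopeService;

    @Inject
    private RequestParameterService requestParameterService;

    @Inject
    private CIBAPingCallbackService cibaPingCallbackService;

    @Inject
    private CIBAPushErrorService cibaPushErrorService;

    @Inject
    private CibaRequestService cibaRequestService;

    @Inject
    private DeviceAuthorizationService deviceAuthorizationService;

    @Inject
    private AbstractCryptoProvider cryptoProvider;

    @Inject
    private WebKeysConfiguration webKeysConfiguration;

    /**
     * Returns the session identified by the session cookie.
     *
     * @return the session, or {@code null} if there is no cookie or the session is unknown
     */
    public SessionId getSession() {
        return getSession(null);
    }

    /**
     * Resolves a session by id, falling back to the session cookie when the
     * given id is blank.
     *
     * <p>If the caller is not logged in yet, authentication by session id is
     * attempted first. If the id resolves to no session the identity is logged
     * out, so that no identity state built from a stale id survives.
     *
     * @param sessionIdValue explicit session id, or blank to use the cookie
     * @return the matching session, or {@code null} when no id is available or
     *         the session does not exist
     */
    public SessionId getSession(String sessionIdValue) {
        String id = sessionIdValue;
        if (StringUtils.isBlank(id)) {
            id = this.cookieService.getSessionIdFromCookie();
            if (StringUtils.isBlank(id)) {
                return null;
            }
        }
        if (!this.identity.isLoggedIn()) {
            this.authenticator.authenticateBySessionId(id);
        }
        SessionId sessionId = this.sessionIdService.getSessionId(id);
        if (sessionId == null) {
            // The id no longer points at a session (expired/removed): drop whatever was built from it.
            this.identity.logout();
        }
        return sessionId;
    }

    /**
     * Records the end-user's consent for the requesting client in the session
     * and redirects back to the authorization endpoint to finish the flow.
     *
     * <p>The {@code login} and {@code consent} prompts are removed from the
     * replayed request so the endpoint does not send the user back to this
     * page. Persistent client authorizations are stored only for non-trusted
     * clients that opted in, and never for the implicit flow.
     *
     * <p>Any failure is logged and shown as {@code login.failedToGrantPermission}.
     *
     * @param httpServletRequest current request, used for the context path of the redirect
     * @param sessionId          the user's session; {@code null} is handled as a denial
     */
    public void permissionGranted(HttpServletRequest httpServletRequest, SessionId sessionId) {
        this.log.trace("permissionGranted");
        try {
            if (sessionId == null) {
                // Without a session nothing can be granted; the original would have
                // hit a NullPointerException below and shown a generic error instead.
                this.log.debug("Permission denied. No session.");
                permissionDenied(null);
                return;
            }
            User user = this.sessionIdService.getUser(sessionId);
            if (user == null) {
                this.log.debug("Permission denied. Failed to find session user: userDn = {}", sessionId.getUserDn());
                permissionDenied(sessionId);
                return;
            }
            String clientId = sessionAttribute(sessionId, CLIENT_ID_ATTR);
            Client client = this.clientService.getClient(clientId);
            if (client == null) {
                this.log.debug("Permission denied. Failed to find client by id: {}", clientId);
                permissionDenied(sessionId);
                return;
            }
            Set<String> grantedScopes = new HashSet<>(
                    io.jans.as.model.util.StringUtils.spaceSeparatedToList(sessionAttribute(sessionId, SCOPE_ATTR)));
            boolean notImplicitFlow = !ResponseType.isImplicitFlow(sessionAttribute(sessionId, RESPONSE_TYPE_ATTR));
            if (!client.getTrustedClient() && notImplicitFlow && client.getPersistClientAuthorizations()) {
                this.clientAuthorizationsService.add(user.getAttribute("inum"), client.getClientId(), grantedScopes);
            }
            sessionId.addPermission(clientId, true, grantedScopes);
            this.sessionIdService.updateSessionId(sessionId);
            this.identity.setSessionId(sessionId);
            if (BooleanUtils.isFalse(this.appConfiguration.getInvalidateSessionCookiesAfterAuthorizationFlow())) {
                this.cookieService.createSessionIdCookie(sessionId, false);
            }
            Map<String, String> allowedParameters =
                    this.requestParameterService.getAllowedParameters(sessionId.getSessionAttributes());
            stripInteractivePrompts(allowedParameters);
            String redirectTo = httpServletRequest.getContextPath() + "/restv1/authorize?"
                    + this.requestParameterService.parametersAsString(allowedParameters);
            this.log.trace("permissionGranted, redirectTo: {}", redirectTo);
            if (invalidateSessionCookiesIfNeeded()
                    && !redirectTo.contains(CookieService.SESSION_ID_COOKIE_NAME)
                    && BooleanUtils.isTrue(this.appConfiguration.getSessionIdRequestParameterEnabled())) {
                // The cookies were just expired, so the session id travels in the query string
                // instead. That exposes it to browser history and referrers, which is why it is
                // gated behind sessionIdRequestParameterEnabled.
                redirectTo = redirectTo + "&session_id=" + sessionId.getId();
            }
            this.facesService.redirectToExternalURL(redirectTo);
        } catch (Exception e) {
            this.log.error("Failed to grant permission", e);
            showErrorPage("login.failedToGrantPermission");
        }
    }

    /**
     * Handles an end-user denial: expires the session cookies when configured,
     * notifies a pending CIBA or device-authorization request, and redirects to
     * the client's {@code redirect_uri} carrying {@code access_denied} (as a
     * signed JARM response when {@code response_mode=jwt}).
     *
     * <p>Any failure is logged and shown as {@code login.failedToDeny}.
     *
     * @param sessionId the user's session; {@code null} shows the invalid-session error page
     */
    public void permissionDenied(SessionId sessionId) {
        try {
            this.log.trace("permissionDenied");
            invalidateSessionCookiesIfNeeded();
            if (sessionId == null) {
                authenticationFailedSessionInvalid();
                return;
            }
            String state = sessionAttribute(sessionId, STATE_ATTR);
            ResponseMode responseMode = ResponseMode.fromString(sessionAttribute(sessionId, RESPONSE_MODE_ATTR));
            RedirectUri redirectUri = new RedirectUri(
                    sessionAttribute(sessionId, REDIRECT_URI_ATTR),
                    ResponseType.fromString(sessionAttribute(sessionId, RESPONSE_TYPE_ATTR), SPACE),
                    responseMode);
            // state is echoed back so the client can correlate the error with its request.
            redirectUri.parseQueryString(
                    this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.ACCESS_DENIED, state));
            Map<String, String> allowedParameters =
                    this.requestParameterService.getAllowedParameters(sessionId.getSessionAttributes());
            if (allowedParameters.containsKey(AUTH_REQ_ID_PARAM)) {
                processCibaDeniedResponse(allowedParameters);
            }
            if (allowedParameters.containsKey(DeviceAuthorizationService.SESSION_USER_CODE)) {
                processDeviceAuthDeniedResponse(allowedParameters);
            }
            if (responseMode == ResponseMode.JWT) {
                Client client = this.clientService.getClient(sessionAttribute(sessionId, CLIENT_ID_ATTR));
                this.facesService.redirectToExternalURL(createJarmRedirectUri(redirectUri, client));
            } else {
                this.facesService.redirectToExternalURL(redirectUri.toString());
            }
        } catch (Exception e) {
            this.log.error("Unable to perform permission deny", e);
            showErrorPage("login.failedToDeny");
        }
    }

    /**
     * Marks the CIBA request named by {@code auth_req_id} as denied and notifies
     * the client according to its backchannel token delivery mode: POLL persists
     * the status, PING persists it and pings the client's notification endpoint,
     * PUSH pushes an {@code access_denied} error to that endpoint.
     *
     * @param allowedParameters request parameters containing {@code auth_req_id}
     */
    private void processCibaDeniedResponse(Map<String, String> allowedParameters) {
        String authReqId = allowedParameters.get(AUTH_REQ_ID_PARAM);
        CibaRequestCacheControl cibaRequest = this.cibaRequestService.getCibaRequest(authReqId);
        if (cibaRequest == null || cibaRequest.getClient() == null) {
            return;
        }
        if (cibaRequest.getStatus() == CibaRequestStatus.PENDING) {
            this.cibaRequestService.removeCibaRequest(authReqId);
        }
        BackchannelTokenDeliveryMode deliveryMode = cibaRequest.getClient().getBackchannelTokenDeliveryMode();
        if (deliveryMode == null) {
            // Nothing to notify; the original threw NullPointerException here and aborted the redirect.
            this.log.debug("CIBA client has no backchannel token delivery mode; skipping denial notification.");
            return;
        }
        switch (deliveryMode) {
            case POLL:
                markCibaDenied(cibaRequest);
                break;
            case PING:
                markCibaDenied(cibaRequest);
                this.cibaPingCallbackService.pingCallback(
                        cibaRequest.getAuthReqId(),
                        cibaRequest.getClient().getBackchannelClientNotificationEndpoint(),
                        cibaRequest.getClientNotificationToken());
                break;
            case PUSH:
                // NOTE(review): unlike POLL/PING, the DENIED status is not persisted for PUSH
                // (kept as in the original) — confirm this is intended.
                this.cibaPushErrorService.pushError(
                        cibaRequest.getAuthReqId(),
                        cibaRequest.getClient().getBackchannelClientNotificationEndpoint(),
                        cibaRequest.getClientNotificationToken(),
                        PushErrorResponseType.ACCESS_DENIED,
                        "The end-user denied the authorization request.");
                break;
            default:
                break;
        }
    }

    /** Persists the request as DENIED with no tokens delivered. */
    private void markCibaDenied(CibaRequestCacheControl cibaRequest) {
        cibaRequest.setStatus(CibaRequestStatus.DENIED);
        cibaRequest.setTokensDelivered(false);
        this.cibaRequestService.update(cibaRequest);
    }

    /**
     * Builds the JARM ({@code response_mode=jwt}) redirect for an
     * {@code access_denied} result: the error parameters are wrapped in a JWT
     * signed with the client's {@code authorization_signed_response_alg} and
     * appended to the redirect URI.
     *
     * <p>Failure to decrypt the client secret or to resolve a key id is logged
     * and the key id is left unset; building the response then proceeds
     * best-effort, as in the original.
     *
     * @param redirectUri redirect already carrying the error query parameters
     * @param client      the client whose signing settings are used
     * @return the redirect URI with the JARM query string appended
     */
    private String createJarmRedirectUri(RedirectUri redirectUri, Client client) {
        String baseUri = redirectUri.toString();
        // NOTE(review): fromString may yield null if the client attribute is unset; the
        // NullPointerException from algorithm.getName() below then surfaces through
        // permissionDenied's catch block — confirm whether a default algorithm is expected.
        SignatureAlgorithm algorithm =
                SignatureAlgorithm.fromString(client.getAttributes().getAuthorizationSignedResponseAlg());
        redirectUri.setSignatureAlgorithm(algorithm);
        redirectUri.addResponseParameter("error", "access_denied");
        redirectUri.addResponseParameter("error_description", "User Denied the Access");
        redirectUri.setIssuer(this.appConfiguration.getIssuer());
        redirectUri.setAudience(client.getClientId());
        redirectUri.setCryptoProvider(this.cryptoProvider);
        String keyId = null;
        try {
            // Presumably the shared secret serves HMAC algorithms and the key id asymmetric
            // ones — verify against RedirectUri.
            redirectUri.setSharedSecret(this.clientService.decryptSecret(client.getClientSecret()));
            keyId = new ServerCryptoProvider(this.cryptoProvider).getKeyId(
                    this.webKeysConfiguration, Algorithm.fromString(algorithm.getName()), Use.SIGNATURE, KeyOpsType.CONNECT);
        } catch (StringEncrypter.EncryptionException | CryptoProviderException e) {
            this.log.error(e.getMessage(), e);
        }
        redirectUri.setKeyId(keyId);
        String queryString = redirectUri.getQueryString();
        this.log.info("The JARM Query Response: {}", queryString);
        return baseUri + queryString;
    }

    /** Shows the error page with the invalid-session message. */
    private void authenticationFailedSessionInvalid() {
        showErrorPage(Authenticator.INVALID_SESSION_MESSAGE);
    }

    /**
     * Queues {@code messageKey} as an error Faces message and redirects to {@code /error.xhtml}.
     *
     * @param messageKey message key shown on the error page
     */
    private void showErrorPage(String messageKey) {
        this.log.debug("Redirect to /error.xhtml page with {} error code.", messageKey);
        this.facesMessages.add(FacesMessage.SEVERITY_ERROR, messageKey);
        this.facesService.redirect("/error.xhtml");
    }

    /**
     * Returns the describable scopes requested in the current session.
     *
     * @return the scopes, or an empty list when there is no current session
     */
    public List<Scope> getScopes() {
        SessionId session = getSession();
        if (session == null) {
            // getSession() returns null without a cookie; the original dereferenced it.
            return new ArrayList<>();
        }
        return getScopes(sessionAttribute(session, SCOPE_ATTR));
    }

    /**
     * Resolves a space-separated scope list to {@link Scope} entities, keeping
     * only scopes that exist and have a description (the ones the consent page
     * can present).
     *
     * @param spaceSeparatedScopes scope ids separated by spaces; may be blank
     * @return the matching scopes, never {@code null}
     */
    public List<Scope> getScopes(String spaceSeparatedScopes) {
        List<Scope> scopes = new ArrayList<>();
        if (StringUtils.isBlank(spaceSeparatedScopes)) {
            return scopes;
        }
        for (String scopeId : spaceSeparatedScopes.split(SPACE)) {
            if (scopeId.isEmpty()) {
                continue; // consecutive spaces yield empty tokens; nothing to look up
            }
            Scope scope = this.scopeService.getScopeById(scopeId);
            if (scope != null && scope.getDescription() != null) {
                scopes.add(scope);
            }
        }
        return scopes;
    }

    /**
     * Expires the session cookies if {@code invalidateSessionCookiesAfterAuthorizationFlow} is on.
     *
     * @return {@code true} only if the cookies were actually expired
     */
    private boolean invalidateSessionCookiesIfNeeded() {
        if (BooleanUtils.isTrue(this.appConfiguration.getInvalidateSessionCookiesAfterAuthorizationFlow())) {
            return invalidateSessionCookies();
        }
        return false;
    }

    /**
     * Expires the session and consent-session cookies on the current HTTP response.
     *
     * @return {@code true} on success; {@code false} if the response is not an
     *         {@link HttpServletResponse} or adding the headers failed (logged)
     */
    private boolean invalidateSessionCookies() {
        try {
            Object response = this.externalContext.getResponse();
            if (!(response instanceof HttpServletResponse)) {
                return false;
            }
            HttpServletResponse httpServletResponse = (HttpServletResponse) response;
            // The original hard-coded "session_id"/"consent_session_id" in the header while
            // logging the CookieService constants; deriving both from the same constant keeps
            // the cookie that is cleared in step with the one that is set.
            expireCookie(httpServletResponse, CookieService.SESSION_ID_COOKIE_NAME);
            expireCookie(httpServletResponse, CookieService.CONSENT_SESSION_ID_COOKIE_NAME);
            return true;
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
            return false;
        }
    }

    /** Adds a {@code Set-Cookie} header that deletes {@code cookieName} in the browser. */
    private void expireCookie(HttpServletResponse response, String cookieName) {
        this.log.trace("Invalidated {} cookie.", cookieName);
        response.addHeader("Set-Cookie", cookieName + EXPIRED_COOKIE_SUFFIX);
    }

    /**
     * Marks a pending device-authorization request as denied and removes it
     * from the cache; requests that are absent or no longer pending are left alone.
     *
     * @param parameters request parameters containing the device user code
     */
    private void processDeviceAuthDeniedResponse(Map<String, String> parameters) {
        String userCode = parameters.get(DeviceAuthorizationService.SESSION_USER_CODE);
        DeviceAuthorizationCacheControl deviceAuthz = this.deviceAuthorizationService.getDeviceAuthzByUserCode(userCode);
        if (deviceAuthz == null || deviceAuthz.getStatus() != DeviceAuthorizationStatus.PENDING) {
            return;
        }
        deviceAuthz.setStatus(DeviceAuthorizationStatus.DENIED);
        this.deviceAuthorizationService.saveInCache(deviceAuthz, true, false);
        this.deviceAuthorizationService.removeDeviceAuthRequestInCache(userCode, null);
    }

    /**
     * Removes {@code login} and {@code consent} from the {@code prompt} parameter
     * so the replayed authorization request does not re-prompt the user.
     *
     * @param parameters parameters to adjust in place; untouched when {@code prompt} is absent
     */
    private static void stripInteractivePrompts(Map<String, String> parameters) {
        if (!parameters.containsKey(PROMPT_PARAM)) {
            return;
        }
        List<Prompt> prompts = Prompt.fromString(parameters.get(PROMPT_PARAM), SPACE);
        prompts.remove(Prompt.LOGIN);
        prompts.remove(Prompt.CONSENT);
        parameters.put(PROMPT_PARAM, io.jans.as.model.util.StringUtils.implodeEnum(prompts, SPACE));
    }

    /**
     * Reads one session attribute as a string.
     *
     * @return the attribute value, or {@code null} when absent
     */
    private static String sessionAttribute(SessionId sessionId, String key) {
        return (String) sessionId.getSessionAttributes().get(key);
    }
}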
