package io.jans.as.server.authorize.ws.rs;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.model.session.SessionId;
import io.jans.as.common.util.CommonUtils;
import io.jans.as.common.util.RedirectUri;
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.common.GrantType;
import io.jans.as.model.common.Prompt;
import io.jans.as.model.common.ResponseMode;
import io.jans.as.model.config.WebKeysConfiguration;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.crypto.encryption.BlockEncryptionAlgorithm;
import io.jans.as.model.crypto.encryption.KeyEncryptionAlgorithm;
import io.jans.as.model.crypto.signature.AlgorithmFamily;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.jwe.Jwe;
import io.jans.as.model.jwk.Algorithm;
import io.jans.as.model.jwk.JSONWebKeySet;
import io.jans.as.model.jwk.Use;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.jwt.JwtHeader;
import io.jans.as.model.token.JsonWebResponse;
import io.jans.as.model.util.Util;
import io.jans.as.persistence.model.Par;
import io.jans.as.server.model.audit.Action;
import io.jans.as.server.model.audit.OAuth2AuditLog;
import io.jans.as.server.model.authorize.Claim;
import io.jans.as.server.model.authorize.IdTokenMember;
import io.jans.as.server.model.authorize.JwtAuthorizationRequest;
import io.jans.as.server.model.authorize.ScopeChecker;
import io.jans.as.server.model.config.Constants;
import io.jans.as.server.model.token.HandleTokenFactory;
import io.jans.as.server.par.ws.rs.ParService;
import io.jans.as.server.service.ClientService;
import io.jans.as.server.service.RedirectUriResponse;
import io.jans.as.server.service.RedirectionUriService;
import io.jans.as.server.service.RequestParameterService;
import io.jans.as.server.service.ServerCryptoProvider;
import io.jans.as.server.service.external.ExternalAuthenticationService;
import io.jans.as.server.token.ws.rs.TokenExchangeService;
import io.jans.as.server.util.ServerUtil;
import jakarta.ejb.Stateless;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.jetbrains.annotations.Nullable;
import org.json.JSONObject;
import org.slf4j.Logger;

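/**
 * Helper service used by the authorization endpoint to normalise an {@link AuthzRequest}
 * before it is processed: it resolves pushed authorization requests (PAR), applies the
 * parameters carried by a JWT request object, prepares the redirect URI for JARM
 * (JWT secured) responses, resolves ACR values against the client's minimum ACR level,
 * attaches a device secret to the session and creates the audit log entry.
 */
@Named
@Stateless
public class AuthzRequestService {
    public static final String INVALID_JWT_AUTHORIZATION_REQUEST = "Invalid JWT authorization request";
    private static final long ACR_TO_LEVEL_CACHE_LIFETIME_IN_MINUTES = 15;
    private static final String ACR_TO_LEVEL_KEY = "ACR_TO_LEVEL_KEY";
    /** Scope value that asks for a device secret, see {@link #addDeviceSecretToSession}. */
    private static final String DEVICE_SSO_SCOPE = "device_sso";
    /** Response modes for which the redirect URI must carry the JARM signing/encryption settings. */
    private static final Set<ResponseMode> JARM_RESPONSE_MODES = Sets.immutableEnumSet(
            ResponseMode.QUERY_JWT, ResponseMode.FRAGMENT_JWT, ResponseMode.JWT, ResponseMode.FORM_POST_JWT);

    @Inject
    private Logger log;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private AuthorizeRestWebServiceValidator authorizeRestWebServiceValidator;

    @Inject
    private ParService parService;

    @Inject
    private AbstractCryptoProvider cryptoProvider;

    @Inject
    private ScopeChecker scopeChecker;

    @Inject
    private RequestParameterService requestParameterService;

    @Inject
    private WebKeysConfiguration webKeysConfiguration;

    @Inject
    private ClientService clientService;

    @Inject
    private RedirectionUriService redirectionUriService;

    @Inject
    private ExternalAuthenticationService externalAuthenticationService;

    /** Single-entry cache (key {@link #ACR_TO_LEVEL_KEY}) of the acr-to-level mapping, expiring 15 minutes after write. */
    private final Cache<String, Map<String, Integer>> acrToLevelCache = CacheBuilder.newBuilder()
            .expireAfterWrite(ACR_TO_LEVEL_CACHE_LIFETIME_IN_MINUTES, TimeUnit.MINUTES)
            .build();

    /**
     * Returns the mapping from ACR name to numeric level, looked up through the external
     * authentication service and cached for {@code ACR_TO_LEVEL_CACHE_LIFETIME_IN_MINUTES}.
     *
     * @return acr name to level mapping; an empty map (not cached) when the service returned none
     */
    public Map<String, Integer> getAcrToLevelMap() {
        Map<String, Integer> cached = this.acrToLevelCache.getIfPresent(ACR_TO_LEVEL_KEY);
        if (cached != null) {
            return cached;
        }
        Map<String, Integer> mapping = this.externalAuthenticationService.acrToLevelMapping();
        if (mapping == null) {
            // Guava caches reject null values; do not cache the miss so the next call retries the lookup.
            this.log.debug("acrToLevelMapping() returned null, using an empty mapping");
            return new HashMap<>();
        }
        this.acrToLevelCache.put(ACR_TO_LEVEL_KEY, mapping);
        return mapping;
    }

    /**
     * Generates a device secret, stores it in the session and adds it as {@code device_secret}
     * response parameter when the request asks for the {@code device_sso} scope.
     * <p>
     * Nothing happens when {@code returnDeviceSecretFromAuthzEndpoint} is explicitly {@code false},
     * when the scope does not contain {@code device_sso}, or when the client does not have the
     * Token Exchange grant type enabled (the latter is logged at debug level).
     *
     * @param authzRequest request whose scope and client are inspected and whose redirect URI gets the parameter
     * @param sessionId    session that receives the generated secret
     */
    public void addDeviceSecretToSession(AuthzRequest authzRequest, SessionId sessionId) {
        if (BooleanUtils.isFalse(this.appConfiguration.getReturnDeviceSecretFromAuthzEndpoint())) {
            return;
        }
        String scope = authzRequest.getScope();
        if (StringUtils.isBlank(scope) || !Arrays.asList(scope.split(" ")).contains(DEVICE_SSO_SCOPE)) {
            return;
        }
        if (!ArrayUtils.contains(authzRequest.getClient().getGrantTypes(), GrantType.TOKEN_EXCHANGE)) {
            this.log.debug("Skip device secret. Scope has {} value but client does not have Token Exchange Grant Type enabled ('urn:ietf:params:oauth:grant-type:token-exchange')", DEVICE_SSO_SCOPE);
            return;
        }
        String deviceSecret = HandleTokenFactory.generateDeviceSecret();
        sessionId.getDeviceSecrets().add(deviceSecret);
        authzRequest.getRedirectUriResponse().getRedirectUri().addResponseParameter(TokenExchangeService.DEVICE_SECRET, deviceSecret);
    }

    /**
     * Resolves a pushed authorization request (PAR) referenced by {@code request_uri}.
     * <p>
     * When the request is a PAR reference, the stored parameters replace those of
     * {@code authzRequest}: {@code request_uri} and {@code request} are cleared; response
     * type/mode, scope, prompt, redirect URI, acr/amr values, PKCE values and state are
     * overwritten; nonce, session id, custom response headers, claims, origin headers,
     * ui locales and custom parameters are applied only when the PAR holds a value.
     *
     * @param authzRequest request being processed; mutated in place
     * @return {@code true} if the request referenced a PAR and its parameters were applied
     * @throws WebApplicationException {@code invalid_request} when the server is configured with
     *         {@code requirePar} and the request is not a PAR reference
     */
    public boolean processPar(AuthzRequest authzRequest) {
        boolean isPar = Util.isPar(authzRequest.getRequestUri());
        if (!isPar) {
            if (BooleanUtils.isTrue(this.appConfiguration.getRequirePar())) {
                this.log.debug("Server configured for PAR only (via requirePar conf property). Failed to find PAR by request_uri (id): {}", authzRequest.getRequestUri());
                throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST)
                        .entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, authzRequest.getState(), "Failed to find par by request_uri"))
                        .type(MediaType.APPLICATION_JSON_TYPE)
                        .build());
            }
            return false;
        }
        Par par = this.parService.getParAndValidateForAuthorizationRequest(authzRequest.getRequestUri(), authzRequest.getState(), authzRequest.getClientId());
        // From here on the PAR is the source of truth: drop the reference and any inline request object.
        authzRequest.setRequestUri(null);
        authzRequest.setRequest(null);
        this.log.debug("Setting request parameters from PAR - {}", par);

        authzRequest.setResponseType(par.getAttributes().getResponseType());
        authzRequest.setResponseMode(par.getAttributes().getResponseMode());
        authzRequest.setScope(par.getAttributes().getScope());
        authzRequest.setPrompt(par.getAttributes().getPrompt());
        authzRequest.setRedirectUri(par.getAttributes().getRedirectUri());
        authzRequest.setAcrValues(par.getAttributes().getAcrValuesStr());
        authzRequest.setAmrValues(par.getAttributes().getAmrValuesStr());
        authzRequest.setCodeChallenge(par.getAttributes().getCodeChallenge());
        authzRequest.setCodeChallengeMethod(par.getAttributes().getCodeChallengeMethod());
        authzRequest.setState(StringUtils.isNotBlank(par.getAttributes().getState()) ? par.getAttributes().getState() : "");

        if (StringUtils.isNotBlank(par.getAttributes().getNonce())) {
            authzRequest.setNonce(par.getAttributes().getNonce());
        }
        if (StringUtils.isNotBlank(par.getAttributes().getSessionId())) {
            authzRequest.setSessionId(par.getAttributes().getSessionId());
        }
        if (StringUtils.isNotBlank(par.getAttributes().getCustomResponseHeaders())) {
            authzRequest.setCustomResponseHeaders(par.getAttributes().getCustomResponseHeaders());
        }
        if (StringUtils.isNotBlank(par.getAttributes().getClaims())) {
            authzRequest.setClaims(par.getAttributes().getClaims());
        }
        if (StringUtils.isNotBlank(par.getAttributes().getOriginHeaders())) {
            authzRequest.setOriginHeaders(par.getAttributes().getOriginHeaders());
        }
        if (StringUtils.isNotBlank(par.getAttributes().getUiLocales())) {
            authzRequest.setUiLocales(par.getAttributes().getUiLocales());
        }
        if (!par.getAttributes().getCustomParameters().isEmpty()) {
            if (authzRequest.getCustomParameters() == null) {
                authzRequest.setCustomParameters(new HashMap<>());
            }
            authzRequest.getCustomParameters().putAll(par.getAttributes().getCustomParameters());
        }
        return true;
    }

    /**
     * Parses and applies the JWT request object ({@code request} or {@code request_uri}) of the
     * authorization request, then prepares JARM settings and validates the request object.
     * <p>
     * If the request object is rejected with a {@link WebApplicationException}, the raw JWT is
     * re-read (without verification, see {@link #parseRequestToJwr}) so that a JARM response
     * mode declared inside it still governs how the error is returned; the original exception is
     * then rethrown. Any other failure is logged and reported as an invalid JWT request.
     *
     * @param authzRequest request being processed; mutated in place
     * @param client       client the request is made for
     * @param set          scopes of the request; replaced in place by the request object's scopes
     *                     (after the client's scope policy) when the object carries scopes
     * @param user         currently authenticated user, may be {@code null}
     * @param list         prompts of the request; replaced in place by the request object's prompts
     *                     when the object carries prompts
     * @throws WebApplicationException when the request object is missing, invalid or inconsistent
     *         with the query parameters
     */
    public void processRequestObject(AuthzRequest authzRequest, Client client, Set<String> set, User user, List<Prompt> list) {
        RedirectUriResponse redirectUriResponse = authzRequest.getRedirectUriResponse();
        JwtAuthorizationRequest jwtRequest = null;
        boolean hasRequestObject = StringUtils.isNotBlank(authzRequest.getRequest()) || StringUtils.isNotBlank(authzRequest.getRequestUri());
        if (hasRequestObject) {
            try {
                jwtRequest = JwtAuthorizationRequest.createJwtRequest(authzRequest.getRequest(), authzRequest.getRequestUri(), client, redirectUriResponse, this.cryptoProvider, this.appConfiguration);
                if (jwtRequest == null) {
                    throw this.authorizeRestWebServiceValidator.createInvalidJwtRequestException(redirectUriResponse, "Failed to parse jwt.");
                }
                authzRequest.setJwtRequest(jwtRequest);
                applyJwtRequest(authzRequest, client, redirectUriResponse, jwtRequest, set, user, list);
            } catch (WebApplicationException e) {
                // The request object was rejected, but a JARM response mode inside it still decides
                // how the error has to be returned (same handling as handleJwr).
                handleJwr(authzRequest, client, redirectUriResponse, parseRequestToJwr(authzRequest.getRequest()));
                throw e;
            } catch (Exception e) {
                this.log.error("Invalid JWT authorization request. Message : " + e.getMessage(), e);
                throw this.authorizeRestWebServiceValidator.createInvalidJwtRequestException(redirectUriResponse, INVALID_JWT_AUTHORIZATION_REQUEST);
            }
        }
        if (JARM_RESPONSE_MODES.contains(authzRequest.getResponseModeEnum())) {
            fillRedirectUriResponseforJARM(redirectUriResponse, parseRequestToJwr(authzRequest.getRequest()), client);
        }
        if (jwtRequest != null) {
            this.authorizeRestWebServiceValidator.validateJwtRequest(authzRequest.getClientId(), authzRequest.getState(), authzRequest.getHttpRequest(), authzRequest.getResponseTypeList(), redirectUriResponse, jwtRequest);
        }
    }

    /**
     * Copies the parameters of a successfully parsed request object onto {@code authzRequest}:
     * state, redirect URI, scopes, nonce, PKCE values, display, prompts, response mode, the
     * {@code id_token} member and custom parameters.
     *
     * @throws WebApplicationException when the request object's redirect URI differs from the query
     *         parameter or is not registered, when a signed object is required but the object is
     *         unsigned, when scopes are given without {@code openid}, or when the {@code id_token}
     *         member names a different user than the authenticated one
     */
    private void applyJwtRequest(AuthzRequest authzRequest, Client client, RedirectUriResponse redirectUriResponse,
                                 JwtAuthorizationRequest jwtRequest, Set<String> set, User user, List<Prompt> list) {
        if (StringUtils.isNotBlank(jwtRequest.getState())) {
            authzRequest.setState(jwtRequest.getState());
            redirectUriResponse.setState(authzRequest.getState());
        }
        if (this.appConfiguration.isFapi() && StringUtils.isBlank(jwtRequest.getState())) {
            // FAPI: the request object's state wins even when it is absent.
            authzRequest.setState("");
            redirectUriResponse.setState("");
        }
        if (jwtRequest.getRedirectUri() != null) {
            if (!jwtRequest.getRedirectUri().equals(authzRequest.getRedirectUri())) {
                this.log.error("The redirect_uri parameter in url is not the same as in the JWT");
                throw this.authorizeRestWebServiceValidator.createInvalidJwtRequestException(redirectUriResponse, "The redirect_uri parameter in url is not the same as in the JWT");
            }
            if (StringUtils.isBlank(this.redirectionUriService.validateRedirectionUri(client, jwtRequest.getRedirectUri()))) {
                this.log.error("redirect_uri in request object is not valid.");
                throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST)
                        .entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST_REDIRECT_URI, authzRequest.getState(), ""))
                        .build());
            }
            redirectUriResponse.getRedirectUri().setBaseRedirectUri(jwtRequest.getRedirectUri());
        }
        SignatureAlgorithm algorithm = SignatureAlgorithm.fromString(jwtRequest.getAlgorithm());
        if (Boolean.TRUE.equals(this.appConfiguration.getForceSignedRequestObject()) && algorithm == SignatureAlgorithm.NONE) {
            throw this.authorizeRestWebServiceValidator.createInvalidJwtRequestException(redirectUriResponse, "A signed request object is required");
        }
        if (!jwtRequest.getScopes().isEmpty()) {
            if (!set.contains(Constants.OX_AUTH_SCOPE_TYPE_OPENID)) {
                throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST)
                        .entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_SCOPE, authzRequest.getState(), "scope parameter does not contain openid value which is required."))
                        .build());
            }
            // The request object's scopes replace the query scopes, filtered by the client's scope policy.
            set.clear();
            set.addAll(this.scopeChecker.checkScopesPolicy(client, Lists.newArrayList(jwtRequest.getScopes())));
        }
        if (StringUtils.isNotBlank(jwtRequest.getNonce())) {
            authzRequest.setNonce(jwtRequest.getNonce());
        }
        if (StringUtils.isNotBlank(jwtRequest.getCodeChallenge())) {
            authzRequest.setCodeChallenge(jwtRequest.getCodeChallenge());
        }
        if (StringUtils.isNotBlank(jwtRequest.getCodeChallengeMethod())) {
            authzRequest.setCodeChallengeMethod(jwtRequest.getCodeChallengeMethod());
        }
        if (jwtRequest.getDisplay() != null && StringUtils.isNotBlank(jwtRequest.getDisplay().getParamName())) {
            authzRequest.setDisplay(jwtRequest.getDisplay().getParamName());
        }
        if (!jwtRequest.getPrompts().isEmpty()) {
            list.clear();
            list.addAll(Lists.newArrayList(jwtRequest.getPrompts()));
            authzRequest.setPrompt(io.jans.as.model.util.StringUtils.implode(list, " "));
            authzRequest.setPromptFromJwt(true);
        }
        if (jwtRequest.getResponseMode() != null) {
            authzRequest.setResponseMode(jwtRequest.getResponseMode().getValue());
            redirectUriResponse.getRedirectUri().setResponseMode(jwtRequest.getResponseMode());
        }
        checkIdTokenMember(authzRequest, redirectUriResponse, user, jwtRequest);
        this.requestParameterService.getCustomParameters(jwtRequest, authzRequest.getCustomParameters());
    }

    /**
     * Applies the JARM-relevant claims of a raw (possibly unverified) request object after it was
     * rejected: a {@code none} algorithm is refused, and a {@code response_mode} of {@code jwt}
     * switches the response to JARM and, in FAPI mode, throws the invalid-request error as a JWT.
     *
     * @param authzRequest        request being processed; its response mode may be updated
     * @param client              client the request is made for
     * @param redirectUriResponse response holder whose redirect URI is configured for JARM
     * @param jsonWebResponse     parsed request object; {@code null} is ignored
     * @throws WebApplicationException when the object uses the {@code none} algorithm, or (FAPI, JWT
     *         response mode) to deliver the invalid-request error as a JWT
     */
    public void handleJwr(AuthzRequest authzRequest, Client client, RedirectUriResponse redirectUriResponse, JsonWebResponse jsonWebResponse) {
        if (jsonWebResponse == null) {
            return;
        }
        if ("none".equals(jsonWebResponse.getClaims().getClaimAsString("alg"))) {
            throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST)
                    .entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT, "", "The None algorithm in nested JWT is not allowed for FAPI"))
                    .type(MediaType.APPLICATION_JSON_TYPE)
                    .build());
        }
        ResponseMode responseMode = ResponseMode.getByValue(jsonWebResponse.getClaims().getClaimAsString("response_mode"));
        if (responseMode != ResponseMode.JWT) {
            return;
        }
        authzRequest.setResponseMode(responseMode.getValue());
        redirectUriResponse.getRedirectUri().setResponseMode(ResponseMode.JWT);
        fillRedirectUriResponseforJARM(redirectUriResponse, jsonWebResponse, client);
        if (this.appConfiguration.isFapi()) {
            this.authorizeRestWebServiceValidator.throwInvalidJwtRequestExceptionAsJwtMode(redirectUriResponse, INVALID_JWT_AUTHORIZATION_REQUEST, jsonWebResponse.getClaims().getClaimAsString("state"), authzRequest.getHttpRequest());
        }
    }

    /**
     * Applies the {@code id_token} member of a request object: {@code max_age} and the requested
     * {@code acr} claim are copied onto the request, and a requested {@code sub} must match the
     * already authenticated user.
     *
     * @param authzRequest            request being processed; max age / acr values may be updated
     * @param redirectUriResponse     used to build the {@code user_mismatched} error
     * @param user                    authenticated user, may be {@code null} (then {@code sub} is not checked)
     * @param jwtAuthorizationRequest parsed request object
     * @throws WebApplicationException {@code user_mismatched} when {@code sub} names another user
     */
    public void checkIdTokenMember(AuthzRequest authzRequest, RedirectUriResponse redirectUriResponse, User user, JwtAuthorizationRequest jwtAuthorizationRequest) {
        IdTokenMember idTokenMember = jwtAuthorizationRequest.getIdTokenMember();
        if (idTokenMember == null) {
            return;
        }
        if (idTokenMember.getMaxAge() != null) {
            authzRequest.setMaxAge(idTokenMember.getMaxAge());
        }
        Claim acrClaim = idTokenMember.getClaim("acr");
        if (acrClaim != null && acrClaim.getClaimValue() != null) {
            authzRequest.setAcrValues(acrClaim.getClaimValue().getValueAsString());
        }
        Claim subClaim = idTokenMember.getClaim("sub");
        if (subClaim == null || subClaim.getClaimValue() == null || subClaim.getClaimValue().getValue() == null) {
            return;
        }
        String requestedSub = subClaim.getClaimValue().getValue();
        if (user != null && !user.getUserId().equalsIgnoreCase(requestedSub)) {
            throw new WebApplicationException(redirectUriResponse.createErrorBuilder(AuthorizeErrorResponseType.USER_MISMATCHED).build());
        }
    }

    /**
     * Parses a raw request object without verifying it. A five-part token is treated as a JWE and
     * decrypted with the server private key named by its {@code kid} when the key management
     * algorithm is RSA-based (no key otherwise); anything else is parsed as a plain JWT. No
     * signature verification key is supplied, so callers must not trust the returned claims.
     *
     * @param str compact JWT/JWE, may be {@code null}
     * @return the parsed token, or {@code null} when {@code str} is {@code null} or parsing fails
     *         (the failure is logged)
     */
    @Nullable
    public JsonWebResponse parseRequestToJwr(String str) {
        if (str == null) {
            return null;
        }
        String[] parts = str.split("\\.");
        try {
            if (parts.length != 5) {
                return Jwt.parseSilently(str);
            }
            JwtHeader header = new JwtHeader(parts[0]);
            PrivateKey privateKey = null;
            // fromName() may yield null for an unknown alg; the resulting NPE is caught below and logged.
            if (AlgorithmFamily.RSA.equals(KeyEncryptionAlgorithm.fromName(header.getClaimAsString("alg")).getFamily())) {
                privateKey = this.cryptoProvider.getPrivateKey(header.getKeyId());
            }
            return Jwe.parse(str, privateKey, (byte[]) null);
        } catch (Exception e) {
            this.log.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Configures the redirect URI of {@code redirectUriResponse} for a JARM response to
     * {@code client}: issuer, audience, authorization code lifetime, the client's registered
     * {@code authorization_signed_response_alg} / {@code authorization_encrypted_response_alg} /
     * {@code authorization_encrypted_response_enc}, the server signing key id, the client JWKS
     * and the client's decrypted secret (as shared secret for signing, as symmetric key for encryption).
     * <p>
     * When {@code jsonWebResponse} carries a {@code redirect_uri} claim, its URL-decoded value becomes
     * the base redirect URI, but only if it is registered for the client: the object may have been
     * parsed without verification (see {@link #parseRequestToJwr}), so an unregistered value is
     * logged and ignored. Any failure while reading the claim is logged and aborts the method.
     *
     * @param redirectUriResponse response holder whose redirect URI is configured
     * @param jsonWebResponse     parsed request object, may be {@code null}
     * @param client              client the response is issued for; must not be {@code null}
     */
    public void fillRedirectUriResponseforJARM(RedirectUriResponse redirectUriResponse, JsonWebResponse jsonWebResponse, Client client) {
        RedirectUri redirectUri = redirectUriResponse.getRedirectUri();
        if (jsonWebResponse != null) {
            try {
                String redirectUriClaim = jsonWebResponse.getClaims().getClaimAsString("redirect_uri");
                if (StringUtils.isNotBlank(redirectUriClaim)) {
                    String decodedRedirectUri = URLDecoder.decode(redirectUriClaim, StandardCharsets.UTF_8.name());
                    // Same registration check processRequestObject applies to the request object's redirect_uri.
                    if (StringUtils.isNotBlank(this.redirectionUriService.validateRedirectionUri(client, decodedRedirectUri))) {
                        redirectUri.setBaseRedirectUri(decodedRedirectUri);
                    } else {
                        this.log.error("redirect_uri claim of request object is not registered for client {}, ignoring it for JARM response.", client.getClientId());
                    }
                }
            } catch (Exception e) {
                this.log.error(e.getMessage(), e);
                return;
            }
        }

        String signedResponseAlg = client.getAttributes().getAuthorizationSignedResponseAlg();
        String encryptedResponseAlg = client.getAttributes().getAuthorizationEncryptedResponseAlg();
        String encryptedResponseEnc = client.getAttributes().getAuthorizationEncryptedResponseEnc();
        ServerCryptoProvider serverCryptoProvider = new ServerCryptoProvider(this.cryptoProvider);

        redirectUri.setIssuer(this.appConfiguration.getIssuer());
        redirectUri.setAudience(client.getClientId());
        redirectUri.setAuthorizationCodeLifetime(this.appConfiguration.getAuthorizationCodeLifetime());
        redirectUri.setSignatureAlgorithm(SignatureAlgorithm.fromString(signedResponseAlg));
        redirectUri.setKeyEncryptionAlgorithm(KeyEncryptionAlgorithm.fromName(encryptedResponseAlg));
        redirectUri.setBlockEncryptionAlgorithm(BlockEncryptionAlgorithm.fromName(encryptedResponseEnc));
        redirectUri.setCryptoProvider(this.cryptoProvider);

        boolean encryptedResponse = encryptedResponseAlg != null && encryptedResponseEnc != null;
        if (!encryptedResponse) {
            // Signed-only JARM: RS256 unless the client registered a signing algorithm.
            SignatureAlgorithm signatureAlgorithm = signedResponseAlg != null
                    ? SignatureAlgorithm.fromString(signedResponseAlg)
                    : SignatureAlgorithm.RS256;
            String keyId = serverCryptoProvider.getKeyId(this.webKeysConfiguration, Algorithm.fromString(signatureAlgorithm.getName()), Use.SIGNATURE);
            redirectUri.setJsonWebKeys(CommonUtils.getJwks(client));
            redirectUri.setSharedSecret(this.clientService.decryptSecret(client.getClientSecret()));
            redirectUri.setKeyId(keyId);
            return;
        }

        // Encrypted JARM: an optionally signed JWT is nested inside the JWE.
        if (signedResponseAlg != null) {
            String nestedKeyId = serverCryptoProvider.getKeyId(this.webKeysConfiguration, Algorithm.fromString(SignatureAlgorithm.fromString(signedResponseAlg).getName()), Use.SIGNATURE);
            redirectUri.setNestedJsonWebKeys(CommonUtils.getJwks(client));
            redirectUri.setNestedSharedSecret(this.clientService.decryptSecret(client.getClientSecret()));
            redirectUri.setNestedKeyId(nestedKeyId);
        }
        JSONObject jwks = CommonUtils.getJwks(client);
        String encryptionKeyId = null;
        if (jwks != null) {
            // Encryption key comes from the client's JWKS, not the server's.
            encryptionKeyId = serverCryptoProvider.getKeyId(JSONWebKeySet.fromJSONObject(jwks), Algorithm.fromString(encryptedResponseAlg), Use.ENCRYPTION);
        }
        redirectUri.setSharedSymmetricKey(this.clientService.decryptSecret(client.getClientSecret()).getBytes(StandardCharsets.UTF_8));
        redirectUri.setJsonWebKeys(jwks);
        redirectUri.setKeyId(encryptionKeyId);
    }

    /**
     * Ensures the request carries acceptable {@code acr_values}. Without any, the client's default
     * ACR values are used. Otherwise the lowest requested level (see {@link #getCurrentMinAcrLevel})
     * must reach the client's {@code minimumAcrLevel}; if it does not, the ACR is auto-resolved from
     * the client's {@code minimumAcrPriorityList} (or the global mapping when that list is empty)
     * provided {@code minimumAcrLevelAutoresolve} is enabled, else the request is rejected.
     *
     * @param authzRequest request whose {@code acr_values} may be replaced
     * @throws WebApplicationException {@code invalid_request} when the requested level is below the
     *         client's minimum and cannot (or must not) be auto-resolved
     */
    public void setAcrsIfNeeded(AuthzRequest authzRequest) {
        Client client = authzRequest.getClient();
        if (StringUtils.isBlank(authzRequest.getAcrValues())) {
            if (!ArrayUtils.isEmpty(client.getDefaultAcrValues())) {
                authzRequest.setAcrValues(io.jans.as.model.util.StringUtils.implode(client.getDefaultAcrValues(), " "));
            }
            return;
        }
        int currentMinAcrLevel = getCurrentMinAcrLevel(authzRequest);
        int clientMinAcrLevel = client.getAttributes().getMinimumAcrLevel().intValue();
        if (currentMinAcrLevel >= clientMinAcrLevel) {
            return;
        }
        if (BooleanUtils.isNotTrue(client.getAttributes().getMinimumAcrLevelAutoresolve())) {
            this.log.error("Current acr level is less then minimum required. currentMinAcrLevel: {}, clientMinAcrLevel: {}", Integer.valueOf(currentMinAcrLevel), Integer.valueOf(clientMinAcrLevel));
            throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST)
                    .entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, authzRequest.getState(), "Current acr level is less then minimum required by client"))
                    .build());
        }
        Map<String, Integer> acrToLevelMap = getAcrToLevelMap();
        if (client.getAttributes().getMinimumAcrPriorityList().isEmpty()) {
            // NOTE(review): this takes the first mapping entry whose level exceeds the *current* level
            // (not the client's minimum), and the map's iteration order is unspecified - confirm intended.
            for (Map.Entry<String, Integer> entry : acrToLevelMap.entrySet()) {
                if (currentMinAcrLevel < entry.getValue().intValue()) {
                    authzRequest.setAcrValues(entry.getKey());
                    return;
                }
            }
        }
        // NOTE(review): compares against the current level rather than the client's minimum - confirm intended.
        for (String acr : client.getAttributes().getMinimumAcrPriorityList()) {
            Integer level = acrToLevelMap.get(acr);
            if (level != null && level.intValue() >= currentMinAcrLevel) {
                authzRequest.setAcrValues(acr);
                return;
            }
        }
        this.log.error("Current acr level is less then minimum required by client. currentMinAcrLevel: {}, clientAttributes: {}", Integer.valueOf(currentMinAcrLevel), client.getAttributes());
        throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST)
                .entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, authzRequest.getState(), "Current acr level is less then minimum required by client:" + client.getClientId()))
                .build());
    }

    /**
     * Returns the lowest level among the requested {@code acr_values} that are known to the
     * acr-to-level mapping.
     *
     * @param authzRequest request whose {@code acr_values} are inspected
     * @return the minimum known level, or {@code -1} when no acr_values are given or none is mapped
     */
    public int getCurrentMinAcrLevel(AuthzRequest authzRequest) {
        if (StringUtils.isBlank(authzRequest.getAcrValues())) {
            return -1;
        }
        Map<String, Integer> acrToLevelMap = getAcrToLevelMap();
        Integer minLevel = null;
        for (String acr : authzRequest.getAcrValuesList()) {
            Integer level = acrToLevelMap.get(acr);
            if (level != null && (minLevel == null || level.intValue() < minLevel.intValue())) {
                minLevel = level;
            }
        }
        return minLevel != null ? minLevel.intValue() : -1;
    }

    /**
     * Builds the {@link RedirectUriResponse} for the request from its redirect URI, response types,
     * response mode, state and HTTP request, marks it FAPI-compatible per configuration and stores
     * it on the request.
     *
     * @param authzRequest request that receives the response holder
     */
    public void createRedirectUriResponse(AuthzRequest authzRequest) {
        RedirectUri redirectUri = new RedirectUri(authzRequest.getRedirectUri(), authzRequest.getResponseTypeList(), authzRequest.getResponseModeEnum());
        RedirectUriResponse redirectUriResponse = new RedirectUriResponse(redirectUri, authzRequest.getState(), authzRequest.getHttpRequest(), this.errorResponseFactory);
        redirectUriResponse.setFapiCompatible(this.appConfiguration.isFapi());
        authzRequest.setRedirectUriResponse(redirectUriResponse);
    }

    /**
     * Creates the {@code USER_AUTHORIZATION} audit log entry (caller IP, client id, scope) and
     * stores it on the request.
     *
     * @param authzRequest request that receives the audit log entry
     */
    public void createOauth2AuditLog(AuthzRequest authzRequest) {
        OAuth2AuditLog auditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(authzRequest.getHttpRequest()), Action.USER_AUTHORIZATION);
        auditLog.setClientId(authzRequest.getClientId());
        auditLog.setScope(authzRequest.getScope());
        authzRequest.setAuditLog(auditLog);
    }
}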
