package io.jans.as.server.model.token;

import com.google.common.collect.Lists;
import io.jans.as.common.claims.Audience;
import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.model.session.SessionId;
import io.jans.as.common.service.AttributeService;
import io.jans.as.model.authorize.CodeVerifier;
import io.jans.as.model.common.ScopeType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.exception.InvalidClaimException;
import io.jans.as.model.jwt.JwtClaims;
import io.jans.as.model.jwt.JwtSubClaimObject;
import io.jans.as.model.token.JsonWebResponse;
import io.jans.as.persistence.model.Scope;
import io.jans.as.server.model.authorize.Claim;
import io.jans.as.server.model.authorize.JwtAuthorizationRequest;
import io.jans.as.server.model.common.AbstractToken;
import io.jans.as.server.model.common.AccessToken;
import io.jans.as.server.model.common.AuthorizationCode;
import io.jans.as.server.model.common.CIBAGrant;
import io.jans.as.server.model.common.ExecutionContext;
import io.jans.as.server.model.common.IAuthorizationGrant;
import io.jans.as.server.model.common.RefreshToken;
import io.jans.as.server.model.common.UnmodifiableAuthorizationGrant;
import io.jans.as.server.service.ScopeService;
import io.jans.as.server.service.SessionIdService;
import io.jans.as.server.service.date.DateFormatterService;
import io.jans.as.server.service.external.ExternalAuthenticationService;
import io.jans.as.server.service.external.ExternalDynamicScopeService;
import io.jans.as.server.service.external.ExternalUpdateTokenService;
import io.jans.as.server.service.external.context.DynamicScopeExternalContext;
import io.jans.as.server.service.external.context.ExternalUpdateTokenContext;
import io.jans.as.server.service.stat.StatService;
import io.jans.as.server.token.ws.rs.TokenExchangeService;
import io.jans.model.GluuAttribute;
import io.jans.model.custom.script.conf.CustomScriptConfiguration;
import io.jans.model.custom.script.type.auth.PersonAuthenticationType;
import jakarta.ejb.Stateless;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import org.apache.commons.lang.StringUtils;
import org.apache.logging.log4j.util.Strings;
import org.json.JSONObject;
import org.slf4j.Logger;

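/* loaded from: input_file:io/jans/as/server/model/token/IdTokenFactory.class */
/**
 * Builds and encodes OpenID Connect id_tokens ({@link JsonWebResponse}).
 *
 * <p>{@link #createJwr} is the only entry point. The private helpers populate, in a fixed order,
 * the issuer/audience/time claims, the session and device-secret binding claims, acr/amr, nonce,
 * auth_time, the {@code c_hash}/{@code at_hash}/{@code s_hash} bindings, the scope- and
 * request-derived user claims, and the CIBA-specific claims, before handing the response to
 * {@link JwrService} for signing/encryption.
 *
 * <p>All collaborators are CDI-injected; the class holds no other state.
 */
@ApplicationScoped
@Named
@Stateless
public class IdTokenFactory {

    @Inject
    private Logger log;

    @Inject
    private ExternalDynamicScopeService externalDynamicScopeService;

    @Inject
    private ExternalAuthenticationService externalAuthenticationService;

    @Inject
    private ExternalUpdateTokenService externalUpdateTokenService;

    @Inject
    private ScopeService scopeService;

    @Inject
    private AttributeService attributeService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private JwrService jwrService;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private DateFormatterService dateFormatterService;

    /**
     * Creates, populates and encodes the id_token for the given grant.
     *
     * @param iAuthorizationGrant grant the token is issued for (supplies client, user, session DN, acr)
     * @param authorizationCode   code to bind via {@code c_hash}, or {@code null}
     * @param accessToken         token to bind via {@code at_hash}, or {@code null}
     * @param refreshToken        refresh token hashed into the CIBA {@code rt_hash} claim; only
     *                            consulted for {@link CIBAGrant}s
     * @param executionContext    request-scoped inputs (nonce, state, scopes, requested claims,
     *                            device secret, pre/post-processing hooks)
     * @return the encoded (signed and/or encrypted) id_token
     * @throws Exception propagated from claim population or from {@link JwrService#encode}
     */
    public JsonWebResponse createJwr(IAuthorizationGrant iAuthorizationGrant, AuthorizationCode authorizationCode, AccessToken accessToken, RefreshToken refreshToken, ExecutionContext executionContext) throws Exception {
        Client client = iAuthorizationGrant.getClient();
        JsonWebResponse jwr = this.jwrService.createJwr(client);
        fillClaims(jwr, iAuthorizationGrant, authorizationCode, accessToken, refreshToken, executionContext);
        if (this.log.isTraceEnabled()) {
            // The claim set contains user attributes released by scopes; it is only emitted at TRACE.
            this.log.trace("Created claims for id_token, claims: {}", jwr.getClaims().toJsonString());
        }
        return this.jwrService.encode(jwr, client);
    }

    /**
     * Populates every claim of the id_token. The order of the steps is significant: the
     * pre-processing hook runs before session/acr/hash claims, claim filtering runs after all
     * user claims are present, and the post-processing hook runs last.
     *
     * @throws Exception propagated from the hooks, the requested-claims JSON parsing or the
     *                   external scripts
     */
    private void fillClaims(JsonWebResponse jwr, IAuthorizationGrant grant, AuthorizationCode authorizationCode, AccessToken accessToken, RefreshToken refreshToken, ExecutionContext executionContext) throws Exception {
        Client client = grant.getClient();

        jwr.getClaims().setIssuer(this.appConfiguration.getIssuer());
        Audience.setAudience(jwr.getClaims(), client);
        setTimestampClaims(jwr, resolveIdTokenLifetime(client, executionContext));
        // Per-token entropy; UUID.randomUUID() is backed by a cryptographically strong RNG.
        jwr.setClaim("random", UUID.randomUUID().toString());

        if (executionContext.getPreProcessing() != null) {
            executionContext.getPreProcessing().apply(jwr);
        }

        SessionId session = this.sessionIdService.getSessionByDn(grant.getSessionDn());
        if (session != null) {
            jwr.setClaim("sid", session.getOutsideSid());
        }
        addTokenExchangeClaims(jwr, executionContext, session);

        String acrValues = grant.getAcrValues();
        if (acrValues != null) {
            jwr.setClaim("acr", acrValues);
            setAmrClaim(jwr, acrValues);
        }

        String nonce = executionContext.getNonce();
        if (StringUtils.isNotBlank(nonce)) {
            jwr.setClaim("nonce", nonce);
        }
        if (grant.getAuthenticationTime() != null) {
            jwr.getClaims().setClaim("auth_time", grant.getAuthenticationTime());
        }
        setHashClaims(jwr, authorizationCode, accessToken, executionContext.getState());

        if (grant.getGrantType() != null) {
            jwr.setClaim("grant", grant.getGrantType().getValue());
        }
        jwr.setClaim("jansOpenIDConnectVersion", this.appConfiguration.getJansOpenIdConnectVersion());

        User user = grant.getUser();
        List<Scope> dynamicScopes = new ArrayList<>();
        // User claims are only embedded when both the request and the client registration ask for it.
        if (executionContext.isIncludeIdTokenClaims() && client.isIncludeClaimsInIdToken()) {
            dynamicScopes = addScopeClaims(jwr, user, executionContext.getScopes());
        }
        setClaimsFromJwtAuthorizationRequest(jwr, grant, executionContext.getScopes());
        setClaimsFromRequestedClaims(executionContext.getClaimsAsString(), jwr, user);
        filterClaimsBasedOnAccessToken(jwr, accessToken, authorizationCode);
        this.jwrService.setSubjectIdentifier(jwr, grant);

        if (!dynamicScopes.isEmpty() && this.externalDynamicScopeService.isEnabled()) {
            // The script only sees an unmodifiable view of the grant.
            this.externalDynamicScopeService.executeExternalUpdateMethods(new DynamicScopeExternalContext(dynamicScopes, jwr, new UnmodifiableAuthorizationGrant(grant)));
        }
        processCiba(jwr, grant, refreshToken);

        if (executionContext.getPostProcessor() != null) {
            executionContext.getPostProcessor().apply(jwr);
        }
    }

    /**
     * Resolves the id_token lifetime in seconds: the server default, overridden by a positive
     * client-level value, overridden in turn by a positive value from the update-token script.
     */
    private int resolveIdTokenLifetime(Client client, ExecutionContext executionContext) {
        int lifetime = this.appConfiguration.getIdTokenLifetime();

        Integer clientLifetime = client.getAttributes().getIdTokenLifetime();
        if (clientLifetime != null && clientLifetime > 0) {
            lifetime = clientLifetime;
            this.log.trace("Override id token lifetime with value from client: {}", client.getClientId());
        }

        int scriptLifetime = this.externalUpdateTokenService.getIdTokenLifetimeInSeconds(ExternalUpdateTokenContext.of(executionContext));
        if (scriptLifetime > 0) {
            lifetime = scriptLifetime;
            this.log.trace("Override id token lifetime with value from script: {}", scriptLifetime);
        }
        return lifetime;
    }

    /**
     * Sets {@code exp} and {@code iat} from a single "now" reading so the two are consistent.
     * A non-positive lifetime is not rejected here; it simply yields an already-expired token.
     */
    private static void setTimestampClaims(JsonWebResponse jwr, int lifetimeSeconds) {
        long nowMillis = System.currentTimeMillis();
        // 1000L keeps the multiplication in long arithmetic.
        jwr.getClaims().setExpirationTime(new Date(nowMillis + lifetimeSeconds * 1000L));
        jwr.getClaims().setIssuedAt(new Date(nowMillis));
    }

    /**
     * Binds the id_token to the artifacts issued alongside it: {@code c_hash} for the
     * authorization code, {@code at_hash} for the access token and {@code s_hash} for the
     * request state. Each hash uses the id_token's own signature algorithm, as required for
     * the left-most-half hash construction.
     */
    private static void setHashClaims(JsonWebResponse jwr, AuthorizationCode authorizationCode, AccessToken accessToken, String state) {
        if (authorizationCode != null) {
            jwr.setClaim("c_hash", AbstractToken.getHash(authorizationCode.getCode(), jwr.getHeader().getSignatureAlgorithm()));
        }
        if (accessToken != null) {
            jwr.setClaim("at_hash", AbstractToken.getHash(accessToken.getCode(), jwr.getHeader().getSignatureAlgorithm()));
        }
        if (StringUtils.isNotBlank(state)) {
            jwr.setClaim("s_hash", AbstractToken.getHash(state, jwr.getHeader().getSignatureAlgorithm()));
        }
    }

    /**
     * Adds the user claims released by the granted scopes and returns the dynamic scopes,
     * which are left for the external dynamic-scope script to resolve.
     *
     * @param scopeIds granted scope ids; {@code null} is treated as empty
     */
    private List<Scope> addScopeClaims(JsonWebResponse jwr, User user, Set<String> scopeIds) {
        List<Scope> dynamicScopes = new ArrayList<>();
        if (scopeIds == null) {
            return dynamicScopes;
        }
        for (String scopeId : scopeIds) {
            Scope scope = this.scopeService.getScopeById(scopeId);
            if (scope == null) {
                continue; // unknown scope ids are ignored
            }
            if (ScopeType.DYNAMIC == scope.getScopeType()) {
                dynamicScopes.add(scope);
                continue;
            }
            Map<String, Object> claims = this.scopeService.getClaims(user, scope);
            if (Boolean.TRUE.equals(scope.isGroupClaims())) {
                setGroupedScopeClaims(jwr, scope, claims);
            } else {
                setFlatScopeClaims(jwr, claims);
            }
            jwr.getClaims().setSubjectIdentifier(user.getAttribute("inum"));
        }
        return dynamicScopes;
    }

    /**
     * Nests all claims of a "group claims" scope under a single sub-object named after the scope.
     * Values are expected to be a {@link List} or a {@link String}; any other type fails the cast,
     * as in the original implementation.
     */
    private static void setGroupedScopeClaims(JsonWebResponse jwr, Scope scope, Map<String, Object> claims) {
        JwtSubClaimObject group = new JwtSubClaimObject();
        group.setName(scope.getId());
        for (Map.Entry<String, Object> entry : claims.entrySet()) {
            Object value = entry.getValue();
            if (value instanceof List) {
                group.setClaim(entry.getKey(), (List) value); // raw cast: element type is not known here
            } else {
                group.setClaim(entry.getKey(), (String) value);
            }
        }
        jwr.getClaims().setClaim(scope.getId(), group);
    }

    /**
     * Adds scope claims at the top level of the token. Dates go through
     * {@link DateFormatterService} as pre-formatted objects; lists and booleans keep their type;
     * everything else is cast to {@link String} (a non-string value fails the cast, as before).
     */
    private void setFlatScopeClaims(JsonWebResponse jwr, Map<String, Object> claims) {
        for (Map.Entry<String, Object> entry : claims.entrySet()) {
            String key = entry.getKey();
            Object value = entry.getValue();
            if (value instanceof List) {
                jwr.getClaims().setClaim(key, (List) value); // raw cast: element type is not known here
            } else if (value instanceof Boolean) {
                jwr.getClaims().setClaim(key, (Boolean) value);
            } else if (value instanceof Date) {
                jwr.getClaims().setClaimObject(key, this.dateFormatterService.formatClaim((Date) value, key), true);
            } else {
                jwr.setClaim(key, (String) value);
            }
        }
    }

    /**
     * Sets the {@code amr} claim from the authentication script selected by the acr value:
     * the script's level, followed by {@code key:value} pairs the script reports (API version
     * 4 and above only). An unknown script yields an empty list.
     */
    private void setAmrClaim(JsonWebResponse jwr, String acrValues) {
        List<String> amr = new ArrayList<>();
        CustomScriptConfiguration script = this.externalAuthenticationService.getCustomScriptConfigurationByName(acrValues);
        if (script != null) {
            amr.add(Integer.toString(script.getLevel()));
            PersonAuthenticationType scriptType = script.getExternalType();
            // NOTE(review): getExternalType() is assumed non-null for a registered script; guarded anyway.
            if (scriptType != null && scriptType.getApiVersion() > 3) {
                Map<?, ?> methodClaims = scriptType.getAuthenticationMethodClaims(script.getConfigurationAttributes());
                if (methodClaims != null) {
                    for (Map.Entry<?, ?> entry : methodClaims.entrySet()) {
                        amr.add((String) entry.getKey() + ":" + (String) entry.getValue());
                    }
                }
            }
        }
        jwr.getClaims().setClaim("amr", amr);
    }

    /**
     * Adds the token-exchange {@code ds_hash} claim. The device secret is taken from the
     * execution context, falling back to the request parameter, and is only hashed into the
     * token when it is one of the secrets already registered on the session — a secret that
     * is merely presented by the caller is never echoed back.
     *
     * @param sessionId the grant's session, or {@code null} (then nothing is added)
     */
    private void addTokenExchangeClaims(JsonWebResponse jwr, ExecutionContext executionContext, SessionId sessionId) {
        if (sessionId == null) {
            return;
        }
        String deviceSecret = executionContext.getDeviceSecret();
        if (StringUtils.isBlank(deviceSecret) && executionContext.getHttpRequest() != null) {
            deviceSecret = executionContext.getHttpRequest().getParameter(TokenExchangeService.DEVICE_SECRET);
        }
        if (StringUtils.isBlank(deviceSecret)) {
            return;
        }
        // NOTE(review): getDeviceSecrets() may be null on a session without registered secrets — guarded.
        if (sessionId.getDeviceSecrets() != null && sessionId.getDeviceSecrets().contains(deviceSecret)) {
            jwr.setClaim("ds_hash", CodeVerifier.s256(deviceSecret));
        }
    }

    /**
     * Strips the profile/email/address/phone_number claims when an access token or code is
     * issued alongside the id_token and {@code idTokenFilterClaimsBasedOnAccessToken} is enabled,
     * so that those claims are obtained from the userinfo endpoint instead. An unset
     * configuration flag is treated as disabled.
     */
    private void filterClaimsBasedOnAccessToken(JsonWebResponse jwr, AccessToken accessToken, AuthorizationCode authorizationCode) {
        boolean hasSiblingToken = accessToken != null || authorizationCode != null;
        if (!hasSiblingToken || !Boolean.TRUE.equals(this.appConfiguration.getIdTokenFilterClaimsBasedOnAccessToken())) {
            return;
        }
        JwtClaims claims = jwr.getClaims();
        claims.removeClaim("profile");
        claims.removeClaim("email");
        claims.removeClaim("address");
        claims.removeClaim("phone_number");
    }

    /**
     * Adds the claims explicitly requested through the {@code claims} request parameter
     * (the {@code id_token} member). Only claim names known to {@link AttributeService} are
     * honoured; the value is read from the user entry. Dates are emitted as epoch seconds.
     *
     * @param requestedClaimsJson the raw {@code claims} parameter, or {@code null}
     * @throws InvalidClaimException propagated from claim setters
     */
    private void setClaimsFromRequestedClaims(String requestedClaimsJson, JsonWebResponse jwr, User user) throws InvalidClaimException {
        if (requestedClaimsJson == null) {
            return;
        }
        // Malformed JSON raises the parser's runtime exception, as before.
        JSONObject requested = new JSONObject(requestedClaimsJson);
        if (!requested.has(StatService.ID_TOKEN_KEY)) {
            return;
        }
        Iterator<String> claimNames = requested.getJSONObject(StatService.ID_TOKEN_KEY).keys();
        while (claimNames.hasNext()) {
            String claimName = claimNames.next();
            GluuAttribute attribute = this.attributeService.getByClaimName(claimName);
            if (attribute == null) {
                continue; // unknown claim names are ignored rather than echoed back
            }
            Object value = user.getAttribute(attribute.getName(), false, isMultiValued(attribute));
            if (value instanceof List) {
                jwr.getClaims().setClaim(claimName, (List) value); // raw cast: element type is not known here
            } else if (value instanceof Boolean) {
                jwr.getClaims().setClaim(claimName, (Boolean) value);
            } else if (value instanceof Date) {
                jwr.getClaims().setClaim(claimName, Long.valueOf(((Date) value).getTime() / 1000));
            } else {
                jwr.setClaim(claimName, (String) value);
            }
        }
    }

    /**
     * Adds the CIBA-specific claims for {@link CIBAGrant}s: the refresh-token hash and the
     * {@code auth_req_id}. A missing refresh token is logged and skipped instead of failing
     * token issuance.
     */
    private void processCiba(JsonWebResponse jwr, IAuthorizationGrant grant, RefreshToken refreshToken) {
        if (!(grant instanceof CIBAGrant)) {
            return;
        }
        if (refreshToken != null) {
            jwr.setClaim("urn:openid:params:jwt:claim:rt_hash", AbstractToken.getHash(refreshToken.getCode(), null));
        } else {
            this.log.debug("No refresh token for CIBA grant, skipping rt_hash claim");
        }
        jwr.setClaim("urn:openid:params:jwt:claim:auth_req_id", ((CIBAGrant) grant).getAuthReqId());
    }

    /**
     * Adds the claims requested in the {@code id_token} member of a JWT-secured authorization
     * request (request object). An attribute is released only if
     * {@link #validateRequesteClaim} confirms the client or a granted scope is entitled to it.
     *
     * @param scopeIds granted scope ids used for the entitlement check
     * @throws InvalidClaimException propagated from {@link JwtClaims#setClaimFromJsonObject}
     */
    private void setClaimsFromJwtAuthorizationRequest(JsonWebResponse jwr, IAuthorizationGrant grant, Set<String> scopeIds) throws InvalidClaimException {
        JwtAuthorizationRequest request = grant.getJwtAuthorizationRequest();
        if (request == null || request.getIdTokenMember() == null) {
            return;
        }
        String[] clientClaimDns = grant.getClient().getClaims();
        User user = grant.getUser();
        for (Claim claim : request.getIdTokenMember().getClaims()) {
            GluuAttribute attribute = this.attributeService.getByClaimName(claim.getName());
            if (attribute != null && validateRequesteClaim(attribute, clientClaimDns, scopeIds)) {
                jwr.getClaims().setClaimFromJsonObject(claim.getName(), user.getAttribute(attribute.getName(), true, isMultiValued(attribute)));
            }
        }
    }

    /**
     * Decides whether an attribute may be released to the client: either its DN is listed in
     * the client's registered claims, or one of the granted scopes releases an attribute with
     * the same display name.
     *
     * <p>NOTE(review): the scope branch matches on display name rather than DN, so two
     * attributes sharing a display name are indistinguishable here; kept as in the original.
     *
     * @param gluuAttribute   attribute to check; {@code null} is never valid
     * @param clientClaimDns  claim DNs registered on the client, may be {@code null}
     * @param scopeIds        granted scope ids, may be {@code null}
     * @return {@code true} if the attribute may be released
     */
    private boolean validateRequesteClaim(GluuAttribute gluuAttribute, String[] clientClaimDns, Collection<String> scopeIds) {
        if (gluuAttribute == null) {
            return false;
        }
        if (clientClaimDns != null) {
            String attributeDn = gluuAttribute.getDn();
            for (String dn : clientClaimDns) {
                if (attributeDn.equals(dn)) {
                    return true;
                }
            }
        }
        if (scopeIds == null) {
            return false;
        }
        for (String scopeId : scopeIds) {
            Scope scope = this.scopeService.getScopeById(scopeId);
            if (scope == null || scope.getClaims() == null) {
                continue;
            }
            for (Object claimDn : scope.getClaims()) {
                GluuAttribute scopeAttribute = this.attributeService.getAttributeByDn((String) claimDn);
                // A dangling claim DN on a scope is skipped instead of failing the whole check.
                if (scopeAttribute != null && gluuAttribute.getDisplayName().equals(scopeAttribute.getDisplayName())) {
                    return true;
                }
            }
        }
        return false;
    }

    /** True only when the attribute is flagged multi-valued; an unset flag counts as single-valued. */
    private static boolean isMultiValued(GluuAttribute attribute) {
        return Boolean.TRUE.equals(attribute.getOxMultiValuedAttribute());
    }
}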
