package io.jans.as.server.service;

import io.jans.as.common.model.registration.Client;
import io.jans.as.common.model.session.SessionId;
import io.jans.as.common.model.session.SessionIdState;
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.common.Prompt;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.util.Util;
import io.jans.as.server.authorize.ws.rs.AuthzRequest;
import io.jans.as.server.model.exception.AcrChangedException;
import io.jans.as.server.security.Identity;
import io.jans.as.server.service.external.ExternalAuthenticationService;
import io.jans.as.server.service.external.session.SessionEvent;
import io.jans.as.server.service.external.session.SessionEventType;
import io.jans.model.AuthenticationScriptUsageType;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.python.google.common.collect.Lists;
import org.slf4j.Logger;

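/**
 * Normalizes and validates the {@code acr_values} carried by an authorization request.
 *
 * <p>The entry point is {@link #validateAcrs(AuthzRequest, Client)}, which applies the configured
 * acr mappings, enforces the client's authorized acr list, checks that an interactive
 * authentication script can be resolved, and finally compares the requested acr with the one
 * recorded on the current session.
 */
@Named
public class AcrService {

    @Inject
    private Logger log;

    @Inject
    private Identity identity;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private ExternalAuthenticationService externalAuthenticationService;

    @Inject
    private AppConfiguration appConfiguration;

    /**
     * Tells whether an acr value refers to an Agama flow.
     *
     * @param str acr value, may be {@code null}
     * @return {@code true} when the value is non-blank and starts with {@code agama_}
     */
    public static boolean isAgama(String str) {
        return StringUtils.isNotBlank(str) && str.startsWith("agama_");
    }

    /**
     * Runs every acr check for an authorization request, in a fixed order.
     *
     * <p>Mappings are applied first, so the client restriction, the script lookup and the session
     * comparison all see the mapped acr values rather than the aliases sent by the caller.
     *
     * @param authzRequest authorization request being processed; its acr values may be rewritten
     * @param client client the request was issued for
     * @throws AcrChangedException when the session acr differs from the requested one and
     *     re-authentication is not forced (see {@link #checkAcrChanged})
     */
    public void validateAcrs(AuthzRequest authzRequest, Client client) throws AcrChangedException {
        applyAcrMappings(authzRequest);
        checkClientAuthorizedAcrs(authzRequest, client);
        checkAcrScriptIsAvailable(authzRequest);
        checkAcrChanged(authzRequest, this.identity.getSessionId());
    }

    /**
     * Strips the parameter suffix from every Agama acr value of the request.
     *
     * <p>The list returned by {@code getAcrValuesList()} is edited in place and the request's
     * acr values string is then rebuilt from it.
     *
     * @param authzRequest authorization request whose acr values are rewritten
     */
    public static void removeParametersForAgamaAcr(AuthzRequest authzRequest) {
        List<String> acrValues = authzRequest.getAcrValuesList();
        for (int index = 0; index < acrValues.size(); index++) {
            acrValues.set(index, removeParametersFromAgamaAcr(acrValues.get(index)));
        }
        authzRequest.setAcrValues(io.jans.as.model.util.StringUtils.implode(acrValues, " "));
    }

    /**
     * Returns an Agama acr value without its parameters.
     *
     * @param str acr value
     * @return for an Agama acr, the part before the first {@code -}; any other value unchanged
     */
    public static String removeParametersFromAgamaAcr(String str) {
        if (!isAgama(str)) {
            return str;
        }
        return StringUtils.substringBefore(str, "-");
    }

    /**
     * Rejects the request when it asks for an acr the client is not authorized to use.
     *
     * <p>A client with an empty authorized list is unrestricted. Otherwise every requested acr
     * must equal one of the authorized values, either as configured or after acr mappings have
     * been applied to them.
     *
     * <p>The comparison is an exact match on whole acr values. The mapped values are kept as a
     * list rather than as the space-joined string, because {@code String.contains} is a
     * substring test and would accept a requested value that is only a fragment of an
     * authorized acr. The mapping is applied to a copy so that the client's own authorized
     * list is not rewritten as a side effect of validating a request.
     *
     * @param authzRequest authorization request carrying the requested acr values
     * @param client client whose authorized acr values restrict the request
     */
    public void checkClientAuthorizedAcrs(AuthzRequest authzRequest, Client client) {
        List<String> authorizedAcrValues = client.getAttributes().getAuthorizedAcrValues();
        if (authorizedAcrValues.isEmpty()) {
            return;
        }

        // applyAcrMappings(List) rewrites the list it is given, so hand it a private copy.
        List<String> mappedAuthorizedAcrValues = Lists.newArrayList(authorizedAcrValues);
        applyAcrMappings(mappedAuthorizedAcrValues);

        for (String requestedAcr : authzRequest.getAcrValuesList()) {
            boolean authorized = authorizedAcrValues.contains(requestedAcr)
                    || mappedAuthorizedAcrValues.contains(requestedAcr);
            if (!authorized) {
                throw authzRequest.getRedirectUriResponse().createWebException(AuthorizeErrorResponseType.INVALID_REQUEST, "Restricted acr value request, please review the list of authorized acr values for this client");
            }
        }
    }

    /**
     * Replaces the request's acr values with their mapped equivalents.
     *
     * @param authzRequest authorization request to rewrite
     */
    public void applyAcrMappings(AuthzRequest authzRequest) {
        authzRequest.setAcrValues(applyAcrMappings(authzRequest.getAcrValuesList()));
    }

    /**
     * Applies the configured acr mappings to a list of acr values.
     *
     * <p>Every element that has a non-blank mapping is replaced <em>in the given list</em>;
     * callers that must keep the original values need to pass a copy.
     *
     * @param list acr values; modified in place when a mapping applies; may be {@code null}
     * @return the resulting values joined with single spaces, or an empty string when
     *     {@code list} is {@code null} or empty
     */
    public String applyAcrMappings(List<String> list) {
        Map<?, ?> acrMappings = this.appConfiguration.getAcrMappings();
        if (list == null || list.isEmpty()) {
            return "";
        }
        if (acrMappings == null || acrMappings.isEmpty()) {
            return io.jans.as.model.util.StringUtils.implode(list, " ");
        }

        boolean anyReplaced = false;
        for (int index = 0; index < list.size(); index++) {
            String acr = list.get(index);
            String mappedAcr = (String) acrMappings.get(acr);
            if (StringUtils.isNotBlank(mappedAcr)) {
                this.log.debug("Replaced acr {} with {}, defined from acrMapping.", acr, mappedAcr);
                list.set(index, mappedAcr);
                anyReplaced = true;
            }
        }

        String joined = io.jans.as.model.util.StringUtils.implode(list, " ");
        if (anyReplaced) {
            this.log.debug("Mapped result: {}", joined);
        }
        return joined;
    }

    /**
     * Fails the request when no interactive authentication script matches the requested acr.
     *
     * <p>Nothing is checked when the request has no acr values or asks for the built-in
     * password authentication.
     *
     * @param authzRequest authorization request carrying the requested acr values
     */
    public void checkAcrScriptIsAvailable(AuthzRequest authzRequest) {
        String acrValues = authzRequest.getAcrValues();
        if (StringUtils.isBlank(acrValues) || Util.isBuiltInPasswordAuthn(acrValues)) {
            return;
        }

        List<String> scriptAcrs = getAcrsToDetermineScript(authzRequest.getAcrValuesList());
        Object scriptConfiguration = this.externalAuthenticationService.determineCustomScriptConfiguration(AuthenticationScriptUsageType.INTERACTIVE, scriptAcrs);
        if (scriptConfiguration != null) {
            return;
        }

        // NOTE(review): this message embeds the requested acr values and is both written to the
        // debug log and passed as the description of the error response; confirm that the
        // response builder and the log appender encode request-supplied text.
        String message = String.format("Unable to find script for acr: %s. Send error: %s", scriptAcrs, AuthorizeErrorResponseType.UNMET_AUTHENTICATION_REQUIREMENTS.getParameter());
        this.log.debug(message);
        throw authzRequest.getRedirectUriResponse().createWebException(AuthorizeErrorResponseType.UNMET_AUTHENTICATION_REQUIREMENTS, message);
    }

    /**
     * Chooses the acr names used to look up the authentication script.
     *
     * @param list requested acr values, may be {@code null}
     * @return a new empty list for {@code null} or empty input; a new list holding only
     *     {@code agama} when the first value is an Agama acr; otherwise {@code list} itself
     */
    public static List<String> getAcrsToDetermineScript(List<String> list) {
        if (list == null || list.isEmpty()) {
            return Lists.newArrayList();
        }
        if (isAgama(list.get(0))) {
            // Only the first requested value decides whether the Agama script is used.
            return Lists.newArrayList(new String[]{"agama"});
        }
        return list;
    }

    /**
     * Compares the requested acr with the authenticated session and forces a new login when
     * the session service asks for it.
     *
     * <p>When the acr change demands re-authentication and the request does not already carry
     * {@code prompt=login}, the prompt is added, the session is marked unauthenticated and
     * stored, and an {@code UNAUTHENTICATED} session event is raised.
     *
     * @param authzRequest authorization request carrying the requested acr values
     * @param sessionId current session as returned by {@code identity.getSessionId()}
     * @throws AcrChangedException when the acr changed and re-authentication is not forced
     */
    private void checkAcrChanged(AuthzRequest authzRequest, SessionId sessionId) throws AcrChangedException {
        try {
            this.sessionIdService.assertAuthenticatedSessionCorrespondsToNewRequest(sessionId, authzRequest.getAcrValues());
        } catch (AcrChangedException e) {
            if (!e.isForceReAuthentication()) {
                throw e;
            }
            if (authzRequest.getPromptList().contains(Prompt.LOGIN)) {
                // The request already demands a login; the session is left as it is.
                return;
            }

            this.log.info("ACR is changed, adding prompt=login to prompts");
            authzRequest.addPrompt(Prompt.LOGIN);

            // Downgrade the session before it is stored, so the stored state is unauthenticated.
            sessionId.setState(SessionIdState.UNAUTHENTICATED);
            sessionId.getSessionAttributes().put("prompt", authzRequest.getPrompt());

            boolean persisted = this.sessionIdService.persistSessionId(sessionId);
            if (!persisted) {
                this.log.trace("Unable persist session_id, trying to update it.");
                this.sessionIdService.updateSessionId(sessionId);
            }
            this.sessionIdService.externalEvent(new SessionEvent(SessionEventType.UNAUTHENTICATED, sessionId));
        }
    }
}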
