package io.jans.configapi.auth.service;

import io.jans.as.client.uma.UmaMetadataService;
import io.jans.as.client.uma.UmaPermissionService;
import io.jans.as.client.uma.UmaRptIntrospectionService;
import io.jans.as.model.uma.PermissionTicket;
import io.jans.as.model.uma.RptIntrospectionResponse;
import io.jans.as.model.uma.UmaMetadata;
import io.jans.as.model.uma.UmaPermission;
import io.jans.as.model.uma.UmaPermissionList;
import io.jans.as.model.uma.wrapper.Token;
import io.jans.configapi.auth.client.AuthClientFactory;
import io.jans.configapi.auth.client.UmaClient;
import io.jans.configapi.service.ConfigurationService;
import io.jans.orm.util.StringHelper;
import java.io.Serializable;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Produces;
import javax.inject.Inject;
import javax.inject.Named;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.slf4j.Logger;

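/**
 * Validates UMA requesting-party tokens (RPTs) presented to the config API and builds the
 * UMA {@code WWW-Authenticate} challenge (HTTP 401 with a permission ticket) when validation
 * fails.
 *
 * <p>The UMA client services are resolved once from the configured UMA metadata endpoint in
 * {@link #init()}; the corresponding fields are assigned there and only read afterwards.
 */
@ApplicationScoped
@Named("umaService")
public class UmaService implements Serializable {
    private static final long serialVersionUID = 1;

    /** Scheme prefix expected in the {@code Authorization} header and used for the PAT. */
    private static final String BEARER_PREFIX = "Bearer ";

    @Inject
    Logger log;

    @Inject
    ConfigurationService configurationService;
    UmaMetadata umaMetadata;
    UmaMetadataService umaMetadataService;
    UmaPermissionService umaPermissionService;
    UmaRptIntrospectionService umaRptIntrospectionService;

    /**
     * Resolves the UMA metadata from the configured UMA configuration endpoint and creates the
     * permission and RPT-introspection clients bound to that metadata.
     */
    @PostConstruct
    public void init() {
        String umaConfigurationEndpoint = this.configurationService.find().getUmaConfigurationEndpoint();
        // The boolean flag is passed through to AuthClientFactory unchanged; its meaning is not visible here.
        this.umaMetadataService = AuthClientFactory.getUmaMetadataService(umaConfigurationEndpoint, false);
        this.umaMetadata = this.umaMetadataService.getMetadata();
        this.umaPermissionService = AuthClientFactory.getUmaPermissionService(this.umaMetadata, false);
        this.umaRptIntrospectionService = AuthClientFactory.getUmaRptIntrospectionService(this.umaMetadata, false);
    }

    /** @return the UMA metadata client created in {@link #init()} */
    public UmaMetadataService getUmaMetadataService() {
        return this.umaMetadataService;
    }

    /**
     * Exposes the resolved UMA metadata as a CDI bean named {@code umaMetadata}.
     *
     * @return the metadata fetched in {@link #init()}
     */
    @ApplicationScoped
    @Produces
    @Named("umaMetadata")
    public UmaMetadata getUmaMetadata() {
        return this.umaMetadata;
    }

    /** @return the UMA permission-registration client created in {@link #init()} */
    public UmaPermissionService getUmaPermissionService() {
        return this.umaPermissionService;
    }

    /** @return the RPT introspection client created in {@link #init()} */
    public UmaRptIntrospectionService getUmaRptIntrospectionService() {
        return this.umaRptIntrospectionService;
    }

    /**
     * Validates the RPT carried in {@code authorization} against the UMA authorization server.
     *
     * <p>Returns normally only when the RPT is active, holds a permission for
     * {@code resourceId}, and the scopes granted by its permissions cover every entry of
     * {@code scopeIds}. In every other case a {@link WebApplicationException} is thrown whose
     * response is a 401 carrying a freshly registered permission ticket (so the client can
     * obtain a suitable RPT), or a 500 when no ticket could be registered.
     *
     * @param patToken      protection API token used to call the authorization server
     * @param authorization raw {@code Authorization} header value ({@code Bearer <rpt>})
     * @param resourceId    UMA resource the caller wants to access
     * @param scopeIds      scopes that must all be granted for {@code resourceId}
     * @throws WebApplicationException when the RPT is missing, inactive or insufficient
     * @throws NullPointerException    when {@code scopeIds} is {@code null}
     */
    public void validateRptToken(Token patToken, String authorization, String resourceId, List<String> scopeIds) {
        Objects.requireNonNull(scopeIds, "scopeIds");
        // Tokens are credentials: log their presence, never the PAT or the Authorization header value.
        this.log.trace("Validating RPT, patToken present: {}, authorization present: {}, resourceId: {}, scopeIds: {} ",
                patToken != null, StringHelper.isNotEmpty(authorization), resourceId, scopeIds);
        if (patToken == null) {
            this.log.trace("Token is blank");
            // Without a PAT no ticket can be registered, so this yields the 500 response.
            throw new WebApplicationException("Token is blank.", prepareRegisterPermissionsResponse(patToken, resourceId, scopeIds));
        }
        if (StringHelper.isNotEmpty(authorization) && authorization.startsWith(BEARER_PREFIX)) {
            String rptToken = authorization.substring(BEARER_PREFIX.length());
            RptIntrospectionResponse statusResponse = getStatusResponse(patToken, rptToken);
            this.log.trace("rptStatusResponse: {} ", statusResponse);
            if (statusResponse == null || !statusResponse.getActive()) {
                this.log.warn("Status response for RPT token is invalid, will do a retry");
            } else if (isRptHasPermissions(statusResponse)) {
                if (!hasResourcePermission(statusResponse, resourceId)) {
                    // A permission for a different resource must not satisfy this check even when the
                    // scope names match; falling through registers a ticket for the right resource.
                    this.log.error("Status response for RPT token, Resource Id '{}', not contains right resource permissions", resourceId);
                } else if (grantedScopes(statusResponse).containsAll(scopeIds)) {
                    return;
                } else {
                    this.log.error("Status response for RPT token not contains right permissions");
                }
            }
        }
        throw new WebApplicationException("UMA authentication failed.", prepareRegisterPermissionsResponse(patToken, resourceId, scopeIds));
    }

    /**
     * Collects the scopes of all permissions in the introspection response into one list.
     *
     * @param statusResponse active introspection response with a non-null permission list
     * @return every granted scope, duplicates included; empty when no permission carries scopes
     */
    private static List<String> grantedScopes(RptIntrospectionResponse statusResponse) {
        List<String> scopes = new ArrayList<>();
        for (UmaPermission permission : statusResponse.getPermissions()) {
            if (permission != null && permission.getScopes() != null) {
                scopes.addAll(permission.getScopes());
            }
        }
        return scopes;
    }

    /**
     * @param statusResponse introspection response to inspect
     * @return {@code true} when the response carries at least one permission
     */
    private boolean isRptHasPermissions(RptIntrospectionResponse statusResponse) {
        return statusResponse.getPermissions() != null && !statusResponse.getPermissions().isEmpty();
    }

    /**
     * @param statusResponse introspection response with a non-null permission list
     * @param resourceId     resource to look for (compared case-insensitively)
     * @return {@code true} when some permission names {@code resourceId}; {@code false} for a
     *         {@code null} resource id or permissions without a resource id
     */
    private boolean hasResourcePermission(RptIntrospectionResponse statusResponse, String resourceId) {
        if (resourceId == null) {
            return false;
        }
        return statusResponse.getPermissions().stream()
                .anyMatch(permission -> permission != null && resourceId.equalsIgnoreCase(permission.getResourceId()));
    }

    /**
     * Introspects {@code rptToken} at the authorization server using the PAT as bearer credential.
     *
     * @param patToken protection API token
     * @param rptToken RPT extracted from the Authorization header
     * @return the introspection response when it reports the RPT as active, otherwise {@code null}
     *         (also when the introspection call itself fails)
     */
    private RptIntrospectionResponse getStatusResponse(Token patToken, String rptToken) {
        String patAuthorization = BEARER_PREFIX + patToken.getAccessToken();
        RptIntrospectionResponse statusResponse = null;
        try {
            statusResponse = UmaClient.getRptStatus(this.umaMetadata, patAuthorization, rptToken);
            this.log.trace(" rptStatusResponse: {}", statusResponse);
        } catch (Exception e) {
            // Reported as "no active RPT" so the caller falls through to the 401 challenge.
            this.log.error("Failed to determine RPT status", e);
        }
        if (statusResponse == null || !statusResponse.getActive()) {
            return null;
        }
        return statusResponse;
    }

    /**
     * Builds the response attached to a failed validation: a 401 with the UMA
     * {@code WWW-Authenticate} challenge carrying a newly registered permission ticket, or a 500
     * when no ticket could be obtained or the issuer URL cannot be parsed.
     *
     * @param patToken   protection API token (may be {@code null}, which yields the 500 response)
     * @param resourceId resource the ticket is registered for
     * @param scopeIds   scopes the ticket is registered for
     * @return a non-null JAX-RS response
     */
    private Response prepareRegisterPermissionsResponse(Token patToken, String resourceId, List<String> scopeIds) {
        String ticket = registerResourcePermission(patToken, resourceId, scopeIds);
        if (StringHelper.isEmpty(ticket)) {
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
        }
        this.log.trace("Construct response: HTTP 401 (Unauthorized), ticket: '{}'", ticket);
        try {
            String challenge = String.format("UMA realm=\"Authorization required\", host_id=%s, as_uri=%s, ticket=%s",
                    getHost(this.umaMetadata.getIssuer()),
                    this.configurationService.find().getUmaConfigurationEndpoint(),
                    ticket);
            return Response.status(Response.Status.UNAUTHORIZED).header("WWW-Authenticate", challenge).build();
        } catch (MalformedURLException e) {
            this.log.error("Failed to determine host by URI", e);
            // Never hand a null Response to WebApplicationException; a malformed issuer is a server-side error.
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
        }
    }

    /**
     * Registers a permission for {@code resourceId}/{@code scopeIds} at the authorization server.
     *
     * @param patToken   protection API token used as bearer credential
     * @param resourceId resource to register the permission for
     * @param scopeIds   scopes to register
     * @return the permission ticket, or {@code null} when {@code patToken} is {@code null} or the
     *         server returned no ticket
     */
    public String registerResourcePermission(Token patToken, String resourceId, List<String> scopeIds) {
        if (patToken == null) {
            // Registration needs the PAT; returning null lets the caller answer with a 500.
            this.log.error("Cannot register resource permission without a PAT");
            return null;
        }
        UmaPermission permission = new UmaPermission();
        permission.setResourceId(resourceId);
        permission.setScopes(scopeIds);
        PermissionTicket registered = getUmaPermissionService().registerPermission(
                BEARER_PREFIX + patToken.getAccessToken(),
                UmaPermissionList.instance(new UmaPermission[]{permission}));
        return registered == null ? null : registered.getTicket();
    }

    /**
     * @param url absolute URL, e.g. the UMA issuer
     * @return the host component of {@code url}
     * @throws MalformedURLException when {@code url} cannot be parsed
     */
    private String getHost(String url) throws MalformedURLException {
        return new URL(url).getHost();
    }
}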
