package pl.edu.icm.unity.oauth.as.token.access;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.oauth2.sdk.token.Tokens;
import com.nimbusds.openid.connect.sdk.OIDCResponseTypeValue;
import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.entity.EntityParam;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.exceptions.InternalException;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.group.IllegalGroupValueException;
import pl.edu.icm.unity.engine.api.idp.EntityInGroup;
import pl.edu.icm.unity.engine.api.idp.IdPEngine;
import pl.edu.icm.unity.engine.api.translation.ExecutionFailException;
import pl.edu.icm.unity.engine.api.translation.out.TranslationResult;
import pl.edu.icm.unity.oauth.as.AttributeFilteringSpec;
import pl.edu.icm.unity.oauth.as.AttributeValueFilterUtils;
import pl.edu.icm.unity.oauth.as.OAuthASProperties;
import pl.edu.icm.unity.oauth.as.OAuthProcessor;
import pl.edu.icm.unity.oauth.as.OAuthRequestValidator;
import pl.edu.icm.unity.oauth.as.OAuthScope;
import pl.edu.icm.unity.oauth.as.OAuthToken;
import pl.edu.icm.unity.oauth.as.token.BaseOAuthResource;
import pl.edu.icm.unity.oauth.as.token.OAuthErrorException;
import pl.edu.icm.unity.oauth.as.token.access.ClientAttributesProvider;
import pl.edu.icm.unity.oauth.as.webauthz.OAuthIdPEngine;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:pl/edu/icm/unity/oauth/as/token/access/TokenService.class */
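/**
 * Derives a new {@link OAuthToken} from an already issued one (the refresh / exchange case) and
 * wraps issued token values into the nimbus response objects.
 *
 * <p>The derivation re-validates the requested scope against the scopes the caller passes as
 * allowed, re-resolves the user's attributes through the IdP engine, recomputes the effective scope
 * for the client and, when asked for, re-issues the ID token. Access and refresh token values of the
 * derived token are cleared; this class does not mint replacements.
 *
 * <p>Instances are obtained from {@link TokenServiceFactory}. The decompiler notes in the original
 * listing indicate that this class and its two entry methods were package-private before
 * decompilation widened them to public; the visibility is kept as found so callers keep compiling.
 */
public class TokenService {
    private static final Logger log = Log.getLogger("unity.server.oauth", TokenService.class);
    // Determines which of the requested scopes the client is actually allowed to receive.
    private final OAuthRequestValidator requestValidator;
    private final OAuthASProperties config;
    // IdP engine used to re-resolve user attributes; built over the "insecure"-qualified engine.
    private final OAuthIdPEngine notAuthorizedOauthIdpEngine;
    private final ClientAttributesProvider clientAttributesProvider;

    /**
     * Spring-managed factory assembling a {@link TokenService} for one authorization-server
     * configuration.
     */
    @Component
    public static class TokenServiceFactory {
        private final OAuthRequestValidator.OAuthRequestValidatorFactory requestValidatorFactory;
        private final IdPEngine idPEngine;
        private final ClientAttributesProvider.ClientAttributesProviderFactory clientAttributesProviderFactory;

        /**
         * @param oAuthRequestValidatorFactory builds the per-configuration scope validator
         * @param idPEngine the IdP engine injected under the {@code insecure} qualifier
         * @param clientAttributesProviderFactory builds the per-configuration client attribute lookup
         */
        @Autowired
        public TokenServiceFactory(OAuthRequestValidator.OAuthRequestValidatorFactory oAuthRequestValidatorFactory,
                @Qualifier("insecure") IdPEngine idPEngine,
                ClientAttributesProvider.ClientAttributesProviderFactory clientAttributesProviderFactory) {
            this.requestValidatorFactory = oAuthRequestValidatorFactory;
            this.idPEngine = idPEngine;
            this.clientAttributesProviderFactory = clientAttributesProviderFactory;
        }

        /**
         * Creates a service bound to the given configuration.
         *
         * @param oAuthASProperties authorization-server configuration the service operates on
         * @return a new {@link TokenService}
         */
        public TokenService getTokenService(OAuthASProperties oAuthASProperties) {
            OAuthRequestValidator validator = this.requestValidatorFactory.getOAuthRequestValidator(oAuthASProperties);
            ClientAttributesProvider clientAttributes =
                    this.clientAttributesProviderFactory.getClientAttributeProvider(oAuthASProperties);
            return new TokenService(validator, oAuthASProperties, new OAuthIdPEngine(this.idPEngine), clientAttributes);
        }
    }

    /**
     * Package-private; use {@link TokenServiceFactory}.
     *
     * @param oAuthRequestValidator scope validator for this configuration
     * @param oAuthASProperties authorization-server configuration
     * @param oAuthIdPEngine engine used to resolve user attributes
     * @param clientAttributesProvider lookup of the client's attributes
     */
    TokenService(OAuthRequestValidator oAuthRequestValidator, OAuthASProperties oAuthASProperties,
            OAuthIdPEngine oAuthIdPEngine, ClientAttributesProvider clientAttributesProvider) {
        this.requestValidator = oAuthRequestValidator;
        this.config = oAuthASProperties;
        this.notAuthorizedOauthIdpEngine = oAuthIdPEngine;
        this.clientAttributesProvider = clientAttributesProvider;
    }

    /**
     * Builds a new token from {@code oldToken}.
     *
     * <p>Order of operations: the requested scope string is parsed; attribute-filter claims are
     * stripped from it and every remaining scope must be contained in {@code allowedScopes},
     * otherwise {@code invalid_scope} is raised (scope may only be narrowed, never widened, by this
     * path). The user's attributes are then re-resolved, the effective scope is recomputed from the
     * client's attributes, the user-info document is rebuilt, and the ID token is re-issued when
     * {@code issueIdToken} is set and the {@code openid} scope was requested. Finally validity and
     * issuer are taken from the configuration and the access/refresh token values are cleared.
     *
     * @param oldToken token the new one is copied from
     * @param requestedScope space-separated requested scope; {@code null} or empty means no scope
     * @param allowedScopes scope names the request may at most ask for
     * @param userEntityId entity whose attributes are resolved (first argument passed to the IdP engine)
     * @param clientEntityId entity whose client attributes are looked up and which must be a member of
     *        the clients group
     * @param audience value placed in the ID token's {@code aud} claim
     * @param issueIdToken whether to re-issue an ID token at all
     * @param userInfoRequestParam forwarded unchanged to the IdP engine's user-info call; its meaning
     *        is not visible in this class
     * @return the derived token; its access and refresh token values are {@code null}
     * @throws OAuthErrorException with {@code invalid_scope}, {@code access_denied} or
     *         {@code server_error} as described above
     */
    public OAuthToken prepareNewTokenBasedOnOldToken(OAuthToken oldToken, String requestedScope,
            List<String> allowedScopes, long userEntityId, long clientEntityId, String audience,
            boolean issueIdToken, String userInfoRequestParam) throws OAuthErrorException {
        OAuthToken newToken = new OAuthToken(oldToken);

        Scope scope = (requestedScope == null || requestedScope.isEmpty()) ? new Scope() : Scope.parse(requestedScope);
        // Filter claims ride along in the scope string; only the plain scopes are subject to validation.
        var plainScopes = AttributeValueFilterUtils.getScopesWithoutFilterClaims(scope);
        List<String> requestedScopeNames = plainScopes.stream()
                .map(value -> value.getValue())
                .toList();

        // Escalation guard: every requested scope must already be among the allowed ones.
        if (!allowedScopes.containsAll(requestedScopeNames)) {
            throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.INVALID_SCOPE, "wrong scope"));
        }
        newToken.setRequestedScope(requestedScopeNames.toArray(String[]::new));

        TranslationResult userAttributes = getAttributes(clientEntityId, userEntityId, userInfoRequestParam);

        // Effective scope is recomputed against the client's current attributes, not copied from the old token.
        List<OAuthScope> effectiveScopes = this.requestValidator.getValidRequestedScopes(
                this.clientAttributesProvider.getClientAttributes(new EntityParam(Long.valueOf(clientEntityId))),
                plainScopes);
        newToken.setEffectiveScope(effectiveScopes.stream()
                .map(effectiveScope -> effectiveScope.name)
                .toArray(String[]::new));

        List<AttributeFilteringSpec> mergedFilters = AttributeValueFilterUtils.mergeFiltersWithPreservingLast(
                newToken.getAttributeValueFilters(), AttributeValueFilterUtils.getFiltersFromScopes(scope));
        UserInfo userInfo = createUserInfo(effectiveScopes, newToken.getSubject(), userAttributes, mergedFilters);
        newToken.setUserInfo(userInfo.toJSONObject().toJSONString());
        newToken.setAttributeValueFilters(mergedFilters);

        Date issueTime = new Date();
        if (issueIdToken && requestedScopeNames.contains(OIDCScopeValue.OPENID.getValue())) {
            try {
                newToken.setOpenidToken(createIdToken(issueTime, newToken, Arrays.asList(new Audience(audience)), userInfo));
            } catch (Exception e) {
                log.error("Cannot create new id token", e);
                // NOTE(review): the raw exception message is echoed to the client in the error response;
                // a fixed text would avoid exposing internal details.
                throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.SERVER_ERROR, e.getMessage()));
            }
        } else {
            newToken.setOpenidToken(null);
        }

        newToken.setMaxExtendedValidity(this.config.getMaxExtendedAccessTokenValidity());
        newToken.setTokenValidity(this.config.getAccessTokenValidity());
        // Old token values must not be carried over; replacements are assigned by the caller, not here.
        newToken.setAccessToken(null);
        newToken.setRefreshToken(null);
        newToken.setIssuerUri(this.config.getIssuerName());
        return newToken;
    }

    /**
     * Wraps the issued tokens into a response object.
     *
     * @param oAuthToken internal token; if it carries an ID token an OIDC response is produced
     * @param accessToken access token to return
     * @param refreshToken refresh token to return (may be {@code null} as far as this code is concerned)
     * @param customParams additional response parameters
     * @return {@link OIDCTokenResponse} when an ID token is present, otherwise a plain
     *         {@link AccessTokenResponse}
     */
    public AccessTokenResponse getAccessTokenResponse(OAuthToken oAuthToken, AccessToken accessToken,
            RefreshToken refreshToken, Map<String, Object> customParams) {
        JWT idToken = TokenUtils.decodeIDToken(oAuthToken);
        if (idToken == null) {
            return new AccessTokenResponse(new Tokens(accessToken, refreshToken), customParams);
        }
        return new OIDCTokenResponse(new OIDCTokens(idToken, accessToken, refreshToken), customParams);
    }

    /**
     * Resolves the user's attributes through the IdP engine on behalf of the client.
     *
     * <p>The client is passed as an {@link EntityInGroup} bound to the configured clients group, so
     * a client outside that group is rejected by the engine and mapped to {@code access_denied}.
     *
     * @param clientEntityId entity of the requesting client
     * @param userEntityId entity whose attributes are resolved
     * @param userInfoRequestParam forwarded unchanged to the engine
     * @return the output-translation result for the user
     * @throws OAuthErrorException {@code access_denied} when the client is not in the required group or
     *         the translation profile fails the request; {@code server_error} for anything else
     */
    private TranslationResult getAttributes(long clientEntityId, long userEntityId, String userInfoRequestParam)
            throws OAuthErrorException {
        try {
            EntityInGroup client = new EntityInGroup(this.config.getValue(OAuthASProperties.CLIENTS_GROUP),
                    new EntityParam(Long.valueOf(clientEntityId)));
            return this.notAuthorizedOauthIdpEngine.getUserInfoUnsafe(userEntityId, String.valueOf(clientEntityId),
                    Optional.of(client), this.config.getValue(OAuthASProperties.USERS_GROUP),
                    this.config.getOutputTranslationProfile(), userInfoRequestParam, this.config);
        } catch (IllegalGroupValueException e) {
            log.warn("Entity trying to access OAuth resource is not a member of required group");
            throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.ACCESS_DENIED, e.getMessage()));
        } catch (ExecutionFailException e) {
            // Must precede the catch-all below: a subclass caught after its superclass is a compile error,
            // and the decompiled listing had these two reversed.
            log.debug("Authentication failed due to profile's decision, returning error");
            throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.ACCESS_DENIED, e.getMessage()));
        } catch (Exception e) {
            log.error("Engine problem when handling client request", e);
            // NOTE(review): the engine's message is returned to the client; consider a generic text.
            throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.SERVER_ERROR, e.getMessage()));
        }
    }

    /**
     * Builds the user-info claim set limited to the attributes of the given scopes.
     *
     * @param scopes effective scopes; the union of their attribute names selects the released attributes
     * @param subject value of the {@code sub} claim
     * @param translationResult resolved user attributes
     * @param filters attribute value filters applied before claims are produced
     * @return the user-info claims
     */
    private UserInfo createUserInfo(List<OAuthScope> scopes, String subject, TranslationResult translationResult,
            List<AttributeFilteringSpec> filters) {
        var releasedAttributes = new HashSet<>(scopes.stream()
                .flatMap(scope -> scope.attributes.stream())
                .toList());
        return OAuthProcessor.prepareUserInfoClaimSet(subject,
                OAuthProcessor.filterAttributes(translationResult, releasedAttributes, filters));
    }

    /**
     * Re-issues the ID token carried by {@code oAuthToken}.
     *
     * <p>The new claim set gets the configured issuer, the token's subject, the given audience, the
     * access-token expiration computed from {@code issueTime}, and the nonce copied from the previous
     * ID token. User-info claims are embedded only when the recorded response type is exactly
     * {@code id_token}.
     *
     * @param issueTime issue time used for {@code iat} and as the base for {@code exp}
     * @param oAuthToken token holding the previous ID token, subject and response type
     * @param audiences values for the {@code aud} claim
     * @param userInfo claims embedded for the {@code id_token}-only response type
     * @return the serialized signed ID token, or {@code null} when the old token carries none
     * @throws ParseException, JOSEException, EngineException propagated from decoding outside the guarded
     *         section; failures inside it are wrapped into {@link InternalException}
     */
    private String createIdToken(Date issueTime, OAuthToken oAuthToken, List<Audience> audiences, UserInfo userInfo)
            throws ParseException, JOSEException, EngineException {
        JWT previousIdToken = BaseOAuthResource.decodeIDToken(oAuthToken);
        if (previousIdToken == null) {
            return null;
        }
        try {
            IDTokenClaimsSet previousClaims = new IDTokenClaimsSet(previousIdToken.getJWTClaimsSet());
            IDTokenClaimsSet claims = new IDTokenClaimsSet(new Issuer(this.config.getIssuerName()),
                    new Subject(oAuthToken.getSubject()), audiences,
                    TokenUtils.getAccessTokenExpiration(this.config, issueTime), issueTime);
            claims.setNonce(previousClaims.getNonce());

            String responseType = oAuthToken.getResponseType();
            if (responseType != null && !responseType.isEmpty()) {
                ResponseType parsedResponseType = ResponseType.parse(responseType);
                boolean idTokenOnly = parsedResponseType.contains(OIDCResponseTypeValue.ID_TOKEN)
                        && parsedResponseType.size() == 1;
                if (idTokenOnly) {
                    claims.putAll(userInfo);
                }
            }
            return this.config.getTokenSigner().sign(claims).serialize();
        } catch (Exception e) {
            throw new InternalException("Can not parse the internal id token", e);
        }
    }
}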
