package pl.edu.icm.unity.oauth.as;

import io.imunity.idp.AccessProtocol;
import io.imunity.idp.ApplicationId;
import io.imunity.idp.IdPClientData;
import io.imunity.idp.LastIdPClinetAccessAttributeManagement;
import io.imunity.idp.TechnicalInformationProperty;
import io.imunity.idp.TrustedIdPClientsManagement;
import io.imunity.vaadin.auth.services.idp.IdpUsersHelper;
import io.imunity.vaadin.endpoint.common.consent_utils.URIPresentationHelper;
import java.io.IOException;
import java.io.StringReader;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.attribute.Attribute;
import pl.edu.icm.unity.base.attribute.AttributeExt;
import pl.edu.icm.unity.base.endpoint.Endpoint;
import pl.edu.icm.unity.base.entity.EntityParam;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.exceptions.InternalException;
import pl.edu.icm.unity.base.identity.Identity;
import pl.edu.icm.unity.base.json.JsonUtil;
import pl.edu.icm.unity.base.message.MessageSource;
import pl.edu.icm.unity.engine.api.EndpointManagement;
import pl.edu.icm.unity.engine.api.PreferencesManagement;
import pl.edu.icm.unity.engine.api.attributes.AttributeTypeSupport;
import pl.edu.icm.unity.engine.api.authn.AuthorizationException;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.bulk.BulkGroupQueryService;
import pl.edu.icm.unity.engine.api.bulk.EntityInGroupData;
import pl.edu.icm.unity.engine.api.exceptions.RuntimeEngineException;
import pl.edu.icm.unity.engine.api.token.SecuredTokensManagement;
import pl.edu.icm.unity.engine.api.utils.TimeUtil;
import pl.edu.icm.unity.oauth.as.preferences.OAuthPreferences;
import pl.edu.icm.unity.oauth.as.token.OAuthTokenEndpoint;
import pl.edu.icm.unity.oauth.as.token.access.OAuthAccessTokenRepository;
import pl.edu.icm.unity.oauth.as.token.access.OAuthRefreshTokenRepository;
import pl.edu.icm.unity.oauth.as.webauthz.OAuthAuthzWebEndpoint;

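/**
 * Home-UI view of the OAuth clients the current user has a relationship with
 * (outstanding access/refresh tokens or stored consent preferences), plus the
 * ability to revoke that access or lift a stored "always deny" decision.
 *
 * <p>Security-relevant wiring, as visible in this class:
 * <ul>
 * <li>User data is scoped to the logged-in user: tokens come from the repositories'
 *     {@code getOwnedAccessTokens()} / {@code getOwnedRefreshTokens()} and preferences are
 *     read for the entity of the current {@link InvocationContext} login session.</li>
 * <li>{@link EndpointManagement} and {@link BulkGroupQueryService} are injected with the
 *     {@code "insecure"} qualifier, i.e. without the caller's authorization checks, so that an
 *     ordinary user can resolve client names, logos and domains. Data read through them must
 *     only be surfaced for clients already present in the user's own token/preference set;
 *     {@link #getIdpClientsData()} enforces this by iterating that set and looking each client
 *     up in the endpoint configuration, never the reverse.</li>
 * <li>Token removal goes through {@link SecuredTokensManagement}, so revocation stays
 *     authorization-checked.</li>
 * <li>The "technical information" rendered per client contains the raw token values
 *     (see {@link #getTokenRepresentation}); those are bearer secrets.</li>
 * </ul>
 */
@Component
public class TrustedOAuthClientsManagement implements TrustedIdPClientsManagement {
    private final SecuredTokensManagement tokenMan;
    private final PreferencesManagement preferencesManagement;
    private final OAuthAccessTokenRepository accessTokenDAO;
    private final OAuthRefreshTokenRepository refreshTokenDAO;
    private final EndpointManagement endpointManagement;
    private final AttributeTypeSupport aTypeSupport;
    private final BulkGroupQueryService bulkService;
    private final IdpUsersHelper idpUsersHelper;
    private final MessageSource msg;
    private final OAuthScopesService scopesService;
    private final LastIdPClinetAccessAttributeManagement lastAccessAttributeManagement;

    /** Display data of one registered OAuth client, as resolved from the clients group. */
    public static class OAuthClientInfo {
        /** Display name: CLIENT_NAME group attribute, else the configured client-name attribute. */
        public final Optional<String> name;
        /** The client's {@code userName} identity; this is what {@link ApplicationId} carries. */
        public final Optional<String> id;
        /** Human-readable domain of the client's first allowed return URI (not the full URI). */
        public final Optional<String> redirectURI;
        /** Decoded logo image bytes, if a CLIENT_LOGO attribute is set. */
        public final Optional<byte[]> logo;

        /** Null-tolerant builder; every {@code withX(null)} leaves the field absent. */
        public static final class Builder {
            private Optional<String> name = Optional.empty();
            private Optional<String> id = Optional.empty();
            private Optional<String> redirectURI = Optional.empty();
            private Optional<byte[]> logo = Optional.empty();

            private Builder() {
            }

            public Builder withName(String name) {
                this.name = Optional.ofNullable(name);
                return this;
            }

            public Builder withId(String id) {
                this.id = Optional.ofNullable(id);
                return this;
            }

            /** Stores only the presentation domain of the URI, not the URI itself. */
            public Builder withRedirectURI(String redirectURI) {
                this.redirectURI = Optional.ofNullable(redirectURI).map(URIPresentationHelper::getHumanReadableDomain);
                return this;
            }

            public Builder withLogo(byte[] logo) {
                this.logo = Optional.ofNullable(logo);
                return this;
            }

            public OAuthClientInfo build() {
                return new OAuthClientInfo(this);
            }
        }

        private OAuthClientInfo(Builder builder) {
            this.name = builder.name;
            this.id = builder.id;
            this.redirectURI = builder.redirectURI;
            this.logo = builder.logo;
        }

        public static Builder builder() {
            return new Builder();
        }
    }

    /**
     * Parsed configuration of one OAuth authorization endpoint: its issuer, the scopes it
     * defines and the clients registered in its clients group.
     *
     * <p>Non-static on purpose: client resolution needs the enclosing bean's bulk query
     * service, attribute support and users helper.
     */
    public class OAuthServiceConfiguration {
        public final String issuerURI;
        public final List<OAuthScope> scopes;
        public final List<OAuthClientInfo> clients;

        /**
         * @param messageSource currently unused; kept so existing callers compile
         * @param configuration raw endpoint configuration in {@link Properties} text format
         * @param oAuthScopesService resolves the scopes declared by the endpoint
         * @throws InternalException if the configuration text cannot be parsed
         * @throws RuntimeEngineException if the clients group cannot be queried
         */
        public OAuthServiceConfiguration(MessageSource messageSource, String configuration, OAuthScopesService oAuthScopesService) {
            Properties properties = new Properties();
            try {
                properties.load(new StringReader(configuration));
            } catch (IOException e) {
                throw new InternalException("Invalid configuration of the oauth idp service", e);
            }
            OAuthASProperties asProperties = new OAuthASProperties(properties);
            this.issuerURI = asProperties.getIssuerName();
            this.scopes = new ArrayList<>(oAuthScopesService.getScopes(asProperties));
            this.clients = getOAuthClients(asProperties.getValue(OAuthASProperties.CLIENTS_GROUP));
        }

        /**
         * Resolves all OAuth clients registered in the given group.
         *
         * <p>This uses the authorization-bypassing bulk service, so the full list may contain
         * clients the current user has never interacted with; callers must filter before
         * showing anything to the user.
         */
        private List<OAuthClientInfo> getOAuthClients(String clientsGroup) {
            try {
                String clientNameAttr = TrustedOAuthClientsManagement.this.idpUsersHelper.getClientNameAttr();
                List<OAuthClientInfo> result = new ArrayList<>();
                for (EntityInGroupData member : TrustedOAuthClientsManagement.this.bulkService
                        .getMembershipInfo(TrustedOAuthClientsManagement.this.bulkService.getBulkMembershipData(clientsGroup))
                        .values()) {
                    if (isOAuthClient(member)) {
                        result.add(getOAuthClient(member, clientNameAttr));
                    }
                }
                return result;
            } catch (EngineException e) {
                throw new RuntimeEngineException(e);
            }
        }

        /**
         * A group member counts as an OAuth client when it carries the ALLOWED_FLOWS attribute
         * in the clients group and has a {@code userName} identity (which becomes its client id).
         */
        private boolean isOAuthClient(EntityInGroupData member) {
            boolean hasAllowedFlows = member.groupAttributesByName.containsKey(OAuthSystemAttributesProvider.ALLOWED_FLOWS);
            return hasAllowedFlows && getUserName(member.entity.getIdentities()) != null;
        }

        /**
         * Builds the display record of one client. Only the first value of each multi-valued
         * attribute is used (in particular only the first allowed return URI is shown).
         */
        private OAuthClientInfo getOAuthClient(EntityInGroupData member, String clientNameAttr) {
            Map<String, AttributeExt> groupAttributes = member.groupAttributesByName;
            OAuthClientInfo.Builder builder = OAuthClientInfo.builder()
                    .withId(getUserName(member.entity.getIdentities()));

            firstValue(groupAttributes.get(OAuthSystemAttributesProvider.ALLOWED_RETURN_URI))
                    .ifPresent(builder::withRedirectURI);
            firstValue(groupAttributes.get(OAuthSystemAttributesProvider.CLIENT_NAME))
                    .ifPresent(builder::withName);
            // Fallback name: the root-group attribute configured as the client-name attribute.
            if (builder.name.isEmpty() && clientNameAttr != null) {
                firstValue(member.rootAttributesByName.get(clientNameAttr)).ifPresent(builder::withName);
            }
            AttributeExt logoAttribute = groupAttributes.get(OAuthSystemAttributesProvider.CLIENT_LOGO);
            if (logoAttribute != null) {
                builder.withLogo(getLogo(logoAttribute));
            }
            return builder.build();
        }

        /** First value of an attribute, or empty if the attribute is missing, empty or its first value is null. */
        private Optional<String> firstValue(Attribute attribute) {
            if (attribute == null || attribute.getValues().isEmpty()) {
                return Optional.empty();
            }
            return Optional.ofNullable(attribute.getValues().get(0));
        }

        /**
         * Decodes the logo via the attribute type's syntax (the stored value is its string form).
         *
         * @return the image bytes, or null when there is no usable value
         */
        private byte[] getLogo(Attribute attribute) {
            return firstValue(attribute)
                    .map(encoded -> TrustedOAuthClientsManagement.this.aTypeSupport
                            .getSyntax(attribute).convertFromString(encoded).getImage())
                    .orElse(null);
        }

        /** The value of the first {@code userName} identity, or null if the entity has none. */
        private String getUserName(List<Identity> identities) {
            for (Identity identity : identities) {
                if ("userName".equals(identity.getTypeId())) {
                    return identity.getValue();
                }
            }
            return null;
        }
    }

    /** A stored token together with its lifecycle timestamps and the raw stored value. */
    public static class OAuthTokenWithTime {
        /** Parsed token contents (issuer, client, scopes, access/refresh token strings). */
        public final OAuthToken token;
        public final Instant createdTime;
        /** Null when the stored token has no expiry. */
        public final Instant expiredTime;
        /** Token-store type, e.g. INTERNAL_ACCESS_TOKEN / INTERNAL_REFRESH_TOKEN. */
        public final String type;
        /** Raw token-store value; together with {@link #type} it identifies the token for removal. */
        public final String value;

        public OAuthTokenWithTime(String type, Instant createdTime, Instant expiredTime, OAuthToken token, String value) {
            this.type = type;
            this.token = token;
            this.createdTime = createdTime;
            this.expiredTime = expiredTime;
            this.value = value;
        }
    }

    /** Mutable accumulator grouping one client's tokens and (optional) consent preferences. */
    public static class TokensAndPreferences {
        private List<OAuthTokenWithTime> tokens;
        private Optional<OAuthPreferences.OAuthClientSettings> preferences;

        /** @param settings must be non-null (wrapped with {@link Optional#of}) */
        public TokensAndPreferences(OAuthPreferences.OAuthClientSettings settings) {
            this.preferences = Optional.of(settings);
            this.tokens = new ArrayList<>();
        }

        public TokensAndPreferences(OAuthTokenWithTime firstToken) {
            this.tokens = new ArrayList<>();
            this.preferences = Optional.empty();
            this.tokens.add(firstToken);
        }

        /** Live (mutable) list; callers append to it while grouping. */
        public List<OAuthTokenWithTime> getTokens() {
            return this.tokens;
        }

        public void setPreferences(OAuthPreferences.OAuthClientSettings settings) {
            this.preferences = Optional.ofNullable(settings);
        }
    }

    /**
     * @param endpointManagement the {@code "insecure"} variant: endpoint configuration is read
     *        without the caller's authorization, since end users cannot list endpoints
     * @param bulkGroupQueryService the {@code "insecure"} variant: the clients group is read
     *        without the caller's authorization; results are filtered to the user's own clients
     */
    public TrustedOAuthClientsManagement(SecuredTokensManagement securedTokensManagement, PreferencesManagement preferencesManagement, OAuthAccessTokenRepository oAuthAccessTokenRepository, OAuthRefreshTokenRepository oAuthRefreshTokenRepository, @Qualifier("insecure") EndpointManagement endpointManagement, @Qualifier("insecure") BulkGroupQueryService bulkGroupQueryService, IdpUsersHelper idpUsersHelper, MessageSource messageSource, OAuthScopesService oAuthScopesService, AttributeTypeSupport attributeTypeSupport, LastIdPClinetAccessAttributeManagement lastIdPClinetAccessAttributeManagement) {
        this.tokenMan = securedTokensManagement;
        this.preferencesManagement = preferencesManagement;
        this.accessTokenDAO = oAuthAccessTokenRepository;
        this.refreshTokenDAO = oAuthRefreshTokenRepository;
        this.endpointManagement = endpointManagement;
        this.bulkService = bulkGroupQueryService;
        this.idpUsersHelper = idpUsersHelper;
        this.msg = messageSource;
        this.scopesService = oAuthScopesService;
        this.aTypeSupport = attributeTypeSupport;
        this.lastAccessAttributeManagement = lastIdPClinetAccessAttributeManagement;
    }

    /**
     * Lists, per OAuth authorization endpoint, the clients the current user has tokens or
     * consent preferences for. A client may yield two rows: one "denied without asking" row
     * when the user stored a deny decision, and one "allowed" row when there are live tokens
     * or an "allow without asking" decision.
     *
     * <p>The iteration is driven by the user's own token/preference set, and each client id is
     * then looked up in the endpoint's client list. Clients with no relationship to the user
     * are never emitted even though the (authorization-bypassing) client list contains them.
     *
     * @throws EngineException if tokens, preferences, endpoints or last-access data cannot be read
     */
    @Override
    public List<IdPClientData> getIdpClientsData() throws EngineException {
        Map<String, TokensAndPreferences> byClient = getClientPreferencesAndTokensGroupedByClient();
        // Loop-invariant engine call, previously re-issued for every client/service pair.
        Map<LastIdPClinetAccessAttributeManagement.LastIdPClientAccessKey, Instant> lastAccessByClient = getLastAccessByClient();
        List<IdPClientData> result = new ArrayList<>();

        for (OAuthServiceConfiguration service : getServices()) {
            for (Map.Entry<String, TokensAndPreferences> entry : byClient.entrySet()) {
                String clientId = entry.getKey();
                Optional<OAuthClientInfo> client = service.clients.stream()
                        .filter(info -> info.id.isPresent() && info.id.get().equals(clientId))
                        .findAny();
                if (client.isEmpty()) {
                    continue; // not registered at this endpoint
                }
                OAuthClientInfo clientInfo = client.get();
                Optional<OAuthPreferences.OAuthClientSettings> prefs = entry.getValue().preferences;
                List<OAuthTokenWithTime> accessTokens = tokensOf(entry.getValue().tokens,
                        OAuthAccessTokenRepository.INTERNAL_ACCESS_TOKEN, service.issuerURI);
                List<OAuthTokenWithTime> refreshTokens = tokensOf(entry.getValue().tokens,
                        OAuthRefreshTokenRepository.INTERNAL_REFRESH_TOKEN, service.issuerURI);

                if (isDisallowed(prefs)) {
                    result.add(IdPClientData.builder()
                            .withApplicationId(new ApplicationId(clientId))
                            .withLogo(clientInfo.logo)
                            .withAccessProtocol(AccessProtocol.OAuth)
                            .withAccessStatus(IdPClientData.AccessStatus.disallowWithoutAsking)
                            .withApplicationName(clientInfo.name)
                            .withApplicationDomain(clientInfo.redirectURI)
                            // The timestamp is treated as nullable elsewhere (getGrantTime);
                            // Optional.of here would throw for a deny decision without one.
                            .withAccessDeniedTime(Optional.ofNullable(prefs.get().getTimestamp()))
                            .build());
                }

                boolean allowedWithoutAsking = isAllowedWithoutAsking(prefs);
                if (!accessTokens.isEmpty() || !refreshTokens.isEmpty() || allowedWithoutAsking) {
                    Set<String> scopes = getScopes(accessTokens, service);
                    Optional<List<String>> scopeList = scopes.isEmpty()
                            ? Optional.empty()
                            : Optional.of(new ArrayList<>(scopes));
                    Instant lastAccess = lastAccessByClient.get(
                            new LastIdPClinetAccessAttributeManagement.LastIdPClientAccessKey(AccessProtocol.OAuth, clientId));
                    result.add(IdPClientData.builder()
                            .withApplicationId(new ApplicationId(clientId))
                            .withLogo(clientInfo.logo)
                            .withAccessProtocol(AccessProtocol.OAuth)
                            .withLastAccessTime(Optional.ofNullable(lastAccess))
                            .withAccessStatus(allowedWithoutAsking
                                    ? IdPClientData.AccessStatus.allowWithoutAsking
                                    : IdPClientData.AccessStatus.allow)
                            .withAccessGrantTime(getGrantTime(refreshTokens, prefs))
                            .withApplicationName(clientInfo.name)
                            .withAccessScopes(scopeList)
                            .withApplicationDomain(clientInfo.redirectURI)
                            .withTechnicalInformations(getTechnicalInformations(accessTokens, refreshTokens))
                            .build());
                }
            }
        }
        return result;
    }

    /** Tokens of the given store type issued by the given issuer, newest first. */
    private static List<OAuthTokenWithTime> tokensOf(List<OAuthTokenWithTime> tokens, String type, String issuerURI) {
        return tokens.stream()
                .filter(t -> t.type.equals(type) && t.token.getIssuerUri().equals(issuerURI))
                .sorted((a, b) -> b.createdTime.compareTo(a.createdTime))
                .collect(Collectors.toList());
    }

    /** Union of the (described) scopes of all given access tokens. */
    private Set<String> getScopes(List<OAuthTokenWithTime> accessTokens, OAuthServiceConfiguration service) {
        Set<String> scopes = new HashSet<>();
        for (OAuthTokenWithTime token : accessTokens) {
            scopes.addAll(describeScopes(token, service));
        }
        return scopes;
    }

    /**
     * One "technical information" row per token, access tokens first. Each row's value is the
     * raw token string followed by its issue/expiry times (see {@link #getTokenRepresentation}).
     */
    private List<TechnicalInformationProperty> getTechnicalInformations(List<OAuthTokenWithTime> accessTokens, List<OAuthTokenWithTime> refreshTokens) {
        List<TechnicalInformationProperty> rows = new ArrayList<>();
        for (int i = 0; i < accessTokens.size(); i++) {
            OAuthTokenWithTime t = accessTokens.get(i);
            rows.add(TechnicalInformationProperty.builder()
                    .withTitleKey(label("OAuthApplicationProvider.accessTokenLabel", i, accessTokens.size()))
                    .withValue(getTokenRepresentation(t.createdTime, t.expiredTime, t.token.getAccessToken()))
                    .build());
        }
        for (int i = 0; i < refreshTokens.size(); i++) {
            OAuthTokenWithTime t = refreshTokens.get(i);
            rows.add(TechnicalInformationProperty.builder()
                    .withTitleKey(label("OAuthApplicationProvider.refreshTokenLabel", i, refreshTokens.size()))
                    .withValue(getTokenRepresentation(t.createdTime, t.expiredTime, t.token.getRefreshToken()))
                    .build());
        }
        return rows;
    }

    /** Localized row label; numbered " (n):" only when there is more than one token of that kind. */
    private String label(String messageKey, int index, int count) {
        String base = this.msg.getMessage(messageKey, new Object[0]);
        return base + (count > 1 ? " (" + (index + 1) + "):" : ":");
    }

    /**
     * Renders a token for the technical-information panel: the token string, a blank line,
     * then optional "issued on"/"expires on" lines.
     *
     * <p>NOTE(review): {@code tokenValue} is the raw bearer/refresh token and is shown verbatim.
     * It is the user's own token, but it still ends up in the browser, screenshots and any
     * UI logging; consider masking all but a prefix unless full display is a requirement.
     *
     * <p>NOTE(review): {@code OAuthTokenEndpoint.PATH} is used as the "nothing to show" text;
     * it appears to be a decompiler artifact standing for the empty string — confirm against
     * the original source before changing it.
     */
    private String getTokenRepresentation(Instant created, Instant expires, String tokenValue) {
        String issued = created != null
                ? this.msg.getMessage("OAuthApplicationProvider.issuedOn", new Object[0]) + " " + TimeUtil.formatStandardInstant(created)
                : OAuthTokenEndpoint.PATH;
        String expiry = expires != null
                ? "\n" + this.msg.getMessage("OAuthApplicationProvider.expiresOn", new Object[0]) + " " + TimeUtil.formatStandardInstant(expires)
                : OAuthTokenEndpoint.PATH;
        return tokenValue + "\n\n" + issued + expiry;
    }

    private Map<LastIdPClinetAccessAttributeManagement.LastIdPClientAccessKey, Instant> getLastAccessByClient() throws EngineException {
        return this.lastAccessAttributeManagement.getLastAccessByClient();
    }

    /**
     * Earliest evidence of consent: the creation time of the oldest refresh token or the
     * preference timestamp, whichever is earlier; empty when neither exists.
     *
     * @param refreshTokens refresh tokens sorted newest first (the last element is the oldest)
     */
    private Optional<Instant> getGrantTime(List<OAuthTokenWithTime> refreshTokens, Optional<OAuthPreferences.OAuthClientSettings> prefs) {
        Optional<Instant> oldestRefresh = refreshTokens.isEmpty()
                ? Optional.empty()
                : Optional.of(refreshTokens.get(refreshTokens.size() - 1).createdTime);
        // map() yields empty when getTimestamp() returns null.
        Optional<Instant> preferenceTime = prefs.map(OAuthPreferences.OAuthClientSettings::getTimestamp);
        if (oldestRefresh.isEmpty()) {
            return preferenceTime;
        }
        if (preferenceTime.isEmpty()) {
            return oldestRefresh;
        }
        return Optional.of(oldestRefresh.get().isBefore(preferenceTime.get()) ? oldestRefresh.get() : preferenceTime.get());
    }

    /**
     * The token's effective scopes, each replaced by the endpoint's scope description when one
     * is configured; unknown or undescribed scopes are shown by name.
     */
    private List<String> describeScopes(OAuthTokenWithTime token, OAuthServiceConfiguration service) {
        List<String> described = new ArrayList<>();
        for (String scopeName : token.token.getEffectiveScope()) {
            String description = service.scopes.stream()
                    .filter(scope -> scope.name.equals(scopeName))
                    .findFirst()
                    .map(scope -> scope.description)
                    .orElse(null);
            described.add(description == null ? scopeName : description);
        }
        return described;
    }

    /**
     * Groups the current user's consent preferences and owned tokens by client id
     * (the client's {@code userName}).
     */
    private Map<String, TokensAndPreferences> getClientPreferencesAndTokensGroupedByClient() throws EngineException {
        Map<String, TokensAndPreferences> byClient = new HashMap<>();
        OAuthPreferences preferences = getPreferences();
        for (String clientId : preferences.getKeys()) {
            OAuthPreferences.OAuthClientSettings settings = preferences.getSPSettings(clientId);
            TokensAndPreferences existing = byClient.get(clientId);
            if (existing == null) {
                byClient.put(clientId, new TokensAndPreferences(settings));
            } else {
                existing.setPreferences(settings);
            }
        }
        for (OAuthTokenWithTime token : getTokens()) {
            String clientId = token.token.getClientUsername();
            TokensAndPreferences existing = byClient.get(clientId);
            if (existing == null) {
                byClient.put(clientId, new TokensAndPreferences(token));
            } else {
                existing.getTokens().add(token);
            }
        }
        return byClient;
    }

    /** User stored "deny, and do not ask again". */
    private boolean isDisallowed(Optional<OAuthPreferences.OAuthClientSettings> prefs) {
        return prefs.isPresent() && !prefs.get().isDefaultAccept() && prefs.get().isDoNotAsk();
    }

    /** User stored "allow, and do not ask again". */
    private boolean isAllowedWithoutAsking(Optional<OAuthPreferences.OAuthClientSettings> prefs) {
        return prefs.isPresent() && prefs.get().isDefaultAccept() && prefs.get().isDoNotAsk();
    }

    /**
     * All access tokens followed by all refresh tokens owned by the current user (the
     * repositories' {@code getOwned*} methods scope to the caller). Token contents are parsed
     * from their stored JSON.
     */
    protected List<OAuthTokenWithTime> getTokens() throws EngineException {
        return Stream.concat(this.accessTokenDAO.getOwnedAccessTokens().stream(),
                        this.refreshTokenDAO.getOwnedRefreshTokens().stream())
                .map(stored -> new OAuthTokenWithTime(
                        stored.getType(),
                        stored.getCreated().toInstant(),
                        stored.getExpires() == null ? null : stored.getExpires().toInstant(),
                        OAuthToken.getInstanceFromJson(stored.getContents()),
                        stored.getValue()))
                .collect(Collectors.toList());
    }

    /** OAuth consent preferences of the logged-in entity; empty preferences when none are stored. */
    private OAuthPreferences getPreferences() throws EngineException {
        long entityId = InvocationContext.getCurrent().getLoginSession().getEntityId();
        String serialized = this.preferencesManagement.getPreference(new EntityParam(Long.valueOf(entityId)), OAuthPreferences.ID);
        OAuthPreferences preferences = new OAuthPreferences();
        if (serialized != null) {
            preferences.setSerializedConfiguration(JsonUtil.parse(serialized));
        }
        return preferences;
    }

    /**
     * Parses every deployed OAuth authorization endpoint. Each parse also resolves that
     * endpoint's clients group via the bulk service.
     */
    private List<OAuthServiceConfiguration> getServices() throws AuthorizationException {
        List<OAuthServiceConfiguration> services = new ArrayList<>();
        for (Endpoint endpoint : this.endpointManagement.getEndpoints()) {
            if (endpoint.getTypeId().equals(OAuthAuthzWebEndpoint.Factory.TYPE.getName())) {
                services.add(new OAuthServiceConfiguration(this.msg, endpoint.getConfiguration().getConfiguration(), this.scopesService));
            }
        }
        return services;
    }

    /** Drops the stored consent decision for the client from the current user's preferences. */
    private void clearPreferences(String clientId) throws EngineException {
        OAuthPreferences preferences = getPreferences();
        preferences.removeSPSettings(clientId);
        OAuthPreferences.savePreferences(this.preferencesManagement, preferences);
    }

    /** Lifts a stored "do not ask" decision (allow or deny) for the client; tokens are untouched. */
    @Override
    public synchronized void unblockAccess(ApplicationId applicationId) throws EngineException {
        clearPreferences(applicationId.id);
    }

    /**
     * Removes every token of the current user issued to the given client, then clears the
     * stored consent decision.
     *
     * <p>Only the caller's own tokens are iterated (see {@link #getTokens()}) and removal goes
     * through the secured token manager, so a forged {@code applicationId} cannot affect
     * another user's tokens. Removal is not transactional: if {@code removeToken} fails midway,
     * earlier removals stand and the preferences are left in place.
     */
    @Override
    public synchronized void revokeAccess(ApplicationId applicationId) throws EngineException {
        for (OAuthTokenWithTime token : getTokens()) {
            if (token.token.getClientUsername().equals(applicationId.id)) {
                this.tokenMan.removeToken(token.type, token.value);
            }
        }
        clearPreferences(applicationId.id);
    }

    @Override
    public AccessProtocol getSupportedProtocol() {
        return AccessProtocol.OAuth;
    }
}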
