package org.apache.cxf.rs.security.oidc.idp;

import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import java.util.logging.Level;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.AbstractFormImplicitResponse;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthError;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.provider.OAuthJoseJwtProducer;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.cxf.rs.security.oidc.utils.OidcUtils;

/* loaded from: input_file:org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.class */
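/**
 * OpenID Connect Implicit Flow authorization endpoint.
 *
 * <p>Builds on the plain OAuth2 implicit grant and adds the OIDC-specific rules
 * enforced below: a {@code nonce} request parameter is mandatory, {@code prompt=none}
 * may not be combined with other prompt values and is refused with
 * {@code consent_required} when user interaction would be needed, and an
 * {@code id_token} (alone, or next to an access token for the
 * {@code id_token token} response type) is returned in the redirect fragment or
 * in a form post.
 *
 * <p>Review notes on this revision: the JUL log call in {@link #startAuthorization}
 * used an SLF4J-style {@code {}} placeholder, which {@code java.util.logging} never
 * substitutes, and {@link #setSkipAuthorizationWithOidcScope(boolean)} ignored its
 * argument, so passing {@code false} still enabled the consent bypass.
 */
public class OidcImplicitService extends ImplicitGrantService {
    /** Response-type component and response parameter name carrying the ID token. */
    private static final String ID_TOKEN = "id_token";
    /** Exchange property under which an authorization code may be found for {@code c_hash} binding. */
    private static final String CODE_PROPERTY = "code";
    /** OAuth2 error code returned for malformed authorization requests. */
    private static final String INVALID_REQUEST = "invalid_request";

    /** Signs (or encrypts) the ID token; a default producer is used when none is configured. */
    private OAuthJoseJwtProducer idTokenHandler;
    /** Optional source of ID tokens; takes precedence over a token embedded in an {@link OidcUserSubject}. */
    private IdTokenProvider idTokenProvider;

    /** Registers the two supported response types: {@code id_token} and {@code id_token token}. */
    public OidcImplicitService() {
        super(new HashSet<>(Arrays.asList(ID_TOKEN, OidcUtils.ID_TOKEN_AT_RESPONSE_TYPE)));
    }

    /**
     * Constructor for subclasses wishing to register their own response types.
     *
     * @param set the set of supported {@code response_type} values
     * @param str the grant type handled by the parent service
     */
    public OidcImplicitService(Set<String> set, String str) {
        super(set, str);
    }

    /**
     * Only the {@code id_token token} response type yields an access token.
     *
     * <p>The comparison is exact: the alternative ordering {@code token id_token} is not
     * recognised here, and the default constructor does not register it either.
     *
     * @param str the requested {@code response_type}
     * @return {@code true} if an access token must be included in the response
     */
    protected boolean canAccessTokenBeReturned(String str) {
        return OidcUtils.ID_TOKEN_AT_RESPONSE_TYPE.equals(str);
    }

    /**
     * Validates the OIDC-specific request parameters before delegating to the parent flow.
     *
     * @param multivaluedMap the authorization request parameters
     * @param userSubject    the authenticated end user
     * @param client         the requesting client
     * @param str            the {@code state} value to echo in error responses
     * @return an {@code invalid_request} error response when the nonce is missing or the
     *         prompt combination is illegal, otherwise the parent's response
     */
    protected Response startAuthorization(MultivaluedMap<String, String> multivaluedMap, UserSubject userSubject, Client client, String str) {
        // The nonce is mandatory for the implicit flow; it is copied into the ID token
        // (see processIdToken) so the client can bind the token to its own request.
        if (multivaluedMap.getFirst(IdToken.NONCE_CLAIM) == null) {
            LOG.fine("A nonce is required for the Implicit flow");
            return createErrorResponse(multivaluedMap, str, INVALID_REQUEST);
        }
        List<String> promptValues = OidcUtils.getPromptValues(multivaluedMap);
        // "none" is only meaningful on its own; combined with other prompt values it is rejected.
        if (promptValues.size() > 1 && promptValues.contains(OidcUtils.PROMPT_NONE_VALUE)) {
            // java.util.logging substitutes indexed placeholders only; "{}" was logged literally.
            LOG.log(Level.FINE, "The prompt value {0} is invalid", multivaluedMap.getFirst(OidcUtils.PROMPT_PARAMETER));
            return createErrorResponse(multivaluedMap, str, INVALID_REQUEST);
        }
        return super.startAuthorization(multivaluedMap, userSubject, client, str);
    }

    /**
     * Decides whether the consent screen can be bypassed, honouring the OIDC {@code prompt} parameter.
     *
     * @param multivaluedMap the authorization request parameters
     * @param client         the requesting client
     * @param userSubject    the authenticated end user
     * @param list           the requested scopes
     * @param list2          the permissions matching those scopes
     * @return {@code false} when {@code prompt=consent} was requested, otherwise the parent's decision
     * @throws OAuthServiceException with {@code consent_required} when {@code prompt=none} was
     *         requested but the parent decided that consent is needed
     */
    protected boolean canAuthorizationBeSkipped(MultivaluedMap<String, String> multivaluedMap, Client client, UserSubject userSubject, List<String> list, List<OAuthPermission> list2) {
        List<String> promptValues = OidcUtils.getPromptValues(multivaluedMap);
        // prompt=consent always forces the consent screen, whatever the parent would decide.
        if (promptValues.contains(OidcUtils.PROMPT_CONSENT_VALUE)) {
            return false;
        }
        boolean skippable = super.canAuthorizationBeSkipped(multivaluedMap, client, userSubject, list, list2);
        // prompt=none forbids any interaction, so a non-skippable request must fail rather than prompt.
        if (!skippable && promptValues.contains(OidcUtils.PROMPT_NONE_VALUE)) {
            LOG.log(Level.FINE, "Prompt 'none' request can not be met");
            throw new OAuthServiceException(new OAuthError(OidcUtils.CONSENT_REQUIRED_ERROR));
        }
        return skippable;
    }

    /**
     * Controls whether a request limited to the {@code openid} scope bypasses the consent screen.
     *
     * @param z {@code true} marks the {@code openid} scope as not requiring consent;
     *          {@code false} clears the list of scopes requiring no consent. Previously the
     *          argument was ignored and {@code false} still enabled the bypass.
     */
    public void setSkipAuthorizationWithOidcScope(boolean z) {
        if (z) {
            super.setScopesRequiringNoConsent(Collections.singletonList(OidcUtils.OPENID_SCOPE));
        } else {
            super.setScopesRequiringNoConsent(Collections.<String>emptyList());
        }
    }

    /**
     * Builds the redirect URI whose fragment carries the ID token (and {@code state}).
     *
     * @param oAuthRedirectionState the captured request state (redirect URI, response type, nonce, state)
     * @param client                the requesting client
     * @param list                  the requested scopes
     * @param list2                 the approved scopes
     * @param userSubject           the authenticated end user
     * @param serverAccessToken     the issued access token, if any
     * @return the redirect URI with the response encoded in its fragment
     * @throws jakarta.ws.rs.InternalServerErrorException when an ID token is required but none can be produced
     */
    public StringBuilder prepareRedirectResponse(OAuthRedirectionState oAuthRedirectionState, Client client, List<String> list, List<String> list2, UserSubject userSubject, ServerAccessToken serverAccessToken) {
        // The access-token-carrying variant ("id_token token") is handled by the parent service.
        if (canAccessTokenBeReturned(oAuthRedirectionState.getResponseType())) {
            return super.prepareRedirectResponse(oAuthRedirectionState, client, list, list2, userSubject, serverAccessToken);
        }
        StringBuilder uri = getUriWithFragment(oAuthRedirectionState.getRedirectUri());
        String idToken = requireIdToken(oAuthRedirectionState, userSubject, list, list2);
        if (idToken != null) {
            // A compact JWS/JWE is base64url + dots, so it needs no further URL encoding here.
            uri.append(ID_TOKEN).append('=').append(idToken);
        }
        finalizeResponse(uri, oAuthRedirectionState);
        return uri;
    }

    /**
     * Builds the form-post response carrying the ID token.
     *
     * @param oAuthRedirectionState the captured request state (redirect URI, response type, nonce, state)
     * @param client                the requesting client
     * @param list                  the requested scopes
     * @param list2                 the approved scopes
     * @param userSubject           the authenticated end user
     * @param serverAccessToken     the issued access token, if any
     * @return the form response to be auto-submitted to the client's redirect URI
     * @throws jakarta.ws.rs.InternalServerErrorException when an ID token is required but none can be produced
     */
    public AbstractFormImplicitResponse prepareFormResponse(OAuthRedirectionState oAuthRedirectionState, Client client, List<String> list, List<String> list2, UserSubject userSubject, ServerAccessToken serverAccessToken) {
        // The access-token-carrying variant ("id_token token") is handled by the parent service.
        if (canAccessTokenBeReturned(oAuthRedirectionState.getResponseType())) {
            return super.prepareFormResponse(oAuthRedirectionState, client, list, list2, userSubject, serverAccessToken);
        }
        String idToken = requireIdToken(oAuthRedirectionState, userSubject, list, list2);
        FormIdTokenResponse response = new FormIdTokenResponse();
        response.setIdToken(idToken);
        response.setResponseType(oAuthRedirectionState.getResponseType());
        response.setRedirectUri(oAuthRedirectionState.getRedirectUri());
        response.setState(oAuthRedirectionState.getState());
        return response;
    }

    /**
     * Produces the ID token for a response, failing with HTTP 500 when the response type asks
     * for one but no token can be produced (no {@link IdTokenProvider}, no {@link OidcUserSubject}).
     * Shared by the redirect and form-post paths so both enforce the same check.
     *
     * @return the serialized ID token, or {@code null} only if the response type does not include {@code id_token}
     */
    private String requireIdToken(OAuthRedirectionState state, UserSubject userSubject, List<String> list, List<String> list2) {
        String idToken = getProcessedIdToken(state, userSubject, getApprovedScope(list, list2));
        if (idToken == null && state.getResponseType().contains(ID_TOKEN)) {
            LOG.warning("No IdToken available. Did you configure a IdTokenProvider implementation?");
            throw ExceptionUtils.toInternalServerErrorException((Throwable) null, (Response) null);
        }
        return idToken;
    }

    /**
     * Resolves the serialized ID token from, in order of precedence: a pre-minted token stored in the
     * subject's properties, the configured {@link IdTokenProvider}, or the token embedded in an
     * {@link OidcUserSubject}.
     *
     * @return the serialized ID token, or {@code null} when none of the three sources applies
     */
    private String getProcessedIdToken(OAuthRedirectionState oAuthRedirectionState, UserSubject userSubject, List<String> list) {
        // NOTE(review): a token found under the "id_token" property is returned verbatim -
        // neither the request nonce nor the client audience is applied on this path, so the
        // component that stores it must already have bound them. Confirm against that producer.
        if (userSubject.getProperties().containsKey(ID_TOKEN)) {
            return (String) userSubject.getProperties().get(ID_TOKEN);
        }
        if (this.idTokenProvider != null) {
            return processIdToken(oAuthRedirectionState, this.idTokenProvider.getIdToken(oAuthRedirectionState.getClientId(), userSubject, list));
        }
        if (!(userSubject instanceof OidcUserSubject)) {
            return null;
        }
        // Copy the embedded token and pin aud/azp to the requesting client before signing.
        IdToken idToken = new IdToken(((OidcUserSubject) userSubject).getIdToken());
        idToken.setAudience(oAuthRedirectionState.getClientId());
        idToken.setAuthorizedParty(oAuthRedirectionState.getClientId());
        return processIdToken(oAuthRedirectionState, idToken);
    }

    /**
     * Rebuilds the redirection state from request parameters and additionally captures the
     * OIDC {@code claims} parameter on it.
     *
     * @param multivaluedMap the authorization request parameters
     * @return the reconstructed state
     */
    protected OAuthRedirectionState recreateRedirectionStateFromParams(MultivaluedMap<String, String> multivaluedMap) {
        OAuthRedirectionState state = super.recreateRedirectionStateFromParams(multivaluedMap);
        OidcUtils.setStateClaimsProperty(state, multivaluedMap);
        return state;
    }

    /**
     * Finalises and serializes an ID token: adds {@code c_hash} when an authorization code is present
     * on the current exchange, copies the request nonce, and signs/encrypts via the configured handler.
     *
     * @param oAuthRedirectionState the captured request state supplying the nonce
     * @param idToken               the claims to serialize
     * @return the compact serialized token
     */
    protected String processIdToken(OAuthRedirectionState oAuthRedirectionState, IdToken idToken) {
        OAuthJoseJwtProducer producer = this.idTokenHandler == null ? new OAuthJoseJwtProducer() : this.idTokenHandler;
        String code = (String) JAXRSUtils.getCurrentMessage().getExchange().get(CODE_PROPERTY);
        if (code != null) {
            // c_hash must be computed with the same algorithm the token is signed with: the
            // client-secret (HMAC) algorithm when signing with the secret, else the configured
            // asymmetric algorithm, defaulting to RS256.
            Properties signatureProps = JwsUtils.loadSignatureOutProperties(false);
            SignatureAlgorithm algorithm = producer.isSignWithClientSecret()
                ? OAuthUtils.getClientSecretSignatureAlgorithm(signatureProps)
                : JwsUtils.getSignatureAlgorithm(signatureProps, SignatureAlgorithm.RS256);
            idToken.setAuthorizationCodeHash(OidcUtils.calculateAuthorizationCodeHash(code, algorithm));
        }
        // Echo the request nonce so the client can detect replayed tokens.
        idToken.setNonce(oAuthRedirectionState.getNonce());
        return producer.processJwt(new JwtToken(idToken));
    }

    /**
     * Configures the JOSE producer used to sign/encrypt ID tokens.
     *
     * @param oAuthJoseJwtProducer the producer; when {@code null} a default one is created per token
     */
    public void setIdTokenJoseHandler(OAuthJoseJwtProducer oAuthJoseJwtProducer) {
        this.idTokenHandler = oAuthJoseJwtProducer;
    }

    /**
     * Configures the provider consulted for ID tokens when the subject carries no pre-minted token.
     *
     * @param idTokenProvider the provider, or {@code null} to rely on {@link OidcUserSubject} tokens only
     */
    public void setIdTokenProvider(IdTokenProvider idTokenProvider) {
        this.idTokenProvider = idTokenProvider;
    }
}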
