package org.opends.server.protocols.http.authz;

import java.util.ArrayList;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.forgerock.http.filter.Filters;
import org.forgerock.http.handler.HttpClientHandler;
import org.forgerock.http.oauth2.AccessTokenResolver;
import org.forgerock.http.oauth2.resolver.CachingAccessTokenResolver;
import org.forgerock.json.JsonException;
import org.forgerock.json.JsonPointer;
import org.forgerock.opendj.config.server.ConfigException;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.rest2ldap.authz.Authorization;
import org.forgerock.opendj.rest2ldap.authz.ConditionalFilters;
import org.forgerock.opendj.server.config.server.HTTPOauth2AuthorizationMechanismCfg;
import org.forgerock.util.Options;
import org.forgerock.util.PerItemEvictionStrategyCache;
import org.forgerock.util.time.Duration;
import org.forgerock.util.time.TimeService;
import org.opends.messages.ConfigMessages;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.ServerContext;
import org.opends.server.extensions.ExtensionsConstants;
import org.opends.server.types.CryptoManager;
import org.opends.server.types.DirectoryException;

/* JADX WARN: Classes with same name are omitted:
  input_file:embedded-opendj/opendj.zip:opendj/lib/opendj.jar:org/opends/server/protocols/http/authz/HttpOAuth2AuthorizationMechanism.class
 */
/* loaded from: input_file:embedded-opendj/opendj.zip:opendj/lib/org.openidentityplatform.opendj.opendj-server-legacy.jar:org/opends/server/protocols/http/authz/HttpOAuth2AuthorizationMechanism.class */
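/**
 * Base class for the OAuth2 HTTP authorization mechanisms.
 *
 * <p>The mechanism validates the bearer token with an {@link AccessTokenResolver} supplied by the
 * concrete subclass, optionally caches the resolver's answers, then maps the authenticated
 * identity (taken from the token's JSON at the configured pointer) onto an LDAP entry through
 * the configured identity mapper.
 *
 * @param <T> the configuration type of the concrete mechanism
 */
abstract class HttpOAuth2AuthorizationMechanism<T extends HTTPOauth2AuthorizationMechanismCfg> extends HttpAuthorizationMechanism<T> {
    /** Priority passed to the parent mechanism; every OAuth2 flavour shares the same value. */
    private static final int HTTP_OAUTH2_PRIORITY = 100;
    /**
     * Evictor shared by all access-token caches. It is never shut down here, so it lives for the
     * lifetime of the class (and therefore of the server process).
     */
    private static final ScheduledExecutorService CACHE_EVICTOR = Executors.newSingleThreadScheduledExecutor();
    /** Mechanism configuration, kept for subclasses building their resolver. */
    protected final T config;
    /** Server context, used here for the schema needed by the proxy-authz filter. */
    protected final ServerContext serverContext;
    /** The assembled filter chain (OAuth2 resource-server filter followed by identity mapping). */
    private final ConditionalFilters.ConditionalFilter delegate;

    /**
     * Builds the OAuth2 filter chain for the given configuration.
     *
     * <p>Note that {@link #newAccessTokenResolver()} is an overridable method invoked from this
     * constructor; subclasses must therefore not depend on their own fields being initialised
     * when it runs. (The decompiler reports this constructor was originally package-private; it
     * is kept public here so existing callers are unaffected.)
     *
     * @param t the mechanism configuration
     * @param serverContext the server context
     * @throws ConfigException if the authzid JSON pointer is not valid, or if the subclass cannot
     *         build its access-token resolver
     */
    public HttpOAuth2AuthorizationMechanism(T t, ServerContext serverContext) throws ConfigException {
        super(t.dn(), HTTP_OAUTH2_PRIORITY);
        this.config = t;
        this.serverContext = serverContext;
        try {
            // Fail fast on a malformed pointer: the constructor throws JsonException, which is
            // turned into a ConfigException below so the admin sees which DN is misconfigured.
            new JsonPointer(t.getAuthzidJsonPointer());

            AccessTokenResolver resolver = newAccessTokenResolver();
            if (t.isAccessTokenCacheEnabled()) {
                // Both the default and the maximum per-item timeout are the configured expiration,
                // so a cached resolution is served for at most that long.
                // NOTE(review): presumably a revoked token keeps being accepted until its cache
                // entry expires — confirm against CachingAccessTokenResolver before relying on
                // short revocation latency.
                Duration cacheExpiration = Duration.duration(t.getAccessTokenCacheExpiration().longValue(), TimeUnit.SECONDS);
                PerItemEvictionStrategyCache tokenCache = new PerItemEvictionStrategyCache(CACHE_EVICTOR, cacheExpiration);
                tokenCache.setMaxTimeout(cacheExpiration);
                resolver = new CachingAccessTokenResolver(TimeService.SYSTEM, resolver, tokenCache);
            }

            // The authzid template selects, from the token's JSON, the value identifying the user.
            ConditionalFilters.ConditionalFilter oauth2Filter = Authorization.newConditionalOAuth2ResourceServerFilter(
                    "no_realm",
                    t.getRequiredScope(),
                    resolver,
                    "u:{" + t.getAuthzidJsonPointer() + ExtensionsConstants.STORAGE_SCHEME_SUFFIX);

            // Chain: token validation first, then mapping of the resulting authzid to an LDAP entry.
            InternalProxyAuthzFilter proxyAuthzFilter = new InternalProxyAuthzFilter(
                    DirectoryServer.getIdentityMapper(t.getIdentityMapperDN()), serverContext.getSchema());
            this.delegate = ConditionalFilters.newConditionalFilter(
                    Filters.chainOf(oauth2Filter.getFilter(), proxyAuthzFilter),
                    oauth2Filter.getCondition());
        } catch (JsonException e) {
            throw new ConfigException(ConfigMessages.ERR_CONFIG_OAUTH2_INVALID_JSON_POINTER.get(t.dn(), t.getAuthzidJsonPointer(), e.getMessage()), e);
        }
    }

    /**
     * Creates the resolver that validates access tokens for this mechanism.
     *
     * <p>Called once, from the constructor, before any caching wrapper is applied.
     *
     * @return a new access-token resolver
     * @throws ConfigException if the resolver cannot be built from the configuration
     */
    abstract AccessTokenResolver newAccessTokenResolver() throws ConfigException;

    /**
     * Returns the filter chain assembled in the constructor.
     *
     * @return the conditional filter wrapping token validation and identity mapping
     */
    @Override
    final ConditionalFilters.ConditionalFilter getDelegate() {
        return this.delegate;
    }

    /**
     * Builds the HTTP client options used by resolvers that talk to a remote token endpoint.
     *
     * <p>TLS material comes from the server's own providers: the trust manager provider at
     * {@code trustManagerProviderDn}, the key manager provider at {@code keyManagerProviderDn},
     * and the cipher suites / protocols of the server's crypto manager.
     *
     * <p>NOTE(review): when a DN is {@code null} the corresponding option is set to {@code null};
     * what {@code HttpClientHandler} then uses for trust (or client authentication) is not
     * visible here — confirm that default before relying on it for the token-endpoint connection.
     *
     * @param dn DN of the trust manager provider, or {@code null} for none
     * @param dn2 DN of the key manager provider, or {@code null} for none
     * @return the populated options
     * @throws ConfigException if a provider cannot supply its managers
     */
    public static Options toHttpOptions(DN dn, DN dn2) throws ConfigException {
        try {
            Options options = Options.defaultOptions();
            options.set(HttpClientHandler.OPTION_TRUST_MANAGERS,
                    dn != null ? DirectoryServer.getTrustManagerProvider(dn).getTrustManagers() : null);
            options.set(HttpClientHandler.OPTION_KEY_MANAGERS,
                    dn2 != null ? DirectoryServer.getKeyManagerProvider(dn2).getKeyManagers() : null);

            // Copy the lists so the options hold their own snapshot of the crypto manager's values.
            CryptoManager cryptoManager = DirectoryServer.getInstance().getServerContext().getCryptoManager();
            options.set(HttpClientHandler.OPTION_SSL_CIPHER_SUITES, new ArrayList<>(cryptoManager.getSslCipherSuites()));
            options.set(HttpClientHandler.OPTION_SSL_ENABLED_PROTOCOLS, new ArrayList<>(cryptoManager.getSslProtocols()));
            return options;
        } catch (DirectoryException e) {
            throw new ConfigException(e.getMessageObject(), e);
        }
    }
}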
