package org.forgerock.openam.oauth2;

import com.iplanet.am.sdk.AMHashMap;
import com.iplanet.am.util.SystemProperties;
import com.iplanet.dpro.session.SessionException;
import com.iplanet.dpro.session.service.SessionService;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdSearchControl;
import com.sun.identity.idm.IdType;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.sm.DNMapper;
import com.sun.identity.sm.SMSException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.text.DateFormat;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import javax.script.ScriptException;
import javax.script.SimpleBindings;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.forgerock.oauth2.core.AccessToken;
import org.forgerock.oauth2.core.ClientRegistration;
import org.forgerock.oauth2.core.OAuth2ProviderSettings;
import org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory;
import org.forgerock.oauth2.core.OAuth2Request;
import org.forgerock.oauth2.core.ScopeValidator;
import org.forgerock.oauth2.core.Token;
import org.forgerock.oauth2.core.UserInfoClaims;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.InvalidScopeException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.oauth2.core.exceptions.UnauthorizedClientException;
import org.forgerock.openam.agent.TokenRestrictionResolver;
import org.forgerock.openam.scripting.ScriptEvaluator;
import org.forgerock.openam.scripting.ScriptObject;
import org.forgerock.openam.scripting.SupportedScriptingLanguage;
import org.forgerock.openam.scripting.service.ScriptConfiguration;
import org.forgerock.openam.scripting.service.ScriptingServiceFactory;
import org.forgerock.openam.utils.OpenAMSettings;
import org.forgerock.openam.utils.OpenAMSettingsImpl;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.openidconnect.OpenIDTokenIssuer;
import org.forgerock.openidconnect.OpenIdConnectClientRegistration;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
import org.restlet.Request;
import org.restlet.ext.servlet.ServletUtils;

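@Singleton
/* loaded from: input_file:org/forgerock/openam/oauth2/OpenAMScopeValidator.class */
/**
 * OpenAM's {@link ScopeValidator}: decides which scopes a client may receive, builds the
 * OIDC userinfo / id_token claims by running the realm's claims script, and (for agent
 * clients only) hands the end user's SSO session token to the client inside the claims.
 *
 * Security notes grounded in this listing:
 * <ul>
 *   <li>Requested scopes are intersected with the client's allowed scopes; any scope not
 *       in the allowed set is rejected rather than silently dropped (no scope escalation).</li>
 *   <li>The claims script is selected by a realm-level provider setting, not by anything in
 *       the request. It is handed the resource owner's {@code AMIdentity}, the user's
 *       {@code SSOToken} and a logger, so the script runs with read access to the session.</li>
 *   <li>{@link #getRestrictedTokenId} runs under the admin token obtained via
 *       {@code AdminTokenAction}; when unique SSO token cookies are disabled the
 *       <em>unrestricted</em> session token ID is released to the agent client.</li>
 * </ul>
 *
 * This listing is decompiled output; {@link #evaluateScope} could not be recovered by the
 * decompiler and is left as the stub the tool emitted.
 */
public class OpenAMScopeValidator implements ScopeValidator {
    private static final String MULTI_ATTRIBUTE_SEPARATOR = ",";
    private static final String DEFAULT_TIMESTAMP = "0";
    // SimpleDateFormat is not thread-safe: every parse() below is done inside
    // synchronized (TIMESTAMP_DATE_FORMAT). NOTE(review): the pattern uses the 12-hour
    // field "hh" and no time zone; it only yields correct epoch seconds for 24-hour input
    // because parsing is lenient, and a UTC ("...Z") datastore timestamp is interpreted in
    // the JVM's default zone — confirm against the configured timestamp attribute format.
    private static final DateFormat TIMESTAMP_DATE_FORMAT = new SimpleDateFormat("yyyyMMddhhmmss");
    private final OAuth2ProviderSettingsFactory providerSettingsFactory;
    private final Debug logger = Debug.getInstance("OAuth2Provider");
    private final IdentityManager identityManager;
    private final OpenIDTokenIssuer openIDTokenIssuer;
    private final OpenAMSettings openAMSettings;
    private final ScriptEvaluator scriptEvaluator;
    private final ScriptingServiceFactory scriptingServiceFactory;
    private final TokenRestrictionResolver agentValidator;
    private final SessionService sessionService;

    /**
     * Constructs the validator; all collaborators are injected.
     *
     * @param identityManager          resolves the resource owner's {@link AMIdentity}
     * @param openIDTokenIssuer        issues id_tokens at the token endpoint
     * @param oAuth2ProviderSettingsFactory per-request provider settings
     * @param openAMSettings           used for the SSO cookie name
     * @param scriptEvaluator          evaluator for the OIDC claims script (named binding)
     * @param scriptingServiceFactory  looks up the configured claims script per realm
     * @param tokenRestrictionResolver resolves the agent token restriction for restricted tokens
     * @param sessionService           mints restricted session token IDs
     */
    @Inject
    public OpenAMScopeValidator(IdentityManager identityManager, OpenIDTokenIssuer openIDTokenIssuer, OAuth2ProviderSettingsFactory oAuth2ProviderSettingsFactory, OpenAMSettings openAMSettings, @Named("OIDC_CLAIMS") ScriptEvaluator scriptEvaluator, ScriptingServiceFactory scriptingServiceFactory, TokenRestrictionResolver tokenRestrictionResolver, SessionService sessionService) {
        this.identityManager = identityManager;
        this.openIDTokenIssuer = openIDTokenIssuer;
        this.providerSettingsFactory = oAuth2ProviderSettingsFactory;
        this.openAMSettings = openAMSettings;
        this.scriptEvaluator = scriptEvaluator;
        this.scriptingServiceFactory = scriptingServiceFactory;
        this.agentValidator = tokenRestrictionResolver;
        this.sessionService = sessionService;
    }

    /**
     * Validates scopes requested at the authorization endpoint against the client's
     * registered default and allowed scopes.
     *
     * @throws InvalidScopeException if an unknown scope was requested, or nothing was
     *                               requested and the client has no default scopes
     */
    @Override // org.forgerock.oauth2.core.ScopeValidator
    public Set<String> validateAuthorizationScope(ClientRegistration clientRegistration, Set<String> set, OAuth2Request oAuth2Request) throws InvalidScopeException, ServerException {
        return validateScopes(set, clientRegistration.getDefaultScopes(), clientRegistration.getAllowedScopes(), oAuth2Request);
    }

    /**
     * Validates scopes requested at the token endpoint; same policy as the authorization
     * endpoint.
     */
    @Override // org.forgerock.oauth2.core.ScopeValidator
    public Set<String> validateAccessTokenScope(ClientRegistration clientRegistration, Set<String> set, OAuth2Request oAuth2Request) throws InvalidScopeException, ServerException {
        return validateScopes(set, clientRegistration.getDefaultScopes(), clientRegistration.getAllowedScopes(), oAuth2Request);
    }

    /**
     * Validates scopes requested on refresh. Both the default and the allowed set are the
     * scopes of the refresh token itself ({@code set2}), so a refresh can narrow but never
     * widen the originally granted scope.
     */
    @Override // org.forgerock.oauth2.core.ScopeValidator
    public Set<String> validateRefreshTokenScope(ClientRegistration clientRegistration, Set<String> set, Set<String> set2, OAuth2Request oAuth2Request) throws ServerException, InvalidScopeException {
        return validateScopes(set, set2, set2, oAuth2Request);
    }

    /**
     * Core scope policy.
     *
     * @param set            scopes requested by the client (may be null/empty)
     * @param set2           default scopes used when nothing was requested
     * @param set3           scopes the client is allowed to obtain
     * @param oAuth2Request  the request, for error context
     * @return the granted scopes: the defaults, or the intersection of requested and allowed
     * @throws InvalidScopeException if any requested scope is outside the allowed set, or the
     *                               resulting set is empty. The message echoes the offending
     *                               scope names from the request.
     */
    private Set<String> validateScopes(Set<String> set, Set<String> set2, Set<String> set3, OAuth2Request oAuth2Request) throws InvalidScopeException, ServerException {
        Set<String> set4;
        if (set == null || set.isEmpty()) {
            set4 = set2;
        } else {
            set4 = new HashSet(set3);
            set4.retainAll(set);
            // Anything requested that survived neither the intersection is unknown/not
            // allowed for this client: fail closed instead of silently dropping it.
            if (set.size() > set4.size()) {
                HashSet hashSet = new HashSet(set);
                hashSet.removeAll(set3);
                throw InvalidScopeException.create("Unknown/invalid scope(s): " + hashSet.toString(), oAuth2Request);
            }
        }
        if (set4 == null || set4.isEmpty()) {
            throw InvalidScopeException.create("No scope requested and no default scope configured", oAuth2Request);
        }
        return set4;
    }

    /**
     * Builds the claims for the userinfo endpoint or for an id_token by evaluating the
     * realm's OIDC claims script.
     *
     * When an access token is present, the realm, scopes and resource owner come from the
     * token and {@code sub} / {@code updated_at} are pre-populated. Otherwise (authorize
     * endpoint issuing an id_token) the realm and user come from the caller's SSO session
     * and the scopes from the request's {@code scope} parameter.
     *
     * The script is given: scopes, the resource owner's identity, the logger, the claims
     * map so far, the user's SSO session and the parsed {@code claims} request parameter.
     * For agent clients the user's session token ID is added to the claims afterwards.
     *
     * @throws NotFoundException if the identity/session cannot be resolved (ServerException
     *                           and SSOException are mapped to it), or there is no valid
     *                           session to fall back on when no access token is present
     */
    @Override // org.forgerock.oauth2.core.ScopeValidator
    public UserInfoClaims getUserInfo(ClientRegistration clientRegistration, AccessToken accessToken, OAuth2Request oAuth2Request) throws UnauthorizedClientException, NotFoundException {
        String orgNameToRealmName;
        AMIdentity resourceOwnerIdentity;
        Set<String> splitScope;
        HashMap hashMap = new HashMap();
        SimpleBindings simpleBindings = new SimpleBindings();
        SSOToken usersSession = getUsersSession(oAuth2Request);
        OAuth2ProviderSettings oAuth2ProviderSettings = this.providerSettingsFactory.get(oAuth2Request);
        Map<String, Set<String>> gatherRequestedClaims = gatherRequestedClaims(oAuth2ProviderSettings, oAuth2Request, accessToken);
        try {
            if (accessToken != null) {
                orgNameToRealmName = accessToken.getRealm();
                splitScope = accessToken.getScope();
                resourceOwnerIdentity = this.identityManager.getResourceOwnerIdentity(accessToken.getResourceOwnerId(), orgNameToRealmName);
                addSubToResponseIfOpenIdConnect(clientRegistration, accessToken, hashMap, oAuth2ProviderSettings);
                hashMap.put("updated_at", getUpdatedAt(accessToken.getResourceOwnerId(), accessToken.getRealm(), oAuth2Request));
            } else {
                // No token: the only authority for "who is the user" is the SSO session.
                // Without one there is nothing to build claims from; fail explicitly
                // instead of dereferencing null.
                if (usersSession == null) {
                    throw new NotFoundException("No valid session found");
                }
                orgNameToRealmName = DNMapper.orgNameToRealmName(usersSession.getProperty("Organization"));
                resourceOwnerIdentity = this.identityManager.getResourceOwnerIdentity(usersSession.getProperty("UserId"), orgNameToRealmName);
                splitScope = org.forgerock.oauth2.core.Utils.splitScope((String) oAuth2Request.getParameter("scope"));
            }
            simpleBindings.put("scopes", getScriptFriendlyScopes(splitScope));
            simpleBindings.put("identity", resourceOwnerIdentity);
            simpleBindings.put("logger", this.logger);
            simpleBindings.put("claims", hashMap);
            simpleBindings.put("session", usersSession);
            simpleBindings.put("requestedClaims", gatherRequestedClaims);
            try {
                UserInfoClaims userInfoClaims = (UserInfoClaims) this.scriptEvaluator.evaluateScript(getOIDCClaimsExtensionScript(orgNameToRealmName), simpleBindings);
                return isAgentRequest(clientRegistration) ? addRestrictedSSOTokenToUserInfoClaims(userInfoClaims, clientRegistration, orgNameToRealmName, usersSession) : userInfoClaims;
            } catch (ScriptException e) {
                this.logger.message("Error running OIDC claims script", e);
                throw new ServerException("Error running OIDC claims script: " + e.getMessage());
            }
        } catch (ServerException | SSOException e2) {
            throw new NotFoundException(e2.getMessage());
        }
    }

    /**
     * Adds the {@code sub} claim when the client is an OpenID Connect client; the value is
     * computed by the client registration (pairwise/public subject handling lives there).
     */
    private void addSubToResponseIfOpenIdConnect(ClientRegistration clientRegistration, AccessToken accessToken, Map<String, Object> map, OAuth2ProviderSettings oAuth2ProviderSettings) {
        if (clientRegistration instanceof OpenIdConnectClientRegistration) {
            map.put("sub", ((OpenIdConnectClientRegistration) clientRegistration).getSubValue(accessToken.getResourceOwnerId(), oAuth2ProviderSettings));
        }
    }

    /** True when the client is a policy agent registration (the only case that gets an SSO token back). */
    private boolean isAgentRequest(ClientRegistration clientRegistration) {
        return clientRegistration instanceof AgentClientRegistration;
    }

    /**
     * Adds the user's session token ID under the {@code ssoToken} claim for agent clients.
     * Note that if {@link #getRestrictedTokenId} fails it returns null, and a null-valued
     * {@code ssoToken} claim is put into the map as-is.
     *
     * @param sSOToken the end user's session; must be non-null (used to derive the token ID)
     */
    private UserInfoClaims addRestrictedSSOTokenToUserInfoClaims(UserInfoClaims userInfoClaims, ClientRegistration clientRegistration, String str, SSOToken sSOToken) {
        String restrictedTokenId = getRestrictedTokenId(clientRegistration, str, sSOToken);
        Map<String, Object> values = userInfoClaims.getValues();
        values.put("ssoToken", restrictedTokenId);
        return new UserInfoClaims(values, userInfoClaims.getCompositeScopes());
    }

    /** Defensive copy so the script cannot mutate the caller's scope set; null becomes empty. */
    private Set<String> getScriptFriendlyScopes(Set<String> set) {
        return set == null ? new HashSet() : new HashSet(set);
    }

    /**
     * Returns a session token ID for the agent client.
     *
     * If {@code com.sun.identity.enableUniqueSSOTokenCookie} is false this is the user's
     * <em>unrestricted</em> session token ID — a bearer credential for the whole session —
     * so this path should only ever be reachable for trusted agent registrations. When the
     * property is true, a restricted token is minted instead, bound to the agent's
     * restriction resolved by {@code agentValidator}; that resolution runs with the admin
     * token from {@code AdminTokenAction}.
     *
     * @return the token ID, or null if minting the restricted token failed (logged at warning)
     */
    private String getRestrictedTokenId(ClientRegistration clientRegistration, String str, SSOToken sSOToken) {
        if (!SystemProperties.getAsBoolean("com.sun.identity.enableUniqueSSOTokenCookie")) {
            return sSOToken.getTokenID().toString();
        }
        try {
            return this.sessionService.getRestrictedTokenId(sSOToken.getTokenID().toString(), this.agentValidator.resolve(clientRegistration.getClientId(), str, (SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance())));
        } catch (SSOException | IdRepoException | SMSException | SessionException e) {
            this.logger.warning("Failed to get restricted session token", e);
            return null;
        }
    }

    /**
     * Picks the requested-claims JSON and the member to read from it. Without an access
     * token the {@code claims} request parameter is used and the {@code id_token} member is
     * read; with one, the claims stored on the token are used and the member depends on
     * whether the resource being served is {@code userinfo}.
     */
    private Map<String, Set<String>> gatherRequestedClaims(OAuth2ProviderSettings oAuth2ProviderSettings, OAuth2Request oAuth2Request, AccessToken accessToken) {
        Request request = oAuth2Request.getRequest();
        if (accessToken == null) {
            return gatherRequestedClaims(oAuth2ProviderSettings, (String) oAuth2Request.getParameter("claims"), "id_token");
        }
        String claims = accessToken.getClaims();
        // Null-safe comparison: a reference with no last segment must not NPE here.
        return "userinfo".equals(request.getResourceRef().getLastSegment()) ? gatherRequestedClaims(oAuth2ProviderSettings, claims, "userinfo") : gatherRequestedClaims(oAuth2ProviderSettings, claims, "id_token");
    }

    /**
     * Parses the client-supplied {@code claims} JSON (OIDC Core "claims" request parameter)
     * into claim name -> requested values. Only honoured when the provider advertises
     * {@code claims_parameter_supported}.
     *
     * @param str  the raw JSON, possibly null
     * @param str2 the member to read ({@code "userinfo"} or {@code "id_token"})
     * @return a map of claim name to the set of values from {@code values[]} plus
     *         {@code value}; an empty set when the claim carries no constraint. Malformed
     *         JSON, or a missing member, yields an empty map (logged, not propagated).
     */
    private Map<String, Set<String>> gatherRequestedClaims(OAuth2ProviderSettings oAuth2ProviderSettings, String str, String str2) {
        HashMap hashMap = new HashMap();
        try {
            if (oAuth2ProviderSettings.getClaimsParameterSupported() && str != null) {
                try {
                    JSONObject jSONObject = new JSONObject(str).getJSONObject(str2);
                    Iterator<String> keys = jSONObject.keys();
                    while (keys.hasNext()) {
                        String next = keys.next();
                        JSONObject optJSONObject = jSONObject.optJSONObject(next);
                        HashSet hashSet = new HashSet();
                        if (optJSONObject != null) {
                            JSONArray optJSONArray = optJSONObject.optJSONArray("values");
                            if (optJSONArray != null) {
                                for (int i = 0; i < optJSONArray.length(); i++) {
                                    hashSet.add(optJSONArray.getString(i));
                                }
                            }
                            String optString = optJSONObject.optString("value");
                            if (!StringUtils.isBlank(optString)) {
                                hashSet.add(optString);
                            }
                        }
                        hashMap.put(next, hashSet);
                    }
                } catch (JSONException e) {
                    // Best-effort by design: an unparseable or incomplete claims parameter
                    // is ignored, but leave a trace so bad client input is diagnosable.
                    this.logger.message("Unable to parse requested claims", e);
                }
            }
        } catch (ServerException e2) {
            this.logger.message("Requested Claims Supported not set.");
        }
        return hashMap;
    }

    /**
     * Resolves the caller's SSO session: the session ID carried on the OAuth2Request, else
     * the value of the SSO cookie (if several cookies share the name, the last one wins).
     * The ID is validated by {@code SSOTokenManager.createSSOToken}; an invalid ID yields
     * null rather than an exception.
     *
     * @return the session token, or null if no session ID was found or it was invalid
     */
    private SSOToken getUsersSession(OAuth2Request oAuth2Request) {
        String session = oAuth2Request.getSession();
        if (session == null) {
            HttpServletRequest request = ServletUtils.getRequest(oAuth2Request.getRequest());
            // The Restlet request may not be servlet-backed; treat that as "no cookie".
            if (request != null && request.getCookies() != null) {
                String sSOCookieName = this.openAMSettings.getSSOCookieName();
                for (Cookie cookie : request.getCookies()) {
                    if (cookie.getName().equals(sSOCookieName)) {
                        session = cookie.getValue();
                    }
                }
            }
        }
        SSOToken sSOToken = null;
        if (session != null) {
            try {
                sSOToken = SSOTokenManager.getInstance().createSSOToken(session);
            } catch (SSOException e) {
                this.logger.message("Session Id is not valid");
            }
        }
        return sSOToken;
    }

    /**
     * Loads the OIDC claims script configured for the realm. The script is chosen by the
     * realm's {@code forgerock-oauth2-provider-oidc-claims-extension-script} setting; the
     * sentinel {@code [Empty]} means "no script" and yields an empty JavaScript script.
     *
     * @param str the realm
     * @throws ServerException if the setting or the script cannot be read
     */
    private ScriptObject getOIDCClaimsExtensionScript(String str) throws ServerException {
        try {
            String stringSetting = new OpenAMSettingsImpl("OAuth2Provider", "1.0").getStringSetting(str, "forgerock-oauth2-provider-oidc-claims-extension-script");
            if ("[Empty]".equals(stringSetting)) {
                return new ScriptObject("oidc-claims-script", "", SupportedScriptingLanguage.JAVASCRIPT);
            }
            ScriptConfiguration scriptConfiguration = getScriptConfiguration(str, stringSetting);
            return new ScriptObject(scriptConfiguration.getName(), scriptConfiguration.getScript(), scriptConfiguration.getLanguage());
        } catch (org.forgerock.openam.scripting.ScriptException | SSOException | SMSException e) {
            this.logger.message("Error running OIDC claims script", e);
            throw new ServerException("Error running OIDC claims script: " + e.getMessage());
        }
    }

    /** Looks up script {@code str2} in realm {@code str}'s scripting service. */
    private ScriptConfiguration getScriptConfiguration(String str, String str2) throws org.forgerock.openam.scripting.ScriptException {
        return this.scriptingServiceFactory.create(str).get(str2);
    }

    // NOTE(review): the decompiler could not recover this method; the stub below is the
    // tool's placeholder, not the shipped behaviour. Consult the original source before
    // relying on anything about evaluateScope.
    /* JADX WARN: Removed duplicated region for block: B:15:0x007f  */
    @Override // org.forgerock.oauth2.core.ScopeValidator
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public java.util.Map<java.lang.String, java.lang.Object> evaluateScope(org.forgerock.oauth2.core.AccessToken r5) {
        /*
            Method dump skipped, instructions count: 274
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.forgerock.openam.oauth2.OpenAMScopeValidator.evaluateScope(org.forgerock.oauth2.core.AccessToken):java.util.Map");
    }

    /**
     * Extra values for the authorize endpoint response. Only when
     * {@code response_mode=fragment}: asks for fragment return and sets {@code session_state}
     * to the request's {@code nonce} parameter (it is not derived from the session).
     */
    @Override // org.forgerock.oauth2.core.ScopeValidator
    public Map<String, String> additionalDataToReturnFromAuthorizeEndpoint(Map<String, Token> map, OAuth2Request oAuth2Request) {
        HashMap hashMap = new HashMap();
        if ("fragment".equals(oAuth2Request.getParameter("response_mode"))) {
            hashMap.put("returnLocation", "fragment");
            hashMap.put("session_state", (String) oAuth2Request.getParameter("nonce"));
        }
        return hashMap;
    }

    /**
     * At the token endpoint, issues an id_token alongside the access token when the granted
     * scope contains {@code openid}, attaching it to the token's extra data.
     */
    @Override // org.forgerock.oauth2.core.ScopeValidator
    public void additionalDataToReturnFromTokenEndpoint(AccessToken accessToken, OAuth2Request oAuth2Request) throws ServerException, InvalidClientException, NotFoundException {
        Map.Entry<String, String> issueToken;
        Set<String> scope = accessToken.getScope();
        if (scope == null || !scope.contains("openid") || (issueToken = this.openIDTokenIssuer.issueToken(accessToken, oAuth2Request)) == null) {
            return;
        }
        accessToken.addExtraData(issueToken.getKey(), issueToken.getValue());
    }

    /**
     * Computes the {@code updated_at} claim (epoch seconds) from the user's modified
     * timestamp attribute, falling back to the created timestamp attribute.
     *
     * @param str  the resource owner ID
     * @param str2 the realm
     * @return epoch seconds as a string; {@code "0"} when neither attribute has a value or
     *         the datastore read fails; null when no attribute names are configured or the
     *         value cannot be parsed / the identity lookup fails
     */
    private String getUpdatedAt(String str, String str2, OAuth2Request oAuth2Request) throws NotFoundException {
        String l;
        String l2;
        try {
            OAuth2ProviderSettings oAuth2ProviderSettings = this.providerSettingsFactory.get(oAuth2Request);
            try {
                String modifiedTimestampAttributeName = oAuth2ProviderSettings.getModifiedTimestampAttributeName();
                String createdTimestampAttributeName = oAuth2ProviderSettings.getCreatedTimestampAttributeName();
                if (modifiedTimestampAttributeName == null && createdTimestampAttributeName == null) {
                    return null;
                }
                AMHashMap timestamps = getTimestamps(str, str2, modifiedTimestampAttributeName, createdTimestampAttributeName);
                String mapAttr = CollectionHelper.getMapAttr(timestamps, modifiedTimestampAttributeName);
                if (mapAttr != null) {
                    // Shared SimpleDateFormat: serialise access.
                    synchronized (TIMESTAMP_DATE_FORMAT) {
                        l2 = Long.toString(TIMESTAMP_DATE_FORMAT.parse(mapAttr).getTime() / 1000);
                    }
                    return l2;
                }
                String mapAttr2 = CollectionHelper.getMapAttr(timestamps, createdTimestampAttributeName);
                if (mapAttr2 == null) {
                    return DEFAULT_TIMESTAMP;
                }
                synchronized (TIMESTAMP_DATE_FORMAT) {
                    l = Long.toString(TIMESTAMP_DATE_FORMAT.parse(mapAttr2).getTime() / 1000);
                }
                return l;
            } catch (ServerException e) {
                this.logger.error("Unable to read last modified attribute from datastore", e);
                return DEFAULT_TIMESTAMP;
            }
        } catch (ParseException e2) {
            this.logger.warning("Error getting updatedAt attribute", e2);
            return null;
        } catch (SSOException e3) {
            this.logger.warning("Error getting updatedAt attribute", e3);
            return null;
        } catch (IdRepoException e4) {
            if (!this.logger.errorEnabled()) {
                return null;
            }
            this.logger.error("ScopeValidatorImpl.getUpdatedAt: error searching Identities with username : " + str, e4);
            return null;
        }
    }

    /**
     * Reads the two timestamp attributes for user {@code str} in realm {@code str2} using an
     * identity repository opened with the admin token. The first search result is used.
     * NOTE(review): {@code setMaxResults(0)} is passed through to IdSearchControl; whether
     * 0 means "unlimited" here is not established by this listing.
     *
     * @throws IdRepoException if the search returned no result (also logged as a warning)
     */
    private AMHashMap getTimestamps(String str, String str2, String str3, String str4) throws IdRepoException, SSOException {
        AMIdentityRepository aMIdentityRepository = new AMIdentityRepository((SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance()), str2);
        IdSearchControl idSearchControl = new IdSearchControl();
        idSearchControl.setReturnAttributes(new HashSet(Arrays.asList(str3, str4)));
        idSearchControl.setMaxResults(0);
        Iterator it = aMIdentityRepository.searchIdentities(IdType.USER, str, idSearchControl).getResultAttributes().values().iterator();
        if (it.hasNext()) {
            return (AMHashMap) it.next();
        }
        this.logger.warning("Error retrieving timestamps from datastore");
        throw new IdRepoException();
    }
}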
