package org.forgerock.oauth2.core;

import com.google.common.base.Predicates;
import com.google.common.collect.Maps;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.inject.Inject;
import org.forgerock.oauth2.core.exceptions.AccessDeniedException;
import org.forgerock.oauth2.core.exceptions.BadRequestException;
import org.forgerock.oauth2.core.exceptions.ClientAuthenticationFailureFactory;
import org.forgerock.oauth2.core.exceptions.CsrfException;
import org.forgerock.oauth2.core.exceptions.DuplicateRequestParameterException;
import org.forgerock.oauth2.core.exceptions.InteractionRequiredException;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.InvalidRequestException;
import org.forgerock.oauth2.core.exceptions.InvalidScopeException;
import org.forgerock.oauth2.core.exceptions.LoginRequiredException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException;
import org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired;
import org.forgerock.oauth2.core.exceptions.ResourceOwnerConsentRequired;
import org.forgerock.oauth2.core.exceptions.ResourceOwnerConsentRequiredException;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.oauth2.core.exceptions.UnauthorizedClientException;
import org.forgerock.oauth2.core.exceptions.UnsupportedResponseTypeException;
import org.forgerock.openam.utils.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/forgerock/oauth2/core/AuthorizationService.class */
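/**
 * Handles the two steps of the OAuth2 authorization endpoint: the initial authorization request,
 * which may require the resource owner's consent, and the submission of that consent decision.
 *
 * <p>Both entry points run every configured {@link AuthorizeRequestValidator}, resolve the client
 * from the {@code client_id} request parameter, validate the resource owner's session and delegate
 * token creation to the {@link AuthorizationTokenIssuer}.
 */
public class AuthorizationService {
    private final Logger logger = LoggerFactory.getLogger("OAuth2Provider");
    private final List<AuthorizeRequestValidator> requestValidators;
    private final ResourceOwnerSessionValidator resourceOwnerSessionValidator;
    private final OAuth2ProviderSettingsFactory providerSettingsFactory;
    private final ResourceOwnerConsentVerifier consentVerifier;
    private final ClientRegistrationStore clientRegistrationStore;
    private final AuthorizationTokenIssuer tokenIssuer;
    // Injected but not referenced by any method of this class.
    private final ClientAuthenticationFailureFactory failureFactory;
    private final CsrfProtection csrfProtection;

    /**
     * Creates the service from its injected collaborators.
     *
     * @param list validators run, in list order, against every authorization request
     * @param resourceOwnerSessionValidator resolves the resource owner from the request
     * @param oAuth2ProviderSettingsFactory supplies the provider settings for a request
     * @param resourceOwnerConsentVerifier decides whether consent has already been given
     * @param clientRegistrationStore looks up client registrations by client id
     * @param authorizationTokenIssuer issues the tokens once the request is authorized
     * @param clientAuthenticationFailureFactory stored only; unused in this class
     * @param csrfProtection checks consent submissions for CSRF
     */
    @Inject
    public AuthorizationService(
            List<AuthorizeRequestValidator> list,
            ResourceOwnerSessionValidator resourceOwnerSessionValidator,
            OAuth2ProviderSettingsFactory oAuth2ProviderSettingsFactory,
            ResourceOwnerConsentVerifier resourceOwnerConsentVerifier,
            ClientRegistrationStore clientRegistrationStore,
            AuthorizationTokenIssuer authorizationTokenIssuer,
            ClientAuthenticationFailureFactory clientAuthenticationFailureFactory,
            CsrfProtection csrfProtection) {
        this.requestValidators = list;
        this.resourceOwnerSessionValidator = resourceOwnerSessionValidator;
        this.providerSettingsFactory = oAuth2ProviderSettingsFactory;
        this.consentVerifier = resourceOwnerConsentVerifier;
        this.clientRegistrationStore = clientRegistrationStore;
        this.tokenIssuer = authorizationTokenIssuer;
        this.failureFactory = clientAuthenticationFailureFactory;
        this.csrfProtection = csrfProtection;
    }

    /**
     * Handles the initial authorization request.
     *
     * <p>Consent is skipped only when the provider allows clients to skip consent AND the client
     * registration marks consent as implied. Otherwise the consent verifier is asked whether the
     * saved consent covers the validated scope; if it does not, the method throws
     * {@link ResourceOwnerConsentRequired} carrying what the consent page needs.
     *
     * @param oAuth2Request the authorization request
     * @return the issued authorization token(s)
     * @throws ResourceOwnerConsentRequired if the resource owner still has to give consent
     */
    public AuthorizationToken authorize(OAuth2Request oAuth2Request)
            throws ResourceOwnerAuthenticationRequired, ResourceOwnerConsentRequired,
            InvalidClientException, UnsupportedResponseTypeException, RedirectUriMismatchException,
            InvalidRequestException, AccessDeniedException, ServerException, LoginRequiredException,
            BadRequestException, InteractionRequiredException, ResourceOwnerConsentRequiredException,
            InvalidScopeException, NotFoundException, DuplicateRequestParameterException {
        OAuth2ProviderSettings settings = this.providerSettingsFactory.get(oAuth2Request);
        for (AuthorizeRequestValidator validator : this.requestValidators) {
            validator.validateRequest(oAuth2Request);
        }
        ClientRegistration clientRegistration =
                this.clientRegistrationStore.get((String) oAuth2Request.getParameter("client_id"), oAuth2Request);
        Set<String> requestedScope = Utils.splitScope((String) oAuth2Request.getParameter("scope"));
        Set<String> validatedScope =
                settings.validateAuthorizationScope(clientRegistration, requestedScope, oAuth2Request);
        ResourceOwner resourceOwner = this.resourceOwnerSessionValidator.validate(oAuth2Request);

        // Both the provider-level and the client-level flag must be set to bypass consent.
        boolean consentRequired = !(settings.clientsCanSkipConsent() && clientRegistration.isConsentImplied());
        if (consentRequired
                && !this.consentVerifier.verify(
                        settings.isConsentSaved(resourceOwner, clientRegistration.getClientId(), validatedScope),
                        oAuth2Request, clientRegistration)) {
            Locale locale = getLocale(
                    (String) oAuth2Request.getParameter("ui_locales"),
                    (String) oAuth2Request.getParameter("locale"));
            if (locale == null) {
                locale = oAuth2Request.getLocale();
            }

            UserInfoClaims userInfoClaims = null;
            try {
                userInfoClaims = settings.getUserInfo(
                        clientRegistration, (AccessToken) oAuth2Request.getToken(AccessToken.class), oAuth2Request);
            } catch (UnauthorizedClientException e) {
                this.logger.debug("Couldn't get user info - continuing to display consent page without claims.", e);
            }

            String displayName = clientRegistration.getDisplayName(locale);
            if (displayName == null) {
                displayName = clientRegistration.getClientId();
                this.logger.warn("Client does not have a display name or client name set. using client ID {} for display", displayName);
            }
            String displayDescription = clientRegistration.getDisplayDescription(locale);

            Map<String, String> scopeDescriptions =
                    getScopeDescriptions(validatedScope, clientRegistration.getScopeDescriptions(locale));
            // userInfoClaims stays null when getUserInfo was rejected above; dereferencing it here
            // used to turn the intended "consent page without claims" path into a
            // NullPointerException.
            // NOTE(review): ResourceOwnerConsentRequired now receives a null UserInfoClaims on
            // this path - confirm that its consumers tolerate that.
            Map<String, String> claimDescriptions = userInfoClaims == null
                    ? java.util.Collections.<String, String>emptyMap()
                    : getClaimDescriptions(userInfoClaims.getValues(), clientRegistration.getClaimDescriptions(locale));

            throw new ResourceOwnerConsentRequired(
                    displayName,
                    displayDescription == null ? "" : displayDescription,
                    scopeDescriptions,
                    claimDescriptions,
                    userInfoClaims,
                    resourceOwner.getName(settings),
                    settings.isSaveConsentEnabled());
        }

        // NOTE(review): consent is evaluated against validatedScope, but the issuer is handed the
        // raw requested scope. Confirm that issueTokens validates the scope itself; otherwise
        // tokens could carry scope that was never validated or consented to.
        return this.tokenIssuer.issueTokens(oAuth2Request, clientRegistration, resourceOwner, requestedScope, settings);
    }

    /**
     * Picks the locale for the consent page: {@code ui_locales} wins over {@code locale}.
     *
     * <p>NOTE(review): OpenID Connect defines {@code ui_locales} as a space-separated preference
     * list. {@link Locale#forLanguageTag} does not split such a list and returns an empty,
     * non-null locale for ill-formed input, so the caller's null fallback is not used in that
     * case - confirm whether multi-valued {@code ui_locales} has to be supported.
     *
     * @return the parsed locale, or {@code null} when both parameters are empty
     */
    private Locale getLocale(String uiLocales, String locale) {
        if (!StringUtils.isEmpty(uiLocales)) {
            return Locale.forLanguageTag(uiLocales);
        }
        return StringUtils.isEmpty(locale) ? null : Locale.forLanguageTag(locale);
    }

    /** Returns a view of the client's claim descriptions limited to the claims present in {@code claims}. */
    private Map<String, String> getClaimDescriptions(Map<String, Object> claims, Map<String, String> descriptions) {
        return Maps.filterKeys(descriptions, Predicates.in(claims.keySet()));
    }

    /** Returns a view of the client's scope descriptions limited to the scopes in {@code scopes}. */
    private Map<String, String> getScopeDescriptions(Set<String> scopes, Map<String, String> descriptions) {
        return Maps.filterKeys(descriptions, Predicates.in(scopes));
    }

    /**
     * Handles the submission of the resource owner's consent decision.
     *
     * <p>The CSRF check runs after the request validators and before the session is validated,
     * any consent is saved or any token is issued.
     *
     * @param oAuth2Request the consent submission request
     * @param z whether the resource owner authorized the request; {@code false} is rejected with
     *     {@link AccessDeniedException}
     * @param z2 whether the consent is to be saved for this resource owner, client and validated
     *     scope
     * @return the issued authorization token(s)
     * @throws CsrfException if the CSRF protection flags the request
     * @throws AccessDeniedException if the resource owner did not authorize the request
     */
    public AuthorizationToken authorize(OAuth2Request oAuth2Request, boolean z, boolean z2)
            throws AccessDeniedException, ResourceOwnerAuthenticationRequired, InvalidClientException,
            UnsupportedResponseTypeException, InvalidRequestException, RedirectUriMismatchException,
            ServerException, LoginRequiredException, BadRequestException, InteractionRequiredException,
            InvalidScopeException, NotFoundException, DuplicateRequestParameterException, CsrfException {
        OAuth2ProviderSettings settings = this.providerSettingsFactory.get(oAuth2Request);
        for (AuthorizeRequestValidator validator : this.requestValidators) {
            validator.validateRequest(oAuth2Request);
        }

        if (this.csrfProtection.isCsrfAttack(oAuth2Request)) {
            // NOTE(review): a rejected consent submission is recorded at debug level only, so it
            // is invisible with default logging; consider a higher level or an audit event.
            this.logger.debug("Session id from consent request does not match users session");
            throw new CsrfException();
        }

        ResourceOwner resourceOwner = this.resourceOwnerSessionValidator.validate(oAuth2Request);
        ClientRegistration clientRegistration =
                this.clientRegistrationStore.get((String) oAuth2Request.getParameter("client_id"), oAuth2Request);
        if (!z) {
            this.logger.debug("Resource Owner did not authorize the request");
            throw new AccessDeniedException(
                    "Resource Owner did not authorize the request",
                    Utils.getRequiredUrlLocation(oAuth2Request, clientRegistration));
        }

        Set<String> requestedScope = Utils.splitScope((String) oAuth2Request.getParameter("scope"));
        Set<String> validatedScope =
                settings.validateAuthorizationScope(clientRegistration, requestedScope, oAuth2Request);
        if (z2) {
            // Consent is persisted for the validated scope, not for the raw request parameter.
            settings.saveConsent(resourceOwner, clientRegistration.getClientId(), validatedScope);
        }

        // NOTE(review): as in the single-argument overload, the issuer receives the raw requested
        // scope while consent was saved for validatedScope - confirm issueTokens validates it.
        return this.tokenIssuer.issueTokens(oAuth2Request, clientRegistration, resourceOwner, requestedScope, settings);
    }
}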
