package org.forgerock.openidconnect;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.sun.identity.shared.validation.ValidationException;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import javax.inject.Inject;
import javax.inject.Singleton;
import org.forgerock.json.JsonException;
import org.forgerock.json.JsonValue;
import org.forgerock.json.JsonValueException;
import org.forgerock.oauth2.core.AccessTokenVerifier;
import org.forgerock.oauth2.core.OAuth2ProviderSettings;
import org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory;
import org.forgerock.oauth2.core.OAuth2Request;
import org.forgerock.oauth2.core.TokenStore;
import org.forgerock.oauth2.core.exceptions.AccessDeniedException;
import org.forgerock.oauth2.core.exceptions.InvalidRequestException;
import org.forgerock.oauth2.core.exceptions.InvalidTokenException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.oauth2.core.exceptions.UnauthorizedClientException;
import org.forgerock.oauth2.core.exceptions.UnsupportedResponseTypeException;
import org.forgerock.openam.oauth2.OAuth2Constants;
import org.forgerock.openam.oauth2.OAuth2Utils;
import org.forgerock.openam.oauth2.validation.OpenIDConnectURLValidator;
import org.forgerock.openam.utils.JsonValueBuilder;
import org.forgerock.openidconnect.Client;
import org.forgerock.openidconnect.exceptions.InvalidClientMetadata;
import org.forgerock.openidconnect.exceptions.InvalidPostLogoutRedirectUri;
import org.forgerock.openidconnect.exceptions.InvalidRedirectUri;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

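/**
 * OpenID Connect Dynamic Client Registration service.
 *
 * <p>{@link #createRegistration} validates the client metadata carried in the request body, builds a
 * {@link Client} and stores it through the {@link ClientDAO}; {@link #getRegistration} serves the client
 * configuration read request once the caller proves possession of that client's registration access token.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Registration requires a valid access token on the request unless the provider has enabled open
 *       dynamic client registration.</li>
 *   <li>{@code sector_identifier_uri} is dereferenced by this server, so only https URLs are fetched.
 *       {@code jwks_uri} is only checked for URL syntax here; whatever fetches it later must apply its own
 *       scheme policy.</li>
 *   <li>The registration access token presented on read is compared null-safely and in constant time.</li>
 *   <li>A registrant may supply its own {@code client_id}, {@code client_secret} and registration access
 *       token; none of them is strength-checked in this class.</li>
 * </ul>
 */
@Singleton
public class OpenIdConnectClientRegistrationService {
    /** id_token signing algorithm recorded when none is requested (HS256 is an HMAC, i.e. a symmetric algorithm). */
    private static final String ID_TOKEN_SIGNED_RESPONSE_ALG_DEFAULT = "HS256";
    /** application_type recorded when none is requested. */
    private static final String DEFAULT_APPLICATION_TYPE = "web";
    /** Response member pointing at this client's configuration endpoint. */
    private static final String REGISTRATION_CLIENT_URI = "registration_client_uri";
    /** Response member for the secret's expiry; always 0 here, which RFC 7591 defines as "does not expire". */
    private static final String EXPIRES_AT = "client_secret_expires_at";
    /** Appended to the deployment URL to build {@link #REGISTRATION_CLIENT_URI}. */
    private static final String REGISTRATION_PATH = "/oauth2/connect/register?client_id=";

    private final ClientDAO clientDAO;
    private final OAuth2ProviderSettingsFactory providerSettingsFactory;
    private final AccessTokenVerifier tokenVerifier;
    private final TokenStore tokenStore;
    private final OpenIDConnectURLValidator urlValidator;
    private final Logger logger = LoggerFactory.getLogger("OAuth2Provider");
    /** Used only to fetch and parse the sector identifier document. */
    private final ObjectMapper mapper = new ObjectMapper();

    /**
     * Guice-injected constructor.
     *
     * @param clientDAO                    persistence for registered clients.
     * @param oAuth2ProviderSettingsFactory provider settings lookup, keyed by the incoming request (realm).
     * @param accessTokenVerifier          verifies the access token on a registration request.
     * @param tokenStore                   used to mint a registration access token when the provider allows it.
     * @param openIDConnectURLValidator    validator applied to redirect and post-logout redirect URIs.
     */
    @Inject
    OpenIdConnectClientRegistrationService(ClientDAO clientDAO, OAuth2ProviderSettingsFactory oAuth2ProviderSettingsFactory,
            AccessTokenVerifier accessTokenVerifier, TokenStore tokenStore, OpenIDConnectURLValidator openIDConnectURLValidator) {
        this.clientDAO = clientDAO;
        this.providerSettingsFactory = oAuth2ProviderSettingsFactory;
        this.tokenVerifier = accessTokenVerifier;
        this.tokenStore = tokenStore;
        this.urlValidator = openIDConnectURLValidator;
    }

    /**
     * Handles a client registration request.
     *
     * @param accessToken   token to store as the client's registration access token when the body does not
     *                      supply one (presumably the bearer token on this request; may be null under open
     *                      registration).
     * @param deploymentUrl base URL used to build the {@code registration_client_uri} response member.
     * @param oAuth2Request the registration request; its body carries the client metadata.
     * @return the registered client's metadata in registration-response format.
     * @throws AccessDeniedException   when open registration is disabled and the request's access token is not valid.
     * @throws InvalidClientMetadata   when any metadata value is unsupported, mistyped, or inconsistent.
     * @throws InvalidRedirectUri      when a redirect_uris entry fails {@link OpenIDConnectURLValidator}.
     * @throws InvalidPostLogoutRedirectUri when a post_logout_redirect_uris entry fails the same validator.
     */
    public JsonValue createRegistration(String accessToken, String deploymentUrl, OAuth2Request oAuth2Request)
            throws InvalidRedirectUri, InvalidClientMetadata, ServerException, UnsupportedResponseTypeException,
            AccessDeniedException, NotFoundException, InvalidPostLogoutRedirectUri {
        OAuth2ProviderSettings settings = this.providerSettingsFactory.get(oAuth2Request);
        // Anyone may register when open registration is enabled; otherwise the request must carry a valid access token.
        if (!settings.isOpenDynamicClientRegistrationAllowed()
                && !this.tokenVerifier.verify(oAuth2Request).isValid()) {
            throw new AccessDeniedException("Access Token not valid");
        }
        JsonValue body = oAuth2Request.getBody();
        warnOnUnknownAttributes(body);

        ClientBuilder builder = new ClientBuilder();
        try {
            applyKeyMaterial(body, builder);
            applyTokenEndpointAuthMethod(body, builder);
            applyClientCredentials(body, builder);
            applyClientType(body, builder);
            applyDefaultMaxAge(body, builder);
            List<String> redirectUris = applyRedirectUris(body, builder);
            applySectorIdentifierUri(body, builder, redirectUris);
            applyScopes(body, builder, settings);
            applyClientNames(body, builder);
            List<String> description = stringListAttr(body, OAuth2Constants.ShortClientAttributeNames.CLIENT_DESCRIPTION);
            if (description != null) {
                builder.setDisplayDescription(description);
            }
            applySubjectType(body, builder, settings);
            applyIdTokenSigningAlgorithm(body, builder, settings);
            applyPostLogoutRedirectUris(body, builder);
            applyRegistrationAccessToken(body, builder, accessToken);
            String sessionUri = stringAttr(body, OAuth2Constants.ShortClientAttributeNames.CLIENT_SESSION_URI);
            if (sessionUri != null) {
                builder.setClientSessionURI(sessionUri);
            }
            applyApplicationType(body, builder);
            List<String> displayName = stringListAttr(body, OAuth2Constants.ShortClientAttributeNames.DISPLAY_NAME);
            if (displayName != null) {
                builder.setDisplayName(displayName);
            }
            applyResponseTypes(body, builder, settings);
            applyTokenLifetimes(body, builder);
            List<String> contacts = stringListAttr(body, OAuth2Constants.ShortClientAttributeNames.CONTACTS);
            if (contacts != null) {
                builder.setContacts(contacts);
            }

            Client client = builder.createClient();
            // Mint a registration access token only when the provider allows it and none was stored above.
            if (settings.isRegistrationAccessTokenGenerationEnabled() && !client.hasAccessToken()) {
                client.setAccessToken(createRegistrationAccessToken(client, oAuth2Request));
            }
            this.clientDAO.create(client, oAuth2Request);
            if (this.logger.isInfoEnabled()) {
                this.logger.info("Registered OpenID Connect client: " + client.getClientID()
                        + ", name=" + client.getClientName() + ", type=" + client.getClientType());
            }
            Map<String, Object> response = convertClientReadResponseFormat(client.asMap());
            response.put(REGISTRATION_CLIENT_URI, deploymentUrl + REGISTRATION_PATH + client.getClientID());
            response.put(EXPIRES_AT, 0);
            return new JsonValue(response);
        } catch (JsonValueException e) {
            // asString()/asLong()/asList() throw this when an attribute has the wrong JSON type.
            this.logger.error("Unable to build client.", e);
            throw new InvalidClientMetadata();
        }
    }

    /** Logs (but does not reject) body members that are not known client attribute names. */
    private void warnOnUnknownAttributes(JsonValue body) {
        for (String key : body.keys()) {
            if (OAuth2Constants.ShortClientAttributeNames.fromString(key) == null) {
                this.logger.warn("Unknown input given. Key: " + key);
            }
        }
    }

    /** String value of {@code attr} in the body, or null when absent. */
    private static String stringAttr(JsonValue body, OAuth2Constants.ShortClientAttributeNames attr) {
        return body.get(attr.getType()).asString();
    }

    /** Long value of {@code attr} in the body, or null when absent. */
    private static Long longAttr(JsonValue body, OAuth2Constants.ShortClientAttributeNames attr) {
        return body.get(attr.getType()).asLong();
    }

    /** Long value of {@code attr} in the body, or 0 when absent. */
    private static long longOrZero(JsonValue body, OAuth2Constants.ShortClientAttributeNames attr) {
        Long value = longAttr(body, attr);
        return value == null ? 0L : value;
    }

    /** String-list value of {@code attr} in the body, or null when absent. */
    private static List<String> stringListAttr(JsonValue body, OAuth2Constants.ShortClientAttributeNames attr) {
        JsonValue value = body.get(attr.getType());
        return value.asList() == null ? null : value.asList(String.class);
    }

    /**
     * Records the client's public-key source: an inline {@code jwks} (must parse as JSON), a {@code jwks_uri}
     * (must parse as a URL), or — when neither is given — the {@code x509} selector.
     */
    private void applyKeyMaterial(JsonValue body, ClientBuilder builder) throws InvalidClientMetadata {
        boolean keySourceChosen = false;
        String jwks = stringAttr(body, OAuth2Constants.ShortClientAttributeNames.JWKS);
        if (jwks != null) {
            keySourceChosen = true;
            try {
                // Parse only, to reject malformed JSON before it is persisted.
                JsonValueBuilder.toJsonValue(jwks);
            } catch (JsonException e) {
                throw new InvalidClientMetadata("jwks must be valid JSON.");
            }
            builder.setJwks(jwks);
            builder.setPublicKeySelector(Client.PublicKeySelector.JWKS.getType());
        }
        String jwksUri = stringAttr(body, OAuth2Constants.ShortClientAttributeNames.JWKS_URI);
        if (jwksUri != null) {
            if (keySourceChosen) {
                throw new InvalidClientMetadata("Must define either jwks or jwks_uri, not both.");
            }
            keySourceChosen = true;
            try {
                // NOTE(review): syntax check only — no scheme (https) requirement is enforced on jwks_uri here.
                new URL(jwksUri);
            } catch (MalformedURLException e) {
                throw new InvalidClientMetadata("jwks_uri must be a valid URL.");
            }
            builder.setJwksUri(jwksUri);
            builder.setPublicKeySelector(Client.PublicKeySelector.JWKS_URI.getType());
        }
        String x509 = stringAttr(body, OAuth2Constants.ShortClientAttributeNames.X509);
        if (x509 != null) {
            builder.setX509(x509);
        }
        if (!keySourceChosen) {
            builder.setPublicKeySelector(Client.PublicKeySelector.X509.getType());
        }
    }

    /** token_endpoint_auth_method: defaults to client_secret_basic; anything unknown is rejected. */
    private void applyTokenEndpointAuthMethod(JsonValue body, ClientBuilder builder) throws InvalidClientMetadata {
        String method = stringAttr(body, OAuth2Constants.ShortClientAttributeNames.TOKEN_ENDPOINT_AUTH_METHOD);
        if (method == null) {
            builder.setTokenEndpointAuthMethod(Client.TokenEndpointAuthMethod.CLIENT_SECRET_BASIC.getType());
        } else if (Client.TokenEndpointAuthMethod.fromString(method) == null) {
            this.logger.error("Invalid token_endpoint_auth_method requested.");
            throw new InvalidClientMetadata("Invalid token_endpoint_auth_method requested.");
        } else {
            builder.setTokenEndpointAuthMethod(method);
        }
    }

    /**
     * client_id / client_secret: a registrant may choose both; otherwise random UUIDs are issued.
     * {@link UUID#randomUUID()} is SecureRandom-backed, so the generated values are suitable as credentials.
     * A caller-supplied secret is stored as given, with no strength check.
     */
    private static void applyClientCredentials(JsonValue body, ClientBuilder builder) {
        String clientId = stringAttr(body, OAuth2Constants.ShortClientAttributeNames.CLIENT_ID);
        // NOTE(review): whether a caller-chosen client_id that already exists is rejected depends on
        // ClientDAO.create — confirm it does not overwrite.
        builder.setClientID(clientId != null ? clientId : UUID.randomUUID().toString());
        String clientSecret = stringAttr(body, OAuth2Constants.ShortClientAttributeNames.CLIENT_SECRET);
        builder.setClientSecret(clientSecret != null ? clientSecret : UUID.randomUUID().toString());
    }

    /** client_type: defaults to confidential; anything unknown is rejected. */
    private void applyClientType(JsonValue body, ClientBuilder builder) throws InvalidClientMetadata {
        String clientType = stringAttr(body, OAuth2Constants.ShortClientAttributeNames.CLIENT_TYPE);
        if (clientType == null) {
            builder.setClientType(Client.ClientType.CONFIDENTIAL.getType());
        } else if (Client.ClientType.fromString(clientType) == null) {
            this.logger.error("Invalid client_type requested.");
            throw new InvalidClientMetadata("Invalid client_type requested");
        } else {
            builder.setClientType(clientType);
        }
    }

    /** default_max_age: enabled with the given value, or disabled with a placeholder of 1 when absent. */
    private static void applyDefaultMaxAge(JsonValue body, ClientBuilder builder) {
        Long maxAge = longAttr(body, OAuth2Constants.ShortClientAttributeNames.DEFAULT_MAX_AGE);
        builder.setDefaultMaxAge(maxAge != null ? maxAge : 1L);
        builder.setDefaultMaxAgeEnabled(maxAge != null);
    }

    /**
     * redirect_uris: every entry must pass the URL validator, or the whole registration is rejected.
     *
     * @return the accepted list, or an empty list when the attribute is absent (used by the sector identifier check).
     */
    private List<String> applyRedirectUris(JsonValue body, ClientBuilder builder) throws InvalidRedirectUri {
        List<String> redirectUris = stringListAttr(body, OAuth2Constants.ShortClientAttributeNames.REDIRECT_URIS);
        if (redirectUris == null) {
            return new ArrayList<>();
        }
        boolean allValid = true;
        for (String uri : redirectUris) {
            try {
                this.urlValidator.validate(uri);
            } catch (ValidationException e) {
                // Keep going so every bad entry is logged before rejecting.
                allValid = false;
                this.logger.error("The redirectUri: " + uri + " is invalid.");
            }
        }
        if (!allValid) {
            throw new InvalidRedirectUri();
        }
        builder.setRedirectionURIs(redirectUris);
        return redirectUris;
    }

    /**
     * sector_identifier_uri: the referenced document is fetched by this server and must be a JSON array that
     * lists every registered redirect URI.
     *
     * <p>Only https URLs are fetched. OIDC Dynamic Client Registration requires the https scheme for this
     * member, and refusing other schemes keeps a registrant from steering this server-side fetch at plain-http
     * endpoints. It is not a complete SSRF control — an https listener on an internal host is still
     * reachable — so egress policy for this deployment must be enforced at the network layer.
     */
    private void applySectorIdentifierUri(JsonValue body, ClientBuilder builder, List<String> redirectUris)
            throws InvalidClientMetadata {
        String sectorIdentifierUri = stringAttr(body, OAuth2Constants.ShortClientAttributeNames.SECTOR_IDENTIFIER_URI);
        if (sectorIdentifierUri == null) {
            return;
        }
        URL url;
        try {
            url = new URL(sectorIdentifierUri);
        } catch (MalformedURLException e) {
            this.logger.error("Invalid sector_identifier_uri requested.");
            throw new InvalidClientMetadata("Invalid sector_identifier_uri requested.");
        }
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            this.logger.error("sector_identifier_uri must use the https scheme.");
            throw new InvalidClientMetadata("sector_identifier_uri must be an https URL.");
        }
        List<?> sectorRedirectUris;
        try {
            sectorRedirectUris = this.mapper.readValue(url, List.class);
        } catch (IOException | RuntimeException e) {
            this.logger.error("Invalid sector_identifier_uri requested.", e);
            throw new InvalidClientMetadata("Invalid sector_identifier_uri requested.");
        }
        if (sectorRedirectUris == null || !sectorRedirectUris.containsAll(redirectUris)) {
            this.logger.error("redirect_uris not all included in the sector_identifier_uri document.");
            throw new InvalidClientMetadata("redirect_uris must all be listed in the sector_identifier_uri document.");
        }
        builder.setSectorIdentifierUri(sectorIdentifierUri);
    }

    /**
     * scopes / default_scopes: requested scopes must be among the provider's supported scopes
     * (case-insensitively); absent or empty scopes fall back to the provider defaults, and "openid" is always
     * added to the allowed grant scopes.
     */
    private void applyScopes(JsonValue body, ClientBuilder builder, OAuth2ProviderSettings settings)
            throws InvalidClientMetadata, ServerException, NotFoundException, UnsupportedResponseTypeException {
        List<String> scopes = stringListAttr(body, OAuth2Constants.ShortClientAttributeNames.SCOPES);
        if (scopes == null || scopes.isEmpty()) {
            scopes = new ArrayList<>(settings.getDefaultScopes());
        } else if (!containsAllCaseInsensitive(settings.getSupportedScopes(), scopes)) {
            this.logger.error("Invalid scopes requested.");
            throw new InvalidClientMetadata("Invalid scopes requested");
        }
        // Exact-case check here, unlike the support check above; copy first so a caller-owned list is not mutated.
        if (!scopes.contains("openid")) {
            scopes = new ArrayList<>(scopes);
            scopes.add("openid");
        }
        builder.setAllowedGrantScopes(scopes);

        List<String> defaultScopes = stringListAttr(body, OAuth2Constants.ShortClientAttributeNames.DEFAULT_SCOPES);
        if (defaultScopes != null) {
            if (!containsAllCaseInsensitive(settings.getSupportedScopes(), defaultScopes)) {
                throw new InvalidClientMetadata("Invalid default scopes requested.");
            }
            builder.setDefaultGrantScopes(defaultScopes);
        }
    }

    /**
     * client_name and its localised variants: a body key equal to {@code client_name} is stored as-is; any
     * other key starting with {@code client_name} is treated as {@code client_name<sep><locale>} and stored as
     * {@code "<locale>|<value>"} (the read path turns that back into {@code client_name#<locale>}).
     */
    private void applyClientNames(JsonValue body, ClientBuilder builder) throws InvalidClientMetadata {
        String nameKey = OAuth2Constants.ShortClientAttributeNames.CLIENT_NAME.getType();
        List<String> names = new ArrayList<>();
        for (String key : body.keys()) {
            if (key.equals(nameKey)) {
                names.add(body.get(key).asString());
            } else if (key.startsWith(nameKey)) {
                try {
                    // Skip the key plus one separator character; the separator itself is not checked.
                    String localeTag = key.substring(nameKey.length() + 1);
                    names.add(new Locale(localeTag).toString() + "|" + body.get(key).asString());
                } catch (Exception e) {
                    this.logger.error("Invalid locale for client_name.");
                    throw new InvalidClientMetadata("Invalid locale for client_name.");
                }
            }
        }
        builder.setClientName(names);
    }

    /** subject_type: defaults to public; must otherwise be one of the provider's supported subject types. */
    private void applySubjectType(JsonValue body, ClientBuilder builder, OAuth2ProviderSettings settings)
            throws InvalidClientMetadata, ServerException, NotFoundException, UnsupportedResponseTypeException {
        String subjectType = stringAttr(body, OAuth2Constants.ShortClientAttributeNames.SUBJECT_TYPE);
        if (subjectType == null) {
            builder.setSubjectType(Client.SubjectType.PUBLIC.getType());
        } else if (!settings.getSupportedSubjectTypes().contains(subjectType)) {
            this.logger.error("Invalid subject_type requested.");
            throw new InvalidClientMetadata("Invalid subject_type requested");
        } else {
            builder.setSubjectType(subjectType);
        }
    }

    /** id_token_signed_response_alg: defaults to HS256; must otherwise be a provider-supported algorithm. */
    private void applyIdTokenSigningAlgorithm(JsonValue body, ClientBuilder builder, OAuth2ProviderSettings settings)
            throws InvalidClientMetadata, ServerException, NotFoundException, UnsupportedResponseTypeException {
        String algorithm = stringAttr(body, OAuth2Constants.ShortClientAttributeNames.ID_TOKEN_SIGNED_RESPONSE_ALG);
        if (algorithm == null) {
            builder.setIdTokenSignedResponseAlgorithm(ID_TOKEN_SIGNED_RESPONSE_ALG_DEFAULT);
        } else if (!containsCaseInsensitive(settings.getSupportedIDTokenSigningAlgorithms(), algorithm)) {
            this.logger.error("Unsupported id_token_signed_response_alg requested.");
            throw new InvalidClientMetadata("Unsupported id_token_signed_response_alg requested.");
        } else {
            builder.setIdTokenSignedResponseAlgorithm(algorithm);
        }
    }

    /** post_logout_redirect_uris: every entry must pass the URL validator. */
    private void applyPostLogoutRedirectUris(JsonValue body, ClientBuilder builder) throws InvalidPostLogoutRedirectUri {
        List<String> uris = stringListAttr(body, OAuth2Constants.ShortClientAttributeNames.POST_LOGOUT_REDIRECT_URIS);
        if (uris == null) {
            return;
        }
        boolean allValid = true;
        for (String uri : uris) {
            try {
                this.urlValidator.validate(uri);
            } catch (ValidationException e) {
                allValid = false;
                this.logger.error("The post_logout_redirect_uris: {} is invalid.", uri);
            }
        }
        if (!allValid) {
            throw new InvalidPostLogoutRedirectUri();
        }
        builder.setPostLogoutRedirectionURIs(uris);
    }

    /**
     * registration_access_token: the registrant may pick the token that later guards its own registration
     * record; otherwise {@code presentedToken} is stored (possibly null, in which case
     * {@link #createRegistration} mints one afterwards if the provider allows).
     */
    private static void applyRegistrationAccessToken(JsonValue body, ClientBuilder builder, String presentedToken) {
        String requested = stringAttr(body, OAuth2Constants.ShortClientAttributeNames.REGISTRATION_ACCESS_TOKEN);
        builder.setAccessToken(requested != null ? requested : presentedToken);
    }

    /** application_type: defaults to web; an unknown value is rejected. */
    private void applyApplicationType(JsonValue body, ClientBuilder builder) throws InvalidClientMetadata {
        String applicationType = stringAttr(body, OAuth2Constants.ShortClientAttributeNames.APPLICATION_TYPE);
        if (applicationType == null) {
            builder.setApplicationType(DEFAULT_APPLICATION_TYPE);
        } else if (Client.ApplicationType.fromString(applicationType) == null) {
            this.logger.error("Invalid application_type requested.");
            throw new InvalidClientMetadata("Invalid application_type requested.");
        } else {
            // NOTE(review): the requested value is validated but "web" is stored regardless. Kept as the
            // existing behaviour; confirm whether non-web application types are meant to be recorded.
            builder.setApplicationType(Client.ApplicationType.WEB.getType());
        }
    }

    /**
     * response_types: defaults to ["code"]. Each entry is split on {@link OAuth2Utils#SCOPE_DELIMITER} and every
     * component must be one of the provider's allowed response types; the entries are stored unsplit.
     */
    private void applyResponseTypes(JsonValue body, ClientBuilder builder, OAuth2ProviderSettings settings)
            throws InvalidClientMetadata, ServerException, NotFoundException, UnsupportedResponseTypeException {
        List<String> responseTypes = stringListAttr(body, OAuth2Constants.ShortClientAttributeNames.RESPONSE_TYPES);
        if (responseTypes == null) {
            List<String> codeOnly = new ArrayList<>();
            codeOnly.add("code");
            builder.setResponseTypes(codeOnly);
            return;
        }
        List<String> components = new ArrayList<>();
        for (String responseType : responseTypes) {
            Collections.addAll(components, responseType.split(OAuth2Utils.SCOPE_DELIMITER));
        }
        if (!containsAllCaseInsensitive(settings.getAllowedResponseTypes().keySet(), components)) {
            this.logger.error("Invalid response_types requested.");
            throw new InvalidClientMetadata("Invalid response_types requested.");
        }
        builder.setResponseTypes(responseTypes);
    }

    /** Token lifetimes: each is stored as given, or as 0 when absent (presumably "provider default" downstream — confirm). */
    private static void applyTokenLifetimes(JsonValue body, ClientBuilder builder) {
        builder.setAuthorizationCodeLifeTime(longOrZero(body, OAuth2Constants.ShortClientAttributeNames.AUTHORIZATION_CODE_LIFE_TIME));
        builder.setAccessTokenLifeTime(longOrZero(body, OAuth2Constants.ShortClientAttributeNames.ACCESS_TOKEN_LIFE_TIME));
        builder.setRefreshTokenLifeTime(longOrZero(body, OAuth2Constants.ShortClientAttributeNames.REFRESH_TOKEN_LIFE_TIME));
        builder.setJwtTokenLifeTime(longOrZero(body, OAuth2Constants.ShortClientAttributeNames.JWT_TOKEN_LIFE_TIME));
    }

    /**
     * Rewrites the stored client_name list into response form: a plain entry becomes {@code client_name}, an
     * entry of the form {@code "<locale>|<value>"} becomes {@code client_name#<locale>}. Splits at the first
     * '|' only, so a name containing '|' survives and an empty value does not fail (String.split would drop the
     * trailing empty element and the [1] access would throw).
     */
    private Map<String, Object> convertClientReadResponseFormat(Map<String, Object> map) {
        String nameKey = OAuth2Constants.ShortClientAttributeNames.CLIENT_NAME.getType();
        Object stored = map.remove(nameKey);
        if (!(stored instanceof List)) {
            return map;
        }
        for (Object entry : (List<?>) stored) {
            if (entry == null) {
                continue;
            }
            String name = entry.toString();
            int separator = name.indexOf('|');
            if (separator < 0) {
                map.put(nameKey, name);
            } else {
                map.put(nameKey + "#" + name.substring(0, separator), name.substring(separator + 1));
            }
        }
        return map;
    }

    /**
     * Mints a bearer access token bound to the client, to serve as its registration access token.
     * The token id is what gets stored and later compared on read.
     */
    private String createRegistrationAccessToken(Client client, OAuth2Request oAuth2Request) throws ServerException, NotFoundException {
        return this.tokenStore.createAccessToken(null, "Bearer", null, client.getClientID(), client.getClientID(), null,
                Collections.<String>emptySet(), null, null, null, oAuth2Request).getTokenId();
    }

    /** True when every element of {@code list} matches some element of {@code set}, ignoring case. */
    private boolean containsAllCaseInsensitive(Set<String> set, List<String> list) {
        for (String candidate : list) {
            if (!containsCaseInsensitive(set, candidate)) {
                return false;
            }
        }
        return true;
    }

    /** True when {@code set} holds an element equal to {@code str}, ignoring case. */
    private boolean containsCaseInsensitive(Set<String> set, String str) {
        for (String element : set) {
            if (element.equalsIgnoreCase(str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Null-safe, constant-time comparison of the stored registration access token with the presented one.
     * A client registered without a token (generation disabled, none supplied) therefore never matches,
     * instead of raising a NullPointerException.
     */
    private static boolean tokensMatch(String stored, String presented) {
        if (stored == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Handles a client configuration read request.
     *
     * @param clientId      the client_id to read; required.
     * @param accessToken   the registration access token presented by the caller.
     * @param oAuth2Request the incoming request (used for realm/context by the DAO).
     * @return the client's metadata with the registration access token removed.
     * @throws InvalidRequestException when no client id is given.
     * @throws InvalidClientMetadata   when the DAO cannot read the client.
     * @throws InvalidTokenException   when the presented token does not match the stored one.
     */
    public JsonValue getRegistration(String clientId, String accessToken, OAuth2Request oAuth2Request)
            throws InvalidRequestException, InvalidClientMetadata, InvalidTokenException {
        if (clientId == null) {
            this.logger.error("ConnectClientRegistration.readRequest(): No client id sent");
            throw new InvalidRequestException();
        }
        Client client;
        try {
            client = this.clientDAO.read(clientId, oAuth2Request);
        } catch (UnauthorizedClientException e) {
            this.logger.error("ConnectClientRegistration.Validate(): Unable to create client", e);
            throw new InvalidClientMetadata();
        }
        if (!tokensMatch(client.getAccessToken(), accessToken)) {
            this.logger.error("ConnectClientRegistration.getClient(): Invalid accessToken");
            throw new InvalidTokenException();
        }
        // Never echo the registration access token back on read.
        client.remove(OAuth2Constants.ShortClientAttributeNames.REGISTRATION_ACCESS_TOKEN.getType());
        JsonValue response = new JsonValue(convertClientReadResponseFormat(client.asMap()));
        response.put(EXPIRES_AT, 0);
        return response;
    }
}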
