package org.forgerock.openidconnect;

import com.google.inject.Key;
import com.google.inject.TypeLiteral;
import com.google.inject.name.Names;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.shared.debug.Debug;
import java.net.URI;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.json.JsonValue;
import org.forgerock.json.jose.common.JwtReconstruction;
import org.forgerock.json.jose.jws.SignedJwt;
import org.forgerock.json.jose.jws.SigningManager;
import org.forgerock.json.jose.jwt.Jwt;
import org.forgerock.oauth2.core.ClientRegistration;
import org.forgerock.oauth2.core.ClientRegistrationStore;
import org.forgerock.oauth2.core.OAuth2Request;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.oauth2.core.exceptions.UnauthorizedClientException;
import org.forgerock.openam.cts.CTSPersistentStore;
import org.forgerock.openam.cts.adapters.TokenAdapter;
import org.forgerock.openam.utils.OpenAMSettings;
import org.forgerock.openam.utils.StringUtils;

/* loaded from: input_file:org/forgerock/openidconnect/CheckSession.class */
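/**
 * Backs the OpenID Connect check-session endpoint.
 *
 * <p>The {@code id_token} is taken from the query string of the request's {@code Referer} header.
 * That header is supplied by the caller, so nothing read from the token is acted on until the
 * token's HMAC signature has been verified against the secret of the client named in its
 * {@code aud} claim. Only then is the session id carried in the token's {@code ops} claim
 * resolved through the CTS and checked with the SSO token manager.
 */
public class CheckSession {
    private final Debug logger = Debug.getInstance("OAuth2Provider");
    private final SSOTokenManager ssoTokenManager = (SSOTokenManager) InjectorHolder.getInstance(SSOTokenManager.class);
    private final OpenAMSettings openAMSettings = (OpenAMSettings) InjectorHolder.getInstance(OpenAMSettings.class);
    private final SigningManager signingManager = (SigningManager) InjectorHolder.getInstance(SigningManager.class);
    private final ClientRegistrationStore clientRegistrationStore = (ClientRegistrationStore) InjectorHolder.getInstance(ClientRegistrationStore.class);
    private final CTSPersistentStore cts = (CTSPersistentStore) InjectorHolder.getInstance(CTSPersistentStore.class);
    // The adapter is bound under a name, so it is looked up by Key rather than by class; the raw cast
    // is what the injector lookup hands back and is known to carry the JsonValue type argument.
    @SuppressWarnings("unchecked")
    private final TokenAdapter<JsonValue> tokenAdapter = (TokenAdapter) InjectorHolder.getInstance(
            Key.get(new TypeLiteral<TokenAdapter<JsonValue>>() { }, Names.named("oauthTokenAdapter")));

    /**
     * Returns the name of the SSO cookie as configured in the OpenAM settings.
     *
     * @return the SSO cookie name
     */
    public String getCookieName() {
        return this.openAMSettings.getSSOCookieName();
    }

    /**
     * Resolves the client session URI registered for the client named in the {@code id_token} that
     * the request's {@code Referer} query string carries.
     *
     * @param httpServletRequest the request whose {@code Referer} header is inspected
     * @return the registered client session URI, or the empty string when no {@code id_token} was
     *     supplied, no client registration could be resolved from its audience, or its signature
     *     does not verify against that client's secret
     * @throws UnauthorizedClientException propagated from the client registration lookup
     * @throws InvalidClientException propagated from the client registration lookup
     * @throws NotFoundException propagated from the client registration lookup
     */
    public String getClientSessionURI(HttpServletRequest httpServletRequest) throws UnauthorizedClientException, InvalidClientException, NotFoundException {
        SignedJwt idToken = getIDToken(httpServletRequest);
        if (idToken == null) {
            return "";
        }
        ClientRegistration clientRegistration = getClientRegistration(idToken);
        // A token without a resolvable client used to be dereferenced anyway (NPE); it yields no URI.
        if (clientRegistration == null || !isJwtValid(idToken, clientRegistration)) {
            return "";
        }
        return clientRegistration.getClientSessionURI();
    }

    /**
     * Looks up the client registration for the first {@code aud} entry of the token, in the realm
     * named by the token's {@code realm} claim.
     *
     * @param jwt the token whose claims name the client and realm
     * @return the client registration, or {@code null} when the token has no audience
     * @throws InvalidClientException propagated from the registration store
     * @throws NotFoundException propagated from the registration store
     */
    private ClientRegistration getClientRegistration(Jwt jwt) throws InvalidClientException, NotFoundException {
        List<String> audience = jwt.getClaimsSet().getAudience();
        if (audience == null || audience.isEmpty()) {
            return null;
        }
        String realm = (String) jwt.getClaimsSet().getClaim("realm");
        return this.clientRegistrationStore.get(audience.get(0), OAuth2Request.forRealm(realm));
    }

    /**
     * Verifies the token's HMAC signature with the client's secret.
     *
     * @param signedJwt the token to verify; {@code null} is treated as invalid
     * @param clientRegistration the client whose secret keys the HMAC
     * @return {@code true} only when a secret is configured and the signature verifies
     */
    private boolean isJwtValid(SignedJwt signedJwt, ClientRegistration clientRegistration) {
        String clientSecret = clientRegistration.getClientSecret();
        // Without a shared secret there is nothing to verify the HMAC against, so the token cannot be trusted.
        if (signedJwt == null || StringUtils.isEmpty(clientSecret)) {
            return false;
        }
        return signedJwt.verify(this.signingManager.newHmacSigningHandler(clientSecret.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Reports whether the session referenced by the request's {@code id_token} is still valid.
     *
     * <p>The session id is read from the {@code org.forgerock.openidconnect.ops} claim, falling back
     * to {@code ops}; it is resolved through the CTS and the resulting SSO token id is checked with
     * the SSO token manager. Any failure along that path is logged and reported as "not valid".
     *
     * @param httpServletRequest the request whose {@code Referer} header carries the token
     * @return {@code true} only when the token verifies and the referenced SSO token is valid
     */
    public boolean getValidSession(HttpServletRequest httpServletRequest) {
        SignedJwt idToken = getIDToken(httpServletRequest);
        if (idToken == null) {
            return false;
        }
        try {
            ClientRegistration clientRegistration = getClientRegistration(idToken);
            // Require a resolvable client and a verified signature before trusting any claim in the token;
            // a token whose audience resolved to no client previously skipped signature verification.
            if (clientRegistration == null || !isJwtValid(idToken, clientRegistration)) {
                return false;
            }
            String opsId = (String) idToken.getClaimsSet().getClaim("org.forgerock.openidconnect.ops");
            if (opsId == null) {
                opsId = (String) idToken.getClaimsSet().getClaim("ops");
            }
            if (opsId == null) {
                return false;
            }
            JsonValue opsToken = this.tokenAdapter.fromToken(this.cts.read(opsId));
            String ssoTokenId = opsToken.get("ops").asString();
            return this.ssoTokenManager.isValidToken(this.ssoTokenManager.createSSOToken(ssoTokenId));
        } catch (Exception e) {
            // Boundary catch: CTS, adapter and SSO lookups each raise their own checked/unchecked types.
            this.logger.error("Unable to get the SSO token", e);
            return false;
        }
    }

    /**
     * Extracts and reconstructs the {@code id_token} query parameter from the request's
     * {@code Referer} header.
     *
     * @param httpServletRequest the request whose {@code Referer} header is parsed
     * @return the reconstructed signed token, or {@code null} when the header is absent, has no
     *     {@code id_token} parameter, or cannot be parsed
     */
    private SignedJwt getIDToken(HttpServletRequest httpServletRequest) {
        String referer = httpServletRequest.getHeader("Referer");
        if (referer == null) {
            this.logger.error("No id_token supplied to the checkSesison endpoint");
            return null;
        }
        try {
            // URI.getQuery() hands back the decoded query; the compact JWT alphabet is unaffected by decoding.
            Map<String, String> params = parseQuery(new URI(referer).getQuery());
            String idToken = params.get("id_token");
            if (idToken == null) {
                return null;
            }
            return new JwtReconstruction().reconstructJwt(idToken, SignedJwt.class);
        } catch (Exception e) {
            this.logger.error("No id_token supplied to the checkSesison endpoint", e);
            return null;
        }
    }

    /**
     * Splits a decoded query string into its {@code name=value} pairs.
     *
     * @param query the query component, possibly {@code null} or empty
     * @return the parameters; entries without {@code '='} are skipped and a repeated name keeps its last value
     */
    private static Map<String, String> parseQuery(String query) {
        Map<String, String> params = new HashMap<String, String>();
        if (query == null || query.isEmpty()) {
            return params;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0) {
                continue;
            }
            params.put(pair.substring(0, eq), pair.substring(eq + 1));
        }
        return params;
    }
}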
