package org.forgerock.oauth2.core;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.util.AMAuthUtils;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.security.AdminTokenAction;
import com.sun.identity.shared.DateUtils;
import com.sun.identity.shared.debug.Debug;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import java.io.IOException;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.text.ParseException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.inject.Inject;
import javax.inject.Singleton;
import javax.servlet.http.HttpServletRequest;
import org.forgerock.oauth2.core.exceptions.AccessDeniedException;
import org.forgerock.oauth2.core.exceptions.BadRequestException;
import org.forgerock.oauth2.core.exceptions.InteractionRequiredException;
import org.forgerock.oauth2.core.exceptions.InvalidClientAuthZHeaderException;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.InvalidRequestException;
import org.forgerock.oauth2.core.exceptions.LoginRequiredException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.oauth2.core.exceptions.UnauthorizedClientException;
import org.forgerock.openam.core.DNWrapper;
import org.forgerock.openam.oauth2.ClientCredentials;
import org.forgerock.openam.oauth2.ClientCredentialsReader;
import org.forgerock.openam.oauth2.OAuth2Constants;
import org.forgerock.openam.oauth2.OpenAMAuthenticationMethod;
import org.forgerock.openam.utils.RealmNormaliser;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.openam.utils.Time;
import org.forgerock.openidconnect.Client;
import org.forgerock.openidconnect.ClientDAO;
import org.forgerock.openidconnect.OpenIdPrompt;
import org.forgerock.util.annotations.VisibleForTesting;
import org.owasp.esapi.errors.EncodingException;
import org.restlet.Request;
import org.restlet.data.Form;
import org.restlet.data.Parameter;
import org.restlet.data.Reference;
import org.restlet.ext.servlet.ServletUtils;

@Singleton
/* loaded from: input_file:org/forgerock/oauth2/core/ResourceOwnerSessionValidator.class */
/**
 * Establishes who the resource owner (end user) is for an OAuth2/OIDC request and whether
 * the user must (re)authenticate before the request may proceed.
 *
 * <p>For interactive flows the resource owner is taken from an existing OpenAM SSO session,
 * which is then checked against the request: the session must belong to the requested realm,
 * {@code prompt=login} and an exceeded {@code max_age} force a fresh login (destroying the old
 * session first), and {@code acr_values} are reconciled with the services the session actually
 * authenticated with. For {@code password}, {@code client_credentials} and {@code refresh_token}
 * grants the resource owner is read from the token instead, since no browser session is involved.
 *
 * <p>NOTE(review): this listing is decompiler output (see the JADX markers); local names such as
 * {@code str}, {@code j} and {@code e4} are synthetic and a few control-flow shapes below look like
 * decompilation artefacts rather than the original source.
 */
public class ResourceOwnerSessionValidator {
    private static final Debug logger = Debug.getInstance("OAuth2Provider");
    // Published as the "acr" request attribute when none of the requested acr_values matched
    // an authentication service the session actually used (see setCurrentAcr).
    private static final String UNMATCHED_ACR_VALUE = "0";
    private final SSOTokenManager ssoTokenManager;
    private final OAuth2ProviderSettingsFactory providerSettingsFactory;
    private final ClientDAO clientDAO;
    private final ClientCredentialsReader clientCredentialsReader;
    // Not injected: instantiated directly, so it cannot be substituted in tests.
    private RealmNormaliser realmNormaliser = new RealmNormaliser();
    private DNWrapper dnWrapper;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/forgerock/oauth2/core/ResourceOwnerSessionValidator$ACRValue.class */
    /**
     * A requested acr value paired with the OpenAM authentication method it maps to.
     * Only ever built by chooseBestAcrValue; the constructor is private.
     */
    public static class ACRValue {
        private final String acr;
        private final OpenAMAuthenticationMethod method;

        private ACRValue(String str, OpenAMAuthenticationMethod openAMAuthenticationMethod) {
            this.acr = str;
            this.method = openAMAuthenticationMethod;
        }
    }

    /**
     * Guice constructor.
     *
     * @param dNWrapper converts a realm/organisation name to its DN, used for realm binding.
     * @param sSOTokenManager creates, validates and destroys OpenAM SSO sessions.
     * @param oAuth2ProviderSettingsFactory per-realm provider settings (acr mapping, custom login URL template).
     * @param clientDAO loads the OAuth2 client (for its default max_age).
     * @param clientCredentialsReader extracts the client id from the request.
     */
    @Inject
    public ResourceOwnerSessionValidator(DNWrapper dNWrapper, SSOTokenManager sSOTokenManager, OAuth2ProviderSettingsFactory oAuth2ProviderSettingsFactory, ClientDAO clientDAO, ClientCredentialsReader clientCredentialsReader) {
        this.ssoTokenManager = sSOTokenManager;
        this.providerSettingsFactory = oAuth2ProviderSettingsFactory;
        this.clientDAO = clientDAO;
        this.clientCredentialsReader = clientCredentialsReader;
        this.dnWrapper = dNWrapper;
    }

    /**
     * Resolves the resource owner for the request, or throws an exception describing why the
     * user must interact first.
     *
     * <p>Order of checks: (1) the {@code prompt} parameter must be well formed; (2) if a valid SSO
     * session is present it must be bound to the requested realm, must not be overridden by
     * {@code prompt=login}, has its acr recorded, and must not be older than {@code max_age};
     * (3) without a usable session, password/client_credentials grants use the access token,
     * refresh_token grants use the refresh token, and any other request is redirected to login
     * unless {@code prompt=none}, which yields an interaction_required error instead.
     *
     * @param oAuth2Request the current request.
     * @return the resource owner together with the time of authentication (ms since epoch).
     * @throws ResourceOwnerAuthenticationRequired carrying the login URL to redirect the user to.
     * @throws AccessDeniedException if the session could not be read or the realm DN lookup failed.
     * @throws BadRequestException if the prompt parameter is invalid.
     * @throws InteractionRequiredException if {@code prompt=none} and no session exists.
     * @throws LoginRequiredException if the session-backed lookup failed for any other reason.
     * @throws ServerException if provider settings or the login URL could not be produced.
     * @throws NotFoundException if the realm or client does not exist.
     */
    public ResourceOwner validate(OAuth2Request oAuth2Request) throws ResourceOwnerAuthenticationRequired, AccessDeniedException, BadRequestException, InteractionRequiredException, LoginRequiredException, ServerException, NotFoundException {
        OpenIdPrompt openIdPrompt = new OpenIdPrompt(oAuth2Request);
        if (!openIdPrompt.isValid()) {
            String str = "Invalid prompt parameter \"" + openIdPrompt.getOriginalValue() + "\"";
            logger.message(str);
            throw new BadRequestException(str);
        }
        SSOToken resourceOwnerSession = getResourceOwnerSession(oAuth2Request);
        if (resourceOwnerSession != null) {
            try {
                if (this.ssoTokenManager.isValidToken(resourceOwnerSession)) {
                    try {
                        // Realm binding: a session from another realm must not satisfy this
                        // request. The DN comparison is on the lower-cased computed DN against
                        // the session's Organization property as stored. Mismatch redirects to
                        // login without destroying the foreign session.
                        if (!this.dnWrapper.orgNameToDN(this.realmNormaliser.normalise((String) oAuth2Request.getParameter("realm"))).toLowerCase().equals(resourceOwnerSession.getProperty("Organization"))) {
                            throw authenticationRequired(oAuth2Request);
                        }
                        // prompt=login: the two-arg overload destroys the current session first.
                        if (openIdPrompt.containsLogin()) {
                            throw authenticationRequired(oAuth2Request, resourceOwnerSession);
                        }
                        String str2 = (String) oAuth2Request.getParameter("acr_values");
                        if (str2 != null) {
                            setCurrentAcr(resourceOwnerSession, oAuth2Request, str2);
                        }
                        try {
                            long time = DateUtils.stringToDate(resourceOwnerSession.getProperty("authInstant")).getTime();
                            // max_age exceeded: rewrite max_age in the goto URL (alterMaxAge) so
                            // the post-login redirect does not trip this check again, then force
                            // re-authentication.
                            if (isPastMaxAge(getMaxAge(oAuth2Request), time)) {
                                alterMaxAge(oAuth2Request);
                                throw authenticationRequired(oAuth2Request, resourceOwnerSession);
                            }
                            // Identity lookup runs under the admin token; the universal id comes
                            // from the validated session, not from the request.
                            AMIdentity identity = IdUtils.getIdentity((SSOToken) AccessController.doPrivileged((PrivilegedAction) AdminTokenAction.getInstance()), resourceOwnerSession.getProperty("sun.am.UniversalIdentifier"));
                            return new ResourceOwner(identity.getName(), identity, time);
                        } catch (Exception e) {
                            // NOTE(review): this catch-all also covers the
                            // ResourceOwnerAuthenticationRequired thrown just above if that type
                            // extends Exception (it is declared in throws clauses, which suggests
                            // it is checked). If so, an expired max_age produces login_required
                            // after the session has already been destroyed, instead of the
                            // redirect — confirm against the exception hierarchy. It also maps a
                            // non-numeric max_age (NumberFormatException from getMaxAge) to
                            // LoginRequiredException.
                            logger.error("Error authenticating user against OpenAM: ", e);
                            throw new LoginRequiredException();
                        }
                    } catch (SSOException e2) {
                        throw new AccessDeniedException((Throwable) e2);
                    } catch (org.forgerock.json.resource.NotFoundException e3) {
                        throw new NotFoundException(e3.getMessage());
                    }
                }
            } catch (SSOException | UnsupportedEncodingException | URISyntaxException e4) {
                throw new AccessDeniedException((Throwable) e4);
            }
        }
        // No usable session. Direct grants carry the resource owner in the token itself.
        if ("password".equals(oAuth2Request.getParameter("grant_type")) || "client_credentials".equals(oAuth2Request.getParameter("grant_type"))) {
            return getResourceOwner((IntrospectableToken) oAuth2Request.getToken(AccessToken.class));
        }
        if (!openIdPrompt.containsNone()) {
            if (isRefreshToken(oAuth2Request)) {
                return getResourceOwner((IntrospectableToken) oAuth2Request.getToken(RefreshToken.class));
            }
            throw authenticationRequired(oAuth2Request);
        }
        // prompt=none forbids showing a login page; report interaction_required, placing the
        // error in the fragment or query according to the response_type.
        logger.error("Not pre-authenticated and prompt parameter equals none.");
        if (oAuth2Request.getParameter("response_type") != null) {
            throw new InteractionRequiredException(Utils.isOpenIdConnectFragmentErrorType(Utils.splitResponseType((String) oAuth2Request.getParameter("response_type"))) ? OAuth2Constants.UrlLocation.FRAGMENT : OAuth2Constants.UrlLocation.QUERY);
        }
        throw new InteractionRequiredException();
    }

    /**
     * Locates the caller's SSO session, first from the underlying servlet request and, failing
     * that, from the OAuth2 request's own session handle.
     *
     * <p>Failures to create a token are logged at warning level and treated as "no session";
     * the caller validates the returned token before trusting it.
     *
     * @param oAuth2Request the current request.
     * @return the session token, or {@code null} if neither source yielded one.
     */
    public SSOToken getResourceOwnerSession(OAuth2Request oAuth2Request) {
        SSOToken sSOToken = null;
        try {
            sSOToken = this.ssoTokenManager.createSSOToken(getHttpServletRequest(oAuth2Request.getRequest()));
        } catch (SSOException e) {
            logger.warning("Error authenticating user against OpenAM: ", e);
        }
        if (sSOToken == null) {
            try {
                // Fallback source; presumably a session id carried by the OAuth2 request — TODO confirm.
                sSOToken = this.ssoTokenManager.createSSOToken(oAuth2Request.getSession());
            } catch (SSOException e2) {
                logger.warning("Error authenticating user against OpenAM: ", e2);
            }
        }
        return sSOToken;
    }

    /**
     * Builds the resource owner from an access or refresh token, converting the token's
     * auth time from seconds to milliseconds.
     *
     * @param introspectableToken the token naming the resource owner and realm.
     * @return the resource owner described by the token.
     */
    private ResourceOwner getResourceOwner(IntrospectableToken introspectableToken) {
        return new ResourceOwner(introspectableToken.getResourceOwnerId(), IdUtils.getIdentity(introspectableToken.getResourceOwnerId(), introspectableToken.getRealm()), TimeUnit.SECONDS.toMillis(introspectableToken.getAuthTimeSeconds()));
    }

    /**
     * @return {@code true} if the request's grant_type is {@code refresh_token}.
     */
    private boolean isRefreshToken(OAuth2Request oAuth2Request) {
        return StringUtils.isEqualTo((String) oAuth2Request.getParameter("grant_type"), "refresh_token");
    }

    /**
     * Replaces (or adds) the {@code max_age} query parameter of the request URL with
     * {@link Client#CONFIRMED_MAX_AGE}. Called once the max_age check has failed so that the
     * URL the user returns to after logging in does not fail the same check again.
     *
     * @param oAuth2Request the request whose resource reference is rewritten in place.
     */
    private void alterMaxAge(OAuth2Request oAuth2Request) {
        Request request = oAuth2Request.getRequest();
        Form queryAsForm = request.getResourceRef().getQueryAsForm();
        Parameter first = queryAsForm.getFirst("max_age");
        if (first == null) {
            queryAsForm.add(new Parameter("max_age", Client.CONFIRMED_MAX_AGE));
        } else {
            first.setValue(Client.CONFIRMED_MAX_AGE);
        }
        request.getResourceRef().setQuery(queryAsForm.getQueryString());
    }

    /**
     * @param j the permitted age of the authentication in milliseconds; any value below 0
     *          (getMaxAge returns -1 when no max_age applies) disables the check.
     * @param j2 the authentication instant in milliseconds since the epoch.
     * @return {@code true} if the authentication is at least {@code j} milliseconds old.
     */
    private boolean isPastMaxAge(long j, long j2) throws SSOException {
        return j > -1 && j <= Time.currentTimeMillis() - j2;
    }

    /**
     * Determines the effective {@code max_age} for the request in milliseconds.
     *
     * <p>The request parameter wins when present (clamped to a minimum of 1 second);
     * otherwise the client's configured default is used if enabled; otherwise -1 (no limit).
     *
     * <p>NOTE(review): the request value is untrusted. A non-numeric value throws
     * NumberFormatException from {@code Long.valueOf}, and a value above
     * {@code Long.MAX_VALUE / 1000} overflows in the final multiplication to a negative number,
     * which isPastMaxAge then treats as "no limit". A bounds check before the multiply would
     * close that gap.
     *
     * @param oAuth2Request the current request.
     * @return the max age in milliseconds, or -1 if none applies.
     */
    private long getMaxAge(OAuth2Request oAuth2Request) throws URISyntaxException, AccessDeniedException, ServerException, NotFoundException, EncodingException, UnauthorizedClientException, ResourceOwnerAuthenticationRequired, SSOException, ParseException, InvalidClientAuthZHeaderException, InvalidClientException, InvalidRequestException {
        ClientCredentials extractCredentials = this.clientCredentialsReader.extractCredentials(oAuth2Request, null);
        String str = (String) oAuth2Request.getParameter("max_age");
        long j = -1;
        if (str != null) {
            j = Long.valueOf(str).longValue();
            if (j < 1) {
                j = 1;
            }
        } else {
            Client read = this.clientDAO.read(extractCredentials.getClientId(), oAuth2Request);
            if (read.getDefaultMaxAgeEnabled().booleanValue()) {
                j = read.getDefaultMaxAge().longValue();
            }
        }
        return j * 1000;
    }

    /**
     * Records, as the {@code acr} request attribute, which of the requested acr_values the
     * session actually satisfies: an acr whose mapped authentication method name equals one of
     * the services the session authenticated with. Falls back to {@link #UNMATCHED_ACR_VALUE}.
     *
     * <p>NOTE(review): as decompiled, the inner {@code while (true)} has no exit once the
     * iterator is exhausted without a match, which would spin forever whenever an authenticated
     * service matches none of the requested values. This is most likely a decompilation artefact
     * of a nested for-loop with a break; verify against the original source or bytecode before
     * relying on this listing.
     *
     * @param sSOToken the validated session.
     * @param oAuth2Request the current request (provides the realm's acr mapping and receives the attribute).
     * @param str the raw, whitespace-separated acr_values parameter.
     */
    private void setCurrentAcr(SSOToken sSOToken, OAuth2Request oAuth2Request, String str) throws NotFoundException, ServerException, SSOException, AccessDeniedException, UnsupportedEncodingException, URISyntaxException, ResourceOwnerAuthenticationRequired {
        Set<String> authenticatedServices = AMAuthUtils.getAuthenticatedServices(sSOToken);
        HashSet hashSet = new HashSet(Arrays.asList(str.split("\\s+")));
        Map<String, AuthenticationMethod> acrMapping = this.providerSettingsFactory.get(oAuth2Request).getAcrMapping();
        Request request = oAuth2Request.getRequest();
        String str2 = UNMATCHED_ACR_VALUE;
        for (String str3 : authenticatedServices) {
            Iterator it = hashSet.iterator();
            while (true) {
                if (it.hasNext()) {
                    String str4 = (String) it.next();
                    if (acrMapping.containsKey(str4) && str3.equals(acrMapping.get(str4).getName())) {
                        str2 = str4;
                        break;
                    }
                }
            }
        }
        request.getAttributes().put("acr", str2);
    }

    /**
     * Destroys the given session and then builds the authentication-required exception.
     * Used for {@code prompt=login} and exceeded {@code max_age}, where the existing session
     * must not survive the forced re-login. A failure to destroy is logged and not propagated.
     *
     * @param oAuth2Request the current request.
     * @param sSOToken the session to terminate.
     * @return the exception to throw, carrying the login redirect URL.
     */
    private ResourceOwnerAuthenticationRequired authenticationRequired(OAuth2Request oAuth2Request, SSOToken sSOToken) throws URISyntaxException, AccessDeniedException, ServerException, NotFoundException, UnsupportedEncodingException {
        try {
            this.ssoTokenManager.destroyToken(sSOToken);
        } catch (SSOException e) {
            logger.error("Error destroying SSOToken: ", e);
        }
        return authenticationRequired(oAuth2Request);
    }

    /**
     * Builds the authentication-required exception whose URL sends the user to login and back.
     *
     * <p>The return ("goto") URL is the current request URL with {@code prompt=login} stripped
     * (so the round trip does not loop) and, for device flow, {@code user_code} appended. The
     * login URL itself is either the realm's custom FreeMarker template or the default
     * {@code /UI/Login} URL, each fed realm, acr_values, module, service and locale.
     *
     * <p>NOTE(review): {@code user_code} is concatenated here without encoding; whether it is
     * encoded downstream depends on how the goto value is handled by the two URL builders.
     *
     * @param oAuth2Request the current request.
     * @return the exception to throw.
     */
    private ResourceOwnerAuthenticationRequired authenticationRequired(OAuth2Request oAuth2Request) throws AccessDeniedException, URISyntaxException, ServerException, NotFoundException, UnsupportedEncodingException {
        Template customLoginUrlTemplate = this.providerSettingsFactory.get(oAuth2Request).getCustomLoginUrlTemplate();
        removeLoginPrompt(oAuth2Request.getRequest());
        String reference = oAuth2Request.getRequest().getResourceRef().toString();
        if (oAuth2Request.getParameter("user_code") != null) {
            // 63 is '?': choose the separator based on whether a query string already exists.
            reference = reference + (reference.indexOf(63) > -1 ? "&" : "?") + "user_code=" + oAuth2Request.getParameter("user_code");
        }
        String str = (String) oAuth2Request.getParameter("acr_values");
        String str2 = (String) oAuth2Request.getParameter("realm");
        String str3 = (String) oAuth2Request.getParameter("module");
        String str4 = (String) oAuth2Request.getParameter("service");
        String requestLocale = getRequestLocale(oAuth2Request);
        return new ResourceOwnerAuthenticationRequired(customLoginUrlTemplate != null ? buildCustomLoginUrl(customLoginUrlTemplate, reference, str, str2, str3, str4, requestLocale) : buildDefaultLoginUrl(oAuth2Request, reference, str, str2, str3, str4, requestLocale));
    }

    /**
     * @return the OIDC {@code ui_locales} parameter if non-empty, else the {@code locale}
     *         parameter (which may itself be {@code null}).
     */
    private String getRequestLocale(OAuth2Request oAuth2Request) {
        String str = (String) oAuth2Request.getParameter("locale");
        String str2 = (String) oAuth2Request.getParameter("ui_locales");
        return !Utils.isEmpty(str2) ? str2 : str;
    }

    /**
     * Builds the default login URL ({@code <scheme>://<host>:<port>/<context>/UI/Login}).
     *
     * <p>Exactly one authentication selector is forwarded, in priority order: the best matching
     * acr value (as its index type/name), else {@code module}, else {@code service}. Realm and
     * locale are added when present; the goto URL is always added last.
     *
     * @param oAuth2Request the current request (used to reach the servlet request and provider settings).
     * @param str the goto URL.
     * @param str2 the raw acr_values parameter.
     * @param str3 realm.
     * @param str4 module.
     * @param str5 service.
     * @param str6 locale.
     * @return the login URL.
     */
    private URI buildDefaultLoginUrl(OAuth2Request oAuth2Request, String str, String str2, String str3, String str4, String str5, String str6) throws URISyntaxException, ServerException, NotFoundException {
        Reference reference = new Reference(new URI(getAuthURL(getHttpServletRequest(oAuth2Request.getRequest()))));
        if (!Utils.isEmpty(str3)) {
            reference.addQueryParameter("realm", str3);
        }
        if (!Utils.isEmpty(str6)) {
            reference.addQueryParameter("locale", str6);
        }
        if (!Utils.isEmpty(str2)) {
            ACRValue chooseBestAcrValue = chooseBestAcrValue(oAuth2Request, str2.split("\\s+"));
            if (chooseBestAcrValue != null) {
                reference.addQueryParameter(chooseBestAcrValue.method.getIndexType().toString(), chooseBestAcrValue.method.getName());
            }
        } else if (!Utils.isEmpty(str4)) {
            reference.addQueryParameter("module", str4);
        } else if (!Utils.isEmpty(str5)) {
            reference.addQueryParameter("service", str5);
        }
        reference.addQueryParameter("goto", str);
        return reference.toUri();
    }

    /**
     * Renders the realm's custom login URL template.
     *
     * <p>Only {@code goto} and {@code acrValues} are URL-encoded before being handed to the
     * template; {@code realm}, {@code module}, {@code service} and {@code locale} are passed as
     * received from the request, so the template itself is responsible for escaping them where
     * it places them. Template failures are logged with the cause and surfaced as a
     * ServerException without it.
     *
     * @param template the configured FreeMarker template.
     * @param str the goto URL.
     * @param str2 the raw acr_values parameter, may be {@code null}.
     * @param str3 realm.
     * @param str4 module.
     * @param str5 service.
     * @param str6 locale.
     * @return the rendered login URL.
     * @throws ServerException if rendering fails.
     */
    private URI buildCustomLoginUrl(Template template, String str, String str2, String str3, String str4, String str5, String str6) throws ServerException, UnsupportedEncodingException {
        HashMap hashMap = new HashMap();
        hashMap.put("goto", URLEncoder.encode(str, StandardCharsets.UTF_8.toString()));
        hashMap.put("acrValues", str2 != null ? URLEncoder.encode(str2, StandardCharsets.UTF_8.toString()) : null);
        hashMap.put("realm", str3);
        hashMap.put("module", str4);
        hashMap.put("service", str5);
        hashMap.put("locale", str6);
        try {
            StringWriter stringWriter = new StringWriter();
            template.process(hashMap, stringWriter);
            return URI.create(stringWriter.toString());
        } catch (IOException | TemplateException e) {
            logger.error("Failed to template custom login url", e);
            throw new ServerException("Failed to template custom login url");
        }
    }

    /**
     * Picks the first requested acr value (in the order given) whose mapping in the realm's
     * acr settings is an {@link OpenAMAuthenticationMethod}.
     *
     * @param oAuth2Request the current request, used to load provider settings.
     * @param strArr the requested acr values, already split.
     * @return the chosen value and method, or {@code null} if nothing matched or no mapping is configured.
     */
    private ACRValue chooseBestAcrValue(OAuth2Request oAuth2Request, String... strArr) throws ServerException, NotFoundException {
        Map<String, AuthenticationMethod> acrMapping = this.providerSettingsFactory.get(oAuth2Request).getAcrMapping();
        if (acrMapping != null) {
            for (String str : strArr) {
                AuthenticationMethod authenticationMethod = acrMapping.get(str);
                if (authenticationMethod instanceof OpenAMAuthenticationMethod) {
                    if (logger.messageEnabled()) {
                        logger.message("Picked ACR value [" + str + "] -> " + authenticationMethod);
                    }
                    return new ACRValue(str, (OpenAMAuthenticationMethod) authenticationMethod);
                }
            }
        }
        // Both branches return null; the split only guards the debug message.
        if (!logger.messageEnabled()) {
            return null;
        }
        logger.message("No ACR value matched - using default login configuration");
        return null;
    }

    /**
     * Removes the {@code login} token from the request's {@code prompt} query parameter (after
     * lower-casing it) and writes the query back, so the URL the user is returned to after
     * authenticating no longer demands another login.
     *
     * @param request the Restlet request whose resource reference is rewritten in place.
     */
    private void removeLoginPrompt(Request request) {
        Form queryAsForm = request.getResourceRef().getQueryAsForm();
        Parameter first = queryAsForm.getFirst("prompt");
        if (first != null && first.getValue() != null) {
            first.setValue(first.getValue().toLowerCase().replace(OpenIdPrompt.PROMPT_LOGIN, "").trim());
        }
        request.getResourceRef().setQuery(queryAsForm.getQueryString());
    }

    /**
     * Derives the default login page URL from the incoming servlet request: its scheme, server
     * name and port, the first path segment of the request URI (taken as the deployment context),
     * and {@code /UI/Login}.
     *
     * <p>Because scheme, host and port are read from the servlet request, the redirect target
     * follows the container's view of the request (and any proxy configuration in front of it).
     *
     * @param httpServletRequest the underlying servlet request.
     * @return the absolute login URL.
     */
    private String getAuthURL(HttpServletRequest httpServletRequest) {
        String requestURI = httpServletRequest.getRequestURI();
        String str = requestURI;
        // Index of the second '/', i.e. the end of the first path segment; -1 keeps the whole URI.
        int indexOf = requestURI.indexOf("/", requestURI.indexOf("/") + 1);
        if (indexOf != -1) {
            str = requestURI.substring(0, indexOf);
        }
        return httpServletRequest.getScheme() + "://" + httpServletRequest.getServerName() + ":" + httpServletRequest.getServerPort() + str + "/UI/Login";
    }

    /**
     * Unwraps the servlet request behind a Restlet request. Package-private so tests can stub it.
     */
    @VisibleForTesting
    HttpServletRequest getHttpServletRequest(Request request) {
        return ServletUtils.getRequest(request);
    }
}
