package io.jans.as.server.authorize.ws.rs;

import com.google.common.collect.Maps;
import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.model.session.SessionId;
import io.jans.as.common.model.session.SessionIdState;
import io.jans.as.common.util.RedirectUri;
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.common.BackchannelTokenDeliveryMode;
import io.jans.as.model.common.GrantType;
import io.jans.as.model.common.Prompt;
import io.jans.as.model.common.ResponseMode;
import io.jans.as.model.common.ResponseType;
import io.jans.as.model.common.SubjectType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.binding.TokenBindingMessage;
import io.jans.as.model.crypto.binding.TokenBindingParseException;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.token.JsonWebResponse;
import io.jans.as.model.util.QueryStringDecoder;
import io.jans.as.model.util.StringUtils;
import io.jans.as.model.util.Util;
import io.jans.as.persistence.model.ClientAuthorization;
import io.jans.as.server.audit.ApplicationAuditLogger;
import io.jans.as.server.ciba.CIBAPingCallbackService;
import io.jans.as.server.ciba.CIBAPushTokenDeliveryService;
import io.jans.as.server.model.authorize.AuthorizeParamsValidator;
import io.jans.as.server.model.authorize.ScopeChecker;
import io.jans.as.server.model.common.AccessToken;
import io.jans.as.server.model.common.AuthorizationCode;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.AuthorizationGrantList;
import io.jans.as.server.model.common.CIBAGrant;
import io.jans.as.server.model.common.CibaRequestCacheControl;
import io.jans.as.server.model.common.CibaRequestStatus;
import io.jans.as.server.model.common.DefaultScope;
import io.jans.as.server.model.common.DeviceAuthorizationCacheControl;
import io.jans.as.server.model.common.DeviceAuthorizationStatus;
import io.jans.as.server.model.common.ExecutionContext;
import io.jans.as.server.model.common.IdToken;
import io.jans.as.server.model.common.RefreshToken;
import io.jans.as.server.model.config.ConfigurationFactory;
import io.jans.as.server.model.config.Constants;
import io.jans.as.server.model.exception.AcrChangedException;
import io.jans.as.server.model.exception.InvalidRedirectUrlException;
import io.jans.as.server.model.exception.InvalidSessionStateException;
import io.jans.as.server.model.token.JwrService;
import io.jans.as.server.security.Identity;
import io.jans.as.server.service.AttributeService;
import io.jans.as.server.service.AuthenticationFilterService;
import io.jans.as.server.service.ClientAuthorizationsService;
import io.jans.as.server.service.ClientService;
import io.jans.as.server.service.CookieService;
import io.jans.as.server.service.DeviceAuthorizationService;
import io.jans.as.server.service.RequestParameterService;
import io.jans.as.server.service.SessionIdService;
import io.jans.as.server.service.UserService;
import io.jans.as.server.service.ciba.CibaRequestService;
import io.jans.as.server.service.external.ExternalPostAuthnService;
import io.jans.as.server.service.external.ExternalUpdateTokenService;
import io.jans.as.server.service.external.context.ExternalPostAuthnContext;
import io.jans.as.server.service.external.context.ExternalUpdateTokenContext;
import io.jans.as.server.service.external.session.SessionEvent;
import io.jans.as.server.service.external.session.SessionEventType;
import io.jans.as.server.service.stat.StatService;
import io.jans.as.server.util.RedirectUtil;
import io.jans.as.server.util.ServerUtil;
import io.jans.orm.exception.EntryPersistenceException;
import io.jans.orm.exception.operation.SearchException;
import io.jans.util.Pair;
import io.jans.util.StringHelper;
import jakarta.inject.Inject;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.SecurityContext;
import java.net.URI;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import org.apache.commons.lang3.BooleanUtils;
import org.slf4j.Logger;

@Path("/")
/* loaded from: input_file:io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceImpl.class */
public class AuthorizeRestWebServiceImpl implements AuthorizeRestWebService {
    // Name of a statistics counter; it is not referenced anywhere in the visible part of this file.
    private static final String SUCCESSFUL_RP_REDIRECT_COUNT = "successful_rp_redirect_count";

    // All collaborators below are container-injected; nothing in the visible code assigns them.
    @Inject
    private Logger log;

    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private ClientService clientService;

    @Inject
    private UserService userService;

    // Source of the current session (identity.getSessionId()) for the request being served.
    @Inject
    private Identity identity;

    @Inject
    private AuthenticationFilterService authenticationFilterService;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private CookieService cookieService;

    @Inject
    private ScopeChecker scopeChecker;

    @Inject
    private ClientAuthorizationsService clientAuthorizationsService;

    @Inject
    private RequestParameterService requestParameterService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private ConfigurationFactory configurationFactory;

    // Performs the request-level checks (client, redirect URI, ACRs, PKCE, request JWT, max_age) used by authorize().
    @Inject
    private AuthorizeRestWebServiceValidator authorizeRestWebServiceValidator;

    @Inject
    private CIBAPushTokenDeliveryService cibaPushTokenDeliveryService;

    @Inject
    private CIBAPingCallbackService cibaPingCallbackService;

    @Inject
    private ExternalPostAuthnService externalPostAuthnService;

    @Inject
    private CibaRequestService cibaRequestService;

    @Inject
    private DeviceAuthorizationService deviceAuthorizationService;

    @Inject
    private AttributeService attributeService;

    @Inject
    private ExternalUpdateTokenService externalUpdateTokenService;

    @Inject
    private AuthzRequestService authzRequestService;

    // Injected per-request servlet request; the entry points below receive the request explicitly as well.
    @Context
    private HttpServletRequest servletRequest;

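    /**
     * Handles an authorization request sent with HTTP GET.
     * <p>
     * Every parameter is copied verbatim into an {@link AuthzRequest} and handed to
     * {@link #requestAuthorization(AuthzRequest)}, which performs all validation; nothing is interpreted here.
     * Parameter order and meaning follow {@link AuthorizeRestWebService}.
     *
     * @return the response produced by the authorization flow (normally a redirect to the client)
     */
    @Override
    public Response requestAuthorizationGet(String scope, String responseType, String clientId, String redirectUri,
            String state, String responseMode, String nonce, String display, String prompt, Integer maxAge,
            String uiLocales, String idTokenHint, String loginHint, String acrValues, String amrValues,
            String request, String requestUri, String sessionId, String originHeaders, String codeChallenge,
            String codeChallengeMethod, String customResponseHeaders, String claims, String authReqId,
            HttpServletRequest httpRequest, HttpServletResponse httpResponse, SecurityContext securityContext) {
        return requestAuthorizationWithMethod("GET", scope, responseType, clientId, redirectUri, state, responseMode,
                nonce, display, prompt, maxAge, uiLocales, idTokenHint, loginHint, acrValues, amrValues, request,
                requestUri, sessionId, originHeaders, codeChallenge, codeChallengeMethod, customResponseHeaders,
                claims, authReqId, httpRequest, httpResponse, securityContext);
    }

    /**
     * Handles an authorization request sent with HTTP POST. Identical to
     * {@link #requestAuthorizationGet} apart from the HTTP method recorded on the {@link AuthzRequest}.
     *
     * @return the response produced by the authorization flow (normally a redirect to the client)
     */
    @Override
    public Response requestAuthorizationPost(String scope, String responseType, String clientId, String redirectUri,
            String state, String responseMode, String nonce, String display, String prompt, Integer maxAge,
            String uiLocales, String idTokenHint, String loginHint, String acrValues, String amrValues,
            String request, String requestUri, String sessionId, String originHeaders, String codeChallenge,
            String codeChallengeMethod, String customResponseHeaders, String claims, String authReqId,
            HttpServletRequest httpRequest, HttpServletResponse httpResponse, SecurityContext securityContext) {
        return requestAuthorizationWithMethod("POST", scope, responseType, clientId, redirectUri, state, responseMode,
                nonce, display, prompt, maxAge, uiLocales, idTokenHint, loginHint, acrValues, amrValues, request,
                requestUri, sessionId, originHeaders, codeChallenge, codeChallengeMethod, customResponseHeaders,
                claims, authReqId, httpRequest, httpResponse, securityContext);
    }

    /**
     * Shared body of the GET and POST entry points: rejects web-view callers first, then packs the raw parameters
     * into an {@link AuthzRequest} and runs {@link #requestAuthorization(AuthzRequest)}.
     *
     * @param httpMethod "GET" or "POST", stored on the request for downstream consumers
     */
    private Response requestAuthorizationWithMethod(String httpMethod, String scope, String responseType,
            String clientId, String redirectUri, String state, String responseMode, String nonce, String display,
            String prompt, Integer maxAge, String uiLocales, String idTokenHint, String loginHint, String acrValues,
            String amrValues, String request, String requestUri, String sessionId, String originHeaders,
            String codeChallenge, String codeChallengeMethod, String customResponseHeaders, String claims,
            String authReqId, HttpServletRequest httpRequest, HttpServletResponse httpResponse,
            SecurityContext securityContext) {
        // Checked before anything else is read, exactly as the original entry points did.
        this.authorizeRestWebServiceValidator.validateNotWebView(httpRequest);

        AuthzRequest authzRequest = new AuthzRequest();
        authzRequest.setHttpMethod(httpMethod);
        authzRequest.setScope(scope);
        authzRequest.setResponseType(responseType);
        authzRequest.setClientId(clientId);
        authzRequest.setRedirectUri(redirectUri);
        authzRequest.setState(state);
        authzRequest.setResponseMode(responseMode);
        authzRequest.setNonce(nonce);
        authzRequest.setDisplay(display);
        authzRequest.setPrompt(prompt);
        authzRequest.setMaxAge(maxAge);
        authzRequest.setUiLocales(uiLocales);
        authzRequest.setIdTokenHint(idTokenHint);
        authzRequest.setLoginHint(loginHint);
        authzRequest.setAcrValues(acrValues);
        authzRequest.setAmrValues(amrValues);
        authzRequest.setRequest(request);
        authzRequest.setRequestUri(requestUri);
        authzRequest.setSessionId(sessionId);
        authzRequest.setOriginHeaders(originHeaders);
        authzRequest.setCodeChallenge(codeChallenge);
        authzRequest.setCodeChallengeMethod(codeChallengeMethod);
        // Caller-supplied; only honoured when the configuration enables custom response headers (see addCustomHeaders).
        authzRequest.setCustomResponseHeaders(customResponseHeaders);
        authzRequest.setClaims(claims);
        authzRequest.setAuthReqId(authReqId);
        authzRequest.setHttpRequest(httpRequest);
        authzRequest.setHttpResponse(httpResponse);
        authzRequest.setSecurityContext(securityContext);
        return requestAuthorization(authzRequest);
    }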

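    /**
     * Runs the authorization flow for a populated {@link AuthzRequest} and maps failures to HTTP responses.
     * <p>
     * Catch clauses are ordered most-specific first so that each handler is reachable; the listing this was derived
     * from had {@code Exception} ahead of {@code EntryPersistenceException} and {@code InvalidRedirectUrlException},
     * which would make those two handlers dead (and is rejected by javac when they are unchecked). Mapping:
     * <ul>
     *   <li>{@link WebApplicationException}: audited, logged unless {@link #canLogWebApplicationException} says it is
     *       a redirect, then rethrown unchanged;</li>
     *   <li>{@link AcrChangedException}: audited, then a redirect to the client carrying
     *       {@code AuthorizeErrorResponseType.SESSION_SELECTION_REQUIRED} and a hint;</li>
     *   <li>{@link EntryPersistenceException}: 401 with an {@code UNAUTHORIZED_CLIENT} JSON body;</li>
     *   <li>{@link InvalidRedirectUrlException}: 400 with an {@code INVALID_REQUEST_REDIRECT_URI} JSON body;</li>
     *   <li>{@link InvalidSessionStateException}: rethrown untouched, without an audit entry;</li>
     *   <li>any other {@link Exception}: bare 500; details go only to the server log.</li>
     * </ul>
     *
     * @param authzRequest request built by the GET/POST entry points; its scope is URL-decoded in place here
     * @return the built response from {@link #authorize(AuthzRequest)} or one of the error responses above
     */
    private Response requestAuthorization(AuthzRequest authzRequest) {
        authzRequest.setScope(ServerUtil.urlDecode(authzRequest.getScope()));
        this.authzRequestService.createOauth2AuditLog(authzRequest);
        this.log.debug("Attempting to request authorization: {}", authzRequest);
        // Custom parameters are taken from the raw query string. getQueryString() is null for a body-only POST;
        // whether QueryStringDecoder.decode tolerates null is not visible here — TODO confirm.
        authzRequest.setCustomParameters(this.requestParameterService.getCustomParameters(
                QueryStringDecoder.decode(authzRequest.getHttpRequest().getQueryString())));

        Response.ResponseBuilder builder;
        try {
            builder = authorize(authzRequest);
        } catch (WebApplicationException e) {
            this.applicationAuditLogger.sendMessage(authzRequest.getAuditLog());
            if (this.log.isErrorEnabled() && canLogWebApplicationException(e)) {
                this.log.error(e.getMessage(), e);
            }
            throw e;
        } catch (AcrChangedException e) {
            this.log.error("ACR is changed, please provide a supported and enabled acr value");
            this.log.error(e.getMessage(), e);
            // NOTE(review): this uses authzRequest.getRedirectUri() as it stands when the exception surfaces; it is
            // only the validated value if AcrChangedException is raised after validateRedirectUri() in authorize()
            // — TODO confirm.
            RedirectUri redirectUri = new RedirectUri(authzRequest.getRedirectUri(),
                    authzRequest.getResponseTypeList(), authzRequest.getResponseModeEnum());
            redirectUri.parseQueryString(this.errorResponseFactory.getErrorAsQueryString(
                    AuthorizeErrorResponseType.SESSION_SELECTION_REQUIRED, authzRequest.getState()));
            redirectUri.addResponseParameter("hint", "Use prompt=login in order to alter existing session.");
            this.applicationAuditLogger.sendMessage(authzRequest.getAuditLog());
            return RedirectUtil.getRedirectResponseBuilder(redirectUri, authzRequest.getHttpRequest()).build();
        } catch (EntryPersistenceException e) {
            // Client lookup failed: report it as an unauthorized client rather than leaking a 500.
            builder = Response.status(Response.Status.UNAUTHORIZED.getStatusCode())
                    .entity(this.errorResponseFactory.getErrorAsJson(
                            AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, authzRequest.getState(), ""))
                    .type(MediaType.APPLICATION_JSON_TYPE);
            this.log.error(e.getMessage(), e);
        } catch (InvalidRedirectUrlException e) {
            // The redirect URI did not pass validation, so the error is returned in-band, never by redirect.
            builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode())
                    .entity(this.errorResponseFactory.getErrorAsJson(
                            AuthorizeErrorResponseType.INVALID_REQUEST_REDIRECT_URI, authzRequest.getState(), ""))
                    .type(MediaType.APPLICATION_JSON_TYPE);
            this.log.error(e.getMessage(), e);
        } catch (InvalidSessionStateException e) {
            // Deliberately not audited here; left to whatever handles it upstream.
            throw e;
        } catch (Exception e) {
            builder = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
            this.log.error(e.getMessage(), e);
        }
        this.applicationAuditLogger.sendMessage(authzRequest.getAuditLog());
        return builder.build();
    }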

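    /**
     * Decides whether a {@link WebApplicationException} caught by {@link #requestAuthorization(AuthzRequest)} should
     * be logged at error level. A {@code 302} response is presumably the normal redirect-to-page outcome of this flow
     * rather than a failure, so it is skipped; a missing exception or response also yields {@code false}.
     *
     * @param e the caught exception, may be {@code null}
     * @return {@code true} when the exception carries a response whose status is not {@code 302}
     */
    private static boolean canLogWebApplicationException(WebApplicationException e) {
        if (e == null || e.getResponse() == null) {
            return false;
        }
        return e.getResponse().getStatus() != Response.Status.FOUND.getStatusCode();
    }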

    /**
     * Core of the authorization endpoint. Validates the request end to end, resolves the user and session, applies
     * the prompt and consent rules, issues what {@code response_type} asks for (code, access token, ID token) and
     * returns the redirect back to the client.
     * <p>
     * Statement order is load-bearing. The client is validated and the redirect URI is validated against it before
     * {@code createRedirectUriResponse} is called, so every later error that is delivered by redirect can only reach
     * a validated URI. Each subsequent check either passes or throws a {@link WebApplicationException} whose
     * response is the redirect/error to send; {@link #requestAuthorization(AuthzRequest)} only maps the remaining
     * exception types.
     *
     * @param authzRequest request built by the entry points (scope already URL-decoded, custom parameters attached)
     * @return builder for the final redirect to the client's redirect URI, with all response parameters added
     * @throws AcrChangedException        declared by collaborators invoked here; mapped to a redirect by the caller
     * @throws SearchException            declared by collaborators invoked here
     * @throws TokenBindingParseException presumably declared by the {@link TokenBindingMessage} calls that parse the
     *                                    {@code Sec-Token-Binding} header
     */
    private Response.ResponseBuilder authorize(AuthzRequest authzRequest) throws AcrChangedException, SearchException, TokenBindingParseException {
        // Raw Sec-Token-Binding header; consumed below for the code grant's token-binding hash and the ID token
        // pre-processing.
        String header = authzRequest.getHttpRequest().getHeader("Sec-Token-Binding");
        // processPar: presumably whether the request arrived via a pushed authorization request; it exempts the
        // request from validateRequestJwt() further down.
        boolean processPar = this.authzRequestService.processPar(authzRequest);
        // fromString: the space-separated prompt values. Mutated in place by the prompt checks below.
        List<Prompt> fromString = Prompt.fromString(authzRequest.getPrompt(), " ");
        List<ResponseType> responseTypeList = authzRequest.getResponseTypeList();
        // Current session and its user, if any; both may be replaced by ifUserIsNull() below.
        SessionId sessionId = this.identity.getSessionId();
        User user = this.sessionIdService.getUser(sessionId);
        updateSessionForROPC(authzRequest.getHttpRequest(), sessionId);
        // Client first, then redirect URI against that client, then the redirect-URI response object: from here on
        // redirect-based errors target only the validated URI.
        Client validateClient = this.authorizeRestWebServiceValidator.validateClient(authzRequest, processPar);
        String userCodeFromSession = this.deviceAuthorizationService.getUserCodeFromSession(authzRequest.getHttpRequest());
        authzRequest.setRedirectUri(this.authorizeRestWebServiceValidator.validateRedirectUri(validateClient, authzRequest.getRedirectUri(), authzRequest.getState(), userCodeFromSession, authzRequest.getHttpRequest()));
        this.authzRequestService.createRedirectUriResponse(authzRequest);
        this.authorizeRestWebServiceValidator.validateAcrs(authzRequest, validateClient);
        // checkScopesPolicy: the scope set after policy filtering; checkOfflineAccessScopes() may shrink it.
        Set<String> checkScopesPolicy = this.scopeChecker.checkScopesPolicy(validateClient, authzRequest.getScope());
        this.authorizeRestWebServiceValidator.checkSignedRequestRequired(authzRequest);
        this.authzRequestService.processRequestObject(authzRequest, validateClient, checkScopesPolicy, user, fromString);
        validateRequestJwt(authzRequest, processPar, validateClient);
        this.authorizeRestWebServiceValidator.validate(authzRequest, responseTypeList, validateClient);
        // PKCE: the code_challenge is checked against the already-validated redirect-URI response.
        this.authorizeRestWebServiceValidator.validatePkce(authzRequest.getCodeChallenge(), authzRequest.getRedirectUriResponse());
        this.authzRequestService.setAcrsIfNeeded(authzRequest);
        checkOfflineAccessScopes(responseTypeList, fromString, validateClient, checkScopesPolicy);
        checkResponseType(authzRequest, responseTypeList, validateClient);
        AuthorizationGrant authorizationGrant = null;
        if (user == null) {
            // No authenticated user in the session. ifUserIsNull() is not visible here; since user is dereferenced
            // just below, it presumably returns a user or throws (e.g. redirects to login) — TODO confirm.
            Pair<User, SessionId> ifUserIsNull = ifUserIsNull(authzRequest);
            user = (User) ifUserIsNull.getFirst();
            sessionId = (SessionId) ifUserIsNull.getSecond();
        }
        validateMaxAge(authzRequest, fromString, sessionId, validateClient);
        authzRequest.getAuditLog().setUsername(user.getUserId());
        ExternalPostAuthnContext externalPostAuthnContext = new ExternalPostAuthnContext(validateClient, sessionId, authzRequest, fromString);
        checkForceReAuthentication(authzRequest, fromString, validateClient, externalPostAuthnContext);
        checkForceAuthorization(authzRequest, fromString, validateClient, externalPostAuthnContext);
        ClientAuthorization clientAuthorization = null;
        // z: whether fetchClientAuthorization() already looked the client authorization up (so checkPromptConsent()
        // need not repeat the lookup).
        boolean z = false;
        if (!checkScopesPolicy.isEmpty()) {
            Pair<ClientAuthorization, Boolean> fetchClientAuthorization = fetchClientAuthorization(authzRequest, validateClient, sessionId, user, checkScopesPolicy);
            clientAuthorization = (ClientAuthorization) fetchClientAuthorization.getFirst();
            z = ((Boolean) fetchClientAuthorization.getSecond()).booleanValue();
        }
        addPromptLoginIfNeeded(fromString, validateClient);
        checkPromptLogin(authzRequest, fromString);
        checkPromptConsent(authzRequest, fromString, sessionId, user, clientAuthorization, z);
        checkPromptSelectAccount(authzRequest, fromString);
        AuthorizationCode authorizationCode = null;
        if (responseTypeList.contains(ResponseType.CODE)) {
            // Authorization code grant; the code is bound to nonce, scopes, PKCE challenge, claims, ACR and session.
            authorizationGrant = this.authorizationGrantList.createAuthorizationCodeGrant(user, validateClient, sessionId.getAuthenticationTime());
            authorizationGrant.setNonce(authzRequest.getNonce());
            authorizationGrant.setJwtAuthorizationRequest(authzRequest.getJwtRequest());
            // Token binding hash derived from the Sec-Token-Binding header and the client's id_token cnf setting.
            authorizationGrant.setTokenBindingHash(TokenBindingMessage.getTokenBindingIdHashFromTokenBindingMessage(header, validateClient.getIdTokenTokenBindingCnf()));
            authorizationGrant.setScopes(checkScopesPolicy);
            authorizationGrant.setCodeChallenge(authzRequest.getCodeChallenge());
            authorizationGrant.setCodeChallengeMethod(authzRequest.getCodeChallengeMethod());
            authorizationGrant.setClaims(authzRequest.getClaims());
            authorizationGrant.setAcrValues(getAcrForGrant(authzRequest.getAcrValues(), sessionId));
            authorizationGrant.setSessionDn(sessionId.getDn());
            authorizationGrant.save();
            authorizationCode = authorizationGrant.getAuthorizationCode();
            authzRequest.getRedirectUriResponse().getRedirectUri().addResponseParameter("code", authorizationCode.getCode());
        }
        AccessToken accessToken = null;
        if (responseTypeList.contains(ResponseType.TOKEN)) {
            // Implicit access token. Reuses the code grant when one was created above, otherwise creates an
            // implicit grant (note: no token binding hash or PKCE data on that path).
            if (authorizationGrant == null) {
                authorizationGrant = this.authorizationGrantList.createImplicitGrant(user, validateClient, sessionId.getAuthenticationTime());
                authorizationGrant.setNonce(authzRequest.getNonce());
                authorizationGrant.setJwtAuthorizationRequest(authzRequest.getJwtRequest());
                authorizationGrant.setScopes(checkScopesPolicy);
                authorizationGrant.setClaims(authzRequest.getClaims());
                authorizationGrant.setAcrValues(getAcrForGrant(authzRequest.getAcrValues(), sessionId));
                authorizationGrant.setSessionDn(sessionId.getDn());
                authorizationGrant.save();
            }
            ExecutionContext executionContext = new ExecutionContext(authzRequest.getHttpRequest(), authzRequest.getHttpResponse());
            // Client certificate as forwarded in the X-ClientCert header (PEM, per the setter name).
            executionContext.setCertAsPem(authzRequest.getHttpRequest().getHeader("X-ClientCert"));
            accessToken = authorizationGrant.createAccessToken(executionContext);
            authzRequest.getRedirectUriResponse().getRedirectUri().addResponseParameter(StatService.ACCESS_TOKEN_KEY, accessToken.getCode());
            authzRequest.getRedirectUriResponse().getRedirectUri().addResponseParameter("token_type", accessToken.getTokenType().toString());
            authzRequest.getRedirectUriResponse().getRedirectUri().addResponseParameter("expires_in", accessToken.getExpiresIn() + "");
        }
        if (responseTypeList.contains(ResponseType.ID_TOKEN)) {
            // equals: whether to include the full claim set in the ID token. Follows the legacyIdTokenClaims
            // setting, but is forced on when the ID token is the only artifact (no grant created above).
            boolean equals = Boolean.TRUE.equals(this.appConfiguration.getLegacyIdTokenClaims());
            if (authorizationGrant == null) {
                equals = true;
                authorizationGrant = this.authorizationGrantList.createImplicitGrant(user, validateClient, sessionId.getAuthenticationTime());
                authorizationGrant.setNonce(authzRequest.getNonce());
                authorizationGrant.setJwtAuthorizationRequest(authzRequest.getJwtRequest());
                authorizationGrant.setScopes(checkScopesPolicy);
                authorizationGrant.setClaims(authzRequest.getClaims());
                authorizationGrant.setAcrValues(getAcrForGrant(authzRequest.getAcrValues(), sessionId));
                authorizationGrant.setSessionDn(sessionId.getDn());
                authorizationGrant.save();
            }
            ExternalUpdateTokenContext externalUpdateTokenContext = new ExternalUpdateTokenContext(authzRequest.getHttpRequest(), authorizationGrant, validateClient, this.appConfiguration, this.attributeService);
            // Pre-processing adds the session's outside sid and the token-binding data; post-processing runs the
            // external update-token script.
            Function<JsonWebResponse, Void> wrapWithSidFunction = JwrService.wrapWithSidFunction(TokenBindingMessage.createIdTokenTokingBindingPreprocessing(header, validateClient.getIdTokenTokenBindingCnf()), sessionId.getOutsideSid());
            Function<JsonWebResponse, Void> buildModifyIdTokenProcessor = this.externalUpdateTokenService.buildModifyIdTokenProcessor(externalUpdateTokenContext);
            ExecutionContext executionContext2 = externalUpdateTokenContext.toExecutionContext();
            executionContext2.setPreProcessing(wrapWithSidFunction);
            executionContext2.setPostProcessor(buildModifyIdTokenProcessor);
            executionContext2.setIncludeIdTokenClaims(equals);
            executionContext2.setGrant(authorizationGrant);
            // The code and access token issued above are passed along (presumably for c_hash / at_hash — confirm).
            authzRequest.getRedirectUriResponse().getRedirectUri().addResponseParameter(StatService.ID_TOKEN_KEY, authorizationGrant.createIdToken(authzRequest.getNonce(), authorizationCode, accessToken, null, authzRequest.getState(), executionContext2).getCode());
        }
        addResponseParameterAcrValues(authzRequest, authorizationGrant);
        addResponseParameterCustomParameters(authzRequest);
        if (sessionId.getId() == null) {
            // Session object exists but was never persisted with an id: mint an authenticated session id now.
            String id = this.sessionIdService.generateAuthenticatedSessionId(authzRequest.getHttpRequest(), sessionId.getUserDn(), authzRequest.getPrompt()).getId();
            sessionId.setId(id);
            this.log.trace("newSessionId = {}", id);
        }
        addRespnseParameterSessionId(authzRequest, sessionId);
        addResponseParameterSid(authzRequest, sessionId);
        // session_state is computed from the session, client id and the (validated) redirect URI.
        authzRequest.getRedirectUriResponse().getRedirectUri().addResponseParameter("session_state", this.sessionIdService.computeSessionState(sessionId, authzRequest.getClientId(), authzRequest.getRedirectUri()));
        authzRequest.getRedirectUriResponse().getRedirectUri().addResponseParameter("state", authzRequest.getState());
        addResponseParameterScope(authzRequest, authorizationGrant);
        this.clientService.updateAccessTime(validateClient, false);
        authzRequest.getAuditLog().setSuccess(true);
        Response.ResponseBuilder redirectResponseBuilder = RedirectUtil.getRedirectResponseBuilder(authzRequest.getRedirectUriResponse().getRedirectUri(), authzRequest.getHttpRequest());
        addCustomHeaders(redirectResponseBuilder, authzRequest);
        // Side effects after the response is assembled: session update, CIBA delivery, device-flow completion.
        updateSession(authzRequest, sessionId);
        runCiba(authzRequest, validateClient);
        processDeviceAuthorization(userCodeFromSession, user);
        return redirectResponseBuilder;
    }

    /**
     * Adds the request-supplied custom response headers to the redirect response, but only when
     * {@code customHeadersWithAuthorizationResponse} is enabled in configuration. The header names and values come
     * from the {@code customResponseHeaders} request value (presumably a JSON object string), not from configuration.
     *
     * @param responseBuilder builder of the redirect response being assembled
     * @param authzRequest    request carrying the custom header string
     */
    private void addCustomHeaders(Response.ResponseBuilder responseBuilder, AuthzRequest authzRequest) {
        if (!BooleanUtils.isTrue(this.appConfiguration.getCustomHeadersWithAuthorizationResponse())) {
            return;
        }
        Map<?, ?> customHeaders = Util.jsonObjectArrayStringAsMap(authzRequest.getCustomResponseHeaders());
        for (Map.Entry<?, ?> customHeader : customHeaders.entrySet()) {
            responseBuilder.header((String) customHeader.getKey(), customHeader.getValue());
        }
    }

    /**
     * Narrows the request scope to what the grant actually allows and echoes it as the {@code scope} response
     * parameter. Skipped when no grant was created or when FAPI mode is on.
     *
     * @param authzRequest       request whose scope is replaced with the grant-filtered value
     * @param authorizationGrant grant issued for this request, may be {@code null}
     */
    private void addResponseParameterScope(AuthzRequest authzRequest, AuthorizationGrant authorizationGrant) {
        boolean applicable = authorizationGrant != null && !this.appConfiguration.isFapi();
        if (!applicable) {
            return;
        }
        authzRequest.setScope(authorizationGrant.checkScopesPolicy(authzRequest.getScope()));
        RedirectUri redirectUri = authzRequest.getRedirectUriResponse().getRedirectUri();
        redirectUri.addResponseParameterIfNotBlank("scope", authzRequest.getScope());
    }

    /**
     * Adds the session's outside sid as the {@code sid} response parameter when {@code includeSidInResponse} is
     * enabled.
     *
     * @param authzRequest request whose redirect URI receives the parameter
     * @param sessionId    session providing the outside sid
     */
    private void addResponseParameterSid(AuthzRequest authzRequest, SessionId sessionId) {
        if (!BooleanUtils.isTrue(this.appConfiguration.getIncludeSidInResponse())) {
            return;
        }
        RedirectUri redirectUri = authzRequest.getRedirectUriResponse().getRedirectUri();
        redirectUri.addResponseParameter("sid", sessionId.getOutsideSid());
    }

    /**
     * Adds the session id as a response parameter (named after the session cookie) when
     * {@code sessionIdRequestParameterEnabled} is on. Never done in FAPI mode. (Method name typo is kept: callers
     * reference it.)
     *
     * @param authzRequest request whose redirect URI receives the parameter
     * @param sessionId    session whose id is exposed
     */
    private void addRespnseParameterSessionId(AuthzRequest authzRequest, SessionId sessionId) {
        if (this.appConfiguration.isFapi()) {
            return;
        }
        boolean enabled = BooleanUtils.isTrue(this.appConfiguration.getSessionIdRequestParameterEnabled());
        if (enabled) {
            authzRequest.getRedirectUriResponse().getRedirectUri()
                    .addResponseParameter(CookieService.SESSION_ID_COOKIE_NAME, sessionId.getId());
        }
    }

    /**
     * Copies the custom request parameters that the {@link RequestParameterService} marks for return (second
     * argument {@code true}) onto the redirect URI as response parameters.
     *
     * @param authzRequest request carrying the custom parameters and the redirect URI to extend
     */
    private void addResponseParameterCustomParameters(AuthzRequest authzRequest) {
        Map<String, String> returned =
                this.requestParameterService.getCustomParameters(authzRequest.getCustomParameters(), true);
        returned.forEach((name, value) ->
                authzRequest.getRedirectUriResponse().getRedirectUri().addResponseParameter(name, value));
    }

    /**
     * Echoes the requested {@code acr_values} as a response parameter when a grant exists and FAPI mode is off.
     *
     * @param authzRequest       request whose acr_values are echoed
     * @param authorizationGrant grant issued for this request, may be {@code null}
     */
    private void addResponseParameterAcrValues(AuthzRequest authzRequest, AuthorizationGrant authorizationGrant) {
        boolean applicable = authorizationGrant != null && !this.appConfiguration.isFapi();
        if (applicable) {
            RedirectUri redirectUri = authzRequest.getRedirectUriResponse().getRedirectUri();
            redirectUri.addResponseParameterIfNotBlank("acr_values", authzRequest.getAcrValues());
        }
    }

    /**
     * Aborts the flow with a redirect to the account-selection page when {@code prompt=select_account} was requested.
     *
     * @param authzRequest current request
     * @param prompts      requested prompt values
     * @throws WebApplicationException carrying the select-account redirect
     */
    private void checkPromptSelectAccount(AuthzRequest authzRequest, List<Prompt> prompts) {
        boolean selectAccountRequested = prompts.contains(Prompt.SELECT_ACCOUNT);
        if (!selectAccountRequested) {
            return;
        }
        Response redirect = redirectToSelectAccountPage(authzRequest, prompts);
        throw new WebApplicationException(redirect);
    }

    /**
     * Enforces {@code prompt=consent}. With {@code disablePromptConsent} on, the prompt is simply dropped. Otherwise,
     * if consent was requested or the session holds no grant for this client, any stored client authorization is
     * cleared and the flow is redirected to the authorization (consent) page.
     *
     * @param authzRequest                current request
     * @param prompts                     requested prompt values; CONSENT is removed when handled
     * @param sessionId                   session consulted for an existing per-client permission
     * @param user                        user whose stored authorizations may be cleared
     * @param clientAuthorization         authorization already looked up, meaningful only when
     *                                    {@code clientAuthorizationFetched} is {@code true}
     * @param clientAuthorizationFetched  whether the lookup was already done by the caller
     * @throws WebApplicationException carrying the redirect to the authorization page
     */
    private void checkPromptConsent(AuthzRequest authzRequest, List<Prompt> prompts, SessionId sessionId, User user,
            ClientAuthorization clientAuthorization, boolean clientAuthorizationFetched) {
        if (BooleanUtils.isTrue(this.appConfiguration.getDisablePromptConsent())) {
            this.log.trace("Disabled prompt=consent (because disablePromptConsent=true).");
            prompts.remove(Prompt.CONSENT);
            return;
        }
        boolean consentRequested = prompts.contains(Prompt.CONSENT);
        if (!consentRequested
                && BooleanUtils.isTrue(sessionId.isPermissionGrantedForClient(authzRequest.getClientId()))) {
            return;
        }
        ClientAuthorization toClear = clientAuthorizationFetched
                ? clientAuthorization
                : this.clientAuthorizationsService.find(user.getAttribute("inum"), authzRequest.getClient().getClientId());
        this.clientAuthorizationsService.clearAuthorizations(toClear,
                authzRequest.getClient().getPersistClientAuthorizations());
        prompts.remove(Prompt.CONSENT);
        throw new WebApplicationException(redirectToAuthorizationPage(authzRequest, prompts));
    }

    /**
     * Enforces {@code prompt=login}. With {@code disablePromptLogin} on, the prompt is dropped. Otherwise, when the
     * current session is authenticated it is un-authenticated, the request's session id is cleared, and — if
     * {@code unauthenticateSession} reports that a redirect is needed — the flow is sent to the authorization page.
     *
     * @param authzRequest current request; its session id is reset to {@code null} when LOGIN is present
     * @param list         requested prompt values; LOGIN is removed when handled
     * @throws WebApplicationException carrying the redirect to the authorization page
     */
    public void checkPromptLogin(AuthzRequest authzRequest, List<Prompt> list) {
        if (BooleanUtils.isTrue(this.appConfiguration.getDisablePromptLogin())) {
            this.log.trace("Disabled prompt=login (because disablePromptLogin=true).");
            list.remove(Prompt.LOGIN);
            return;
        }
        if (!list.contains(Prompt.LOGIN)) {
            return;
        }
        final boolean sessionAuthenticated = this.identity.getSessionId().getState() == SessionIdState.AUTHENTICATED;
        final boolean redirectRequired = sessionAuthenticated
                && unauthenticateSession(authzRequest.getSessionId(), authzRequest.getHttpRequest(),
                        authzRequest.isPromptFromJwt());
        authzRequest.setSessionId(null);
        list.remove(Prompt.LOGIN);
        if (redirectRequired) {
            throw new WebApplicationException(redirectToAuthorizationPage(authzRequest, list));
        }
    }

    /**
     * Adds {@code prompt=login} when the client's {@code defaultPromptLogin} attribute is set and the current
     * session was authenticated more than 500 ms ago. Sessions with no authentication time, non-authenticated
     * sessions, and a missing identity/session are left alone. (The 500 ms threshold presumably lets a login that
     * just happened pass through without looping — TODO confirm.)
     *
     * @param prompts requested prompt values; LOGIN is appended when the conditions hold
     * @param client  client whose attributes are consulted
     */
    private void addPromptLoginIfNeeded(List<Prompt> prompts, Client client) {
        if (this.identity == null || this.identity.getSessionId() == null) {
            return;
        }
        SessionId current = this.identity.getSessionId();
        if (current.getState() != SessionIdState.AUTHENTICATED) {
            return;
        }
        if (!Boolean.TRUE.equals(client.getAttributes().getDefaultPromptLogin())) {
            return;
        }
        if (current.getAuthenticationTime() == null) {
            return;
        }
        long millisSinceAuthentication = System.currentTimeMillis() - current.getAuthenticationTime().getTime();
        if (millisSinceAuthentication > 500) {
            prompts.add(Prompt.LOGIN);
        }
    }

    /**
     * Decides whether the user has already authorized this client for the requested scopes.
     * <p>
     * {@code prompt=consent} always redirects to the consent page. Trusted clients, and pairwise clients asking for
     * nothing but {@code openid} (see {@link #isPairwiseWithOnlyOpenIdScope}), are granted in the session without a
     * lookup. Every other client is looked up in the stored client authorizations: if a record exists and covers all
     * requested scopes the session permission is recorded, otherwise the flow is redirected to the consent page.
     *
     * @param authzRequest   current request
     * @param client         client being authorized
     * @param sessionId      session on which the per-client permission is recorded
     * @param user           user whose stored authorizations are consulted
     * @param requestedScopes scopes after policy filtering
     * @return the stored authorization found (or {@code null}) and whether a lookup was performed
     * @throws WebApplicationException carrying the redirect to the authorization page
     */
    private Pair<ClientAuthorization, Boolean> fetchClientAuthorization(AuthzRequest authzRequest, Client client,
            SessionId sessionId, User user, Set<String> requestedScopes) {
        List<Prompt> prompts = authzRequest.getPromptList();
        if (prompts.contains(Prompt.CONSENT)) {
            throw new WebApplicationException(redirectToAuthorizationPage(authzRequest, prompts));
        }
        boolean implicitlyAuthorized =
                client.getTrustedClient() || isPairwiseWithOnlyOpenIdScope(client, authzRequest, requestedScopes);
        if (implicitlyAuthorized) {
            sessionId.addPermission(authzRequest.getClientId(), true);
            this.sessionIdService.updateSessionId(sessionId);
            return new Pair<>(null, Boolean.FALSE);
        }
        ClientAuthorization stored =
                this.clientAuthorizationsService.find(user.getAttribute("inum"), client.getClientId());
        if (stored != null && stored.getScopes() != null) {
            if (this.log.isTraceEnabled()) {
                this.log.trace("ClientAuthorization - scope: {}, dn: {}, requestedScope: {}",
                        authzRequest.getScope(), stored.getDn(), requestedScopes);
            }
            boolean coversAllScopes = Arrays.asList(stored.getScopes()).containsAll(requestedScopes);
            if (!coversAllScopes) {
                throw new WebApplicationException(redirectToAuthorizationPage(authzRequest, prompts));
            }
            sessionId.addPermission(authzRequest.getClientId(), true);
            this.sessionIdService.updateSessionId(sessionId);
        }
        return new Pair<>(stored, Boolean.TRUE);
    }

    /**
     * True for a pairwise-subject client whose request asks for exactly the {@code openid} scope, no {@code claims}
     * parameter, and no userinfo/id_token claim requests inside the request object (if any).
     *
     * @param client       client being authorized
     * @param authzRequest current request
     * @param scopes       scopes after policy filtering
     */
    private boolean isPairwiseWithOnlyOpenIdScope(Client client, AuthzRequest authzRequest, Set<String> scopes) {
        if (client.getSubjectType() != SubjectType.PAIRWISE) {
            return false;
        }
        boolean onlyOpenId = scopes.size() == 1 && scopes.contains(DefaultScope.OPEN_ID.toString());
        if (!onlyOpenId || authzRequest.getClaims() != null) {
            return false;
        }
        if (authzRequest.getJwtRequest() == null) {
            return true;
        }
        return authzRequest.getJwtRequest().getUserInfoMember() == null
                && authzRequest.getJwtRequest().getIdTokenMember() == null;
    }

    /**
     * Validates the request object ({@code request} / {@code request_uri}) unless the client has CIBA compatibility
     * or the request was already processed as a pushed request. In FAPI mode a missing request object is itself an
     * {@code INVALID_REQUEST} error.
     *
     * @param authzRequest current request
     * @param parProcessed whether the pushed-request path already handled the request object
     * @param client       client being authorized
     * @throws WebApplicationException for a FAPI request without request object (via the redirect-URI response)
     */
    private void validateRequestJwt(AuthzRequest authzRequest, boolean parProcessed, Client client) {
        boolean exempt = this.cibaRequestService.hasCibaCompatibility(client) || parProcessed;
        if (exempt) {
            return;
        }
        boolean fapiWithoutRequestObject = this.appConfiguration.isFapi() && authzRequest.getJwtRequest() == null;
        if (fapiWithoutRequestObject) {
            throw authzRequest.getRedirectUriResponse().createWebException(AuthorizeErrorResponseType.INVALID_REQUEST);
        }
        this.authorizeRestWebServiceValidator.validateRequestJwt(authzRequest.getRequest(),
                authzRequest.getRequestUri(), authzRequest.getRedirectUriResponse());
    }

    /**
     * Rejects the request with a 400 {@code UNSUPPORTED_RESPONSE_TYPE} JSON error when the requested response types
     * are not allowed for the client or do not match its registered grant types.
     *
     * @param authzRequest  current request (its state is echoed in the error body)
     * @param responseTypes requested response types
     * @param client        client whose registration is checked
     * @throws WebApplicationException with the 400 response
     */
    private void checkResponseType(AuthzRequest authzRequest, List<ResponseType> responseTypes, Client client) {
        boolean responseTypesRejected = !AuthorizeParamsValidator.validateResponseTypes(responseTypes, client);
        if (responseTypesRejected
                || !AuthorizeParamsValidator.validateGrantType(responseTypes, client.getGrantTypes(), this.appConfiguration)) {
            Response error = Response.status(Response.Status.BAD_REQUEST)
                    .entity(this.errorResponseFactory.getErrorAsJson(
                            AuthorizeErrorResponseType.UNSUPPORTED_RESPONSE_TYPE, authzRequest.getState(), ""))
                    .build();
            throw new WebApplicationException(error);
        }
    }

    /**
     * Redirects to the authorization page when the external post-authentication script forces authorization.
     *
     * @param authzRequest            current request
     * @param prompts                 requested prompt values, passed through to the redirect
     * @param client                  client being authorized
     * @param externalPostAuthnContext context handed to the external script
     * @throws WebApplicationException carrying the redirect
     */
    private void checkForceAuthorization(AuthzRequest authzRequest, List<Prompt> prompts, Client client,
            ExternalPostAuthnContext externalPostAuthnContext) {
        boolean forced = this.externalPostAuthnService.externalForceAuthorization(client, externalPostAuthnContext);
        if (!forced) {
            return;
        }
        throw new WebApplicationException(redirectToAuthorizationPage(authzRequest, prompts));
    }

    /**
     * Drops the current authenticated session and redirects to the authorization page
     * when the external post-authentication script demands re-authentication.
     * <p>
     * The session id on {@code authzRequest} is cleared so the redirect does not carry the
     * now-unauthenticated session along.
     *
     * @param authzRequest            the parsed authorization request
     * @param list                    the prompt values to carry over to the authorization page
     * @param client                  the requesting client
     * @param externalPostAuthnContext context handed to the external script
     * @throws WebApplicationException carrying the redirect response when re-authentication is forced
     */
    private void checkForceReAuthentication(AuthzRequest authzRequest, List<Prompt> list, Client client, ExternalPostAuthnContext externalPostAuthnContext) {
        boolean forced = this.externalPostAuthnService.externalForceReAuthentication(client, externalPostAuthnContext);
        if (!forced) {
            return;
        }
        unauthenticateSession(authzRequest.getSessionId(), authzRequest.getHttpRequest());
        authzRequest.setSessionId(null);
        throw new WebApplicationException(redirectToAuthorizationPage(authzRequest, list));
    }

    /**
     * Enforces the {@code max_age} parameter: if the session's authentication is older
     * than allowed, the session is unauthenticated and the user is sent back to the
     * authorization page to log in again.
     *
     * @param authzRequest the parsed authorization request
     * @param list         the prompt values to carry over to the authorization page
     * @param sessionId    the current session
     * @param client       the requesting client
     * @throws WebApplicationException carrying the redirect response when {@code max_age} is exceeded
     */
    private void validateMaxAge(AuthzRequest authzRequest, List<Prompt> list, SessionId sessionId, Client client) {
        boolean withinMaxAge = this.authorizeRestWebServiceValidator.isAuthnMaxAgeValid(authzRequest.getMaxAge(), sessionId, client);
        if (!withinMaxAge) {
            // Stale authentication: clear the session and force a fresh login.
            unauthenticateSession(authzRequest.getSessionId(), authzRequest.getHttpRequest());
            authzRequest.setSessionId(null);
            throw new WebApplicationException(redirectToAuthorizationPage(authzRequest, list));
        }
    }

    /**
     * Strips {@code offline_access} from the requested scopes when its preconditions are
     * not met, mutating {@code set} in place.
     * <p>
     * Trusted clients are exempt. Otherwise {@code offline_access} requires
     * {@code response_type} to include {@code code}, and requires {@code prompt=consent}
     * unless the client attribute {@code allowOfflineAccessWithoutConsent} is set.
     *
     * @param list   the requested response types
     * @param list2  the requested prompt values
     * @param client the requesting client
     * @param set    the requested scopes; {@code offline_access} may be removed from it
     */
    public void checkOfflineAccessScopes(List<ResponseType> list, List<Prompt> list2, Client client, Set<String> set) {
        final String offlineAccess = "offline_access";
        boolean subjectToChecks = set.contains(offlineAccess) && !client.getTrustedClient();
        if (!subjectToChecks) {
            return;
        }
        if (!list.contains(ResponseType.CODE)) {
            this.log.trace("Removed (ignored) offline_scope. Can't find `code` in response_type which is required.");
            set.remove(offlineAccess);
        }
        // Re-check: the scope may just have been removed above.
        boolean stillRequested = set.contains(offlineAccess);
        if (stillRequested
                && !list2.contains(Prompt.CONSENT)
                && !BooleanUtils.toBoolean(client.getAttributes().getAllowOfflineAccessWithoutConsent())) {
            this.log.error("Removed offline_access. Can't find prompt=consent. Consent is required for offline_access.");
            set.remove(offlineAccess);
        }
    }

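    /**
     * Handles an authorization request for which no authenticated user could be resolved.
     * <p>
     * Unless {@code prompt=none} was requested, the user is redirected to the
     * authorization (login) page; a {@code prompt=login} value is consumed on the way.
     * With {@code prompt=none}, the only remaining path to a user is the authentication
     * filter chain: if it is disabled or yields no user, the request fails with
     * {@code login_required}. When a filter does authenticate the user, an authenticated
     * session is created, populated with the allowed request parameters, written to the
     * session cookie and persisted.
     *
     * @param authzRequest the parsed authorization request; its session id and prompt may be rewritten
     * @return the user resolved by the authentication filters together with the new session
     * @throws SearchException        from the user lookup
     * @throws WebApplicationException carrying either a redirect to the authorization page or a
     *                                 {@code login_required} error response
     */
    private Pair<User, SessionId> ifUserIsNull(AuthzRequest authzRequest) throws SearchException {
        this.identity.logout();
        List<Prompt> promptList = authzRequest.getPromptList();
        if (!promptList.contains(Prompt.NONE)) {
            if (promptList.contains(Prompt.LOGIN)) {
                unauthenticateSession(authzRequest.getSessionId(), authzRequest.getHttpRequest(), authzRequest.isPromptFromJwt());
                authzRequest.setSessionId(null);
                // prompt=login has been honoured; drop it so the redirected request does not loop.
                promptList.remove(Prompt.LOGIN);
                authzRequest.setPrompt(StringUtils.implode(promptList, " "));
            }
            throw new WebApplicationException(redirectToAuthorizationPage(authzRequest, promptList));
        }
        if (!this.authenticationFilterService.isEnabled()) {
            throw new WebApplicationException(authzRequest.getRedirectUriResponse().createErrorBuilder(AuthorizeErrorResponseType.LOGIN_REQUIRED).build());
        }
        // Constant-first equals: a null HTTP method must not turn into a NullPointerException here.
        Map<String, String> filterInput = "GET".equals(authzRequest.getHttpMethod())
                ? QueryStringDecoder.decode(authzRequest.getHttpRequest().getQueryString())
                : getGenericRequestMap(authzRequest.getHttpRequest());
        String userDn = this.authenticationFilterService.processAuthenticationFilters(filterInput);
        if (userDn == null) {
            this.applicationAuditLogger.sendMessage(authzRequest.getAuditLog());
            throw new WebApplicationException(authzRequest.getRedirectUriResponse().createErrorBuilder(AuthorizeErrorResponseType.LOGIN_REQUIRED).build());
        }
        // Only whitelisted request parameters are copied into the session.
        Map<String, String> allowedParameters = this.requestParameterService.getAllowedParameters(Maps.newHashMap(getGenericRequestMap(authzRequest.getHttpRequest())));
        SessionId authenticatedSession = this.sessionIdService.generateAuthenticatedSessionId(authzRequest.getHttpRequest(), userDn, authzRequest.getPrompt());
        authenticatedSession.setSessionAttributes(allowedParameters);
        this.cookieService.createSessionIdCookie(authenticatedSession, authzRequest.getHttpRequest(), authzRequest.getHttpResponse(), false);
        this.sessionIdService.updateSessionId(authenticatedSession);
        return new Pair<>(this.userService.getUserByDn(authenticatedSession.getUserDn(), new String[0]), authenticatedSession);
    }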

    /**
     * Picks the ACR to record on the grant: the session's ACR when one is set, otherwise
     * the supplied fallback.
     *
     * @param str       fallback ACR used when the session carries none
     * @param sessionId the session whose ACR is preferred
     * @return the session ACR if non-blank, else {@code str}
     */
    private String getAcrForGrant(String str, SessionId sessionId) {
        String sessionAcr = this.sessionIdService.getAcr(sessionId);
        if (org.apache.commons.lang.StringUtils.isNotBlank(sessionAcr)) {
            return sessionAcr;
        }
        return str;
    }

    /**
     * Completes a pending CIBA request once the end user has authenticated and consented.
     * <p>
     * Does nothing when the request carries no {@code auth_req_id}, or when the cached CIBA
     * request is missing or already expired. Otherwise the cached request is removed, a
     * CIBA grant is created and access, refresh and ID tokens are issued on it. Delivery
     * then depends on the client's backchannel token delivery mode: PUSH sends the tokens
     * to the client's notification endpoint immediately; PING notifies the endpoint and
     * leaves the tokens to be collected; POLL just leaves them to be collected.
     *
     * @param authzRequest the parsed authorization request (supplies {@code auth_req_id}, scope, HTTP request/response)
     * @param client       the client the tokens are issued to
     */
    private void runCiba(AuthzRequest authzRequest, Client client) {
        String authReqId = authzRequest.getAuthReqId();
        if (org.apache.commons.lang.StringUtils.isBlank(authReqId)) {
            return;
        }
        CibaRequestCacheControl cibaRequest = this.cibaRequestService.getCibaRequest(authReqId);
        if (cibaRequest == null || cibaRequest.getStatus() == CibaRequestStatus.EXPIRED) {
            this.log.trace("User responded too late and the grant {} has expired, {}", authReqId, cibaRequest);
            return;
        }
        // Remove the cached request first so the same auth_req_id cannot be completed twice.
        this.cibaRequestService.removeCibaRequest(authReqId);
        CIBAGrant createCIBAGrant = this.authorizationGrantList.createCIBAGrant(cibaRequest);
        ExecutionContext executionContext = new ExecutionContext(authzRequest.getHttpRequest(), authzRequest.getHttpResponse());
        executionContext.setAppConfiguration(this.appConfiguration);
        executionContext.setAttributeService(this.attributeService);
        executionContext.setGrant(createCIBAGrant);
        executionContext.setClient(client);
        // The certificate is taken verbatim from the incoming request header; whether that
        // value is trustworthy depends on the fronting proxy stripping client-supplied copies.
        executionContext.setCertAsPem(authzRequest.getHttpRequest().getHeader("X-ClientCert"));
        // Scopes are space-separated in the request; an absent/blank scope yields an empty set.
        executionContext.setScopes(org.apache.commons.lang.StringUtils.isNotBlank(authzRequest.getScope()) ? new HashSet<>(Arrays.asList(authzRequest.getScope().split(" "))) : new HashSet<>());
        AccessToken createAccessToken = createCIBAGrant.createAccessToken(executionContext);
        // NOTE(review): the raw access token value is written to the log at DEBUG. Token
        // material in logs is a credential-exposure risk; consider logging a hash or none at all.
        this.log.debug("Issuing access token: {}", createAccessToken.getCode());
        ExternalUpdateTokenContext externalUpdateTokenContext = new ExternalUpdateTokenContext(authzRequest.getHttpRequest(), createCIBAGrant, client, this.appConfiguration, this.attributeService);
        // An external script may override the refresh token lifetime; a non-positive value falls back to the default.
        int refreshTokenLifetimeInSeconds = this.externalUpdateTokenService.getRefreshTokenLifetimeInSeconds(externalUpdateTokenContext);
        RefreshToken createRefreshToken = refreshTokenLifetimeInSeconds > 0 ? createCIBAGrant.createRefreshToken(executionContext, refreshTokenLifetimeInSeconds) : createCIBAGrant.createRefreshToken(executionContext);
        // NOTE(review): same concern as above — the raw refresh token value is logged at DEBUG.
        this.log.debug("Issuing refresh token: {}", createRefreshToken != null ? createRefreshToken.getCode() : "");
        executionContext.setPostProcessor(this.externalUpdateTokenService.buildModifyIdTokenProcessor(externalUpdateTokenContext));
        // The grant was already set above; this second call is redundant but harmless.
        executionContext.setGrant(createCIBAGrant);
        executionContext.setIncludeIdTokenClaims(Boolean.TRUE.equals(this.appConfiguration.getLegacyIdTokenClaims()));
        IdToken createIdToken = createCIBAGrant.createIdToken(null, null, createAccessToken, createRefreshToken, null, executionContext);
        // Mark as delivered up front; the PING/POLL branches below reset this to false.
        createCIBAGrant.setTokensDelivered(true);
        createCIBAGrant.save();
        // PUSH consults the client stored on the cached request, whereas PING/POLL consult the
        // grant's client; they are presumably the same client — confirm if this ever diverges.
        if (cibaRequest.getClient().getBackchannelTokenDeliveryMode() == BackchannelTokenDeliveryMode.PUSH) {
            this.cibaPushTokenDeliveryService.pushTokenDelivery(createCIBAGrant.getAuthReqId(), createCIBAGrant.getClient().getBackchannelClientNotificationEndpoint(), cibaRequest.getClientNotificationToken(), createAccessToken.getCode(), createRefreshToken != null ? createRefreshToken.getCode() : null, createIdToken.getCode(), Integer.valueOf(createAccessToken.getExpiresIn()));
            return;
        }
        if (createCIBAGrant.getClient().getBackchannelTokenDeliveryMode() == BackchannelTokenDeliveryMode.PING) {
            createCIBAGrant.setTokensDelivered(false);
            createCIBAGrant.save();
            this.cibaPingCallbackService.pingCallback(createCIBAGrant.getAuthReqId(), createCIBAGrant.getClient().getBackchannelClientNotificationEndpoint(), cibaRequest.getClientNotificationToken());
        } else if (createCIBAGrant.getClient().getBackchannelTokenDeliveryMode() == BackchannelTokenDeliveryMode.POLL) {
            createCIBAGrant.setTokensDelivered(false);
            createCIBAGrant.save();
        }
    }

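    /**
     * Converts a session that was established through the Resource Owner Password
     * Credentials grant into a regular authorization session.
     * <p>
     * If the session carries the {@code Constants.AUTHORIZED_GRANT} attribute with the ROPC
     * grant type, that marker is removed, the allowed parameters of the current request are
     * merged into the session attributes and the session is persisted. Any other session,
     * or a {@code null} session, is left untouched.
     *
     * @param httpServletRequest the current request, source of the parameters copied into the session
     * @param sessionId          the session to update; may be {@code null}
     */
    private void updateSessionForROPC(HttpServletRequest httpServletRequest, SessionId sessionId) {
        if (sessionId == null) {
            return;
        }
        // Typed and read once: the original fetched the attribute map twice and used a raw Map.
        Map<String, String> sessionAttributes = sessionId.getSessionAttributes();
        String authorizedGrant = sessionAttributes.get(Constants.AUTHORIZED_GRANT);
        boolean isRopcSession = StringHelper.isNotEmpty(authorizedGrant)
                && GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS == GrantType.fromString(authorizedGrant);
        if (!isRopcSession) {
            return;
        }
        sessionAttributes.remove(Constants.AUTHORIZED_GRANT);
        // Only whitelisted request parameters are copied into the session.
        sessionAttributes.putAll(this.requestParameterService.getAllowedParameters(getGenericRequestMap(httpServletRequest)));
        this.sessionIdService.updateSessionId(sessionId, true, true, true);
    }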

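    /**
     * Flattens the request's parameter map to single values, keeping the first value of
     * each parameter.
     * <p>
     * Parameters whose value array is {@code null} or empty are skipped instead of
     * triggering an exception.
     *
     * @param httpServletRequest the request whose parameters are read
     * @return a new mutable map of parameter name to first value
     */
    private Map<String, String> getGenericRequestMap(HttpServletRequest httpServletRequest) {
        Map<String, String> firstValues = new HashMap<>();
        for (Map.Entry<String, String[]> entry : httpServletRequest.getParameterMap().entrySet()) {
            String[] values = entry.getValue();
            if (values != null && values.length > 0) {
                firstValues.put(entry.getKey(), values[0]);
            }
        }
        return firstValues;
    }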

    /**
     * Builds a redirect to the server's own {@code /authorize} page, carrying the
     * request parameters and the given prompt values.
     *
     * @param authzRequest the parsed authorization request
     * @param list         the prompt values to forward
     * @return the redirect response
     */
    private Response redirectToAuthorizationPage(AuthzRequest authzRequest, List<Prompt> list) {
        final String authorizePagePath = "/authorize";
        return redirectTo(authorizePagePath, authzRequest, list);
    }

    /**
     * Builds a redirect to the server's own {@code /selectAccount} page, carrying the
     * request parameters and the given prompt values.
     *
     * @param authzRequest the parsed authorization request
     * @param list         the prompt values to forward
     * @return the redirect response
     */
    private Response redirectToSelectAccountPage(AuthzRequest authzRequest, List<Prompt> list) {
        final String selectAccountPagePath = "/selectAccount";
        return redirectTo(selectAccountPagePath, authzRequest, list);
    }

    /**
     * Builds a redirect to one of the server's own pages, re-encoding the authorization
     * request parameters as query parameters.
     * <p>
     * The target is resolved against the configured issuer (context path + {@code str} +
     * faces mapping), so it never derives from request-supplied data. Standard parameters
     * are added only when non-blank; custom parameters are added as-is. If the request has
     * an audit log entry, it is flushed before the response is returned.
     *
     * @param str          page path relative to the context path, e.g. {@code /authorize}
     * @param authzRequest the parsed authorization request whose parameters are forwarded
     * @param list         the prompt values to forward (joined with spaces)
     * @return the redirect response
     */
    private Response redirectTo(String str, AuthzRequest authzRequest, List<Prompt> list) {
        String relativeTarget = this.servletRequest.getContextPath() + str + this.configurationFactory.getFacesMapping();
        URI targetUri = URI.create(this.appConfiguration.getIssuer()).resolve(relativeTarget);

        RedirectUri target = authzRequest.getRedirectUriResponse().getRedirectUri();
        target.setBaseRedirectUri(targetUri.toString());
        target.setResponseMode(ResponseMode.QUERY);

        // Standard parameters, in the same order they are rendered into the query string.
        target.addResponseParameterIfNotBlank("response_type", authzRequest.getResponseType());
        target.addResponseParameterIfNotBlank("scope", authzRequest.getScope());
        target.addResponseParameterIfNotBlank("client_id", authzRequest.getClientId());
        target.addResponseParameterIfNotBlank("redirect_uri", authzRequest.getRedirectUri());
        target.addResponseParameterIfNotBlank("state", authzRequest.getState());
        target.addResponseParameterIfNotBlank("response_mode", authzRequest.getResponseMode());
        target.addResponseParameterIfNotBlank("nonce", authzRequest.getNonce());
        target.addResponseParameterIfNotBlank("display", authzRequest.getDisplay());
        target.addResponseParameterIfNotBlank("prompt", StringUtils.implode(list, " "));
        String maxAge = authzRequest.getMaxAge() == null ? null : authzRequest.getMaxAge().toString();
        target.addResponseParameterIfNotBlank("max_age", maxAge);
        target.addResponseParameterIfNotBlank("ui_locales", authzRequest.getUiLocales());
        target.addResponseParameterIfNotBlank("id_token_hint", authzRequest.getIdTokenHint());
        target.addResponseParameterIfNotBlank("login_hint", authzRequest.getLoginHint());
        target.addResponseParameterIfNotBlank("acr_values", authzRequest.getAcrValues());
        target.addResponseParameterIfNotBlank("amr_values", authzRequest.getAmrValues());
        target.addResponseParameterIfNotBlank("request", authzRequest.getRequest());
        target.addResponseParameterIfNotBlank("request_uri", authzRequest.getRequestUri());
        target.addResponseParameterIfNotBlank("code_challenge", authzRequest.getCodeChallenge());
        target.addResponseParameterIfNotBlank("code_challenge_method", authzRequest.getCodeChallengeMethod());
        target.addResponseParameterIfNotBlank(CookieService.SESSION_ID_COOKIE_NAME, authzRequest.getSessionId());
        target.addResponseParameterIfNotBlank("claims", authzRequest.getClaims());
        target.addResponseParameterIfNotBlank("auth_req_id", authzRequest.getAuthReqId());
        target.addResponseParameterIfNotBlank("origin_headers", authzRequest.getOriginHeaders());

        // Custom parameters are forwarded unconditionally (no blank check).
        Map<String, String> customParameters = authzRequest.getCustomParameters();
        if (customParameters != null && !customParameters.isEmpty()) {
            customParameters.forEach(target::addResponseParameter);
        }

        Response.ResponseBuilder redirect = RedirectUtil.getRedirectResponseBuilder(target, authzRequest.getHttpRequest());
        if (authzRequest.getAuditLog() != null) {
            this.applicationAuditLogger.sendMessage(authzRequest.getAuditLog());
        }
        return redirect.build();
    }

    /**
     * Records a successful redirect back to the relying party on the session.
     * <p>
     * Adds the device secret for this request to the session, increments the
     * {@code SUCCESSFUL_RP_REDIRECT_COUNT} attribute (treating a missing or unparsable
     * value as 0) and persists the session.
     *
     * @param authzRequest the parsed authorization request
     * @param sessionId    the session to update; must not be {@code null}
     */
    private void updateSession(AuthzRequest authzRequest, SessionId sessionId) {
        this.authzRequestService.addDeviceSecretToSession(authzRequest, sessionId);
        String storedCount = (String) sessionId.getSessionAttributes().get(SUCCESSFUL_RP_REDIRECT_COUNT);
        int nextCount = Util.parseIntSilently(storedCount, 0) + 1;
        sessionId.getSessionAttributes().put(SUCCESSFUL_RP_REDIRECT_COUNT, Integer.toString(nextCount));
        this.sessionIdService.updateSessionId(sessionId);
    }

    /**
     * Unauthenticates the session unconditionally; see the three-argument overload.
     *
     * @param str                the session id to unauthenticate; falls back to the cookie when empty
     * @param httpServletRequest the current request
     * @return {@code true} unless persisting the unauthenticated session failed
     */
    private boolean unauthenticateSession(String str, HttpServletRequest httpServletRequest) {
        // The overload's flag guards on a prior RP redirect; here it is not required.
        final boolean requireRpRedirectMarker = false;
        return unauthenticateSession(str, httpServletRequest, requireRpRedirectMarker);
    }

    /**
     * Logs the user out of the current identity and moves the persisted session to the
     * {@link SessionIdState#UNAUTHENTICATED} state.
     * <p>
     * When {@code z} is {@code true} and the current identity session exists but has never
     * recorded a successful RP redirect ({@code SUCCESSFUL_RP_REDIRECT_COUNT} absent), nothing
     * is done and {@code false} is returned. Otherwise the identity session's user, user DN and
     * authentication time are cleared, the identity is logged out, and the persisted session —
     * located by {@code str}, or by the session cookie when {@code str} is empty — is
     * unauthenticated, persisted and an UNAUTHENTICATED session event is fired.
     *
     * @param str                the session id to unauthenticate; when empty the cookie value is used
     * @param httpServletRequest the current request (cookie source, attached to the session event)
     * @param z                  when {@code true}, skip unless the session has a recorded RP redirect
     * @return {@code true} when the persisted session could not be found or was updated
     *         successfully; {@code false} when skipped or when the update failed
     */
    private boolean unauthenticateSession(String str, HttpServletRequest httpServletRequest, boolean z) {
        SessionId identitySession = this.identity.getSessionId();
        boolean neverRedirectedToRp = identitySession != null
                && !identitySession.getSessionAttributes().containsKey(SUCCESSFUL_RP_REDIRECT_COUNT);
        if (z && neverRedirectedToRp) {
            return false;
        }
        if (identitySession != null) {
            // Casts disambiguate overloaded setters when passing null.
            identitySession.setUserDn((String) null);
            identitySession.setUser((User) null);
            identitySession.setAuthenticationTime((Date) null);
        }
        this.identity.logout();

        String targetSessionId = StringHelper.isEmpty(str)
                ? this.cookieService.getSessionIdFromCookie(httpServletRequest)
                : str;
        SessionId persistedSession = this.sessionIdService.getSessionId(targetSessionId);
        if (persistedSession == null) {
            this.log.error("Failed to load session from LDAP by session_id: '{}'", targetSessionId);
            return true;
        }
        persistedSession.setState(SessionIdState.UNAUTHENTICATED);
        persistedSession.setUserDn((String) null);
        persistedSession.setUser((User) null);
        persistedSession.setAuthenticationTime((Date) null);
        boolean updated = this.sessionIdService.updateSessionId(persistedSession);
        // The event fires regardless of whether the update succeeded.
        SessionEvent event = new SessionEvent(SessionEventType.UNAUTHENTICATED, persistedSession).setHttpRequest(httpServletRequest);
        this.sessionIdService.externalEvent(event);
        if (!updated) {
            this.log.error("Failed to update session_id '{}'", targetSessionId);
        }
        return updated;
    }

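    /**
     * Completes a pending device authorization (RFC 8628) for the given user code.
     * <p>
     * Does nothing when {@code str} is blank or when the cached device authorization is
     * missing or expired. Otherwise the cached request is removed and a device grant is
     * created for {@code user}.
     *
     * @param str  the user code entered by the end user
     * @param user the authenticated user granting the device access
     */
    private void processDeviceAuthorization(String str, User user) {
        if (org.apache.commons.lang.StringUtils.isBlank(str)) {
            return;
        }
        DeviceAuthorizationCacheControl deviceAuthz = this.deviceAuthorizationService.getDeviceAuthzByUserCode(str);
        if (deviceAuthz == null || deviceAuthz.getStatus() == DeviceAuthorizationStatus.EXPIRED) {
            this.log.trace("User responded too late and the authorization {} has expired, {}", str, deviceAuthz);
            return;
        }
        // Remove the cached request first so the same user code cannot be approved twice.
        this.deviceAuthorizationService.removeDeviceAuthRequestInCache(str, deviceAuthz.getDeviceCode());
        // Grant creation is a side effect; it is hoisted out of the log call so it is not
        // hidden inside a logging argument list.
        String grantId = this.authorizationGrantList.createDeviceGrant(deviceAuthz, user).getGrantId();
        // NOTE(review): the device_code is a credential the device presents at the token
        // endpoint; writing it to the INFO log is a credential-exposure risk worth reconsidering.
        this.log.info("Granted device authorization request, user_code: {}, device_code: {}, grant_id: {}",
                str, deviceAuthz.getDeviceCode(), grantId);
    }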
}
