package io.jans.as.server.userinfo.ws.rs;

import io.jans.as.common.claims.Audience;
import io.jans.as.common.model.common.User;
import io.jans.as.common.service.AttributeService;
import io.jans.as.common.util.CommonUtils;
import io.jans.as.model.common.FeatureFlagType;
import io.jans.as.model.common.ScopeType;
import io.jans.as.model.config.WebKeysConfiguration;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.crypto.encryption.BlockEncryptionAlgorithm;
import io.jans.as.model.crypto.encryption.KeyEncryptionAlgorithm;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.exception.InvalidClaimException;
import io.jans.as.model.exception.InvalidJweException;
import io.jans.as.model.jwe.Jwe;
import io.jans.as.model.jwe.JweEncrypterImpl;
import io.jans.as.model.jwk.Algorithm;
import io.jans.as.model.jwk.JSONWebKeySet;
import io.jans.as.model.jwk.KeyOpsType;
import io.jans.as.model.jwk.Use;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.jwt.JwtClaims;
import io.jans.as.model.jwt.JwtSubClaimObject;
import io.jans.as.model.jwt.JwtType;
import io.jans.as.model.token.JsonWebResponse;
import io.jans.as.model.userinfo.UserInfoErrorResponseType;
import io.jans.as.persistence.model.Scope;
import io.jans.as.server.audit.ApplicationAuditLogger;
import io.jans.as.server.auth.DpopService;
import io.jans.as.server.model.audit.Action;
import io.jans.as.server.model.audit.OAuth2AuditLog;
import io.jans.as.server.model.authorize.Claim;
import io.jans.as.server.model.common.AbstractToken;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.AuthorizationGrantList;
import io.jans.as.server.model.common.AuthorizationGrantType;
import io.jans.as.server.model.common.DefaultScope;
import io.jans.as.server.model.common.UnmodifiableAuthorizationGrant;
import io.jans.as.server.model.userinfo.UserInfoParamsValidator;
import io.jans.as.server.service.ClientService;
import io.jans.as.server.service.ScopeService;
import io.jans.as.server.service.ServerCryptoProvider;
import io.jans.as.server.service.UserService;
import io.jans.as.server.service.date.DateFormatterService;
import io.jans.as.server.service.external.ExternalDynamicScopeService;
import io.jans.as.server.service.external.context.DynamicScopeExternalContext;
import io.jans.as.server.service.token.TokenService;
import io.jans.as.server.util.ServerUtil;
import io.jans.model.JansAttribute;
import io.jans.orm.exception.EntryPersistenceException;
import jakarta.inject.Inject;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.SecurityContext;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.json.JSONObject;
import org.slf4j.Logger;

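/**
 * JAX-RS implementation of the OpenID Connect UserInfo endpoint.
 * <p>
 * {@link #requestUserInfoGet} and {@link #requestUserInfoPost} both delegate to
 * {@link #requestUserInfo}, which resolves the bearer access token to an
 * {@link AuthorizationGrant}, enforces the token / grant-type / scope preconditions
 * and then renders the user's claims either as plain JSON, as a signed JWT or as an
 * encrypted JWE, depending on the client's registered
 * {@code userinfo_signed_response_alg} / {@code userinfo_encrypted_response_alg}
 * settings. Every request, successful or not, is reported to the
 * {@link ApplicationAuditLogger}.
 * <p>
 * The raw access token is a bearer credential and is deliberately never written to
 * the log; only its presence is recorded.
 */
@Path("/")
public class UserInfoRestWebServiceImpl implements UserInfoRestWebService {

    @Inject
    private Logger log;

    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private ClientService clientService;

    @Inject
    private ScopeService scopeService;

    @Inject
    private AttributeService attributeService;

    @Inject
    private UserService userService;

    @Inject
    private ExternalDynamicScopeService externalDynamicScopeService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private WebKeysConfiguration webKeysConfiguration;

    @Inject
    private AbstractCryptoProvider cryptoProvider;

    @Inject
    private TokenService tokenService;

    @Inject
    private DateFormatterService dateFormatterService;

    /**
     * Handles {@code GET} requests to the UserInfo endpoint.
     *
     * @param accessToken     access token passed as a request parameter (may be {@code null})
     * @param authorization   value of the {@code Authorization} header (may be {@code null})
     * @param httpRequest     current servlet request, used for the audit log's client IP
     * @param securityContext JAX-RS security context
     * @return the UserInfo response, see {@link #requestUserInfo}
     */
    @Override // io.jans.as.server.userinfo.ws.rs.UserInfoRestWebService
    public Response requestUserInfoGet(String accessToken, String authorization, HttpServletRequest httpRequest, SecurityContext securityContext) {
        return requestUserInfo(accessToken, authorization, httpRequest, securityContext);
    }

    /**
     * Handles {@code POST} requests to the UserInfo endpoint; identical to
     * {@link #requestUserInfoGet}.
     *
     * @param accessToken     access token passed as a request parameter (may be {@code null})
     * @param authorization   value of the {@code Authorization} header (may be {@code null})
     * @param httpRequest     current servlet request, used for the audit log's client IP
     * @param securityContext JAX-RS security context
     * @return the UserInfo response, see {@link #requestUserInfo}
     */
    @Override // io.jans.as.server.userinfo.ws.rs.UserInfoRestWebService
    public Response requestUserInfoPost(String accessToken, String authorization, HttpServletRequest httpRequest, SecurityContext securityContext) {
        return requestUserInfo(accessToken, authorization, httpRequest, securityContext);
    }

    /**
     * Common GET/POST implementation.
     * <p>
     * A bearer token in the {@code Authorization} header takes precedence over the
     * {@code access_token} parameter. The token is then validated in this order:
     * syntactic check, grant lookup, token object validity, grant type (client
     * credentials grants are rejected), and presence of the {@code openid} scope
     * (or {@code profile} when {@code openidScopeBackwardCompatibility} is enabled).
     * The response is marked non-cacheable.
     *
     * @return 200 with the claims, 400 for a malformed token, 401 for an unknown or
     *         expired token, 403 for an insufficient grant type / scope, 500 for any
     *         other failure while building the response
     */
    private Response requestUserInfo(String accessToken, String authorization, HttpServletRequest httpRequest, SecurityContext securityContext) {
        if (tokenService.isBearerAuthToken(authorization)) {
            accessToken = tokenService.getBearerToken(authorization);
        }
        // The token value itself is a credential; record only whether one was supplied.
        log.debug("Attempting to request User Info, Access token present = {}, Is Secure = {}",
                accessToken != null && !accessToken.isEmpty(), securityContext.isSecure());
        errorResponseFactory.validateFeatureEnabled(FeatureFlagType.USERINFO);

        OAuth2AuditLog auditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpRequest), Action.USER_INFO);
        try {
            if (!UserInfoParamsValidator.validateParams(accessToken)) {
                return response(400, UserInfoErrorResponseType.INVALID_REQUEST, "access token is not valid.");
            }

            AuthorizationGrant grant = authorizationGrantList.getAuthorizationGrantByAccessToken(accessToken);
            if (grant == null) {
                log.trace("Failed to find authorization grant by access_token");
                return response(401, UserInfoErrorResponseType.INVALID_TOKEN);
            }
            auditLog.updateOAuth2AuditLog(grant, false);

            AbstractToken token = grant.getAccessToken(accessToken);
            if (token == null || !token.isValid()) {
                log.trace("Invalid access token object, isNull: {}, isValid: false", token == null);
                return response(401, UserInfoErrorResponseType.INVALID_TOKEN);
            }

            if (grant.getAuthorizationGrantType() == AuthorizationGrantType.CLIENT_CREDENTIALS) {
                return response(403, UserInfoErrorResponseType.INSUFFICIENT_SCOPE,
                        "Grant object has client_credentials grant_type which is not valid.");
            }

            Response scopeError = checkRequiredScopes(grant);
            if (scopeError != null) {
                return scopeError;
            }

            auditLog.updateOAuth2AuditLog(grant, true);
            Response.ResponseBuilder builder = Response.ok()
                    .cacheControl(ServerUtil.cacheControlWithNoStoreTransformAndPrivate())
                    .header(DpopService.PRAGMA, DpopService.NO_CACHE);

            User user = reloadUser(grant);
            Collection<String> scopes = grant.getScopes();

            boolean hasClient = grant.getClient() != null;
            String encAlg = hasClient ? grant.getClient().getUserInfoEncryptedResponseAlg() : null;
            String encEnc = hasClient ? grant.getClient().getUserInfoEncryptedResponseEnc() : null;
            String sigAlg = hasClient ? grant.getClient().getUserInfoSignedResponseAlg() : null;

            if (encAlg != null && encEnc != null) {
                // Encrypted response takes precedence over a signed one.
                builder.type("application/jwt");
                builder.entity(getJweResponse(KeyEncryptionAlgorithm.fromName(encAlg),
                        BlockEncryptionAlgorithm.fromName(encEnc), user, grant, scopes));
            } else if (sigAlg != null) {
                builder.type("application/jwt");
                builder.entity(getJwtResponse(SignatureAlgorithm.fromString(sigAlg), user, grant, scopes));
            } else {
                builder.type("application/json;charset=UTF-8");
                builder.entity(getJSonResponse(user, grant, scopes));
            }
            return builder.build();
        } catch (Exception e) {
            log.error(e.getMessage(), e);
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode()).build();
        } finally {
            // Audit every outcome exactly once, including the 500 path and unchecked errors.
            applicationAuditLogger.sendMessage(auditLog);
        }
    }

    /**
     * Enforces the scope precondition of the UserInfo endpoint.
     * <p>
     * With {@code openidScopeBackwardCompatibility} enabled, either {@code openid} or
     * {@code profile} is sufficient; otherwise {@code openid} is mandatory. A missing
     * (null) configuration value is treated as "disabled", i.e. the stricter rule.
     *
     * @param grant the grant whose scopes are inspected
     * @return a 403 {@code insufficient_scope} response, or {@code null} when the
     *         scopes are acceptable
     */
    private Response checkRequiredScopes(AuthorizationGrant grant) {
        boolean hasOpenId = grant.getScopes().contains(DefaultScope.OPEN_ID.toString());
        boolean backwardCompatible = Boolean.TRUE.equals(appConfiguration.getOpenidScopeBackwardCompatibility());
        if (backwardCompatible) {
            boolean hasProfile = grant.getScopes().contains(DefaultScope.PROFILE.toString());
            if (!hasOpenId && !hasProfile) {
                return response(403, UserInfoErrorResponseType.INSUFFICIENT_SCOPE,
                        "Both openid and profile scopes are not present.");
            }
        } else if (!hasOpenId) {
            return response(403, UserInfoErrorResponseType.INSUFFICIENT_SCOPE, "Missed openid scope.");
        }
        return null;
    }

    /**
     * Reloads the grant's user from persistence so that freshly changed attributes are
     * returned, falling back to the user object cached in the grant when the entry
     * cannot be read.
     * <p>
     * Note: a {@code null} result from the user service is returned as-is (no fallback),
     * matching the previous behaviour — a deleted user must not be served from the
     * grant's stale copy.
     */
    private User reloadUser(AuthorizationGrant grant) {
        try {
            return userService.getUserByDn(grant.getUserDn());
        } catch (EntryPersistenceException e) {
            log.warn("Failed to reload user entry: '{}'", grant.getUserDn());
            return grant.getUser();
        }
    }

    /**
     * Builds an error response with an empty error description.
     *
     * @param status    HTTP status code
     * @param errorType UserInfo error code
     */
    private Response response(int status, UserInfoErrorResponseType errorType) {
        return response(status, errorType, "");
    }

    /**
     * Builds a JSON error response; like the success response it is marked
     * non-cacheable.
     *
     * @param status      HTTP status code
     * @param errorType   UserInfo error code
     * @param description human-readable error description
     */
    private Response response(int status, UserInfoErrorResponseType errorType, String description) {
        return Response.status(status)
                .entity(errorResponseFactory.errorAsJson(errorType, description))
                .type(MediaType.APPLICATION_JSON_TYPE)
                .cacheControl(ServerUtil.cacheControlWithNoStoreTransformAndPrivate())
                .build();
    }

    /**
     * Renders the UserInfo claims as a signed JWT.
     * <p>
     * The signing key id is chosen from the server's web keys for the requested
     * algorithm; when none is found the header carries no {@code kid}. The client
     * secret is passed to the crypto provider for algorithms that sign with it.
     *
     * @param signatureAlgorithm algorithm registered by the client for UserInfo signing
     * @param user               user whose claims are returned
     * @param authorizationGrant grant the access token belongs to
     * @param scopes             scopes granted to the token
     * @return compact serialization of the signed JWT
     * @throws Exception propagated from claim building or signing
     */
    private String getJwtResponse(SignatureAlgorithm signatureAlgorithm, User user, AuthorizationGrant authorizationGrant, Collection<String> scopes) throws Exception {
        // SLF4J placeholders are "{}"; "{0}"/"{1}" are never substituted.
        log.trace("Building JWT reponse with next scopes {} for user {} and user custom attributes {}",
                scopes, user.getUserId(), user.getCustomAttributes());

        Jwt jwt = new Jwt();
        jwt.getHeader().setType(JwtType.JWT);
        jwt.getHeader().setAlgorithm(signatureAlgorithm);

        String keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(webKeysConfiguration,
                Algorithm.fromString(signatureAlgorithm.getName()), Use.SIGNATURE, KeyOpsType.CONNECT);
        if (keyId != null) {
            jwt.getHeader().setKeyId(keyId);
        }

        jwt.setClaims(createJwtClaims(user, authorizationGrant, scopes));
        String sharedSecret = clientService.decryptSecret(authorizationGrant.getClient().getClientSecret());
        jwt.setEncodedSignature(cryptoProvider.sign(jwt.getSigningInput(), jwt.getHeader().getKeyId(), sharedSecret, signatureAlgorithm));
        return jwt.toString();
    }

    /**
     * Wraps the JSON UserInfo response in a claim set with {@code iss} and {@code aud}
     * set for the grant's client.
     *
     * @throws ParseException        if the JSON response cannot be parsed into claims
     * @throws InvalidClaimException propagated from {@link #getJSonResponse}
     */
    private JwtClaims createJwtClaims(User user, AuthorizationGrant authorizationGrant, Collection<String> scopes) throws ParseException, InvalidClaimException {
        JwtClaims jwtClaims = new JwtClaims(new JSONObject(getJSonResponse(user, authorizationGrant, scopes)));
        jwtClaims.setIssuer(appConfiguration.getIssuer());
        Audience.setAudience(jwtClaims, authorizationGrant.getClient());
        return jwtClaims;
    }

    /**
     * Renders the UserInfo claims as a JWE.
     * <p>
     * RSA key-management algorithms ({@code RSA-OAEP}, {@code RSA1_5}) encrypt to the
     * client's public key taken from its JWKS; AES key-wrap ({@code A128KW},
     * {@code A256KW}) uses the client secret as the wrapping key. Any other algorithm
     * is rejected: the method never returns a JWE that did not go through an encrypter.
     *
     * @param keyEncryptionAlgorithm   key management algorithm registered by the client
     * @param blockEncryptionAlgorithm content encryption algorithm registered by the client
     * @param user                     user whose claims are returned
     * @param authorizationGrant       grant the access token belongs to
     * @param scopes                   scopes granted to the token
     * @return compact serialization of the encrypted JWE
     * @throws InvalidJweException if no usable public key is found, the algorithm is
     *                             unsupported, or AES key wrapping fails
     * @throws Exception           propagated from claim building or RSA encryption
     */
    public String getJweResponse(KeyEncryptionAlgorithm keyEncryptionAlgorithm, BlockEncryptionAlgorithm blockEncryptionAlgorithm, User user, AuthorizationGrant authorizationGrant, Collection<String> scopes) throws Exception {
        // SLF4J placeholders are "{}"; "{0}"/"{1}" are never substituted.
        log.trace("Building JWE reponse with next scopes {} for user {} and user custom attributes {}",
                scopes, user.getUserId(), user.getCustomAttributes());

        Jwe jwe = new Jwe();
        jwe.getHeader().setType(JwtType.JWT);
        jwe.getHeader().setAlgorithm(keyEncryptionAlgorithm);
        jwe.getHeader().setEncryptionMethod(blockEncryptionAlgorithm);
        jwe.setClaims(createJwtClaims(user, authorizationGrant, scopes));

        boolean rsaKeyManagement = keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP
                || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5;
        boolean aesKeyWrap = keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A128KW
                || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A256KW;

        if (rsaKeyManagement) {
            JSONObject jwks = CommonUtils.getJwks(authorizationGrant.getClient());
            String keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(JSONWebKeySet.fromJSONObject(jwks),
                    Algorithm.fromString(keyEncryptionAlgorithm.getName()), Use.ENCRYPTION, KeyOpsType.CONNECT);
            PublicKey publicKey = cryptoProvider.getPublicKey(keyId, jwks, (Algorithm) null);
            if (publicKey == null) {
                throw new InvalidJweException("The public key is not valid");
            }
            return new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, publicKey).encrypt(jwe).toString();
        }

        if (aesKeyWrap) {
            try {
                byte[] sharedSecret = clientService.decryptSecret(authorizationGrant.getClient().getClientSecret())
                        .getBytes(StandardCharsets.UTF_8);
                return new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, sharedSecret).encrypt(jwe).toString();
            } catch (Exception e) {
                throw new InvalidJweException(e);
            }
        }

        // Fail closed: previously an unhandled algorithm fell through and the never-encrypted
        // Jwe object was serialized and returned as if it were a valid token.
        throw new InvalidJweException("Unsupported userinfo key encryption algorithm: " + keyEncryptionAlgorithm);
    }

    /**
     * Renders the UserInfo claims as a JSON document.
     * <p>
     * Claims are collected from three sources, in this order: the claims mapped to each
     * granted scope (dynamic scopes are deferred to the external dynamic-scope script,
     * grouped scopes are emitted as a nested object named after the scope), the
     * {@code userinfo} member of the {@code claims} request parameter, and the
     * {@code userinfo} member of a request object. The {@code sub} claim is always set
     * from the grant.
     *
     * @param user               user whose claims are returned
     * @param authorizationGrant grant the access token belongs to
     * @param scopes             scopes granted to the token
     * @return the claims as a JSON string
     * @throws InvalidClaimException propagated from claim setters
     * @throws ParseException        propagated from claim setters
     */
    public String getJSonResponse(User user, AuthorizationGrant authorizationGrant, Collection<String> scopes) throws InvalidClaimException, ParseException {
        log.trace("Building JSON reponse with next scopes {} for user {} and user custom attributes {}",
                scopes, user.getUserId(), user.getCustomAttributes());

        JsonWebResponse jsonWebResponse = new JsonWebResponse();
        List<Scope> dynamicScopes = new ArrayList<>();

        for (String scopeName : scopes) {
            Scope scope = scopeService.getScopeById(scopeName);
            if (scope != null && ScopeType.DYNAMIC == scope.getScopeType()) {
                // Resolved by the external script once all static claims are in place.
                dynamicScopes.add(scope);
                continue;
            }
            // A null scope is still passed on: the scope service may resolve claims for it.
            Map<String, Object> claims = scopeService.getClaims(user, scope);
            if (claims == null) {
                continue;
            }
            if (scope == null) {
                log.trace("Unable to find scope in persistence. Is it removed? Scope name: {}", scopeName);
            }
            if (scope != null && Boolean.TRUE.equals(scope.isGroupClaims())) {
                addGroupedClaims(jsonWebResponse, scope, claims);
            } else {
                addFlatClaims(jsonWebResponse, claims);
            }
        }

        addClaimsFromClaimsParameter(jsonWebResponse, user, authorizationGrant);
        addClaimsFromRequestObject(jsonWebResponse, user, authorizationGrant, scopes);

        jsonWebResponse.getClaims().setSubjectIdentifier(authorizationGrant.getSub());

        if (!dynamicScopes.isEmpty() && externalDynamicScopeService.isEnabled()) {
            externalDynamicScopeService.executeExternalUpdateMethods(
                    new DynamicScopeExternalContext(dynamicScopes, jsonWebResponse, new UnmodifiableAuthorizationGrant(authorizationGrant)));
        }
        return jsonWebResponse.toString();
    }

    /**
     * Adds scope claims as top-level claims. Lists and booleans keep their type, dates
     * are formatted through the {@link DateFormatterService}, everything else is
     * stringified.
     */
    @SuppressWarnings({"rawtypes", "unchecked"}) // claim values arrive as an untyped map
    private void addFlatClaims(JsonWebResponse response, Map<String, Object> claims) {
        for (Map.Entry<String, Object> entry : claims.entrySet()) {
            String key = entry.getKey();
            Object value = entry.getValue();
            if (value instanceof List) {
                response.getClaims().setClaim(key, (List) value);
            } else if (value instanceof Boolean) {
                response.getClaims().setClaim(key, (Boolean) value);
            } else if (value instanceof Date) {
                response.getClaims().setClaimObject(key, dateFormatterService.formatClaim((Date) value, key), true);
            } else {
                response.getClaims().setClaim(key, String.valueOf(value));
            }
        }
    }

    /**
     * Adds scope claims as one nested object named after the scope id. Only list values
     * keep their type here; all other values (including booleans and dates) are
     * stringified — this mirrors the previous behaviour of the grouped branch.
     */
    @SuppressWarnings({"rawtypes", "unchecked"}) // claim values arrive as an untyped map
    private void addGroupedClaims(JsonWebResponse response, Scope scope, Map<String, Object> claims) {
        JwtSubClaimObject group = new JwtSubClaimObject();
        group.setName(scope.getId());
        for (Map.Entry<String, Object> entry : claims.entrySet()) {
            String key = entry.getKey();
            Object value = entry.getValue();
            if (value instanceof List) {
                group.setClaim(key, (List) value);
            } else {
                group.setClaim(key, String.valueOf(value));
            }
        }
        response.getClaims().setClaim(scope.getId(), group);
    }

    /**
     * Adds the attributes named in the {@code userinfo} member of the grant's
     * {@code claims} request parameter. Names that do not map to a registered attribute
     * are ignored.
     * <p>
     * NOTE(review): unlike {@link #addClaimsFromRequestObject}, this path does not run
     * {@link #validateRequesteClaim} against the client's allowed claims / granted
     * scopes — confirm that this is enforced when the authorization request is
     * accepted, or apply the same check here.
     */
    private void addClaimsFromClaimsParameter(JsonWebResponse response, User user, AuthorizationGrant grant) {
        if (grant.getClaims() == null) {
            return;
        }
        JSONObject claimsParameter = new JSONObject(grant.getClaims());
        if (!claimsParameter.has("userinfo")) {
            return;
        }
        Iterator<String> claimNames = claimsParameter.getJSONObject("userinfo").keys();
        while (claimNames.hasNext()) {
            String claimName = claimNames.next();
            JansAttribute attribute = attributeService.getByClaimName(claimName);
            if (attribute != null) {
                response.getClaims().setClaimFromJsonObject(claimName,
                        user.getAttribute(attribute.getName(), true, isMultiValued(attribute)));
            }
        }
    }

    /**
     * Adds the attributes requested in the {@code userinfo} member of the request object
     * (JWT authorization request), provided each one passes
     * {@link #validateRequesteClaim}.
     */
    private void addClaimsFromRequestObject(JsonWebResponse response, User user, AuthorizationGrant grant, Collection<String> scopes) {
        if (grant.getJwtAuthorizationRequest() == null || grant.getJwtAuthorizationRequest().getUserInfoMember() == null) {
            return;
        }
        String[] clientAllowedClaims = grant.getClient() != null ? grant.getClient().getClaims() : null;
        for (Claim claim : grant.getJwtAuthorizationRequest().getUserInfoMember().getClaims()) {
            JansAttribute attribute = attributeService.getByClaimName(claim.getName());
            if (attribute != null && validateRequesteClaim(attribute, clientAllowedClaims, scopes)) {
                response.getClaims().setClaimFromJsonObject(claim.getName(),
                        user.getAttribute(attribute.getName(), true, isMultiValued(attribute)));
            }
        }
    }

    /** Null-safe read of the attribute's multi-valued flag; an unset flag means single-valued. */
    private static boolean isMultiValued(JansAttribute attribute) {
        return Boolean.TRUE.equals(attribute.getOxMultiValuedAttribute());
    }

    /**
     * Decides whether an individually requested claim may be released: either the
     * attribute's DN is listed in the client's allowed claims, or one of the granted
     * scopes contains an attribute with the same display name.
     * <p>
     * NOTE(review): the scope check matches by display name rather than DN, so two
     * distinct attributes sharing a display name are treated as the same claim —
     * confirm this is intended.
     *
     * @param jansAttribute       attribute backing the requested claim
     * @param clientAllowedClaims attribute DNs the client is allowed to request (may be {@code null})
     * @param scopes              scopes granted to the token
     * @return {@code true} if the claim may be released
     */
    public boolean validateRequesteClaim(JansAttribute jansAttribute, String[] clientAllowedClaims, Collection<String> scopes) {
        if (jansAttribute == null) {
            log.trace("jansAttribute is null.");
            return false;
        }
        if (clientAllowedClaims != null) {
            for (String allowedDn : clientAllowedClaims) {
                if (jansAttribute.getDn().equals(allowedDn)) {
                    return true;
                }
            }
        }
        String displayName = jansAttribute.getDisplayName();
        for (String scopeName : scopes) {
            Scope scope = scopeService.getScopeById(scopeName);
            if (scope == null || scope.getClaims() == null) {
                continue;
            }
            for (String claimDn : scope.getClaims()) {
                // A scope may reference a DN that no longer resolves; skip it instead of failing the request.
                JansAttribute scopeAttribute = attributeService.getAttributeByDn(claimDn);
                if (scopeAttribute != null && displayName != null && displayName.equals(scopeAttribute.getDisplayName())) {
                    return true;
                }
            }
        }
        return false;
    }
}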
